| |
|
|
 | Another treasure from the TNT treasure chest: we start TNT and take a look at USER32.DLL in the TNT process. Before that, though, please select "Erweiterte Exportfunktionssuche" (extended export function search) in the menu. Now right-click on the found export functions, copy the export functions to the clipboard and park them in some Word document. After that, copy the load address of the module in the process, the entry-point address of the module in the process and the address of the export section as well, and paste them there. For me this comes out (Windows 2000):
[box:0cfc1d18f2]
1. function name: ActivateKeyboardLayout 1. function address in the Process: 2011245688 1. function address ex Offset the Moduls: 76920
2. function name: AdjustWindowRect 2. function address in the Process: 2011254280 2. function address ex Offset the Moduls: 85512
3. function name: AdjustWindowRectEx 3. function address in the Process: 2011197974 3. function address ex Offset the Moduls: 29206
4. function name: AlignRects 4. function address in the Process: 2011493835 4. function address ex Offset the Moduls: 325067
5. function name: AllowSetForegroundWindow 5. function address in the Process: 2011234139 5. function address ex Offset the Moduls: 65371
6. function name: AnimateWindow 6. function address in the Process: 2011308835 6. function address ex Offset the Moduls: 140067
7. function name: AnyPopup 7. function address in the Process: 2011480293 7. function address ex Offset the Moduls: 311525
8. function name: AppendMenuA 8. function address in the Process: 2011247766 8. function address ex Offset the Moduls: 78998
9. function name: AppendMenuW 9. function address in the Process: 2011327550 9. function address ex Offset the Moduls: 158782
10. function name: ArrangeIconicWindows 10. function address in the Process: 2011418844 10. function address ex Offset the Moduls: 250076
11. function name: AttachThreadInput 11. function address in the Process: 2011285863 11. function address ex Offset the Moduls: 117095
12. function name: BeginDeferWindowPos 12. function address in the Process: 2011199137 12. function address ex Offset the Moduls: 30369
13. function name: BeginPaint 13. function address in the Process: 2011184489 13. function address ex Offset the Moduls: 15721
14. function name: BlockInput 14. function address in the Process: 2011491773 14. function address ex Offset the Moduls: 323005
15. function name: BringWindowToTop 15. function address in the Process: 2011198909 15. function address ex Offset the Moduls: 30141
16. function name: BroadcastSystemMessage 16. function address in the Process: 2011484994 16. function address ex Offset the Moduls: 316226
17. function name: BroadcastSystemMessageA 17. function address in the Process: 2011484994 17. function address ex Offset the Moduls: 316226
18. function name: BroadcastSystemMessageW 18. function address in the Process: 2011315291 18. function address ex Offset the Moduls: 146523
19. function name: CallMsgFilter 19. function address in the Process: 2011315745 19. function address ex Offset the Moduls: 146977
20. function name: CallMsgFilterA 20. function address in the Process: 2011315745 20. function address ex Offset the Moduls: 146977
21. function name: CallMsgFilterW 21. function address in the Process: 2011208178 21. function address ex Offset the Moduls: 39410
22. function name: CallNextHookEx 22. function address in the Process: 2011252324 22. function address ex Offset the Moduls: 83556
23. function name: CallWindowProcA 23. function address in the Process: 2011196117 23. function address ex Offset the Moduls: 27349
24. function name: CallWindowProcW 24. function address in the Process: 2011196146 24. function address ex Offset the Moduls: 27378
25. function name: CascadeChildWindows 25. function address in the Process: 2011418858 25. function address ex Offset the Moduls: 250090
26. function name: CascadeWindows 26. function address in the Process: 2011465153 26. function address ex Offset the Moduls: 296385
27. function name: ChangeClipboardChain 27. function address in the Process: 2011256424 27. function address ex Offset the Moduls: 87656
28. function name: ChangeDisplaySettingsA 28. function address in the Process: 2011485843 28. function address ex Offset the Moduls: 317075
29. function name: ChangeDisplaySettingsExA 29. function address in the Process: 2011485873 29. function address ex Offset the Moduls: 317105
30. function name: ChangeDisplaySettingsExW 30. function address in the Process: 2011429049 30. function address ex Offset the Moduls: 260281
31. function name: ChangeDisplaySettingsW 31. function address in the Process: 2011429019 31. function address ex Offset the Moduls: 260251
32. function name: ChangeMenuA 32. function address in the Process: 2011376593 32. function address ex Offset the Moduls: 207825
33. function name: ChangeMenuW 33. function address in the Process: 2011465321 33. function address ex Offset the Moduls: 296553
34. function name: CharLowerA 34. function address in the Process: 2011210584 34. function address ex Offset the Moduls: 41816
35. function name: CharLowerBuffA 35. function address in the Process: 2011210723 35. function address ex Offset the Moduls: 41955
36. function name: CharLowerBuffW 36. function address in the Process: 2011190487 36. function address ex Offset the Moduls: 21719
37. function name: CharLowerW 37. function address in the Process: 2011190540 37. function address ex Offset the Moduls: 21772
38. function name: CharNextA 38. function address in the Process: 2011188676 38. function address ex Offset the Moduls: 19908
39. function name: CharNextExA 39. function address in the Process: 2011479374 39. function address ex Offset the Moduls: 310606
40. function name: CharNextW 40. function address in the Process: 2011190249 40. function address ex Offset the Moduls: 21481
41. function name: CharPrevA 41. function address in the Process: 2011253369 41. function address ex Offset the Moduls: 84601
42. function name: CharPrevExA 42. function address in the Process: 2011479419 42. function address ex Offset the Moduls: 310651
43. function name: CharPrevW 43. function address in the Process: 2011190310 43. function address ex Offset the Moduls: 21542
44. function name: CharToOemA 44. function address in the Process: 2011182664 44. function address ex Offset the Moduls: 13896
45. function name: CharToOemBuffA 45. function address in the Process: 2011341958 45. function address ex Offset the Moduls: 173190
46. function name: CharToOemBuffW 46. function address in the Process: 2011472284 46. function address ex Offset the Moduls: 303516
47. function name: CharToOemW 47. function address in the Process: 2011472215 47. function address ex Offset the Moduls: 303447
48. function name: CharUpperA 48. function address in the Process: 2011184843 48. function address ex Offset the Moduls: 16075
49. function name: CharUpperBuffA 49. function address in the Process: 2011245428 49. function address ex Offset the Moduls: 76660
50. function name: CharUpperBuffW 50. function address in the Process: 2011184982 50. function address ex Offset the Moduls: 16214
51. function name: CharUpperW 51. function address in the Process: 2011185035 51. function address ex Offset the Moduls: 16267
52. function name: CheckDlgButton 52. function address in the Process: 2011285959 52. function address ex Offset the Moduls: 117191
53. function name: CheckMenuItem 53. function address in the Process: 2011328763 53. function address ex Offset the Moduls: 159995
54. function name: CheckMenuRadioItem 54. function address in the Process: 2011340619 54. function address ex Offset the Moduls: 171851
55. function name: CheckRadioButton 55. function address in the Process: 2011283379 55. function address ex Offset the Moduls: 114611
56. function name: ChildWindowFromPoint 56. function address in the Process: 2011340410 56. function address ex Offset the Moduls: 171642
57. function name: ChildWindowFromPointEx 57. function address in the Process: 2011281464 57. function address ex Offset the Moduls: 112696
58. function name: CliImmSetHotKey 58. function address in the Process: 2011410204 58. function address ex Offset the Moduls: 241436
59. function name: ClientThreadSetup 59. function address in the Process: 2011242778 59. function address ex Offset the Moduls: 74010
60. function name: ClientToScreen 60. function address in the Process: 2011192742 60. function address ex Offset the Moduls: 23974
61. function name: ClipCursor 61. function address in the Process: 2011491815 61. function address ex Offset the Moduls: 323047
62. function name: CloseClipboard 62. function address in the Process: 2011249839 62. function address ex Offset the Moduls: 81071
63. function name: CloseDesktop 63. function address in the Process: 2011244941 63. function address ex Offset the Moduls: 76173
64. function name: CloseWindow 64. function address in the Process: 2011418882 64. function address ex Offset the Moduls: 250114
65. function name: CloseWindowStation 65. function address in the Process: 2011244913 65. function address ex Offset the Moduls: 76145
66. function name: CopyAcceleratorTableA 66. function address in the Process: 2011332075 66. function address ex Offset the Moduls: 163307
67. function name: CopyAcceleratorTableW 67. function address in the Process: 2011234153 67. function address ex Offset the Moduls: 65385
68. function name: CopyIcon 68. function address in the Process: 2011328654 68. function address ex Offset the Moduls: 159886
69. function name: CopyImage 69. function address in the Process: 2011232406 69. function address ex Offset the Moduls: 63638
70. function name: CopyRect 70. function address in the Process: 2011194030 70. function address ex Offset the Moduls: 25262
71. function name: CountClipboardFormats 71. function address in the Process: 2011250066 71. function address ex Offset the Moduls: 81298
72. function name: CreateAcceleratorTableA 72. function address in the Process: 2011325429 72. function address ex Offset the Moduls: 156661
73. function name: CreateAcceleratorTableW 73. function address in the Process: 2011327988 73. function address ex Offset the Moduls: 159220
74. function name: CreateCaret 74. function address in the Process: 2011196313 74. function address ex Offset the Moduls: 27545
75. function name: CreateCursor 75. function address in the Process: 2011422321 75. function address ex Offset the Moduls: 253553
76. function name: CreateDesktopA 76. function address in the Process: 2011418576 76. function address ex Offset the Moduls: 249808
77. function name: CreateDesktopW 77. function address in the Process: 2011176813 77. function address ex Offset the Moduls: 8045
78. function name: CreateDialogIndirectParamA 78. function address in the Process: 2011255720 78. function address ex Offset the Moduls: 86952
79. function name: CreateDialogIndirectParamAorW 79. function address in the Process: 2011225486 79. function address ex Offset the Moduls: 56718
80. function name: CreateDialogIndirectParamW 80. function address in the Process: 2011207945 80. function address ex Offset the Moduls: 39177
81. function name: CreateDialogParamA 81. function address in the Process: 2011214621 81. function address ex Offset the Moduls: 45853
82. function name: CreateDialogParamW 82. function address in the Process: 2011304876 82. function address ex Offset the Moduls: 136108
83. function name: CreateIcon 83. function address in the Process: 2011356336 83. function address ex Offset the Moduls: 187568
84. function name: CreateIconFromResource 84. function address in the Process: 2011422515 84. function address ex Offset the Moduls: 253747
85. function name: CreateIconFromResourceEx 85. function address in the Process: 2011327204 85. function address ex Offset the Moduls: 158436
86. function name: CreateIconIndirect 86. function address in the Process: 2011328274 86. function address ex Offset the Moduls: 159506
87. function name: CreateMDIWindowA 87. function address in the Process: 2011295918 87. function address ex Offset the Moduls: 127150
88. function name: CreateMDIWindowW 88. function address in the Process: 2011357207 88. function address ex Offset the Moduls: 188439
89. function name: CreateMenu 89. function address in the Process: 2011247347 89. function address ex Offset the Moduls: 78579
90. function name: CreatePopupMenu 90. function address in the Process: 2011249717 90. function address ex Offset the Moduls: 80949
91. function name: CreateWindowExA 91. function address in the Process: 2011204611 91. function address ex Offset the Moduls: 35843
92. function name: CreateWindowExW 92. function address in the Process: 2011204561 92. function address ex Offset the Moduls: 35793
93. function name: CreateWindowStationA 93. function address in the Process: 2011418446 93. function address ex Offset the Moduls: 249678
94. function name: CreateWindowStationW 94. function address in the Process: 2011175119 94. function address ex Offset the Moduls: 6351
95. function name: CtxInitUser32 95. function address in the Process: 2011420512 95. function address ex Offset the Moduls: 251744
96. function name: DdeAbandonTransaction 96. function address in the Process: 2011483635 96. function address ex Offset the Moduls: 314867
97. function name: DdeAccessData 97. function address in the Process: 2011351713 97. function address ex Offset the Moduls: 182945
98. function name: DdeAddData 98. function address in the Process: 2011451656 98. function address ex Offset the Moduls: 282888
99. function name: DdeClientTransaction 99. function address in the Process: 2011348707 99. function address ex Offset the Moduls: 179939
100. function name: DdeCmpStringHandles 100. function address in the Process: 2011340578 100. function address ex Offset the Moduls: 171810
101. function name: DdeConnect 101. function address in the Process: 2011347316 101. function address ex Offset the Moduls: 178548
102. function name: DdeConnectList 102. function address in the Process: 2011423602 102. function address ex Offset the Moduls: 254834
103. function name: DdeCreateDataHandle 103. function address in the Process: 2011351079 103. function address ex Offset the Moduls: 182311
104. function name: DdeCreateStringHandleA 104. function address in the Process: 2011322392 104. function address ex Offset the Moduls: 153624
105. function name: DdeCreateStringHandleW 105. function address in the Process: 2011357030 105. function address ex Offset the Moduls: 188262
106. function name: DdeDisconnect 106. function address in the Process: 2011349894 106. function address ex Offset the Moduls: 181126
107. function name: DdeDisconnectList 107. function address in the Process: 2011425358 107. function address ex Offset the Moduls: 256590
108. function name: DdeEnableCallback 108. function address in the Process: 2011414428 108. function address ex Offset the Moduls: 245660
109. function name: DdeFreeDataHandle 109. function address in the Process: 2011351231 109. function address ex Offset the Moduls: 182463
110. function name: DdeFreeStringHandle 110. function address in the Process: 2011320857 110. function address ex Offset the Moduls: 152089
111. function name: DdeGetData 111. function address in the Process: 2011347045 111. function address ex Offset the Moduls: 178277
112. function name: DdeGetLastError 112. function address in the Process: 2011430418 112. function address ex Offset the Moduls: 261650
113. function name: DdeGetQualityOfService 113. function address in the Process: 2011344527 113. function address ex Offset the Moduls: 175759
114. function name: DdeImpersonateClient 114. function address in the Process: 2011430473 114. function address ex Offset the Moduls: 261705
115. function name: DdeInitializeA 115. function address in the Process: 2011322915 115. function address ex Offset the Moduls: 154147
116. function name: DdeInitializeW 116. function address in the Process: 2011356997 116. function address ex Offset the Moduls: 188229
117. function name: DdeKeepStringHandle 117. function address in the Process: 2011454257 117. function address ex Offset the Moduls: 285489
118. function name: DdeNameService 118. function address in the Process: 2011321288 118. function address ex Offset the Moduls: 152520
119. function name: DdePostAdvise 119. function address in the Process: 2011483967 119. function address ex Offset the Moduls: 315199
120. function name: DdeQueryConvInfo 120. function address in the Process: 2011346404 120. function address ex Offset the Moduls: 177636
121. function name: DdeQueryNextServer 121. function address in the Process: 2011425022 121. function address ex Offset the Moduls: 256254
122. function name: DdeQueryStringA 122. function address in the Process: 2011341318 122. function address ex Offset the Moduls: 172550
123. function name: DdeQueryStringW 123. function address in the Process: 2011454034 123. function address ex Offset the Moduls: 285266
124. function name: DdeReconnect 124. function address in the Process: 2011424141 124. function address ex Offset the Moduls: 255373
125. function name: DdeSetQualityOfService 125. function address in the Process: 2011348461 125. function address ex Offset the Moduls: 179693
126. function name: DdeSetUserHandle 126. function address in the Process: 2011483468 126. function address ex Offset the Moduls: 314700
127. function name: DdeUnaccessData 127. function address in the Process: 2011351814 127. function address ex Offset the Moduls: 183046
128. function name: DdeUninitialize 128. function address in the Process: 2011323502 128. function address ex Offset the Moduls: 154734
129. function name: DefDlgProcA 129. function address in the Process: 2011198284 129. function address ex Offset the Moduls: 29516
130. function name: DefDlgProcW 130. function address in the Process: 2011198454 130. function address ex Offset the Moduls: 29686
131. function name: DefFrameProcA 131. function address in the Process: 2011257045 131. function address ex Offset the Moduls: 88277
132. function name: DefFrameProcW 132. function address in the Process: 2011207854 132. function address ex Offset the Moduls: 39086
133. function name: DefMDIChildProcA 133. function address in the Process: 2011258475 133. function address ex Offset the Moduls: 89707
134. function name: DefMDIChildProcW 134. function address in the Process: 2011207919 134. function address ex Offset the Moduls: 39151
135. function name: DefWindowProcA 135. function address in the Process: 2011188942 135. function address ex Offset the Moduls: 20174
136. function name: DefWindowProcW 136. function address in the Process: 2011187057 136. function address ex Offset the Moduls: 18289
137. function name: DeferWindowPos 137. function address in the Process: 2011199190 137. function address ex Offset the Moduls: 30422
138. function name: DeleteMenu 138. function address in the Process: 2011206297 138. function address ex Offset the Moduls: 37529
139. function name: DeregisterShellHookWindow 139. function address in the Process: 2011419417 139. function address ex Offset the Moduls: 250649
140. function name: DestroyAcceleratorTable 140. function address in the Process: 2011332532 140. function address ex Offset the Moduls: 163764
141. function name: DestroyCaret 141. function address in the Process: 2011199247 141. function address ex Offset the Moduls: 30479
142. function name: DestroyCursor 142. function address in the Process: 2011198584 142. function address ex Offset the Moduls: 29816
143. function name: DestroyIcon 143. function address in the Process: 2011198584 143. function address ex Offset the Moduls: 29816
144. function name: DestroyMenu 144. function address in the Process: 2011249703 144. function address ex Offset the Moduls: 80935
145. function name: DestroyWindow 145. function address in the Process: 2011192281 145. function address ex Offset the Moduls: 23513
146. function name: DeviceEventWorker 146. function address in the Process: 2011177929 146. function address ex Offset the Moduls: 9161
...
[/box:0cfc1d18f2]
Now we click back in the treeview on "Process Tasks and Token" and, by right-clicking in the treeview, read 4000 bytes of TNT's process memory as decimal doublewords. As the start address we take the load address of USER32.DLL here (for me 2011168768). For me this comes out:
[box:0cfc1d18f2]
X1=9460301 X2=3 X3=4 X4=65535 X5=184 X6=0 X7=64 X8=0 X9=0 X10=0
X11=0 X12=0 X13=0 X14=0 X15=0 X16=216 X17=247078670 X18=-855002112 X19=1275181089 X20=1750344141
X21=1881174889 X22=1919381362 X23=1663069537 X24=1869508193 X25=1700929652 X26=1853190688 X27=544106784 X28=542330692 X29=1701080941 X30=168627502
X31=36 X32=0 X33=-858161991 X34=-1615389187 X35=-1615389187 X36=-1615389187 X37=-1615454723 X38=-1615389481 X39=-1616626012 X40=-1615389195
X41=-1615784533 X42=-1615389188 X43=-1615249935 X44=-1615389185 X45=-1615389187 X46=-1615389308 X47=1751345490 X48=-1615389187 X49=0 X50=0
X51=0 X52=0 X53=0 X54=0 X55=17744 X56=262476 X57=989012787 X58=0 X59=0 X60=588120288
X61=201654539 X62=356352 X63=45056 X64=0 X65=130686 X66=4096 X67=339968 X68=2011168768 X69=4096 X70=512
X71=5 X72=5 X73=4 X74=0 X75=409600 X76=1024 X77=447213 X78=2 X79=262144 X80=4096
X81=1048576 X82=4096 X83=0 X84=16 X85=335248 X86=18213 X87=353461 X88=114 X89=364544 X90=30788
X91=0 X92=0 X93=0 X94=0 X95=397312 X96=10944 X97=360102 X98=28 X99=0 X100=0
X101=0 X102=0 X103=0 X104=0 X105=0 X106=0 X107=624 X108=76 X109=4096 X110=1200
X111=0 X112=0 X113=0 X114=0 X115=0 X116=0 X117=2019914798 X118=116 X119=356202 X120=4096
X121=356352 X122=1024 X123=0 X124=0 X125=0 X126=1610612768 X127=1952539694 X128=97 X129=3712 X130=360448
X131=2560 X132=357376 X133=0 X134=0 X135=0 X136=-1073741760 X137=1920168494 X138=99 X139=32768 X140=364544
X141=31232 X142=359936 X143=0 X144=0 X145=0 X146=1073741888 X147=1818587694 X148=25455 X149=10944 X150=397312
X151=11264 X152=391168 X153=0 X154=0 X155=0 X156=1107296320 X157=989012787 X158=40 X159=989012787 X160=65586
X161=989012787 X162=40 X163=989012787 X164=63 X165=0 X166=0 X167=1279546446 X168=1279536716 X169=1162543180 X170=1279610450
X171=1143878195 X172=1191201868 X173=842221892 X174=1280066606 X175=0 X176=0
...
[/box:0cfc1d18f2]
Now let's search for the number 17744; for me that is the doubleword with the identifier X55. From this doubleword we go 13 doublewords further (for me X68) => voilà, the load address of the module, for me the already familiar number 2011168768! Now we need the Windows calculator and subtract the load address (2011168768) from the entry-point address (for me 2011299454): 2011299454-2011168768=130686. Mmmh, so if one goes 3 doublewords back again, one finds here the address of the DLL's entry-point function, but here as an address from the module offset. If one were now to search for further addresses of export functions within the module, one would again and again find here not the absolute addresses but the offset addresses from the module start. Why is this so important??? Suppose one did not load a module through the LoadLibrary API or Profan's @UseDll(), but simply copied it into the memory of a foreign process: what, among other things, would have to be changed there? These addresses!
 For anyone wondering how I come up with such things => something like this usually occurs to me during my night shift...  |
|
|
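Added example, not part of the original post: the doubleword counting described above, done by parsing the PE header fields out of the first 96 values of the dump quoted in the post. The function and key names are illustrative; directory indices 0, 1 and 5 are the PE format's export, import and base-relocation entries.

```python
import re
import struct

# First 96 decimal doublewords of the dump quoted in the post
# (USER32.DLL on Windows 2000, read from load address 2011168768).
DUMP = """
X1=9460301 X2=3 X3=4 X4=65535 X5=184 X6=0 X7=64 X8=0 X9=0 X10=0 X11=0 X12=0
X13=0 X14=0 X15=0 X16=216 X17=247078670 X18=-855002112 X19=1275181089
X20=1750344141 X21=1881174889 X22=1919381362 X23=1663069537 X24=1869508193
X25=1700929652 X26=1853190688 X27=544106784 X28=542330692 X29=1701080941
X30=168627502 X31=36 X32=0 X33=-858161991 X34=-1615389187 X35=-1615389187
X36=-1615389187 X37=-1615454723 X38=-1615389481 X39=-1616626012
X40=-1615389195 X41=-1615784533 X42=-1615389188 X43=-1615249935
X44=-1615389185 X45=-1615389187 X46=-1615389308 X47=1751345490
X48=-1615389187 X49=0 X50=0 X51=0 X52=0 X53=0 X54=0 X55=17744 X56=262476
X57=989012787 X58=0 X59=0 X60=588120288 X61=201654539 X62=356352 X63=45056
X64=0 X65=130686 X66=4096 X67=339968 X68=2011168768 X69=4096 X70=512 X71=5
X72=5 X73=4 X74=0 X75=409600 X76=1024 X77=447213 X78=2 X79=262144 X80=4096
X81=1048576 X82=4096 X83=0 X84=16 X85=335248 X86=18213 X87=353461 X88=114
X89=364544 X90=30788 X91=0 X92=0 X93=0 X94=0 X95=397312 X96=10944
"""

def dump_to_bytes(text):
    """Turn 'Xn=value' pairs (signed decimal DWORDs) back into raw bytes."""
    pairs = [(int(n), int(v)) for n, v in re.findall(r"X(\d+)=(-?\d+)", text)]
    if [n for n, _ in pairs] != list(range(1, len(pairs) + 1)):
        raise ValueError("dump is not a gap-free run starting at X1")
    return struct.pack("<%di" % len(pairs), *(v for _, v in pairs))

def dword_label(offset):
    """Byte offset -> the 1-based Xn label used in the dump."""
    return "X%d" % (offset // 4 + 1)

def parse_pe_header(mem):
    """Read the PE32 fields the post locates by counting doublewords."""
    if mem[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", mem, 0x3C)
    if mem[e_lfanew:e_lfanew + 4] != b"PE\0\0":   # 17744 == 0x00004550
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                       # skip signature + COFF header
    (magic,) = struct.unpack_from("<H", mem, opt)
    if magic != 0x10B:
        raise ValueError("not a PE32 optional header")
    (entry_rva,) = struct.unpack_from("<I", mem, opt + 16)
    (image_base,) = struct.unpack_from("<I", mem, opt + 28)
    (n_dirs,) = struct.unpack_from("<I", mem, opt + 92)

    def directory(index):
        off = opt + 96 + 8 * index
        if index >= n_dirs or off + 8 > len(mem):
            raise ValueError("data directory %d not in dump" % index)
        return struct.unpack_from("<II", mem, off)  # (RVA, size)

    return {
        "pe_signature_at": dword_label(e_lfanew),
        "entry_rva_at": dword_label(opt + 16),
        "image_base_at": dword_label(opt + 28),
        "entry_rva": entry_rva,
        "image_base": image_base,
        "export_dir": directory(0),
        "import_dir": directory(1),
        "reloc_dir": directory(5),
    }

def rva_to_va(base, rva):
    """Absolute address of a module-relative offset for a module mapped at base."""
    return base + rva

HEADER = parse_pe_header(dump_to_bytes(DUMP))

if __name__ == "__main__":
    for key, value in HEADER.items():
        print(key, value)
    print("entry point:", rva_to_va(HEADER["image_base"], HEADER["entry_rva"]))
```

The header stores only module-relative offsets next to one preferred base, so every absolute address in the export list above is that base plus the listed offset.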
| |
|
|
|
 | And what else would need changing? Let's see... |
|
|
| |
|
|
|
 | je, jne, jmp, jl, jle, ja, jae, jnl, jng and call, possibly? Do these refer to absolute addresses? Time to get TNT out... |
|
|
| |
|
|
|
 | That means: once I have recovered from my night shift, vigorous disassembling.
 |
|
|
| |
|
|
|
 Michael Wodrich | And what do you disassemble with? Which program? |
|
|
| Programming, the most exciting detective game in the world. | 08/25/06 |
|
|
|
|
 | With W32 DASM; I make comparisons with TNT and do the conversions with the Windows calculator. Somewhat hard to explain at the moment... |
|
|
| |
|
|
|
 | What I'm up to: I want to load a User32.dll from an older operating system into a newer one and be able to address specific APIs in it. Loading: no trouble (see above), but somewhere the addresses for the jumps are not yet right, and I land again at the target of the API in the older User32. As I said, let's see where the hop goes wrong. |
|
|
| |
|
|
|
 Michael Wodrich | I guess I had always been looking in the wrong place. I need it for my ASM programs. Thanks.
Best wishes Michael Wodrich |
|
|
| Programming, the most exciting detective game in the world. | 08/25/06 |
|
|
|
|
 | So, the jump references within the source code apparently all refer to relative addresses, so that could stay as it is, as long as they do not refer to addresses outside the DLL.
With the import functions and their addresses, however, things look different; those would have to be adjusted in any case. How one (with[...] ) gets at them and changes them in a loaded DLL, I will show here later. |
|
|
| |
|
|