找回密码
 立即注册→加入我们

QQ登录

只需一步,快速开始

搜索
热搜: 下载 VB C 实现 编写
查看: 9221|回复: 11

关于IDA库函数识别技术的讨论

[复制链接]
发表于 2015-1-15 01:46:38 | 显示全部楼层 |阅读模式

欢迎访问技术宅的结界,请注册或者登录吧。

您需要 登录 才可以下载或查看,没有账号?立即注册→加入我们

×
1.问题:lib是否应该分类?
    我并没有系统研究过lib文件格式,不过从某些解析器可以看出含有目录结构,是多个文件打包处理后形成的一种文件,其中的文件可以通过VS自带工具解包出来。一般含有2种子文件形式:.dll和.obj。前者是动态链接库编译生成的文件形式,里面仅有链接信息而没有实际执行代码,用于定位到dll中的函数,而obj则是代码编译产生的可执行机器码。对于静态链接库工程编译后得到的lib(我称为“第一种lib文件格式”),用ida打开可以看到这个lib包含多个obj文件,给第三方使用时只需要用#pragma comment(lib,"*.lib")包含进来即可,结果是obj中的代码转移到生成的可执行文件中;对于动态链接库工程编译后得到的lib(我称为“第一种lib文件格式”)和dll,lib用IDA打开可以发现包含多个dll文件,他们只有定位dll函数的作用,而实际执行代码在dll中,给第三方使用时,如果单纯用dll则调用LoadLibrary和GetProcAddress系列API获得函数指针从而进行调用,如果同时使用lib和dll则只需要用#pragma comment(lib,"*.lib")包含进来即可使用里面的函数,这两种方式我把他称为“静态方式的动态链接”和“动态方式的动态链接”,无论哪种方式,dll都必须存在于可执行文件目录,否则无法运行。
    对于“第二种lib文件格式”解包的dll文件分析其PE格式,可以发现并不是常规的dll格式也就是PE格式,而只是一部分,且含有.debug .idata段,目前还没做深入研究。

2.问题:如何找到某种框架、运行库链接阶段用到的文件?
    在前一个帖子http://www.0xaa55.com/forum.php? ... tid=1021&extra=《关于MSVC的几个问题的研究》中,我已经提供了使用procmon监视文件系统获取编译使用文件的方法,在这里我提供另一种方法——使用调试器,这种方法比较高级也比较彻底,不过需要对调试指令有所了解。使用WinDbg打开MSVC主程序msdev.exe,打开对话框底部勾选“调试子进程”,这样对于由于编译调用CreateProcess产生的一系列子进程及孙进程都可进行调试。载入后运行,在MSVC建立MFC工程,编译前在WinDbg中暂停该进程下断点(注意是一整行):
bp Kernel32!CreateFileA "da poi([esp+4]);g";bp Kernel32!CreateFileW "du poi([esp+4]);g";g
之后Ctrl+F5编译,运行,此后在WinDbg中会产生异常暂停几次,这是由于产生了新进程,一旦遇到这种情况需要在新进程里重新设置以上断点,总共十几次,最后得到满满的记录如下:
006346f0  ""
006346f0  ""
006346f0  ""
022e3208  "G:\temp\ConsoleApplication1\1\De"
022e3228  "bug\vc60.idb"
00672410  "G:\temp\ConsoleApplication1\1\De"
00672450  "bug\vc60.idb"
022b22c0  "G:\temp\ConsoleApplication1\1\1."
022b22e0  "plg"
00634418  "G:\temp\ConsoleApplication1\1\1."
00634458  "plg"
022e3208  "C:\Users\ADMINI~1\AppData\Local\"
022e3228  "Temp\RSPA726.tmp"
00672410  "C:\Users\ADMINI~1\AppData\Local\"
00672450  "Temp\RSPA726.tmp"
022b6718  "C:\Users\ADMINI~1\AppData\Local\"
022b6738  "Temp\RSPA727.tmp"
00672410  "C:\Users\ADMINI~1\AppData\Local\"
00672450  "Temp\RSPA727.tmp"
50021544  "NUL"
0063ca30  "NUL"

ModLoad: 00400000 00405000   vcspawn.exe
ModLoad: 01000000 01004000   rc.exe  

(1b64.1afc): Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
eax=00000000 ebx=00000000 ecx=9ce80000 edx=0008e3c8 esi=fffffffe edi=00000000
eip=7743103b esp=000cfb08 ebp=000cfb34 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!LdrVerifyImageMatchesChecksum+0x96c:
7743103b cc              int     3
2:009> bp Kernel32!CreateFileA "da poi([esp+4]);g";bp Kernel32!CreateFileW "du poi([esp+4]);g";g
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\syswow64\kernel32.dll -
ModLoad: 722a0000 722ec000   C:\Windows\SysWOW64\apphelp.dll
ModLoad: 70ed0000 70ed2000   C:\Windows\AppPatch\acres.dll
ModLoad: 750e0000 75140000   C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 74d90000 74e5c000   C:\Windows\syswow64\MSCTF.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\syswow64\MSVCRT.dll -
71c44f50  "Debug/1.res"
004c5c68  "Debug/1.res"
71c45c38  "G:\temp\ConsoleApplication1\1\1."
71c45c58  "rc"
004ca8f0  "G:\temp\ConsoleApplication1\1\1."
004ca930  "rc"
00210580  "G:\temp\ConsoleApplication1\1\De"
002105a0  "bug\RCa06908"
004ca960  "G:\temp\ConsoleApplication1\1\De"
004ca9a0  "bug\RCa06908"
71c38540  "G:\temp\ConsoleApplication1\1\De"
71c38560  "bug\RDa06908"
004ca960  "G:\temp\ConsoleApplication1\1\De"
004ca9a0  "bug\RDa06908"
71c38540  "G:\temp\ConsoleApplication1\1\De"
71c38560  "bug\RCa06908"
004ca960  "G:\temp\ConsoleApplication1\1\De"
004ca9a0  "bug\RCa06908"
71c38540  "G:\temp\ConsoleApplication1\1\re"
71c38560  "source.h"
004ca9d0  "G:\temp\ConsoleApplication1\1\re"
004caa10  "source.h"
71c38540  "G:\temp\ConsoleApplication1\1\af"
71c38560  "xres.h"
004ca9d0  "G:\temp\ConsoleApplication1\1\af"
004caa10  "xres.h"
71c38540  "./afxres.h"
004ca9d0  "./afxres.h"
71c38540  "G:\temp\ConsoleApplication1\1\af"
71c38560  "xres.h"
004ca9d0  "G:\temp\ConsoleApplication1\1\af"
004caa10  "xres.h"
71c38540  "./afxres.h"
004ca9d0  "./afxres.h"
71c38540  "E:\Program Files\Microsoft Visua"
71c38560  "l Studio\VC98\INCLUDE/afxres.h"
004ca9d0  "E:\Program Files\Microsoft Visua"
004caa10  "l Studio\VC98\INCLUDE/afxres.h"
71c38540  "E:\Program Files\Microsoft Visua"
71c38560  "l Studio\VC98\MFC\INCLUDE/afxres"
71c38580  ".h"
004ca9d0  "E:\Program Files\Microsoft Visua"
004caa10  "l Studio\VC98\MFC\INCLUDE/afxres"
004caa50  ".h"
71c38540  "E:\Program Files\Microsoft Visua"
71c38560  "l Studio\VC98\MFC\INCLUDE/winres"
71c38580  ".h"
004caa40  "E:\Program Files\Microsoft Visua"
004caa80  "l Studio\VC98\MFC\INCLUDE/winres"
004caac0  ".h"
71c38540  "./winresrc.h"
004caab0  "./winresrc.h"
71c38540  "G:\temp\ConsoleApplication1\1\wi"
71c38560  "nresrc.h"
004caab0  "G:\temp\ConsoleApplication1\1\wi"
004caaf0  "nresrc.h"
71c38540  "./winresrc.h"
004caab0  "./winresrc.h"
71c38540  "E:\Program Files\Microsoft Visua"
71c38560  "l Studio\VC98\INCLUDE/winresrc.h"
71c38580  ""
004caab0  "E:\Program Files\Microsoft Visua"
004caaf0  "l Studio\VC98\INCLUDE/winresrc.h"
004cab30  ""
71c38540  "./winuser.rh"
004cab20  "./winuser.rh"
71c38540  "G:\temp\ConsoleApplication1\1\wi"
71c38560  "nuser.rh"
004cab20  "G:\temp\ConsoleApplication1\1\wi"
004cab60  "nuser.rh"
71c38540  "./winuser.rh"
004cab20  "./winuser.rh"
71c38540  "E:\Program Files\Microsoft Visua"
71c38560  "l Studio\VC98\INCLUDE/winuser.rh"
71c38580  ""
004cab20  "E:\Program Files\Microsoft Visua"
004cab60  "l Studio\VC98\INCLUDE/winuser.rh"
004caba0  ""
71c38540  "./commctrl.rh"
004cab20  "./commctrl.rh"
71c38540  "G:\temp\ConsoleApplication1\1\co"
71c38560  "mmctrl.rh"
004cab20  "G:\temp\ConsoleApplication1\1\co"
004cab60  "mmctrl.rh"
71c38540  "./commctrl.rh"
004cab20  "./commctrl.rh"
71c38540  "E:\Program Files\Microsoft Visua"
71c38560  "l Studio\VC98\INCLUDE/commctrl.r"
71c38580  "h"
004cab20  "E:\Program Files\Microsoft Visua"
004cab60  "l Studio\VC98\INCLUDE/commctrl.r"
004caba0  "h"
71c38540  "./dde.rh"
004cab20  "./dde.rh"
71c38540  "G:\temp\ConsoleApplication1\1\dd"
71c38560  "e.rh"
004cab20  "G:\temp\ConsoleApplication1\1\dd"
004cab60  "e.rh"
71c38540  "./dde.rh"
004cab20  "./dde.rh"
71c38540  "E:\Program Files\Microsoft Visua"
71c38560  "l Studio\VC98\INCLUDE/dde.rh"
004cab20  "E:\Program Files\Microsoft Visua"
004cab60  "l Studio\VC98\INCLUDE/dde.rh"
71c38540  "./winnt.rh"
004cab20  "./winnt.rh"
71c38540  "G:\temp\ConsoleApplication1\1\wi"
71c38560  "nnt.rh"
004cab20  "G:\temp\ConsoleApplication1\1\wi"
004cab60  "nnt.rh"
71c38540  "./winnt.rh"
004cab20  "./winnt.rh"
71c38540  "E:\Program Files\Microsoft Visua"
71c38560  "l Studio\VC98\INCLUDE/winnt.rh"
004cab20  "E:\Program Files\Microsoft Visua"
004cab60  "l Studio\VC98\INCLUDE/winnt.rh"
71c38540  "./dlgs.h"
004cab20  "./dlgs.h"
71c38540  "G:\temp\ConsoleApplication1\1\dl"
71c38560  "gs.h"
004cab20  "G:\temp\ConsoleApplication1\1\dl"
004cab60  "gs.h"
71c38540  "./dlgs.h"
004cab20  "./dlgs.h"
71c38540  "E:\Program Files\Microsoft Visua"
71c38560  "l Studio\VC98\INCLUDE/dlgs.h"
004cab20  "E:\Program Files\Microsoft Visua"
004cab60  "l Studio\VC98\INCLUDE/dlgs.h"
71c38540  "./winver.h"
004cab20  "./winver.h"
71c38540  "G:\temp\ConsoleApplication1\1\wi"
71c38560  "nver.h"
004cab20  "G:\temp\ConsoleApplication1\1\wi"
004cab60  "nver.h"
71c38540  "./winver.h"
004cab20  "./winver.h"
71c38540  "E:\Program Files\Microsoft Visua"
71c38560  "l Studio\VC98\INCLUDE/winver.h"
004cab20  "E:\Program Files\Microsoft Visua"
004cab60  "l Studio\VC98\INCLUDE/winver.h"
71c38540  "G:\temp\ConsoleApplication1\1\re"
71c38560  "s\\1.rc2"
004cab20  "G:\temp\ConsoleApplication1\1\re"
004cab60  "s\\1.rc2"
71c38540  "G:\temp\ConsoleApplication1\1\l."
71c38560  "chs\\afxres.rc"
004cab20  "G:\temp\ConsoleApplication1\1\l."
004cab60  "chs\\afxres.rc"
71c38540  "./l.chs\\afxres.rc"
004cab20  "./l.chs\\afxres.rc"
71c38540  "G:\temp\ConsoleApplication1\1\l."
71c38560  "chs\\afxres.rc"
004cab20  "G:\temp\ConsoleApplication1\1\l."
004cab60  "chs\\afxres.rc"
71c38540  "./l.chs\\afxres.rc"
004cab20  "./l.chs\\afxres.rc"
71c38540  "E:\Program Files\Microsoft Visua"
71c38560  "l Studio\VC98\INCLUDE/l.chs\\afx"
71c38580  "res.rc"
004cab20  "E:\Program Files\Microsoft Visua"
004cab60  "l Studio\VC98\INCLUDE/l.chs\\afx"
004caba0  "res.rc"
71c38540  "E:\Program Files\Microsoft Visua"
71c38560  "l Studio\VC98\MFC\INCLUDE/l.chs\"
71c38580  "\afxres.rc"
004cab20  "E:\Program Files\Microsoft Visua"
004cab60  "l Studio\VC98\MFC\INCLUDE/l.chs\"
004caba0  "\afxres.rc"
002109d0  "G:\temp\ConsoleApplication1\1\De"
002109f0  "bug\RDa06908"
004cab20  "G:\temp\ConsoleApplication1\1\De"
004cab60  "bug\RDa06908"
000cf338  "G:\temp\ConsoleApplication1\1\re"
000cf358  "s\1.ico"
004cab20  "G:\temp\ConsoleApplication1\1\re"
004cab60  "s\1.ico"
000cf338  "G:\temp\ConsoleApplication1\1\re"
000cf358  "s\1.ico"
004cab20  "G:\temp\ConsoleApplication1\1\re"
004cab60  "s\1.ico"
000cf338  "G:\temp\ConsoleApplication1\1\re"
000cf358  "s\help.cur"
004cab20  "G:\temp\ConsoleApplication1\1\re"
004cab60  "s\help.cur"
000cf338  ".\res\help.cur"
004cab20  ".\res\help.cur"
000cf338  "\res\help.cur"
004cab20  "\res\help.cur"
000cf338  "E:\Program Files\Microsoft Visua"
000cf358  "l Studio\VC98\INCLUDE\res\help.c"
000cf378  "ur"
004cab20  "E:\Program Files\Microsoft Visua"
004cab60  "l Studio\VC98\INCLUDE\res\help.c"
004caba0  "ur"
000cf338  "E:\Program Files\Microsoft Visua"
000cf358  "l Studio\VC98\MFC\INCLUDE\res\he"
000cf378  "lp.cur"
004cab20  "E:\Program Files\Microsoft Visua"
004cab60  "l Studio\VC98\MFC\INCLUDE\res\he"
004caba0  "lp.cur"
000cf338  "E:\Program Files\Microsoft Visua"
000cf358  "l Studio\VC98\MFC\INCLUDE\res\he"
000cf378  "lp.cur"
004cab20  "E:\Program Files\Microsoft Visua"
004cab60  "l Studio\VC98\MFC\INCLUDE\res\he"
004caba0  "lp.cur"
000cf338  "G:\temp\ConsoleApplication1\1\re"
000cf358  "s\3dcheck.bmp"
004cab20  "G:\temp\ConsoleApplication1\1\re"
004cab60  "s\3dcheck.bmp"
000cf338  ".\res\3dcheck.bmp"
004cab20  ".\res\3dcheck.bmp"
000cf338  "\res\3dcheck.bmp"
004cab20  "\res\3dcheck.bmp"
000cf338  "E:\Program Files\Microsoft Visua"
000cf358  "l Studio\VC98\INCLUDE\res\3dchec"
000cf378  "k.bmp"
004cab20  "E:\Program Files\Microsoft Visua"
004cab60  "l Studio\VC98\INCLUDE\res\3dchec"
004caba0  "k.bmp"
000cf338  "E:\Program Files\Microsoft Visua"
000cf358  "l Studio\VC98\MFC\INCLUDE\res\3d"
000cf378  "check.bmp"
004cab20  "E:\Program Files\Microsoft Visua"
004cab60  "l Studio\VC98\MFC\INCLUDE\res\3d"
004caba0  "check.bmp"
000cf338  "E:\Program Files\Microsoft Visua"
000cf358  "l Studio\VC98\MFC\INCLUDE\res\3d"
000cf378  "check.bmp"
004cab20  "E:\Program Files\Microsoft Visua"
004cab60  "l Studio\VC98\MFC\INCLUDE\res\3d"
004caba0  "check.bmp"
000cf338  "G:\temp\ConsoleApplication1\1\re"
000cf358  "s\minifwnd.bmp"
004cab20  "G:\temp\ConsoleApplication1\1\re"
004cab60  "s\minifwnd.bmp"
000cf338  ".\res\minifwnd.bmp"
004cab20  ".\res\minifwnd.bmp"
000cf338  "\res\minifwnd.bmp"
004cab20  "\res\minifwnd.bmp"
000cf338  "E:\Program Files\Microsoft Visua"
000cf358  "l Studio\VC98\INCLUDE\res\minifw"
000cf378  "nd.bmp"
004cab20  "E:\Program Files\Microsoft Visua"
004cab60  "l Studio\VC98\INCLUDE\res\minifw"
004caba0  "nd.bmp"
000cf338  "E:\Program Files\Microsoft Visua"
000cf358  "l Studio\VC98\MFC\INCLUDE\res\mi"
000cf378  "nifwnd.bmp"
004cab20  "E:\Program Files\Microsoft Visua"
004cab60  "l Studio\VC98\MFC\INCLUDE\res\mi"
004caba0  "nifwnd.bmp"
000cf338  "E:\Program Files\Microsoft Visua"
000cf358  "l Studio\VC98\MFC\INCLUDE\res\mi"
000cf378  "nifwnd.bmp"
004cab20  "E:\Program Files\Microsoft Visua"
004cab60  "l Studio\VC98\MFC\INCLUDE\res\mi"
004caba0  "nifwnd.bmp"
000cf338  "G:\temp\ConsoleApplication1\1\re"
000cf358  "s\ntcheck.bmp"
004cab20  "G:\temp\ConsoleApplication1\1\re"
004cab60  "s\ntcheck.bmp"
000cf338  ".\res\ntcheck.bmp"
004cab20  ".\res\ntcheck.bmp"
000cf338  "\res\ntcheck.bmp"
004cab20  "\res\ntcheck.bmp"
000cf338  "E:\Program Files\Microsoft Visua"
000cf358  "l Studio\VC98\INCLUDE\res\ntchec"
000cf378  "k.bmp"
004cab20  "E:\Program Files\Microsoft Visua"
004cab60  "l Studio\VC98\INCLUDE\res\ntchec"
004caba0  "k.bmp"
000cf338  "E:\Program Files\Microsoft Visua"
000cf358  "l Studio\VC98\MFC\INCLUDE\res\nt"
000cf378  "check.bmp"
004cab20  "E:\Program Files\Microsoft Visua"
004cab60  "l Studio\VC98\MFC\INCLUDE\res\nt"
004caba0  "check.bmp"
000cf338  "E:\Program Files\Microsoft Visua"
000cf358  "l Studio\VC98\MFC\INCLUDE\res\nt"
000cf378  "check.bmp"
004cab20  "E:\Program Files\Microsoft Visua"
004cab60  "l Studio\VC98\MFC\INCLUDE\res\nt"
004caba0  "check.bmp"
000cf338  "G:\temp\ConsoleApplication1\1\re"
000cf358  "s\95check.bmp"
004cab20  "G:\temp\ConsoleApplication1\1\re"
004cab60  "s\95check.bmp"
000cf338  ".\res\95check.bmp"
004cab20  ".\res\95check.bmp"
000cf338  "\res\95check.bmp"
004cab20  "\res\95check.bmp"
000cf338  "E:\Program Files\Microsoft Visua"
000cf358  "l Studio\VC98\INCLUDE\res\95chec"
000cf378  "k.bmp"
004cab20  "E:\Program Files\Microsoft Visua"
004cab60  "l Studio\VC98\INCLUDE\res\95chec"
004caba0  "k.bmp"
000cf338  "E:\Program Files\Microsoft Visua"
000cf358  "l Studio\VC98\MFC\INCLUDE\res\95"
000cf378  "check.bmp"
004cab20  "E:\Program Files\Microsoft Visua"
004cab60  "l Studio\VC98\MFC\INCLUDE\res\95"
004caba0  "check.bmp"
000cf338  "E:\Program Files\Microsoft Visua"
000cf358  "l Studio\VC98\MFC\INCLUDE\res\95"
000cf378  "check.bmp"
004cab20  "E:\Program Files\Microsoft Visua"
004cab60  "l Studio\VC98\MFC\INCLUDE\res\95"
004caba0  "check.bmp"
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=77492100 edi=774920c0
eip=773afcc2 esp=000cfe9c ebp=000cfeb8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!NtTerminateProcess+0x12:
773afcc2 83c404          add     esp,4
2:009> bp Kernel32!CreateFileA "da poi([esp+4]);g";bp Kernel32!CreateFileW "du poi([esp+4]);g";g
breakpoint 4 redefined
breakpoint 5 redefined
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
ModLoad: 00400000 00410000   image00400000
ModLoad: 77390000 77510000   ntdll.dll
ModLoad: 76540000 76650000   C:\Windows\syswow64\kernel32.dll
ModLoad: 75270000 752b7000   C:\Windows\syswow64\KERNELBASE.dll
ModLoad: 76dc0000 76ec0000   C:\Windows\syswow64\USER32.dll
ModLoad: 76f00000 76f90000   C:\Windows\syswow64\GDI32.dll
ModLoad: 76a60000 76a6a000   C:\Windows\syswow64\LPK.dll
ModLoad: 752c0000 7535d000   C:\Windows\syswow64\USP10.dll
ModLoad: 763a0000 7644c000   C:\Windows\syswow64\msvcrt.dll
ModLoad: 753a0000 75440000   C:\Windows\syswow64\ADVAPI32.dll
ModLoad: 75140000 75159000   C:\Windows\SysWOW64\sechost.dll
ModLoad: 76650000 76740000   C:\Windows\syswow64\RPCRT4.dll
ModLoad: 74d20000 74d80000   C:\Windows\syswow64\SspiCli.dll
ModLoad: 74d10000 74d1c000   C:\Windows\syswow64\CRYPTBASE.dll
ModLoad: 10300000 1032c000   E:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\mspdb60.dll
(8c0.1db8): Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
eax=00000000 ebx=00000000 ecx=fbd70000 edx=0008e3c8 esi=fffffffe edi=00000000
eip=7743103b esp=0018fb08 ebp=0018fb34 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!LdrVerifyImageMatchesChecksum+0x96c:
7743103b cc              int     3
2:009> bp Kernel32!CreateFileA "da poi([esp+4]);g";bp Kernel32!CreateFileW "du poi([esp+4]);g";g
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\syswow64\kernel32.dll -
ModLoad: 750e0000 75140000   C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 74d90000 74e5c000   C:\Windows\syswow64\MSCTF.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\syswow64\msvcrt.dll -
00542796  "C:\Users\ADMINI~1\AppData\Local\"
005427b6  "Temp\RSPA727.tmp"
00598fa0  "C:\Users\ADMINI~1\AppData\Local\"
00598fe0  "Temp\RSPA727.tmp"
00542796  "C:\Users\ADMINI~1\AppData\Local\"
005427b6  "Temp\RSPA727.tmp"
00598fa0  "C:\Users\ADMINI~1\AppData\Local\"
00598fe0  "Temp\RSPA727.tmp"
00542796  "C:\Users\ADMINI~1\AppData\Local\"
005427b6  "Temp\RSPA727.tmp"
00598fa0  "C:\Users\ADMINI~1\AppData\Local\"
00598fe0  "Temp\RSPA727.tmp"
00546390  "Debug/vc60.idb"
00598fa0  "Debug/vc60.idb"
00546390  "Debug/vc60.idb"
00598fa0  "Debug/vc60.idb"
ModLoad: 10400000 10520000   E:\Program Files\Microsoft Visual Studio\VC98\BIN\c1xx.dll
005469bf  "Debug/1.pch"
00598fa0  "Debug/1.pch"
104de8d1  "Debug/1.pch"
00598fa0  "Debug/1.pch"
104deb31  "C:\Users\ADMINI~1\AppData\Local\"
104deb51  "Temp\a07608sy"
005990d0  "C:\Users\ADMINI~1\AppData\Local\"
00599110  "Temp\a07608sy"
104dea01  "C:\Users\ADMINI~1\AppData\Local\"
104dea21  "Temp\a07608gl"
00599140  "C:\Users\ADMINI~1\AppData\Local\"
00599180  "Temp\a07608gl"
104de7a1  "C:\Users\ADMINI~1\AppData\Local\"
104de7c1  "Temp\a07608in"
005991b0  "C:\Users\ADMINI~1\AppData\Local\"
005991f0  "Temp\a07608in"
104dec61  "C:\Users\ADMINI~1\AppData\Local\"
104dec81  "Temp\a07608db"
00599388  "C:\Users\ADMINI~1\AppData\Local\"
005993c8  "Temp\a07608db"
005468b8  "G:\temp\ConsoleApplication1\1\St"
005468d8  "dAfx.cpp"
005998b0  "G:\temp\ConsoleApplication1\1\St"
005998f0  "dAfx.cpp"
104d1d67  "g:\temp\consoleapplication1\1\de"
104d1d87  "bug\vc60.pdb"
005998e8  "g:\temp\consoleapplication1\1\de"
00599928  "bug\vc60.pdb"
104d1d67  "g:\temp\consoleapplication1\1\de"
104d1d87  "bug\vc60.pdb"
005998e8  "g:\temp\consoleapplication1\1\de"
00599928  "bug\vc60.pdb"
104d2d20  "g:\temp\consoleapplication1\1\de"
104d2d40  "bug\vc60.idb"
00599920  "g:\temp\consoleapplication1\1\de"
00599960  "bug\vc60.idb"
0018eee4  "g:\temp\consoleapplication1\1\st"
0018ef04  "dafx.h"
00599958  "g:\temp\consoleapplication1\1\st"
00599998  "dafx.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\afxwin.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\afxwin.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\MFC\INCLUDE\afxwin"
0018ef24  ".h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\MFC\INCLUDE\afxwin"
005999d8  ".h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\afx.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\afx.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\MFC\INCLUDE\afx.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\MFC\INCLUDE\afx.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\afxver_.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\afxver_.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\MFC\INCLUDE\afxver"
0018ef24  "_.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\MFC\INCLUDE\afxver"
005999d8  "_.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\afxv_w32.h"
0018ef24  ""
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\afxv_w32.h"
005999d8  ""
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\MFC\INCLUDE\afxv_w"
0018ef24  "32.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\MFC\INCLUDE\afxv_w"
005999d8  "32.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\windows.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\windows.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\excpt.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\excpt.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\stdarg.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\stdarg.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\windef.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\windef.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\winnt.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\winnt.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\ctype.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\ctype.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\basetsd.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\basetsd.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\pshpack4.h"
0018ef24  ""
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\pshpack4.h"
005999d8  ""
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\poppack.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\poppack.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\pshpack4.h"
0018ef24  ""
00599958  "e:\program files\microsoft visua"
00599998  "l studio\vc98\include\pshpack4.h"
005999d8  ""
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\pshpack2.h"
0018ef24  ""
00599958  "e:\program files\microsoft visua"
00599998  "l studio\vc98\include\pshpack2.h"
005999d8  ""
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\poppack.h"
00599958  "e:\program files\microsoft visua"
00599998  "l studio\vc98\include\poppack.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\pshpack2.h"
0018ef24  ""
00599958  "e:\program files\microsoft visua"
00599998  "l studio\vc98\include\pshpack2.h"
005999d8  ""
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\poppack.h"
00599958  "e:\program files\microsoft visua"
00599998  "l studio\vc98\include\poppack.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\pshpack8.h"
0018ef24  ""
00599958  "e:\program files\microsoft visua"
00599998  "l studio\vc98\include\pshpack8.h"
005999d8  ""
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\poppack.h"
00599958  "e:\program files\microsoft visua"
00599998  "l studio\vc98\include\poppack.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\poppack.h"
00599958  "e:\program files\microsoft visua"
00599998  "l studio\vc98\include\poppack.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\string.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\string.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\winbase.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\winbase.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\winerror.h"
0018ef24  ""
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\winerror.h"
005999d8  ""
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\wingdi.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\wingdi.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\pshpack1.h"
0018ef24  ""
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\pshpack1.h"
005999d8  ""
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\poppack.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\poppack.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\pshpack2.h"
0018ef24  ""
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\pshpack2.h"
005999d8  ""
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\poppack.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\poppack.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\pshpack2.h"
0018ef24  ""
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\pshpack2.h"
005999d8  ""
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\poppack.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\poppack.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\pshpack4.h"
0018ef24  ""
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\pshpack4.h"
005999d8  ""
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\poppack.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\poppack.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\winuser.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\winuser.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\pshpack2.h"
0018ef24  ""
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\pshpack2.h"
005999d8  ""
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\poppack.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\poppack.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\winnls.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\winnls.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\wincon.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\wincon.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\winver.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\winver.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\winreg.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\winreg.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\winnetwk.h"
0018ef24  ""
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\winnetwk.h"
005999d8  ""
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\addfunc.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\addfunc.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\zmouse.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\zmouse.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\commctrl.h"
0018ef24  ""
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\commctrl.h"
005999d8  ""
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\pshpack1.h"
0018ef24  ""
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\pshpack1.h"
005999d8  ""
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\prsht.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\prsht.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\poppack.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\poppack.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\tchar.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\tchar.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\mbstring.h"
0018ef24  ""
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\mbstring.h"
005999d8  ""
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\mbctype.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\mbctype.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\stdio.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\stdio.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\stdlib.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\stdlib.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\time.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\time.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\limits.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\limits.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\stddef.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\stddef.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\crtdbg.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\crtdbg.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\afxcoll.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\afxcoll.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\MFC\INCLUDE\afxcol"
0018ef24  "l.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\MFC\INCLUDE\afxcol"
005999d8  "l.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\afxstat_.h"
0018ef24  ""
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\afxstat_.h"
005999d8  ""
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\MFC\INCLUDE\afxsta"
0018ef24  "t_.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\MFC\INCLUDE\afxsta"
005999d8  "t_.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\afxtls_.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\afxtls_.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\MFC\INCLUDE\afxtls"
0018ef24  "_.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\MFC\INCLUDE\afxtls"
005999d8  "_.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\shellapi.h"
0018ef24  ""
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\shellapi.h"
005999d8  ""
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\pshpack1.h"
0018ef24  ""
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\pshpack1.h"
005999d8  ""
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\poppack.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\poppack.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\afxres.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\afxres.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\MFC\INCLUDE\afxres"
0018ef24  ".h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\MFC\INCLUDE\afxres"
005999d8  ".h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\afxmsg_.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\afxmsg_.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\MFC\INCLUDE\afxmsg"
0018ef24  "_.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\MFC\INCLUDE\afxmsg"
005999d8  "_.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\afxdd_.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\afxdd_.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\MFC\INCLUDE\afxdd_"
0018ef24  ".h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\MFC\INCLUDE\afxdd_"
005999d8  ".h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\afxext.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\afxext.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\MFC\INCLUDE\afxext"
0018ef24  ".h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\MFC\INCLUDE\afxext"
005999d8  ".h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\afxdlgs.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\afxdlgs.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\MFC\INCLUDE\afxdlg"
0018ef24  "s.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\MFC\INCLUDE\afxdlg"
005999d8  "s.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\commdlg.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\commdlg.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\pshpack1.h"
0018ef24  ""
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\pshpack1.h"
005999d8  ""
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\poppack.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\poppack.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\richedit.h"
0018ef24  ""
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\richedit.h"
005999d8  ""
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\pshpack4.h"
0018ef24  ""
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\pshpack4.h"
005999d8  ""
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\poppack.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\poppack.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\afxdtctl.h"
0018ef24  ""
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\afxdtctl.h"
005999d8  ""
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\MFC\INCLUDE\afxdtc"
0018ef24  "tl.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\MFC\INCLUDE\afxdtc"
005999d8  "tl.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\afxdisp.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\afxdisp.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\MFC\INCLUDE\afxdis"
0018ef24  "p.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\MFC\INCLUDE\afxdis"
005999d8  "p.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\objbase.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\objbase.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\rpc.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\rpc.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\rpcdce.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\rpcdce.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\rpcdcep.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\rpcdcep.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\rpcnsi.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\rpcnsi.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\rpcnterr.h"
0018ef24  ""
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\rpcnterr.h"
005999d8  ""
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\winerror.h"
0018ef24  ""
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\winerror.h"
005999d8  ""
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\rpcasync.h"
0018ef24  ""
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\rpcasync.h"
005999d8  ""
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\rpcndr.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\rpcndr.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\rpcnsip.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\rpcnsip.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\pshpack4.h"
0018ef24  ""
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\pshpack4.h"
005999d8  ""
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\poppack.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\poppack.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\pshpack8.h"
0018ef24  ""
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\pshpack8.h"
005999d8  ""
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\wtypes.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\wtypes.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpc.h"
00599958  "e:\program files\microsoft visua"
00599998  "l studio\vc98\include\rpc.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpcndr.h"
00599958  "e:\program files\microsoft visua"
00599998  "l studio\vc98\include\rpcndr.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\unknwn.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\unknwn.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpc.h"
00599958  "e:\program files\microsoft visua"
00599998  "l studio\vc98\include\rpc.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpcndr.h"
00599958  "e:\program files\microsoft visua"
00599998  "l studio\vc98\include\rpcndr.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\ole2.h"
00599958  "e:\program files\microsoft visua"
00599998  "l studio\vc98\include\ole2.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\pshpack8.h"
0018ef24  ""
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\pshpack8.h"
005999d8  ""
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\winerror.h"
0018ef24  ""
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\winerror.h"
005999d8  ""
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\objbase.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\objbase.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\rpc.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\rpc.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\rpcndr.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\rpcndr.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\oleauto.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\oleauto.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\pshpack8.h"
0018ef24  ""
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\pshpack8.h"
005999d8  ""
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\oaidl.h"
00599958  "E:\Program Files\Microsoft Visua"
00599998  "l Studio\VC98\INCLUDE\oaidl.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpc.h"
00599958  "e:\program files\microsoft visua"
00599998  "l studio\vc98\include\rpc.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpcndr.h"
00599958  "e:\program files\microsoft visua"
00599998  "l studio\vc98\include\rpcndr.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\ole2.h"
00599958  "e:\program files\microsoft visua"
00599998  "l studio\vc98\include\ole2.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\objidl.h"
00599958  "e:\program files\microsoft visua"
00599998  "l studio\vc98\include\objidl.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpc.h"
00599958  "e:\program files\microsoft visua"
00599998  "l studio\vc98\include\rpc.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpcndr.h"
00599958  "e:\program files\microsoft visua"
00599998  "l studio\vc98\include\rpcndr.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\ole2.h"
00599958  "e:\program files\microsoft visua"
00599998  "l studio\vc98\include\ole2.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\unknwn.h"
00599958  "e:\program files\microsoft visua"
00599998  "l studio\vc98\include\unknwn.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpc.h"
00599958  "e:\program files\microsoft visua"
00599998  "l studio\vc98\include\rpc.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpcndr.h"
00599958  "e:\program files\microsoft visua"
00599998  "l studio\vc98\include\rpcndr.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\ole2.h"
00599958  "e:\program files\microsoft visua"
00599998  "l studio\vc98\include\ole2.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\wtypes.h"
00599958  "e:\program files\microsoft visua"
00599998  "l studio\vc98\include\wtypes.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpc.h"
00599958  "e:\program files\microsoft visua"
00599998  "l studio\vc98\include\rpc.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpcndr.h"
00599958  "e:\program files\microsoft visua"
00599998  "l studio\vc98\include\rpcndr.h"
ModLoad: 76c60000 76dbc000   C:\Windows\syswow64\ole32.dll
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\poppack.h"
0059a5d0  "E:\Program Files\Microsoft Visua"
0059a610  "l Studio\VC98\INCLUDE\poppack.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\oleidl.h"
0059a5d0  "E:\Program Files\Microsoft Visua"
0059a610  "l Studio\VC98\INCLUDE\oleidl.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpc.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpc.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpcndr.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpcndr.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\ole2.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\ole2.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\objidl.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\objidl.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpc.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpc.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpcndr.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpcndr.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\ole2.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\ole2.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\poppack.h"
0059a5d0  "E:\Program Files\Microsoft Visua"
0059a610  "l Studio\VC98\INCLUDE\poppack.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\objidl.h"
0059a5d0  "E:\Program Files\Microsoft Visua"
0059a610  "l Studio\VC98\INCLUDE\objidl.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpc.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpc.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpcndr.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpcndr.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\ole2.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\ole2.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\cguid.h"
0059a5d0  "E:\Program Files\Microsoft Visua"
0059a610  "l Studio\VC98\INCLUDE\cguid.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\urlmon.h"
0059a5d0  "E:\Program Files\Microsoft Visua"
0059a610  "l Studio\VC98\INCLUDE\urlmon.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpc.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpc.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpcndr.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpcndr.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\ole2.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\ole2.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\objidl.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\objidl.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpc.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpc.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpcndr.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpcndr.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\ole2.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\ole2.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\oleidl.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\oleidl.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpc.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpc.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpcndr.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpcndr.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\ole2.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\ole2.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\servprov.h"
0018ef24  ""
0059a6a0  "e:\program files\microsoft visua"
0059a6e0  "l studio\vc98\include\servprov.h"
0059a720  ""
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpc.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpc.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpcndr.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpcndr.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\ole2.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\ole2.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\objidl.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\objidl.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpc.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpc.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpcndr.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpcndr.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\ole2.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\ole2.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\msxml.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\msxml.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpc.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpc.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpcndr.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpcndr.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\unknwn.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\unknwn.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpc.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpc.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpcndr.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpcndr.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\ole2.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\ole2.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\objidl.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\objidl.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpc.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpc.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpcndr.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpcndr.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\ole2.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\ole2.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\oaidl.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\oaidl.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpc.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpc.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpcndr.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpcndr.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\ole2.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\ole2.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\poppack.h"
0059a5d0  "E:\Program Files\Microsoft Visua"
0059a610  "l Studio\VC98\INCLUDE\poppack.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\olectl.h"
0059a5d0  "E:\Program Files\Microsoft Visua"
0059a610  "l Studio\VC98\INCLUDE\olectl.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\ocidl.h"
0059a5d0  "E:\Program Files\Microsoft Visua"
0059a610  "l Studio\VC98\INCLUDE\ocidl.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpc.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpc.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpcndr.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpcndr.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\ole2.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\ole2.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\oleidl.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\oleidl.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpc.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpc.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpcndr.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpcndr.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\ole2.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\ole2.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\oaidl.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\oaidl.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpc.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpc.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpcndr.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpcndr.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\ole2.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\ole2.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\servprov.h"
0018ef24  ""
0059a6a0  "e:\program files\microsoft visua"
0059a6e0  "l studio\vc98\include\servprov.h"
0059a720  ""
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpc.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpc.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpcndr.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpcndr.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\ole2.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\ole2.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\urlmon.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\urlmon.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpc.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpc.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpcndr.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpcndr.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\ole2.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\ole2.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\shlobj.h"
0059a5d0  "E:\Program Files\Microsoft Visua"
0059a610  "l Studio\VC98\INCLUDE\shlobj.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\ole2.h"
0059a5d0  "E:\Program Files\Microsoft Visua"
0059a610  "l Studio\VC98\INCLUDE\ole2.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\shlguid.h"
0059a5d0  "E:\Program Files\Microsoft Visua"
0059a610  "l Studio\VC98\INCLUDE\shlguid.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\isguids.h"
0059a5d0  "E:\Program Files\Microsoft Visua"
0059a610  "l Studio\VC98\INCLUDE\isguids.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\exdisp.h"
0059a5d0  "E:\Program Files\Microsoft Visua"
0059a610  "l Studio\VC98\INCLUDE\exdisp.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpc.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpc.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpcndr.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpcndr.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\ocidl.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\ocidl.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpc.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpc.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpcndr.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpcndr.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\ole2.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\ole2.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\docobj.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\docobj.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpc.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpc.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpcndr.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpcndr.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\ole2.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\ole2.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\ocidl.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\ocidl.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpc.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpc.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\rpcndr.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\rpcndr.h"
0018eee4  "e:\program files\microsoft visua"
0018ef04  "l studio\vc98\include\ole2.h"
0059a5d0  "e:\program files\microsoft visua"
0059a610  "l studio\vc98\include\ole2.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\INCLUDE\afxcmn.h"
0059a5d0  "E:\Program Files\Microsoft Visua"
0059a610  "l Studio\VC98\INCLUDE\afxcmn.h"
0018eee4  "E:\Program Files\Microsoft Visua"
0018ef04  "l Studio\VC98\MFC\INCLUDE\afxcmn"
0018ef24  ".h"
0059a6a0  "E:\Program Files\Microsoft Visua"
0059a6e0  "l Studio\VC98\MFC\INCLUDE\afxcmn"
0059a720  ".h"
104de8d1  "C:\Users\ADMINI~1\AppData\Local\"
104de8f1  "Temp\a07608ex"
0059a5d0  "C:\Users\ADMINI~1\AppData\Local\"
0059a610  "Temp\a07608ex"
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for E:\Program Files\Microsoft Visual Studio\VC98\BIN\c1xx.dll -
005469bf  "Debug/1.pch"
00599a48  "Debug/1.pch"
ModLoad: 10700000 107ba000   E:\Program Files\Microsoft Visual Studio\VC98\BIN\c2.dll
0018f3e4  "C:\Users\ADMINI~1\AppData\Local\"
0018f404  "Temp\a07608in"
00599310  "C:\Users\ADMINI~1\AppData\Local\"
00599350  "Temp\a07608in"
0018f3e4  "C:\Users\ADMINI~1\AppData\Local\"
0018f404  "Temp\a07608gl"
00599310  "C:\Users\ADMINI~1\AppData\Local\"
00599350  "Temp\a07608gl"
0018f314  "Debug/1.pch"
00599310  "Debug/1.pch"
0018f314  "Debug/1.pch"
00599310  "Debug/1.pch"
0018f3d0  "C:\Users\ADMINI~1\AppData\Local\"
0018f3f0  "Temp\a07608ex"
00599310  "C:\Users\ADMINI~1\AppData\Local\"
00599350  "Temp\a07608ex"
0018f3d0  "C:\Users\ADMINI~1\AppData\Local\"
0018f3f0  "Temp\a07608sy"
00599310  "C:\Users\ADMINI~1\AppData\Local\"
00599350  "Temp\a07608sy"
00544a6e  "Debug/StdAfx.obj"
00599310  "Debug/StdAfx.obj"
0018f3dc  "C:\Users\ADMINI~1\AppData\Local\"
0018f3fc  "Temp\a07608db"
00599310  "C:\Users\ADMINI~1\AppData\Local\"
00599350  "Temp\a07608db"
00546390  "Debug/vc60.idb"
00599a48  "Debug/vc60.idb"
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=77492100 edi=774920c0
eip=773afcc2 esp=0018fe18 ebp=0018fe34 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!NtTerminateProcess+0x12:
773afcc2 83c404          add     esp,4
2:009> bp Kernel32!CreateFileA "da poi([esp+4]);g";bp Kernel32!CreateFileW "du poi([esp+4]);g";g
breakpoint 4 redefined
breakpoint 5 redefined
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
ModLoad: 00400000 00410000   image00400000
ModLoad: 77390000 77510000   ntdll.dll
ModLoad: 76540000 76650000   C:\Windows\syswow64\kernel32.dll
ModLoad: 75270000 752b7000   C:\Windows\syswow64\KERNELBASE.dll
ModLoad: 76dc0000 76ec0000   C:\Windows\syswow64\USER32.dll
ModLoad: 76f00000 76f90000   C:\Windows\syswow64\GDI32.dll
ModLoad: 76a60000 76a6a000   C:\Windows\syswow64\LPK.dll
ModLoad: 752c0000 7535d000   C:\Windows\syswow64\USP10.dll
ModLoad: 763a0000 7644c000   C:\Windows\syswow64\msvcrt.dll
ModLoad: 753a0000 75440000   C:\Windows\syswow64\ADVAPI32.dll
ModLoad: 75140000 75159000   C:\Windows\SysWOW64\sechost.dll
ModLoad: 76650000 76740000   C:\Windows\syswow64\RPCRT4.dll
ModLoad: 74d20000 74d80000   C:\Windows\syswow64\SspiCli.dll
ModLoad: 74d10000 74d1c000   C:\Windows\syswow64\CRYPTBASE.dll
ModLoad: 10300000 1032c000   E:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\mspdb60.dll
(1c8c.19d0): Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
eax=00000000 ebx=00000000 ecx=eb800000 edx=0008e3c8 esi=fffffffe edi=00000000
eip=7743103b esp=0018fb08 ebp=0018fb34 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!LdrVerifyImageMatchesChecksum+0x96c:
7743103b cc              int     3
2:009> bp Kernel32!CreateFileA "da poi([esp+4]);g";bp Kernel32!CreateFileW "du poi([esp+4]);g";g
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\syswow64\kernel32.dll -
ModLoad: 750e0000 75140000   C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 74d90000 74e5c000   C:\Windows\syswow64\MSCTF.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\syswow64\msvcrt.dll -
00732796  "C:\Users\ADMINI~1\AppData\Local\"
007327b6  "Temp\RSPA726.tmp"
00488fa0  "C:\Users\ADMINI~1\AppData\Local\"
00488fe0  "Temp\RSPA726.tmp"
00732796  "C:\Users\ADMINI~1\AppData\Local\"
007327b6  "Temp\RSPA726.tmp"
00488fa0  "C:\Users\ADMINI~1\AppData\Local\"
00488fe0  "Temp\RSPA726.tmp"
00732796  "C:\Users\ADMINI~1\AppData\Local\"
007327b6  "Temp\RSPA726.tmp"
00488fa0  "C:\Users\ADMINI~1\AppData\Local\"
00488fe0  "Temp\RSPA726.tmp"
00736d18  "Debug/vc60.idb"
00488fa0  "Debug/vc60.idb"
ModLoad: 10400000 10520000   E:\Program Files\Microsoft Visual Studio\VC98\BIN\c1xx.dll
104de8d1  "C:\Users\ADMINI~1\AppData\Local\"
104de8f1  "Temp\a06608ex"
00488fa0  "C:\Users\ADMINI~1\AppData\Local\"
00488fe0  "Temp\a06608ex"
104deb31  "C:\Users\ADMINI~1\AppData\Local\"
104deb51  "Temp\a06608sy"
004890d0  "C:\Users\ADMINI~1\AppData\Local\"
00489110  "Temp\a06608sy"
104dea01  "C:\Users\ADMINI~1\AppData\Local\"
104dea21  "Temp\a06608gl"
00489140  "C:\Users\ADMINI~1\AppData\Local\"
00489180  "Temp\a06608gl"
104de7a1  "C:\Users\ADMINI~1\AppData\Local\"
104de7c1  "Temp\a06608in"
004891b0  "C:\Users\ADMINI~1\AppData\Local\"
004891f0  "Temp\a06608in"
104dec61  "C:\Users\ADMINI~1\AppData\Local\"
104dec81  "Temp\a06608db"
00489388  "C:\Users\ADMINI~1\AppData\Local\"
004893c8  "Temp\a06608db"
00735318  "G:\temp\ConsoleApplication1\1\1."
00735338  "cpp"
004898b0  "G:\temp\ConsoleApplication1\1\1."
004898f0  "cpp"
0073541a  "Debug/1.pch"
00489920  "Debug/1.pch"
104d1d67  "g:\temp\consoleapplication1\1\de"
104d1d87  "bug\vc60.pdb"
00489958  "g:\temp\consoleapplication1\1\de"
00489998  "bug\vc60.pdb"
104d2d20  "g:\temp\consoleapplication1\1\de"
104d2d40  "bug\vc60.idb"
00489990  "g:\temp\consoleapplication1\1\de"
004899d0  "bug\vc60.idb"
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for E:\Program Files\Microsoft Visual Studio\VC98\BIN\c1xx.dll -
0073541a  "Debug/1.pch"
00489990  "Debug/1.pch"
0018ef00  "G:\temp\ConsoleApplication1\1\1."
0018ef20  "h"
00489990  "G:\temp\ConsoleApplication1\1\1."
004899d0  "h"
0018ef00  "g:\temp\consoleapplication1\1\re"
0018ef20  "source.h"
00489990  "g:\temp\consoleapplication1\1\re"
004899d0  "source.h"
0018ef00  "G:\temp\ConsoleApplication1\1\1D"
0018ef20  "lg.h"
00489990  "G:\temp\ConsoleApplication1\1\1D"
004899d0  "lg.h"
104de8d1  "C:\Users\ADMINI~1\AppData\Local\"
104de8f1  "Temp\a16608ex"
00489a78  "C:\Users\ADMINI~1\AppData\Local\"
00489ab8  "Temp\a16608ex"
104deb31  "C:\Users\ADMINI~1\AppData\Local\"
104deb51  "Temp\a16608sy"
00489a78  "C:\Users\ADMINI~1\AppData\Local\"
00489ab8  "Temp\a16608sy"
104dea01  "C:\Users\ADMINI~1\AppData\Local\"
104dea21  "Temp\a16608gl"
00489a78  "C:\Users\ADMINI~1\AppData\Local\"
00489ab8  "Temp\a16608gl"
104de7a1  "C:\Users\ADMINI~1\AppData\Local\"
104de7c1  "Temp\a16608in"
00489a78  "C:\Users\ADMINI~1\AppData\Local\"
00489ab8  "Temp\a16608in"
104dec61  "C:\Users\ADMINI~1\AppData\Local\"
104dec81  "Temp\a16608db"
00489a78  "C:\Users\ADMINI~1\AppData\Local\"
00489ab8  "Temp\a16608db"
00735318  "G:\temp\ConsoleApplication1\1\1D"
00735338  "lg.cpp"
00489990  "G:\temp\ConsoleApplication1\1\1D"
004899d0  "lg.cpp"
0073541d  "Debug/1.pch"
00489990  "Debug/1.pch"
0073541d  "Debug/1.pch"
00489990  "Debug/1.pch"
0018ef00  "G:\temp\ConsoleApplication1\1\1."
0018ef20  "h"
00489990  "G:\temp\ConsoleApplication1\1\1."
004899d0  "h"
0018ef00  "g:\temp\consoleapplication1\1\re"
0018ef20  "source.h"
00489990  "g:\temp\consoleapplication1\1\re"
004899d0  "source.h"
0018ef00  "G:\temp\ConsoleApplication1\1\1D"
0018ef20  "lg.h"
00489990  "G:\temp\ConsoleApplication1\1\1D"
004899d0  "lg.h"
ModLoad: 10700000 107ba000   E:\Program Files\Microsoft Visual Studio\VC98\BIN\c2.dll
0018f400  "C:\Users\ADMINI~1\AppData\Local\"
0018f420  "Temp\a16608in"
00489010  "C:\Users\ADMINI~1\AppData\Local\"
00489050  "Temp\a16608in"
0018f400  "C:\Users\ADMINI~1\AppData\Local\"
0018f420  "Temp\a16608gl"
00489010  "C:\Users\ADMINI~1\AppData\Local\"
00489050  "Temp\a16608gl"
0018f330  "Debug/1.pch"
00489010  "Debug/1.pch"
0018f330  "Debug/1.pch"
00489010  "Debug/1.pch"
0018f3ec  "C:\Users\ADMINI~1\AppData\Local\"
0018f40c  "Temp\a16608ex"
00489010  "C:\Users\ADMINI~1\AppData\Local\"
00489050  "Temp\a16608ex"
0018f3ec  "C:\Users\ADMINI~1\AppData\Local\"
0018f40c  "Temp\a16608sy"
00489010  "C:\Users\ADMINI~1\AppData\Local\"
00489050  "Temp\a16608sy"
0073536c  "Debug/1Dlg.obj"
00489010  "Debug/1Dlg.obj"
0018f3f8  "C:\Users\ADMINI~1\AppData\Local\"
0018f418  "Temp\a16608db"
00489010  "C:\Users\ADMINI~1\AppData\Local\"
00489050  "Temp\a16608db"
0018f400  "C:\Users\ADMINI~1\AppData\Local\"
0018f420  "Temp\a06608in"
00489010  "C:\Users\ADMINI~1\AppData\Local\"
00489050  "Temp\a06608in"
0018f400  "C:\Users\ADMINI~1\AppData\Local\"
0018f420  "Temp\a06608gl"
00489010  "C:\Users\ADMINI~1\AppData\Local\"
00489050  "Temp\a06608gl"
0018f330  "Debug/1.pch"
00489010  "Debug/1.pch"
0018f330  "Debug/1.pch"
00489010  "Debug/1.pch"
0018f3ec  "C:\Users\ADMINI~1\AppData\Local\"
0018f40c  "Temp\a06608ex"
00489010  "C:\Users\ADMINI~1\AppData\Local\"
00489050  "Temp\a06608ex"
0018f3ec  "C:\Users\ADMINI~1\AppData\Local\"
0018f40c  "Temp\a06608sy"
00489010  "C:\Users\ADMINI~1\AppData\Local\"
00489050  "Temp\a06608sy"
00734f51  "Debug/1.obj"
00489010  "Debug/1.obj"
0018f3f8  "C:\Users\ADMINI~1\AppData\Local\"
0018f418  "Temp\a06608db"
00489010  "C:\Users\ADMINI~1\AppData\Local\"
00489050  "Temp\a06608db"
00736d18  "Debug/vc60.idb"
00489990  "Debug/vc60.idb"
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=77492100 edi=774920c0
eip=773afcc2 esp=0018fe18 ebp=0018fe34 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!NtTerminateProcess+0x12:
773afcc2 83c404          add     esp,4
2:009> bp Kernel32!CreateFileA "da poi([esp+4]);g";bp Kernel32!CreateFileW "du poi([esp+4]);g";g
breakpoint 4 redefined
breakpoint 5 redefined
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
ModLoad: 00400000 0049e000   link.exe
ModLoad: 77390000 77510000   ntdll.dll
ModLoad: 76540000 76650000   C:\Windows\syswow64\kernel32.dll
ModLoad: 75270000 752b7000   C:\Windows\syswow64\KERNELBASE.dll
ModLoad: 10300000 1032c000   E:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\mspdb60.dll
ModLoad: 763a0000 7644c000   C:\Windows\syswow64\MSVCRT.dll
ModLoad: 753a0000 75440000   C:\Windows\syswow64\ADVAPI32.dll
ModLoad: 75140000 75159000   C:\Windows\SysWOW64\sechost.dll
ModLoad: 76650000 76740000   C:\Windows\syswow64\RPCRT4.dll
ModLoad: 74d20000 74d80000   C:\Windows\syswow64\SspiCli.dll
ModLoad: 74d10000 74d1c000   C:\Windows\syswow64\CRYPTBASE.dll
(d58.1ed4): Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
eax=00000000 ebx=00000000 ecx=10a10000 edx=0008e3c8 esi=fffffffe edi=00000000
eip=7743103b esp=0018fb08 ebp=0018fb34 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!LdrVerifyImageMatchesChecksum+0x96c:
7743103b cc              int     3
2:009> bp Kernel32!CreateFileA "da poi([esp+4]);g";bp Kernel32!CreateFileW "du poi([esp+4]);g";g
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\syswow64\kernel32.dll -
*** ERROR: Module load completed but symbols could not be loaded for link.exe
007ecf68  "Debug/1.ilk"
00556dd8  "Debug/1.ilk"
007ec8c0  "Debug/1.exe"
00556e10  "Debug/1.exe"
007ec918  ".\Debug\1.obj"
00556e10  ".\Debug\1.obj"
007ed610  ".\Debug\1Dlg.obj"
00556e10  ".\Debug\1Dlg.obj"
006585b8  ".\Debug\StdAfx.obj"
00556e10  ".\Debug\StdAfx.obj"
006585e8  ".\Debug\1.res"
00556e10  ".\Debug\1.res"
007ed238  "C:\Users\ADMINI~1\AppData\Local\"
007ed258  "Temp\lnk2"
00558050  "C:\Users\ADMINI~1\AppData\Local\"
00558090  "Temp\lnk2"
ModLoad: 004a0000 004ec000   C:\Windows\SysWOW64\apphelp.dll
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
ModLoad: 01000000 01006000   cvtres.exe
ModLoad: 77390000 77510000   ntdll.dll
ModLoad: 76540000 76650000   C:\Windows\syswow64\kernel32.dll
ModLoad: 75270000 752b7000   C:\Windows\syswow64\KERNELBASE.dll
ModLoad: 763a0000 7644c000   C:\Windows\syswow64\MSVCRT.dll
(18fc.1444): Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
eax=00000000 ebx=00000000 ecx=15ad0000 edx=0008e3c8 esi=fffffffe edi=00000000
eip=7743103b esp=000cfb08 ebp=000cfb34 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!LdrVerifyImageMatchesChecksum+0x96c:
7743103b cc              int     3
3:010> bp Kernel32!CreateFileA "da poi([esp+4]);g";bp Kernel32!CreateFileW "du poi([esp+4]);g";g
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\syswow64\kernel32.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\syswow64\MSVCRT.dll -
004825d2  ".\Debug\1.res"
00295098  ".\Debug\1.res"
0048259e  "C:\Users\ADMINI~1\AppData\Local\"
004825be  "Temp\lnk2"
00295108  "C:\Users\ADMINI~1\AppData\Local\"
00295148  "Temp\lnk2"
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=77492100 edi=774920c0
eip=773afcc2 esp=000cf978 ebp=000cf994 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!NtTerminateProcess+0x12:
773afcc2 83c404          add     esp,4
3:010> bp Kernel32!CreateFileA "da poi([esp+4]);g";bp Kernel32!CreateFileW "du poi([esp+4]);g";g
breakpoint 6 redefined
breakpoint 7 redefined
007ed1a8  "C:\Users\ADMINI~1\AppData\Local\"
007ed1c8  "Temp\lnk2"
00558258  "C:\Users\ADMINI~1\AppData\Local\"
00558298  "Temp\lnk2"
007ed310  "E:\Program Files\Microsoft Visua"
007ed330  "l Studio\VC98\MFC\LIB\nafxcwd.li"
007ed350  "b"
00558320  "E:\Program Files\Microsoft Visua"
00558360  "l Studio\VC98\MFC\LIB\nafxcwd.li"
005583a0  "b"
00705a08  "E:\Program Files\Microsoft Visua"
00705a28  "l Studio\VC98\LIB\libcmtd.lib"
00558050  "E:\Program Files\Microsoft Visua"
00558090  "l Studio\VC98\LIB\libcmtd.lib"
0071c770  "E:\Program Files\Microsoft Visua"
0071c790  "l Studio\VC98\LIB\kernel32.lib"
00558050  "E:\Program Files\Microsoft Visua"
00558090  "l Studio\VC98\LIB\kernel32.lib"
0071f810  "C:\Users\ADMINI~1\AppData\Local\"
0071f830  "Temp\KER898D.tmp"
00558050  "C:\Users\ADMINI~1\AppData\Local\"
00558090  "Temp\KER898D.tmp"
007332e8  "E:\Program Files\Microsoft Visua"
00733308  "l Studio\VC98\LIB\user32.lib"
00558050  "E:\Program Files\Microsoft Visua"
00558090  "l Studio\VC98\LIB\user32.lib"
00743d18  "E:\Program Files\Microsoft Visua"
00743d38  "l Studio\VC98\LIB\gdi32.lib"
00558050  "E:\Program Files\Microsoft Visua"
00558090  "l Studio\VC98\LIB\gdi32.lib"
0074fa60  "E:\Program Files\Microsoft Visua"
0074fa80  "l Studio\VC98\LIB\comdlg32.lib"
00558050  "E:\Program Files\Microsoft Visua"
00558090  "l Studio\VC98\LIB\comdlg32.lib"
01482588  "E:\Program Files\Microsoft Visua"
014825a8  "l Studio\VC98\LIB\winspool.lib"
00558050  "E:\Program Files\Microsoft Visua"
00558090  "l Studio\VC98\LIB\winspool.lib"
014859f0  "E:\Program Files\Microsoft Visua"
01485a10  "l Studio\VC98\LIB\advapi32.lib"
00558050  "E:\Program Files\Microsoft Visua"
00558090  "l Studio\VC98\LIB\advapi32.lib"
0148e898  "E:\Program Files\Microsoft Visua"
0148e8b8  "l Studio\VC98\LIB\shell32.lib"
00558050  "E:\Program Files\Microsoft Visua"
00558090  "l Studio\VC98\LIB\shell32.lib"
014921c8  "E:\Program Files\Microsoft Visua"
014921e8  "l Studio\VC98\LIB\comctl32.lib"
00558050  "E:\Program Files\Microsoft Visua"
00558090  "l Studio\VC98\LIB\comctl32.lib"
014937a8  "E:\Program Files\Microsoft Visua"
014937c8  "l Studio\VC98\LIB\uuid.lib"
00558050  "E:\Program Files\Microsoft Visua"
00558090  "l Studio\VC98\LIB\uuid.lib"
014a7d08  "E:\Program Files\Microsoft Visua"
014a7d28  "l Studio\VC98\LIB\oledlg.lib"
00558050  "E:\Program Files\Microsoft Visua"
00558090  "l Studio\VC98\LIB\oledlg.lib"
014a8450  "E:\Program Files\Microsoft Visua"
014a8470  "l Studio\VC98\LIB\ole32.lib"
00558050  "E:\Program Files\Microsoft Visua"
00558090  "l Studio\VC98\LIB\ole32.lib"
007ed310  "E:\Program Files\Microsoft Visua"
007ed330  "l Studio\VC98\LIB\olepro32.lib"
00558050  "E:\Program Files\Microsoft Visua"
00558090  "l Studio\VC98\LIB\olepro32.lib"
00705a08  "E:\Program Files\Microsoft Visua"
00705a28  "l Studio\VC98\LIB\oleaut32.lib"
00558050  "E:\Program Files\Microsoft Visua"
00558090  "l Studio\VC98\LIB\oleaut32.lib"
0071c770  "E:\Program Files\Microsoft Visua"
0071c790  "l Studio\VC98\LIB\urlmon.lib"
00558050  "E:\Program Files\Microsoft Visua"
00558090  "l Studio\VC98\LIB\urlmon.lib"
007332e8  "E:\Program Files\Microsoft Visua"
00733308  "l Studio\VC98\LIB\OLDNAMES.lib"
00558050  "E:\Program Files\Microsoft Visua"
00558090  "l Studio\VC98\LIB\OLDNAMES.lib"
00743d18  "E:\Program Files\Microsoft Visua"
00743d38  "l Studio\VC98\LIB\wininet.lib"
00558050  "E:\Program Files\Microsoft Visua"
00558090  "l Studio\VC98\LIB\wininet.lib"
0074fa60  "E:\Program Files\Microsoft Visua"
0074fa80  "l Studio\VC98\LIB\imagehlp.lib"
00558050  "E:\Program Files\Microsoft Visua"
00558090  "l Studio\VC98\LIB\imagehlp.lib"
01482588  "E:\Program Files\Microsoft Visua"
014825a8  "l Studio\VC98\LIB\libcpmtd.lib"
00558050  "E:\Program Files\Microsoft Visua"
00558090  "l Studio\VC98\LIB\libcpmtd.lib"
014d4a98  "E:\Program Files\Microsoft Visua"
014d4ab8  "l Studio\VC98\MFC\LIB\nafxcwd.li"
014d4ad8  "b"
00558320  "E:\Program Files\Microsoft Visua"
00558360  "l Studio\VC98\MFC\LIB\nafxcwd.li"
005583a0  "b"
0148e898  "E:\Program Files\Microsoft Visua"
0148e8b8  "l Studio\VC98\LIB\user32.lib"
00558050  "E:\Program Files\Microsoft Visua"
00558090  "l Studio\VC98\LIB\user32.lib"
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\syswow64\MSVCRT.dll -
014d5b98  "G:\temp\ConsoleApplication1\1\De"
014d5bb8  "bug\1.pdb"
00558050  "G:\temp\ConsoleApplication1\1\De"
00558090  "bug\1.pdb"
014d5b98  "G:\temp\ConsoleApplication1\1\De"
014d5bb8  "bug\1.pdb"
00558050  "G:\temp\ConsoleApplication1\1\De"
00558090  "bug\1.pdb"
0074fab8  "C:\Users\ADMINI~1\AppData\Local\"
0074fad8  "Temp\lnk2"
00558050  "C:\Users\ADMINI~1\AppData\Local\"
00558090  "Temp\lnk2"
01482400  ".\Debug\StdAfx.obj"
00558290  ".\Debug\StdAfx.obj"
01482400  ".\Debug\1Dlg.obj"
00558290  ".\Debug\1Dlg.obj"
0074fab8  ".\Debug\1.obj"
00558290  ".\Debug\1.obj"
0074fab8  "E:\Program Files\Microsoft Visua"
0074fad8  "l Studio\VC98\LIB\libcmtd.lib"
00558050  "E:\Program Files\Microsoft Visua"
00558090  "l Studio\VC98\LIB\libcmtd.lib"
014937a8  "E:\Program Files\Microsoft Visua"
014937c8  "l Studio\VC98\LIB\kernel32.lib"
00558050  "E:\Program Files\Microsoft Visua"
00558090  "l Studio\VC98\LIB\kernel32.lib"
0074fbc8  "E:\Program Files\Microsoft Visua"
0074fbe8  "l Studio\VC98\LIB\gdi32.lib"
00558050  "E:\Program Files\Microsoft Visua"
00558090  "l Studio\VC98\LIB\gdi32.lib"
0074fc20  "E:\Program Files\Microsoft Visua"
0074fc40  "l Studio\VC98\LIB\comdlg32.lib"
00558050  "E:\Program Files\Microsoft Visua"
00558090  "l Studio\VC98\LIB\comdlg32.lib"
007ed310  "E:\Program Files\Microsoft Visua"
007ed330  "l Studio\VC98\LIB\winspool.lib"
00558050  "E:\Program Files\Microsoft Visua"
00558090  "l Studio\VC98\LIB\winspool.lib"
00705a08  "E:\Program Files\Microsoft Visua"
00705a28  "l Studio\VC98\LIB\advapi32.lib"
00558050  "E:\Program Files\Microsoft Visua"
00558090  "l Studio\VC98\LIB\advapi32.lib"
0074fc78  "E:\Program Files\Microsoft Visua"
0074fc98  "l Studio\VC98\LIB\shell32.lib"
00558050  "E:\Program Files\Microsoft Visua"
00558090  "l Studio\VC98\LIB\shell32.lib"
014ad228  "E:\Program Files\Microsoft Visua"
014ad248  "l Studio\VC98\LIB\comctl32.lib"
00558050  "E:\Program Files\Microsoft Visua"
00558090  "l Studio\VC98\LIB\comctl32.lib"
0074fb10  "E:\Program Files\Microsoft Visua"
0074fb30  "l Studio\VC98\LIB\uuid.lib"
00558050  "E:\Program Files\Microsoft Visua"
00558090  "l Studio\VC98\LIB\uuid.lib"
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=77492100 edi=774920c0
eip=773afcc2 esp=0018feb8 ebp=0018fed4 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!NtTerminateProcess+0x12:
773afcc2 83c404          add     esp,4
2:009> bp Kernel32!CreateFileA "da poi([esp+4]);g";bp Kernel32!CreateFileW "du poi([esp+4]);g";g
breakpoint 4 redefined
breakpoint 5 redefined
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=77492100 edi=774920c0
eip=773afcc2 esp=0018feb8 ebp=0018fed4 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!NtTerminateProcess+0x12:
773afcc2 83c404          add     esp,4
1:003> bp Kernel32!CreateFileA "da poi([esp+4]);g";bp Kernel32!CreateFileW "du poi([esp+4]);g";g
breakpoint 2 redefined
breakpoint 3 redefined
022e23a8  "G:\temp\ConsoleApplication1\1\De"
022e23c8  "bug\vc60.idb"
00672410  "G:\temp\ConsoleApplication1\1\De"
00672450  "bug\vc60.idb"
022e2df8  "G:\temp\ConsoleApplication1\1\De"
022e2e18  "bug\vc60.idb"
00672410  "G:\temp\ConsoleApplication1\1\De"
00672450  "bug\vc60.idb"
    经过分析,使用到的文件确实多,调用编译程序的过程也一目了然,而mfc相关的文件自然在mfc文件夹下了,因此锁定*mfc*文件夹下的*.lib文件,可以找到vc98\mfc\lib\nafxcwd.lib。就这一个9M的lib?没错,不用怀疑,所有基础MFC的实现都在这里了,有兴趣的可以打开里面$UWD\strcore.obj看下,是CString的实现。
    该方法可以通用于其他库编译用文件的检测,例如ATL、第三方库等。

3.问题:MFC静态编译是否用到mfc*.lib
    最简单的方法是删掉这些文件并编译(记得备份啊^_^),发现没报错,说明没有用到。这些文件用于“静态方式的动态链接”(见1)。从问题2可知MFC采取静态链接方式编译的程序用到的库有nafxcwd.lib

4.问题:如何将.dll和.obj混合成.lib
    经常看到有lib文件是动态链接库和静态链接库混合形式的,这里提供一种制作思路。首先考虑如何将.lib拆分,来看下lib命令(有兴趣的可以逆向分析lib.exe,可以发现等同于link.exe -lib命令),msdn上有帮助:
usage: LIB [options] [files]
   options:

      /DEF[:filename]                用DEF文件生成输入lib文件(“第二种lib文件格式”)和一个.exp  
      /EXPORT:symbol                       
      /EXTRACT:membername        解压指定文件
      /INCLUDE:symbol
      /LIBPATH:dir
      /LIST[:filename]                列出目录文件,和EXTRACT合用可以解包出文件
      /MACHINE:{AM33|ARM|EBC|IA64|M32R|MIPS|MIPS16|MIPSFPU|MIPSFPU16|MIPSR41XX|
                SH3|SH3DSP|SH4|SH5|THUMB|X86}
      /NAME:filename
      /NODEFAULTLIB[:library]
      /NOLOGO
      /OUT:filename
      /REMOVE:membername
      /SUBSYSTEM:{CONSOLE|EFI_APPLICATION|EFI_BOOT_SERVICE_DRIVER|
                  EFI_ROM|EFI_RUNTIME_DRIVER|NATIVE|POSIX|WINDOWS|
                  WINDOWSCE}[,#[.##]]
      /VERBOSE
实例:        lib /def:yourdll.def /machine:i386 /out:yourdll.lib
        lib /def:1.def /export:_fn3=fn2 /machine:i386 /out:2.lib 1.lib                        //这个是我刚研究出来的,目前没看到有人使用过/export选项
        lib /list 1.lib => 1.obj 2.obj ... => lib /extract:2.obj 1.lib        //从1.lib解压出2.obj
        lib 1.dll stdafx.obj   /out:ll.lib                                                //合并1.dll stdafx.obj到ll.lib

5.问题:ida如何制作sig文件?
ida的flair扩展插件提供了制作sig文件的功能,其目录下有:
dumpsig.exe        将sig文件转储为txt文本
plb.exe                从omf格式的库文件(.lib .o .obj 等)生成pat
pcf.exe                从coff格式的库文件生成pat
pelf.exe        从elf格式的库文件生成pat
ppsx                从索尼PlayStation PSX格式的库文件生成pat
ptmobj.exe        从TriMedia格式的库文件生成pat
pomf166.exe        从Kiel OMF 166目标文件生成pat
pmacho.exe        从Mach-O目标文件生成pat
sigmake.exe        从pat生成sig
zipsig.exe        压缩解压sig文件

    对于静态库A.lib(A.o A.obj 等)文件,先判定A的二进制格式,分别选择plb pcf等转换成pat,若这一过程中提示格式不正确,则需要从lib中除去格式不同的那些obj,再操作。生成pat后使用sigmake生成sig,这一过程中若出现冲突,则需要修改exc中冲突的函数,一般规则为:在每组相互冲突的函数中,sigmake让你仅指定一个函数作为相关签名的匹配函数。任何时候,如果在数据库中发现一个对应的签名,并且你想应用一个函数的名称,那么,你可以在该函数名称前附加一个加号(+);如果你只想在数据库中添加某个函数的注释,则在该函数名称前附加一个减号(-);如果在数据库中发现对应的签名时,你不想应用任何名称,那么,你不需要添加任何符号。之后再使用sigmake即可。例:nafxcwd.lib
pcf nafxcwd.lib nafxcwd.pat
得到pat内容为:
558BEC51894DFC8B45FC8B8094000000C1E81783E0018BE55DC3558BEC51894D 25 3FBB 05E0 :0000 ?IsOptimizedDraw@COleControl@@QAEHXZ :001A ?Is
8B4DF0E8........C3B8........E9........8B4DF0E8........C3B8...... 00 0000 004C :0000 ? ^0004 ??1CAsyncMonikerFile@@UAE@XZ ^000F ___
558BEC51894DFC8B4DFCE8........8B450883E00185C074098B4DFC51E8.... 00 0000 002B :0000 ??_GCDataPathProperty@@UAEPAXI@Z ^000B ??1CDat
558BEC6AFF68........64A1........50648925........51894DF0C745FC00 0A 4EBE 004B :0000 ??1CDataPathProperty@@UAE@XZ ^000C __except_li
8B4DF0E8........C3B8........E9.................................. 00 0000 0013 :0000 ? ^0004 ??1CAsyncMonikerFile@@UAE@XZ ^000F ___
558BEC51894DFC8B4DFCE8........8B450883E00185C074098B4DFC51E8.... 00 0000 002B :0000 ??_GCCachedDataPathProperty@@UAEPAXI@Z ^000B ?
558BEC6AFF68........64A1........50648925........51894DF0C745FC00 0A 2ED9 004B :0000 ??1CCachedDataPathProperty@@UAE@XZ ^000C __exc
8B4DF0E8........C3B8........E9.................................. 00 0000 0013 :0000 ? ^0004 ??1CDataPathProperty@@UAE@XZ ^000F ___
558BEC51894DFCB8........8BE55DC3558BEC83EC18566A2068........8B45 03 BFB8 06EC :0000 ?GetMessageMap@CStockPropPage@@MBEPBUAFX_MSGMA
8B4DF0E8........C3B8........E9.................................. 00 0000 0013 :0000 ? ^0004 ??1COlePropertyPage@@UAE@XZ ^000F ___C
558BEC51894DFC8B4DFCE8........8B450883E00185C074098B4DFC51E8.... 00 0000 002B :0000 ??_GCStockPropPage@@UAEPAXI@Z ^000B ??1CStockP
558BEC6AFF68........64A1........50648925........51894DF0C745FC00 0D A621 004E :0000 ??1CStockPropPage@@UAE@XZ ^000C __except_list
8B4DF0E8........C3B8........E9.................................. 00 0000 0013 :0000 ? ^0004 ??1COlePropertyPage@@UAE@XZ ^000F ___C
558BEC51894DFCB8........8BE55DC3................................ 00 0000 0010 :0000 ?GetRuntimeClass@CStockPropPage@@UBEPAUCRuntim
558BEC6A108B450C508B4D0851E8........83C40CF7D81BC0405DC3........ 00 0000 001C :0000 ?IsEqualGUID@@YAHABU_GUID@@0@Z ^000E _memcmp
558BEC6A008B4510508B4D0C518B550852E8........5DC20C00............ 00 0000 001A :0000 ?AtlW2AHelper@@YGPADPADPBGH@Z ^0012 ?AtlW2AHel
558BEC535657837D0C00751E68........6A006A3C68........6A02E8...... 00 0000 0088 :0000 ?AtlW2AHelper@@YGPADPADPBGHI@Z ^000D ??_C@_08N
558BEC51894DFCB8........8BE55DC3558BEC6AFF68........64A1........ 04 9F62 115D :0000 ?GetMessageMap@CPicturePropPage@@MBEPBUAFX_MSG
8B4DF0E8........C38B4DF081C1E4000000E8........C3B8........E9.... 00 0000 012A :0000 ? ^0004 ??1CStockPropPage@@UAE@XZ ^0013 ??1CCo
558BEC51894DFC8B4DFCE8........8B450883E00185C074098B4DFC51E8.... 00 0000 002B :0000 ??_GCPicturePropPage@@UAEPAXI@Z ^000B ??1CPict
558BEC6AFF68........64A1........50648925........51894DF0C745FC00 0D A621 004E :0000 ??1CStockPropPage@@UAE@XZ ^000C __except_list
。。。。。。。。。。。。。
sigmake nafxcwd.pat MFC.sig       这步执行后产生:
I:\软件\ida61\sig>sigmake nafxcwd.pat MFC.sig
MFC.sig: modules/leaves: 1471/586, COLLISIONS: 27
See the documentation to learn how to resolve collisions.
编辑MFC.exc解决冲突后,重新执行成功得到sig

6.问题:为何ida官方未提供dll制作sig文件工具
    一般不需要dll的二进制代码,而需要lib的二进制代码,假设有同样功能的lib和dll,其中lib是静态链接库工程生成而dll是链接库工程生成,第三方exe在使用时,lib所嵌入在exe中的模块经过重定位,其字节码可能不同于dll中同样的模块。这里说明我发现的几个事实:
①编译好的静态库lib在于exe链接时,是不会被编译器优化的,无论exe怎样配置,优化阶段仅在编译阶段,也就是说如果lib在编译阶段未采用release,那么字节码怎样链接都不会变,只有重定位。
②经我实验,发现lib文件中的模块在链接时会发生重定位,因此call ??? jmp ???字节码相应地会发生调整,于是IDA就无法处理了。我想如果在这方面有所修改,识别能力将大大加强,不过会损失一些速度和产生误判。
③strcpy memcpy等内联函数和库函数,这种是不存在静态库中而是内联的话,稍经优化IDA也会无法识别,导致大量函数无法识别。
④不要太把FLIRT技术太当回事,等模糊匹配技术发展起来吧!

如果有好的意见和建议不妨提出来,以上仅为我个人观点
回复

使用道具 举报

发表于 2015-1-15 15:23:00 | 显示全部楼层
pat的语法已经考虑到了重定位导致代码被连接器修改的情况,允许忽略某些字节的匹配

没必要去debug linker,可以指定/VERBOSE开关去看连接信息

dll由于在调用的时候一般都是可以看到对应的函数名称,无论是导入表还是GetProcAddr,所以这里不涉及识别问题
回复 赞! 靠!

使用道具 举报

 楼主| 发表于 2015-1-15 16:42:43 | 显示全部楼层
本帖最后由 元始天尊 于 2015-1-15 16:57 编辑
ganboing 发表于 2015-1-15 15:23
pat的语法已经考虑到了重定位导致代码被连接器修改的情况,允许忽略某些字节的匹配

没必要去debug linker ...


"pat的语法已经考虑到了重定位导致代码被连接器修改的情况,允许忽略某些字节的匹配"
   pat的内容我看过,代码树的形式:
+abc
    def
       gh
       op
    efg
       qr
       st
没发现怎么能忽略字节,这种写法是为节省空间而已,如果要忽略,是要识别出地址单独存放的吧,所以我认为pat语法并没有做到这一点。另外一个例证是AfxWinMain函数,我昨天手动做出pat,看过里面内容,所有字节都是照搬的,并没有特殊处理,这样跟目标exe对比当然是找不到的了。或许你说的允许忽略指的是DLL_2_SIG,或者其他什么东西。你说的这个有什么证据吗?


对于linker所需文件,我这2种方法都比较通用,然而我确实不知道link.exe有这么个参数,也确实好用

dll确实可以通过导出表(不是导入表!)得到输出函数,不过不排除有内部函数,如果残留有debug信息就会有用,因为链接时dll代码和纯静态库lib代码基本一致,如果用的是dll,那么可以从dll提取信息成sig,用于用了lib的程序。这点可能你没弄懂我的用意
回复 赞! 靠!

使用道具 举报

发表于 2015-1-15 17:03:12 | 显示全部楼层
本帖最后由 ganboing 于 2015-1-15 17:11 编辑
元始天尊 发表于 2015-1-15 16:42
"pat的语法已经考虑到了重定位导致代码被连接器修改的情况,允许忽略某些字节的匹配"
   pat的内容我看过 ...


pat文件的第一列是pattern描述,如果遇到 .. (两个点),那么就表示这个字节可以取任意值。这个在pat.txt(在flairxx.zip)里面有说明

刚刚明白了你制作dll的sig的目的。这个估计用一个简单的工具来做还是有点够呛,毕竟还要先解析一下pdb,分析各种交叉引用之类,毕竟二进制文件同obj相比还是复杂很多。可能给ida做个插件是不错的主意,openrce上面有类似的插件,把当前ida数据库中的函数生成sig,效果也还凑合。
回复 赞! 靠!

使用道具 举报

 楼主| 发表于 2015-1-15 17:05:15 | 显示全部楼层
ganboing 发表于 2015-1-15 17:03
pat文件的第一列是pattern描述,如果遇到 .. (两个点),那么就表示这个字节可以取任意值。这个在pat.tx ...

恩,我看到了,不过为什么在识别AfxWinMain时,并没有这样处理呢?
回复 赞! 靠!

使用道具 举报

发表于 2015-1-15 17:16:22 | 显示全部楼层
元始天尊 发表于 2015-1-15 17:05
恩,我看到了,不过为什么在识别AfxWinMain时,并没有这样处理呢?


应该没问题的,可以把pat和反汇编比较一下,一些可能会被linker处理的地方应该会自动变成..
回复 赞! 靠!

使用道具 举报

 楼主| 发表于 2015-1-15 17:19:23 | 显示全部楼层
本帖最后由 元始天尊 于 2015-1-15 17:28 编辑
ganboing 发表于 2015-1-15 17:16
应该没问题的,可以把pat和反汇编比较一下,一些可能会被linker处理的地方应该会自动变成.. ...


我看过AfxWinMain的pat,他并没把地址换成....
你试试就知道
这个是pat文件里的,
558BEC83EC0C535657837D0C0074116A1868........E8........85C07401CC 0E 21BB 0117 :0000 ?AfxWinMain@@YGHPAUHINSTANCE__@@0PADH@Z :00D1@ $InitFailure$87608 ^

而lib源码为:
55 8B EC 83 EC 0C 53 56  57 83 7D 0C 00 74 11 6A
18 68 18 01 00 00 E8 95  01 00 00 85 C0 74 01 CC
33 C0 85 C0 75 E3 C7 45  F8 FF FF FF FF E8 7A 01
00 00 89 45 F4 E8 6E 01  00 00 89 45 FC 8B 4D 14

.text$AFX_CORE1:00000000
.text$AFX_CORE1:00000000                 push    ebp
.text$AFX_CORE1:00000001                 mov     ebp, esp
.text$AFX_CORE1:00000003                 sub     esp, 0Ch
.text$AFX_CORE1:00000006                 push    ebx
.text$AFX_CORE1:00000007                 push    esi
.text$AFX_CORE1:00000008                 push    edi
.text$AFX_CORE1:00000009
.text$AFX_CORE1:00000009 loc_9:                                  ; CODE XREF: AfxWinMain(HINSTANCE__ *,HINSTANCE__ *,char *,int)+24j
.text$AFX_CORE1:00000009                 cmp     [ebp+arg_4], 0
.text$AFX_CORE1:0000000D                 jz      short loc_20
.text$AFX_CORE1:0000000F                 push    18h             ; int
.text$AFX_CORE1:00000011                 push    offset $SG87603 ; "winmain.cpp"
.text$AFX_CORE1:00000016                 call    ?AfxAssertFailedLine@@YGHPBDH@Z ; AfxAssertFailedLine(char const *,int)
.text$AFX_CORE1:0000001B                 test    eax, eax
.text$AFX_CORE1:0000001D                 jz      short loc_20
.text$AFX_CORE1:0000001F                 int     3               ; Tr

实际调用时:
55 8B EC 83 EC 0C 53 56  57 83 7D 0C 00 74 11 6A
18 68 80 50 5E 00 E8 75  8C 04 00 85 C0 74 01 CC
33 C0 85 C0 75 E3 C7 45  F8 FF FF FF FF E8 07 D0
FE FF 89 45 F4 E8 46 1F  05 00 89 45 FC 8B 4D 14
51 8B 55 10 52 8B 45 0C  50 8B 4D 08 51 E8 3E 31
回复 赞! 靠!

使用道具 举报

发表于 2015-1-15 17:26:44 | 显示全部楼层
元始天尊 发表于 2015-1-15 17:19
我看过AfxWinMain的pat,他并没把地址换成....
你试试就知道

你用的命令行是什么,我也试一下
回复 赞! 靠!

使用道具 举报

 楼主| 发表于 2015-1-15 17:29:16 | 显示全部楼层
ganboing 发表于 2015-1-15 17:26
你用的命令行是什么,我也试一下


pcf nafxcwd.lib nafxcwd.pat
sigmake nafxcwd.pat MFC.sig

用的vc6 x86的文件

就是 push    offset $SG87603 ; "winmain.cpp"
这一句乱了。。。
回复 赞! 靠!

使用道具 举报

 楼主| 发表于 2015-1-15 18:01:24 来自手机 | 显示全部楼层
作者应该用重定位信息干这个的,,,盲目啊
回复 赞! 靠!

使用道具 举报

发表于 2015-1-15 18:38:41 | 显示全部楼层
元始天尊 发表于 2015-1-15 17:29
pcf nafxcwd.lib nafxcwd.pat
sigmake nafxcwd.pat MFC.sig

我看到pat里面不是 68........ 么?这个应该是对应push offset $SG87603的。
回复 赞! 靠!

使用道具 举报

 楼主| 发表于 2015-1-15 21:20:56 | 显示全部楼层
ganboing 发表于 2015-1-15 18:38
我看到pat里面不是 68........ 么?这个应该是对应push offset $SG87603的。

恩,之前我可能哪一步弄混了,确实可以识别
回复 赞! 靠!

使用道具 举报

本版积分规则

QQ|Archiver|小黑屋|技术宅的结界 ( 滇ICP备16008837号 )|网站地图

GMT+8, 2024-11-22 14:25 , Processed in 0.041882 second(s), 20 queries , Gzip On.

Powered by Discuz! X3.5

© 2001-2024 Discuz! Team.

快速回复 返回顶部 返回列表