All console applications are presented with their (self-contained) ANSI C source code and build without the MSVCRT runtime library.
Group Policy Scripts Client Registration
Privileged Process Launcher
Interactive SYSTEM
Process Launcher
Privilege Twiddler
Really Known SIDs Enumerator Security Descriptor Definition Language Decoder
Security Descriptor Inspector 8.3 File and Directory Name Changer Directory Change Notifier
Debug String Monitor Non-interactive Symbolic Debugger Shim Database Decoder
Registry Policy Reader Registry INF Dumper Offline Registry Reader
Portable Executable Version Information Reader Portable Executable Resource Enumerator
Portable Executable Metadata Reader Product Key Validator Language Enumerator Locale Enumerator Network Enumerator
MSVC Helper Library MSVC Helper Library •
Note: only privileges already assigned to a user account can be enabled!
Cmd.exe
with the privileges SeAuditPrivilege
,
SeBackupPrivilege
, SeDebugPrivilege
,
SeRestorePrivilege
, SeSecurityPrivilege
and SeTakeOwnershipPrivilege
enabled in the directory
C:\System Volume Information\
and list its contents.
Create the text file PROCESS.VBS
with the following
content in an arbitrary directory:
Rem Copyright © 1999-2023, Stefan Kanthak <stefan.kanthak@nexgo.de>
Rem * The software is provided "as is" without any warranty, neither express
Rem nor implied.
Rem * In no event will the author be held liable for any damage(s) arising
Rem from the use of the software.
Rem * Redistribution of the software is allowed only in unmodified form.
Rem * Permission is granted to use the software solely for personal private
Rem and non-commercial purposes.
Rem * An individuals use of the software in his or her capacity or function
Rem as an agent, (independent) contractor, employee, member or officer of
Rem a business, corporation or organization (commercial or non-commercial)
Rem does not qualify as personal private and non-commercial purpose.
Rem * Without written approval from the author the software must not be used
Rem for a business, for commercial, corporate, governmental, military or
Rem organizational purposes of any kind, or in a commercial, corporate,
Rem governmental, military or organizational environment of any kind.
Option Explicit

' Starts one process through WMI (Win32_Process.Create) with an explicit
' environment block and working directory, then reports the result.
'
' The WMI moniker below names six privileges (Audit, Backup, Debug, Restore,
' Security, TakeOwnership) in addition to the impersonation level; they are
' requested for the WMI connection used to create the process.
' NOTE(review): the process is created by the WMI service on behalf of this
' script, presumably why a complete environment block is assembled here
' instead of being inherited -- confirm.

Const strCommandLine = "C:\Windows\System32\Cmd.exe /D /K DIR /A"
Const strCurrentDirectory = "C:\System Volume Information"

' Arguments for FileSystemObject.GetSpecialFolder()
Const fsoWindowsFolder = 0
Const fsoSystemFolder = 1
Const fsoTemporaryFolder = 2

Dim arrEnvironment(10)
Dim objFileSystem, objWindowsFolder, objSystemFolder, objTemporaryFolder
Dim objNetwork
Dim objService, objProcessStartup
Dim intReturn, intProcessID

' --- environment block: fixed entry plus values derived from the special folders
Set objFileSystem = WScript.CreateObject("Scripting.FileSystemObject")
Set objWindowsFolder = objFileSystem.GetSpecialFolder(fsoWindowsFolder)
Set objSystemFolder = objFileSystem.GetSpecialFolder(fsoSystemFolder)
Set objTemporaryFolder = objFileSystem.GetSpecialFolder(fsoTemporaryFolder)

arrEnvironment(0) = "NoDefaultCurrentDirectoryInExePath=*"
arrEnvironment(1) = "SYSTEMDRIVE=" & objWindowsFolder.Drive
arrEnvironment(2) = "SYSTEMROOT=" & objWindowsFolder.Path
' PATH holds only the system and the Windows directory
arrEnvironment(3) = "PATH=" & objSystemFolder.Path & ";" & objWindowsFolder.Path
arrEnvironment(4) = "TEMP=" & objTemporaryFolder.Path
' The next two entries are derived from the location of the temporary folder
arrEnvironment(5) = "LOCALAPPDATA=" & objTemporaryFolder.ParentFolder.Path
arrEnvironment(6) = "USERPROFILE=" & objTemporaryFolder.ParentFolder.ParentFolder.ParentFolder.Path

' --- environment block: identity of the computer and the calling user
Set objNetwork = WScript.CreateObject("WScript.Network")
arrEnvironment(7) = "COMPUTERNAME=" & objNetwork.ComputerName
arrEnvironment(8) = "USERDOMAIN=" & objNetwork.UserDomain
arrEnvironment(9) = "USERNAME=" & objNetwork.UserName

' --- connect to WMI on the local computer, naming the privileges to enable
Set objService = GetObject("WinMgmts:{impersonationLevel=Impersonate, (Audit, Backup, Debug, Restore, Security, TakeOwnership)}!\\.\Root\CIMv2")

' --- startup information for the new process
Set objProcessStartup = objService.Get("Win32_ProcessStartup").SpawnInstance_
' objProcessStartup.CreateFlags = 8 ' Detached_Process
objProcessStartup.EnvironmentVariables = arrEnvironment
objProcessStartup.ErrorMode = 2 ' Fail_Critical_Errors
objProcessStartup.FillAttribute = 240 ' Black on White
objProcessStartup.PriorityClass = 32 ' Normal
objProcessStartup.ShowWindow = 1 ' SW_NORMAL
objProcessStartup.Title = vbNullString
objProcessStartup.WinstationDesktop = vbNullString
' objProcessStartup.X = 0
objProcessStartup.XCountChars = 80
' objProcessStartup.XSize = 640
' objProcessStartup.Y = 240
objProcessStartup.YCountChars = 50
' objProcessStartup.YSize = 480

' --- create the process; Create() returns 0 on success and fills intProcessID
intReturn = objService.Get("Win32_Process").Create(strCommandLine, strCurrentDirectory, objProcessStartup, intProcessID)

If intReturn = 0 Then
    WScript.Echo "Process " & intProcessID & " created"
Else
    WScript.Echo "Error " & intReturn
End If
Execute the
VBScript
PROCESS.VBS
created in step 1. with a double-click.
Note: PROCESS.VBS
must be run under a
user account to which the privileges to be enabled are assigned, typically
any member of the
BUILTIN\Administrators
user group!
Note: startup and shutdown scripts
run under
the NT AUTHORITY\SYSTEM
alias
LocalSystem
account; logon and logoff scripts
run under the current user
account.
SCRIPTS.INF
and save it in an arbitrary directory, then right-click the
downloaded file to display its context menu and click Install to run it.
Note: on Windows Vista and newer
versions of Windows NT,
InfDefaultInstall.exe
,
the application registered for the Install
verb of
*.inf
files, requests administrative privileges and
access rights.
client programs which can be selected by every user as the
default program for their associated file types and URL protocols.
CLIENTS.INF
and save it in an arbitrary directory, then right-click the
downloaded file to display its context menu and click Install to run it.
Note: on Windows Vista and newer
versions of Windows NT,
InfDefaultInstall.exe
,
the application registered for the Install
verb of
*.inf
files, requests administrative privileges.
Application Compatibility Shim Database(
.sdb
) file and print its contents in
UTF-16LE
encoding on standard output (which must be redirected to a file or piped into an application that reads from
standard input, like Clip, Find or More).
SdbCloseDatabase()
SdbGetBinaryTagData()
SdbGetFirstChild()
SdbGetNextChild()
SdbGetStringTagPtr()
SdbGetTagFromTagID()
SdbOpenDatabase()
SdbReadDWORDTag()
SdbReadQWORDTag()
SdbTagToString()
Understanding Shims
APPHELP.COM ‹input file name› >‹output file name›
APPHELP.COM ‹input file name› | MORE.COM
big form with embedded application manifest, version information, icon plus time-stamped digital signature, and APPHELP.COM, a
small form without these extras.
Note: due to the design and implementation of
Windows’ (classic alias legacy) console, the
Win32 function
WriteConsole()
can only write to a console, not to a file nor a pipe, i.e.
redirection of standard error
is not supported!
The MSDN article Console Handles provides background information.
Create the text file APPHELP.C
with the following
content in an arbitrary, preferably empty directory:
// Copyright © 2004-2023, Stefan Kanthak <stefan.kanthak@nexgo.de>
// * The software is provided "as is" without any warranty, neither express
// nor implied.
// * In no event will the author be held liable for any damage(s) arising
// from the use of the software.
// * Redistribution of the software is allowed only in unmodified form.
// * Permission is granted to use the software solely for personal private
// and non-commercial purposes.
// * An individuals use of the software in his or her capacity or function
// as an agent, (independent) contractor, employee, member or officer of
// a business, corporation or organization (commercial or non-commercial)
// does not qualify as personal private and non-commercial purpose.
// * Without written approval from the author the software must not be used
// for a business, for commercial, corporate, governmental, military or
// organizational purposes of any kind, or in a commercial, corporate,
// governmental, military or organizational environment of any kind.
#ifndef _DLL
#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <shellapi.h>
// Kind of path name passed as second argument to SdbOpenDatabase();
// this program always passes DOS_PATH.
typedef enum _PATH_TYPE
{
DOS_PATH,
NT_PATH
} PATH_TYPE;
// Values of the 'Opcode' member of a PATCH_ACTION structure;
// Children() prints only PATCH_REPLACE and PATCH_MATCH records.
#define PATCH_STOP 0UL
#define PATCH_REPLACE 2UL
#define PATCH_MATCH 4UL
// One record of the data of a TAG_PATCH_BITS tag; Children() walks a
// sequence of these records, advancing by 'ActionSize' bytes each time.
// NOTE(review): every member comes straight from the database file, so
//               'ActionSize' and 'PatternSize' are untrusted and have to be
//               checked against the size of the tag's data before they are
//               used to advance or to read 'Pattern'.
typedef struct _PATCH_ACTION
{
DWORD Opcode;
DWORD ActionSize; // size of structure
DWORD PatternSize;
DWORD RVA;
DWORD Reserved;
WCHAR ModuleName[32];
BYTE Pattern[ANYSIZE_ARRAY];
} PATCH_ACTION, *LPPATCH_ACTION;
// Opaque handle of an open shim database, returned by SdbOpenDatabase().
typedef LPVOID PDB;
typedef ULONGLONG QWORD;
// A TAG is a 16-bit value: the bits selected by TAG_TYPE_MASK give the type
// of the associated value, the remaining bits identify the tag itself.
typedef WORD TAG;
#define TAG_TYPE_NULL 0x1000 // no value associated with the TAG
#define TAG_TYPE_BYTE 0x2000 // BYTE value
#define TAG_TYPE_WORD 0x3000 // WORD value
#define TAG_TYPE_DWORD 0x4000 // DWORD value
#define TAG_TYPE_QWORD 0x5000 // ULONGLONG value
#define TAG_TYPE_STRINGREF 0x6000 // tokenized string value
#define TAG_TYPE_LIST 0x7000 // list of TAG values
#define TAG_TYPE_STRING 0x8000 // UNICODE string value
#define TAG_TYPE_BINARY 0x9000 // binary value
#define TAG_TYPE_MASK 0xF000
// Only the tags whose values Children() formats specially are defined here;
// all other tags are printed by type alone.
#define TAG_LINK_DATE (TAG_TYPE_DWORD | 0x001D) // link date attribute of a file
#define TAG_UPTO_LINK_DATE (TAG_TYPE_DWORD | 0x001E) // link date attribute of a file; matching is done up to and including this link date
#define TAG_APP_NAME_RC_ID (TAG_TYPE_DWORD | 0x0024) // application name resource identifier attribute for AppHelp entries
#define TAG_VENDOR_NAME_RC_ID (TAG_TYPE_DWORD | 0x0025) // vendor name resource identifier attribute for AppHelp entries
#define TAG_SUMMARY_MSG_RC_ID (TAG_TYPE_DWORD | 0x0026) // summary message resource identifier attribute for AppHelp entries
#define TAG_DESCRIPTION_RC_ID (TAG_TYPE_DWORD | 0x0028) // description resource identifier attribute for AppHelp entries
#define TAG_PARAMETER1_RC_ID (TAG_TYPE_DWORD | 0x0029) // parameter1 resource identifier attribute for AppHelp entries
#define TAG_TIME (TAG_TYPE_QWORD | 0x0001) // time attribute
#define TAG_BIN_FILE_VERSION (TAG_TYPE_QWORD | 0x0002) // bin file version attribute for file entries
#define TAG_BIN_PRODUCT_VERSION (TAG_TYPE_QWORD | 0x0003) // bin product version attribute for file entries
#define TAG_UPTO_BIN_PRODUCT_VERSION (TAG_TYPE_QWORD | 0x0006) // bin product version attribute of a file; matching is done up to and including this product version
#define TAG_UPTO_BIN_FILE_VERSION (TAG_TYPE_QWORD | 0x000D) // bin file version attribute of a file; matching is done up to and including this file version
#define TAG_PATCH_BITS (TAG_TYPE_BINARY | 0x0002) // patch file bits attribute
#define TAG_EXE_ID (TAG_TYPE_BINARY | 0x0004) // GUID attribute of an executable entry
#define TAG_MSI_PACKAGE_ID (TAG_TYPE_BINARY | 0x0006) // MSI package identifier attribute of an MSI package
#define TAG_DATABASE_ID (TAG_TYPE_BINARY | 0x0007) // GUID attribute of a database
// The following four tags are printed as GUID by Children() when their data
// is exactly sizeof(GUID) bytes long.
#define TAG_CONTEXT_PLATFORM_ID (TAG_TYPE_BINARY | 0x0008)
#define TAG_CONTEXT_BRANCH_ID (TAG_TYPE_BINARY | 0x0009)
#define TAG_FIX_ID (TAG_TYPE_BINARY | 0x0010)
#define TAG_APP_ID (TAG_TYPE_BINARY | 0x0011)
// A TAGID identifies one tag inside an open database.
typedef DWORD TAGID;
// NOTE: both constants have the same value; TAGID_ROOT is passed as parent
//       to start the enumeration, TAGID_NULL is returned when no (further)
//       child exists.
#define TAGID_NULL 0UL
#define TAGID_ROOT 0UL
// Prototypes of the functions resolved through the import library
// APPHELP.LIB; they are declared here by hand instead of being taken from
// a header file.
// NOTE(review): all of them operate on the database file named on the
//               command line, i.e. on untrusted input; pointers and sizes
//               they return should be checked before use.

// Closes a database opened with SdbOpenDatabase().
__declspec(dllimport)
VOID WINAPI SdbCloseDatabase(PDB lpdb);
// Returns a pointer to the data of a binary tag.
__declspec(dllimport)
LPVOID WINAPI SdbGetBinaryTagData(PDB lpdb,
TAGID tiWhich);
// Retrieves the major and minor version of the named database file.
__declspec(dllimport)
BOOL WINAPI SdbGetDatabaseVersion(LPCWSTR lpwszFileName,
LPDWORD dwMajorversion,
LPDWORD dwMinorversion);
// Returns the first child of a tag, or TAGID_NULL.
__declspec(dllimport)
TAGID WINAPI SdbGetFirstChild(PDB lpdb,
TAGID tiParent);
// Returns the child following 'tiPrevious', or TAGID_NULL.
__declspec(dllimport)
TAGID WINAPI SdbGetNextChild(PDB lpdb,
TAGID tiParent,
TAGID tiPrevious);
// Returns a pointer to the string of a string or string reference tag.
__declspec(dllimport)
LPWSTR WINAPI SdbGetStringTagPtr(PDB lpdb,
TAGID tiWhich);
// Returns the size of the data of a tag in bytes.
__declspec(dllimport)
DWORD WINAPI SdbGetTagDataSize(PDB lpdb,
TAGID tiWhich);
// Returns the TAG (type and identifier) stored at a TAGID.
__declspec(dllimport)
TAG WINAPI SdbGetTagFromTagID(PDB lpdb,
TAGID tiWhich);
// Formats a GUID as string; Children() provides a buffer sized for
// "{00000000-0000-0000-0000-000000000000}" plus terminator.
__declspec(dllimport)
BOOL WINAPI SdbGUIDToString(GUID *lpGuid,
LPWSTR lpwszGuidString);
// Opens a database file; returns NULL on failure.
__declspec(dllimport)
PDB WINAPI SdbOpenDatabase(LPCWSTR lpwszPath,
PATH_TYPE eType);
// Read the value of a DWORD, QWORD or WORD tag; the last argument is
// returned when the value can not be read.
__declspec(dllimport)
DWORD WINAPI SdbReadDWORDTag(PDB lpdb,
TAGID tiWhich,
DWORD dwDefault);
__declspec(dllimport)
QWORD WINAPI SdbReadQWORDTag(PDB lpdb,
TAGID tiWhich,
QWORD qwDefault);
__declspec(dllimport)
WORD WINAPI SdbReadWORDTag(PDB lpdb,
TAGID tiWhich,
WORD wDefault);
// Returns the symbolic name of a TAG.
__declspec(dllimport)
LPCWSTR WINAPI SdbTagToString(TAG tag);
// Formats a message with wvsprintf() and writes it to the console.
//
// hConsole  handle of a console screen buffer (the callers pass the standard
//           error handle); WriteConsole() fails for any other kind of handle
// lpFormat  wvsprintf() format string, followed by its arguments
//
// Returns TRUE only when the whole formatted text was written; an empty
// result of the formatting counts as failure.
__declspec(safebuffers)
BOOL PrintConsole(HANDLE hConsole, [SA_FormatString(Style="printf")] LPCWSTR lpFormat, ...)
{
    WCHAR   szText[1024];
    DWORD   dwLength;
    DWORD   dwWritten;
    va_list vaArguments;

    va_start(vaArguments, lpFormat);
    dwLength = wvsprintf(szText, lpFormat, vaArguments);
    va_end(vaArguments);

    // both counts are in characters here
    if ((dwLength != 0)
     && WriteConsole(hConsole, szText, dwLength, &dwWritten, NULL))
        return dwWritten == dwLength;

    return FALSE;
}
// Formats a message with wvsprintf() and writes the resulting UTF-16 text
// with WriteFile(), repeating the call until every byte is written.
//
// hFile     handle of a file or pipe (the callers pass the redirected
//           standard output handle)
// lpFormat  wvsprintf() format string, followed by its arguments
//
// Returns FALSE when the formatting yields no text or WriteFile() fails,
// else TRUE.
__declspec(safebuffers)
BOOL PrintFormat(HANDLE hFile, [SA_FormatString(Style="printf")] LPCWSTR lpFormat, ...)
{
    WCHAR   szText[1024];
    LPBYTE  lpNext = (LPBYTE) szText;
    DWORD   dwRemaining;
    DWORD   dwWritten;
    va_list vaArguments;

    va_start(vaArguments, lpFormat);
    dwRemaining = wvsprintf(szText, lpFormat, vaArguments);
    va_end(vaArguments);

    if (dwRemaining == 0)
        return FALSE;

    // wvsprintf() counts characters, WriteFile() counts bytes
    for (dwRemaining *= sizeof(*szText); dwRemaining > 0; dwRemaining -= dwWritten)
    {
        if (!WriteFile(hFile, lpNext, dwRemaining, &dwWritten, (LPOVERLAPPED) NULL))
            return FALSE;

        lpNext += dwWritten;
    }

    return TRUE;
}
// Writes a wide string LITERAL without its terminating NUL.
#define PrintString(HANDLE, LITERAL) PrintDirect(HANDLE, LITERAL, sizeof(LITERAL) / sizeof(*LITERAL) - 1UL)

// Writes 'dwString' characters of 'lpString' with WriteFile(), repeating
// the call until every byte is written. WriteFile() is called at least
// once, even for an empty string.
//
// Returns FALSE as soon as WriteFile() fails, else TRUE.
__inline
BOOL WINAPI PrintDirect(HANDLE hFile, LPCWSTR lpString, DWORD dwString)
{
    const BYTE *lpNext = (const BYTE *) lpString;
    DWORD dwRemaining = dwString * sizeof(*lpString);   // count of bytes
    DWORD dwWritten;

    for (;;)
    {
        if (!WriteFile(hFile, lpNext, dwRemaining, &dwWritten, (LPOVERLAPPED) NULL))
            return FALSE;

        lpNext += dwWritten;
        dwRemaining -= dwWritten;

        if (dwRemaining == 0)
            return TRUE;
    }
}
// Names of the days of the week, indexed with the 'wDayOfWeek' member of a
// SYSTEMTIME structure filled by FileTimeToSystemTime() (0 = Sunday).
const LPCWSTR szDayOfWeek[7] = {L"Sunday",
L"Monday",
L"Tuesday",
L"Wednesday",
L"Thursday",
L"Friday",
L"Saturday"};
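// Prints one line per child tag of 'tiParent' to 'hOutput' and descends
// recursively into list tags.
//
// hConsole  console handle for diagnostic messages (see PrintConsole())
// hOutput   handle of the redirected standard output (see PrintFormat())
// lpdb      database opened with SdbOpenDatabase()
// tiParent  tag whose children are enumerated; TAGID_ROOT for the top level
// dwLevel   nesting depth of 'tiParent', 0 for the top level; determines
//           the number of tabs printed between TAGID and TAG
//
// The database is untrusted input: a decoder like this one is typically run
// on files of unknown origin. Every value that drives a pointer (nesting
// depth, record sizes inside TAG_PATCH_BITS, pointers returned by the Sdb*()
// functions) is therefore checked before it is used.
__declspec(safebuffers)
VOID WINAPI Children(HANDLE hConsole, HANDLE hOutput, PDB lpdb, TAGID tiParent, DWORD dwLevel)
{
    // Ten tabs; the indentation is the tail of this string, so the offset
    // subtracted below must never exceed 9 respectively 7, else the pointer
    // would run in front of the string for deeply nested lists.
    static const WCHAR szTabs[] = L"\t\t\t\t\t\t\t\t\t\t";

    // Arbitrary bound for the recursion; without it the nesting depth of
    // the file alone decides how much stack is consumed.
    const DWORD dwMaxLevel = 64;

    // Sentinel passed as default to SdbReadWORDTag(); must have type WORD,
    // a comparison of a WORD against ~0U is never true.
    const WORD wNone = 0xFFFF;

    LPCWSTR lpIndent = szTabs + 9 - (dwLevel < 9 ? dwLevel : 9);
    LPCWSTR lpIndentPatch = szTabs + 7 - (dwLevel < 7 ? dwLevel : 7);

    SYSTEMTIME st;
    PATCH_ACTION *lpPatch;
    BOOL    bOutput = TRUE;
    DWORD   dw;
    LPBYTE  lpData;
    LPCWSTR lpString;
    WORD    wData;
    DWORD   dwData;
    DWORD   dwAvailable;
    QWORD   qwData;
    WCHAR   szGUID[sizeof("{00000000-0000-0000-0000-000000000000}")];
    TAG     tChild;
    TAGID   tiChild = SdbGetFirstChild(lpdb, tiParent);

    while (tiChild != TAGID_NULL)
    {
        tChild = SdbGetTagFromTagID(lpdb, tiChild);

        bOutput &= PrintFormat(hOutput,
                               L"0x%08lX%ls0x%04hX = %ls",
                               tiChild,
                               lpIndent,
                               tChild,
                               SdbTagToString(tChild));

        switch (tChild & TAG_TYPE_MASK)
        {
        case TAG_TYPE_NULL:

            bOutput &= PrintString(hOutput, L"\r\n");
            break;

        case TAG_TYPE_WORD:

            wData = SdbReadWORDTag(lpdb, tiChild, wNone);

            if (wData == wNone)
                bOutput &= PrintString(hOutput, L"\r\n");
            else
                bOutput &= PrintFormat(hOutput, L": 0x%04hX\r\n", wData);
            break;

        case TAG_TYPE_DWORD:

            dwData = SdbReadDWORDTag(lpdb, tiChild, ~0UL);

            if (dwData == ~0UL)
                bOutput &= PrintString(hOutput, L"\r\n");
            else
                if ((tChild == TAG_LINK_DATE)
                 || (tChild == TAG_UPTO_LINK_DATE))
                {
                    qwData = __emulu(dwData, 10000000)  // seconds since 1970-01-01 to
                           + 116444736000000000;        // 100 nano-seconds since 1601-01-01

                    if (!FileTimeToSystemTime((LPFILETIME) &qwData, &st))
                        PrintConsole(hConsole,
                                     L"FileTimeToSystemTime() returned error %lu\n",
                                     GetLastError());
                    else
                        bOutput &= PrintFormat(hOutput,
                                               L": %ls, %04hu-%02hu-%02hu %02hu:%02hu:%02hu.%03hu UTC\r\n",
                                               szDayOfWeek[st.wDayOfWeek],
                                               st.wYear, st.wMonth, st.wDay, st.wHour,
                                               st.wMinute, st.wSecond, st.wMilliseconds);
                }
#if 0 // NOTE: Windows Vista or newer!
                else if ((tChild == TAG_APP_NAME_RC_ID)
                      || (tChild == TAG_VENDOR_NAME_RC_ID)
                      || (tChild == TAG_SUMMARY_MSG_RC_ID)
                      || (tChild == TAG_DESCRIPTION_RC_ID)
                      || (tChild == TAG_PARAMETER1_RC_ID))
                    bOutput &= PrintFormat(hOutput, L": 0x%08lX\r\n", dwData);
#endif
                else
                    bOutput &= PrintFormat(hOutput, L": 0x%08lX\r\n", dwData);
            break;

        case TAG_TYPE_QWORD:

            qwData = SdbReadQWORDTag(lpdb, tiChild, ~0ULL);

            if (qwData == ~0ULL)
                bOutput &= PrintString(hOutput, L"\r\n");
            else
                if ((tChild == TAG_BIN_FILE_VERSION)
                 || (tChild == TAG_BIN_PRODUCT_VERSION)
                 || (tChild == TAG_UPTO_BIN_PRODUCT_VERSION)
                 || (tChild == TAG_UPTO_BIN_FILE_VERSION))
                    bOutput &= PrintFormat(hOutput,
                                           L": %hu.%hu.%hu.%hu\r\n",
                                           (WORD) (qwData >> 48), (WORD) (qwData >> 32), (WORD) (qwData >> 16), (WORD) qwData);
                else if (tChild != TAG_TIME)
                    bOutput &= PrintFormat(hOutput, L": 0x%016I64X\r\n", qwData);
                else
                    if (!FileTimeToSystemTime((LPFILETIME) &qwData, &st))
                        PrintConsole(hConsole,
                                     L"FileTimeToSystemTime() returned error %lu\n",
                                     GetLastError());
                    else
                        bOutput &= PrintFormat(hOutput,
                                               L": %ls, %04hu-%02hu-%02hu %02hu:%02hu:%02hu.%03hu UTC\r\n",
                                               szDayOfWeek[st.wDayOfWeek],
                                               st.wYear, st.wMonth, st.wDay, st.wHour,
                                               st.wMinute, st.wSecond, st.wMilliseconds);
            break;

        case TAG_TYPE_STRING:
        case TAG_TYPE_STRINGREF:

            lpString = SdbGetStringTagPtr(lpdb, tiChild);

            if (lpString == NULL)
            {
                bOutput &= PrintString(hOutput, L"\r\n");

                PrintConsole(hConsole,
                             L"SdbGetStringTagPtr() returned NULL for TAGID 0x%08lX\n",
                             tiChild);
            }
            else
            {
                // The string is written directly: PrintFormat() formats into
                // a buffer of 1024 characters, which a long string (a command
                // line, for example) does not fit into.
                bOutput &= PrintString(hOutput, L": ");
                bOutput &= PrintDirect(hOutput, lpString, (DWORD) lstrlenW(lpString));
                bOutput &= PrintString(hOutput, L"\r\n");
            }
            break;

        case TAG_TYPE_BYTE:
        case TAG_TYPE_BINARY:

            lpData = SdbGetBinaryTagData(lpdb, tiChild);
            dwData = SdbGetTagDataSize(lpdb, tiChild);

            if (lpData == NULL)
                dwData = 0;     // no data to read, whatever size is reported

            if ((dwData == sizeof(GUID))
             && ((tChild == TAG_EXE_ID)
              || (tChild == TAG_MSI_PACKAGE_ID)
              || (tChild == TAG_DATABASE_ID)
              || (tChild == TAG_CONTEXT_PLATFORM_ID)
              || (tChild == TAG_CONTEXT_BRANCH_ID)
              || (tChild == TAG_FIX_ID)
              || (tChild == TAG_APP_ID)))
                if (!SdbGUIDToString((LPGUID) lpData, szGUID))
                    PrintConsole(hConsole,
                                 L"SdbGUIDToString() returned FALSE!\n");
                else
                    bOutput &= PrintFormat(hOutput, L": %ls\r\n", szGUID);
            else if (tChild == TAG_PATCH_BITS)
            {
                bOutput &= PrintString(hOutput, L":\r\n");

                while (dwData > 0)
                {
                    // 'Opcode' and 'ActionSize' are the first two members
                    if (dwData < 2 * sizeof(DWORD))
                    {
                        PrintConsole(hConsole,
                                     L"Truncated \'PATCH_ACTION\' structure in TAGID 0x%08lX\n",
                                     tiChild);
                        break;
                    }

                    lpPatch = (LPPATCH_ACTION) lpData;

                    if ((lpPatch->Opcode == PATCH_STOP)
                     && (lpPatch->ActionSize == 0))
                        break;

                    // a size of 0 would never advance, a size greater than
                    // the remaining data would advance past its end
                    if ((lpPatch->ActionSize == 0)
                     || (lpPatch->ActionSize > dwData))
                    {
                        PrintConsole(hConsole,
                                     L"Malformed \'PATCH_ACTION\' structure in TAGID 0x%08lX\n",
                                     tiChild);
                        break;
                    }

                    dwAvailable = dwData;   // bytes readable from lpPatch on

                    dwData -= lpPatch->ActionSize;
                    lpData += lpPatch->ActionSize;

                    if ((lpPatch->Opcode != PATCH_REPLACE)
                     && (lpPatch->Opcode != PATCH_MATCH))
                        continue;

                    // the fixed part and the pattern must lie inside the data
                    if ((dwAvailable < FIELD_OFFSET(PATCH_ACTION, Pattern))
                     || (lpPatch->PatternSize > dwAvailable - FIELD_OFFSET(PATCH_ACTION, Pattern)))
                    {
                        PrintConsole(hConsole,
                                     L"Malformed \'PATCH_ACTION\' structure in TAGID 0x%08lX\n",
                                     tiChild);
                        break;
                    }

                    bOutput &= PrintFormat(hOutput,
                                           L"%ls Action = %lu (%ls)\r\n"
                                           L"%ls Module = %.32ls\r\n"
                                           L"%ls RVA = 0x%08lX\r\n"
                                           L"%ls Length = %lu\r\n"
                                           L"%ls Pattern = 0x",
                                           lpIndentPatch,
                                           lpPatch->Opcode,
                                           lpPatch->Opcode == PATCH_MATCH ? L"MATCH" : L"REPLACE",
                                           lpIndentPatch,
                                           lpPatch->ModuleName,
                                           lpIndentPatch,
                                           lpPatch->RVA,
                                           lpIndentPatch,
                                           lpPatch->PatternSize,
                                           lpIndentPatch);

                    for (dw = 0; dw < lpPatch->PatternSize; dw++)
                        bOutput &= PrintFormat(hOutput, L"%02X", lpPatch->Pattern[dw]);

                    bOutput &= PrintFormat(hOutput,
                                           L"\r\n"
                                           L"%ls Unknown = 0x%08lX\r\n",
                                           lpIndentPatch,
                                           lpPatch->Reserved);
                }
#if 0
                if (dwData != 8)
                    PrintConsole(hConsole,
                                 L"Sequence of \'PATCH_ACTION\' structures not properly terminated!\n");
#endif
            }
            else
            {
                if (dwData > 0)
                    bOutput &= PrintString(hOutput, L": 0x");

                for (dw = 0; dw < dwData; dw++)
                    bOutput &= PrintFormat(hOutput, L"%02X", lpData[dw]);

                bOutput &= PrintString(hOutput, L"\r\n");
            }
            break;

        case TAG_TYPE_LIST:

            bOutput &= PrintString(hOutput, L"\r\n");

            if (dwLevel >= dwMaxLevel)
                PrintConsole(hConsole,
                             L"Lists nested too deep: children of TAGID 0x%08lX skipped\n",
                             tiChild);
            else
                Children(hConsole, hOutput, lpdb, tiChild, dwLevel + 1);
            break;

        default:

            bOutput &= PrintString(hOutput, L"\r\n");

            PrintConsole(hConsole,
                         L"Undefined TAG_TYPE 0x%04hX for TAGID 0x%08lX\n",
                         tChild, tiChild);
        }

        tiChild = SdbGetNextChild(lpdb, tiParent, tiChild);
    }

    // bOutput accumulates the results of all writes of this level
    if (!bOutput)
        PrintConsole(hConsole,
                     L"WriteFile() returned error %lu for level %lu\n",
                     GetLastError(), dwLevel);
}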
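// Entry point of the program (named with /ENTRY:wmainCRTStartup, no C
// runtime is used): expects exactly one argument, the file or path name of
// a shim database, and prints the decoded database to standard output,
// which must be redirected to a file or a pipe; diagnostic messages go to
// the console through the standard error handle.
//
// The process exit code is a Win32 error code, ERROR_SUCCESS when the
// database could be opened and the header line was written.
__declspec(noreturn)
VOID WINAPI wmainCRTStartup(VOID)
{
    PDB     lpdb;
    LPWSTR  *lpArguments;
    INT     nArguments;
    DWORD   dwError = ERROR_BAD_ARGUMENTS;
    // initialised since both are printed even when SdbGetDatabaseVersion()
    // fails and leaves them untouched
    DWORD   dwMajor = 0, dwMinor = 0;
    HANDLE  hOutput;
    HANDLE  hConsole = GetStdHandle(STD_ERROR_HANDLE);

    if (hConsole == INVALID_HANDLE_VALUE)
        dwError = GetLastError();
    else
    {
        lpArguments = CommandLineToArgvW(GetCommandLine(), &nArguments);

        if (lpArguments == NULL)
            PrintConsole(hConsole,
                         L"CommandLineToArgv() returned error %lu\n",
                         dwError = GetLastError());
        else
        {
            if (nArguments != 2)
                PrintConsole(hConsole,
                             L"Bad arguments: a single file or path name of a shim database must be given!\n");
            else
            {
                hOutput = GetStdHandle(STD_OUTPUT_HANDLE);

                if (hOutput == INVALID_HANDLE_VALUE)
                    PrintConsole(hConsole,
                                 L"GetStdHandle() returned error %lu\n",
                                 dwError = GetLastError());
                else
                {
                    // FlushFileBuffers() serves as test whether standard
                    // output is redirected
                    if (!FlushFileBuffers(hOutput))
                        PrintConsole(hConsole,
                                     L"FlushFileBuffers() returned error %lu: standard output is not redirected to a file!\n",
                                     dwError = GetLastError());
                    else
                    {
                        dwError = ERROR_SUCCESS;

                        if (SdbGetDatabaseVersion(lpArguments[1], &dwMajor, &dwMinor))
                            PrintConsole(hConsole,
                                         L"Shim database version: %lu.%lu\n",
                                         dwMajor, dwMinor);

                        lpdb = SdbOpenDatabase(lpArguments[1], DOS_PATH);

                        if (lpdb == NULL)
                        {
                            // report the failure to the caller too, not
                            // only on the console
                            dwError = ERROR_OPEN_FAILED;

                            PrintConsole(hConsole,
                                         L"SdbOpenDatabase() returned NULL for file \'%ls\'\n",
                                         lpArguments[1]);
                        }
                        else
                        {
                            if (!PrintFormat(hOutput,
                                             L"\xFEFF"  // UTF-16LE BOM
                                             L"Shim database file:\t%ls\r\n"
                                             L"Shim database version:\t%lu.%lu\r\n"
                                             L"\r\n"
                                             L"TAGID\t\tTAG = TAGSTRING: TAGVALUE\r\n"
                                             L"\r\n",
                                             lpArguments[1],
                                             dwMajor, dwMinor))
                                PrintConsole(hConsole,
                                             L"WriteFile() returned error %lu\n",
                                             dwError = GetLastError());

                            Children(hConsole, hOutput, lpdb, TAGID_ROOT, 0);

                            SdbCloseDatabase(lpdb);
                        }
                    }

                    if (!CloseHandle(hOutput))
                        PrintConsole(hConsole,
                                     L"CloseHandle() returned error %lu\n",
                                     GetLastError());
                }
            }

            // LocalFree() returns NULL on success
            if (LocalFree(lpArguments) != NULL)
                PrintConsole(hConsole,
                             L"LocalFree() returned error %lu\n",
                             GetLastError());
        }

        if (!CloseHandle(hConsole))
            PrintConsole(hConsole,
                         L"CloseHandle() returned error %lu\n",
                         GetLastError());
    }

    ExitProcess(dwError);
}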
#else // _DLL
// Stubs, compiled only when the macro _DLL is defined, which is the case in
// the first build step (option /MD). They are never executed: that build
// step only needs a DLL exporting these names, so the linker generates the
// import library APPHELP.LIB as by-product; the DLL itself is erased
// afterwards.
// NOTE(review): with /Gz the stubs use the __stdcall calling convention; the
//               parameter lists appear chosen so that the total size of the
//               arguments matches the real prototypes (a 'long long' where
//               the real function takes a QWORD) -- keep them in sync with
//               the prototypes of the other branch when one is changed.
__declspec(dllexport)
long SdbCloseDatabase(void *_1)
{ return 0; }
__declspec(dllexport)
long SdbGetBinaryTagData(void *_1, long _2)
{ return 0; }
__declspec(dllexport)
long SdbGetDatabaseVersion(void *_1, void *_2, void *_3)
{ return 0; }
__declspec(dllexport)
long SdbGetFirstChild(void *_1, long _2)
{ return 0; }
__declspec(dllexport)
long SdbGetNextChild(void *_1, long _2, long _3)
{ return 0; }
__declspec(dllexport)
long SdbGetStringTagPtr(void *_1, long _2)
{ return 0; }
__declspec(dllexport)
long SdbGetTagDataSize(void *_1, long _2)
{ return 0; }
__declspec(dllexport)
long SdbGetTagFromTagID(void *_1, long _2)
{ return 0; }
__declspec(dllexport)
long SdbGUIDToString(void *_1, void *_2)
{ return 0; }
__declspec(dllexport)
long SdbOpenDatabase(void *_1, long _2)
{ return 0; }
__declspec(dllexport)
long SdbReadDWORDTag(void *_1, long _2, long _3)
{ return 0; }
__declspec(dllexport)
long SdbReadQWORDTag(void *_1, long _2, long long _3)
{ return 0; }
__declspec(dllexport)
long SdbReadWORDTag(void *_1, long _2, short _3)
{ return 0; }
__declspec(dllexport)
long SdbTagToString(short _1)
{ return 0; }
#endif // _DLL
Run the following four command lines to compile the source file
APPHELP.C
created in step 1. a first time,
generate the import library APPHELP.LIB
from the
compiled object file APPHELP.OBJ
and cleanup
afterwards:
SET CL=/Gz /LD /MD /W4 /wd4100 /X /Zl
SET LINK=/EXPORT:SdbCloseDatabase /EXPORT:SdbGetBinaryTagData /EXPORT:SdbGetDatabaseVersion /EXPORT:SdbGetFirstChild /EXPORT:SdbGetNextChild /EXPORT:SdbGetStringTagPtr /EXPORT:SdbGetTagDataSize /EXPORT:SdbGetTagFromTagID /EXPORT:SdbGUIDToString /EXPORT:SdbOpenDatabase /EXPORT:SdbReadDWORDTag /EXPORT:SdbReadQWORDTag /EXPORT:SdbReadWORDTag /EXPORT:SdbTagToString /NODEFAULTLIB /NOENTRY
CL.EXE APPHELP.C
ERASE APPHELP.DLL APPHELP.EXP APPHELP.OBJ
For details and reference see the MSDN articles Compiler Options and Linker Options.
Note: if necessary, see the
MSDN article
Use the Microsoft C++ toolset from the command line
for an introduction.
Note: the command lines can be copied and pasted as block into a Command Processor window!
Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86 Copyright (C) Microsoft Corporation. All rights reserved. APPHELP.C Microsoft (R) Incremental Linker Version 10.00.40219.386 Copyright (C) Microsoft Corporation. All rights reserved. … Creating library APPHELP.lib and object APPHELP.exp
Run the following four command lines to compile the source file
APPHELP.C
created in step 1. a second time, link
the compiled object file APPHELP.OBJ
with the import
library APPHELP.LIB
generated in step 2. and
cleanup afterwards:
SET CL=/GAFS /Gy /O1isy /W4 /Zl
SET LINK=/DEFAULTLIB:APPHELP.LIB /DEFAULTLIB:KERNEL32.LIB /DEFAULTLIB:SHELL32.LIB /DEFAULTLIB:USER32.LIB /ENTRY:wmainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /OSVERSION:5.1 /RELEASE /SUBSYSTEM:CONSOLE /SWAPRUN:CD,NET /VERSION:0.815
CL.EXE /FeAPPHELP.COM APPHELP.C
ERASE APPHELP.OBJ
For details and reference see the MSDN articles Compiler Options and Linker Options.
Note: if necessary, see the
MSDN article
Use the Microsoft C++ toolset from the command line
for an introduction.
Note: the command lines can be copied and pasted as block into a Command Processor window!
Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86 Copyright (C) Microsoft Corporation. All rights reserved. APPHELP.C APPHELP.C(222) : warning C4213: nonstandard extension used : cast on l-value APPHELP.C(274) : warning C4310: cast truncates constant value Microsoft (R) Incremental Linker Version 10.00.40219.386 Copyright (C) Microsoft Corporation. All rights reserved. …
Create the text file APPHELP.TXT
with the following
content in an arbitrary, preferably empty directory:
4d 5a 90 00 01 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
d0 00 00 00 43 00 00 00 40 00 00 00 00 00 00 00 ....C...@.......
00 00 00 00 19 57 04 27 00 00 00 00 00 00 00 00 .....W.'........
00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 00 ................
28 43 29 6f 70 79 72 69 67 68 74 20 32 30 30 34 (C)opyright 2004
2d 32 30 32 33 2c 20 53 74 65 66 61 6e 20 4b 61 -2023, Stefan Ka
6e 74 68 61 6b 20 3c 73 74 65 66 61 6e 2e 6b 61 nthak <stefan.ka
6e 74 68 61 6b 40 6e 65 78 67 6f 2e 64 65 3e 0d nthak@nexgo.de>.
0a 07 24 0e 1f 33 d2 b4 09 cd 21 b8 01 4c cd 21 ..$..3....!..L.!
50 45 00 00 4c 01 02 00 56 4f 49 44 00 00 00 00 PE..L...VOID....
00 00 00 00 e0 00 23 0d 0b 01 0a 00 00 0a 00 00 ......#.........
00 10 00 00 00 00 00 00 a1 15 00 00 00 10 00 00 ................
00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00 . ....@.........
05 00 01 00 00 00 2f 03 05 00 01 00 00 00 00 00 ....../.........
00 30 00 00 00 02 00 00 4b bd 00 00 03 00 00 85 .0......K.......
00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 ................
00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ................
78 2c 00 00 50 00 00 00 00 00 00 00 00 00 00 00 x,..P...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 10 2c 00 00 40 00 00 00 .........,..@...
00 00 00 00 00 00 00 00 00 20 00 00 78 00 00 00 ......... ..x...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 2e 63 6f 64 65 00 00 00 .........code...
0c 09 00 00 00 10 00 00 00 0a 00 00 00 02 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 ............ ..`
2e 63 6f 6e 73 74 00 00 48 0f 00 00 00 20 00 00 .const..H.... ..
00 10 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 ....@..@........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
55 8b ec 81 ec 08 08 00 00 56 8d 45 10 50 ff 75 U........V.E.P.u
0c 8d 85 f8 f7 ff ff 50 ff 15 70 20 40 00 8b f0 .......P..p @...
85 f6 75 04 33 c0 eb 23 6a 00 8d 45 fc 50 56 8d ..u.3..#j..E.PV.
85 f8 f7 ff ff 50 ff 75 08 ff 15 3c 20 40 00 85 .....P.u...< @..
c0 74 e1 33 c0 39 75 fc 0f 94 c0 5e c9 c3 55 8b .t.3.9u....^..U.
ec 81 ec 08 08 00 00 8d 45 10 50 ff 75 0c 8d 85 ........E.P.u...
f8 f7 ff ff 50 ff 15 70 20 40 00 85 c0 75 02 c9 ....P..p @...u..
c3 56 57 8d 3c 00 8d b5 f8 f7 ff ff 6a 00 8d 45 .VW.<.......j..E
fc 50 57 56 ff 75 08 ff 15 40 20 40 00 85 c0 74 .PWV.u...@ @...t
0f 03 75 fc 2b 7d fc 75 e3 33 c0 40 5f 5e c9 c3 ..u.+}.u.3.@_^..
33 c0 eb f8 55 8b ec 56 8b 75 10 57 8b 7d 0c 03 3...U..V.u.W.}..
f6 6a 00 8d 45 10 50 56 57 ff 75 08 ff 15 40 20 .j..E.PVW.u...@
40 00 85 c0 74 11 03 7d 10 2b 75 10 75 e3 33 c0 @...t..}.+u.u.3.
40 5f 5e 5d c2 0c 00 33 c0 eb f6 55 8b ec 83 ec @_^]...3...U....
7c ff 75 14 c7 45 fc 01 00 00 00 ff 75 10 ff 15 |.u..E......u...
28 20 40 00 89 45 f8 85 c0 0f 84 9e 04 00 00 8b ( @..E..........
45 18 53 03 c0 c7 45 f4 d6 28 40 00 29 45 f4 56 E.S...E..(@.)E.V
57 ff 75 f8 ff 75 10 ff 15 24 20 40 00 0f b7 f8 W.u..u...$ @....
57 8b f7 ff 15 20 20 40 00 8b 5d 0c 50 56 ff 75 W.... @..].PV.u
f4 ff 75 f8 68 94 28 40 00 53 e8 0f ff ff ff 21 ..u.h.(@.S.....!
45 fc 8b c6 25 00 f0 00 00 b9 00 50 00 00 83 c4 E...%......P....
18 3b c1 0f 87 ac 01 00 00 0f 84 11 01 00 00 3d .;.............=
00 10 00 00 74 34 3d 00 20 00 00 0f 84 e5 01 00 ....t4=. .......
00 3d 00 30 00 00 0f 84 cc 00 00 00 3d 00 40 00 .=.0........=.@.
00 0f 85 a6 01 00 00 6a ff ff 75 f8 ff 75 10 ff .......j..u..u..
15 1c 20 40 00 83 f8 ff 75 12 6a 02 68 8c 28 40 .. @....u.j.h.(@
00 53 e8 fd fe ff ff e9 ad 03 00 00 b9 1d 40 00 .S............@.
00 66 3b f9 74 11 41 66 3b f9 74 0b 50 68 74 28 .f;.t.Af;.t.Pht(
40 00 e9 89 03 00 00 b9 80 96 98 00 f7 e1 05 00 @...............
80 3e d5 81 d2 de b1 9d 01 89 45 e4 89 55 e8 8d .>........E..U..
45 d4 50 8d 45 e4 50 ff 15 48 20 40 00 85 c0 75 E.P.E.P..H @...u
16 ff 15 44 20 40 00 50 68 48 28 40 00 68 14 28 ...D @.PhH(@.h.(
40 00 e9 3f 01 00 00 0f b7 45 e2 50 0f b7 45 e0 @..?.....E.P..E.
50 0f b7 45 de 50 0f b7 45 dc 50 0f b7 45 da 50 P..E.P..E.P..E.P
0f b7 45 d6 50 0f b7 45 d4 50 0f b7 45 d8 ff 34 ..E.P..E.P..E..4
85 c8 20 40 00 68 a0 27 40 00 53 e8 0e fe ff ff .. @.h.'@.S.....
83 c4 28 e9 11 03 00 00 68 ff ff 00 00 ff 75 f8 ..(.....h.....u.
ff 75 10 ff 15 18 20 40 00 0f b7 c0 83 f8 ff 0f .u.... @........
84 35 ff ff ff 50 68 84 27 40 00 e9 e0 02 00 00 .5...Ph.'@......
6a ff 6a ff ff 75 f8 ff 75 10 ff 15 14 20 40 00 j.j..u..u.... @.
8b c8 23 ca 89 45 e4 89 55 e8 83 f9 ff 0f 84 07 ..#..E..U.......
ff ff ff b9 02 50 00 00 66 3b f9 74 3b 41 66 3b .....P..f;.t;Af;
f9 74 35 b9 06 50 00 00 66 3b f9 74 2b 83 c1 07 .t5..P..f;.t+...
66 3b f9 74 23 b9 01 50 00 00 66 3b f9 0f 84 1c f;.t#..P..f;....
ff ff ff 52 50 68 64 27 40 00 53 e8 7e fd ff ff ...RPhd'@.S.~...
83 c4 10 e9 81 02 00 00 0f b7 c8 51 8b ca 0f ac ...........Q....
c8 10 0f b7 c0 50 0f b7 45 e8 50 c1 ea 10 52 68 .....P..E.P...Rh
3c 27 40 00 53 c1 e9 10 e8 51 fd ff ff 83 c4 18 <'@.S....Q......
e9 54 02 00 00 3d 00 60 00 00 0f 84 2e 02 00 00 .T...=.`........
3d 00 70 00 00 0f 84 fd 01 00 00 3d 00 80 00 00 =.p........=....
0f 84 18 02 00 00 3d 00 90 00 00 74 29 6a 02 68 ......=....t)j.h
8c 28 40 00 53 e8 6a fd ff ff ff 75 f8 21 45 fc .(@.S.j....u.!E.
56 68 e0 26 40 00 ff 75 08 e8 b2 fc ff ff 83 c4 Vh.&@..u........
10 e9 06 02 00 00 ff 75 f8 ff 75 10 ff 15 10 20 .......u..u....
40 00 ff 75 f8 8b d8 ff 75 10 ff 15 0c 20 40 00 @..u....u.... @.
8b f0 89 75 f0 83 fe 10 75 72 b8 04 90 00 00 66 ...u....ur.....f
3b f8 74 34 83 c0 02 66 3b f8 74 2c b8 07 90 00 ;.t4...f;.t,....
00 66 3b f8 74 22 40 66 3b f8 74 1c b8 09 90 00 .f;.t"@f;.t.....
00 66 3b f8 74 12 83 c0 07 66 3b f8 74 0a b8 11 .f;.t....f;.t...
90 00 00 66 3b f8 75 34 8d 45 84 50 53 ff 15 08 ...f;.u4.E.PS...
20 40 00 85 c0 75 14 68 98 26 40 00 ff 75 08 e8 @...u.h.&@..u..
2c fc ff ff 59 59 e9 81 01 00 00 8d 45 84 50 68 ,...YY......E.Ph
88 26 40 00 ff 75 0c e9 65 01 00 00 b8 02 90 00 .&@..u..e.......
00 66 3b f8 0f 85 d5 00 00 00 6a 03 68 80 26 40 .f;.......j.h.&@
00 ff 75 0c e8 9b fc ff ff 21 45 fc 85 f6 0f 84 ..u......!E.....
48 01 00 00 83 3b 00 8b f3 75 0a 83 7b 04 00 0f H....;...u..{...
84 37 01 00 00 8b 43 04 8b 0e 29 45 f0 03 d8 89 .7....C...)E....
5d ec 83 f9 02 74 09 83 f9 04 0f 85 80 00 00 00 ]....t..........
ba 74 26 40 00 83 f9 04 74 05 ba 64 26 40 00 8b .t&@....t..d&@..
45 18 03 c0 bf d2 28 40 00 2b f8 57 ff 76 08 8d E.....(@.+.W.v..
46 14 57 ff 76 0c 57 50 57 52 51 57 68 90 25 40 F.W.v.WPWRQWh.%@
00 ff 75 0c e8 d5 fb ff ff 21 45 fc 33 db 83 c4 ..u......!E.3...
30 39 5e 08 76 20 0f b6 44 1e 54 6a 02 8d 04 85 09^.v ..D.Tj....
e8 20 40 00 50 ff 75 0c e8 07 fc ff ff 21 45 fc . @.P.u......!E.
43 3b 5e 08 72 e0 ff 76 10 57 68 58 25 40 00 ff C;^.r..v.WhX%@..
75 0c e8 97 fb ff ff 8b 5d ec 83 c4 10 21 45 fc u.......]....!E.
83 7d f0 00 0f 87 4a ff ff ff e9 8d 00 00 00 85 .}....J.........
f6 74 12 6a 04 68 4c 25 40 00 ff 75 0c e8 c2 fb .t.j.hL%@..u....
ff ff 21 45 fc 33 ff 85 f6 74 1e 0f b6 04 1f 6a ..!E.3...t.....j
02 8d 04 85 e8 20 40 00 50 ff 75 0c e8 a3 fb ff ..... @.P.u.....
ff 21 45 fc 47 3b fe 72 e2 6a 02 68 8c 28 40 00 .!E.G;.r.j.h.(@.
ff 75 0c e9 8a fc ff ff 6a 02 68 8c 28 40 00 53 .u......j.h.(@.S
e8 7f fb ff ff 21 45 fc 8b 45 18 40 50 ff 75 f8 .....!E..E.@P.u.
ff 75 10 53 ff 75 08 e8 9f fb ff ff eb 1e ff 75 .u.S.u.........u
f8 ff 75 10 ff 15 04 20 40 00 50 68 88 26 40 00 ..u.... @.Ph.&@.
53 e8 f8 fa ff ff 83 c4 0c 21 45 fc ff 75 f8 ff S........!E..u..
75 14 ff 75 10 ff 15 00 20 40 00 89 45 f8 85 c0 u..u.... @..E...
0f 85 9b fb ff ff 5f 5e 5b 39 45 fc 75 1f ff 75 ......_^[9E.u..u
18 ff 15 44 20 40 00 50 68 38 25 40 00 68 e8 24 ...D @.Ph8%@.h.$
40 00 ff 75 08 e8 66 fa ff ff 83 c4 14 c9 c2 14 @..u..f.........
00 83 ec 18 55 57 6a f4 bd a0 00 00 00 ff 15 60 ....UWj........`
20 40 00 8b f8 83 ff ff 75 0d ff 15 44 20 40 00 @......u...D @.
8b e8 e9 a4 01 00 00 53 56 8d 44 24 24 50 ff 15 .......SV.D$$P..
5c 20 40 00 50 e8 9a 01 00 00 8b 35 44 20 40 00 \ @.P......5D @.
89 44 24 10 85 c0 75 14 ff d6 8b e8 55 68 e0 2b .D$...u.....Uh.+
40 00 bb 14 28 40 00 e9 46 01 00 00 83 7c 24 24 @...(@..F....|$$
02 bb 14 28 40 00 74 12 68 48 2b 40 00 57 e8 ed ...(@.t.hH+@.W..
f9 ff ff 59 59 e9 12 01 00 00 6a f5 ff 15 60 20 ...YY.....j...`
40 00 89 44 24 14 83 f8 ff 75 0f ff d6 8b e8 55 @..D$....u.....U
68 2c 2b 40 00 e9 e8 00 00 00 50 ff 15 58 20 40 h,+@......P..X @
00 85 c0 75 11 ff d6 8b e8 55 68 08 2b 40 00 68 ...u.....Uh.+@.h
78 2a 40 00 eb 5b 8d 44 24 18 50 8d 44 24 20 50 x*@..[.D$.P.D$ P
8b 44 24 18 ff 70 04 33 ed ff 15 34 20 40 00 85 .D$..p.3...4 @..
c0 74 16 ff 74 24 18 ff 74 24 20 68 38 2a 40 00 .t..t$..t$ h8*@.
57 e8 7a f9 ff ff 83 c4 10 8b 44 24 10 6a 00 ff W.z.......D$.j..
70 04 ff 15 30 20 40 00 89 44 24 20 85 c0 8b 44 p...0 @..D$ ...D
24 10 75 18 ff 70 04 68 18 2a 40 00 68 d0 29 40 $.u..p.h.*@.h.)@
00 57 e8 49 f9 ff ff 83 c4 10 eb 50 ff 74 24 18 .W.I.......P.t$.
ff 74 24 20 ff 70 04 68 08 29 40 00 ff 74 24 24 .t$ .p.h.)@..t$$
e8 79 f9 ff ff 83 c4 14 85 c0 75 14 ff d6 8b e8 .y........u.....
55 68 38 25 40 00 53 57 e8 13 f9 ff ff 83 c4 10 Uh8%@.SW........
6a 00 6a 00 ff 74 24 28 ff 74 24 20 57 e8 d9 f9 j.j..t$(.t$ W...
ff ff ff 74 24 20 ff 15 2c 20 40 00 ff 74 24 14 ...t$ .., @..t$.
ff 15 54 20 40 00 85 c0 75 12 ff d6 50 68 f0 28 ..T @...u...Ph.(
40 00 53 57 e8 d7 f8 ff ff 83 c4 10 ff 74 24 10 @.SW.........t$.
ff 15 50 20 40 00 85 c0 74 12 ff d6 50 68 dc 28 ..P @...t...Ph.(
40 00 53 57 e8 b7 f8 ff ff 83 c4 10 57 ff 15 54 @.SW........W..T
20 40 00 85 c0 75 12 ff d6 50 68 f0 28 40 00 53 @...u...Ph.(@.S
57 e8 9a f8 ff ff 83 c4 10 5e 5b 55 ff 15 4c 20 W........^[U..L
40 00 5f 5d 55 8b ec 51 8b 45 08 53 56 33 f6 57 @._]U..Q.E.SV3.W
8b f8 89 75 08 89 75 fc 39 75 0c 0f 84 6a 01 00 ...u..u.9u...j..
00 3b c6 0f 84 62 01 00 00 0f b7 08 66 3b ce 0f .;...b......f;..
84 56 01 00 00 83 f9 20 74 0a 83 f9 09 74 05 33 .V..... t....t.3
db 43 eb 02 33 db 39 75 08 75 2b 66 83 f9 20 74 .C..3.9u.u+f.. t
06 66 83 f9 09 75 1f 89 75 fc 83 c0 02 0f b7 08 .f...u..u.......
83 f9 20 74 f5 83 f9 09 74 f0 33 c9 66 39 30 0f .. t....t.3.f90.
95 c1 03 d9 eb 23 66 83 f9 5c 75 06 83 75 fc 01 .....#f..\u..u..
eb 14 39 75 fc 75 0c 66 83 f9 22 75 06 83 75 08 ..9u.u.f.."u..u.
01 eb 03 89 75 fc 83 c0 02 0f b7 08 66 3b ce 75 ....u.......f;.u
a5 2b c7 83 c0 02 d1 f8 8d 44 58 02 03 c0 50 6a .+.......DX...Pj
40 ff 15 68 20 40 00 8b f0 33 d2 3b f2 0f 84 d0 @..h @...3.;....
00 00 00 8d 44 9e 04 33 db 89 06 89 55 08 89 5d ....D..3....U..]
fc 83 7d 08 00 75 34 0f b7 0f 83 f9 20 74 05 83 ..}..u4..... t..
f9 09 75 27 33 d2 33 c9 66 89 08 83 c7 02 0f b7 ..u'3.3.f.......
0f 83 f9 20 74 f5 83 f9 09 74 f0 66 39 17 74 71 ... t....t.f9.tq
43 8b c7 89 5d fc 89 3c 9e eb 5c 0f b7 0f 83 f9 C...]..<..\.....
5c 75 03 42 eb 48 83 f9 22 75 41 6a 02 8d 5a 01 \u.B.H.."uAj..Z.
d1 eb 59 f7 db 03 f9 8d 04 58 f6 c2 01 74 0a 6a ..Y......X...t.j
22 5a 66 89 10 03 c1 eb 1c 83 7d 08 00 74 12 66 "Zf.......}..t.f
83 3f 22 75 0c 6a 22 5a 66 89 10 03 c1 03 f9 eb .?"u.j"Zf.......
04 83 75 08 01 8b 5d fc 33 d2 eb 0b 33 d2 66 89 ..u...].3...3.f.
08 83 c0 02 83 c7 02 66 83 3f 00 0f 85 60 ff ff .......f.?...`..
ff 33 c9 43 66 89 08 21 0c 9e 8b 45 0c 89 18 39 .3.Cf..!...E...9
4d 08 74 0f 68 a0 00 00 00 eb 02 6a 57 ff 15 64 M.t.h......jW..d
20 40 00 5f 8b c6 5e 5b c9 c2 08 00 00 00 00 00 @._..^[........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
40 2d 00 00 52 2d 00 00 68 2d 00 00 7a 2d 00 00 @-..R-..h-..z-..
8e 2d 00 00 a4 2d 00 00 b6 2d 00 00 c8 2d 00 00 .-...-...-...-..
da 2d 00 00 ec 2d 00 00 02 2e 00 00 16 2e 00 00 .-...-..........
2a 2e 00 00 3c 2e 00 00 00 00 00 00 60 2e 00 00 *...<.......`...
70 2e 00 00 7c 2e 00 00 8c 2e 00 00 a4 2e 00 00 p...|...........
b2 2e 00 00 be 2e 00 00 cc 2e 00 00 e0 2e 00 00 ................
f2 2e 00 00 02 2f 00 00 12 2f 00 00 00 00 00 00 ...../.../......
2e 2f 00 00 00 00 00 00 53 00 61 00 74 00 75 00 ./......S.a.t.u.
72 00 00 00 46 00 72 00 69 00 00 00 54 00 68 00 r...F.r.i...T.h.
75 00 72 00 73 00 00 00 57 00 65 00 64 00 6e 00 u.r.s...W.e.d.n.
65 00 73 00 00 00 00 00 54 00 75 00 65 00 73 00 e.s.....T.u.e.s.
00 00 00 00 4d 00 6f 00 6e 00 00 00 53 00 75 00 ....M.o.n...S.u.
6e 00 00 00 00 00 00 00 bc 20 40 00 b4 20 40 00 n........ @.. @.
a8 20 40 00 98 20 40 00 8c 20 40 00 84 20 40 00 . @.. @.. @.. @.
78 20 40 00 00 00 00 00 30 00 30 00 30 00 31 00 x @.....0.0.0.1.
30 00 32 00 30 00 33 00 30 00 34 00 30 00 35 00 0.2.0.3.0.4.0.5.
30 00 36 00 30 00 37 00 30 00 38 00 30 00 39 00 0.6.0.7.0.8.0.9.
30 00 41 00 30 00 42 00 30 00 43 00 30 00 44 00 0.A.0.B.0.C.0.D.
30 00 45 00 30 00 46 00 31 00 30 00 31 00 31 00 0.E.0.F.1.0.1.1.
31 00 32 00 31 00 33 00 31 00 34 00 31 00 35 00 1.2.1.3.1.4.1.5.
31 00 36 00 31 00 37 00 31 00 38 00 31 00 39 00 1.6.1.7.1.8.1.9.
31 00 41 00 31 00 42 00 31 00 43 00 31 00 44 00 1.A.1.B.1.C.1.D.
31 00 45 00 31 00 46 00 32 00 30 00 32 00 31 00 1.E.1.F.2.0.2.1.
32 00 32 00 32 00 33 00 32 00 34 00 32 00 35 00 2.2.2.3.2.4.2.5.
32 00 36 00 32 00 37 00 32 00 38 00 32 00 39 00 2.6.2.7.2.8.2.9.
32 00 41 00 32 00 42 00 32 00 43 00 32 00 44 00 2.A.2.B.2.C.2.D.
32 00 45 00 32 00 46 00 33 00 30 00 33 00 31 00 2.E.2.F.3.0.3.1.
33 00 32 00 33 00 33 00 33 00 34 00 33 00 35 00 3.2.3.3.3.4.3.5.
33 00 36 00 33 00 37 00 33 00 38 00 33 00 39 00 3.6.3.7.3.8.3.9.
33 00 41 00 33 00 42 00 33 00 43 00 33 00 44 00 3.A.3.B.3.C.3.D.
33 00 45 00 33 00 46 00 34 00 30 00 34 00 31 00 3.E.3.F.4.0.4.1.
34 00 32 00 34 00 33 00 34 00 34 00 34 00 35 00 4.2.4.3.4.4.4.5.
34 00 36 00 34 00 37 00 34 00 38 00 34 00 39 00 4.6.4.7.4.8.4.9.
34 00 41 00 34 00 42 00 34 00 43 00 34 00 44 00 4.A.4.B.4.C.4.D.
34 00 45 00 34 00 46 00 35 00 30 00 35 00 31 00 4.E.4.F.5.0.5.1.
35 00 32 00 35 00 33 00 35 00 34 00 35 00 35 00 5.2.5.3.5.4.5.5.
35 00 36 00 35 00 37 00 35 00 38 00 35 00 39 00 5.6.5.7.5.8.5.9.
35 00 41 00 35 00 42 00 35 00 43 00 35 00 44 00 5.A.5.B.5.C.5.D.
35 00 45 00 35 00 46 00 36 00 30 00 36 00 31 00 5.E.5.F.6.0.6.1.
36 00 32 00 36 00 33 00 36 00 34 00 36 00 35 00 6.2.6.3.6.4.6.5.
36 00 36 00 36 00 37 00 36 00 38 00 36 00 39 00 6.6.6.7.6.8.6.9.
36 00 41 00 36 00 42 00 36 00 43 00 36 00 44 00 6.A.6.B.6.C.6.D.
36 00 45 00 36 00 46 00 37 00 30 00 37 00 31 00 6.E.6.F.7.0.7.1.
37 00 32 00 37 00 33 00 37 00 34 00 37 00 35 00 7.2.7.3.7.4.7.5.
37 00 36 00 37 00 37 00 37 00 38 00 37 00 39 00 7.6.7.7.7.8.7.9.
37 00 41 00 37 00 42 00 37 00 43 00 37 00 44 00 7.A.7.B.7.C.7.D.
37 00 45 00 37 00 46 00 38 00 30 00 38 00 31 00 7.E.7.F.8.0.8.1.
38 00 32 00 38 00 33 00 38 00 34 00 38 00 35 00 8.2.8.3.8.4.8.5.
38 00 36 00 38 00 37 00 38 00 38 00 38 00 39 00 8.6.8.7.8.8.8.9.
38 00 41 00 38 00 42 00 38 00 43 00 38 00 44 00 8.A.8.B.8.C.8.D.
38 00 45 00 38 00 46 00 39 00 30 00 39 00 31 00 8.E.8.F.9.0.9.1.
39 00 32 00 39 00 33 00 39 00 34 00 39 00 35 00 9.2.9.3.9.4.9.5.
39 00 36 00 39 00 37 00 39 00 38 00 39 00 39 00 9.6.9.7.9.8.9.9.
39 00 41 00 39 00 42 00 39 00 43 00 39 00 44 00 9.A.9.B.9.C.9.D.
39 00 45 00 39 00 46 00 41 00 30 00 41 00 31 00 9.E.9.F.A.0.A.1.
41 00 32 00 41 00 33 00 41 00 34 00 41 00 35 00 A.2.A.3.A.4.A.5.
41 00 36 00 41 00 37 00 41 00 38 00 41 00 39 00 A.6.A.7.A.8.A.9.
41 00 41 00 41 00 42 00 41 00 43 00 41 00 44 00 A.A.A.B.A.C.A.D.
41 00 45 00 41 00 46 00 42 00 30 00 42 00 31 00 A.E.A.F.B.0.B.1.
42 00 32 00 42 00 33 00 42 00 34 00 42 00 35 00 B.2.B.3.B.4.B.5.
42 00 36 00 42 00 37 00 42 00 38 00 42 00 39 00 B.6.B.7.B.8.B.9.
42 00 41 00 42 00 42 00 42 00 43 00 42 00 44 00 B.A.B.B.B.C.B.D.
42 00 45 00 42 00 46 00 43 00 30 00 43 00 31 00 B.E.B.F.C.0.C.1.
43 00 32 00 43 00 33 00 43 00 34 00 43 00 35 00 C.2.C.3.C.4.C.5.
43 00 36 00 43 00 37 00 43 00 38 00 43 00 39 00 C.6.C.7.C.8.C.9.
43 00 41 00 43 00 42 00 43 00 43 00 43 00 44 00 C.A.C.B.C.C.C.D.
43 00 45 00 43 00 46 00 44 00 30 00 44 00 31 00 C.E.C.F.D.0.D.1.
44 00 32 00 44 00 33 00 44 00 34 00 44 00 35 00 D.2.D.3.D.4.D.5.
44 00 36 00 44 00 37 00 44 00 38 00 44 00 39 00 D.6.D.7.D.8.D.9.
44 00 41 00 44 00 42 00 44 00 43 00 44 00 44 00 D.A.D.B.D.C.D.D.
44 00 45 00 44 00 46 00 45 00 30 00 45 00 31 00 D.E.D.F.E.0.E.1.
45 00 32 00 45 00 33 00 45 00 34 00 45 00 35 00 E.2.E.3.E.4.E.5.
45 00 36 00 45 00 37 00 45 00 38 00 45 00 39 00 E.6.E.7.E.8.E.9.
45 00 41 00 45 00 42 00 45 00 43 00 45 00 44 00 E.A.E.B.E.C.E.D.
45 00 45 00 45 00 46 00 46 00 30 00 46 00 31 00 E.E.E.F.F.0.F.1.
46 00 32 00 46 00 33 00 46 00 34 00 46 00 35 00 F.2.F.3.F.4.F.5.
46 00 36 00 46 00 37 00 46 00 38 00 46 00 39 00 F.6.F.7.F.8.F.9.
46 00 41 00 46 00 42 00 46 00 43 00 46 00 44 00 F.A.F.B.F.C.F.D.
46 00 45 00 46 00 46 00 25 00 6c 00 73 00 28 00 F.E.F.F.%.l.s.(.
29 00 20 00 72 00 65 00 74 00 75 00 72 00 6e 00 ). .r.e.t.u.r.n.
65 00 64 00 20 00 65 00 72 00 72 00 6f 00 72 00 e.d. .e.r.r.o.r.
20 00 25 00 6c 00 75 00 20 00 66 00 6f 00 72 00 .%.l.u. .f.o.r.
20 00 6c 00 65 00 76 00 65 00 6c 00 20 00 25 00 .l.e.v.e.l. .%.
6c 00 75 00 0a 00 00 00 57 00 72 00 69 00 74 00 l.u.....W.r.i.t.
65 00 46 00 69 00 6c 00 65 00 00 00 3a 00 20 00 e.F.i.l.e...:. .
30 00 78 00 00 00 00 00 0d 00 0a 00 25 00 6c 00 0.x.........%.l.
73 00 20 00 55 00 6e 00 6b 00 6e 00 6f 00 77 00 s. .U.n.k.n.o.w.
6e 00 20 00 3d 00 20 00 30 00 78 00 25 00 30 00 n. .=. .0.x.%.0.
38 00 6c 00 58 00 0d 00 0a 00 00 00 00 00 00 00 8.l.X...........
25 00 6c 00 73 00 20 00 41 00 63 00 74 00 69 00 %.l.s. .A.c.t.i.
6f 00 6e 00 20 00 20 00 3d 00 20 00 25 00 6c 00 o.n. . .=. .%.l.
75 00 20 00 28 00 25 00 6c 00 73 00 29 00 0d 00 u. .(.%.l.s.)...
0a 00 25 00 6c 00 73 00 20 00 4d 00 6f 00 64 00 ..%.l.s. .M.o.d.
75 00 6c 00 65 00 20 00 20 00 3d 00 20 00 25 00 u.l.e. . .=. .%.
2e 00 33 00 32 00 6c 00 73 00 0d 00 0a 00 25 00 ..3.2.l.s.....%.
6c 00 73 00 20 00 52 00 56 00 41 00 20 00 20 00 l.s. .R.V.A. . .
20 00 20 00 20 00 3d 00 20 00 30 00 78 00 25 00 . . .=. .0.x.%.
30 00 38 00 6c 00 58 00 0d 00 0a 00 25 00 6c 00 0.8.l.X.....%.l.
73 00 20 00 4c 00 65 00 6e 00 67 00 74 00 68 00 s. .L.e.n.g.t.h.
20 00 20 00 3d 00 20 00 25 00 6c 00 75 00 0d 00 . .=. .%.l.u...
0a 00 25 00 6c 00 73 00 20 00 50 00 61 00 74 00 ..%.l.s. .P.a.t.
74 00 65 00 72 00 6e 00 20 00 3d 00 20 00 30 00 t.e.r.n. .=. .0.
78 00 00 00 52 00 45 00 50 00 4c 00 41 00 43 00 x...R.E.P.L.A.C.
45 00 00 00 4d 00 41 00 54 00 43 00 48 00 00 00 E...M.A.T.C.H...
3a 00 0d 00 0a 00 00 00 3a 00 20 00 25 00 6c 00 :.......:. .%.l.
73 00 0d 00 0a 00 00 00 53 00 64 00 62 00 47 00 s.......S.d.b.G.
55 00 49 00 44 00 54 00 6f 00 53 00 74 00 72 00 U.I.D.T.o.S.t.r.
69 00 6e 00 67 00 28 00 29 00 20 00 72 00 65 00 i.n.g.(.). .r.e.
74 00 75 00 72 00 6e 00 65 00 64 00 20 00 46 00 t.u.r.n.e.d. .F.
41 00 4c 00 53 00 45 00 21 00 0a 00 00 00 00 00 A.L.S.E.!.......
55 00 6e 00 64 00 65 00 66 00 69 00 6e 00 65 00 U.n.d.e.f.i.n.e.
64 00 20 00 54 00 41 00 47 00 5f 00 54 00 59 00 d. .T.A.G._.T.Y.
50 00 45 00 20 00 30 00 78 00 25 00 30 00 34 00 P.E. .0.x.%.0.4.
68 00 58 00 20 00 66 00 6f 00 72 00 20 00 54 00 h.X. .f.o.r. .T.
41 00 47 00 49 00 44 00 20 00 30 00 78 00 25 00 A.G.I.D. .0.x.%.
30 00 38 00 6c 00 58 00 0a 00 00 00 3a 00 20 00 0.8.l.X.....:. .
25 00 68 00 75 00 2e 00 25 00 68 00 75 00 2e 00 %.h.u...%.h.u...
25 00 68 00 75 00 2e 00 25 00 68 00 75 00 0d 00 %.h.u...%.h.u...
0a 00 00 00 3a 00 20 00 30 00 78 00 25 00 30 00 ....:. .0.x.%.0.
31 00 36 00 49 00 36 00 34 00 58 00 0d 00 0a 00 1.6.I.6.4.X.....
00 00 00 00 3a 00 20 00 30 00 78 00 25 00 30 00 ....:. .0.x.%.0.
34 00 68 00 58 00 0d 00 0a 00 00 00 00 00 00 00 4.h.X...........
3a 00 20 00 25 00 6c 00 73 00 64 00 61 00 79 00 :. .%.l.s.d.a.y.
2c 00 20 00 25 00 30 00 34 00 68 00 75 00 2d 00 ,. .%.0.4.h.u.-.
25 00 30 00 32 00 68 00 75 00 2d 00 25 00 30 00 %.0.2.h.u.-.%.0.
32 00 68 00 75 00 20 00 25 00 30 00 32 00 68 00 2.h.u. .%.0.2.h.
75 00 3a 00 25 00 30 00 32 00 68 00 75 00 3a 00 u.:.%.0.2.h.u.:.
25 00 30 00 32 00 68 00 75 00 2e 00 25 00 30 00 %.0.2.h.u...%.0.
33 00 68 00 75 00 20 00 55 00 54 00 43 00 0d 00 3.h.u. .U.T.C...
0a 00 00 00 25 00 6c 00 73 00 28 00 29 00 20 00 ....%.l.s.(.). .
72 00 65 00 74 00 75 00 72 00 6e 00 65 00 64 00 r.e.t.u.r.n.e.d.
20 00 65 00 72 00 72 00 6f 00 72 00 20 00 25 00 .e.r.r.o.r. .%.
6c 00 75 00 0a 00 00 00 46 00 69 00 6c 00 65 00 l.u.....F.i.l.e.
54 00 69 00 6d 00 65 00 54 00 6f 00 53 00 79 00 T.i.m.e.T.o.S.y.
73 00 74 00 65 00 6d 00 54 00 69 00 6d 00 65 00 s.t.e.m.T.i.m.e.
00 00 00 00 3a 00 20 00 30 00 78 00 25 00 30 00 ....:. .0.x.%.0.
38 00 6c 00 58 00 0d 00 0a 00 00 00 0d 00 0a 00 8.l.X...........
00 00 00 00 30 00 78 00 25 00 30 00 38 00 6c 00 ....0.x.%.0.8.l.
58 00 25 00 6c 00 73 00 30 00 78 00 25 00 30 00 X.%.l.s.0.x.%.0.
34 00 68 00 58 00 20 00 3d 00 20 00 25 00 6c 00 4.h.X. .=. .%.l.
73 00 00 00 09 00 09 00 09 00 09 00 09 00 09 00 s...............
09 00 09 00 09 00 09 00 00 00 00 00 4c 00 6f 00 ............L.o.
63 00 61 00 6c 00 46 00 72 00 65 00 65 00 00 00 c.a.l.F.r.e.e...
43 00 6c 00 6f 00 73 00 65 00 48 00 61 00 6e 00 C.l.o.s.e.H.a.n.
64 00 6c 00 65 00 00 00 ff fe 53 00 68 00 69 00 d.l.e.....S.h.i.
6d 00 20 00 64 00 61 00 74 00 61 00 62 00 61 00 m. .d.a.t.a.b.a.
73 00 65 00 20 00 66 00 69 00 6c 00 65 00 3a 00 s.e. .f.i.l.e.:.
09 00 25 00 6c 00 73 00 0d 00 0a 00 53 00 68 00 ..%.l.s.....S.h.
69 00 6d 00 20 00 64 00 61 00 74 00 61 00 62 00 i.m. .d.a.t.a.b.
61 00 73 00 65 00 20 00 76 00 65 00 72 00 73 00 a.s.e. .v.e.r.s.
69 00 6f 00 6e 00 3a 00 09 00 25 00 6c 00 75 00 i.o.n.:...%.l.u.
2e 00 25 00 6c 00 75 00 0d 00 0a 00 0d 00 0a 00 ..%.l.u.........
54 00 41 00 47 00 49 00 44 00 09 00 09 00 54 00 T.A.G.I.D.....T.
41 00 47 00 20 00 20 00 20 00 20 00 3d 00 20 00 A.G. . . . .=. .
54 00 41 00 47 00 53 00 54 00 52 00 49 00 4e 00 T.A.G.S.T.R.I.N.
47 00 3a 00 20 00 54 00 41 00 47 00 56 00 41 00 G.:. .T.A.G.V.A.
4c 00 55 00 45 00 0d 00 0a 00 0d 00 0a 00 00 00 L.U.E...........
25 00 6c 00 73 00 28 00 29 00 20 00 72 00 65 00 %.l.s.(.). .r.e.
74 00 75 00 72 00 6e 00 65 00 64 00 20 00 4e 00 t.u.r.n.e.d. .N.
55 00 4c 00 4c 00 20 00 66 00 6f 00 72 00 20 00 U.L.L. .f.o.r. .
66 00 69 00 6c 00 65 00 20 00 27 00 25 00 6c 00 f.i.l.e. .'.%.l.
73 00 27 00 0a 00 00 00 53 00 64 00 62 00 4f 00 s.'.....S.d.b.O.
70 00 65 00 6e 00 44 00 61 00 74 00 61 00 62 00 p.e.n.D.a.t.a.b.
61 00 73 00 65 00 00 00 53 00 68 00 69 00 6d 00 a.s.e...S.h.i.m.
20 00 64 00 61 00 74 00 61 00 62 00 61 00 73 00 .d.a.t.a.b.a.s.
65 00 20 00 76 00 65 00 72 00 73 00 69 00 6f 00 e. .v.e.r.s.i.o.
6e 00 3a 00 20 00 25 00 6c 00 75 00 2e 00 25 00 n.:. .%.l.u...%.
6c 00 75 00 0a 00 00 00 25 00 6c 00 73 00 28 00 l.u.....%.l.s.(.
29 00 20 00 72 00 65 00 74 00 75 00 72 00 6e 00 ). .r.e.t.u.r.n.
65 00 64 00 20 00 65 00 72 00 72 00 6f 00 72 00 e.d. .e.r.r.o.r.
20 00 25 00 6c 00 75 00 3a 00 20 00 73 00 74 00 .%.l.u.:. .s.t.
61 00 6e 00 64 00 61 00 72 00 64 00 20 00 6f 00 a.n.d.a.r.d. .o.
75 00 74 00 70 00 75 00 74 00 20 00 69 00 73 00 u.t.p.u.t. .i.s.
20 00 6e 00 6f 00 74 00 20 00 72 00 65 00 64 00 .n.o.t. .r.e.d.
69 00 72 00 65 00 63 00 74 00 65 00 64 00 20 00 i.r.e.c.t.e.d. .
74 00 6f 00 20 00 61 00 20 00 66 00 69 00 6c 00 t.o. .a. .f.i.l.
65 00 21 00 0a 00 00 00 46 00 6c 00 75 00 73 00 e.!.....F.l.u.s.
68 00 46 00 69 00 6c 00 65 00 42 00 75 00 66 00 h.F.i.l.e.B.u.f.
66 00 65 00 72 00 73 00 00 00 00 00 47 00 65 00 f.e.r.s.....G.e.
74 00 53 00 74 00 64 00 48 00 61 00 6e 00 64 00 t.S.t.d.H.a.n.d.
6c 00 65 00 00 00 00 00 4e 00 6f 00 20 00 61 00 l.e.....N.o. .a.
72 00 67 00 75 00 6d 00 65 00 6e 00 74 00 3a 00 r.g.u.m.e.n.t.:.
20 00 61 00 20 00 73 00 69 00 6e 00 67 00 6c 00 .a. .s.i.n.g.l.
65 00 20 00 66 00 69 00 6c 00 65 00 20 00 6f 00 e. .f.i.l.e. .o.
72 00 20 00 70 00 61 00 74 00 68 00 20 00 6e 00 r. .p.a.t.h. .n.
61 00 6d 00 65 00 20 00 6f 00 66 00 20 00 61 00 a.m.e. .o.f. .a.
20 00 73 00 68 00 69 00 6d 00 20 00 64 00 61 00 .s.h.i.m. .d.a.
74 00 61 00 62 00 61 00 73 00 65 00 20 00 6d 00 t.a.b.a.s.e. .m.
75 00 73 00 74 00 20 00 62 00 65 00 20 00 67 00 u.s.t. .b.e. .g.
69 00 76 00 65 00 6e 00 21 00 0a 00 00 00 00 00 i.v.e.n.!.......
43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 4c 00 C.o.m.m.a.n.d.L.
69 00 6e 00 65 00 54 00 6f 00 41 00 72 00 67 00 i.n.e.T.o.A.r.g.
76 00 00 00 00 00 00 00 b9 79 37 9e 00 00 00 00 v........y7.....
68 00 00 00 45 54 41 44 10 00 00 00 00 00 00 00 h...ETAD........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 08 00 00 00 00 08 2c 40 00 .............,@.
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 c8 2c 00 00 00 00 00 00 .........,......
00 00 00 00 54 2e 00 00 00 20 00 00 04 2d 00 00 ....T.... ...-..
00 00 00 00 00 00 00 00 20 2f 00 00 3c 20 00 00 ........ /..< ..
38 2d 00 00 00 00 00 00 00 00 00 00 3c 2f 00 00 8-..........</..
70 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 p ..............
00 00 00 00 00 00 00 00 40 2d 00 00 52 2d 00 00 ........@-..R-..
68 2d 00 00 7a 2d 00 00 8e 2d 00 00 a4 2d 00 00 h-..z-...-...-..
b6 2d 00 00 c8 2d 00 00 da 2d 00 00 ec 2d 00 00 .-...-...-...-..
02 2e 00 00 16 2e 00 00 2a 2e 00 00 3c 2e 00 00 ........*...<...
00 00 00 00 60 2e 00 00 70 2e 00 00 7c 2e 00 00 ....`...p...|...
8c 2e 00 00 a4 2e 00 00 b2 2e 00 00 be 2e 00 00 ................
cc 2e 00 00 e0 2e 00 00 f2 2e 00 00 02 2f 00 00 ............./..
12 2f 00 00 00 00 00 00 2e 2f 00 00 00 00 00 00 ./......./......
1b 00 53 64 62 47 65 74 4e 65 78 74 43 68 69 6c ..SdbGetNextChil
64 00 1f 00 53 64 62 47 65 74 53 74 72 69 6e 67 d...SdbGetString
54 61 67 50 74 72 00 00 12 00 53 64 62 47 55 49 TagPtr....SdbGUI
44 54 6f 53 74 72 69 6e 67 00 20 00 53 64 62 47 DToString. .SdbG
65 74 54 61 67 44 61 74 61 53 69 7a 65 00 14 00 etTagDataSize...
53 64 62 47 65 74 42 69 6e 61 72 79 54 61 67 44 SdbGetBinaryTagD
61 74 61 00 2f 00 53 64 62 52 65 61 64 51 57 4f ata./.SdbReadQWO
52 44 54 61 67 00 31 00 53 64 62 52 65 61 64 57 RDTag.1.SdbReadW
4f 52 44 54 61 67 00 00 2e 00 53 64 62 52 65 61 ORDTag....SdbRea
64 44 57 4f 52 44 54 61 67 00 3a 00 53 64 62 54 dDWORDTag.:.SdbT
61 67 54 6f 53 74 72 69 6e 67 00 00 21 00 53 64 agToString..!.Sd
62 47 65 74 54 61 67 46 72 6f 6d 54 61 67 49 44 bGetTagFromTagID
00 00 18 00 53 64 62 47 65 74 46 69 72 73 74 43 ....SdbGetFirstC
68 69 6c 64 00 00 05 00 53 64 62 43 6c 6f 73 65 hild....SdbClose
44 61 74 61 62 61 73 65 00 00 2a 00 53 64 62 4f Database..*.SdbO
70 65 6e 44 61 74 61 62 61 73 65 00 16 00 53 64 penDatabase...Sd
62 47 65 74 44 61 74 61 62 61 73 65 56 65 72 73 bGetDatabaseVers
69 6f 6e 00 41 50 50 48 45 4c 50 2e 64 6c 6c 00 ion.APPHELP.dll.
24 05 57 72 69 74 65 43 6f 6e 73 6f 6c 65 57 00 $.WriteConsoleW.
25 05 57 72 69 74 65 46 69 6c 65 00 02 02 47 65 %.WriteFile...Ge
74 4c 61 73 74 45 72 72 6f 72 00 00 25 01 46 69 tLastError..%.Fi
6c 65 54 69 6d 65 54 6f 53 79 73 74 65 6d 54 69 leTimeToSystemTi
6d 65 00 00 19 01 45 78 69 74 50 72 6f 63 65 73 me....ExitProces
73 00 48 03 4c 6f 63 61 6c 46 72 65 65 00 52 00 s.H.LocalFree.R.
43 6c 6f 73 65 48 61 6e 64 6c 65 00 57 01 46 6c CloseHandle.W.Fl
75 73 68 46 69 6c 65 42 75 66 66 65 72 73 00 00 ushFileBuffers..
87 01 47 65 74 43 6f 6d 6d 61 6e 64 4c 69 6e 65 ..GetCommandLine
57 00 64 02 47 65 74 53 74 64 48 61 6e 64 6c 65 W.d.GetStdHandle
00 00 73 04 53 65 74 4c 61 73 74 45 72 72 6f 72 ..s.SetLastError
00 00 44 03 4c 6f 63 61 6c 41 6c 6c 6f 63 00 00 ..D.LocalAlloc..
4b 45 52 4e 45 4c 33 32 2e 64 6c 6c 00 00 35 03 KERNEL32.dll..5.
77 76 73 70 72 69 6e 74 66 57 00 00 55 53 45 52 wvsprintfW..USER
33 32 2e 64 6c 6c 00 00 00 00 00 00 00 00 00 00 32.dll..........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
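Decode the dump file APPHELP.TXT created in step 4. to recreate the console application Shim Database Decoder; before running the recreated APPHELP.COM, check that CertUtil reports the input and output lengths shown below: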
CERTUTIL.EXE /DecodeHex /V APPHELP.TXT APPHELP.COM
Input Length = 30464 Output Length = 7168 CertUtil: -decodehex command completed successfully.
WaitForDebugEvent()
ContinueDebugEvent()
DEBUG_EVENT
CREATE_PROCESS_DEBUG_INFO
CREATE_THREAD_DEBUG_INFO
EXIT_PROCESS_DEBUG_INFO
EXIT_THREAD_DEBUG_INFO
LOAD_DLL_DEBUG_INFO
UNLOAD_DLL_DEBUG_INFO
OUTPUT_DEBUG_STRING_INFO
RIP_INFO
EXCEPTION_DEBUG_INFO
EXCEPTION_RECORD
Process Functions for Debugging
Thread Functions for Debugging
Exception Handling Functions for Debugging
Debugger Exception Handling
DEBUGGER.COM [ ‹debuggee› ] ‹quoted command line›
Note: the optional first argument is the absolute or relative path name of the debuggee; when it is omitted, the first token of the single remaining argument, a properly quoted command line, is used as the file name of the debuggee and searched in the PATH.
CreateProcess()
Cmd.exe
as debuggee and use a 24 (in words: twenty-four) year-old bug to let it crash with an unhandled integer overflow exception raised from the division
~2147483647 ÷ ~0 = −2147483648 ÷ −1 = 2147483648, whose result exceeds the largest signed 32-bit integer, 2147483647:
VER .\DEBUGGER.COM "%COMSPEC%" "CMD /E:ON /D /C SET /A ~2147483647 % ~0"
Microsoft Windows [Version 6.1.7601] Command line: 'CMD /E:ON /D /C SET /A ~2147483647 % ~0' Application name: 'C:\Windows\system32\cmd.exe' Application type: 0 = 32-bit Windows DbgHelp API: Version = 4.0 Revision = 5 Reserved = 0 Debuggee process loaded from image file 'C:\Windows\SysWOW64\cmd.exe' Debuggee process version is 6.1 Debuggee process 5844 with primary thread 4632 created Process 5844 created with primary thread 4632: Symbol search path: . Process filename = C:\Windows\SysWOW64\cmd.exe Base address = 0x4AAB0000 Start address = 0x4AAB829A TEB address = 0x7EFDD000 DLL loaded in process 5844 by thread 4632: SymRefreshModuleList() returned error 0x8000000D DLL filename = ntdll.dll Base address = 0x770E0000 ntdll DLL unloaded from process 5844 by thread 4632: Base address = 0x76E00000 SymUnloadModule64() returned error 87 DLL unloaded from process 5844 by thread 4632: Base address = 0x76930000 SymUnloadModule64() returned error 87 DLL unloaded from process 5844 by thread 4632: Base address = 0x76E00000 SymUnloadModule64() returned error 87 DLL unloaded from process 5844 by thread 4632: Base address = 0x76D00000 SymUnloadModule64() returned error 87 DLL loaded in process 5844 by thread 4632: DLL filename = C:\Windows\syswow64\kernel32.dll Base address = 0x76930000 kernel32 DLL loaded in process 5844 by thread 4632: DLL filename = C:\Windows\syswow64\KERNELBASE.dll Base address = 0x75080000 KERNELBASE DLL loaded in process 5844 by thread 4632: DLL filename = C:\Windows\syswow64\ADVAPI32.DLL Base address = 0x749B0000 ADVAPI32 DLL loaded in process 5844 by thread 4632: DLL filename = C:\Windows\syswow64\msvcrt.dll Base address = 0x74F30000 msvcrt DLL loaded in process 5844 by thread 4632: DLL filename = C:\Windows\SysWOW64\sechost.dll Base address = 0x754F0000 sechost DLL loaded in process 5844 by thread 4632: DLL filename = C:\Windows\syswow64\RPCRT4.dll Base address = 0x76BC0000 RPCRT4 DLL loaded in process 5844 by thread 4632: DLL filename = 
C:\Windows\syswow64\SspiCli.dll Base address = 0x74800000 SspiCli DLL loaded in process 5844 by thread 4632: DLL filename = C:\Windows\syswow64\CRYPTBASE.dll Base address = 0x747F0000 CRYPTBASE DLL loaded in process 5844 by thread 4632: DLL filename = C:\Windows\SysWOW64\WINBRAND.dll Base address = 0x6BDE0000 WINBRAND DLL loaded in process 5844 by thread 4632: DLL filename = C:\Windows\syswow64\USER32.dll Base address = 0x75BB0000 USER32!Ordinal2451 DLL loaded in process 5844 by thread 4632: DLL filename = C:\Windows\syswow64\GDI32.dll Base address = 0x75320000 GDI32 DLL loaded in process 5844 by thread 4632: DLL filename = C:\Windows\syswow64\LPK.dll Base address = 0x75040000 LPK DLL loaded in process 5844 by thread 4632: DLL filename = C:\Windows\syswow64\USP10.dll Base address = 0x75270000 USP10 First chance exception in thread 4632 of process 5844: Description = Breakpoint Code = 0x80000003 Flags = 0x00000000 (continuable) Address = 0x771810A6 ntdll!LdrVerifyImageMatchesChecksum+0xF21 Parameters[1] = 0x00000000 Call stack: Address = 0x771810A7 ntdll!LdrVerifyImageMatchesChecksum+0xF22 Address = 0x77160FF3 ntdll!RtlUlonglongByteSwap+0x4283 Address = 0x77129F31 ntdll!RtlSetUnhandledExceptionFilter+0x50 Address = 0x77119799 ntdll!LdrInitializeThunk+0x10 DLL loaded in process 5844 by thread 4632: DLL filename = C:\Windows\SysWOW64\IMM32.DLL Base address = 0x753B0000 IMM32 DLL loaded in process 5844 by thread 4632: DLL filename = C:\Windows\syswow64\MSCTF.dll Base address = 0x74E60000 MSCTF First chance exception in thread 4632 of process 5844: Description = Breakpoint Code = 0x80000003 Flags = 0x00000000 (continuable) Address = 0x7715D315 ntdll!RtlUlonglongByteSwap+0x5A5 Parameters[1] = 0x00000000 Call stack: Address = 0x7711EA8E ntdll!wcspbrk+0x415 Address = 0x7715D3FF ntdll!RtlUlonglongByteSwap+0x68F Address = 0x75092E6A KERNELBASE!LoadLibraryExW+0x233 Address = 0x769B3B3F kernel32!LocalHandle+0x252 Address = 0x7696DE97 kernel32!CreateProcessAsUserW+0x952 Address 
= 0x75BCCE74 USER32!User32InitializeImmEntryTable+0xF40 Address = 0x75BC9D92 USER32!PostQuitMessage+0x2C5 Address = 0x75BCB98D USER32!UserClientDllInitialize+0x283 Address = 0x77119280 ntdll!RtlQueryEnvironmentVariable+0x241 Address = 0x7711FEB7 ntdll!LdrResSearchResource+0xA0D Address = 0x7712B474 ntdll!RtlGetNtVersionNumbers+0x9B Address = 0x77129F31 ntdll!RtlSetUnhandledExceptionFilter+0x50 Address = 0x77119799 ntdll!LdrInitializeThunk+0x10 First chance exception in thread 4632 of process 5844: Description = Integer overflow Code = 0xC0000095 Flags = 0x00000000 (continuable) Address = 0x4AAC5176 Call stack: Address = 0x4AABF5D9 Address = 0x4AABEF9D Address = 0x4AABEF33 Address = 0x4AABEED6 Address = 0x4AABEE79 Address = 0x4AABEE1C Address = 0x4AABEDF4 Address = 0x4AABECD1 Address = 0x4AABEC6C Address = 0x4AABEC1E Address = 0x4AABBD5B Address = 0x4AAB4385 Address = 0x4AAB22C0 Address = 0x4AAB7489 Address = 0x4AAB835E Address = 0x7694343D kernel32!BaseThreadInitThunk+0x12 Address = 0x77119812 ntdll!RtlInitializeExceptionChain+0x63 Address = 0x771197E5 ntdll!RtlInitializeExceptionChain+0x36 Last chance exception in thread 4632 of process 5844: Description = Integer overflow Code = 0xC0000095 Flags = 0x00000000 (continuable) Address = 0x4AAC5176 Process 5844 exited with thread 4632: Exit code = 0x000000FF Primary thread 4632 of debuggee process 5844 exited with code 0xC0000095 Primary thread times: Real = 9.2520945 s Kernel = 0.0312002 s User = 0.0000000 s Debuggee process 5844 exited with code 255 Debuggee process times: Real = 9.2520945 s Kernel = 0.0312002 s User = 0.0000000 s
Microsoft Windows [Version 10.0.19044.2486] Command line: 'CMD /E:ON /D /C SET /A ~2147483647 % ~0' Application name: 'C:\Windows\system32\cmd.exe' Application type: 0 = 32-bit Windows DbgHelp API: Version = 4.0 Revision = 5 Reserved = 0 Debuggee process loaded from image file 'C:\Windows\SysWOW64\cmd.exe' Debuggee process version is 10.0 Debuggee process 14052 with primary thread 11164 created Process 14052 created with primary thread 11164: Symbol search path: . Process filename = C:\Windows\SysWOW64\cmd.exe Base address = 0x00220000 Start address = 0x00236B20 TEB address = 0x02A5F000 DLL loaded in process 14052 by thread 11164: SymRefreshModuleList() returned error 0x8000000D ReadProcessMemory() returned error 299 Base address = 0x77AF0000 DLL loaded in process 14052 by thread 11164: DLL filename = C:\Windows\SysWOW64\KERNEL32.DLL Base address = 0x75B80000 KERNEL32 DLL loaded in process 14052 by thread 11164: DLL filename = C:\Windows\SysWOW64\KERNELBASE.dll Base address = 0x77890000 KERNELBASE DLL loaded in process 14052 by thread 11164: DLL filename = C:\Windows\SysWOW64\ADVAPI32.DLL Base address = 0x76AF0000 ADVAPI32 DLL loaded in process 14052 by thread 11164: DLL filename = C:\Windows\SysWOW64\msvcrt.dll Base address = 0x77710000 msvcrt DLL loaded in process 14052 by thread 11164: DLL filename = C:\Windows\SysWOW64\sechost.dll Base address = 0x77480000 sechost DLL loaded in process 14052 by thread 11164: DLL filename = C:\Windows\SysWOW64\RPCRT4.dll Base address = 0x75DC0000 RPCRT4 DLL loaded in process 14052 by thread 11164: DLL filename = C:\Windows\SysWOW64\combase.dll Base address = 0x75F10000 combase DLL loaded in process 14052 by thread 11164: DLL filename = C:\Windows\SysWOW64\ucrtbase.dll Base address = 0x75C70000 ucrtbase Thread 9304 created in process 14052: Start address = 0x77B259C0 ntdll!TpCallbackIndependent+0x140 TEB address = 0x02A62000 Thread 8732 created in process 14052: Start address = 0x77B259C0 ntdll!TpCallbackIndependent+0x140 TEB 
address = 0x02A65000 First chance exception in thread 11164 of process 14052: Description = Breakpoint Code = 0x80000003 Flags = 0x00000000 (continuable) Address = 0x77BA1EE2 ntdll!LdrInitShimEngineDynamic+0x6E2 Parameters[1] = 0x00000000 Call stack: Address = 0x77BA1EE3 ntdll!LdrInitShimEngineDynamic+0x6E3 Address = 0x77B9C431 ntdll!RtlCaptureStackContext+0x23501 Address = 0x77B56551 ntdll!LdrInitializeThunk+0x121 Address = 0x77B56441 ntdll!LdrInitializeThunk+0x11 First chance exception in thread 11164 of process 14052: Description = Integer overflow Code = 0xC0000095 Flags = 0x00000000 (continuable) Address = 0x0023F6C7 Call stack: Address = 0x00233063 Address = 0x00232E3D Address = 0x00232D7C Address = 0x00232D20 Address = 0x00232CC4 Address = 0x00232C68 Address = 0x00232F8F Address = 0x00232DE4 Address = 0x00233366 Address = 0x0022AB45 Address = 0x0023C9F0 Address = 0x0022AFC9 Address = 0x0022E4F6 Address = 0x00230B09 Address = 0x00236A0A Address = 0x75BA00F9 KERNEL32!BaseThreadInitThunk+0x19 Address = 0x77B57BBE ntdll!RtlGetAppContainerNamedObjectPath+0x11E Address = 0x77B57B8E ntdll!RtlGetAppContainerNamedObjectPath+0xEE Last chance exception in thread 11164 of process 14052: Description = Integer overflow Code = 0xC0000095 Flags = 0x00000000 (continuable) Address = 0x0023F6C7 Thread 9304 exited from process 14052: Exit code = 0xC0000095 Thread 11164 exited from process 14052: Exit code = 0xC0000095 Process 14052 exited with thread 8732: Exit code = 0xC0000095 Primary thread 11164 of debuggee process 14052 exited with code 0xC0000095 Primary thread times: Real = 3.5438404 s Kernel = 0.0156250 s User = 0.0000000 s Debuggee process 14052 exited with code 0xC0000095 Debuggee process times: Real = 3.5712333 s Kernel = 0.0156250 s User = 0.0000000 s
bigform with embedded application manifest, version information, icon plus time-stamped digital signature, and DEBUGGER.COM, a
smallform without these extras.
Note: due to the design and implementation of Windows’ (classic alias legacy) console, the Win32 function WriteConsole() can only write to a console, not to a file or a pipe, i.e. redirection of standard error or standard output is not supported!
The MSDN article Console Handles provides background information.
Create the text file DEBUGGER.C with the following content in an arbitrary, preferably empty directory:
// Copyright © 2004-2023, Stefan Kanthak <stefan.kanthak@nexgo.de>
// * The software is provided "as is" without any warranty, neither express
// nor implied.
// * In no event will the author be held liable for any damage(s) arising
// from the use of the software.
// * Redistribution of the software is allowed only in unmodified form.
// * Permission is granted to use the software solely for personal private
// and non-commercial purposes.
// * An individuals use of the software in his or her capacity or function
// as an agent, (independent) contractor, employee, member or officer of
// a business, corporation or organization (commercial or non-commercial)
// does not qualify as personal private and non-commercial purpose.
// * Without written approval from the author the software must not be used
// for a business, for commercial, corporate, governmental, military or
// organizational purposes of any kind, or in a commercial, corporate,
// governmental, military or organizational environment of any kind.
#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <shellapi.h>
#define wmemcpy __movsw
#if _MSC_VER < 1500 // MSC 9.0 alias 2008
#include <crt\delayimp.h>
#else
#include <delayimp.h>
#endif
#ifdef SYMBOLS
#ifdef UNICODE
#define DBGHELP_TRANSLATE_TCHAR
#endif
#include <dbghelp.h>
#ifdef DBGHELP_TRANSLATE_TCHAR
#undef IMAGEHLP_CBA_EVENT
#undef SymLoadModuleEx
#endif
#endif // SYMBOLS
// Exception and status codes that ExceptionName() translates to text.
// Every code except DELPHI_RUNTIME_EXCEPTION is wrapped in #ifndef, so a
// definition supplied by the SDK headers takes precedence over the fallback
// value given here.
#define DELPHI_RUNTIME_EXCEPTION 0x0EEDFADEL
// 0x4xxxxxxx: informational codes
#ifndef EXCEPTION_SEGMENT_NOTIFICATION
#define EXCEPTION_SEGMENT_NOTIFICATION 0x40000005L
#endif
#ifndef EXCEPTION_FATAL_APP_EXIT
#define EXCEPTION_FATAL_APP_EXIT 0x40000015L
#endif
#ifndef EXCEPTION_WX86_SINGLE_STEP
#define EXCEPTION_WX86_SINGLE_STEP 0x4000001EL
#endif
#ifndef EXCEPTION_WX86_BREAKPOINT
#define EXCEPTION_WX86_BREAKPOINT 0x4000001FL
#endif
#ifndef DBG_PRINTEXCEPTION_C
#define DBG_PRINTEXCEPTION_C 0x40010006L
#endif
#ifndef DBG_RIPEXCEPTION
#define DBG_RIPEXCEPTION 0x40010007L
#endif
#ifndef DBG_PRINTEXCEPTION_WIDE_C
#define DBG_PRINTEXCEPTION_WIDE_C 0x4001000AL
#endif
// NOTE: despite its name, ExceptionName() reports this code as
// "Assign thread name"; "C++ exception" is EXCEPTION_CPP_EH_EXCEPTION below
#ifndef EXCEPTION_CPP_EXCEPTION
#define EXCEPTION_CPP_EXCEPTION 0x406D1388L
#endif
// 0xCxxxxxxx: error codes
#ifndef EXCEPTION_INVALID_PARAMETER
#define EXCEPTION_INVALID_PARAMETER 0xC000000DL
#endif
#ifndef EXCEPTION_NO_MEMORY
#define EXCEPTION_NO_MEMORY 0xC0000017L
#endif
#ifndef EXCEPTION_ACCESS_DENIED
#define EXCEPTION_ACCESS_DENIED 0xC0000022L
#endif
#ifndef EXCEPTION_OBJECT_NAME_NOT_FOUND
#define EXCEPTION_OBJECT_NAME_NOT_FOUND 0xC0000034L
#endif
#ifndef EXCEPTION_OBJECT_PATH_NOT_FOUND
#define EXCEPTION_OBJECT_PATH_NOT_FOUND 0xC000003AL
#endif
#ifndef EXCEPTION_PROCEDURE_NOT_FOUND
#define EXCEPTION_PROCEDURE_NOT_FOUND 0xC000007AL
#endif
#ifndef EXCEPTION_INSTRUCTION_MISALIGNMENT
#define EXCEPTION_INSTRUCTION_MISALIGNMENT 0xC00000AAL
#endif
#ifndef EXCEPTION_DLL_NOT_FOUND
#define EXCEPTION_DLL_NOT_FOUND 0xC0000135L
#endif
#ifndef EXCEPTION_ORDINAL_NOT_FOUND
#define EXCEPTION_ORDINAL_NOT_FOUND 0xC0000138L
#endif
#ifndef EXCEPTION_ENTRYPOINT_NOT_FOUND
#define EXCEPTION_ENTRYPOINT_NOT_FOUND 0xC0000139L
#endif
#ifndef EXCEPTION_DLL_INIT_FAILED
#define EXCEPTION_DLL_INIT_FAILED 0xC0000142L
#endif
#ifndef EXCEPTION_UNHANDLED_EXCEPTION
#define EXCEPTION_UNHANDLED_EXCEPTION 0xC0000144L
#endif
#ifndef EXCEPTION_ILLEGAL_FLOAT_CONTEXT
#define EXCEPTION_ILLEGAL_FLOAT_CONTEXT 0xC000014AL
#endif
// NOTE(review): ExceptionName() tests EXCEPTION_POSSIBLE_DEADLOCK, which this
// file does not define; presumably the SDK header defines it in terms of this
// STATUS_ name -- confirm against the targeted SDK versions
#ifndef STATUS_POSSIBLE_DEADLOCK
#define STATUS_POSSIBLE_DEADLOCK 0xC0000194L
#endif
#ifndef EXCEPTION_HANDLE_NOT_CLOSABLE
#define EXCEPTION_HANDLE_NOT_CLOSABLE 0xC0000235L
#endif
#ifndef EXCEPTION_FLOAT_MULTIPLE_FAULTS
#define EXCEPTION_FLOAT_MULTIPLE_FAULTS 0xC00002B4L
#endif
#ifndef EXCEPTION_FLOAT_MULTIPLE_TRAPS
#define EXCEPTION_FLOAT_MULTIPLE_TRAPS 0xC00002B5L
#endif
#ifndef EXCEPTION_DATATYPE_MISALIGNMENT_ERROR
#define EXCEPTION_DATATYPE_MISALIGNMENT_ERROR 0xC00002C5L
#endif
#ifndef EXCEPTION_REG_NAT_CONSUMPTION
#define EXCEPTION_REG_NAT_CONSUMPTION 0xC00002C9L
#endif
#ifndef EXCEPTION_INVALID_IMAGE_WIN_32
#define EXCEPTION_INVALID_IMAGE_WIN_32 0xC0000359L
#endif
#ifndef EXCEPTION_INVALID_IMAGE_WIN_64
#define EXCEPTION_INVALID_IMAGE_WIN_64 0xC000035AL
#endif
#ifndef EXCEPTION_HEAP_CORRUPTION
#define EXCEPTION_HEAP_CORRUPTION 0xC0000374L
#endif
#ifndef EXCEPTION_STACK_BUFFER_OVERRUN
#define EXCEPTION_STACK_BUFFER_OVERRUN 0xC0000409L
#endif
#ifndef EXCEPTION_INVALID_CRUNTIME_PARAMETER
#define EXCEPTION_INVALID_CRUNTIME_PARAMETER 0xC0000417L
#endif
#ifndef EXCEPTION_FATAL_USER_CALLBACK_EXCEPTION
#define EXCEPTION_FATAL_USER_CALLBACK_EXCEPTION 0xC000041DL
#endif
#ifndef EXCEPTION_ASSERTION_FAILURE
#define EXCEPTION_ASSERTION_FAILURE 0xC0000420L
#endif
#ifndef EXCEPTION_VERIFIER_STOP
#define EXCEPTION_VERIFIER_STOP 0xC0000421L
#endif
#ifndef EXCEPTION_FAIL_FAST_EXCEPTION
#define EXCEPTION_FAIL_FAST_EXCEPTION 0xC0000602L
#endif
#ifndef EXCEPTION_DISK_QUOTA_EXCEEDED
#define EXCEPTION_DISK_QUOTA_EXCEEDED 0xC0000802L
#endif
// 0xC06Dxxxx: codes that ExceptionName() describes as delay-load failures
#ifndef EXCEPTION_DELAY_LOAD_INVALID_PARAMETER
#define EXCEPTION_DELAY_LOAD_INVALID_PARAMETER 0xC06D0057L
#endif
#ifndef EXCEPTION_DELAY_LOAD_MODULE_NOT_FOUND
#define EXCEPTION_DELAY_LOAD_MODULE_NOT_FOUND 0xC06D007EL
#endif
#ifndef EXCEPTION_DELAY_LOAD_ENTRY_NOT_FOUND
#define EXCEPTION_DELAY_LOAD_ENTRY_NOT_FOUND 0xC06D007FL
#endif
#ifndef EXCEPTION_APPLICATION_HANG
#define EXCEPTION_APPLICATION_HANG 0xCFFFFFFFL
#endif
// 0xExxxxxxx: codes built from 0xE0000000 plus a three-character tag
#ifndef EXCEPTION_CLR_CCR_EXCEPTION
#define EXCEPTION_CLR_CCR_EXCEPTION 0xE0434352L // = 0xE0000000L + 'CCR'
#endif
#ifndef EXCEPTION_CLR_COM_EXCEPTION
#define EXCEPTION_CLR_COM_EXCEPTION 0xE0434F4DL // = 0xE0000000L + 'COM'
#endif
#ifndef EXCEPTION_CLR_SOFT_STACK_OVERFLOW
#define EXCEPTION_CLR_SOFT_STACK_OVERFLOW 0xE053534FL // = 0xE0000000L + 'SSO'
#endif
#ifndef EXCEPTION_SEH_VERIFICATION_EXCEPTION
#define EXCEPTION_SEH_VERIFICATION_EXCEPTION 0xE0564552L // = 0xE0000000L + 'VER'
#endif
#ifndef EXCEPTION_CLR_INTERNAL_ASSERTION
#define EXCEPTION_CLR_INTERNAL_ASSERTION 0xE0584D4EL // = 0xE0000000L + 'XMN'
#endif
#ifndef EXCEPTION_CPP_EH_EXCEPTION
#define EXCEPTION_CPP_EH_EXCEPTION 0xE06D7363L // = 0xE0000000L + 'msc'
#endif
// Layout of the thread-naming request that accompanies exception 0x406D1388
// (the code ExceptionName() reports as "Assign thread name").
// NOTE(review): when the exception record comes from a debuggee, szName is
// presumably an address in the debuggee's address space; it would have to be
// copied with ReadProcessMemory() and length-limited rather than dereferenced
// directly -- confirm at the point of use.
typedef struct _THREADNAME_INFO
{
DWORD dwType; // = 0x00001000UL
LPCSTR szName; // thread name to assign
DWORD dwThreadId; // thread id (~0UL = caller thread)
DWORD dwFlags; // reserved for future use (must be 0UL)
} THREADNAME_INFO;
// Translates the access-type parameter of an access violation or in-page
// error into the verb used in the message ("reading", "writing",
// "executing"); any other value yields the neutral "accessing".
__forceinline
LPCWSTR WINAPI ExceptionAccess(DWORD_PTR dwAccess)
{
    if (dwAccess == EXCEPTION_READ_FAULT)
        return L"reading";

    if (dwAccess == EXCEPTION_WRITE_FAULT)
        return L"writing";

    if (dwAccess == EXCEPTION_EXECUTE_FAULT)
        return L"executing";

    return L"accessing";
}
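// Returns a human-readable description of ExceptionRecord->ExceptionCode.
//
// szBuffer         scratch buffer; written only for the codes whose text
//                  embeds exception parameters (access violation, in-page
//                  error, delay-load failures)
// ExceptionRecord  exception record to describe
//
// Returns szBuffer when a parameterised text was formatted, otherwise a
// pointer to a string literal; codes not listed yield L"<not available>".
//
// NOTE(review): for the delay-load "not found" codes ExceptionInformation[0]
// is cast to DelayLoadInfo * and dereferenced in the calling process. If the
// record was copied from a DEBUG_EVENT, that value is presumably an address
// inside the debuggee and fully chosen by it, so the structure and the strings
// it points to would have to be fetched with ReadProcessMemory() and
// length-limited. That needs a process handle which this function does not
// receive; the checks below only reject records without a parameter or with a
// null one.
LPCWSTR WINAPI ExceptionName(WCHAR szBuffer[1024], EXCEPTION_RECORD *ExceptionRecord)
{
    DelayLoadInfo *lpDelayLoad;

    switch (ExceptionRecord->ExceptionCode)
    {
    case RPC_S_INVALID_BINDING: // 0x000006A6
    case __HRESULT_FROM_WIN32(RPC_S_INVALID_BINDING):
        return L"RPC binding handle invalid";
    case RPC_S_UNKNOWN_IF: // 0x000006B5L
    case __HRESULT_FROM_WIN32(RPC_S_UNKNOWN_IF):
        return L"RPC interface unknown";
    case RPC_S_SERVER_UNAVAILABLE: // 0x000006BA
    case __HRESULT_FROM_WIN32(RPC_S_SERVER_UNAVAILABLE):
        return L"RPC server unavailable";
    case RPC_S_INVALID_BOUND: // 0x000006C6
    case __HRESULT_FROM_WIN32(RPC_S_INVALID_BOUND):
        return L"RPC array bounds invalid";
    case EPT_S_NOT_REGISTERED: // 0x000006D9
    case __HRESULT_FROM_WIN32(EPT_S_NOT_REGISTERED):
        return L"RPC endpoint not registered";
    case RPC_S_CANNOT_SUPPORT: // 0x000006E4
    case __HRESULT_FROM_WIN32(RPC_S_CANNOT_SUPPORT):
        return L"RPC operation not supported";
    case RPC_X_SS_IN_NULL_CONTEXT: // 0x000006EF
    case __HRESULT_FROM_WIN32(RPC_X_SS_IN_NULL_CONTEXT):
        return L"RPC null context handle";
    case RPC_X_BAD_STUB_DATA: // 0x000006F7
    case __HRESULT_FROM_WIN32(RPC_X_BAD_STUB_DATA):
        return L"RPC stub received bad data";
    case DELPHI_RUNTIME_EXCEPTION: // 0x0EEDFADE
        return L"Delphi runtime exception";
    case EXCEPTION_SEGMENT_NOTIFICATION: // 0x40000005
        return L"Segment notification";
    case EXCEPTION_FATAL_APP_EXIT: // 0x40000015
        return L"Fatal application exit";
    case EXCEPTION_WX86_SINGLE_STEP: // 0x4000001E
        return L"WoW64 single-step";
    case EXCEPTION_WX86_BREAKPOINT: // 0x4000001F
        return L"WoW64 breakpoint";
    case DBG_TERMINATE_THREAD: // 0x40010003
        return L"Debugger terminate thread";
    case DBG_TERMINATE_PROCESS: // 0x40010004
        return L"Debugger terminate process";
    case DBG_CONTROL_C: // 0x40010005
        return L"Ctrl-C";
    case DBG_PRINTEXCEPTION_C: // 0x40010006
    case DBG_PRINTEXCEPTION_WIDE_C: // 0x4001000A
        return L"Debugger print exception";
    case DBG_RIPEXCEPTION: // 0x40010007
        return L"Debugger RIP exception";
    case DBG_CONTROL_BREAK: // 0x40010008
        return L"Ctrl-Break";
    case DBG_COMMAND_EXCEPTION: // 0x40010009
        return L"Debugger command";
    case EXCEPTION_CPP_EXCEPTION: // 0x406D1388
        return L"Assign thread name";
    case EXCEPTION_GUARD_PAGE: // 0x80000001
        return L"Guard page access";
    case EXCEPTION_DATATYPE_MISALIGNMENT: // 0x80000002
        return L"Data misalignment";
    case EXCEPTION_BREAKPOINT: // 0x80000003
        return L"Breakpoint";
    case EXCEPTION_SINGLE_STEP: // 0x80000004
        return L"Single-step";
    case EXCEPTION_ACCESS_VIOLATION: // 0xC0000005
        // access type and address are printed only if the record really
        // carries them; the code itself can be raised without parameters
        if ((ExceptionRecord->NumberParameters >= 2)
         && (wsprintf(szBuffer,
                      L"Access violation %ls 0x%p",
                      ExceptionAccess(ExceptionRecord->ExceptionInformation[0]),
                      ExceptionRecord->ExceptionInformation[1]) > 0))
            return szBuffer;
        return L"Access violation";
    case EXCEPTION_IN_PAGE_ERROR: // 0xC0000006
        // third parameter is printed as the status behind the in-page error
        if ((ExceptionRecord->NumberParameters >= 3)
         && (wsprintf(szBuffer,
#ifdef _WIN64
                      L"In-page error %ls 0x%p (0x%016I64X)",
#else
                      L"In-page error %ls 0x%p (0x%08lX)",
#endif
                      ExceptionAccess(ExceptionRecord->ExceptionInformation[0]),
                      ExceptionRecord->ExceptionInformation[1],
                      ExceptionRecord->ExceptionInformation[2]) > 0))
            return szBuffer;
        return L"In-page error";
    case EXCEPTION_INVALID_HANDLE: // 0xC0000008
        return L"Invalid handle";
    case EXCEPTION_INVALID_PARAMETER: // 0xC000000D
        return L"Invalid parameter";
    case EXCEPTION_NO_MEMORY: // 0xC0000017
        return L"Not enough quota (no virtual memory)";
    case EXCEPTION_ILLEGAL_INSTRUCTION: // 0xC000001D
        return L"Illegal instruction";
    case EXCEPTION_ACCESS_DENIED: // 0xC0000022
        return L"Access denied";
    case EXCEPTION_NONCONTINUABLE_EXCEPTION: // 0xC0000025
        return L"Non-continuable";
    case EXCEPTION_INVALID_DISPOSITION: // 0xC0000026
        return L"Invalid disposition";
    case EXCEPTION_OBJECT_NAME_NOT_FOUND: // 0xC0000034
        return L"Object name not found";
    case EXCEPTION_OBJECT_PATH_NOT_FOUND: // 0xC000003A
        return L"Object path not found";
    case EXCEPTION_PROCEDURE_NOT_FOUND: // 0xC000007A
        return L"Procedure not found";
    case EXCEPTION_ARRAY_BOUNDS_EXCEEDED: // 0xC000008C
        return L"Array bounds exceeded";
    case EXCEPTION_FLT_DENORMAL_OPERAND: // 0xC000008D
        return L"Denormal floating-point operand";
    case EXCEPTION_FLT_DIVIDE_BY_ZERO: // 0xC000008E
        return L"Floating-point divide-by-zero";
    case EXCEPTION_FLT_INEXACT_RESULT: // 0xC000008F
        return L"Inexact floating-point result";
    case EXCEPTION_FLT_INVALID_OPERATION: // 0xC0000090
        return L"Invalid floating-point operation";
    case EXCEPTION_FLT_OVERFLOW: // 0xC0000091
        return L"Floating-point overflow";
    case EXCEPTION_FLT_STACK_CHECK: // 0xC0000092
        return L"Floating-point stack check";
    case EXCEPTION_FLT_UNDERFLOW: // 0xC0000093
        return L"Floating-point underflow";
    case EXCEPTION_INT_DIVIDE_BY_ZERO: // 0xC0000094
        return L"Integer divide-by-zero";
    case EXCEPTION_INT_OVERFLOW: // 0xC0000095
        return L"Integer overflow";
    case EXCEPTION_PRIV_INSTRUCTION: // 0xC0000096
        return L"Privileged instruction";
    case EXCEPTION_INSTRUCTION_MISALIGNMENT: // 0xC00000AA
        return L"Instruction misalignment";
    case EXCEPTION_STACK_OVERFLOW: // 0xC00000FD
        return L"Stack overflow";
    case EXCEPTION_DLL_NOT_FOUND: // 0xC0000135
        return L"DLL not found";
    case EXCEPTION_ORDINAL_NOT_FOUND: // 0xC0000138
        return L"Ordinal not found";
    case EXCEPTION_ENTRYPOINT_NOT_FOUND: // 0xC0000139
        return L"Entrypoint not found";
    case CONTROL_C_EXIT: // 0xC000013A
        return L"Ctrl-C";
    case EXCEPTION_DLL_INIT_FAILED: // 0xC0000142
        return L"DLL initialisation failed";
    case EXCEPTION_UNHANDLED_EXCEPTION: // 0xC0000144
        return L"Unhandled exception";
    case EXCEPTION_ILLEGAL_FLOAT_CONTEXT: // 0xC000014A
        return L"No floating-point hardware";
    case EXCEPTION_POSSIBLE_DEADLOCK: // 0xC0000194
        return L"Possible deadlock";
    case EXCEPTION_HANDLE_NOT_CLOSABLE: // 0xC0000235
        return L"Close protected handle";
    case EXCEPTION_FLOAT_MULTIPLE_FAULTS: // 0xC00002B4
        return L"Multiple floating-point faults";
    case EXCEPTION_FLOAT_MULTIPLE_TRAPS: // 0xC00002B5
        return L"Multiple floating-point traps";
    case EXCEPTION_DATATYPE_MISALIGNMENT_ERROR: // 0xC00002C5
        return L"Alignment error";
    case EXCEPTION_REG_NAT_CONSUMPTION: // 0xC00002C9
        return L"Register NaT consumption fault";
    case EXCEPTION_INVALID_IMAGE_WIN_32: // 0xC0000359
        return L"32-bit image in 64-bit process";
    case EXCEPTION_INVALID_IMAGE_WIN_64: // 0xC000035A
        return L"64-bit image in 32-bit process";
    case EXCEPTION_HEAP_CORRUPTION: // 0xC0000374
        return L"Heap corruption";
    case EXCEPTION_STACK_BUFFER_OVERRUN: // 0xC0000409
        return L"Buffer overrun on stack (stack corruption)";
    case EXCEPTION_INVALID_CRUNTIME_PARAMETER: // 0xC0000417
        return L"C runtime exception (invalid parameter)";
    case EXCEPTION_FATAL_USER_CALLBACK_EXCEPTION: // 0xC000041D
        return L"Unhandled exception during user callback";
    case EXCEPTION_ASSERTION_FAILURE: // 0xC0000420
        return L"Assertion failed";
    case EXCEPTION_VERIFIER_STOP: // 0xC0000421
        return L"Application verifier stop";
    case EXCEPTION_FAIL_FAST_EXCEPTION: // 0xC0000602
        return L"Fail-fast exception";
    case EXCEPTION_DISK_QUOTA_EXCEEDED: // 0xC0000802
        return L"Disk quota exceeded";
    case EXCEPTION_DELAY_LOAD_INVALID_PARAMETER: // 0xC06D0057
        return L"Delay-load exception (invalid parameter)";
    case EXCEPTION_DELAY_LOAD_MODULE_NOT_FOUND: // 0xC06D007E
#ifdef DELAYLOADINFO
        lpDelayLoad = (ExceptionRecord->NumberParameters > 0)
                    ? (DelayLoadInfo *) (ExceptionRecord->ExceptionInformation[0])
                    : NULL;
        if ((lpDelayLoad != NULL)
         && (wsprintf(szBuffer,
                      L"Delay-load exception (module %hs not found; 0x%08lX)",
                      lpDelayLoad->szDll,
                      lpDelayLoad->dwLastError) > 0))
            return szBuffer;
#endif
        // always return here: a failed wsprintf() must not fall through into
        // the "entry not found" case below
        return L"Delay-load exception (module not found)";
    case EXCEPTION_DELAY_LOAD_ENTRY_NOT_FOUND: // 0xC06D007F
        lpDelayLoad = (ExceptionRecord->NumberParameters > 0)
                    ? (DelayLoadInfo *) (ExceptionRecord->ExceptionInformation[0])
                    : NULL;
        // without a parameter there is nothing to tell name and ordinal apart
        if (lpDelayLoad == NULL)
            return L"Delay-load exception (entry not found)";
        if (lpDelayLoad->dlp.fImportByName)
        {
#ifdef DELAYLOADINFO
            if (wsprintf(szBuffer,
                         L"Delay-load exception (entry %hs not found in module %hs; 0x%08lX)",
                         lpDelayLoad->dlp.szProcName,
                         lpDelayLoad->szDll,
                         lpDelayLoad->dwLastError) > 0)
                return szBuffer;
#endif
            return L"Delay-load exception (entry not found)";
        }
#ifdef DELAYLOADINFO
        if (wsprintf(szBuffer,
                     L"Delay-load exception (ordinal %lu not found in module %hs; 0x%08lX)",
                     lpDelayLoad->dlp.dwOrdinal,
                     lpDelayLoad->szDll,
                     lpDelayLoad->dwLastError) > 0)
            return szBuffer;
#endif
        return L"Delay-load exception (ordinal not found)";
    case EXCEPTION_APPLICATION_HANG: // 0xCFFFFFFF
        return L"Application hang";
    case EXCEPTION_CLR_CCR_EXCEPTION: // 0xE0434352 = 0xE0000000 + 'CCR'
    case EXCEPTION_CLR_COM_EXCEPTION: // 0xE0434F4D = 0xE0000000 + 'COM'
    case EXCEPTION_CLR_SOFT_STACK_OVERFLOW: // 0xE053534F = 0xE0000000 + 'SSO'
    case EXCEPTION_CLR_INTERNAL_ASSERTION: // 0xE0584D4E = 0xE0000000 + 'XMN'
        return L".NET CLR exception";
    case EXCEPTION_SEH_VERIFICATION_EXCEPTION: // 0xE0564552 = 0xE0000000 + 'VER'
        return L"SEH verification exception";
    case EXCEPTION_CPP_EH_EXCEPTION: // 0xE06D7363 = 0xE0000000 + 'msc'
        return L"C++ exception";
    default:
        return L"<not available>";
    }
}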
#ifdef SYMBOLS
// SYMBOL_INFO followed by the storage for the symbol name: room for
// MAX_SYM_NAME characters plus a "+0x<16 hex digits>" displacement suffix,
// which NameLookup() formats in place behind si.Name.
// NOTE(review): NameLookup() also writes in front of si.Name (module name,
// '!' and tab), i.e. into the other members of si -- the structure must be
// treated as scratch space after each lookup.
typedef struct _siplus
{
SYMBOL_INFO si;
WCHAR name[MAX_SYM_NAME + sizeof("+0x0123456789ABCDEF")];
} SYMBOL_INFO_PLUS;
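// Builds the text shown behind an address: a tab followed by
// "module!symbol+0xdisplacement", or as much of it as can be resolved.
//
// hProcess    process handle previously passed to SymInitialize()
// ullAddress  address to resolve
// mi          module information buffer; overwritten and used as scratch space
// siplus      symbol information buffer; overwritten and used as scratch space
//
// Returns L"" if neither symbol nor module is known, otherwise a pointer INTO
// *mi or *siplus, valid until the next call with the same buffers:
//   "\tmodule[+0xoffset]"   no symbol, offset relative to the module base
//   "\tsymbol[+0xdisp]"     symbol known, module unknown
//   "\tmodule!symbol[+0xdisp]"
//
// The result is assembled in place: the tab, the '!' and the module name are
// written in front of ModuleName respectively si.Name and therefore overwrite
// the structure members that precede these arrays.
LPCWSTR WINAPI NameLookup(HANDLE hProcess,
                          DWORD64 ullAddress,
                          IMAGEHLP_MODULE64 *mi,
                          SYMBOL_INFO_PLUS *siplus)
{
    DWORD64 ullDisplacement;
    SIZE_T usModule;
    SIZE_T usSymbol;
    LPWSTR lpModule;

    // Re-arm the input members on every call: the in-place writes at the end
    // of a previous lookup land in the bytes directly in front of si.Name,
    // which in the dbghelp.h layout is MaxNameLen. Without this, SymFromAddr()
    // could be told that the name buffer is far larger than it really is.
    siplus->si.SizeOfStruct = sizeof(siplus->si);
    siplus->si.MaxNameLen = MAX_SYM_NAME;

    if (!SymFromAddr(hProcess,
                     ullAddress,
                     &ullDisplacement,
                     &siplus->si))
    {
        // no symbol: fall back to "module+offset"
        if (!SymGetModuleInfo64(hProcess,
                                ullAddress,
                                mi))
            return L"";

        // terminate at the LAST ELEMENT; sizeof() alone is a byte count and
        // indexes past the end of the array
        mi->ModuleName[sizeof(mi->ModuleName) / sizeof(*mi->ModuleName) - 1] = L'\0';
        usModule = wcslen(mi->ModuleName);
        if (usModule == 0)
            return L"";

        mi->ModuleName[-1] = L'\t';
        ullDisplacement = ullAddress - mi->BaseOfImage;
        // NOTE(review): for a long module name the suffix runs past ModuleName
        // into the member that follows it; this relies on the structure
        // layout -- confirm there is always room for 20 more characters
        if (ullDisplacement != 0)
            wsprintf(mi->ModuleName + usModule,
                     L"+0x%I64X",
                     ullDisplacement);
        return mi->ModuleName - 1;
    }

    // defensive: keep the suffix inside the storage reserved by
    // SYMBOL_INFO_PLUS should NameLen ever report more than was stored
    usSymbol = siplus->si.NameLen;
    if (usSymbol >= MAX_SYM_NAME)
        usSymbol = MAX_SYM_NAME - 1;

    if (ullDisplacement == 0)
        siplus->si.Name[usSymbol] = L'\0';
    else
        wsprintf(siplus->si.Name + usSymbol,
                 L"+0x%I64X",
                 ullDisplacement);

    if (!SymGetModuleInfo64(hProcess,
                            ullAddress,
                            mi))
    {
        // symbol without module
        siplus->si.Name[-1] = L'\t';
        return siplus->si.Name - 1;
    }

    mi->ModuleName[sizeof(mi->ModuleName) / sizeof(*mi->ModuleName) - 1] = L'\0';
    if (ullDisplacement == ~0ULL)
    {
        // displacement of all ones: show the module name only
        mi->ModuleName[-1] = L'\t';
        return mi->ModuleName - 1;
    }

    // prepend "\tmodule!" directly in front of the symbol name
    usModule = wcslen(mi->ModuleName);
    lpModule = siplus->si.Name - 1 - usModule;
    wmemcpy(lpModule, mi->ModuleName, usModule);
    siplus->si.Name[-1] = L'!';
    lpModule[-1] = L'\t';
    return lpModule - 1;
}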
#ifdef VERBOSE
// Returns the text to display for a DbgHelp callback notification.
//
// ActionCode    CBA_* code received by the registered callback
// CallbackData  data received with it; read only for the codes that carry
//               their own text
//
// For CBA_EVENT (and CBA_SRCSRV_EVENT where defined) the text is the desc
// member of the IMAGEHLP_CBA_EVENT structure, for CBA_DEBUG_INFO (and
// CBA_SRCSRV_INFO where defined) CallbackData itself is returned as string;
// all other codes map to a fixed message.
LPCSTR WINAPI CallbackAction(DWORD ActionCode,
                             LPVOID CallbackData)
{
    // notifications that bring their own text
    switch (ActionCode)
    {
    case CBA_EVENT:
#ifdef CBA_SRCSRV_EVENT
    case CBA_SRCSRV_EVENT:
#endif // CBA_SRCSRV_EVENT
        return ((IMAGEHLP_CBA_EVENT *) CallbackData)->desc;

    case CBA_DEBUG_INFO:
#ifdef CBA_SRCSRV_INFO
    case CBA_SRCSRV_INFO:
#endif // CBA_SRCSRV_INFO
        return (LPCSTR) CallbackData;

    default:
        break;
    }

    // notifications described by a fixed message
    switch (ActionCode)
    {
    case CBA_DEFERRED_SYMBOL_LOAD_START:
        return "DbgHelp: Deferred symbol load has started\n";

    case CBA_DEFERRED_SYMBOL_LOAD_COMPLETE:
        return "DbgHelp: Deferred symbol load has completed\n";

    case CBA_DEFERRED_SYMBOL_LOAD_FAILURE:
        return "DbgHelp: Deferred symbol load has failed\n";

    case CBA_DEFERRED_SYMBOL_LOAD_PARTIAL:
        return "DbgHelp: Deferred symbol load has partially completed; "
               "the symbol loader is unable to read the image header "
               "from either the image file or the specified module\n";

    case CBA_DEFERRED_SYMBOL_LOAD_CANCEL:
        return "DbgHelp: Deferred symbol loading has started\n";

    case CBA_SYMBOLS_UNLOADED:
        return "DbgHelp: Symbols have been unloaded\n";

    case CBA_DUPLICATE_SYMBOL:
        return "DbgHelp: Duplicate symbols were found\n";

    case CBA_READ_MEMORY:
        return "DbgHelp: The loaded image has been read\n";

    case CBA_SET_OPTIONS:
        return "DbgHelp: Symbol options have been updated\n";

    default:
        return "DbgHelp: Unknown action code\n";
    }
}
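// Callback registered with DbgHelp: writes the text for the notification to
// the console whose handle was registered as user context.
//
// hProcess      process the notification belongs to (not used)
// ActionCode    CBA_* notification code
// CallbackData  data accompanying the notification, see CallbackAction()
// UserContext   console handle supplied at registration
//
// Returns TRUE for CBA_EVENT and CBA_DEBUG_INFO, FALSE for every other code.
#ifdef _WIN64
BOOL WINAPI SymRegisterCallbackProc(HANDLE hProcess,
                                    ULONG ActionCode,
                                    ULONG64 CallbackData,
                                    ULONG64 UserContext)
#else
BOOL WINAPI SymRegisterCallbackProc(HANDLE hProcess,
                                    ULONG ActionCode,
                                    LPVOID CallbackData,
                                    LPVOID UserContext)
#endif
{
    // explicit cast: in the 64-bit variant CallbackData is an integer
    LPCSTR lpString = CallbackAction(ActionCode, (LPVOID) CallbackData);
    DWORD dwString;

    // the text can come straight from the callback data; a null pointer there
    // must not reach strlen()
    if (lpString != NULL)
    {
        dwString = (DWORD) strlen(lpString);
        // best effort: a failed console write is deliberately not reported
        WriteConsoleA((HANDLE) UserContext, lpString, dwString, &dwString, NULL);
    }

    return (ActionCode == CBA_EVENT)
         | (ActionCode == CBA_DEBUG_INFO);
}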
#endif // VERBOSE
#endif // SYMBOLS
// Formats a message printf-style and writes it to the console hConsole.
//
// hConsole  console handle to write to
// lpFormat  format string followed by its arguments
//
// Returns TRUE only if the formatted text is not empty and was written
// completely, FALSE otherwise.
//
// lpFormat is interpreted as a format string: text obtained from a debuggee,
// a file or the command line belongs into the argument list (%ls, %hs), never
// into lpFormat itself.
// NOTE(review): the 1024 element buffer is meant to match the output limit
// documented for wvsprintf() -- confirm that the limit is counted in
// characters for the wide-character variant.
__declspec(safebuffers)
BOOL PrintConsole(HANDLE hConsole, [SA_FormatString(Style="printf")] LPCWSTR lpFormat, ...)
{
    WCHAR szText[1024];
    DWORD dwText;
    DWORD dwWritten;
    va_list vaArguments;

    va_start(vaArguments, lpFormat);
    dwText = wvsprintf(szText, lpFormat, vaArguments);
    va_end(vaArguments);

    // nothing was formatted, or the console rejected the write
    if ((dwText == 0)
     || !WriteConsole(hConsole, szText, dwText, &dwWritten, NULL))
        return FALSE;

    return dwWritten == dwText;
}
#if _WIN32_WINNT < 0x0600
__declspec(dllimport)
DWORD WINAPI GetMappedFileNameA(HANDLE hProcess,
LPVOID lpv,
LPSTR lpFileName,
DWORD dwSize);
__declspec(dllimport)
DWORD WINAPI GetMappedFileNameW(HANDLE hProcess,
LPVOID lpv,
LPWSTR lpFileName,
DWORD dwSize);
#ifndef UNICODE
#define GetMappedFileName GetMappedFileNameA
#else
#define GetMappedFileName GetMappedFileNameW
#endif
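// Determines the DOS path name ("X:\...") of the file open on hFile.
//
// The first byte of the file is mapped into the calling process,
// GetMappedFileName() yields its native "\Device\...\file" name, and the
// device prefix is then matched against the device name of every logical
// drive letter and replaced in place by "X:".
//
// hConsole    console handle for error messages
// hFile       handle of the file to identify
// szFileName  buffer of MAX_PATH characters; receives the native name and is
//             modified in place
//
// Returns a pointer into szFileName at the start of the "X:\..." name, or
// NULL if any step failed or no drive letter matched.
LPCWSTR WINAPI GetFileNameFromHandle(HANDLE hConsole,
                                     HANDLE hFile,
                                     WCHAR szFileName[MAX_PATH])
{
    DWORD dwFileName;
    // must start as NULL: it is the loop's "not found yet" marker and the
    // value returned on every failure path
    LPCWSTR lpFileName = NULL;
    DWORD dwDeviceName;
    WCHAR szDeviceName[MAX_PATH];
    WCHAR szDrive[] = L"@:";
    WCHAR szBuffer[26 * sizeof("@:\\") + 1];
    DWORD dwBuffer;
    LPCWSTR lpBuffer = szBuffer;
    LPVOID lpMapping;
    HANDLE hMapping;

    hMapping = CreateFileMapping(hFile,
                                 (LPSECURITY_ATTRIBUTES) NULL,
                                 PAGE_READONLY,
                                 0, 1,
                                 (LPCWSTR) NULL);
    if (hMapping == NULL)
        PrintConsole(hConsole,
                     L"CreateFileMapping() returned error %lu\n",
                     GetLastError());
    else
    {
        lpMapping = MapViewOfFile(hMapping,
                                  FILE_MAP_READ,
                                  0, 0,
                                  (SIZE_T) 1);
        if (lpMapping == NULL)
            PrintConsole(hConsole,
                         L"MapViewOfFile() returned error %lu\n",
                         GetLastError());
        else
        {
            dwFileName = GetMappedFileName(GetCurrentProcess(),
                                           lpMapping,
                                           szFileName,
                                           MAX_PATH);
            if (dwFileName == 0)
                PrintConsole(hConsole,
                             L"GetMappedFileName() returned error %lu\n",
                             GetLastError());
            else
            {
                dwBuffer = GetLogicalDriveStrings(sizeof(szBuffer) / sizeof(*szBuffer) - 1,
                                                  szBuffer);
                if (dwBuffer == 0)
                    PrintConsole(hConsole,
                                 L"GetLogicalDriveStrings() returned error %lu\n",
                                 GetLastError());
                else if (dwBuffer >= sizeof(szBuffer) / sizeof(*szBuffer))
                    PrintConsole(hConsole,
                                 L"Buffer to small!\n");
                else
                    do
                    {
                        // szBuffer holds "A:\", "B:\", ... back to back
                        szDrive[0] = lpBuffer[0];
                        if (QueryDosDevice(szDrive,
                                           szDeviceName,
                                           sizeof(szDeviceName) / sizeof(*szDeviceName)) == 0)
                            PrintConsole(hConsole,
                                         L"QueryDosDevice() returned error %lu\n",
                                         GetLastError());
                        else
                        {
                            dwDeviceName = (DWORD) wcslen(szDeviceName);
                            if (dwDeviceName >= MAX_PATH)
                                PrintConsole(hConsole,
                                             L"Length %lu of device name \'%ls\' exceeds MAX_PATH!\n",
                                             dwDeviceName, szDeviceName);
                            // only look inside the part of szFileName that was
                            // really filled, and leave room for the two
                            // characters written in front of the backslash
                            else if ((dwDeviceName >= 2)
                                  && (dwDeviceName < dwFileName)
                                  && (szFileName[dwDeviceName] == L'\\'))
                            {
                                // cut the name temporarily behind the device
                                // prefix to compare just that prefix
                                szFileName[dwDeviceName] = L'\0';
                                if (wcscmp(szFileName, szDeviceName) == 0)
                                {
                                    // overwrite the end of the prefix with "X:\"
                                    szFileName[dwDeviceName--] = L'\\';
                                    szFileName[dwDeviceName--] = L':';
                                    szFileName[dwDeviceName] = szDrive[0];
                                    lpFileName = szFileName + dwDeviceName;
                                }
                                else
                                    szFileName[dwDeviceName] = L'\\';
                            }
                        }

                        // advance to the next drive string
                        while (*lpBuffer++ != L'\0')
                            continue;
                    } while ((lpFileName == NULL) && (*lpBuffer != L'\0'));
            }

            if (!UnmapViewOfFile(lpMapping))
                PrintConsole(hConsole,
                             L"UnmapViewOfFile() returned error %lu\n",
                             GetLastError());
        }

        if (!CloseHandle(hMapping))
            PrintConsole(hConsole,
                         L"CloseHandle() returned error %lu\n",
                         GetLastError());
    }

    return lpFileName;
}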
#endif // _WIN32_WINNT
// Text for the binary type reported by GetBinaryType(); wmainCRTStartup()
// indexes this table directly with the reported value.
// NOTE(review): the index is not range-checked at the point of use, so this
// relies on GetBinaryType() never reporting a value above 6 -- confirm.
const LPCWSTR szBinaryType[7] = {L"32-bit Windows",
L"MS-DOS",
L"16-bit Windows",
L".PIF for MS-DOS",
L"POSIX",
L"16-bit OS/2",
L"64-bit Windows"};
#ifdef VERBOSE
// Labels for the directory types queried with SymGetHomeDirectory(), in the
// order of the type values 0 to 2.
const LPCWSTR szDirectories[3] = {L"Home ", // hdBase
L"Symbols", // hdSym
L"Sources"}; // hdSrc
// Day names, Sunday first; presumably indexed by SYSTEMTIME.wDayOfWeek --
// confirm at the point of use.
const LPCWSTR szDayOfWeek[7] = {L"Sunday",
L"Monday",
L"Tuesday",
L"Wednesday",
L"Thursday",
L"Friday",
L"Saturday"};
#endif
// Labels for time values; entry 0 is NULL. Presumably used for the real,
// kernel and user times printed when a thread or process exits -- confirm.
const LPCWSTR szTimes[4] = {NULL,
L"Real ",
L"Kernel",
L"User "};
// Startup information passed to CreateProcess(): only the structure size is
// set, all other members are zero.
const STARTUPINFO si = {sizeof(si)};
#ifdef _M_IX86
// Divides the 64-bit value dwHigh:dwLow by 10000000 with a single 32-bit DIV
// instruction and returns quotient and remainder; with a value counted in
// 100 ns units (presumably a FILETIME, as the name suggests) these are whole
// seconds and the remaining 100 ns units.
//
// dwLow   low 32 bits of the value
// dwHigh  high 32 bits of the value
//
// The function has no return statement: the result is whatever the inline
// assembly leaves in EAX (quotient) and EDX (remainder), which relies on the
// compiler returning this 8 byte structure in that register pair.
// NOTE(review): DIV raises a divide exception when the quotient does not fit
// into 32 bits, i.e. when dwHigh >= 10000000; callers must stay below that.
__forceinline
struct
{
DWORD dwQuotient, dwRemainder;
} WINAPI SplitFileTime(DWORD dwLow, DWORD dwHigh)
{
__asm // returns quotient in eax and remainder in edx
{
mov eax, dwLow
mov edx, dwHigh
mov ecx, 10000000 // divisor
div ecx // edx:eax / ecx
}
}
#endif
__declspec(noreturn)
VOID WINAPI wmainCRTStartup(VOID)
{
#ifdef _WIN64
BOOL bWow64 = FALSE;
WOW64_CONTEXT wow64_context;
#endif
CONTEXT context;
PEXCEPTION_RECORD lpExceptionRecord;
PROCESS_INFORMATION pi;
ULARGE_INTEGER uli[4];
DEBUG_EVENT de;
#ifdef SYMBOLS
LPAPI_VERSION lpApiVersion = ImagehlpApiVersion();
#ifdef VERBOSE // DBGHELP >= 6.1
DWORD dwDirectory;
LPWSTR lpDirectory;
WCHAR szDirectory[MAX_PATH];
SYSTEMTIME st;
DWORD64 ull;
#endif // VERBOSE
DWORD64 ullBaseOfModule;
IMAGEHLP_MODULE64 mi;
SYMBOL_INFO_PLUS siplus;
STACKFRAME64 sf;
#endif // SYMBOLS
LPWSTR *lpArguments;
INT nArguments;
WCHAR szBuffer[1024];
WCHAR szImageName[MAX_PATH];
DWORD dwImageName = MAX_PATH;
LPBYTE lpImageName;
LPBYTE lpString;
DWORD dwString;
DWORD dwError = ERROR_BAD_ARGUMENTS;
DWORD dwBinaryType;
DWORD dwVersion;
DWORD dwParameter;
DWORD dwThread;
DWORD dwProcess;
HANDLE hProcess;
HANDLE hThread;
HANDLE hConsole = GetStdHandle(STD_ERROR_HANDLE);
if (hConsole == INVALID_HANDLE_VALUE)
dwError = GetLastError();
else
{
lpArguments = CommandLineToArgvW(GetCommandLine(), &nArguments);
if (lpArguments == NULL)
PrintConsole(hConsole,
L"CommandLineToArgv() returned error %lu\n",
dwError = GetLastError());
else
{
if ((nArguments < 2)
|| (*lpArguments[1] == L'\0')
|| (nArguments > 3))
PrintConsole(hConsole,
L"Bad arguments: either a (properly quoted) command line\n"
L" or the (absolute or relative) path name of an application\n"
L" followed by a (properly quoted) command line must be given!\n");
else
{
PrintConsole(hConsole,
L"Command line: \'%ls\'\n"
L"Application name: \'%ls\'\n",
lpArguments[nArguments - 1],
lpArguments[4 - nArguments]);
if (nArguments == 3)
if (!GetBinaryType(lpArguments[1], &dwBinaryType))
PrintConsole(hConsole,
L"GetBinaryType() returned error %lu\n",
dwError = GetLastError());
else
PrintConsole(hConsole,
L"Application type: %lu = %ls\n",
dwBinaryType, szBinaryType[dwBinaryType]);
#ifdef SYMBOLS
PrintConsole(hConsole,
L"\n"
L"DbgHelp API:\n"
L"\tVersion = %hu.%hu\n"
L"\tRevision = %hu\n"
L"\tReserved = %hu\n",
lpApiVersion->MajorVersion, lpApiVersion->MinorVersion,
lpApiVersion->Revision,
lpApiVersion->Reserved);
#ifdef VERBOSE // DBGHELP >= 6.1
PrintConsole(hConsole,
L"DbgHelp Directories:\n");
for (dwDirectory = 0; dwDirectory < sizeof(szDirectories) / sizeof(*szDirectories); dwDirectory++)
{
lpDirectory = SymGetHomeDirectory(dwDirectory,
szDirectory,
sizeof(szDirectory));
if (lpDirectory == NULL)
PrintConsole(hConsole,
L"SymGetHomeDirectory() returned error %lu\n",
dwError = GetLastError());
else
PrintConsole(hConsole,
L"\t%ls = %ls\n",
szDirectories[dwDirectory], lpDirectory);
}
#endif // VERBOSE
SymSetOptions(SymGetOptions() | SYMOPT_DEBUG | SYMOPT_INCLUDE_32BIT_MODULES);
#endif // SYMBOLS
if (!CreateProcess(lpArguments[4 - nArguments],
lpArguments[nArguments - 1],
(SECURITY_ATTRIBUTES *) NULL,
(SECURITY_ATTRIBUTES *) NULL,
FALSE,
CREATE_DEFAULT_ERROR_MODE | CREATE_NEW_CONSOLE | CREATE_UNICODE_ENVIRONMENT | DEBUG_ONLY_THIS_PROCESS | NORMAL_PRIORITY_CLASS,
#if 1
NULL, // current environment block
#elif 1
L"", // empty environment block
#else
L"__COMPAT_LAYER=RunAsInvoker\0_NO_DEBUG_HEAP=1\0DBGENG_NO_DEBUG_PRIVILEGE=1\0TMP=NUL:\0",
#endif
(LPCWSTR) NULL,
&si,
&pi))
PrintConsole(hConsole,
L"CreateProcess() returned error %lu\n",
dwError = GetLastError());
else
{
dwError = ERROR_SUCCESS;
#if _WIN32_WINNT >= 0x0600
if (!QueryFullProcessImageName(pi.hProcess,
0,
szImageName,
&dwImageName))
PrintConsole(hConsole,
L"QueryFullProcessImageName() returned error %lu\n",
dwError = GetLastError());
else
PrintConsole(hConsole,
L"Debuggee process loaded from image file \'%ls\'\n",
szImageName);
#endif
dwVersion = GetProcessVersion(pi.dwProcessId);
if (dwVersion == 0)
PrintConsole(hConsole,
L"GetProcessVersion() returned error %lu\n",
dwError = GetLastError());
else
PrintConsole(hConsole,
L"Debuggee process version is %hu.%hu\n",
HIWORD(dwVersion), LOWORD(dwVersion));
PrintConsole(hConsole,
L"\n"
L"Debuggee process %lu with primary thread %lu created\n",
pi.dwProcessId, pi.dwThreadId);
if (!DebugSetProcessKillOnExit(FALSE))
PrintConsole(hConsole,
L"DebugSetProcessKillOnExit() returned error %lu\n",
dwError = GetLastError());
#ifdef SYMBOLS
mi.SizeOfStruct = sizeof(mi);
siplus.si.SizeOfStruct = sizeof(siplus.si);
siplus.si.MaxNameLen = MAX_SYM_NAME;
// siplus.si.Name[0] = L'\0';
#endif
context.ContextFlags = CONTEXT_CONTROL;
#ifdef _WIN64
wow64_context.ContextFlags = WOW64_CONTEXT_CONTROL;
#endif
do
{
if (!WaitForDebugEvent(&de, INFINITE))
{
PrintConsole(hConsole,
L"WaitForDebugEvent() returned error %lu\n",
dwError = GetLastError());
break;
}
switch (de.dwDebugEventCode)
{
case CREATE_PROCESS_DEBUG_EVENT:
PrintConsole(hConsole,
L"\n"
L"Process %lu created with primary thread %lu:\n",
de.dwProcessId, de.dwThreadId);
hProcess = de.u.CreateProcessInfo.hProcess;
if (de.u.CreateProcessInfo.hProcess != NULL)
{
#ifdef _WIN64
if (!IsWow64Process(de.u.CreateProcessInfo.hProcess, &bWow64))
PrintConsole(hConsole,
L"IsWow64Process() returned error %lu\n",
dwError = GetLastError());
#endif
#ifdef SYMBOLS
// NOTE: on Windows 7, SymInitialize() abuses HRESULT as error code!
if (!SymInitialize(de.u.CreateProcessInfo.hProcess,
(LPCWSTR) NULL, // evaluate _NT_SYMBOL_PATH environment variable
FALSE))
{
dwError = GetLastError();
if (dwError > 65535)
PrintConsole(hConsole,
L"SymInitialize() returned error 0x%08lX\n",
dwError);
else
PrintConsole(hConsole,
L"SymInitialize() returned error %lu\n",
dwError);
}
else
{
#ifdef VERBOSE
if (!SymRegisterCallback(de.u.CreateProcessInfo.hProcess,
SymRegisterCallbackProc,
hConsole))
PrintConsole(hConsole,
L"SymRegisterCallback() returned error %lu\n",
dwError = GetLastError());
#endif
#if 0
if (!SymSetSearchPath(de.u.CreateProcessInfo.hProcess,
L".;SRV**https://msdl.microsoft.com/download/symbols"))
PrintConsole(hConsole,
L"SymSetSearchPath() returned error %lu\n",
dwError = GetLastError());
#else
if (!SymGetSearchPath(de.u.CreateProcessInfo.hProcess,
szBuffer,
sizeof(szBuffer) / sizeof(*szBuffer)))
PrintConsole(hConsole,
L"SymGetSearchPath() returned error %lu\n",
dwError = GetLastError());
else
PrintConsole(hConsole,
L"Symbol search path: %ls\n",
szBuffer);
#endif
}
ullBaseOfModule = 0;
#endif // SYMBOLS
if (de.u.CreateProcessInfo.lpImageName != NULL)
if (!ReadProcessMemory(de.u.CreateProcessInfo.hProcess,
de.u.CreateProcessInfo.lpImageName,
&lpImageName,
sizeof(lpImageName),
(SIZE_T *) NULL))
PrintConsole(hConsole,
L"ReadProcessMemory() returned error %lu\n",
dwError = GetLastError());
else
if (lpImageName != NULL)
if (!ReadProcessMemory(de.u.CreateProcessInfo.hProcess,
lpImageName,
szImageName,
sizeof(szImageName),
(SIZE_T *) NULL))
{
dwError = GetLastError();
if (dwError != ERROR_PARTIAL_COPY)
PrintConsole(hConsole,
L"ReadProcessMemory() returned error %lu\n",
dwError);
else
goto FILENAME;
}
else
FILENAME:
if (de.u.CreateProcessInfo.fUnicode != 0)
{
PrintConsole(hConsole,
L"\tProcess filename = %ls\n",
szImageName);
#ifdef SYMBOLS // DBGHELP >= 6.0
ullBaseOfModule = SymLoadModuleExW(de.u.CreateProcessInfo.hProcess,
de.u.CreateProcessInfo.hFile,
szImageName,
(LPCWSTR) NULL,
de.u.CreateProcessInfo.lpBaseOfImage,
0,
(MODLOAD_DATA *) NULL,
0);
if (ullBaseOfModule == 0)
{
dwError = GetLastError();
if (dwError != ERROR_SUCCESS)
PrintConsole(hConsole,
L"SymLoadModuleExW() returned error %lu\n",
dwError);
}
#endif // SYMBOLS
}
else
{
PrintConsole(hConsole,
L"\tProcess filename = %hs\n",
szImageName);
#ifdef SYMBOLS
ullBaseOfModule = SymLoadModuleEx(de.u.CreateProcessInfo.hProcess,
de.u.CreateProcessInfo.hFile,
(LPCSTR) szImageName,
(LPCSTR) NULL,
de.u.CreateProcessInfo.lpBaseOfImage,
0,
(MODLOAD_DATA *) NULL,
0);
if (ullBaseOfModule == 0)
{
dwError = GetLastError();
if (dwError != ERROR_SUCCESS)
PrintConsole(hConsole,
L"SymLoadModuleEx() returned error %lu\n",
dwError);
}
#endif // SYMBOLS
}
else
goto NOFILENAME;
else
NOFILENAME:
{
#if _WIN32_WINNT < 0x0600
dwImageName = GetModuleFileNameEx(de.u.CreateProcessInfo.hProcess,
#if 0
de.u.CreateProcessInfo.lpBaseOfImage,
#else
(HMODULE) NULL,
#endif
szImageName,
sizeof(szImageName) / sizeof(*szImageName));
if (dwImageName == 0)
{
PrintConsole(hConsole,
L"GetModuleFileNameEx() returned error %lu\n",
dwError = GetLastError());
lpImageName = GetFileNameFromHandle(hConsole,
de.u.CreateProcessInfo.hFile,
szImageName);
if (lpImageName != NULL)
PrintConsole(hConsole,
L"\tProcess filename = %ls\n",
lpImageName);
}
else
PrintConsole(hConsole,
L"\tProcess filename = %ls\n",
szImageName);
#else // _WIN32_WINNT
dwImageName = GetFinalPathNameByHandle(de.u.CreateProcessInfo.hFile,
szImageName,
sizeof(szImageName) / sizeof(*szImageName),
FILE_NAME_NORMALIZED | VOLUME_NAME_DOS);
if (dwImageName == 0)
PrintConsole(hConsole,
L"GetFinalPathNameByHandle() returned error %lu\n",
dwError = GetLastError());
else
PrintConsole(hConsole,
L"\tProcess filename = %ls\n",
szImageName + 4);
#endif // _WIN32_WINNT
#ifdef SYMBOLS
ullBaseOfModule = SymLoadModuleEx(de.u.CreateProcessInfo.hProcess,
de.u.CreateProcessInfo.hFile,
(LPCSTR) NULL,
(LPCSTR) NULL,
de.u.CreateProcessInfo.lpBaseOfImage,
0,
(MODLOAD_DATA *) NULL,
0);
if (ullBaseOfModule == 0)
{
dwError = GetLastError();
if (dwError != ERROR_SUCCESS)
PrintConsole(hConsole,
L"SymLoadModuleEx() returned error %lu\n",
dwError);
}
#endif // SYMBOLS
}
#ifdef SYMBOLS
if (ullBaseOfModule != 0)
if (!SymGetModuleInfo64(de.u.CreateProcessInfo.hProcess,
ullBaseOfModule,
&mi))
PrintConsole(hConsole,
L"SymGetModuleInfo64() returned error %lu\n",
dwError = GetLastError());
#ifdef VERBOSE
else
{
ull = __emulu(mi.TimeDateStamp, 10000000) // seconds since 1970-01-01 to
+ 116444736000000000; // 100 nano-seconds since 1601-01-01
if (!FileTimeToSystemTime((LPFILETIME) &ull, &st))
PrintConsole(hConsole,
L"FileTimeToSystemTime() returned error %lu\n",
dwError = GetLastError());
PrintConsole(hConsole,
L"\tModule date = 0x%08lX (%ls, %04hu-%02hu-%02hu %02hu:%02hu:%02hu UTC)\n"
L"\tModule size = 0x%08lX\n"
L"\tModule name = %.32ls\n"
L"\tImage name = %.256ls\n"
L"\tImage filename = %.256ls\n"
L"\tPDB filename = %.256ls\n"
L"\tSymbol count = %lu\n",
mi.TimeDateStamp,
szDayOfWeek[st.wDayOfWeek],
st.wYear, st.wMonth, st.wDay, st.wHour, st.wMinute, st.wSecond,
mi.ImageSize,
mi.ModuleName,
mi.ImageName,
mi.LoadedImageName,
mi.LoadedPdbName,
mi.NumSyms);
}
#endif // VERBOSE
#endif // SYMBOLS
}
#ifdef VERBOSE
PrintConsole(hConsole,
L"\tFile handle = 0x%p\n"
L"\tProcess handle = 0x%p\n"
L"\tThread handle = 0x%p\n",
de.u.CreateProcessInfo.hFile,
de.u.CreateProcessInfo.hProcess,
de.u.CreateProcessInfo.hThread);
#endif
PrintConsole(hConsole,
L"\tBase address = 0x%p\n"
#ifndef SYMBOLS
L"\tStart address = 0x%p\n"
#else
L"\tStart address = 0x%p%ls\n"
#endif
L"\tTEB address = 0x%p\n",
de.u.CreateProcessInfo.lpBaseOfImage,
#ifndef SYMBOLS
de.u.CreateProcessInfo.lpStartAddress,
#else
de.u.CreateProcessInfo.lpStartAddress,
NameLookup(de.u.CreateProcessInfo.hProcess, de.u.CreateProcessInfo.lpStartAddress, &mi, &siplus),
#endif
de.u.CreateProcessInfo.lpThreadLocalBase);
if (de.u.CreateProcessInfo.hFile != INVALID_HANDLE_VALUE)
if (!CloseHandle(de.u.CreateProcessInfo.hFile))
PrintConsole(hConsole,
L"CloseHandle() returned error %lu\n",
dwError = GetLastError());
break;
case CREATE_THREAD_DEBUG_EVENT:
PrintConsole(hConsole,
L"\n"
L"Thread %lu created in process %lu:\n"
#ifdef VERBOSE
L"\tThread handle = 0x%p\n"
#endif
#ifndef SYMBOLS
L"\tStart address = 0x%p\n"
#else
L"\tStart address = 0x%p%ls\n"
#endif
L"\tTEB address = 0x%p\n",
de.dwThreadId, de.dwProcessId,
#ifdef VERBOSE
de.u.CreateThread.hThread,
#endif
#ifndef SYMBOLS
de.u.CreateThread.lpStartAddress,
#else
de.u.CreateThread.lpStartAddress,
NameLookup(hProcess, de.u.CreateThread.lpStartAddress, &mi, &siplus),
#endif
de.u.CreateThread.lpThreadLocalBase);
break;
case EXIT_PROCESS_DEBUG_EVENT:
PrintConsole(hConsole,
L"\n"
L"Process %lu exited with thread %lu:\n"
L"\tExit code = 0x%08lX\n",
de.dwProcessId, de.dwThreadId,
de.u.ExitProcess.dwExitCode);
#ifdef SYMBOLS
if (!SymCleanup(hProcess))
PrintConsole(hConsole,
L"SymCleanup() returned error %lu\n",
dwError = GetLastError());
#endif // SYMBOLS
hProcess = NULL;
break;
case EXIT_THREAD_DEBUG_EVENT:
PrintConsole(hConsole,
L"\n"
L"Thread %lu exited from process %lu:\n"
L"\tExit code = 0x%08lX\n",
de.dwThreadId, de.dwProcessId,
de.u.ExitThread.dwExitCode);
break;
case LOAD_DLL_DEBUG_EVENT:
PrintConsole(hConsole,
L"\n"
L"DLL loaded in process %lu by thread %lu:\n",
de.dwProcessId, de.dwThreadId);
#ifdef SYMBOLS // DBGHELP >= 6.5
if (!SymRefreshModuleList(hProcess))
{
dwError = GetLastError();
if (dwError > 65535)
PrintConsole(hConsole,
L"SymRefreshModuleList() returned error 0x%08lX\n",
dwError);
else
PrintConsole(hConsole,
L"SymRefreshModuleList() returned error %lu\n",
dwError);
}
ullBaseOfModule = 0;
#endif // SYMBOLS
if (de.u.LoadDll.lpImageName != NULL)
if (!ReadProcessMemory(hProcess,
de.u.LoadDll.lpImageName,
&lpImageName,
sizeof(lpImageName),
(SIZE_T *) NULL))
PrintConsole(hConsole,
L"ReadProcessMemory() returned error %lu\n",
dwError = GetLastError());
else
if (lpImageName != NULL)
{
if (!ReadProcessMemory(hProcess,
lpImageName,
szImageName,
sizeof(szImageName),
(SIZE_T *) NULL))
{
dwError = GetLastError();
if (dwError != ERROR_PARTIAL_COPY)
PrintConsole(hConsole,
L"ReadProcessMemory() returned error %lu\n",
dwError);
else
goto DLLNAME;
}
else
DLLNAME:
if (de.u.LoadDll.fUnicode != 0)
{
PrintConsole(hConsole,
L"\tDLL filename = %ls\n",
szImageName);
#ifdef SYMBOLS // DBGHELP >= 6.0
ullBaseOfModule = SymLoadModuleExW(hProcess,
de.u.LoadDll.hFile,
szImageName,
(LPCWSTR) NULL,
de.u.LoadDll.lpBaseOfDll,
0,
(MODLOAD_DATA *) NULL,
0);
if (ullBaseOfModule == 0)
{
dwError = GetLastError();
if (dwError != ERROR_SUCCESS)
PrintConsole(hConsole,
L"SymLoadModuleExW() returned error %lu\n",
dwError);
}
#endif // SYMBOLS
}
else
{
PrintConsole(hConsole,
L"\tDLL filename = %hs\n",
szImageName);
#ifdef SYMBOLS
ullBaseOfModule = SymLoadModuleEx(hProcess,
de.u.LoadDll.hFile,
(LPCSTR) szImageName,
(LPCSTR) NULL,
de.u.LoadDll.lpBaseOfDll,
0,
(MODLOAD_DATA *) NULL,
0);
if (ullBaseOfModule == 0)
{
dwError = GetLastError();
if (dwError != ERROR_SUCCESS)
PrintConsole(hConsole,
L"SymLoadModuleEx() returned error %lu\n",
dwError);
}
#endif // SYMBOLS
}
}
else
goto NODLLNAME;
else
NODLLNAME:
{
#if _WIN32_WINNT < 0x0600
dwImageName = GetModuleFileNameEx(hProcess,
de.u.LoadDll.lpBaseOfDll,
szImageName,
sizeof(szImageName) / sizeof(*szImageName));
if (dwImageName == 0)
{
PrintConsole(hConsole,
L"GetModuleFileNameEx() returned error %lu\n",
dwError = GetLastError());
lpImageName = GetFileNameFromHandle(hConsole,
de.u.LoadDll.hFile,
szImageName);
if (lpImageName != NULL)
PrintConsole(hConsole,
L"\tDLL filename = %ls\n",
lpImageName);
}
else
PrintConsole(hConsole,
L"\tDLL filename = %ls\n",
szImageName);
#else // _WIN32_WINNT
dwImageName = GetFinalPathNameByHandle(de.u.LoadDll.hFile,
szImageName,
sizeof(szImageName) / sizeof(*szImageName),
FILE_NAME_NORMALIZED | VOLUME_NAME_DOS);
if (dwImageName == 0)
PrintConsole(hConsole,
L"GetFinalPathNameByHandle() returned error %lu\n",
dwError = GetLastError());
else
PrintConsole(hConsole,
L"\tDLL filename = %ls\n",
szImageName + 4);
#endif // _WIN32_WINNT
#ifdef SYMBOLS
ullBaseOfModule = SymLoadModuleEx(hProcess,
de.u.LoadDll.hFile,
(LPCSTR) NULL,
(LPCSTR) NULL,
de.u.LoadDll.lpBaseOfDll,
0,
(MODLOAD_DATA *) NULL,
0);
if (ullBaseOfModule == 0)
{
dwError = GetLastError();
if (dwError != ERROR_SUCCESS)
PrintConsole(hConsole,
L"SymLoadModuleEx() returned error %lu\n",
dwError);
}
#endif // SYMBOLS
}
#ifdef SYMBOLS
if (ullBaseOfModule != 0)
if (!SymGetModuleInfo64(hProcess,
ullBaseOfModule,
&mi))
PrintConsole(hConsole,
L"SymGetModuleInfo64() returned error %lu\n",
dwError = GetLastError());
#ifdef VERBOSE
else
{
ull = __emulu(mi.TimeDateStamp, 10000000) // seconds since 1970-01-01 to
+ 116444736000000000; // 100 nano-seconds since 1601-01-01
if (!FileTimeToSystemTime((LPFILETIME) &ull, &st))
PrintConsole(hConsole,
L"FileTimeToSystemTime() returned error %lu\n",
dwError = GetLastError());
PrintConsole(hConsole,
L"\tModule date = 0x%08lX (%ls, %04hu-%02hu-%02hu %02hu:%02hu:%02hu UTC)\n"
L"\tModule size = 0x%08lX\n"
L"\tModule name = %.32ls\n"
L"\tImage name = %.256ls\n"
L"\tImage filename = %.256ls\n"
L"\tPDB filename = %.256ls\n"
L"\tSymbol count = %lu\n",
mi.TimeDateStamp,
szDayOfWeek[st.wDayOfWeek],
st.wYear, st.wMonth, st.wDay, st.wHour, st.wMinute, st.wSecond,
mi.ImageSize,
mi.ModuleName,
mi.ImageName,
mi.LoadedImageName,
mi.LoadedPdbName,
mi.NumSyms);
}
#endif // VERBOSE
#endif // SYMBOLS
PrintConsole(hConsole,
#ifdef VERBOSE
L"\tFile handle = 0x%p\n"
#endif
#ifndef SYMBOLS
L"\tBase address = 0x%p\n",
#ifdef VERBOSE
de.u.LoadDll.hFile,
#endif
de.u.LoadDll.lpBaseOfDll);
#else // SYMBOLS
L"\tBase address = 0x%p%ls\n",
#ifdef VERBOSE
de.u.LoadDll.hFile,
#endif
de.u.LoadDll.lpBaseOfDll,
NameLookup(hProcess, de.u.LoadDll.lpBaseOfDll, &mi, &siplus));
#endif // SYMBOLS
if (de.u.LoadDll.hFile != INVALID_HANDLE_VALUE)
if (!CloseHandle(de.u.LoadDll.hFile))
PrintConsole(hConsole,
L"CloseHandle() returned error %lu\n",
dwError = GetLastError());
break;
case UNLOAD_DLL_DEBUG_EVENT:
PrintConsole(hConsole,
L"\n"
L"DLL unloaded from process %lu by thread %lu:\n"
#ifndef SYMBOLS
L"\tBase address = 0x%p\n",
#else
L"\tBase address = 0x%p%ls\n",
#endif
de.dwProcessId, de.dwThreadId,
#ifndef SYMBOLS
de.u.UnloadDll.lpBaseOfDll);
#else
de.u.UnloadDll.lpBaseOfDll,
NameLookup(hProcess, de.u.UnloadDll.lpBaseOfDll, &mi, &siplus));
if (!SymUnloadModule64(hProcess,
de.u.UnloadDll.lpBaseOfDll))
PrintConsole(hConsole,
L"SymUnloadModule64() returned error %lu\n",
dwError = GetLastError());
#endif // SYMBOLS
break;
case OUTPUT_DEBUG_STRING_EVENT:
PrintConsole(hConsole,
L"\n"
L"Output debug string in thread %lu of process %lu:\n"
L"\tString length = %hu\n"
#ifndef SYMBOLS
L"\tString address = 0x%p\n",
#else
L"\tString address = 0x%p%ls\n",
#endif
de.dwThreadId, de.dwProcessId,
de.u.DebugString.nDebugStringLength - 1,
#ifndef SYMBOLS
de.u.DebugString.lpDebugStringData);
#else
de.u.DebugString.lpDebugStringData,
NameLookup(hProcess, de.u.DebugString.lpDebugStringData, &mi, &siplus));
#endif
dwString = de.u.DebugString.nDebugStringLength;
#if 0 // NOTE: debug string is always ANSI!
if (de.u.CreateProcessInfo.fUnicode != 0)
dwString *= sizeof(L'\0');
#endif
lpString = LocalAlloc(LPTR, dwString);
if (lpString == NULL)
PrintConsole(hConsole,
L"LocalAlloc() returned error %lu\n",
dwError = GetLastError());
else
{
if (!ReadProcessMemory(hProcess,
de.u.DebugString.lpDebugStringData,
lpString,
dwString,
(SIZE_T *) NULL))
PrintConsole(hConsole,
L"ReadProcessMemory() returned error %lu\n",
dwError = GetLastError());
else
#if 0 // NOTE: debug string is always ANSI!
if (de.u.CreateProcessInfo.fUnicode != 0)
{
dwString = wcslen((LPCWSTR) lpString);
while ((dwString-- > 0)
&& ((lpString[dwString] == L' ')
|| (lpString[dwString] == L'\a')
|| (lpString[dwString] == L'\b')
|| (lpString[dwString] == L'\f')
|| (lpString[dwString] == L'\n')
|| (lpString[dwString] == L'\r')
|| (lpString[dwString] == L'\t')
|| (lpString[dwString] == L'\v')))
/* lpString[dwString] = L'\0' */;
lpString[++dwString] = L'\0';
PrintConsole(hConsole,
L"\tString value = %ls\n",
lpString);
}
else
#endif
{
dwString = strlen((LPCSTR) lpString);
while ((dwString-- > 0)
&& ((lpString[dwString] == ' ')
|| (lpString[dwString] == '\a')
|| (lpString[dwString] == '\b')
|| (lpString[dwString] == '\f')
|| (lpString[dwString] == '\n')
|| (lpString[dwString] == '\r')
|| (lpString[dwString] == '\t')
|| (lpString[dwString] == '\v')))
/* lpString[dwString] = '\0' */;
lpString[++dwString] = '\0';
PrintConsole(hConsole,
L"\tString value = %hs\n",
lpString);
}
if (LocalFree(lpString) != NULL)
PrintConsole(hConsole,
L"LocalFree() returned error %lu\n",
dwError = GetLastError());
}
break;
case RIP_EVENT:
PrintConsole(hConsole,
L"\n"
L"RIP in thread %lu of process %lu:\n"
L"\tError = %lu\n"
L"\tType = %lu\n",
de.dwThreadId, de.dwProcessId,
de.u.RipInfo.dwError,
de.u.RipInfo.dwType);
break;
case EXCEPTION_DEBUG_EVENT:
PrintConsole(hConsole,
L"\n"
L"%ls chance exception in thread %lu of process %lu:\n"
L"\tDescription = %ls\n"
L"\tCode = 0x%08lX\n"
L"\tFlags = 0x%08lX (%lscontinuable)\n"
#ifndef SYMBOLS
L"\tAddress = 0x%p\n",
#else
L"\tAddress = 0x%p%ls\n",
#endif
de.u.Exception.dwFirstChance != 0 ? L"First" : L"Last",
de.dwThreadId, de.dwProcessId,
ExceptionName(szBuffer, &de.u.Exception.ExceptionRecord),
de.u.Exception.ExceptionRecord.ExceptionCode,
de.u.Exception.ExceptionRecord.ExceptionFlags,
de.u.Exception.ExceptionRecord.ExceptionFlags != 0 ? L"non-" : L"",
#ifndef SYMBOLS
de.u.Exception.ExceptionRecord.ExceptionAddress);
#else
de.u.Exception.ExceptionRecord.ExceptionAddress,
NameLookup(hProcess, de.u.Exception.ExceptionRecord.ExceptionAddress, &mi, &siplus));
#endif
if (de.u.Exception.dwFirstChance != 0)
{
if (de.u.Exception.ExceptionRecord.NumberParameters > 0)
{
PrintConsole(hConsole,
L"\tParameters[%lu] %lc",
de.u.Exception.ExceptionRecord.NumberParameters,
de.u.Exception.ExceptionRecord.NumberParameters > 10 ? L'\0' : L' ');
for (dwParameter = 0; dwParameter < de.u.Exception.ExceptionRecord.NumberParameters; dwParameter++)
PrintConsole(hConsole,
dwParameter == 0 ? L"= 0x%p" : L", 0x%p",
de.u.Exception.ExceptionRecord.ExceptionInformation[dwParameter]);
PrintConsole(hConsole, L"\n");
}
for (lpExceptionRecord = de.u.Exception.ExceptionRecord.ExceptionRecord;
lpExceptionRecord != NULL;
lpExceptionRecord = lpExceptionRecord->ExceptionRecord)
{
PrintConsole(hConsole,
L"\n"
L"\tChained exception:\n"
L"\t\tDescription = %ls\n"
L"\t\tCode = 0x%08lX\n"
L"\t\tFlags = 0x%08lX (%lscontinuable)\n"
#ifndef SYMBOLS
L"\t\tAddress = 0x%p\n",
#else
L"\t\tAddress = 0x%p%ls\n",
#endif
ExceptionName(szBuffer, lpExceptionRecord),
lpExceptionRecord->ExceptionCode,
lpExceptionRecord->ExceptionFlags,
lpExceptionRecord->ExceptionFlags != 0 ? L"non-" : L"",
#ifndef SYMBOLS
lpExceptionRecord->ExceptionAddress);
#else
lpExceptionRecord->ExceptionAddress,
NameLookup(hProcess, lpExceptionRecord->ExceptionAddress, &mi, &siplus));
#endif
if (lpExceptionRecord->NumberParameters > 0)
{
PrintConsole(hConsole,
L"\t\tParameters[%lu] %lc",
lpExceptionRecord->NumberParameters,
lpExceptionRecord->NumberParameters > 10 ? L'\0' : L' ');
for (dwParameter = 0; dwParameter < lpExceptionRecord->NumberParameters; dwParameter++)
PrintConsole(hConsole,
dwParameter == 0 ? L"= 0x%p" : L", 0x%p",
lpExceptionRecord->ExceptionInformation[dwParameter]);
PrintConsole(hConsole, L"\n");
}
}
#ifdef SYMBOLS
hThread = OpenThread(THREAD_GET_CONTEXT,
FALSE,
de.dwThreadId);
if (hThread == NULL)
PrintConsole(hConsole,
L"OpenThread() returned error %lu\n",
dwError = GetLastError());
else
{
#if _M_IX86
if (!GetThreadContext(hThread, &context))
PrintConsole(hConsole,
L"GetThreadContext() returned error %lu\n",
dwError = GetLastError());
else
{
#ifdef VERBOSE
PrintConsole(hConsole, L"\tRegisters:\n");
if ((context.ContextFlags & CONTEXT_CONTROL) == CONTEXT_CONTROL)
PrintConsole(hConsole,
L"\t\tEbp = 0x%08lX, Eip = 0x%08lX, Esp = 0x%08lX\n"
L"\t\tCs = 0x%08lX, Ss = 0x%08lX\n"
L"\t\tEfl = 0x%08lX: Iopl %1lu,%ls%ls %ls %ls %ls %ls %ls %ls %ls %ls\n",
context.Ebp, context.Eip, context.Esp,
context.SegCs, context.SegSs,
context.EFlags,
(context.EFlags >> 12) & 0x00000003, // IOPL level
context.EFlags & 0x00100000 ? L" vip" : L"", // VIP (virtual interrupt pending)
context.EFlags & 0x00080000 ? L" vif" : L"", // VIF (virtual interrupt flag)
context.EFlags & 0x00000800 ? L"ov" : L"nv", // OF (overflow flag)
context.EFlags & 0x00000400 ? L"dn" : L"up", // DF (direction flag)
context.EFlags & 0x00000200 ? L"ei" : L"di", // IF (interrupt enable flag)
context.EFlags & 0x00000080 ? L"ng" : L"pl", // SF (sign flag)
context.EFlags & 0x00000040 ? L"zr" : L"nz", // ZF (zero flag)
context.EFlags & 0x00000010 ? L"ac" : L"na", // AF (aux carry flag)
context.EFlags & 0x00000004 ? L"pe" : L"po", // PF (parity flag)
context.EFlags & 0x00000001 ? L"cy" : L"nc"); // CF (carry flag)
if ((context.ContextFlags & CONTEXT_INTEGER) == CONTEXT_INTEGER)
PrintConsole(hConsole,
L"\t\tEax = 0x%08lX, Ebx = 0x%08lX, Ecx = 0x%08lX, Edx = 0x%08lX\n"
L"\t\tEdi = 0x%08lX, Esi = 0x%08lX\n",
context.Eax, context.Ebx, context.Ecx, context.Edx,
context.Edi, context.Esi);
if ((context.ContextFlags & CONTEXT_SEGMENTS) == CONTEXT_SEGMENTS)
PrintConsole(hConsole,
L"\t\tDs = 0x%08lX, Es = 0x%08lX, Fs = 0x%08lX, Gs = 0x%08lX\n",
context.SegDs, context.SegEs, context.SegFs, context.SegGs);
if ((context.ContextFlags & CONTEXT_DEBUG_REGISTERS) == CONTEXT_DEBUG_REGISTERS)
PrintConsole(hConsole,
L"\t\tDr0 = 0x%08lX, Dr1 = 0x%08lX, Dr2 = 0x%08lX, Dr3 = 0x%08lX\n"
L"\t\tDr6 = 0x%08lX, Dr7 = 0x%08lX\n",
context.Dr0, context.Dr1, context.Dr2, context.Dr3,
context.Dr6, context.Dr7);
if ((context.ContextFlags & CONTEXT_FLOATING_POINT) == CONTEXT_FLOATING_POINT)
;
if ((context.ContextFlags & CONTEXT_EXTENDED_REGISTERS) == CONTEXT_EXTENDED_REGISTERS)
;
#endif // VERBOSE
sf.AddrPC.Offset = context.Eip;
sf.AddrPC.Mode = AddrModeFlat;
sf.AddrReturn.Mode = AddrModeFlat;
sf.AddrFrame.Offset = context.Ebp;
sf.AddrFrame.Mode = AddrModeFlat;
sf.AddrStack.Offset = context.Esp;
sf.AddrStack.Mode = AddrModeFlat;
PrintConsole(hConsole, L"\tCall stack:\n");
while (StackWalk64(IMAGE_FILE_MACHINE_I386,
hProcess,
hThread,
&sf,
&context,
#if 1
NULL,
#else
ReadProcessMemory,
#endif
SymFunctionTableAccess64,
SymGetModuleBase64,
NULL))
#ifdef VERBOSE
PrintConsole(hConsole,
L"\t\tAddress = 0x%08lX%ls\n"
L"\t\tReturn = 0x%08lX\n"
L"\t\tFrame = 0x%08lX\n"
L"\t\tStack = 0x%08lX\n"
L"\t\tParameter = 0x%08lX, 0x%08lX, 0x%08lX, 0x%08lX\n",
(DWORD) sf.AddrPC.Offset,
NameLookup(hProcess, sf.AddrPC.Offset, &mi, &siplus),
(DWORD) sf.AddrReturn.Offset,
(DWORD) sf.AddrFrame.Offset,
(DWORD) sf.AddrStack.Offset,
(DWORD) sf.Params[0],
(DWORD) sf.Params[1],
(DWORD) sf.Params[2],
(DWORD) sf.Params[3]);
#else
PrintConsole(hConsole,
L"\t\tAddress = 0x%08lX%ls\n",
(DWORD) sf.AddrPC.Offset,
NameLookup(hProcess, sf.AddrPC.Offset, &mi, &siplus));
#endif // VERBOSE
}
#elif _M_AMD64
if (bWow64)
{
if (!Wow64GetThreadContext(hThread, &wow64_context))
PrintConsole(hConsole,
L"Wow64GetThreadContext() returned error %lu\n",
dwError = GetLastError());
else
{
#ifdef VERBOSE
PrintConsole(hConsole, L"\tRegisters:\n");
if ((wow64_context.ContextFlags & CONTEXT_CONTROL) == CONTEXT_CONTROL)
PrintConsole(hConsole,
L"\t\tEbp = 0x%08lX, Eip = 0x%08lX, Esp = 0x%08lX\n"
L"\t\tCs = 0x%08lX, Ss = 0x%08lX\n"
L"\t\tEfl = 0x%08lX: Iopl %1lu,%ls%ls %ls %ls %ls %ls %ls %ls %ls %ls\n",
wow64_context.Ebp, wow64_context.Eip, wow64_context.Esp,
wow64_context.SegCs, wow64_context.SegSs,
wow64_context.EFlags,
(wow64_context.EFlags >> 12) & 0x00000003, // IOPL level
wow64_context.EFlags & 0x00100000 ? L" vip" : L"", // VIP (virtual interrupt pending)
wow64_context.EFlags & 0x00080000 ? L" vif" : L"", // VIF (virtual interrupt flag)
wow64_context.EFlags & 0x00000800 ? L"ov" : L"nv", // OF (overflow flag)
wow64_context.EFlags & 0x00000400 ? L"dn" : L"up", // DF (direction flag)
wow64_context.EFlags & 0x00000200 ? L"ei" : L"di", // IF (interrupt enable flag)
wow64_context.EFlags & 0x00000080 ? L"ng" : L"pl", // SF (sign flag)
wow64_context.EFlags & 0x00000040 ? L"zr" : L"nz", // ZF (zero flag)
wow64_context.EFlags & 0x00000010 ? L"ac" : L"na", // AF (aux carry flag)
wow64_context.EFlags & 0x00000004 ? L"pe" : L"po", // PF (parity flag)
wow64_context.EFlags & 0x00000001 ? L"cy" : L"nc"); // CF (carry flag)
if ((wow64_context.ContextFlags & CONTEXT_INTEGER) == CONTEXT_INTEGER)
PrintConsole(hConsole,
L"\t\tEax = 0x%08lX, Ebx = 0x%08lX, Ecx = 0x%08lX, Edx = 0x%08lX\n"
L"\t\tEdi = 0x%08lX, Esi = 0x%08lX\n",
wow64_context.Eax, wow64_context.Ebx, wow64_context.Ecx, wow64_context.Edx,
wow64_context.Edi, wow64_context.Esi);
if ((wow64_context.ContextFlags & CONTEXT_SEGMENTS) == CONTEXT_SEGMENTS)
PrintConsole(hConsole,
L"\t\tDs = 0x%08lX, Es = 0x%08lX, Fs = 0x%08lX, Gs = 0x%08lX\n",
wow64_context.SegDs, wow64_context.SegEs, wow64_context.SegFs, wow64_context.SegGs);
if ((wow64_context.ContextFlags & CONTEXT_DEBUG_REGISTERS) == CONTEXT_DEBUG_REGISTERS)
PrintConsole(hConsole,
L"\t\tDr0 = 0x%08lX, Dr1 = 0x%08lX, Dr2 = 0x%08lX, Dr3 = 0x%08lX\n"
L"\t\tDr6 = 0x%08lX, Dr7 = 0x%08lX\n",
wow64_context.Dr0, wow64_context.Dr1, wow64_context.Dr2, wow64_context.Dr3,
wow64_context.Dr6, wow64_context.Dr7);
if ((wow64_context.ContextFlags & CONTEXT_FLOATING_POINT) == CONTEXT_FLOATING_POINT)
;
if ((wow64_context.ContextFlags & CONTEXT_EXTENDED_REGISTERS) == CONTEXT_EXTENDED_REGISTERS)
;
#endif // VERBOSE
sf.AddrPC.Offset = wow64_context.Eip;
sf.AddrPC.Mode = AddrModeFlat;
sf.AddrReturn.Mode = AddrModeFlat;
sf.AddrFrame.Offset = wow64_context.Ebp;
sf.AddrFrame.Mode = AddrModeFlat;
sf.AddrStack.Offset = wow64_context.Esp;
sf.AddrStack.Mode = AddrModeFlat;
PrintConsole(hConsole, L"\tCall stack:\n");
while (StackWalk64(IMAGE_FILE_MACHINE_I386,
hProcess,
hThread,
&sf,
&wow64_context,
#if 1
NULL,
#else
ReadProcessMemory,
#endif
SymFunctionTableAccess64,
SymGetModuleBase64,
NULL))
#ifdef VERBOSE
PrintConsole(hConsole,
L"\t\tAddress = 0x%08lX%ls\n"
L"\t\tReturn = 0x%08lX\n"
L"\t\tFrame = 0x%08lX\n"
L"\t\tStack = 0x%08lX\n"
L"\t\tParameter = 0x%08lX, 0x%08lX, 0x%08lX, 0x%08lX\n",
(DWORD) sf.AddrPC.Offset,
NameLookup(hProcess, sf.AddrPC.Offset, &mi, &siplus),
(DWORD) sf.AddrReturn.Offset,
(DWORD) sf.AddrFrame.Offset,
(DWORD) sf.AddrStack.Offset,
(DWORD) sf.Params[0],
(DWORD) sf.Params[1],
(DWORD) sf.Params[2],
(DWORD) sf.Params[3]);
#else
PrintConsole(hConsole,
L"\t\tAddress = 0x%08lX%ls\n",
(DWORD) sf.AddrPC.Offset,
NameLookup(hProcess, sf.AddrPC.Offset, &mi, &siplus));
#endif // VERBOSE
}
}
else
{
if (!GetThreadContext(hThread, &context))
PrintConsole(hConsole,
L"GetThreadContext() returned error %lu\n",
dwError = GetLastError());
else
{
#ifdef VERBOSE
PrintConsole(hConsole, L"\tRegisters:\n");
if ((context.ContextFlags & CONTEXT_CONTROL) == CONTEXT_CONTROL)
PrintConsole(hConsole,
L"\t\tRip = 0x%016I64X, Rsp = 0x%016I64X\n"
L"\t\tCs = %04hX, Ss = %04hX\n"
L"\t\tRfl = 0x%08lX: Iopl %1lu,%ls%ls %ls %ls %ls %ls %ls %ls %ls %ls\n",
context.Rip, context.Rsp,
context.SegCs, context.SegSs,
context.EFlags,
(context.EFlags >> 12) & 0x00000003, // IOPL level
context.EFlags & 0x00100000 ? L" vip" : L"", // VIP (virtual interrupt pending)
context.EFlags & 0x00080000 ? L" vif" : L"", // VIF (virtual interrupt flag)
context.EFlags & 0x00000800 ? L"ov" : L"nv", // OF (overflow flag)
context.EFlags & 0x00000400 ? L"dn" : L"up", // DF (direction flag)
context.EFlags & 0x00000200 ? L"ei" : L"di", // IF (interrupt enable flag)
context.EFlags & 0x00000080 ? L"ng" : L"pl", // SF (sign flag)
context.EFlags & 0x00000040 ? L"zr" : L"nz", // ZF (zero flag)
context.EFlags & 0x00000010 ? L"ac" : L"na", // AF (aux carry flag)
context.EFlags & 0x00000004 ? L"pe" : L"po", // PF (parity flag)
context.EFlags & 0x00000001 ? L"cy" : L"nc"); // CF (carry flag)
if ((context.ContextFlags & CONTEXT_INTEGER) == CONTEXT_INTEGER)
PrintConsole(hConsole,
L"\t\tRax = 0x%016I64X, Rbx = 0x%016I64X, Rcx = 0x%016I64X, Rdx = 0x%016I64X\n"
L"\t\tRbp = 0x%016I64X, Rdi = 0x%016I64X, Rsi = 0x%016I64X\n"
L"\t\tR08 = 0x%016I64X, R09 = 0x%016I64X, R10 = 0x%016I64X, R11 = 0x%016I64X\n"
L"\t\tR12 = 0x%016I64X, R13 = 0x%016I64X, R14 = 0x%016I64X, R15 = 0x%016I64X\n",
context.Rax, context.Rbx, context.Rcx, context.Rdx,
context.Rbp, context.Rdi, context.Rsi,
context.R08, context.R09, context.R10, context.R11,
context.R12, context.R13, context.R14, context.R15);
if ((context.ContextFlags & CONTEXT_SEGMENTS) == CONTEXT_SEGMENTS)
PrintConsole(hConsole,
L"\t\tDs = %04hX, Es = %04hX, Fs = %04hX, Gs = %04hX\n",
context.SegDs, context.SegEs, context.SegFs, context.SegGs);
if ((context.ContextFlags & CONTEXT_DEBUG_REGISTERS) == CONTEXT_DEBUG_REGISTERS)
PrintConsole(hConsole,
L"\t\tDr0 = 0x%016I64X, Dr1 = 0x%016I64X, Dr2 = 0x%016I64X, Dr3 = 0x%016I64X\n"
L"\t\tDr6 = 0x%016I64X, Dr7 = 0x%016I64X\n",
context.Dr0, context.Dr1, context.Dr2, context.Dr3,
context.Dr6, context.Dr7);
if ((context.ContextFlags & CONTEXT_FLOATING_POINT) == CONTEXT_FLOATING_POINT)
;
#endif // VERBOSE
sf.AddrPC.Offset = context.Rip;
sf.AddrPC.Mode = AddrModeFlat;
sf.AddrReturn.Mode = AddrModeFlat;
sf.AddrFrame.Offset = context.Rbp;
sf.AddrFrame.Mode = AddrModeFlat;
sf.AddrStack.Offset = context.Rsp;
sf.AddrStack.Mode = AddrModeFlat;
PrintConsole(hConsole, L"\tCall stack:\n");
while (StackWalk64(IMAGE_FILE_MACHINE_AMD64,
hProcess,
hThread,
&sf,
&context,
#if 1
NULL,
#else
ReadProcessMemory,
#endif
SymFunctionTableAccess64,
SymGetModuleBase64,
NULL))
#ifdef VERBOSE
PrintConsole(hConsole,
L"\t\tAddress = 0x%016I64X%ls\n"
L"\t\tReturn = 0x%016I64X\n"
L"\t\tFrame = 0x%016I64X\n"
L"\t\tStack = 0x%016I64X\n"
L"\t\tParameter = 0x%016I64X, 0x%016I64X, 0x%016I64X, 0x%016I64X\n",
sf.AddrPC.Offset,
NameLookup(hProcess, sf.AddrPC.Offset, &mi, &siplus),
sf.AddrReturn.Offset,
sf.AddrFrame.Offset,
sf.AddrStack.Offset,
sf.Params[0],
sf.Params[1],
sf.Params[2],
sf.Params[3]);
#else
PrintConsole(hConsole,
L"\t\tAddress = 0x%016I64X%ls\n",
sf.AddrPC.Offset,
NameLookup(hProcess, sf.AddrPC.Offset, &mi, &siplus));
#endif // VERBOSE
}
}
#elif _M_IA64
if (bWow64)
{
if (!Wow64GetThreadContext(hThread, &wow64_context))
PrintConsole(hConsole,
L"Wow64GetThreadContext() returned error %lu\n",
dwError = GetLastError());
else
{
#ifdef VERBOSE
PrintConsole(hConsole, L"\tRegisters:\n");
if ((wow64_context.ContextFlags & CONTEXT_CONTROL) == CONTEXT_CONTROL)
PrintConsole(hConsole,
L"\t\tEbp = 0x%08lX, Eip = 0x%08lX, Esp = 0x%08lX\n"
L"\t\tCs = 0x%08lX, Ss = 0x%08lX\n"
L"\t\tEfl = 0x%08lX: Iopl %1lu,%ls%ls %ls %ls %ls %ls %ls %ls %ls %ls\n",
wow64_context.Ebp, wow64_context.Eip, wow64_context.Esp,
wow64_context.SegCs, wow64_context.SegSs,
wow64_context.EFlags,
(wow64_context.EFlags >> 12) & 0x00000003, // IOPL level
wow64_context.EFlags & 0x00100000 ? L" vip" : L"", // VIP (virtual interrupt pending)
wow64_context.EFlags & 0x00080000 ? L" vif" : L"", // VIF (virtual interrupt flag)
wow64_context.EFlags & 0x00000800 ? L"ov" : L"nv", // OF (overflow flag)
wow64_context.EFlags & 0x00000400 ? L"dn" : L"up", // DF (direction flag)
wow64_context.EFlags & 0x00000200 ? L"ei" : L"di", // IF (interrupt enable flag)
wow64_context.EFlags & 0x00000080 ? L"ng" : L"pl", // SF (sign flag)
wow64_context.EFlags & 0x00000040 ? L"zr" : L"nz", // ZF (zero flag)
wow64_context.EFlags & 0x00000010 ? L"ac" : L"na", // AF (aux carry flag)
wow64_context.EFlags & 0x00000004 ? L"pe" : L"po", // PF (parity flag)
wow64_context.EFlags & 0x00000001 ? L"cy" : L"nc"); // CF (carry flag)
if ((wow64_context.ContextFlags & CONTEXT_INTEGER) == CONTEXT_INTEGER)
PrintConsole(hConsole,
L"\t\tEax = 0x%08lX, Ebx = 0x%08lX, Ecx = 0x%08lX, Edx = 0x%08lX\n"
L"\t\tEdi = 0x%08lX, Esi = 0x%08lX\n",
wow64_context.Eax, wow64_context.Ebx, wow64_context.Ecx, wow64_context.Edx,
wow64_context.Edi, wow64_context.Esi);
if ((wow64_context.ContextFlags & CONTEXT_SEGMENTS) == CONTEXT_SEGMENTS)
PrintConsole(hConsole,
L"\t\tDs = 0x%08lX, Es = 0x%08lX, Fs = 0x%08lX, Gs = 0x%08lX\n",
wow64_context.SegDs, wow64_context.SegEs, wow64_context.SegFs, wow64_context.SegGs);
if ((wow64_context.ContextFlags & CONTEXT_DEBUG_REGISTERS) == CONTEXT_DEBUG_REGISTERS)
PrintConsole(hConsole,
L"\t\tDr0 = 0x%08lX, Dr1 = 0x%08lX, Dr2 = 0x%08lX, Dr3 = 0x%08lX\n"
L"\t\tDr6 = 0x%08lX, Dr7 = 0x%08lX\n",
wow64_context.Dr0, wow64_context.Dr1, wow64_context.Dr2, wow64_context.Dr3,
wow64_context.Dr6, wow64_context.Dr7);
if ((wow64_context.ContextFlags & CONTEXT_FLOATING_POINT) == CONTEXT_FLOATING_POINT)
;
if ((wow64_context.ContextFlags & CONTEXT_EXTENDED_REGISTERS) == CONTEXT_EXTENDED_REGISTERS)
;
#endif // VERBOSE
sf.AddrPC.Offset = wow64_context.Eip;
sf.AddrPC.Mode = AddrModeFlat;
sf.AddrReturn.Mode = AddrModeFlat;
sf.AddrFrame.Offset = wow64_context.Ebp;
sf.AddrFrame.Mode = AddrModeFlat;
sf.AddrStack.Offset = wow64_context.Esp;
sf.AddrStack.Mode = AddrModeFlat;
PrintConsole(hConsole, L"\tCall stack:\n");
while (StackWalk64(IMAGE_FILE_MACHINE_I386,
hProcess,
hThread,
&sf,
&wow64_context,
#if 1
NULL,
#else
ReadProcessMemory,
#endif
SymFunctionTableAccess64,
SymGetModuleBase64,
NULL))
#ifdef VERBOSE
PrintConsole(hConsole,
L"\t\tAddress = 0x%08lX%ls\n"
L"\t\tReturn = 0x%08lX\n"
L"\t\tFrame = 0x%08lX\n"
L"\t\tStack = 0x%08lX\n"
L"\t\tParameter = 0x%08lX, 0x%08lX, 0x%08lX, 0x%08lX\n",
(DWORD) sf.AddrPC.Offset,
NameLookup(hProcess, sf.AddrPC.Offset, &mi, &siplus),
(DWORD) sf.AddrReturn.Offset,
(DWORD) sf.AddrFrame.Offset,
(DWORD) sf.AddrStack.Offset,
(DWORD) sf.Params[0],
(DWORD) sf.Params[1],
(DWORD) sf.Params[2],
(DWORD) sf.Params[3]);
#else
PrintConsole(hConsole,
L"\t\tAddress = 0x%08lX%ls\n",
(DWORD) sf.AddrPC.Offset,
NameLookup(hProcess, sf.AddrPC.Offset, &mi, &siplus));
#endif // VERBOSE
}
}
else
{
if (!GetThreadContext(hThread, &context))
PrintConsole(hConsole,
L"GetThreadContext() returned error %lu\n",
dwError = GetLastError());
else
{
sf.AddrPC.Offset = context.StIIP;
sf.AddrPC.Mode = AddrModeFlat;
sf.AddrReturn.Mode = AddrModeFlat;
sf.AddrFrame.Mode = AddrModeFlat;
sf.AddrStack.Offset = context.IntSp;
sf.AddrStack.Mode = AddrModeFlat;
sf.AddrBStore.Offset = context.RsBSP;
sf.AddrBStore.Mode = AddrModeFlat;
PrintConsole(hConsole, L"\tCall stack:\n");
while (StackWalk64(IMAGE_FILE_MACHINE_IA64,
hProcess,
hThread,
&sf,
&context,
#if 1
NULL,
#else
ReadProcessMemory,
#endif
SymFunctionTableAccess64,
SymGetModuleBase64,
NULL))
#ifdef VERBOSE
PrintConsole(hConsole,
L"\t\tAddress = 0x%016I64X%ls\n"
L"\t\tReturn = 0x%016I64X\n"
L"\t\tFrame = 0x%016I64X\n"
L"\t\tStack = 0x%016I64X\n"
L"\t\tParameter = 0x%016I64X, 0x%016I64X, 0x%016I64X, 0x%016I64X\n",
sf.AddrPC.Offset,
NameLookup(hProcess, sf.AddrPC.Offset, &mi, &siplus),
sf.AddrReturn.Offset,
sf.AddrFrame.Offset,
sf.AddrStack.Offset,
sf.Params[0],
sf.Params[1],
sf.Params[2],
sf.Params[3]);
#else
PrintConsole(hConsole,
L"\t\tAddress = 0x%016I64X%ls\n",
sf.AddrPC.Offset,
NameLookup(hProcess, sf.AddrPC.Offset, &mi, &siplus));
#endif // VERBOSE
}
}
#else
#error Only I386, AMD64 and IA64 supported!
#endif
if (!CloseHandle(hThread))
PrintConsole(hConsole,
L"CloseHandle() returned error %lu\n",
dwError = GetLastError());
}
#endif // SYMBOLS
}
break;
default:
PrintConsole(hConsole,
L"\n"
L"Unknown debug event %lu in thread %lu of process %lu\n",
de.dwDebugEventCode,
de.dwThreadId, de.dwProcessId);
}
// NOTE: DBG_EXCEPTION_NOT_HANDLED repeats OUTPUT_DEBUG_STRING_EVENT once!
if (!ContinueDebugEvent(de.dwProcessId,
de.dwThreadId,
de.dwDebugEventCode == EXCEPTION_DEBUG_EVENT ? DBG_EXCEPTION_NOT_HANDLED : DBG_CONTINUE))
{
PrintConsole(hConsole,
L"ContinueDebugEvent() returned error %lu\n",
dwError = GetLastError());
break;
}
} while (hProcess != NULL);
PrintConsole(hConsole, L"\n");
if (WaitForSingleObject(pi.hThread, INFINITE) == WAIT_FAILED)
PrintConsole(hConsole,
L"WaitForSingleObject() returned error %lu\n",
dwError = GetLastError());
if (!GetExitCodeThread(pi.hThread, &dwThread))
PrintConsole(hConsole,
L"GetExitCodeThread() returned error %lu\n",
dwError = GetLastError());
else
if (dwThread > 65535)
PrintConsole(hConsole,
L"Primary thread %lu of debuggee process %lu exited with code 0x%08lX\n",
pi.dwThreadId, pi.dwProcessId, dwThread);
else
PrintConsole(hConsole,
L"Primary thread %lu of debuggee process %lu exited with code %lu\n",
pi.dwThreadId, pi.dwProcessId, dwThread);
if (!GetThreadTimes(pi.hThread,
(LPFILETIME) uli,
(LPFILETIME) uli + 1,
(LPFILETIME) uli + 2,
(LPFILETIME) uli + 3))
PrintConsole(hConsole,
L"GetThreadTimes() returned error %lu\n",
dwError = GetLastError());
else
{
PrintConsole(hConsole,
L"Primary thread times:\n");
uli[1].QuadPart -= uli[0].QuadPart;
for (dwThread = 1; dwThread < 4; dwThread++)
PrintConsole(hConsole,
L"\t%ls = %10lu.%07lu s\n",
szTimes[dwThread],
#ifdef _M_IX86
SplitFileTime(uli[dwThread].LowPart, uli[dwThread].HighPart));
#else
(DWORD) (uli[dwThread].QuadPart / 10000000),
(DWORD) (uli[dwThread].QuadPart % 10000000));
#endif
}
if (!CloseHandle(pi.hThread))
PrintConsole(hConsole,
L"CloseHandle() returned error %lu\n",
dwError = GetLastError());
if (WaitForSingleObject(pi.hProcess, INFINITE) == WAIT_FAILED)
PrintConsole(hConsole,
L"WaitForSingleObject() returned error %lu\n",
dwError = GetLastError());
if (!GetExitCodeProcess(pi.hProcess, &dwProcess))
PrintConsole(hConsole,
L"GetExitCodeProcess() returned error %lu\n",
dwError = GetLastError());
else
if (dwProcess > 65535)
PrintConsole(hConsole,
L"Debuggee process %lu exited with code 0x%08lX\n",
pi.dwProcessId, dwProcess);
else
PrintConsole(hConsole,
L"Debuggee process %lu exited with code %lu\n",
pi.dwProcessId, dwProcess);
if (!GetProcessTimes(pi.hProcess,
(LPFILETIME) uli,
(LPFILETIME) uli + 1,
(LPFILETIME) uli + 2,
(LPFILETIME) uli + 3))
PrintConsole(hConsole,
L"GetProcessTimes() returned error %lu\n",
dwError = GetLastError());
else
{
PrintConsole(hConsole,
L"Debuggee process times:\n");
uli[1].QuadPart -= uli[0].QuadPart;
for (dwProcess = 1; dwProcess < 4; dwProcess++)
PrintConsole(hConsole,
L"\t%ls = %10lu.%07lu s\n",
szTimes[dwProcess],
#ifdef _M_IX86
SplitFileTime(uli[dwProcess].LowPart, uli[dwProcess].HighPart));
#else
(DWORD) (uli[dwProcess].QuadPart / 10000000),
(DWORD) (uli[dwProcess].QuadPart % 10000000));
#endif
}
if (!CloseHandle(pi.hProcess))
PrintConsole(hConsole,
L"CloseHandle() returned error %lu\n",
dwError = GetLastError());
}
}
if (LocalFree(lpArguments) != NULL)
PrintConsole(hConsole,
L"LocalFree() returned error %lu\n",
GetLastError());
}
if (!CloseHandle(hConsole))
PrintConsole(hConsole,
L"CloseHandle() returned error %lu\n",
GetLastError());
}
ExitProcess(dwError);
}
Run the following four command lines to compile the source file
DEBUGGER.C
created in step 1., link the compiled
object file DEBUGGER.OBJ
and clean up afterwards:
SET CL=/DDELAYLOADINFO /DSYMBOLS /GAFS /Gs69632 /Gy /O1isy /UVERBOSE /W4 /Zl
SET LINK=/DEFAULTLIB:KERNEL32.LIB /DEFAULTLIB:USER32.LIB /ENTRY:wmainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /OSVERSION:6.0 /RELEASE /STACK:1048576,65536 /SUBSYSTEM:CONSOLE /SWAPRUN:CD,NET /VERSION:0.815
CL.EXE /FeDEBUGGER.COM DEBUGGER.C
ERASE DEBUGGER.OBJ
For details and reference see the MSDN articles Compiler Options and Linker Options.
Note: if necessary, see the
MSDN article
Use the Microsoft C++ toolset from the command line
for an introduction.
Note: the command lines can be copied and pasted as a block into a Command Processor window!
Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.
DEBUGGER.C
delayimp.h(67) : warning C4201: nonstandard extension used : nameless struct/union
DEBUGGER.C(754) : warning C4100: 'hProcess' : unreferenced formal parameter
DEBUGGER.C(1122) : warning C4090: 'function' : different 'const' qualifiers
DEBUGGER.C(1290) : warning C4047: 'function' : 'DWORD64' differs in levels of indirection from 'LPVOID'
DEBUGGER.C(1290) : warning C4024: 'SymLoadModuleExW' : different types for formal and actual parameter 5
DEBUGGER.C(1316) : warning C4047: 'function' : 'DWORD64' differs in levels of indirection from 'LPVOID'
DEBUGGER.C(1316) : warning C4024: 'SymLoadModuleEx' : different types for formal and actual parameter 5
DEBUGGER.C(1386) : warning C4047: 'function' : 'DWORD64' differs in levels of indirection from 'LPVOID'
DEBUGGER.C(1386) : warning C4024: 'SymLoadModuleEx' : different types for formal and actual parameter 5
DEBUGGER.C(1464) : warning C4047: 'function' : 'DWORD64' differs in levels of indirection from 'LPTHREAD_START_ROUTINE'
DEBUGGER.C(1464) : warning C4024: 'NameLookup' : different types for formal and actual parameter 2
DEBUGGER.C(1497) : warning C4047: 'function' : 'DWORD64' differs in levels of indirection from 'LPTHREAD_START_ROUTINE'
DEBUGGER.C(1497) : warning C4024: 'NameLookup' : different types for formal and actual parameter 2
DEBUGGER.C(1592) : warning C4047: 'function' : 'DWORD64' differs in levels of indirection from 'LPVOID'
DEBUGGER.C(1592) : warning C4024: 'SymLoadModuleExW' : different types for formal and actual parameter 5
DEBUGGER.C(1618) : warning C4047: 'function' : 'DWORD64' differs in levels of indirection from 'LPVOID'
DEBUGGER.C(1618) : warning C4024: 'SymLoadModuleEx' : different types for formal and actual parameter 5
DEBUGGER.C(1686) : warning C4047: 'function' : 'DWORD64' differs in levels of indirection from 'LPVOID'
DEBUGGER.C(1686) : warning C4024: 'SymLoadModuleEx' : different types for formal and actual parameter 5
DEBUGGER.C(1757) : warning C4047: 'function' : 'DWORD64' differs in levels of indirection from 'LPVOID'
DEBUGGER.C(1757) : warning C4024: 'NameLookup' : different types for formal and actual parameter 2
DEBUGGER.C(1781) : warning C4047: 'function' : 'DWORD64' differs in levels of indirection from 'LPVOID'
DEBUGGER.C(1781) : warning C4024: 'NameLookup' : different types for formal and actual parameter 2
DEBUGGER.C(1784) : warning C4047: 'function' : 'DWORD64' differs in levels of indirection from 'LPVOID'
DEBUGGER.C(1784) : warning C4024: 'SymUnloadModule64' : different types for formal and actual parameter 2
DEBUGGER.C(1808) : warning C4047: 'function' : 'DWORD64' differs in levels of indirection from 'LPSTR'
DEBUGGER.C(1808) : warning C4024: 'NameLookup' : different types for formal and actual parameter 2
DEBUGGER.C(1920) : warning C4047: 'function' : 'DWORD64' differs in levels of indirection from 'PVOID'
DEBUGGER.C(1920) : warning C4024: 'NameLookup' : different types for formal and actual parameter 2
DEBUGGER.C(1962) : warning C4047: 'function' : 'DWORD64' differs in levels of indirection from 'PVOID'
DEBUGGER.C(1962) : warning C4024: 'NameLookup' : different types for formal and actual parameter 2
DEBUGGER.C(1499) : warning C4701: potentially uninitialized local variable 'hProcess' used
Microsoft (R) Incremental Linker Version 10.00.40219.386
Copyright (C) Microsoft Corporation. All rights reserved.
…
Create the text file DEBUGGER.TXT
with the following
content in an arbitrary, preferably empty directory:
4d 5a 90 00 01 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
d0 00 00 00 43 00 00 00 40 00 00 00 00 00 00 00 ....C...@.......
00 00 00 00 19 57 04 27 00 00 00 00 00 00 00 00 .....W.'........
00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 00 ................
28 43 29 6f 70 79 72 69 67 68 74 20 32 30 30 34 (C)opyright 2004
2d 32 30 32 33 2c 20 53 74 65 66 61 6e 20 4b 61 -2023, Stefan Ka
6e 74 68 61 6b 20 3c 73 74 65 66 61 6e 2e 6b 61 nthak <stefan.ka
6e 74 68 61 6b 40 6e 65 78 67 6f 2e 64 65 3e 0d nthak@nexgo.de>.
0a 07 24 0e 1f 33 d2 b4 09 cd 21 b8 01 4c cd 21 ..$..3....!..L.!
50 45 00 00 4c 01 02 00 56 4f 49 44 00 00 00 00 PE..L...VOID....
00 00 00 00 e0 00 23 0d 0b 01 0a 00 00 1a 00 00 ......#.........
00 2e 00 00 00 00 00 00 a7 18 00 00 00 10 00 00 ................
00 30 00 00 00 00 40 00 00 10 00 00 00 02 00 00 .0....@.........
06 00 00 00 00 00 2f 03 06 00 00 00 00 00 00 00 ....../.........
00 60 00 00 00 02 00 00 51 76 00 00 03 00 00 85 .`......Qv......
00 00 10 00 00 00 01 00 00 00 10 00 00 10 00 00 ................
00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ................
80 58 00 00 50 00 00 00 00 00 00 00 00 00 00 00 .X..P...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 18 58 00 00 40 00 00 00 .........X..@...
00 00 00 00 00 00 00 00 00 30 00 00 b4 00 00 00 .........0......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 2e 63 6f 64 65 00 00 00 .........code...
a7 19 00 00 00 10 00 00 00 1a 00 00 00 02 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 ............ ..`
2e 63 6f 6e 73 74 00 00 c0 2c 00 00 00 30 00 00 .const...,...0..
00 2e 00 00 00 1c 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 ....@..@........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
55 8b ec 53 56 8b 75 0c 8b 06 b9 8d 00 00 c0 57 U..SV.u........W
3b c1 0f 87 aa 03 00 00 0f 84 9a 03 00 00 b9 02 ;...............
00 00 80 3b c1 0f 87 60 01 00 00 0f 84 50 01 00 ...;...`.....P..
00 b9 1f 00 00 40 3b c1 0f 87 a7 00 00 00 0f 84 .....@;.........
97 00 00 00 b9 ef 06 00 00 3b c1 77 3f 0f 84 9b .........;.w?...
02 00 00 2d a6 06 00 00 0f 84 86 01 00 00 83 e8 ...-............
14 0f 84 73 01 00 00 83 e8 0c 0f 84 60 01 00 00 ...s........`...
83 e8 13 0f 84 89 01 00 00 83 e8 0b 0f 85 52 06 ..............R.
00 00 b8 e4 42 40 00 e9 69 06 00 00 2d f7 06 00 ....B@..i...-...
00 0f 84 4d 02 00 00 2d e7 f3 ed 0e 74 33 2d 27 ...M...-....t3-'
05 12 31 74 22 83 e8 10 74 13 83 e8 09 0f 85 21 ..1t"...t......!
06 00 00 b8 c0 42 40 00 e9 38 06 00 00 b8 90 42 .....B@..8.....B
40 00 e9 2e 06 00 00 b8 64 42 40 00 e9 24 06 00 @.......dB@..$..
00 b8 30 42 40 00 e9 1a 06 00 00 b8 0c 42 40 00 ..0B@........B@.
e9 10 06 00 00 b9 08 00 01 40 3b c1 77 4b 74 3f .........@;.wKt?
2d 03 00 01 40 74 2e 48 74 21 48 74 14 48 74 6d -...@t.Ht!Ht.Htm
48 0f 85 cd 05 00 00 b8 dc 41 40 00 e9 e4 05 00 H........A@.....
00 b8 cc 41 40 00 e9 da 05 00 00 b8 94 41 40 00 ...A@........A@.
e9 d0 05 00 00 b8 60 41 40 00 e9 c6 05 00 00 b8 ......`A@.......
48 41 40 00 e9 bc 05 00 00 3d 09 00 01 40 74 37 HA@......=...@t7
3d 0a 00 01 40 74 26 3d 88 13 6d 40 74 15 3d 01 =...@t&=..m@t.=.
00 00 80 0f 85 7b 05 00 00 b8 24 41 40 00 e9 92 .....{....$A@...
05 00 00 b8 fc 40 40 00 e9 88 05 00 00 b8 c8 40 .....@@........@
40 00 e9 7e 05 00 00 b8 a4 40 40 00 e9 74 05 00 @..~.....@@..t..
00 b8 80 40 40 00 e9 6a 05 00 00 b9 08 00 00 c0 ...@@..j........
3b c1 0f 87 6a 01 00 00 0f 84 5a 01 00 00 b9 d9 ;...j.....Z.....
06 07 80 3b c1 77 65 74 59 3d 03 00 00 80 74 48 ...;.wetY=....tH
3d 04 00 00 80 74 37 3d a6 06 07 80 74 26 3d ba =....t7=....t&=.
06 07 80 74 15 3d c6 06 07 80 0f 85 04 05 00 00 ...t.=..........
b8 4c 40 40 00 e9 1b 05 00 00 b8 1c 40 40 00 e9 .L@@........@@..
11 05 00 00 b8 e4 3f 40 00 e9 07 05 00 00 b8 cc ......?@........
3f 40 00 e9 fd 04 00 00 b8 b4 3f 40 00 e9 f3 04 ?@........?@....
00 00 b8 7c 3f 40 00 e9 e9 04 00 00 3d e4 06 07 ...|?@......=...
80 0f 84 6b fe ff ff 3d ef 06 07 80 0f 84 cc 00 ...k...=........
00 00 3d f7 06 07 80 0f 84 b7 00 00 00 3d 05 00 ..=..........=..
00 c0 74 5b 3d 06 00 00 c0 0f 85 95 04 00 00 8b ..t[=...........
46 14 83 e8 00 74 1d 48 74 13 83 e8 07 74 07 b8 F....t.Ht....t..
48 32 40 00 eb 13 b8 34 32 40 00 eb 0c b8 24 32 H2@....42@....$2
40 00 eb 05 b8 14 32 40 00 ff 76 1c ff 76 18 50 @.....2@..v..v.P
68 38 3f 40 00 ff 75 08 ff 15 6c 30 40 00 83 c4 h8?@..u...l0@...
14 85 c0 7f 4d b8 18 3f 40 00 e9 66 04 00 00 8b ....M..?@..f....
46 14 83 e8 00 74 1d 48 74 13 83 e8 07 74 07 b8 F....t.Ht....t..
48 32 40 00 eb 13 b8 34 32 40 00 eb 0c b8 24 32 H2@....42@....$2
40 00 eb 05 b8 14 32 40 00 ff 76 18 50 68 e4 3e @.....2@..v.Ph.>
40 00 ff 75 08 ff 15 6c 30 40 00 83 c4 10 85 c0 @..u...l0@......
7e 08 8b 45 08 e9 1b 04 00 00 b8 c0 3e 40 00 e9 ~..E........>@..
11 04 00 00 b8 88 3e 40 00 e9 07 04 00 00 b8 58 ......>@.......X
3e 40 00 e9 fd 03 00 00 b8 38 3e 40 00 e9 f3 03 >@.......8>@....
00 00 b9 26 00 00 c0 3b c1 77 65 74 59 3d 0d 00 ...&...;.wetY=..
00 c0 74 48 3d 17 00 00 c0 74 37 3d 1d 00 00 c0 ..tH=....t7=....
74 26 3d 22 00 00 c0 74 15 3d 25 00 00 c0 0f 85 t&="...t.=%.....
a0 03 00 00 b8 18 3e 40 00 e9 b7 03 00 00 b8 fc ......>@........
3d 40 00 e9 ad 03 00 00 b8 d4 3d 40 00 e9 a3 03 =@........=@....
00 00 b8 88 3d 40 00 e9 99 03 00 00 b8 64 3d 40 ....=@.......d=@
00 e9 8f 03 00 00 b8 3c 3d 40 00 e9 85 03 00 00 .......<=@......
3d 34 00 00 c0 74 37 3d 3a 00 00 c0 74 26 3d 7a =4...t7=:...t&=z
00 00 c0 74 15 3d 8c 00 00 c0 0f 85 44 03 00 00 ...t.=......D...
b8 10 3d 40 00 e9 5b 03 00 00 b8 e8 3c 40 00 e9 ..=@..[.....<@..
51 03 00 00 b8 bc 3c 40 00 e9 47 03 00 00 b8 90 Q.....<@..G.....
3c 40 00 e9 3d 03 00 00 b8 50 3c 40 00 e9 33 03 <@..=....P<@..3.
00 00 b9 aa 00 00 c0 3b c1 77 7b 74 6f 05 72 ff .......;.w{to.r.
ff 3f 83 f8 08 0f 87 f9 02 00 00 ff 24 85 fc 16 .?..........$...
40 00 b8 10 3c 40 00 e9 09 03 00 00 b8 d4 3b 40 @...<@........;@
00 e9 ff 02 00 00 b8 90 3b 40 00 e9 f5 02 00 00 ........;@......
b8 5c 3b 40 00 e9 eb 02 00 00 b8 24 3b 40 00 e9 .\;@.......$;@..
e1 02 00 00 b8 f0 3a 40 00 e9 d7 02 00 00 b8 c0 ......:@........
3a 40 00 e9 cd 02 00 00 b8 9c 3a 40 00 e9 c3 02 :@........:@....
00 00 b8 6c 3a 40 00 e9 b9 02 00 00 b8 38 3a 40 ...l:@.......8:@
00 e9 af 02 00 00 b9 09 04 00 c0 3b c1 0f 87 4d ...........;...M
01 00 00 0f 84 3d 01 00 00 b9 94 01 00 c0 3b c1 .....=........;.
0f 87 9c 00 00 00 0f 84 8c 00 00 00 83 c1 a6 3b ...............;
c1 77 4e 0f 84 98 fc ff ff 3d fd 00 00 c0 74 37 .wN......=....t7
3d 35 01 00 c0 74 26 3d 38 01 00 c0 74 15 3d 39 =5...t&=8...t.=9
01 00 c0 0f 85 3b 02 00 00 b8 0c 3a 40 00 e9 52 .....;.....:@..R
02 00 00 b8 e8 39 40 00 e9 48 02 00 00 b8 cc 39 .....9@..H.....9
40 00 e9 3e 02 00 00 b8 ac 39 40 00 e9 34 02 00 @..>.....9@..4..
00 3d 42 01 00 c0 74 26 3d 44 01 00 c0 74 15 3d .=B...t&=D...t.=
4a 01 00 c0 0f 85 fa 01 00 00 b8 74 39 40 00 e9 J..........t9@..
11 02 00 00 b8 4c 39 40 00 e9 07 02 00 00 b8 18 .....L9@........
39 40 00 e9 fd 01 00 00 b8 f4 38 40 00 e9 f3 01 9@........8@....
00 00 b9 c9 02 00 c0 3b c1 77 54 74 48 3d 35 02 .......;.wTtH=5.
00 c0 74 37 3d b4 02 00 c0 74 26 3d b5 02 00 c0 ..t7=....t&=....
74 15 3d c5 02 00 c0 0f 85 a7 01 00 00 b8 d4 38 t.=............8
40 00 e9 be 01 00 00 b8 98 38 40 00 e9 b4 01 00 @........8@.....
00 b8 58 38 40 00 e9 aa 01 00 00 b8 28 38 40 00 ..X8@.......(8@.
e9 a0 01 00 00 b8 e8 37 40 00 e9 96 01 00 00 3d .......7@......=
59 03 00 c0 74 26 3d 5a 03 00 c0 74 15 3d 74 03 Y...t&=Z...t.=t.
00 c0 0f 85 5c 01 00 00 b8 c8 37 40 00 e9 73 01 ....\.....7@..s.
00 00 b8 88 37 40 00 e9 69 01 00 00 b8 48 37 40 ....7@..i....H7@
00 e9 5f 01 00 00 b8 f0 36 40 00 e9 55 01 00 00 .._.....6@..U...
b9 7f 00 6d c0 3b c1 0f 87 f6 00 00 00 8b 5d 08 ...m.;........].
8b 3d 6c 30 40 00 0f 84 a9 00 00 00 b9 02 06 00 .=l0@...........
c0 3b c1 77 54 74 48 3d 17 04 00 c0 74 37 3d 1d .;.wTtH=....t7=.
04 00 c0 74 26 3d 20 04 00 c0 74 15 3d 21 04 00 ...t&= ...t.=!..
c0 0f 85 ed 00 00 00 b8 b8 36 40 00 e9 04 01 00 .........6@.....
00 b8 94 36 40 00 e9 fa 00 00 00 b8 40 36 40 00 ...6@.......@6@.
e9 f0 00 00 00 b8 f0 35 40 00 e9 e6 00 00 00 b8 .......5@.......
c4 35 40 00 e9 dc 00 00 00 3d 02 08 00 c0 74 3b .5@......=....t;
3d 57 00 6d c0 74 2a 3d 7e 00 6d c0 0f 85 a2 00 =W.m.t*=~.m.....
00 00 8b 46 14 ff 70 20 ff 70 0c 68 58 35 40 00 ...F..p .p.hX5@.
53 ff d7 83 c4 10 85 c0 7e 1b 8b c3 e9 a4 00 00 S.......~.......
00 b8 00 35 40 00 e9 9a 00 00 00 b8 d4 34 40 00 ...5@........4@.
e9 90 00 00 00 8b 46 14 83 78 10 00 ff 70 20 ff ......F..x...p .
70 0c ff 70 14 74 16 68 50 34 40 00 53 ff d7 83 p..p.t.hP4@.S...
c4 14 85 c0 7f c4 b8 00 34 40 00 eb 68 68 78 33 ........4@..hhx3
40 00 53 ff d7 83 c4 14 85 c0 7f ae b8 20 33 40 @.S.......... 3@
00 eb 52 3d ff ff ff cf 74 46 3d 52 43 43 e0 74 ..R=....tF=RCC.t
38 3d 4d 4f 43 e0 74 31 3d 4f 53 53 e0 74 2a 3d 8=MOC.t1=OSS.t*=
52 45 56 e0 74 1c 3d 4e 4d 58 e0 74 1c 3d 63 73 REV.t.=NMX.t.=cs
6d e0 74 07 b8 fc 32 40 00 eb 1a b8 e0 32 40 00 m.t...2@.....2@.
eb 13 b8 a8 32 40 00 eb 0c b8 80 32 40 00 eb 05 ....2@.....2@...
b8 5c 32 40 00 5f 5e 5b 5d c2 08 00 e2 13 40 00 .\2@._^[].....@.
ec 13 40 00 f6 13 40 00 00 14 40 00 0a 14 40 00 ..@...@...@...@.
14 14 40 00 1e 14 40 00 28 14 40 00 32 14 40 00 ..@...@.(.@.2.@.
55 8b ec 51 51 53 8b 5d 18 56 57 8b 7d 10 53 8d U..QQS.].VW.}.S.
45 f8 50 57 ff 75 0c ff 75 08 ff 15 a8 30 40 00 E.PW.u..u....0@.
85 c0 75 78 8b 75 14 56 57 ff 75 0c ff 75 08 ff ..ux.u.VW.u..u..
15 ac 30 40 00 85 c0 75 0a b8 30 43 40 00 e9 ef ..0@...u..0C@...
00 00 00 33 c0 66 89 86 a4 00 00 00 8d 46 24 8d ...3.f.......F$.
50 02 66 8b 08 83 c0 02 66 85 c9 75 f5 2b c2 d1 P.f.....f..u.+..
f8 74 d6 6a 09 59 66 89 4e 22 8b 4d 0c 2b 4e 08 .t.j.Yf.N".M.+N.
1b 7e 0c 8b d1 0b d7 89 4d f8 89 7d fc 74 15 57 .~......M..}.t.W
51 8d 44 46 24 68 1c 43 40 00 50 ff 15 6c 30 40 Q.DF$h.C@.P..l0@
00 83 c4 10 8d 46 22 e9 96 00 00 00 8b 45 f8 0b .....F"......E..
45 fc 8b 43 4c 75 09 33 c9 66 89 4c 43 54 eb 19 E..CLu.3.f.LCT..
ff 75 fc 8d 44 43 54 ff 75 f8 68 1c 43 40 00 50 .u..DCT.u.h.C@.P
ff 15 6c 30 40 00 83 c4 10 8b 75 14 56 57 ff 75 ..l0@.....u.VW.u
0c ff 75 08 ff 15 ac 30 40 00 85 c0 75 05 8d 43 ..u....0@...u..C
52 eb 49 33 c0 66 89 86 a4 00 00 00 8b 45 f8 23 R.I3.f.......E.#
45 fc 83 f8 ff 75 05 8d 46 22 eb 30 83 c6 24 8b E....u..F".0..$.
c6 8d 50 02 66 8b 08 83 c0 02 66 85 c9 75 f5 2b ..P.f.....f..u.+
c2 6a 29 d1 f8 59 2b c8 8d 14 4b 8b c8 6a 21 8b .j)..Y+...K..j!.
fa 58 66 f3 a5 66 89 43 52 8d 42 fe 6a 09 59 66 .Xf..f.CR.B.j.Yf
89 08 5f 5e 5b c9 c2 14 00 55 8b ec 81 ec 08 08 .._^[....U......
00 00 56 8d 45 10 50 ff 75 0c 8d 85 f8 f7 ff ff ..V.E.P.u.......
50 ff 15 68 30 40 00 8b f0 85 f6 75 04 33 c0 eb P..h0@.....u.3..
23 6a 00 8d 45 fc 50 56 8d 85 f8 f7 ff ff 50 ff #j..E.PV......P.
75 08 ff 15 3c 30 40 00 85 c0 74 e1 33 c0 39 75 u...<0@...t.3.9u
fc 0f 94 c0 5e c9 c3 55 8d 6c 24 88 81 ec 78 2b ....^..U.l$...x+
00 00 53 56 57 c7 45 54 04 01 00 00 c7 45 74 a0 ..SVW.ET.....Et.
00 00 00 ff 15 74 30 40 00 6a f4 89 45 64 ff 15 .....t0@.j..Ed..
10 30 40 00 8b d8 89 5d 5c 83 fb ff 75 0e ff 15 .0@....]\...u...
14 30 40 00 89 45 74 e9 f5 0e 00 00 8d 45 50 50 .0@..Et......EPP
ff 15 18 30 40 00 50 e8 13 0f 00 00 8b 3d 14 30 ...0@.P......=.0
40 00 89 45 4c 85 c0 75 15 ff d7 50 89 45 74 68 @..EL..u...P.Eth
e8 57 40 00 be b4 57 40 00 e9 9c 0e 00 00 8b 45 .W@...W@.......E
50 be b4 57 40 00 83 f8 02 0f 82 69 0e 00 00 8b P..W@......i....
4d 4c 8b 49 04 66 83 39 00 0f 84 59 0e 00 00 83 ML.I.f.9...Y....
f8 03 0f 87 50 0e 00 00 8b 4d 4c 6a 04 5a 2b d0 ....P....MLj.Z+.
ff 34 91 ff 74 81 fc 68 50 57 40 00 53 e8 f7 fe .4..t..hPW@.S...
ff ff 83 c4 10 83 7d 50 03 75 38 8d 45 48 50 8b ......}P.u8.EHP.
45 4c ff 70 04 ff 15 1c 30 40 00 85 c0 75 0b ff EL.p....0@...u..
d7 50 68 34 57 40 00 56 eb 10 8b 45 48 ff 34 85 .Ph4W@.V...EH.4.
a0 31 40 00 50 68 f8 56 40 00 53 e8 b9 fe ff ff .1@.Ph.V@.S.....
83 c4 10 8b 45 64 0f b7 48 06 51 0f b7 48 04 51 ....Ed..H.Q..H.Q
0f b7 48 02 0f b7 00 51 50 68 70 56 40 00 53 e8 ..H....QPhpV@.S.
95 fe ff ff 83 c4 18 ff 15 78 30 40 00 0d 00 20 .........x0@...
00 80 50 ff 15 7c 30 40 00 8b 4d 50 8d 45 38 50 ..P..|0@..MP.E8P
68 d0 31 40 00 33 c0 50 50 68 32 04 00 04 50 50 h.1@.3.PPh2...PP
50 8b 45 4c ff 74 88 fc 6a 04 5a 2b d1 ff 34 90 P.EL.t..j.Z+..4.
ff 15 20 30 40 00 85 c0 75 1a ff d7 50 68 54 56 .. 0@...u...PhTV
40 00 56 53 89 45 74 e8 3d fe ff ff 83 c4 10 e9 @.VS.Et.=.......
81 0d 00 00 83 65 74 00 8d 45 54 50 8d 85 a8 fc .....et..ETP....
ff ff 50 6a 00 ff 75 38 ff 15 24 30 40 00 85 c0 ..Pj..u8..$0@...
75 17 ff d7 50 68 20 56 40 00 56 53 89 45 74 e8 u...Ph V@.VS.Et.
05 fe ff ff 83 c4 10 eb 15 8d 85 a8 fc ff ff 50 ...............P
68 c0 55 40 00 53 e8 ee fd ff ff 83 c4 0c ff 75 h.U@.S.........u
40 ff 15 28 30 40 00 85 c0 75 0e ff d7 50 68 9c @..(0@...u...Ph.
55 40 00 89 45 74 56 eb 0d 0f b7 c8 51 c1 e8 10 U@..EtV.....Q...
50 68 50 55 40 00 53 e8 bd fd ff ff 83 c4 10 ff PhPU@.S.........
75 44 ff 75 40 68 e0 54 40 00 53 e8 a9 fd ff ff uD.u@h.T@.S.....
83 c4 10 6a 00 ff 15 2c 30 40 00 85 c0 75 15 ff ...j...,0@...u..
d7 50 68 a8 54 40 00 56 53 89 45 74 e8 88 fd ff .Ph.T@.VS.Et....
ff 83 c4 10 c7 85 24 ed ff ff b8 0c 00 00 c7 85 ......$.........
00 d5 ff ff 58 00 00 00 c7 85 50 d5 ff ff d0 07 ....X.....P.....
00 00 c7 85 dc f9 ff ff 01 00 01 00 6a ff 8d 45 ............j..E
d8 50 ff 15 30 30 40 00 85 c0 0f 84 17 0a 00 00 .P..00@.........
8b 4d d8 8d 41 ff 83 f8 08 0f 87 c2 09 00 00 ff .M..A...........
24 85 eb 27 40 00 ff 75 e0 ff 75 dc 68 48 54 40 $..'@..u..u.hHT@
00 53 e8 22 fd ff ff 8b 45 e8 83 c4 10 89 45 6c .S."....E.....El
85 c0 0f 84 04 02 00 00 6a 00 6a 00 50 ff 15 80 ........j.j.P...
30 40 00 85 c0 75 19 ff d7 50 89 45 74 68 28 54 0@...u...P.Eth(T
40 00 3d ff ff 00 00 76 2b 68 ec 53 40 00 eb 25 @.=....v+h.S@..%
68 01 04 00 00 8d 85 20 e5 ff ff 50 ff 75 e8 ff h...... ...P.u..
15 84 30 40 00 85 c0 75 17 ff d7 50 89 45 74 68 ..0@...u...P.Eth
c8 53 40 00 56 53 e8 be fc ff ff 83 c4 10 eb 15 .S@.VS..........
8d 85 20 e5 ff ff 50 68 94 53 40 00 53 e8 a7 fc .. ...Ph.S@.S...
ff ff 83 c4 0c 83 7d 04 00 0f 84 09 01 00 00 6a ......}........j
00 6a 04 8d 45 58 50 ff 75 04 ff 75 e8 ff 15 34 .j..EXP.u..u...4
30 40 00 85 c0 75 0d ff d7 50 68 70 53 40 00 e9 0@...u...PhpS@..
5b 01 00 00 83 7d 58 00 0f 84 da 00 00 00 6a 00 [....}X.......j.
68 08 02 00 00 8d 85 a8 fc ff ff 50 ff 75 58 ff h..........P.uX.
75 e8 ff 15 34 30 40 00 85 c0 75 17 ff d7 89 45 u...40@...u....E
74 3d 2b 01 00 00 74 0b 50 68 70 53 40 00 e9 1f t=+...t.PhpS@...
01 00 00 66 83 7d 08 00 8d 85 a8 fc ff ff 50 74 ...f.}........Pt
4f 68 3c 53 40 00 53 e8 1d fc ff ff 8b 45 f0 83 Oh<S@.S......E..
c4 0c 33 c9 51 51 51 99 52 50 51 8d 85 a8 fc ff ..3.QQQ.RPQ.....
ff 50 ff 75 e4 ff 75 e8 ff 15 88 30 40 00 8b c8 .P.u..u....0@...
0b ca 0f 85 b9 00 00 00 ff d7 89 45 74 85 c0 0f ...........Et...
84 d7 00 00 00 50 68 18 53 40 00 e9 c2 00 00 00 .....Ph.S@......
68 e4 52 40 00 53 e8 ce fb ff ff 8b 45 f0 83 c4 h.R@.S......E...
0c 33 c9 51 51 51 99 52 50 51 8d 85 a8 fc ff ff .3.QQQ.RPQ......
50 ff 75 e4 ff 75 e8 ff 15 8c 30 40 00 8b c8 0b P.u..u....0@....
ca 75 6e ff d7 89 45 74 85 c0 0f 84 8c 00 00 00 .un...Et........
50 68 c4 52 40 00 eb 7a 6a 00 68 04 01 00 00 8d Ph.R@..zj.h.....
85 a8 fc ff ff 50 ff 75 e4 ff 15 38 30 40 00 89 .....P.u...80@..
45 54 85 c0 75 17 ff d7 50 68 90 52 40 00 56 53 ET..u...Ph.R@.VS
89 45 74 e8 61 fb ff ff 83 c4 10 eb 15 8d 85 b0 .Et.a...........
fc ff ff 50 68 3c 53 40 00 53 e8 4a fb ff ff 83 ...Ph<S@.S.J....
c4 0c 8b 45 f0 33 c9 51 51 51 99 52 50 51 51 eb ...E.3.QQQ.RPQQ.
80 8d 8d 24 ed ff ff 51 52 50 ff 75 e8 ff 15 ac ...$...QRP.u....
30 40 00 85 c0 75 15 ff d7 50 68 68 52 40 00 89 0@...u...PhhR@..
45 74 56 53 e8 10 fb ff ff 83 c4 10 ff 75 fc 8d EtVS.........u..
85 00 d5 ff ff 50 8d 85 24 ed ff ff 50 6a 00 ff .....P..$...Pj..
75 00 ff 75 e8 e8 b6 f9 ff ff 50 ff 75 00 ff 75 u..u......P.u..u
f0 68 c8 51 40 00 53 e8 dd fa ff ff 83 c4 18 83 .h.Q@.S.........
7d e4 ff 0f 84 6d 07 00 00 ff 75 e4 ff 15 60 30 }....m....u...`0
40 00 85 c0 0f 85 5c 07 00 00 ff d7 50 68 b0 51 @.....\.....Ph.Q
40 00 56 53 89 45 74 e8 ad fa ff ff 83 c4 10 e9 @.VS.Et.........
42 07 00 00 ff 75 e8 8d 85 00 d5 ff ff 50 8d 85 B....u.......P..
24 ed ff ff 50 6a 00 ff 75 ec ff 75 6c e8 4e f9 $...Pj..u..ul.N.
ff ff 50 ff 75 ec ff 75 dc ff 75 e0 68 08 51 40 ..P.u..u..u.h.Q@
00 53 e8 72 fa ff ff 83 c4 1c e9 07 07 00 00 ff .S.r............
75 e4 ff 75 e0 ff 75 dc 68 90 50 40 00 53 e8 56 u..u..u.h.P@.S.V
fa ff ff 83 c4 14 ff 75 6c ff 15 90 30 40 00 85 .......ul...0@..
c0 75 15 ff d7 50 68 78 50 40 00 56 53 89 45 74 .u...PhxP@.VS.Et
e8 34 fa ff ff 83 c4 10 83 65 6c 00 e9 c5 06 00 .4.......el.....
00 ff 75 e4 ff 75 dc ff 75 e0 68 00 50 40 00 e9 ..u..u..u.h.P@..
a9 06 00 00 ff 75 e0 ff 75 dc 68 a8 4f 40 00 53 .....u..u.h.O@.S
e8 04 fa ff ff 83 c4 10 ff 75 6c ff 15 94 30 40 .........ul...0@
00 85 c0 75 23 ff d7 50 89 45 74 68 78 4f 40 00 ...u#..P.EthxO@.
3d ff ff 00 00 76 07 68 ec 53 40 00 eb 01 56 53 =....v.h.S@...VS
e8 d4 f9 ff ff 83 c4 10 83 7d f4 00 0f 84 09 01 .........}......
00 00 6a 00 6a 04 8d 45 58 50 ff 75 f4 ff 75 6c ..j.j..EXP.u..ul
ff 15 34 30 40 00 85 c0 75 0d ff d7 50 68 70 53 ..40@...u...PhpS
40 00 e9 5b 01 00 00 83 7d 58 00 0f 84 da 00 00 @..[....}X......
00 6a 00 68 08 02 00 00 8d 85 a8 fc ff ff 50 ff .j.h..........P.
75 58 ff 75 6c ff 15 34 30 40 00 85 c0 75 17 ff uX.ul..40@...u..
d7 89 45 74 3d 2b 01 00 00 74 0b 50 68 70 53 40 ..Et=+...t.PhpS@
00 e9 1f 01 00 00 66 83 7d f8 00 8d 85 a8 fc ff ......f.}.......
ff 50 74 4f 68 48 4f 40 00 53 e8 4a f9 ff ff 8b .PtOhHO@.S.J....
45 e8 83 c4 0c 33 c9 51 51 51 99 52 50 51 8d 85 E....3.QQQ.RPQ..
a8 fc ff ff 50 ff 75 e4 ff 75 6c ff 15 88 30 40 ....P.u..ul...0@
00 8b c8 0b ca 0f 85 b9 00 00 00 ff d7 89 45 74 ..............Et
85 c0 0f 84 d7 00 00 00 50 68 18 53 40 00 e9 c2 ........Ph.S@...
00 00 00 68 18 4f 40 00 53 e8 fb f8 ff ff 8b 45 ...h.O@.S......E
e8 83 c4 0c 33 c9 51 51 51 99 52 50 51 8d 85 a8 ....3.QQQ.RPQ...
fc ff ff 50 ff 75 e4 ff 75 6c ff 15 8c 30 40 00 ...P.u..ul...0@.
8b c8 0b ca 75 6e ff d7 89 45 74 85 c0 0f 84 8c ....un...Et.....
00 00 00 50 68 c4 52 40 00 eb 7a 6a 00 68 04 01 ...Ph.R@..zj.h..
00 00 8d 85 a8 fc ff ff 50 ff 75 e4 ff 15 38 30 ........P.u...80
40 00 89 45 54 85 c0 75 17 ff d7 50 68 90 52 40 @..ET..u...Ph.R@
00 56 53 89 45 74 e8 8e f8 ff ff 83 c4 10 eb 15 .VS.Et..........
8d 85 b0 fc ff ff 50 68 48 4f 40 00 53 e8 77 f8 ......PhHO@.S.w.
ff ff 83 c4 0c 8b 45 e8 33 c9 51 51 51 99 52 50 ......E.3.QQQ.RP
51 51 eb 80 8d 8d 24 ed ff ff 51 52 50 ff 75 6c QQ....$...QRP.ul
ff 15 ac 30 40 00 85 c0 75 15 ff d7 50 68 68 52 ...0@...u...PhhR
40 00 89 45 74 56 53 e8 3d f8 ff ff 83 c4 10 8d @..EtVS.=.......
85 00 d5 ff ff 50 8d 85 24 ed ff ff 50 8b 45 e8 .....P..$...P.E.
99 52 50 ff 75 6c e8 e5 f6 ff ff 50 ff 75 e8 68 .RP.ul.....P.u.h
e0 4e 40 00 53 e8 0f f8 ff ff 83 c4 10 e9 2d fd .N@.S.........-.
ff ff 8d 85 00 d5 ff ff 50 8d 85 24 ed ff ff 50 ........P..$...P
8b 45 e4 99 52 50 ff 75 6c e8 b2 f6 ff ff 50 ff .E..RP.ul.....P.
75 e4 ff 75 e0 ff 75 dc 68 50 4e 40 00 53 e8 d6 u..u..u.hPN@.S..
f7 ff ff 8b 45 e4 83 c4 18 99 52 50 ff 75 6c ff ....E.....RP.ul.
15 98 30 40 00 85 c0 0f 85 59 04 00 00 ff d7 50 ..0@.....Y.....P
68 28 4e 40 00 e9 f8 fc ff ff 8d 85 00 d5 ff ff h(N@............
50 8d 85 24 ed ff ff 50 8b 45 e4 99 52 50 ff 75 P..$...P.E..RP.u
6c e8 5a f6 ff ff 50 ff 75 e4 0f b7 45 ea 48 50 l.Z...P.u...E.HP
ff 75 dc ff 75 e0 68 60 4d 40 00 53 e8 78 f7 ff .u..u.h`M@.S.x..
ff 0f b7 45 ea 83 c4 1c 50 6a 40 89 45 64 ff 15 ...E....Pj@.Ed..
04 30 40 00 89 45 70 85 c0 75 0d ff d7 50 68 48 .0@..Ep..u...PhH
4d 40 00 e9 9a fc ff ff 6a 00 ff 75 64 ff 75 70 M@......j..ud.up
ff 75 e4 ff 75 6c ff 15 34 30 40 00 85 c0 75 17 .u..ul..40@...u.
ff d7 50 68 70 53 40 00 56 53 89 45 74 e8 27 f7 ..PhpS@.VS.Et.'.
ff ff 83 c4 10 eb 5b 8b 45 70 8d 50 01 8a 08 40 ......[.Ep.P...@
84 c9 75 f9 2b c2 8b c8 48 85 c9 74 2e 8b 4d 70 ..u.+...H..t..Mp
8a 0c 01 80 f9 20 74 ee 80 f9 07 74 e9 80 f9 08 ..... t....t....
74 e4 80 f9 0c 74 df 80 f9 0a 74 da 80 f9 0d 74 t....t....t....t
d5 80 f9 09 74 d0 80 f9 0b 74 cb 8b 4d 70 51 68 ....t....t..MpQh
18 4d 40 00 53 c6 44 01 01 00 e8 ca f6 ff ff 83 .M@.S.D.........
c4 0c ff 75 70 ff 15 08 30 40 00 85 c0 0f 84 53 ...up...0@.....S
03 00 00 ff d7 50 68 04 4d 40 00 e9 f2 fb ff ff .....Ph.M@......
ff 75 e8 ff 75 e4 ff 75 dc ff 75 e0 68 88 4c 40 .u..u..u..u.h.L@
00 53 e8 92 f6 ff ff 83 c4 18 e9 27 03 00 00 83 .S.........'....
7d e8 00 c7 45 70 7c 4c 40 00 75 07 c7 45 70 30 }...Ep|L@.u..Ep0
43 40 00 83 7d 34 00 c7 45 64 70 4c 40 00 75 07 C@..}4..EdpL@.u.
c7 45 64 64 4c 40 00 8d 85 00 d5 ff ff 50 8d 85 .EddL@.......P..
24 ed ff ff 50 8b 45 f0 99 52 50 ff 75 6c e8 0d $...P.E..RP.ul..
f5 ff ff 50 ff 75 f0 8d 45 e4 ff 75 70 ff 75 e8 ...P.u..E..up.u.
ff 75 e4 50 8d 85 20 e5 ff ff 50 e8 d0 ed ff ff .u.P.. ...P.....
50 ff 75 dc ff 75 e0 ff 75 64 68 f8 4a 40 00 53 P.u..u..udh.J@.S
e8 14 f6 ff ff 83 c4 2c 83 7d 34 00 0f 84 a4 02 .......,.}4.....
00 00 83 7d f4 00 76 63 6a 0a 58 3b 45 f4 1b c0 ...}..vcj.X;E...
83 e0 e0 83 c0 20 50 ff 75 f4 68 c4 4a 40 00 53 ..... P.u.h.J@.S
e8 e4 f5 ff ff 83 65 70 00 83 c4 10 83 7d f4 00 ......ep.....}..
76 2c 83 7d 70 00 b8 b4 4a 40 00 74 05 b8 a4 4a v,.}p...J@.t...J
40 00 8b 4d 70 ff 74 8d f8 50 53 e8 b9 f5 ff ff @..Mp.t..PS.....
83 c4 0c ff 45 70 8b 45 70 3b 45 f4 72 d4 68 a0 ....Ep.Ep;E.r.h.
4a 40 00 53 e8 a0 f5 ff ff 59 59 8b 5d ec e9 ca J@.S.....YY.]...
00 00 00 83 7b 04 00 c7 45 64 7c 4c 40 00 75 07 ....{...Ed|L@.u.
c7 45 64 30 43 40 00 8d 85 00 d5 ff ff 50 8d 85 .Ed0C@.......P..
24 ed ff ff 50 8b 43 0c 99 52 50 ff 75 6c e8 2d $...P.C..RP.ul.-
f4 ff ff 50 ff 73 0c 8d 85 20 e5 ff ff ff 75 64 ...P.s... ....ud
ff 73 04 ff 33 53 50 e8 f4 ec ff ff 50 68 68 49 .s..3SP.....PhhI
40 00 ff 75 5c e8 3f f5 ff ff 8b 43 10 83 c4 20 @..u\.?....C...
85 c0 74 66 6a 0a 59 3b c8 1b c9 83 e1 e0 83 c1 ..tfj.Y;........
20 51 50 68 34 49 40 00 ff 75 5c e8 19 f5 ff ff QPh4I@..u\.....
83 65 70 00 83 c4 10 83 7b 10 00 76 2e 83 7d 70 .ep.....{..v..}p
00 b8 b4 4a 40 00 74 05 b8 a4 4a 40 00 8b 4d 70 ...J@.t...J@..Mp
ff 74 8b 14 50 ff 75 5c e8 ec f4 ff ff 83 c4 0c .t..P.u\........
ff 45 70 8b 45 70 3b 43 10 72 d2 68 a0 4a 40 00 .Ep.Ep;C.r.h.J@.
ff 75 5c e8 d1 f4 ff ff 59 59 8b 5b 08 85 db 0f .u\.....YY.[....
85 2e ff ff ff ff 75 e0 53 6a 08 ff 15 54 30 40 ......u.Sj...T0@
00 89 45 70 85 c0 75 0d ff d7 50 68 1c 49 40 00 ..Ep..u...Ph.I@.
e9 23 01 00 00 8d 8d dc f9 ff ff 51 50 ff 15 5c .#.........QP..\
30 40 00 85 c0 75 1c ff d7 50 68 f8 48 40 00 56 0@...u...Ph.H@.V
ff 75 5c 89 45 74 e8 7e f4 ff ff 83 c4 10 e9 e0 .u\.Et.~........
00 00 00 8b 85 94 fa ff ff 8b 8d 90 fa ff ff 6a ...............j
03 89 85 b0 fe ff ff 58 33 db 89 8d d0 fe ff ff .......X3.......
8b 8d a0 fa ff ff 68 dc 48 40 00 ff 75 5c 89 9d ......h.H@..u\..
b4 fe ff ff 89 85 bc fe ff ff 89 85 cc fe ff ff ................
89 9d d4 fe ff ff 89 85 dc fe ff ff 89 8d e0 fe ................
ff ff 89 9d e4 fe ff ff 89 85 ec fe ff ff e8 16 ................
f4 ff ff 59 59 53 ff 35 9c 30 40 00 ff 35 a0 30 ...YYS.5.0@..5.0
40 00 53 8b 1d a4 30 40 00 eb 49 8d 85 00 d5 ff @.S...0@..I.....
ff 50 8d 85 24 ed ff ff 50 ff b5 b4 fe ff ff ff .P..$...P.......
b5 b0 fe ff ff ff 75 6c e8 a3 f2 ff ff 50 ff b5 ......ul.....P..
b0 fe ff ff 68 a8 48 40 00 ff 75 5c e8 c8 f3 ff ....h.H@..u\....
ff 83 c4 10 6a 00 ff 35 9c 30 40 00 ff 35 a0 30 ....j..5.0@..5.0
40 00 6a 00 8d 85 dc f9 ff ff 50 8d 85 b0 fe ff @.j.......P.....
ff 50 ff 75 70 ff 75 6c 68 4c 01 00 00 ff d3 85 .P.up.ulhL......
c0 75 98 ff 75 70 ff 15 60 30 40 00 85 c0 75 26 .u..up..`0@...u&
ff d7 50 68 b0 51 40 00 56 ff 75 5c e9 c3 f8 ff ..Ph.Q@.V.u\....
ff ff 75 dc ff 75 e0 51 68 38 48 40 00 53 e8 66 ..u..u.Qh8H@.S.f
f3 ff ff 83 c4 14 8b 45 d8 48 f7 d8 1b c0 25 01 .......E.H....%.
00 00 80 05 01 00 01 80 50 ff 75 e0 ff 75 dc ff ........P.u..u..
15 58 30 40 00 85 c0 74 18 83 7d 6c 00 8b 5d 5c .X0@...t..}l..]\
74 27 e9 d5 f5 ff ff ff d7 50 68 10 48 40 00 eb t'.......Ph.H@..
0b ff d7 8b 5d 5c 50 68 e8 47 40 00 56 53 89 45 ....]\Ph.G@.VS.E
74 e8 13 f3 ff ff 83 c4 10 68 a0 4a 40 00 53 e8 t........h.J@.S.
05 f3 ff ff 59 59 6a ff ff 75 3c ff 15 00 30 40 ....YYj..u<...0@
00 83 f8 ff 75 15 ff d7 50 68 c0 47 40 00 56 53 ....u...Ph.G@.VS
89 45 74 e8 e1 f2 ff ff 83 c4 10 8d 45 68 50 ff .Et.........EhP.
75 3c ff 15 50 30 40 00 85 c0 75 17 ff d7 50 68 u<..P0@...u...Ph
9c 47 40 00 56 53 89 45 74 e8 bb f2 ff ff 83 c4 .G@.VS.Et.......
10 eb 27 81 7d 68 ff ff 00 00 ff 75 68 ff 75 40 ..'.}h.....uh.u@
ff 75 44 76 07 68 10 47 40 00 eb 05 68 88 46 40 .uDv.h.G@...h.F@
00 53 e8 92 f2 ff ff 83 c4 14 8d 45 d0 50 8d 45 .S.........E.P.E
c8 50 8d 45 c0 50 8d 45 b8 50 ff 75 3c ff 15 4c .P.E.P.E.P.u<..L
30 40 00 85 c0 75 17 ff d7 50 68 64 46 40 00 56 0@...u...PhdF@.V
53 89 45 74 e8 60 f2 ff ff 83 c4 10 eb 61 68 34 S.Et.`.......ah4
46 40 00 53 e8 50 f2 ff ff 8b 45 b8 29 45 c0 8b F@.S.P....E.)E..
45 bc 59 19 45 c4 59 c7 45 68 01 00 00 00 8b 45 E.Y.E.Y.Eh.....E
68 8b 4c c5 bc 8b 44 c5 b8 89 4d 64 89 45 70 8b h.L...D...Md.Ep.
45 70 8b 55 64 b9 80 96 98 00 f7 f1 52 50 8b 45 Ep.Ud.......RP.E
68 ff 34 85 bc 31 40 00 68 08 46 40 00 53 e8 06 h.4..1@.h.F@.S..
f2 ff ff 83 c4 14 ff 45 68 83 7d 68 04 72 bf ff .......Eh.}h.r..
75 3c ff 15 60 30 40 00 85 c0 75 15 ff d7 50 68 u<..`0@...u...Ph
b0 51 40 00 56 53 89 45 74 e8 db f1 ff ff 83 c4 .Q@.VS.Et.......
10 6a ff ff 75 38 ff 15 00 30 40 00 83 f8 ff 75 .j..u8...0@....u
15 ff d7 50 68 c0 47 40 00 56 53 89 45 74 e8 b6 ...Ph.G@.VS.Et..
f1 ff ff 83 c4 10 8d 45 60 50 ff 75 38 ff 15 48 .......E`P.u8..H
30 40 00 85 c0 75 0e ff d7 50 68 e0 45 40 00 89 0@...u...Ph.E@..
45 74 56 eb 1b 81 7d 60 ff ff 00 00 ff 75 60 ff EtV...}`.....u`.
75 40 76 07 68 80 45 40 00 eb 05 68 28 45 40 00 u@v.h.E@...h(E@.
53 e8 73 f1 ff ff 83 c4 10 8d 45 d0 50 8d 45 c8 S.s.......E.P.E.
50 8d 45 c0 50 8d 45 b8 50 ff 75 38 ff 15 44 30 P.E.P.E.P.u8..D0
40 00 85 c0 75 17 ff d7 50 68 04 45 40 00 56 53 @...u...Ph.E@.VS
89 45 74 e8 41 f1 ff ff 83 c4 10 eb 61 68 d0 44 .Et.A.......ah.D
40 00 53 e8 31 f1 ff ff 8b 45 b8 29 45 c0 8b 45 @.S.1....E.)E..E
bc 59 19 45 c4 59 c7 45 60 01 00 00 00 8b 45 60 .Y.E.Y.E`.....E`
8b 4c c5 bc 8b 44 c5 b8 89 4d 64 89 45 70 8b 45 .L...D...Md.Ep.E
70 8b 55 64 b9 80 96 98 00 f7 f1 52 50 8b 45 60 p.Ud.......RP.E`
ff 34 85 bc 31 40 00 68 08 46 40 00 53 e8 e7 f0 .4..1@.h.F@.S...
ff ff 83 c4 14 ff 45 60 83 7d 60 04 72 bf ff 75 ......E`.}`.r..u
38 ff 15 60 30 40 00 85 c0 75 1a ff d7 50 68 b0 8..`0@...u...Ph.
51 40 00 e9 7a f2 ff ff 68 38 43 40 00 53 e8 b6 Q@..z...h8C@.S..
f0 ff ff 59 59 ff 75 4c ff 15 08 30 40 00 85 c0 ...YY.uL...0@...
74 12 ff d7 50 68 04 4d 40 00 56 53 e8 98 f0 ff t...Ph.M@.VS....
ff 83 c4 10 53 ff 15 60 30 40 00 85 c0 75 12 ff ....S..`0@...u..
d7 50 68 b0 51 40 00 56 53 e8 7b f0 ff ff 83 c4 .Ph.Q@.VS.{.....
10 ff 75 74 ff 15 40 30 40 00 90 cf 21 40 00 b4 ..ut..@0@...!@..
1d 40 00 26 1b 40 00 31 1e 40 00 ef 1d 40 00 44 .@.&.@.1.@...@.D
1e 40 00 52 20 40 00 aa 20 40 00 b0 21 40 00 55 .@.R @.. @..!@.U
8b ec 51 8b 45 08 53 56 33 f6 57 8b f8 89 75 08 ..Q.E.SV3.W...u.
89 75 fc 39 75 0c 0f 84 6a 01 00 00 3b c6 0f 84 .u.9u...j...;...
62 01 00 00 0f b7 08 66 3b ce 0f 84 56 01 00 00 b......f;...V...
83 f9 20 74 0a 83 f9 09 74 05 33 db 43 eb 02 33 .. t....t.3.C..3
db 39 75 08 75 2b 66 83 f9 20 74 06 66 83 f9 09 .9u.u+f.. t.f...
75 1f 89 75 fc 83 c0 02 0f b7 08 83 f9 20 74 f5 u..u......... t.
83 f9 09 74 f0 33 c9 66 39 30 0f 95 c1 03 d9 eb ...t.3.f90......
23 66 83 f9 5c 75 06 83 75 fc 01 eb 14 39 75 fc #f..\u..u....9u.
75 0c 66 83 f9 22 75 06 83 75 08 01 eb 03 89 75 u.f.."u..u.....u
fc 83 c0 02 0f b7 08 66 3b ce 75 a5 2b c7 83 c0 .......f;.u.+...
02 d1 f8 8d 44 58 02 03 c0 50 6a 40 ff 15 04 30 ....DX...Pj@...0
40 00 8b f0 33 d2 3b f2 0f 84 d0 00 00 00 8d 44 @...3.;........D
9e 04 33 db 89 06 89 55 08 89 5d fc 83 7d 08 00 ..3....U..]..}..
75 34 0f b7 0f 83 f9 20 74 05 83 f9 09 75 27 33 u4..... t....u'3
d2 33 c9 66 89 08 83 c7 02 0f b7 0f 83 f9 20 74 .3.f.......... t
f5 83 f9 09 74 f0 66 39 17 74 71 43 8b c7 89 5d ....t.f9.tqC...]
fc 89 3c 9e eb 5c 0f b7 0f 83 f9 5c 75 03 42 eb ..<..\.....\u.B.
48 83 f9 22 75 41 6a 02 8d 5a 01 d1 eb 59 f7 db H.."uAj..Z...Y..
03 f9 8d 04 58 f6 c2 01 74 0a 6a 22 5a 66 89 10 ....X...t.j"Zf..
03 c1 eb 1c 83 7d 08 00 74 12 66 83 3f 22 75 0c .....}..t.f.?"u.
6a 22 5a 66 89 10 03 c1 03 f9 eb 04 83 75 08 01 j"Zf.........u..
8b 5d fc 33 d2 eb 0b 33 d2 66 89 08 83 c0 02 83 .].3...3.f......
c7 02 66 83 3f 00 0f 85 60 ff ff ff 33 c9 43 66 ..f.?...`...3.Cf
89 08 21 0c 9e 8b 45 0c 89 18 39 4d 08 74 0f 68 ..!...E...9M.t.h
a0 00 00 00 eb 02 6a 57 ff 15 0c 30 40 00 5f 8b ......jW...0@._.
c6 5e 5b c9 c2 08 00 00 00 00 00 00 00 00 00 00 .^[.............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
1e 5b 00 00 78 5b 00 00 6c 5b 00 00 7c 5c 00 00 .[..x[..l[..|\..
6c 5c 00 00 5c 5c 00 00 4a 5c 00 00 38 5c 00 00 l\..\\..J\..8\..
26 5c 00 00 08 5c 00 00 f4 5b 00 00 d8 5b 00 00 &\...\...[...[..
c4 5b 00 00 b0 5b 00 00 94 5b 00 00 b2 5a 00 00 .[...[...[...Z..
c2 5a 00 00 d0 5a 00 00 e2 5a 00 00 f8 5a 00 00 .Z...Z...Z...Z..
0a 5b 00 00 5e 5b 00 00 34 5b 00 00 4a 5b 00 00 .[..^[..4[..J[..
86 5b 00 00 00 00 00 00 a6 5c 00 00 9a 5c 00 00 .[.......\...\..
00 00 00 00 90 5a 00 00 80 5a 00 00 70 5a 00 00 .....Z...Z..pZ..
5e 5a 00 00 4a 5a 00 00 36 5a 00 00 24 5a 00 00 ^Z..JZ..6Z..$Z..
16 5a 00 00 fe 59 00 00 ea 59 00 00 d4 59 00 00 .Z...Y...Y...Y..
b8 59 00 00 aa 59 00 00 9a 59 00 00 84 59 00 00 .Y...Y...Y...Y..
00 00 00 00 00 00 00 00 55 00 73 00 65 00 72 00 ........U.s.e.r.
20 00 20 00 00 00 00 00 4b 00 65 00 72 00 6e 00 . .....K.e.r.n.
65 00 6c 00 00 00 00 00 52 00 65 00 61 00 6c 00 e.l.....R.e.a.l.
20 00 20 00 00 00 00 00 36 00 34 00 2d 00 62 00 . .....6.4.-.b.
69 00 74 00 20 00 57 00 69 00 6e 00 64 00 6f 00 i.t. .W.i.n.d.o.
77 00 73 00 00 00 00 00 31 00 36 00 2d 00 62 00 w.s.....1.6.-.b.
69 00 74 00 20 00 4f 00 53 00 2f 00 32 00 00 00 i.t. .O.S./.2...
50 00 4f 00 53 00 49 00 58 00 00 00 2e 00 50 00 P.O.S.I.X.....P.
49 00 46 00 20 00 66 00 6f 00 72 00 20 00 4d 00 I.F. .f.o.r. .M.
53 00 2d 00 44 00 4f 00 53 00 00 00 31 00 36 00 S.-.D.O.S...1.6.
2d 00 62 00 69 00 74 00 20 00 57 00 69 00 6e 00 -.b.i.t. .W.i.n.
64 00 6f 00 77 00 73 00 00 00 00 00 4d 00 53 00 d.o.w.s.....M.S.
2d 00 44 00 4f 00 53 00 00 00 00 00 33 00 32 00 -.D.O.S.....3.2.
2d 00 62 00 69 00 74 00 20 00 57 00 69 00 6e 00 -.b.i.t. .W.i.n.
64 00 6f 00 77 00 73 00 00 00 00 00 00 00 00 00 d.o.w.s.........
7c 31 40 00 6c 31 40 00 4c 31 40 00 2c 31 40 00 |1@.l1@.L1@.,1@.
20 31 40 00 08 31 40 00 e8 30 40 00 00 00 00 00 1@..1@..0@.....
d8 30 40 00 c8 30 40 00 b8 30 40 00 00 00 00 00 .0@..0@..0@.....
44 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D...............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 72 00 65 00 61 00 64 00 69 00 6e 00 ....r.e.a.d.i.n.
67 00 00 00 77 00 72 00 69 00 74 00 69 00 6e 00 g...w.r.i.t.i.n.
67 00 00 00 65 00 78 00 65 00 63 00 75 00 74 00 g...e.x.e.c.u.t.
69 00 6e 00 67 00 00 00 61 00 63 00 63 00 65 00 i.n.g...a.c.c.e.
73 00 73 00 69 00 6e 00 67 00 00 00 41 00 70 00 s.s.i.n.g...A.p.
70 00 6c 00 69 00 63 00 61 00 74 00 69 00 6f 00 p.l.i.c.a.t.i.o.
6e 00 20 00 68 00 61 00 6e 00 67 00 00 00 00 00 n. .h.a.n.g.....
2e 00 4e 00 45 00 54 00 20 00 43 00 4c 00 52 00 ..N.E.T. .C.L.R.
20 00 65 00 78 00 63 00 65 00 70 00 74 00 69 00 .e.x.c.e.p.t.i.
6f 00 6e 00 00 00 00 00 53 00 45 00 48 00 20 00 o.n.....S.E.H. .
76 00 65 00 72 00 69 00 66 00 69 00 63 00 61 00 v.e.r.i.f.i.c.a.
74 00 69 00 6f 00 6e 00 20 00 65 00 78 00 63 00 t.i.o.n. .e.x.c.
65 00 70 00 74 00 69 00 6f 00 6e 00 00 00 00 00 e.p.t.i.o.n.....
43 00 2b 00 2b 00 20 00 65 00 78 00 63 00 65 00 C.+.+. .e.x.c.e.
70 00 74 00 69 00 6f 00 6e 00 00 00 3c 00 6e 00 p.t.i.o.n...<.n.
6f 00 74 00 20 00 61 00 76 00 61 00 69 00 6c 00 o.t. .a.v.a.i.l.
61 00 62 00 6c 00 65 00 3e 00 00 00 00 00 00 00 a.b.l.e.>.......
44 00 65 00 6c 00 61 00 79 00 2d 00 6c 00 6f 00 D.e.l.a.y.-.l.o.
61 00 64 00 20 00 65 00 78 00 63 00 65 00 70 00 a.d. .e.x.c.e.p.
74 00 69 00 6f 00 6e 00 20 00 28 00 6f 00 72 00 t.i.o.n. .(.o.r.
64 00 69 00 6e 00 61 00 6c 00 20 00 6e 00 6f 00 d.i.n.a.l. .n.o.
74 00 20 00 66 00 6f 00 75 00 6e 00 64 00 29 00 t. .f.o.u.n.d.).
00 00 00 00 00 00 00 00 44 00 65 00 6c 00 61 00 ........D.e.l.a.
79 00 2d 00 6c 00 6f 00 61 00 64 00 20 00 65 00 y.-.l.o.a.d. .e.
78 00 63 00 65 00 70 00 74 00 69 00 6f 00 6e 00 x.c.e.p.t.i.o.n.
20 00 28 00 6f 00 72 00 64 00 69 00 6e 00 61 00 .(.o.r.d.i.n.a.
6c 00 20 00 25 00 6c 00 75 00 20 00 6e 00 6f 00 l. .%.l.u. .n.o.
74 00 20 00 66 00 6f 00 75 00 6e 00 64 00 20 00 t. .f.o.u.n.d. .
69 00 6e 00 20 00 6d 00 6f 00 64 00 75 00 6c 00 i.n. .m.o.d.u.l.
65 00 20 00 25 00 68 00 73 00 3b 00 20 00 30 00 e. .%.h.s.;. .0.
78 00 25 00 30 00 38 00 6c 00 58 00 29 00 00 00 x.%.0.8.l.X.)...
44 00 65 00 6c 00 61 00 79 00 2d 00 6c 00 6f 00 D.e.l.a.y.-.l.o.
61 00 64 00 20 00 65 00 78 00 63 00 65 00 70 00 a.d. .e.x.c.e.p.
74 00 69 00 6f 00 6e 00 20 00 28 00 65 00 6e 00 t.i.o.n. .(.e.n.
74 00 72 00 79 00 20 00 6e 00 6f 00 74 00 20 00 t.r.y. .n.o.t. .
66 00 6f 00 75 00 6e 00 64 00 29 00 00 00 00 00 f.o.u.n.d.).....
44 00 65 00 6c 00 61 00 79 00 2d 00 6c 00 6f 00 D.e.l.a.y.-.l.o.
61 00 64 00 20 00 65 00 78 00 63 00 65 00 70 00 a.d. .e.x.c.e.p.
74 00 69 00 6f 00 6e 00 20 00 28 00 65 00 6e 00 t.i.o.n. .(.e.n.
74 00 72 00 79 00 20 00 25 00 68 00 73 00 20 00 t.r.y. .%.h.s. .
6e 00 6f 00 74 00 20 00 66 00 6f 00 75 00 6e 00 n.o.t. .f.o.u.n.
64 00 20 00 69 00 6e 00 20 00 6d 00 6f 00 64 00 d. .i.n. .m.o.d.
75 00 6c 00 65 00 20 00 25 00 68 00 73 00 3b 00 u.l.e. .%.h.s.;.
20 00 30 00 78 00 25 00 30 00 38 00 6c 00 58 00 .0.x.%.0.8.l.X.
29 00 00 00 44 00 69 00 73 00 6b 00 20 00 71 00 )...D.i.s.k. .q.
75 00 6f 00 74 00 61 00 20 00 65 00 78 00 63 00 u.o.t.a. .e.x.c.
65 00 65 00 64 00 65 00 64 00 00 00 00 00 00 00 e.e.d.e.d.......
44 00 65 00 6c 00 61 00 79 00 2d 00 6c 00 6f 00 D.e.l.a.y.-.l.o.
61 00 64 00 20 00 65 00 78 00 63 00 65 00 70 00 a.d. .e.x.c.e.p.
74 00 69 00 6f 00 6e 00 20 00 28 00 69 00 6e 00 t.i.o.n. .(.i.n.
76 00 61 00 6c 00 69 00 64 00 20 00 70 00 61 00 v.a.l.i.d. .p.a.
72 00 61 00 6d 00 65 00 74 00 65 00 72 00 29 00 r.a.m.e.t.e.r.).
00 00 00 00 00 00 00 00 44 00 65 00 6c 00 61 00 ........D.e.l.a.
79 00 2d 00 6c 00 6f 00 61 00 64 00 20 00 65 00 y.-.l.o.a.d. .e.
78 00 63 00 65 00 70 00 74 00 69 00 6f 00 6e 00 x.c.e.p.t.i.o.n.
20 00 28 00 6d 00 6f 00 64 00 75 00 6c 00 65 00 .(.m.o.d.u.l.e.
20 00 25 00 68 00 73 00 20 00 6e 00 6f 00 74 00 .%.h.s. .n.o.t.
20 00 66 00 6f 00 75 00 6e 00 64 00 3b 00 20 00 .f.o.u.n.d.;. .
30 00 78 00 25 00 30 00 38 00 6c 00 58 00 29 00 0.x.%.0.8.l.X.).
00 00 00 00 46 00 61 00 69 00 6c 00 2d 00 66 00 ....F.a.i.l.-.f.
61 00 73 00 74 00 20 00 65 00 78 00 63 00 65 00 a.s.t. .e.x.c.e.
70 00 74 00 69 00 6f 00 6e 00 00 00 00 00 00 00 p.t.i.o.n.......
43 00 20 00 72 00 75 00 6e 00 74 00 69 00 6d 00 C. .r.u.n.t.i.m.
65 00 20 00 65 00 78 00 63 00 65 00 70 00 74 00 e. .e.x.c.e.p.t.
69 00 6f 00 6e 00 20 00 28 00 69 00 6e 00 76 00 i.o.n. .(.i.n.v.
61 00 6c 00 69 00 64 00 20 00 70 00 61 00 72 00 a.l.i.d. .p.a.r.
61 00 6d 00 65 00 74 00 65 00 72 00 29 00 00 00 a.m.e.t.e.r.)...
55 00 6e 00 68 00 61 00 6e 00 64 00 6c 00 65 00 U.n.h.a.n.d.l.e.
64 00 20 00 65 00 78 00 63 00 65 00 70 00 74 00 d. .e.x.c.e.p.t.
69 00 6f 00 6e 00 20 00 64 00 75 00 72 00 69 00 i.o.n. .d.u.r.i.
6e 00 67 00 20 00 75 00 73 00 65 00 72 00 20 00 n.g. .u.s.e.r. .
63 00 61 00 6c 00 6c 00 62 00 61 00 63 00 6b 00 c.a.l.l.b.a.c.k.
00 00 00 00 41 00 73 00 73 00 65 00 72 00 74 00 ....A.s.s.e.r.t.
69 00 6f 00 6e 00 20 00 66 00 61 00 69 00 6c 00 i.o.n. .f.a.i.l.
65 00 64 00 00 00 00 00 41 00 70 00 70 00 6c 00 e.d.....A.p.p.l.
69 00 63 00 61 00 74 00 69 00 6f 00 6e 00 20 00 i.c.a.t.i.o.n. .
76 00 65 00 72 00 69 00 66 00 69 00 65 00 72 00 v.e.r.i.f.i.e.r.
20 00 73 00 74 00 6f 00 70 00 00 00 00 00 00 00 .s.t.o.p.......
42 00 75 00 66 00 66 00 65 00 72 00 20 00 6f 00 B.u.f.f.e.r. .o.
76 00 65 00 72 00 72 00 75 00 6e 00 20 00 6f 00 v.e.r.r.u.n. .o.
6e 00 20 00 73 00 74 00 61 00 63 00 6b 00 20 00 n. .s.t.a.c.k. .
28 00 73 00 74 00 61 00 63 00 6b 00 20 00 63 00 (.s.t.a.c.k. .c.
6f 00 72 00 72 00 75 00 70 00 74 00 69 00 6f 00 o.r.r.u.p.t.i.o.
6e 00 29 00 00 00 00 00 33 00 32 00 2d 00 62 00 n.).....3.2.-.b.
69 00 74 00 20 00 69 00 6d 00 61 00 67 00 65 00 i.t. .i.m.a.g.e.
20 00 69 00 6e 00 20 00 36 00 34 00 2d 00 62 00 .i.n. .6.4.-.b.
69 00 74 00 20 00 70 00 72 00 6f 00 63 00 65 00 i.t. .p.r.o.c.e.
73 00 73 00 00 00 00 00 36 00 34 00 2d 00 62 00 s.s.....6.4.-.b.
69 00 74 00 20 00 69 00 6d 00 61 00 67 00 65 00 i.t. .i.m.a.g.e.
20 00 69 00 6e 00 20 00 33 00 32 00 2d 00 62 00 .i.n. .3.2.-.b.
69 00 74 00 20 00 70 00 72 00 6f 00 63 00 65 00 i.t. .p.r.o.c.e.
73 00 73 00 00 00 00 00 48 00 65 00 61 00 70 00 s.s.....H.e.a.p.
20 00 63 00 6f 00 72 00 72 00 75 00 70 00 74 00 .c.o.r.r.u.p.t.
69 00 6f 00 6e 00 00 00 52 00 65 00 67 00 69 00 i.o.n...R.e.g.i.
73 00 74 00 65 00 72 00 20 00 4e 00 61 00 54 00 s.t.e.r. .N.a.T.
20 00 63 00 6f 00 6e 00 73 00 75 00 6d 00 70 00 .c.o.n.s.u.m.p.
74 00 69 00 6f 00 6e 00 20 00 66 00 61 00 75 00 t.i.o.n. .f.a.u.
6c 00 74 00 00 00 00 00 43 00 6c 00 6f 00 73 00 l.t.....C.l.o.s.
65 00 20 00 70 00 72 00 6f 00 74 00 65 00 63 00 e. .p.r.o.t.e.c.
74 00 65 00 64 00 20 00 68 00 61 00 6e 00 64 00 t.e.d. .h.a.n.d.
6c 00 65 00 00 00 00 00 4d 00 75 00 6c 00 74 00 l.e.....M.u.l.t.
69 00 70 00 6c 00 65 00 20 00 66 00 6c 00 6f 00 i.p.l.e. .f.l.o.
61 00 74 00 69 00 6e 00 67 00 2d 00 70 00 6f 00 a.t.i.n.g.-.p.o.
69 00 6e 00 74 00 20 00 66 00 61 00 75 00 6c 00 i.n.t. .f.a.u.l.
74 00 73 00 00 00 00 00 4d 00 75 00 6c 00 74 00 t.s.....M.u.l.t.
69 00 70 00 6c 00 65 00 20 00 66 00 6c 00 6f 00 i.p.l.e. .f.l.o.
61 00 74 00 69 00 6e 00 67 00 2d 00 70 00 6f 00 a.t.i.n.g.-.p.o.
69 00 6e 00 74 00 20 00 74 00 72 00 61 00 70 00 i.n.t. .t.r.a.p.
73 00 00 00 41 00 6c 00 69 00 67 00 6e 00 6d 00 s...A.l.i.g.n.m.
65 00 6e 00 74 00 20 00 65 00 72 00 72 00 6f 00 e.n.t. .e.r.r.o.
72 00 00 00 50 00 6f 00 73 00 73 00 69 00 62 00 r...P.o.s.s.i.b.
6c 00 65 00 20 00 64 00 65 00 61 00 64 00 6c 00 l.e. .d.e.a.d.l.
6f 00 63 00 6b 00 00 00 44 00 4c 00 4c 00 20 00 o.c.k...D.L.L. .
69 00 6e 00 69 00 74 00 69 00 61 00 6c 00 69 00 i.n.i.t.i.a.l.i.
73 00 61 00 74 00 69 00 6f 00 6e 00 20 00 66 00 s.a.t.i.o.n. .f.
61 00 69 00 6c 00 65 00 64 00 00 00 55 00 6e 00 a.i.l.e.d...U.n.
68 00 61 00 6e 00 64 00 6c 00 65 00 64 00 20 00 h.a.n.d.l.e.d. .
65 00 78 00 63 00 65 00 70 00 74 00 69 00 6f 00 e.x.c.e.p.t.i.o.
6e 00 00 00 4e 00 6f 00 20 00 66 00 6c 00 6f 00 n...N.o. .f.l.o.
61 00 74 00 69 00 6e 00 67 00 2d 00 70 00 6f 00 a.t.i.n.g.-.p.o.
69 00 6e 00 74 00 20 00 68 00 61 00 72 00 64 00 i.n.t. .h.a.r.d.
77 00 61 00 72 00 65 00 00 00 00 00 53 00 74 00 w.a.r.e.....S.t.
61 00 63 00 6b 00 20 00 6f 00 76 00 65 00 72 00 a.c.k. .o.v.e.r.
66 00 6c 00 6f 00 77 00 00 00 00 00 44 00 4c 00 f.l.o.w.....D.L.
4c 00 20 00 6e 00 6f 00 74 00 20 00 66 00 6f 00 L. .n.o.t. .f.o.
75 00 6e 00 64 00 00 00 4f 00 72 00 64 00 69 00 u.n.d...O.r.d.i.
6e 00 61 00 6c 00 20 00 6e 00 6f 00 74 00 20 00 n.a.l. .n.o.t. .
66 00 6f 00 75 00 6e 00 64 00 00 00 45 00 6e 00 f.o.u.n.d...E.n.
74 00 72 00 79 00 70 00 6f 00 69 00 6e 00 74 00 t.r.y.p.o.i.n.t.
20 00 6e 00 6f 00 74 00 20 00 66 00 6f 00 75 00 .n.o.t. .f.o.u.
6e 00 64 00 00 00 00 00 49 00 6e 00 73 00 74 00 n.d.....I.n.s.t.
72 00 75 00 63 00 74 00 69 00 6f 00 6e 00 20 00 r.u.c.t.i.o.n. .
6d 00 69 00 73 00 61 00 6c 00 69 00 67 00 6e 00 m.i.s.a.l.i.g.n.
6d 00 65 00 6e 00 74 00 00 00 00 00 50 00 72 00 m.e.n.t.....P.r.
69 00 76 00 69 00 6c 00 65 00 67 00 65 00 64 00 i.v.i.l.e.g.e.d.
20 00 69 00 6e 00 73 00 74 00 72 00 75 00 63 00 .i.n.s.t.r.u.c.
74 00 69 00 6f 00 6e 00 00 00 00 00 49 00 6e 00 t.i.o.n.....I.n.
74 00 65 00 67 00 65 00 72 00 20 00 6f 00 76 00 t.e.g.e.r. .o.v.
65 00 72 00 66 00 6c 00 6f 00 77 00 00 00 00 00 e.r.f.l.o.w.....
49 00 6e 00 74 00 65 00 67 00 65 00 72 00 20 00 I.n.t.e.g.e.r. .
64 00 69 00 76 00 69 00 64 00 65 00 2d 00 62 00 d.i.v.i.d.e.-.b.
79 00 2d 00 7a 00 65 00 72 00 6f 00 00 00 00 00 y.-.z.e.r.o.....
46 00 6c 00 6f 00 61 00 74 00 69 00 6e 00 67 00 F.l.o.a.t.i.n.g.
2d 00 70 00 6f 00 69 00 6e 00 74 00 20 00 75 00 -.p.o.i.n.t. .u.
6e 00 64 00 65 00 72 00 66 00 6c 00 6f 00 77 00 n.d.e.r.f.l.o.w.
00 00 00 00 46 00 6c 00 6f 00 61 00 74 00 69 00 ....F.l.o.a.t.i.
6e 00 67 00 2d 00 70 00 6f 00 69 00 6e 00 74 00 n.g.-.p.o.i.n.t.
20 00 73 00 74 00 61 00 63 00 6b 00 20 00 63 00 .s.t.a.c.k. .c.
68 00 65 00 63 00 6b 00 00 00 00 00 46 00 6c 00 h.e.c.k.....F.l.
6f 00 61 00 74 00 69 00 6e 00 67 00 2d 00 70 00 o.a.t.i.n.g.-.p.
6f 00 69 00 6e 00 74 00 20 00 6f 00 76 00 65 00 o.i.n.t. .o.v.e.
72 00 66 00 6c 00 6f 00 77 00 00 00 00 00 00 00 r.f.l.o.w.......
49 00 6e 00 76 00 61 00 6c 00 69 00 64 00 20 00 I.n.v.a.l.i.d. .
66 00 6c 00 6f 00 61 00 74 00 69 00 6e 00 67 00 f.l.o.a.t.i.n.g.
2d 00 70 00 6f 00 69 00 6e 00 74 00 20 00 6f 00 -.p.o.i.n.t. .o.
70 00 65 00 72 00 61 00 74 00 69 00 6f 00 6e 00 p.e.r.a.t.i.o.n.
00 00 00 00 49 00 6e 00 65 00 78 00 61 00 63 00 ....I.n.e.x.a.c.
74 00 20 00 66 00 6c 00 6f 00 61 00 74 00 69 00 t. .f.l.o.a.t.i.
6e 00 67 00 2d 00 70 00 6f 00 69 00 6e 00 74 00 n.g.-.p.o.i.n.t.
20 00 72 00 65 00 73 00 75 00 6c 00 74 00 00 00 .r.e.s.u.l.t...
46 00 6c 00 6f 00 61 00 74 00 69 00 6e 00 67 00 F.l.o.a.t.i.n.g.
2d 00 70 00 6f 00 69 00 6e 00 74 00 20 00 64 00 -.p.o.i.n.t. .d.
69 00 76 00 69 00 64 00 65 00 2d 00 62 00 79 00 i.v.i.d.e.-.b.y.
2d 00 7a 00 65 00 72 00 6f 00 00 00 00 00 00 00 -.z.e.r.o.......
44 00 65 00 6e 00 6f 00 72 00 6d 00 61 00 6c 00 D.e.n.o.r.m.a.l.
20 00 66 00 6c 00 6f 00 61 00 74 00 69 00 6e 00 .f.l.o.a.t.i.n.
67 00 2d 00 70 00 6f 00 69 00 6e 00 74 00 20 00 g.-.p.o.i.n.t. .
6f 00 70 00 65 00 72 00 61 00 6e 00 64 00 00 00 o.p.e.r.a.n.d...
4f 00 62 00 6a 00 65 00 63 00 74 00 20 00 6e 00 O.b.j.e.c.t. .n.
61 00 6d 00 65 00 20 00 6e 00 6f 00 74 00 20 00 a.m.e. .n.o.t. .
66 00 6f 00 75 00 6e 00 64 00 00 00 4f 00 62 00 f.o.u.n.d...O.b.
6a 00 65 00 63 00 74 00 20 00 70 00 61 00 74 00 j.e.c.t. .p.a.t.
68 00 20 00 6e 00 6f 00 74 00 20 00 66 00 6f 00 h. .n.o.t. .f.o.
75 00 6e 00 64 00 00 00 50 00 72 00 6f 00 63 00 u.n.d...P.r.o.c.
65 00 64 00 75 00 72 00 65 00 20 00 6e 00 6f 00 e.d.u.r.e. .n.o.
74 00 20 00 66 00 6f 00 75 00 6e 00 64 00 00 00 t. .f.o.u.n.d...
41 00 72 00 72 00 61 00 79 00 20 00 62 00 6f 00 A.r.r.a.y. .b.o.
75 00 6e 00 64 00 73 00 20 00 65 00 78 00 63 00 u.n.d.s. .e.x.c.
65 00 65 00 64 00 65 00 64 00 00 00 49 00 6e 00 e.e.d.e.d...I.n.
76 00 61 00 6c 00 69 00 64 00 20 00 64 00 69 00 v.a.l.i.d. .d.i.
73 00 70 00 6f 00 73 00 69 00 74 00 69 00 6f 00 s.p.o.s.i.t.i.o.
6e 00 00 00 49 00 6e 00 76 00 61 00 6c 00 69 00 n...I.n.v.a.l.i.
64 00 20 00 70 00 61 00 72 00 61 00 6d 00 65 00 d. .p.a.r.a.m.e.
74 00 65 00 72 00 00 00 4e 00 6f 00 74 00 20 00 t.e.r...N.o.t. .
65 00 6e 00 6f 00 75 00 67 00 68 00 20 00 71 00 e.n.o.u.g.h. .q.
75 00 6f 00 74 00 61 00 20 00 28 00 6e 00 6f 00 u.o.t.a. .(.n.o.
20 00 76 00 69 00 72 00 74 00 75 00 61 00 6c 00 .v.i.r.t.u.a.l.
20 00 6d 00 65 00 6d 00 6f 00 72 00 79 00 29 00 .m.e.m.o.r.y.).
00 00 00 00 49 00 6c 00 6c 00 65 00 67 00 61 00 ....I.l.l.e.g.a.
6c 00 20 00 69 00 6e 00 73 00 74 00 72 00 75 00 l. .i.n.s.t.r.u.
63 00 74 00 69 00 6f 00 6e 00 00 00 41 00 63 00 c.t.i.o.n...A.c.
63 00 65 00 73 00 73 00 20 00 64 00 65 00 6e 00 c.e.s.s. .d.e.n.
69 00 65 00 64 00 00 00 4e 00 6f 00 6e 00 2d 00 i.e.d...N.o.n.-.
63 00 6f 00 6e 00 74 00 69 00 6e 00 75 00 61 00 c.o.n.t.i.n.u.a.
62 00 6c 00 65 00 00 00 49 00 6e 00 76 00 61 00 b.l.e...I.n.v.a.
6c 00 69 00 64 00 20 00 68 00 61 00 6e 00 64 00 l.i.d. .h.a.n.d.
6c 00 65 00 00 00 00 00 52 00 50 00 43 00 20 00 l.e.....R.P.C. .
6e 00 75 00 6c 00 6c 00 20 00 63 00 6f 00 6e 00 n.u.l.l. .c.o.n.
74 00 65 00 78 00 74 00 20 00 68 00 61 00 6e 00 t.e.x.t. .h.a.n.
64 00 6c 00 65 00 00 00 52 00 50 00 43 00 20 00 d.l.e...R.P.C. .
73 00 74 00 75 00 62 00 20 00 72 00 65 00 63 00 s.t.u.b. .r.e.c.
65 00 69 00 76 00 65 00 64 00 20 00 62 00 61 00 e.i.v.e.d. .b.a.
64 00 20 00 64 00 61 00 74 00 61 00 00 00 00 00 d. .d.a.t.a.....
41 00 63 00 63 00 65 00 73 00 73 00 20 00 76 00 A.c.c.e.s.s. .v.
69 00 6f 00 6c 00 61 00 74 00 69 00 6f 00 6e 00 i.o.l.a.t.i.o.n.
00 00 00 00 41 00 63 00 63 00 65 00 73 00 73 00 ....A.c.c.e.s.s.
20 00 76 00 69 00 6f 00 6c 00 61 00 74 00 69 00 .v.i.o.l.a.t.i.
6f 00 6e 00 20 00 25 00 6c 00 73 00 20 00 30 00 o.n. .%.l.s. .0.
78 00 25 00 70 00 00 00 49 00 6e 00 2d 00 70 00 x.%.p...I.n.-.p.
61 00 67 00 65 00 20 00 65 00 72 00 72 00 6f 00 a.g.e. .e.r.r.o.
72 00 00 00 00 00 00 00 49 00 6e 00 2d 00 70 00 r.......I.n.-.p.
61 00 67 00 65 00 20 00 65 00 72 00 72 00 6f 00 a.g.e. .e.r.r.o.
72 00 20 00 25 00 6c 00 73 00 20 00 30 00 78 00 r. .%.l.s. .0.x.
25 00 70 00 20 00 28 00 30 00 78 00 25 00 30 00 %.p. .(.0.x.%.0.
38 00 6c 00 58 00 29 00 00 00 00 00 52 00 50 00 8.l.X.).....R.P.
43 00 20 00 65 00 6e 00 64 00 70 00 6f 00 69 00 C. .e.n.d.p.o.i.
6e 00 74 00 20 00 6e 00 6f 00 74 00 20 00 72 00 n.t. .n.o.t. .r.
65 00 67 00 69 00 73 00 74 00 65 00 72 00 65 00 e.g.i.s.t.e.r.e.
64 00 00 00 42 00 72 00 65 00 61 00 6b 00 70 00 d...B.r.e.a.k.p.
6f 00 69 00 6e 00 74 00 00 00 00 00 53 00 69 00 o.i.n.t.....S.i.
6e 00 67 00 6c 00 65 00 2d 00 73 00 74 00 65 00 n.g.l.e.-.s.t.e.
70 00 00 00 52 00 50 00 43 00 20 00 62 00 69 00 p...R.P.C. .b.i.
6e 00 64 00 69 00 6e 00 67 00 20 00 68 00 61 00 n.d.i.n.g. .h.a.
6e 00 64 00 6c 00 65 00 20 00 69 00 6e 00 76 00 n.d.l.e. .i.n.v.
61 00 6c 00 69 00 64 00 00 00 00 00 52 00 50 00 a.l.i.d.....R.P.
43 00 20 00 73 00 65 00 72 00 76 00 65 00 72 00 C. .s.e.r.v.e.r.
20 00 75 00 6e 00 61 00 76 00 61 00 69 00 6c 00 .u.n.a.v.a.i.l.
61 00 62 00 6c 00 65 00 00 00 00 00 52 00 50 00 a.b.l.e.....R.P.
43 00 20 00 61 00 72 00 72 00 61 00 79 00 20 00 C. .a.r.r.a.y. .
62 00 6f 00 75 00 6e 00 64 00 73 00 20 00 69 00 b.o.u.n.d.s. .i.
6e 00 76 00 61 00 6c 00 69 00 64 00 00 00 00 00 n.v.a.l.i.d.....
44 00 61 00 74 00 61 00 20 00 6d 00 69 00 73 00 D.a.t.a. .m.i.s.
61 00 6c 00 69 00 67 00 6e 00 6d 00 65 00 6e 00 a.l.i.g.n.m.e.n.
74 00 00 00 44 00 65 00 62 00 75 00 67 00 67 00 t...D.e.b.u.g.g.
65 00 72 00 20 00 63 00 6f 00 6d 00 6d 00 61 00 e.r. .c.o.m.m.a.
6e 00 64 00 00 00 00 00 44 00 65 00 62 00 75 00 n.d.....D.e.b.u.
67 00 67 00 65 00 72 00 20 00 70 00 72 00 69 00 g.g.e.r. .p.r.i.
6e 00 74 00 20 00 65 00 78 00 63 00 65 00 70 00 n.t. .e.x.c.e.p.
74 00 69 00 6f 00 6e 00 00 00 00 00 41 00 73 00 t.i.o.n.....A.s.
73 00 69 00 67 00 6e 00 20 00 74 00 68 00 72 00 s.i.g.n. .t.h.r.
65 00 61 00 64 00 20 00 6e 00 61 00 6d 00 65 00 e.a.d. .n.a.m.e.
00 00 00 00 47 00 75 00 61 00 72 00 64 00 20 00 ....G.u.a.r.d. .
70 00 61 00 67 00 65 00 20 00 61 00 63 00 63 00 p.a.g.e. .a.c.c.
65 00 73 00 73 00 00 00 43 00 74 00 72 00 6c 00 e.s.s...C.t.r.l.
2d 00 42 00 72 00 65 00 61 00 6b 00 00 00 00 00 -.B.r.e.a.k.....
44 00 65 00 62 00 75 00 67 00 67 00 65 00 72 00 D.e.b.u.g.g.e.r.
20 00 74 00 65 00 72 00 6d 00 69 00 6e 00 61 00 .t.e.r.m.i.n.a.
74 00 65 00 20 00 74 00 68 00 72 00 65 00 61 00 t.e. .t.h.r.e.a.
64 00 00 00 44 00 65 00 62 00 75 00 67 00 67 00 d...D.e.b.u.g.g.
65 00 72 00 20 00 74 00 65 00 72 00 6d 00 69 00 e.r. .t.e.r.m.i.
6e 00 61 00 74 00 65 00 20 00 70 00 72 00 6f 00 n.a.t.e. .p.r.o.
63 00 65 00 73 00 73 00 00 00 00 00 43 00 74 00 c.e.s.s.....C.t.
72 00 6c 00 2d 00 43 00 00 00 00 00 44 00 65 00 r.l.-.C.....D.e.
62 00 75 00 67 00 67 00 65 00 72 00 20 00 52 00 b.u.g.g.e.r. .R.
49 00 50 00 20 00 65 00 78 00 63 00 65 00 70 00 I.P. .e.x.c.e.p.
74 00 69 00 6f 00 6e 00 00 00 00 00 57 00 6f 00 t.i.o.n.....W.o.
57 00 36 00 34 00 20 00 62 00 72 00 65 00 61 00 W.6.4. .b.r.e.a.
6b 00 70 00 6f 00 69 00 6e 00 74 00 00 00 00 00 k.p.o.i.n.t.....
44 00 65 00 6c 00 70 00 68 00 69 00 20 00 72 00 D.e.l.p.h.i. .r.
75 00 6e 00 74 00 69 00 6d 00 65 00 20 00 65 00 u.n.t.i.m.e. .e.
78 00 63 00 65 00 70 00 74 00 69 00 6f 00 6e 00 x.c.e.p.t.i.o.n.
00 00 00 00 53 00 65 00 67 00 6d 00 65 00 6e 00 ....S.e.g.m.e.n.
74 00 20 00 6e 00 6f 00 74 00 69 00 66 00 69 00 t. .n.o.t.i.f.i.
63 00 61 00 74 00 69 00 6f 00 6e 00 00 00 00 00 c.a.t.i.o.n.....
46 00 61 00 74 00 61 00 6c 00 20 00 61 00 70 00 F.a.t.a.l. .a.p.
70 00 6c 00 69 00 63 00 61 00 74 00 69 00 6f 00 p.l.i.c.a.t.i.o.
6e 00 20 00 65 00 78 00 69 00 74 00 00 00 00 00 n. .e.x.i.t.....
57 00 6f 00 57 00 36 00 34 00 20 00 73 00 69 00 W.o.W.6.4. .s.i.
6e 00 67 00 6c 00 65 00 2d 00 73 00 74 00 65 00 n.g.l.e.-.s.t.e.
70 00 00 00 52 00 50 00 43 00 20 00 6f 00 70 00 p...R.P.C. .o.p.
65 00 72 00 61 00 74 00 69 00 6f 00 6e 00 20 00 e.r.a.t.i.o.n. .
6e 00 6f 00 74 00 20 00 73 00 75 00 70 00 70 00 n.o.t. .s.u.p.p.
6f 00 72 00 74 00 65 00 64 00 00 00 2b 00 30 00 o.r.t.e.d...+.0.
78 00 25 00 49 00 36 00 34 00 58 00 00 00 00 00 x.%.I.6.4.X.....
00 00 00 00 00 00 00 00 42 00 61 00 64 00 20 00 ........B.a.d. .
61 00 72 00 67 00 75 00 6d 00 65 00 6e 00 74 00 a.r.g.u.m.e.n.t.
73 00 3a 00 20 00 65 00 69 00 74 00 68 00 65 00 s.:. .e.i.t.h.e.
72 00 20 00 61 00 20 00 28 00 70 00 72 00 6f 00 r. .a. .(.p.r.o.
70 00 65 00 72 00 6c 00 79 00 20 00 71 00 75 00 p.e.r.l.y. .q.u.
6f 00 74 00 65 00 64 00 29 00 20 00 63 00 6f 00 o.t.e.d.). .c.o.
6d 00 6d 00 61 00 6e 00 64 00 20 00 6c 00 69 00 m.m.a.n.d. .l.i.
6e 00 65 00 0a 00 20 00 20 00 20 00 20 00 20 00 n.e... . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 6f 00 72 00 20 00 74 00 68 00 65 00 . .o.r. .t.h.e.
20 00 28 00 61 00 62 00 73 00 6f 00 6c 00 75 00 .(.a.b.s.o.l.u.
74 00 65 00 20 00 6f 00 72 00 20 00 72 00 65 00 t.e. .o.r. .r.e.
6c 00 61 00 74 00 69 00 76 00 65 00 29 00 20 00 l.a.t.i.v.e.). .
70 00 61 00 74 00 68 00 20 00 6e 00 61 00 6d 00 p.a.t.h. .n.a.m.
65 00 20 00 6f 00 66 00 20 00 61 00 6e 00 20 00 e. .o.f. .a.n. .
61 00 70 00 70 00 6c 00 69 00 63 00 61 00 74 00 a.p.p.l.i.c.a.t.
69 00 6f 00 6e 00 0a 00 20 00 20 00 20 00 20 00 i.o.n... . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 66 00 6f 00 6c 00 6c 00 6f 00 . . .f.o.l.l.o.
77 00 65 00 64 00 20 00 62 00 79 00 20 00 61 00 w.e.d. .b.y. .a.
20 00 28 00 70 00 72 00 6f 00 70 00 65 00 72 00 .(.p.r.o.p.e.r.
6c 00 79 00 20 00 71 00 75 00 6f 00 74 00 65 00 l.y. .q.u.o.t.e.
64 00 29 00 20 00 63 00 6f 00 6d 00 6d 00 61 00 d.). .c.o.m.m.a.
6e 00 64 00 20 00 6c 00 69 00 6e 00 65 00 20 00 n.d. .l.i.n.e. .
6d 00 75 00 73 00 74 00 20 00 62 00 65 00 20 00 m.u.s.t. .b.e. .
67 00 69 00 76 00 65 00 6e 00 21 00 0a 00 00 00 g.i.v.e.n.!.....
44 00 65 00 62 00 75 00 67 00 67 00 65 00 65 00 D.e.b.u.g.g.e.e.
20 00 70 00 72 00 6f 00 63 00 65 00 73 00 73 00 .p.r.o.c.e.s.s.
20 00 74 00 69 00 6d 00 65 00 73 00 3a 00 0a 00 .t.i.m.e.s.:...
00 00 00 00 47 00 65 00 74 00 50 00 72 00 6f 00 ....G.e.t.P.r.o.
63 00 65 00 73 00 73 00 54 00 69 00 6d 00 65 00 c.e.s.s.T.i.m.e.
73 00 00 00 00 00 00 00 44 00 65 00 62 00 75 00 s.......D.e.b.u.
67 00 67 00 65 00 65 00 20 00 70 00 72 00 6f 00 g.g.e.e. .p.r.o.
63 00 65 00 73 00 73 00 20 00 25 00 6c 00 75 00 c.e.s.s. .%.l.u.
20 00 65 00 78 00 69 00 74 00 65 00 64 00 20 00 .e.x.i.t.e.d. .
77 00 69 00 74 00 68 00 20 00 63 00 6f 00 64 00 w.i.t.h. .c.o.d.
65 00 20 00 25 00 6c 00 75 00 0a 00 00 00 00 00 e. .%.l.u.......
44 00 65 00 62 00 75 00 67 00 67 00 65 00 65 00 D.e.b.u.g.g.e.e.
20 00 70 00 72 00 6f 00 63 00 65 00 73 00 73 00 .p.r.o.c.e.s.s.
20 00 25 00 6c 00 75 00 20 00 65 00 78 00 69 00 .%.l.u. .e.x.i.
74 00 65 00 64 00 20 00 77 00 69 00 74 00 68 00 t.e.d. .w.i.t.h.
20 00 63 00 6f 00 64 00 65 00 20 00 30 00 78 00 .c.o.d.e. .0.x.
25 00 30 00 38 00 6c 00 58 00 0a 00 00 00 00 00 %.0.8.l.X.......
47 00 65 00 74 00 45 00 78 00 69 00 74 00 43 00 G.e.t.E.x.i.t.C.
6f 00 64 00 65 00 50 00 72 00 6f 00 63 00 65 00 o.d.e.P.r.o.c.e.
73 00 73 00 00 00 00 00 09 00 25 00 6c 00 73 00 s.s.......%.l.s.
20 00 3d 00 20 00 25 00 31 00 30 00 6c 00 75 00 .=. .%.1.0.l.u.
2e 00 25 00 30 00 37 00 6c 00 75 00 20 00 73 00 ..%.0.7.l.u. .s.
0a 00 00 00 50 00 72 00 69 00 6d 00 61 00 72 00 ....P.r.i.m.a.r.
79 00 20 00 74 00 68 00 72 00 65 00 61 00 64 00 y. .t.h.r.e.a.d.
20 00 74 00 69 00 6d 00 65 00 73 00 3a 00 0a 00 .t.i.m.e.s.:...
00 00 00 00 47 00 65 00 74 00 54 00 68 00 72 00 ....G.e.t.T.h.r.
65 00 61 00 64 00 54 00 69 00 6d 00 65 00 73 00 e.a.d.T.i.m.e.s.
00 00 00 00 00 00 00 00 50 00 72 00 69 00 6d 00 ........P.r.i.m.
61 00 72 00 79 00 20 00 74 00 68 00 72 00 65 00 a.r.y. .t.h.r.e.
61 00 64 00 20 00 25 00 6c 00 75 00 20 00 6f 00 a.d. .%.l.u. .o.
66 00 20 00 64 00 65 00 62 00 75 00 67 00 67 00 f. .d.e.b.u.g.g.
65 00 65 00 20 00 70 00 72 00 6f 00 63 00 65 00 e.e. .p.r.o.c.e.
73 00 73 00 20 00 25 00 6c 00 75 00 20 00 65 00 s.s. .%.l.u. .e.
78 00 69 00 74 00 65 00 64 00 20 00 77 00 69 00 x.i.t.e.d. .w.i.
74 00 68 00 20 00 63 00 6f 00 64 00 65 00 20 00 t.h. .c.o.d.e. .
25 00 6c 00 75 00 0a 00 00 00 00 00 00 00 00 00 %.l.u...........
50 00 72 00 69 00 6d 00 61 00 72 00 79 00 20 00 P.r.i.m.a.r.y. .
74 00 68 00 72 00 65 00 61 00 64 00 20 00 25 00 t.h.r.e.a.d. .%.
6c 00 75 00 20 00 6f 00 66 00 20 00 64 00 65 00 l.u. .o.f. .d.e.
62 00 75 00 67 00 67 00 65 00 65 00 20 00 70 00 b.u.g.g.e.e. .p.
72 00 6f 00 63 00 65 00 73 00 73 00 20 00 25 00 r.o.c.e.s.s. .%.
6c 00 75 00 20 00 65 00 78 00 69 00 74 00 65 00 l.u. .e.x.i.t.e.
64 00 20 00 77 00 69 00 74 00 68 00 20 00 63 00 d. .w.i.t.h. .c.
6f 00 64 00 65 00 20 00 30 00 78 00 25 00 30 00 o.d.e. .0.x.%.0.
38 00 6c 00 58 00 0a 00 00 00 00 00 47 00 65 00 8.l.X.......G.e.
74 00 45 00 78 00 69 00 74 00 43 00 6f 00 64 00 t.E.x.i.t.C.o.d.
65 00 54 00 68 00 72 00 65 00 61 00 64 00 00 00 e.T.h.r.e.a.d...
57 00 61 00 69 00 74 00 46 00 6f 00 72 00 53 00 W.a.i.t.F.o.r.S.
69 00 6e 00 67 00 6c 00 65 00 4f 00 62 00 6a 00 i.n.g.l.e.O.b.j.
65 00 63 00 74 00 00 00 43 00 6f 00 6e 00 74 00 e.c.t...C.o.n.t.
69 00 6e 00 75 00 65 00 44 00 65 00 62 00 75 00 i.n.u.e.D.e.b.u.
67 00 45 00 76 00 65 00 6e 00 74 00 00 00 00 00 g.E.v.e.n.t.....
57 00 61 00 69 00 74 00 46 00 6f 00 72 00 44 00 W.a.i.t.F.o.r.D.
65 00 62 00 75 00 67 00 45 00 76 00 65 00 6e 00 e.b.u.g.E.v.e.n.
74 00 00 00 00 00 00 00 0a 00 55 00 6e 00 6b 00 t.........U.n.k.
6e 00 6f 00 77 00 6e 00 20 00 64 00 65 00 62 00 n.o.w.n. .d.e.b.
75 00 67 00 20 00 65 00 76 00 65 00 6e 00 74 00 u.g. .e.v.e.n.t.
20 00 25 00 6c 00 75 00 20 00 69 00 6e 00 20 00 .%.l.u. .i.n. .
74 00 68 00 72 00 65 00 61 00 64 00 20 00 25 00 t.h.r.e.a.d. .%.
6c 00 75 00 20 00 6f 00 66 00 20 00 70 00 72 00 l.u. .o.f. .p.r.
6f 00 63 00 65 00 73 00 73 00 20 00 25 00 6c 00 o.c.e.s.s. .%.l.
75 00 0a 00 00 00 00 00 09 00 09 00 41 00 64 00 u...........A.d.
64 00 72 00 65 00 73 00 73 00 20 00 20 00 20 00 d.r.e.s.s. . . .
3d 00 20 00 30 00 78 00 25 00 30 00 38 00 6c 00 =. .0.x.%.0.8.l.
58 00 25 00 6c 00 73 00 0a 00 00 00 09 00 43 00 X.%.l.s.......C.
61 00 6c 00 6c 00 20 00 73 00 74 00 61 00 63 00 a.l.l. .s.t.a.c.
6b 00 3a 00 0a 00 00 00 47 00 65 00 74 00 54 00 k.:.....G.e.t.T.
68 00 72 00 65 00 61 00 64 00 43 00 6f 00 6e 00 h.r.e.a.d.C.o.n.
74 00 65 00 78 00 74 00 00 00 00 00 4f 00 70 00 t.e.x.t.....O.p.
65 00 6e 00 54 00 68 00 72 00 65 00 61 00 64 00 e.n.T.h.r.e.a.d.
00 00 00 00 09 00 09 00 50 00 61 00 72 00 61 00 ........P.a.r.a.
6d 00 65 00 74 00 65 00 72 00 73 00 5b 00 25 00 m.e.t.e.r.s.[.%.
6c 00 75 00 5d 00 20 00 20 00 20 00 20 00 25 00 l.u.]. . . . .%.
6c 00 63 00 00 00 00 00 0a 00 09 00 43 00 68 00 l.c.........C.h.
61 00 69 00 6e 00 65 00 64 00 20 00 65 00 78 00 a.i.n.e.d. .e.x.
63 00 65 00 70 00 74 00 69 00 6f 00 6e 00 3a 00 c.e.p.t.i.o.n.:.
0a 00 09 00 09 00 44 00 65 00 73 00 63 00 72 00 ......D.e.s.c.r.
69 00 70 00 74 00 69 00 6f 00 6e 00 20 00 20 00 i.p.t.i.o.n. . .
20 00 20 00 20 00 20 00 20 00 3d 00 20 00 25 00 . . . . .=. .%.
6c 00 73 00 0a 00 09 00 09 00 43 00 6f 00 64 00 l.s.......C.o.d.
65 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 e. . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 3d 00 . . . . . . .=.
20 00 30 00 78 00 25 00 30 00 38 00 6c 00 58 00 .0.x.%.0.8.l.X.
0a 00 09 00 09 00 46 00 6c 00 61 00 67 00 73 00 ......F.l.a.g.s.
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 20 00 3d 00 20 00 30 00 . . . . .=. .0.
78 00 25 00 30 00 38 00 6c 00 58 00 20 00 28 00 x.%.0.8.l.X. .(.
25 00 6c 00 73 00 63 00 6f 00 6e 00 74 00 69 00 %.l.s.c.o.n.t.i.
6e 00 75 00 61 00 62 00 6c 00 65 00 29 00 0a 00 n.u.a.b.l.e.)...
09 00 09 00 41 00 64 00 64 00 72 00 65 00 73 00 ....A.d.d.r.e.s.
73 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 s. . . . . . . .
20 00 20 00 20 00 20 00 3d 00 20 00 30 00 78 00 . . . .=. .0.x.
25 00 70 00 25 00 6c 00 73 00 0a 00 00 00 00 00 %.p.%.l.s.......
0a 00 00 00 2c 00 20 00 30 00 78 00 25 00 70 00 ....,. .0.x.%.p.
00 00 00 00 3d 00 20 00 30 00 78 00 25 00 70 00 ....=. .0.x.%.p.
00 00 00 00 09 00 50 00 61 00 72 00 61 00 6d 00 ......P.a.r.a.m.
65 00 74 00 65 00 72 00 73 00 5b 00 25 00 6c 00 e.t.e.r.s.[.%.l.
75 00 5d 00 20 00 20 00 20 00 20 00 25 00 6c 00 u.]. . . . .%.l.
63 00 00 00 00 00 00 00 0a 00 25 00 6c 00 73 00 c.........%.l.s.
20 00 63 00 68 00 61 00 6e 00 63 00 65 00 20 00 .c.h.a.n.c.e. .
65 00 78 00 63 00 65 00 70 00 74 00 69 00 6f 00 e.x.c.e.p.t.i.o.
6e 00 20 00 69 00 6e 00 20 00 74 00 68 00 72 00 n. .i.n. .t.h.r.
65 00 61 00 64 00 20 00 25 00 6c 00 75 00 20 00 e.a.d. .%.l.u. .
6f 00 66 00 20 00 70 00 72 00 6f 00 63 00 65 00 o.f. .p.r.o.c.e.
73 00 73 00 20 00 25 00 6c 00 75 00 3a 00 0a 00 s.s. .%.l.u.:...
09 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 ..D.e.s.c.r.i.p.
74 00 69 00 6f 00 6e 00 20 00 20 00 20 00 20 00 t.i.o.n. . . . .
20 00 20 00 20 00 3d 00 20 00 25 00 6c 00 73 00 . . .=. .%.l.s.
0a 00 09 00 43 00 6f 00 64 00 65 00 20 00 20 00 ....C.o.d.e. . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 3d 00 20 00 30 00 78 00 . . . .=. .0.x.
25 00 30 00 38 00 6c 00 58 00 0a 00 09 00 46 00 %.0.8.l.X.....F.
6c 00 61 00 67 00 73 00 20 00 20 00 20 00 20 00 l.a.g.s. . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 3d 00 20 00 30 00 78 00 25 00 30 00 38 00 .=. .0.x.%.0.8.
6c 00 58 00 20 00 28 00 25 00 6c 00 73 00 63 00 l.X. .(.%.l.s.c.
6f 00 6e 00 74 00 69 00 6e 00 75 00 61 00 62 00 o.n.t.i.n.u.a.b.
6c 00 65 00 29 00 0a 00 09 00 41 00 64 00 64 00 l.e.).....A.d.d.
72 00 65 00 73 00 73 00 20 00 20 00 20 00 20 00 r.e.s.s. . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 3d 00 . . . . . . .=.
20 00 30 00 78 00 25 00 70 00 25 00 6c 00 73 00 .0.x.%.p.%.l.s.
0a 00 00 00 4c 00 61 00 73 00 74 00 00 00 00 00 ....L.a.s.t.....
46 00 69 00 72 00 73 00 74 00 00 00 6e 00 6f 00 F.i.r.s.t...n.o.
6e 00 2d 00 00 00 00 00 0a 00 52 00 49 00 50 00 n.-.......R.I.P.
20 00 69 00 6e 00 20 00 74 00 68 00 72 00 65 00 .i.n. .t.h.r.e.
61 00 64 00 20 00 25 00 6c 00 75 00 20 00 6f 00 a.d. .%.l.u. .o.
66 00 20 00 70 00 72 00 6f 00 63 00 65 00 73 00 f. .p.r.o.c.e.s.
73 00 20 00 25 00 6c 00 75 00 3a 00 0a 00 09 00 s. .%.l.u.:.....
45 00 72 00 72 00 6f 00 72 00 20 00 3d 00 20 00 E.r.r.o.r. .=. .
25 00 6c 00 75 00 0a 00 09 00 54 00 79 00 70 00 %.l.u.....T.y.p.
65 00 20 00 20 00 3d 00 20 00 25 00 6c 00 75 00 e. . .=. .%.l.u.
0a 00 00 00 4c 00 6f 00 63 00 61 00 6c 00 46 00 ....L.o.c.a.l.F.
72 00 65 00 65 00 00 00 09 00 53 00 74 00 72 00 r.e.e.....S.t.r.
69 00 6e 00 67 00 20 00 76 00 61 00 6c 00 75 00 i.n.g. .v.a.l.u.
65 00 20 00 20 00 20 00 3d 00 20 00 25 00 68 00 e. . . .=. .%.h.
73 00 0a 00 00 00 00 00 4c 00 6f 00 63 00 61 00 s.......L.o.c.a.
6c 00 41 00 6c 00 6c 00 6f 00 63 00 00 00 00 00 l.A.l.l.o.c.....
0a 00 4f 00 75 00 74 00 70 00 75 00 74 00 20 00 ..O.u.t.p.u.t. .
64 00 65 00 62 00 75 00 67 00 20 00 73 00 74 00 d.e.b.u.g. .s.t.
72 00 69 00 6e 00 67 00 20 00 69 00 6e 00 20 00 r.i.n.g. .i.n. .
74 00 68 00 72 00 65 00 61 00 64 00 20 00 25 00 t.h.r.e.a.d. .%.
6c 00 75 00 20 00 6f 00 66 00 20 00 70 00 72 00 l.u. .o.f. .p.r.
6f 00 63 00 65 00 73 00 73 00 20 00 25 00 6c 00 o.c.e.s.s. .%.l.
75 00 3a 00 0a 00 09 00 53 00 74 00 72 00 69 00 u.:.....S.t.r.i.
6e 00 67 00 20 00 6c 00 65 00 6e 00 67 00 74 00 n.g. .l.e.n.g.t.
68 00 20 00 20 00 3d 00 20 00 25 00 68 00 75 00 h. . .=. .%.h.u.
0a 00 09 00 53 00 74 00 72 00 69 00 6e 00 67 00 ....S.t.r.i.n.g.
20 00 61 00 64 00 64 00 72 00 65 00 73 00 73 00 .a.d.d.r.e.s.s.
20 00 3d 00 20 00 30 00 78 00 25 00 70 00 25 00 .=. .0.x.%.p.%.
6c 00 73 00 0a 00 00 00 53 00 79 00 6d 00 55 00 l.s.....S.y.m.U.
6e 00 6c 00 6f 00 61 00 64 00 4d 00 6f 00 64 00 n.l.o.a.d.M.o.d.
75 00 6c 00 65 00 36 00 34 00 00 00 00 00 00 00 u.l.e.6.4.......
0a 00 44 00 4c 00 4c 00 20 00 75 00 6e 00 6c 00 ..D.L.L. .u.n.l.
6f 00 61 00 64 00 65 00 64 00 20 00 66 00 72 00 o.a.d.e.d. .f.r.
6f 00 6d 00 20 00 70 00 72 00 6f 00 63 00 65 00 o.m. .p.r.o.c.e.
73 00 73 00 20 00 25 00 6c 00 75 00 20 00 62 00 s.s. .%.l.u. .b.
79 00 20 00 74 00 68 00 72 00 65 00 61 00 64 00 y. .t.h.r.e.a.d.
20 00 25 00 6c 00 75 00 3a 00 0a 00 09 00 42 00 .%.l.u.:.....B.
61 00 73 00 65 00 20 00 61 00 64 00 64 00 72 00 a.s.e. .a.d.d.r.
65 00 73 00 73 00 20 00 3d 00 20 00 30 00 78 00 e.s.s. .=. .0.x.
25 00 70 00 25 00 6c 00 73 00 0a 00 00 00 00 00 %.p.%.l.s.......
09 00 42 00 61 00 73 00 65 00 20 00 61 00 64 00 ..B.a.s.e. .a.d.
64 00 72 00 65 00 73 00 73 00 20 00 20 00 20 00 d.r.e.s.s. . . .
3d 00 20 00 30 00 78 00 25 00 70 00 25 00 6c 00 =. .0.x.%.p.%.l.
73 00 0a 00 00 00 00 00 09 00 44 00 4c 00 4c 00 s.........D.L.L.
20 00 66 00 69 00 6c 00 65 00 6e 00 61 00 6d 00 .f.i.l.e.n.a.m.
65 00 20 00 20 00 20 00 3d 00 20 00 25 00 68 00 e. . . .=. .%.h.
73 00 0a 00 00 00 00 00 09 00 44 00 4c 00 4c 00 s.........D.L.L.
20 00 66 00 69 00 6c 00 65 00 6e 00 61 00 6d 00 .f.i.l.e.n.a.m.
65 00 20 00 20 00 20 00 3d 00 20 00 25 00 6c 00 e. . . .=. .%.l.
73 00 0a 00 00 00 00 00 53 00 79 00 6d 00 52 00 s.......S.y.m.R.
65 00 66 00 72 00 65 00 73 00 68 00 4d 00 6f 00 e.f.r.e.s.h.M.o.
64 00 75 00 6c 00 65 00 4c 00 69 00 73 00 74 00 d.u.l.e.L.i.s.t.
00 00 00 00 00 00 00 00 0a 00 44 00 4c 00 4c 00 ..........D.L.L.
20 00 6c 00 6f 00 61 00 64 00 65 00 64 00 20 00 .l.o.a.d.e.d. .
69 00 6e 00 20 00 70 00 72 00 6f 00 63 00 65 00 i.n. .p.r.o.c.e.
73 00 73 00 20 00 25 00 6c 00 75 00 20 00 62 00 s.s. .%.l.u. .b.
79 00 20 00 74 00 68 00 72 00 65 00 61 00 64 00 y. .t.h.r.e.a.d.
20 00 25 00 6c 00 75 00 3a 00 0a 00 00 00 00 00 .%.l.u.:.......
0a 00 54 00 68 00 72 00 65 00 61 00 64 00 20 00 ..T.h.r.e.a.d. .
25 00 6c 00 75 00 20 00 65 00 78 00 69 00 74 00 %.l.u. .e.x.i.t.
65 00 64 00 20 00 66 00 72 00 6f 00 6d 00 20 00 e.d. .f.r.o.m. .
70 00 72 00 6f 00 63 00 65 00 73 00 73 00 20 00 p.r.o.c.e.s.s. .
25 00 6c 00 75 00 3a 00 0a 00 09 00 45 00 78 00 %.l.u.:.....E.x.
69 00 74 00 20 00 63 00 6f 00 64 00 65 00 20 00 i.t. .c.o.d.e. .
3d 00 20 00 30 00 78 00 25 00 30 00 38 00 6c 00 =. .0.x.%.0.8.l.
58 00 0a 00 00 00 00 00 53 00 79 00 6d 00 43 00 X.......S.y.m.C.
6c 00 65 00 61 00 6e 00 75 00 70 00 00 00 00 00 l.e.a.n.u.p.....
0a 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 ..P.r.o.c.e.s.s.
20 00 25 00 6c 00 75 00 20 00 65 00 78 00 69 00 .%.l.u. .e.x.i.
74 00 65 00 64 00 20 00 77 00 69 00 74 00 68 00 t.e.d. .w.i.t.h.
20 00 74 00 68 00 72 00 65 00 61 00 64 00 20 00 .t.h.r.e.a.d. .
25 00 6c 00 75 00 3a 00 0a 00 09 00 45 00 78 00 %.l.u.:.....E.x.
69 00 74 00 20 00 63 00 6f 00 64 00 65 00 20 00 i.t. .c.o.d.e. .
3d 00 20 00 30 00 78 00 25 00 30 00 38 00 6c 00 =. .0.x.%.0.8.l.
58 00 0a 00 00 00 00 00 0a 00 54 00 68 00 72 00 X.........T.h.r.
65 00 61 00 64 00 20 00 25 00 6c 00 75 00 20 00 e.a.d. .%.l.u. .
63 00 72 00 65 00 61 00 74 00 65 00 64 00 20 00 c.r.e.a.t.e.d. .
69 00 6e 00 20 00 70 00 72 00 6f 00 63 00 65 00 i.n. .p.r.o.c.e.
73 00 73 00 20 00 25 00 6c 00 75 00 3a 00 0a 00 s.s. .%.l.u.:...
09 00 53 00 74 00 61 00 72 00 74 00 20 00 61 00 ..S.t.a.r.t. .a.
64 00 64 00 72 00 65 00 73 00 73 00 20 00 3d 00 d.d.r.e.s.s. .=.
20 00 30 00 78 00 25 00 70 00 25 00 6c 00 73 00 .0.x.%.p.%.l.s.
0a 00 09 00 54 00 45 00 42 00 20 00 61 00 64 00 ....T.E.B. .a.d.
64 00 72 00 65 00 73 00 73 00 20 00 20 00 20 00 d.r.e.s.s. . . .
3d 00 20 00 30 00 78 00 25 00 70 00 0a 00 00 00 =. .0.x.%.p.....
43 00 6c 00 6f 00 73 00 65 00 48 00 61 00 6e 00 C.l.o.s.e.H.a.n.
64 00 6c 00 65 00 00 00 09 00 42 00 61 00 73 00 d.l.e.....B.a.s.
65 00 20 00 61 00 64 00 64 00 72 00 65 00 73 00 e. .a.d.d.r.e.s.
73 00 20 00 20 00 20 00 20 00 20 00 3d 00 20 00 s. . . . . .=. .
30 00 78 00 25 00 70 00 0a 00 09 00 53 00 74 00 0.x.%.p.....S.t.
61 00 72 00 74 00 20 00 61 00 64 00 64 00 72 00 a.r.t. .a.d.d.r.
65 00 73 00 73 00 20 00 20 00 20 00 20 00 3d 00 e.s.s. . . . .=.
20 00 30 00 78 00 25 00 70 00 25 00 6c 00 73 00 .0.x.%.p.%.l.s.
0a 00 09 00 54 00 45 00 42 00 20 00 61 00 64 00 ....T.E.B. .a.d.
64 00 72 00 65 00 73 00 73 00 20 00 20 00 20 00 d.r.e.s.s. . . .
20 00 20 00 20 00 3d 00 20 00 30 00 78 00 25 00 . . .=. .0.x.%.
70 00 0a 00 00 00 00 00 53 00 79 00 6d 00 47 00 p.......S.y.m.G.
65 00 74 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 e.t.M.o.d.u.l.e.
49 00 6e 00 66 00 6f 00 36 00 34 00 00 00 00 00 I.n.f.o.6.4.....
47 00 65 00 74 00 46 00 69 00 6e 00 61 00 6c 00 G.e.t.F.i.n.a.l.
50 00 61 00 74 00 68 00 4e 00 61 00 6d 00 65 00 P.a.t.h.N.a.m.e.
42 00 79 00 48 00 61 00 6e 00 64 00 6c 00 65 00 B.y.H.a.n.d.l.e.
00 00 00 00 53 00 79 00 6d 00 4c 00 6f 00 61 00 ....S.y.m.L.o.a.
64 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 45 00 d.M.o.d.u.l.e.E.
78 00 00 00 09 00 50 00 72 00 6f 00 63 00 65 00 x.....P.r.o.c.e.
73 00 73 00 20 00 66 00 69 00 6c 00 65 00 6e 00 s.s. .f.i.l.e.n.
61 00 6d 00 65 00 20 00 3d 00 20 00 25 00 68 00 a.m.e. .=. .%.h.
73 00 0a 00 00 00 00 00 53 00 79 00 6d 00 4c 00 s.......S.y.m.L.
6f 00 61 00 64 00 4d 00 6f 00 64 00 75 00 6c 00 o.a.d.M.o.d.u.l.
65 00 45 00 78 00 57 00 00 00 00 00 09 00 50 00 e.E.x.W.......P.
72 00 6f 00 63 00 65 00 73 00 73 00 20 00 66 00 r.o.c.e.s.s. .f.
69 00 6c 00 65 00 6e 00 61 00 6d 00 65 00 20 00 i.l.e.n.a.m.e. .
3d 00 20 00 25 00 6c 00 73 00 0a 00 00 00 00 00 =. .%.l.s.......
52 00 65 00 61 00 64 00 50 00 72 00 6f 00 63 00 R.e.a.d.P.r.o.c.
65 00 73 00 73 00 4d 00 65 00 6d 00 6f 00 72 00 e.s.s.M.e.m.o.r.
79 00 00 00 53 00 79 00 6d 00 62 00 6f 00 6c 00 y...S.y.m.b.o.l.
20 00 73 00 65 00 61 00 72 00 63 00 68 00 20 00 .s.e.a.r.c.h. .
70 00 61 00 74 00 68 00 3a 00 20 00 25 00 6c 00 p.a.t.h.:. .%.l.
73 00 0a 00 00 00 00 00 53 00 79 00 6d 00 47 00 s.......S.y.m.G.
65 00 74 00 53 00 65 00 61 00 72 00 63 00 68 00 e.t.S.e.a.r.c.h.
50 00 61 00 74 00 68 00 00 00 00 00 25 00 6c 00 P.a.t.h.....%.l.
73 00 28 00 29 00 20 00 72 00 65 00 74 00 75 00 s.(.). .r.e.t.u.
72 00 6e 00 65 00 64 00 20 00 65 00 72 00 72 00 r.n.e.d. .e.r.r.
6f 00 72 00 20 00 30 00 78 00 25 00 30 00 38 00 o.r. .0.x.%.0.8.
6c 00 58 00 0a 00 00 00 53 00 79 00 6d 00 49 00 l.X.....S.y.m.I.
6e 00 69 00 74 00 69 00 61 00 6c 00 69 00 7a 00 n.i.t.i.a.l.i.z.
65 00 00 00 00 00 00 00 0a 00 50 00 72 00 6f 00 e.........P.r.o.
63 00 65 00 73 00 73 00 20 00 25 00 6c 00 75 00 c.e.s.s. .%.l.u.
20 00 63 00 72 00 65 00 61 00 74 00 65 00 64 00 .c.r.e.a.t.e.d.
20 00 77 00 69 00 74 00 68 00 20 00 70 00 72 00 .w.i.t.h. .p.r.
69 00 6d 00 61 00 72 00 79 00 20 00 74 00 68 00 i.m.a.r.y. .t.h.
72 00 65 00 61 00 64 00 20 00 25 00 6c 00 75 00 r.e.a.d. .%.l.u.
3a 00 0a 00 00 00 00 00 44 00 65 00 62 00 75 00 :.......D.e.b.u.
67 00 53 00 65 00 74 00 50 00 72 00 6f 00 63 00 g.S.e.t.P.r.o.c.
65 00 73 00 73 00 4b 00 69 00 6c 00 6c 00 4f 00 e.s.s.K.i.l.l.O.
6e 00 45 00 78 00 69 00 74 00 00 00 00 00 00 00 n.E.x.i.t.......
0a 00 44 00 65 00 62 00 75 00 67 00 67 00 65 00 ..D.e.b.u.g.g.e.
65 00 20 00 70 00 72 00 6f 00 63 00 65 00 73 00 e. .p.r.o.c.e.s.
73 00 20 00 25 00 6c 00 75 00 20 00 77 00 69 00 s. .%.l.u. .w.i.
74 00 68 00 20 00 70 00 72 00 69 00 6d 00 61 00 t.h. .p.r.i.m.a.
72 00 79 00 20 00 74 00 68 00 72 00 65 00 61 00 r.y. .t.h.r.e.a.
64 00 20 00 25 00 6c 00 75 00 20 00 63 00 72 00 d. .%.l.u. .c.r.
65 00 61 00 74 00 65 00 64 00 0a 00 00 00 00 00 e.a.t.e.d.......
44 00 65 00 62 00 75 00 67 00 67 00 65 00 65 00 D.e.b.u.g.g.e.e.
20 00 70 00 72 00 6f 00 63 00 65 00 73 00 73 00 .p.r.o.c.e.s.s.
20 00 76 00 65 00 72 00 73 00 69 00 6f 00 6e 00 .v.e.r.s.i.o.n.
20 00 69 00 73 00 20 00 25 00 68 00 75 00 2e 00 .i.s. .%.h.u...
25 00 68 00 75 00 0a 00 00 00 00 00 47 00 65 00 %.h.u.......G.e.
74 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 t.P.r.o.c.e.s.s.
56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 00 00 V.e.r.s.i.o.n...
44 00 65 00 62 00 75 00 67 00 67 00 65 00 65 00 D.e.b.u.g.g.e.e.
20 00 70 00 72 00 6f 00 63 00 65 00 73 00 73 00 .p.r.o.c.e.s.s.
20 00 6c 00 6f 00 61 00 64 00 65 00 64 00 20 00 .l.o.a.d.e.d. .
66 00 72 00 6f 00 6d 00 20 00 69 00 6d 00 61 00 f.r.o.m. .i.m.a.
67 00 65 00 20 00 66 00 69 00 6c 00 65 00 20 00 g.e. .f.i.l.e. .
27 00 25 00 6c 00 73 00 27 00 0a 00 00 00 00 00 '.%.l.s.'.......
51 00 75 00 65 00 72 00 79 00 46 00 75 00 6c 00 Q.u.e.r.y.F.u.l.
6c 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 l.P.r.o.c.e.s.s.
49 00 6d 00 61 00 67 00 65 00 4e 00 61 00 6d 00 I.m.a.g.e.N.a.m.
65 00 00 00 43 00 72 00 65 00 61 00 74 00 65 00 e...C.r.e.a.t.e.
50 00 72 00 6f 00 63 00 65 00 73 00 73 00 00 00 P.r.o.c.e.s.s...
0a 00 44 00 62 00 67 00 48 00 65 00 6c 00 70 00 ..D.b.g.H.e.l.p.
20 00 41 00 50 00 49 00 3a 00 0a 00 09 00 56 00 .A.P.I.:.....V.
65 00 72 00 73 00 69 00 6f 00 6e 00 20 00 20 00 e.r.s.i.o.n. . .
3d 00 20 00 25 00 68 00 75 00 2e 00 25 00 68 00 =. .%.h.u...%.h.
75 00 0a 00 09 00 52 00 65 00 76 00 69 00 73 00 u.....R.e.v.i.s.
69 00 6f 00 6e 00 20 00 3d 00 20 00 25 00 68 00 i.o.n. .=. .%.h.
75 00 0a 00 09 00 52 00 65 00 73 00 65 00 72 00 u.....R.e.s.e.r.
76 00 65 00 64 00 20 00 3d 00 20 00 25 00 68 00 v.e.d. .=. .%.h.
75 00 0a 00 00 00 00 00 41 00 70 00 70 00 6c 00 u.......A.p.p.l.
69 00 63 00 61 00 74 00 69 00 6f 00 6e 00 20 00 i.c.a.t.i.o.n. .
74 00 79 00 70 00 65 00 3a 00 20 00 25 00 6c 00 t.y.p.e.:. .%.l.
75 00 20 00 3d 00 20 00 25 00 6c 00 73 00 0a 00 u. .=. .%.l.s...
00 00 00 00 47 00 65 00 74 00 42 00 69 00 6e 00 ....G.e.t.B.i.n.
61 00 72 00 79 00 54 00 79 00 70 00 65 00 00 00 a.r.y.T.y.p.e...
43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 20 00 C.o.m.m.a.n.d. .
6c 00 69 00 6e 00 65 00 3a 00 20 00 20 00 20 00 l.i.n.e.:. . . .
20 00 20 00 27 00 25 00 6c 00 73 00 27 00 0a 00 . .'.%.l.s.'...
41 00 70 00 70 00 6c 00 69 00 63 00 61 00 74 00 A.p.p.l.i.c.a.t.
69 00 6f 00 6e 00 20 00 6e 00 61 00 6d 00 65 00 i.o.n. .n.a.m.e.
3a 00 20 00 27 00 25 00 6c 00 73 00 27 00 0a 00 :. .'.%.l.s.'...
00 00 00 00 25 00 6c 00 73 00 28 00 29 00 20 00 ....%.l.s.(.). .
72 00 65 00 74 00 75 00 72 00 6e 00 65 00 64 00 r.e.t.u.r.n.e.d.
20 00 65 00 72 00 72 00 6f 00 72 00 20 00 25 00 .e.r.r.o.r. .%.
6c 00 75 00 0a 00 00 00 43 00 6f 00 6d 00 6d 00 l.u.....C.o.m.m.
61 00 6e 00 64 00 4c 00 69 00 6e 00 65 00 54 00 a.n.d.L.i.n.e.T.
6f 00 41 00 72 00 67 00 76 00 00 00 00 00 00 00 o.A.r.g.v.......
b9 79 37 9e 00 00 00 00 68 00 00 00 45 54 41 44 .y7.....h...ETAD
10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 ................
00 00 00 00 10 58 40 00 00 00 00 00 00 00 00 00 .....X@.........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
44 59 00 00 00 00 00 00 00 00 00 00 a6 5a 00 00 DY...........Z..
74 30 00 00 d0 58 00 00 00 00 00 00 00 00 00 00 t0...X..........
8c 5c 00 00 00 30 00 00 38 59 00 00 00 00 00 00 .\...0..8Y......
00 00 00 00 b4 5c 00 00 68 30 00 00 00 00 00 00 .....\..h0......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
1e 5b 00 00 78 5b 00 00 6c 5b 00 00 7c 5c 00 00 .[..x[..l[..|\..
6c 5c 00 00 5c 5c 00 00 4a 5c 00 00 38 5c 00 00 l\..\\..J\..8\..
26 5c 00 00 08 5c 00 00 f4 5b 00 00 d8 5b 00 00 &\...\...[...[..
c4 5b 00 00 b0 5b 00 00 94 5b 00 00 b2 5a 00 00 .[...[...[...Z..
c2 5a 00 00 d0 5a 00 00 e2 5a 00 00 f8 5a 00 00 .Z...Z...Z...Z..
0a 5b 00 00 5e 5b 00 00 34 5b 00 00 4a 5b 00 00 .[..^[..4[..J[..
86 5b 00 00 00 00 00 00 a6 5c 00 00 9a 5c 00 00 .[.......\...\..
00 00 00 00 90 5a 00 00 80 5a 00 00 70 5a 00 00 .....Z...Z..pZ..
5e 5a 00 00 4a 5a 00 00 36 5a 00 00 24 5a 00 00 ^Z..JZ..6Z..$Z..
16 5a 00 00 fe 59 00 00 ea 59 00 00 d4 59 00 00 .Z...Y...Y...Y..
b8 59 00 00 aa 59 00 00 9a 59 00 00 84 59 00 00 .Y...Y...Y...Y..
00 00 00 00 66 00 53 79 6d 47 65 74 4d 6f 64 75 ....f.SymGetModu
6c 65 49 6e 66 6f 57 36 34 00 49 00 53 79 6d 46 leInfoW64.I.SymF
72 6f 6d 41 64 64 72 57 00 00 21 00 53 74 61 63 romAddrW..!.Stac
6b 57 61 6c 6b 36 34 00 51 00 53 79 6d 46 75 6e kWalk64.Q.SymFun
63 74 69 6f 6e 54 61 62 6c 65 41 63 63 65 73 73 ctionTableAccess
36 34 00 00 62 00 53 79 6d 47 65 74 4d 6f 64 75 64..b.SymGetModu
6c 65 42 61 73 65 36 34 00 00 b8 00 53 79 6d 55 leBase64....SymU
6e 6c 6f 61 64 4d 6f 64 75 6c 65 36 34 00 94 00 nloadModule64...
53 79 6d 52 65 66 72 65 73 68 4d 6f 64 75 6c 65 SymRefreshModule
4c 69 73 74 00 00 27 00 53 79 6d 43 6c 65 61 6e List..'.SymClean
75 70 00 00 89 00 53 79 6d 4c 6f 61 64 4d 6f 64 up....SymLoadMod
75 6c 65 45 78 00 8a 00 53 79 6d 4c 6f 61 64 4d uleEx...SymLoadM
6f 64 75 6c 65 45 78 57 00 00 6d 00 53 79 6d 47 oduleExW..m.SymG
65 74 53 65 61 72 63 68 50 61 74 68 57 00 86 00 etSearchPathW...
53 79 6d 49 6e 69 74 69 61 6c 69 7a 65 57 00 00 SymInitializeW..
9f 00 53 79 6d 53 65 74 4f 70 74 69 6f 6e 73 00 ..SymSetOptions.
69 00 53 79 6d 47 65 74 4f 70 74 69 6f 6e 73 00 i.SymGetOptions.
18 00 49 6d 61 67 65 68 6c 70 41 70 69 56 65 72 ..ImagehlpApiVer
73 69 6f 6e 00 00 64 62 67 68 65 6c 70 2e 64 6c sion..dbghelp.dl
6c 00 24 05 57 72 69 74 65 43 6f 6e 73 6f 6c 65 l.$.WriteConsole
57 00 19 01 45 78 69 74 50 72 6f 63 65 73 73 00 W...ExitProcess.
52 02 47 65 74 50 72 6f 63 65 73 73 54 69 6d 65 R.GetProcessTime
73 00 df 01 47 65 74 45 78 69 74 43 6f 64 65 50 s...GetExitCodeP
72 6f 63 65 73 73 00 00 91 02 47 65 74 54 68 72 rocess....GetThr
65 61 64 54 69 6d 65 73 00 00 e0 01 47 65 74 45 eadTimes....GetE
78 69 74 43 6f 64 65 54 68 72 65 61 64 00 f9 04 xitCodeThread...
57 61 69 74 46 6f 72 53 69 6e 67 6c 65 4f 62 6a WaitForSingleObj
65 63 74 00 67 00 43 6f 6e 74 69 6e 75 65 44 65 ect.g.ContinueDe
62 75 67 45 76 65 6e 74 00 00 86 02 47 65 74 54 bugEvent....GetT
68 72 65 61 64 43 6f 6e 74 65 78 74 00 00 85 03 hreadContext....
4f 70 65 6e 54 68 72 65 61 64 00 00 48 03 4c 6f OpenThread..H.Lo
63 61 6c 46 72 65 65 00 44 03 4c 6f 63 61 6c 41 calFree.D.LocalA
6c 6c 6f 63 00 00 52 00 43 6c 6f 73 65 48 61 6e lloc..R.CloseHan
64 6c 65 00 f5 01 47 65 74 46 69 6e 61 6c 50 61 dle...GetFinalPa
74 68 4e 61 6d 65 42 79 48 61 6e 64 6c 65 57 00 thNameByHandleW.
c3 03 52 65 61 64 50 72 6f 63 65 73 73 4d 65 6d ..ReadProcessMem
6f 72 79 00 f6 04 57 61 69 74 46 6f 72 44 65 62 ory...WaitForDeb
75 67 45 76 65 6e 74 00 c9 00 44 65 62 75 67 53 ugEvent...DebugS
65 74 50 72 6f 63 65 73 73 4b 69 6c 6c 4f 6e 45 etProcessKillOnE
78 69 74 00 53 02 47 65 74 50 72 6f 63 65 73 73 xit.S.GetProcess
56 65 72 73 69 6f 6e 00 a2 03 51 75 65 72 79 46 Version...QueryF
75 6c 6c 50 72 6f 63 65 73 73 49 6d 61 67 65 4e ullProcessImageN
61 6d 65 57 00 00 a8 00 43 72 65 61 74 65 50 72 ameW....CreatePr
6f 63 65 73 73 57 00 00 71 01 47 65 74 42 69 6e ocessW..q.GetBin
61 72 79 54 79 70 65 57 00 00 87 01 47 65 74 43 aryTypeW....GetC
6f 6d 6d 61 6e 64 4c 69 6e 65 57 00 02 02 47 65 ommandLineW...Ge
74 4c 61 73 74 45 72 72 6f 72 00 00 64 02 47 65 tLastError..d.Ge
74 53 74 64 48 61 6e 64 6c 65 00 00 73 04 53 65 tStdHandle..s.Se
74 4c 61 73 74 45 72 72 6f 72 00 00 4b 45 52 4e tLastError..KERN
45 4c 33 32 2e 64 6c 6c 00 00 33 03 77 73 70 72 EL32.dll..3.wspr
69 6e 74 66 57 00 35 03 77 76 73 70 72 69 6e 74 intfW.5.wvsprint
66 57 00 00 55 53 45 52 33 32 2e 64 6c 6c 00 00 fW..USER32.dll..
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Decode the dump file DEBUGGER.TXT
created in
step 3. to recreate the console application
Non-interactive Symbolic Debugger:
CERTUTIL.EXE /DecodeHex /V DEBUGGER.TXT DEBUGGER.COM
Input Length = 80512
Output Length = 18944
CertUtil: -decodehex command completed successfully.
debug strings written from all processes running in the current (user) session with the Win32 function
OutputDebugString()
.
Debug strings written with the Win32 function
OutputDebugString()
are caught and typically displayed by the debugger.
In Win32 processes that are not run under a debugger,
the Win32 function
OutputDebugString()
checks whether the shared memory section named
DBWIN_BUFFER
as well as the events named
DBWIN_BUFFER_READY
and
DBWIN_DATA_READY
exist; if yes, it waits until the
event DBWIN_BUFFER_READY
is signaled, writes the
process identifier and its argument into the shared memory section
DBWIN_BUFFER
, signals the event
DBWIN_DATA_READY
and returns to its caller.
File Mapping
Creating a File View
Creating a View Within a File
DBWINNER.COM
big form with embedded application manifest, version information, icon plus time-stamped digital signature, and DBWINNER.COM, a
small form without these extras.
Note: due to the design and implementation of
Windows’ (classic alias legacy) console, the
Win32 function
WriteConsole()
can only write to a console, not to a file nor a pipe, i.e.
redirection of standard error
or standard output
is
not supported!
The MSDN article Console Handles provides background information.
Create the text file DBWINNER.C
with the following
content in an arbitrary, preferably empty directory:
// Copyright © 2004-2023, Stefan Kanthak <stefan.kanthak@nexgo.de>
// * The software is provided "as is" without any warranty, neither express
// nor implied.
// * In no event will the author be held liable for any damage(s) arising
// from the use of the software.
// * Redistribution of the software is allowed only in unmodified form.
// * Permission is granted to use the software solely for personal private
// and non-commercial purposes.
// * An individuals use of the software in his or her capacity or function
// as an agent, (independent) contractor, employee, member or officer of
// a business, corporation or organization (commercial or non-commercial)
// does not qualify as personal private and non-commercial purpose.
// * Without written approval from the author the software must not be used
// for a business, for commercial, corporate, governmental, military or
// organizational purposes of any kind, or in a commercial, corporate,
// governmental, military or organizational environment of any kind.
#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
// Names of the console control events, indexed by the control type value
// that CtrlHandler() passes in. Values 3 and 4 have no name in this table;
// CtrlHandler() never uses those two slots.
const LPCSTR szCtrlType[] = {
    "Ctrl-C",           // 0: CTRL_C_EVENT
    "Ctrl-Break",       // 1: CTRL_BREAK_EVENT
    "Ctrl-Close",       // 2: CTRL_CLOSE_EVENT
    NULL,               // 3: unused
    NULL,               // 4: unused
    "Ctrl-Logoff",      // 5: CTRL_LOGOFF_EVENT
    "Ctrl-Shutdown"     // 6: CTRL_SHUTDOWN_EVENT
};
// Console control handler: reports the received control event as a debug
// string and tells the system that the event was handled.
//
// The debug string is written by this very process, so it arrives in the
// DBWIN buffer tagged with the own process identifier; the receive loop in
// wmainCRTStartup() ends when it sees that identifier, i.e. this handler is
// what stops the monitor after Ctrl-C, Ctrl-Break, close, logoff or shutdown.
//
// Returns TRUE for the five known control types, FALSE for anything else
// (the table szCtrlType[] is only indexed with values it has a name for).
BOOL WINAPI CtrlHandler(DWORD dwCtrlType)
{
    if ((dwCtrlType != CTRL_C_EVENT)
     && (dwCtrlType != CTRL_BREAK_EVENT)
     && (dwCtrlType != CTRL_CLOSE_EVENT)
     && (dwCtrlType != CTRL_LOGOFF_EVENT)
     && (dwCtrlType != CTRL_SHUTDOWN_EVENT))
        return FALSE;

    OutputDebugStringA(szCtrlType[dwCtrlType]);

    return TRUE;
}
// printf()-style output to a console handle.
//
// hConsole  console handle the text is written to with WriteConsole()
// lpFormat  wvsprintf() format string, followed by its arguments
//
// Returns TRUE only when the formatted text is not empty and WriteConsole()
// reports that it wrote all of its characters; FALSE otherwise.
//
// NOTE: wvsprintf() takes no buffer length. The 1024-element buffer relies
//       on the fixed output limit documented for wsprintf()/wvsprintf();
//       __declspec(safebuffers) additionally disables the compiler's buffer
//       security check for this function, so nothing else guards the buffer.
//       NOTE(review): confirm the limit against the SDK in use.
// NOTE: lpFormat must always be a constant supplied by the program; text
//       that comes from another process belongs in the argument list
//       (e.g. for "%hs"), never in the format string.
__declspec(safebuffers)
BOOL PrintConsole(HANDLE hConsole, [SA_FormatString(Style="printf")] LPCWSTR lpFormat, ...)
{
    WCHAR   szText[1024];
    DWORD   cchText;
    DWORD   cchWritten;
    va_list vaArgs;

    va_start(vaArgs, lpFormat);
    cchText = wvsprintf(szText, lpFormat, vaArgs);
    va_end(vaArgs);

    // nothing formatted, or the console write failed: report failure
    if ((cchText != 0)
     && WriteConsole(hConsole, szText, cchText, &cchWritten, NULL))
        return cchWritten == cchText;

    return FALSE;
}
// Layout of the shared memory section named "DBWIN_BUFFER": the identifier
// of the writing process, followed by its debug string. Both members together
// occupy 4096 bytes, the size the section is created with.
//
// Everything in this structure is filled in by another process; neither the
// process identifier nor the termination of the string is verified by the
// section itself.
typedef struct _dbwin_buffer
{
    DWORD dwProcessId;                      // identifier stored by the writer
    CHAR  szString[4096 - sizeof(DWORD)];   // ANSI debug string
} DBWIN_BUFFER;
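// Program entry point: receives the debug strings that processes not running
// under a debugger write with OutputDebugString() and prints them, together
// with the identifier of the writing process, on the console attached to
// standard error.
//
// The function creates the shared section "DBWIN_BUFFER" plus the events
// "DBWIN_BUFFER_READY" and "DBWIN_DATA_READY", then loops: signal "buffer
// ready", wait for "data ready", trim and print the string. The loop ends
// when a string tagged with the own process identifier arrives (written by
// CtrlHandler()) or when the wait does not return WAIT_OBJECT_0.
//
// The process exit code is the last Win32 error recorded in dwError.
//
// Security notes:
// * All three objects are created with default security attributes, and the
//   function refuses to continue when any of them already exists. That keeps
//   it from attaching to a section or event prepared by another process.
// * The contents of the section come from other processes. The process
//   identifier is whatever the writer stored and is not verified here, so
//   the "Process" column is not proof of origin, and a writer that stores
//   this monitor's own identifier ends the loop.
// * The string is not trusted to be NUL-terminated: its length is determined
//   with a scan bounded by the size of the array instead of strlen().
// * Received text is only ever passed as argument for "%hs", never as the
//   format string.
__declspec(noreturn)
VOID WINAPI wmainCRTStartup(VOID)
{
    DBWIN_BUFFER *lpDBWin;

    HANDLE hDBWin;
    HANDLE hDBWinBuffer;
    HANDLE hDBWinData;
    DWORD  dwDBWinData;
    DWORD  dwString;
    DWORD  dwError = ERROR_SUCCESS;
    DWORD  dwProcessId = 0;
    DWORD  dwCurrentProcessId = GetCurrentProcessId();
    HANDLE hConsole = GetStdHandle(STD_ERROR_HANDLE);

    if (hConsole == INVALID_HANDLE_VALUE)
        dwError = GetLastError();
    else
    {
        // section backed by the paging file, one DBWIN_BUFFER in size
        hDBWin = CreateFileMapping(INVALID_HANDLE_VALUE,
                                   (LPSECURITY_ATTRIBUTES) NULL,
                                   PAGE_READWRITE,
                                   0,
                                   sizeof(DBWIN_BUFFER),
                                   L"DBWIN_BUFFER");
        dwError = GetLastError();

        if (hDBWin == NULL)
            PrintConsole(hConsole,
                         L"CreateFileMapping() returned error %lu\n",
                         dwError);
        else
        {
            // an existing section means another listener (or something else)
            // owns the name: do not use an object this process did not create
            if (dwError == ERROR_ALREADY_EXISTS)
                PrintConsole(hConsole,
                             L"Shared section \'DBWIN_BUFFER\' already created by another process!\n");
            else
            {
                // auto-reset event, initially not signaled
                hDBWinBuffer = CreateEvent((LPSECURITY_ATTRIBUTES) NULL,
                                           FALSE,
                                           FALSE,
                                           L"DBWIN_BUFFER_READY");
                dwError = GetLastError();

                if (hDBWinBuffer == NULL)
                    PrintConsole(hConsole,
                                 L"CreateEvent() returned error %lu\n",
                                 dwError);
                else
                {
                    if (dwError == ERROR_ALREADY_EXISTS)
                        PrintConsole(hConsole,
                                     L"Event \'DBWIN_BUFFER_READY\' already created by another process!\n");
                    else
                    {
                        // auto-reset event, initially not signaled
                        hDBWinData = CreateEvent((LPSECURITY_ATTRIBUTES) NULL,
                                                 FALSE,
                                                 FALSE,
                                                 L"DBWIN_DATA_READY");
                        dwError = GetLastError();

                        if (hDBWinData == NULL)
                            PrintConsole(hConsole,
                                         L"CreateEvent() returned error %lu\n",
                                         dwError);
                        else
                        {
                            if (dwError == ERROR_ALREADY_EXISTS)
                                PrintConsole(hConsole,
                                             L"Event \'DBWIN_DATA_READY\' already created by another process!\n");
                            else
                            {
                                // length 0 maps the whole section
                                lpDBWin = MapViewOfFile(hDBWin,
                                                        SECTION_MAP_READ | SECTION_MAP_WRITE,
                                                        0, 0,
                                                        (SIZE_T) 0);

                                if (lpDBWin == NULL)
                                    PrintConsole(hConsole,
                                                 L"MapViewOfFile() returned error %lu\n",
                                                 dwError = GetLastError());
                                else
                                {
                                    // without the handler the loop below has no
                                    // regular way to end: report, but continue
                                    if (!SetConsoleCtrlHandler(CtrlHandler, TRUE))
                                        PrintConsole(hConsole,
                                                     L"SetConsoleCtrlHandler() returned error %lu\n",
                                                     dwError = GetLastError());

                                    PrintConsole(hConsole,
                                                 L"Press \'Ctrl-C\' or \'Ctrl-Break\' to stop!\n"
                                                 L"\n"
                                                 L"Process\tDebug String\n");

                                    do
                                    {
                                        // release the buffer to the next writer
                                        // and wait until it has stored its data
                                        dwDBWinData = SignalObjectAndWait(hDBWinBuffer,
                                                                          hDBWinData,
                                                                          INFINITE,
                                                                          FALSE);
                                        if (dwDBWinData != WAIT_OBJECT_0)
                                            break;

                                        // The view is written by other processes,
                                        // so a terminating NUL is not guaranteed:
                                        // stop at the last array element at the
                                        // latest instead of reading past the view.
                                        for (dwString = 0;
                                             dwString < sizeof(lpDBWin->szString) - 1;
                                             dwString++)
                                            if (lpDBWin->szString[dwString] == '\0')
                                                break;

                                        // strip trailing blanks and control
                                        // characters; the loop body is empty,
                                        // only the index moves
                                        while ((dwString-- > 0)
                                            && ((lpDBWin->szString[dwString] == ' ')
                                             || (lpDBWin->szString[dwString] == '\a')
                                             || (lpDBWin->szString[dwString] == '\b')
                                             || (lpDBWin->szString[dwString] == '\f')
                                             || (lpDBWin->szString[dwString] == '\n')
                                             || (lpDBWin->szString[dwString] == '\r')
                                             || (lpDBWin->szString[dwString] == '\t')
                                             || (lpDBWin->szString[dwString] == '\v')))
                                            /* lpDBWin->szString[dwString] = '\0' */;

                                        // terminate behind the last kept
                                        // character; the bounded scan above
                                        // keeps this index inside the array
                                        lpDBWin->szString[++dwString] = '\0';

                                        // print the process identifier only
                                        // when the writer changes; the value is
                                        // taken from the buffer as is
                                        if (lpDBWin->dwProcessId != dwProcessId)
                                            PrintConsole(hConsole,
                                                         L"\n"
                                                         L"%7lu\t%hs\n",
                                                         dwProcessId = lpDBWin->dwProcessId,
                                                         lpDBWin->szString);
                                        else
                                            PrintConsole(hConsole,
                                                         L"\t%hs\n",
                                                         lpDBWin->szString);
                                    } while (dwProcessId != dwCurrentProcessId);

                                    if (dwDBWinData == WAIT_FAILED)
                                        PrintConsole(hConsole,
                                                     L"SignalObjectAndWait() returned error %lu\n",
                                                     dwError = GetLastError());

                                    if (!SetConsoleCtrlHandler(CtrlHandler, FALSE))
                                        PrintConsole(hConsole,
                                                     L"SetConsoleCtrlHandler() returned error %lu\n",
                                                     GetLastError());

                                    if (!UnmapViewOfFile(lpDBWin))
                                        PrintConsole(hConsole,
                                                     L"UnmapViewOfFile() returned error %lu\n",
                                                     GetLastError());
                                }
                            }

                            if (!CloseHandle(hDBWinData))
                                PrintConsole(hConsole,
                                             L"CloseHandle() returned error %lu\n",
                                             GetLastError());
                        }
                    }

                    if (!CloseHandle(hDBWinBuffer))
                        PrintConsole(hConsole,
                                     L"CloseHandle() returned error %lu\n",
                                     GetLastError());
                }
            }

            if (!CloseHandle(hDBWin))
                PrintConsole(hConsole,
                             L"CloseHandle() returned error %lu\n",
                             GetLastError());
        }

        if (!CloseHandle(hConsole))
            PrintConsole(hConsole,
                         L"CloseHandle() returned error %lu\n",
                         GetLastError());
    }

    ExitProcess(dwError);
}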
Run the following four command lines to compile the source file
DBWINNER.C
created in step 1., link the compiled
object file DBWINNER.OBJ
and cleanup afterwards:
SET CL=/GAFS /Gy /O1isy /W4 /Zl
SET LINK=/DEFAULTLIB:KERNEL32.LIB /DEFAULTLIB:USER32.LIB /ENTRY:wmainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /OSVERSION:5.0 /RELEASE /SUBSYSTEM:CONSOLE /SWAPRUN:CD,NET /VERSION:0.815
CL.EXE /FeDBWINNER.COM DBWINNER.C
ERASE DBWINNER.OBJ
For details and reference see the MSDN articles Compiler Options and Linker Options.
Note: if necessary, see the
MSDN article
Use the Microsoft C++ toolset from the command line
for an introduction.
Note: the command lines can be copied and pasted as block into a Command Processor window!
Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.
DBWINNER.C
Microsoft (R) Incremental Linker Version 10.00.40219.386
Copyright (C) Microsoft Corporation. All rights reserved.
…
Create the text file DBWINNER.TXT
with the following
content in an arbitrary, preferably empty directory:
4d 5a 90 00 01 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
d0 00 00 00 43 00 00 00 40 00 00 00 00 00 00 00 ....C...@.......
00 00 00 00 19 57 04 27 00 00 00 00 00 00 00 00 .....W.'........
00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 00 ................
28 43 29 6f 70 79 72 69 67 68 74 20 32 30 30 34 (C)opyright 2004
2d 32 30 32 33 2c 20 53 74 65 66 61 6e 20 4b 61 -2023, Stefan Ka
6e 74 68 61 6b 20 3c 73 74 65 66 61 6e 2e 6b 61 nthak <stefan.ka
6e 74 68 61 6b 40 6e 65 78 67 6f 2e 64 65 3e 0d nthak@nexgo.de>.
0a 07 24 0e 1f 33 d2 b4 09 cd 21 b8 01 4c cd 21 ..$..3....!..L.!
50 45 00 00 4c 01 02 00 56 4f 49 44 00 00 00 00 PE..L...VOID....
00 00 00 00 e0 00 23 0d 0b 01 0a 00 00 04 00 00 ......#.........
00 06 00 00 00 00 00 00 78 10 00 00 00 10 00 00 ........x.......
00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00 . ....@.........
05 00 00 00 00 00 2f 03 05 00 00 00 00 00 00 00 ....../.........
00 30 00 00 00 02 00 00 e4 86 00 00 03 00 00 85 .0..............
00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 ................
00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ................
18 24 00 00 3c 00 00 00 00 00 00 00 00 00 00 00 .$..<...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 b0 23 00 00 40 00 00 00 .........#..@...
00 00 00 00 00 00 00 00 00 20 00 00 40 00 00 00 ......... ..@...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 2e 63 6f 64 65 00 00 00 .........code...
7f 03 00 00 00 10 00 00 00 04 00 00 00 02 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 ............ ..`
2e 63 6f 6e 73 74 00 00 aa 05 00 00 00 20 00 00 .const....... ..
00 06 00 00 00 06 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 ....@..@........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
8b 44 24 04 83 f8 02 76 0a 83 f8 04 76 17 83 f8 .D$....v....v...
06 77 12 ff 34 85 7c 20 40 00 ff 15 00 20 40 00 .w..4.| @.... @.
33 c0 40 eb 02 33 c0 c2 04 00 55 8b ec 81 ec 08 3.@..3....U.....
08 00 00 56 8d 45 10 50 ff 75 0c 8d 85 f8 f7 ff ...V.E.P.u......
ff 50 ff 15 38 20 40 00 8b f0 85 f6 75 04 33 c0 .P..8 @.....u.3.
eb 23 6a 00 8d 45 fc 50 56 8d 85 f8 f7 ff ff 50 .#j..E.PV......P
ff 75 08 ff 15 04 20 40 00 85 c0 74 e1 33 c0 39 .u.... @...t.3.9
75 fc 0f 94 c0 5e c9 c3 83 ec 1c 55 57 33 ff 89 u....^.....UW3..
7c 24 0c ff 15 30 20 40 00 6a f4 89 44 24 24 ff |$...0 @.j..D$$.
15 2c 20 40 00 8b e8 83 fd ff 75 0f ff 15 28 20 ., @......u...(
40 00 89 44 24 08 e9 c8 02 00 00 53 56 bb 8c 23 @..D$......SV..#
40 00 53 68 00 10 00 00 57 6a 04 57 6a ff ff 15 @.Sh....Wj.Wj...
24 20 40 00 8b 35 28 20 40 00 89 44 24 20 ff d6 $ @..5( @..D$ ..
39 7c 24 20 89 44 24 10 bf 58 23 40 00 75 0b 50 9|$ .D$..X#@.u.P
68 34 23 40 00 e9 60 02 00 00 3d b7 00 00 00 75 h4#@..`...=....u
14 53 68 c0 22 40 00 55 e8 2d ff ff ff 83 c4 0c .Sh."@.U.-......
e9 2f 02 00 00 8b 1d 20 20 40 00 68 94 22 40 00 ./..... @.h."@.
33 c0 50 50 50 ff d3 89 44 24 1c ff d6 33 c9 89 3.PPP...D$...3..
44 24 10 39 4c 24 1c 75 0b 50 68 7c 22 40 00 e9 D$.9L$.u.Ph|"@..
f6 01 00 00 3d b7 00 00 00 75 18 68 94 22 40 00 ....=....u.h."@.
68 18 22 40 00 55 e8 df fe ff ff 83 c4 0c e9 c1 h."@.U..........
01 00 00 68 f4 21 40 00 51 51 51 ff d3 89 44 24 ...h.!@.QQQ...D$
18 ff d6 33 c9 89 44 24 10 39 4c 24 18 75 0b 50 ...3..D$.9L$.u.P
68 7c 22 40 00 e9 90 01 00 00 3d b7 00 00 00 75 h|"@......=....u
18 68 f4 21 40 00 68 18 22 40 00 55 e8 99 fe ff .h.!@.h."@.U....
ff 83 c4 0c e9 5b 01 00 00 51 51 51 6a 06 ff 74 .....[...QQQj..t
24 30 ff 15 1c 20 40 00 8b d8 89 5c 24 24 85 db $0... @....\$$..
75 11 ff d6 50 89 44 24 14 68 d8 21 40 00 e9 27 u...P.D$.h.!@..'
01 00 00 6a 01 68 00 10 40 00 ff 15 18 20 40 00 ...j.h..@.... @.
85 c0 75 16 ff d6 50 68 ac 21 40 00 57 55 89 44 ..u...Ph.!@.WU.D
24 20 e8 43 fe ff ff 83 c4 10 68 20 21 40 00 55 $ .C......h !@.U
e8 35 fe ff ff 59 59 6a 00 6a ff ff 74 24 20 ff .5...YYj.j..t$ .
74 24 28 ff 15 14 20 40 00 85 c0 0f 85 88 00 00 t$(... @........
00 8d 53 04 8b c2 8d 48 01 8a 18 40 84 db 75 f9 ..S....H...@..u.
2b c1 8b c8 48 85 c9 74 2b 8a 0c 02 80 f9 20 74 +...H..t+..... t
f1 80 f9 07 74 ec 80 f9 08 74 e7 80 f9 0c 74 e2 ....t....t....t.
80 f9 0a 74 dd 80 f9 0d 74 d8 80 f9 09 74 d3 80 ...t....t....t..
f9 0b 74 ce 8b 5c 24 24 c6 44 18 05 00 8b 03 52 ..t..\$$.D.....R
3b 44 24 18 74 15 50 68 04 21 40 00 55 89 44 24 ;D$.t.Ph.!@.U.D$
24 e8 b4 fd ff ff 83 c4 10 eb 0e 68 f8 20 40 00 $..........h. @.
55 e8 a4 fd ff ff 83 c4 0c 8b 44 24 14 3b 44 24 U.........D$.;D$
28 0f 85 60 ff ff ff eb 1b 83 f8 ff 75 16 ff d6 (..`........u...
50 68 d0 20 40 00 57 55 89 44 24 20 e8 79 fd ff Ph. @.WU.D$ .y..
ff 83 c4 10 6a 00 68 00 10 40 00 ff 15 18 20 40 ....j.h..@.... @
00 85 c0 75 12 ff d6 50 68 ac 21 40 00 57 55 e8 ...u...Ph.!@.WU.
56 fd ff ff 83 c4 10 53 ff 15 10 20 40 00 85 c0 V......S... @...
75 12 ff d6 50 68 b0 20 40 00 57 55 e8 39 fd ff u...Ph. @.WU.9..
ff 83 c4 10 ff 74 24 18 ff 15 0c 20 40 00 85 c0 .....t$.... @...
75 12 ff d6 50 68 98 20 40 00 57 55 e8 19 fd ff u...Ph. @.WU....
ff 83 c4 10 ff 74 24 1c ff 15 0c 20 40 00 85 c0 .....t$.... @...
75 12 ff d6 50 68 98 20 40 00 57 55 e8 f9 fc ff u...Ph. @.WU....
ff 83 c4 10 ff 74 24 20 ff 15 0c 20 40 00 85 c0 .....t$ ... @...
75 12 ff d6 50 68 98 20 40 00 57 55 e8 d9 fc ff u...Ph. @.WU....
ff 83 c4 10 55 ff 15 0c 20 40 00 85 c0 75 12 ff ....U... @...u..
d6 50 68 98 20 40 00 57 55 e8 bc fc ff ff 83 c4 .Ph. @.WU.......
10 5e 5b ff 74 24 08 ff 15 08 20 40 00 5f 5d 00 .^[.t$.... @._].
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
94 24 00 00 aa 24 00 00 ba 24 00 00 c8 24 00 00 .$...$...$...$..
d6 24 00 00 e8 24 00 00 fe 24 00 00 16 25 00 00 .$...$...$...%..
26 25 00 00 36 25 00 00 4c 25 00 00 5c 25 00 00 &%..6%..L%..\%..
6c 25 00 00 00 00 00 00 90 25 00 00 00 00 00 00 l%.......%......
43 74 72 6c 2d 53 68 75 74 64 6f 77 6e 00 00 00 Ctrl-Shutdown...
43 74 72 6c 2d 4c 6f 67 6f 66 66 00 43 74 72 6c Ctrl-Logoff.Ctrl
2d 43 6c 6f 73 65 00 00 43 74 72 6c 2d 42 72 65 -Close..Ctrl-Bre
61 6b 00 00 43 74 72 6c 2d 43 00 00 74 20 40 00 ak..Ctrl-C..t @.
68 20 40 00 5c 20 40 00 00 00 00 00 00 00 00 00 h @.\ @.........
50 20 40 00 40 20 40 00 43 00 6c 00 6f 00 73 00 P @.@ @.C.l.o.s.
65 00 48 00 61 00 6e 00 64 00 6c 00 65 00 00 00 e.H.a.n.d.l.e...
55 00 6e 00 6d 00 61 00 70 00 56 00 69 00 65 00 U.n.m.a.p.V.i.e.
77 00 4f 00 66 00 46 00 69 00 6c 00 65 00 00 00 w.O.f.F.i.l.e...
53 00 69 00 67 00 6e 00 61 00 6c 00 4f 00 62 00 S.i.g.n.a.l.O.b.
6a 00 65 00 63 00 74 00 41 00 6e 00 64 00 57 00 j.e.c.t.A.n.d.W.
61 00 69 00 74 00 00 00 09 00 25 00 68 00 73 00 a.i.t.....%.h.s.
0a 00 00 00 0a 00 25 00 37 00 6c 00 75 00 09 00 ......%.7.l.u...
25 00 68 00 73 00 0a 00 00 00 00 00 00 00 00 00 %.h.s...........
50 00 72 00 65 00 73 00 73 00 20 00 27 00 43 00 P.r.e.s.s. .'.C.
74 00 72 00 6c 00 2d 00 43 00 27 00 20 00 6f 00 t.r.l.-.C.'. .o.
72 00 20 00 27 00 43 00 74 00 72 00 6c 00 2d 00 r. .'.C.t.r.l.-.
42 00 72 00 65 00 61 00 6b 00 27 00 20 00 74 00 B.r.e.a.k.'. .t.
6f 00 20 00 74 00 65 00 72 00 6d 00 69 00 6e 00 o. .t.e.r.m.i.n.
61 00 74 00 65 00 21 00 0a 00 0a 00 50 00 72 00 a.t.e.!.....P.r.
6f 00 63 00 65 00 73 00 73 00 09 00 44 00 65 00 o.c.e.s.s...D.e.
62 00 75 00 67 00 20 00 4d 00 65 00 73 00 73 00 b.u.g. .M.e.s.s.
61 00 67 00 65 00 0a 00 00 00 00 00 53 00 65 00 a.g.e.......S.e.
74 00 43 00 6f 00 6e 00 73 00 6f 00 6c 00 65 00 t.C.o.n.s.o.l.e.
43 00 74 00 72 00 6c 00 48 00 61 00 6e 00 64 00 C.t.r.l.H.a.n.d.
6c 00 65 00 72 00 00 00 4d 00 61 00 70 00 56 00 l.e.r...M.a.p.V.
69 00 65 00 77 00 4f 00 66 00 46 00 69 00 6c 00 i.e.w.O.f.F.i.l.
65 00 00 00 44 00 42 00 57 00 49 00 4e 00 5f 00 e...D.B.W.I.N._.
44 00 41 00 54 00 41 00 5f 00 52 00 45 00 41 00 D.A.T.A._.R.E.A.
44 00 59 00 00 00 00 00 45 00 76 00 65 00 6e 00 D.Y.....E.v.e.n.
74 00 20 00 27 00 25 00 6c 00 73 00 27 00 20 00 t. .'.%.l.s.'. .
61 00 6c 00 72 00 65 00 61 00 64 00 79 00 20 00 a.l.r.e.a.d.y. .
63 00 72 00 65 00 61 00 74 00 65 00 64 00 20 00 c.r.e.a.t.e.d. .
62 00 79 00 20 00 61 00 6e 00 6f 00 74 00 68 00 b.y. .a.n.o.t.h.
65 00 72 00 20 00 70 00 72 00 6f 00 63 00 65 00 e.r. .p.r.o.c.e.
73 00 73 00 21 00 0a 00 00 00 00 00 43 00 72 00 s.s.!.......C.r.
65 00 61 00 74 00 65 00 45 00 76 00 65 00 6e 00 e.a.t.e.E.v.e.n.
74 00 00 00 44 00 42 00 57 00 49 00 4e 00 5f 00 t...D.B.W.I.N._.
42 00 55 00 46 00 46 00 45 00 52 00 5f 00 52 00 B.U.F.F.E.R._.R.
45 00 41 00 44 00 59 00 00 00 00 00 00 00 00 00 E.A.D.Y.........
53 00 68 00 61 00 72 00 65 00 64 00 20 00 73 00 S.h.a.r.e.d. .s.
65 00 63 00 74 00 69 00 6f 00 6e 00 20 00 27 00 e.c.t.i.o.n. .'.
25 00 6c 00 73 00 27 00 20 00 61 00 6c 00 72 00 %.l.s.'. .a.l.r.
65 00 61 00 64 00 79 00 20 00 63 00 72 00 65 00 e.a.d.y. .c.r.e.
61 00 74 00 65 00 64 00 20 00 62 00 79 00 20 00 a.t.e.d. .b.y. .
61 00 6e 00 6f 00 74 00 68 00 65 00 72 00 20 00 a.n.o.t.h.e.r. .
70 00 72 00 6f 00 63 00 65 00 73 00 73 00 21 00 p.r.o.c.e.s.s.!.
0a 00 00 00 43 00 72 00 65 00 61 00 74 00 65 00 ....C.r.e.a.t.e.
46 00 69 00 6c 00 65 00 4d 00 61 00 70 00 70 00 F.i.l.e.M.a.p.p.
69 00 6e 00 67 00 00 00 25 00 6c 00 73 00 28 00 i.n.g...%.l.s.(.
29 00 20 00 72 00 65 00 74 00 75 00 72 00 6e 00 ). .r.e.t.u.r.n.
65 00 64 00 20 00 65 00 72 00 72 00 6f 00 72 00 e.d. .e.r.r.o.r.
20 00 25 00 6c 00 75 00 0a 00 00 00 44 00 42 00 .%.l.u.....D.B.
57 00 49 00 4e 00 5f 00 42 00 55 00 46 00 46 00 W.I.N._.B.U.F.F.
45 00 52 00 00 00 00 00 b9 79 37 9e 00 00 00 00 E.R......y7.....
68 00 00 00 45 54 41 44 10 00 00 00 00 00 00 00 h...ETAD........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 08 00 00 00 00 a8 23 40 00 .............#@.
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 54 24 00 00 00 00 00 00 ........T$......
00 00 00 00 82 25 00 00 00 20 00 00 8c 24 00 00 .....%... ...$..
00 00 00 00 00 00 00 00 9e 25 00 00 38 20 00 00 .........%..8 ..
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 94 24 00 00 aa 24 00 00 ba 24 00 00 .....$...$...$..
c8 24 00 00 d6 24 00 00 e8 24 00 00 fe 24 00 00 .$...$...$...$..
16 25 00 00 26 25 00 00 36 25 00 00 4c 25 00 00 .%..&%..6%..L%..
5c 25 00 00 6c 25 00 00 00 00 00 00 90 25 00 00 \%..l%.......%..
00 00 00 00 89 03 4f 75 74 70 75 74 44 65 62 75 ......OutputDebu
67 53 74 72 69 6e 67 41 00 00 24 05 57 72 69 74 gStringA..$.Writ
65 43 6f 6e 73 6f 6c 65 57 00 19 01 45 78 69 74 eConsoleW...Exit
50 72 6f 63 65 73 73 00 52 00 43 6c 6f 73 65 48 Process.R.CloseH
61 6e 64 6c 65 00 d6 04 55 6e 6d 61 70 56 69 65 andle...UnmapVie
77 4f 66 46 69 6c 65 00 b0 04 53 69 67 6e 61 6c wOfFile...Signal
4f 62 6a 65 63 74 41 6e 64 57 61 69 74 00 2d 04 ObjectAndWait.-.
53 65 74 43 6f 6e 73 6f 6c 65 43 74 72 6c 48 61 SetConsoleCtrlHa
6e 64 6c 65 72 00 57 03 4d 61 70 56 69 65 77 4f ndler.W.MapViewO
66 46 69 6c 65 00 85 00 43 72 65 61 74 65 45 76 fFile...CreateEv
65 6e 74 57 00 00 8c 00 43 72 65 61 74 65 46 69 entW....CreateFi
6c 65 4d 61 70 70 69 6e 67 57 00 00 02 02 47 65 leMappingW....Ge
74 4c 61 73 74 45 72 72 6f 72 00 00 64 02 47 65 tLastError..d.Ge
74 53 74 64 48 61 6e 64 6c 65 00 00 c1 01 47 65 tStdHandle....Ge
74 43 75 72 72 65 6e 74 50 72 6f 63 65 73 73 49 tCurrentProcessI
64 00 4b 45 52 4e 45 4c 33 32 2e 64 6c 6c 00 00 d.KERNEL32.dll..
35 03 77 76 73 70 72 69 6e 74 66 57 00 00 55 53 5.wvsprintfW..US
45 52 33 32 2e 64 6c 6c 00 00 00 00 00 00 00 00 ER32.dll........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Decode the dump file DBWINNER.TXT
created in
step 3. to recreate the console application
Debug String Monitor:
CERTUTIL.EXE /DecodeHex /V DBWINNER.TXT DBWINNER.COM
Input Length = 13056 Output Length = 3072 CertUtil: -decodehex command completed successfully.
MAKESORTLCID
LANGIDFROMLCID
SORTIDFROMLCID
PRIMARYLANGID
SUBLANGID
MAKELANGID
VerLanguageName()
LANGUAGE.COM
bigform with embedded application manifest, version information, icon plus time-stamped digital signature, and LANGUAGE.COM, a
smallform without these extras.
Note: due to the design and implementation of
Windows’ (classic alias legacy) console, the
Win32 function
WriteConsole()
can only write to a console, not to a file nor a pipe, i.e.
redirection of standard error
or standard output
is
not supported!
The MSDN article Console Handles provides background information.
Create the text file LANGUAGE.C
with the following
content in an arbitrary, preferably empty directory:
// Copyright © 2004-2023, Stefan Kanthak <stefan.kanthak@nexgo.de>
// * The software is provided "as is" without any warranty, neither express
// nor implied.
// * In no event will the author be held liable for any damage(s) arising
// from the use of the software.
// * Redistribution of the software is allowed only in unmodified form.
// * Permission is granted to use the software solely for personal private
// and non-commercial purposes.
// * An individuals use of the software in his or her capacity or function
// as an agent, (independent) contractor, employee, member or officer of
// a business, corporation or organization (commercial or non-commercial)
// does not qualify as personal private and non-commercial purpose.
// * Without written approval from the author the software must not be used
// for a business, for commercial, corporate, governmental, military or
// organizational purposes of any kind, or in a commercial, corporate,
// governmental, military or organizational environment of any kind.
#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
// Formats a printf-style wide string and writes it to a console handle.
//
// hConsole  handle handed unchanged to WriteConsole()
// lpFormat  format string for wvsprintf(); the source annotation marks it as
//           printf-style, so it should always be a literal, never caller data
// ...       arguments consumed by the format string
//
// Returns TRUE only when wvsprintf() produced at least one character and
// WriteConsole() reported having written all of them; FALSE otherwise.
//
// NOTE(review): wvsprintf() receives no destination length. The 1024-element
// buffer relies on the output cap Microsoft documents for the wsprintf()
// family (confirm before changing the size), and __declspec(safebuffers)
// asks the compiler to omit its buffer-overrun check for this function, so
// nothing else guards the buffer.
__declspec(safebuffers)
BOOL PrintConsole(HANDLE hConsole, [SA_FormatString(Style="printf")] LPCWSTR lpFormat, ...)
{
    WCHAR   szBuffer[1024];
    DWORD   cchFormatted;
    DWORD   cchWritten;
    va_list vaArguments;

    va_start(vaArguments, lpFormat);
    cchFormatted = wvsprintf(szBuffer, lpFormat, vaArguments);
    va_end(vaArguments);

    // Success requires a non-empty result that reached the console completely.
    if ((cchFormatted != 0)
     && WriteConsole(hConsole, szBuffer, cchFormatted, &cchWritten, NULL))
        return cchWritten == cchFormatted;

    return FALSE;
}
// Process entry point (no C runtime start-up code is linked in).
//
// Prints the name VerLanguageName() returns for identifier 0, then walks the
// identifiers formed from each primary language value 0..0x01FF plus
// multiples of 0x0400 below 0x8000 and prints every name that differs from
// the name of identifier 0. All output goes to the standard error handle.
// The process exit code is the last Win32 error recorded, or ERROR_SUCCESS.
__declspec(noreturn)
VOID WINAPI wmainCRTStartup(VOID)
{
    DWORD  dwError = ERROR_SUCCESS;
    DWORD  dwPrimary;
    DWORD  dwLangId;
    WCHAR  szName[123];
    WCHAR  szNeutral[123];
    HANDLE hConsole = GetStdHandle(STD_ERROR_HANDLE);

    if (hConsole == INVALID_HANDLE_VALUE)
    {
        // Nowhere to report to: leave with the error code alone.
        dwError = GetLastError();
        ExitProcess(dwError);
    }

    if (VerLanguageName(0,
                        szNeutral,
                        sizeof(szNeutral) / sizeof(*szNeutral)) == 0)
    {
        dwError = GetLastError();
        PrintConsole(hConsole,
                     L"VerLanguageName() returned error %lu for LCID 0x%04lX\n",
                     dwError, 0);
    }
    else
    {
        PrintConsole(hConsole,
                     L"\n0x%04lX = %ls\n",
                     0, szNeutral);

        for (dwPrimary = 0; dwPrimary < 0x0200; dwPrimary++)
        {
            for (dwLangId = dwPrimary; dwLangId < 0x8000; dwLangId += 0x0400)
            {
                if (VerLanguageName(dwLangId,
                                    szName,
                                    sizeof(szName) / sizeof(*szName)) == 0)
                {
                    dwError = GetLastError();
                    PrintConsole(hConsole,
                                 L"VerLanguageName() returned error %lu for LCID 0x%04lX\n",
                                 dwError, dwLangId);
                    continue;
                }

                if (wcscmp(szName, szNeutral) != 0)
                {
                    // Adding 1 to the literal skips its leading newline, so only
                    // the first identifier of a primary language is preceded by
                    // a blank line.
                    PrintConsole(hConsole,
                                 L"\n0x%04lX = %ls\n" + (dwLangId != dwPrimary),
                                 dwLangId, szName);
                    continue;
                }

                // Same name as identifier 0: when this is the bare primary value
                // (and not 0 itself), give up on this primary language.
                if ((dwLangId != 0) && (dwLangId == dwPrimary))
                    break;
            }
        }
    }

    if (!CloseHandle(hConsole))
        PrintConsole(hConsole,
                     L"CloseHandle() returned error %lu\n",
                     GetLastError());

    ExitProcess(dwError);
}
Run the following four command lines to compile the source file
LANGUAGE.C
created in step 1., link the compiled
object file LANGUAGE.OBJ
and cleanup afterwards:
SET CL=/GAFS /Gy /O1isy /W4 /Zl
SET LINK=/DEFAULTLIB:KERNEL32.LIB /DEFAULTLIB:USER32.LIB /ENTRY:wmainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /OSVERSION:5.0 /RELEASE /SUBSYSTEM:CONSOLE /SWAPRUN:CD,NET /VERSION:0.815
CL.EXE /FeLANGUAGE.COM LANGUAGE.C
ERASE LANGUAGE.OBJ
For details and reference see the MSDN articles Compiler Options and Linker Options.
Note: if necessary, see the
MSDN article
Use the Microsoft C++ toolset from the command line
for an introduction.
Note: the command lines can be copied and pasted as block into a Command Processor window!
Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86 Copyright (C) Microsoft Corporation. All rights reserved. LANGUAGE.C Microsoft (R) Incremental Linker Version 10.00.40219.386 Copyright (C) Microsoft Corporation. All rights reserved. …
Create the text file LANGUAGE.TXT
with the following
content in an arbitrary, preferably empty directory:
4d 5a 90 00 01 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
d0 00 00 00 43 00 00 00 40 00 00 00 00 00 00 00 ....C...@.......
00 00 00 00 19 57 04 27 00 00 00 00 00 00 00 00 .....W.'........
00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 00 ................
28 43 29 6f 70 79 72 69 67 68 74 20 32 30 30 34 (C)opyright 2004
2d 32 30 32 33 2c 20 53 74 65 66 61 6e 20 4b 61 -2023, Stefan Ka
6e 74 68 61 6b 20 3c 73 74 65 66 61 6e 2e 6b 61 nthak <stefan.ka
6e 74 68 61 6b 40 6e 65 78 67 6f 2e 64 65 3e 0d nthak@nexgo.de>.
0a 07 24 0e 1f 33 d2 b4 09 cd 21 b8 01 4c cd 21 ..$..3....!..L.!
50 45 00 00 4c 01 02 00 56 4f 49 44 00 00 00 00 PE..L...VOID....
00 00 00 00 e0 00 23 0d 0b 01 0a 00 00 02 00 00 ......#.........
00 04 00 00 00 00 00 00 4e 10 00 00 00 10 00 00 ........N.......
00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00 . ....@.........
05 00 00 00 00 00 2f 03 05 00 00 00 00 00 00 00 ....../.........
00 30 00 00 00 02 00 00 be 6f 00 00 03 00 00 85 .0.......o......
00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 ................
00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ................
70 21 00 00 3c 00 00 00 00 00 00 00 00 00 00 00 p!..<...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 08 21 00 00 40 00 00 00 .........!..@...
00 00 00 00 00 00 00 00 00 20 00 00 24 00 00 00 ......... ..$...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 2e 63 6f 64 65 00 00 00 .........code...
a9 01 00 00 00 10 00 00 00 02 00 00 00 02 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 ............ ..`
2e 63 6f 6e 73 74 00 00 58 02 00 00 00 20 00 00 .const..X.... ..
00 04 00 00 00 04 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 ....@..@........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
55 8b ec 81 ec 08 08 00 00 56 8d 45 10 50 ff 75 U........V.E.P.u
0c 8d 85 f8 f7 ff ff 50 ff 15 1c 20 40 00 8b f0 .......P... @...
85 f6 75 04 33 c0 eb 23 6a 00 8d 45 fc 50 56 8d ..u.3..#j..E.PV.
85 f8 f7 ff ff 50 ff 75 08 ff 15 00 20 40 00 85 .....P.u.... @..
c0 74 e1 33 c0 39 75 fc 0f 94 c0 5e c9 c3 55 8b .t.3.9u....^..U.
ec 81 ec f8 01 00 00 53 56 57 33 f6 6a f4 89 75 .......SVW3.j..u
f8 ff 15 14 20 40 00 8b f8 83 ff ff 75 0e ff 15 .... @......u...
10 20 40 00 89 45 f8 e9 23 01 00 00 6a 7b 8d 85 . @..E..#...j{..
00 ff ff ff 50 56 ff 15 0c 20 40 00 85 c0 75 1e ....PV... @...u.
ff 15 10 20 40 00 56 50 68 90 20 40 00 57 89 45 ... @.VPh. @.W.E
f8 e8 5a ff ff ff 83 c4 10 e9 d1 00 00 00 8d 85 ..Z.............
00 ff ff ff 50 56 68 6c 20 40 00 57 e8 3f ff ff ....PVhl @.W.?..
ff 83 c4 10 89 75 fc bb 00 80 00 00 8b 75 fc e9 .....u.......u..
93 00 00 00 6a 7b 8d 85 08 fe ff ff 50 56 ff 15 ....j{......PV..
0c 20 40 00 85 c0 75 12 ff 15 10 20 40 00 56 50 . @...u.... @.VP
89 45 f8 68 90 20 40 00 eb 53 8d 8d 00 ff ff ff .E.h. @..S......
8d 85 08 fe ff ff 66 8b 10 66 3b 11 75 1e 66 85 ......f..f;.u.f.
d2 74 15 66 8b 50 02 66 3b 51 02 75 0f 83 c0 04 .t.f.P.f;Q.u....
83 c1 04 66 85 d2 75 de 33 c0 eb 05 1b c0 83 d8 ...f..u.3.......
ff 85 c0 74 23 8d 85 08 fe ff ff 50 33 c0 3b 75 ...t#......P3.;u
fc 56 0f 95 c0 8d 04 45 6c 20 40 00 50 57 e8 ad .V.....El @.PW..
fe ff ff 83 c4 10 eb 09 85 f6 74 05 3b 75 fc 74 ..........t.;u.t
0e 81 c6 00 04 00 00 3b f3 0f 82 65 ff ff ff ff .......;...e....
45 fc 81 7d fc 00 02 00 00 0f 82 4d ff ff ff 57 E..}.......M...W
ff 15 08 20 40 00 85 c0 75 15 ff 15 10 20 40 00 ... @...u.... @.
50 68 28 20 40 00 57 e8 64 fe ff ff 83 c4 0c ff Ph( @.W.d.......
75 f8 ff 15 04 20 40 00 cc 00 00 00 00 00 00 00 u.... @.........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
d0 21 00 00 e0 21 00 00 ee 21 00 00 fc 21 00 00 .!...!...!...!..
10 22 00 00 20 22 00 00 00 00 00 00 3e 22 00 00 .".. "......>"..
00 00 00 00 00 00 00 00 43 00 6c 00 6f 00 73 00 ........C.l.o.s.
65 00 48 00 61 00 6e 00 64 00 6c 00 65 00 28 00 e.H.a.n.d.l.e.(.
29 00 20 00 72 00 65 00 74 00 75 00 72 00 6e 00 ). .r.e.t.u.r.n.
65 00 64 00 20 00 65 00 72 00 72 00 6f 00 72 00 e.d. .e.r.r.o.r.
20 00 25 00 6c 00 75 00 0a 00 00 00 0a 00 30 00 .%.l.u.......0.
78 00 25 00 30 00 34 00 6c 00 58 00 20 00 3d 00 x.%.0.4.l.X. .=.
20 00 25 00 6c 00 73 00 0a 00 00 00 00 00 00 00 .%.l.s.........
56 00 65 00 72 00 4c 00 61 00 6e 00 67 00 75 00 V.e.r.L.a.n.g.u.
61 00 67 00 65 00 4e 00 61 00 6d 00 65 00 28 00 a.g.e.N.a.m.e.(.
29 00 20 00 72 00 65 00 74 00 75 00 72 00 6e 00 ). .r.e.t.u.r.n.
65 00 64 00 20 00 65 00 72 00 72 00 6f 00 72 00 e.d. .e.r.r.o.r.
20 00 25 00 6c 00 75 00 20 00 66 00 6f 00 72 00 .%.l.u. .f.o.r.
20 00 4c 00 43 00 49 00 44 00 20 00 30 00 78 00 .L.C.I.D. .0.x.
25 00 30 00 34 00 6c 00 58 00 0a 00 00 00 00 00 %.0.4.l.X.......
b9 79 37 9e 00 00 00 00 68 00 00 00 45 54 41 44 .y7.....h...ETAD
10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 ................
00 00 00 00 00 21 40 00 00 00 00 00 00 00 00 00 .....!@.........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
ac 21 00 00 00 00 00 00 00 00 00 00 30 22 00 00 .!..........0"..
00 20 00 00 c8 21 00 00 00 00 00 00 00 00 00 00 . ...!..........
4c 22 00 00 1c 20 00 00 00 00 00 00 00 00 00 00 L"... ..........
00 00 00 00 00 00 00 00 00 00 00 00 d0 21 00 00 .............!..
e0 21 00 00 ee 21 00 00 fc 21 00 00 10 22 00 00 .!...!...!..."..
20 22 00 00 00 00 00 00 3e 22 00 00 00 00 00 00 "......>"......
24 05 57 72 69 74 65 43 6f 6e 73 6f 6c 65 57 00 $.WriteConsoleW.
19 01 45 78 69 74 50 72 6f 63 65 73 73 00 52 00 ..ExitProcess.R.
43 6c 6f 73 65 48 61 6e 64 6c 65 00 e3 04 56 65 CloseHandle...Ve
72 4c 61 6e 67 75 61 67 65 4e 61 6d 65 57 00 00 rLanguageNameW..
02 02 47 65 74 4c 61 73 74 45 72 72 6f 72 00 00 ..GetLastError..
64 02 47 65 74 53 74 64 48 61 6e 64 6c 65 00 00 d.GetStdHandle..
4b 45 52 4e 45 4c 33 32 2e 64 6c 6c 00 00 35 03 KERNEL32.dll..5.
77 76 73 70 72 69 6e 74 66 57 00 00 55 53 45 52 wvsprintfW..USER
33 32 2e 64 6c 6c 00 00 00 00 00 00 00 00 00 00 32.dll..........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Decode the dump file LANGUAGE.TXT
created in
step 3. to recreate the console application
Language Enumerator:
CERTUTIL.EXE /DecodeHex /V LANGUAGE.TXT LANGUAGE.COM
Input Length = 8704 Output Length = 2048 CertUtil: -decodehex command completed successfully.
MAKELCID
GetLocaleInfo()
GetLocaleInfo()
LOCALE.COM
bigform with embedded application manifest, version information, icon plus time-stamped digital signature, and LOCALE.COM, a
smallform without these extras.
Note: due to the design and implementation of
Windows’ (classic alias legacy) console, the
Win32 function
WriteConsole()
can only write to a console, not to a file nor a pipe, i.e.
redirection of standard error
or standard output
is
not supported!
The MSDN article Console Handles provides background information.
Create the text file LOCALE.C
with the following
content in an arbitrary, preferably empty directory:
// Copyright © 2004-2023, Stefan Kanthak <stefan.kanthak@nexgo.de>
// * The software is provided "as is" without any warranty, neither express
// nor implied.
// * In no event will the author be held liable for any damage(s) arising
// from the use of the software.
// * Redistribution of the software is allowed only in unmodified form.
// * Permission is granted to use the software solely for personal private
// and non-commercial purposes.
// * An individuals use of the software in his or her capacity or function
// as an agent, (independent) contractor, employee, member or officer of
// a business, corporation or organization (commercial or non-commercial)
// does not qualify as personal private and non-commercial purpose.
// * Without written approval from the author the software must not be used
// for a business, for commercial, corporate, governmental, military or
// organizational purposes of any kind, or in a commercial, corporate,
// governmental, military or organizational environment of any kind.
#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
// Writes printf-style formatted wide-character text to a console handle.
//
// hConsole  handle passed as-is to WriteConsole()
// lpFormat  wvsprintf() format string (annotated as printf-style); keep it a
//           literal so no outside text is ever interpreted as a format
// ...       values referenced by the format string
//
// Returns FALSE when wvsprintf() yields no characters or WriteConsole()
// fails; otherwise TRUE exactly when the console accepted every character.
//
// NOTE(review): the destination size is never passed to wvsprintf(); the
// 1024-element buffer depends on the output limit documented for the
// wsprintf() family (verify before resizing). With __declspec(safebuffers)
// the compiler is told not to add its buffer-overrun check here.
__declspec(safebuffers)
BOOL PrintConsole(HANDLE hConsole, [SA_FormatString(Style="printf")] LPCWSTR lpFormat, ...)
{
    WCHAR   szText[1024];
    DWORD   dwLength;
    DWORD   dwWritten;
    va_list vaList;

    va_start(vaList, lpFormat);
    dwLength = wvsprintf(szText, lpFormat, vaList);
    va_end(vaList);

    // Nothing formatted, or the console write failed: report failure.
    if ((dwLength == 0)
     || !WriteConsole(hConsole, szText, dwLength, &dwWritten, NULL))
        return FALSE;

    // A partial write counts as failure too.
    return dwWritten == dwLength;
}
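// Process entry point (no C runtime start-up code is linked in).
//
// For every primary language value 1..0x01FF, walks the identifiers
// "primary + n * 0x0400" (n >= 1) below 0x8000 and, for each one that
// GetLocaleInfo() accepts, prints the localized language name, the ISO 639
// and ISO 3166 codes and the English language and country names (plus the
// native names when NATIVE is defined). All output goes to the standard
// error handle. The process exit code is the last Win32 error recorded, or
// ERROR_SUCCESS.
//
// Changes against the published listing:
// * the length passed for szISO639 is now derived from szISO639 itself
//   instead of szISO3166 (equal today, but a resize of either array would
//   have handed GetLocaleInfo() a wrong buffer length);
// * a buffer whose query failed is set to the empty string, so the summary
//   line no longer formats indeterminate or stale stack contents via %ls;
// * an expected ERROR_INVALID_PARAMETER from the first query no longer
//   resets an error code recorded earlier.
__declspec(noreturn)
VOID WINAPI wmainCRTStartup(VOID)
{
    DWORD dwError = ERROR_SUCCESS;
    DWORD dwQuery;
    DWORD dwPrimaryLanguage;
    DWORD dwLanguage;
    BOOL  bLanguage;
    WCHAR szLanguage[123];
    WCHAR szEnglishLanguage[123];
    WCHAR szEnglishCountry[123];
#ifdef NATIVE
    WCHAR szNativeLanguage[80];
    WCHAR szNativeCountry[80];
#endif
    WCHAR szISO639[9];
    WCHAR szISO3166[9];

    HANDLE hConsole = GetStdHandle(STD_ERROR_HANDLE);

    if (hConsole == INVALID_HANDLE_VALUE)
        dwError = GetLastError();
    else
    {
        for (dwPrimaryLanguage = 0; ++dwPrimaryLanguage < 0x0200;)
        {
            // FALSE until the first identifier of this primary language has
            // been printed; used below to skip the separating blank line.
            bLanguage = FALSE;

            for (dwLanguage = dwPrimaryLanguage; dwLanguage += 0x0400, dwLanguage < 0x8000;)
            {
                if (GetLocaleInfo(dwLanguage,
                                  LOCALE_SLANGUAGE,
                                  szLanguage,
                                  sizeof(szLanguage) / sizeof(*szLanguage)) == 0)
                {
                    // ERROR_INVALID_PARAMETER is the expected answer for an
                    // identifier that does not exist; anything else is
                    // reported and remembered for the exit code.
                    dwQuery = GetLastError();

                    if (dwQuery != ERROR_INVALID_PARAMETER)
                    {
                        dwError = dwQuery;
                        PrintConsole(hConsole,
                                     L"GetLocaleInfo() returned error %lu for LCID 0x%04lX\n",
                                     dwError, dwLanguage);
                    }

                    continue;
                }

                if (GetLocaleInfo(dwLanguage,
                                  LOCALE_SISO639LANGNAME,
                                  szISO639,
                                  sizeof(szISO639) / sizeof(*szISO639)) == 0)
                {
                    dwError = GetLastError();
                    PrintConsole(hConsole,
                                 L"GetLocaleInfo() returned error %lu for LCID 0x%04lX\n",
                                 dwError, dwLanguage);
                    *szISO639 = L'\0';
                }

                if (GetLocaleInfo(dwLanguage,
                                  LOCALE_SISO3166CTRYNAME,
                                  szISO3166,
                                  sizeof(szISO3166) / sizeof(*szISO3166)) == 0)
                {
                    dwError = GetLastError();
                    PrintConsole(hConsole,
                                 L"GetLocaleInfo() returned error %lu for LCID 0x%04lX\n",
                                 dwError, dwLanguage);
                    *szISO3166 = L'\0';
                }

                if (GetLocaleInfo(dwLanguage,
                                  LOCALE_SENGLANGUAGE,
                                  szEnglishLanguage,
                                  sizeof(szEnglishLanguage) / sizeof(*szEnglishLanguage)) == 0)
                {
                    dwError = GetLastError();
                    PrintConsole(hConsole,
                                 L"GetLocaleInfo() returned error %lu for LCID 0x%04lX\n",
                                 dwError, dwLanguage);
                    *szEnglishLanguage = L'\0';
                }

                if (GetLocaleInfo(dwLanguage,
                                  LOCALE_SENGCOUNTRY,
                                  szEnglishCountry,
                                  sizeof(szEnglishCountry) / sizeof(*szEnglishCountry)) == 0)
                {
                    dwError = GetLastError();
                    PrintConsole(hConsole,
                                 L"GetLocaleInfo() returned error %lu for LCID 0x%04lX\n",
                                 dwError, dwLanguage);
                    *szEnglishCountry = L'\0';
                }
#ifdef NATIVE
                if (GetLocaleInfo(dwLanguage,
                                  LOCALE_SNATIVELANGNAME,
                                  szNativeLanguage,
                                  sizeof(szNativeLanguage) / sizeof(*szNativeLanguage)) == 0)
                {
                    dwError = GetLastError();
                    PrintConsole(hConsole,
                                 L"GetLocaleInfo() returned error %lu for LCID 0x%04lX\n",
                                 dwError, dwLanguage);
                    *szNativeLanguage = L'\0';
                }

                if (GetLocaleInfo(dwLanguage,
                                  LOCALE_SNATIVECTRYNAME,
                                  szNativeCountry,
                                  sizeof(szNativeCountry) / sizeof(*szNativeCountry)) == 0)
                {
                    dwError = GetLastError();
                    PrintConsole(hConsole,
                                 L"GetLocaleInfo() returned error %lu for LCID 0x%04lX\n",
                                 dwError, dwLanguage);
                    *szNativeCountry = L'\0';
                }

                // Adding bLanguage (0 or 1) to the literal skips its leading
                // newline for all but the first line of a primary language.
                PrintConsole(hConsole,
                             L"\n0x%04lX = %ls // %ls-%ls;%ls (%ls), %ls (%ls)\n" + bLanguage,
                             dwLanguage,
                             szLanguage,
                             szISO639,
                             szISO3166,
                             szEnglishLanguage,
                             szEnglishCountry,
                             szNativeLanguage,
                             szNativeCountry);
#else
                // Adding bLanguage (0 or 1) to the literal skips its leading
                // newline for all but the first line of a primary language.
                PrintConsole(hConsole,
                             L"\n0x%04lX = %ls // %ls-%ls;%ls (%ls)\n" + bLanguage,
                             dwLanguage,
                             szLanguage,
                             szISO639,
                             szISO3166,
                             szEnglishLanguage,
                             szEnglishCountry);
#endif
                bLanguage = TRUE;
            }
        }

        if (!CloseHandle(hConsole))
            PrintConsole(hConsole,
                         L"CloseHandle() returned error %lu\n",
                         GetLastError());
    }

    ExitProcess(dwError);
}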
Run the following four command lines to compile the source file
LOCALE.C
created in step 1., link the compiled
object file LOCALE.OBJ
and cleanup afterwards:
SET CL=/DNATIVE /GAFS /Gy /O1isy /W4 /Zl
SET LINK=/DEFAULTLIB:KERNEL32.LIB /DEFAULTLIB:USER32.LIB /ENTRY:wmainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /OSVERSION:5.0 /RELEASE /SUBSYSTEM:CONSOLE /SWAPRUN:CD,NET /VERSION:0.815
CL.EXE /FeLOCALE.COM LOCALE.C
ERASE LOCALE.OBJ
For details and reference see the MSDN articles Compiler Options and Linker Options.
Note: if necessary, see the
MSDN article
Use the Microsoft C++ toolset from the command line
for an introduction.
Note: the command lines can be copied and pasted as block into a Command Processor window!
Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86 Copyright (C) Microsoft Corporation. All rights reserved. LOCALE.C Microsoft (R) Incremental Linker Version 10.00.40219.386 Copyright (C) Microsoft Corporation. All rights reserved. …
Create the text file LOCALE.TXT
with the following
content in an arbitrary, preferably empty directory:
4d 5a 90 00 01 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
d0 00 00 00 43 00 00 00 40 00 00 00 00 00 00 00 ....C...@.......
00 00 00 00 19 57 04 27 00 00 00 00 00 00 00 00 .....W.'........
00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 00 ................
28 43 29 6f 70 79 72 69 67 68 74 20 32 30 30 34 (C)opyright 2004
2d 32 30 32 33 2c 20 53 74 65 66 61 6e 20 4b 61 -2023, Stefan Ka
6e 74 68 61 6b 20 3c 73 74 65 66 61 6e 2e 6b 61 nthak <stefan.ka
6e 74 68 61 6b 40 6e 65 78 67 6f 2e 64 65 3e 0d nthak@nexgo.de>.
0a 07 24 0e 1f 33 d2 b4 09 cd 21 b8 01 4c cd 21 ..$..3....!..L.!
50 45 00 00 4c 01 02 00 56 4f 49 44 00 00 00 00 PE..L...VOID....
00 00 00 00 e0 00 23 0d 0b 01 0a 00 00 04 00 00 ......#.........
00 04 00 00 00 00 00 00 4e 10 00 00 00 10 00 00 ........N.......
00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00 . ....@.........
05 00 00 00 00 00 2f 03 05 00 00 00 00 00 00 00 ....../.........
00 30 00 00 00 02 00 00 ad ac 00 00 03 00 00 85 .0..............
00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 ................
00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ................
b0 21 00 00 3c 00 00 00 00 00 00 00 00 00 00 00 .!..<...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 48 21 00 00 40 00 00 00 ........H!..@...
00 00 00 00 00 00 00 00 00 20 00 00 24 00 00 00 ......... ..$...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 2e 63 6f 64 65 00 00 00 .........code...
64 02 00 00 00 10 00 00 00 04 00 00 00 02 00 00 d...............
00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 ............ ..`
2e 63 6f 6e 73 74 00 00 96 02 00 00 00 20 00 00 .const....... ..
00 04 00 00 00 06 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 ....@..@........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
55 8b ec 81 ec 08 08 00 00 56 8d 45 10 50 ff 75 U........V.E.P.u
0c 8d 85 f8 f7 ff ff 50 ff 15 1c 20 40 00 8b f0 .......P... @...
85 f6 75 04 33 c0 eb 23 6a 00 8d 45 fc 50 56 8d ..u.3..#j..E.PV.
85 f8 f7 ff ff 50 ff 75 08 ff 15 00 20 40 00 85 .....P.u.... @..
c0 74 e1 33 c0 39 75 fc 0f 94 c0 5e c9 c3 55 8b .t.3.9u....^..U.
ec 81 ec 64 04 00 00 83 65 f8 00 53 56 57 6a f4 ...d....e..SVWj.
ff 15 14 20 40 00 89 45 fc 83 f8 ff 75 0e ff 15 ... @..E....u...
10 20 40 00 89 45 f8 e9 de 01 00 00 8b 3d 10 20 . @..E.......=.
40 00 c7 45 f4 01 04 00 00 c7 45 ec ff 01 00 00 @..E......E.....
be d0 20 40 00 83 65 f0 00 8b 5d f4 e9 81 01 00 .. @..e...].....
00 6a 7b 8d 85 9c fb ff ff 50 6a 02 53 ff 15 0c .j{......Pj.S...
20 40 00 85 c0 75 26 ff d7 89 45 f8 83 f8 57 75 @...u&...E...Wu
09 83 65 f8 00 e9 52 01 00 00 53 50 56 ff 75 fc ..e...R...SPV.u.
e8 2b ff ff ff 83 c4 10 e9 3f 01 00 00 6a 09 8d .+.......?...j..
45 c4 50 6a 59 53 ff 15 0c 20 40 00 85 c0 75 13 E.PjYS... @...u.
ff d7 53 50 56 ff 75 fc 89 45 f8 e8 00 ff ff ff ..SPV.u..E......
83 c4 10 6a 09 8d 45 d8 50 6a 5a 53 ff 15 0c 20 ...j..E.PjZS...
40 00 85 c0 75 13 ff d7 53 50 56 ff 75 fc 89 45 @...u...SPV.u..E
f8 e8 da fe ff ff 83 c4 10 6a 7b 8d 85 94 fc ff .........j{.....
ff 50 68 01 10 00 00 53 ff 15 0c 20 40 00 85 c0 .Ph....S... @...
75 13 ff d7 53 50 56 ff 75 fc 89 45 f8 e8 ae fe u...SPV.u..E....
ff ff 83 c4 10 6a 7b 8d 85 8c fd ff ff 50 68 02 .....j{......Ph.
10 00 00 53 ff 15 0c 20 40 00 85 c0 75 13 ff d7 ...S... @...u...
53 50 56 ff 75 fc 89 45 f8 e8 82 fe ff ff 83 c4 SPV.u..E........
10 6a 50 8d 85 24 ff ff ff 50 6a 04 53 ff 15 0c .jP..$...Pj.S...
20 40 00 85 c0 75 13 ff d7 53 50 56 ff 75 fc 89 @...u...SPV.u..
45 f8 e8 59 fe ff ff 83 c4 10 6a 50 8d 85 84 fe E..Y......jP....
ff ff 50 6a 08 53 ff 15 0c 20 40 00 85 c0 75 13 ..Pj.S... @...u.
ff d7 53 50 56 ff 75 fc 89 45 f8 e8 30 fe ff ff ..SPV.u..E..0...
83 c4 10 8d 85 84 fe ff ff 50 8d 85 24 ff ff ff .........P..$...
50 8d 85 8c fd ff ff 50 8d 85 94 fc ff ff 50 8d P......P......P.
45 d8 50 8d 45 c4 50 8d 85 9c fb ff ff 50 8b 45 E.P.E.P......P.E
f0 53 8d 04 45 70 20 40 00 50 ff 75 fc e8 ee fd .S..Ep @.P.u....
ff ff 83 c4 28 c7 45 f0 01 00 00 00 81 c3 00 04 ....(.E.........
00 00 81 fb 00 80 00 00 0f 82 73 fe ff ff ff 45 ..........s....E
f4 ff 4d ec 0f 85 5b fe ff ff ff 75 fc ff 15 08 ..M...[....u....
20 40 00 85 c0 75 13 ff d7 50 68 28 20 40 00 ff @...u...Ph( @..
75 fc e8 a9 fd ff ff 83 c4 0c ff 75 f8 ff 15 04 u..........u....
20 40 00 cc 00 00 00 00 00 00 00 00 00 00 00 00 @..............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
10 22 00 00 20 22 00 00 2e 22 00 00 3c 22 00 00 .".. "..."..<"..
4e 22 00 00 5e 22 00 00 00 00 00 00 7c 22 00 00 N"..^"......|"..
00 00 00 00 00 00 00 00 43 00 6c 00 6f 00 73 00 ........C.l.o.s.
65 00 48 00 61 00 6e 00 64 00 6c 00 65 00 28 00 e.H.a.n.d.l.e.(.
29 00 20 00 72 00 65 00 74 00 75 00 72 00 6e 00 ). .r.e.t.u.r.n.
65 00 64 00 20 00 65 00 72 00 72 00 6f 00 72 00 e.d. .e.r.r.o.r.
20 00 25 00 6c 00 75 00 0a 00 00 00 00 00 00 00 .%.l.u.........
0a 00 30 00 78 00 25 00 30 00 34 00 6c 00 58 00 ..0.x.%.0.4.l.X.
20 00 3d 00 20 00 25 00 6c 00 73 00 20 00 2f 00 .=. .%.l.s. ./.
2f 00 20 00 25 00 6c 00 73 00 2d 00 25 00 6c 00 /. .%.l.s.-.%.l.
73 00 3b 00 25 00 6c 00 73 00 20 00 28 00 25 00 s.;.%.l.s. .(.%.
6c 00 73 00 29 00 2c 00 20 00 25 00 6c 00 73 00 l.s.).,. .%.l.s.
20 00 28 00 25 00 6c 00 73 00 29 00 0a 00 00 00 .(.%.l.s.).....
47 00 65 00 74 00 4c 00 6f 00 63 00 61 00 6c 00 G.e.t.L.o.c.a.l.
65 00 49 00 6e 00 66 00 6f 00 28 00 29 00 20 00 e.I.n.f.o.(.). .
72 00 65 00 74 00 75 00 72 00 6e 00 65 00 64 00 r.e.t.u.r.n.e.d.
20 00 65 00 72 00 72 00 6f 00 72 00 20 00 25 00 .e.r.r.o.r. .%.
6c 00 75 00 20 00 66 00 6f 00 72 00 20 00 4c 00 l.u. .f.o.r. .L.
43 00 49 00 44 00 20 00 30 00 78 00 25 00 30 00 C.I.D. .0.x.%.0.
34 00 6c 00 58 00 0a 00 00 00 00 00 00 00 00 00 4.l.X...........
b9 79 37 9e 00 00 00 00 68 00 00 00 45 54 41 44 .y7.....h...ETAD
10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 ................
00 00 00 00 40 21 40 00 00 00 00 00 00 00 00 00 ....@!@.........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
ec 21 00 00 00 00 00 00 00 00 00 00 6e 22 00 00 .!..........n"..
00 20 00 00 08 22 00 00 00 00 00 00 00 00 00 00 . ..."..........
8a 22 00 00 1c 20 00 00 00 00 00 00 00 00 00 00 ."... ..........
00 00 00 00 00 00 00 00 00 00 00 00 10 22 00 00 ............."..
20 22 00 00 2e 22 00 00 3c 22 00 00 4e 22 00 00 "..."..<"..N"..
5e 22 00 00 00 00 00 00 7c 22 00 00 00 00 00 00 ^"......|"......
24 05 57 72 69 74 65 43 6f 6e 73 6f 6c 65 57 00 $.WriteConsoleW.
19 01 45 78 69 74 50 72 6f 63 65 73 73 00 52 00 ..ExitProcess.R.
43 6c 6f 73 65 48 61 6e 64 6c 65 00 06 02 47 65 CloseHandle...Ge
74 4c 6f 63 61 6c 65 49 6e 66 6f 57 00 00 02 02 tLocaleInfoW....
47 65 74 4c 61 73 74 45 72 72 6f 72 00 00 64 02 GetLastError..d.
47 65 74 53 74 64 48 61 6e 64 6c 65 00 00 4b 45 GetStdHandle..KE
52 4e 45 4c 33 32 2e 64 6c 6c 00 00 35 03 77 76 RNEL32.dll..5.wv
73 70 72 69 6e 74 66 57 00 00 55 53 45 52 33 32 sprintfW..USER32
2e 64 6c 6c 00 00 00 00 00 00 00 00 00 00 00 00 .dll............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Decode the dump file LOCALE.TXT
created in
step 3. to recreate the console application
Locale Enumerator:
CERTUTIL.EXE /DecodeHex /V LOCALE.TXT LOCALE.COM
Input Length = 10880 Output Length = 2560 CertUtil: -decodehex command completed successfully.
WNetOpenEnum()
WNetEnumResource()
WNetCloseEnum()
NETRESOURCE structure
NETWORK.COM
bigform with embedded application manifest, version information, icon plus time-stamped digital signature, and NETWORK.COM, a
smallform without these extras.
Note: due to the design and implementation of
Windows’ (classic alias legacy) console, the
Win32 function
WriteConsole()
can only write to a console, not to a file nor a pipe, i.e.
redirection of standard error
or standard output
is
not supported!
The MSDN article Console Handles provides background information.
Create the text file NETWORK.C
with the following
content in an arbitrary, preferably empty directory:
// Copyright © 2004-2023, Stefan Kanthak <stefan.kanthak@nexgo.de>
// * The software is provided "as is" without any warranty, neither express
// nor implied.
// * In no event will the author be held liable for any damage(s) arising
// from the use of the software.
// * Redistribution of the software is allowed only in unmodified form.
// * Permission is granted to use the software solely for personal private
// and non-commercial purposes.
// * An individuals use of the software in his or her capacity or function
// as an agent, (independent) contractor, employee, member or officer of
// a business, corporation or organization (commercial or non-commercial)
// does not qualify as personal private and non-commercial purpose.
// * Without written approval from the author the software must not be used
// for a business, for commercial, corporate, governmental, military or
// organizational purposes of any kind, or in a commercial, corporate,
// governmental, military or organizational environment of any kind.
#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <winnetwk.h>
// Formats a printf-style message and writes it to the console handle.
//
// hConsole  console handle the text is written to with WriteConsole()
// lpFormat  wvsprintf() format string; must be a literal or otherwise
//           trusted text -- data belongs in the variable arguments
//
// Returns TRUE only when the formatted text is non-empty and was written
// completely, FALSE otherwise.
//
// NOTE(review): wvsprintf() takes no buffer size; szOutput relies on the
// output limit documented for wsprintf()/wvsprintf(), and the function is
// built without stack protection (safebuffers) -- keep the buffer size and
// that limit in step.
__declspec(safebuffers)
BOOL PrintConsole(HANDLE hConsole, [SA_FormatString(Style="printf")] LPCWSTR lpFormat, ...)
{
    WCHAR   szOutput[1024];
    DWORD   dwOutput;
    DWORD   dwConsole;
    va_list vaInput;

    va_start(vaInput, lpFormat);
    dwOutput = wvsprintf(szOutput, lpFormat, vaInput);
    va_end(vaInput);

    // nothing formatted, or the console write failed: report failure
    if (dwOutput != 0
     && WriteConsole(hConsole, szOutput, dwOutput, &dwConsole, NULL))
        // success only if every formatted character reached the console
        return dwConsole == dwOutput;

    return FALSE;
}
// Display names for NETRESOURCE.dwDisplayType, indexed by the
// RESOURCEDISPLAYTYPE_* value (0 = generic ... 11 = NDS container).
// The table has 12 entries; a value reported by a network provider must be
// range-checked against the table size before it is used as index.
const LPCWSTR szDisplayType[] = {L"Generic",
L"Domain",
L"Server",
L"Share",
L"File",
L"Group",
L"Network",
L"Root",
L"Administrative Share",
L"Directory",
L"Tree",
L"NDS Container"};
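// Enumerates the network resources below lpNR (NULL = root of the network)
// and prints one record per resource; containers are enumerated recursively.
//
// hConsole  console handle passed through to PrintConsole()
// lpNR      container to enumerate, or NULL for the top level
// dwLevel   0 for the top-level call; every nested call passes dwLevel - 1,
//           i.e. the unsigned value wraps around (0, 0xFFFFFFFF, ...)
//
// The nesting depth (0 - dwLevel) selects the indentation: none at the top
// level, then one, two and at most three tabs.  The depth is clamped, so a
// hierarchy nested deeper than three levels can no longer move the indent
// pointer in front of the L"\t\t\t" literal, and the pointer arithmetic
// no longer depends on 32-bit wrap-around.
//
// All strings taken from the NETRESOURCE records are supplied by network
// providers; they are passed as %ls arguments only, never as format string.
// NOTE(review): lpLocalName, lpComment etc. may be NULL for some resources;
// confirm how wvsprintf() renders a NULL pointer for %ls.
__declspec(safebuffers)
VOID WINAPI Network(HANDLE hConsole, LPNETRESOURCE lpNR, DWORD dwLevel)
{
    NETRESOURCE nr[80];     // receives one NETRESOURCE plus the strings it points to
    HANDLE hNetwork;
    DWORD dwCount;
    DWORD dwSize;
    DWORD dwIndent = 0UL - dwLevel;     // nesting depth: 0, 1, 2, ...
    DWORD dwError = WNetOpenEnum(RESOURCE_GLOBALNET,
                                 RESOURCETYPE_ANY,
#if 0
                                 RESOURCEUSAGE_ALL,
#else
                                 0,
#endif
                                 lpNR,
                                 &hNetwork);

    // turn the depth into an offset 3..0 into L"\t\t\t":
    // offset 3 is the empty string, offset 0 yields three tabs
    if (dwIndent > 3)
        dwIndent = 3;

    dwIndent = 3 - dwIndent;

    if (dwError != ERROR_SUCCESS)
        PrintConsole(hConsole,
                     L"WNetOpenEnum() returned error %lu\n",
                     dwError);
    else
    {
        for (;;)
        {
            // fetch exactly one resource per call
            dwCount = 1;
            dwSize = sizeof(nr);
            dwError = WNetEnumResource(hNetwork,
                                       &dwCount,
                                       nr,
                                       &dwSize);
            if (dwError != ERROR_SUCCESS)
                break;

            PrintConsole(hConsole,
                         L"\n"
                         L"%lsScope:\t\t%lu\n"
                         L"%lsType:\t\t%lu\n"
                         L"%lsDisplay Type:\t%lu = %ls\n"
                         L"%lsUsage:\t\t0x%08lX\n"
                         L"%lsLocal Name:\t%ls\n"
                         L"%lsRemote Name:\t%ls\n"
                         L"%lsComment:\t%ls\n"
                         L"%lsProvider:\t%ls\n",
                         L"\t\t\t" + dwIndent, nr->dwScope,
                         L"\t\t\t" + dwIndent, nr->dwType,
                         L"\t\t\t" + dwIndent, nr->dwDisplayType,
                         // provider-supplied value: range-check before indexing
                         nr->dwDisplayType < sizeof(szDisplayType) / sizeof(*szDisplayType) ? szDisplayType[nr->dwDisplayType] : L"Unknown",
                         L"\t\t\t" + dwIndent, nr->dwUsage,
                         L"\t\t\t" + dwIndent, nr->lpLocalName,
                         L"\t\t\t" + dwIndent, nr->lpRemoteName,
                         L"\t\t\t" + dwIndent, nr->lpComment,
                         L"\t\t\t" + dwIndent, nr->lpProvider);

            // descend into containers; the level counts downwards
            if (nr->dwUsage & RESOURCEUSAGE_CONTAINER)
                Network(hConsole, nr, dwLevel - 1);
        }

        // ERROR_NO_MORE_ITEMS is the regular end of the enumeration
        if (dwError != ERROR_NO_MORE_ITEMS)
            PrintConsole(hConsole,
                         L"WNetEnumResource() returned error %lu\n",
                         dwError);

        dwError = WNetCloseEnum(hNetwork);
        if (dwError != ERROR_SUCCESS)
            PrintConsole(hConsole,
                         L"WNetCloseEnum() returned error %lu\n",
                         dwError);
    }
}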
// Process entry point (linked with /ENTRY:wmainCRTStartup, no C runtime):
// enumerates the whole network on the standard error handle and exits.
//
// The exit code is the error of GetStdHandle() if the handle could not be
// obtained, ERROR_SUCCESS otherwise; errors met during the enumeration are
// printed by Network() and do not change the exit code.
__declspec(noreturn)
VOID WINAPI wmainCRTStartup(VOID)
{
    HANDLE hConsole = GetStdHandle(STD_ERROR_HANDLE);

    // without a usable handle nothing can be printed: just report the error
    if (hConsole == INVALID_HANDLE_VALUE)
        ExitProcess(GetLastError());

    // NULL container and level 0 start at the root of the network
    Network(hConsole, (LPNETRESOURCE) NULL, 0);

    if (!CloseHandle(hConsole))
        PrintConsole(hConsole,
                     L"CloseHandle() returned error %lu\n",
                     GetLastError());

    ExitProcess(ERROR_SUCCESS);
}
Run the following four command lines to compile the source file
NETWORK.C
created in step 1., link the compiled
object file NETWORK.OBJ
and cleanup afterwards:
SET CL=/GAFS /Gy /O1isy /W4 /Zl
SET LINK=/DEFAULTLIB:KERNEL32.LIB /DEFAULTLIB:MPR.LIB /DEFAULTLIB:USER32.LIB /ENTRY:wmainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /OSVERSION:5.0 /RELEASE /SUBSYSTEM:CONSOLE /SWAPRUN:CD,NET /VERSION:0.815
CL.EXE /FeNETWORK.COM NETWORK.C
ERASE NETWORK.OBJ
For details and reference see the MSDN articles Compiler Options and Linker Options.
Note: if necessary, see the
MSDN article
Use the Microsoft C++ toolset from the command line
for an introduction.
Note: the command lines can be copied and pasted as block into a Command Processor window!
Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86 Copyright (C) Microsoft Corporation. All rights reserved. NETWORK.C Microsoft (R) Incremental Linker Version 10.00.40219.386 Copyright (C) Microsoft Corporation. All rights reserved. …
Create the text file NETWORK.TXT
with the following
content in an arbitrary, preferably empty directory:
4d 5a 90 00 01 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
d0 00 00 00 43 00 00 00 40 00 00 00 00 00 00 00 ....C...@.......
00 00 00 00 19 57 04 27 00 00 00 00 00 00 00 00 .....W.'........
00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 00 ................
28 43 29 6f 70 79 72 69 67 68 74 20 32 30 30 34 (C)opyright 2004
2d 32 30 32 33 2c 20 53 74 65 66 61 6e 20 4b 61 -2023, Stefan Ka
6e 74 68 61 6b 20 3c 73 74 65 66 61 6e 2e 6b 61 nthak <stefan.ka
6e 74 68 61 6b 40 6e 65 78 67 6f 2e 64 65 3e 0d nthak@nexgo.de>.
0a 07 24 0e 1f 33 d2 b4 09 cd 21 b8 01 4c cd 21 ..$..3....!..L.!
50 45 00 00 4c 01 02 00 56 4f 49 44 00 00 00 00 PE..L...VOID....
00 00 00 00 e0 00 23 0d 0b 01 0a 00 00 02 00 00 ......#.........
00 06 00 00 00 00 00 00 ac 11 00 00 00 10 00 00 ................
00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00 . ....@.........
05 00 00 00 00 00 2f 03 05 00 00 00 00 00 00 00 ....../.........
00 30 00 00 00 02 00 00 db ba 00 00 03 00 00 85 .0..............
00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 ................
00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ................
98 23 00 00 50 00 00 00 00 00 00 00 00 00 00 00 .#..P...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 30 23 00 00 40 00 00 00 ........0#..@...
00 00 00 00 00 00 00 00 00 20 00 00 30 00 00 00 ......... ..0...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 2e 63 6f 64 65 00 00 00 .........code...
ff 01 00 00 00 10 00 00 00 02 00 00 00 02 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 ............ ..`
2e 63 6f 6e 73 74 00 00 c8 04 00 00 00 20 00 00 .const....... ..
00 06 00 00 00 04 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 ....@..@........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
55 8b ec 81 ec 08 08 00 00 56 8d 45 10 50 ff 75 U........V.E.P.u
0c 8d 85 f8 f7 ff ff 50 ff 15 28 20 40 00 8b f0 .......P..( @...
85 f6 75 04 33 c0 eb 23 6a 00 8d 45 fc 50 56 8d ..u.3..#j..E.PV.
85 f8 f7 ff ff 50 ff 75 08 ff 15 00 20 40 00 85 .....P.u.... @..
c0 74 e1 33 c0 39 75 fc 0f 94 c0 5e c9 c3 55 8b .t.3.9u....^..U.
ec 81 ec 08 0a 00 00 8d 45 fc 50 ff 75 0c 6a 00 ........E.P.u.j.
6a 00 6a 02 ff 15 1c 20 40 00 85 c0 74 1b 50 68 j.j.... @...t.Ph
f0 22 40 00 68 bc 22 40 00 ff 75 08 e8 7f ff ff ."@.h."@..u.....
ff 83 c4 10 e9 1f 01 00 00 56 57 8b 3d 18 20 40 .........VW.=. @
00 8d 45 0c 50 8d 85 f8 f5 ff ff 50 8d 45 f8 50 ..E.P......P.E.P
ff 75 fc c7 45 f8 01 00 00 00 c7 45 0c 00 0a 00 .u..E......E....
00 ff d7 85 c0 0f 85 ae 00 00 00 8b 75 10 8d 34 ............u..4
75 ba 22 40 00 8b 8d 00 f6 ff ff 83 f9 0c 73 09 u."@..........s.
8b 04 8d 08 21 40 00 eb 05 b8 a4 22 40 00 ff b5 ....!@....."@...
14 f6 ff ff 56 ff b5 10 f6 ff ff 56 ff b5 0c f6 ....V......V....
ff ff 56 ff b5 08 f6 ff ff 56 ff b5 04 f6 ff ff ..V......V......
56 50 51 56 ff b5 fc f5 ff ff 56 ff b5 f8 f5 ff VPQV......V.....
ff 56 68 78 21 40 00 ff 75 08 e8 e1 fe ff ff 83 .Vhx!@..u.......
c4 4c f6 85 04 f6 ff ff 02 74 14 8b 45 10 48 50 .L.......t..E.HP
8d 85 f8 f5 ff ff 50 ff 75 08 e8 0f ff ff ff 8d ......P.u.......
45 0c 50 8d 85 f8 f5 ff ff 50 8d 45 f8 50 ff 75 E.P......P.E.P.u
fc c7 45 f8 01 00 00 00 c7 45 0c 00 0a 00 00 ff ..E......E......
d7 85 c0 0f 84 5c ff ff ff be bc 22 40 00 3d 03 .....\....."@.=.
01 00 00 74 12 50 68 54 21 40 00 56 ff 75 08 e8 ...t.PhT!@.V.u..
7c fe ff ff 83 c4 10 ff 75 fc ff 15 20 20 40 00 |.......u... @.
85 c0 74 12 50 68 38 21 40 00 56 ff 75 08 e8 5d ..t.Ph8!@.V.u..]
fe ff ff 83 c4 10 5f 5e c9 c2 0c 00 56 57 6a f4 ......_^....VWj.
33 ff ff 15 10 20 40 00 8b f0 83 fe ff 75 0a ff 3.... @......u..
15 0c 20 40 00 8b f8 eb 2d 57 57 56 e8 7d fe ff .. @....-WWV.}..
ff 56 ff 15 08 20 40 00 85 c0 75 1a ff 15 0c 20 .V... @...u....
40 00 50 68 0c 23 40 00 68 bc 22 40 00 56 e8 0d @.Ph.#@.h."@.V..
fe ff ff 83 c4 10 57 ff 15 04 20 40 00 5f 5e 00 ......W... @._^.
18 24 00 00 28 24 00 00 36 24 00 00 44 24 00 00 .$..($..6$..D$..
54 24 00 00 00 00 00 00 82 24 00 00 96 24 00 00 T$.......$...$..
72 24 00 00 00 00 00 00 ae 24 00 00 00 00 00 00 r$.......$......
4e 00 44 00 53 00 20 00 43 00 6f 00 6e 00 74 00 N.D.S. .C.o.n.t.
61 00 69 00 6e 00 65 00 72 00 00 00 54 00 72 00 a.i.n.e.r...T.r.
65 00 65 00 00 00 00 00 44 00 69 00 72 00 65 00 e.e.....D.i.r.e.
63 00 74 00 6f 00 72 00 79 00 00 00 41 00 64 00 c.t.o.r.y...A.d.
6d 00 69 00 6e 00 69 00 73 00 74 00 72 00 61 00 m.i.n.i.s.t.r.a.
74 00 69 00 76 00 65 00 20 00 53 00 68 00 61 00 t.i.v.e. .S.h.a.
72 00 65 00 00 00 00 00 52 00 6f 00 6f 00 74 00 r.e.....R.o.o.t.
00 00 00 00 4e 00 65 00 74 00 77 00 6f 00 72 00 ....N.e.t.w.o.r.
6b 00 00 00 47 00 72 00 6f 00 75 00 70 00 00 00 k...G.r.o.u.p...
46 00 69 00 6c 00 65 00 00 00 00 00 53 00 68 00 F.i.l.e.....S.h.
61 00 72 00 65 00 00 00 53 00 65 00 72 00 76 00 a.r.e...S.e.r.v.
65 00 72 00 00 00 00 00 44 00 6f 00 6d 00 61 00 e.r.....D.o.m.a.
69 00 6e 00 00 00 00 00 47 00 65 00 6e 00 65 00 i.n.....G.e.n.e.
72 00 69 00 63 00 00 00 f8 20 40 00 e8 20 40 00 r.i.c.... @.. @.
d8 20 40 00 cc 20 40 00 c0 20 40 00 b4 20 40 00 . @.. @.. @.. @.
a4 20 40 00 98 20 40 00 6c 20 40 00 58 20 40 00 . @.. @.l @.X @.
4c 20 40 00 30 20 40 00 57 00 4e 00 65 00 74 00 L @.0 @.W.N.e.t.
43 00 6c 00 6f 00 73 00 65 00 45 00 6e 00 75 00 C.l.o.s.e.E.n.u.
6d 00 00 00 57 00 4e 00 65 00 74 00 45 00 6e 00 m...W.N.e.t.E.n.
75 00 6d 00 52 00 65 00 73 00 6f 00 75 00 72 00 u.m.R.e.s.o.u.r.
63 00 65 00 00 00 00 00 0a 00 25 00 6c 00 73 00 c.e.......%.l.s.
53 00 63 00 6f 00 70 00 65 00 3a 00 09 00 09 00 S.c.o.p.e.:.....
25 00 6c 00 75 00 0a 00 25 00 6c 00 73 00 54 00 %.l.u...%.l.s.T.
79 00 70 00 65 00 3a 00 09 00 09 00 25 00 6c 00 y.p.e.:.....%.l.
75 00 0a 00 25 00 6c 00 73 00 44 00 69 00 73 00 u...%.l.s.D.i.s.
70 00 6c 00 61 00 79 00 20 00 54 00 79 00 70 00 p.l.a.y. .T.y.p.
65 00 3a 00 09 00 25 00 6c 00 75 00 20 00 3d 00 e.:...%.l.u. .=.
20 00 25 00 6c 00 73 00 0a 00 25 00 6c 00 73 00 .%.l.s...%.l.s.
55 00 73 00 61 00 67 00 65 00 3a 00 09 00 09 00 U.s.a.g.e.:.....
30 00 78 00 25 00 30 00 38 00 6c 00 58 00 0a 00 0.x.%.0.8.l.X...
25 00 6c 00 73 00 4c 00 6f 00 63 00 61 00 6c 00 %.l.s.L.o.c.a.l.
20 00 4e 00 61 00 6d 00 65 00 3a 00 09 00 25 00 .N.a.m.e.:...%.
6c 00 73 00 0a 00 25 00 6c 00 73 00 52 00 65 00 l.s...%.l.s.R.e.
6d 00 6f 00 74 00 65 00 20 00 4e 00 61 00 6d 00 m.o.t.e. .N.a.m.
65 00 3a 00 09 00 25 00 6c 00 73 00 0a 00 25 00 e.:...%.l.s...%.
6c 00 73 00 43 00 6f 00 6d 00 6d 00 65 00 6e 00 l.s.C.o.m.m.e.n.
74 00 3a 00 09 00 25 00 6c 00 73 00 0a 00 25 00 t.:...%.l.s...%.
6c 00 73 00 50 00 72 00 6f 00 76 00 69 00 64 00 l.s.P.r.o.v.i.d.
65 00 72 00 3a 00 09 00 25 00 6c 00 73 00 0a 00 e.r.:...%.l.s...
00 00 00 00 55 00 6e 00 6b 00 6e 00 6f 00 77 00 ....U.n.k.n.o.w.
6e 00 00 00 09 00 09 00 09 00 00 00 25 00 6c 00 n...........%.l.
73 00 28 00 29 00 20 00 72 00 65 00 74 00 75 00 s.(.). .r.e.t.u.
72 00 6e 00 65 00 64 00 20 00 65 00 72 00 72 00 r.n.e.d. .e.r.r.
6f 00 72 00 20 00 25 00 6c 00 75 00 0a 00 00 00 o.r. .%.l.u.....
57 00 4e 00 65 00 74 00 4f 00 70 00 65 00 6e 00 W.N.e.t.O.p.e.n.
45 00 6e 00 75 00 6d 00 00 00 00 00 43 00 6c 00 E.n.u.m.....C.l.
6f 00 73 00 65 00 48 00 61 00 6e 00 64 00 6c 00 o.s.e.H.a.n.d.l.
65 00 00 00 00 00 00 00 b9 79 37 9e 00 00 00 00 e........y7.....
68 00 00 00 45 54 41 44 10 00 00 00 00 00 00 00 h...ETAD........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 08 00 00 00 00 28 23 40 00 ............(#@.
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 e8 23 00 00 00 00 00 00 .........#......
00 00 00 00 64 24 00 00 00 20 00 00 00 24 00 00 ....d$... ...$..
00 00 00 00 00 00 00 00 a6 24 00 00 18 20 00 00 .........$... ..
10 24 00 00 00 00 00 00 00 00 00 00 bc 24 00 00 .$...........$..
28 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ( ..............
00 00 00 00 00 00 00 00 18 24 00 00 28 24 00 00 .........$..($..
36 24 00 00 44 24 00 00 54 24 00 00 00 00 00 00 6$..D$..T$......
82 24 00 00 96 24 00 00 72 24 00 00 00 00 00 00 .$...$..r$......
ae 24 00 00 00 00 00 00 24 05 57 72 69 74 65 43 .$......$.WriteC
6f 6e 73 6f 6c 65 57 00 19 01 45 78 69 74 50 72 onsoleW...ExitPr
6f 63 65 73 73 00 52 00 43 6c 6f 73 65 48 61 6e ocess.R.CloseHan
64 6c 65 00 02 02 47 65 74 4c 61 73 74 45 72 72 dle...GetLastErr
6f 72 00 00 64 02 47 65 74 53 74 64 48 61 6e 64 or..d.GetStdHand
6c 65 00 00 4b 45 52 4e 45 4c 33 32 2e 64 6c 6c le..KERNEL32.dll
00 00 10 00 57 4e 65 74 43 6c 6f 73 65 45 6e 75 ....WNetCloseEnu
6d 00 1c 00 57 4e 65 74 45 6e 75 6d 52 65 73 6f m...WNetEnumReso
75 72 63 65 57 00 3d 00 57 4e 65 74 4f 70 65 6e urceW.=.WNetOpen
45 6e 75 6d 57 00 4d 50 52 2e 64 6c 6c 00 35 03 EnumW.MPR.dll.5.
77 76 73 70 72 69 6e 74 66 57 00 00 55 53 45 52 wvsprintfW..USER
33 32 2e 64 6c 6c 00 00 00 00 00 00 00 00 00 00 32.dll..........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Decode the dump file NETWORK.TXT
created in
step 3. to recreate the console application
Network Enumerator:
CERTUTIL.EXE /DecodeHex /V NETWORK.TXT NETWORK.COM
Input Length = 10880 Output Length = 2560 CertUtil: -decodehex command completed successfully.
NOTIFIER.COM ‹directory name› …
bigform with embedded application manifest, version information, icon plus time-stamped digital signature, and NOTIFIER.COM, a
smallform without these extras.
Note: due to the design and implementation of
Windows’ (classic alias legacy) console, the
Win32 function
WriteConsole()
can only write to a console, not to a file nor a pipe, i.e.
redirection of standard error
or standard output
is
not supported!
The MSDN article Console Handles provides background information.
Create the text file NOTIFIER.C
with the following
content in an arbitrary, preferably empty directory:
// Copyright © 2004-2023, Stefan Kanthak <stefan.kanthak@nexgo.de>
// * The software is provided "as is" without any warranty, neither express
// nor implied.
// * In no event will the author be held liable for any damage(s) arising
// from the use of the software.
// * Redistribution of the software is allowed only in unmodified form.
// * Permission is granted to use the software solely for personal private
// and non-commercial purposes.
// * An individuals use of the software in his or her capacity or function
// as an agent, (independent) contractor, employee, member or officer of
// a business, corporation or organization (commercial or non-commercial)
// does not qualify as personal private and non-commercial purpose.
// * Without written approval from the author the software must not be used
// for a business, for commercial, corporate, governmental, military or
// organizational purposes of any kind, or in a commercial, corporate,
// governmental, military or organizational environment of any kind.
#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <shellapi.h>
#define FILE_NOTIFY_CHANGE_UNDOCUMENTED 0x00000E80UL
#define FILE_NOTIFY_CHANGE_ANY 0x00000FFFUL
#define FILE_NOTIFY_CHANGE_INVALID 0xFFFFF000UL
// Formats a printf-style message and writes it to the console handle.
//
// hConsole  console handle the text is written to with WriteConsole()
// lpFormat  wvsprintf() format string; must be a literal or otherwise
//           trusted text -- file and directory names belong in the
//           variable arguments
//
// Returns TRUE only when the formatted text is non-empty and was written
// completely, FALSE otherwise.
//
// NOTE(review): wvsprintf() takes no buffer size; szOutput relies on the
// output limit documented for wsprintf()/wvsprintf(), and the function is
// built without stack protection (safebuffers) -- keep the buffer size and
// that limit in step.
__declspec(safebuffers)
BOOL PrintConsole(HANDLE hConsole, [SA_FormatString(Style="printf")] LPCWSTR lpFormat, ...)
{
    WCHAR   szOutput[1024];
    DWORD   dwOutput;
    DWORD   dwConsole;
    va_list vaInput;

    va_start(vaInput, lpFormat);
    dwOutput = wvsprintf(szOutput, lpFormat, vaInput);
    va_end(vaInput);

    // nothing formatted, or the console write failed: report failure
    if (dwOutput != 0
     && WriteConsole(hConsole, szOutput, dwOutput, &dwConsole, NULL))
        // success only if every formatted character reached the console
        return dwConsole == dwOutput;

    return FALSE;
}
// Thread handles whose pending synchronous I/O CtrlHandler() cancels;
// the array holds at most MAXIMUM_WAIT_OBJECTS handles.
// NOTE(review): presumably filled by the entry point, one handle per
// watched directory -- whoever writes here must keep dwThreads within
// the array bounds, and CtrlHandler() reads both without synchronisation.
HANDLE hThreads[MAXIMUM_WAIT_OBJECTS];
// Number of entries of hThreads[] that CtrlHandler() walks (dwThreads - 1 down to 0).
DWORD dwThreads = 0;
// Key names for the "Ctrl-%ls" message, indexed by the CTRL_*_EVENT value:
// 0 = CTRL_C_EVENT, 1 = CTRL_BREAK_EVENT, 2 = CTRL_CLOSE_EVENT,
// 5 = CTRL_LOGOFF_EVENT, 6 = CTRL_SHUTDOWN_EVENT; indices 3 and 4 are
// NULL placeholders and must not be printed.
const LPCWSTR szCtrlType[] = {L"C",
L"Break",
L"Close",
NULL,
NULL,
L"Logoff",
L"Shutdown"};
// Console control handler: announces the received control event and cancels
// the synchronous I/O pending in every thread recorded in hThreads[].
//
// dwCtrlType  one of the CTRL_*_EVENT values
//
// Returns TRUE for the five known events (the event counts as handled),
// FALSE for any other value.  Only the known event values reach the
// szCtrlType[] lookup, so the index is always inside the table and never
// selects one of its NULL placeholders.
BOOL WINAPI CtrlHandler(DWORD dwCtrlType)
{
    DWORD  dwIndex  = dwThreads;    // snapshot of the thread count on entry
    HANDLE hConsole = GetStdHandle(STD_ERROR_HANDLE);
    HANDLE hThread;

    if (dwCtrlType != CTRL_C_EVENT
     && dwCtrlType != CTRL_BREAK_EVENT
     && dwCtrlType != CTRL_CLOSE_EVENT
     && dwCtrlType != CTRL_LOGOFF_EVENT
     && dwCtrlType != CTRL_SHUTDOWN_EVENT)
        return FALSE;

    PrintConsole(hConsole,
                 L"Ctrl-%ls\n",
                 szCtrlType[dwCtrlType]);

    // walk the recorded threads from the last one down to the first
    for (; dwIndex > 0; dwIndex--)
    {
        hThread = hThreads[dwIndex - 1];

        if (!CancelSynchronousIo(hThread))
            PrintConsole(hConsole,
                         L"CancelSynchronousIo() returned error %lu for thread 0x%p\n",
                         GetLastError(), hThread);
    }

    return TRUE;
}
// Verbs for FILE_NOTIFY_INFORMATION.Action, indexed by the FILE_ACTION_*
// value: 1 = added, 2 = removed, 3 = modified, 4 = renamed (old name),
// 5 = renamed (new name).  Index 0 is a NULL placeholder and the table has
// only 6 entries, so an Action value must be range-checked (and the NULL
// slot excluded) before it is used as index.
const LPCWSTR lpAction[] = {NULL,
L"Added",
L"Removed",
L"Modified",
L"Renamed from",
L"Renamed to"};
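// Thread routine: watches the directory lpArgument including its subtree
// and prints one line per reported change until ReadDirectoryChangesW()
// fails, for example after CancelSynchronousIo() was called for the thread.
//
// lpArgument  path name of the directory to watch
//
// Returns the last Win32 error code recorded, ERROR_SUCCESS if none.
//
// Safety properties of this version:
// * the notification buffer has one DWORD of slack that is not announced to
//   ReadDirectoryChangesW(), so terminating the last file name can never
//   write behind the buffer (the function is built with safebuffers, i.e.
//   without stack cookie);
// * the character replaced by the terminator is restored after printing;
//   when a name fills its record completely that character belongs to the
//   NextEntryOffset of the following record, and leaving it overwritten
//   would end the walk early and lose the remaining notifications;
// * Action is range-checked before it indexes lpAction[];
// * a final path name that does not fit into szArgument is reported as
//   error instead of printing the unfilled buffer.
__declspec(safebuffers)
DWORD WINAPI ThreadProc(LPCWSTR lpArgument)
{
    FILE_NOTIFY_INFORMATION *lpEntry;
#if 0
    BY_HANDLE_FILE_INFORMATION bhfi;
#else
    FILE_ATTRIBUTE_TAG_INFO fati;
#endif
    HANDLE hArgument;
    WCHAR szArgument[MAX_PATH];
    WCHAR *lpName;      // position of the temporary terminator
    WCHAR wcName;       // character replaced by the terminator
    DWORD dwArgument;
    DWORD dwError = ERROR_SUCCESS;
    DWORD dwEntry;
    DWORD dwBuffer[65536 / sizeof(DWORD) + 1];      // 64 KiB plus one DWORD of slack
    HANDLE hConsole = GetStdHandle(STD_ERROR_HANDLE);

    if (hConsole == INVALID_HANDLE_VALUE)
        dwError = GetLastError();
    else
    {
        // FILE_FLAG_BACKUP_SEMANTICS is required to open a directory
        hArgument = CreateFile(lpArgument,
                               FILE_LIST_DIRECTORY,
                               FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_WRITE,
                               (LPSECURITY_ATTRIBUTES) NULL,
                               OPEN_EXISTING,
                               FILE_FLAG_BACKUP_SEMANTICS,
                               (HANDLE) NULL);
        if (hArgument == INVALID_HANDLE_VALUE)
            PrintConsole(hConsole,
                         L"CreateFile() returned error %lu for argument \'%ls\'\n",
                         dwError = GetLastError(), lpArgument);
        else
        {
            // accept real directories only: reparse points (junctions,
            // symbolic links) are rejected, the check is made on the
            // opened handle, not on the path name
#if 0
            if (!GetFileInformationByHandle(hArgument,
                                            &bhfi))
                PrintConsole(hConsole,
                             L"GetFileInformationByHandle() returned error %lu for argument \'%ls\'\n",
                             dwError = GetLastError(), lpArgument);
            else
                if (((bhfi.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) != FILE_ATTRIBUTE_DIRECTORY)
                 || ((bhfi.dwFileAttributes & FILE_ATTRIBUTE_REPARSE_POINT) == FILE_ATTRIBUTE_REPARSE_POINT))
#else
            if (!GetFileInformationByHandleEx(hArgument,
                                              FileAttributeTagInfo,
                                              &fati,
                                              sizeof(fati)))
                PrintConsole(hConsole,
                             L"GetFileInformationByHandleEx() returned error %lu for argument \'%ls\'\n",
                             dwError = GetLastError(), lpArgument);
            else
                if (((fati.FileAttributes & FILE_ATTRIBUTE_DIRECTORY) != FILE_ATTRIBUTE_DIRECTORY)
                 || ((fati.FileAttributes & FILE_ATTRIBUTE_REPARSE_POINT) == FILE_ATTRIBUTE_REPARSE_POINT))
#endif
                    PrintConsole(hConsole,
                                 L"Argument \'%ls\' is not a directory!\n",
                                 lpArgument);
                else
                {
                    dwArgument = GetFinalPathNameByHandle(hArgument,
                                                          szArgument,
                                                          sizeof(szArgument) / sizeof(*szArgument),
                                                          FILE_NAME_NORMALIZED | VOLUME_NAME_DOS);
                    if (dwArgument == 0)
                        PrintConsole(hConsole,
                                     L"GetFinalPathNameByHandle() returned error %lu for argument \'%ls\'\n",
                                     dwError = GetLastError(), lpArgument);
                    else
                        // a result not smaller than the buffer is the required
                        // size: the path did not fit, szArgument is not filled
                        if (dwArgument >= sizeof(szArgument) / sizeof(*szArgument))
                            PrintConsole(hConsole,
                                         L"GetFinalPathNameByHandle() returned error %lu for argument \'%ls\'\n",
                                         dwError = ERROR_INSUFFICIENT_BUFFER, lpArgument);
                        else
                        {
                            // NOTE: a call that succeeds with 0 bytes (more changes
                            //       than the buffer can hold) prints nothing
                            while (ReadDirectoryChangesW(hArgument,
                                                         dwBuffer,
                                                         sizeof(dwBuffer) - sizeof(DWORD),
                                                         TRUE,
#ifdef FILE_NOTIFY_CHANGE_ALL
                                                         FILE_NOTIFY_CHANGE_ALL,
#else
                                                         FILE_NOTIFY_CHANGE_ATTRIBUTES | FILE_NOTIFY_CHANGE_CREATION | FILE_NOTIFY_CHANGE_DIR_NAME | FILE_NOTIFY_CHANGE_FILE_NAME | FILE_NOTIFY_CHANGE_LAST_ACCESS | FILE_NOTIFY_CHANGE_LAST_WRITE | FILE_NOTIFY_CHANGE_SECURITY | FILE_NOTIFY_CHANGE_SIZE,
#endif
                                                         &dwEntry,
                                                         (LPOVERLAPPED) NULL,
                                                         (LPOVERLAPPED_COMPLETION_ROUTINE) NULL))
                                // dwEntry first holds the number of bytes returned,
                                // then the offset to the next record (0 = last one)
                                for (lpEntry = (PFILE_NOTIFY_INFORMATION) dwBuffer;
                                     dwEntry != 0;
                                     lpEntry = (PFILE_NOTIFY_INFORMATION) ((LPBYTE) lpEntry + dwEntry))
                                {
                                    dwEntry = lpEntry->NextEntryOffset;

                                    // FileName is not terminated: terminate it
                                    // for %ls, and undo that after printing
                                    lpName = lpEntry->FileName + lpEntry->FileNameLength / sizeof(lpEntry->FileName[0]);
                                    wcName = *lpName;
                                    *lpName = L'\0';

                                    // szArgument + 4 skips the "\\?\" prefix
                                    PrintConsole(hConsole,
                                                 L"%ls %ls\\%ls\n",
                                                 lpEntry->Action < sizeof(lpAction) / sizeof(*lpAction) && lpAction[lpEntry->Action] != NULL ? lpAction[lpEntry->Action] : L"Unknown",
                                                 szArgument + 4, lpEntry->FileName);

                                    *lpName = wcName;
                                }

                            PrintConsole(hConsole,
                                         L"ReadDirectoryChanges() returned error %lu for directory \'%ls\'\n",
                                         dwError = GetLastError(), szArgument + 4);
                        }
                }

            if (!CloseHandle(hArgument))
                PrintConsole(hConsole,
                             L"CloseHandle() returned error %lu\n",
                             GetLastError());
        }
    }

    return dwError;
}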
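// Process entry point (the program is linked without the C runtime, see
// /ENTRY:wmainCRTStartup). Splits the command line, starts one ThreadProc()
// watcher per directory argument, installs CtrlHandler() and waits until all
// watchers have ended. Never returns: the process ends through ExitProcess().
//
// Exit code: ERROR_BAD_ARGUMENTS for a wrong argument count, the Win32 error
// code of a failed call made here, else ERROR_SUCCESS. The exit codes of the
// watcher threads are not collected.
__declspec(noreturn)
VOID WINAPI wmainCRTStartup(VOID)
{
    LPWSTR *lpArguments;
    INT    nArguments;
    INT    nArgument = 1;
    DWORD  dwError = ERROR_BAD_ARGUMENTS;
    DWORD  dwThreadId;
    DWORD  dwWait;
    HANDLE hThread;
    HANDLE hConsole = GetStdHandle(STD_ERROR_HANDLE);

    if (hConsole == INVALID_HANDLE_VALUE)
        dwError = GetLastError();
    else
    {
        lpArguments = CommandLineToArgvW(GetCommandLine(), &nArguments);

        if (lpArguments == NULL)
            PrintConsole(hConsole,
                         L"CommandLineToArgv() returned error %lu\n",
                         dwError = GetLastError());
        else
        {
            if (nArguments < 2)
                PrintConsole(hConsole,
                             L"Too few arguments: at least one directory name must be given!\n");
            else if (nArguments > sizeof(hThreads) / sizeof(*hThreads) + 1)
                // The cast makes the argument match the %lu conversion on
                // targets where size_t is wider than DWORD.
                PrintConsole(hConsole,
                             L"Too many arguments: at most %lu directory names may be given!\n",
                             (DWORD) (sizeof(hThreads) / sizeof(*hThreads)));
            else
            {
                // The argument count is valid from here on, so the initial
                // ERROR_BAD_ARGUMENTS must no longer be the exit code of a
                // run in which every call succeeds.
                dwError = ERROR_SUCCESS;

                do
                {
                    hThread = CreateThread((LPSECURITY_ATTRIBUTES) NULL,
                                           (SIZE_T) 65536,
                                           ThreadProc,
                                           lpArguments[nArgument],
                                           0,
                                           &dwThreadId);
                    if (hThread == NULL)
                        PrintConsole(hConsole,
                                     L"CreateThread() returned error %lu\n",
                                     dwError = GetLastError());
                    else
                    {
                        // The bound check above guarantees room in hThreads[].
                        hThreads[dwThreads++] = hThread;

                        PrintConsole(hConsole,
                                     L"Thread %lu created for argument \'%ls\'\n",
                                     dwThreadId, lpArguments[nArgument]);
                    }
                } while (++nArgument < nArguments);

                if (dwThreads > 0)
                {
                    if (!SetConsoleCtrlHandler(CtrlHandler, TRUE))
                        PrintConsole(hConsole,
                                     L"SetConsoleCtrlHandler() returned error %lu\n",
                                     dwError = GetLastError());

                    PrintConsole(hConsole,
                                 L"Press \'Ctrl-C\' or \'Ctrl-Break\' to stop!\n"
                                 L"\n");

                    dwWait = WaitForMultipleObjects(dwThreads,
                                                    hThreads,
                                                    TRUE,
                                                    INFINITE);
                    if (dwWait == WAIT_FAILED)
                        PrintConsole(hConsole,
                                     L"WaitForMultipleObjects() returned error %lu\n",
                                     dwError = GetLastError());

                    // Unregister the handler before any thread handle is
                    // closed: CtrlHandler() runs on another thread and would
                    // otherwise be able to pass an already closed handle from
                    // hThreads[] to CancelSynchronousIo().
                    if (!SetConsoleCtrlHandler(CtrlHandler, FALSE))
                        PrintConsole(hConsole,
                                     L"SetConsoleCtrlHandler() returned error %lu\n",
                                     GetLastError());

                    if (dwWait != WAIT_FAILED)
                        do
                            if (!CloseHandle(hThreads[--dwThreads]))
                                PrintConsole(hConsole,
                                             L"CloseHandle() returned error %lu\n",
                                             GetLastError());
                        while (dwThreads > 0);
                }
            }

            // LocalFree() returns NULL on success.
            if (LocalFree(lpArguments) != NULL)
                PrintConsole(hConsole,
                             L"LocalFree() returned error %lu\n",
                             GetLastError());
        }

        if (!CloseHandle(hConsole))
            PrintConsole(hConsole,
                         L"CloseHandle() returned error %lu\n",
                         GetLastError());
    }

    ExitProcess(dwError);
}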
ReadDirectoryChangesW()
Run the following four command lines to compile the source file
NOTIFIER.C
created in step 1., link the compiled
object file NOTIFIER.OBJ
and cleanup afterwards:
SET CL=/GAFS /Gs69632 /Gy /O1isy /W4 /Zl
SET LINK=/DEFAULTLIB:KERNEL32.LIB /DEFAULTLIB:SHELL32.LIB /DEFAULTLIB:USER32.LIB /ENTRY:wmainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /OSVERSION:6.0 /RELEASE /SUBSYSTEM:CONSOLE /SWAPRUN:CD,NET /VERSION:0.815
CL.EXE /FeNOTIFIER.COM NOTIFIER.C
ERASE NOTIFIER.OBJ
For details and reference see the MSDN articles Compiler Options and Linker Options.
Note: if necessary, see the
MSDN article
Use the Microsoft C++ toolset from the command line
for an introduction.
Note: the command lines can be copied and pasted as block into a Command Processor window!
Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86 Copyright (C) Microsoft Corporation. All rights reserved. NOTIFIER.C Microsoft (R) Incremental Linker Version 10.00.40219.386 Copyright (C) Microsoft Corporation. All rights reserved. …
Create the text file NOTIFIER.TXT
with the following
content in an arbitrary, preferably empty directory:
4d 5a 90 00 01 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
d0 00 00 00 43 00 00 00 40 00 00 00 00 00 00 00 ....C...@.......
00 00 00 00 19 57 04 27 00 00 00 00 00 00 00 00 .....W.'........
00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 00 ................
28 43 29 6f 70 79 72 69 67 68 74 20 32 30 30 34 (C)opyright 2004
2d 32 30 32 33 2c 20 53 74 65 66 61 6e 20 4b 61 -2023, Stefan Ka
6e 74 68 61 6b 20 3c 73 74 65 66 61 6e 2e 6b 61 nthak <stefan.ka
6e 74 68 61 6b 40 6e 65 78 67 6f 2e 64 65 3e 0d nthak@nexgo.de>.
0a 07 24 0e 1f 33 d2 b4 09 cd 21 b8 01 4c cd 21 ..$..3....!..L.!
50 45 00 00 4c 01 03 00 56 4f 49 44 00 00 00 00 PE..L...VOID....
00 00 00 00 e0 00 23 0d 0b 01 0a 00 00 08 00 00 ......#.........
00 0c 00 00 00 00 00 00 a4 12 00 00 00 10 00 00 ................
00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00 . ....@.........
06 00 00 00 00 00 2f 03 06 00 00 00 00 00 00 00 ....../.........
00 40 00 00 00 02 00 00 ad dd 00 00 03 00 00 85 .@..............
00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 ................
00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ................
b8 26 00 00 3c 00 00 00 00 00 00 00 00 00 00 00 .&..<...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 50 26 00 00 40 00 00 00 ........P&..@...
00 00 00 00 00 00 00 00 00 20 00 00 50 00 00 00 ......... ..P...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 2e 63 6f 64 65 00 00 00 .........code...
5e 06 00 00 00 10 00 00 00 08 00 00 00 02 00 00 ^...............
00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 ............ ..`
2e 63 6f 6e 73 74 00 00 ae 08 00 00 00 20 00 00 .const....... ..
00 0a 00 00 00 0a 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 40 00 00 40 2e 62 73 73 00 00 00 00 ....@..@.bss....
20 01 00 00 00 30 00 00 00 00 00 00 00 00 00 00 ....0..........
00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 ................
55 8b ec 81 ec 08 08 00 00 56 8d 45 10 50 ff 75 U........V.E.P.u
0c 8d 85 f8 f7 ff ff 50 ff 15 48 20 40 00 8b f0 .......P..H @...
85 f6 75 04 33 c0 eb 23 6a 00 8d 45 fc 50 56 8d ..u.3..#j..E.PV.
85 f8 f7 ff ff 50 ff 75 08 ff 15 00 20 40 00 85 .....P.u.... @..
c0 74 e1 33 c0 39 75 fc 0f 94 c0 5e c9 c3 53 57 .t.3.9u....^..SW
8b 3d 00 30 40 00 6a f4 ff 15 0c 20 40 00 8b d8 .=.0@.j.... @...
8b 44 24 0c 83 f8 02 76 0a 83 f8 04 76 59 83 f8 .D$....v....vY..
06 77 54 ff 34 85 f4 20 40 00 68 a4 21 40 00 53 .wT.4.. @.h.!@.S
e8 7b ff ff ff 83 c4 0c 85 ff 74 36 56 4f 8d 34 .{........t6VO.4
bd 20 30 40 00 ff 36 ff 15 08 20 40 00 85 c0 75 . 0@..6... @...u
1c ff 36 ff 15 04 20 40 00 50 68 7c 21 40 00 68 ..6... @.Ph|!@.h
28 21 40 00 53 e8 46 ff ff ff 83 c4 14 85 ff 75 (!@.S.F........u
cc 5e 33 c0 40 eb 02 33 c0 5f 5b c2 04 00 55 8b .^3.@..3._[...U.
ec 81 ec 18 02 01 00 56 57 6a f4 33 ff ff 15 0c .......VWj.3....
20 40 00 8b f0 89 75 f8 83 fe ff 75 0d ff 15 04 @....u....u....
20 40 00 8b f8 e9 a2 01 00 00 53 8b 5d 08 57 68 @........S.].Wh
00 00 00 02 6a 03 57 6a 07 6a 01 53 ff 15 20 20 ....j.Wj.j.S..
40 00 89 45 08 83 f8 ff 75 22 ff 15 04 20 40 00 @..E....u"... @.
53 8b f8 57 68 c4 23 40 00 68 68 23 40 00 56 e8 S..Wh.#@.hh#@.V.
cc fe ff ff 83 c4 14 e9 5f 01 00 00 6a 08 8d 4d ........_...j..M
f0 51 6a 09 50 ff 15 1c 20 40 00 85 c0 75 11 ff .Qj.P... @...u..
15 04 20 40 00 53 8b f8 57 68 28 23 40 00 eb 40 .. @.S..Wh(#@..@
f6 45 f0 10 0f 84 fb 00 00 00 f7 45 f0 00 04 00 .E.........E....
00 0f 85 ee 00 00 00 57 68 04 01 00 00 8d 85 e8 .......Wh.......
fd ff ff 50 ff 75 08 ff 15 18 20 40 00 85 c0 75 ...P.u.... @...u
22 ff 15 04 20 40 00 53 8b f8 57 68 f4 22 40 00 "... @.S..Wh."@.
68 68 23 40 00 56 e8 55 fe ff ff 83 c4 14 e9 c1 hh#@.V.U........
00 00 00 57 57 8b 3d 14 20 40 00 8d 45 fc 50 68 ...WW.=. @..E.Ph
ff 0f 00 00 6a 01 bb 00 00 01 00 53 8d 85 e8 fd ....j......S....
fe ff 50 ff 75 08 ff d7 85 c0 74 6a 8d b5 e8 fd ..P.u.....tj....
fe ff eb 39 8b 06 89 45 fc 8b 46 08 d1 e8 33 c9 ...9...E..F...3.
66 89 4c 46 0c 8d 46 0c 50 8d 85 f0 fd ff ff 50 f.LF..F.P......P
8b 46 04 ff 34 85 10 21 40 00 68 d8 22 40 00 ff .F..4..!@.h."@..
75 f8 e8 e9 fd ff ff 83 c4 14 03 75 fc 83 7d fc u..........u..}.
00 75 c1 6a 00 6a 00 8d 45 fc 50 68 ff 0f 00 00 .u.j.j..E.Ph....
6a 01 53 8d 85 e8 fd fe ff 50 ff 75 08 ff d7 85 j.S......P.u....
c0 75 99 8b 75 f8 ff 15 04 20 40 00 8b f8 8d 85 .u..u.... @.....
f0 fd ff ff 50 57 68 ac 22 40 00 68 50 22 40 00 ....PWh."@.hP"@.
e9 40 ff ff ff 53 68 08 22 40 00 56 e8 8f fd ff .@...Sh."@.V....
ff 83 c4 0c ff 75 08 ff 15 10 20 40 00 85 c0 75 .....u.... @...u
1a ff 15 04 20 40 00 50 68 ec 21 40 00 68 b8 21 .... @.Ph.!@.h.!
40 00 56 e8 68 fd ff ff 83 c4 10 5b 8b c7 5f 5e @.V.h......[.._^
c9 c2 04 00 83 ec 14 53 55 6a f4 c7 44 24 0c 01 .......SUj..D$..
00 00 00 bd a0 00 00 00 ff 15 0c 20 40 00 8b d8 ........... @...
83 fb ff 75 0d ff 15 04 20 40 00 8b e8 e9 eb 01 ...u.... @......
00 00 56 57 8d 44 24 14 50 ff 15 38 20 40 00 50 ..VW.D$.P..8 @.P
e8 e1 01 00 00 8b 35 04 20 40 00 89 44 24 18 85 ......5. @..D$..
c0 75 14 ff d6 8b e8 55 68 20 26 40 00 bf b8 21 .u.....Uh &@...!
40 00 e9 8d 01 00 00 83 7c 24 14 02 bf b8 21 40 @.......|$....!@
00 73 12 68 a0 25 40 00 53 e8 e2 fc ff ff 59 59 .s.h.%@.S.....YY
e9 59 01 00 00 83 7c 24 14 41 76 15 6a 40 68 20 .Y....|$.Av.j@h
25 40 00 53 e8 c7 fc ff ff 83 c4 0c e9 3d 01 00 %@.S.........=..
00 8b 4c 24 18 8b 44 24 10 8d 04 81 8d 4c 24 20 ..L$..D$.....L$
51 6a 00 ff 30 89 44 24 28 68 ce 10 40 00 68 00 Qj..0.D$(h..@.h.
00 01 00 6a 00 ff 15 34 20 40 00 85 c0 75 0d ff ...j...4 @...u..
d6 8b e8 55 68 00 25 40 00 57 eb 22 8b 0d 00 30 ...Uh.%@.W."...0
40 00 ff 05 00 30 40 00 89 04 8d 20 30 40 00 8b @....0@.... 0@..
44 24 1c ff 30 ff 74 24 24 68 b0 24 40 00 53 e8 D$..0.t$$h.$@.S.
5c fc ff ff 83 c4 10 ff 44 24 10 8b 44 24 10 3b \.......D$..D$.;
44 24 14 72 8c 83 3d 00 30 40 00 00 0f 86 bc 00 D$.r..=.0@......
00 00 6a 01 68 4e 10 40 00 ff 15 30 20 40 00 85 ..j.hN.@...0 @..
c0 75 14 ff d6 8b e8 55 68 80 24 40 00 57 53 e8 .u.....Uh.$@.WS.
1c fc ff ff 83 c4 10 68 20 24 40 00 53 e8 0e fc .......h $@.S...
ff ff 59 59 6a ff 6a 01 68 20 30 40 00 ff 35 00 ..YYj.j.h 0@..5.
30 40 00 ff 15 2c 20 40 00 83 f8 ff 75 16 ff d6 0@..., @....u...
8b e8 55 68 f0 23 40 00 57 53 e8 e1 fb ff ff 83 ..Uh.#@.WS......
c4 10 eb 37 ff 0d 00 30 40 00 a1 00 30 40 00 ff ...7...0@...0@..
34 85 20 30 40 00 ff 15 10 20 40 00 85 c0 75 12 4. 0@.... @...u.
ff d6 50 68 ec 21 40 00 57 53 e8 b1 fb ff ff 83 ..Ph.!@.WS......
c4 10 83 3d 00 30 40 00 00 77 c9 6a 00 68 4e 10 ...=.0@..w.j.hN.
40 00 ff 15 30 20 40 00 85 c0 75 12 ff d6 50 68 @...0 @...u...Ph
80 24 40 00 57 53 e8 85 fb ff ff 83 c4 10 ff 74 .$@.WS.........t
24 18 ff 15 28 20 40 00 85 c0 74 12 ff d6 50 68 $...( @...t...Ph
dc 23 40 00 57 53 e8 65 fb ff ff 83 c4 10 53 ff .#@.WS.e......S.
15 10 20 40 00 85 c0 75 12 ff d6 50 68 ec 21 40 .. @...u...Ph.!@
00 57 53 e8 48 fb ff ff 83 c4 10 5f 5e 55 ff 15 .WS.H......_^U..
24 20 40 00 5d 5b 55 8b ec 51 8b 45 08 53 56 33 $ @.][U..Q.E.SV3
f6 57 8b f8 89 75 08 89 75 fc 39 75 0c 0f 84 6a .W...u..u.9u...j
01 00 00 3b c6 0f 84 62 01 00 00 0f b7 08 66 3b ...;...b......f;
ce 0f 84 56 01 00 00 83 f9 20 74 0a 83 f9 09 74 ...V..... t....t
05 33 db 43 eb 02 33 db 39 75 08 75 2b 66 83 f9 .3.C..3.9u.u+f..
20 74 06 66 83 f9 09 75 1f 89 75 fc 83 c0 02 0f t.f...u..u.....
b7 08 83 f9 20 74 f5 83 f9 09 74 f0 33 c9 66 39 .... t....t.3.f9
30 0f 95 c1 03 d9 eb 23 66 83 f9 5c 75 06 83 75 0......#f..\u..u
fc 01 eb 14 39 75 fc 75 0c 66 83 f9 22 75 06 83 ....9u.u.f.."u..
75 08 01 eb 03 89 75 fc 83 c0 02 0f b7 08 66 3b u.....u.......f;
ce 75 a5 2b c7 83 c0 02 d1 f8 8d 44 58 02 03 c0 .u.+.......DX...
50 6a 40 ff 15 40 20 40 00 8b f0 33 d2 3b f2 0f Pj@..@ @...3.;..
84 d0 00 00 00 8d 44 9e 04 33 db 89 06 89 55 08 ......D..3....U.
89 5d fc 83 7d 08 00 75 34 0f b7 0f 83 f9 20 74 .]..}..u4..... t
05 83 f9 09 75 27 33 d2 33 c9 66 89 08 83 c7 02 ....u'3.3.f.....
0f b7 0f 83 f9 20 74 f5 83 f9 09 74 f0 66 39 17 ..... t....t.f9.
74 71 43 8b c7 89 5d fc 89 3c 9e eb 5c 0f b7 0f tqC...]..<..\...
83 f9 5c 75 03 42 eb 48 83 f9 22 75 41 6a 02 8d ..\u.B.H.."uAj..
5a 01 d1 eb 59 f7 db 03 f9 8d 04 58 f6 c2 01 74 Z...Y......X...t
0a 6a 22 5a 66 89 10 03 c1 eb 1c 83 7d 08 00 74 .j"Zf.......}..t
12 66 83 3f 22 75 0c 6a 22 5a 66 89 10 03 c1 03 .f.?"u.j"Zf.....
f9 eb 04 83 75 08 01 8b 5d fc 33 d2 eb 0b 33 d2 ....u...].3...3.
66 89 08 83 c0 02 83 c7 02 66 83 3f 00 0f 85 60 f........f.?...`
ff ff ff 33 c9 43 66 89 08 21 0c 9e 8b 45 0c 89 ...3.Cf..!...E..
18 39 4d 08 74 0f 68 a0 00 00 00 eb 02 6a 57 ff .9M.t.h......jW.
15 3c 20 40 00 5f 8b c6 5e 5b c9 c2 08 00 00 00 .< @._..^[......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
44 27 00 00 54 27 00 00 64 27 00 00 7a 27 00 00 D'..T'..d'..z'..
8a 27 00 00 98 27 00 00 b0 27 00 00 cc 27 00 00 .'...'...'...'..
ec 27 00 00 fa 27 00 00 08 28 00 00 14 28 00 00 .'...'...(...(..
2e 28 00 00 46 28 00 00 56 28 00 00 68 28 00 00 .(..F(..V(..h(..
78 28 00 00 00 00 00 00 94 28 00 00 00 00 00 00 x(.......(......
52 00 65 00 6e 00 61 00 6d 00 65 00 64 00 20 00 R.e.n.a.m.e.d. .
74 00 6f 00 00 00 00 00 52 00 65 00 6e 00 61 00 t.o.....R.e.n.a.
6d 00 65 00 64 00 20 00 66 00 72 00 6f 00 6d 00 m.e.d. .f.r.o.m.
00 00 00 00 4d 00 6f 00 64 00 69 00 66 00 69 00 ....M.o.d.i.f.i.
65 00 64 00 00 00 00 00 52 00 65 00 6d 00 6f 00 e.d.....R.e.m.o.
76 00 65 00 64 00 00 00 41 00 64 00 64 00 65 00 v.e.d...A.d.d.e.
64 00 00 00 53 00 68 00 75 00 74 00 64 00 6f 00 d...S.h.u.t.d.o.
77 00 6e 00 00 00 00 00 4c 00 6f 00 67 00 6f 00 w.n.....L.o.g.o.
66 00 66 00 00 00 00 00 43 00 6c 00 6f 00 73 00 f.f.....C.l.o.s.
65 00 00 00 42 00 72 00 65 00 61 00 6b 00 00 00 e...B.r.e.a.k...
43 00 00 00 f0 20 40 00 e4 20 40 00 d8 20 40 00 C.... @.. @.. @.
00 00 00 00 00 00 00 00 c8 20 40 00 b4 20 40 00 ......... @.. @.
00 00 00 00 a8 20 40 00 98 20 40 00 84 20 40 00 ..... @.. @.. @.
68 20 40 00 50 20 40 00 25 00 6c 00 73 00 28 00 h @.P @.%.l.s.(.
29 00 20 00 72 00 65 00 74 00 75 00 72 00 6e 00 ). .r.e.t.u.r.n.
65 00 64 00 20 00 65 00 72 00 72 00 6f 00 72 00 e.d. .e.r.r.o.r.
20 00 25 00 6c 00 75 00 20 00 66 00 6f 00 72 00 .%.l.u. .f.o.r.
20 00 74 00 68 00 72 00 65 00 61 00 64 00 20 00 .t.h.r.e.a.d. .
30 00 78 00 25 00 70 00 0a 00 00 00 43 00 61 00 0.x.%.p.....C.a.
6e 00 63 00 65 00 6c 00 53 00 79 00 6e 00 63 00 n.c.e.l.S.y.n.c.
68 00 72 00 6f 00 6e 00 6f 00 75 00 73 00 49 00 h.r.o.n.o.u.s.I.
6f 00 00 00 43 00 74 00 72 00 6c 00 2d 00 25 00 o...C.t.r.l.-.%.
6c 00 73 00 0a 00 00 00 25 00 6c 00 73 00 28 00 l.s.....%.l.s.(.
29 00 20 00 72 00 65 00 74 00 75 00 72 00 6e 00 ). .r.e.t.u.r.n.
65 00 64 00 20 00 65 00 72 00 72 00 6f 00 72 00 e.d. .e.r.r.o.r.
20 00 25 00 6c 00 75 00 0a 00 00 00 43 00 6c 00 .%.l.u.....C.l.
6f 00 73 00 65 00 48 00 61 00 6e 00 64 00 6c 00 o.s.e.H.a.n.d.l.
65 00 00 00 00 00 00 00 41 00 72 00 67 00 75 00 e.......A.r.g.u.
6d 00 65 00 6e 00 74 00 20 00 27 00 25 00 6c 00 m.e.n.t. .'.%.l.
73 00 27 00 20 00 69 00 73 00 20 00 6e 00 6f 00 s.'. .i.s. .n.o.
74 00 20 00 61 00 20 00 64 00 69 00 72 00 65 00 t. .a. .d.i.r.e.
63 00 74 00 6f 00 72 00 79 00 21 00 0a 00 00 00 c.t.o.r.y.!.....
25 00 6c 00 73 00 28 00 29 00 20 00 72 00 65 00 %.l.s.(.). .r.e.
74 00 75 00 72 00 6e 00 65 00 64 00 20 00 65 00 t.u.r.n.e.d. .e.
72 00 72 00 6f 00 72 00 20 00 25 00 6c 00 75 00 r.r.o.r. .%.l.u.
20 00 66 00 6f 00 72 00 20 00 64 00 69 00 72 00 .f.o.r. .d.i.r.
65 00 63 00 74 00 6f 00 72 00 79 00 20 00 27 00 e.c.t.o.r.y. .'.
25 00 6c 00 73 00 27 00 0a 00 00 00 52 00 65 00 %.l.s.'.....R.e.
61 00 64 00 44 00 69 00 72 00 65 00 63 00 74 00 a.d.D.i.r.e.c.t.
6f 00 72 00 79 00 43 00 68 00 61 00 6e 00 67 00 o.r.y.C.h.a.n.g.
65 00 73 00 00 00 00 00 25 00 6c 00 73 00 20 00 e.s.....%.l.s. .
25 00 6c 00 73 00 5c 00 25 00 6c 00 73 00 0a 00 %.l.s.\.%.l.s...
00 00 00 00 47 00 65 00 74 00 46 00 69 00 6e 00 ....G.e.t.F.i.n.
61 00 6c 00 50 00 61 00 74 00 68 00 4e 00 61 00 a.l.P.a.t.h.N.a.
6d 00 65 00 42 00 79 00 48 00 61 00 6e 00 64 00 m.e.B.y.H.a.n.d.
6c 00 65 00 00 00 00 00 47 00 65 00 74 00 46 00 l.e.....G.e.t.F.
69 00 6c 00 65 00 49 00 6e 00 66 00 6f 00 72 00 i.l.e.I.n.f.o.r.
6d 00 61 00 74 00 69 00 6f 00 6e 00 42 00 79 00 m.a.t.i.o.n.B.y.
48 00 61 00 6e 00 64 00 6c 00 65 00 45 00 78 00 H.a.n.d.l.e.E.x.
00 00 00 00 00 00 00 00 25 00 6c 00 73 00 28 00 ........%.l.s.(.
29 00 20 00 72 00 65 00 74 00 75 00 72 00 6e 00 ). .r.e.t.u.r.n.
65 00 64 00 20 00 65 00 72 00 72 00 6f 00 72 00 e.d. .e.r.r.o.r.
20 00 25 00 6c 00 75 00 20 00 66 00 6f 00 72 00 .%.l.u. .f.o.r.
20 00 61 00 72 00 67 00 75 00 6d 00 65 00 6e 00 .a.r.g.u.m.e.n.
74 00 20 00 27 00 25 00 6c 00 73 00 27 00 0a 00 t. .'.%.l.s.'...
00 00 00 00 43 00 72 00 65 00 61 00 74 00 65 00 ....C.r.e.a.t.e.
46 00 69 00 6c 00 65 00 00 00 00 00 4c 00 6f 00 F.i.l.e.....L.o.
63 00 61 00 6c 00 46 00 72 00 65 00 65 00 00 00 c.a.l.F.r.e.e...
57 00 61 00 69 00 74 00 46 00 6f 00 72 00 4d 00 W.a.i.t.F.o.r.M.
75 00 6c 00 74 00 69 00 70 00 6c 00 65 00 4f 00 u.l.t.i.p.l.e.O.
62 00 6a 00 65 00 63 00 74 00 73 00 00 00 00 00 b.j.e.c.t.s.....
50 00 72 00 65 00 73 00 73 00 20 00 27 00 43 00 P.r.e.s.s. .'.C.
74 00 72 00 6c 00 2d 00 43 00 27 00 20 00 6f 00 t.r.l.-.C.'. .o.
72 00 20 00 27 00 43 00 74 00 72 00 6c 00 2d 00 r. .'.C.t.r.l.-.
42 00 72 00 65 00 61 00 6b 00 27 00 20 00 74 00 B.r.e.a.k.'. .t.
6f 00 20 00 74 00 65 00 72 00 6d 00 69 00 6e 00 o. .t.e.r.m.i.n.
61 00 74 00 65 00 21 00 0a 00 0a 00 00 00 00 00 a.t.e.!.........
53 00 65 00 74 00 43 00 6f 00 6e 00 73 00 6f 00 S.e.t.C.o.n.s.o.
6c 00 65 00 43 00 74 00 72 00 6c 00 48 00 61 00 l.e.C.t.r.l.H.a.
6e 00 64 00 6c 00 65 00 72 00 00 00 00 00 00 00 n.d.l.e.r.......
54 00 68 00 72 00 65 00 61 00 64 00 20 00 25 00 T.h.r.e.a.d. .%.
6c 00 75 00 20 00 63 00 72 00 65 00 61 00 74 00 l.u. .c.r.e.a.t.
65 00 64 00 20 00 66 00 6f 00 72 00 20 00 61 00 e.d. .f.o.r. .a.
72 00 67 00 75 00 6d 00 65 00 6e 00 74 00 20 00 r.g.u.m.e.n.t. .
27 00 25 00 6c 00 73 00 27 00 0a 00 00 00 00 00 '.%.l.s.'.......
43 00 72 00 65 00 61 00 74 00 65 00 54 00 68 00 C.r.e.a.t.e.T.h.
72 00 65 00 61 00 64 00 00 00 00 00 00 00 00 00 r.e.a.d.........
54 00 6f 00 6f 00 20 00 6d 00 61 00 6e 00 79 00 T.o.o. .m.a.n.y.
20 00 61 00 72 00 67 00 75 00 6d 00 65 00 6e 00 .a.r.g.u.m.e.n.
74 00 73 00 3a 00 20 00 61 00 74 00 20 00 6d 00 t.s.:. .a.t. .m.
6f 00 73 00 74 00 20 00 25 00 6c 00 75 00 20 00 o.s.t. .%.l.u. .
64 00 69 00 72 00 65 00 63 00 74 00 6f 00 72 00 d.i.r.e.c.t.o.r.
79 00 20 00 6e 00 61 00 6d 00 65 00 73 00 20 00 y. .n.a.m.e.s. .
6d 00 61 00 79 00 20 00 62 00 65 00 20 00 67 00 m.a.y. .b.e. .g.
69 00 76 00 65 00 6e 00 21 00 0a 00 00 00 00 00 i.v.e.n.!.......
54 00 6f 00 6f 00 20 00 66 00 65 00 77 00 20 00 T.o.o. .f.e.w. .
61 00 72 00 67 00 75 00 6d 00 65 00 6e 00 74 00 a.r.g.u.m.e.n.t.
73 00 3a 00 20 00 61 00 74 00 20 00 6c 00 65 00 s.:. .a.t. .l.e.
61 00 73 00 74 00 20 00 6f 00 6e 00 65 00 20 00 a.s.t. .o.n.e. .
64 00 69 00 72 00 65 00 63 00 74 00 6f 00 72 00 d.i.r.e.c.t.o.r.
79 00 20 00 6e 00 61 00 6d 00 65 00 20 00 6d 00 y. .n.a.m.e. .m.
75 00 73 00 74 00 20 00 62 00 65 00 20 00 67 00 u.s.t. .b.e. .g.
69 00 76 00 65 00 6e 00 21 00 0a 00 00 00 00 00 i.v.e.n.!.......
43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 4c 00 C.o.m.m.a.n.d.L.
69 00 6e 00 65 00 54 00 6f 00 41 00 72 00 67 00 i.n.e.T.o.A.r.g.
76 00 00 00 00 00 00 00 b9 79 37 9e 00 00 00 00 v........y7.....
68 00 00 00 45 54 41 44 10 00 00 00 00 00 00 00 h...ETAD........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 08 00 00 00 00 48 26 40 00 ............H&@.
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 f4 26 00 00 00 00 00 00 .........&......
00 00 00 00 86 28 00 00 00 20 00 00 3c 27 00 00 .....(... ..<'..
00 00 00 00 00 00 00 00 a2 28 00 00 48 20 00 00 .........(..H ..
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 44 27 00 00 54 27 00 00 64 27 00 00 ....D'..T'..d'..
7a 27 00 00 8a 27 00 00 98 27 00 00 b0 27 00 00 z'...'...'...'..
cc 27 00 00 ec 27 00 00 fa 27 00 00 08 28 00 00 .'...'...'...(..
14 28 00 00 2e 28 00 00 46 28 00 00 56 28 00 00 .(...(..F(..V(..
68 28 00 00 78 28 00 00 00 00 00 00 94 28 00 00 h(..x(.......(..
00 00 00 00 24 05 57 72 69 74 65 43 6f 6e 73 6f ....$.WriteConso
6c 65 57 00 02 02 47 65 74 4c 61 73 74 45 72 72 leW...GetLastErr
6f 72 00 00 44 00 43 61 6e 63 65 6c 53 79 6e 63 or..D.CancelSync
68 72 6f 6e 6f 75 73 49 6f 00 64 02 47 65 74 53 hronousIo.d.GetS
74 64 48 61 6e 64 6c 65 00 00 52 00 43 6c 6f 73 tdHandle..R.Clos
65 48 61 6e 64 6c 65 00 bf 03 52 65 61 64 44 69 eHandle...ReadDi
72 65 63 74 6f 72 79 43 68 61 6e 67 65 73 57 00 rectoryChangesW.
f5 01 47 65 74 46 69 6e 61 6c 50 61 74 68 4e 61 ..GetFinalPathNa
6d 65 42 79 48 61 6e 64 6c 65 57 00 ed 01 47 65 meByHandleW...Ge
74 46 69 6c 65 49 6e 66 6f 72 6d 61 74 69 6f 6e tFileInformation
42 79 48 61 6e 64 6c 65 45 78 00 00 8f 00 43 72 ByHandleEx....Cr
65 61 74 65 46 69 6c 65 57 00 19 01 45 78 69 74 eateFileW...Exit
50 72 6f 63 65 73 73 00 48 03 4c 6f 63 61 6c 46 Process.H.LocalF
72 65 65 00 f7 04 57 61 69 74 46 6f 72 4d 75 6c ree...WaitForMul
74 69 70 6c 65 4f 62 6a 65 63 74 73 00 00 2d 04 tipleObjects..-.
53 65 74 43 6f 6e 73 6f 6c 65 43 74 72 6c 48 61 SetConsoleCtrlHa
6e 64 6c 65 72 00 b5 00 43 72 65 61 74 65 54 68 ndler...CreateTh
72 65 61 64 00 00 87 01 47 65 74 43 6f 6d 6d 61 read....GetComma
6e 64 4c 69 6e 65 57 00 73 04 53 65 74 4c 61 73 ndLineW.s.SetLas
74 45 72 72 6f 72 00 00 44 03 4c 6f 63 61 6c 41 tError..D.LocalA
6c 6c 6f 63 00 00 4b 45 52 4e 45 4c 33 32 2e 64 lloc..KERNEL32.d
6c 6c 00 00 35 03 77 76 73 70 72 69 6e 74 66 57 ll..5.wvsprintfW
00 00 55 53 45 52 33 32 2e 64 6c 6c 00 00 00 00 ..USER32.dll....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Decode the dump file NOTIFIER.TXT
created in
step 3. to recreate the console application
Directory Change Notifier:
CERTUTIL.EXE /DecodeHex /V NOTIFIER.TXT NOTIFIER.COM
Input Length = 21760 Output Length = 5120 CertUtil: -decodehex command completed successfully.
portable executable image files, i.e. applications, (resource) DLLs, drivers etc., print them in UTF-16LE encoding on
standard output (which must be redirected to a file or piped into an application that reads from
standard input, like Clip, Find or More).
portable executable image files; Matt Pietrek’s MSDN magazine articles Peering Inside the PE - A Tour of the Win32 Portable Executable File Format, An In-Depth Look into the Win32 Portable Executable File Format and An In-Depth Look into the Win32 Portable Executable File Format, Part 2 provide additional information. ASN.1 Encoding/Decoding Return Values Certificate and Trust Return Values
PECOFFIN.COM ‹image file name› >‹output file name› PECOFFIN.COM ‹image file name› | MORE.COM
big form with embedded application manifest, version information, icon plus time-stamped digital signature, and PECOFFIN.COM, a
small form without these extras.
Note: due to the design and implementation of
Windows’ (classic alias legacy) console, the
Win32 function
WriteConsole()
can only write to a console, not to a file nor a pipe, i.e.
redirection of standard error
is not supported!
The MSDN article Console Handles provides background information.
Create the text file PECOFFIN.C
with the following
content in an arbitrary, preferably empty directory:
// Copyright © 2004-2023, Stefan Kanthak <stefan.kanthak@nexgo.de>
// * The software is provided "as is" without any warranty, neither express
// nor implied.
// * In no event will the author be held liable for any damage(s) arising
// from the use of the software.
// * Redistribution of the software is allowed only in unmodified form.
// * Permission is granted to use the software solely for personal private
// and non-commercial purposes.
// * An individuals use of the software in his or her capacity or function
// as an agent, (independent) contractor, employee, member or officer of
// a business, corporation or organization (commercial or non-commercial)
// does not qualify as personal private and non-commercial purpose.
// * Without written approval from the author the software must not be used
// for a business, for commercial, corporate, governmental, military or
// organizational purposes of any kind, or in a commercial, corporate,
// governmental, military or organizational environment of any kind.
#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <wintrust.h>
#include <shellapi.h>
// Build-time check: compilation stops unless the Windows headers define
// ANYSIZE_ARRAY (the declared length of their variable-length trailing arrays)
// as 1. NOTE(review): presumably the size arithmetic further down in this file
// depends on that value; the dependent code is not shown in this part.
#if ANYSIZE_ARRAY != 1
#error ANYSIZE_ARRAY must be defined as 1!
#endif
// Fallback values for debug directory entry types (IMAGE_DEBUG_TYPE_*). Each
// #ifndef guard keeps the definition of the installed SDK when it has one and
// supplies the constant only for headers that predate it.
#ifndef IMAGE_DEBUG_TYPE_VC_FEATURE
#define IMAGE_DEBUG_TYPE_VC_FEATURE 12
#endif
#ifndef IMAGE_DEBUG_TYPE_POGO
#define IMAGE_DEBUG_TYPE_POGO 13
#endif
#ifndef IMAGE_DEBUG_TYPE_ILTCG
#define IMAGE_DEBUG_TYPE_ILTCG 14
#endif
#ifndef IMAGE_DEBUG_TYPE_MPX
#define IMAGE_DEBUG_TYPE_MPX 15
#endif
#ifndef IMAGE_DEBUG_TYPE_REPRO
#define IMAGE_DEBUG_TYPE_REPRO 16
#endif
// Bits of the DllCharacteristics field of the PE optional header. Several of
// them are the per-image opt-ins for exploit mitigations, so they are the
// first values to check when assessing how an image was hardened.
//
// Mask of the four lowest bits. Defined without an #ifndef guard, unlike the
// constants below. NOTE(review): presumably this name is local to this file
// and covers the bits the PE format reserves; confirm against its use.
#define IMAGE_DLLCHARACTERISTICS_RESERVED 0x000FU
// Image tolerates high-entropy (64-bit) address space layout randomization.
#ifndef IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
#define IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA 0x0020U
#endif
// Image may be relocated at load time (ASLR opt-in).
#ifndef IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040U
#endif
// Loader enforces code integrity (signature) checks for the image.
#ifndef IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
#define IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY 0x0080U
#endif
// Image is compatible with data execution prevention (DEP/NX).
#ifndef IMAGE_DLLCHARACTERISTICS_NX_COMPAT
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT 0x0100U
#endif
// Image must run inside an AppContainer.
#ifndef IMAGE_DLLCHARACTERISTICS_APPCONTAINER
#define IMAGE_DLLCHARACTERISTICS_APPCONTAINER 0x1000U
#endif
// Image supports Control Flow Guard.
#ifndef IMAGE_DLLCHARACTERISTICS_GUARD_CF
#define IMAGE_DLLCHARACTERISTICS_GUARD_CF 0x4000U
#endif
// Fallback values for the LoaderFlags field of the optional header; the
// guards keep the SDK's definitions when present.
#ifndef IMAGE_LOADER_FLAGS_COMPLUS
#define IMAGE_LOADER_FLAGS_COMPLUS 0x00000001UL
#endif
#ifndef IMAGE_LOADER_FLAGS_SYSTEM_GLOBAL
#define IMAGE_LOADER_FLAGS_SYSTEM_GLOBAL 0x01000000UL
#endif
// Fallback values for constants of the PE/COFF file header that older SDK
// headers lack; each #ifndef guard keeps the SDK's own definition when present.
//
// NOTE(review): unlike the IMAGE_FILE_MACHINE_* values that follow, this one
// looks like a bit of the file header's Characteristics field rather than a
// machine type; confirm against where the file uses it.
#ifndef IMAGE_FILE_16BIT_MACHINE
#define IMAGE_FILE_16BIT_MACHINE 0x0040U
#endif
// Machine type identifiers (Machine field of the file header).
#ifndef IMAGE_FILE_MACHINE_TARGET_HOST
#define IMAGE_FILE_MACHINE_TARGET_HOST 0x0001U
#endif
#ifndef IMAGE_FILE_MACHINE_I860
#define IMAGE_FILE_MACHINE_I860 0x014DU
#endif
#ifndef IMAGE_FILE_MACHINE_ARMNT
#define IMAGE_FILE_MACHINE_ARMNT 0x01C4U
#endif
#ifndef IMAGE_FILE_MACHINE_M68K
#define IMAGE_FILE_MACHINE_M68K 0x0268U
#endif
#ifndef IMAGE_FILE_MACHINE_PARISC
#define IMAGE_FILE_MACHINE_PARISC 0x0290U
#endif
#ifndef IMAGE_FILE_MACHINE_CHPE_X86
#define IMAGE_FILE_MACHINE_CHPE_X86 0x3A64U // Compiled Hybrid PE
#endif
#ifndef IMAGE_FILE_MACHINE_RISCV32
#define IMAGE_FILE_MACHINE_RISCV32 0x5032U
#endif
#ifndef IMAGE_FILE_MACHINE_RISCV64
#define IMAGE_FILE_MACHINE_RISCV64 0x5064U
#endif
#ifndef IMAGE_FILE_MACHINE_RISCV128
#define IMAGE_FILE_MACHINE_RISCV128 0x5128U
#endif
#ifndef IMAGE_FILE_MACHINE_LOONGARCH32
#define IMAGE_FILE_MACHINE_LOONGARCH32 0x6232U
#endif
#ifndef IMAGE_FILE_MACHINE_LOONGARCH64
#define IMAGE_FILE_MACHINE_LOONGARCH64 0x6264U
#endif
#ifndef IMAGE_FILE_MACHINE_ARM64
#define IMAGE_FILE_MACHINE_ARM64 0xAA64U
#endif
// Subsystem identifiers (Subsystem field of the optional header).
#ifndef IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION
#define IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION 16
#endif
#ifndef IMAGE_SUBSYSTEM_XBOX_CODE_CATALOG
#define IMAGE_SUBSYSTEM_XBOX_CODE_CATALOG 17
#endif
// Bit values of the GuardFlags member of the load configuration directory;
// they record which control flow integrity mitigations the image was built
// with. The whole group is defined only when the SDK lacks the last macro,
// IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT.
// NOTE(review): an SDK that defines some of these macros but not the SHIFT
// macro would see them defined a second time here - confirm the values then
// agree with the SDK's.
#ifndef IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT
#define IMAGE_GUARD_CF_INSTRUMENTED 0x00000100UL // control flow guard checks present
#define IMAGE_GUARD_CFW_INSTRUMENTED 0x00000200UL // control flow and write integrity checks present
#define IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT 0x00000400UL // valid call target table present
#define IMAGE_GUARD_SECURITY_COOKIE_UNUSED 0x00000800UL // /GS security cookie not used
#define IMAGE_GUARD_PROTECT_DELAYLOAD_IAT 0x00001000UL // read-only delay load IAT supported
#define IMAGE_GUARD_DELAYLOAD_IAT_IN_ITS_OWN_SECTION 0x00002000UL
#define IMAGE_GUARD_CF_EXPORT_SUPPRESSION_INFO_PRESENT 0x00004000UL
#define IMAGE_GUARD_CF_ENABLE_EXPORT_SUPPRESSION 0x00008000UL
#define IMAGE_GUARD_CF_LONGJUMP_TABLE_PRESENT 0x00010000UL
#define IMAGE_GUARD_RF_INSTRUMENTED 0x00020000UL // return flow guard bits
#define IMAGE_GUARD_RF_ENABLE 0x00040000UL
#define IMAGE_GUARD_RF_STRICT 0x00080000UL
// The top 4 bits are not a flag but a number: mask and shift extract it.
#define IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK 0xF0000000UL
#define IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT 28
#endif
// LoadLibraryEx() flags that restrict the directories searched for a DLL;
// defined as a group when the SDK lacks LOAD_LIBRARY_SEARCH_DEFAULT_DIRS.
// NOTE(review): presumably used to decode the DependentLoadFlags member of
// the load configuration directory - the use is outside this part of the file.
#ifndef LOAD_LIBRARY_SEARCH_DEFAULT_DIRS
#define LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR 0x00000100UL
#define LOAD_LIBRARY_SEARCH_APPLICATION_DIR 0x00000200UL
#define LOAD_LIBRARY_SEARCH_USER_DIRS 0x00000400UL
#define LOAD_LIBRARY_SEARCH_SYSTEM32 0x00000800UL
#define LOAD_LIBRARY_SEARCH_DEFAULT_DIRS 0x00001000UL
#define LOAD_LIBRARY_SEARCH_SAFE_CURRENT_DIRS 0x00002000UL
#define LOAD_LIBRARY_SEARCH_SYSTEM32_NO_FORWARDER 0x00004000UL
#define LOAD_LIBRARY_OS_INTEGRITY_CONTINUITY 0x00008000UL
#endif
// One entry of the exception (runtime function) table of an ARM Thumb-2
// image: two 32-bit values per function.
typedef struct _IMAGE_ARMNT_RUNTIME_FUNCTION_ENTRY
{
DWORD BeginAddress;
DWORD UnwindData;
} IMAGE_ARMNT_RUNTIME_FUNCTION_ENTRY, *LPIMAGE_ARMNT_RUNTIME_FUNCTION_ENTRY, *PIMAGE_ARMNT_RUNTIME_FUNCTION_ENTRY;
// One entry of the delay load import directory. All *RVA members are
// addresses taken from the image file.
// NOTE(review): they are untrusted input and need to be translated and
// range-checked (see RVA2Image()) before anything is read through them.
typedef struct _IMAGE_DELAYLOAD_DESCRIPTOR
{
// The attributes can be read as a whole (AllAttributes) or bit by bit.
union
{
DWORD AllAttributes;
struct
{
DWORD RvaBased : 1;
DWORD ReservedAttributes : 31;
};
} Attributes;
DWORD DllNameRVA;
DWORD ModuleHandleRVA;
DWORD ImportAddressTableRVA;
DWORD ImportNameTableRVA;
DWORD BoundImportAddressTableRVA;
DWORD UnloadInformationTableRVA;
DWORD TimeDateStamp;
} IMAGE_DELAYLOAD_DESCRIPTOR, *LPIMAGE_DELAYLOAD_DESCRIPTOR, *PIMAGE_DELAYLOAD_DESCRIPTOR;
// Load configuration directory of a 32-bit (PE32) image, declared with all
// members up to GuardMemcpyFunctionPointer. The comments inside name the
// Windows 10 release (code name and version) before the members they precede.
// The structure grew over time: Size, the first member, is the length stored
// in the image, so an image built with older tools holds only a prefix of it.
// NOTE(review): the code that reads this structure is outside this part of
// the file - confirm it compares Size with the offset of every member before
// reading it, otherwise bytes following the directory are decoded as members.
typedef struct _IMAGE_LOAD_CONFIGURATION_DIRECTORY32
{
DWORD Size;
DWORD TimeDateStamp;
WORD MajorVersion;
WORD MinorVersion;
DWORD GlobalFlagsClear;
DWORD GlobalFlagsSet;
DWORD CriticalSectionDefaultTimeout;
DWORD DeCommitFreeBlockThreshold;
DWORD DeCommitTotalFreeThreshold;
DWORD LockPrefixTable;
DWORD MaximumAllocationSize;
DWORD VirtualMemoryThreshold;
DWORD ProcessHeapFlags;
DWORD ProcessAffinityMask;
WORD CSDVersion;
// The same 16 bits under their former and their current name; the current
// name is the one compiled.
#if 0
WORD Reserved1;
#else
WORD DependentLoadFlags;
#endif
DWORD EditList;
DWORD SecurityCookie;
DWORD SEHandlerTable;
DWORD SEHandlerCount;
// Threshold 1 (1507)
DWORD GuardCFCheckFunctionPointer;
DWORD GuardCFDispatchFunctionPointer;
DWORD GuardCFFunctionTable;
DWORD GuardCFFunctionCount;
DWORD GuardFlags; // IMAGE_GUARD_* bits
// Threshold 2 (1511)
struct // _IMAGE_LOAD_CONFIG_CODE_INTEGRITY
{
WORD Flags;
WORD Catalog;
DWORD CatalogOffset;
DWORD Reserved;
} CodeIntegrity;
// Redstone 1 (1607)
DWORD GuardAddressTakenIatEntryTable;
DWORD GuardAddressTakenIatEntryCount;
DWORD GuardLongJumpTargetTable;
DWORD GuardLongJumpTargetCount;
//
DWORD DynamicValueRelocTable;
DWORD CHPEMetadataPointer;
// Redstone 2 (1703)
DWORD GuardRFFailureRoutine;
DWORD GuardRFFailureRoutineFunctionPointer;
DWORD DynamicValueRelocTableOffset;
WORD DynamicValueRelocTableSection;
WORD Reserved2;
//
DWORD GuardRFVerifyStackPointerFunctionPointer;
DWORD HotPatchTableOffset;
// Redstone 3 (1709)
DWORD Reserved3;
DWORD EnclaveConfigurationPointer;
// Redstone 4 (1803)
DWORD VolatileMetadataPointer;
// Redstone 5 (1809)
DWORD GuardEHContinuationTable;
DWORD GuardEHContinuationCount;
// Vanadium 1 (1903)
// Vanadium 2 (1909)
// Vibranium 1 (2004)
// Vibranium 2 (20H2)
// Vibranium 3 (21H1)
DWORD GuardXFGCheckFunctionPointer;
DWORD GuardXFGDispatchFunctionPointer;
DWORD GuardXFGTableDispatchFunctionPointer;
// Vibranium 4 (21H2)
DWORD CastGuardOsDeterminedFailureMode;
// Vibranium 5 (22H2)
DWORD GuardMemcpyFunctionPointer;
} IMAGE_LOAD_CONFIGURATION_DIRECTORY32, *LPIMAGE_LOAD_CONFIGURATION_DIRECTORY32, *PIMAGE_LOAD_CONFIGURATION_DIRECTORY32;
// Load configuration directory of a 64-bit (PE32+) image. It has the members
// of the 32-bit structure with addresses and counts widened to DWORD64; note
// that ProcessAffinityMask precedes ProcessHeapFlags here, the reverse of the
// 32-bit order. Size, the first member, is the length stored in the image, so
// an image built with older tools holds only a prefix of the structure.
// NOTE(review): the code that reads this structure is outside this part of
// the file - confirm it compares Size with the offset of every member before
// reading it, otherwise bytes following the directory are decoded as members.
typedef struct _IMAGE_LOAD_CONFIGURATION_DIRECTORY64
{
DWORD Size;
DWORD TimeDateStamp;
WORD MajorVersion;
WORD MinorVersion;
DWORD GlobalFlagsClear;
DWORD GlobalFlagsSet;
DWORD CriticalSectionDefaultTimeout;
DWORD64 DeCommitFreeBlockThreshold;
DWORD64 DeCommitTotalFreeThreshold;
DWORD64 LockPrefixTable;
DWORD64 MaximumAllocationSize;
DWORD64 VirtualMemoryThreshold;
DWORD64 ProcessAffinityMask;
DWORD ProcessHeapFlags;
WORD CSDVersion;
// The same 16 bits under their former and their current name; the current
// name is the one compiled.
#if 0
WORD Reserved1;
#else
WORD DependentLoadFlags;
#endif
DWORD64 EditList;
DWORD64 SecurityCookie;
DWORD64 SEHandlerTable;
DWORD64 SEHandlerCount;
// Threshold 1 (1507)
DWORD64 GuardCFCheckFunctionPointer;
DWORD64 GuardCFDispatchFunctionPointer;
DWORD64 GuardCFFunctionTable;
DWORD64 GuardCFFunctionCount;
DWORD GuardFlags; // IMAGE_GUARD_* bits
// Threshold 2 (1511)
struct // _IMAGE_LOAD_CONFIG_CODE_INTEGRITY
{
WORD Flags;
WORD Catalog;
DWORD CatalogOffset;
DWORD Reserved;
} CodeIntegrity;
// Redstone 1 (1607)
DWORD64 GuardAddressTakenIatEntryTable;
DWORD64 GuardAddressTakenIatEntryCount;
DWORD64 GuardLongJumpTargetTable;
DWORD64 GuardLongJumpTargetCount;
//
DWORD64 DynamicValueRelocTable;
DWORD64 CHPEMetadataPointer;
// Redstone 2 (1703)
DWORD64 GuardRFFailureRoutine;
DWORD64 GuardRFFailureRoutineFunctionPointer;
DWORD DynamicValueRelocTableOffset;
WORD DynamicValueRelocTableSection;
WORD Reserved2;
//
DWORD64 GuardRFVerifyStackPointerFunctionPointer;
DWORD HotPatchTableOffset;
// Redstone 3 (1709)
DWORD Reserved3;
DWORD64 EnclaveConfigurationPointer;
// Redstone 4 (1803)
DWORD64 VolatileMetadataPointer;
// Redstone 5 (1809)
DWORD64 GuardEHContinuationTable;
DWORD64 GuardEHContinuationCount;
// Vanadium 1 (1903)
// Vanadium 2 (1909)
// Vibranium 1 (2004)
// Vibranium 2 (20H2)
// Vibranium 3 (21H1)
DWORD64 GuardXFGCheckFunctionPointer;
DWORD64 GuardXFGDispatchFunctionPointer;
DWORD64 GuardXFGTableDispatchFunctionPointer;
// Vibranium 4 (21H2)
DWORD64 CastGuardOsDeterminedFailureMode;
// Vibranium 5 (22H2)
DWORD64 GuardMemcpyFunctionPointer;
} IMAGE_LOAD_CONFIGURATION_DIRECTORY64, *LPIMAGE_LOAD_CONFIGURATION_DIRECTORY64, *PIMAGE_LOAD_CONFIGURATION_DIRECTORY64;
// Resource type identifiers that the SDK headers may not define; they are
// decoded by ResourceTypeName().
#ifndef RT_MENUEX
#define RT_MENUEX MAKEINTRESOURCE(13)
#endif
#ifndef RT_NAMETABLE
#define RT_NAMETABLE MAKEINTRESOURCE(15)
#endif
#ifndef RT_DIALOGEX
#define RT_DIALOGEX MAKEINTRESOURCE(18)
#endif
#ifndef RT_DLGINIT
#define RT_DLGINIT MAKEINTRESOURCE(240)
#endif
#ifndef RT_TOOLBAR
#define RT_TOOLBAR MAKEINTRESOURCE(241)
#endif
#ifndef RT_LOCALE
#define RT_LOCALE MAKEINTRESOURCE(255)
#endif
// Certificate type of an attribute certificate entry, decoded by
// CertificateTypeName().
#ifndef WIN_CERT_TYPE_PKCS1_SIGN
#define WIN_CERT_TYPE_PKCS1_SIGN 0x0009
#endif
// COFF string table: a 32-bit size followed by the string data.
// Strings is declared with ANYSIZE_ARRAY; its real extent comes from the file.
// NOTE(review): Size is read from the file - presumably it has to be checked
// against the file size before Strings is indexed; verify at the point of use.
typedef struct _COFFStringTable
{
DWORD Size;
CHAR Strings[ANYSIZE_ARRAY];
} COFFStringTable;
// CodeView debug record in the older "NB10" format, which names the program
// database (PDB) file of the image.
// NOTE(review): PdbFileName comes from the file; nothing in this declaration
// guarantees it is NUL-terminated inside the debug data - verify the reader
// bounds it.
typedef struct _CV_INFO_PDB20
{
DWORD Magic; // '01BN' = "NB10"
DWORD Offset;
DWORD Signature; // seconds since 1970-01-01
DWORD Age;
CHAR PdbFileName[ANYSIZE_ARRAY];
} CV_INFO_PDB20, *LPCV_INFO_PDB20, *PCV_INFO_PDB20;
// CodeView debug record in the "RSDS" format: a GUID signature and an age
// identify the matching program database (PDB) file, whose name follows.
// NOTE(review): PdbFileName comes from the file; nothing in this declaration
// guarantees it is NUL-terminated inside the debug data - verify the reader
// bounds it.
typedef struct _CV_INFO_PDB70
{
DWORD Magic; // 'SDSR' = "RSDS"
GUID Signature;
DWORD Age;
CHAR PdbFileName[ANYSIZE_ARRAY];
} CV_INFO_PDB70, *LPCV_INFO_PDB70, *PCV_INFO_PDB70;
// Debug data of type IMAGE_DEBUG_TYPE_POGO: a magic number followed by
// entries that give address, size and name of a part of the image.
// Both arrays are declared with ANYSIZE_ARRAY, so sizeof(Entries[0]) does not
// reflect the real length of an entry.
// NOTE(review): because Section is of variable length, Entries[i] with i > 0
// presumably cannot be used to reach later entries; the reader has to step by
// the real entry length and stay inside the size of the debug data - verify.
typedef struct _POGO
{
DWORD Magic; // 'LTCG' = "GCTL"
struct
{
DWORD Address;
DWORD Size;
CHAR Section[ANYSIZE_ARRAY];
} Entries[ANYSIZE_ARRAY];
} POGO, *LPPOGO, *PPOGO;
// Formats a message printf-style and writes it to a console handle.
//
// hConsole  console handle that receives the text
// lpFormat  format string for wvsprintf(), followed by its arguments
//
// Returns TRUE only when at least one character was produced and
// WriteConsole() wrote all of them.
//
// The text is built in a stack buffer of 1024 WCHARs, and wvsprintf() takes
// no buffer length. __declspec(safebuffers) turns the compiler's buffer
// security check (/GS) off for this function.
// NOTE(review): this relies on wvsprintf() never producing more than the
// buffer holds - confirm, since arguments such as the file name from the
// command line can be long.
__declspec(safebuffers)
BOOL PrintConsole(HANDLE hConsole, [SA_FormatString(Style="printf")] LPCWSTR lpFormat, ...)
{
    WCHAR szOutput[1024];
    DWORD dwOutput;
    DWORD dwConsole;
    va_list vaInput;

    va_start(vaInput, lpFormat);
    dwOutput = wvsprintf(szOutput, lpFormat, vaInput);
    va_end(vaInput);

    // Nothing formatted, a failed write and a short write all count as failure.
    return (dwOutput != 0)
        && WriteConsole(hConsole, szOutput, dwOutput, &dwConsole, NULL)
        && (dwConsole == dwOutput);
}
// Formats a message printf-style and writes it as UTF-16 to a file handle.
//
// hFile     handle that receives the text
// lpFormat  format string for wvsprintf(), followed by its arguments
//
// Returns FALSE when no character was produced or when WriteFile() fails,
// TRUE once every byte has been written.
//
// The text is built in a stack buffer of 1024 WCHARs, and wvsprintf() takes
// no buffer length. __declspec(safebuffers) turns the compiler's buffer
// security check (/GS) off for this function.
// NOTE(review): this relies on wvsprintf() never producing more than the
// buffer holds - confirm, since strings read from the inspected file are
// among the arguments.
__declspec(safebuffers)
BOOL PrintFormat(HANDLE hFile, [SA_FormatString(Style="printf")] LPCWSTR lpFormat, ...)
{
    WCHAR szOutput[1024];
    LPBYTE lpCursor = (LPBYTE) szOutput;
    DWORD dwRemaining;
    DWORD dwWritten;
    va_list vaInput;

    va_start(vaInput, lpFormat);
    dwRemaining = wvsprintf(szOutput, lpFormat, vaInput);
    va_end(vaInput);

    if (dwRemaining == 0)
        return FALSE;

    // From here on the count is in bytes, not characters.
    dwRemaining *= sizeof(*szOutput);

    // WriteFile() may write less than requested: continue after the part
    // already written until nothing is left.
    for (;;)
    {
        if (!WriteFile(hFile, lpCursor, dwRemaining, &dwWritten, (LPOVERLAPPED) NULL))
            return FALSE;

        lpCursor += dwWritten;
        dwRemaining -= dwWritten;

        if (dwRemaining == 0)
            return TRUE;
    }
}
// Writes a wide string literal without formatting; the length is computed at
// compile time from the size of the literal, less its terminating NUL.
// Use it with literals only: for a pointer, sizeof yields the pointer size.
#define PrintString(HANDLE, LITERAL) PrintDirect(HANDLE, LITERAL, sizeof(LITERAL) / sizeof(*LITERAL) - 1UL)

// Writes dwString wide characters, starting at lpString, to a file handle.
//
// hFile     handle that receives the text
// lpString  first character to write; need not be NUL-terminated
// dwString  number of characters (not bytes) to write
//
// Returns FALSE as soon as WriteFile() fails, TRUE once everything has been
// written. WriteFile() is called once even when dwString is 0.
// The caller is responsible for dwString characters being readable at
// lpString; nothing is checked here.
__inline
BOOL WINAPI PrintDirect(HANDLE hFile, LPCWSTR lpString, DWORD dwString)
{
    DWORD dwWritten;
    DWORD dwRemaining = dwString;

    // From here on the count is in bytes, not characters.
    dwRemaining *= sizeof(*lpString);

    for (;;)
    {
        if (!WriteFile(hFile, lpString, dwRemaining, &dwWritten, (LPOVERLAPPED) NULL))
            return FALSE;

        // Advance by bytes, as WriteFile() may write less than requested.
        lpString = (LPCWSTR) ((LPBYTE) lpString + dwWritten);
        dwRemaining -= dwWritten;

        if (dwRemaining == 0)
            return TRUE;
    }
}
// Maps a WIN_CERT_TYPE_* value to a display name.
//
// wType  certificate type to decode
//
// Returns a pointer to a constant string; values without a name yield
// L"<undefined>", never NULL.
LPCWSTR WINAPI CertificateTypeName(WORD wType)
{
    LPCWSTR lpName;

    switch (wType)
    {
    case WIN_CERT_TYPE_X509:             lpName = L"X.509"; break;
    case WIN_CERT_TYPE_PKCS_SIGNED_DATA: lpName = L"PKCS"; break;
    case WIN_CERT_TYPE_RESERVED_1:       lpName = L"(reserved)"; break;
    case WIN_CERT_TYPE_TS_STACK_SIGNED:  lpName = L"Terminal Server"; break;
    case WIN_CERT_TYPE_PKCS1_SIGN:       lpName = L"PKCS1_MODULE_SIGN"; break;
    default:                             lpName = L"<undefined>"; break;
    }

    return lpName;
}
// Maps an IMAGE_DEBUG_TYPE_* value to a display name.
//
// dwType  debug type to decode
//
// Returns a pointer to a constant string; values without a name yield
// L"<undefined>", never NULL.
LPCWSTR WINAPI DebugTypeName(DWORD dwType)
{
    LPCWSTR lpName;

    switch (dwType)
    {
    case IMAGE_DEBUG_TYPE_UNKNOWN:       lpName = L"Unknown"; break;
    case IMAGE_DEBUG_TYPE_COFF:          lpName = L"COFF"; break;
    case IMAGE_DEBUG_TYPE_CODEVIEW:      lpName = L"Codeview"; break;
    case IMAGE_DEBUG_TYPE_FPO:           lpName = L"Frame pointer omission"; break;
    case IMAGE_DEBUG_TYPE_MISC:          lpName = L"Misc"; break;
    case IMAGE_DEBUG_TYPE_EXCEPTION:     lpName = L"Exception"; break;
    case IMAGE_DEBUG_TYPE_FIXUP:         lpName = L"Fixup"; break;
    case IMAGE_DEBUG_TYPE_OMAP_TO_SRC:   lpName = L"OMAP to source"; break;
    case IMAGE_DEBUG_TYPE_OMAP_FROM_SRC: lpName = L"OMAP from source"; break;
    case IMAGE_DEBUG_TYPE_BORLAND:       lpName = L"Borland"; break;
    case IMAGE_DEBUG_TYPE_RESERVED10:    lpName = L"Reserved"; break;
    case IMAGE_DEBUG_TYPE_CLSID:         lpName = L"CLSID"; break;
    case IMAGE_DEBUG_TYPE_VC_FEATURE:    lpName = L"VC feature"; break;
    case IMAGE_DEBUG_TYPE_POGO:          lpName = L"Profile guided optimization"; break;
    case IMAGE_DEBUG_TYPE_ILTCG:         lpName = L"Link time code generation"; break;
    case IMAGE_DEBUG_TYPE_MPX:           lpName = L"MPX"; break;
    case IMAGE_DEBUG_TYPE_REPRO:         lpName = L"Repro"; break;
    default:                             lpName = L"<undefined>"; break;
    }

    return lpName;
}
// Maps an IMAGE_FILE_MACHINE_* value (the Machine member of the file header)
// to a display name. Two values without a symbolic name, 0x0160 and 0x0601,
// are decoded as well.
//
// wMachine  machine type to decode
//
// Returns a pointer to a constant string; values without a name yield
// L"<undefined>", never NULL.
LPCWSTR WINAPI MachineTypeName(WORD wMachine)
{
    LPCWSTR lpName;

    switch (wMachine)
    {
    case IMAGE_FILE_MACHINE_UNKNOWN: // 0x0000
        lpName = L"Unknown"; break;
    case IMAGE_FILE_MACHINE_TARGET_HOST: // 0x0001
        lpName = L"Target host"; break;
    case IMAGE_FILE_MACHINE_I386: // 0x014C
        lpName = L"Intel IA-32"; break;
    case IMAGE_FILE_MACHINE_I860: // 0x014D
        lpName = L"Intel i860"; break;
    case 0x0160:
        lpName = L"MIPS R3000, big-endian"; break;
    case IMAGE_FILE_MACHINE_R3000: // 0x0162
        lpName = L"MIPS R3000, little-endian"; break;
    case IMAGE_FILE_MACHINE_R4000: // 0x0166
        lpName = L"MIPS R4000, little-endian"; break;
    case IMAGE_FILE_MACHINE_R10000: // 0x0168
        lpName = L"MIPS R10000, little-endian"; break;
    case IMAGE_FILE_MACHINE_WCEMIPSV2: // 0x0169
        lpName = L"MIPS, little-endian, Windows CE v2"; break;
    case IMAGE_FILE_MACHINE_ALPHA: // 0x0184
        lpName = L"DEC Alpha AXP"; break;
    case IMAGE_FILE_MACHINE_SH3: // 0x01A2
        lpName = L"Hitachi SuperH 3, little-endian"; break;
    case IMAGE_FILE_MACHINE_SH3DSP: // 0x01A3
        lpName = L"Hitachi SuperH 3 with DSP"; break;
    case IMAGE_FILE_MACHINE_SH3E: // 0x01A4
        lpName = L"Hitachi SuperH 3E, little-endian"; break;
    case IMAGE_FILE_MACHINE_SH4: // 0x01A6
        lpName = L"Hitachi SuperH 4, little-endian"; break;
    case IMAGE_FILE_MACHINE_SH5: // 0x01A8
        lpName = L"Hitachi SuperH 5"; break;
    case IMAGE_FILE_MACHINE_ARM: // 0x01C0
        lpName = L"ARM, little-endian"; break;
    case IMAGE_FILE_MACHINE_THUMB: // 0x01C2
        lpName = L"ARM Thumb, little-endian"; break;
    case IMAGE_FILE_MACHINE_ARMNT: // 0x01C4
        lpName = L"ARM Thumb-2, little-endian"; break;
    case IMAGE_FILE_MACHINE_AM33: // 0x01D3
        lpName = L"Matsushita AM33"; break;
    case IMAGE_FILE_MACHINE_POWERPC: // 0x01F0
        lpName = L"IBM PowerPC, little-endian"; break;
    case IMAGE_FILE_MACHINE_POWERPCFP: // 0x01F1
        lpName = L"IBM PowerPC with FPU"; break;
    case IMAGE_FILE_MACHINE_IA64: // 0x0200
        lpName = L"Intel IA-64"; break;
    case IMAGE_FILE_MACHINE_MIPS16: // 0x0266
        lpName = L"MIPS, 16-bit instructions"; break;
    case IMAGE_FILE_MACHINE_M68K: // 0x0268
        lpName = L"Motorola MC68000"; break;
    case IMAGE_FILE_MACHINE_ALPHA64: // 0x0284
 // case IMAGE_FILE_MACHINE_AXP64:
        lpName = L"DEC Alpha AXP64"; break;
    case IMAGE_FILE_MACHINE_PARISC: // 0x0290
        lpName = L"Hewlett-Packard PA-RISC"; break;
    case IMAGE_FILE_MACHINE_MIPSFPU: // 0x0366
        lpName = L"MIPS with FPU"; break;
    case IMAGE_FILE_MACHINE_MIPSFPU16: // 0x0466
        lpName = L"MIPS with FPU, 16-bit instructions"; break;
    case IMAGE_FILE_MACHINE_TRICORE: // 0x0520
        lpName = L"Infineon TriCore"; break;
    case 0x0601:
        lpName = L"Motorola PowerPC 601"; break;
    case IMAGE_FILE_MACHINE_CEF: // 0x0CEF
        lpName = L"CEF"; break;
    case IMAGE_FILE_MACHINE_EBC: // 0x0EBC
        lpName = L"EFI Byte Code"; break;
    case IMAGE_FILE_MACHINE_CHPE_X86: // 0x3A64
        lpName = L"Compiled Hybrid PE"; break;
    case IMAGE_FILE_MACHINE_RISCV32: // 0x5032
        lpName = L"RISC-V, 32-bit address space"; break;
    case IMAGE_FILE_MACHINE_RISCV64: // 0x5064
        lpName = L"RISC-V, 64-bit address space"; break;
    case IMAGE_FILE_MACHINE_RISCV128: // 0x5128
        lpName = L"RISC-V, 128-bit address space"; break;
    case IMAGE_FILE_MACHINE_LOONGARCH32: // 0x6232
        lpName = L"LoongArch, 32-bit"; break;
    case IMAGE_FILE_MACHINE_LOONGARCH64: // 0x6264
        lpName = L"LoongArch, 64-bit"; break;
    case IMAGE_FILE_MACHINE_AMD64: // 0x8664
        lpName = L"AMD64"; break;
    case IMAGE_FILE_MACHINE_M32R: // 0x9041
        lpName = L"Mitsubishi M32R, little-endian"; break;
    case IMAGE_FILE_MACHINE_ARM64: // 0xAA64
        lpName = L"ARMv8, 64-bit mode, little-endian"; break;
    case IMAGE_FILE_MACHINE_CEE: // 0xC0EE
        lpName = L"CEE"; break;
    default:
        lpName = L"<undefined>"; break;
    }

    return lpName;
}
// Maps an IMAGE_SUBSYSTEM_* value to a display name.
//
// wSubsystem  subsystem to decode
//
// Returns a pointer to a constant string; values without a name yield
// L"<undefined>", never NULL.
LPCWSTR WINAPI SubsystemName(WORD wSubsystem)
{
    LPCWSTR lpName;

    switch (wSubsystem)
    {
    case IMAGE_SUBSYSTEM_UNKNOWN:                  lpName = L"Unknown"; break;
    case IMAGE_SUBSYSTEM_NATIVE:                   lpName = L"Native"; break;
    case IMAGE_SUBSYSTEM_WINDOWS_GUI:              lpName = L"Windows GUI"; break;
    case IMAGE_SUBSYSTEM_WINDOWS_CUI:              lpName = L"Windows CUI"; break;
    case IMAGE_SUBSYSTEM_OS2_CUI:                  lpName = L"OS/2 CUI"; break;
    case IMAGE_SUBSYSTEM_POSIX_CUI:                lpName = L"POSIX CUI"; break;
    case IMAGE_SUBSYSTEM_NATIVE_WINDOWS:           lpName = L"Native Windows 9x driver"; break;
    case IMAGE_SUBSYSTEM_WINDOWS_CE_GUI:           lpName = L"Windows CE"; break;
    case IMAGE_SUBSYSTEM_EFI_APPLICATION:          lpName = L"EFI application"; break;
    case IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER:  lpName = L"EFI driver with boot services"; break;
    case IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER:       lpName = L"EFI driver with run-time services"; break;
    case IMAGE_SUBSYSTEM_EFI_ROM:                  lpName = L"EFI ROM image"; break;
    case IMAGE_SUBSYSTEM_XBOX:                     lpName = L"Xbox"; break;
    case IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION: lpName = L"Boot application"; break;
    case IMAGE_SUBSYSTEM_XBOX_CODE_CATALOG:        lpName = L"Xbox code catalog"; break;
    default:                                       lpName = L"<undefined>"; break;
    }

    return lpName;
}
// Maps a numeric resource type to the name of its RT_* constant.
//
// wResType  resource type id to decode
//
// Returns a pointer to a constant string, or NULL for an id without a name.
// Unlike the other *Name() functions here, which return L"<undefined>", the
// fallback is NULL, so the result must not be used as a string unchecked.
// NOTE(review): the case labels are RT_* constants, which the SDK builds with
// MAKEINTRESOURCE(), while the switch operand is a WORD - confirm the
// compiler in use accepts them as case labels.
LPCWSTR WINAPI ResourceTypeName(WORD wResType)
{
    LPCWSTR lpName;

    switch (wResType)
    {
    case RT_CURSOR: // MAKEINTRESOURCE(1)
        lpName = L"RT_CURSOR"; break;
    case RT_BITMAP: // MAKEINTRESOURCE(2)
        lpName = L"RT_BITMAP"; break;
    case RT_ICON: // MAKEINTRESOURCE(3)
        lpName = L"RT_ICON"; break;
    case RT_MENU: // MAKEINTRESOURCE(4)
        lpName = L"RT_MENU"; break;
    case RT_DIALOG: // MAKEINTRESOURCE(5)
        lpName = L"RT_DIALOG"; break;
    case RT_STRING: // MAKEINTRESOURCE(6)
#if 1
        lpName = L"RT_STRING";
#else
        lpName = L"RT_STRINGTABLE";
#endif
        break;
    case RT_FONTDIR: // MAKEINTRESOURCE(7)
        lpName = L"RT_FONTDIR"; break;
    case RT_FONT: // MAKEINTRESOURCE(8)
        lpName = L"RT_FONT"; break;
    case RT_ACCELERATOR: // MAKEINTRESOURCE(9)
        lpName = L"RT_ACCELERATOR"; break;
    case RT_RCDATA: // MAKEINTRESOURCE(10)
        lpName = L"RT_RCDATA"; break;
    case RT_MESSAGETABLE: // MAKEINTRESOURCE(11)
        lpName = L"RT_MESSAGETABLE"; break;
    case RT_GROUP_CURSOR: // MAKEINTRESOURCE(12)
        lpName = L"RT_GROUP_CURSOR"; break;
    case RT_MENUEX: // MAKEINTRESOURCE(13)
        lpName = L"RT_MENUEX"; break;
    case RT_GROUP_ICON: // MAKEINTRESOURCE(14)
        lpName = L"RT_GROUP_ICON"; break;
    case RT_NAMETABLE: // MAKEINTRESOURCE(15)
        lpName = L"RT_NAMETABLE"; break;
    case RT_VERSION: // MAKEINTRESOURCE(16)
        lpName = L"RT_VERSION"; break;
    case RT_DLGINCLUDE: // MAKEINTRESOURCE(17)
        lpName = L"RT_DLGINCLUDE"; break;
    case RT_DIALOGEX: // MAKEINTRESOURCE(18)
        lpName = L"RT_DIALOGEX"; break;
    case RT_PLUGPLAY: // MAKEINTRESOURCE(19)
        lpName = L"RT_PLUGPLAY"; break;
    case RT_VXD: // MAKEINTRESOURCE(20)
        lpName = L"RT_VXD"; break;
    case RT_ANICURSOR: // MAKEINTRESOURCE(21)
        lpName = L"RT_ANICURSOR"; break;
    case RT_ANIICON: // MAKEINTRESOURCE(22)
        lpName = L"RT_ANIICON"; break;
    case RT_HTML: // MAKEINTRESOURCE(23)
        lpName = L"RT_HTML"; break;
    case RT_MANIFEST: // MAKEINTRESOURCE(24)
        lpName = L"RT_MANIFEST"; break;
    case RT_DLGINIT: // MAKEINTRESOURCE(240)
        lpName = L"RT_DLGINIT"; break;
    case RT_TOOLBAR: // MAKEINTRESOURCE(241)
        lpName = L"RT_TOOLBAR"; break;
    case RT_LOCALE: // MAKEINTRESOURCE(255)
        lpName = L"RT_LOCALE"; break;
    default:
        lpName = NULL; break;
    }

    return lpName;
}
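// Prints one level of a resource directory tree and recurses into its
// subdirectories.
//
// hOutput  handle that receives the listing
// lpRoot   start of the resource directory; every offset stored in an entry
//          is relative to it
// lpLevel  directory whose entries are printed by this call
// dwLevel  depth of lpLevel: 0 = resource type, 1 = name or id, 2 = language
//
// Returns TRUE when all output was written, FALSE when any write failed.
//
// The tree is read from the inspected file and is untrusted. A directory
// entry can point to any directory, including one of its own ancestors, so
// unlimited recursion would exhaust the stack on a malformed file; in
// addition the indentation below is computed from dwLevel and steps in front
// of the string literals once dwLevel exceeds 2. A directory below the
// language level is therefore reported and not entered.
// NOTE(review): Name and OffsetToData are added to lpRoot without comparing
// them with the size of the resource directory. This function receives no
// size, so that check needs a bound supplied by the caller.
BOOL WINAPI Resource(HANDLE hOutput,
                     IMAGE_RESOURCE_DIRECTORY *lpRoot,
                     IMAGE_RESOURCE_DIRECTORY *lpLevel,
                     DWORD dwLevel) // 0, 1, 2
{
    BOOL bOutput = TRUE;
    DWORD dwEntry;
    IMAGE_RESOURCE_DIRECTORY_ENTRY *lpEntry;
    IMAGE_RESOURCE_DIR_STRING_U *lpUnicode;
    IMAGE_RESOURCE_DATA_ENTRY *lpData;

    // Well-formed trees have exactly three levels; refuse to go deeper.
    if (dwLevel > 2)
        return PrintString(hOutput, L"\t\t\t\t\tDirectory below language level not decoded!\r\n");

    // The entries follow the directory header; named entries come first.
    for (lpEntry = (IMAGE_RESOURCE_DIRECTORY_ENTRY *) (lpLevel + 1),
         dwEntry = lpLevel->NumberOfNamedEntries + lpLevel->NumberOfIdEntries;
         dwEntry > 0;
         dwEntry--,
         lpEntry++)
    {
        if ((lpEntry->Name & IMAGE_RESOURCE_NAME_IS_STRING) == IMAGE_RESOURCE_NAME_IS_STRING)
        {
            // Named entry: the remaining bits are the offset of a counted,
            // not NUL-terminated UTF-16 string.
            lpUnicode = (IMAGE_RESOURCE_DIR_STRING_U *) ((BYTE *) lpRoot + (lpEntry->Name ^ IMAGE_RESOURCE_NAME_IS_STRING));
            // Skipping (2 - dwLevel) leading tabs indents by level.
            // NOTE(review): the explicit length must equal what is left of
            // the literal after the skipped tabs - confirm against the
            // literal's exact spacing.
            bOutput &= PrintDirect(hOutput, L"\t\t\t\tName = " + 2 - dwLevel, dwLevel + 11);
            bOutput &= PrintDirect(hOutput, lpUnicode->NameString, lpUnicode->Length);
            bOutput &= PrintString(hOutput, L"\r\n");
            bOutput &= PrintFormat(hOutput, L"\t\t\t\tOffset = 0x%08lX\r\n" + 2 - dwLevel, lpEntry->OffsetToData);
        }
        else if (dwLevel > 1)
            bOutput &= PrintFormat(hOutput,
                                   L"\t\t\t\tLanguage = %hu\r\n"
                                   L"\t\t\t\tOffset = 0x%08lX\r\n",
                                   lpEntry->Id,
                                   lpEntry->OffsetToData);
        else if (dwLevel > 0)
            bOutput &= PrintFormat(hOutput,
                                   L"\t\t\tId = %hu\r\n"
                                   L"\t\t\tOffset = 0x%08lX\r\n",
                                   lpEntry->Id,
                                   lpEntry->OffsetToData);
        else
            // NOTE(review): ResourceTypeName() returns NULL for a type id it
            // does not know - confirm how wvsprintf() treats a NULL argument
            // for %ls.
            bOutput &= PrintFormat(hOutput,
                                   L"\t\tType = %hu (%ls)\r\n"
                                   L"\t\tOffset = 0x%08lX\r\n",
                                   lpEntry->Id, ResourceTypeName(lpEntry->Id),
                                   lpEntry->OffsetToData);

        if ((lpEntry->OffsetToData & IMAGE_RESOURCE_DATA_IS_DIRECTORY) == IMAGE_RESOURCE_DATA_IS_DIRECTORY)
            // Subdirectory: the depth check at the top of the callee bounds
            // the recursion.
            bOutput &= Resource(hOutput,
                                lpRoot,
                                (IMAGE_RESOURCE_DIRECTORY *) ((BYTE *) lpRoot + (lpEntry->OffsetToData ^ IMAGE_RESOURCE_DATA_IS_DIRECTORY)),
                                dwLevel + 1);
        else
        {
            // Leaf: a data entry that describes the resource itself.
            lpData = (IMAGE_RESOURCE_DATA_ENTRY *) ((BYTE *) lpRoot + lpEntry->OffsetToData);
            bOutput &= PrintFormat(hOutput,
                                   L"\t\t\t\t\tAddress = 0x%08lX\r\n"
                                   L"\t\t\t\t\tSize = %lu\r\n"
                                   L"\t\t\t\t\tCode Page = %lu\r\n"
                                   L"\t\t\t\t\tReserved = 0x%08lX\r\n",
                                   lpData->OffsetToData,
                                   lpData->Size,
                                   lpData->CodePage,
                                   lpData->Reserved);
        }
    }

    return bOutput;
}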
// Display names of the data directories, one per element, in the order of
// the IMAGE_DIRECTORY_ENTRY_* indexes (0 = Export ... 15 = Reserved).
// NOTE(review): the array has IMAGE_NUMBEROF_DIRECTORY_ENTRIES elements;
// an index taken from the file's NumberOfRvaAndSizes presumably has to be
// limited to that before it is used here - the use is outside this part of
// the file.
const LPCWSTR szDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES] = {L"Export",
L"Import",
L"Resource",
L"Exception Handler",
L"Security",
L"Base Relocation",
L"Debug",
L"Architecture",
L"Global Pointer",
L"Thread Local Storage",
L"Load Configuration",
L"Bound Import",
L"Import Address Table",
L"Delay Load Import",
L"COM+ Descriptor",
L"Reserved"};
// Translates a relative virtual address (RVA) into a pointer into the file
// by means of the section table.
//
// lpImage      address the file offset is added to
// lpSection    first of dwSection section headers
// dwSection    number of section headers
// dwRVA        address to translate
// dwDirectory  data directory index, used only in the error message
// hConsole     console handle that receives the error message
//
// Returns the pointer that corresponds to dwRVA in the first section whose
// raw data covers it, or NULL after printing a message when no section does.
//
// NOTE(review): all section fields come from the inspected file. The result
// is not compared with the size of the file, so a section whose
// PointerToRawData or SizeOfRawData reaches beyond the end of the file
// yields a pointer outside it; this function receives no size, so that check
// needs a bound supplied by the caller.
LPVOID WINAPI RVA2Image(BYTE *lpImage,
                        IMAGE_SECTION_HEADER *lpSection,
                        DWORD dwSection,
                        DWORD dwRVA,
                        DWORD dwDirectory,
                        HANDLE hConsole)
{
    DWORD dwIndex;

    for (dwIndex = 0; dwIndex < dwSection; dwIndex++)
    {
        IMAGE_SECTION_HEADER *lpCurrent = lpSection + dwIndex;

        // Skip every section that starts above or ends at or below the RVA.
        if (dwRVA < lpCurrent->VirtualAddress)
            continue;
        if (dwRVA >= lpCurrent->VirtualAddress + lpCurrent->SizeOfRawData)
            continue;

        // Offset within the section, moved to where its raw data lies.
        return lpImage + dwRVA - lpCurrent->VirtualAddress + lpCurrent->PointerToRawData;
    }

    PrintConsole(hConsole,
                 L"RVA 0x%08lX in IMAGE_DATA_DIRECTORY[%lu] outside of COFF sections!\n",
                 dwRVA, dwDirectory);
    return NULL;
}
// Names of the days of the week, indexed by SYSTEMTIME.wDayOfWeek
// (0 = Sunday ... 6 = Saturday).
const LPCWSTR szDayOfWeek[7] = {L"Sunday",
L"Monday",
L"Tuesday",
L"Wednesday",
L"Thursday",
L"Friday",
L"Saturday"};
// Names of the base relocation types, one per element; elements without a
// name are NULL. Some numbers mean different things depending on the
// machine, as the comments on those elements say.
// NOTE(review): presumably indexed by the 4-bit type field of a relocation
// entry, which is why there are 16 elements; the NULL elements must not be
// printed as strings unchecked - verify at the point of use.
const LPCWSTR szRelocation[16] = {L"ABSOLUTE",
L"HIGH",
L"LOW",
L"HIGHLOW",
L"HIGHADJ",
L"ARM_MOV32", // also L"MIPS_JMPADDR" or L"RISCV_HIGH20"
L"SECTION",
L"THUMB_MOV32", // also L"REL32" or L"RISCV_LOW12I"
L"RISCV_LOW12S", // also L"LOONGARCH32_MARK_LA" or L"LOONGARCH64_MARK_LA"
L"IA64_IMM64", // also L"MIPS_JMPADDR16"
L"DIR64",
L"HIGH3ADJ",
NULL,
NULL,
NULL,
NULL};
// Descriptions of the global flags, one element per bit of a 32-bit value;
// bits without a description are NULL.
// NOTE(review): presumably indexed by bit number (element 0 = bit 0) to
// decode GlobalFlagsClear and GlobalFlagsSet of the load configuration
// directory; the NULL elements must not be printed as strings unchecked -
// verify at the point of use.
const LPCWSTR szGlobalFlags[32] = {L"Stop on exception",
L"Show loader snaps",
NULL,
NULL,
L"Enable heap tail checking",
L"Enable heap free checking",
L"Enable heap parameter checking",
L"Enable heap validation on call",
L"Enable application verifier",
L"Enable silent process exit monitoring",
NULL,
L"Enable heap tagging",
L"Create user mode stack trace database",
NULL,
NULL,
L"Enable heap tagging by DLL",
L"Disable stack extension",
NULL,
NULL,
NULL,
L"Enable system critical breaks",
L"Disable heap coalesce on free",
L"Enable close exception",
NULL,
NULL,
L"Enable page heap",
NULL,
L"Buffer DbgPrint output",
L"Early critical section event creation",
L"Stop on unhandled user-mode exception",
L"Enable bad handles detection",
L"Disable protected DLL verification"};
// Only when RDN is defined at build time: string type flags that select the
// X.500 name format with the components in reverse order.
// NOTE(review): presumably passed to CertNameToStr() when the signer of the
// image is printed - the use is outside this part of the file.
#ifdef RDN
const DWORD dwStrType = CERT_NAME_STR_REVERSE_FLAG | CERT_X500_NAME_STR;
#endif
__declspec(noreturn)
VOID WINAPI wmainCRTStartup(VOID)
{
IMAGE_DOS_HEADER *lpMZ;
IMAGE_NT_HEADERS *lpPE;
IMAGE_NT_HEADERS32 *lpPE32;
IMAGE_NT_HEADERS64 *lpPE64;
IMAGE_SECTION_HEADER *lpSection;
IMAGE_SECTION_HEADER *lpArchitecture = NULL;
IMAGE_SECTION_HEADER *lpTLS = NULL;
IMAGE_DATA_DIRECTORY *lpDirectory;
IMAGE_DEBUG_DIRECTORY *lpDebug = NULL;
IMAGE_EXPORT_DIRECTORY *lpExport = NULL;
IMAGE_IMPORT_DESCRIPTOR *lpImport = NULL;
IMAGE_THUNK_DATA32 *lpThunk32;
IMAGE_THUNK_DATA64 *lpThunk64;
IMAGE_IMPORT_BY_NAME *lpAddress;
IMAGE_DEBUG_MISC *lpMisc;
IMAGE_BASE_RELOCATION *lpRelocation = NULL;
IMAGE_TLS_DIRECTORY32 *lpTLS32;
IMAGE_TLS_DIRECTORY64 *lpTLS64;
IMAGE_COR20_HEADER *lpCOMPlus;
IMAGE_RESOURCE_DIRECTORY *lpResource = NULL;
IMAGE_BOUND_IMPORT_DESCRIPTOR *lpDescriptor;
IMAGE_DELAYLOAD_DESCRIPTOR *lpDelay = NULL;
IMAGE_RUNTIME_FUNCTION_ENTRY *lpRuntime;
IMAGE_ALPHA_RUNTIME_FUNCTION_ENTRY *lpAlpha;
IMAGE_ALPHA64_RUNTIME_FUNCTION_ENTRY *lpAlpha64;
IMAGE_ARMNT_RUNTIME_FUNCTION_ENTRY *lpARM;
IMAGE_LOAD_CONFIGURATION_DIRECTORY32 *lpLoadCfg32;
IMAGE_LOAD_CONFIGURATION_DIRECTORY64 *lpLoadCfg64;
COFFStringTable *lpCOFF;
CV_INFO_PDB70 *lpCodeView;
WIN_CERTIFICATE *lpCertificate;
CERT_CONTEXT *lpSigner;
CERT_BLOB blob;
HCERTSTORE hStore;
HCRYPTMSG hMsg;
SYSTEMTIME st;
LPWSTR *lpArguments;
INT nArguments;
BOOL bOutput;
HANDLE hOutput;
HANDLE hInput;
DWORD dwInput;
DWORD dwError = ERROR_BAD_ARGUMENTS;
DWORD dwIndex;
DWORD dwImage;
HANDLE hImage;
BYTE *lpImage;
BYTE *lpBound;
WORD *lpWord;
DWORD dwSigner;
LPWSTR szSigner;
LPCSTR lpString;
BYTE *lpModule;
BYTE *lpException = NULL;
DWORD *lpFunctions;
WORD *lpOrdinals;
DWORD *lpNames;
DWORD dwNames;
DWORD dwFlags;
DWORD dwDebug;
DWORD dwDescriptor;
DWORD dwCertificate;
DWORD dwRelocation;
DWORD dwException;
DWORD dwDirectory;
DWORD dwSection;
DWORD dwCheckSum;
DWORD dwAccumulator;
DWORD dwCode;
DWORD dwData;
DWORD dwSize;
DWORD dwFile;
DWORD dwOffset;
DWORD dwMemory;
DWORD dwRVA;
DWORD dwBase;
DWORD64 qwBase;
DWORD64 qw;
DWORD64 *lpCookie64;
DWORD *lpCookie32;
DWORD *lpHandler;
DWORD dwHandler;
DWORD dwPogo;
POGO *lpPogo;
HANDLE hConsole = GetStdHandle(STD_ERROR_HANDLE);
if (hConsole == INVALID_HANDLE_VALUE)
dwError = GetLastError();
else
{
lpArguments = CommandLineToArgvW(GetCommandLine(), &nArguments);
if (lpArguments == NULL)
PrintConsole(hConsole,
L"CommandLineToArgv() returned error %lu\n",
dwError = GetLastError());
else
{
if (nArguments != 2)
PrintConsole(hConsole,
L"No argument: a single file or path name of an image file must be given!\n");
else
{
hOutput = GetStdHandle(STD_OUTPUT_HANDLE);
if (hOutput == INVALID_HANDLE_VALUE)
PrintConsole(hConsole,
L"GetStdHandle() returned error %lu\n",
dwError = GetLastError());
else
{
if (!FlushFileBuffers(hOutput))
PrintConsole(hConsole,
L"FlushFileBuffers() returned error %lu: standard output is not redirected to a file!\n",
dwError = GetLastError());
else
{
hInput = CreateFile(lpArguments[1],
FILE_READ_DATA,
FILE_SHARE_READ,
(SECURITY_ATTRIBUTES *) NULL,
OPEN_EXISTING,
FILE_FLAG_SEQUENTIAL_SCAN,
(HANDLE) NULL);
if (hInput == INVALID_HANDLE_VALUE)
PrintConsole(hConsole,
L"CreateFile() returned error %lu\n",
dwError = GetLastError());
else
{
dwInput = GetFileSize(hInput, (DWORD *) NULL);
if (dwInput == INVALID_FILE_SIZE)
PrintConsole(hConsole,
L"GetFileSize() returned error %lu\n",
dwError = GetLastError());
else
{
hImage = CreateFileMapping(hInput,
(LPSECURITY_ATTRIBUTES) NULL,
PAGE_WRITECOPY,
0, 0,
(LPCWSTR) NULL);
if (hImage == NULL)
PrintConsole(hConsole,
L"CreateFileMapping() returned error %lu\n",
dwError = GetLastError());
else
{
lpImage = MapViewOfFile(hImage,
FILE_MAP_COPY,
0, 0,
(SIZE_T) 0);
if (lpImage == NULL)
PrintConsole(hConsole,
L"MapViewOfFile() returned error %lu\n",
dwError = GetLastError());
else
{
dwError = ERROR_INVALID_EXE_SIGNATURE;
lpMZ = (IMAGE_DOS_HEADER *) lpImage;
if (lpMZ->e_magic != IMAGE_DOS_SIGNATURE)
PrintConsole(hConsole,
L"No signature \'%ls\' at offset 0x%08lX in file \'%ls\'!\n",
L"MZ", 0, lpArguments[1]);
else
{
dwImage = dwInput;
lpPE = (IMAGE_NT_HEADERS *) ((BYTE *) lpMZ + lpMZ->e_lfanew);
if (((DWORD) lpMZ->e_lfanew > dwImage)
|| (lpPE->Signature != IMAGE_NT_SIGNATURE))
PrintConsole(hConsole,
L"No signature \'%ls\' at offset 0x%08lX in file \'%ls\'!\n",
L"PE\\0\\0", lpMZ->e_lfanew, lpArguments[1]);
else
{
dwError = ERROR_SUCCESS;
qw = __emulu(lpPE->FileHeader.TimeDateStamp, 10000000)
+ 116444736000000000; // seconds since 1970-01-01 to
// 100 nano-seconds since 1601-01-01
if (!FileTimeToSystemTime((FILETIME *) &qw, &st))
PrintConsole(hConsole,
L"FileTimeToSystemTime() returned error %lu\n",
dwError = GetLastError());
bOutput = PrintFormat(hOutput,
L"\xFEFF" // UTF-16LE BOM
L"Image File = %ls\r\n"
L"Image Size = %lu\r\n"
L"\r\n"
L"File Header:\r\n"
L"\tMachine = 0x%04hX (%ls)\r\n"
L"\tTime/Date Stamp = 0x%08lX (%ls, %04hu-%02hu-%02hu %02hu:%02hu:%02hu UTC)\r\n"
L"\tPointer to Symbol Table = 0x%08lX\r\n"
L"\tNumber of Symbols = %lu\r\n"
L"\tSize of Optional Header = 0x%04hX\r\n"
L"\tCharacteristics = 0x%04hX\r\n",
lpArguments[1],
dwImage,
lpPE->FileHeader.Machine, MachineTypeName(lpPE->FileHeader.Machine),
lpPE->FileHeader.TimeDateStamp,
szDayOfWeek[st.wDayOfWeek], st.wYear, st.wMonth, st.wDay, st.wHour, st.wMinute, st.wSecond,
lpPE->FileHeader.PointerToSymbolTable,
lpPE->FileHeader.NumberOfSymbols,
lpPE->FileHeader.SizeOfOptionalHeader,
lpPE->FileHeader.Characteristics);
if ((lpPE->FileHeader.Characteristics & IMAGE_FILE_RELOCS_STRIPPED) == IMAGE_FILE_RELOCS_STRIPPED)
bOutput &= PrintString(hOutput, L"\t\tRelocation information stripped\r\n");
if ((lpPE->FileHeader.Characteristics & IMAGE_FILE_EXECUTABLE_IMAGE) == IMAGE_FILE_EXECUTABLE_IMAGE)
bOutput &= PrintString(hOutput, L"\t\tExecutable image\r\n");
if ((lpPE->FileHeader.Characteristics & IMAGE_FILE_LINE_NUMS_STRIPPED) == IMAGE_FILE_LINE_NUMS_STRIPPED)
bOutput &= PrintString(hOutput, L"\t\tLine numbers stripped\r\n");
if ((lpPE->FileHeader.Characteristics & IMAGE_FILE_LOCAL_SYMS_STRIPPED) == IMAGE_FILE_LOCAL_SYMS_STRIPPED)
bOutput &= PrintString(hOutput, L"\t\tLocal symbols stripped\r\n");
if ((lpPE->FileHeader.Characteristics & IMAGE_FILE_AGGRESIVE_WS_TRIM) == IMAGE_FILE_AGGRESIVE_WS_TRIM)
bOutput &= PrintString(hOutput, L"\t\tAggressively trim working set\r\n");
if ((lpPE->FileHeader.Characteristics & IMAGE_FILE_LARGE_ADDRESS_AWARE) == IMAGE_FILE_LARGE_ADDRESS_AWARE)
bOutput &= PrintString(hOutput, L"\t\tHandles addresses above 2 GB\r\n");
if ((lpPE->FileHeader.Characteristics & IMAGE_FILE_16BIT_MACHINE) == IMAGE_FILE_16BIT_MACHINE)
bOutput &= PrintString(hOutput, L"\t\t16 bit word machine\r\n");
if ((lpPE->FileHeader.Characteristics & IMAGE_FILE_32BIT_MACHINE) == IMAGE_FILE_32BIT_MACHINE)
bOutput &= PrintString(hOutput, L"\t\t32 bit word machine\r\n");
if ((lpPE->FileHeader.Characteristics & IMAGE_FILE_DEBUG_STRIPPED) == IMAGE_FILE_DEBUG_STRIPPED)
bOutput &= PrintString(hOutput, L"\t\tDebugging information stripped\r\n");
if ((lpPE->FileHeader.Characteristics & IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP) == IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP)
bOutput &= PrintString(hOutput, L"\t\tRun image on CD from swap file\r\n");
if ((lpPE->FileHeader.Characteristics & IMAGE_FILE_NET_RUN_FROM_SWAP) == IMAGE_FILE_NET_RUN_FROM_SWAP)
bOutput &= PrintString(hOutput, L"\t\tRun image on network from swap file\r\n");
if ((lpPE->FileHeader.Characteristics & IMAGE_FILE_SYSTEM) == IMAGE_FILE_SYSTEM)
bOutput &= PrintString(hOutput, L"\t\tSystem file\r\n");
if ((lpPE->FileHeader.Characteristics & IMAGE_FILE_DLL) == IMAGE_FILE_DLL)
bOutput &= PrintString(hOutput, L"\t\tDLL\r\n");
if ((lpPE->FileHeader.Characteristics & IMAGE_FILE_UP_SYSTEM_ONLY) == IMAGE_FILE_UP_SYSTEM_ONLY)
bOutput &= PrintString(hOutput, L"\t\tUniprocessor machine only\r\n");
if (((lpPE->FileHeader.Characteristics & IMAGE_FILE_BYTES_REVERSED_LO) == IMAGE_FILE_BYTES_REVERSED_LO)
|| ((lpPE->FileHeader.Characteristics & IMAGE_FILE_BYTES_REVERSED_HI) == IMAGE_FILE_BYTES_REVERSED_HI))
bOutput &= PrintString(hOutput, L"\t\tBytes of machine word are reversed\r\n");
if (lpPE->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)
{
if (lpPE->FileHeader.SizeOfOptionalHeader != sizeof(IMAGE_OPTIONAL_HEADER64))
PrintConsole(hConsole,
L"Size of %ls differs from size of %ls structure!\n",
L"optional header", L"IMAGE_OPTIONAL_HEADER64");
lpPE64 = (IMAGE_NT_HEADERS64 *) lpPE;
// lpSection = (IMAGE_SECTION_HEADER *) (lpPE64->OptionalHeader.DataDirectory + lpPE64->OptionalHeader.NumberOfRvaAndSizes);
lpDirectory = lpPE64->OptionalHeader.DataDirectory;
// dwDirectory = lpPE64->OptionalHeader.NumberOfRvaAndSizes;
qwBase = lpPE64->OptionalHeader.ImageBase;
// dwBase = lpPE64->OptionalHeader.BaseOfCode;
dwCode = lpPE64->OptionalHeader.SizeOfCode;
dwData = lpPE64->OptionalHeader.SizeOfInitializedData;
dwSize = lpPE64->OptionalHeader.SizeOfUninitializedData;
dwOffset = lpPE64->OptionalHeader.SizeOfHeaders;
dwMemory = lpPE64->OptionalHeader.SectionAlignment;
dwFile = lpPE64->OptionalHeader.FileAlignment;
}
else if (lpPE->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC)
{
if (lpPE->FileHeader.SizeOfOptionalHeader != sizeof(IMAGE_OPTIONAL_HEADER32))
PrintConsole(hConsole,
L"Size of %ls differs from size of %ls structure!\n",
L"optional header", L"IMAGE_OPTIONAL_HEADER32");
lpPE32 = (IMAGE_NT_HEADERS32 *) lpPE;
// lpSection = (IMAGE_SECTION_HEADER *) (lpPE32->OptionalHeader.DataDirectory + lpPE32->OptionalHeader.NumberOfRvaAndSizes);
lpDirectory = lpPE32->OptionalHeader.DataDirectory;
// dwDirectory = lpPE32->OptionalHeader.NumberOfRvaAndSizes;
dwBase = lpPE32->OptionalHeader.ImageBase;
// dwBase = lpPE32->OptionalHeader.BaseOfCode;
dwCode = lpPE32->OptionalHeader.SizeOfCode;
dwData = lpPE32->OptionalHeader.SizeOfInitializedData;
dwSize = lpPE32->OptionalHeader.SizeOfUninitializedData;
dwOffset = lpPE32->OptionalHeader.SizeOfHeaders;
dwMemory = lpPE32->OptionalHeader.SectionAlignment;
dwFile = lpPE32->OptionalHeader.FileAlignment;
}
else
PrintConsole(hConsole,
L"Image format is neither PE32 (32-bit) nor PE32+ (64-bit)!\n");
dwFile--;
if ((dwFile & (dwFile + 1)) != 0)
PrintConsole(hConsole,
L"File alignment is not a power of 2!\n");
else if ((dwMemory & dwFile) != 0)
PrintConsole(hConsole,
L"Section alignment is not a multiple of file alignment!\n");
#if 0
dwMemory--;
if ((dwMemory & (dwMemory + 1)) != 0)
PrintConsole(hConsole,
L"Section alignment is not a power of 2!\n");
#else
if ((dwMemory & (dwMemory - 1)) != 0)
PrintConsole(hConsole,
L"Section alignment is not a power of 2!\n");
dwMemory--;
#endif
dwRVA = (dwOffset + dwMemory) & ~dwMemory;
bOutput &= PrintFormat(hOutput,
L"\tNumber of COFF Sections = %hu\r\n",
lpPE->FileHeader.NumberOfSections);
for (lpSection = (IMAGE_SECTION_HEADER *) ((BYTE *) &(lpPE->OptionalHeader) + lpPE->FileHeader.SizeOfOptionalHeader),
dwSection = lpPE->FileHeader.NumberOfSections;
dwSection > 0;
dwSection--, lpSection++)
{
if ((lpSection->VirtualAddress & dwMemory) != 0)
PrintConsole(hConsole,
L"Address of \'%.8hs\' section is not aligned!\n",
lpSection->Name);
if (lpSection->VirtualAddress != dwRVA)
PrintConsole(hConsole,
L"Address of \'%.8hs\' section is not contiguous!\n",
lpSection->Name);
if ((lpSection->PointerToRawData & dwFile) != 0)
PrintConsole(hConsole,
L"Offset of \'%.8hs\' section is not aligned!\n",
lpSection->Name);
if ((lpSection->PointerToRawData != 0)
&& (lpSection->PointerToRawData != dwOffset))
PrintConsole(hConsole,
L"Offset of \'%.8hs\' section is not contiguous!\n",
lpSection->Name);
if ((lpSection->PointerToRawData != 0)
&& (lpSection->SizeOfRawData != 0))
dwOffset = lpSection->PointerToRawData + lpSection->SizeOfRawData;
if ((lpSection->SizeOfRawData & dwFile) != 0)
PrintConsole(hConsole,
L"Data of \'%.8hs\' section is not aligned!\n",
lpSection->Name);
dwRVA = (lpSection->Misc.VirtualSize + dwMemory) & ~dwMemory;
if (lpSection->SizeOfRawData > dwRVA)
PrintConsole(hConsole,
L"Data of \'%.8hs\' section exceeds its size!\n",
lpSection->Name);
dwRVA += lpSection->VirtualAddress;
if (memcmp(lpSection->Name, ".arch", sizeof(".arch")) == 0)
{
dwDirectory = IMAGE_DIRECTORY_ENTRY_ARCHITECTURE;
lpArchitecture = lpSection;
}
else if (memcmp(lpSection->Name, ".debug", sizeof(".debug")) == 0)
{
dwDirectory = IMAGE_DIRECTORY_ENTRY_DEBUG;
lpDebug = (IMAGE_DEBUG_DIRECTORY *) lpSection;
}
else if (memcmp(lpSection->Name, ".didat", sizeof(".didat")) == 0)
{
dwDirectory = IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT;
lpDelay = (IMAGE_DELAYLOAD_DESCRIPTOR *) lpSection;
}
else if (memcmp(lpSection->Name, ".edata", sizeof(".edata")) == 0)
{
dwDirectory = IMAGE_DIRECTORY_ENTRY_EXPORT;
lpExport = (IMAGE_EXPORT_DIRECTORY *) lpSection;
}
else if (memcmp(lpSection->Name, ".idata", sizeof(".idata")) == 0)
{
dwDirectory = IMAGE_DIRECTORY_ENTRY_IMPORT;
lpImport = (IMAGE_IMPORT_DESCRIPTOR *) lpSection;
}
else if (memcmp(lpSection->Name, ".pdata", sizeof(".pdata")) == 0)
{
dwDirectory = IMAGE_DIRECTORY_ENTRY_EXCEPTION;
lpException = (BYTE *) lpSection;
}
else if (memcmp(lpSection->Name, ".reloc", sizeof(".reloc")) == 0)
{
dwDirectory = IMAGE_DIRECTORY_ENTRY_BASERELOC;
lpRelocation = (IMAGE_BASE_RELOCATION *) lpSection;
}
else if (memcmp(lpSection->Name, ".rsrc", sizeof(".rsrc")) == 0)
{
dwDirectory = IMAGE_DIRECTORY_ENTRY_RESOURCE;
lpResource = (IMAGE_RESOURCE_DIRECTORY *) lpSection;
}
else if (memcmp(lpSection->Name, ".tls", sizeof(".tls")) == 0)
{
dwDirectory = IMAGE_DIRECTORY_ENTRY_TLS;
lpTLS = lpSection;
}
else
dwDirectory = IMAGE_NUMBEROF_DIRECTORY_ENTRIES;
if (dwDirectory < IMAGE_NUMBEROF_DIRECTORY_ENTRIES)
{
if ((lpDirectory[dwDirectory].VirtualAddress == 0)
&& (lpDirectory[dwDirectory].Size == 0))
PrintConsole(hConsole,
L"No IMAGE_DATA_DIRECTORY[%lu] for \'%.8hs\' section!\n",
dwDirectory, lpSection->Name);
else if ((dwDirectory != IMAGE_DIRECTORY_ENTRY_TLS)
&& ((lpDirectory[dwDirectory].VirtualAddress != lpSection->VirtualAddress)
|| (lpDirectory[dwDirectory].Size != lpSection->Misc.VirtualSize)))
PrintConsole(hConsole,
L"Address/size of IMAGE_DATA_DIRECTORY[%lu] differ from address/size of \'%.8hs\' section!\n",
dwDirectory, lpSection->Name);
}
bOutput &= PrintFormat(hOutput,
L"\t%.8hs:\r\n"
L"\t\tVirtual Address & Size = 0x%08lX, 0x%08lX\r\n"
L"\t\tFile Offset & Raw Size = 0x%08lX, 0x%08lX\r\n"
L"\t\tCharacteristics = 0x%08lX\r\n",
lpSection->Name,
lpSection->VirtualAddress,
lpSection->Misc.VirtualSize,
lpSection->PointerToRawData,
lpSection->SizeOfRawData,
lpSection->Characteristics);
#ifdef IMAGE_SCN_TYPE_REG
if ((lpSection->Characteristics & IMAGE_SCN_TYPE_REG) == IMAGE_SCN_TYPE_REG)
bOutput &= PrintString(hOutput, L"\t\t\tReserved\r\n");
#endif
#ifdef IMAGE_SCN_TYPE_DSECT
if ((lpSection->Characteristics & IMAGE_SCN_TYPE_DSECT) == IMAGE_SCN_TYPE_DSECT)
bOutput &= PrintString(hOutput, L"\t\t\tReserved\r\n");
#endif
#ifdef IMAGE_SCN_TYPE_NOLOAD
if ((lpSection->Characteristics & IMAGE_SCN_TYPE_NOLOAD) == IMAGE_SCN_TYPE_NOLOAD)
bOutput &= PrintString(hOutput, L"\t\t\tReserved\r\n");
#endif
#ifdef IMAGE_SCN_TYPE_GROUP
if ((lpSection->Characteristics & IMAGE_SCN_TYPE_GROUP) == IMAGE_SCN_TYPE_GROUP)
bOutput &= PrintString(hOutput, L"\t\t\tReserved\r\n");
#endif
if ((lpSection->Characteristics & IMAGE_SCN_TYPE_NO_PAD) == IMAGE_SCN_TYPE_NO_PAD)
bOutput &= PrintString(hOutput, L"\t\t\tReserved (COFF)\r\n");
#ifdef IMAGE_SCN_TYPE_COPY
if ((lpSection->Characteristics & IMAGE_SCN_TYPE_COPY) == IMAGE_SCN_TYPE_COPY)
bOutput &= PrintString(hOutput, L"\t\t\tReserved\r\n");
#endif
if ((lpSection->Characteristics & IMAGE_SCN_CNT_CODE) == IMAGE_SCN_CNT_CODE)
{
bOutput &= PrintString(hOutput, L"\t\t\tExecutable code\r\n");
dwCode -= lpSection->SizeOfRawData;
}
if ((lpSection->Characteristics & IMAGE_SCN_CNT_INITIALIZED_DATA) == IMAGE_SCN_CNT_INITIALIZED_DATA)
{
bOutput &= PrintString(hOutput, L"\t\t\tInitialized data\r\n");
dwData -= lpSection->SizeOfRawData;
}
if ((lpSection->Characteristics & IMAGE_SCN_CNT_UNINITIALIZED_DATA) == IMAGE_SCN_CNT_UNINITIALIZED_DATA)
{
bOutput &= PrintString(hOutput, L"\t\t\tUninitialized data\r\n");
dwSize -= lpSection->Misc.VirtualSize;
}
if ((lpSection->Characteristics & IMAGE_SCN_LNK_OTHER) == IMAGE_SCN_LNK_OTHER)
bOutput &= PrintString(hOutput, L"\t\t\tReserved (COFF)\r\n");
if ((lpSection->Characteristics & IMAGE_SCN_LNK_INFO) == IMAGE_SCN_LNK_INFO)
bOutput &= PrintString(hOutput, L"\t\t\tLinker information: .cormeta, .drectve, .idlsym or .sxdata (COFF)\r\n");
#ifdef IMAGE_SCN_TYPE_OVER
if ((lpSection->Characteristics & IMAGE_SCN_TYPE_OVER) == IMAGE_SCN_TYPE_OVER)
bOutput &= PrintString(hOutput, L"\t\t\tReserved\r\n");
#endif
if ((lpSection->Characteristics & IMAGE_SCN_LNK_REMOVE) == IMAGE_SCN_LNK_REMOVE)
bOutput &= PrintString(hOutput, L"\t\t\tRemovable content (COFF)\r\n");
if ((lpSection->Characteristics & IMAGE_SCN_LNK_COMDAT) == IMAGE_SCN_LNK_COMDAT)
bOutput &= PrintString(hOutput, L"\t\t\tCOMDAT (COFF)\r\n");
#ifdef IMAGE_SCN_MEM_PROTECTED
if ((lpSection->Characteristics & IMAGE_SCN_MEM_PROTECTED) == IMAGE_SCN_MEM_PROTECTED)
bOutput &= PrintString(hOutput, L"\t\t\tObsolete\r\n");
#endif
if ((lpSection->Characteristics & IMAGE_SCN_NO_DEFER_SPEC_EXC) == IMAGE_SCN_NO_DEFER_SPEC_EXC)
bOutput &= PrintString(hOutput, L"\t\t\tReset speculative exceptions handling bits in the TLB entries for this section\r\n");
#ifdef IMAGE_SCN_GPREL
if ((lpSection->Characteristics & IMAGE_SCN_GPREL) == IMAGE_SCN_GPREL)
#else
if ((lpSection->Characteristics & IMAGE_SCN_MEM_FARDATA) == IMAGE_SCN_MEM_FARDATA)
#endif
bOutput &= PrintString(hOutput, L"\t\t\tGP relative data\r\n");
#ifdef IMAGE_SCN_MEM_SYSHEAP
if ((lpSection->Characteristics & IMAGE_SCN_MEM_SYSHEAP) == IMAGE_SCN_MEM_SYSHEAP)
bOutput &= PrintString(hOutput, L"\t\t\tObsolete\r\n");
#endif
if ((lpSection->Characteristics & IMAGE_SCN_MEM_PURGEABLE) == IMAGE_SCN_MEM_PURGEABLE)
bOutput &= PrintString(hOutput, L"\t\t\tReserved\r\n");
if ((lpSection->Characteristics & IMAGE_SCN_MEM_16BIT) == IMAGE_SCN_MEM_16BIT)
bOutput &= PrintString(hOutput, L"\t\t\tReserved\r\n");
if ((lpSection->Characteristics & IMAGE_SCN_MEM_LOCKED) == IMAGE_SCN_MEM_LOCKED)
bOutput &= PrintString(hOutput, L"\t\t\tReserved\r\n");
if ((lpSection->Characteristics & IMAGE_SCN_MEM_PRELOAD) == IMAGE_SCN_MEM_PRELOAD)
bOutput &= PrintString(hOutput, L"\t\t\tReserved\r\n");
if ((lpSection->Characteristics & IMAGE_SCN_ALIGN_MASK) != 0)
if ((lpSection->Characteristics & IMAGE_SCN_ALIGN_MASK) == IMAGE_SCN_ALIGN_MASK)
bOutput &= PrintString(hOutput, L"\t\t\tReserved\r\n");
else
bOutput &= PrintFormat(hOutput,
L"\t\t\t%lu-byte alignment (COFF)\r\n",
1UL << (((lpSection->Characteristics & IMAGE_SCN_ALIGN_MASK) >> 20) - 1));
if ((lpSection->Characteristics & IMAGE_SCN_LNK_NRELOC_OVFL) == IMAGE_SCN_LNK_NRELOC_OVFL)
bOutput &= PrintString(hOutput, L"\t\t\tExtended relocations\r\n");
if ((lpSection->Characteristics & IMAGE_SCN_MEM_DISCARDABLE) == IMAGE_SCN_MEM_DISCARDABLE)
bOutput &= PrintString(hOutput, L"\t\t\tDiscardable\r\n");
if ((lpSection->Characteristics & IMAGE_SCN_MEM_NOT_CACHED) == IMAGE_SCN_MEM_NOT_CACHED)
bOutput &= PrintString(hOutput, L"\t\t\tVolatile, not cacheable\r\n");
if ((lpSection->Characteristics & IMAGE_SCN_MEM_NOT_PAGED) == IMAGE_SCN_MEM_NOT_PAGED)
bOutput &= PrintString(hOutput, L"\t\t\tResident, not pageable\r\n");
if ((lpSection->Characteristics & IMAGE_SCN_MEM_SHARED) == IMAGE_SCN_MEM_SHARED)
bOutput &= PrintString(hOutput, L"\t\t\tShared\r\n");
if ((lpSection->Characteristics & IMAGE_SCN_MEM_EXECUTE) == IMAGE_SCN_MEM_EXECUTE)
bOutput &= PrintString(hOutput, L"\t\t\tExecutable\r\n");
if ((lpSection->Characteristics & IMAGE_SCN_MEM_READ) == IMAGE_SCN_MEM_READ)
bOutput &= PrintString(hOutput, L"\t\t\tReadable\r\n");
if ((lpSection->Characteristics & IMAGE_SCN_MEM_WRITE) == IMAGE_SCN_MEM_WRITE)
bOutput &= PrintString(hOutput, L"\t\t\tWritable\r\n");
}
if (!bOutput)
PrintConsole(hConsole,
L"WriteFile() returned error %lu\n",
dwError = GetLastError());
if (dwCode != 0)
PrintConsole(hConsole,
L"Size of %ls differs from sum of \'*%ls\' section sizes!\n",
L"code", L"text");
if (dwData != 0)
PrintConsole(hConsole,
L"Size of %ls differs from sum of \'*%ls\' section sizes!\n",
L"initialised data", L"data");
if (dwSize != 0)
PrintConsole(hConsole,
L"Size of %ls differs from sum of \'*%ls\' section sizes!\n",
L"uninitialised data", L"bss");
if (lpPE->FileHeader.PointerToSymbolTable > dwImage)
PrintConsole(hConsole,
L"Pointer to COFF symbol table past file size 0x%08lX!\n",
dwImage);
else if (lpPE->FileHeader.PointerToSymbolTable != 0)
{
bOutput = PrintString(hOutput,
L"\r\n"
L"COFF String Table:\r\n");
lpCOFF = (COFFStringTable *) (lpImage + lpPE->FileHeader.PointerToSymbolTable
+ lpPE->FileHeader.NumberOfSymbols * sizeof(IMAGE_SYMBOL));
for (lpString = lpCOFF->Strings;
lpString < (CHAR *) lpCOFF + lpCOFF->Size;
lpString += strlen(lpString) + 1)
bOutput &= PrintFormat(hOutput,
L"\t/%lu = %hs\r\n",
lpString - (CHAR *) lpCOFF, lpString);
if (!bOutput)
PrintConsole(hConsole,
L"WriteFile() returned error %lu\n",
dwError = GetLastError());
}
if (lpPE->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC)
{
bOutput = PrintFormat(hOutput,
L"\r\n"
L"Optional Header:\r\n"
L"\tMagic = 0x%04hX (32-bit)\r\n"
L"\tSize of Code = 0x%08lX\r\n"
L"\tSize of Initialized Data = 0x%08lX\r\n"
L"\tSize of Uninitialized Data = 0x%08lX\r\n"
L"\tEntry Point = 0x%08lX\r\n"
L"\tBase of Code = 0x%08lX\r\n"
L"\tBase of Data = 0x%08lX\r\n"
L"\tImage Base = 0x%08lX\r\n"
L"\tSection Alignment = 0x%08lX\r\n"
L"\tFile Alignment = 0x%08lX\r\n"
L"\tSize of Image = 0x%08lX\r\n"
L"\tSize of Headers = 0x%08lX\r\n"
L"\tChecksum = 0x%08lX\r\n"
L"\tDLL Characteristics = 0x%04hX\r\n",
lpPE32->OptionalHeader.Magic,
lpPE32->OptionalHeader.SizeOfCode,
lpPE32->OptionalHeader.SizeOfInitializedData,
lpPE32->OptionalHeader.SizeOfUninitializedData,
lpPE32->OptionalHeader.AddressOfEntryPoint,
lpPE32->OptionalHeader.BaseOfCode,
lpPE32->OptionalHeader.BaseOfData,
lpPE32->OptionalHeader.ImageBase,
lpPE32->OptionalHeader.SectionAlignment,
lpPE32->OptionalHeader.FileAlignment,
lpPE32->OptionalHeader.SizeOfImage,
lpPE32->OptionalHeader.SizeOfHeaders,
lpPE32->OptionalHeader.CheckSum,
lpPE32->OptionalHeader.DllCharacteristics);
if ((lpPE32->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_RESERVED) != 0)
bOutput &= PrintString(hOutput, L"\t\tReserved\r\n");
if ((lpPE32->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA) == IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA)
bOutput &= PrintString(hOutput, L"\t\tHigh entropy ASLR\r\n");
if ((lpPE32->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) == IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
bOutput &= PrintString(hOutput, L"\t\tDynamic base\r\n");
if ((lpPE32->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY) == IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY)
bOutput &= PrintString(hOutput, L"\t\tCode integrity checks enforced\r\n");
if ((lpPE32->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) == IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
bOutput &= PrintString(hOutput, L"\t\tNX compatible\r\n");
if ((lpPE32->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NO_ISOLATION) == IMAGE_DLLCHARACTERISTICS_NO_ISOLATION)
bOutput &= PrintString(hOutput, L"\t\tIsolation aware, but don't isolate\r\n");
if ((lpPE32->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NO_SEH) == IMAGE_DLLCHARACTERISTICS_NO_SEH)
bOutput &= PrintString(hOutput, L"\t\tNo structured exception handler\r\n");
if ((lpPE32->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NO_BIND) == IMAGE_DLLCHARACTERISTICS_NO_BIND)
bOutput &= PrintString(hOutput, L"\t\tDon\'t bind\r\n");
if ((lpPE32->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_APPCONTAINER) == IMAGE_DLLCHARACTERISTICS_APPCONTAINER)
bOutput &= PrintString(hOutput, L"\t\tApp container\r\n");
if ((lpPE32->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_WDM_DRIVER) == IMAGE_DLLCHARACTERISTICS_WDM_DRIVER)
bOutput &= PrintString(hOutput, L"\t\tWDM driver\r\n");
if ((lpPE32->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_GUARD_CF) == IMAGE_DLLCHARACTERISTICS_GUARD_CF)
bOutput &= PrintString(hOutput, L"\t\tControl flow guard\r\n");
if ((lpPE32->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE) == IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE)
bOutput &= PrintString(hOutput, L"\t\tTerminal server aware\r\n");
bOutput &= PrintFormat(hOutput,
L"\tLoader Flags = 0x%08lX\r\n",
lpPE32->OptionalHeader.LoaderFlags);
if ((lpPE32->OptionalHeader.LoaderFlags & IMAGE_LOADER_FLAGS_COMPLUS) == IMAGE_LOADER_FLAGS_COMPLUS)
bOutput &= PrintString(hOutput, L"\t\tCOM+ image\r\n");
if ((lpPE32->OptionalHeader.LoaderFlags & IMAGE_LOADER_FLAGS_SYSTEM_GLOBAL) == IMAGE_LOADER_FLAGS_SYSTEM_GLOBAL)
bOutput &= PrintString(hOutput, L"\t\tGlobal subsections apply across TS sessions\r\n");
bOutput &= PrintFormat(hOutput,
L"\tSize of Stack Reserve = 0x%08lX\r\n"
L"\tSize of Stack Commit = 0x%08lX\r\n"
L"\tSize of Heap Reserve = 0x%08lX\r\n"
L"\tSize of Heap Commit = 0x%08lX\r\n"
L"\tNumber of Data Directories = %lu\r\n",
lpPE32->OptionalHeader.SizeOfStackReserve,
lpPE32->OptionalHeader.SizeOfStackCommit,
lpPE32->OptionalHeader.SizeOfHeapReserve,
lpPE32->OptionalHeader.SizeOfHeapCommit,
lpPE32->OptionalHeader.NumberOfRvaAndSizes);
if (lpPE32->OptionalHeader.NumberOfRvaAndSizes > 0)
bOutput &= PrintString(hOutput, L"\tData Directories:\r\n");
for (dwDirectory = 0; dwDirectory < lpPE32->OptionalHeader.NumberOfRvaAndSizes; dwDirectory++)
bOutput &= PrintFormat(hOutput,
L"\t\t%-20ls = 0x%08lX, 0x%08lX\r\n",
szDirectory[dwDirectory],
lpPE32->OptionalHeader.DataDirectory[dwDirectory].VirtualAddress,
lpPE32->OptionalHeader.DataDirectory[dwDirectory].Size);
bOutput &= PrintFormat(hOutput,
L"\tLinker Version = %u.%u\r\n"
L"\tOperating System Version = %hu.%hu\r\n"
L"\tImage Version = %hu.%hu\r\n"
L"\tSubsystem version = %hu.%hu\r\n"
L"\tWin32 Version = %lu (expected: 0)\r\n"
L"\tSubsystem = %hu (%ls)\r\n",
lpPE32->OptionalHeader.MajorLinkerVersion,
lpPE32->OptionalHeader.MinorLinkerVersion,
lpPE32->OptionalHeader.MajorOperatingSystemVersion,
lpPE32->OptionalHeader.MinorOperatingSystemVersion,
lpPE32->OptionalHeader.MajorImageVersion,
lpPE32->OptionalHeader.MinorImageVersion,
lpPE32->OptionalHeader.MajorSubsystemVersion,
lpPE32->OptionalHeader.MinorSubsystemVersion,
lpPE32->OptionalHeader.Win32VersionValue,
lpPE32->OptionalHeader.Subsystem, SubsystemName(lpPE32->OptionalHeader.Subsystem));
if (!bOutput)
PrintConsole(hConsole,
L"WriteFile() returned error %lu\n",
dwError = GetLastError());
dwCheckSum = lpPE32->OptionalHeader.CheckSum;
lpPE32->OptionalHeader.CheckSum = 0;
for (lpWord = (WORD *) (lpImage + dwImage + (dwImage & 1)), dwAccumulator = 0;
lpWord > (WORD *) lpImage;
dwAccumulator += *--lpWord, dwAccumulator = HIWORD(dwAccumulator) + LOWORD(dwAccumulator))
continue;
if (dwAccumulator + dwImage != dwCheckSum)
PrintConsole(hConsole,
L"Computed checksum 0x%08lX differs from image checksum 0x%08lX!\n",
dwAccumulator + dwImage, dwCheckSum);
// lpSection = (IMAGE_SECTION_HEADER *) (lpPE32->OptionalHeader.DataDirectory + lpPE32->OptionalHeader.NumberOfRvaAndSizes);
}
else if (lpPE->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)
{
bOutput = PrintFormat(hOutput,
L"\r\n"
L"Optional Header:\r\n"
L"\tMagic = 0x%04hX (64-bit)\r\n"
L"\tSize of Code = 0x%08lX\r\n"
L"\tSize of Initialized Data = 0x%08lX\r\n"
L"\tSize of Uninitialized Data = 0x%08lX\r\n"
L"\tEntry Point = 0x%08lX\r\n"
L"\tBase of Code = 0x%08lX\r\n"
L"\tImage Base = 0x%016I64X\r\n"
L"\tSection Alignment = 0x%08lX\r\n"
L"\tFile Alignment = 0x%08lX\r\n"
L"\tSize of Image = 0x%08lX\r\n"
L"\tSize of Headers = 0x%08lX\r\n"
L"\tChecksum = 0x%08lX\r\n"
L"\tDLL Characteristics = 0x%04hX\r\n",
lpPE64->OptionalHeader.Magic,
lpPE64->OptionalHeader.SizeOfCode,
lpPE64->OptionalHeader.SizeOfInitializedData,
lpPE64->OptionalHeader.SizeOfUninitializedData,
lpPE64->OptionalHeader.AddressOfEntryPoint,
lpPE64->OptionalHeader.BaseOfCode,
lpPE64->OptionalHeader.ImageBase,
lpPE64->OptionalHeader.SectionAlignment,
lpPE64->OptionalHeader.FileAlignment,
lpPE64->OptionalHeader.SizeOfImage,
lpPE64->OptionalHeader.SizeOfHeaders,
lpPE64->OptionalHeader.CheckSum,
lpPE64->OptionalHeader.DllCharacteristics);
if ((lpPE64->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_RESERVED) != 0)
bOutput &= PrintString(hOutput, L"\t\tReserved\r\n");
if ((lpPE64->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA) == IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA)
bOutput &= PrintString(hOutput, L"\t\tHigh entropy ASLR\r\n");
if ((lpPE64->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) == IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
bOutput &= PrintString(hOutput, L"\t\tDynamic base\r\n");
if ((lpPE64->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY) == IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY)
bOutput &= PrintString(hOutput, L"\t\tCode integrity checks enforced\r\n");
if ((lpPE64->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) == IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
bOutput &= PrintString(hOutput, L"\t\tNX compatible\r\n");
if ((lpPE64->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NO_ISOLATION) == IMAGE_DLLCHARACTERISTICS_NO_ISOLATION)
bOutput &= PrintString(hOutput, L"\t\tIsolation aware, but don't isolate\r\n");
if ((lpPE64->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NO_SEH) == IMAGE_DLLCHARACTERISTICS_NO_SEH)
bOutput &= PrintString(hOutput, L"\t\tNo structured exception handler\r\n");
if ((lpPE64->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NO_BIND) == IMAGE_DLLCHARACTERISTICS_NO_BIND)
bOutput &= PrintString(hOutput, L"\t\tDon\'t bind\r\n");
if ((lpPE64->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_APPCONTAINER) == IMAGE_DLLCHARACTERISTICS_APPCONTAINER)
bOutput &= PrintString(hOutput, L"\t\tApp container\r\n");
if ((lpPE64->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_WDM_DRIVER) == IMAGE_DLLCHARACTERISTICS_WDM_DRIVER)
bOutput &= PrintString(hOutput, L"\t\tWDM driver\r\n");
if ((lpPE64->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_GUARD_CF) == IMAGE_DLLCHARACTERISTICS_GUARD_CF)
bOutput &= PrintString(hOutput, L"\t\tControl flow guard\r\n");
if ((lpPE64->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE) == IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE)
bOutput &= PrintString(hOutput, L"\t\tTerminal server aware\r\n");
bOutput &= PrintFormat(hOutput,
L"\tLoader Flags = 0x%08lX\r\n",
lpPE64->OptionalHeader.LoaderFlags);
if ((lpPE64->OptionalHeader.LoaderFlags & IMAGE_LOADER_FLAGS_COMPLUS) == IMAGE_LOADER_FLAGS_COMPLUS)
bOutput &= PrintString(hOutput, L"\t\tCOM+ image\r\n");
if ((lpPE64->OptionalHeader.LoaderFlags & IMAGE_LOADER_FLAGS_SYSTEM_GLOBAL) == IMAGE_LOADER_FLAGS_SYSTEM_GLOBAL)
bOutput &= PrintString(hOutput, L"\t\tGlobal subsections apply across TS sessions\r\n");
bOutput &= PrintFormat(hOutput,
L"\tSize of Stack Reserve = 0x%016I64X\r\n"
L"\tSize of Stack Commit = 0x%016I64X\r\n"
L"\tSize of Heap Reserve = 0x%016I64X\r\n"
L"\tSize of Heap Commit = 0x%016I64X\r\n"
L"\tNumber of Data Directories = %lu\r\n",
lpPE64->OptionalHeader.SizeOfStackReserve,
lpPE64->OptionalHeader.SizeOfStackCommit,
lpPE64->OptionalHeader.SizeOfHeapReserve,
lpPE64->OptionalHeader.SizeOfHeapCommit,
lpPE64->OptionalHeader.NumberOfRvaAndSizes);
if (lpPE64->OptionalHeader.NumberOfRvaAndSizes > 0)
bOutput &= PrintString(hOutput, L"\tData Directories:\r\n");
for (dwDirectory = 0; dwDirectory < lpPE64->OptionalHeader.NumberOfRvaAndSizes; dwDirectory++)
bOutput &= PrintFormat(hOutput,
L"\t\t%-20ls = 0x%08lX, 0x%08lX\r\n",
szDirectory[dwDirectory],
lpPE64->OptionalHeader.DataDirectory[dwDirectory].VirtualAddress,
lpPE64->OptionalHeader.DataDirectory[dwDirectory].Size);
bOutput &= PrintFormat(hOutput,
L"\tLinker Version = %u.%u\r\n"
L"\tOperating System Version = %hu.%hu\r\n"
L"\tImage Version = %hu.%hu\r\n"
L"\tSubsystem Version = %hu.%hu\r\n"
L"\tWin32 Version = %lu (expected: 0)\r\n"
L"\tSubsystem = %hu (%ls)\r\n",
lpPE64->OptionalHeader.MajorLinkerVersion,
lpPE64->OptionalHeader.MinorLinkerVersion,
lpPE64->OptionalHeader.MajorOperatingSystemVersion,
lpPE64->OptionalHeader.MinorOperatingSystemVersion,
lpPE64->OptionalHeader.MajorImageVersion,
lpPE64->OptionalHeader.MinorImageVersion,
lpPE64->OptionalHeader.MajorSubsystemVersion,
lpPE64->OptionalHeader.MinorSubsystemVersion,
lpPE64->OptionalHeader.Win32VersionValue,
lpPE64->OptionalHeader.Subsystem, SubsystemName(lpPE64->OptionalHeader.Subsystem));
if (!bOutput)
PrintConsole(hConsole,
L"WriteFile() returned error %lu\n",
dwError = GetLastError());
dwCheckSum = lpPE64->OptionalHeader.CheckSum;
lpPE64->OptionalHeader.CheckSum = 0;
for (lpWord = (WORD *) (lpImage + dwImage + (dwImage & 1)), dwAccumulator = 0;
lpWord > (WORD *) lpImage;
dwAccumulator += *--lpWord, dwAccumulator = HIWORD(dwAccumulator) + LOWORD(dwAccumulator))
continue;
if (dwAccumulator + dwImage != dwCheckSum)
PrintConsole(hConsole,
L"Computed checksum 0x%08lX differs from image checksum 0x%08lX!\n",
dwAccumulator + dwImage, dwCheckSum);
// lpSection = (IMAGE_SECTION_HEADER *) (lpPE64->OptionalHeader.DataDirectory + lpPE64->OptionalHeader.NumberOfRvaAndSizes);
}
lpSection = (IMAGE_SECTION_HEADER *) ((BYTE *) &(lpPE->OptionalHeader) + lpPE->FileHeader.SizeOfOptionalHeader);
dwSection = lpPE->FileHeader.NumberOfSections;
if ((lpDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress != 0)
&& (lpDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size != 0))
{
if (lpExport == NULL)
PrintConsole(hConsole,
L"No \'%hs\' section for IMAGE_DATA_DIRECTORY[%lu]!\n",
".edata", IMAGE_DIRECTORY_ENTRY_EXPORT);
lpExport = (IMAGE_EXPORT_DIRECTORY *) RVA2Image(lpImage, lpSection, dwSection,
lpDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress,
IMAGE_DIRECTORY_ENTRY_EXPORT,
hConsole);
if (lpExport != NULL)
{
lpModule = RVA2Image(lpImage, lpSection, dwSection,
lpExport->Name,
IMAGE_DIRECTORY_ENTRY_EXPORT,
hConsole);
qw = __emulu(lpExport->TimeDateStamp, 10000000) // seconds since 1970-01-01 to
+ 116444736000000000; // 100 nano-seconds since 1601-01-01
if (!FileTimeToSystemTime((FILETIME *) &qw, &st))
PrintConsole(hConsole,
L"FileTimeToSystemTime() returned error %lu for module \'%hs\'\n",
dwError = GetLastError(), lpModule);
bOutput = PrintFormat(hOutput,
L"\r\n"
L"Export Directory:\r\n"
L"\tCharacteristics = 0x%08lX\r\n"
L"\tTime/Date Stamp = 0x%08lX (%ls, %04hu-%02hu-%02hu %02hu:%02hu:%02hu UTC)\r\n"
L"\tVersion = %hu.%hu\r\n"
L"\tModule Name = %hs\r\n"
L"\tBase of Ordinals = %lu\r\n"
L"\tNumber of Functions = %lu\r\n"
L"\tNumber of Names = %lu\r\n"
L"\tArray of Functions = 0x%08lX\r\n"
L"\tArray of Names = 0x%08lX\r\n"
L"\tArray of Name Ordinals = 0x%08lX\r\n",
lpExport->Characteristics,
lpExport->TimeDateStamp,
szDayOfWeek[st.wDayOfWeek], st.wYear, st.wMonth, st.wDay, st.wHour, st.wMinute, st.wSecond,
lpExport->MajorVersion,
lpExport->MinorVersion,
lpModule,
lpExport->Base,
lpExport->NumberOfFunctions,
lpExport->NumberOfNames,
lpExport->AddressOfFunctions,
lpExport->AddressOfNames,
lpExport->AddressOfNameOrdinals);
lpFunctions = (DWORD *) RVA2Image(lpImage, lpSection, dwSection,
lpExport->AddressOfFunctions,
IMAGE_DIRECTORY_ENTRY_EXPORT,
hConsole);
if (lpFunctions != NULL)
{
if (lpExport->NumberOfNames != 0)
{
bOutput &= PrintString(hOutput, L"\tNamed Exports:\r\n");
lpOrdinals = (WORD *) RVA2Image(lpImage, lpSection, dwSection,
lpExport->AddressOfNameOrdinals,
IMAGE_DIRECTORY_ENTRY_EXPORT,
hConsole);
lpNames = (DWORD *) RVA2Image(lpImage, lpSection, dwSection,
lpExport->AddressOfNames,
IMAGE_DIRECTORY_ENTRY_EXPORT,
hConsole);
dwNames = lpExport->NumberOfNames;
do
{
if (*lpOrdinals < lpExport->NumberOfFunctions)
{
if ((lpFunctions[*lpOrdinals] < lpDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress)
|| (lpFunctions[*lpOrdinals] >= lpDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress
+ lpDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size))
bOutput &= PrintFormat(hOutput,
L"\t\t%lu\t%lu\t0x%08lX\t%hs\r\n",
lpExport->Base + *lpOrdinals,
*lpOrdinals,
lpFunctions[*lpOrdinals],
RVA2Image(lpImage, lpSection, dwSection,
*lpNames,
IMAGE_DIRECTORY_ENTRY_EXPORT,
hConsole));
else // forwarded export
bOutput &= PrintFormat(hOutput,
L"\t\t%lu\t%lu\t-\t\t%hs -> %hs\r\n",
lpExport->Base + *lpOrdinals,
*lpOrdinals,
RVA2Image(lpImage, lpSection, dwSection,
*lpNames,
IMAGE_DIRECTORY_ENTRY_EXPORT,
hConsole),
RVA2Image(lpImage, lpSection, dwSection,
lpFunctions[*lpOrdinals],
IMAGE_DIRECTORY_ENTRY_EXPORT,
hConsole));
lpFunctions[*lpOrdinals] = 0;
}
else
PrintConsole(hConsole,
L"Ordinal %hu of export \'%hs\' out of bounds!\n",
lpExport->Base + *lpOrdinals,
RVA2Image(lpImage, lpSection, dwSection,
*lpNames,
IMAGE_DIRECTORY_ENTRY_EXPORT,
hConsole));
lpOrdinals++;
lpNames++;
dwNames--;
} while (dwNames > 0);
}
if (lpExport->NumberOfFunctions > lpExport->NumberOfNames)
{
bOutput &= PrintString(hOutput, L"\tUnnamed Exports:\r\n");
for (dwIndex = 0; dwIndex < lpExport->NumberOfFunctions; dwIndex++)
if (lpFunctions[dwIndex] != 0)
if ((lpFunctions[dwIndex] < lpDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress)
|| (lpFunctions[dwIndex] >= lpDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress
+ lpDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size))
bOutput &= PrintFormat(hOutput,
L"\t\t%lu\t%lu\t0x%08lX\r\n",
lpExport->Base + dwIndex,
dwIndex,
lpFunctions[dwIndex]);
else // forwarded export
bOutput &= PrintFormat(hOutput,
L"\t\t%lu\t%lu\t-\t\t-> %hs\r\n",
lpExport->Base + dwIndex,
dwIndex,
RVA2Image(lpImage, lpSection, dwSection,
lpFunctions[dwIndex],
IMAGE_DIRECTORY_ENTRY_EXPORT,
hConsole));
}
}
}
}
if ((lpDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress != 0)
&& (lpDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size != 0))
{
if (lpImport == NULL)
PrintConsole(hConsole,
L"No \'%hs\' section for IMAGE_DATA_DIRECTORY[%lu]!\n",
".idata", IMAGE_DIRECTORY_ENTRY_IMPORT);
lpImport = (IMAGE_IMPORT_DESCRIPTOR *) RVA2Image(lpImage, lpSection, dwSection,
lpDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress,
IMAGE_DIRECTORY_ENTRY_IMPORT,
hConsole);
if (lpImport != NULL)
{
bOutput &= PrintString(hOutput,
L"\r\n"
L"Import Directory:\r\n");
while ((lpImport->OriginalFirstThunk != 0)
|| (lpImport->TimeDateStamp != 0)
|| (lpImport->ForwarderChain != 0)
|| (lpImport->Name != 0)
|| (lpImport->FirstThunk != 0))
{
lpModule = RVA2Image(lpImage, lpSection, dwSection,
lpImport->Name,
IMAGE_DIRECTORY_ENTRY_IMPORT,
hConsole);
bOutput &= PrintFormat(hOutput,
L"\tImport Descriptor:\r\n"
L"\t\tModule Name = %hs\r\n"
L"\t\tTime/Date Stamp = 0x%08lX\r\n"
L"\t\tForwarder Chain = 0x%08lX\r\n"
L"\t\tAddress Table = 0x%08lX\r\n"
L"\t\tLookup Table = 0x%08lX\r\n"
L"\t\tImports:\r\n",
lpModule,
lpImport->TimeDateStamp,
lpImport->ForwarderChain,
lpImport->FirstThunk,
lpImport->OriginalFirstThunk);
if (lpPE->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC)
{
lpThunk32 = (IMAGE_THUNK_DATA32 *) RVA2Image(lpImage, lpSection, dwSection,
lpImport->OriginalFirstThunk != 0 ? lpImport->OriginalFirstThunk : lpImport->FirstThunk,
IMAGE_DIRECTORY_ENTRY_IMPORT,
hConsole);
if (lpThunk32 != NULL)
while (lpThunk32->u1.AddressOfData != 0)
{
if ((lpThunk32->u1.Ordinal & IMAGE_ORDINAL_FLAG32) == IMAGE_ORDINAL_FLAG32)
bOutput &= PrintFormat(hOutput,
L"\t\t\t%hu\r\n",
LOWORD(lpThunk32->u1.Ordinal));
else
{
lpAddress = (IMAGE_IMPORT_BY_NAME *) RVA2Image(lpImage, lpSection, dwSection,
lpThunk32->u1.AddressOfData,
IMAGE_DIRECTORY_ENTRY_IMPORT,
hConsole);
if (lpAddress != NULL)
bOutput &= PrintFormat(hOutput,
L"\t\t\t%hu\t%hs\r\n",
lpAddress->Hint,
lpAddress->Name);
}
lpThunk32++;
}
}
else if (lpPE->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)
{
lpThunk64 = (IMAGE_THUNK_DATA64 *) RVA2Image(lpImage, lpSection, dwSection,
lpImport->OriginalFirstThunk != 0 ? lpImport->OriginalFirstThunk : lpImport->FirstThunk,
IMAGE_DIRECTORY_ENTRY_IMPORT,
hConsole);
if (lpThunk64 != NULL)
while (lpThunk64->u1.AddressOfData != 0)
{
if ((lpThunk64->u1.Ordinal & IMAGE_ORDINAL_FLAG64) == IMAGE_ORDINAL_FLAG64)
bOutput &= PrintFormat(hOutput,
L"\t\t\t%hu\r\n",
LOWORD(lpThunk64->u1.Ordinal));
else
{
lpAddress = (IMAGE_IMPORT_BY_NAME *) RVA2Image(lpImage, lpSection, dwSection,
(DWORD) lpThunk64->u1.AddressOfData,
IMAGE_DIRECTORY_ENTRY_IMPORT,
hConsole);
if (lpAddress != NULL)
bOutput &= PrintFormat(hOutput,
L"\t\t\t%hu\t%hs\r\n",
lpAddress->Hint,
lpAddress->Name);
}
lpThunk64++;
}
}
lpImport++;
}
}
}
if ((lpDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress != 0)
&& (lpDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size != 0))
{
if (lpResource == NULL)
PrintConsole(hConsole,
L"No \'%hs\' section for IMAGE_DATA_DIRECTORY[%lu]!\n",
".rsrc", IMAGE_DIRECTORY_ENTRY_RESOURCE);
lpResource = (IMAGE_RESOURCE_DIRECTORY *) RVA2Image(lpImage, lpSection, dwSection,
lpDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress,
IMAGE_DIRECTORY_ENTRY_RESOURCE,
hConsole);
if (lpResource != NULL)
{
bOutput &= PrintFormat(hOutput,
L"\r\n"
L"Resource Directory:\r\n"
L"\tCharacteristics = 0x%08lX\r\n"
L"\tTime/Date Stamp = 0x%08lX\r\n"
L"\tVersion = %hu.%hu\r\n"
L"\tNamed Entries = %hu\r\n"
L"\tUnnamed Entries = %hu\r\n"
L"\tEntries:\r\n",
lpResource->Characteristics,
lpResource->TimeDateStamp,
lpResource->MajorVersion,
lpResource->MinorVersion,
lpResource->NumberOfNamedEntries,
lpResource->NumberOfIdEntries);
bOutput &= Resource(hOutput, lpResource, lpResource, 0);
}
}
if ((lpDirectory[IMAGE_DIRECTORY_ENTRY_EXCEPTION].VirtualAddress != 0)
&& (lpDirectory[IMAGE_DIRECTORY_ENTRY_EXCEPTION].Size != 0))
{
if (lpException == NULL)
PrintConsole(hConsole,
L"No \'%hs\' section for IMAGE_DATA_DIRECTORY[%lu]!\n",
".pdata", IMAGE_DIRECTORY_ENTRY_EXCEPTION);
dwException = lpDirectory[IMAGE_DIRECTORY_ENTRY_EXCEPTION].Size;
lpException = (BYTE *) RVA2Image(lpImage, lpSection, dwSection,
lpDirectory[IMAGE_DIRECTORY_ENTRY_EXCEPTION].VirtualAddress,
IMAGE_DIRECTORY_ENTRY_EXCEPTION,
hConsole);
if (lpException != NULL)
{
bOutput &= PrintString(hOutput,
L"\r\n"
L"Exception Handler Directory:\r\n");
if ((lpPE->FileHeader.Machine == IMAGE_FILE_MACHINE_ARMNT)
|| (lpPE->FileHeader.Machine == IMAGE_FILE_MACHINE_ARM64))
{
lpARM = (IMAGE_ARMNT_RUNTIME_FUNCTION_ENTRY *) lpException;
lpException += dwException;
do
bOutput &= PrintFormat(hOutput,
L"\tException Handler:\r\n"
L"\t\tBegin Address = 0x%08lX\r\n"
L"\t\tUnwind Data = 0x%08lX\r\n",
lpARM->BeginAddress,
lpARM->UnwindData);
while (++lpARM < (IMAGE_ARMNT_RUNTIME_FUNCTION_ENTRY *) lpException);
}
else if (lpPE->FileHeader.Machine == IMAGE_FILE_MACHINE_ALPHA)
{
lpAlpha = (IMAGE_ALPHA_RUNTIME_FUNCTION_ENTRY *) lpException;
lpException += dwException;
do
bOutput &= PrintFormat(hOutput,
L"\tException Handler:\r\n"
L"\t\tBegin Address = 0x%08lX\r\n"
L"\t\tEnd Address = 0x%08lX\r\n"
L"\t\tException Handler = 0x%08lX\r\n"
L"\t\tHandler Data = 0x%08lX\r\n"
L"\t\tProlog End Address = 0x%08lX\r\n",
lpAlpha->BeginAddress,
lpAlpha->EndAddress,
lpAlpha->ExceptionHandler,
lpAlpha->HandlerData,
lpAlpha->PrologEndAddress);
while (++lpAlpha < (IMAGE_ALPHA_RUNTIME_FUNCTION_ENTRY *) lpException);
}
else if (lpPE->FileHeader.Machine == IMAGE_FILE_MACHINE_ALPHA64)
{
lpAlpha64 = (IMAGE_ALPHA64_RUNTIME_FUNCTION_ENTRY *) lpException;
lpException += dwException;
do
bOutput &= PrintFormat(hOutput,
L"\tException Handler:\r\n"
L"\t\tBegin Address = 0x%016I64X\r\n"
L"\t\tEnd Address = 0x%016I64X\r\n"
L"\t\tException Handler = 0x%016I64X\r\n"
L"\t\tHandler Data = 0x%016I64X\r\n"
L"\t\tProlog End Address = 0x%016I64X\r\n",
lpAlpha64->BeginAddress,
lpAlpha64->EndAddress,
lpAlpha64->ExceptionHandler,
lpAlpha64->HandlerData,
lpAlpha64->PrologEndAddress);
while (++lpAlpha64 < (IMAGE_ALPHA64_RUNTIME_FUNCTION_ENTRY *) lpException);
}
else
{
lpRuntime = (IMAGE_RUNTIME_FUNCTION_ENTRY *) lpException;
lpException += dwException;
do
bOutput &= PrintFormat(hOutput,
L"\tException Handler:\r\n"
L"\t\tStart Address = 0x%08lX\r\n"
L"\t\tEnd Address = 0x%08lX\r\n"
L"\t\tUnwind Info Address = 0x%08lX\r\n",
lpRuntime->BeginAddress,
lpRuntime->EndAddress,
lpRuntime->UnwindInfoAddress);
while (++lpRuntime < (IMAGE_RUNTIME_FUNCTION_ENTRY *) lpException);
}
}
}
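// Security directory (attribute certificate table). Unlike the other data
// directories its VirtualAddress member is a file offset, not an RVA, which is
// why it is added to lpImage directly instead of going through RVA2Image().
// Each WIN_CERTIFICATE entry is handed to CryptQueryObject() as a PKCS #7
// blob; the subject and issuer names of its signer certificate are printed.
//
// NOTE: CryptMsgGetAndVerifySigner() looks the signer certificate up in
// hStore, i.e. the certificates CryptQueryObject() extracted from the very
// same blob. No certificate chain is built and the digest of the image is not
// recomputed here, so the names printed identify the claimed signer only;
// WinVerifyTrust() is the API that validates an Authenticode signature.
if ((lpDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress != 0)
 && (lpDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].Size != 0))
{
    if (dwOffset != lpDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress)
        PrintConsole(hConsole,
                     L"Authenticode signature not adjacent to last COFF section!\n");

    if (dwImage != lpDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress
                 + lpDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].Size)
        PrintConsole(hConsole,
                     L"Image file extends past authenticode signature!\n");

    // Offset and size are read from the image file and must not be trusted:
    // refuse to walk a table that does not lie within the dwImage bytes of
    // the file (the comparisons above treat dwImage as the file size).
    if ((lpDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress > dwImage)
     || (lpDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].Size > dwImage - lpDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress))
        PrintConsole(hConsole,
                     L"Security directory extends past end of image file!\n");
    else
    {
        bOutput &= PrintString(hOutput,
                               L"\r\n"
                               L"Security Directory:\r\n");

        lpCertificate = (WIN_CERTIFICATE *) (lpImage + lpDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress);
        dwCertificate = lpDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].Size;

        do
        {
            // size of the WIN_CERTIFICATE header preceding bCertificate[]
            dwSize = (DWORD) (lpCertificate->bCertificate - (BYTE *) lpCertificate);

            // the header itself must fit into the rest of the directory
            if (dwCertificate < dwSize)
            {
                PrintConsole(hConsole,
                             L"Truncated certificate entry in security directory!\n");
                break;
            }

            bOutput &= PrintFormat(hOutput,
                                   L"\tCertificate Entry:\r\n"
                                   L"\t\tRevision = %hu\r\n"
                                   L"\t\tType = %hu (%ls)\r\n"
                                   L"\t\tSize = %lu\r\n",
                                   lpCertificate->wRevision,
                                   lpCertificate->wCertificateType, CertificateTypeName(lpCertificate->wCertificateType),
                                   lpCertificate->dwLength);

            // dwLength counts the header too: a smaller value would wrap the
            // blob size below, a larger one would run past the directory
            if ((lpCertificate->dwLength < dwSize)
             || (lpCertificate->dwLength > dwCertificate))
            {
                PrintConsole(hConsole,
                             L"Invalid size of certificate entry!\n");
                break;
            }

            blob.cbData = lpCertificate->dwLength - dwSize;
            blob.pbData = lpCertificate->bCertificate;

            if (!CryptQueryObject(CERT_QUERY_OBJECT_BLOB,
                                  &blob,
                                  CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED,
                                  CERT_QUERY_FORMAT_FLAG_BINARY,
                                  0,
                                  (DWORD *) NULL,
                                  (DWORD *) NULL,
                                  (DWORD *) NULL,
                                  &hStore,
                                  &hMsg,
                                  NULL))
                PrintConsole(hConsole,
                             L"CryptQueryObject() returned error 0x%08lX\n",
                             dwError = GetLastError());
            else
            {
                if (!CryptMsgGetAndVerifySigner(hMsg,
                                                1,
                                                &hStore,
                                                CMSG_TRUSTED_SIGNER_FLAG,
                                                &lpSigner,
                                                (DWORD *) NULL))
                    PrintConsole(hConsole,
                                 L"CryptMsgGetAndVerifySigner() returned error 0x%08lX\n",
                                 dwError = GetLastError());
                else
                {
                    // two passes: dwFlags is 0 for the subject name, then
                    // CERT_NAME_ISSUER_FLAG for the issuer name; the XOR in
                    // the loop condition toggles it back to 0 to terminate
                    dwFlags = 0;

                    do
                    {
                        // first call without buffer yields the required size
                        dwSigner = CertGetNameString(lpSigner,
#ifndef RDN
                                                     CERT_NAME_FRIENDLY_DISPLAY_TYPE,
                                                     dwFlags,
                                                     NULL,
#else
                                                     CERT_NAME_RDN_TYPE,
                                                     dwFlags,
                                                     &dwStrType,
#endif
                                                     (LPWSTR) NULL,
                                                     0);
                        if (dwSigner == 0)
                            PrintConsole(hConsole,
                                         L"CertGetNameString() returned error 0x%08lX\n",
                                         dwError = GetLastError());
                        else
                        {
                            szSigner = (LPWSTR) LocalAlloc(LPTR, dwSigner * sizeof(*szSigner));

                            if (szSigner == NULL)
                                PrintConsole(hConsole,
                                             L"LocalAlloc() returned error %lu\n",
                                             dwError = GetLastError());
                            else
                            {
                                dwSigner = CertGetNameString(lpSigner,
#ifndef RDN
                                                             CERT_NAME_FRIENDLY_DISPLAY_TYPE,
                                                             dwFlags,
                                                             NULL,
#else
                                                             CERT_NAME_RDN_TYPE,
                                                             dwFlags,
                                                             &dwStrType,
#endif
                                                             szSigner,
                                                             dwSigner);
                                if (dwSigner == 0)
                                    PrintConsole(hConsole,
                                                 L"CertGetNameString() returned error 0x%08lX\n",
                                                 dwError = GetLastError());
                                else
                                    bOutput &= PrintFormat(hOutput,
                                                           L"\t\t%ls = %ls\r\n",
                                                           dwFlags == 0 ? L"Subject" : L"Issuer ", szSigner);

                                if (LocalFree(szSigner) != NULL)
                                    PrintConsole(hConsole,
                                                 L"LocalFree() returned error %lu\n",
                                                 GetLastError());
                            }
                        }
                    } while (dwFlags ^= CERT_NAME_ISSUER_FLAG);

                    if (!CertFreeCertificateContext(lpSigner))
                        PrintConsole(hConsole,
                                     L"CertFreeCertificateContext() returned error 0x%08lX\n",
                                     dwError = GetLastError());
                }

                if (!CryptMsgClose(hMsg))
                    PrintConsole(hConsole,
                                 L"CryptMsgClose() returned error 0x%08lX\n",
                                 dwError = GetLastError());

                if (!CertCloseStore(hStore, CERT_CLOSE_STORE_CHECK_FLAG))
                    PrintConsole(hConsole,
                                 L"CertCloseStore() returned error 0x%08lX\n",
                                 dwError = GetLastError());
            }

            // entries are padded to a multiple of 8 bytes
            dwSize = (lpCertificate->dwLength + sizeof(DWORD64) - 1) & (0 - sizeof(DWORD64));

            // stop when rounding up wrapped around or the padded entry covers
            // more than is left of the directory: nothing can follow it, and
            // subtracting would wrap dwCertificate instead of reaching 0
            if ((dwSize < lpCertificate->dwLength) || (dwSize > dwCertificate))
                break;

            lpCertificate = (WIN_CERTIFICATE *) ((BYTE *) lpCertificate + dwSize);
            dwCertificate -= dwSize;
        } while (dwCertificate != 0);
    }
}
else
    if (dwOffset != dwImage)
        PrintConsole(hConsole,
                     L"Image file extends past last COFF section!\n");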
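// Base relocation directory: a sequence of IMAGE_BASE_RELOCATION blocks, each
// a header (VirtualAddress, SizeOfBlock) followed by 16-bit entries whose
// upper 4 bits select the relocation type and whose lower 12 bits are printed
// as the offset.
if ((lpDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != 0)
 && (lpDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size != 0))
{
    // lpRelocation is set before this point, outside the code shown here
    // (presumably when a '.reloc' section was seen in the section table)
    if (lpRelocation == NULL)
        PrintConsole(hConsole,
                     L"No \'%hs\' section for IMAGE_DATA_DIRECTORY[%lu]!\n",
                     ".reloc", IMAGE_DIRECTORY_ENTRY_BASERELOC);

    dwRelocation = lpDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size;
    lpRelocation = (IMAGE_BASE_RELOCATION *) RVA2Image(lpImage, lpSection, dwSection,
                                                       lpDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress,
                                                       IMAGE_DIRECTORY_ENTRY_BASERELOC,
                                                       hConsole);
    if (lpRelocation != NULL)
    {
        bOutput &= PrintString(hOutput,
                               L"\r\n"
                               L"Base Relocation Directory:\r\n");

        while (dwRelocation > 0)
        {
            // the block header must fit into the rest of the directory
            if (dwRelocation < sizeof(IMAGE_BASE_RELOCATION))
            {
                PrintConsole(hConsole,
                             L"Truncated base relocation block!\n");
                break;
            }

            bOutput &= PrintFormat(hOutput,
                                   L"\tRelocation Block:\r\n"
                                   L"\t\tAddress of Data = 0x%08lX\r\n"
                                   L"\t\tSize of Block = 0x%08lX\r\n",
                                   lpRelocation->VirtualAddress,
                                   lpRelocation->SizeOfBlock);

            // SizeOfBlock is read from the image file: 0 would never advance
            // (endless loop), less than the header would step backwards into
            // it, and more than what is left would wrap dwRelocation around
            if ((lpRelocation->SizeOfBlock < sizeof(IMAGE_BASE_RELOCATION))
             || (lpRelocation->SizeOfBlock > dwRelocation))
            {
                PrintConsole(hConsole,
                             L"Invalid size of base relocation block!\n");
                break;
            }

            lpWord = (WORD *) (lpRelocation + 1);
            dwRelocation -= lpRelocation->SizeOfBlock;
            lpRelocation = (IMAGE_BASE_RELOCATION *) ((BYTE *) lpRelocation + lpRelocation->SizeOfBlock);

            // lpRelocation now addresses the next block, which ends this
            // one; a block made of the header alone has no entries to print
            for (; lpWord < (WORD *) lpRelocation; lpWord++)
                bOutput &= PrintFormat(hOutput,
                                       L"\t\t\t0x%03hX\t%ls\r\n",
                                       *lpWord & 0x0FFF,
                                       szRelocation[*lpWord >> 12]);
        }
    }
}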
// Debug directory: an array of IMAGE_DEBUG_DIRECTORY entries. For every entry
// the header is printed; the payload of CODEVIEW, MISC, RESERVED10 and POGO
// entries is then decoded from the file offset PointerToRawData.
// NOTE(review): Size, PointerToRawData and SizeOfData are taken from the image
// file as they are; nothing here compares them with the extent of the file
// mapped at lpImage, so a malformed file can direct these reads outside of it.
if ((lpDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG].VirtualAddress != 0)
&& (lpDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG].Size != 0))
{
// lpDebug is set before this point, outside the code shown here
if (lpDebug == NULL)
PrintConsole(hConsole,
L"No \'%hs\' section for IMAGE_DATA_DIRECTORY[%lu]!\n",
".debug", IMAGE_DIRECTORY_ENTRY_DEBUG);
dwDebug = lpDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG].Size;
lpDebug = (IMAGE_DEBUG_DIRECTORY *) RVA2Image(lpImage, lpSection, dwSection,
lpDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG].VirtualAddress,
IMAGE_DIRECTORY_ENTRY_DEBUG,
hConsole);
if (lpDebug != NULL)
{
bOutput &= PrintString(hOutput,
L"\r\n"
L"Debug Directory:\r\n");
do
{
qw = __emulu(lpDebug->TimeDateStamp, 10000000) // seconds since 1970-01-01 to
+ 116444736000000000; // 100 nano-seconds since 1601-01-01
// NOTE(review): when the conversion fails only a message is written; st
// keeps whatever it held before and is still used for the output below,
// including as index into szDayOfWeek[]
if (!FileTimeToSystemTime((FILETIME *) &qw, &st))
PrintConsole(hConsole,
L"FileTimeToSystemTime() returned error %lu\n",
dwError = GetLastError());
bOutput &= PrintFormat(hOutput,
L"\tDebug Directory Entry:\r\n"
L"\t\tCharacteristics = 0x%08lX\r\n"
L"\t\tTime/Date Stamp = 0x%08lX (%ls, %04hu-%02hu-%02hu %02hu:%02hu:%02hu UTC)\r\n"
L"\t\tVersion = %hu.%hu\r\n"
L"\t\tType = %lu (%ls)\r\n"
L"\t\tAddress of Data = 0x%08lX\r\n"
L"\t\tOffset of Data = 0x%08lX\r\n"
L"\t\tSize of Data = 0x%08lX\r\n",
lpDebug->Characteristics,
lpDebug->TimeDateStamp,
szDayOfWeek[st.wDayOfWeek], st.wYear, st.wMonth, st.wDay, st.wHour, st.wMinute, st.wSecond,
lpDebug->MajorVersion,
lpDebug->MinorVersion,
lpDebug->Type, DebugTypeName(lpDebug->Type),
lpDebug->AddressOfRawData,
lpDebug->PointerToRawData,
lpDebug->SizeOfData);
if (lpDebug->Type == IMAGE_DEBUG_TYPE_CODEVIEW)
{
// CodeView record: the multi-character constant 'SDSR' is what this branch
// reports as format "RSDS"; any other magic is printed as 4 characters
// NOTE(review): PdbFileName is printed up to its NUL terminator; SizeOfData
// is not used to bound it. The path also discloses the build directory of
// the image, which is worth a look when reviewing a binary
lpCodeView = (CV_INFO_PDB70 *) (lpImage + lpDebug->PointerToRawData);
if (lpCodeView->Magic == 'SDSR')
bOutput &= PrintFormat(hOutput,
L"\t\t\tFormat = RSDS\r\n"
L"\t\t\tSignature = {%08lX-%04lX-%04lX-%02X%02X-%02X%02X%02X%02X%02X%02X}\r\n"
L"\t\t\tAge = %lu\r\n"
L"\t\t\tFilename = %hs\r\n",
lpCodeView->Signature.Data1, lpCodeView->Signature.Data2, lpCodeView->Signature.Data3,
lpCodeView->Signature.Data4[0], lpCodeView->Signature.Data4[1],
lpCodeView->Signature.Data4[2], lpCodeView->Signature.Data4[3], lpCodeView->Signature.Data4[4],
lpCodeView->Signature.Data4[5], lpCodeView->Signature.Data4[6], lpCodeView->Signature.Data4[7],
lpCodeView->Age,
lpCodeView->PdbFileName);
else
bOutput &= PrintFormat(hOutput,
L"\t\t\tFormat = %.4hs\r\n",
&lpCodeView->Magic);
}
else if (lpDebug->Type == IMAGE_DEBUG_TYPE_MISC)
{
// MISC record: only the executable name is decoded; the Unicode member
// selects between the wide and the narrow format string
lpMisc = (IMAGE_DEBUG_MISC *) (lpImage + lpDebug->PointerToRawData);
if (lpMisc->DataType == IMAGE_DEBUG_MISC_EXENAME)
bOutput &= PrintFormat(hOutput,
lpMisc->Unicode ? L"\t\t\tFilename = %ls\r\n" : L"\t\t\tFilename = %hs\r\n",
lpMisc->Data);
}
else if (lpDebug->Type == IMAGE_DEBUG_TYPE_RESERVED10)
bOutput &= PrintFormat(hOutput,
L"\t\t\tData = 0x%08lX\r\n",
*(DWORD *) (lpImage + lpDebug->PointerToRawData));
else if (lpDebug->Type == IMAGE_DEBUG_TYPE_POGO)
{
// POGO record: a DWORD magic followed by variable-length entries (address,
// size, NUL-terminated section name); lpPogo is advanced by the size of
// each entry so that Entries[0] always addresses the current one
// NOTE(review): assuming dwPogo is unsigned, as its prefix suggests, it
// wraps around if SizeOfData is less than sizeof(DWORD) or if dwSize
// exceeds what is left, and the loop then continues past the record;
// strlen() likewise relies on the name being terminated
dwPogo = lpDebug->SizeOfData - sizeof(DWORD);
lpPogo = (POGO *) (lpImage + lpDebug->PointerToRawData);
if (lpPogo->Magic == 'LTCG')
while (dwPogo > 0)
{
bOutput &= PrintFormat(hOutput,
L"\t\t%hs:\r\n"
L"\t\t\tVirtual Address & Size = 0x%08lX, 0x%08lX\r\n",
lpPogo->Entries[0].Section,
lpPogo->Entries[0].Address, lpPogo->Entries[0].Size);
dwSize = (sizeof(POGO) - sizeof(DWORD) + strlen(lpPogo->Entries[0].Section)) & (0 - sizeof(DWORD));
dwPogo -= dwSize;
lpPogo = (POGO *) ((BYTE *) lpPogo + dwSize);
}
}
lpDebug++;
// NOTE(review): if Size is not a multiple of sizeof(IMAGE_DEBUG_DIRECTORY),
// dwDebug (assumed unsigned) wraps around instead of reaching 0 and the
// loop keeps decoding whatever follows the directory
dwDebug -= sizeof(IMAGE_DEBUG_DIRECTORY);
} while (dwDebug > 0);
}
}
// Architecture directory: its contents are not decoded; a populated entry
// is only reported when no '.arch' section has been recorded (lpArchitecture
// is set outside the code shown here).
if ((lpArchitecture == NULL)
 && (lpDirectory[IMAGE_DIRECTORY_ENTRY_ARCHITECTURE].Size != 0)
 && (lpDirectory[IMAGE_DIRECTORY_ENTRY_ARCHITECTURE].VirtualAddress != 0))
{
    PrintConsole(hConsole,
                 L"No \'%hs\' section for IMAGE_DATA_DIRECTORY[%lu]!\n",
                 ".arch", IMAGE_DIRECTORY_ENTRY_ARCHITECTURE);
}
// Thread Local Storage directory: decoded as IMAGE_TLS_DIRECTORY32 or
// IMAGE_TLS_DIRECTORY64, selected by the magic of the optional header. The
// members of both structures hold virtual addresses, so dwBase or qwBase
// (presumably the preferred image base, set outside the code shown here) is
// subtracted before RVA2Image() is called or the '.tls' section is compared.
// The callback array deserves attention when an unknown binary is reviewed:
// the loader calls these functions before the entry point of the image.
if ((lpDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress != 0)
&& (lpDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size != 0))
{
if (lpTLS == NULL)
PrintConsole(hConsole,
L"No \'%hs\' section for IMAGE_DATA_DIRECTORY[%lu]!\n",
".tls", IMAGE_DIRECTORY_ENTRY_TLS);
if (lpPE->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC)
{
// a size mismatch is only reported; decoding continues with the structure
if (lpDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size != sizeof(IMAGE_TLS_DIRECTORY32))
PrintConsole(hConsole,
L"Size of \'%ls\' differs from size of %ls structure!\n",
L"_tls_used", L"IMAGE_TLS_DIRECTORY32");
lpTLS32 = (IMAGE_TLS_DIRECTORY32 *) RVA2Image(lpImage, lpSection, dwSection,
lpDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress,
IMAGE_DIRECTORY_ENTRY_TLS,
hConsole);
if (lpTLS32 == NULL)
PrintConsole(hConsole,
L"No \'%ls\' alias %ls structure!\n",
L"_tls_used", L"IMAGE_TLS_DIRECTORY32");
else
{
// only a non-empty template is compared with the '.tls' section; the
// 'else' below pairs with 'if (lpTLS == NULL)', whose statement is empty
// (the message was already written above), so lpTLS is dereferenced only
// when it is not NULL
if (lpTLS32->StartAddressOfRawData != lpTLS32->EndAddressOfRawData)
if (lpTLS == NULL)
/* PrintConsole(hConsole,
L"No \'%hs\' section for IMAGE_DATA_DIRECTORY[%lu]!\n",
".tls", IMAGE_DIRECTORY_ENTRY_TLS) */;
else
if ((lpTLS32->StartAddressOfRawData - dwBase != lpTLS->VirtualAddress)
|| (lpTLS32->EndAddressOfRawData - lpTLS32->StartAddressOfRawData != lpTLS->Misc.VirtualSize))
PrintConsole(hConsole,
L"Address/size of %ls differ from address/size of \'.tls\' section!\n",
L"IMAGE_TLS_DIRECTORY32");
bOutput &= PrintFormat(hOutput,
L"\r\n"
L"Thread Local Storage Directory:\r\n"
L"\tStart Address of Data = 0x%08lX\r\n"
L"\tEnd Address of Data = 0x%08lX\r\n"
L"\tAddress of Index = 0x%08lX\r\n"
L"\tAddress of Callbacks = 0x%08lX\r\n"
L"\tSize of Zero Fill = 0x%08lX\r\n"
L"\tCharacteristics = 0x%08lX\r\n",
lpTLS32->StartAddressOfRawData,
lpTLS32->EndAddressOfRawData,
lpTLS32->AddressOfIndex,
lpTLS32->AddressOfCallBacks,
lpTLS32->SizeOfZeroFill,
lpTLS32->Characteristics);
if (lpTLS32->AddressOfCallBacks != 0)
{
bOutput &= PrintString(hOutput,
L"\tCallback Functions:\r\n");
lpCookie32 = (DWORD *) RVA2Image(lpImage, lpSection, dwSection,
lpTLS32->AddressOfCallBacks - dwBase,
IMAGE_DIRECTORY_ENTRY_TLS,
hConsole);
// NOTE(review): the array is walked up to its zero terminator without an
// upper bound; in a file that lacks the terminator the loop reads on past
// the table
if (lpCookie32 != NULL)
while (*lpCookie32 != 0)
bOutput &= PrintFormat(hOutput,
L"\t\t0x%08lX\r\n",
*lpCookie32++);
}
}
}
else if (lpPE->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)
{
// same decoding as above with the 64-bit structure and 64-bit addresses
if (lpDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size != sizeof(IMAGE_TLS_DIRECTORY64))
PrintConsole(hConsole,
L"Size of \'%ls\' differs from size of %ls structure!\n",
L"_tls_used", L"IMAGE_TLS_DIRECTORY64");
lpTLS64 = (IMAGE_TLS_DIRECTORY64 *) RVA2Image(lpImage, lpSection, dwSection,
lpDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress,
IMAGE_DIRECTORY_ENTRY_TLS,
hConsole);
if (lpTLS64 == NULL)
PrintConsole(hConsole,
L"No \'%ls\' alias %ls structure!\n",
L"_tls_used", L"IMAGE_TLS_DIRECTORY64");
else
{
// as in the 32-bit branch, the 'else' pairs with 'if (lpTLS == NULL)'
if (lpTLS64->StartAddressOfRawData != lpTLS64->EndAddressOfRawData)
if (lpTLS == NULL)
/* PrintConsole(hConsole,
L"No \'%hs\' section for IMAGE_DATA_DIRECTORY[%lu]!\n",
".tls", IMAGE_DIRECTORY_ENTRY_TLS) */;
else
if ((lpTLS64->StartAddressOfRawData - qwBase != lpTLS->VirtualAddress)
|| (lpTLS64->EndAddressOfRawData - lpTLS64->StartAddressOfRawData != lpTLS->Misc.VirtualSize))
PrintConsole(hConsole,
L"Address/size of %ls differ from address/size of \'.tls\' section!\n",
L"IMAGE_TLS_DIRECTORY64");
bOutput &= PrintFormat(hOutput,
L"\r\n"
L"Thread Local Storage Directory:\r\n"
L"\tStart Address of Data = 0x%016I64X\r\n"
L"\tEnd Address of Data = 0x%016I64X\r\n"
L"\tAddress of Index = 0x%016I64X\r\n"
L"\tAddress of Callbacks = 0x%016I64X\r\n"
L"\tSize of Zero Fill = 0x%08lX\r\n"
L"\tCharacteristics = 0x%08lX\r\n",
lpTLS64->StartAddressOfRawData,
lpTLS64->EndAddressOfRawData,
lpTLS64->AddressOfIndex,
lpTLS64->AddressOfCallBacks,
lpTLS64->SizeOfZeroFill,
lpTLS64->Characteristics);
if (lpTLS64->AddressOfCallBacks != 0)
{
bOutput &= PrintString(hOutput,
L"\tCallback Functions:\r\n");
// NOTE(review): the cast truncates the difference to 32 bits; an address
// below qwBase, or 4 GiB or more above it, silently becomes a different
// RVA, which RVA2Image() then resolves or rejects
lpCookie64 = (DWORD64 *) RVA2Image(lpImage, lpSection, dwSection,
(DWORD) (lpTLS64->AddressOfCallBacks - qwBase),
IMAGE_DIRECTORY_ENTRY_TLS,
hConsole);
// NOTE(review): walked up to the zero terminator without an upper bound,
// like the 32-bit array above
if (lpCookie64 != NULL)
while (*lpCookie64 != 0)
bOutput &= PrintFormat(hOutput,
L"\t\t0x%016I64X\r\n",
*lpCookie64++);
}
}
}
}
if ((lpDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress != 0)
&& (lpDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size != 0))
{
if (lpPE->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC)
{
lpLoadCfg32 = (IMAGE_LOAD_CONFIGURATION_DIRECTORY32 *) RVA2Image(lpImage, lpSection, dwSection,
lpDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress,
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG,
hConsole);
while (lpLoadCfg32 != NULL)
{
if (lpLoadCfg32->Size > sizeof(IMAGE_LOAD_CONFIGURATION_DIRECTORY32))
PrintConsole(hConsole,
L"Size of \'%ls\' exceeds size of %ls structure!\n",
L"_load_config_used", L"IMAGE_LOAD_CONFIGURATION_DIRECTORY32");
if (lpLoadCfg32->Size != lpDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size)
PrintConsole(hConsole,
L"Size member of \'%ls\' differs from size member of %ls!\n",
L"_load_config_used", L"IMAGE_DATA_DIRECTORY[10]");
bOutput &= PrintFormat(hOutput,
L"\r\n"
L"Load Configuration:\r\n"
L"\tSize = 0x%08lX\r\n"
L"\tTime/Date Stamp = 0x%08lX\r\n"
L"\tVersion = %hu.%hu\r\n"
L"\tGlobal Flags Clear = 0x%08lX\r\n",
lpLoadCfg32->Size,
lpLoadCfg32->TimeDateStamp,
lpLoadCfg32->MajorVersion,
lpLoadCfg32->MinorVersion,
lpLoadCfg32->GlobalFlagsClear);
for (dwFlags = lpLoadCfg32->GlobalFlagsClear; _BitScanForward(&dwIndex, dwFlags); dwFlags &= dwFlags - 1)
bOutput &= PrintFormat(hOutput, L"\t\t%ls\r\n", szGlobalFlags[dwIndex]);
bOutput &= PrintFormat(hOutput,
L"\tGlobal Flags Set = 0x%08lX\r\n",
lpLoadCfg32->GlobalFlagsSet);
for (dwFlags = lpLoadCfg32->GlobalFlagsSet; _BitScanForward(&dwIndex, dwFlags); dwFlags &= dwFlags - 1)
bOutput &= PrintFormat(hOutput, L"\t\t%ls\r\n", szGlobalFlags[dwIndex]);
bOutput &= PrintFormat(hOutput,
L"\tCritical Section Timeout = %lu\r\n"
L"\tDecommit Block Threshold = 0x%08lX\r\n"
L"\tDecommit Total Threshold = 0x%08lX\r\n"
L"\tLock Prefix Table Address = 0x%08lX\r\n"
L"\tMaximum Allocation Size = 0x%08lX\r\n"
L"\tVirtual Memory Threshold = 0x%08lX\r\n"
L"\tProcess Heap Flags = 0x%08lX\r\n"
L"\tProcess Affinity Mask = 0x%08lX\r\n"
L"\tCSD Version = %hu\r\n"
L"\tDependent Load Flags = 0x%04hX\r\n",
lpLoadCfg32->CriticalSectionDefaultTimeout,
lpLoadCfg32->DeCommitFreeBlockThreshold,
lpLoadCfg32->DeCommitTotalFreeThreshold,
lpLoadCfg32->LockPrefixTable,
lpLoadCfg32->MaximumAllocationSize,
lpLoadCfg32->VirtualMemoryThreshold,
lpLoadCfg32->ProcessHeapFlags,
lpLoadCfg32->ProcessAffinityMask,
lpLoadCfg32->CSDVersion,
lpLoadCfg32->DependentLoadFlags);
if ((lpLoadCfg32->DependentLoadFlags & DONT_RESOLVE_DLL_REFERENCES) == DONT_RESOLVE_DLL_REFERENCES)
bOutput &= PrintString(hOutput, L"\t\tDon't resolve DLL references\r\n");
if ((lpLoadCfg32->DependentLoadFlags & LOAD_LIBRARY_AS_DATAFILE) == LOAD_LIBRARY_AS_DATAFILE)
bOutput &= PrintString(hOutput, L"\t\tLoad as data file\r\n");
#ifdef LOAD_PACKAGED_LIBRARY
if ((lpLoadCfg32->DependentLoadFlags & LOAD_PACKAGED_LIBRARY) == LOAD_PACKAGED_LIBRARY)
bOutput &= PrintString(hOutput, L"\t\tLoad packaged library\r\n");
#endif
if ((lpLoadCfg32->DependentLoadFlags & LOAD_WITH_ALTERED_SEARCH_PATH) == LOAD_WITH_ALTERED_SEARCH_PATH)
bOutput &= PrintString(hOutput, L"\t\tLoad with altered search path\r\n");
if ((lpLoadCfg32->DependentLoadFlags & LOAD_IGNORE_CODE_AUTHZ_LEVEL) == LOAD_IGNORE_CODE_AUTHZ_LEVEL)
bOutput &= PrintString(hOutput, L"\t\tIgnore AUTHZ level\r\n");
if ((lpLoadCfg32->DependentLoadFlags & LOAD_LIBRARY_AS_IMAGE_RESOURCE) == LOAD_LIBRARY_AS_IMAGE_RESOURCE)
bOutput &= PrintString(hOutput, L"\t\tLoad as image resource\r\n");
if ((lpLoadCfg32->DependentLoadFlags & LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE) == LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE)
bOutput &= PrintString(hOutput, L"\t\tLoad as data file exclusively\r\n");
if ((lpLoadCfg32->DependentLoadFlags & LOAD_LIBRARY_REQUIRE_SIGNED_TARGET) == LOAD_LIBRARY_REQUIRE_SIGNED_TARGET)
bOutput &= PrintString(hOutput, L"\t\tRequire signed target\r\n");
if ((lpLoadCfg32->DependentLoadFlags & LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR) == LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR)
bOutput &= PrintString(hOutput, L"\t\tSearch DLL directory\r\n");
if ((lpLoadCfg32->DependentLoadFlags & LOAD_LIBRARY_SEARCH_APPLICATION_DIR) == LOAD_LIBRARY_SEARCH_APPLICATION_DIR)
bOutput &= PrintString(hOutput, L"\t\tSearch application directory\r\n");
if ((lpLoadCfg32->DependentLoadFlags & LOAD_LIBRARY_SEARCH_USER_DIRS) == LOAD_LIBRARY_SEARCH_USER_DIRS)
bOutput &= PrintString(hOutput, L"\t\tSearch user directories\r\n");
if ((lpLoadCfg32->DependentLoadFlags & LOAD_LIBRARY_SEARCH_SYSTEM32) == LOAD_LIBRARY_SEARCH_SYSTEM32)
bOutput &= PrintString(hOutput, L"\t\tSearch system directory\r\n");
if ((lpLoadCfg32->DependentLoadFlags & LOAD_LIBRARY_SEARCH_DEFAULT_DIRS) == LOAD_LIBRARY_SEARCH_DEFAULT_DIRS)
bOutput &= PrintString(hOutput, L"\t\tSearch default directories\r\n");
if ((lpLoadCfg32->DependentLoadFlags & LOAD_LIBRARY_SEARCH_SAFE_CURRENT_DIRS) == LOAD_LIBRARY_SEARCH_SAFE_CURRENT_DIRS)
bOutput &= PrintString(hOutput, L"\t\tSearch safe current directory\r\n");
if ((lpLoadCfg32->DependentLoadFlags & LOAD_LIBRARY_SEARCH_SYSTEM32_NO_FORWARDER) == LOAD_LIBRARY_SEARCH_SYSTEM32_NO_FORWARDER)
bOutput &= PrintString(hOutput, L"\t\tSearch system directory, exempt (reverse) forwarder modules\r\n");
if ((lpLoadCfg32->DependentLoadFlags & LOAD_LIBRARY_OS_INTEGRITY_CONTINUITY) == LOAD_LIBRARY_OS_INTEGRITY_CONTINUITY)
bOutput &= PrintString(hOutput, L"\t\tOS integrity continuity\r\n");
if (lpLoadCfg32->Size < 64)
break;
bOutput &= PrintFormat(hOutput,
L"\tEdit List Address = 0x%08lX\r\n"
L"\tSecurity Cookie Address = 0x%08lX\r\n",
lpLoadCfg32->EditList,
lpLoadCfg32->SecurityCookie);
if (lpLoadCfg32->SecurityCookie != 0)
{
lpCookie32 = (DWORD *) RVA2Image(lpImage, lpSection, dwSection,
lpLoadCfg32->SecurityCookie - dwBase,
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG,
hConsole);
if (lpCookie32 != NULL)
bOutput &= PrintFormat(hOutput,
L"\t\tSecurity Cookie = 0x%08lX (%ls)\r\n",
*lpCookie32,
*lpCookie32 == 0xBB40E64E ? L"default" : L"custom");
}
if (lpLoadCfg32->Size < 72)
break;
bOutput &= PrintFormat(hOutput,
L"\tSEH Table Address = 0x%08lX\r\n"
L"\tSEH Table Entries = %lu\r\n",
lpLoadCfg32->SEHandlerTable,
lpLoadCfg32->SEHandlerCount);
if (lpLoadCfg32->SEHandlerTable != 0)
{
lpHandler = (DWORD *) RVA2Image(lpImage, lpSection, dwSection,
lpLoadCfg32->SEHandlerTable - dwBase,
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG,
hConsole);
if (lpHandler != NULL)
for (dwHandler = 0; dwHandler < lpLoadCfg32->SEHandlerCount; dwHandler++)
bOutput &= PrintFormat(hOutput,
L"\t\tException Handler = 0x%08lX\r\n",
lpHandler[dwHandler]);
}
if (lpLoadCfg32->Size < 92)
break;
bOutput &= PrintFormat(hOutput,
L"\tCFG Check Function = 0x%08lX\r\n"
L"\tCFG Dispatch Function = 0x%08lX\r\n"
L"\tCFG Function Table = 0x%08lX\r\n"
L"\tCFG Function Count = %lu\r\n"
L"\tCFG Function Table Stride = %lu\r\n"
L"\tCFG Flags = 0x%08lX\r\n",
lpLoadCfg32->GuardCFCheckFunctionPointer,
lpLoadCfg32->GuardCFDispatchFunctionPointer,
lpLoadCfg32->GuardCFFunctionTable,
lpLoadCfg32->GuardCFFunctionCount,
(lpLoadCfg32->GuardFlags & IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK) >> IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT,
lpLoadCfg32->GuardFlags & ~IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK);
if ((lpLoadCfg32->GuardFlags & IMAGE_GUARD_CF_INSTRUMENTED) == IMAGE_GUARD_CF_INSTRUMENTED)
bOutput &= PrintString(hOutput, L"\t\tControl flow integrity checks using system-supplied support\r\n");
if ((lpLoadCfg32->GuardFlags & IMAGE_GUARD_CFW_INSTRUMENTED) == IMAGE_GUARD_CFW_INSTRUMENTED)
bOutput &= PrintString(hOutput, L"\t\tControl flow and write integrity checks\r\n");
if ((lpLoadCfg32->GuardFlags & IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT) == IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT)
bOutput &= PrintString(hOutput, L"\t\tControl flow target metadata\r\n");
if ((lpLoadCfg32->GuardFlags & IMAGE_GUARD_SECURITY_COOKIE_UNUSED) == IMAGE_GUARD_SECURITY_COOKIE_UNUSED)
bOutput &= PrintString(hOutput, L"\t\t/GS security cookie not used\r\n");
if ((lpLoadCfg32->GuardFlags & IMAGE_GUARD_PROTECT_DELAYLOAD_IAT) == IMAGE_GUARD_PROTECT_DELAYLOAD_IAT)
bOutput &= PrintString(hOutput, L"\t\tRead-only delay-load IAT\r\n");
if ((lpLoadCfg32->GuardFlags & IMAGE_GUARD_DELAYLOAD_IAT_IN_ITS_OWN_SECTION) == IMAGE_GUARD_DELAYLOAD_IAT_IN_ITS_OWN_SECTION)
bOutput &= PrintString(hOutput, L"\t\tDelay-load import table in own \'.didat\' section\r\n");
if ((lpLoadCfg32->GuardFlags & IMAGE_GUARD_CF_EXPORT_SUPPRESSION_INFO_PRESENT) == IMAGE_GUARD_CF_EXPORT_SUPPRESSION_INFO_PRESENT)
bOutput &= PrintString(hOutput, L"\t\tExport suppression information\r\n");
if ((lpLoadCfg32->GuardFlags & IMAGE_GUARD_CF_ENABLE_EXPORT_SUPPRESSION) == IMAGE_GUARD_CF_ENABLE_EXPORT_SUPPRESSION)
bOutput &= PrintString(hOutput, L"\t\tExport suppression\r\n");
if ((lpLoadCfg32->GuardFlags & IMAGE_GUARD_CF_LONGJUMP_TABLE_PRESENT) == IMAGE_GUARD_CF_LONGJUMP_TABLE_PRESENT)
bOutput &= PrintString(hOutput, L"\t\t\'longjmp()\' target information\r\n");
if ((lpLoadCfg32->GuardFlags & IMAGE_GUARD_RF_INSTRUMENTED) == IMAGE_GUARD_RF_INSTRUMENTED)
bOutput &= PrintString(hOutput, L"\t\tReturn flow instrumentation and metadata\r\n");
if ((lpLoadCfg32->GuardFlags & IMAGE_GUARD_RF_ENABLE) == IMAGE_GUARD_RF_ENABLE)
bOutput &= PrintString(hOutput, L"\t\tReturn flow protection\r\n");
if ((lpLoadCfg32->GuardFlags & IMAGE_GUARD_RF_STRICT) == IMAGE_GUARD_RF_STRICT)
bOutput &= PrintString(hOutput, L"\t\tReturn flow protection, strict mode\r\n");
if (lpLoadCfg32->Size < 104)
break;
bOutput &= PrintFormat(hOutput,
L"\tCode Integrity Flags = 0x%04hX\r\n"
L"\tCode Integrity Catalog = 0x%04hX\r\n"
L"\tCode Integrity Offset = 0x%08lX\r\n"
L"\tReserved = 0x%08lX\r\n",
lpLoadCfg32->CodeIntegrity.Flags,
lpLoadCfg32->CodeIntegrity.Catalog,
lpLoadCfg32->CodeIntegrity.CatalogOffset,
lpLoadCfg32->CodeIntegrity.Reserved);
if (lpLoadCfg32->Size < 120)
break;
bOutput &= PrintFormat(hOutput,
L"\tCFG IAT Entry Table = 0x%08lX\r\n"
L"\tCFG IAT Entry Count = %lu\r\n"
L"\tCFG Jump Target Table = 0x%08lX\r\n"
L"\tCFG Jump Target Count = %lu\r\n",
lpLoadCfg32->GuardAddressTakenIatEntryTable,
lpLoadCfg32->GuardAddressTakenIatEntryCount,
lpLoadCfg32->GuardLongJumpTargetTable,
lpLoadCfg32->GuardLongJumpTargetCount);
if (lpLoadCfg32->Size < 128)
break;
bOutput &= PrintFormat(hOutput,
L"\tRelocation Table = 0x%08lX\r\n"
L"\tCompiled Hybrid Metadata = 0x%08lX\r\n",
lpLoadCfg32->DynamicValueRelocTable,
lpLoadCfg32->CHPEMetadataPointer);
if (lpLoadCfg32->Size < 152)
break;
bOutput &= PrintFormat(hOutput,
L"\tRFG Failure Routine = 0x%08lX\r\n"
L"\tRFG Failure Function = 0x%08lX\r\n"
L"\tRelocation Table Offset = 0x%08lX\r\n"
L"\tRelocation Table Section = 0x%04hX\r\n"
L"\tReserved2 = %hu\r\n"
L"\tRFG Stack Pointer Function = 0x%08lX\r\n"
L"\tHot Patch Table Offset = 0x%08lX\r\n",
lpLoadCfg32->GuardRFFailureRoutine,
lpLoadCfg32->GuardRFFailureRoutineFunctionPointer,
lpLoadCfg32->DynamicValueRelocTableOffset,
lpLoadCfg32->DynamicValueRelocTableSection,
lpLoadCfg32->Reserved2,
lpLoadCfg32->GuardRFVerifyStackPointerFunctionPointer,
lpLoadCfg32->HotPatchTableOffset);
if (lpLoadCfg32->Size < 160)
break;
bOutput &= PrintFormat(hOutput,
L"\tReserved3 = %lu\r\n"
L"\tEnclave Configuration = 0x%08lX\r\n",
lpLoadCfg32->Reserved3,
lpLoadCfg32->EnclaveConfigurationPointer);
if (lpLoadCfg32->Size < 164)
break;
bOutput &= PrintFormat(hOutput,
L"\tVolatile Metadata Pointer = 0x%08lX\r\n",
lpLoadCfg32->VolatileMetadataPointer);
if (lpLoadCfg32->Size < 172)
break;
bOutput &= PrintFormat(hOutput,
L"\tCFG EH Continuation Table = 0x%08lX\r\n"
L"\tCFG EH Continuation Count = %lu\r\n",
lpLoadCfg32->GuardEHContinuationTable,
lpLoadCfg32->GuardEHContinuationCount);
if (lpLoadCfg32->Size < 184)
break;
bOutput &= PrintFormat(hOutput,
L"\tXFG Check Function = 0x%08lX\r\n"
L"\tXFG Dispatch Function = 0x%08lX\r\n"
L"\tXFG Function Table = 0x%08lX\r\n",
lpLoadCfg32->GuardXFGCheckFunctionPointer,
lpLoadCfg32->GuardXFGDispatchFunctionPointer,
lpLoadCfg32->GuardXFGTableDispatchFunctionPointer);
if (lpLoadCfg32->Size < 188)
break;
bOutput &= PrintFormat(hOutput,
L"\tCast Guard OS Failure Mode = 0x%08lX\r\n",
lpLoadCfg32->CastGuardOsDeterminedFailureMode);
if (lpLoadCfg32->Size < 192)
break;
bOutput &= PrintFormat(hOutput,
L"\tCFG memcpy() Function = 0x%08lX\r\n",
lpLoadCfg32->GuardMemcpyFunctionPointer);
break;
}
}
else if (lpPE->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)
{
lpLoadCfg64 = (IMAGE_LOAD_CONFIGURATION_DIRECTORY64 *) RVA2Image(lpImage, lpSection, dwSection,
lpDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress,
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG,
hConsole);
while (lpLoadCfg64 != NULL)
{
if (lpLoadCfg64->Size > sizeof(IMAGE_LOAD_CONFIGURATION_DIRECTORY64))
PrintConsole(hConsole,
L"Size of \'%ls\' exceeds size of %ls structure!\n",
L"_load_config_used", L"IMAGE_LOAD_CONFIGURATION_DIRECTORY64");
if (lpLoadCfg64->Size != lpDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size)
PrintConsole(hConsole,
L"Size member of \'%ls\' differs from size member of %ls!\n",
L"_load_config_used", L"IMAGE_DATA_DIRECTORY[10]");
bOutput &= PrintFormat(hOutput,
L"\r\n"
L"Load Configuration:\r\n"
L"\tSize = 0x%08lX\r\n"
L"\tTime/Date Stamp = 0x%08lX\r\n"
L"\tVersion = %hu.%hu\r\n"
L"\tGlobal Flags Clear = 0x%08lX\r\n",
lpLoadCfg64->Size,
lpLoadCfg64->TimeDateStamp,
lpLoadCfg64->MajorVersion,
lpLoadCfg64->MinorVersion,
lpLoadCfg64->GlobalFlagsClear);
for (dwFlags = lpLoadCfg64->GlobalFlagsClear; _BitScanForward(&dwIndex, dwFlags); dwFlags &= dwFlags - 1)
bOutput &= PrintFormat(hOutput, L"\t\t%ls\r\n", szGlobalFlags[dwIndex]);
bOutput &= PrintFormat(hOutput,
L"\tGlobal Flags Set = 0x%08lX\r\n",
lpLoadCfg64->GlobalFlagsSet);
for (dwFlags = lpLoadCfg64->GlobalFlagsSet; _BitScanForward(&dwIndex, dwFlags); dwFlags &= dwFlags - 1)
bOutput &= PrintFormat(hOutput, L"\t\t%ls\r\n", szGlobalFlags[dwIndex]);
bOutput &= PrintFormat(hOutput,
L"\tCritical Section Timeout = %lu\r\n"
L"\tDecommit Block Threshold = 0x%016I64X\r\n"
L"\tDecommit Total Threshold = 0x%016I64X\r\n"
L"\tLock Prefix table Address = 0x%016I64X\r\n"
L"\tMaximum Allocation Size = 0x%016I64X\r\n"
L"\tVirtual Memory Threshold = 0x%016I64X\r\n"
L"\tProcess Affinity Mask = 0x%016I64X\r\n"
L"\tProcess Heap Flags = 0x%08lX\r\n"
L"\tCSD Version = %hu\r\n"
L"\tDependent Load Flags = 0x%04hX\r\n",
lpLoadCfg64->CriticalSectionDefaultTimeout,
lpLoadCfg64->DeCommitFreeBlockThreshold,
lpLoadCfg64->DeCommitTotalFreeThreshold,
lpLoadCfg64->LockPrefixTable,
lpLoadCfg64->MaximumAllocationSize,
lpLoadCfg64->VirtualMemoryThreshold,
lpLoadCfg64->ProcessAffinityMask,
lpLoadCfg64->ProcessHeapFlags,
lpLoadCfg64->CSDVersion,
lpLoadCfg64->DependentLoadFlags);
if ((lpLoadCfg64->DependentLoadFlags & DONT_RESOLVE_DLL_REFERENCES) == DONT_RESOLVE_DLL_REFERENCES)
bOutput &= PrintString(hOutput, L"\t\tDon't resolve DLL references\r\n");
if ((lpLoadCfg64->DependentLoadFlags & LOAD_LIBRARY_AS_DATAFILE) == LOAD_LIBRARY_AS_DATAFILE)
bOutput &= PrintString(hOutput, L"\t\tLoad as data file\r\n");
#ifdef LOAD_PACKAGED_LIBRARY
if ((lpLoadCfg64->DependentLoadFlags & LOAD_PACKAGED_LIBRARY) == LOAD_PACKAGED_LIBRARY)
bOutput &= PrintString(hOutput, L"\t\tLoad packaged library\r\n");
#endif
if ((lpLoadCfg64->DependentLoadFlags & LOAD_WITH_ALTERED_SEARCH_PATH) == LOAD_WITH_ALTERED_SEARCH_PATH)
bOutput &= PrintString(hOutput, L"\t\tLoad with altered search path\r\n");
if ((lpLoadCfg64->DependentLoadFlags & LOAD_IGNORE_CODE_AUTHZ_LEVEL) == LOAD_IGNORE_CODE_AUTHZ_LEVEL)
bOutput &= PrintString(hOutput, L"\t\tIgnore AUTHZ level\r\n");
if ((lpLoadCfg64->DependentLoadFlags & LOAD_LIBRARY_AS_IMAGE_RESOURCE) == LOAD_LIBRARY_AS_IMAGE_RESOURCE)
bOutput &= PrintString(hOutput, L"\t\tLoad as image resource\r\n");
if ((lpLoadCfg64->DependentLoadFlags & LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE) == LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE)
bOutput &= PrintString(hOutput, L"\t\tLoad as data file exclusively\r\n");
if ((lpLoadCfg64->DependentLoadFlags & LOAD_LIBRARY_REQUIRE_SIGNED_TARGET) == LOAD_LIBRARY_REQUIRE_SIGNED_TARGET)
bOutput &= PrintString(hOutput, L"\t\tRequire signed target\r\n");
if ((lpLoadCfg64->DependentLoadFlags & LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR) == LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR)
bOutput &= PrintString(hOutput, L"\t\tSearch DLL directory\r\n");
if ((lpLoadCfg64->DependentLoadFlags & LOAD_LIBRARY_SEARCH_APPLICATION_DIR) == LOAD_LIBRARY_SEARCH_APPLICATION_DIR)
bOutput &= PrintString(hOutput, L"\t\tSearch application directory\r\n");
if ((lpLoadCfg64->DependentLoadFlags & LOAD_LIBRARY_SEARCH_USER_DIRS) == LOAD_LIBRARY_SEARCH_USER_DIRS)
bOutput &= PrintString(hOutput, L"\t\tSearch user directories\r\n");
if ((lpLoadCfg64->DependentLoadFlags & LOAD_LIBRARY_SEARCH_SYSTEM32) == LOAD_LIBRARY_SEARCH_SYSTEM32)
bOutput &= PrintString(hOutput, L"\t\tSearch system directory\r\n");
if ((lpLoadCfg64->DependentLoadFlags & LOAD_LIBRARY_SEARCH_DEFAULT_DIRS) == LOAD_LIBRARY_SEARCH_DEFAULT_DIRS)
bOutput &= PrintString(hOutput, L"\t\tSearch default directories\r\n");
if ((lpLoadCfg64->DependentLoadFlags & LOAD_LIBRARY_SEARCH_SAFE_CURRENT_DIRS) == LOAD_LIBRARY_SEARCH_SAFE_CURRENT_DIRS)
bOutput &= PrintString(hOutput, L"\t\tSearch safe current directory\r\n");
if ((lpLoadCfg64->DependentLoadFlags & LOAD_LIBRARY_SEARCH_SYSTEM32_NO_FORWARDER) == LOAD_LIBRARY_SEARCH_SYSTEM32_NO_FORWARDER)
bOutput &= PrintString(hOutput, L"\t\tSearch system directory, exempt (reverse) forwarder modules\r\n");
if ((lpLoadCfg64->DependentLoadFlags & LOAD_LIBRARY_OS_INTEGRITY_CONTINUITY) == LOAD_LIBRARY_OS_INTEGRITY_CONTINUITY)
bOutput &= PrintString(hOutput, L"\t\tOS integrity continuity\r\n");
if (lpLoadCfg64->Size < 96)
break;
bOutput &= PrintFormat(hOutput,
L"\tEdit List Address = 0x%016I64X\r\n"
L"\tSecurity Cookie Address = 0x%016I64X\r\n",
lpLoadCfg64->EditList,
lpLoadCfg64->SecurityCookie);
if (lpLoadCfg64->SecurityCookie != 0)
{
lpCookie64 = (DWORD64 *) RVA2Image(lpImage, lpSection, dwSection,
(DWORD) (lpLoadCfg64->SecurityCookie - qwBase),
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG,
hConsole);
if (lpCookie64 != NULL)
bOutput &= PrintFormat(hOutput,
L"\t\tSecurity Cookie = 0x%016I64X (%ls)\r\n",
*lpCookie64,
*lpCookie64 == 0x00002B992DDFA232 ? L"default" : L"custom");
}
if (lpLoadCfg64->Size < 112)
break;
if ((lpLoadCfg64->SEHandlerTable != 0)
|| (lpLoadCfg64->SEHandlerCount != 0))
PrintConsole(hConsole,
L"Structured exception handler table address or entry count not 0!\n");
bOutput &= PrintFormat(hOutput,
L"\tSEH Table Address = 0x%016I64X\r\n"
L"\tSEH Table Entries = %I64u\r\n",
lpLoadCfg64->SEHandlerTable,
lpLoadCfg64->SEHandlerCount);
if (lpLoadCfg64->Size < 148)
break;
bOutput &= PrintFormat(hOutput,
L"\tCFG Check Function = 0x%016I64X\r\n"
L"\tCFG Dispatch Function = 0x%016I64X\r\n"
L"\tCFG Function Table = 0x%016I64X\r\n"
L"\tCFG Function Count = %I64u\r\n"
L"\tCFG Function Table Stride = %lu\r\n"
L"\tCFG Flags = 0x%08lX\r\n",
lpLoadCfg64->GuardCFCheckFunctionPointer,
lpLoadCfg64->GuardCFDispatchFunctionPointer,
lpLoadCfg64->GuardCFFunctionTable,
lpLoadCfg64->GuardCFFunctionCount,
(lpLoadCfg64->GuardFlags & IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK) >> IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT,
lpLoadCfg64->GuardFlags & ~IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK);
if ((lpLoadCfg64->GuardFlags & IMAGE_GUARD_CF_INSTRUMENTED) == IMAGE_GUARD_CF_INSTRUMENTED)
bOutput &= PrintString(hOutput, L"\t\tControl flow integrity checks using system-supplied support\r\n");
if ((lpLoadCfg64->GuardFlags & IMAGE_GUARD_CFW_INSTRUMENTED) == IMAGE_GUARD_CFW_INSTRUMENTED)
bOutput &= PrintString(hOutput, L"\t\tControl flow and write integrity checks\r\n");
if ((lpLoadCfg64->GuardFlags & IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT) == IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT)
bOutput &= PrintString(hOutput, L"\t\tControl flow target metadata\r\n");
if ((lpLoadCfg64->GuardFlags & IMAGE_GUARD_SECURITY_COOKIE_UNUSED) == IMAGE_GUARD_SECURITY_COOKIE_UNUSED)
bOutput &= PrintString(hOutput, L"\t\t/GS security cookie not used\r\n");
if ((lpLoadCfg64->GuardFlags & IMAGE_GUARD_PROTECT_DELAYLOAD_IAT) == IMAGE_GUARD_PROTECT_DELAYLOAD_IAT)
bOutput &= PrintString(hOutput, L"\t\tRead-only delay-load IAT\r\n");
if ((lpLoadCfg64->GuardFlags & IMAGE_GUARD_DELAYLOAD_IAT_IN_ITS_OWN_SECTION) == IMAGE_GUARD_DELAYLOAD_IAT_IN_ITS_OWN_SECTION)
bOutput &= PrintString(hOutput, L"\t\tDelay-load import table in own \'.didat\' section\r\n");
if ((lpLoadCfg64->GuardFlags & IMAGE_GUARD_CF_EXPORT_SUPPRESSION_INFO_PRESENT) == IMAGE_GUARD_CF_EXPORT_SUPPRESSION_INFO_PRESENT)
bOutput &= PrintString(hOutput, L"\t\tExport suppression information\r\n");
if ((lpLoadCfg64->GuardFlags & IMAGE_GUARD_CF_ENABLE_EXPORT_SUPPRESSION) == IMAGE_GUARD_CF_ENABLE_EXPORT_SUPPRESSION)
bOutput &= PrintString(hOutput, L"\t\tExport suppression\r\n");
if ((lpLoadCfg64->GuardFlags & IMAGE_GUARD_CF_LONGJUMP_TABLE_PRESENT) == IMAGE_GUARD_CF_LONGJUMP_TABLE_PRESENT)
bOutput &= PrintString(hOutput, L"\t\t\'longjmp()\' target information\r\n");
if ((lpLoadCfg64->GuardFlags & IMAGE_GUARD_RF_INSTRUMENTED) == IMAGE_GUARD_RF_INSTRUMENTED)
bOutput &= PrintString(hOutput, L"\t\tReturn flow instrumentation and metadata\r\n");
if ((lpLoadCfg64->GuardFlags & IMAGE_GUARD_RF_ENABLE) == IMAGE_GUARD_RF_ENABLE)
bOutput &= PrintString(hOutput, L"\t\tReturn flow protection\r\n");
if ((lpLoadCfg64->GuardFlags & IMAGE_GUARD_RF_STRICT) == IMAGE_GUARD_RF_STRICT)
bOutput &= PrintString(hOutput, L"\t\tReturn flow protection, strict mode\r\n");
if (lpLoadCfg64->Size < 160)
break;
bOutput &= PrintFormat(hOutput,
L"\tCode Integrity Flags = 0x%04hX\r\n"
L"\tCode Integrity Catalog = 0x%04hX\r\n"
L"\tCode Integrity Offset = 0x%08lX\r\n"
L"\tReserved = 0x%08lX\r\n",
lpLoadCfg64->CodeIntegrity.Flags,
lpLoadCfg64->CodeIntegrity.Catalog,
lpLoadCfg64->CodeIntegrity.CatalogOffset,
lpLoadCfg64->CodeIntegrity.Reserved);
if (lpLoadCfg64->Size < 192)
break;
bOutput &= PrintFormat(hOutput,
L"\tCFG IAT Entry Table = 0x%016I64X\r\n"
L"\tCFG IAT Entry Count = %I64u\r\n"
L"\tCFG Jump Target Table = 0x%016I64X\r\n"
L"\tCFG Jump Target Count = %I64u\r\n",
lpLoadCfg64->GuardAddressTakenIatEntryTable,
lpLoadCfg64->GuardAddressTakenIatEntryCount,
lpLoadCfg64->GuardLongJumpTargetTable,
lpLoadCfg64->GuardLongJumpTargetCount);
if (lpLoadCfg64->Size < 208)
break;
bOutput &= PrintFormat(hOutput,
L"\tRelocation Table = 0x%016I64X\r\n"
L"\tCompiled Hybrid Metadata = 0x%016I64X\r\n",
lpLoadCfg64->DynamicValueRelocTable,
lpLoadCfg64->CHPEMetadataPointer);
if (lpLoadCfg64->Size < 244)
break;
bOutput &= PrintFormat(hOutput,
L"\tRFG Failure Routine = 0x%016I64X\r\n"
L"\tRFG Failure Function = 0x%016I64X\r\n"
L"\tRelocation Table Offset = 0x%08lX\r\n"
L"\tRelocation Table Section = 0x%04hX\r\n"
L"\tReserved2 = %hu\r\n"
L"\tRFG Stack Pointer Function = 0x%016I64X\r\n"
L"\tHot Patch Table Offset = 0x%08lX\r\n",
lpLoadCfg64->GuardRFFailureRoutine,
lpLoadCfg64->GuardRFFailureRoutineFunctionPointer,
lpLoadCfg64->DynamicValueRelocTableOffset,
lpLoadCfg64->DynamicValueRelocTableSection,
lpLoadCfg64->Reserved2,
lpLoadCfg64->GuardRFVerifyStackPointerFunctionPointer,
lpLoadCfg64->HotPatchTableOffset);
if (lpLoadCfg64->Size < 256)
break;
bOutput &= PrintFormat(hOutput,
L"\tReserved3 = %lu\r\n"
L"\tEnclave Configuration = 0x%016I64X\r\n",
lpLoadCfg64->Reserved3,
lpLoadCfg64->EnclaveConfigurationPointer);
if (lpLoadCfg64->Size < 264)
break;
bOutput &= PrintFormat(hOutput,
L"\tVolatile Metadata Pointer = 0x%016I64X\r\n",
lpLoadCfg64->VolatileMetadataPointer);
if (lpLoadCfg64->Size < 280)
break;
bOutput &= PrintFormat(hOutput,
L"\tCFG EH Continuation Table = 0x%016I64X\r\n"
L"\tCFG EH Continuation Count = %I64u\r\n",
lpLoadCfg64->GuardEHContinuationTable,
lpLoadCfg64->GuardEHContinuationCount);
if (lpLoadCfg64->Size < 304)
break;
bOutput &= PrintFormat(hOutput,
L"\tXFG Check Function = 0x%016I64X\r\n"
L"\tXFG Dispatch Function = 0x%016I64X\r\n"
L"\tXFG Function Table = 0x%016I64X\r\n",
lpLoadCfg64->GuardXFGCheckFunctionPointer,
lpLoadCfg64->GuardXFGDispatchFunctionPointer,
lpLoadCfg64->GuardXFGTableDispatchFunctionPointer);
if (lpLoadCfg64->Size < 312)
break;
bOutput &= PrintFormat(hOutput,
L"\tCast Guard OS Failure Mode = 0x%016I64X\r\n",
lpLoadCfg64->CastGuardOsDeterminedFailureMode);
if (lpLoadCfg64->Size < 320)
break;
bOutput &= PrintFormat(hOutput,
L"\tCFG memcpy() Function = 0x%016I64X\r\n",
lpLoadCfg64->GuardMemcpyFunctionPointer);
break;
}
}
}
if ((lpDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress != 0)
&& (lpDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size != 0))
{
bOutput &= PrintString(hOutput,
L"\r\n"
L"Bound Import Directory:\r\n");
lpBound = lpImage
+ lpDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress;
dwDescriptor = 0;
lpDescriptor = (IMAGE_BOUND_IMPORT_DESCRIPTOR *) lpBound;
while (lpDescriptor->TimeDateStamp != 0)
{
qw = __emulu(lpDescriptor->TimeDateStamp, 10000000) // seconds since 1970-01-01 to
+ 116444736000000000; // 100 nano-seconds since 1601-01-01
if (!FileTimeToSystemTime((FILETIME *) &qw, &st))
PrintConsole(hConsole,
L"FileTimeToSystemTime() returned error %lu for module \'%hs\'\n",
dwError = GetLastError(), lpBound + lpDescriptor->OffsetModuleName);
if (dwDescriptor == 0)
{
dwDescriptor = lpDescriptor->NumberOfModuleForwarderRefs;
bOutput &= PrintFormat(hOutput,
L"\tBound Import Entry:\r\n"
L"\t\tModule Name = %hs\r\n"
L"\t\tTime/Date Stamp = 0x%08lX (%ls, %04hu-%02hu-%02hu %02hu:%02hu:%02hu UTC)\r\n",
lpBound + lpDescriptor->OffsetModuleName,
lpDescriptor->TimeDateStamp,
szDayOfWeek[st.wDayOfWeek], st.wYear, st.wMonth, st.wDay, st.wHour, st.wMinute, st.wSecond);
}
else
{
dwDescriptor--;
bOutput &= PrintFormat(hOutput,
L"\t\t\tModule Name = %hs\r\n"
L"\t\t\tTime/Date Stamp = 0x%08lX (%ls, %04hu-%02hu-%02hu %02hu:%02hu:%02hu UTC)\r\n",
lpBound + lpDescriptor->OffsetModuleName,
lpDescriptor->TimeDateStamp,
szDayOfWeek[st.wDayOfWeek], st.wYear, st.wMonth, st.wDay, st.wHour, st.wMinute, st.wSecond);
}
lpDescriptor++;
}
}
if ((lpDirectory[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT].VirtualAddress != 0)
&& (lpDirectory[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT].Size != 0))
{
if (lpDelay == NULL)
PrintConsole(hConsole,
L"No \'%hs\' section for IMAGE_DATA_DIRECTORY[%lu]!\n",
".didat", IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT);
lpDelay = (IMAGE_DELAYLOAD_DESCRIPTOR *) RVA2Image(lpImage, lpSection, dwSection,
lpDirectory[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT].VirtualAddress,
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT,
hConsole);
if (lpDelay != NULL)
{
bOutput &= PrintString(hOutput,
L"\r\n"
L"Delay Load Import Directory:\r\n");
while (lpDelay->DllNameRVA != 0)
{
if (lpDelay->Attributes.RvaBased)
dwRVA = lpDelay->DllNameRVA;
else if (lpPE->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC)
dwRVA = lpDelay->DllNameRVA - dwBase;
else
dwRVA = ~0UL;
lpModule = RVA2Image(lpImage, lpSection, dwSection,
dwRVA,
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT,
hConsole);
bOutput &= PrintFormat(hOutput,
L"\tDelay Load Import Descriptor:\r\n"
L"\t\tAttributes = 0x%08lX\r\n"
L"\t\tModule Name = %hs\r\n"
L"\t\tTime/Date Stamp = 0x%08lX\r\n"
L"\t\tHandle Address = 0x%08lX\r\n"
L"\t\tAddress Table = 0x%08lX\r\n"
L"\t\tName Table = 0x%08lX\r\n"
L"\t\tBound Name Table = 0x%08lX\r\n"
L"\t\tUnload Name Table = 0x%08lX\r\n"
L"\t\tImports:\r\n",
lpDelay->Attributes.AllAttributes,
lpModule,
lpDelay->TimeDateStamp,
lpDelay->ModuleHandleRVA,
lpDelay->ImportAddressTableRVA,
lpDelay->ImportNameTableRVA,
lpDelay->BoundImportAddressTableRVA,
lpDelay->UnloadInformationTableRVA);
if (lpPE->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC)
{
lpThunk32 = (IMAGE_THUNK_DATA32 *) RVA2Image(lpImage, lpSection, dwSection,
lpDelay->Attributes.RvaBased ? lpDelay->ImportNameTableRVA : lpDelay->ImportNameTableRVA - dwBase,
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT,
hConsole);
if (lpThunk32 != NULL)
while (lpThunk32->u1.AddressOfData != 0)
{
if ((lpThunk32->u1.Ordinal & IMAGE_ORDINAL_FLAG32) == IMAGE_ORDINAL_FLAG32)
bOutput &= PrintFormat(hOutput,
L"\t\t\t%hu\r\n",
LOWORD(lpThunk32->u1.Ordinal));
else
{
lpAddress = (IMAGE_IMPORT_BY_NAME *) RVA2Image(lpImage, lpSection, dwSection,
lpDelay->Attributes.RvaBased ? lpThunk32->u1.AddressOfData : lpThunk32->u1.AddressOfData - dwBase,
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT,
hConsole);
if (lpAddress != NULL)
bOutput &= PrintFormat(hOutput,
L"\t\t\t%hu\t%hs\r\n",
lpAddress->Hint,
lpAddress->Name);
}
lpThunk32++;
}
}
else if (lpPE->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)
{
lpThunk64 = (IMAGE_THUNK_DATA64 *) RVA2Image(lpImage, lpSection, dwSection,
lpDelay->ImportNameTableRVA,
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT,
hConsole);
if (lpThunk64 != NULL)
while (lpThunk64->u1.AddressOfData != 0)
{
if ((lpThunk64->u1.Ordinal & IMAGE_ORDINAL_FLAG64) == IMAGE_ORDINAL_FLAG64)
bOutput &= PrintFormat(hOutput,
L"\t\t\t%hu\r\n",
LOWORD(lpThunk64->u1.Ordinal));
else
{
lpAddress = (IMAGE_IMPORT_BY_NAME *) RVA2Image(lpImage, lpSection, dwSection,
(DWORD) lpThunk64->u1.AddressOfData,
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT,
hConsole);
if (lpAddress != NULL)
bOutput &= PrintFormat(hOutput,
L"\t\t\t%hu\t%hs\r\n",
lpAddress->Hint,
lpAddress->Name);
}
lpThunk64++;
}
}
lpDelay++;
}
}
}
if ((lpDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress != 0)
&& (lpDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].Size != 0))
{
lpCOMPlus = (IMAGE_COR20_HEADER *) RVA2Image(lpImage, lpSection, dwSection,
lpDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress,
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR,
hConsole);
if (lpCOMPlus != NULL)
{
bOutput &= PrintFormat(hOutput,
L"\r\n"
L"COM+ Directory:\r\n"
L"\tRuntime Version = %hu.%hu\r\n"
L"\tFlags = 0x%08lX\r\n"
L"\tEntry Point Token = 0x%08lX\r\n"
L"\tMetadata = 0x%08lX\r\n"
L"\tResources = 0x%08lX\r\n"
L"\tStrong Name Signature = 0x%08lX\r\n"
L"\tCode Manager Table = 0x%08lX\r\n"
L"\tVTable Fixups = 0x%08lX\r\n"
L"\tExport Address Table Jumps = 0x%08lX\r\n"
L"\tManaged Native Header = 0x%08lX\r\n",
lpCOMPlus->MajorRuntimeVersion,
lpCOMPlus->MinorRuntimeVersion,
lpCOMPlus->Flags,
lpCOMPlus->EntryPointToken,
lpCOMPlus->MetaData,
lpCOMPlus->Resources,
lpCOMPlus->StrongNameSignature,
lpCOMPlus->CodeManagerTable,
lpCOMPlus->VTableFixups,
lpCOMPlus->ExportAddressTableJumps,
lpCOMPlus->ManagedNativeHeader);
}
}
if (!bOutput)
PrintConsole(hConsole,
L"WriteFile() returned error %lu\n",
dwError = GetLastError());
}
}
if (!UnmapViewOfFile(lpImage))
PrintConsole(hConsole,
L"UnmapViewOfFile() returned error %lu\n",
GetLastError());
}
if (!CloseHandle(hImage))
PrintConsole(hConsole,
L"CloseHandle() returned error %lu\n",
GetLastError());
}
}
if (!CloseHandle(hInput))
PrintConsole(hConsole,
L"CloseHandle() returned error %lu\n",
GetLastError());
}
}
if (!CloseHandle(hOutput))
PrintConsole(hConsole,
L"CloseHandle() returned error %lu\n",
GetLastError());
}
}
if (LocalFree(lpArguments) != NULL)
PrintConsole(hConsole,
L"LocalFree() returned error %lu\n",
GetLastError());
}
if (!CloseHandle(hConsole))
PrintConsole(hConsole,
L"CloseHandle() returned error %lu\n",
GetLastError());
}
ExitProcess(dwError);
}
Run the following four command lines to compile the source file
PECOFFIN.C
created in step 1., link the compiled
object file PECOFFIN.OBJ
and cleanup afterwards:
SET CL=/GAFS /Gy /O1isy /W4 /Zl
SET LINK=/DEFAULTLIB:CRYPT32.LIB /DEFAULTLIB:KERNEL32.LIB /DEFAULTLIB:SHELL32.LIB /DEFAULTLIB:USER32.LIB /ENTRY:wmainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /OSVERSION:5.0 /RELEASE /SUBSYSTEM:CONSOLE /SWAPRUN:CD,NET /VERSION:0.815
CL.EXE /FePECOFFIN.COM PECOFFIN.C
ERASE PECOFFIN.OBJ
For details and reference see the MSDN articles Compiler Options and Linker Options.
Note: if necessary, see the
MSDN article
Use the Microsoft C++ toolset from the command line
for an introduction.
Note: the command lines can be copied and pasted as block into a Command Processor window!
Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.
PECOFFIN.C
PECOFFIN.C(186) : warning C4214: nonstandard extension used : bit field types other than int
PECOFFIN.C(187) : warning C4214: nonstandard extension used : bit field types other than int
PECOFFIN.C(188) : warning C4201: nonstandard extension used : nameless struct/union
PECOFFIN.C(1828) : warning C4701: potentially uninitialized local variable 'lpPE64' used
PECOFFIN.C(1471) : warning C4701: potentially uninitialized local variable 'lpDirectory' used
PECOFFIN.C(3205) : warning C4701: potentially uninitialized local variable 'qwBase' used
PECOFFIN.C(1520) : warning C4701: potentially uninitialized local variable 'dwCode' used
PECOFFIN.C(1527) : warning C4701: potentially uninitialized local variable 'dwData' used
PECOFFIN.C(1534) : warning C4701: potentially uninitialized local variable 'dwSize' used
PECOFFIN.C(1370) : warning C4701: potentially uninitialized local variable 'dwOffset' used
PECOFFIN.C(1364) : warning C4701: potentially uninitialized local variable 'dwMemory' used
PECOFFIN.C(1349) : warning C4701: potentially uninitialized local variable 'dwFile' used
PECOFFIN.C(1690) : warning C4701: potentially uninitialized local variable 'lpPE32' used
PECOFFIN.C(3508) : warning C4701: potentially uninitialized local variable 'dwBase' used
Microsoft (R) Incremental Linker Version 10.00.40219.386
Copyright (C) Microsoft Corporation. All rights reserved.
…
Create the text file PECOFFIN.TXT
with the following
content in an arbitrary, preferably empty directory:
…
Decode the dump file PECOFFIN.TXT
created in
step 3. to recreate the console application
Portable Executable Metadata Reader:
CERTUTIL.EXE /DecodeHex /V PECOFFIN.TXT PECOFFIN.COM
Input Length = 228480 Output Length = 53760 CertUtil: -decodehex command completed successfully.
"external certificate" provided in a
.xrm-ms
XML file on
factory installed
OEM
machines with version 2.0 or 2.1 marker embedded in their
ACPI
SLIC
table.
"System Builder" installed machines.
"hardware identification" stored on Microsoft’s activation servers, gathered on activated previous installation of Windows 7 and newer versions.
PIDGENX.COM [‹pidgenx.dll›] ‹pkeyconfig.xrm-ms› ‹product key› …
YTMG3-N6DKC-DKB77-7M9GH-8HVX7
and
VK7JG-NPHTM-C97JM-9MPGT-3V66T
for the Core
alias Home and Professional editions of
Windows 10 and Windows 11:
.\PIDGENX.COM "%SystemRoot%\System32\SPP\Tokens\PKeyConfig\PKeyConfig.xrm-ms" YTMG3-N6DKC-DKB77-7M9GH-8HVX7 VK7JG-NPHTM-C97JM-9MPGT-3V66T
Module 'C:\Windows\System32\PIDGENX.dll' Module version: 10.0:22621.1 Product version: 10.0:22621.1 Product key 'YTMG3-N6DKC-DKB77-7M9GH-8HVX7' is valid! DigitalProductId: size = 164 Product ID: 00326-10000-00000-AA527 Edition ID: [TH]X19-98868 OEM ID: Hardware ID (static): Hardware ID (dynamic): DigitalProductId4: size = 1272 Advanced Product ID: DUMMY-03261-000-000000-00-1033-9200.0000-3212022 Activation ID: 2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8 OEM ID: Edition Type: Core Edition ID: [TH]X19-98868 Key Type: Retail EULA: Retail Product key 'VK7JG-NPHTM-C97JM-9MPGT-3V66T' is valid! DigitalProductId: size = 164 Product ID: 00330-80000-00000-AA779 Edition ID: [TH]X19-98841 OEM ID: Hardware ID (static): Hardware ID (dynamic): DigitalProductId4: size = 1272 Advanced Product ID: DUMMY-03308-000-000000-00-1033-9200.0000-3212022 Activation ID: 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c OEM ID: Edition Type: Professional Edition ID: [TH]X19-98841 Key Type: Retail EULA: Retail
"big" form with embedded application manifest, version information, icon plus time-stamped digital signature, and PIDGENX.COM, a
"small" form without these extras.
Note: due to the design and implementation of
Windows’ (classic alias legacy) console, the
Win32 function
WriteConsole()
can only write to a console, not to a file nor a pipe, i.e.
redirection of standard error
or standard output
is
not supported!
The MSDN article Console Handles provides background information.
import library built from scratch;
PIDGENX.DLL
is located per
DLL search order
and loaded with the application PIDGENX.COM
.
"safe" directories.
Create the text file PIDGENX.C
with the following
content in an arbitrary, preferably empty directory:
// Copyright © 2004-2023, Stefan Kanthak <stefan.kanthak@nexgo.de>
// * The software is provided "as is" without any warranty, neither express
// nor implied.
// * In no event will the author be held liable for any damage(s) arising
// from the use of the software.
// * Redistribution of the software is allowed only in unmodified form.
// * Permission is granted to use the software solely for personal private
// and non-commercial purposes.
// * An individuals use of the software in his or her capacity or function
// as an agent, (independent) contractor, employee, member or officer of
// a business, corporation or organization (commercial or non-commercial)
// does not qualify as personal private and non-commercial purpose.
// * Without written approval from the author the software must not be used
// for a business, for commercial, corporate, governmental, military or
// organizational purposes of any kind, or in a commercial, corporate,
// governmental, military or organizational environment of any kind.
#ifndef _DLL
#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <shellapi.h>
// HRESULT values compared against the result of PidGenX() in
// wmainCRTStartup(); each one is defined here only when the headers in use
// have not already defined it.
// 0x80070002 and 0x80070003 are the HRESULT forms (FACILITY_WIN32) of the
// Win32 error codes 2 (ERROR_FILE_NOT_FOUND) and 3 (ERROR_PATH_NOT_FOUND).
#ifndef E_FILENOTFOUND
#define E_FILENOTFOUND 0x80070002L // file not found
#endif
#ifndef E_PATHNOTFOUND
#define E_PATHNOTFOUND 0x80070003L // path not found
#endif
// NOTE(review): the two 0x8A01.... values and their meanings are taken from
// the author's comments; they are not documented anywhere in this file.
#ifndef E_RESERVEDKEY
#define E_RESERVEDKEY 0x8A010001L // reserved product key
#endif
#ifndef E_INVALIDKEY
#define E_INVALIDKEY 0x8A010101L // invalid product key
#endif
// Values for the 'wType' member of a version resource node
// (see VS_VERSIONINFO below: its wType is expected to be VS_BINARY).
#define VS_BINARY 0U
#define VS_TEXT 1U
// Layout of the start of a 'VERSION' resource: the node header, the key
// string L"VS_VERSION_INFO" and the fixed file information.
// wmainCRTStartup() overlays this structure on the pointer returned by
// LockResource() and reads only the four version DWORDs of 'vsFFI'.
// NOTE(review): the reader does not compare the resource size (wSize or
// SizeofResource()) with sizeof(VS_VERSIONINFO) before dereferencing 'vsFFI';
// acceptable for a well-formed system DLL, worth a check for arbitrary input.
typedef struct _VS_VERSIONINFO
{
    WORD wSize; // size of 'VERSION' resource
    WORD wCount; // = sizeof(VS_FIXEDFILEINFO)
    // (number of bytes in binary value)
    WORD wType; // = VS_BINARY
    WCHAR szKey[16]; // = L"VS_VERSION_INFO"
    WORD wPadding; // = 0 (alignment to DWORD)
    VS_FIXEDFILEINFO vsFFI;
} VS_VERSIONINFO;
// Output structure "DigitalProductId" (version 3.0) filled in by PidGenX().
// The members add up to 164 bytes (0xA4) without padding, matching the
// value noted on 'dwSize'; the caller stores sizeof(DPI) in 'dwSize' before
// the call and the VERBOSE code checks size and version afterwards.
// Member names with prefix 'sz' are printed as NUL-terminated strings, those
// with prefix 's' are fixed 8-byte fields printed with a precision of 8
// ("%.8hs"), i.e. they are not assumed to be NUL-terminated.
// NOTE(review): PidGenX() is not documented in this file; the meaning of the
// remaining members is inferred from their names only.
typedef struct _DigitalProductId
{
    DWORD dwSize; // 0x000000A4 = 164
    WORD wMajorVersion; // 0x0003
    WORD wMinorVersion; // 0x0000
    CHAR szProductId[24]; // "DUMMY-OEM-0123456-78901"
    DWORD dwKeyIdx;
    CHAR szEditionId[16];
    BYTE bCdKey[16];
    DWORD dwCloneStatus;
    DWORD dwTime;
    DWORD dwRandom;
    DWORD dwLt;
    DWORD dwLicenseData[2];
    CHAR sOemId[8]; // printed with "%.8hs"
    DWORD dwBundleId;
    CHAR sHardwareIdStatic[8]; // printed with "%.8hs"
    DWORD dwHardwareIdTypeStatic;
    DWORD dwBiosChecksumStatic;
    DWORD dwVolumeSerialStatic;
    DWORD dwTotalRamStatic;
    DWORD dwVideoBiosChecksumStatic;
    CHAR sHardwareIdDynamic[8]; // printed with "%.8hs"
    DWORD dwHardwareIdTypeDynamic;
    DWORD dwBiosChecksumDynamic;
    DWORD dwVolumeSerialDynamic;
    DWORD dwTotalRamDynamic;
    DWORD dwVideoBiosChecksumDynamic;
    DWORD dwCRC32;
} DPI, *LPDPI;
// Output structure "DigitalProductId4" (version 4.0) filled in by PidGenX().
// The members add up to 1272 bytes (0x4F8) without padding, matching the
// value noted on 'dwSize'; the caller stores sizeof(DPI4) in 'dwSize' before
// the call and the VERBOSE code checks size and version afterwards.
// All WCHAR arrays are printed with "%ls", i.e. the VERBOSE code relies on
// the DLL having NUL-terminated them.
// NOTE(review): the meaning of the byte arrays (bCdKey, bCdKey256Hash,
// b256Hash) is inferred from their names only; they are never printed.
typedef struct _DigitalProductId4
{
    DWORD dwSize; // 0x000004F8 = 1272
    WORD wMajorVersion; // 0x0004
    WORD wMinorVersion; // 0x0000
    WCHAR szAdvancedPid[64];
    WCHAR szActivationId[64];
    WCHAR szOemId[8];
    WCHAR szEditionType[260];
    BYTE bIsUpgrade;
    BYTE bReserved[7];
    BYTE bCdKey[16];
    BYTE bCdKey256Hash[32];
    BYTE b256Hash[32];
    WCHAR szEditionId[64];
    WCHAR szKeyType[64];
    WCHAR szEULA[64];
} DPI4, *LPDPI4;
// Prototype of PidGenX(), imported from PIDGENX.DLL through the import
// library PIDGENX.LIB built from the stub at the end of this file.
// wmainCRTStartup() calls it with: the product key, the name of the
// 'PKeyConfig[*].xrm-ms' data file, L"DUMMY" for lpMPC, NULL for lpOEMId,
// a WCHAR[24] buffer for lpProductId, and the two DigitalProductId
// structures with their 'dwSize' members preset.
// NOTE(review): no length is passed for the lpProductId buffer; the size the
// DLL expects is not visible here -- confirm that 24 WCHARs are sufficient.
// NOTE(review): as a load-time import the DLL is located per the DLL search
// order before any code of this program runs, so a PIDGENX.DLL placed next to
// PIDGENX.COM would presumably be picked up first; keep the program in a
// directory that unprivileged users cannot write to, and check the 'Module'
// path that wmainCRTStartup() prints.
__declspec(dllimport)
HRESULT WINAPI PidGenX(LPCWSTR lpProductKey,
                       LPCWSTR lpPKeyConfig,
                       LPCWSTR lpMPC,
                       LPCWSTR lpOEMId,
                       LPCWSTR lpProductId,
                       LPDPI lpDigitalProductId,
                       LPDPI4 lpDigitalProductId4);
// Formats a message with wvsprintf() and writes it to a console handle.
//
// hConsole  handle of a console screen buffer; WriteConsole() fails for
//           files and pipes, so redirected output is not supported.
// lpFormat  printf-style format string; callers in this file always pass a
//           string literal and hand untrusted text (command line arguments)
//           over as arguments only.
//
// Returns TRUE only if at least one character was formatted and the console
// accepted all of them; FALSE otherwise.
//
// The function is compiled without /GS stack protection
// (__declspec(safebuffers)); the 1024-element buffer matches the maximum
// output size documented for wvsprintf() -- NOTE(review): the code relies on
// that limit, there is no explicit length argument.
__declspec(safebuffers)
BOOL PrintConsole(HANDLE hConsole, [SA_FormatString(Style="printf")] LPCWSTR lpFormat, ...)
{
    WCHAR   szText[1024];
    DWORD   cchText;
    DWORD   cchWritten;
    va_list vaArgs;

    va_start(vaArgs, lpFormat);
    cchText = wvsprintf(szText, lpFormat, vaArgs);
    va_end(vaArgs);

    // empty output, a failed write and a short write all count as failure
    return (cchText != 0)
        && WriteConsole(hConsole, szText, cchText, &cchWritten, NULL)
        && (cchWritten == cchText);
}
// Process entry point of PIDGENX.COM (linked with /ENTRY:wmainCRTStartup,
// without the C runtime).
//
// Command line: <PKeyConfig data file> <product key> [<product key> ...]
// Prints the path and version of the loaded PidGenX module, then calls
// PidGenX() once per product key and reports the result; with VERBOSE
// defined the two DigitalProductId structures are printed for valid keys.
// All messages are written with PrintConsole() to the standard error handle,
// product keys are echoed verbatim.
// The process terminates through ExitProcess(dwError).
//
// NOTE(review): dwError starts as ERROR_BAD_ARGUMENTS and is assigned only on
// failure paths; no path in this function sets it to ERROR_SUCCESS, so the
// exit code appears to be non-zero even when every key is valid -- confirm
// whether callers are meant to rely on the exit code.
__declspec(noreturn)
VOID WINAPI wmainCRTStartup(VOID)
{
    VS_VERSIONINFO *lpVersion;
    LPWSTR *lpArguments;
    INT nArguments;
    INT nArgument = 2; // index of the first product key (argv[1] is the data file)
    DWORD dwError = ERROR_BAD_ARGUMENTS;
    HMODULE hPidGenX;
    HRSRC hResInfo;
    HGLOBAL hResData;
    WCHAR szPidGenX[MAX_PATH];
    WCHAR szPid[24]; // receives lpProductId; NOTE(review): size is not passed to PidGenX()
    DPI dpi;
    DPI4 dpi4;
    HRESULT hr;
    HANDLE hConsole = GetStdHandle(STD_ERROR_HANDLE);
    // NOTE(review): only INVALID_HANDLE_VALUE is rejected; a NULL handle
    // (no standard error associated with the process) is not checked here.
    if (hConsole == INVALID_HANDLE_VALUE)
        dwError = GetLastError();
    else
    {
        lpArguments = CommandLineToArgvW(GetCommandLine(), &nArguments);
        if (lpArguments == NULL)
            PrintConsole(hConsole,
                         L"CommandLineToArgv() returned error %lu\n",
                         dwError = GetLastError());
        else
        {
            if (nArguments < 3)
                PrintConsole(hConsole,
                             L"Bad arguments: the file or path name of a \'PKeyConfig[*].xrm-ms\' data file plus\n"
                             L" at least one product key must be given!\n");
            else
            {
                // PIDGENX.DLL is a load-time import, so it is already mapped;
                // the handle is only used to report which file was loaded.
                hPidGenX = GetModuleHandle(L"PidGenX");
                if (hPidGenX == NULL)
                    PrintConsole(hConsole,
                                 L"GetModuleHandle() returned error %lu\n",
                                 dwError = GetLastError());
                else
                {
                    // Printing the full path lets the operator verify that the
                    // DLL search order selected the expected copy of the DLL.
                    if (GetModuleFileName(hPidGenX, szPidGenX, sizeof(szPidGenX) / sizeof(*szPidGenX)) == 0)
                        PrintConsole(hConsole,
                                     L"GetModuleFileName() returned error %lu\n",
                                     dwError = GetLastError());
                    else
                        PrintConsole(hConsole,
                                     L"Module \'%ls\'\n",
                                     szPidGenX);
                    // The version lookup runs even if the path could not be read.
                    hResInfo = FindResource(hPidGenX, MAKEINTRESOURCE(VS_VERSION_INFO), RT_VERSION);
                    if (hResInfo == NULL)
                        PrintConsole(hConsole,
                                     L"FindResource() returned error %lu\n",
                                     dwError = GetLastError());
                    else
                    {
                        hResData = LoadResource(hPidGenX, hResInfo);
                        if (hResData == NULL)
                            PrintConsole(hConsole,
                                         L"LoadResource() returned error %lu\n",
                                         dwError = GetLastError());
                        else
                        {
                            // NOTE(review): the resource is read through the
                            // VS_VERSIONINFO overlay without a size check.
                            lpVersion = LockResource(hResData);
                            if (lpVersion == NULL)
                                PrintConsole(hConsole,
                                             L"LockResource() returned NULL\n");
                            else
                                PrintConsole(hConsole,
                                             L"\tModule version:\t\t%hu.%hu:%hu.%hu\n"
                                             L"\tProduct version:\t%hu.%hu:%hu.%hu\n",
                                             HIWORD(lpVersion->vsFFI.dwFileVersionMS), LOWORD(lpVersion->vsFFI.dwFileVersionMS),
                                             HIWORD(lpVersion->vsFFI.dwFileVersionLS), LOWORD(lpVersion->vsFFI.dwFileVersionLS),
                                             HIWORD(lpVersion->vsFFI.dwProductVersionMS), LOWORD(lpVersion->vsFFI.dwProductVersionMS),
                                             HIWORD(lpVersion->vsFFI.dwProductVersionLS), LOWORD(lpVersion->vsFFI.dwProductVersionLS));
                        }
                    }
                }
                // The keys are validated even if the module report above failed.
                // The size members are set once, before the first call; the
                // VERBOSE code below re-checks them after each successful call.
                dpi.dwSize = sizeof(dpi);
                dpi4.dwSize = sizeof(dpi4);
                do
                {
                    hr = PidGenX(lpArguments[nArgument],
                                 lpArguments[1],
                                 L"DUMMY",
                                 (LPCWSTR) NULL,
                                 szPid,
                                 &dpi,
                                 &dpi4);
                    // The result is matched against plain Win32 error codes
                    // as well as their HRESULT counterparts.
                    switch (hr)
                    {
                    case ERROR_FILE_NOT_FOUND:
                    case ERROR_PATH_NOT_FOUND:
                    case E_FILENOTFOUND: // file 'PKeyConfig.xrm-ms' not found
                    case E_PATHNOTFOUND: // path of 'PKeyConfig.xrm-ms' not found
                        PrintConsole(hConsole,
                                     L"Data file \'%ls\' not found!\n",
                                     lpArguments[1]);
                        // ends the loop: the same data file is used for every key
                        nArguments = 0;
                        break;
                    case ERROR_INVALID_PARAMETER:
                    case E_INVALIDARG: // malformed product key
                        PrintConsole(hConsole,
                                     L"Product key \'%ls\' is malformed!\n",
                                     lpArguments[nArgument]);
                        break;
                    case E_RESERVEDKEY: // reserved product key
                        PrintConsole(hConsole,
                                     L"Product key \'%ls\' is reserved!\n",
                                     lpArguments[nArgument]);
                        break;
                    case E_INVALIDKEY: // invalid product key
                        PrintConsole(hConsole,
                                     L"Product key \'%ls\' is invalid!\n",
                                     lpArguments[nArgument]);
                        break;
                    case S_OK:
                        PrintConsole(hConsole,
                                     L"Product key \'%ls\' is valid!\n",
                                     lpArguments[nArgument]);
#ifdef VERBOSE
                        // Only print a structure whose size and version are
                        // the ones this program's layout was written for.
                        if ((dpi.dwSize != sizeof(dpi))
                         || (dpi.wMajorVersion != 3)
                         || (dpi.wMinorVersion != 0))
                            PrintConsole(hConsole,
                                         L"Size of \'DigitalProductId\' not equal %lu or version not equal 3.0\n",
                                         sizeof(dpi));
                        else
                            PrintConsole(hConsole,
                                         L"\n"
                                         L"DigitalProductId: size = %lu\n"
                                         L"\tProduct ID:\t\t%hs\n"
                                         L"\tEdition ID:\t\t%hs\n"
                                         L"\tOEM ID:\t\t\t%.8hs\n"
                                         L"\tHardware ID (static):\t%.8hs\n"
                                         L"\tHardware ID (dynamic):\t%.8hs\n",
                                         dpi.dwSize,
                                         dpi.szProductId,
                                         dpi.szEditionId,
                                         dpi.sOemId,
                                         dpi.sHardwareIdStatic,
                                         dpi.sHardwareIdDynamic);
                        if ((dpi4.dwSize != sizeof(dpi4))
                         || (dpi4.wMajorVersion != 4)
                         || (dpi4.wMinorVersion != 0))
                            PrintConsole(hConsole,
                                         L"Size of \'DigitalProductId4\' not equal %lu or version not equal 4.0\n",
                                         sizeof(dpi4));
                        else
                            PrintConsole(hConsole,
                                         L"\n"
                                         L"DigitalProductId4: size = %lu\n"
                                         L"\tAdvanced Product ID:\t%ls\n"
                                         L"\tActivation ID:\t\t%ls\n"
                                         L"\tOEM ID:\t\t\t%ls\n"
                                         L"\tEdition Type:\t\t%ls\n"
                                         L"\tEdition ID:\t\t%ls\n"
                                         L"\tKey Type:\t\t%ls\n"
                                         L"\tEULA:\t\t\t%ls\n",
                                         dpi4.dwSize,
                                         dpi4.szAdvancedPid,
                                         dpi4.szActivationId,
                                         dpi4.szOemId,
                                         dpi4.szEditionType,
                                         dpi4.szEditionId,
                                         dpi4.szKeyType,
                                         dpi4.szEULA);
#endif
                        break;
                    default:
                        // any other result becomes the process exit code
                        PrintConsole(hConsole,
                                     L"PidGenX() returned error 0x%08lX\n",
                                     dwError = hr);
                    }
                } while (++nArgument < nArguments);
            }
            // LocalFree() returns NULL on success
            if (LocalFree(lpArguments) != NULL)
                PrintConsole(hConsole,
                             L"LocalFree() returned error %lu\n",
                             GetLastError());
        }
        if (!CloseHandle(hConsole))
            PrintConsole(hConsole,
                         L"CloseHandle() returned error %lu\n",
                         GetLastError());
    }
    ExitProcess(dwError);
}
#else // _DLL
// Export stub, compiled only when _DLL is defined (first build pass).
// Its sole purpose is to let the linker generate the import library
// PIDGENX.LIB; the resulting PIDGENX.DLL is erased again by the build step.
// The seven pointer parameters mirror the seven parameters of the imported
// PidGenX() prototype -- presumably so that the decorated export name of the
// stub matches the import; the body is never meant to run.
__declspec(dllexport)
long PidGenX(void *_1, void *_2, void *_3, void *_4, void *_5, void *_6, void *_7)
{
    return 0;
}
#endif // _DLL
Run the following four command lines to compile the source file
PIDGENX.C
created in step 1. a first time,
generate the import library PIDGENX.LIB
from the
compiled object file PIDGENX.OBJ
and cleanup
afterwards:
SET CL=/Gz /LD /MD /W4 /wd4100 /X /Zl
SET LINK=/EXPORT:PidGenX /NODEFAULTLIB /NOENTRY
CL.EXE PIDGENX.C
ERASE PIDGENX.DLL PIDGENX.EXP PIDGENX.OBJ
For details and reference see the MSDN articles Compiler Options and Linker Options.
Note: if necessary, see the
MSDN article
Use the Microsoft C++ toolset from the command line
for an introduction.
Note: the command lines can be copied and pasted as block into a Command Processor window!
Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.
PIDGENX.C
Microsoft (R) Incremental Linker Version 10.00.40219.386
Copyright (C) Microsoft Corporation. All rights reserved.
…
Creating library PIDGENX.lib and object PIDGENX.exp
Run the following four command lines to compile the source file
PIDGENX.C
created in step 1. a second time, link
the compiled object file PIDGENX.OBJ
with the import
library PIDGENX.LIB
generated in step 2. and
cleanup afterwards:
SET CL=/DVERBOSE /GAFS /Gy /O1isy /W4 /Zl
SET LINK=/DEFAULTLIB:KERNEL32.LIB /DEFAULTLIB:PIDGENX.LIB /DEFAULTLIB:SHELL32.LIB /DEFAULTLIB:USER32.LIB /ENTRY:wmainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /OSVERSION:5.1 /RELEASE /SUBSYSTEM:CONSOLE /SWAPRUN:CD,NET /VERSION:0.815
CL.EXE /FePIDGENX.COM PIDGENX.C
ERASE PIDGENX.OBJ
For details and reference see the MSDN articles Compiler Options and Linker Options.
Note: if necessary, see the
MSDN article
Use the Microsoft C++ toolset from the command line
for an introduction.
Note: the command lines can be copied and pasted as block into a Command Processor window!
Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.
PIDGENX.C
Microsoft (R) Incremental Linker Version 10.00.40219.386
Copyright (C) Microsoft Corporation. All rights reserved.
…
Create the text file PIDGENX.TXT
with the following
content in an arbitrary, preferably empty directory:
4d 5a 90 00 01 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
d0 00 00 00 43 00 00 00 40 00 00 00 00 00 00 00 ....C...@.......
00 00 00 00 19 57 04 27 00 00 00 00 00 00 00 00 .....W.'........
00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 00 ................
28 43 29 6f 70 79 72 69 67 68 74 20 32 30 30 34 (C)opyright 2004
2d 32 30 32 33 2c 20 53 74 65 66 61 6e 20 4b 61 -2023, Stefan Ka
6e 74 68 61 6b 20 3c 73 74 65 66 61 6e 2e 6b 61 nthak <stefan.ka
6e 74 68 61 6b 40 6e 65 78 67 6f 2e 64 65 3e 0d nthak@nexgo.de>.
0a 07 24 0e 1f 33 d2 b4 09 cd 21 b8 01 4c cd 21 ..$..3....!..L.!
50 45 00 00 4c 01 02 00 45 4f 49 44 00 00 00 00 PE..L...VOID....
00 00 00 00 e0 00 23 0d 0b 01 0a 00 00 06 00 00 ......#.........
00 0c 00 00 00 00 00 00 4e 10 00 00 00 10 00 00 ........N.......
00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00 . ....@.........
05 00 00 00 00 00 2f 03 05 00 00 00 00 00 00 00 ....../.........
00 30 00 00 00 02 00 00 9f 3b 00 00 03 00 00 85 .0.......;......
00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 ................
00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ................
c8 28 00 00 50 00 00 00 00 00 00 00 00 00 00 00 .(..P...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 60 28 00 00 40 00 00 00 ........`(..@...
00 00 00 00 00 00 00 00 00 20 00 00 4c 00 00 00 ......... ..L...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 2e 63 6f 64 65 00 00 00 .........code...
5f 05 00 00 00 10 00 00 00 06 00 00 00 02 00 00 _...............
00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 ............ ..`
2e 63 6f 6e 73 74 00 00 84 0a 00 00 00 20 00 00 .const....... ..
00 0c 00 00 00 08 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 ....@..@........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
55 8b ec 81 ec 08 08 00 00 56 8d 45 10 50 ff 75 U........V.E.P.u
0c 8d 85 f8 f7 ff ff 50 ff 15 44 20 40 00 8b f0 .......P..D @...
85 f6 75 04 33 c0 eb 23 6a 00 8d 45 fc 50 56 8d ..u.3..#j..E.PV.
85 f8 f7 ff ff 50 ff 75 08 ff 15 08 20 40 00 85 .....P.u.... @..
c0 74 e1 33 c0 39 75 fc 0f 94 c0 5e c9 c3 55 8d .t.3.9u....^..U.
6c 24 88 81 ec ec 07 00 00 53 56 57 6a f4 c7 45 l$.......SVWj..E
6c 02 00 00 00 c7 45 74 a0 00 00 00 ff 15 34 20 l.....Et......4
40 00 8b f0 89 75 70 83 fe ff 75 0e ff 15 30 20 @....up...u...0
40 00 89 45 74 e9 33 03 00 00 8d 45 64 50 ff 15 @..Et.3....EdP..
2c 20 40 00 50 e8 2d 03 00 00 8b 3d 30 20 40 00 , @.P.-....=0 @.
89 45 68 85 c0 75 15 ff d7 50 89 45 74 68 34 28 .Eh..u...P.Eth4(
40 00 bb 00 28 40 00 e9 da 02 00 00 83 7d 64 03 @...(@.......}d.
bb 00 28 40 00 73 12 68 f0 26 40 00 56 e8 2e ff ..(@.s.h.&@.V...
ff ff 59 59 e9 a8 02 00 00 68 e0 26 40 00 ff 15 ..YY.....h.&@...
28 20 40 00 89 45 60 85 c0 75 0a ff d7 50 68 c0 ( @..E`..u...Ph.
26 40 00 eb 74 68 04 01 00 00 8d 8d 8c f8 ff ff &@..th..........
51 50 ff 15 00 20 40 00 85 c0 75 17 ff d7 50 68 QP... @...u...Ph
9c 26 40 00 53 56 89 45 74 e8 e2 fe ff ff 83 c4 .&@.SV.Et.......
10 eb 15 8d 85 8c f8 ff ff 50 68 80 26 40 00 56 .........Ph.&@.V
e8 cb fe ff ff 83 c4 0c 6a 10 6a 01 ff 75 60 ff ........j.j..u`.
15 20 20 40 00 85 c0 75 0a ff d7 50 68 64 26 40 . @...u...Phd&@
00 eb 16 50 ff 75 60 ff 15 1c 20 40 00 85 c0 75 ...P.u`... @...u
17 ff d7 50 68 48 26 40 00 53 56 89 45 74 e8 8d ...PhH&@.SV.Et..
fe ff ff 83 c4 10 eb 50 50 ff 15 18 20 40 00 85 .......PP... @..
c0 75 0f 68 0c 26 40 00 56 e8 72 fe ff ff 59 59 .u.h.&@.V.r...YY
eb 36 0f b7 48 3c 51 0f b7 48 3e 51 0f b7 48 38 .6..H<Q..H>Q..H8
51 0f b7 48 3a 51 0f b7 48 34 51 0f b7 48 36 51 Q..H:Q..H4Q..H6Q
0f b7 48 30 0f b7 40 32 51 50 68 80 25 40 00 56 ..H0..@2QPh.%@.V
e8 3b fe ff ff 83 c4 28 c7 45 bc a4 00 00 00 c7 .;.....(.E......
85 94 fa ff ff f8 04 00 00 8b 45 68 8b 4d 6c 8d ..........Eh.Ml.
34 88 8d 85 94 fa ff ff 50 8d 45 bc 50 8d 45 8c 4.......P.E.P.E.
50 8b 45 68 6a 00 68 70 25 40 00 ff 70 04 ff 36 P.Ehj.hp%@..p..6
ff 15 3c 20 40 00 b9 01 01 01 8a 3b c1 7f 36 74 ..< @......;..6t
2b 3d 02 00 07 80 7c 68 3d 03 00 07 80 7e 42 3d +=....|h=....~B=
57 00 07 80 74 32 3d 01 00 01 8a 75 53 ff 36 68 W...t2=....uS.6h
30 25 40 00 ff 75 70 e9 2b 01 00 00 ff 36 68 ec 0%@..up.+....6h.
24 40 00 eb ef 85 c0 74 55 83 f8 01 7e 32 83 f8 $@.....tU...~2..
03 7e 0e 83 f8 57 75 28 ff 36 68 a8 24 40 00 eb .~...Wu(.6h.$@..
d3 8b 45 68 ff 70 04 68 70 24 40 00 ff 75 70 e8 ..Eh.p.hp$@..up.
8c fd ff ff 83 c4 0c 83 65 64 00 e9 ef 00 00 00 ........ed......
50 68 e0 26 40 00 68 34 24 40 00 ff 75 70 89 45 Ph.&@.h4$@..up.E
74 e8 6a fd ff ff 83 c4 10 e9 d1 00 00 00 ff 36 t.j............6
8b 75 70 68 f8 23 40 00 56 e8 52 fd ff ff b8 a4 .uph.#@.V.R.....
00 00 00 83 c4 0c 39 45 bc 75 33 66 83 7d c0 03 ......9E.u3f.}..
75 2c 66 83 7d c2 00 75 25 8d 4d 40 51 8d 4d 24 u,f.}..u%.M@Q.M$
51 8d 4d 18 51 8d 4d e0 51 8d 4d c4 51 50 68 d8 Q.M.Q.M.Q.M.QPh.
22 40 00 56 e8 17 fd ff ff 83 c4 20 eb 0f 50 68 "@.V....... ..Ph
50 22 40 00 56 e8 06 fd ff ff 83 c4 0c b8 f8 04 P"@.V...........
00 00 39 85 94 fa ff ff 75 56 66 83 bd 98 fa ff ..9.....uVf.....
ff 04 75 4c 66 83 bd 9a fa ff ff 00 75 42 8d 8d ..uLf.......uB..
0c ff ff ff 51 8d 8d 8c fe ff ff 51 8d 8d 0c fe ....Q......Q....
ff ff 51 8d 8d ac fb ff ff 51 8d 8d 9c fb ff ff ..Q......Q......
51 8d 8d 1c fb ff ff 51 8d 8d 9c fa ff ff 51 50 Q......Q......QP
68 08 21 40 00 56 e8 a5 fc ff ff 83 c4 28 eb 0f h.!@.V.......(..
50 68 80 20 40 00 56 e8 94 fc ff ff 83 c4 0c ff Ph. @.V.........
45 6c 8b 45 6c 3b 45 64 0f 82 5b fe ff ff 8b 75 El.El;Ed..[....u
70 ff 75 68 ff 15 14 20 40 00 85 c0 74 12 ff d7 p.uh... @...t...
50 68 68 20 40 00 53 56 e8 63 fc ff ff 83 c4 10 Phh @.SV.c......
56 ff 15 10 20 40 00 85 c0 75 12 ff d7 50 68 50 V... @...u...PhP
20 40 00 53 56 e8 46 fc ff ff 83 c4 10 ff 75 74 @.SV.F.......ut
ff 15 0c 20 40 00 cc 55 8b ec 51 8b 45 08 53 56 ... @..U..Q.E.SV
33 f6 57 8b f8 89 75 08 89 75 fc 39 75 0c 0f 84 3.W...u..u.9u...
6a 01 00 00 3b c6 0f 84 62 01 00 00 0f b7 08 66 j...;...b......f
3b ce 0f 84 56 01 00 00 83 f9 20 74 0a 83 f9 09 ;...V..... t....
74 05 33 db 43 eb 02 33 db 39 75 08 75 2b 66 83 t.3.C..3.9u.u+f.
f9 20 74 06 66 83 f9 09 75 1f 89 75 fc 83 c0 02 . t.f...u..u....
0f b7 08 83 f9 20 74 f5 83 f9 09 74 f0 33 c9 66 ..... t....t.3.f
39 30 0f 95 c1 03 d9 eb 23 66 83 f9 5c 75 06 83 90......#f..\u..
75 fc 01 eb 14 39 75 fc 75 0c 66 83 f9 22 75 06 u....9u.u.f.."u.
83 75 08 01 eb 03 89 75 fc 83 c0 02 0f b7 08 66 .u.....u.......f
3b ce 75 a5 2b c7 83 c0 02 d1 f8 8d 44 58 02 03 ;.u.+.......DX..
c0 50 6a 40 ff 15 04 20 40 00 8b f0 33 d2 3b f2 .Pj@... @...3.;.
0f 84 d0 00 00 00 8d 44 9e 04 33 db 89 06 89 55 .......D..3....U
08 89 5d fc 83 7d 08 00 75 34 0f b7 0f 83 f9 20 ..]..}..u4.....
74 05 83 f9 09 75 27 33 d2 33 c9 66 89 08 83 c7 t....u'3.3.f....
02 0f b7 0f 83 f9 20 74 f5 83 f9 09 74 f0 66 39 ...... t....t.f9
17 74 71 43 8b c7 89 5d fc 89 3c 9e eb 5c 0f b7 .tqC...]..<..\..
0f 83 f9 5c 75 03 42 eb 48 83 f9 22 75 41 6a 02 ...\u.B.H.."uAj.
8d 5a 01 d1 eb 59 f7 db 03 f9 8d 04 58 f6 c2 01 .Z...Y......X...
74 0a 6a 22 5a 66 89 10 03 c1 eb 1c 83 7d 08 00 t.j"Zf.......}..
74 12 66 83 3f 22 75 0c 6a 22 5a 66 89 10 03 c1 t.f.?"u.j"Zf....
03 f9 eb 04 83 75 08 01 8b 5d fc 33 d2 eb 0b 33 .....u...].3...3
d2 66 89 08 83 c0 02 83 c7 02 66 83 3f 00 0f 85 .f........f.?...
60 ff ff ff 33 c9 43 66 89 08 21 0c 9e 8b 45 0c `...3.Cf..!...E.
89 18 39 4d 08 74 0f 68 a0 00 00 00 eb 02 6a 57 ..9M.t.h......jW
ff 15 24 20 40 00 5f 8b c6 5e 5b c9 c2 08 00 00 ..$ @._..^[.....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
e2 29 00 00 4e 2a 00 00 7a 29 00 00 8a 29 00 00 .)..N*..z)...)..
98 29 00 00 a6 29 00 00 b2 29 00 00 c2 29 00 00 .)...)...)...)..
d2 29 00 00 3e 2a 00 00 f8 29 00 00 0c 2a 00 00 .)..>*...)...*..
1e 2a 00 00 2e 2a 00 00 00 00 00 00 64 29 00 00 .*...*......d)..
00 00 00 00 6a 2a 00 00 00 00 00 00 00 00 00 00 ....j*..........
43 00 6c 00 6f 00 73 00 65 00 48 00 61 00 6e 00 C.l.o.s.e.H.a.n.
64 00 6c 00 65 00 00 00 4c 00 6f 00 63 00 61 00 d.l.e...L.o.c.a.
6c 00 46 00 72 00 65 00 65 00 00 00 00 00 00 00 l.F.r.e.e.......
53 00 69 00 7a 00 65 00 20 00 6f 00 66 00 20 00 S.i.z.e. .o.f. .
27 00 44 00 69 00 67 00 69 00 74 00 61 00 6c 00 '.D.i.g.i.t.a.l.
50 00 72 00 6f 00 64 00 75 00 63 00 74 00 49 00 P.r.o.d.u.c.t.I.
64 00 34 00 27 00 20 00 6e 00 6f 00 74 00 20 00 d.4.'. .n.o.t. .
65 00 71 00 75 00 61 00 6c 00 20 00 25 00 6c 00 e.q.u.a.l. .%.l.
75 00 20 00 6f 00 72 00 20 00 76 00 65 00 72 00 u. .o.r. .v.e.r.
73 00 69 00 6f 00 6e 00 20 00 6e 00 6f 00 74 00 s.i.o.n. .n.o.t.
20 00 65 00 71 00 75 00 61 00 6c 00 20 00 34 00 .e.q.u.a.l. .4.
2e 00 30 00 0a 00 00 00 0a 00 44 00 69 00 67 00 ..0.......D.i.g.
69 00 74 00 61 00 6c 00 50 00 72 00 6f 00 64 00 i.t.a.l.P.r.o.d.
75 00 63 00 74 00 49 00 64 00 34 00 3a 00 20 00 u.c.t.I.d.4.:. .
73 00 69 00 7a 00 65 00 20 00 3d 00 20 00 25 00 s.i.z.e. .=. .%.
6c 00 75 00 0a 00 09 00 41 00 64 00 76 00 61 00 l.u.....A.d.v.a.
6e 00 63 00 65 00 64 00 20 00 50 00 72 00 6f 00 n.c.e.d. .P.r.o.
64 00 75 00 63 00 74 00 20 00 49 00 44 00 3a 00 d.u.c.t. .I.D.:.
09 00 25 00 6c 00 73 00 0a 00 09 00 41 00 63 00 ..%.l.s.....A.c.
74 00 69 00 76 00 61 00 74 00 69 00 6f 00 6e 00 t.i.v.a.t.i.o.n.
20 00 49 00 44 00 3a 00 09 00 09 00 25 00 6c 00 .I.D.:.....%.l.
73 00 0a 00 09 00 4f 00 45 00 4d 00 20 00 49 00 s.....O.E.M. .I.
44 00 3a 00 09 00 09 00 09 00 25 00 6c 00 73 00 D.:.......%.l.s.
0a 00 09 00 45 00 64 00 69 00 74 00 69 00 6f 00 ....E.d.i.t.i.o.
6e 00 20 00 54 00 79 00 70 00 65 00 3a 00 09 00 n. .T.y.p.e.:...
09 00 25 00 6c 00 73 00 0a 00 09 00 45 00 64 00 ..%.l.s.....E.d.
69 00 74 00 69 00 6f 00 6e 00 20 00 49 00 44 00 i.t.i.o.n. .I.D.
3a 00 09 00 09 00 25 00 6c 00 73 00 0a 00 09 00 :.....%.l.s.....
4b 00 65 00 79 00 20 00 54 00 79 00 70 00 65 00 K.e.y. .T.y.p.e.
3a 00 09 00 09 00 25 00 6c 00 73 00 0a 00 09 00 :.....%.l.s.....
45 00 55 00 4c 00 41 00 3a 00 09 00 09 00 09 00 E.U.L.A.:.......
25 00 6c 00 73 00 0a 00 00 00 00 00 00 00 00 00 %.l.s...........
53 00 69 00 7a 00 65 00 20 00 6f 00 66 00 20 00 S.i.z.e. .o.f. .
27 00 44 00 69 00 67 00 69 00 74 00 61 00 6c 00 '.D.i.g.i.t.a.l.
50 00 72 00 6f 00 64 00 75 00 63 00 74 00 49 00 P.r.o.d.u.c.t.I.
64 00 27 00 20 00 6e 00 6f 00 74 00 20 00 65 00 d.'. .n.o.t. .e.
71 00 75 00 61 00 6c 00 20 00 25 00 6c 00 75 00 q.u.a.l. .%.l.u.
20 00 6f 00 72 00 20 00 76 00 65 00 72 00 73 00 .o.r. .v.e.r.s.
69 00 6f 00 6e 00 20 00 6e 00 6f 00 74 00 20 00 i.o.n. .n.o.t. .
65 00 71 00 75 00 61 00 6c 00 20 00 33 00 2e 00 e.q.u.a.l. .3...
30 00 0a 00 00 00 00 00 0a 00 44 00 69 00 67 00 0.........D.i.g.
69 00 74 00 61 00 6c 00 50 00 72 00 6f 00 64 00 i.t.a.l.P.r.o.d.
75 00 63 00 74 00 49 00 64 00 3a 00 20 00 73 00 u.c.t.I.d.:. .s.
69 00 7a 00 65 00 20 00 3d 00 20 00 25 00 6c 00 i.z.e. .=. .%.l.
75 00 0a 00 09 00 50 00 72 00 6f 00 64 00 75 00 u.....P.r.o.d.u.
63 00 74 00 20 00 49 00 44 00 3a 00 09 00 09 00 c.t. .I.D.:.....
25 00 68 00 73 00 0a 00 09 00 45 00 64 00 69 00 %.h.s.....E.d.i.
74 00 69 00 6f 00 6e 00 20 00 49 00 44 00 3a 00 t.i.o.n. .I.D.:.
09 00 09 00 25 00 68 00 73 00 0a 00 09 00 4f 00 ....%.h.s.....O.
45 00 4d 00 20 00 49 00 44 00 3a 00 09 00 09 00 E.M. .I.D.:.....
09 00 25 00 2e 00 38 00 68 00 73 00 0a 00 09 00 ..%...8.h.s.....
48 00 61 00 72 00 64 00 77 00 61 00 72 00 65 00 H.a.r.d.w.a.r.e.
20 00 49 00 44 00 20 00 28 00 73 00 74 00 61 00 .I.D. .(.s.t.a.
74 00 69 00 63 00 29 00 3a 00 09 00 25 00 2e 00 t.i.c.).:...%...
38 00 68 00 73 00 0a 00 09 00 48 00 61 00 72 00 8.h.s.....H.a.r.
64 00 77 00 61 00 72 00 65 00 20 00 49 00 44 00 d.w.a.r.e. .I.D.
20 00 28 00 64 00 79 00 6e 00 61 00 6d 00 69 00 .(.d.y.n.a.m.i.
63 00 29 00 3a 00 09 00 25 00 2e 00 38 00 68 00 c.).:...%...8.h.
73 00 0a 00 00 00 00 00 50 00 72 00 6f 00 64 00 s.......P.r.o.d.
75 00 63 00 74 00 20 00 6b 00 65 00 79 00 20 00 u.c.t. .k.e.y. .
27 00 25 00 6c 00 73 00 27 00 20 00 69 00 73 00 '.%.l.s.'. .i.s.
20 00 76 00 61 00 6c 00 69 00 64 00 21 00 0a 00 .v.a.l.i.d.!...
00 00 00 00 25 00 6c 00 73 00 28 00 29 00 20 00 ....%.l.s.(.). .
72 00 65 00 74 00 75 00 72 00 6e 00 65 00 64 00 r.e.t.u.r.n.e.d.
20 00 65 00 72 00 72 00 6f 00 72 00 20 00 30 00 .e.r.r.o.r. .0.
78 00 25 00 30 00 38 00 6c 00 58 00 0a 00 00 00 x.%.0.8.l.X.....
44 00 61 00 74 00 61 00 20 00 66 00 69 00 6c 00 D.a.t.a. .f.i.l.
65 00 20 00 27 00 25 00 6c 00 73 00 27 00 20 00 e. .'.%.l.s.'. .
6e 00 6f 00 74 00 20 00 66 00 6f 00 75 00 6e 00 n.o.t. .f.o.u.n.
64 00 21 00 0a 00 00 00 50 00 72 00 6f 00 64 00 d.!.....P.r.o.d.
75 00 63 00 74 00 20 00 6b 00 65 00 79 00 20 00 u.c.t. .k.e.y. .
27 00 25 00 6c 00 73 00 27 00 20 00 69 00 73 00 '.%.l.s.'. .i.s.
20 00 6d 00 61 00 6c 00 66 00 6f 00 72 00 6d 00 .m.a.l.f.o.r.m.
65 00 64 00 21 00 0a 00 00 00 00 00 50 00 72 00 e.d.!.......P.r.
6f 00 64 00 75 00 63 00 74 00 20 00 6b 00 65 00 o.d.u.c.t. .k.e.
79 00 20 00 27 00 25 00 6c 00 73 00 27 00 20 00 y. .'.%.l.s.'. .
69 00 73 00 20 00 69 00 6e 00 76 00 61 00 6c 00 i.s. .i.n.v.a.l.
69 00 64 00 21 00 0a 00 00 00 00 00 00 00 00 00 i.d.!...........
50 00 72 00 6f 00 64 00 75 00 63 00 74 00 20 00 P.r.o.d.u.c.t. .
6b 00 65 00 79 00 20 00 27 00 25 00 6c 00 73 00 k.e.y. .'.%.l.s.
27 00 20 00 69 00 73 00 20 00 72 00 65 00 73 00 '. .i.s. .r.e.s.
65 00 72 00 76 00 65 00 64 00 21 00 0a 00 00 00 e.r.v.e.d.!.....
44 00 55 00 4d 00 4d 00 59 00 00 00 00 00 00 00 D.U.M.M.Y.......
09 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 20 00 ..M.o.d.u.l.e. .
76 00 65 00 72 00 73 00 69 00 6f 00 6e 00 3a 00 v.e.r.s.i.o.n.:.
09 00 09 00 25 00 68 00 75 00 2e 00 25 00 68 00 ....%.h.u...%.h.
75 00 3a 00 25 00 68 00 75 00 2e 00 25 00 68 00 u.:.%.h.u...%.h.
75 00 0a 00 09 00 50 00 72 00 6f 00 64 00 75 00 u.....P.r.o.d.u.
63 00 74 00 20 00 76 00 65 00 72 00 73 00 69 00 c.t. .v.e.r.s.i.
6f 00 6e 00 3a 00 09 00 25 00 68 00 75 00 2e 00 o.n.:...%.h.u...
25 00 68 00 75 00 3a 00 25 00 68 00 75 00 2e 00 %.h.u.:.%.h.u...
25 00 68 00 75 00 0a 00 00 00 00 00 4c 00 6f 00 %.h.u.......L.o.
63 00 6b 00 52 00 65 00 73 00 6f 00 75 00 72 00 c.k.R.e.s.o.u.r.
63 00 65 00 28 00 29 00 20 00 72 00 65 00 74 00 c.e.(.). .r.e.t.
75 00 72 00 6e 00 65 00 64 00 20 00 4e 00 55 00 u.r.n.e.d. .N.U.
4c 00 4c 00 0a 00 00 00 4c 00 6f 00 61 00 64 00 L.L.....L.o.a.d.
52 00 65 00 73 00 6f 00 75 00 72 00 63 00 65 00 R.e.s.o.u.r.c.e.
00 00 00 00 46 00 69 00 6e 00 64 00 52 00 65 00 ....F.i.n.d.R.e.
73 00 6f 00 75 00 72 00 63 00 65 00 00 00 00 00 s.o.u.r.c.e.....
4d 00 6f 00 64 00 75 00 6c 00 65 00 20 00 27 00 M.o.d.u.l.e. .'.
25 00 6c 00 73 00 27 00 0a 00 00 00 47 00 65 00 %.l.s.'.....G.e.
74 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 46 00 t.M.o.d.u.l.e.F.
69 00 6c 00 65 00 4e 00 61 00 6d 00 65 00 00 00 i.l.e.N.a.m.e...
47 00 65 00 74 00 4d 00 6f 00 64 00 75 00 6c 00 G.e.t.M.o.d.u.l.
65 00 48 00 61 00 6e 00 64 00 6c 00 65 00 00 00 e.H.a.n.d.l.e...
50 00 69 00 64 00 47 00 65 00 6e 00 58 00 00 00 P.i.d.G.e.n.X...
42 00 61 00 64 00 20 00 61 00 72 00 67 00 75 00 B.a.d. .a.r.g.u.
6d 00 65 00 6e 00 74 00 73 00 3a 00 20 00 74 00 m.e.n.t.s.:. .t.
68 00 65 00 20 00 66 00 69 00 6c 00 65 00 20 00 h.e. .f.i.l.e. .
6f 00 72 00 20 00 70 00 61 00 74 00 68 00 20 00 o.r. .p.a.t.h. .
6e 00 61 00 6d 00 65 00 20 00 6f 00 66 00 20 00 n.a.m.e. .o.f. .
61 00 20 00 27 00 50 00 4b 00 65 00 79 00 43 00 a. .'.P.K.e.y.C.
6f 00 6e 00 66 00 69 00 67 00 5b 00 2a 00 5d 00 o.n.f.i.g.[.*.].
2e 00 78 00 72 00 6d 00 2d 00 6d 00 73 00 27 00 ..x.r.m.-.m.s.'.
20 00 64 00 61 00 74 00 61 00 20 00 66 00 69 00 .d.a.t.a. .f.i.
6c 00 65 00 20 00 70 00 6c 00 75 00 73 00 0a 00 l.e. .p.l.u.s...
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 61 00 . . . . . . .a.
74 00 20 00 6c 00 65 00 61 00 73 00 74 00 20 00 t. .l.e.a.s.t. .
6f 00 6e 00 65 00 20 00 70 00 72 00 6f 00 64 00 o.n.e. .p.r.o.d.
75 00 63 00 74 00 20 00 6b 00 65 00 79 00 20 00 u.c.t. .k.e.y. .
6d 00 75 00 73 00 74 00 20 00 62 00 65 00 20 00 m.u.s.t. .b.e. .
67 00 69 00 76 00 65 00 6e 00 21 00 0a 00 00 00 g.i.v.e.n.!.....
25 00 6c 00 73 00 28 00 29 00 20 00 72 00 65 00 %.l.s.(.). .r.e.
74 00 75 00 72 00 6e 00 65 00 64 00 20 00 65 00 t.u.r.n.e.d. .e.
72 00 72 00 6f 00 72 00 20 00 25 00 6c 00 75 00 r.r.o.r. .%.l.u.
0a 00 00 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 ....C.o.m.m.a.n.
64 00 4c 00 69 00 6e 00 65 00 54 00 6f 00 41 00 d.L.i.n.e.T.o.A.
72 00 67 00 76 00 00 00 b9 79 37 9e 00 00 00 00 r.g.v....y7.....
68 00 00 00 45 54 41 44 10 00 00 00 00 00 00 00 h...ETAD........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 08 00 00 00 00 58 28 40 00 ............X(@.
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 54 29 00 00 00 00 00 00 ........T)......
00 00 00 00 6e 29 00 00 3c 20 00 00 18 29 00 00 ....n)..< ...)..
00 00 00 00 00 00 00 00 5c 2a 00 00 00 20 00 00 ........\*... ..
5c 29 00 00 00 00 00 00 00 00 00 00 78 2a 00 00 \)..........x*..
44 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D ..............
00 00 00 00 00 00 00 00 e2 29 00 00 4e 2a 00 00 .........)..N*..
7a 29 00 00 8a 29 00 00 98 29 00 00 a6 29 00 00 z)...)...)...)..
b2 29 00 00 c2 29 00 00 d2 29 00 00 3e 2a 00 00 .)...)...)..>*..
f8 29 00 00 0c 2a 00 00 1e 2a 00 00 2e 2a 00 00 .)...*...*...*..
00 00 00 00 64 29 00 00 00 00 00 00 6a 2a 00 00 ....d)......j*..
00 00 00 00 00 00 50 69 64 47 65 6e 58 00 50 49 ......PidGenX.PI
44 47 45 4e 58 2e 64 6c 6c 00 24 05 57 72 69 74 DGENX.dll.$.Writ
65 43 6f 6e 73 6f 6c 65 57 00 19 01 45 78 69 74 eConsoleW...Exit
50 72 6f 63 65 73 73 00 52 00 43 6c 6f 73 65 48 Process.R.CloseH
61 6e 64 6c 65 00 48 03 4c 6f 63 61 6c 46 72 65 andle.H.LocalFre
65 00 54 03 4c 6f 63 6b 52 65 73 6f 75 72 63 65 e.T.LockResource
00 00 41 03 4c 6f 61 64 52 65 73 6f 75 72 63 65 ..A.LoadResource
00 00 4e 01 46 69 6e 64 52 65 73 6f 75 72 63 65 ..N.FindResource
57 00 14 02 47 65 74 4d 6f 64 75 6c 65 46 69 6c W...GetModuleFil
65 4e 61 6d 65 57 00 00 18 02 47 65 74 4d 6f 64 eNameW....GetMod
75 6c 65 48 61 6e 64 6c 65 57 00 00 87 01 47 65 uleHandleW....Ge
74 43 6f 6d 6d 61 6e 64 4c 69 6e 65 57 00 02 02 tCommandLineW...
47 65 74 4c 61 73 74 45 72 72 6f 72 00 00 64 02 GetLastError..d.
47 65 74 53 74 64 48 61 6e 64 6c 65 00 00 73 04 GetStdHandle..s.
53 65 74 4c 61 73 74 45 72 72 6f 72 00 00 44 03 SetLastError..D.
4c 6f 63 61 6c 41 6c 6c 6f 63 00 00 4b 45 52 4e LocalAlloc..KERN
45 4c 33 32 2e 64 6c 6c 00 00 35 03 77 76 73 70 EL32.dll..5.wvsp
72 69 6e 74 66 57 00 00 55 53 45 52 33 32 2e 64 rintfW..USER32.d
6c 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ll..............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Decode the dump file PIDGENX.TXT
created in
step 4. to recreate the console application
Product Key Validator:
CERTUTIL.EXE /DecodeHex /V PIDGENX.TXT PIDGENX.COM
Input Length = 21760
Output Length = 5120
CertUtil: -decodehex command completed successfully.
Overwrite the text file PIDGENX.C
with the following
content:
// Copyright © 2004-2023, Stefan Kanthak <stefan.kanthak@nexgo.de>
// * The software is provided "as is" without any warranty, neither express
// nor implied.
// * In no event will the author be held liable for any damage(s) arising
// from the use of the software.
// * Redistribution of the software is allowed only in unmodified form.
// * Permission is granted to use the software solely for personal private
// and non-commercial purposes.
// * An individuals use of the software in his or her capacity or function
// as an agent, (independent) contractor, employee, member or officer of
// a business, corporation or organization (commercial or non-commercial)
// does not qualify as personal private and non-commercial purpose.
// * Without written approval from the author the software must not be used
// for a business, for commercial, corporate, governmental, military or
// organizational purposes of any kind, or in a commercial, corporate,
// governmental, military or organizational environment of any kind.
#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <shellapi.h>
// Fallback definitions for names the installed SDK headers may not provide.
// Each one is guarded so that a definition from the headers takes precedence.

// Flag passed to LoadLibraryEx() in wmainCRTStartup().
#ifndef LOAD_LIBRARY_SAFE_CURRENT_DIRS
#define LOAD_LIBRARY_SAFE_CURRENT_DIRS 0x00002000UL
#endif
// Result codes that wmainCRTStartup() tests PidGenX()'s return value against.
// The first two have the HRESULT form of the Win32 codes 2 and 3; the plain
// Win32 codes are tested in the same switch as well.
#ifndef E_FILENOTFOUND
#define E_FILENOTFOUND 0x80070002L // file not found
#endif
#ifndef E_PATHNOTFOUND
#define E_PATHNOTFOUND 0x80070003L // path not found
#endif
#ifndef E_RESERVEDKEY
#define E_RESERVEDKEY 0x8A010001L // reserved product key
#endif
#ifndef E_INVALIDKEY
#define E_INVALIDKEY 0x8A010101L // invalid product key
#endif
// Values of VS_VERSIONINFO.wType (see the structure below).
#define VS_BINARY 0U
#define VS_TEXT 1U
// Overlay for the start of a 'VERSION' resource: three header words, the
// L"VS_VERSION_INFO" key, alignment padding, then the fixed file information.
// wmainCRTStartup() applies it to the pointer returned by LockResource() and
// reads only vsFFI through it.
typedef struct _VS_VERSIONINFO
{
WORD wSize; // size of 'VERSION' resource
WORD wCount; // = sizeof(VS_FIXEDFILEINFO)
// (number of bytes in binary value)
WORD wType; // = VS_BINARY
WCHAR szKey[16]; // = L"VS_VERSION_INFO"
WORD wPadding; // = 0 (alignment to DWORD)
VS_FIXEDFILEINFO vsFFI;
} VS_VERSIONINFO;
// Output buffer for the sixth PidGenX() argument ("DigitalProductId", version 3.0).
// The members add up to 164 bytes (0xA4) and every DWORD falls on a 4-byte
// offset, so no compiler padding is needed for sizeof(DPI) to equal dwSize.
// Member order therefore must not change. No SDK header for this layout is
// included on this page; names and meanings are as given by the author.
// The sz* members are printed as NUL-terminated strings, while the s* members
// are fixed 8-byte fields printed with an explicit precision of 8.
typedef struct _DigitalProductId
{
DWORD dwSize; // 0x000000A4 = 164
WORD wMajorVersion; // 0x0003
WORD wMinorVersion; // 0x0000
CHAR szProductId[24]; // "DUMMY-OEM-0123456-78901"
DWORD dwKeyIdx;
CHAR szEditionId[16];
BYTE bCdKey[16];
DWORD dwCloneStatus;
DWORD dwTime;
DWORD dwRandom;
DWORD dwLt;
DWORD dwLicenseData[2];
CHAR sOemId[8];
DWORD dwBundleId;
CHAR sHardwareIdStatic[8];
DWORD dwHardwareIdTypeStatic;
DWORD dwBiosChecksumStatic;
DWORD dwVolumeSerialStatic;
DWORD dwTotalRamStatic;
DWORD dwVideoBiosChecksumStatic;
CHAR sHardwareIdDynamic[8];
DWORD dwHardwareIdTypeDynamic;
DWORD dwBiosChecksumDynamic;
DWORD dwVolumeSerialDynamic;
DWORD dwTotalRamDynamic;
DWORD dwVideoBiosChecksumDynamic;
DWORD dwCRC32;
} DPI, *LPDPI;
// Output buffer for the seventh PidGenX() argument ("DigitalProductId4", version 4.0).
// The members add up to 1272 bytes (0x4F8) without padding, so member order
// must not change. All string members are WCHAR arrays and are printed with
// %ls, i.e. they are expected to be NUL-terminated by PidGenX().
// No SDK header for this layout is included on this page; names and meanings
// are as given by the author.
typedef struct _DigitalProductId4
{
DWORD dwSize; // 0x000004F8 = 1272
WORD wMajorVersion; // 0x0004
WORD wMinorVersion; // 0x0000
WCHAR szAdvancedPid[64];
WCHAR szActivationId[64];
WCHAR szOemId[8];
WCHAR szEditionType[260];
BYTE bIsUpgrade;
BYTE bReserved[7];
BYTE bCdKey[16];
BYTE bCdKey256Hash[32];
BYTE b256Hash[32];
WCHAR szEditionId[64];
WCHAR szKeyType[64];
WCHAR szEULA[64];
} DPI4, *LPDPI4;
// Function type assumed for the 'PidGenX' export; wmainCRTStartup() casts the
// GetProcAddress() result to a pointer to this type before calling it.
// The export is located by name only, so nothing checks at run time that the
// loaded DLL's function really has this signature.
// Note that lpProductId is declared LPCWSTR although the caller passes a
// writable buffer (szPid) for it.
typedef HRESULT (WINAPI PIDGENX) (LPCWSTR lpProductKey,
LPCWSTR lpPKeyConfig,
LPCWSTR lpMPC,
LPCWSTR lpOEMId,
LPCWSTR lpProductId,
LPDPI lpDigitalProductId,
LPDPI4 lpDigitalProductId4);
// Formats a message printf-style and writes it to a console handle.
// Returns TRUE only when the text was formatted and written completely;
// returns FALSE when the formatted text is empty or WriteConsole() fails.
// __declspec(safebuffers) suppresses the compiler's buffer security check for
// this function, so the only bound on szOutput is the limit wvsprintf()
// itself applies to its output (1024 per its documentation - confirm whether
// that is counted in bytes or characters for the wide-character variant).
__declspec(safebuffers)
BOOL PrintConsole(HANDLE hConsole, [SA_FormatString(Style="printf")] LPCWSTR lpFormat, ...)
{
    WCHAR szOutput[1024];
    DWORD dwLength;
    DWORD dwWritten;
    va_list vaArguments;

    va_start(vaArguments, lpFormat);
    dwLength = wvsprintf(szOutput, lpFormat, vaArguments);
    va_end(vaArguments);

    // Short-circuit evaluation keeps the original order: nothing is written
    // for empty output, and dwWritten is only read after a successful write.
    return (dwLength != 0)
        && WriteConsole(hConsole, szOutput, dwLength, &dwWritten, NULL)
        && (dwWritten == dwLength);
}
// Process entry point; the build commands on this page pass
// /ENTRY:wmainCRTStartup, so this runs in place of C runtime start-up code.
// Command line: <path of PidGenX.dll> <path of PKeyConfig data file> <product key>...
// Loads the named DLL, prints its version resource, then calls its PidGenX()
// export once per product key and reports every result on the standard error
// handle. Never returns: it always ends in ExitProcess(dwError).
//
// NOTE(review): dwError starts as ERROR_BAD_ARGUMENTS and is only overwritten
// with a failure code (GetLastError() or an unexpected HRESULT). No path in
// this function sets it to 0, so the exit code is non-zero even when every
// key validates; confirm before relying on the exit code in scripts.
__declspec(noreturn)
VOID WINAPI wmainCRTStartup(VOID)
{
VS_VERSIONINFO *lpVersion;
LPWSTR *lpArguments;
INT nArguments;
// Index of the first product key: argument 1 is the DLL, argument 2 the data file.
INT nArgument = 3;
DWORD dwError = ERROR_BAD_ARGUMENTS;
// Passed to PidGenX() as lpProductId and never read afterwards.
// NOTE(review): no length accompanies this buffer; confirm that 24 WCHARs is
// what PidGenX() expects to be able to write.
WCHAR szPid[24];
DPI dpi;
DPI4 dpi4;
HMODULE hPidGenX;
FARPROC fpPidGenX;
HRESULT hr;
HRSRC hResInfo;
HGLOBAL hResData;
// All messages go to the standard error handle.
HANDLE hConsole = GetStdHandle(STD_ERROR_HANDLE);
if (hConsole == INVALID_HANDLE_VALUE)
dwError = GetLastError();
else
{
lpArguments = CommandLineToArgvW(GetCommandLine(), &nArguments);
if (lpArguments == NULL)
PrintConsole(hConsole,
L"CommandLineToArgv() returned error %lu\n",
dwError = GetLastError());
else
{
if (nArguments < 4)
PrintConsole(hConsole,
L"Bad arguments: the (absolute or relative) path names of a \'PidGenX.dll\' and\n"
L" its associated \'PKeyConfig[*].xrm-ms\' data file plus at least\n"
L" one product key \'23467-89BCD-FGHJK-MNPQR-TVWXY\' must be given!\n");
else
{
// Loading maps the DLL named on the command line into this process and runs
// its entry point with this process's privileges, so argument 1 must name a
// PidGenX.dll from a trusted source.
// NOTE(review): a relative name is resolved by the loader's search order;
// confirm how LOAD_LIBRARY_SAFE_CURRENT_DIRS is treated on the Windows
// versions targeted, or pass an absolute path.
hPidGenX = LoadLibraryEx(lpArguments[1], (HANDLE) NULL, LOAD_LIBRARY_SAFE_CURRENT_DIRS);
if (hPidGenX == NULL)
PrintConsole(hConsole,
L"LoadLibraryEx() returned error %lu\n",
dwError = GetLastError());
else
{
// The export is found by name only; its signature is assumed to match PIDGENX.
fpPidGenX = GetProcAddress(hPidGenX, "PidGenX");
if (fpPidGenX == NULL)
PrintConsole(hConsole,
L"GetProcAddress() returned error %lu\n",
dwError = GetLastError());
else
{
// The version resource is informational only: a failure here is reported
// (FindResource/LoadResource also record it in dwError), but the product
// keys are still validated afterwards.
hResInfo = FindResource(hPidGenX, MAKEINTRESOURCE(VS_VERSION_INFO), RT_VERSION);
if (hResInfo == NULL)
PrintConsole(hConsole,
L"FindResource() returned error %lu\n",
dwError = GetLastError());
else
{
hResData = LoadResource(hPidGenX, hResInfo);
if (hResData == NULL)
PrintConsole(hConsole,
L"LoadResource() returned error %lu\n",
dwError = GetLastError());
else
{
// NOTE(review): the resource is read through the VS_VERSIONINFO overlay
// without checking its size or vsFFI.dwSignature, so a malformed resource
// in the named DLL yields meaningless version numbers.
lpVersion = LockResource(hResData);
if (lpVersion == NULL)
PrintConsole(hConsole,
L"LockResource() returned NULL\n");
else
PrintConsole(hConsole,
L"Library version = %hu.%hu:%hu.%hu\n"
L"Product version = %hu.%hu:%hu.%hu\n",
HIWORD(lpVersion->vsFFI.dwFileVersionMS), LOWORD(lpVersion->vsFFI.dwFileVersionMS),
HIWORD(lpVersion->vsFFI.dwFileVersionLS), LOWORD(lpVersion->vsFFI.dwFileVersionLS),
HIWORD(lpVersion->vsFFI.dwProductVersionMS), LOWORD(lpVersion->vsFFI.dwProductVersionMS),
HIWORD(lpVersion->vsFFI.dwProductVersionLS), LOWORD(lpVersion->vsFFI.dwProductVersionLS));
}
}
// The size members are set once before the loop and not reset between keys;
// presumably this is how PidGenX() learns the size of each output buffer.
dpi.dwSize = sizeof(dpi);
dpi4.dwSize = sizeof(dpi4);
// One PidGenX() call per product key given on the command line.
do
{
hr = ((PIDGENX *) fpPidGenX)(lpArguments[nArgument],
lpArguments[2],
L"DUMMY",
(LPCWSTR) NULL,
szPid,
&dpi,
&dpi4);
// The result is compared against plain Win32 error codes as well as HRESULTs.
switch (hr)
{
case ERROR_FILE_NOT_FOUND:
case ERROR_PATH_NOT_FOUND:
case E_FILENOTFOUND: // file 'PKeyConfig.xrm-ms' not found
case E_PATHNOTFOUND: // path of 'PKeyConfig.xrm-ms' not found
PrintConsole(hConsole,
L"Data file \'%ls\' not found!\n",
lpArguments[2]);
// The data file is the same for every key, so make the loop condition fail.
nArguments = 0;
break;
case ERROR_INVALID_PARAMETER:
case E_INVALIDARG: // malformed product key
PrintConsole(hConsole,
L"Product key \'%ls\' is malformed!\n",
lpArguments[nArgument]);
break;
case E_RESERVEDKEY: // reserved product key
PrintConsole(hConsole,
L"Product key \'%ls\' is reserved!\n",
lpArguments[nArgument]);
break;
case E_INVALIDKEY: // invalid product key
PrintConsole(hConsole,
L"Product key \'%ls\' is invalid!\n",
lpArguments[nArgument]);
break;
case S_OK:
PrintConsole(hConsole,
L"Product key \'%ls\' is valid!\n",
lpArguments[nArgument]);
#ifdef VERBOSE
// Each structure is printed only when the callee left the expected size and
// version in it; otherwise its contents are not interpreted.
if ((dpi.dwSize != sizeof(dpi))
|| (dpi.wMajorVersion != 3)
|| (dpi.wMinorVersion != 0))
PrintConsole(hConsole,
L"Size of \'DigitalProductId\' not equal %lu or version not equal 3.0\n",
sizeof(dpi));
else
// The %.8hs precision limits each read to the 8 bytes of the s* members.
PrintConsole(hConsole,
L"\n"
L"DigitalProductId: size = %lu\n"
L"\tProduct ID:\t\t%hs\n"
L"\tEdition ID:\t\t%hs\n"
L"\tOEM ID:\t\t\t%.8hs\n"
L"\tHardware ID (static):\t%.8hs\n"
L"\tHardware ID (dynamic):\t%.8hs\n",
dpi.dwSize,
dpi.szProductId,
dpi.szEditionId,
dpi.sOemId,
dpi.sHardwareIdStatic,
dpi.sHardwareIdDynamic);
if ((dpi4.dwSize != sizeof(dpi4))
|| (dpi4.wMajorVersion != 4)
|| (dpi4.wMinorVersion != 0))
PrintConsole(hConsole,
L"Size of \'DigitalProductId4\' not equal %lu or version not equal 4.0\n",
sizeof(dpi4));
else
PrintConsole(hConsole,
L"\n"
L"DigitalProductId4: size = %lu\n"
L"\tAdvanced Product ID:\t%ls\n"
L"\tActivation ID:\t\t%ls\n"
L"\tOEM ID:\t\t\t%ls\n"
L"\tEdition Type:\t\t%ls\n"
L"\tEdition ID:\t\t%ls\n"
L"\tKey Type:\t\t%ls\n"
L"\tEULA:\t\t\t%ls\n",
dpi4.dwSize,
dpi4.szAdvancedPid,
dpi4.szActivationId,
dpi4.szOemId,
dpi4.szEditionType,
dpi4.szEditionId,
dpi4.szKeyType,
dpi4.szEULA);
#endif
break;
default:
// Any other result is reported verbatim and becomes the process exit code.
PrintConsole(hConsole,
L"PidGenX() returned error 0x%08lX\n",
dwError = hr);
}
} while (++nArgument < nArguments);
}
// Clean-up failures below are reported but do not change the exit code.
if (!FreeLibrary(hPidGenX))
PrintConsole(hConsole,
L"FreeLibrary() returned error %lu\n",
GetLastError());
}
}
// LocalFree() returns NULL on success.
if (LocalFree(lpArguments) != NULL)
PrintConsole(hConsole,
L"LocalFree() returned error %lu\n",
GetLastError());
}
// NOTE(review): on failure the message is written to the same handle that
// CloseHandle() has just been called on.
if (!CloseHandle(hConsole))
PrintConsole(hConsole,
L"CloseHandle() returned error %lu\n",
GetLastError());
}
ExitProcess(dwError);
}
Run the following four command lines to compile the source file
PIDGENX.C
created in step 1., link the compiled
object file PIDGENX.OBJ
and clean up afterwards:
SET CL=/DVERBOSE /GAFS /Gy /O1isy /W4 /Zl
SET LINK=/DEFAULTLIB:KERNEL32.LIB /DEFAULTLIB:SHELL32.LIB /DEFAULTLIB:USER32.LIB /ENTRY:wmainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /OSVERSION:5.0 /RELEASE /SUBSYSTEM:CONSOLE /SWAPRUN:CD,NET /VERSION:0.815
CL.EXE /FePIDGENX.COM PIDGENX.C
ERASE PIDGENX.OBJ
For details and reference see the MSDN articles Compiler Options and Linker Options.
Note: if necessary, see the
MSDN article
Use the Microsoft C++ toolset from the command line
for an introduction.
Note: the command lines can be copied and pasted as block into a Command Processor window!
Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86 Copyright (C) Microsoft Corporation. All rights reserved. PIDGENX.C Microsoft (R) Incremental Linker Version 10.00.40219.386 Copyright (C) Microsoft Corporation. All rights reserved. …
Create the text file PIDGENX.TXT
with the following
content in an arbitrary, preferably empty directory:
4d 5a 90 00 01 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
d0 00 00 00 43 00 00 00 40 00 00 00 00 00 00 00 ....C...@.......
00 00 00 00 19 57 04 27 00 00 00 00 00 00 00 00 .....W.'........
00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 00 ................
28 43 29 6f 70 79 72 69 67 68 74 20 32 30 30 34 (C)opyright 2004
2d 32 30 32 33 2c 20 53 74 65 66 61 6e 20 4b 61 -2023, Stefan Ka
6e 74 68 61 6b 20 3c 73 74 65 66 61 6e 2e 6b 61 nthak <stefan.ka
6e 74 68 61 6b 40 6e 65 78 67 6f 2e 64 65 3e 0d nthak@nexgo.de>.
0a 07 24 0e 1f 33 d2 b4 09 cd 21 b8 01 4c cd 21 ..$..3....!..L.!
50 45 00 00 4c 01 02 00 56 4f 49 44 00 00 00 00 PE..L...VOID....
00 00 00 00 e0 00 23 0d 0b 01 0a 00 00 06 00 00 ......#.........
00 0c 00 00 00 00 00 00 4e 10 00 00 00 10 00 00 ........N.......
00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00 . ....@.........
05 00 00 00 00 00 2f 03 05 00 01 00 00 00 00 00 ....../.........
00 30 00 00 00 02 00 00 0f 36 00 00 03 00 00 85 .0.......6......
00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 ................
00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ................
80 29 00 00 3c 00 00 00 00 00 00 00 00 00 00 00 .)..<...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 18 29 00 00 40 00 00 00 .........)..@...
00 00 00 00 00 00 00 00 00 20 00 00 48 00 00 00 ......... ..H...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 2e 63 6f 64 65 00 00 00 .........code...
70 05 00 00 00 10 00 00 00 06 00 00 00 02 00 00 p...............
00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 ............ ..`
2e 63 6f 6e 73 74 00 00 16 0b 00 00 00 20 00 00 .const....... ..
00 0c 00 00 00 08 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 ....@..@........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
55 8b ec 81 ec 08 08 00 00 56 8d 45 10 50 ff 75 U........V.E.P.u
0c 8d 85 f8 f7 ff ff 50 ff 15 40 20 40 00 8b f0 .......P..@ @...
85 f6 75 04 33 c0 eb 23 6a 00 8d 45 fc 50 56 8d ..u.3..#j..E.PV.
85 f8 f7 ff ff 50 ff 75 08 ff 15 00 20 40 00 85 .....P.u.... @..
c0 74 e1 33 c0 39 75 fc 0f 94 c0 5e c9 c3 55 8d .t.3.9u....^..U.
6c 24 88 81 ec e8 05 00 00 53 56 57 6a f4 c7 45 l$.......SVWj..E
6c 03 00 00 00 c7 45 74 a0 00 00 00 ff 15 30 20 l.....Et......0
40 00 8b f0 89 75 70 83 fe ff 75 0e ff 15 2c 20 @....up...u...,
40 00 89 45 74 e9 44 03 00 00 8d 45 64 50 ff 15 @..Et.D....EdP..
28 20 40 00 50 e8 3e 03 00 00 8b 3d 2c 20 40 00 ( @.P.>....=, @.
89 45 68 85 c0 75 15 ff d7 50 89 45 74 68 ec 28 .Eh..u...P.Eth.(
40 00 bb b8 28 40 00 e9 eb 02 00 00 83 7d 64 04 @...(@.......}d.
bb b8 28 40 00 73 12 68 e8 26 40 00 56 e8 2e ff ..(@.s.h.&@.V...
ff ff 59 59 e9 b9 02 00 00 68 00 20 00 00 6a 00 ..YY.....h. ..j.
ff 70 04 ff 15 24 20 40 00 89 45 60 85 c0 75 10 .p...$ @..E`..u.
ff d7 50 89 45 74 68 c8 26 40 00 e9 88 02 00 00 ..P.Eth.&@......
68 c0 26 40 00 50 ff 15 20 20 40 00 89 45 5c 85 h.&@.P.. @..E\.
c0 75 1a ff d7 50 68 a0 26 40 00 53 56 89 45 74 .u...Ph.&@.SV.Et
e8 db fe ff ff 83 c4 10 e9 46 02 00 00 6a 10 6a .........F...j.j
01 ff 75 60 ff 15 1c 20 40 00 85 c0 75 0a ff d7 ..u`... @...u...
50 68 84 26 40 00 eb 16 50 ff 75 60 ff 15 18 20 Ph.&@...P.u`...
40 00 85 c0 75 17 ff d7 50 68 68 26 40 00 53 56 @...u...Phh&@.SV
89 45 74 e8 98 fe ff ff 83 c4 10 eb 50 50 ff 15 .Et.........PP..
14 20 40 00 85 c0 75 0f 68 2c 26 40 00 56 e8 7d . @...u.h,&@.V.}
fe ff ff 59 59 eb 36 0f b7 48 3c 51 0f b7 48 3e ...YY.6..H<Q..H>
51 0f b7 48 38 51 0f b7 48 3a 51 0f b7 48 34 51 Q..H8Q..H:Q..H4Q
0f b7 48 36 51 0f b7 48 30 0f b7 40 32 51 50 68 ..H6Q..H0..@2QPh
a0 25 40 00 56 e8 46 fe ff ff 83 c4 28 c7 45 b8 .%@.V.F.....(.E.
a4 00 00 00 c7 85 90 fa ff ff f8 04 00 00 8b 45 ...............E
68 8b 4d 6c 8d 34 88 8d 85 90 fa ff ff 50 8d 45 h.Ml.4.......P.E
b8 50 8d 45 88 50 8b 45 68 6a 00 68 90 25 40 00 .P.E.P.Ehj.h.%@.
ff 70 08 ff 36 ff 55 5c b9 01 01 01 8a 3b c1 7f .p..6.U\.....;..
36 74 2b 3d 02 00 07 80 7c 68 3d 03 00 07 80 7e 6t+=....|h=....~
42 3d 57 00 07 80 74 32 3d 01 00 01 8a 75 53 ff B=W...t2=....uS.
36 68 50 25 40 00 ff 75 70 e9 2b 01 00 00 ff 36 6hP%@..up.+....6
68 0c 25 40 00 eb ef 85 c0 74 55 83 f8 01 7e 32 h.%@.....tU...~2
83 f8 03 7e 0e 83 f8 57 75 28 ff 36 68 c8 24 40 ...~...Wu(.6h.$@
00 eb d3 8b 45 68 ff 70 08 68 90 24 40 00 ff 75 ....Eh.p.h.$@..u
70 e8 9a fd ff ff 83 c4 0c 83 65 64 00 e9 ef 00 p.........ed....
00 00 50 68 80 24 40 00 68 44 24 40 00 ff 75 70 ..Ph.$@.hD$@..up
89 45 74 e8 78 fd ff ff 83 c4 10 e9 d1 00 00 00 .Et.x...........
ff 36 8b 75 70 68 08 24 40 00 56 e8 60 fd ff ff .6.uph.$@.V.`...
b8 a4 00 00 00 83 c4 0c 39 45 b8 75 33 66 83 7d ........9E.u3f.}
bc 03 75 2c 66 83 7d be 00 75 25 8d 4d 3c 51 8d ..u,f.}..u%.M<Q.
4d 20 51 8d 4d 14 51 8d 4d dc 51 8d 4d c0 51 50 M Q.M.Q.M.Q.M.QP
68 e8 22 40 00 56 e8 25 fd ff ff 83 c4 20 eb 0f h."@.V.%..... ..
50 68 60 22 40 00 56 e8 14 fd ff ff 83 c4 0c b8 Ph`"@.V.........
f8 04 00 00 39 85 90 fa ff ff 75 56 66 83 bd 94 ....9.....uVf...
fa ff ff 04 75 4c 66 83 bd 96 fa ff ff 00 75 42 ....uLf.......uB
8d 8d 08 ff ff ff 51 8d 8d 88 fe ff ff 51 8d 8d ......Q......Q..
08 fe ff ff 51 8d 8d a8 fb ff ff 51 8d 8d 98 fb ....Q......Q....
ff ff 51 8d 8d 18 fb ff ff 51 8d 8d 98 fa ff ff ..Q......Q......
51 50 68 18 21 40 00 56 e8 b3 fc ff ff 83 c4 28 QPh.!@.V.......(
eb 0f 50 68 90 20 40 00 56 e8 a2 fc ff ff 83 c4 ..Ph. @.V.......
0c ff 45 6c 8b 45 6c 3b 45 64 0f 82 5e fe ff ff ..El.El;Ed..^...
8b 75 70 ff 75 60 ff 15 10 20 40 00 85 c0 75 12 .up.u`... @...u.
ff d7 50 68 74 20 40 00 53 56 e8 71 fc ff ff 83 ..Pht @.SV.q....
c4 10 ff 75 68 ff 15 0c 20 40 00 85 c0 74 12 ff ...uh... @...t..
d7 50 68 60 20 40 00 53 56 e8 52 fc ff ff 83 c4 .Ph` @.SV.R.....
10 56 ff 15 08 20 40 00 85 c0 75 12 ff d7 50 68 .V... @...u...Ph
48 20 40 00 53 56 e8 35 fc ff ff 83 c4 10 ff 75 H @.SV.5.......u
74 ff 15 04 20 40 00 cc 55 8b ec 51 8b 45 08 53 t... @..U..Q.E.S
56 33 f6 57 8b f8 89 75 08 89 75 fc 39 75 0c 0f V3.W...u..u.9u..
84 6a 01 00 00 3b c6 0f 84 62 01 00 00 0f b7 08 .j...;...b......
66 3b ce 0f 84 56 01 00 00 83 f9 20 74 0a 83 f9 f;...V..... t...
09 74 05 33 db 43 eb 02 33 db 39 75 08 75 2b 66 .t.3.C..3.9u.u+f
83 f9 20 74 06 66 83 f9 09 75 1f 89 75 fc 83 c0 .. t.f...u..u...
02 0f b7 08 83 f9 20 74 f5 83 f9 09 74 f0 33 c9 ...... t....t.3.
66 39 30 0f 95 c1 03 d9 eb 23 66 83 f9 5c 75 06 f90......#f..\u.
83 75 fc 01 eb 14 39 75 fc 75 0c 66 83 f9 22 75 .u....9u.u.f.."u
06 83 75 08 01 eb 03 89 75 fc 83 c0 02 0f b7 08 ..u.....u.......
66 3b ce 75 a5 2b c7 83 c0 02 d1 f8 8d 44 58 02 f;.u.+.......DX.
03 c0 50 6a 40 ff 15 38 20 40 00 8b f0 33 d2 3b ..Pj@..8 @...3.;
f2 0f 84 d0 00 00 00 8d 44 9e 04 33 db 89 06 89 ........D..3....
55 08 89 5d fc 83 7d 08 00 75 34 0f b7 0f 83 f9 U..]..}..u4.....
20 74 05 83 f9 09 75 27 33 d2 33 c9 66 89 08 83 t....u'3.3.f...
c7 02 0f b7 0f 83 f9 20 74 f5 83 f9 09 74 f0 66 ....... t....t.f
39 17 74 71 43 8b c7 89 5d fc 89 3c 9e eb 5c 0f 9.tqC...]..<..\.
b7 0f 83 f9 5c 75 03 42 eb 48 83 f9 22 75 41 6a ....\u.B.H.."uAj
02 8d 5a 01 d1 eb 59 f7 db 03 f9 8d 04 58 f6 c2 ..Z...Y......X..
01 74 0a 6a 22 5a 66 89 10 03 c1 eb 1c 83 7d 08 .t.j"Zf.......}.
00 74 12 66 83 3f 22 75 0c 6a 22 5a 66 89 10 03 .t.f.?"u.j"Zf...
c1 03 f9 eb 04 83 75 08 01 8b 5d fc 33 d2 eb 0b ......u...].3...
33 d2 66 89 08 83 c0 02 83 c7 02 66 83 3f 00 0f 3.f........f.?..
85 60 ff ff ff 33 c9 43 66 89 08 21 0c 9e 8b 45 .`...3.Cf..!...E
0c 89 18 39 4d 08 74 0f 68 a0 00 00 00 eb 02 6a ...9M.t.h......j
57 ff 15 34 20 40 00 5f 8b c6 5e 5b c9 c2 08 00 W..4 @._..^[....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
04 2a 00 00 14 2a 00 00 22 2a 00 00 30 2a 00 00 .*...*.."*..0*..
3c 2a 00 00 4a 2a 00 00 5a 2a 00 00 6a 2a 00 00 <*..J*..Z*..j*..
7a 2a 00 00 8c 2a 00 00 9e 2a 00 00 b0 2a 00 00 z*...*...*...*..
c0 2a 00 00 d0 2a 00 00 e0 2a 00 00 00 00 00 00 .*...*...*......
fc 2a 00 00 00 00 00 00 43 00 6c 00 6f 00 73 00 .*......C.l.o.s.
65 00 48 00 61 00 6e 00 64 00 6c 00 65 00 00 00 e.H.a.n.d.l.e...
4c 00 6f 00 63 00 61 00 6c 00 46 00 72 00 65 00 L.o.c.a.l.F.r.e.
65 00 00 00 46 00 72 00 65 00 65 00 4c 00 69 00 e...F.r.e.e.L.i.
62 00 72 00 61 00 72 00 79 00 00 00 00 00 00 00 b.r.a.r.y.......
53 00 69 00 7a 00 65 00 20 00 6f 00 66 00 20 00 S.i.z.e. .o.f. .
27 00 44 00 69 00 67 00 69 00 74 00 61 00 6c 00 '.D.i.g.i.t.a.l.
50 00 72 00 6f 00 64 00 75 00 63 00 74 00 49 00 P.r.o.d.u.c.t.I.
64 00 34 00 27 00 20 00 6e 00 6f 00 74 00 20 00 d.4.'. .n.o.t. .
65 00 71 00 75 00 61 00 6c 00 20 00 25 00 6c 00 e.q.u.a.l. .%.l.
75 00 20 00 6f 00 72 00 20 00 76 00 65 00 72 00 u. .o.r. .v.e.r.
73 00 69 00 6f 00 6e 00 20 00 6e 00 6f 00 74 00 s.i.o.n. .n.o.t.
20 00 65 00 71 00 75 00 61 00 6c 00 20 00 34 00 .e.q.u.a.l. .4.
2e 00 30 00 0a 00 00 00 0a 00 44 00 69 00 67 00 ..0.......D.i.g.
69 00 74 00 61 00 6c 00 50 00 72 00 6f 00 64 00 i.t.a.l.P.r.o.d.
75 00 63 00 74 00 49 00 64 00 34 00 3a 00 20 00 u.c.t.I.d.4.:. .
73 00 69 00 7a 00 65 00 20 00 3d 00 20 00 25 00 s.i.z.e. .=. .%.
6c 00 75 00 0a 00 09 00 41 00 64 00 76 00 61 00 l.u.....A.d.v.a.
6e 00 63 00 65 00 64 00 20 00 50 00 72 00 6f 00 n.c.e.d. .P.r.o.
64 00 75 00 63 00 74 00 20 00 49 00 44 00 3a 00 d.u.c.t. .I.D.:.
09 00 25 00 6c 00 73 00 0a 00 09 00 41 00 63 00 ..%.l.s.....A.c.
74 00 69 00 76 00 61 00 74 00 69 00 6f 00 6e 00 t.i.v.a.t.i.o.n.
20 00 49 00 44 00 3a 00 09 00 09 00 25 00 6c 00 .I.D.:.....%.l.
73 00 0a 00 09 00 4f 00 45 00 4d 00 20 00 49 00 s.....O.E.M. .I.
44 00 3a 00 09 00 09 00 09 00 25 00 6c 00 73 00 D.:.......%.l.s.
0a 00 09 00 45 00 64 00 69 00 74 00 69 00 6f 00 ....E.d.i.t.i.o.
6e 00 20 00 54 00 79 00 70 00 65 00 3a 00 09 00 n. .T.y.p.e.:...
09 00 25 00 6c 00 73 00 0a 00 09 00 45 00 64 00 ..%.l.s.....E.d.
69 00 74 00 69 00 6f 00 6e 00 20 00 49 00 44 00 i.t.i.o.n. .I.D.
3a 00 09 00 09 00 25 00 6c 00 73 00 0a 00 09 00 :.....%.l.s.....
4b 00 65 00 79 00 20 00 54 00 79 00 70 00 65 00 K.e.y. .T.y.p.e.
3a 00 09 00 09 00 25 00 6c 00 73 00 0a 00 09 00 :.....%.l.s.....
45 00 55 00 4c 00 41 00 3a 00 09 00 09 00 09 00 E.U.L.A.:.......
25 00 6c 00 73 00 0a 00 00 00 00 00 00 00 00 00 %.l.s...........
53 00 69 00 7a 00 65 00 20 00 6f 00 66 00 20 00 S.i.z.e. .o.f. .
27 00 44 00 69 00 67 00 69 00 74 00 61 00 6c 00 '.D.i.g.i.t.a.l.
50 00 72 00 6f 00 64 00 75 00 63 00 74 00 49 00 P.r.o.d.u.c.t.I.
64 00 27 00 20 00 6e 00 6f 00 74 00 20 00 65 00 d.'. .n.o.t. .e.
71 00 75 00 61 00 6c 00 20 00 25 00 6c 00 75 00 q.u.a.l. .%.l.u.
20 00 6f 00 72 00 20 00 76 00 65 00 72 00 73 00 .o.r. .v.e.r.s.
69 00 6f 00 6e 00 20 00 6e 00 6f 00 74 00 20 00 i.o.n. .n.o.t. .
65 00 71 00 75 00 61 00 6c 00 20 00 33 00 2e 00 e.q.u.a.l. .3...
30 00 0a 00 00 00 00 00 0a 00 44 00 69 00 67 00 0.........D.i.g.
69 00 74 00 61 00 6c 00 50 00 72 00 6f 00 64 00 i.t.a.l.P.r.o.d.
75 00 63 00 74 00 49 00 64 00 3a 00 20 00 73 00 u.c.t.I.d.:. .s.
69 00 7a 00 65 00 20 00 3d 00 20 00 25 00 6c 00 i.z.e. .=. .%.l.
75 00 0a 00 09 00 50 00 72 00 6f 00 64 00 75 00 u.....P.r.o.d.u.
63 00 74 00 20 00 49 00 44 00 3a 00 09 00 09 00 c.t. .I.D.:.....
25 00 68 00 73 00 0a 00 09 00 45 00 64 00 69 00 %.h.s.....E.d.i.
74 00 69 00 6f 00 6e 00 20 00 49 00 44 00 3a 00 t.i.o.n. .I.D.:.
09 00 09 00 25 00 68 00 73 00 0a 00 09 00 4f 00 ....%.h.s.....O.
45 00 4d 00 20 00 49 00 44 00 3a 00 09 00 09 00 E.M. .I.D.:.....
09 00 25 00 2e 00 38 00 68 00 73 00 0a 00 09 00 ..%...8.h.s.....
48 00 61 00 72 00 64 00 77 00 61 00 72 00 65 00 H.a.r.d.w.a.r.e.
20 00 49 00 44 00 20 00 28 00 73 00 74 00 61 00 .I.D. .(.s.t.a.
74 00 69 00 63 00 29 00 3a 00 09 00 25 00 2e 00 t.i.c.).:...%...
38 00 68 00 73 00 0a 00 09 00 48 00 61 00 72 00 8.h.s.....H.a.r.
64 00 77 00 61 00 72 00 65 00 20 00 49 00 44 00 d.w.a.r.e. .I.D.
20 00 28 00 64 00 79 00 6e 00 61 00 6d 00 69 00 .(.d.y.n.a.m.i.
63 00 29 00 3a 00 09 00 25 00 2e 00 38 00 68 00 c.).:...%...8.h.
73 00 0a 00 00 00 00 00 50 00 72 00 6f 00 64 00 s.......P.r.o.d.
75 00 63 00 74 00 20 00 6b 00 65 00 79 00 20 00 u.c.t. .k.e.y. .
27 00 25 00 6c 00 73 00 27 00 20 00 69 00 73 00 '.%.l.s.'. .i.s.
20 00 76 00 61 00 6c 00 69 00 64 00 21 00 0a 00 .v.a.l.i.d.!...
00 00 00 00 25 00 6c 00 73 00 28 00 29 00 20 00 ....%.l.s.(.). .
72 00 65 00 74 00 75 00 72 00 6e 00 65 00 64 00 r.e.t.u.r.n.e.d.
20 00 65 00 72 00 72 00 6f 00 72 00 20 00 30 00 .e.r.r.o.r. .0.
78 00 25 00 30 00 38 00 6c 00 58 00 0a 00 00 00 x.%.0.8.l.X.....
50 00 69 00 64 00 47 00 65 00 6e 00 58 00 00 00 P.i.d.G.e.n.X...
44 00 61 00 74 00 61 00 20 00 66 00 69 00 6c 00 D.a.t.a. .f.i.l.
65 00 20 00 27 00 25 00 6c 00 73 00 27 00 20 00 e. .'.%.l.s.'. .
6e 00 6f 00 74 00 20 00 66 00 6f 00 75 00 6e 00 n.o.t. .f.o.u.n.
64 00 21 00 0a 00 00 00 50 00 72 00 6f 00 64 00 d.!.....P.r.o.d.
75 00 63 00 74 00 20 00 6b 00 65 00 79 00 20 00 u.c.t. .k.e.y. .
27 00 25 00 6c 00 73 00 27 00 20 00 69 00 73 00 '.%.l.s.'. .i.s.
20 00 6d 00 61 00 6c 00 66 00 6f 00 72 00 6d 00 .m.a.l.f.o.r.m.
65 00 64 00 21 00 0a 00 00 00 00 00 50 00 72 00 e.d.!.......P.r.
6f 00 64 00 75 00 63 00 74 00 20 00 6b 00 65 00 o.d.u.c.t. .k.e.
79 00 20 00 27 00 25 00 6c 00 73 00 27 00 20 00 y. .'.%.l.s.'. .
69 00 73 00 20 00 69 00 6e 00 76 00 61 00 6c 00 i.s. .i.n.v.a.l.
69 00 64 00 21 00 0a 00 00 00 00 00 00 00 00 00 i.d.!...........
50 00 72 00 6f 00 64 00 75 00 63 00 74 00 20 00 P.r.o.d.u.c.t. .
6b 00 65 00 79 00 20 00 27 00 25 00 6c 00 73 00 k.e.y. .'.%.l.s.
27 00 20 00 69 00 73 00 20 00 72 00 65 00 73 00 '. .i.s. .r.e.s.
65 00 72 00 76 00 65 00 64 00 21 00 0a 00 00 00 e.r.v.e.d.!.....
44 00 55 00 4d 00 4d 00 59 00 00 00 00 00 00 00 D.U.M.M.Y.......
4c 00 69 00 62 00 72 00 61 00 72 00 79 00 20 00 L.i.b.r.a.r.y. .
76 00 65 00 72 00 73 00 69 00 6f 00 6e 00 20 00 v.e.r.s.i.o.n. .
3d 00 20 00 25 00 68 00 75 00 2e 00 25 00 68 00 =. .%.h.u...%.h.
75 00 3a 00 25 00 68 00 75 00 2e 00 25 00 68 00 u.:.%.h.u...%.h.
75 00 0a 00 50 00 72 00 6f 00 64 00 75 00 63 00 u...P.r.o.d.u.c.
74 00 20 00 76 00 65 00 72 00 73 00 69 00 6f 00 t. .v.e.r.s.i.o.
6e 00 20 00 3d 00 20 00 25 00 68 00 75 00 2e 00 n. .=. .%.h.u...
25 00 68 00 75 00 3a 00 25 00 68 00 75 00 2e 00 %.h.u.:.%.h.u...
25 00 68 00 75 00 0a 00 00 00 00 00 4c 00 6f 00 %.h.u.......L.o.
63 00 6b 00 52 00 65 00 73 00 6f 00 75 00 72 00 c.k.R.e.s.o.u.r.
63 00 65 00 28 00 29 00 20 00 72 00 65 00 74 00 c.e.(.). .r.e.t.
75 00 72 00 6e 00 65 00 64 00 20 00 4e 00 55 00 u.r.n.e.d. .N.U.
4c 00 4c 00 0a 00 00 00 4c 00 6f 00 61 00 64 00 L.L.....L.o.a.d.
52 00 65 00 73 00 6f 00 75 00 72 00 63 00 65 00 R.e.s.o.u.r.c.e.
00 00 00 00 46 00 69 00 6e 00 64 00 52 00 65 00 ....F.i.n.d.R.e.
73 00 6f 00 75 00 72 00 63 00 65 00 00 00 00 00 s.o.u.r.c.e.....
47 00 65 00 74 00 50 00 72 00 6f 00 63 00 41 00 G.e.t.P.r.o.c.A.
64 00 64 00 72 00 65 00 73 00 73 00 00 00 00 00 d.d.r.e.s.s.....
50 69 64 47 65 6e 58 00 4c 00 6f 00 61 00 64 00 PidGenX.L.o.a.d.
4c 00 69 00 62 00 72 00 61 00 72 00 79 00 45 00 L.i.b.r.a.r.y.E.
78 00 00 00 00 00 00 00 42 00 61 00 64 00 20 00 x.......B.a.d. .
61 00 72 00 67 00 75 00 6d 00 65 00 6e 00 74 00 a.r.g.u.m.e.n.t.
73 00 3a 00 20 00 74 00 68 00 65 00 20 00 28 00 s.:. .t.h.e. .(.
61 00 62 00 73 00 6f 00 6c 00 75 00 74 00 65 00 a.b.s.o.l.u.t.e.
20 00 6f 00 72 00 20 00 72 00 65 00 6c 00 61 00 .o.r. .r.e.l.a.
74 00 69 00 76 00 65 00 29 00 20 00 70 00 61 00 t.i.v.e.). .p.a.
74 00 68 00 20 00 6e 00 61 00 6d 00 65 00 73 00 t.h. .n.a.m.e.s.
20 00 6f 00 66 00 20 00 61 00 20 00 27 00 50 00 .o.f. .a. .'.P.
69 00 64 00 47 00 65 00 6e 00 58 00 2e 00 64 00 i.d.G.e.n.X...d.
6c 00 6c 00 27 00 20 00 61 00 6e 00 64 00 0a 00 l.l.'. .a.n.d...
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 69 00 . . . . . . .i.
74 00 73 00 20 00 61 00 73 00 73 00 6f 00 63 00 t.s. .a.s.s.o.c.
69 00 61 00 74 00 65 00 64 00 20 00 27 00 50 00 i.a.t.e.d. .'.P.
4b 00 65 00 79 00 43 00 6f 00 6e 00 66 00 69 00 K.e.y.C.o.n.f.i.
67 00 5b 00 2a 00 5d 00 2e 00 78 00 72 00 6d 00 g.[.*.]...x.r.m.
2d 00 6d 00 73 00 27 00 20 00 64 00 61 00 74 00 -.m.s.'. .d.a.t.
61 00 20 00 66 00 69 00 6c 00 65 00 20 00 70 00 a. .f.i.l.e. .p.
6c 00 75 00 73 00 20 00 61 00 74 00 20 00 6c 00 l.u.s. .a.t. .l.
65 00 61 00 73 00 74 00 0a 00 20 00 20 00 20 00 e.a.s.t... . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 6f 00 6e 00 65 00 20 00 . . . .o.n.e. .
70 00 72 00 6f 00 64 00 75 00 63 00 74 00 20 00 p.r.o.d.u.c.t. .
6b 00 65 00 79 00 20 00 27 00 32 00 33 00 34 00 k.e.y. .'.2.3.4.
36 00 37 00 2d 00 38 00 39 00 42 00 43 00 44 00 6.7.-.8.9.B.C.D.
2d 00 46 00 47 00 48 00 4a 00 4b 00 2d 00 4d 00 -.F.G.H.J.K.-.M.
4e 00 50 00 51 00 52 00 2d 00 54 00 56 00 57 00 N.P.Q.R.-.T.V.W.
58 00 59 00 27 00 20 00 6d 00 75 00 73 00 74 00 X.Y.'. .m.u.s.t.
20 00 62 00 65 00 20 00 67 00 69 00 76 00 65 00 .b.e. .g.i.v.e.
6e 00 21 00 0a 00 00 00 25 00 6c 00 73 00 28 00 n.!.....%.l.s.(.
29 00 20 00 72 00 65 00 74 00 75 00 72 00 6e 00 ). .r.e.t.u.r.n.
65 00 64 00 20 00 65 00 72 00 72 00 6f 00 72 00 e.d. .e.r.r.o.r.
20 00 25 00 6c 00 75 00 0a 00 00 00 43 00 6f 00 .%.l.u.....C.o.
6d 00 6d 00 61 00 6e 00 64 00 4c 00 69 00 6e 00 m.m.a.n.d.L.i.n.
65 00 54 00 6f 00 41 00 72 00 67 00 76 00 00 00 e.T.o.A.r.g.v...
b9 79 37 9e 00 00 00 00 68 00 00 00 45 54 41 44 .y7.....h...ETAD
10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 ................
00 00 00 00 10 29 40 00 00 00 00 00 00 00 00 00 .....)@.........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
bc 29 00 00 00 00 00 00 00 00 00 00 ee 2a 00 00 .)...........*..
00 20 00 00 fc 29 00 00 00 00 00 00 00 00 00 00 . ...)..........
0a 2b 00 00 40 20 00 00 00 00 00 00 00 00 00 00 .+..@ ..........
00 00 00 00 00 00 00 00 00 00 00 00 04 2a 00 00 .............*..
14 2a 00 00 22 2a 00 00 30 2a 00 00 3c 2a 00 00 .*.."*..0*..<*..
4a 2a 00 00 5a 2a 00 00 6a 2a 00 00 7a 2a 00 00 J*..Z*..j*..z*..
8c 2a 00 00 9e 2a 00 00 b0 2a 00 00 c0 2a 00 00 .*...*...*...*..
d0 2a 00 00 e0 2a 00 00 00 00 00 00 fc 2a 00 00 .*...*.......*..
00 00 00 00 24 05 57 72 69 74 65 43 6f 6e 73 6f ....$.WriteConso
6c 65 57 00 19 01 45 78 69 74 50 72 6f 63 65 73 leW...ExitProces
73 00 52 00 43 6c 6f 73 65 48 61 6e 64 6c 65 00 s.R.CloseHandle.
48 03 4c 6f 63 61 6c 46 72 65 65 00 62 01 46 72 H.LocalFree.b.Fr
65 65 4c 69 62 72 61 72 79 00 54 03 4c 6f 63 6b eeLibrary.T.Lock
52 65 73 6f 75 72 63 65 00 00 41 03 4c 6f 61 64 Resource..A.Load
52 65 73 6f 75 72 63 65 00 00 4e 01 46 69 6e 64 Resource..N.Find
52 65 73 6f 75 72 63 65 57 00 45 02 47 65 74 50 ResourceW.E.GetP
72 6f 63 41 64 64 72 65 73 73 00 00 3e 03 4c 6f rocAddress..>.Lo
61 64 4c 69 62 72 61 72 79 45 78 57 00 00 87 01 adLibraryExW....
47 65 74 43 6f 6d 6d 61 6e 64 4c 69 6e 65 57 00 GetCommandLineW.
02 02 47 65 74 4c 61 73 74 45 72 72 6f 72 00 00 ..GetLastError..
64 02 47 65 74 53 74 64 48 61 6e 64 6c 65 00 00 d.GetStdHandle..
73 04 53 65 74 4c 61 73 74 45 72 72 6f 72 00 00 s.SetLastError..
44 03 4c 6f 63 61 6c 41 6c 6c 6f 63 00 00 4b 45 D.LocalAlloc..KE
52 4e 45 4c 33 32 2e 64 6c 6c 00 00 35 03 77 76 RNEL32.dll..5.wv
73 70 72 69 6e 74 66 57 00 00 55 53 45 52 33 32 sprintfW..USER32
2e 64 6c 6c 00 00 00 00 00 00 00 00 00 00 00 00 .dll............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Decode the dump file PIDGENX.TXT
created in
step 3. to recreate the console application
Product Key Validator:
CERTUTIL.EXE /DecodeHex /V PIDGENX.TXT PIDGENX.COM
Input Length = 21760 Output Length = 5120 CertUtil: -decodehex command completed successfully.
.pol
, are used either to store the
Registry keys and entries (to be) applied by
Group Policies as well as
Local Security Policies, or to restore the previous
contents of Registry keys and entries modified by
Group Policies as well as
Local Security Policies.
The MSDN article Registry Policy File Format documents their format.
The MSKB
article
How to add, modify, or delete registry subkeys and values by using a .reg file
documents the format of Registry Editor script files,
typically created with the extension .reg
.
POLYGLOT.COM [ /MACHINE | /USER ] ‹file name› …
NTUser.pol
and
Registry.pol
files that are (eventually) present on
your machine:
VER
.\POLYGLOT.COM "%USERPROFILE%\NTUser.pol" "%ALLUSERSPROFILE%\NTUser.pol" "%SystemRoot%\System32\GroupPolicy\Machine\Registry.pol" "%SystemRoot%\System32\GroupPolicy\User\Registry.pol"
NET.EXE HelpMsg %ERRORLEVEL%
Net services commands Ver
Microsoft Windows [Version 10.0.19044.2486] Windows Registry Editor Version 5.00 ; Registry Policy File 'C:\Users\Stefan\NTUser.pol' [HKEY_RELATIVE\Software\Policies\Microsoft\Windows\Group Policy Objects\Local Group Policy Objects] '**Comment:GPO Name: Local Group Policy Objects'= [HKEY_RELATIVE\Software\Microsoft\Windows\CurrentVersion\Policies\System] 'LogonHoursAction'=dword:00000002 'DontDisplayLogonHoursWarnings'=dword:00000001 Windows Registry Editor Version 5.00 ; Registry Policy File 'C:\ProgramData\NTUser.pol' [HKEY_RELATIVE\Software\Policies\Microsoft\Windows\Group Policy Objects\Local Group Policy Objects] '**Comment:GPO Name: Local Group Policy Objects'= Windows Registry Editor Version 5.00 ; Registry Policy File 'C:\Windows\System32\GroupPolicy\Machine\Registry.pol' [HKEY_RELATIVE\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer] 'AuthentiCodeFlags'=dword:00000300 [HKEY_RELATIVE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers] 'PolicyScope'=dword:00000001 'TransparentEnabled'=dword:00000002 'ExecutableTypes'=multi:'WSF','WSC','VBS','VBE','VB','TMP','SHS','SCR','PIF','PCD','OCX','MST','MSP','MSI','MDE','MDB','JSE','JS','ISP','INS','HTA','HLP','EXE','DLL','CRT','CPL','COM','CMD','BAT','BAS','AX','ADP','ADE' 'DefaultLevel'=dword:00000000 'Levels'=dword:00071000 'LogFileName'='C:\Windows\System32\LogFiles\SAFER.Log' 'AuthenticodeEnabled'=dword:00000001 [HKEY_RELATIVE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes] @=none: [HKEY_RELATIVE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{191cd7fa-f240-4a17-8986-94d480a6c8ca}] 'LastModified'=qword:01cf68d87b202417 'Description'='' 'SaferFlags'=dword:00000000 'ItemData'=expand:'%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%' [HKEY_RELATIVE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{d2c34ab2-529a-46b2-b293-fc853fce72ea}] 'LastModified'=qword:01cf68d87b202417 'Description'='' 
'SaferFlags'=dword:00000000 'ItemData'=expand:'%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%' [HKEY_RELATIVE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{4fcf2556-cf02-4356-ad71-f82ca93ccd0b}] 'LastModified'=qword:01cf68d979215214 'Description'='' 'SaferFlags'=dword:00000000 'ItemData'=expand:'%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%' [HKEY_RELATIVE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{21c0b260-2d89-4fe0-8275-1c76746b3d2b}] 'LastModified'=qword:01d57587bb48c5c4 'Description'='' 'SaferFlags'=dword:00000000 'ItemData'=expand:'%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir%' CreateFile() returned error 3 for file 'C:\Windows\System32\GroupPolicy\User\Registry.pol' The system cannot find the path specified.
big form with embedded application manifest, version information, icon plus time-stamped digital signature, and POLYGLOT.COM, a
small form without these extras.
Note: due to the design and implementation of
Windows’ (classic alias legacy) console, the
Win32 function
WriteConsole()
can only write to a console, not to a file nor a pipe, i.e.
redirection of standard error
or standard output
is
not supported!
The MSDN article Console Handles provides background information.
Create the text file POLYGLOT.C
with the following
content in an arbitrary, preferably empty directory:
// Copyright © 2004-2023, Stefan Kanthak <stefan.kanthak@nexgo.de>
// * The software is provided "as is" without any warranty, neither express
// nor implied.
// * In no event will the author be held liable for any damage(s) arising
// from the use of the software.
// * Redistribution of the software is allowed only in unmodified form.
// * Permission is granted to use the software solely for personal private
// and non-commercial purposes.
// * An individuals use of the software in his or her capacity or function
// as an agent, (independent) contractor, employee, member or officer of
// a business, corporation or organization (commercial or non-commercial)
// does not qualify as personal private and non-commercial purpose.
// * Without written approval from the author the software must not be used
// for a business, for commercial, corporate, governmental, military or
// organizational purposes of any kind, or in a commercial, corporate,
// governmental, military or organizational environment of any kind.
#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <shellapi.h>
#define REGFILE_SIGNATURE 'geRP'
#define REGISTRY_FILE_VERSION 1UL
typedef unsigned long long QWORD, *LPQWORD;
// Formats a printf-style wide-character message and writes it to a console.
//
// hConsole   handle passed unchanged to WriteConsole()
// lpFormat   wvsprintf() format string; the calls visible in this file pass
//            string literals only, and it should stay that way: data read
//            from a file or the command line belongs in the arguments,
//            never in the format string
//
// Returns TRUE only when the formatted text is not empty and WriteConsole()
// reports having written all of its characters; FALSE otherwise.
//
// wvsprintf() takes no buffer length, so the only bound on the stack buffer
// is that API's own documented output limit of 1024, which the array size
// mirrors.
// __declspec(safebuffers) suppresses the compiler's /GS buffer security
// check for this function.
// NOTE(review): presumably needed because the program is built without the
// runtime library that provides the support code for that check - confirm;
// as a result nothing detects an overrun of the buffer at run time.
__declspec(safebuffers)
BOOL PrintConsole(HANDLE hConsole, [SA_FormatString(Style="printf")] LPCWSTR lpFormat, ...)
{
    WCHAR   szText[1024];
    DWORD   cchText;
    DWORD   cchWritten;
    va_list vaArgs;

    va_start(vaArgs, lpFormat);
    cchText = wvsprintf(szText, lpFormat, vaArgs);
    va_end(vaArgs);

    // an empty result and a failed write are both reported as FALSE
    if ((cchText != 0)
     && WriteConsole(hConsole, szText, cchText, &cchWritten, NULL))
        return cchWritten == cchText;

    return FALSE;
}
// Display names of the predefined registry root keys.  Polyglot() (when
// built with REGISTRY defined) selects an entry with
// (DWORD) hkHKEY ^ (DWORD) HKEY_CLASSES_ROOT, so the order of the entries
// must not change.
// NOTE(review): that index is not range-checked where it is computed; a
// handle outside the 8 predefined roots would read past this table - confirm
// that callers pass predefined root keys only.
const LPCWSTR szHKEY[8] =
{
    L"HKEY_CLASSES_ROOT",                   // index 0
    L"HKEY_CURRENT_USER",                   // index 1
    L"HKEY_LOCAL_MACHINE",                  // index 2
    L"HKEY_USERS",                          // index 3
    L"HKEY_PERFORMANCE_DATA",               // index 4
    L"HKEY_CURRENT_CONFIG",                 // index 5
    L"HKEY_DYN_DATA",                       // index 6
    L"HKEY_CURRENT_USER_LOCAL_SETTINGS"     // index 7
};

// Names of the registry data types, one per type code 0 to 11 in the order
// of the REG_* constants.  Its use is not visible in this part of the file.
const LPCWSTR szTYPE[12] =
{
    L"NONE",                                // 0
    L"SZ",                                  // 1
    L"EXPAND_SZ",                           // 2
    L"BINARY",                              // 3
    L"DWORD",                               // 4, alias DWORD_LITTLE_ENDIAN
    L"DWORD_BIG_ENDIAN",                    // 5
    L"LINK",                                // 6
    L"MULTI_SZ",                            // 7
    L"RESOURCE_LIST",                       // 8
    L"FULL_RESOURCE_DESCRIPTOR",            // 9
    L"RESOURCE_REQUIREMENTS_LIST",          // 10
    L"QWORD"                                // 11, alias QWORD_LITTLE_ENDIAN
};

// Per-type prefixes in the same order as szTYPE; presumably the text placed
// in front of the data of an entry in the .reg-style listing - confirm
// against the code that prints the data.
// NOTE(review): type codes 4 and 5 share the prefix "dword:", so the prefix
// alone does not tell the two byte orders apart.
const LPCWSTR szType[12] =
{
    L"none:",                               // 0
    L"",                                    // 1
    L"expand:",                             // 2
    L"hex:",                                // 3
    L"dword:",                              // 4
    L"dword:",                              // 5
    L"link:",                               // 6
    L"multi:",                              // 7
    L"hex(8):",                             // 8
    L"hex(9):",                             // 9
    L"hex(a):",                             // 10
    L"qword:"                               // 11
};
DWORD WINAPI Polyglot(HANDLE hConsole, HKEY hkHKEY, LPCWSTR lpArgument)
{
#ifdef REGISTRY
LPCWSTR lpHKEY = szHKEY[(DWORD) hkHKEY ^ (DWORD) HKEY_CLASSES_ROOT];
HKEY hkKey;
BYTE cbData[65536];
#endif
HANDLE hInput;
DWORD dwInput;
LPCWSTR lpInput;
WCHAR cwInput;
HANDLE hPolicy;
DWORD dwPolicy;
LPDWORD lpPolicy;
LPCWSTR lpKey, lpValue, lpData, lp;
DWORD dwKey, dwValue, dwData, dwType, dwSize;
DWORD dwError = ERROR_SUCCESS;
hInput = CreateFile(lpArgument,
FILE_READ_DATA,
FILE_SHARE_READ,
(LPSECURITY_ATTRIBUTES) NULL,
OPEN_EXISTING,
FILE_FLAG_SEQUENTIAL_SCAN,
(HANDLE) NULL);
if (hInput == INVALID_HANDLE_VALUE)
PrintConsole(hConsole,
L"CreateFile() returned error %lu for file \'%ls\'\n",
dwError = GetLastError(), lpArgument);
else
{
dwInput = GetFileSize(hInput, (LPDWORD) NULL);
if (dwInput == INVALID_FILE_SIZE)
PrintConsole(hConsole,
L"GetFileSize() returned error %lu for file \'%ls\'\n",
dwError = GetLastError(), lpArgument);
else
{
hPolicy = CreateFileMapping(hInput,
(LPSECURITY_ATTRIBUTES) NULL,
PAGE_READONLY,
0, 0,
(LPCWSTR) NULL);
if (hPolicy == NULL)
PrintConsole(hConsole,
L"CreateFileMapping() returned error %lu for file \'%ls\'\n",
dwError = GetLastError(), lpArgument);
else
{
lpPolicy = MapViewOfFile(hPolicy,
FILE_MAP_READ,
0, 0,
(SIZE_T) 0);
if (lpPolicy == NULL)
PrintConsole(hConsole,
L"MapViewOfFile() returned error %lu for file \'%ls\'\n",
dwError = GetLastError(), lpArgument);
else
{
if ((lpPolicy[0] != REGFILE_SIGNATURE)
|| (lpPolicy[1] != REGISTRY_FILE_VERSION))
PrintConsole(hConsole,
L"Signature \'PReg\\1\\0\\0\\0\' missing in file \'%ls\'!\n",
lpArgument);
else
{
PrintConsole(hConsole,
L"Windows Registry Editor Version 5.00\n"
L"\n"
L"; Registry Policy File \'%ls\'\n",
lpArgument);
// L'[' key L']'
// L'[' key L';' value L';' type L';' size L';' data L']'
// L'[' key L';' L"**Del." value L';' type L';' size L';' data L']'
// L'[' key L';' L"**DeleteKeys" { L';' key } ... L']'
// L'[' key L';' L"**DeleteVals" L']'
// L'[' key L';' L"**DeleteValues" { L';' value } ... L']'
// L'[' key L';' L"**SecureKey=0" L']'
// L'[' key L';' L"**SecureKey=1" L']'
//
// WCHAR key[] NUL-terminated path of registry key beneath
// HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER
//
// WCHAR value[] NUL-terminated name of registry entry
//
// DWORD type registry data type
//
// DWORD size size of registry data in bytes
//
// BYTE data[] registry data
lpInput = (LPCWSTR) (lpPolicy + 2);
lpKey = NULL;
dwKey = 0;
dwPolicy = dwInput;
while ((LPBYTE) lpInput < (LPBYTE) lpPolicy + dwPolicy)
{
if (*lpInput++ != L'[')
break;
dwInput = wcslen(lpInput);
if ((dwKey == 0)
|| (dwKey != dwInput)
|| (memcmp(lpInput, lpKey, dwKey * sizeof(L'\0')) != 0))
PrintConsole(hConsole,
L"\n"
L"[HKEY_RELATIVE\\%ls]\n",
lpInput);
lpKey = lpInput;
dwKey = dwInput;
lpInput += dwInput + 1;
cwInput = *lpInput++;
if (cwInput == L']')
continue;
if (cwInput != L';')
break;
lpValue = lpInput;
dwValue = wcslen(lpInput);
lpInput += dwValue + 1;
if ((dwValue == sizeof("**securekey=1") - 1)
&& ((memcmp(lpValue, L"**securekey=1", sizeof(L"**securekey=1") - sizeof(L"")) == 0)
|| (memcmp(lpValue, L"**SecureKey=1", sizeof(L"**securekey=1") - sizeof(L"")) == 0)))
{
PrintConsole(hConsole,
L"; SecureKey=1\n");
if (*lpInput++ != L']')
break;
}
else if ((dwValue == sizeof("**securekey=0") - 1)
&& ((memcmp(lpValue, L"**securekey=0", sizeof(L"**securekey=0") - sizeof(L"")) == 0)
|| (memcmp(lpValue, L"**SecureKey=0", sizeof(L"**securekey=0") - sizeof(L"")) == 0)))
{
PrintConsole(hConsole,
L"; SecureKey=0\n");
if (*lpInput++ != L']')
break;
}
else if ((dwValue == sizeof("**deletevals") - 1)
&& ((memcmp(lpValue, L"**deletevals", sizeof(L"**deletevals") - sizeof(L"")) == 0)
|| (memcmp(lpValue, L"**Deletevals", sizeof(L"**Deletevals") - sizeof(L"")) == 0)))
{
PrintConsole(hConsole,
L"*=-\n");
if (*lpInput++ != L']')
break;
}
else if ((dwValue == sizeof("**deletevalues") - 1)
&& ((memcmp(lpValue, L"**deletevalues", sizeof(L"**deletevalues") - sizeof(L"")) == 0)
|| (memcmp(lpValue, L"**Deletevalues", sizeof(L"**Deletevalues") - sizeof(L"")) == 0)))
{
while (*lpInput == L';')
{
PrintConsole(hConsole,
L"\'%ls\'=-\n",
++lpInput);
lpInput += wcslen(lpInput) + 1;
}
if (*lpInput++ != L']')
break;
}
else if ((dwValue == sizeof("**deletekeys") - 1)
&& ((memcmp(lpValue, L"**deletekeys", sizeof(L"**deletekeys") - sizeof(L"")) == 0)
|| (memcmp(lpValue, L"**Deletekeys", sizeof(L"**Deletekeys") - sizeof(L"")) == 0)))
{
while (*lpInput == L';')
{
PrintConsole(hConsole,
L"[-HKEY_RELATIVE\\%ls\\%ls]\n",
lpKey, ++lpInput);
lpInput += wcslen(lpInput) + 1;
}
if (*lpInput++ != L']')
break;
}
else
{
if ((dwValue > sizeof("**del."))
&& ((memcmp(lpValue, L"**del.", sizeof(L"**del.") - sizeof(L"")) == 0)
|| (memcmp(lpValue, L"**Del.", sizeof(L"**Del.") - sizeof(L"")) == 0)))
{
lpValue += sizeof("**Del.") - 1;
if (dwValue == sizeof("**Del.") - 1)
PrintConsole(hConsole,
L"@=- ; =");
else
PrintConsole(hConsole,
L"\'%ls\'=- ; =", lpValue);
}
else
if (dwValue == 0)
PrintConsole(hConsole,
L"@=");
else
PrintConsole(hConsole,
L"\'%ls\'=", lpValue);
cwInput = *lpInput++;
if (cwInput == L']')
continue;
if (cwInput != L';')
break;
dwType = *((LPDWORD) lpInput)++;
if (dwType < sizeof(szType) / sizeof(*szType))
PrintConsole(hConsole,
L"%ls", szType[dwType]);
else
PrintConsole(hConsole,
L"hex(%lx):", dwType);
cwInput = *lpInput++;
if (cwInput == L']')
continue;
if (cwInput != L';')
break;
dwSize = *((LPDWORD) lpInput)++;
cwInput = *lpInput++;
if (cwInput == L']')
continue;
if (cwInput != L';')
break;
lpData = lpInput;
(LPBYTE) lpInput += dwSize;
switch (dwType)
{
case REG_SZ:
case REG_EXPAND_SZ:
case REG_LINK:
if (dwSize == 0)
goto NEWLINE;
PrintConsole(hConsole,
L"\'%ls\'\n",
lpData);
dwData = wcslen(lpData);
if (dwSize != (dwData + 1) * sizeof(L'\0'))
PrintConsole(hConsole,
L"Size %lu of REG_%ls value data not equal length %lu of string plus terminating \'NUL\' character!\n",
dwSize, szTYPE[dwType], dwData);
break;
case REG_DWORD_BIG_ENDIAN:
*(LPDWORD) lpData = _byteswap_ulong(*(LPDWORD) lpData);
case REG_DWORD_LITTLE_ENDIAN:
// case REG_DWORD:
PrintConsole(hConsole,
L"%08lx\n",
*(LPDWORD) lpData);
if (dwSize != sizeof(DWORD))
PrintConsole(hConsole,
L"Size %lu of REG_%ls value data not equal \'sizeof(DWORD)\'!\n",
dwSize, szTYPE[dwType]);
break;
case REG_QWORD_LITTLE_ENDIAN:
// case REG_QWORD:
PrintConsole(hConsole,
L"%016I64x\n",
*(LPQWORD) lpData);
if (dwSize != sizeof(QWORD))
PrintConsole(hConsole,
L"Size %lu of REG_QWORD value data not equal \'sizeof(QWORD)\'!\n",
dwSize);
break;
case REG_MULTI_SZ:
if (dwSize == 0)
goto NEWLINE;
for (lp = lpData; (lp < lpInput) && (*lp != L'\0'); lp += wcslen(lp) + 1)
PrintConsole(hConsole,
L",\'%ls\'" + (lp == lpData),
lp);
PrintConsole(hConsole,
L"\n");
if ((lp > lpInput) || (*lp != L'\0'))
PrintConsole(hConsole,
L"REG_MULTI_SZ value data not terminated with extra \'NUL\' character!\n");
else
lp++;
if (lp != lpInput)
PrintConsole(hConsole,
L"Size %lu of REG_MULTI_SZ value data not equal sum of string lengths plus terminating \'NUL\' characters!\n",
dwSize);
break;
// case REG_NONE:
// case REG_BINARY:
// case REG_RESOURCE_LIST:
// case REG_FULL_RESOURCE_DESCRIPTOR:
// case REG_RESOURCE_REQUIREMENTS_LIST:
default:
for (lp = lpData; lp < lpInput; (LPBYTE) lp += 1)
PrintConsole(hConsole,
L",%02x" + (lp == lpData),
*(LPBYTE) lp);
NEWLINE:
PrintConsole(hConsole,
L"\n");
}
#ifdef REGISTRY
if (hkHKEY != HKEY_CLASSES_ROOT)
{
dwError = RegOpenKeyEx(hkHKEY,
lpKey,
REG_OPTION_RESERVED,
KEY_QUERY_VALUE,
&hkKey);
if (dwError != ERROR_SUCCESS)
PrintConsole(hConsole,
L"RegOpenKeyEx() returned error %lu for registry key \'%ls\\%ls\'\n",
dwError, lpHKEY, lpKey);
else
{
dwData = sizeof(cbData);
dwError = RegQueryValueEx(hkKey,
lpValue,
(LPDWORD) NULL,
&dwValue,
cbData,
&dwData);
if (dwError != ERROR_SUCCESS)
PrintConsole(hConsole,
L"RegQueryValueEx() returned error %lu for value \'%ls\' of registry key \'%ls\\%ls\'\n",
dwError, lpValue, lpHKEY, lpKey);
else
if ((dwValue != dwType)
|| (dwData != dwSize)
|| (memcmp(lpData, cbData, dwData) != 0))
PrintConsole(hConsole,
L"MISMATCH: data type, size or value in policy file differs from registry!\n");
dwError = RegCloseKey(hkKey);
if (dwError != ERROR_SUCCESS)
PrintConsole(hConsole,
L"RegCloseKey() returned error %lu for registry key \'%ls\\%ls\'\n",
dwError, lpHKEY, lpKey);
}
}
#endif // REGISTRY
if (*lpInput++ != L']')
break;
}
}
if ((LPBYTE) lpInput != (LPBYTE) lpPolicy + dwPolicy)
PrintConsole(hConsole,
L"Format error in policy file \'%ls\'!\n",
lpArgument);
}
if (!UnmapViewOfFile(lpPolicy))
PrintConsole(hConsole,
L"UnmapViewOfFile() returned error %lu for file \'%ls\'\n",
GetLastError(), lpArgument);
}
if (!CloseHandle(hPolicy))
PrintConsole(hConsole,
L"CloseHandle() returned error %lu for file mapping \'%ls\'\n",
GetLastError(), lpArgument);
}
}
if (!CloseHandle(hInput))
PrintConsole(hConsole,
L"CloseHandle() returned error %lu for file \'%ls\'\n",
GetLastError(), lpArgument);
}
return dwError;
}
// Process entry point (selected with /ENTRY:wmainCRTStartup in the link
// options): splits the command line into arguments, optionally selects the
// registry branch to compare against, runs Polyglot() on every file named
// by the remaining arguments and exits the process with dwError.
//
// REGISTRY  build: an optional first argument '/MACHINE' or '/USER' is accepted.
// WILDCARD  build: every file argument is expanded with FindFirstFile()/FindNextFile().
__declspec(noreturn)
VOID WINAPI wmainCRTStartup(VOID)
{
#ifdef WILDCARD
WIN32_FIND_DATA wfd;
HANDLE hWildCard;
DWORD dwWildCard;
// buffer for the expanded path name: directory part of the argument plus matched file name
WCHAR szWildCard[32768];
LPWSTR lpWildCard;
#endif
LPWSTR *lpArguments;
INT nArguments;
// index of the first file name argument; moved to 2 when an option is given
INT nArgument = 1;
// exit code when no file gets processed at all
DWORD dwError = ERROR_BAD_ARGUMENTS;
// HKEY_CLASSES_ROOT acts as "no registry comparison" marker: the REGISTRY code
// in Polyglot() only queries the registry when hkHKEY differs from it
HKEY hkHKEY = HKEY_CLASSES_ROOT;
// all messages of this function are written through the standard error handle
HANDLE hConsole = GetStdHandle(STD_ERROR_HANDLE);
if (hConsole == INVALID_HANDLE_VALUE)
dwError = GetLastError();
else
{
lpArguments = CommandLineToArgvW(GetCommandLine(), &nArguments);
if (lpArguments == NULL)
PrintConsole(hConsole,
L"CommandLineToArgv() returned error %lu\n",
dwError = GetLastError());
else
{
#ifdef REGISTRY
// wcscmp() compares case-sensitively: only the upper-case spellings
// '/MACHINE' and '/USER' are accepted, any other argument that begins
// with '/' is rejected
if ((nArguments > 1)
&& (*lpArguments[1] == L'/'))
if (wcscmp(lpArguments[1], L"/MACHINE") == 0)
{
hkHKEY = HKEY_LOCAL_MACHINE;
nArgument = 2;
}
else if (wcscmp(lpArguments[1], L"/USER") == 0)
{
hkHKEY = HKEY_CURRENT_USER;
nArgument = 2;
}
else
{
PrintConsole(hConsole,
L"Bad arguments: optional first argument must be \'%ls\' or \'%ls\'!\n",
L"/MACHINE", L"/USER");
// forces the "No arguments" branch below, so no file is processed
// and dwError keeps its initial value ERROR_BAD_ARGUMENTS
nArguments = 0;
}
if (nArguments <= nArgument)
#else
if (nArguments < 2)
#endif
PrintConsole(hConsole,
L"No arguments: at least one \'.pol\' file name must be given!\n");
else
#ifndef WILDCARD
// every remaining argument is taken as file name; dwError keeps only
// the result of the last file
do
dwError = Polyglot(hConsole, hkHKEY, lpArguments[nArgument]);
while (++nArgument < nArguments);
#else
do
{
hWildCard = FindFirstFile(lpArguments[nArgument], &wfd);
if (hWildCard == INVALID_HANDLE_VALUE)
PrintConsole(hConsole,
L"FindFirstFile() returned error %lu for argument \'%ls\'\n",
dwError = GetLastError(), lpArguments[nArgument]);
else
{
// NOTE(review): wcscpy() copies without a length check, here and for the
// matched file name below; the code relies on the argument, and on its
// directory part plus wfd.cFileName, fitting into the 32768 WCHARs of
// szWildCard -- confirm that the callers' path limits guarantee this
wcscpy(szWildCard, lpArguments[nArgument]);
dwWildCard = 0;
lpWildCard = NULL;
// single pass over the copy: remembers the last backslash and leaves the
// length including the terminating NUL in dwWildCard
do
if (szWildCard[dwWildCard] == L'\\')
lpWildCard = szWildCard + dwWildCard;
while (szWildCard[dwWildCard++] != L'\0');
// only a message: an argument longer than MAX_PATH is processed nevertheless
if (dwWildCard > MAX_PATH)
PrintConsole(hConsole,
L"Argument \'%ls\' exceeds MAX_PATH!\n",
lpArguments[nArgument]);
// lpWildCard is set to the position where the file name part begins:
// behind the last backslash, else behind a drive prefix 'X:' if present,
// else at the start of the buffer
if (lpWildCard != NULL)
lpWildCard++;
else
lpWildCard = szWildCard + 2 * (szWildCard[1] == L':');
// dwWildCard is reused as counter of the matched files
dwWildCard = 0;
do
{
// directories are skipped; 'continue' proceeds with FindNextFile()
if ((wfd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) != 0)
continue;
dwWildCard++;
// replaces the wildcard pattern with the name of the matched file
wcscpy(lpWildCard, wfd.cFileName);
dwError = Polyglot(hConsole, hkHKEY, szWildCard);
} while (FindNextFile(hWildCard, &wfd));
// ERROR_NO_MORE_FILES is the regular end of the enumeration.
// NOTE(review): this assignment overwrites the result of Polyglot(), so the
// exit code of the WILDCARD build does not reflect errors reported for
// the files themselves -- confirm that this is intended
dwError = GetLastError();
if (dwError == ERROR_NO_MORE_FILES)
dwError = ERROR_SUCCESS;
else
PrintConsole(hConsole,
L"FindNextFile() returned error %lu for argument \'%ls\'\n",
dwError, lpArguments[nArgument]);
if (dwWildCard == 0)
PrintConsole(hConsole,
L"No match for argument \'%ls\'!\n",
lpArguments[nArgument]);
if (!FindClose(hWildCard))
PrintConsole(hConsole,
L"FindClose() returned error %lu for argument \'%ls\'\n",
GetLastError(), lpArguments[nArgument]);
}
} while (++nArgument < nArguments);
#endif // WILDCARD
// LocalFree() returns NULL on success
if (LocalFree(lpArguments) != NULL)
PrintConsole(hConsole,
L"LocalFree() returned error %lu\n",
GetLastError());
}
if (!CloseHandle(hConsole))
PrintConsole(hConsole,
L"CloseHandle() returned error %lu\n",
GetLastError());
}
ExitProcess(dwError);
}
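Note: with the preprocessor macro REGISTRY defined, an optional /MACHINE or /USER is accepted as first command line argument to compare the settings against the HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER branch of the Registry! The option is matched case-sensitively; for the comparison the keys are opened with KEY_QUERY_VALUE access only, and every difference in type, size or data is reported with a MISMATCH message.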
Note: with the preprocessor macro
WILDCARD
defined, wildcard expansion of matching file
names is performed for the command line arguments!
Run the following four command lines to compile the source file
POLYGLOT.C
created in step 1., link the compiled
object file POLYGLOT.OBJ
and cleanup afterwards:
SET CL=/DREGISTRY /GAFS /Gs69632 /Gy /O1isy /W4 /Zl
SET LINK=/DEFAULTLIB:ADVAPI32.LIB /DEFAULTLIB:KERNEL32.LIB /DEFAULTLIB:SHELL32.LIB /DEFAULTLIB:USER32.LIB /ENTRY:wmainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /OSVERSION:5.0 /RELEASE /STACK:1048576,65536 /SUBSYSTEM:CONSOLE /SWAPRUN:CD,NET /VERSION:0.815
CL.EXE /FePOLYGLOT.COM POLYGLOT.C
ERASE POLYGLOT.OBJ
For details and reference see the MSDN articles Compiler Options and Linker Options.
Note: if necessary, see the
MSDN article
Use the Microsoft C++ toolset from the command line
for an introduction.
Note: the command lines can be copied and pasted as block into a Command Processor window!
Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.
POLYGLOT.C
POLYGLOT.C(313) : warning C4213: nonstandard extension used : cast on l-value
POLYGLOT.C(330) : warning C4213: nonstandard extension used : cast on l-value
POLYGLOT.C(341) : warning C4213: nonstandard extension used : cast on l-value
POLYGLOT.C(425) : warning C4213: nonstandard extension used : cast on l-value
Microsoft (R) Incremental Linker Version 10.00.40219.386
Copyright (C) Microsoft Corporation. All rights reserved.
…
Create the text file POLYGLOT.TXT with the following content in an arbitrary, preferably empty directory (the hex dump is a 32-bit Windows executable image: its first lines show the MZ and PE headers):
4d 5a 90 00 01 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
d0 00 00 00 43 00 00 00 40 00 00 00 00 00 00 00 ....C...@.......
00 00 00 00 19 57 04 27 00 00 00 00 00 00 00 00 .....W.'........
00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 00 ................
28 43 29 6f 70 79 72 69 67 68 74 20 32 30 30 34 (C)opyright 2004
2d 32 30 32 33 2c 20 53 74 65 66 61 6e 20 4b 61 -2023, Stefan Ka
6e 74 68 61 6b 20 3c 73 74 65 66 61 6e 2e 6b 61 nthak <stefan.ka
6e 74 68 61 6b 40 6e 65 78 67 6f 2e 64 65 3e 0d nthak@nexgo.de>.
0a 07 24 0e 1f 33 d2 b4 09 cd 21 b8 01 4c cd 21 ..$..3....!..L.!
50 45 00 00 4c 01 02 00 56 4f 49 44 00 00 00 00 PE..L...VOID....
00 00 00 00 e0 00 23 0d 0b 01 0a 00 00 0c 00 00 ......#.........
00 14 00 00 00 00 00 00 d4 17 00 00 00 10 00 00 ................
00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00 . ....@.........
05 00 00 00 00 00 2f 03 05 00 00 00 00 00 00 00 ....../.........
00 40 00 00 00 02 00 00 ab e3 00 00 03 00 00 85 .@..............
00 00 10 00 00 00 01 00 00 00 10 00 00 10 00 00 ................
00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ................
40 30 00 00 50 00 00 00 00 00 00 00 00 00 00 00 @0..P...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 d8 2f 00 00 40 00 00 00 ........./..@...
00 00 00 00 00 00 00 00 00 20 00 00 54 00 00 00 ......... ..T...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 2e 63 6f 64 65 00 00 00 .........code...
13 0b 00 00 00 10 00 00 00 0c 00 00 00 02 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 ............ ..`
2e 63 6f 6e 73 74 00 00 28 12 00 00 00 20 00 00 .const..(.... ..
00 14 00 00 00 0e 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 ....@..@........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
55 8b ec 81 ec 08 08 00 00 56 8d 45 10 50 ff 75 U........V.E.P.u
0c 8d 85 f8 f7 ff ff 50 ff 15 4c 20 40 00 8b f0 .......P..L @...
85 f6 75 04 33 c0 eb 23 6a 00 8d 45 fc 50 56 8d ..u.3..#j..E.PV.
85 f8 f7 ff ff 50 ff 75 08 ff 15 10 20 40 00 85 .....P.u.... @..
c0 74 e1 33 c0 39 75 fc 0f 94 c0 5e c9 c3 55 8b .t.3.9u....^..U.
ec 81 ec 38 00 01 00 8b 45 0c 53 8b 5d 10 56 57 ...8....E.S.].VW
33 ff 57 68 00 00 00 08 6a 03 57 6a 01 35 00 00 3.Wh....j.Wj.5..
00 80 8b 04 85 4c 23 40 00 6a 01 53 89 45 e4 89 .....L#@.j.S.E..
7d e8 ff 15 2c 20 40 00 8b f0 89 75 c8 83 fe ff }..., @....u....
75 14 ff 15 28 20 40 00 53 8b f0 56 68 2c 2e 40 u...( @.S..Vh,.@
00 e9 ff 06 00 00 57 56 ff 15 24 20 40 00 89 45 ......WV..$ @..E
fc 83 f8 ff 75 19 ff 15 28 20 40 00 53 8b f0 56 ....u...( @.S..V
68 14 2e 40 00 68 c0 2d 40 00 e9 b1 06 00 00 57 h..@.h.-@......W
57 57 6a 02 57 56 ff 15 20 20 40 00 89 45 d4 3b WWj.WV.. @..E.;
c7 75 11 ff 15 28 20 40 00 53 8b f0 56 68 9c 2d .u...( @.S..Vh.-
40 00 eb d1 57 57 57 6a 04 50 ff 15 1c 20 40 00 @...WWWj.P... @.
8b f0 89 75 d8 3b f7 75 24 ff 15 28 20 40 00 53 ...u.;.u$..( @.S
8b f0 56 68 80 2d 40 00 68 c0 2d 40 00 ff 75 08 ..Vh.-@.h.-@..u.
e8 db fe ff ff 83 c4 14 e9 34 06 00 00 81 3e 50 .........4....>P
52 65 67 0f 85 85 06 00 00 83 7e 04 01 0f 85 7b Reg.......~....{
06 00 00 53 68 f8 2c 40 00 ff 75 08 e8 af fe ff ...Sh.,@..u.....
ff 8b 45 fc 03 c6 8d 5e 08 83 c4 0c 89 7d f8 89 ..E....^.....}..
7d f0 89 45 dc 3b d8 0f 83 ad 05 00 00 eb 02 33 }..E.;.........3
ff 66 8b 03 83 c3 02 66 83 f8 5b 0f 85 99 05 00 .f.....f..[.....
00 8b c3 8d 50 02 66 8b 08 83 c0 02 66 3b cf 75 ....P.f.....f;.u
f5 2b c2 d1 f8 89 45 fc 39 7d f0 74 15 39 45 f0 .+....E.9}.t.9E.
75 10 8b 4d f0 8b 7d f8 03 c9 8b f3 33 c0 f3 a6 u..M..}.....3...
74 11 53 68 c8 2c 40 00 ff 75 08 e8 40 fe ff ff t.Sh.,@..u..@...
83 c4 0c 8b 45 fc 89 5d f8 8d 5c 43 02 89 45 f0 ....E..]..\C..E.
0f b7 03 83 c3 02 83 f8 5d 0f 84 32 05 00 00 83 ........]..2....
f8 3b 0f 85 32 05 00 00 8b d3 8b c3 89 55 f4 8d .;..2........U..
70 02 66 8b 08 83 c0 02 66 85 c9 75 f5 2b c6 d1 p.f.....f..u.+..
f8 6a 0d 59 89 45 ec 8d 5c 43 02 3b c1 75 60 bf .j.Y.E..\C.;.u`.
ac 2c 40 00 8b f2 33 c0 66 f3 a7 74 11 6a 0d 59 .,@...3.f..t.j.Y
bf 90 2c 40 00 8b f2 33 c0 66 f3 a7 75 14 68 70 ..,@...3.f..u.hp
2c 40 00 ff 75 08 e8 c5 fd ff ff 59 59 e9 c3 04 ,@..u......YY...
00 00 6a 0d 59 bf 54 2c 40 00 8b f2 33 c0 66 f3 ..j.Y.T,@...3.f.
a7 74 15 6a 0d 59 bf 38 2c 40 00 8b f2 33 c0 66 .t.j.Y.8,@...3.f
f3 a7 0f 85 fa 00 00 00 68 18 2c 40 00 eb c4 83 ........h.,@....
f8 0c 75 27 6a 06 59 bf fc 2b 40 00 8b f2 33 c0 ..u'j.Y..+@...3.
f3 a7 74 10 6a 06 59 bf e0 2b 40 00 8b f2 33 c0 ..t.j.Y..+@...3.
f3 a7 75 6d 68 d4 2b 40 00 eb 98 83 f8 0e 0f 85 ..umh.+@........
b9 00 00 00 6a 07 59 bf b4 2b 40 00 8b f2 33 c0 ....j.Y..+@...3.
f3 a7 74 42 6a 07 59 bf 94 2b 40 00 8b f2 33 c0 ..tBj.Y..+@...3.
f3 a7 0f 85 9a 00 00 00 eb 2c 83 c3 02 53 68 80 .........,...Sh.
2b 40 00 ff 75 08 e8 25 fd ff ff 8b c3 83 c4 0c +@..u..%........
8d 50 02 66 8b 08 83 c0 02 66 85 c9 75 f5 2b c2 .P.f.....f..u.+.
d1 f8 8d 5c 43 02 66 83 3b 3b 74 ce e9 04 04 00 ...\C.f.;;t.....
00 6a 06 59 bf 64 2b 40 00 8b f2 33 c0 f3 a7 74 .j.Y.d+@...3...t
41 6a 06 59 bf 48 2b 40 00 8b f2 33 c0 f3 a7 75 Aj.Y.H+@...3...u
41 eb 2f 83 c3 02 53 ff 75 f8 68 14 2b 40 00 ff A./...S.u.h.+@..
75 08 e8 c9 fc ff ff 8b c3 83 c4 10 8d 48 02 66 u............H.f
8b 10 83 c0 02 66 85 d2 75 f5 2b c1 d1 f8 8d 5c .....f..u.+....\
43 02 66 83 3b 3b 74 cb e9 a8 03 00 00 83 f8 07 C.f.;;t.........
76 40 6a 03 59 bf 04 2b 40 00 8b f2 33 c0 f3 a7 v@j.Y..+@...3...
74 10 6a 03 59 bf f4 2a 40 00 8b f2 33 c0 f3 a7 t.j.Y..*@...3...
75 1d 83 c2 0c 83 7d ec 06 89 55 f4 75 07 68 e4 u.....}...U.u.h.
2a 40 00 eb 16 ff 75 f4 68 cc 2a 40 00 eb 20 8b *@....u.h.*@.. .
45 ec 85 c0 75 11 68 c4 2a 40 00 ff 75 08 e8 4d E...u.h.*@..u..M
fc ff ff 59 59 eb 13 ff 75 f4 68 b4 2a 40 00 ff ...YY...u.h.*@..
75 08 e8 39 fc ff ff 83 c4 0c 0f b7 03 83 c3 02 u..9............
83 f8 5d 0f 84 38 03 00 00 83 f8 3b 0f 85 38 03 ..]..8.....;..8.
00 00 8b 03 89 45 fc 83 f8 0c 73 0e ff 34 85 9c .....E....s..4..
23 40 00 68 ac 2a 40 00 eb 06 50 68 98 2a 40 00 #@.h.*@...Ph.*@.
ff 75 08 e8 f8 fb ff ff 0f b7 43 04 83 c4 0c 83 .u........C.....
c3 06 83 f8 5d 0f 84 f6 02 00 00 83 f8 3b 0f 85 ....]........;..
f6 02 00 00 0f b7 43 04 8b 3b 83 c3 06 89 7d d0 ......C..;....}.
83 f8 5d 0f 84 d8 02 00 00 83 f8 3b 0f 85 d8 02 ..]........;....
00 00 8b 45 fc 8b f3 03 df 85 c0 0f 84 8a 01 00 ...E............
00 83 f8 02 0f 86 2b 01 00 00 83 f8 04 0f 84 e7 ......+.........
00 00 00 83 f8 05 0f 84 d8 00 00 00 83 f8 06 0f ................
84 10 01 00 00 83 f8 07 74 3d 83 f8 0b 0f 85 58 ........t=.....X
01 00 00 ff 76 04 ff 36 68 84 2a 40 00 ff 75 08 ....v..6h.*@..u.
e8 6b fb ff ff 83 c4 10 83 ff 08 0f 84 8b 01 00 .k..............
00 57 68 08 2a 40 00 ff 75 08 e8 51 fb ff ff 83 .Wh.*@..u..Q....
c4 0c e9 75 01 00 00 85 ff 0f 84 5e 01 00 00 8b ...u.......^....
fe 3b f3 73 3d 66 83 3f 00 74 37 33 c0 3b fe 0f .;.s=f.?.t73.;..
94 c0 57 8d 04 45 f4 29 40 00 50 ff 75 08 e8 1d ..W..E.)@.P.u...
fb ff ff 8b c7 83 c4 0c 8d 50 02 66 8b 08 83 c0 .........P.f....
02 66 85 c9 75 f5 2b c2 d1 f8 8d 7c 47 02 3b fb .f..u.+....|G.;.
72 c3 68 f0 29 40 00 ff 75 08 e8 f1 fa ff ff 59 r.h.)@..u......Y
59 3b fb 77 0b 66 83 3f 00 75 05 83 c7 02 eb 0f Y;.w.f.?.u......
68 68 29 40 00 ff 75 08 e8 d3 fa ff ff 59 59 3b hh)@..u......YY;
fb 0f 84 f5 00 00 00 ff 75 d0 68 98 28 40 00 e9 ........u.h.(@..
63 ff ff ff 8b 06 0f c8 89 06 ff 36 68 88 28 40 c..........6h.(@
00 ff 75 08 e8 a7 fa ff ff 83 c4 0c 83 ff 04 0f ..u.............
84 c7 00 00 00 8b 45 fc ff 34 85 6c 23 40 00 57 ......E..4.l#@.W
68 10 28 40 00 ff 75 08 e8 83 fa ff ff 83 c4 10 h.(@..u.........
e9 a7 00 00 00 85 ff 0f 84 90 00 00 00 56 68 fc .............Vh.
27 40 00 ff 75 08 e8 65 fa ff ff 8b c6 83 c4 0c '@..u..e........
8d 50 02 66 8b 08 83 c0 02 66 85 c9 75 f5 2b c2 .P.f.....f..u.+.
d1 f8 8d 4c 00 02 89 45 e0 3b f9 74 6f 50 8b 45 ...L...E.;.toP.E
fc ff 34 85 6c 23 40 00 57 68 38 27 40 00 ff 75 ..4.l#@.Wh8'@..u
08 e8 2a fa ff ff 83 c4 14 eb 51 8b fe 3b f3 73 ..*.......Q..;.s
3c 0f b6 07 8b c8 c1 e8 04 0f b7 04 45 14 27 40 <...........E.'@
00 83 e1 0f 0f b7 0c 4d 14 27 40 00 51 50 33 c0 .......M.'@.QP3.
3b fe 0f 94 c0 8d 04 45 04 27 40 00 50 ff 75 08 ;......E.'@.P.u.
e8 eb f9 ff ff 83 c4 10 47 3b fb 72 c4 68 f0 29 ........G;.r.h.)
40 00 ff 75 08 e8 d6 f9 ff ff 59 59 81 7d 0c 00 @..u......YY.}..
00 00 80 0f 84 cc 00 00 00 8d 45 cc 50 6a 01 6a ..........E.Pj.j
00 ff 75 f8 ff 75 0c ff 15 04 20 40 00 89 45 e8 ..u..u.... @..E.
85 c0 74 11 ff 75 f8 ff 75 e4 50 68 e8 26 40 00 ..t..u..u.Ph.&@.
e9 90 00 00 00 8d 45 e0 50 8d 85 c8 ff fe ff 50 ......E.P......P
8d 45 ec 50 6a 00 ff 75 f4 c7 45 e0 00 00 01 00 .E.Pj..u..E.....
ff 75 cc ff 15 00 20 40 00 85 c0 74 21 ff 75 f8 .u.... @...t!.u.
ff 75 e4 ff 75 f4 50 68 c8 26 40 00 68 40 26 40 .u..u.Ph.&@.h@&@
00 ff 75 08 e8 57 f9 ff ff 83 c4 1c eb 2b 8b 45 ..u..W.......+.E
fc 39 45 ec 75 14 8b 4d e0 3b 4d d0 75 0c 8d bd .9E.u..M.;M.u...
c8 ff fe ff 33 c0 f3 a6 74 0f 68 a8 25 40 00 ff ....3...t.h.%@..
75 08 e8 29 f9 ff ff 59 59 ff 75 cc ff 15 08 20 u..)...YY.u....
40 00 89 45 e8 85 c0 74 1c ff 75 f8 ff 75 e4 50 @..E...t..u..u.P
68 8c 25 40 00 68 20 25 40 00 ff 75 08 e8 fe f8 h.%@.h %@..u....
ff ff 83 c4 18 66 8b 03 83 c3 02 66 83 f8 5d 75 .....f.....f..]u
09 3b 5d dc 0f 82 55 fa ff ff 3b 5d dc 8b 5d 10 .;]...U...;]..].
74 11 53 68 d8 24 40 00 ff 75 08 e8 d0 f8 ff ff t.Sh.$@..u......
83 c4 0c 8b 75 d8 56 ff 15 18 20 40 00 85 c0 75 ....u.V... @...u
1d 53 ff 15 28 20 40 00 50 68 b4 24 40 00 68 c0 .S..( @.Ph.$@.h.
2d 40 00 ff 75 08 e8 a5 f8 ff ff 83 c4 14 8b 75 -@..u..........u
e8 ff 75 d4 ff 15 14 20 40 00 85 c0 75 1d 53 ff ..u.... @...u.S.
15 28 20 40 00 50 68 9c 24 40 00 68 38 24 40 00 .( @.Ph.$@.h8$@.
ff 75 08 e8 78 f8 ff ff 83 c4 14 ff 75 c8 ff 15 .u..x.......u...
14 20 40 00 85 c0 75 1d 53 ff 15 28 20 40 00 50 . @...u.S..( @.P
68 9c 24 40 00 68 c0 2d 40 00 ff 75 08 e8 4e f8 h.$@.h.-@..u..N.
ff ff 83 c4 14 5f 8b c6 5e 5b c9 c2 0c 00 53 68 ....._..^[....Sh
d0 23 40 00 ff 75 08 e8 34 f8 ff ff 83 c4 0c e9 .#@..u..4.......
62 ff ff ff 55 8b ec 83 ec 18 53 56 33 f6 46 6a b...U.....SV3.Fj
f4 89 75 f0 c7 45 f4 a0 00 00 00 c7 45 ec 00 00 ..u..E......E...
00 80 ff 15 3c 20 40 00 89 45 fc 83 f8 ff 75 0e ....< @..E....u.
ff 15 28 20 40 00 89 45 f4 e9 63 01 00 00 8d 45 ..( @..E..c....E
f8 50 ff 15 38 20 40 00 50 e8 5d 01 00 00 89 45 .P..8 @.P.]....E
e8 85 c0 75 14 ff 15 28 20 40 00 50 89 45 f4 68 ...u...( @.P.E.h
a8 2f 40 00 e9 ff 00 00 00 39 75 f8 0f 86 ce 00 ./@......9u.....
00 00 8b 40 04 66 83 38 2f 0f 85 9d 00 00 00 bb ...@.f.8/.......
94 2f 40 00 8b d3 8b c8 66 8b 31 66 3b 32 75 1e ./@.....f.1f;2u.
66 85 f6 74 15 66 8b 71 02 66 3b 72 02 75 0f 83 f..t.f.q.f;r.u..
c1 04 83 c2 04 66 85 f6 75 de 33 c9 eb 05 1b c9 .....f..u.3.....
83 d9 ff 85 c9 75 09 c7 45 ec 02 00 00 80 eb 3d .....u..E......=
be 88 2f 40 00 8b ce 66 8b 10 66 3b 11 75 1e 66 ../@...f..f;.u.f
85 d2 74 15 66 8b 50 02 66 3b 51 02 75 0f 83 c0 ..t.f.P.f;Q.u...
04 83 c1 04 66 85 d2 75 de 33 c0 eb 05 1b c0 83 ....f..u.3......
d8 ff 85 c0 75 10 c7 45 ec 01 00 00 80 c7 45 f0 ....u..E......E.
02 00 00 00 eb 16 56 53 68 08 2f 40 00 ff 75 fc ......VSh./@..u.
e8 1b f7 ff ff 83 c4 10 83 65 f8 00 8b 75 f0 39 .........e...u.9
75 f8 76 1c 8b 45 e8 ff 34 b0 ff 75 ec ff 75 fc u.v..E..4..u..u.
e8 49 f7 ff ff 46 89 45 f4 3b 75 f8 72 e6 eb 0f .I...F.E.;u.r...
68 90 2e 40 00 ff 75 fc e8 e3 f6 ff ff 59 59 ff h..@..u......YY.
75 e8 ff 15 34 20 40 00 85 c0 74 1c ff 15 28 20 u...4 @...t...(
40 00 50 68 78 2e 40 00 68 44 2e 40 00 ff 75 fc @.Phx.@.hD.@..u.
e8 bb f6 ff ff 83 c4 10 ff 75 fc ff 15 14 20 40 .........u.... @
00 85 c0 75 1c ff 15 28 20 40 00 50 68 9c 24 40 ...u...( @.Ph.$@
00 68 44 2e 40 00 ff 75 fc e8 92 f6 ff ff 83 c4 .hD.@..u........
10 ff 75 f4 ff 15 30 20 40 00 cc 55 8b ec 51 8b ..u...0 @..U..Q.
45 08 53 56 33 f6 57 8b f8 89 75 08 89 75 fc 39 E.SV3.W...u..u.9
75 0c 0f 84 6a 01 00 00 3b c6 0f 84 62 01 00 00 u...j...;...b...
0f b7 08 66 3b ce 0f 84 56 01 00 00 83 f9 20 74 ...f;...V..... t
0a 83 f9 09 74 05 33 db 43 eb 02 33 db 39 75 08 ....t.3.C..3.9u.
75 2b 66 83 f9 20 74 06 66 83 f9 09 75 1f 89 75 u+f.. t.f...u..u
fc 83 c0 02 0f b7 08 83 f9 20 74 f5 83 f9 09 74 ......... t....t
f0 33 c9 66 39 30 0f 95 c1 03 d9 eb 23 66 83 f9 .3.f90......#f..
5c 75 06 83 75 fc 01 eb 14 39 75 fc 75 0c 66 83 \u..u....9u.u.f.
f9 22 75 06 83 75 08 01 eb 03 89 75 fc 83 c0 02 ."u..u.....u....
0f b7 08 66 3b ce 75 a5 2b c7 83 c0 02 d1 f8 8d ...f;.u.+.......
44 58 02 03 c0 50 6a 40 ff 15 44 20 40 00 8b f0 DX...Pj@..D @...
33 d2 3b f2 0f 84 d0 00 00 00 8d 44 9e 04 33 db 3.;........D..3.
89 06 89 55 08 89 5d fc 83 7d 08 00 75 34 0f b7 ...U..]..}..u4..
0f 83 f9 20 74 05 83 f9 09 75 27 33 d2 33 c9 66 ... t....u'3.3.f
89 08 83 c7 02 0f b7 0f 83 f9 20 74 f5 83 f9 09 .......... t....
74 f0 66 39 17 74 71 43 8b c7 89 5d fc 89 3c 9e t.f9.tqC...]..<.
eb 5c 0f b7 0f 83 f9 5c 75 03 42 eb 48 83 f9 22 .\.....\u.B.H.."
75 41 6a 02 8d 5a 01 d1 eb 59 f7 db 03 f9 8d 04 uAj..Z...Y......
58 f6 c2 01 74 0a 6a 22 5a 66 89 10 03 c1 eb 1c X...t.j"Zf......
83 7d 08 00 74 12 66 83 3f 22 75 0c 6a 22 5a 66 .}..t.f.?"u.j"Zf
89 10 03 c1 03 f9 eb 04 83 75 08 01 8b 5d fc 33 .........u...].3
d2 eb 0b 33 d2 66 89 08 83 c0 02 83 c7 02 66 83 ...3.f........f.
3f 00 0f 85 60 ff ff ff 33 c9 43 66 89 08 21 0c ?...`...3.Cf..!.
9e 8b 45 0c 89 18 39 4d 08 74 0f 68 a0 00 00 00 ..E...9M.t.h....
eb 02 6a 57 ff 15 40 20 40 00 5f 8b c6 5e 5b c9 ..jW..@ @._..^[.
c2 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
f2 30 00 00 06 31 00 00 e4 30 00 00 00 00 00 00 .0...1...0......
24 31 00 00 34 31 00 00 42 31 00 00 54 31 00 00 $1..41..B1..T1..
64 31 00 00 7a 31 00 00 88 31 00 00 98 31 00 00 d1..z1...1...1..
a6 31 00 00 b4 31 00 00 c0 31 00 00 d2 31 00 00 .1...1...1...1..
e2 31 00 00 f2 31 00 00 00 00 00 00 0e 32 00 00 .1...1.......2..
00 00 00 00 00 00 00 00 71 00 77 00 6f 00 72 00 ........q.w.o.r.
64 00 3a 00 00 00 00 00 68 00 65 00 78 00 28 00 d.:.....h.e.x.(.
61 00 29 00 3a 00 00 00 68 00 65 00 78 00 28 00 a.).:...h.e.x.(.
39 00 29 00 3a 00 00 00 68 00 65 00 78 00 28 00 9.).:...h.e.x.(.
38 00 29 00 3a 00 00 00 6d 00 75 00 6c 00 74 00 8.).:...m.u.l.t.
69 00 3a 00 00 00 00 00 6c 00 69 00 6e 00 6b 00 i.:.....l.i.n.k.
3a 00 00 00 64 00 77 00 6f 00 72 00 64 00 3a 00 :...d.w.o.r.d.:.
00 00 00 00 68 00 65 00 78 00 3a 00 00 00 00 00 ....h.e.x.:.....
65 00 78 00 70 00 61 00 6e 00 64 00 3a 00 00 00 e.x.p.a.n.d.:...
00 00 00 00 6e 00 6f 00 6e 00 65 00 3a 00 00 00 ....n.o.n.e.:...
51 00 57 00 4f 00 52 00 44 00 00 00 52 00 45 00 Q.W.O.R.D...R.E.
53 00 4f 00 55 00 52 00 43 00 45 00 5f 00 52 00 S.O.U.R.C.E._.R.
45 00 51 00 55 00 49 00 52 00 45 00 4d 00 45 00 E.Q.U.I.R.E.M.E.
4e 00 54 00 53 00 5f 00 4c 00 49 00 53 00 54 00 N.T.S._.L.I.S.T.
00 00 00 00 46 00 55 00 4c 00 4c 00 5f 00 52 00 ....F.U.L.L._.R.
45 00 53 00 4f 00 55 00 52 00 43 00 45 00 5f 00 E.S.O.U.R.C.E._.
44 00 45 00 53 00 43 00 52 00 49 00 50 00 54 00 D.E.S.C.R.I.P.T.
4f 00 52 00 00 00 00 00 52 00 45 00 53 00 4f 00 O.R.....R.E.S.O.
55 00 52 00 43 00 45 00 5f 00 4c 00 49 00 53 00 U.R.C.E._.L.I.S.
54 00 00 00 4d 00 55 00 4c 00 54 00 49 00 5f 00 T...M.U.L.T.I._.
53 00 5a 00 00 00 00 00 4c 00 49 00 4e 00 4b 00 S.Z.....L.I.N.K.
00 00 00 00 44 00 57 00 4f 00 52 00 44 00 5f 00 ....D.W.O.R.D._.
42 00 49 00 47 00 5f 00 45 00 4e 00 44 00 49 00 B.I.G._.E.N.D.I.
41 00 4e 00 00 00 00 00 44 00 57 00 4f 00 52 00 A.N.....D.W.O.R.
44 00 00 00 42 00 49 00 4e 00 41 00 52 00 59 00 D...B.I.N.A.R.Y.
00 00 00 00 45 00 58 00 50 00 41 00 4e 00 44 00 ....E.X.P.A.N.D.
5f 00 53 00 5a 00 00 00 53 00 5a 00 00 00 00 00 _.S.Z...S.Z.....
4e 00 4f 00 4e 00 45 00 00 00 00 00 00 00 00 00 N.O.N.E.........
48 00 4b 00 45 00 59 00 5f 00 43 00 55 00 52 00 H.K.E.Y._.C.U.R.
52 00 45 00 4e 00 54 00 5f 00 55 00 53 00 45 00 R.E.N.T._.U.S.E.
52 00 5f 00 4c 00 4f 00 43 00 41 00 4c 00 5f 00 R._.L.O.C.A.L._.
53 00 45 00 54 00 54 00 49 00 4e 00 47 00 53 00 S.E.T.T.I.N.G.S.
00 00 00 00 48 00 4b 00 45 00 59 00 5f 00 44 00 ....H.K.E.Y._.D.
59 00 4e 00 5f 00 44 00 41 00 54 00 41 00 00 00 Y.N._.D.A.T.A...
48 00 4b 00 45 00 59 00 5f 00 43 00 55 00 52 00 H.K.E.Y._.C.U.R.
52 00 45 00 4e 00 54 00 5f 00 43 00 4f 00 4e 00 R.E.N.T._.C.O.N.
46 00 49 00 47 00 00 00 48 00 4b 00 45 00 59 00 F.I.G...H.K.E.Y.
5f 00 50 00 45 00 52 00 46 00 4f 00 52 00 4d 00 _.P.E.R.F.O.R.M.
41 00 4e 00 43 00 45 00 5f 00 44 00 41 00 54 00 A.N.C.E._.D.A.T.
41 00 00 00 48 00 4b 00 45 00 59 00 5f 00 55 00 A...H.K.E.Y._.U.
53 00 45 00 52 00 53 00 00 00 00 00 48 00 4b 00 S.E.R.S.....H.K.
45 00 59 00 5f 00 4c 00 4f 00 43 00 41 00 4c 00 E.Y._.L.O.C.A.L.
5f 00 4d 00 41 00 43 00 48 00 49 00 4e 00 45 00 _.M.A.C.H.I.N.E.
00 00 00 00 48 00 4b 00 45 00 59 00 5f 00 43 00 ....H.K.E.Y._.C.
55 00 52 00 52 00 45 00 4e 00 54 00 5f 00 55 00 U.R.R.E.N.T._.U.
53 00 45 00 52 00 00 00 48 00 4b 00 45 00 59 00 S.E.R...H.K.E.Y.
5f 00 43 00 4c 00 41 00 53 00 53 00 45 00 53 00 _.C.L.A.S.S.E.S.
5f 00 52 00 4f 00 4f 00 54 00 00 00 28 23 40 00 _.R.O.O.T...(#@.
04 23 40 00 dc 22 40 00 c4 22 40 00 98 22 40 00 .#@.."@.."@.."@.
70 22 40 00 54 22 40 00 10 22 40 00 00 22 40 00 p"@.T"@.."@.."@.
f8 21 40 00 e4 21 40 00 d4 21 40 00 c8 21 40 00 .!@..!@..!@..!@.
a4 21 40 00 98 21 40 00 84 21 40 00 68 21 40 00 .!@..!@..!@.h!@.
34 21 40 00 fc 20 40 00 f0 20 40 00 e4 20 40 00 4!@.. @.. @.. @.
e0 20 40 00 d0 20 40 00 c4 20 40 00 b4 20 40 00 . @.. @.. @.. @.
b4 20 40 00 a8 20 40 00 98 20 40 00 88 20 40 00 . @.. @.. @.. @.
78 20 40 00 68 20 40 00 58 20 40 00 00 00 00 00 x @.h @.X @.....
53 00 69 00 67 00 6e 00 61 00 74 00 75 00 72 00 S.i.g.n.a.t.u.r.
65 00 20 00 27 00 50 00 52 00 65 00 67 00 5c 00 e. .'.P.R.e.g.\.
31 00 5c 00 30 00 5c 00 30 00 5c 00 30 00 27 00 1.\.0.\.0.\.0.'.
20 00 6d 00 69 00 73 00 73 00 69 00 6e 00 67 00 .m.i.s.s.i.n.g.
20 00 69 00 6e 00 20 00 66 00 69 00 6c 00 65 00 .i.n. .f.i.l.e.
20 00 27 00 25 00 6c 00 73 00 27 00 21 00 0a 00 .'.%.l.s.'.!...
00 00 00 00 00 00 00 00 25 00 6c 00 73 00 28 00 ........%.l.s.(.
29 00 20 00 72 00 65 00 74 00 75 00 72 00 6e 00 ). .r.e.t.u.r.n.
65 00 64 00 20 00 65 00 72 00 72 00 6f 00 72 00 e.d. .e.r.r.o.r.
20 00 25 00 6c 00 75 00 20 00 66 00 6f 00 72 00 .%.l.u. .f.o.r.
20 00 66 00 69 00 6c 00 65 00 20 00 6d 00 61 00 .f.i.l.e. .m.a.
70 00 70 00 69 00 6e 00 67 00 20 00 27 00 25 00 p.p.i.n.g. .'.%.
6c 00 73 00 27 00 0a 00 00 00 00 00 43 00 6c 00 l.s.'.......C.l.
6f 00 73 00 65 00 48 00 61 00 6e 00 64 00 6c 00 o.s.e.H.a.n.d.l.
65 00 00 00 55 00 6e 00 6d 00 61 00 70 00 56 00 e...U.n.m.a.p.V.
69 00 65 00 77 00 4f 00 66 00 46 00 69 00 6c 00 i.e.w.O.f.F.i.l.
65 00 00 00 00 00 00 00 46 00 6f 00 72 00 6d 00 e.......F.o.r.m.
61 00 74 00 20 00 65 00 72 00 72 00 6f 00 72 00 a.t. .e.r.r.o.r.
20 00 69 00 6e 00 20 00 70 00 6f 00 6c 00 69 00 .i.n. .p.o.l.i.
63 00 79 00 20 00 66 00 69 00 6c 00 65 00 20 00 c.y. .f.i.l.e. .
27 00 25 00 6c 00 73 00 27 00 21 00 0a 00 00 00 '.%.l.s.'.!.....
25 00 6c 00 73 00 28 00 29 00 20 00 72 00 65 00 %.l.s.(.). .r.e.
74 00 75 00 72 00 6e 00 65 00 64 00 20 00 65 00 t.u.r.n.e.d. .e.
72 00 72 00 6f 00 72 00 20 00 25 00 6c 00 75 00 r.r.o.r. .%.l.u.
20 00 66 00 6f 00 72 00 20 00 72 00 65 00 67 00 .f.o.r. .r.e.g.
69 00 73 00 74 00 72 00 79 00 20 00 6b 00 65 00 i.s.t.r.y. .k.e.
79 00 20 00 27 00 25 00 6c 00 73 00 5c 00 25 00 y. .'.%.l.s.\.%.
6c 00 73 00 27 00 0a 00 00 00 00 00 52 00 65 00 l.s.'.......R.e.
67 00 43 00 6c 00 6f 00 73 00 65 00 4b 00 65 00 g.C.l.o.s.e.K.e.
79 00 00 00 00 00 00 00 4d 00 49 00 53 00 4d 00 y.......M.I.S.M.
41 00 54 00 43 00 48 00 3a 00 20 00 64 00 61 00 A.T.C.H.:. .d.a.
74 00 61 00 20 00 74 00 79 00 70 00 65 00 2c 00 t.a. .t.y.p.e.,.
20 00 73 00 69 00 7a 00 65 00 20 00 6f 00 72 00 .s.i.z.e. .o.r.
20 00 76 00 61 00 6c 00 75 00 65 00 20 00 69 00 .v.a.l.u.e. .i.
6e 00 20 00 70 00 6f 00 6c 00 69 00 63 00 79 00 n. .p.o.l.i.c.y.
20 00 66 00 69 00 6c 00 65 00 20 00 64 00 69 00 .f.i.l.e. .d.i.
66 00 66 00 65 00 72 00 73 00 20 00 66 00 72 00 f.f.e.r.s. .f.r.
6f 00 6d 00 20 00 72 00 65 00 67 00 69 00 73 00 o.m. .r.e.g.i.s.
74 00 72 00 79 00 21 00 0a 00 00 00 00 00 00 00 t.r.y.!.........
25 00 6c 00 73 00 28 00 29 00 20 00 72 00 65 00 %.l.s.(.). .r.e.
74 00 75 00 72 00 6e 00 65 00 64 00 20 00 65 00 t.u.r.n.e.d. .e.
72 00 72 00 6f 00 72 00 20 00 25 00 6c 00 75 00 r.r.o.r. .%.l.u.
20 00 66 00 6f 00 72 00 20 00 76 00 61 00 6c 00 .f.o.r. .v.a.l.
75 00 65 00 20 00 27 00 25 00 6c 00 73 00 27 00 u.e. .'.%.l.s.'.
20 00 6f 00 66 00 20 00 72 00 65 00 67 00 69 00 .o.f. .r.e.g.i.
73 00 74 00 72 00 79 00 20 00 6b 00 65 00 79 00 s.t.r.y. .k.e.y.
20 00 27 00 25 00 6c 00 73 00 5c 00 25 00 6c 00 .'.%.l.s.\.%.l.
73 00 27 00 0a 00 00 00 52 00 65 00 67 00 51 00 s.'.....R.e.g.Q.
75 00 65 00 72 00 79 00 56 00 61 00 6c 00 75 00 u.e.r.y.V.a.l.u.
65 00 45 00 78 00 00 00 52 00 65 00 67 00 4f 00 e.E.x...R.e.g.O.
70 00 65 00 6e 00 4b 00 65 00 79 00 45 00 78 00 p.e.n.K.e.y.E.x.
00 00 00 00 2c 00 25 00 6c 00 63 00 25 00 6c 00 ....,.%.l.c.%.l.
63 00 00 00 30 00 31 00 32 00 33 00 34 00 35 00 c...0.1.2.3.4.5.
36 00 37 00 38 00 39 00 61 00 62 00 63 00 64 00 6.7.8.9.a.b.c.d.
65 00 66 00 00 00 00 00 53 00 69 00 7a 00 65 00 e.f.....S.i.z.e.
20 00 25 00 6c 00 75 00 20 00 6f 00 66 00 20 00 .%.l.u. .o.f. .
52 00 45 00 47 00 5f 00 25 00 6c 00 73 00 20 00 R.E.G._.%.l.s. .
76 00 61 00 6c 00 75 00 65 00 20 00 64 00 61 00 v.a.l.u.e. .d.a.
74 00 61 00 20 00 6e 00 6f 00 74 00 20 00 65 00 t.a. .n.o.t. .e.
71 00 75 00 61 00 6c 00 20 00 6c 00 65 00 6e 00 q.u.a.l. .l.e.n.
67 00 74 00 68 00 20 00 25 00 6c 00 75 00 20 00 g.t.h. .%.l.u. .
6f 00 66 00 20 00 73 00 74 00 72 00 69 00 6e 00 o.f. .s.t.r.i.n.
67 00 20 00 70 00 6c 00 75 00 73 00 20 00 74 00 g. .p.l.u.s. .t.
65 00 72 00 6d 00 69 00 6e 00 61 00 74 00 69 00 e.r.m.i.n.a.t.i.
6e 00 67 00 20 00 27 00 4e 00 55 00 4c 00 27 00 n.g. .'.N.U.L.'.
20 00 63 00 68 00 61 00 72 00 61 00 63 00 74 00 .c.h.a.r.a.c.t.
65 00 72 00 21 00 0a 00 00 00 00 00 27 00 25 00 e.r.!.......'.%.
6c 00 73 00 27 00 0a 00 00 00 00 00 00 00 00 00 l.s.'...........
53 00 69 00 7a 00 65 00 20 00 25 00 6c 00 75 00 S.i.z.e. .%.l.u.
20 00 6f 00 66 00 20 00 52 00 45 00 47 00 5f 00 .o.f. .R.E.G._.
25 00 6c 00 73 00 20 00 76 00 61 00 6c 00 75 00 %.l.s. .v.a.l.u.
65 00 20 00 64 00 61 00 74 00 61 00 20 00 6e 00 e. .d.a.t.a. .n.
6f 00 74 00 20 00 65 00 71 00 75 00 61 00 6c 00 o.t. .e.q.u.a.l.
20 00 27 00 73 00 69 00 7a 00 65 00 6f 00 66 00 .'.s.i.z.e.o.f.
28 00 44 00 57 00 4f 00 52 00 44 00 29 00 27 00 (.D.W.O.R.D.).'.
21 00 0a 00 00 00 00 00 25 00 30 00 38 00 6c 00 !.......%.0.8.l.
78 00 0a 00 00 00 00 00 53 00 69 00 7a 00 65 00 x.......S.i.z.e.
20 00 25 00 6c 00 75 00 20 00 6f 00 66 00 20 00 .%.l.u. .o.f. .
52 00 45 00 47 00 5f 00 4d 00 55 00 4c 00 54 00 R.E.G._.M.U.L.T.
49 00 5f 00 53 00 5a 00 20 00 76 00 61 00 6c 00 I._.S.Z. .v.a.l.
75 00 65 00 20 00 64 00 61 00 74 00 61 00 20 00 u.e. .d.a.t.a. .
6e 00 6f 00 74 00 20 00 65 00 71 00 75 00 61 00 n.o.t. .e.q.u.a.
6c 00 20 00 73 00 75 00 6d 00 20 00 6f 00 66 00 l. .s.u.m. .o.f.
20 00 73 00 74 00 72 00 69 00 6e 00 67 00 20 00 .s.t.r.i.n.g. .
6c 00 65 00 6e 00 67 00 74 00 68 00 73 00 20 00 l.e.n.g.t.h.s. .
70 00 6c 00 75 00 73 00 20 00 74 00 65 00 72 00 p.l.u.s. .t.e.r.
6d 00 69 00 6e 00 61 00 74 00 69 00 6e 00 67 00 m.i.n.a.t.i.n.g.
20 00 27 00 4e 00 55 00 4c 00 27 00 20 00 63 00 .'.N.U.L.'. .c.
68 00 61 00 72 00 61 00 63 00 74 00 65 00 72 00 h.a.r.a.c.t.e.r.
73 00 21 00 0a 00 00 00 52 00 45 00 47 00 5f 00 s.!.....R.E.G._.
4d 00 55 00 4c 00 54 00 49 00 5f 00 53 00 5a 00 M.U.L.T.I._.S.Z.
20 00 76 00 61 00 6c 00 75 00 65 00 20 00 64 00 .v.a.l.u.e. .d.
61 00 74 00 61 00 20 00 6e 00 6f 00 74 00 20 00 a.t.a. .n.o.t. .
74 00 65 00 72 00 6d 00 69 00 6e 00 61 00 74 00 t.e.r.m.i.n.a.t.
65 00 64 00 20 00 77 00 69 00 74 00 68 00 20 00 e.d. .w.i.t.h. .
65 00 78 00 74 00 72 00 61 00 20 00 27 00 4e 00 e.x.t.r.a. .'.N.
55 00 4c 00 27 00 20 00 63 00 68 00 61 00 72 00 U.L.'. .c.h.a.r.
61 00 63 00 74 00 65 00 72 00 21 00 0a 00 00 00 a.c.t.e.r.!.....
0a 00 00 00 2c 00 27 00 25 00 6c 00 73 00 27 00 ....,.'.%.l.s.'.
00 00 00 00 00 00 00 00 53 00 69 00 7a 00 65 00 ........S.i.z.e.
20 00 25 00 6c 00 75 00 20 00 6f 00 66 00 20 00 .%.l.u. .o.f. .
52 00 45 00 47 00 5f 00 51 00 57 00 4f 00 52 00 R.E.G._.Q.W.O.R.
44 00 20 00 76 00 61 00 6c 00 75 00 65 00 20 00 D. .v.a.l.u.e. .
64 00 61 00 74 00 61 00 20 00 6e 00 6f 00 74 00 d.a.t.a. .n.o.t.
20 00 65 00 71 00 75 00 61 00 6c 00 20 00 27 00 .e.q.u.a.l. .'.
73 00 69 00 7a 00 65 00 6f 00 66 00 28 00 51 00 s.i.z.e.o.f.(.Q.
57 00 4f 00 52 00 44 00 29 00 27 00 21 00 0a 00 W.O.R.D.).'.!...
00 00 00 00 25 00 30 00 31 00 36 00 49 00 36 00 ....%.0.1.6.I.6.
34 00 78 00 0a 00 00 00 68 00 65 00 78 00 28 00 4.x.....h.e.x.(.
25 00 6c 00 78 00 29 00 3a 00 00 00 25 00 6c 00 %.l.x.).:...%.l.
73 00 00 00 27 00 25 00 6c 00 73 00 27 00 3d 00 s...'.%.l.s.'.=.
00 00 00 00 40 00 3d 00 00 00 00 00 27 00 25 00 ....@.=.....'.%.
6c 00 73 00 27 00 3d 00 2d 00 20 00 3b 00 20 00 l.s.'.=.-. .;. .
3d 00 00 00 40 00 3d 00 2d 00 20 00 3b 00 20 00 =...@.=.-. .;. .
3d 00 00 00 2a 00 2a 00 44 00 65 00 6c 00 2e 00 =...*.*.D.e.l...
00 00 00 00 2a 00 2a 00 64 00 65 00 6c 00 2e 00 ....*.*.d.e.l...
00 00 00 00 5b 00 2d 00 48 00 4b 00 45 00 59 00 ....[.-.H.K.E.Y.
5f 00 52 00 45 00 4c 00 41 00 54 00 49 00 56 00 _.R.E.L.A.T.I.V.
45 00 5c 00 25 00 6c 00 73 00 5c 00 25 00 6c 00 E.\.%.l.s.\.%.l.
73 00 5d 00 0a 00 00 00 2a 00 2a 00 44 00 65 00 s.].....*.*.D.e.
6c 00 65 00 74 00 65 00 6b 00 65 00 79 00 73 00 l.e.t.e.k.e.y.s.
00 00 00 00 2a 00 2a 00 64 00 65 00 6c 00 65 00 ....*.*.d.e.l.e.
74 00 65 00 6b 00 65 00 79 00 73 00 00 00 00 00 t.e.k.e.y.s.....
27 00 25 00 6c 00 73 00 27 00 3d 00 2d 00 0a 00 '.%.l.s.'.=.-...
00 00 00 00 2a 00 2a 00 44 00 65 00 6c 00 65 00 ....*.*.D.e.l.e.
74 00 65 00 76 00 61 00 6c 00 75 00 65 00 73 00 t.e.v.a.l.u.e.s.
00 00 00 00 2a 00 2a 00 64 00 65 00 6c 00 65 00 ....*.*.d.e.l.e.
74 00 65 00 76 00 61 00 6c 00 75 00 65 00 73 00 t.e.v.a.l.u.e.s.
00 00 00 00 2a 00 3d 00 2d 00 0a 00 00 00 00 00 ....*.=.-.......
2a 00 2a 00 44 00 65 00 6c 00 65 00 74 00 65 00 *.*.D.e.l.e.t.e.
76 00 61 00 6c 00 73 00 00 00 00 00 2a 00 2a 00 v.a.l.s.....*.*.
64 00 65 00 6c 00 65 00 74 00 65 00 76 00 61 00 d.e.l.e.t.e.v.a.
6c 00 73 00 00 00 00 00 3b 00 20 00 53 00 65 00 l.s.....;. .S.e.
63 00 75 00 72 00 65 00 4b 00 65 00 79 00 3d 00 c.u.r.e.K.e.y.=.
30 00 0a 00 00 00 00 00 2a 00 2a 00 53 00 65 00 0.......*.*.S.e.
63 00 75 00 72 00 65 00 4b 00 65 00 79 00 3d 00 c.u.r.e.K.e.y.=.
30 00 00 00 2a 00 2a 00 73 00 65 00 63 00 75 00 0...*.*.s.e.c.u.
72 00 65 00 6b 00 65 00 79 00 3d 00 30 00 00 00 r.e.k.e.y.=.0...
3b 00 20 00 53 00 65 00 63 00 75 00 72 00 65 00 ;. .S.e.c.u.r.e.
4b 00 65 00 79 00 3d 00 31 00 0a 00 00 00 00 00 K.e.y.=.1.......
2a 00 2a 00 53 00 65 00 63 00 75 00 72 00 65 00 *.*.S.e.c.u.r.e.
4b 00 65 00 79 00 3d 00 31 00 00 00 2a 00 2a 00 K.e.y.=.1...*.*.
73 00 65 00 63 00 75 00 72 00 65 00 6b 00 65 00 s.e.c.u.r.e.k.e.
79 00 3d 00 31 00 00 00 0a 00 5b 00 48 00 4b 00 y.=.1.....[.H.K.
45 00 59 00 5f 00 52 00 45 00 4c 00 41 00 54 00 E.Y._.R.E.L.A.T.
49 00 56 00 45 00 5c 00 25 00 6c 00 73 00 5d 00 I.V.E.\.%.l.s.].
0a 00 00 00 00 00 00 00 57 00 69 00 6e 00 64 00 ........W.i.n.d.
6f 00 77 00 73 00 20 00 52 00 65 00 67 00 69 00 o.w.s. .R.e.g.i.
73 00 74 00 72 00 79 00 20 00 45 00 64 00 69 00 s.t.r.y. .E.d.i.
74 00 6f 00 72 00 20 00 56 00 65 00 72 00 73 00 t.o.r. .V.e.r.s.
69 00 6f 00 6e 00 20 00 35 00 2e 00 30 00 30 00 i.o.n. .5...0.0.
0a 00 0a 00 3b 00 20 00 52 00 65 00 67 00 69 00 ....;. .R.e.g.i.
73 00 74 00 72 00 79 00 20 00 50 00 6f 00 6c 00 s.t.r.y. .P.o.l.
69 00 63 00 79 00 20 00 46 00 69 00 6c 00 65 00 i.c.y. .F.i.l.e.
20 00 27 00 25 00 6c 00 73 00 27 00 0a 00 00 00 .'.%.l.s.'.....
4d 00 61 00 70 00 56 00 69 00 65 00 77 00 4f 00 M.a.p.V.i.e.w.O.
66 00 46 00 69 00 6c 00 65 00 00 00 43 00 72 00 f.F.i.l.e...C.r.
65 00 61 00 74 00 65 00 46 00 69 00 6c 00 65 00 e.a.t.e.F.i.l.e.
4d 00 61 00 70 00 70 00 69 00 6e 00 67 00 00 00 M.a.p.p.i.n.g...
25 00 6c 00 73 00 28 00 29 00 20 00 72 00 65 00 %.l.s.(.). .r.e.
74 00 75 00 72 00 6e 00 65 00 64 00 20 00 65 00 t.u.r.n.e.d. .e.
72 00 72 00 6f 00 72 00 20 00 25 00 6c 00 75 00 r.r.o.r. .%.l.u.
20 00 66 00 6f 00 72 00 20 00 66 00 69 00 6c 00 .f.o.r. .f.i.l.
65 00 20 00 27 00 25 00 6c 00 73 00 27 00 0a 00 e. .'.%.l.s.'...
00 00 00 00 47 00 65 00 74 00 46 00 69 00 6c 00 ....G.e.t.F.i.l.
65 00 53 00 69 00 7a 00 65 00 00 00 43 00 72 00 e.S.i.z.e...C.r.
65 00 61 00 74 00 65 00 46 00 69 00 6c 00 65 00 e.a.t.e.F.i.l.e.
00 00 00 00 25 00 6c 00 73 00 28 00 29 00 20 00 ....%.l.s.(.). .
72 00 65 00 74 00 75 00 72 00 6e 00 65 00 64 00 r.e.t.u.r.n.e.d.
20 00 65 00 72 00 72 00 6f 00 72 00 20 00 25 00 .e.r.r.o.r. .%.
6c 00 75 00 0a 00 00 00 4c 00 6f 00 63 00 61 00 l.u.....L.o.c.a.
6c 00 46 00 72 00 65 00 65 00 00 00 00 00 00 00 l.F.r.e.e.......
4e 00 6f 00 20 00 61 00 72 00 67 00 75 00 6d 00 N.o. .a.r.g.u.m.
65 00 6e 00 74 00 73 00 3a 00 20 00 61 00 74 00 e.n.t.s.:. .a.t.
20 00 6c 00 65 00 61 00 73 00 74 00 20 00 6f 00 .l.e.a.s.t. .o.
6e 00 65 00 20 00 27 00 2e 00 70 00 6f 00 6c 00 n.e. .'...p.o.l.
27 00 20 00 66 00 69 00 6c 00 65 00 20 00 6e 00 '. .f.i.l.e. .n.
61 00 6d 00 65 00 20 00 6d 00 75 00 73 00 74 00 a.m.e. .m.u.s.t.
20 00 62 00 65 00 20 00 67 00 69 00 76 00 65 00 .b.e. .g.i.v.e.
6e 00 21 00 0a 00 00 00 42 00 61 00 64 00 20 00 n.!.....B.a.d. .
61 00 72 00 67 00 75 00 6d 00 65 00 6e 00 74 00 a.r.g.u.m.e.n.t.
73 00 3a 00 20 00 6f 00 70 00 74 00 69 00 6f 00 s.:. .o.p.t.i.o.
6e 00 61 00 6c 00 20 00 66 00 69 00 72 00 73 00 n.a.l. .f.i.r.s.
74 00 20 00 61 00 72 00 67 00 75 00 6d 00 65 00 t. .a.r.g.u.m.e.
6e 00 74 00 20 00 6d 00 75 00 73 00 74 00 20 00 n.t. .m.u.s.t. .
62 00 65 00 20 00 27 00 25 00 6c 00 73 00 27 00 b.e. .'.%.l.s.'.
20 00 6f 00 72 00 20 00 27 00 25 00 6c 00 73 00 .o.r. .'.%.l.s.
27 00 21 00 0a 00 00 00 2f 00 55 00 53 00 45 00 '.!...../.U.S.E.
52 00 00 00 2f 00 4d 00 41 00 43 00 48 00 49 00 R.../.M.A.C.H.I.
4e 00 45 00 00 00 00 00 43 00 6f 00 6d 00 6d 00 N.E.....C.o.m.m.
61 00 6e 00 64 00 4c 00 69 00 6e 00 65 00 54 00 a.n.d.L.i.n.e.T.
6f 00 41 00 72 00 67 00 76 00 00 00 00 00 00 00 o.A.r.g.v.......
b9 79 37 9e 00 00 00 00 68 00 00 00 45 54 41 44 .y7.....h...ETAD
10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 ................
00 00 00 00 d0 2f 40 00 00 00 00 00 00 00 00 00 ...../@.........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
90 30 00 00 00 00 00 00 00 00 00 00 16 31 00 00 .0...........1..
00 20 00 00 a0 30 00 00 00 00 00 00 00 00 00 00 . ...0..........
00 32 00 00 10 20 00 00 dc 30 00 00 00 00 00 00 .2... ...0......
00 00 00 00 1c 32 00 00 4c 20 00 00 00 00 00 00 .....2..L ......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
f2 30 00 00 06 31 00 00 e4 30 00 00 00 00 00 00 .0...1...0......
24 31 00 00 34 31 00 00 42 31 00 00 54 31 00 00 $1..41..B1..T1..
64 31 00 00 7a 31 00 00 88 31 00 00 98 31 00 00 d1..z1...1...1..
a6 31 00 00 b4 31 00 00 c0 31 00 00 d2 31 00 00 .1...1...1...1..
e2 31 00 00 f2 31 00 00 00 00 00 00 0e 32 00 00 .1...1.......2..
00 00 00 00 30 02 52 65 67 43 6c 6f 73 65 4b 65 ....0.RegCloseKe
79 00 6e 02 52 65 67 51 75 65 72 79 56 61 6c 75 y.n.RegQueryValu
65 45 78 57 00 00 61 02 52 65 67 4f 70 65 6e 4b eExW..a.RegOpenK
65 79 45 78 57 00 41 44 56 41 50 49 33 32 2e 64 eyExW.ADVAPI32.d
6c 6c 00 00 24 05 57 72 69 74 65 43 6f 6e 73 6f ll..$.WriteConso
6c 65 57 00 52 00 43 6c 6f 73 65 48 61 6e 64 6c leW.R.CloseHandl
65 00 d6 04 55 6e 6d 61 70 56 69 65 77 4f 66 46 e...UnmapViewOfF
69 6c 65 00 57 03 4d 61 70 56 69 65 77 4f 66 46 ile.W.MapViewOfF
69 6c 65 00 8c 00 43 72 65 61 74 65 46 69 6c 65 ile...CreateFile
4d 61 70 70 69 6e 67 57 00 00 f0 01 47 65 74 46 MappingW....GetF
69 6c 65 53 69 7a 65 00 02 02 47 65 74 4c 61 73 ileSize...GetLas
74 45 72 72 6f 72 00 00 8f 00 43 72 65 61 74 65 tError....Create
46 69 6c 65 57 00 19 01 45 78 69 74 50 72 6f 63 FileW...ExitProc
65 73 73 00 48 03 4c 6f 63 61 6c 46 72 65 65 00 ess.H.LocalFree.
87 01 47 65 74 43 6f 6d 6d 61 6e 64 4c 69 6e 65 ..GetCommandLine
57 00 64 02 47 65 74 53 74 64 48 61 6e 64 6c 65 W.d.GetStdHandle
00 00 73 04 53 65 74 4c 61 73 74 45 72 72 6f 72 ..s.SetLastError
00 00 44 03 4c 6f 63 61 6c 41 6c 6c 6f 63 00 00 ..D.LocalAlloc..
4b 45 52 4e 45 4c 33 32 2e 64 6c 6c 00 00 35 03 KERNEL32.dll..5.
77 76 73 70 72 69 6e 74 66 57 00 00 55 53 45 52 wvsprintfW..USER
33 32 2e 64 6c 6c 00 00 00 00 00 00 00 00 00 00 32.dll..........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Decode the dump file POLYGLOT.TXT
created in
step 3. to recreate the console application
Registry Policy Reader:
CERTUTIL.EXE /DecodeHex /V POLYGLOT.TXT POLYGLOT.COM
Input Length = 36992
Output Length = 8704
CertUtil: -decodehex command completed successfully.
offline registry hive formatted as .inf file in UTF-16LE encoding on
standard output (which must be redirected to a file or piped into an application that reads from
standard input, like Clip, Find or More).
ORCloseHive()
ORCloseKey()
ORCreateHive()
ORCreateKey()
ORDeleteKey()
ORDeleteValue()
OREnumKey()
OREnumValue()
ORGetKeySecurity()
ORGetValue()
ORGetVersion()
ORGetVirtualFlags()
OROpenHive()
OROpenKey()
ORQueryInfoKey()
ORSaveHive()
ORSetKeySecurity()
ORSetValue()
ORSetVirtualFlags()
OFFREG.COM ‹input file name› >‹output file name›
OFFREG.COM ‹input file name› | MORE.COM
%SystemDrive%\Users\Default\NTUSER.DAT
to the file
ntuser.inf
and display it afterwards:
VER
.\OFFREG.COM "%SystemDrive%\Users\Default\NTUSER.DAT" 1>ntuser.inf
NET.EXE HelpMsg %ERRORLEVEL%
TYPE ntuser.inf
Microsoft Windows [Version 10.0.19044.2486] OFFREG.DLL version 1.0 The operation completed successfully. [Version] DriverVer = 08/15/2021,12.34.56.789 ; UTC Provider = "Stefan Kanthak" Signature = "$Windows NT$" [Strings] REG_SZ = 0x00000000 REG_BINARY = 0x00000001 REG_KEYONLY = 0x00000010 REG_MULTI_SZ = 0x00010000 REG_DWORD = 0x00010001 REG_EXPAND_SZ = 0x00020000 REG_NONE = 0x00020001 REG_COMPATIBLE = 0x00030001 ; same as REG_BINARY REG_DWORD_LITTLE_ENDIAN = 0x00040001 ; same as REG_DWORD REG_DWORD_BIG_ENDIAN = 0x00050001 REG_LINK = 0x00060000 REG_RESOURCE_LIST = 0x00080001 REG_FULL_RESOURCE_DESCRIPTOR = 0x00090001 REG_RESOURCE_REQUIREMENTS_LIST = 0x000a0001 REG_QWORD = 0x000b0001 REG_QWORD_LITTLE_ENDIAN = 0x000b0001 ; same as REG_QWORD [DefaultInstall.NT] ;AddReg = AddReg.HKO [AddReg.HKO] HKO,"AppEvents\EventLabels\.Default",,%REG_SZ%,"Default Beep" HKO,"AppEvents\EventLabels\.Default","DispFileName",%REG_SZ%,"@mmres.dll,-5824" HKO,"AppEvents\EventLabels\ActivatingDocument",,%REG_SZ%,"Complete Navigation" HKO,"AppEvents\EventLabels\ActivatingDocument","DispFileName",%REG_SZ%,"@ieframe.dll,-10321" HKO,"AppEvents\EventLabels\AppGPFault",,%REG_SZ%,"Program Error" HKO,"AppEvents\EventLabels\AppGPFault","DispFileName",%REG_SZ%,"@mmres.dll,-5825" HKO,"AppEvents\EventLabels\BlockedPopup",,%REG_SZ%,"Blocked Pop-up Window" HKO,"AppEvents\EventLabels\BlockedPopup","DispFileName",%REG_SZ%,"@ieframe.dll,-10325" HKO,"AppEvents\EventLabels\CCSelect",,%REG_SZ%,"Select" HKO,"AppEvents\EventLabels\CCSelect","DispFileName",%REG_SZ%,"@ieframe.dll,-10323" HKO,"AppEvents\EventLabels\ChangeTheme",,%REG_SZ%,"Change Theme" HKO,"AppEvents\EventLabels\ChangeTheme","DispFileName",%REG_SZ%,"@mmres.dll,-5860" HKO,"AppEvents\EventLabels\Close",,%REG_SZ%,"Close Program" HKO,"AppEvents\EventLabels\Close","DispFileName",%REG_SZ%,"@mmres.dll,-5826" HKO,"AppEvents\EventLabels\CriticalBatteryAlarm",,%REG_SZ%,"Critical Battery Alarm" 
HKO,"AppEvents\EventLabels\CriticalBatteryAlarm","DispFileName",%REG_SZ%,"@mmres.dll,-5827" HKO,"AppEvents\EventLabels\DeviceConnect",,%REG_SZ%,"Device Connect" HKO,"AppEvents\EventLabels\DeviceConnect","DispFileName",%REG_SZ%,"@mmres.dll,-5828" HKO,"AppEvents\EventLabels\DeviceDisconnect",,%REG_SZ%,"Device Disconnect" HKO,"AppEvents\EventLabels\DeviceDisconnect","DispFileName",%REG_SZ%,"@mmres.dll,-5829" HKO,"AppEvents\EventLabels\DeviceFail",,%REG_SZ%,"Device Failed to Connect" HKO,"AppEvents\EventLabels\DeviceFail","DispFileName",%REG_SZ%,"@mmres.dll,-5830" HKO,"AppEvents\EventLabels\DisNumbersSound",,%REG_SZ%,"Disambiguation Numbers" HKO,"AppEvents\EventLabels\DisNumbersSound","DispFileName",%REG_SZ%,"@C:\Windows\System32\speech\speechux\sapi.cpl,-5566" HKO,"AppEvents\EventLabels\EmptyRecycleBin",,%REG_SZ%,"Empty Recycle Bin" HKO,"AppEvents\EventLabels\EmptyRecycleBin","DispFileName",%REG_SZ%,"@mmres.dll,-5831" HKO,"AppEvents\EventLabels\FaxBeep",,%REG_SZ%,"New Fax Notification" HKO,"AppEvents\EventLabels\FaxBeep","DispFileName",%REG_SZ%,"@mmres.dll,-5858" HKO,"AppEvents\EventLabels\FeedDiscovered",,%REG_SZ%,"Feed Discovered" HKO,"AppEvents\EventLabels\FeedDiscovered","DispFileName",%REG_SZ%,"@ieframe.dll,-17315" HKO,"AppEvents\EventLabels\HubOffSound",,%REG_SZ%,"Off" HKO,"AppEvents\EventLabels\HubOffSound","DispFileName",%REG_SZ%,"@C:\Windows\System32\speech\speechux\sapi.cpl,-5563" HKO,"AppEvents\EventLabels\HubOnSound",,%REG_SZ%,"On" HKO,"AppEvents\EventLabels\HubOnSound","DispFileName",%REG_SZ%,"@C:\Windows\System32\speech\speechux\sapi.cpl,-5562" HKO,"AppEvents\EventLabels\HubSleepSound",,%REG_SZ%,"Sleep" HKO,"AppEvents\EventLabels\HubSleepSound","DispFileName",%REG_SZ%,"@C:\Windows\System32\speech\speechux\sapi.cpl,-5564" HKO,"AppEvents\EventLabels\LowBatteryAlarm",,%REG_SZ%,"Low Battery Alarm" HKO,"AppEvents\EventLabels\LowBatteryAlarm","DispFileName",%REG_SZ%,"@mmres.dll,-5832" HKO,"AppEvents\EventLabels\MailBeep",,%REG_SZ%,"Desktop Mail Notification" 
HKO,"AppEvents\EventLabels\MailBeep","DispFileName",%REG_SZ%,"@mmres.dll,-5837" HKO,"AppEvents\EventLabels\Maximize",,%REG_SZ%,"Maximize" HKO,"AppEvents\EventLabels\Maximize","DispFileName",%REG_SZ%,"@mmres.dll,-5833" HKO,"AppEvents\EventLabels\MenuCommand",,%REG_SZ%,"Menu Command" HKO,"AppEvents\EventLabels\MenuCommand","DispFileName",%REG_SZ%,"@mmres.dll,-5834" HKO,"AppEvents\EventLabels\MenuPopup",,%REG_SZ%,"Menu Pop-up" HKO,"AppEvents\EventLabels\MenuPopup","DispFileName",%REG_SZ%,"@mmres.dll,-5835" HKO,"AppEvents\EventLabels\MessageNudge",,%REG_SZ%,"Message Nudge" HKO,"AppEvents\EventLabels\MessageNudge","DispFileName",%REG_SZ%,"@mmres.dll,-5866" HKO,"AppEvents\EventLabels\Minimize",,%REG_SZ%,"Minimize" HKO,"AppEvents\EventLabels\Minimize","DispFileName",%REG_SZ%,"@mmres.dll,-5836" HKO,"AppEvents\EventLabels\MisrecoSound",,%REG_SZ%,"Misrecognition" HKO,"AppEvents\EventLabels\MisrecoSound","DispFileName",%REG_SZ%,"@C:\Windows\System32\speech\speechux\sapi.cpl,-5561" HKO,"AppEvents\EventLabels\MoveMenuItem",,%REG_SZ%,"Move Menu Item" HKO,"AppEvents\EventLabels\MoveMenuItem","DispFileName",%REG_SZ%,"@ieframe.dll,-10322" HKO,"AppEvents\EventLabels\Navigating",,%REG_SZ%,"Start Navigation" HKO,"AppEvents\EventLabels\Navigating","DispFileName",%REG_SZ%,"@ieframe.dll,-10320" HKO,"AppEvents\EventLabels\Notification.Default",,%REG_SZ%,"Notification" HKO,"AppEvents\EventLabels\Notification.Default","DispFileName",%REG_SZ%,"@mmres.dll,-5865" HKO,"AppEvents\EventLabels\Notification.IM",,%REG_SZ%,"Instant Message Notification" HKO,"AppEvents\EventLabels\Notification.IM","DispFileName",%REG_SZ%,"@mmres.dll,-5863" HKO,"AppEvents\EventLabels\Notification.Looping.Alarm",,%REG_SZ%,"Alarm 1" HKO,"AppEvents\EventLabels\Notification.Looping.Alarm","DispFileName",%REG_SZ%,"@mmres.dll,-5888" HKO,"AppEvents\EventLabels\Notification.Looping.Alarm","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001 HKO,"AppEvents\EventLabels\Notification.Looping.Alarm10",,%REG_SZ%,"Alarm 10" 
HKO,"AppEvents\EventLabels\Notification.Looping.Alarm10","DispFileName",%REG_SZ%,"@mmres.dll,-5897" HKO,"AppEvents\EventLabels\Notification.Looping.Alarm10","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001 HKO,"AppEvents\EventLabels\Notification.Looping.Alarm2",,%REG_SZ%,"Alarm 2" HKO,"AppEvents\EventLabels\Notification.Looping.Alarm2","DispFileName",%REG_SZ%,"@mmres.dll,-5889" HKO,"AppEvents\EventLabels\Notification.Looping.Alarm2","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001 HKO,"AppEvents\EventLabels\Notification.Looping.Alarm3",,%REG_SZ%,"Alarm 3" HKO,"AppEvents\EventLabels\Notification.Looping.Alarm3","DispFileName",%REG_SZ%,"@mmres.dll,-5890" HKO,"AppEvents\EventLabels\Notification.Looping.Alarm3","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001 HKO,"AppEvents\EventLabels\Notification.Looping.Alarm4",,%REG_SZ%,"Alarm 4" HKO,"AppEvents\EventLabels\Notification.Looping.Alarm4","DispFileName",%REG_SZ%,"@mmres.dll,-5891" HKO,"AppEvents\EventLabels\Notification.Looping.Alarm4","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001 HKO,"AppEvents\EventLabels\Notification.Looping.Alarm5",,%REG_SZ%,"Alarm 5" HKO,"AppEvents\EventLabels\Notification.Looping.Alarm5","DispFileName",%REG_SZ%,"@mmres.dll,-5892" HKO,"AppEvents\EventLabels\Notification.Looping.Alarm5","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001 HKO,"AppEvents\EventLabels\Notification.Looping.Alarm6",,%REG_SZ%,"Alarm 6" HKO,"AppEvents\EventLabels\Notification.Looping.Alarm6","DispFileName",%REG_SZ%,"@mmres.dll,-5893" HKO,"AppEvents\EventLabels\Notification.Looping.Alarm6","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001 HKO,"AppEvents\EventLabels\Notification.Looping.Alarm7",,%REG_SZ%,"Alarm 7" HKO,"AppEvents\EventLabels\Notification.Looping.Alarm7","DispFileName",%REG_SZ%,"@mmres.dll,-5894" HKO,"AppEvents\EventLabels\Notification.Looping.Alarm7","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001 HKO,"AppEvents\EventLabels\Notification.Looping.Alarm8",,%REG_SZ%,"Alarm 8" 
HKO,"AppEvents\EventLabels\Notification.Looping.Alarm8","DispFileName",%REG_SZ%,"@mmres.dll,-5895" HKO,"AppEvents\EventLabels\Notification.Looping.Alarm8","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001 HKO,"AppEvents\EventLabels\Notification.Looping.Alarm9",,%REG_SZ%,"Alarm 9" HKO,"AppEvents\EventLabels\Notification.Looping.Alarm9","DispFileName",%REG_SZ%,"@mmres.dll,-5896" HKO,"AppEvents\EventLabels\Notification.Looping.Alarm9","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001 HKO,"AppEvents\EventLabels\Notification.Looping.Call",,%REG_SZ%,"Incoming Call Notification 1" HKO,"AppEvents\EventLabels\Notification.Looping.Call","DispFileName",%REG_SZ%,"@mmres.dll,-5872" HKO,"AppEvents\EventLabels\Notification.Looping.Call","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001 HKO,"AppEvents\EventLabels\Notification.Looping.Call10",,%REG_SZ%,"Incoming Call Notification 10" HKO,"AppEvents\EventLabels\Notification.Looping.Call10","DispFileName",%REG_SZ%,"@mmres.dll,-5881" HKO,"AppEvents\EventLabels\Notification.Looping.Call10","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001 HKO,"AppEvents\EventLabels\Notification.Looping.Call2",,%REG_SZ%,"Incoming Call Notification 2" HKO,"AppEvents\EventLabels\Notification.Looping.Call2","DispFileName",%REG_SZ%,"@mmres.dll,-5873" HKO,"AppEvents\EventLabels\Notification.Looping.Call2","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001 HKO,"AppEvents\EventLabels\Notification.Looping.Call3",,%REG_SZ%,"Incoming Call Notification 3" HKO,"AppEvents\EventLabels\Notification.Looping.Call3","DispFileName",%REG_SZ%,"@mmres.dll,-5874" HKO,"AppEvents\EventLabels\Notification.Looping.Call3","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001 HKO,"AppEvents\EventLabels\Notification.Looping.Call4",,%REG_SZ%,"Incoming Call Notification 4" HKO,"AppEvents\EventLabels\Notification.Looping.Call4","DispFileName",%REG_SZ%,"@mmres.dll,-5875" HKO,"AppEvents\EventLabels\Notification.Looping.Call4","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001 
HKO,"AppEvents\EventLabels\Notification.Looping.Call5",,%REG_SZ%,"Incoming Call Notification 5" HKO,"AppEvents\EventLabels\Notification.Looping.Call5","DispFileName",%REG_SZ%,"@mmres.dll,-5876" HKO,"AppEvents\EventLabels\Notification.Looping.Call5","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001 HKO,"AppEvents\EventLabels\Notification.Looping.Call6",,%REG_SZ%,"Incoming Call Notification 6" HKO,"AppEvents\EventLabels\Notification.Looping.Call6","DispFileName",%REG_SZ%,"@mmres.dll,-5877" HKO,"AppEvents\EventLabels\Notification.Looping.Call6","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001 HKO,"AppEvents\EventLabels\Notification.Looping.Call7",,%REG_SZ%,"Incoming Call Notification 7" HKO,"AppEvents\EventLabels\Notification.Looping.Call7","DispFileName",%REG_SZ%,"@mmres.dll,-5878" HKO,"AppEvents\EventLabels\Notification.Looping.Call7","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001 HKO,"AppEvents\EventLabels\Notification.Looping.Call8",,%REG_SZ%,"Incoming Call Notification 8" HKO,"AppEvents\EventLabels\Notification.Looping.Call8","DispFileName",%REG_SZ%,"@mmres.dll,-5879" HKO,"AppEvents\EventLabels\Notification.Looping.Call8","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001 HKO,"AppEvents\EventLabels\Notification.Looping.Call9",,%REG_SZ%,"Incoming Call Notification 9" HKO,"AppEvents\EventLabels\Notification.Looping.Call9","DispFileName",%REG_SZ%,"@mmres.dll,-5880" HKO,"AppEvents\EventLabels\Notification.Looping.Call9","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001 HKO,"AppEvents\EventLabels\Notification.Mail",,%REG_SZ%,"New Mail Notification" HKO,"AppEvents\EventLabels\Notification.Mail","DispFileName",%REG_SZ%,"@mmres.dll,-5861" HKO,"AppEvents\EventLabels\Notification.Proximity",,%REG_SZ%,"NFP Completion" HKO,"AppEvents\EventLabels\Notification.Proximity","DispFileName",%REG_SZ%,"@mmres.dll,-5868" HKO,"AppEvents\EventLabels\Notification.Reminder",,%REG_SZ%,"Calendar Reminder" HKO,"AppEvents\EventLabels\Notification.Reminder","DispFileName",%REG_SZ%,"@mmres.dll,-5864" 
HKO,"AppEvents\EventLabels\Notification.SMS",,%REG_SZ%,"New Text Message Notification" HKO,"AppEvents\EventLabels\Notification.SMS","DispFileName",%REG_SZ%,"@mmres.dll,-5862" HKO,"AppEvents\EventLabels\Open",,%REG_SZ%,"Open Program" HKO,"AppEvents\EventLabels\Open","DispFileName",%REG_SZ%,"@mmres.dll,-5839" HKO,"AppEvents\EventLabels\PanelSound",,%REG_SZ%,"Disambiguation Panel" HKO,"AppEvents\EventLabels\PanelSound","DispFileName",%REG_SZ%,"@C:\Windows\System32\speech\speechux\sapi.cpl,-5565" HKO,"AppEvents\EventLabels\PrintComplete",,%REG_SZ%,"Print Complete" HKO,"AppEvents\EventLabels\PrintComplete","DispFileName",%REG_SZ%,"@mmres.dll,-5840" HKO,"AppEvents\EventLabels\ProximityConnection",,%REG_SZ%,"NFP Connection" HKO,"AppEvents\EventLabels\ProximityConnection","DispFileName",%REG_SZ%,"@mmres.dll,-5867" HKO,"AppEvents\EventLabels\RestoreDown",,%REG_SZ%,"Restore Down" HKO,"AppEvents\EventLabels\RestoreDown","DispFileName",%REG_SZ%,"@mmres.dll,-5841" HKO,"AppEvents\EventLabels\RestoreUp",,%REG_SZ%,"Restore Up" HKO,"AppEvents\EventLabels\RestoreUp","DispFileName",%REG_SZ%,"@mmres.dll,-5842" HKO,"AppEvents\EventLabels\SecurityBand",,%REG_SZ%,"Information Bar" HKO,"AppEvents\EventLabels\SecurityBand","DispFileName",%REG_SZ%,"@ieframe.dll,-10326" HKO,"AppEvents\EventLabels\ShowBand",,%REG_SZ%,"Show Toolbar Band" HKO,"AppEvents\EventLabels\ShowBand","DispFileName",%REG_SZ%,"@ieframe.dll,-10324" HKO,"AppEvents\EventLabels\SystemAsterisk",,%REG_SZ%,"Asterisk" HKO,"AppEvents\EventLabels\SystemAsterisk","DispFileName",%REG_SZ%,"@mmres.dll,-5843" HKO,"AppEvents\EventLabels\SystemExclamation",,%REG_SZ%,"Exclamation" HKO,"AppEvents\EventLabels\SystemExclamation","DispFileName",%REG_SZ%,"@mmres.dll,-5845" HKO,"AppEvents\EventLabels\SystemExit",,%REG_SZ%,"Exit Windows" HKO,"AppEvents\EventLabels\SystemExit","DispFileName",%REG_SZ%,"@mmres.dll,-5846" HKO,"AppEvents\EventLabels\SystemExit","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001 
HKO,"AppEvents\EventLabels\SystemHand",,%REG_SZ%,"Critical Stop" HKO,"AppEvents\EventLabels\SystemHand","DispFileName",%REG_SZ%,"@mmres.dll,-5847" HKO,"AppEvents\EventLabels\SystemNotification",,%REG_SZ%,"System Notification" HKO,"AppEvents\EventLabels\SystemNotification","DispFileName",%REG_SZ%,"@mmres.dll,-5848" HKO,"AppEvents\EventLabels\SystemQuestion",,%REG_SZ%,"Question" HKO,"AppEvents\EventLabels\SystemQuestion","DispFileName",%REG_SZ%,"@mmres.dll,-5849" HKO,"AppEvents\EventLabels\WindowsLogoff",,%REG_SZ%,"Windows Logoff" HKO,"AppEvents\EventLabels\WindowsLogoff","DispFileName",%REG_SZ%,"@mmres.dll,-5852" HKO,"AppEvents\EventLabels\WindowsLogoff","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001 HKO,"AppEvents\EventLabels\WindowsLogon",,%REG_SZ%,"Windows Logon" HKO,"AppEvents\EventLabels\WindowsLogon","DispFileName",%REG_SZ%,"@mmres.dll,-5853" HKO,"AppEvents\EventLabels\WindowsLogon","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001 HKO,"AppEvents\EventLabels\WindowsUAC",,%REG_SZ%,"Windows User Account Control" HKO,"AppEvents\EventLabels\WindowsUAC","DispFileName",%REG_SZ%,"@mmres.dll,-5859" HKO,"AppEvents\EventLabels\WindowsUnlock",,%REG_SZ%,"Windows Unlock" HKO,"AppEvents\EventLabels\WindowsUnlock","DispFileName",%REG_SZ%,"@mmres.dll,-5869" HKO,"AppEvents\EventLabels\WindowsUnlock","ExcludeFromCPL",%REG_DWORD%,1 ; 0x00000001 HKO,"AppEvents\Schemes",,%REG_SZ%,".Default" HKO,"AppEvents\Schemes\Apps\.Default",,%REG_SZ%,"Windows" HKO,"AppEvents\Schemes\Apps\.Default","DispFileName",%REG_SZ%,"@mmres.dll,-5856" HKO,"AppEvents\Schemes\Apps\.Default\.Default\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Background.wav" HKO,"AppEvents\Schemes\Apps\.Default\.Default\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Background.wav" HKO,"AppEvents\Schemes\Apps\.Default\AppGPFault\.Current",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\.Default\AppGPFault\.Default",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\.Default\CCSelect",,%REG_KEYONLY% 
HKO,"AppEvents\Schemes\Apps\.Default\ChangeTheme\.Current",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\.Default\ChangeTheme\.Default",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\.Default\Close\.Current",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\.Default\Close\.Default",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\.Default\CriticalBatteryAlarm\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Foreground.wav" HKO,"AppEvents\Schemes\Apps\.Default\CriticalBatteryAlarm\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Foreground.wav" HKO,"AppEvents\Schemes\Apps\.Default\DeviceConnect\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Hardware Insert.wav" HKO,"AppEvents\Schemes\Apps\.Default\DeviceConnect\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Hardware Insert.wav" HKO,"AppEvents\Schemes\Apps\.Default\DeviceDisconnect\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Hardware Remove.wav" HKO,"AppEvents\Schemes\Apps\.Default\DeviceDisconnect\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Hardware Remove.wav" HKO,"AppEvents\Schemes\Apps\.Default\DeviceFail\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Hardware Fail.wav" HKO,"AppEvents\Schemes\Apps\.Default\DeviceFail\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Hardware Fail.wav" HKO,"AppEvents\Schemes\Apps\.Default\FaxBeep\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Notify Email.wav" HKO,"AppEvents\Schemes\Apps\.Default\FaxBeep\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Notify Email.wav" HKO,"AppEvents\Schemes\Apps\.Default\LowBatteryAlarm\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Background.wav" HKO,"AppEvents\Schemes\Apps\.Default\LowBatteryAlarm\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Background.wav" HKO,"AppEvents\Schemes\Apps\.Default\MailBeep\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Notify Email.wav" 
HKO,"AppEvents\Schemes\Apps\.Default\MailBeep\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Notify Email.wav" HKO,"AppEvents\Schemes\Apps\.Default\Maximize\.Current",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\.Default\Maximize\.Default",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\.Default\MenuCommand\.Current",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\.Default\MenuCommand\.Default",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\.Default\MenuPopup\.Current",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\.Default\MenuPopup\.Default",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\.Default\MessageNudge\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Message Nudge.wav" HKO,"AppEvents\Schemes\Apps\.Default\MessageNudge\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Message Nudge.wav" HKO,"AppEvents\Schemes\Apps\.Default\Minimize\.Current",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\.Default\Minimize\.Default",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\.Default\Notification.Default\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Notify System Generic.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Default\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Notify System Generic.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.IM\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Notify Messaging.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.IM\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Notify Messaging.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm01.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm01.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm10\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm10.wav" 
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm10\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm10.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm2\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm02.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm2\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm02.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm3\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm03.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm3\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm03.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm4\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm04.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm4\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm04.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm5\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm05.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm5\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm05.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm6\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm06.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm6\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm06.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm7\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm07.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm7\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm07.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm8\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm08.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm8\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm08.wav" 
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm9\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm09.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm9\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Alarm09.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring01.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring01.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call10\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring10.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call10\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring10.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call2\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring02.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call2\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring02.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call3\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring03.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call3\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring03.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call4\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring04.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call4\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring04.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call5\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring05.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call5\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring05.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call6\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring06.wav" 
HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call6\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring06.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call7\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring07.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call7\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring07.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call8\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring08.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call8\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring08.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call9\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring09.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Looping.Call9\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Ring09.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Mail\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Notify Email.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Mail\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Notify Email.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Proximity\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Proximity Notification.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Proximity\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Proximity Notification.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Reminder\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Notify Calendar.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.Reminder\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Notify Calendar.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.SMS\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Notify Messaging.wav" HKO,"AppEvents\Schemes\Apps\.Default\Notification.SMS\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Notify Messaging.wav" 
HKO,"AppEvents\Schemes\Apps\.Default\Open\.Current",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\.Default\Open\.Default",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\.Default\PrintComplete\.Current",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\.Default\PrintComplete\.Default",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\.Default\ProximityConnection\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Proximity Connection.wav" HKO,"AppEvents\Schemes\Apps\.Default\ProximityConnection\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Proximity Connection.wav" HKO,"AppEvents\Schemes\Apps\.Default\RestoreDown\.Current",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\.Default\RestoreDown\.Default",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\.Default\RestoreUp\.Current",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\.Default\RestoreUp\.Default",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\.Default\ShowBand",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\.Default\SystemAsterisk\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Background.wav" HKO,"AppEvents\Schemes\Apps\.Default\SystemAsterisk\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Background.wav" HKO,"AppEvents\Schemes\Apps\.Default\SystemExclamation\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Background.wav" HKO,"AppEvents\Schemes\Apps\.Default\SystemExclamation\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Background.wav" HKO,"AppEvents\Schemes\Apps\.Default\SystemExit\.Current",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\.Default\SystemExit\.Default",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\.Default\SystemHand\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Foreground.wav" HKO,"AppEvents\Schemes\Apps\.Default\SystemHand\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Foreground.wav" HKO,"AppEvents\Schemes\Apps\.Default\SystemNotification\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Background.wav" 
HKO,"AppEvents\Schemes\Apps\.Default\SystemNotification\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Background.wav" HKO,"AppEvents\Schemes\Apps\.Default\SystemQuestion\.Current",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\.Default\SystemQuestion\.Default",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\.Default\WindowsLogoff\.Current",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\.Default\WindowsLogoff\.Default",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\.Default\WindowsLogon\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Logon.wav" HKO,"AppEvents\Schemes\Apps\.Default\WindowsLogon\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Logon.wav" HKO,"AppEvents\Schemes\Apps\.Default\WindowsUAC\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows User Account Control.wav" HKO,"AppEvents\Schemes\Apps\.Default\WindowsUAC\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows User Account Control.wav" HKO,"AppEvents\Schemes\Apps\.Default\WindowsUnlock\.Current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Unlock.wav" HKO,"AppEvents\Schemes\Apps\.Default\WindowsUnlock\.Default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Windows Unlock.wav" HKO,"AppEvents\Schemes\Apps\Explorer",,%REG_SZ%,"File Explorer" HKO,"AppEvents\Schemes\Apps\Explorer","DispFileName",%REG_SZ%,"@mmres.dll,-5854" HKO,"AppEvents\Schemes\Apps\Explorer\ActivatingDocument",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\Explorer\BlockedPopup\.current",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\Explorer\BlockedPopup\.default",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\Explorer\EmptyRecycleBin\.Current",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\Explorer\EmptyRecycleBin\.Default",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\Explorer\FeedDiscovered\.current",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\Explorer\FeedDiscovered\.default",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\Explorer\MoveMenuItem",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\Explorer\Navigating\.Current",,%REG_KEYONLY% 
HKO,"AppEvents\Schemes\Apps\Explorer\Navigating\.Default",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\Explorer\SecurityBand\.current",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\Explorer\SecurityBand\.default",,%REG_KEYONLY% HKO,"AppEvents\Schemes\Apps\sapisvr",,%REG_SZ%,"Speech Recognition" HKO,"AppEvents\Schemes\Apps\sapisvr","DispFileName",%REG_SZ%,"@C:\Windows\System32\speech\speechux\sapi.cpl,-5555" HKO,"AppEvents\Schemes\Apps\sapisvr\DisNumbersSound\.current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Speech Disambiguation.wav" HKO,"AppEvents\Schemes\Apps\sapisvr\DisNumbersSound\.default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Speech Disambiguation.wav" HKO,"AppEvents\Schemes\Apps\sapisvr\HubOffSound\.current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Speech Off.wav" HKO,"AppEvents\Schemes\Apps\sapisvr\HubOffSound\.default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Speech Off.wav" HKO,"AppEvents\Schemes\Apps\sapisvr\HubOnSound\.current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Speech On.wav" HKO,"AppEvents\Schemes\Apps\sapisvr\HubOnSound\.default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Speech On.wav" HKO,"AppEvents\Schemes\Apps\sapisvr\HubSleepSound\.current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Speech Sleep.wav" HKO,"AppEvents\Schemes\Apps\sapisvr\HubSleepSound\.default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Speech Sleep.wav" HKO,"AppEvents\Schemes\Apps\sapisvr\MisrecoSound\.current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Speech Misrecognition.wav" HKO,"AppEvents\Schemes\Apps\sapisvr\MisrecoSound\.default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Speech Misrecognition.wav" HKO,"AppEvents\Schemes\Apps\sapisvr\PanelSound\.current",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Speech Disambiguation.wav" HKO,"AppEvents\Schemes\Apps\sapisvr\PanelSound\.default",,%REG_EXPAND_SZ%,"%%SystemRoot%%\media\Speech Disambiguation.wav" HKO,"AppEvents\Schemes\Names\.Default",,%REG_SZ%,"@mmres.dll,-800" HKO,"AppEvents\Schemes\Names\.None",,%REG_SZ%,"@mmres.dll,-801" 
HKO,"Console","ColorTable00",%REG_DWORD%,789516 ; 0x000c0c0c HKO,"Console","ColorTable01",%REG_DWORD%,14300928 ; 0x00da3700 HKO,"Console","ColorTable02",%REG_DWORD%,958739 ; 0x000ea113 HKO,"Console","ColorTable03",%REG_DWORD%,14521914 ; 0x00dd963a HKO,"Console","ColorTable04",%REG_DWORD%,2035653 ; 0x001f0fc5 HKO,"Console","ColorTable05",%REG_DWORD%,9967496 ; 0x00981788 HKO,"Console","ColorTable06",%REG_DWORD%,40129 ; 0x00009cc1 HKO,"Console","ColorTable07",%REG_DWORD%,13421772 ; 0x00cccccc HKO,"Console","ColorTable08",%REG_DWORD%,7763574 ; 0x00767676 HKO,"Console","ColorTable09",%REG_DWORD%,16742459 ; 0x00ff783b HKO,"Console","ColorTable10",%REG_DWORD%,837142 ; 0x000cc616 HKO,"Console","ColorTable11",%REG_DWORD%,14079585 ; 0x00d6d661 HKO,"Console","ColorTable12",%REG_DWORD%,5654759 ; 0x005648e7 HKO,"Console","ColorTable13",%REG_DWORD%,10354868 ; 0x009e00b4 HKO,"Console","ColorTable14",%REG_DWORD%,10875385 ; 0x00a5f1f9 HKO,"Console","ColorTable15",%REG_DWORD%,15921906 ; 0x00f2f2f2 HKO,"Console","CtrlKeyShortcutsDisabled",%REG_DWORD%,0 ; 0x00000000 HKO,"Console","CursorColor",%REG_DWORD%,4294967295 ; 0xffffffff HKO,"Console","CursorSize",%REG_DWORD%,25 ; 0x00000019 HKO,"Console","DefaultBackground",%REG_DWORD%,4294967295 ; 0xffffffff HKO,"Console","DefaultForeground",%REG_DWORD%,4294967295 ; 0xffffffff HKO,"Console","EnableColorSelection",%REG_DWORD%,0 ; 0x00000000 HKO,"Console","ExtendedEditKey",%REG_DWORD%,1 ; 0x00000001 HKO,"Console","ExtendedEditKeyCustom",%REG_DWORD%,0 ; 0x00000000 HKO,"Console","FaceName",%REG_SZ%,"__DefaultTTFont__" HKO,"Console","FilterOnPaste",%REG_DWORD%,1 ; 0x00000001 HKO,"Console","FontFamily",%REG_DWORD%,0 ; 0x00000000 HKO,"Console","FontSize",%REG_DWORD%,1048576 ; 0x00100000 HKO,"Console","FontWeight",%REG_DWORD%,0 ; 0x00000000 HKO,"Console","ForceV2",%REG_DWORD%,1 ; 0x00000001 HKO,"Console","FullScreen",%REG_DWORD%,0 ; 0x00000000 HKO,"Console","HistoryBufferSize",%REG_DWORD%,50 ; 0x00000032 HKO,"Console","HistoryNoDup",%REG_DWORD%,0 ; 
0x00000000 HKO,"Console","InsertMode",%REG_DWORD%,1 ; 0x00000001 HKO,"Console","LineSelection",%REG_DWORD%,1 ; 0x00000001 HKO,"Console","LineWrap",%REG_DWORD%,1 ; 0x00000001 HKO,"Console","LoadConIme",%REG_DWORD%,1 ; 0x00000001 HKO,"Console","NumberOfHistoryBuffers",%REG_DWORD%,4 ; 0x00000004 HKO,"Console","PopupColors",%REG_DWORD%,245 ; 0x000000f5 HKO,"Console","QuickEdit",%REG_DWORD%,1 ; 0x00000001 HKO,"Console","ScreenBufferSize",%REG_DWORD%,589889656 ; 0x23290078 HKO,"Console","ScreenColors",%REG_DWORD%,7 ; 0x00000007 HKO,"Console","ScrollScale",%REG_DWORD%,1 ; 0x00000001 HKO,"Console","TerminalScrolling",%REG_DWORD%,0 ; 0x00000000 HKO,"Console","TrimLeadingZeros",%REG_DWORD%,0 ; 0x00000000 HKO,"Console","WindowAlpha",%REG_DWORD%,255 ; 0x000000ff HKO,"Console","WindowSize",%REG_DWORD%,1966200 ; 0x001e0078 HKO,"Console","WordDelimiters",%REG_DWORD%,0 ; 0x00000000 HKO,"Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe","ColorTable05",%REG_DWORD%,5645313 ; 0x00562401 HKO,"Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe","ColorTable06",%REG_DWORD%,15789550 ; 0x00f0edee HKO,"Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe","FaceName",%REG_SZ%,"Lucida Console" HKO,"Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe","FontFamily",%REG_DWORD%,54 ; 0x00000036 HKO,"Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe","FontWeight",%REG_DWORD%,400 ; 0x00000190 HKO,"Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe","PopupColors",%REG_DWORD%,243 ; 0x000000f3 HKO,"Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe","QuickEdit",%REG_DWORD%,1 ; 0x00000001 HKO,"Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe","ScreenBufferSize",%REG_DWORD%,196608120 ; 0x0bb80078 HKO,"Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe","ScreenColors",%REG_DWORD%,86 ; 0x00000056 
HKO,"Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe","WindowSize",%REG_DWORD%,3276920 ; 0x00320078 HKO,"Console\%SystemRoot%_SysWOW64_WindowsPowerShell_v1.0_powershell.exe","ColorTable05",%REG_DWORD%,5645313 ; 0x00562401 HKO,"Console\%SystemRoot%_SysWOW64_WindowsPowerShell_v1.0_powershell.exe","ColorTable06",%REG_DWORD%,15789550 ; 0x00f0edee HKO,"Console\%SystemRoot%_SysWOW64_WindowsPowerShell_v1.0_powershell.exe","FaceName",%REG_SZ%,"Lucida Console" HKO,"Console\%SystemRoot%_SysWOW64_WindowsPowerShell_v1.0_powershell.exe","FontFamily",%REG_DWORD%,54 ; 0x00000036 HKO,"Console\%SystemRoot%_SysWOW64_WindowsPowerShell_v1.0_powershell.exe","FontWeight",%REG_DWORD%,400 ; 0x00000190 HKO,"Console\%SystemRoot%_SysWOW64_WindowsPowerShell_v1.0_powershell.exe","PopupColors",%REG_DWORD%,243 ; 0x000000f3 HKO,"Console\%SystemRoot%_SysWOW64_WindowsPowerShell_v1.0_powershell.exe","QuickEdit",%REG_DWORD%,1 ; 0x00000001 HKO,"Console\%SystemRoot%_SysWOW64_WindowsPowerShell_v1.0_powershell.exe","ScreenBufferSize",%REG_DWORD%,196608120 ; 0x0bb80078 HKO,"Console\%SystemRoot%_SysWOW64_WindowsPowerShell_v1.0_powershell.exe","ScreenColors",%REG_DWORD%,86 ; 0x00000056 HKO,"Console\%SystemRoot%_SysWOW64_WindowsPowerShell_v1.0_powershell.exe","WindowSize",%REG_DWORD%,3276920 ; 0x00320078 HKO,"Control Panel\Accessibility","MessageDuration",%REG_DWORD%,5 ; 0x00000005 HKO,"Control Panel\Accessibility","MinimumHitRadius",%REG_DWORD%,0 ; 0x00000000 HKO,"Control Panel\Accessibility\AudioDescription","Locale",%REG_SZ%,"" HKO,"Control Panel\Accessibility\AudioDescription","On",%REG_SZ%,"0" HKO,"Control Panel\Accessibility\Blind Access","On",%REG_SZ%,"0" HKO,"Control Panel\Accessibility\HighContrast","Flags",%REG_SZ%,"126" HKO,"Control Panel\Accessibility\HighContrast","High Contrast Scheme",%REG_SZ%,"" HKO,"Control Panel\Accessibility\Keyboard Preference","On",%REG_SZ%,"0" HKO,"Control Panel\Accessibility\Keyboard Response","AutoRepeatDelay",%REG_SZ%,"1000" HKO,"Control 
Panel\Accessibility\Keyboard Response","AutoRepeatRate",%REG_SZ%,"500" HKO,"Control Panel\Accessibility\Keyboard Response","BounceTime",%REG_SZ%,"0" HKO,"Control Panel\Accessibility\Keyboard Response","DelayBeforeAcceptance",%REG_SZ%,"1000" HKO,"Control Panel\Accessibility\Keyboard Response","Flags",%REG_SZ%,"126" HKO,"Control Panel\Accessibility\Keyboard Response","Last BounceKey Setting",%REG_DWORD%,0 ; 0x00000000 HKO,"Control Panel\Accessibility\Keyboard Response","Last Valid Delay",%REG_DWORD%,0 ; 0x00000000 HKO,"Control Panel\Accessibility\Keyboard Response","Last Valid Repeat",%REG_DWORD%,0 ; 0x00000000 HKO,"Control Panel\Accessibility\Keyboard Response","Last Valid Wait",%REG_DWORD%,1000 ; 0x000003e8 HKO,"Control Panel\Accessibility\MouseKeys","Flags",%REG_SZ%,"62" HKO,"Control Panel\Accessibility\MouseKeys","MaximumSpeed",%REG_SZ%,"80" HKO,"Control Panel\Accessibility\MouseKeys","TimeToMaximumSpeed",%REG_SZ%,"3000" HKO,"Control Panel\Accessibility\On","Locale",%REG_DWORD%,0 ; 0x00000000 HKO,"Control Panel\Accessibility\On","On",%REG_DWORD%,0 ; 0x00000000 HKO,"Control Panel\Accessibility\ShowSounds","On",%REG_SZ%,"0" HKO,"Control Panel\Accessibility\SlateLaunch","ATapp",%REG_SZ%,"narrator" HKO,"Control Panel\Accessibility\SlateLaunch","LaunchAT",%REG_DWORD%,1 ; 0x00000001 HKO,"Control Panel\Accessibility\SoundSentry","Flags",%REG_SZ%,"2" HKO,"Control Panel\Accessibility\SoundSentry","FSTextEffect",%REG_SZ%,"0" HKO,"Control Panel\Accessibility\SoundSentry","TextEffect",%REG_SZ%,"0" HKO,"Control Panel\Accessibility\SoundSentry","WindowsEffect",%REG_SZ%,"1" HKO,"Control Panel\Accessibility\StickyKeys","Flags",%REG_SZ%,"510" HKO,"Control Panel\Accessibility\TimeOut","Flags",%REG_SZ%,"2" HKO,"Control Panel\Accessibility\TimeOut","TimeToWait",%REG_SZ%,"300000" HKO,"Control Panel\Accessibility\ToggleKeys","Flags",%REG_SZ%,"62" HKO,"Control Panel\Appearance\New Schemes",,%REG_KEYONLY% HKO,"Control 
Panel\Appearance\Schemes","@themeui.dll,-850",%REG_BINARY%,02,00,00,00,46,00,00,00,01,00,00,00,11,00,00,00,11,00,00,00,14,00,00,00,14,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,fc,7f,22,14,fc,7f,b0,fe,12,00,00,00,00,00,00,00,00,00,98,23,eb,77,0f,00,00,00,0f,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,f0,77,00,20,14,00,00,00,00,10,80,05,14,00,f0,1f,14,00,00,00,14,00,12,00,00,00,12,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,14,00,88,fb,e8,77,02,02,00,00,ac,b9,f0,77,00,00,00,00,20,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,7c,6b,e8,77,00,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,00,00,06,00,00,00,18,00,00,00,ff,ff,ff,ff,f0,4b,21,fc,00,c4,f0,77,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,14,00,0b,00,00,00,00,ff,12,00,50,00,00,00,c0,fe,12,00,0c,10,00,01,00,00,00,00,00,00,00,00,00,00,ff,00,00,ff,ff,00,00,00,00,00,00,00,00,00,ff,ff,ff,00,ff,ff,ff,00,ff,ff,00,00,ff,ff,ff,00,00,00,ff,00,00,ff,ff,00,00,00,00,
00,00,80,00,00,ff,ff,ff,00,00,00,00,00,80,80,80,00,00,ff,00,00,ff,ff,ff,00,00,00,00,00,c0,c0,c0,00,ff,ff,ff,00,ff,ff,ff,00,ff,ff,00,00,00,00,00,00,c0,c0,c0,00,80,80,ff,00,00,00,ff,00,00,ff,ff,00 HKO,"Control Panel\Appearance\Schemes","@themeui.dll,-851",%REG_BINARY%,02,00,00,00,46,00,00,00,01,00,00,00,11,00,00,00,11,00,00,00,14,00,00,00,14,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,fc,7f,22,14,fc,7f,b0,fe,12,00,00,00,00,00,00,00,00,00,98,23,eb,77,0f,00,00,00,0f,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,f0,77,00,20,14,00,00,00,00,10,80,05,14,00,f0,1f,14,00,00,00,14,00,12,00,00,00,12,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,14,00,88,fb,e8,77,02,02,00,00,ac,b9,f0,77,00,00,00,00,20,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,7c,6b,e8,77,00,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,00,00,06,00,00,00,18,00,00,00,ff,ff,ff,ff,f0,4b,21,fc,00,c4,f0,77,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,14,00,0b,00
,00,00,00,ff,12,00,50,00,00,00,c0,fe,12,00,0c,10,00,01,00,00,00,00,00,00,00,00,00,ff,ff,00,00,00,ff,00,00,00,00,00,00,00,00,00,ff,ff,ff,00,00,ff,00,00,00,ff,00,00,00,00,00,00,00,ff,ff,00,00,00,ff,00,ff,ff,ff,00,00,00,ff,00,ff,ff,ff,00,00,00,00,00,80,80,80,00,c0,c0,c0,00,00,ff,00,00,ff,ff,ff,00,c0,c0,c0,00,ff,ff,ff,00,ff,ff,ff,00,00,00,00,00,ff,ff,00,00,c0,c0,c0,00,80,80,ff,00,00,ff,ff,00,00,00,ff,00 HKO,"Control Panel\Appearance\Schemes","@themeui.dll,-852",%REG_BINARY%,02,00,00,00,46,00,00,00,01,00,00,00,11,00,00,00,11,00,00,00,14,00,00,00,14,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,fc,7f,22,14,fc,7f,b0,fe,12,00,00,00,00,00,00,00,00,00,98,23,eb,77,0f,00,00,00,0f,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,f0,77,00,20,14,00,00,00,00,10,80,05,14,00,f0,1f,14,00,00,00,14,00,12,00,00,00,12,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,14,00,88,fb,e8,77,02,02,00,00,ac,b9,f0,77,00,00,00,00,20,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,7c,6b,e8,77,00,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,00,00,06,00,00,00,18,00,00,00,ff,ff,ff,ff,f0,4b,21,fc,00,c4,f0,77,f5,ff,ff,ff,0
0,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,14,00,0b,00,00,00,00,ff,12,00,50,00,00,00,c0,fe,12,00,0c,10,00,01,00,00,00,00,00,00,00,00,80,00,80,00,00,80,00,00,00,00,00,00,00,00,00,00,ff,ff,ff,00,ff,ff,ff,00,ff,ff,ff,00,ff,ff,ff,00,ff,ff,00,00,00,80,00,00,00,00,00,00,80,00,80,00,ff,ff,ff,00,00,00,00,00,80,80,80,00,00,ff,00,00,ff,ff,ff,00,ff,ff,ff,00,c0,c0,c0,00,ff,ff,ff,00,ff,ff,ff,00,ff,ff,ff,00,00,00,00,00,c0,c0,c0,00,80,80,ff,00,80,00,80,00,00,80,00,00 HKO,"Control Panel\Appearance\Schemes","@themeui.dll,-853",%REG_BINARY%,02,00,00,00,46,00,00,00,01,00,00,00,11,00,00,00,11,00,00,00,14,00,00,00,14,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,fc,7f,22,14,fc,7f,b0,fe,12,00,00,00,00,00,00,00,00,00,98,23,eb,77,0f,00,00,00,0f,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,f0,77,00,20,14,00,00,00,00,10,80,05,14,00,f0,1f,14,00,00,00,14,00,12,00,00,00,12,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,14,00,88,fb,e8,77,02,02,00,00,ac,b9,f0,77,00,00,00,00,20,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,7c,6b,e8,77,00,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,00,00,00,00,00,00,
00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,00,00,06,00,00,00,18,00,00,00,ff,ff,ff,ff,f0,4b,21,fc,00,c4,f0,77,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,00,00,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,53,00,61,00,6e,00,73,00,20,00,53,00,65,00,72,00,69,00,66,00,00,00,14,00,0b,00,00,00,00,ff,12,00,50,00,00,00,c0,fe,12,00,0c,10,00,01,ff,ff,ff,00,ff,ff,ff,00,00,00,00,00,ff,ff,ff,00,ff,ff,ff,00,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,00,ff,ff,ff,00,80,80,80,00,c0,c0,c0,00,80,80,80,00,00,00,00,00,ff,ff,ff,00,ff,ff,ff,00,80,80,80,00,00,80,00,00,00,00,00,00,00,00,00,00,c0,c0,c0,00,00,00,00,00,c0,c0,c0,00,00,00,00,00,ff,ff,ff,00,c0,c0,c0,00,00,00,00,00,00,00,00,00,ff,ff,ff,00 HKO,"Control Panel\Appearance\Schemes","@themeui.dll,-854",%REG_BINARY%,02,00,00,00,f4,01,00,00,01,00,00,00,10,00,00,00,10,00,00,00,12,00,00,00,12,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,00,00,00,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,0c,00,00,00,0f,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,00,00,00,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,12,00,00,00,12,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,00,00,00,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,00,00,00,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,00,00,00,00,00
,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,00,00,00,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,00,00,00,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,d4,d0,c8,00,3a,6e,a5,00,0a,24,6a,00,80,80,80,00,d4,d0,c8,00,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,00,ff,ff,ff,00,d4,d0,c8,00,d4,d0,c8,00,80,80,80,00,0a,24,6a,00,ff,ff,ff,00,d4,d0,c8,00,80,80,80,00,80,80,80,00,00,00,00,00,d4,d0,c8,00,ff,ff,ff,00,40,40,40,00,d4,d0,c8,00,00,00,00,00,ff,ff,e1,00,b5,b5,b5,00,00,00,80,00,a6,ca,f0,00,c0,c0,c0,00 HKO,"Control Panel\Colors","ActiveBorder",%REG_SZ%,"180 180 180" HKO,"Control Panel\Colors","ActiveTitle",%REG_SZ%,"153 180 209" HKO,"Control Panel\Colors","AppWorkspace",%REG_SZ%,"171 171 171" HKO,"Control Panel\Colors","Background",%REG_SZ%,"0 0 0" HKO,"Control Panel\Colors","ButtonAlternateFace",%REG_SZ%,"0 0 0" HKO,"Control Panel\Colors","ButtonDkShadow",%REG_SZ%,"105 105 105" HKO,"Control Panel\Colors","ButtonFace",%REG_SZ%,"240 240 240" HKO,"Control Panel\Colors","ButtonHilight",%REG_SZ%,"255 255 255" HKO,"Control Panel\Colors","ButtonLight",%REG_SZ%,"227 227 227" HKO,"Control Panel\Colors","ButtonShadow",%REG_SZ%,"160 160 160" HKO,"Control Panel\Colors","ButtonText",%REG_SZ%,"0 0 0" HKO,"Control Panel\Colors","GradientActiveTitle",%REG_SZ%,"185 209 234" HKO,"Control Panel\Colors","GradientInactiveTitle",%REG_SZ%,"215 228 242" HKO,"Control Panel\Colors","GrayText",%REG_SZ%,"109 109 109" HKO,"Control Panel\Colors","Hilight",%REG_SZ%,"51 153 255" 
HKO,"Control Panel\Colors","HilightText",%REG_SZ%,"255 255 255" HKO,"Control Panel\Colors","HotTrackingColor",%REG_SZ%,"0 102 204" HKO,"Control Panel\Colors","InactiveBorder",%REG_SZ%,"244 247 252" HKO,"Control Panel\Colors","InactiveTitle",%REG_SZ%,"191 205 219" HKO,"Control Panel\Colors","InactiveTitleText",%REG_SZ%,"0 0 0" HKO,"Control Panel\Colors","InfoText",%REG_SZ%,"0 0 0" HKO,"Control Panel\Colors","InfoWindow",%REG_SZ%,"255 255 225" HKO,"Control Panel\Colors","Menu",%REG_SZ%,"240 240 240" HKO,"Control Panel\Colors","MenuBar",%REG_SZ%,"240 240 240" HKO,"Control Panel\Colors","MenuHilight",%REG_SZ%,"51 153 255" HKO,"Control Panel\Colors","MenuText",%REG_SZ%,"0 0 0" HKO,"Control Panel\Colors","Scrollbar",%REG_SZ%,"200 200 200" HKO,"Control Panel\Colors","TitleText",%REG_SZ%,"0 0 0" HKO,"Control Panel\Colors","Window",%REG_SZ%,"255 255 255" HKO,"Control Panel\Colors","WindowFrame",%REG_SZ%,"100 100 100" HKO,"Control Panel\Colors","WindowText",%REG_SZ%,"0 0 0" HKO,"Control Panel\Cursors","AppStarting",%REG_EXPAND_SZ%,"%%SystemRoot%%\cursors\aero_working.ani" HKO,"Control Panel\Cursors","Arrow",%REG_EXPAND_SZ%,"%%SystemRoot%%\cursors\aero_arrow.cur" HKO,"Control Panel\Cursors","ContactVisualization",%REG_DWORD%,1 ; 0x00000001 HKO,"Control Panel\Cursors","Crosshair",%REG_EXPAND_SZ%,"" HKO,"Control Panel\Cursors","CursorBaseSize",%REG_DWORD%,32 ; 0x00000020 HKO,"Control Panel\Cursors","GestureVisualization",%REG_DWORD%,31 ; 0x0000001f HKO,"Control Panel\Cursors","Hand",%REG_EXPAND_SZ%,"%%SystemRoot%%\cursors\aero_link.cur" HKO,"Control Panel\Cursors","Help",%REG_EXPAND_SZ%,"%%SystemRoot%%\cursors\aero_helpsel.cur" HKO,"Control Panel\Cursors","IBeam",%REG_EXPAND_SZ%,"" HKO,"Control Panel\Cursors","No",%REG_EXPAND_SZ%,"%%SystemRoot%%\cursors\aero_unavail.cur" HKO,"Control Panel\Cursors","NWPen",%REG_EXPAND_SZ%,"%%SystemRoot%%\cursors\aero_pen.cur" HKO,"Control Panel\Cursors","Scheme Source",%REG_DWORD%,2 ; 0x00000002 HKO,"Control 
Panel\Cursors","SizeAll",%REG_EXPAND_SZ%,"%%SystemRoot%%\cursors\aero_move.cur" HKO,"Control Panel\Cursors","SizeNESW",%REG_EXPAND_SZ%,"%%SystemRoot%%\cursors\aero_nesw.cur" HKO,"Control Panel\Cursors","SizeNS",%REG_EXPAND_SZ%,"%%SystemRoot%%\cursors\aero_ns.cur" HKO,"Control Panel\Cursors","SizeNWSE",%REG_EXPAND_SZ%,"%%SystemRoot%%\cursors\aero_nwse.cur" HKO,"Control Panel\Cursors","SizeWE",%REG_EXPAND_SZ%,"%%SystemRoot%%\cursors\aero_ew.cur" HKO,"Control Panel\Cursors","UpArrow",%REG_EXPAND_SZ%,"%%SystemRoot%%\cursors\aero_up.cur" HKO,"Control Panel\Cursors","Wait",%REG_EXPAND_SZ%,"%%SystemRoot%%\cursors\aero_busy.ani" HKO,"Control Panel\Desktop","ActiveWndTrackTimeout",%REG_DWORD%,0 ; 0x00000000 HKO,"Control Panel\Desktop","BlockSendInputResets",%REG_SZ%,"0" HKO,"Control Panel\Desktop","CaretTimeout",%REG_DWORD%,5000 ; 0x00001388 HKO,"Control Panel\Desktop","CaretWidth",%REG_DWORD%,1 ; 0x00000001 HKO,"Control Panel\Desktop","ClickLockTime",%REG_DWORD%,1200 ; 0x000004b0 HKO,"Control Panel\Desktop","CoolSwitchColumns",%REG_SZ%,"7" HKO,"Control Panel\Desktop","CoolSwitchRows",%REG_SZ%,"3" HKO,"Control Panel\Desktop","CursorBlinkRate",%REG_SZ%,"530" HKO,"Control Panel\Desktop","DockMoving",%REG_SZ%,"1" HKO,"Control Panel\Desktop","DragFromMaximize",%REG_SZ%,"1" HKO,"Control Panel\Desktop","DragFullWindows",%REG_SZ%,"1" HKO,"Control Panel\Desktop","DragHeight",%REG_SZ%,"4" HKO,"Control Panel\Desktop","DragWidth",%REG_SZ%,"4" HKO,"Control Panel\Desktop","FocusBorderHeight",%REG_DWORD%,1 ; 0x00000001 HKO,"Control Panel\Desktop","FocusBorderWidth",%REG_DWORD%,1 ; 0x00000001 HKO,"Control Panel\Desktop","FontSmoothing",%REG_SZ%,"2" HKO,"Control Panel\Desktop","FontSmoothingGamma",%REG_DWORD%,0 ; 0x00000000 HKO,"Control Panel\Desktop","FontSmoothingOrientation",%REG_DWORD%,1 ; 0x00000001 HKO,"Control Panel\Desktop","FontSmoothingType",%REG_DWORD%,2 ; 0x00000002 HKO,"Control Panel\Desktop","ForegroundFlashCount",%REG_DWORD%,7 ; 0x00000007 HKO,"Control 
Panel\Desktop","ForegroundLockTimeout",%REG_DWORD%,200000 ; 0x00030d40 HKO,"Control Panel\Desktop","LeftOverlapChars",%REG_SZ%,"3" HKO,"Control Panel\Desktop","MenuShowDelay",%REG_SZ%,"400" HKO,"Control Panel\Desktop","MouseWheelRouting",%REG_DWORD%,2 ; 0x00000002 HKO,"Control Panel\Desktop","PaintDesktopVersion",%REG_DWORD%,0 ; 0x00000000 HKO,"Control Panel\Desktop","Pattern",%REG_DWORD%,0 ; 0x00000000 HKO,"Control Panel\Desktop","RightOverlapChars",%REG_SZ%,"3" HKO,"Control Panel\Desktop","ScreenSaveActive",%REG_SZ%,"1" HKO,"Control Panel\Desktop","SnapSizing",%REG_SZ%,"1" HKO,"Control Panel\Desktop","TileWallpaper",%REG_SZ%,"0" HKO,"Control Panel\Desktop","WallPaper",%REG_SZ%,"C:\Windows\Web\Wallpaper\Windows\img0.jpg" HKO,"Control Panel\Desktop","WallpaperOriginX",%REG_DWORD%,0 ; 0x00000000 HKO,"Control Panel\Desktop","WallpaperOriginY",%REG_DWORD%,0 ; 0x00000000 HKO,"Control Panel\Desktop","WallpaperStyle",%REG_SZ%,"10" HKO,"Control Panel\Desktop","WheelScrollChars",%REG_SZ%,"3" HKO,"Control Panel\Desktop","WheelScrollLines",%REG_SZ%,"3" HKO,"Control Panel\Desktop","WindowArrangementActive",%REG_SZ%,"1" HKO,"Control Panel\Desktop\Colors","ActiveBorder",%REG_SZ%,"212 208 200" HKO,"Control Panel\Desktop\Colors","ActiveTitle",%REG_SZ%,"10 36 106" HKO,"Control Panel\Desktop\Colors","AppWorkSpace",%REG_SZ%,"128 128 128" HKO,"Control Panel\Desktop\Colors","ButtonAlternateFace",%REG_SZ%,"181 181 181" HKO,"Control Panel\Desktop\Colors","ButtonDkShadow",%REG_SZ%,"64 64 64" HKO,"Control Panel\Desktop\Colors","ButtonFace",%REG_SZ%,"212 208 200" HKO,"Control Panel\Desktop\Colors","ButtonHiLight",%REG_SZ%,"255 255 255" HKO,"Control Panel\Desktop\Colors","ButtonLight",%REG_SZ%,"212 208 200" HKO,"Control Panel\Desktop\Colors","ButtonShadow",%REG_SZ%,"128 128 128" HKO,"Control Panel\Desktop\Colors","ButtonText",%REG_SZ%,"0 0 0" HKO,"Control Panel\Desktop\Colors","GradientActiveTitle",%REG_SZ%,"166 202 240" HKO,"Control 
Panel\Desktop\Colors","GradientInactiveTitle",%REG_SZ%,"192 192 192" HKO,"Control Panel\Desktop\Colors","GrayText",%REG_SZ%,"128 128 128" HKO,"Control Panel\Desktop\Colors","Hilight",%REG_SZ%,"10 36 106" HKO,"Control Panel\Desktop\Colors","HilightText",%REG_SZ%,"255 255 255" HKO,"Control Panel\Desktop\Colors","HotTrackingColor",%REG_SZ%,"0 0 128" HKO,"Control Panel\Desktop\Colors","InactiveBorder",%REG_SZ%,"212 208 200" HKO,"Control Panel\Desktop\Colors","InactiveTitle",%REG_SZ%,"128 128 128" HKO,"Control Panel\Desktop\Colors","InactiveTitleText",%REG_SZ%,"212 208 200" HKO,"Control Panel\Desktop\Colors","InfoText",%REG_SZ%,"0 0 0" HKO,"Control Panel\Desktop\Colors","InfoWindow",%REG_SZ%,"255 255 255" HKO,"Control Panel\Desktop\Colors","Menu",%REG_SZ%,"212 208 200" HKO,"Control Panel\Desktop\Colors","MenuText",%REG_SZ%,"0 0 0" HKO,"Control Panel\Desktop\Colors","Scrollbar",%REG_SZ%,"212 208 200" HKO,"Control Panel\Desktop\Colors","TitleText",%REG_SZ%,"255 255 255" HKO,"Control Panel\Desktop\Colors","Window",%REG_SZ%,"255 255 255" HKO,"Control Panel\Desktop\Colors","WindowFrame",%REG_SZ%,"0 0 0" HKO,"Control Panel\Desktop\Colors","WindowText",%REG_SZ%,"0 0 0" HKO,"Control Panel\Desktop\WindowMetrics","BorderWidth",%REG_SZ%,"#USR:Control Panel\Desktop\WindowMetrics" HKO,"Control Panel\Desktop\WindowMetrics","CaptionFont",%REG_BINARY%,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,00,00,00,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 HKO,"Control Panel\Desktop\WindowMetrics","CaptionHeight",%REG_SZ%,"-270" HKO,"Control Panel\Desktop\WindowMetrics","CaptionWidth",%REG_SZ%,"-270" HKO,"Control 
Panel\Desktop\WindowMetrics","IconFont",%REG_BINARY%,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,00,00,00,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 HKO,"Control Panel\Desktop\WindowMetrics","IconTitleWrap",%REG_SZ%,"1" HKO,"Control Panel\Desktop\WindowMetrics","MenuFont",%REG_BINARY%,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,00,00,00,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 HKO,"Control Panel\Desktop\WindowMetrics","MenuHeight",%REG_SZ%,"-270" HKO,"Control Panel\Desktop\WindowMetrics","MenuWidth",%REG_SZ%,"-270" HKO,"Control Panel\Desktop\WindowMetrics","MessageFont",%REG_BINARY%,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,00,00,00,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 HKO,"Control Panel\Desktop\WindowMetrics","ScrollHeight",%REG_SZ%,"-240" HKO,"Control Panel\Desktop\WindowMetrics","ScrollWidth",%REG_SZ%,"-240" HKO,"Control Panel\Desktop\WindowMetrics","Shell Icon Size",%REG_SZ%,"32" HKO,"Control Panel\Desktop\WindowMetrics","SmCaptionFont",%REG_BINARY%,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,00,00,00,00,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 HKO,"Control Panel\Desktop\WindowMetrics","SmCaptionHeight",%REG_SZ%,"-180" HKO,"Control Panel\Desktop\WindowMetrics","SmCaptionWidth",%REG_SZ%,"-180" HKO,"Control 
Panel\Desktop\WindowMetrics","StatusFont",%REG_BINARY%,f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,00,00,00,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 HKO,"Control Panel\Input Method","Show Status",%REG_SZ%,"1" HKO,"Control Panel\Input Method\Hot Keys\00000010","Key Modifiers",%REG_BINARY%,02,c0,00,00 HKO,"Control Panel\Input Method\Hot Keys\00000010","Target IME",%REG_BINARY%,00,00,00,00 HKO,"Control Panel\Input Method\Hot Keys\00000010","Virtual Key",%REG_BINARY%,20,00,00,00 HKO,"Control Panel\Input Method\Hot Keys\00000011","Key Modifiers",%REG_BINARY%,04,c0,00,00 HKO,"Control Panel\Input Method\Hot Keys\00000011","Target IME",%REG_BINARY%,00,00,00,00 HKO,"Control Panel\Input Method\Hot Keys\00000011","Virtual Key",%REG_BINARY%,20,00,00,00 HKO,"Control Panel\Input Method\Hot Keys\00000012","Key Modifiers",%REG_BINARY%,02,c0,00,00 HKO,"Control Panel\Input Method\Hot Keys\00000012","Target IME",%REG_BINARY%,00,00,00,00 HKO,"Control Panel\Input Method\Hot Keys\00000012","Virtual Key",%REG_BINARY%,be,00,00,00 HKO,"Control Panel\Input Method\Hot Keys\00000070","Key Modifiers",%REG_BINARY%,02,c0,00,00 HKO,"Control Panel\Input Method\Hot Keys\00000070","Target IME",%REG_BINARY%,00,00,00,00 HKO,"Control Panel\Input Method\Hot Keys\00000070","Virtual Key",%REG_BINARY%,20,00,00,00 HKO,"Control Panel\Input Method\Hot Keys\00000071","Key Modifiers",%REG_BINARY%,04,c0,00,00 HKO,"Control Panel\Input Method\Hot Keys\00000071","Target IME",%REG_BINARY%,00,00,00,00 HKO,"Control Panel\Input Method\Hot Keys\00000071","Virtual Key",%REG_BINARY%,20,00,00,00 HKO,"Control Panel\Input Method\Hot Keys\00000072","Key Modifiers",%REG_BINARY%,03,c0,00,00 HKO,"Control Panel\Input Method\Hot Keys\00000072","Target IME",%REG_BINARY%,00,00,00,00 HKO,"Control Panel\Input Method\Hot Keys\00000072","Virtual 
Key",%REG_BINARY%,bc,00,00,00 HKO,"Control Panel\Input Method\Hot Keys\00000104","Key Modifiers",%REG_BINARY%,06,c0,00,00 HKO,"Control Panel\Input Method\Hot Keys\00000104","Target IME",%REG_BINARY%,11,04,01,e0 HKO,"Control Panel\Input Method\Hot Keys\00000104","Virtual Key",%REG_BINARY%,30,00,00,00 HKO,"Control Panel\Input Method\Hot Keys\00000200","Key Modifiers",%REG_BINARY%,03,c0,00,00 HKO,"Control Panel\Input Method\Hot Keys\00000200","Target IME",%REG_BINARY%,00,00,00,00 HKO,"Control Panel\Input Method\Hot Keys\00000200","Virtual Key",%REG_BINARY%,47,00,00,00 HKO,"Control Panel\Input Method\Hot Keys\00000201","Key Modifiers",%REG_BINARY%,03,c0,00,00 HKO,"Control Panel\Input Method\Hot Keys\00000201","Target IME",%REG_BINARY%,00,00,00,00 HKO,"Control Panel\Input Method\Hot Keys\00000201","Virtual Key",%REG_BINARY%,4b,00,00,00 HKO,"Control Panel\Input Method\Hot Keys\00000202","Key Modifiers",%REG_BINARY%,03,c0,00,00 HKO,"Control Panel\Input Method\Hot Keys\00000202","Target IME",%REG_BINARY%,00,00,00,00 HKO,"Control Panel\Input Method\Hot Keys\00000202","Virtual Key",%REG_BINARY%,4c,00,00,00 HKO,"Control Panel\Input Method\Hot Keys\00000203","Key Modifiers",%REG_BINARY%,03,c0,00,00 HKO,"Control Panel\Input Method\Hot Keys\00000203","Target IME",%REG_BINARY%,00,00,00,00 HKO,"Control Panel\Input Method\Hot Keys\00000203","Virtual Key",%REG_BINARY%,56,00,00,00 HKO,"Control Panel\International","Locale",%REG_SZ%,"00000407" HKO,"Control Panel\International","LocaleName",%REG_SZ%,"de-DE" HKO,"Control Panel\International","s1159",%REG_SZ%,"" HKO,"Control Panel\International","s2359",%REG_SZ%,"" HKO,"Control Panel\International","sCurrency",%REG_SZ%,"€" HKO,"Control Panel\International","sDate",%REG_SZ%,"." 
HKO,"Control Panel\International","sDecimal",%REG_SZ%,"," HKO,"Control Panel\International","sGrouping",%REG_SZ%,"3;0" HKO,"Control Panel\International","sLanguage",%REG_SZ%,"DEU" HKO,"Control Panel\International","sList",%REG_SZ%,";" HKO,"Control Panel\International","sLongDate",%REG_SZ%,"dddd, d. MMMM yyyy" HKO,"Control Panel\International","sMonDecimalSep",%REG_SZ%,"," HKO,"Control Panel\International","sMonGrouping",%REG_SZ%,"3;0" HKO,"Control Panel\International","sMonThousandSep",%REG_SZ%,"." HKO,"Control Panel\International","sNativeDigits",%REG_SZ%,"0123456789" HKO,"Control Panel\International","sNegativeSign",%REG_SZ%,"-" HKO,"Control Panel\International","sPositiveSign",%REG_SZ%,"" HKO,"Control Panel\International","sShortDate",%REG_SZ%,"dd.MM.yyyy" HKO,"Control Panel\International","sThousand",%REG_SZ%,"." HKO,"Control Panel\International","sTime",%REG_SZ%,":" HKO,"Control Panel\International","sTimeFormat",%REG_SZ%,"HH:mm:ss" HKO,"Control Panel\International","sShortTime",%REG_SZ%,"HH:mm" HKO,"Control Panel\International","sYearMonth",%REG_SZ%,"MMMM yyyy" HKO,"Control Panel\International","iCalendarType",%REG_SZ%,"1" HKO,"Control Panel\International","iCountry",%REG_SZ%,"49" HKO,"Control Panel\International","iCurrDigits",%REG_SZ%,"2" HKO,"Control Panel\International","iCurrency",%REG_SZ%,"3" HKO,"Control Panel\International","iDate",%REG_SZ%,"1" HKO,"Control Panel\International","iDigits",%REG_SZ%,"2" HKO,"Control Panel\International","NumShape",%REG_SZ%,"1" HKO,"Control Panel\International","iFirstDayOfWeek",%REG_SZ%,"0" HKO,"Control Panel\International","iFirstWeekOfYear",%REG_SZ%,"2" HKO,"Control Panel\International","iLZero",%REG_SZ%,"1" HKO,"Control Panel\International","iMeasure",%REG_SZ%,"0" HKO,"Control Panel\International","iNegCurr",%REG_SZ%,"8" HKO,"Control Panel\International","iNegNumber",%REG_SZ%,"1" HKO,"Control Panel\International","iPaperSize",%REG_SZ%,"9" HKO,"Control Panel\International","iTime",%REG_SZ%,"1" HKO,"Control 
Panel\International","iTimePrefix",%REG_SZ%,"0" HKO,"Control Panel\International","iTLZero",%REG_SZ%,"1" HKO,"Control Panel\International\Geo","Nation",%REG_SZ%,"94" HKO,"Control Panel\International\Geo","Name",%REG_SZ%,"DE" HKO,"Control Panel\International\User Profile","Languages",%REG_MULTI_SZ%,"de-DE" HKO,"Control Panel\International\User Profile","ShowAutoCorrection",%REG_DWORD%,1 ; 0x00000001 HKO,"Control Panel\International\User Profile","ShowTextPrediction",%REG_DWORD%,1 ; 0x00000001 HKO,"Control Panel\International\User Profile","ShowCasing",%REG_DWORD%,1 ; 0x00000001 HKO,"Control Panel\International\User Profile","ShowShiftLock",%REG_DWORD%,1 ; 0x00000001 HKO,"Control Panel\International\User Profile\de-DE","0407:00000407",%REG_DWORD%,1 ; 0x00000001 HKO,"Control Panel\International\User Profile System Backup","Languages",%REG_MULTI_SZ%,"de-DE" HKO,"Control Panel\International\User Profile System Backup","ShowAutoCorrection",%REG_DWORD%,1 ; 0x00000001 HKO,"Control Panel\International\User Profile System Backup","ShowTextPrediction",%REG_DWORD%,1 ; 0x00000001 HKO,"Control Panel\International\User Profile System Backup","ShowCasing",%REG_DWORD%,1 ; 0x00000001 HKO,"Control Panel\International\User Profile System Backup","ShowShiftLock",%REG_DWORD%,1 ; 0x00000001 HKO,"Control Panel\International\User Profile System Backup\de-DE","0407:00000407",%REG_DWORD%,1 ; 0x00000001 HKO,"Control Panel\Keyboard","InitialKeyboardIndicators",%REG_SZ%,"2147483648" HKO,"Control Panel\Keyboard","KeyboardDelay",%REG_SZ%,"1" HKO,"Control Panel\Keyboard","KeyboardSpeed",%REG_SZ%,"31" HKO,"Control Panel\Mouse","ActiveWindowTracking",%REG_DWORD%,0 ; 0x00000000 HKO,"Control Panel\Mouse","Beep",%REG_SZ%,"No" HKO,"Control Panel\Mouse","DoubleClickHeight",%REG_SZ%,"4" HKO,"Control Panel\Mouse","DoubleClickSpeed",%REG_SZ%,"500" HKO,"Control Panel\Mouse","DoubleClickWidth",%REG_SZ%,"4" HKO,"Control Panel\Mouse","ExtendedSounds",%REG_SZ%,"No" HKO,"Control 
Panel\Mouse","MouseHoverHeight",%REG_SZ%,"4" HKO,"Control Panel\Mouse","MouseHoverTime",%REG_SZ%,"400" HKO,"Control Panel\Mouse","MouseHoverWidth",%REG_SZ%,"4" HKO,"Control Panel\Mouse","MouseSensitivity",%REG_SZ%,"10" HKO,"Control Panel\Mouse","MouseSpeed",%REG_SZ%,"1" HKO,"Control Panel\Mouse","MouseThreshold1",%REG_SZ%,"6" HKO,"Control Panel\Mouse","MouseThreshold2",%REG_SZ%,"10" HKO,"Control Panel\Mouse","MouseTrails",%REG_SZ%,"0" HKO,"Control Panel\Mouse","SmoothMouseXCurve",%REG_BINARY%,00,00,00,00,00,00,00,00,15,6e,00,00,00,00,00,00,00,40,01,00,00,00,00,00,29,dc,03,00,00,00,00,00,00,00,28,00,00,00,00,00 HKO,"Control Panel\Mouse","SmoothMouseYCurve",%REG_BINARY%,00,00,00,00,00,00,00,00,fd,11,01,00,00,00,00,00,00,24,04,00,00,00,00,00,00,fc,12,00,00,00,00,00,00,c0,bb,01,00,00,00,00 HKO,"Control Panel\Mouse","SnapToDefaultButton",%REG_SZ%,"0" HKO,"Control Panel\Mouse","SwapMouseButtons",%REG_SZ%,"0" HKO,"Control Panel\PowerCfg","CurrentPowerPolicy",%REG_SZ%,"0" HKO,"Control Panel\PowerCfg\GlobalPowerPolicy","Policies",%REG_BINARY%,01,00,00,00,00,00,00,00,03,00,00,00,10,00,00,00,00,00,00,00,03,00,00,00,10,00,00,00,02,00,00,00,03,00,00,00,00,00,00,00,02,00,00,00,03,00,00,00,00,00,00,00,02,00,00,00,01,00,00,00,00,00,00,00,02,00,00,00,01,00,00,00,00,00,00,00,01,00,00,00,03,00,00,00,03,00,00,00,00,00,00,c0,01,00,00,00,05,00,00,00,01,00,00,00,0a,00,00,00,00,00,00,00,03,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,16,00,00,00 HKO,"Control Panel\PowerCfg\PowerPolicies\0","Description",%REG_SZ%,"This scheme is suited to most home or desktop computers that are left plugged in all the time." 
HKO,"Control Panel\PowerCfg\PowerPolicies\0","Name",%REG_SZ%,"Home/Office Desk" HKO,"Control Panel\PowerCfg\PowerPolicies\0","Policies",%REG_BINARY%,01,00,00,00,02,00,00,00,01,00,00,00,00,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,2c,01,00,00,32,32,00,03,04,00,00,00,04,00,00,00,00,00,00,00,00,00,00,00,b0,04,00,00,2c,01,00,00,00,00,00,00,58,02,00,00,01,01,64,50,64,64,00,00 HKO,"Control Panel\PowerCfg\PowerPolicies\1","Description",%REG_SZ%,"This scheme is designed for extended battery life for portable computers on the road." HKO,"Control Panel\PowerCfg\PowerPolicies\1","Name",%REG_SZ%,"Portable/Laptop" HKO,"Control Panel\PowerCfg\PowerPolicies\1","Policies",%REG_BINARY%,01,00,00,00,02,00,00,00,01,00,00,00,00,00,00,00,02,00,00,00,01,00,00,00,00,00,00,00,b0,04,00,00,2c,01,00,00,32,32,03,03,04,00,00,00,04,00,00,00,00,00,00,00,00,00,00,00,84,03,00,00,2c,01,00,00,08,07,00,00,2c,01,00,00,01,01,64,50,64,64,00,00 HKO,"Control Panel\PowerCfg\PowerPolicies\2","Description",%REG_SZ%,"This scheme keeps the monitor on for doing presentations." HKO,"Control Panel\PowerCfg\PowerPolicies\2","Name",%REG_SZ%,"Presentation" HKO,"Control Panel\PowerCfg\PowerPolicies\2","Policies",%REG_BINARY%,01,00,00,00,02,00,00,00,01,00,00,00,00,00,00,00,02,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,84,03,00,00,32,32,03,02,04,00,00,00,04,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,2c,01,00,00,01,01,50,50,64,64,00,00 HKO,"Control Panel\PowerCfg\PowerPolicies\3","Description",%REG_SZ%,"This scheme keeps the computer running so that it can be accessed from the network. Use this scheme if you do not have network wakeup hardware." 
HKO,"Control Panel\PowerCfg\PowerPolicies\3","Name",%REG_SZ%,"Always On" HKO,"Control Panel\PowerCfg\PowerPolicies\3","Policies",%REG_BINARY%,01,00,00,00,02,00,00,00,01,00,00,00,00,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,32,32,00,00,04,00,00,00,04,00,00,00,00,00,00,00,00,00,00,00,b0,04,00,00,84,03,00,00,00,00,00,00,08,07,00,00,00,01,64,64,64,64,00,00 HKO,"Control Panel\PowerCfg\PowerPolicies\4","Description",%REG_SZ%,"This scheme keeps the computer on and optimizes it for high performance." HKO,"Control Panel\PowerCfg\PowerPolicies\4","Name",%REG_SZ%,"Minimal Power Management" HKO,"Control Panel\PowerCfg\PowerPolicies\4","Policies",%REG_BINARY%,01,00,00,00,02,00,00,00,01,00,00,00,00,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,2c,01,00,00,32,32,03,03,04,00,00,00,04,00,00,00,00,00,00,00,00,00,00,00,84,03,00,00,2c,01,00,00,00,00,00,00,84,03,00,00,00,01,64,64,64,64,00,00 HKO,"Control Panel\PowerCfg\PowerPolicies\5","Description",%REG_SZ%,"This scheme is extremely aggressive for saving power." 
HKO,"Control Panel\PowerCfg\PowerPolicies\5","Name",%REG_SZ%,"Max Battery" HKO,"Control Panel\PowerCfg\PowerPolicies\5","Policies",%REG_BINARY%,01,00,00,00,02,00,00,00,01,00,00,00,00,00,00,00,02,00,00,00,05,00,00,00,00,00,00,00,b0,04,00,00,78,00,00,00,32,32,03,02,04,00,00,00,04,00,00,00,00,00,00,00,00,00,00,00,84,03,00,00,3c,00,00,00,00,00,00,00,b4,00,00,00,01,01,64,32,64,64,00,00 HKO,"Control Panel\Quick Actions\Pinned",,%REG_KEYONLY% HKO,"Control Panel\Sound","Beep",%REG_SZ%,"yes" HKO,"Control Panel\Sound","ExtendedSounds",%REG_SZ%,"yes" HKO,"Environment","Path",%REG_EXPAND_SZ%,"%%USERPROFILE%%\AppData\Local\Microsoft\WindowsApps;" HKO,"Environment","TEMP",%REG_EXPAND_SZ%,"%%USERPROFILE%%\AppData\Local\Temp" HKO,"Environment","TMP",%REG_EXPAND_SZ%,"%%USERPROFILE%%\AppData\Local\Temp" HKO,"EUDC\932","SystemDefaultEUDCFont",%REG_SZ%,"EUDC.TTE" HKO,"EUDC\936","SystemDefaultEUDCFont",%REG_SZ%,"EUDC.TTE" HKO,"EUDC\949","SystemDefaultEUDCFont",%REG_SZ%,"EUDC.TTE" HKO,"EUDC\950","SystemDefaultEUDCFont",%REG_SZ%,"EUDC.TTE" HKO,"Keyboard Layout\Preload","1",%REG_SZ%,"00000407" HKO,"Keyboard Layout\Substitutes",,%REG_KEYONLY% HKO,"Keyboard Layout\Toggle",,%REG_KEYONLY% HKO,"Network",,%REG_KEYONLY% HKO,"SOFTWARE\Google\Chrome\NativeMessagingHosts\com.microsoft.browsercore",,%REG_SZ%,"C:\Program Files\Windows Security\BrowserCore\manifest.json" HKO,"SOFTWARE\Microsoft\Accessibility",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Assistance\Client\1.0\Settings","FirstTimeHelppaneStartup",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Assistance\Client\1.0\Settings","Height",%REG_DWORD%,340 ; 0x00000154 HKO,"SOFTWARE\Microsoft\Assistance\Client\1.0\Settings","ImplicitFeedback",%REG_DWORD%,0 ; 0x00000000 HKO,"SOFTWARE\Microsoft\Assistance\Client\1.0\Settings","OnlineAssist",%REG_DWORD%,0 ; 0x00000000 HKO,"SOFTWARE\Microsoft\Assistance\Client\1.0\Settings","PositionX",%REG_DWORD%,4294967295 ; 0xffffffff 
HKO,"SOFTWARE\Microsoft\Assistance\Client\1.0\Settings","PositionY",%REG_DWORD%,4294967295 ; 0xffffffff HKO,"SOFTWARE\Microsoft\Assistance\Client\1.0\Settings","UserID",%REG_SZ%,"" HKO,"SOFTWARE\Microsoft\Assistance\Client\1.0\Settings","Width",%REG_DWORD%,510 ; 0x000001fe HKO,"SOFTWARE\Microsoft\Avalon.Graphics",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\CommsAPHost\Test",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\CTF\Assemblies\0x00000407\{34745C63-B2F0-4784-8B67-5E12C8701A31}","Default",%REG_SZ%,"{00000000-0000-0000-0000-000000000000}" HKO,"SOFTWARE\Microsoft\CTF\Assemblies\0x00000407\{34745C63-B2F0-4784-8B67-5E12C8701A31}","Profile",%REG_SZ%,"{00000000-0000-0000-0000-000000000000}" HKO,"SOFTWARE\Microsoft\CTF\Assemblies\0x00000407\{34745C63-B2F0-4784-8B67-5E12C8701A31}","KeyboardLayout",%REG_DWORD%,67568647 ; 0x04070407 HKO,"SOFTWARE\Microsoft\CTF\DirectSwitchHotkeys",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\CTF\HiddenDummyLayouts",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\CTF\SortOrder\AssemblyItem\0x00000407\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000","CLSID",%REG_SZ%,"{00000000-0000-0000-0000-000000000000}" HKO,"SOFTWARE\Microsoft\CTF\SortOrder\AssemblyItem\0x00000407\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000","KeyboardLayout",%REG_DWORD%,67568647 ; 0x04070407 HKO,"SOFTWARE\Microsoft\CTF\SortOrder\AssemblyItem\0x00000407\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000","Profile",%REG_SZ%,"{00000000-0000-0000-0000-000000000000}" HKO,"SOFTWARE\Microsoft\CTF\SortOrder\Language","00000000",%REG_SZ%,"00000407" HKO,"SOFTWARE\Microsoft\CTF\TIP",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Fax\FaxOptions",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Fax\fxsclnt\Archive",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Fax\fxsclnt\Confirm",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Fax\Setup",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Fax\UserInfo",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\GameBarApi",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\IME",,%REG_KEYONLY% 
HKO,"SOFTWARE\Microsoft\Input\TIPC",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Input\TSF\Tsf3Override",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\InputMethod",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\InputPersonalization","RestrictImplicitInkCollection",%REG_DWORD%,0 ; 0x00000000 HKO,"SOFTWARE\Microsoft\InputPersonalization","RestrictImplicitTextCollection",%REG_DWORD%,0 ; 0x00000000 HKO,"SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore","HarvestContacts",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Internet Connection Wizard","Completed",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Internet Explorer\Document Windows","height",%REG_BINARY%,00,00,00,00 HKO,"SOFTWARE\Microsoft\Internet Explorer\Document Windows","Maximized",%REG_SZ%,"no" HKO,"SOFTWARE\Microsoft\Internet Explorer\Document Windows","width",%REG_BINARY%,00,00,00,80 HKO,"SOFTWARE\Microsoft\Internet Explorer\Document Windows","x",%REG_BINARY%,00,00,00,80 HKO,"SOFTWARE\Microsoft\Internet Explorer\Document Windows","y",%REG_BINARY%,00,00,00,00 HKO,"SOFTWARE\Microsoft\Internet Explorer\International","AcceptLanguage",%REG_SZ%,"de-DE,de;q=0.5" HKO,"SOFTWARE\Microsoft\Internet Explorer\Main","Anchor Underline",%REG_SZ%,"yes" HKO,"SOFTWARE\Microsoft\Internet Explorer\Main","Cache_Update_Frequency",%REG_SZ%,"yes" HKO,"SOFTWARE\Microsoft\Internet Explorer\Main","Disable Script Debugger",%REG_SZ%,"yes" HKO,"SOFTWARE\Microsoft\Internet Explorer\Main","DisableScriptDebuggerIE",%REG_SZ%,"yes" HKO,"SOFTWARE\Microsoft\Internet Explorer\Main","Display Inline Images",%REG_SZ%,"yes" HKO,"SOFTWARE\Microsoft\Internet Explorer\Main","Do404Search",%REG_BINARY%,01,00,00,00 HKO,"SOFTWARE\Microsoft\Internet Explorer\Main","Local Page",%REG_SZ%,"%%11%%\blank.htm" HKO,"SOFTWARE\Microsoft\Internet Explorer\Main","Save_Session_History_On_Exit",%REG_SZ%,"no" HKO,"SOFTWARE\Microsoft\Internet Explorer\Main","Search Page",%REG_SZ%,"http://go.microsoft.com/fwlink/?LinkId=54896" HKO,"SOFTWARE\Microsoft\Internet 
Explorer\Main","Show_FullURL",%REG_SZ%,"no" HKO,"SOFTWARE\Microsoft\Internet Explorer\Main","Show_StatusBar",%REG_SZ%,"yes" HKO,"SOFTWARE\Microsoft\Internet Explorer\Main","Show_ToolBar",%REG_SZ%,"yes" HKO,"SOFTWARE\Microsoft\Internet Explorer\Main","Show_URLinStatusBar",%REG_SZ%,"yes" HKO,"SOFTWARE\Microsoft\Internet Explorer\Main","Show_URLToolBar",%REG_SZ%,"yes" HKO,"SOFTWARE\Microsoft\Internet Explorer\Main","Use_DlgBox_Colors",%REG_SZ%,"yes" HKO,"SOFTWARE\Microsoft\Internet Explorer\Main","UseClearType",%REG_SZ%,"no" HKO,"SOFTWARE\Microsoft\Internet Explorer\Main","XMLHTTP",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Internet Explorer\New Windows","PopupMgr",%REG_SZ%,"yes" HKO,"SOFTWARE\Microsoft\Internet Explorer\New Windows","Use Anchor Hover Color",%REG_SZ%,"1" HKO,"SOFTWARE\Microsoft\Internet Explorer\New Windows","UseSecBand",%REG_SZ%,"1" HKO,"SOFTWARE\Microsoft\Internet Explorer\Security","Safety Warning Level",%REG_SZ%,"Query" HKO,"SOFTWARE\Microsoft\Internet Explorer\Security","Sending_Security",%REG_SZ%,"Medium" HKO,"SOFTWARE\Microsoft\Internet Explorer\Security","Viewing_Security",%REG_SZ%,"Low" HKO,"SOFTWARE\Microsoft\Internet Explorer\Services",,%REG_SZ%,"" HKO,"SOFTWARE\Microsoft\Internet Explorer\Settings","Anchor Color",%REG_SZ%,"0,0,255" HKO,"SOFTWARE\Microsoft\Internet Explorer\Settings","Anchor Color Visited",%REG_SZ%,"128,0,128" HKO,"SOFTWARE\Microsoft\Internet Explorer\Settings","Background Color",%REG_SZ%,"192,192,192" HKO,"SOFTWARE\Microsoft\Internet Explorer\Settings","Text Color",%REG_SZ%,"0,0,0" HKO,"SOFTWARE\Microsoft\Internet Explorer\Settings","Use Anchor Hover Color",%REG_SZ%,"No" HKO,"SOFTWARE\Microsoft\Internet Explorer\TypedURLs","url1",%REG_SZ%,"http://go.microsoft.com/fwlink/p/?LinkId=255141" HKO,"SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks","{CFBFAE00-17A6-11D0-99CB-00C04FD64497}",%REG_SZ%,"" HKO,"SOFTWARE\Microsoft\MobilePC\AdaptableSettings",,%REG_KEYONLY% 
HKO,"SOFTWARE\Microsoft\Multimedia\Audio\DefaultEndpoint",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Narrator\NoRoam","RunningState",%REG_DWORD%,0 ; 0x00000000 HKO,"SOFTWARE\Microsoft\OneDrive","EnableDownlevelInstallOnBluePlus",%REG_DWORD%,0 ; 0x00000000 HKO,"SOFTWARE\Microsoft\OneDrive","EnableTHDFFeatures",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Osk","RunningState",%REG_DWORD%,0 ; 0x00000000 HKO,"SOFTWARE\Microsoft\PeerNet\Event_Config",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Personalization\Settings","AcceptedPrivacyPolicy",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Phone\ShellUI",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Remote Assistance",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\ScreenMagnifier","RunningState",%REG_DWORD%,0 ; 0x00000000 HKO,"SOFTWARE\Microsoft\Sensors",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Speech\Preferences\AppCompatDisableDictation","dwm.exe",%REG_SZ%,"" HKO,"SOFTWARE\Microsoft\Speech\Preferences\AppCompatDisableDictation","tabtip.exe",%REG_SZ%,"" HKO,"SOFTWARE\Microsoft\Speech\Preferences\AppCompatDisableMSAA","devenv.exe",%REG_SZ%,"" HKO,"SOFTWARE\Microsoft\Speech\Preferences\AppCompatDisableMSAA","taskmgr.exe",%REG_SZ%,"" HKO,"SOFTWARE\Microsoft\TabletTip\1.7",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\UEV\Agent","UserConsoleVersion",%REG_SZ%,"10.0.19041.1387" HKO,"SOFTWARE\Microsoft\WAB\WAB4\Wab File Name",,%REG_SZ%,"" HKO,"SOFTWARE\Microsoft\WcmSvc\Tethering\Roaming",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\wfs\DraftsView",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\wfs\InboxView",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\wfs\IncomingView",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\wfs\OutboxView",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\wfs\SentItemsView",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Windows\AssignedAccessConfiguration",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ClickNote\UserCustomization\DoubleClickBelowLock","Override",%REG_DWORD%,5 ; 
0x00000005 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ClickNote\UserCustomization\DoubleClickBelowLock","PenWorkspaceVerb",%REG_DWORD%,3 ; 0x00000003 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ClickNote\UserCustomization\LongPressBelowLock","Override",%REG_DWORD%,5 ; 0x00000005 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ClickNote\UserCustomization\LongPressBelowLock","PenWorkspaceVerb",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ClickNote\UserCustomization\SingleClickBelowLock","Override",%REG_DWORD%,8 ; 0x00000008 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ClickNote\UserCustomization\SingleClickBelowLock","PenWorkspaceVerb",%REG_DWORD%,0 ; 0x00000000 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\CloudStore",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager","FeatureManagementEnabled",%REG_DWORD%,0 ; 0x00000000 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager","OemPreInstalledAppsEnabled",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager","PreInstalledAppsEnabled",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager","RotatingLockScreenEnabled",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager","RotatingLockScreenOverlayEnabled",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager","SilentInstalledAppsEnabled",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager","SoftLandingEnabled",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager","SystemPaneSuggestionsEnabled",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager","SlideshowEnabled",%REG_DWORD%,0 ; 0x00000000 
; Registry entries restored to one directive per line. On a single physical
; line every "; 0x..." trailer would comment out the directives that follow it.
; HKO is the root abbreviation used by this dump and the %REG_*% tokens are
; string substitutions; both are defined outside this excerpt.

; ContentDeliveryManager renderer versions and the (empty) Subscriptions key.
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Renderers\SubscribedContent-310091","Version",%REG_SZ%,"2"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Renderers\SubscribedContent-310092","Version",%REG_SZ%,"2"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Renderers\SubscribedContent-338380","Version",%REG_SZ%,"2"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Renderers\SubscribedContent-338381","Version",%REG_SZ%,"2"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Renderers\SubscribedContent-338387","Version",%REG_SZ%,"2"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Renderers\SubscribedContent-338388","Version",%REG_SZ%,"2"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions",,%REG_KEYONLY%

HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced","Start_SearchFiles",%REG_DWORD%,2 ; 0x00000002

; DisableAutoplay is stored as 0, i.e. the "disable" switch is off in this hive.
; NOTE(review): presumably AutoPlay is therefore active for removable media
; unless a policy key overrides it; confirm against the policy hives before
; treating this as the effective setting.
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers","DisableAutoplay",%REG_DWORD%,0 ; 0x00000000
; Both handler-selection defaults are empty strings: no per-event handler is
; pre-selected in this dump.
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\EventHandlersDefaultSelection",,%REG_SZ%,""
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\UserChosenExecuteHandlers",,%REG_SZ%,""

; {645FF040-5081-101B-9F08-00AA002F954E} is the Recycle Bin shell object; the
; "empty"/"full" icons are REG_EXPAND_SZ references into imageres.dll under
; %SystemRoot% (the doubled %% is the INF escape for a literal percent sign).
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon","empty",%REG_EXPAND_SZ%,"%%SystemRoot%%\System32\imageres.dll,-55"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon","full",%REG_EXPAND_SZ%,"%%SystemRoot%%\System32\imageres.dll,-54"

; Search platform preferences (the list continues after this excerpt).
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SearchPlatform\Preferences","BreadCrumbBarSearchDefault",%REG_SZ%,"MSNSearch"
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SearchPlatform\Preferences","DisableAutoNavigateURL",%REG_DWORD%,0 ; 0x00000000
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SearchPlatform\Preferences","DisableAutoResolveEmailAddrs",%REG_DWORD%,0 ; 0x00000000 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SearchPlatform\Preferences","DisableResultsInNewWindow",%REG_DWORD%,0 ; 0x00000000 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SearchPlatform\Preferences","DisableTabbedBrowsing",%REG_DWORD%,0 ; 0x00000000 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SearchPlatform\Preferences","EditSavedSearch",%REG_DWORD%,0 ; 0x00000000 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SearchPlatform\Preferences","IEAddressBarSearchDefault",%REG_SZ%,"MSNSearch" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders","!Do not use this registry key",%REG_SZ%,"Use the SHGetFolderPath or SHGetKnownFolderPath function instead" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","AppData",%REG_EXPAND_SZ%,"%%USERPROFILE%%\AppData\Roaming" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","Cache",%REG_EXPAND_SZ%,"%%USERPROFILE%%\AppData\Local\Microsoft\Windows\INetCache" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","Cookies",%REG_EXPAND_SZ%,"%%USERPROFILE%%\AppData\Local\Microsoft\Windows\INetCookies" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","Desktop",%REG_EXPAND_SZ%,"%%USERPROFILE%%\Desktop" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","Favorites",%REG_EXPAND_SZ%,"%%USERPROFILE%%\Favorites" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","History",%REG_EXPAND_SZ%,"%%USERPROFILE%%\AppData\Local\Microsoft\Windows\History" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","Local AppData",%REG_EXPAND_SZ%,"%%USERPROFILE%%\AppData\Local" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","My 
Music",%REG_EXPAND_SZ%,"%%USERPROFILE%%\Music" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","My Pictures",%REG_EXPAND_SZ%,"%%USERPROFILE%%\Pictures" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","My Video",%REG_EXPAND_SZ%,"%%USERPROFILE%%\Videos" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","NetHood",%REG_EXPAND_SZ%,"%%USERPROFILE%%\AppData\Roaming\Microsoft\Windows\Network Shortcuts" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","Personal",%REG_EXPAND_SZ%,"%%USERPROFILE%%\Documents" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","PrintHood",%REG_EXPAND_SZ%,"%%USERPROFILE%%\AppData\Roaming\Microsoft\Windows\Printer Shortcuts" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","Programs",%REG_EXPAND_SZ%,"%%USERPROFILE%%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","Recent",%REG_EXPAND_SZ%,"%%USERPROFILE%%\AppData\Roaming\Microsoft\Windows\Recent" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","SendTo",%REG_EXPAND_SZ%,"%%USERPROFILE%%\AppData\Roaming\Microsoft\Windows\SendTo" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","Start Menu",%REG_EXPAND_SZ%,"%%USERPROFILE%%\AppData\Roaming\Microsoft\Windows\Start Menu" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","Startup",%REG_EXPAND_SZ%,"%%USERPROFILE%%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","Templates",%REG_EXPAND_SZ%,"%%USERPROFILE%%\AppData\Roaming\Microsoft\Windows\Templates" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders","{374DE290-123F-4565-9164-39C4925E467B}",%REG_EXPAND_SZ%,"%%USERPROFILE%%\Downloads" 
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\FileHistory\RestoreUI","FolderViewType",%REG_SZ%,"MediumIcons" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\FileHistory\RestoreUI","SearchResultsViewType",%REG_SZ%,"Content" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\FileHistory\RestoreUI","WindowLocation",%REG_SZ%,"" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Holographic","FirstRunSucceeded",%REG_DWORD%,0 ; 0x00000000 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Holographic\StageManagement","DisableQuickRoomSetup",%REG_DWORD%,0 ; 0x00000000 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Holographic\StageManagement","DisableStageNearbyRequirement",%REG_DWORD%,0 ; 0x00000000 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","ActiveLearning",%REG_SZ%,"0x00000001" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","AnsiChar",%REG_SZ%,"0x00000001" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","AutoCandState",%REG_SZ%,"0x00000000" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","BallonUI",%REG_SZ%,"0x00000001" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","BeepEnable",%REG_SZ%,"0x00000001" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Big5CharOnly",%REG_SZ%,"0x00000000" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","CandidateLargeFont",%REG_SZ%,"0x00000000" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","CandidateSortType",%REG_SZ%,"0x00000001" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","ChangJie.All.ActiveAlphaNum",%REG_SZ%,"0x00000000" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","ChangJie.All.ZkeyAsWildCard",%REG_SZ%,"0x00000001" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","ChangJie.AssociatedWord",%REG_SZ%,"0x00000001" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","ChangJie.IsOfflineReading",%REG_SZ%,"0x00000000" 
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","ChangJie.ReadLayout",%REG_SZ%,"0x00010030" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","CharMode",%REG_SZ%,"0x00000001" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","CustomLayout",%REG_BINARY%,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,0
0,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","DefaultLanguage",%REG_SZ%,"0x00000001" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Delemiter",%REG_SZ%,"0x00000001" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Domain",%REG_SZ%,"0x00000001" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","EnableCNSReading",%REG_SZ%,"0x00000000" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","EnableExtensionA_Char",%REG_SZ%,"0x00000000" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","EnableExtensionB_Char",%REG_SZ%,"0x00000000" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","EudpSCK",%REG_SZ%,"0x00000001" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Fuzzy",%REG_SZ%,"0x00000000" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","HFTLearning",%REG_SZ%,"0x00000000" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Intellegnt.Eudp",%REG_SZ%,"0x00000001" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Intelligent.AssociatedWord",%REG_SZ%,"0x00000000" 
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Intelligent.AutoFinalize",%REG_SZ%,"0x00000000" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Intelligent.AutoInputSwitch",%REG_SZ%,"0x00000000" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Intelligent.EnableFinal",%REG_SZ%,"0x00000001" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Intelligent.EscapeFunc",%REG_SZ%,"0x00000000" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","LeadingIndicator",%REG_SZ%,"0x00000001" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Legacy.AutoFinalize",%REG_SZ%,"0x00000000" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Legacy.AutoInputSwitch",%REG_SZ%,"0x00000000" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Legacy.EnableFinal",%REG_SZ%,"0x00000000" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Legacy.EscapeFunc",%REG_SZ%,"0x00000000" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Legacy.Eudp",%REG_SZ%,"0x00000000" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Legacy.Modeless",%REG_SZ%,"0x00000000" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","MaxCharPerSentence",%REG_SZ%,"0x00000020" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","NewChangJie.Modeless",%REG_SZ%,"0x00000000" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","NewPhonetic.IntCharMode",%REG_SZ%,"0x00000000" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","NewPhonetic.Modeless",%REG_SZ%,"0x00000000" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","NewQuick.Modeless",%REG_SZ%,"0x00000000" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Phonetic.All.ActiveAlphaNum",%REG_SZ%,"0x00000000" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Phonetic.All.ZkeyAsWildCard",%REG_SZ%,"0x00000001" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Phonetic.AssociatedWord",%REG_SZ%,"0x00000001" 
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Phonetic.IntCharMode",%REG_SZ%,"0x00000001" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Phonetic.IsOfflineReading",%REG_SZ%,"0x00000000" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Phonetic.ReadLayout",%REG_SZ%,"0x00020010" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","PhrManEudpSortType",%REG_SZ%,"0x00000000" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","PhrManSelfLearnSortType",%REG_SZ%,"0x00000000" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","PluginLexiconInfo",%REG_BINARY%,00,00,00,00,00,00,00,00 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","PuncEnable",%REG_SZ%,"0x00000001" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Quick.AssociatedWord",%REG_SZ%,"0x00000001" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Quick.ZkeyAsWildCard",%REG_SZ%,"0x00000000" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","ReconvertLength",%REG_SZ%,"0x00000020" 
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","ReservedWord",%REG_BINARY%,08,00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,2f,00,2f,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,66,00,69,00,6c,00,65,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,66,00,74,00,70,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,68,00,74,00,74,00,70,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,6d,00,61,00,69,00,6c,00,74,00,6f,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,6e,00,65,00,77,00,73,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,77,00,69,00,6e,00,64,00,6f,00,77,00,73,00,00,00,00,00,00,00,00,00,00,00,00,00,77,00,77,00,77,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","ReversedReadingType",%REG_SZ%,"0x00000000" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","SelfLearning",%REG_SZ%,"0x00000001" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","SharedEudp",%REG_SZ%,"0x00000000" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","ShiftLeft",%REG_SZ%,"0x00000000" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","ShiftRight",%REG_SZ%,"0x00000001" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Surrogate",%REG_SZ%,"0x00000000" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","Trigram",%REG_SZ%,"0x00000000" 
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","UserSymbolMapping",%REG_BINARY%,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,20,00,31,00,32,00,33,00,34,00,35,00,36,00,37,00,38,00,39,00,30,00,61,00,62,00,63,00,64,00,65,00,66,00,67,00,68,00,69,00,6a,00,6b,00,6c,00,6d,00,6e,00,6f,00,70,00,71,00,72,00,73,00,74,00,75,00,76,00,77,00,78,00,79,00,7a,00,2d,00,3d,00,5c,00,5b,00,5d,00,3b,00,27,00,2c,00,2e,00,2f,00,60,00,00,30,11,ff,12,ff,13,ff,14,ff,15,ff,16,ff,17,ff,
18,ff,19,ff,10,ff,41,ff,42,ff,43,ff,44,ff,45,ff,46,ff,47,ff,48,ff,49,ff,4a,ff,4b,ff,4c,ff,4d,ff,4e,ff,4f,ff,50,ff,51,ff,52,ff,53,ff,54,ff,55,ff,56,ff,57,ff,58,ff,59,ff,5a,ff,00,25,1d,ff,3c,ff,14,30,15,30,54,fe,19,20,0c,ff,02,30,0f,ff,35,20,20,00,21,00,40,00,23,00,24,00,25,00,5e,00,26,00,2a,00,28,00,29,00,41,00,42,00,43,00,44,00,45,00,46,00,47,00,48,00,49,00,4a,00,4b,00,4c,00,4d,00,4e,00,4f,00,50,00,51,00,52,00,53,00,54,00,55,00,56,00,57,00,58,00,59,00,5a,00,5f,00,2b,00,7c,00,7b,00,7d,00,3a,00,22,00,3c,00,3e,00,3f,00,7e,00,00,30,01,ff,20,ff,03,ff,04,ff,05,ff,3f,fe,06,ff,0a,ff,08,ff,09,ff,21,ff,22,ff,23,ff,24,ff,25,ff,26,ff,27,ff,28,ff,29,ff,2a,ff,2b,ff,2c,ff,2d,ff,2e,ff,2f,ff,30,ff,31,ff,32,ff,33,ff,34,ff,35,ff,36,ff,37,ff,38,ff,39,ff,3a,ff,3f,ff,0b,ff,5c,ff,5b,ff,5d,ff,1a,ff,1d,20,1c,ff,1e,ff,1f,ff,5e,ff,20,00,31,00,32,00,33,00,34,00,35,00,36,00,37,00,38,00,39,00,30,00,61,00,62,00,63,00,64,00,65,00,66,00,67,00,68,00,69,00,6a,00,6b,00,6c,00,6d,00,6e,00,6f,00,70,00,71,00,72,00,73,00,74,00,75,00,76,00,77,00,78,00,79,00,7a,00,2d,00,3d,00,5c,00,5b,00,5d,00,3b,00,27,00,2c,00,2e,00,2f,00,60,00,00,30,11,ff,12,ff,13,ff,14,ff,15,ff,16,ff,17,ff,18,ff,19,ff,10,ff,41,ff,42,ff,43,ff,44,ff,45,ff,46,ff,47,ff,48,ff,49,ff,4a,ff,4b,ff,4c,ff,4d,ff,4e,ff,4f,ff,50,ff,51,ff,52,ff,53,ff,54,ff,55,ff,56,ff,57,ff,58,ff,59,ff,5a,ff,00,25,1d,ff,3c,ff,14,30,15,30,54,fe,19,20,0c,ff,02,30,0f,ff,35,20,20,00,21,00,40,00,23,00,24,00,25,00,5e,00,26,00,2a,00,28,00,29,00,41,00,42,00,43,00,44,00,45,00,46,00,47,00,48,00,49,00,4a,00,4b,00,4c,00,4d,00,4e,00,4f,00,50,00,51,00,52,00,53,00,54,00,55,00,56,00,57,00,58,00,59,00,5a,00,5f,00,2b,00,7c,00,7b,00,7d,00,3a,00,22,00,3c,00,3e,00,3f,00,7e,00,00,30,01,ff,20,ff,03,ff,04,ff,05,ff,3f,fe,06,ff,0a,ff,08,ff,09,ff,21,ff,22,ff,23,ff,24,ff,25,ff,26,ff,27,ff,28,ff,29,ff,2a,ff,2b,ff,2c,ff,2d,ff,2e,ff,2f,ff,30,ff,31,ff,32,ff,33,ff,34,ff,35,ff,36,ff,37,ff,38,ff,39,ff,3a,ff,3f,ff,0b,ff,5c,ff,5b,ff,5d,ff,1a,ff,1d,20,1c,ff,1e,ff,1f,ff,5e,ff,20,00,31,00,32,00,33,00,34,00,35
,00,36,00,37,00,38,00,39,00,30,00,61,00,62,00,63,00,64,00,65,00,66,00,67,00,68,00,69,00,6a,00,6b,00,6c,00,6d,00,6e,00,6f,00,70,00,71,00,72,00,73,00,74,00,75,00,76,00,77,00,78,00,79,00,7a,00,2d,00,3d,00,5c,00,5b,00,5d,00,3b,00,27,00,2c,00,2e,00,2f,00,60,00,00,30,11,ff,12,ff,13,ff,14,ff,15,ff,16,ff,17,ff,18,ff,19,ff,10,ff,41,ff,42,ff,43,ff,44,ff,45,ff,46,ff,47,ff,48,ff,49,ff,4a,ff,4b,ff,4c,ff,4d,ff,4e,ff,4f,ff,50,ff,51,ff,52,ff,53,ff,54,ff,55,ff,56,ff,57,ff,58,ff,59,ff,5a,ff,00,25,1d,ff,3c,ff,14,30,15,30,54,fe,19,20,0c,ff,02,30,0f,ff,35,20,20,00,21,00,40,00,23,00,24,00,25,00,5e,00,26,00,2a,00,28,00,29,00,41,00,42,00,43,00,44,00,45,00,46,00,47,00,48,00,49,00,4a,00,4b,00,4c,00,4d,00,4e,00,4f,00,50,00,51,00,52,00,53,00,54,00,55,00,56,00,57,00,58,00,59,00,5a,00,5f,00,2b,00,7c,00,7b,00,7d,00,3a,00,22,00,3c,00,3e,00,3f,00,7e,00,00,30,01,ff,20,ff,03,ff,04,ff,05,ff,3f,fe,06,ff,0a,ff,08,ff,09,ff,21,ff,22,ff,23,ff,24,ff,25,ff,26,ff,27,ff,28,ff,29,ff,2a,ff,2b,ff,2c,ff,2d,ff,2e,ff,2f,ff,30,ff,31,ff,32,ff,33,ff,34,ff,35,ff,36,ff,37,ff,38,ff,39,ff,3a,ff,3f,ff,0b,ff,5c,ff,5b,ff,5d,ff,1a,ff,1d,20,1c,ff,1e,ff,1f,ff,5e,ff HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70","VirtualInputMode",%REG_SZ%,"0x00000000" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70\FuzzyScheme","Data",%REG_BINARY%,87,3f,00,00 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70\FuzzyScheme","Name",%REG_SZ%,"{EF8C6C27-997A-4af2-BC0E-A15C84790F8C}" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings","CertificateRevocation",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings","DisableCachingOfSSLPages",%REG_DWORD%,0 ; 0x00000000 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings","IE5_UA_Backup_Flag",%REG_SZ%,"5.0" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings","PrivacyAdvanced",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet 
Settings","SecureProtocols",%REG_DWORD%,2688 ; 0x00000a80 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings","User Agent",%REG_SZ%,"Mozilla/5.0 (compatible; MSIE 9.0; Win32)" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache","Persistent",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Http Filters\RPA",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Lock Screen","LockAppAumId",%REG_SZ%,"Microsoft.LockApp_cw5n1h2txyewy!WindowsDefaultLockScreen" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Mobility",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PenWorkspace\Notes","NotesApp",%REG_SZ%,"Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe!App" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PrecisionTouchPad","AAPThreshold",%REG_DWORD%,2 ; 0x00000002 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PrecisionTouchPad","CursorSpeed",%REG_DWORD%,10 ; 0x0000000a HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PrecisionTouchPad","EnableEdgy",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PrecisionTouchPad","LeaveOnWithMouse",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PrecisionTouchPad","PanEnabled",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PrecisionTouchPad","RightClickZoneEnabled",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PrecisionTouchPad","ScrollDirection",%REG_DWORD%,0 ; 0x00000000 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PrecisionTouchPad","TapAndDrag",%REG_DWORD%,1 ; 0x00000001 
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PrecisionTouchPad","TapsEnabled",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PrecisionTouchPad","TwoFingerTapEnabled",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PrecisionTouchPad","ZoomEnabled",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PrecisionTouchPad\Status","Enabled",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Privacy","TailoredExperiencesWithDiagnosticDataEnabled",%REG_DWORD%,2 ; 0x00000002 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.CloudExperienceHostLauncher","ApplicationType",%REG_DWORD%,1073741824 ; 0x40000000 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.CloudExperienceHostLauncher","Capabilities",%REG_DWORD%,9471 ; 0x000024ff HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.CloudExperienceHostLauncher","PackageMoniker",%REG_SZ%,"System" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.CloudExperienceHostLauncherCustom","ApplicationType",%REG_DWORD%,1073741824 ; 0x40000000 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.CloudExperienceHostLauncherCustom","Capabilities",%REG_DWORD%,9471 ; 0x000024ff HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.CloudExperienceHostLauncherCustom","PackageMoniker",%REG_SZ%,"System" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.DisplaySettings","ApplicationType",%REG_DWORD%,1073741824 ; 0x40000000 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.DisplaySettings","Capabilities",%REG_DWORD%,9471 ; 0x000024ff 
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.DisplaySettings","PackageMoniker",%REG_SZ%,"System" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.FodHelper","ApplicationType",%REG_DWORD%,1073741824 ; 0x40000000 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.FodHelper","Capabilities",%REG_DWORD%,9471 ; 0x000024ff HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.FodHelper","PackageMoniker",%REG_SZ%,"System" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.MobilityExperience","ApplicationType",%REG_DWORD%,1073741824 ; 0x40000000 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.MobilityExperience","Capabilities",%REG_DWORD%,9471 ; 0x000024ff HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.MobilityExperience","PackageMoniker",%REG_SZ%,"System" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.Suggested","ApplicationType",%REG_DWORD%,1073741824 ; 0x40000000 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.Suggested","Capabilities",%REG_DWORD%,9471 ; 0x000024ff HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.Suggested","PackageMoniker",%REG_SZ%,"System" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.WindowsTip","ApplicationType",%REG_DWORD%,1073741824 ; 0x40000000 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.WindowsTip","Capabilities",%REG_DWORD%,9471 ; 0x000024ff 
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.WindowsTip","PackageMoniker",%REG_SZ%,"System" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\RADAR","CLResolutionInterval",%REG_DWORD%,5 ; 0x00000005 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\RADAR","DisplayInterval",%REG_DWORD%,1440 ; 0x000005a0 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Run","OneDriveSetup",%REG_SZ%,"C:\Windows\SysWOW64\OneDriveSetup.exe /thfirstsetup" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Screensavers\Bubbles\Screen 1",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Screensavers\Bubbles\Screen 2",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Screensavers\Mystify\Screen 1",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Screensavers\Mystify\Screen 2",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Screensavers\Ribbons\Screen 1",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Screensavers\Ribbons\Screen 2",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Screensavers\ssText3d\Screen 1",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Screensavers\ssText3d\Screen 2",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\AppSync","Enabled",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\SmartGlass","UserAuthPolicy",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony\HandoffPriorities","RequestMakeCall",%REG_SZ%,"DIALER.EXE" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony\HandoffPriorities\MediaModes",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager","DllName",%REG_EXPAND_SZ%,"%%SystemRoot%%\resources\themes\Aero\Aero.msstyles" 
HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager","PrePolicy-DllName",%REG_SZ%,"C:\Windows\resources\themes\Aero\Aero.msstyles" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Themes","InstallVisualStyleColor",%REG_SZ%,"NormalColor" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Themes","InstallVisualStyleSize",%REG_SZ%,"NormalSize" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Themes","LastHighContrastTheme",%REG_EXPAND_SZ%,"%%SystemRoot%%\resources\Ease of Access Themes\hcblack.theme" HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Themes","ThemeChangesDesktopIcons",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Themes","ThemeChangesMousePointers",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize","ColorPrevalence",%REG_DWORD%,0 ; 0x00000000 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize","EnableTransparency",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing","State",%REG_DWORD%,146432 ; 0x00023c00 HKO,"SOFTWARE\Microsoft\Windows\DWM","Composition",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Windows\TabletPC\Snipping Tool",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Windows\TabletPC\TabSetup",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Windows\Windows Error Reporting\Hangs",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices","Microsoft XPS Document Writer",%REG_SZ%,"winspool,Ne00:" HKO,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices","Microsoft Print to PDF",%REG_SZ%,"winspool,Ne01:" HKO,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices","Fax",%REG_SZ%,"winspool,Ne02:" HKO,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\MsiCorruptedFileRecovery\RepairedProducts","AnyIdMax",%REG_DWORD%,5 ; 0x00000005 HKO,"SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\MsiCorruptedFileRecovery\RepairedProducts","SameIdMax",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\MsiCorruptedFileRecovery\RepairedProducts","TimeWindowMinutes",%REG_DWORD%,1440 ; 0x000005a0 HKO,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts","Microsoft XPS Document Writer",%REG_SZ%,"winspool,Ne00:,15,45" HKO,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts","Microsoft Print to PDF",%REG_SZ%,"winspool,Ne01:,15,45" HKO,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts","Fax",%REG_SZ%,"winspool,Ne02:,15,45" HKO,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\TileDataModel\Migration",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows","Device",%REG_SZ%,"" HKO,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows","IsMRUEstablished",%REG_DWORD%,4294967295 ; 0xffffffff HKO,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows","LegacyDefaultPrinterMode",%REG_DWORD%,4294967295 ; 0xffffffff HKO,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Pen","PenArbitrationType",%REG_DWORD%,3 ; 0x00000003 HKO,"SOFTWARE\Microsoft\Wisp\MultiTouch",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters","DblDist",%REG_DWORD%,20 ; 0x00000014 HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters","DblTime",%REG_DWORD%,300 ; 0x0000012c HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters","EraseEnable",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters","FlickMode",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters","FlickTolerance",%REG_DWORD%,50 ; 0x00000032 HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters","HoldMode",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters","HoldTime",%REG_DWORD%,2300 ; 0x000008fc HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters","RightMaskEnable",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters","Splash",%REG_DWORD%,50 ; 
0x00000032 HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters","TapTime",%REG_DWORD%,100 ; 0x00000064 HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters","WaitTime",%REG_DWORD%,300 ; 0x0000012c HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters\CustomFlickCommands",,%REG_KEYONLY% HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters\FlickCommands","down",%REG_SZ%,"{00000000-0000-0000-0000-000000000000}" HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters\FlickCommands","downLeft",%REG_SZ%,"{00000000-0000-0000-0000-000000000000}" HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters\FlickCommands","downRight",%REG_SZ%,"{00000000-0000-0000-0000-000000000000}" HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters\FlickCommands","left",%REG_SZ%,"{00000000-0000-0000-0000-000000000000}" HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters\FlickCommands","right",%REG_SZ%,"{00000000-0000-0000-0000-000000000000}" HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters\FlickCommands","up",%REG_SZ%,"{00000000-0000-0000-0000-000000000000}" HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters\FlickCommands","upLeft",%REG_SZ%,"{00000000-0000-0000-0000-000000000000}" HKO,"SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters\FlickCommands","upRight",%REG_SZ%,"{00000000-0000-0000-0000-000000000000}" HKO,"SOFTWARE\Microsoft\Wisp\Touch","Bouncing",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Wisp\Touch","Friction",%REG_DWORD%,50 ; 0x00000032 HKO,"SOFTWARE\Microsoft\Wisp\Touch","Inertia",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Wisp\Touch","TouchMode_hold",%REG_DWORD%,1 ; 0x00000001 HKO,"SOFTWARE\Microsoft\Wisp\Touch","TouchModeN_DtapDist",%REG_DWORD%,50 ; 0x00000032 HKO,"SOFTWARE\Microsoft\Wisp\Touch","TouchModeN_DtapTime",%REG_DWORD%,50 ; 0x00000032 HKO,"SOFTWARE\Microsoft\Wisp\Touch","TouchModeN_HoldTime_Animation",%REG_DWORD%,50 ; 0x00000032 HKO,"SOFTWARE\Microsoft\Wisp\Touch","TouchModeN_HoldTime_BeforeAnimation",%REG_DWORD%,50 ; 0x00000032 
HKO,"SOFTWARE\Microsoft\Wisp\Touch","TouchUI",%REG_DWORD%,0 ; 0x00000000 HKO,"SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache",,%REG_KEYONLY% HKO,"SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache",,%REG_KEYONLY% HKO,"SOFTWARE\Policies\Power\PowerSettings",,%REG_KEYONLY% HKO,"System\CurrentControlSet\Control\Network\NetworkLocationWizard","ShowCount",%REG_DWORD%,0 ; 0x00000000 ; EOF
bigform with embedded application manifest, version information, icon plus time-stamped digital signature, and OFFREG.COM, a
smallform without these extras.
Note: due to the design and implementation of
Windows’ (classic alias legacy) console, the
Win32 function
WriteConsole()
can only write to a console, not to a file nor a pipe, i.e.
redirection of standard error
is not supported!
The MSDN article Console Handles provides background information.
Create the text file OFFREG.C
with the following
content in an arbitrary, preferably empty directory:
// Copyright © 2004-2023, Stefan Kanthak <stefan.kanthak@nexgo.de>
// * The software is provided "as is" without any warranty, neither express
// nor implied.
// * In no event will the author be held liable for any damage(s) arising
// from the use of the software.
// * Redistribution of the software is allowed only in unmodified form.
// * Permission is granted to use the software solely for personal private
// and non-commercial purposes.
// * An individuals use of the software in his or her capacity or function
// as an agent, (independent) contractor, employee, member or officer of
// a business, corporation or organization (commercial or non-commercial)
// does not qualify as personal private and non-commercial purpose.
// * Without written approval from the author the software must not be used
// for a business, for commercial, corporate, governmental, military or
// organizational purposes of any kind, or in a commercial, corporate,
// governmental, military or organizational environment of any kind.
#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <shellapi.h>
#include <sddl.h>
#include <offreg.h>
// The program is built without the C runtime library, so the copy routines
// are mapped to the compiler's string-move intrinsics.
#define memcpy __movsb
#define wmemcpy __movsw
// Dimensions of the static buffers below: levels of nested keys, characters
// per key name, characters per value name, bytes of value data.
#define MAX_DEPTH 512UL
#define MAX_KEY_LENGTH 255UL
#define MAX_VALUE_NAME 16383UL
#define MAX_VALUE_DATA 1048576UL
typedef unsigned long long QWORD, *LPQWORD;
// Data of the value (or the security descriptor) currently processed.
// Offline() stores a terminating L'\0' behind string data in this buffer,
// so the capacity handed to the enumeration has to leave room for it.
BYTE cbData[MAX_VALUE_DATA];
// Path of the key currently processed; Offline() appends and removes subkey
// names in place while it recurses.
WCHAR szKey[(MAX_KEY_LENGTH + 1) * MAX_DEPTH];
// Name of the value currently processed.
WCHAR szValue[MAX_VALUE_NAME + 1];
// Formats a message printf-style and writes it to a console handle with
// WriteConsole().
//
// Returns TRUE only when the complete formatted text was written, FALSE
// when formatting produced no characters or the console write failed.
//
// The text is built in a 1024-character stack buffer; messages that embed
// long key or value names are presumably cut off by wvsprintf() -- verify.
// __declspec(safebuffers) asks the compiler to omit the /GS stack check
// for this function although it holds that buffer.
__declspec(safebuffers)
BOOL PrintConsole(HANDLE hConsole, [SA_FormatString(Style="printf")] LPCWSTR lpFormat, ...)
{
    WCHAR   szText[1024];
    DWORD   dwText;
    DWORD   dwWritten;
    va_list vaArgs;

    va_start(vaArgs, lpFormat);
    dwText = wvsprintf(szText, lpFormat, vaArgs);
    va_end(vaArgs);

    if (dwText == 0)
        return FALSE;

    return WriteConsole(hConsole, szText, dwText, &dwWritten, NULL)
        && (dwWritten == dwText);
}
// Formats a message printf-style and writes the resulting WCHAR text as raw
// bytes to a file handle with WriteFile(), repeating the call until every
// byte has been accepted.
//
// Returns TRUE when all bytes were written, FALSE when formatting produced
// no characters or a write failed.
//
// The text is built in a 1024-character stack buffer, so this routine is
// only suited for short fields; long strings are presumably cut off by
// wvsprintf() -- verify.
// __declspec(safebuffers) asks the compiler to omit the /GS stack check
// for this function although it holds that buffer.
__declspec(safebuffers)
BOOL PrintFormat(HANDLE hFile, [SA_FormatString(Style="printf")] LPCWSTR lpFormat, ...)
{
    WCHAR   szText[1024];
    LPBYTE  lpPending = (LPBYTE) szText;
    DWORD   dwPending;
    DWORD   dwWritten;
    va_list vaArgs;

    va_start(vaArgs, lpFormat);
    dwPending = wvsprintf(szText, lpFormat, vaArgs);
    va_end(vaArgs);

    if (dwPending == 0)
        return FALSE;

    // from here on the counter holds bytes, not characters
    dwPending *= sizeof(*szText);

    for (;;)
    {
        if (!WriteFile(hFile, lpPending, dwPending, &dwWritten, (LPOVERLAPPED) NULL))
            return FALSE;

        lpPending += dwWritten;
        dwPending -= dwWritten;

        if (dwPending == 0)
            return TRUE;
    }
}
// PrintString() writes a wide string literal without its terminating L'\0'.
// The length is derived with sizeof, so the argument must be a literal (an
// array), never a pointer.
#define PrintString(HANDLE, LITERAL) PrintDirect(HANDLE, LITERAL, sizeof(LITERAL) / sizeof(*LITERAL) - 1UL)

// Writes dwString characters of lpString as raw bytes to hFile, repeating
// WriteFile() until every byte has been accepted. No formatting or escaping
// is applied.
//
// Returns TRUE when all bytes were written, FALSE as soon as a write fails.
__inline
BOOL WINAPI PrintDirect(HANDLE hFile, LPCWSTR lpString, DWORD dwString)
{
    const BYTE *lpPending = (const BYTE *) lpString;
    DWORD      dwPending = dwString * sizeof(*lpString);
    DWORD      dwWritten;

    for (;;)
    {
        if (!WriteFile(hFile, lpPending, dwPending, &dwWritten, (LPOVERLAPPED) NULL))
            return FALSE;

        lpPending += dwWritten;
        dwPending -= dwWritten;

        if (dwPending == 0)
            return TRUE;
    }
}
// Finds the first character of a NUL-terminated string that must be doubled
// inside a quoted INF field: the double quote or the percent sign.
//
// Returns a pointer to that character, or NULL when the string holds none.
// The scan relies on the terminating L'\0'; the caller has to guarantee it.
__inline
LPCWSTR WINAPI InfEscape(LPCWSTR lpString)
{
    for (;; lpString++)
        switch (*lpString)
        {
        case L'"':
        case L'%':
            return lpString;

        case L'\0':
            return NULL;
        }
}
#ifndef TINY
// Lookup table for the hexadecimal dump of value data: entry N holds the
// three characters ",xx" for the byte value N, so that a byte is written
// with PrintDirect() instead of being formatted. Left out when TINY is
// defined; the dump then formats every byte with PrintFormat().
const WCHAR szBytes[256][4] = {L",00", L",01", L",02", L",03", L",04", L",05", L",06", L",07", L",08", L",09", L",0a", L",0b", L",0c", L",0d", L",0e", L",0f",
L",10", L",11", L",12", L",13", L",14", L",15", L",16", L",17", L",18", L",19", L",1a", L",1b", L",1c", L",1d", L",1e", L",1f",
L",20", L",21", L",22", L",23", L",24", L",25", L",26", L",27", L",28", L",29", L",2a", L",2b", L",2c", L",2d", L",2e", L",2f",
L",30", L",31", L",32", L",33", L",34", L",35", L",36", L",37", L",38", L",39", L",3a", L",3b", L",3c", L",3d", L",3e", L",3f",
L",40", L",41", L",42", L",43", L",44", L",45", L",46", L",47", L",48", L",49", L",4a", L",4b", L",4c", L",4d", L",4e", L",4f",
L",50", L",51", L",52", L",53", L",54", L",55", L",56", L",57", L",58", L",59", L",5a", L",5b", L",5c", L",5d", L",5e", L",5f",
L",60", L",61", L",62", L",63", L",64", L",65", L",66", L",67", L",68", L",69", L",6a", L",6b", L",6c", L",6d", L",6e", L",6f",
L",70", L",71", L",72", L",73", L",74", L",75", L",76", L",77", L",78", L",79", L",7a", L",7b", L",7c", L",7d", L",7e", L",7f",
L",80", L",81", L",82", L",83", L",84", L",85", L",86", L",87", L",88", L",89", L",8a", L",8b", L",8c", L",8d", L",8e", L",8f",
L",90", L",91", L",92", L",93", L",94", L",95", L",96", L",97", L",98", L",99", L",9a", L",9b", L",9c", L",9d", L",9e", L",9f",
L",a0", L",a1", L",a2", L",a3", L",a4", L",a5", L",a6", L",a7", L",a8", L",a9", L",aa", L",ab", L",ac", L",ad", L",ae", L",af",
L",b0", L",b1", L",b2", L",b3", L",b4", L",b5", L",b6", L",b7", L",b8", L",b9", L",ba", L",bb", L",bc", L",bd", L",be", L",bf",
L",c0", L",c1", L",c2", L",c3", L",c4", L",c5", L",c6", L",c7", L",c8", L",c9", L",ca", L",cb", L",cc", L",cd", L",ce", L",cf",
L",d0", L",d1", L",d2", L",d3", L",d4", L",d5", L",d6", L",d7", L",d8", L",d9", L",da", L",db", L",dc", L",dd", L",de", L",df",
L",e0", L",e1", L",e2", L",e3", L",e4", L",e5", L",e6", L",e7", L",e8", L",e9", L",ea", L",eb", L",ec", L",ed", L",ee", L",ef",
L",f0", L",f1", L",f2", L",f3", L",f4", L",f5", L",f6", L",f7", L",f8", L",f9", L",fa", L",fb", L",fc", L",fd", L",fe", L",ff"};
#endif
// Names of the registry value types, indexed by the numeric type that
// OREnumValue() reports; Offline() prints them as %REG_<name>% and falls
// back to the hexadecimal type number for any index outside this table.
const LPCWSTR szType[12] = {L"NONE",
L"SZ",
L"EXPAND_SZ",
L"BINARY",
L"DWORD", // alias DWORD_LITTLE_ENDIAN
L"DWORD_BIG_ENDIAN",
L"LINK",
L"MULTI_SZ",
L"RESOURCE_LIST",
L"FULL_RESOURCE_DESCRIPTOR",
L"RESOURCE_REQUIREMENTS_LIST",
L"QWORD"}; // alias QWORD_LITTLE_ENDIAN
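// Writes dwChars characters of lpString to hFile and doubles every '"' and
// '%' on the way, so that the text can stand inside a quoted INF field.
// The length is explicit; the routine does not depend on a terminating
// L'\0'.
//
// NOTE(review): control characters such as CR and LF are written verbatim;
// a name or string from the hive that contains them still breaks the
// line-oriented INF output.
static
BOOL WINAPI PrintEscaped(HANDLE hFile, LPCWSTR lpString, DWORD dwChars)
{
    BOOL    bOutput = TRUE;
    LPCWSTR lpStart = lpString;
    LPCWSTR lpEnd = lpString + dwChars;

    for (; lpString < lpEnd; lpString++)
        if ((*lpString == L'"')
         || (*lpString == L'%'))
        {
            // write the pending run including the special character, then
            // start the next run at that character again: this doubles it
            bOutput &= PrintDirect(hFile, lpStart, (DWORD) (lpString + 1 - lpStart));
            lpStart = lpString;
        }

    if (lpStart < lpEnd)
        bOutput &= PrintDirect(hFile, lpStart, (DWORD) (lpEnd - lpStart));

    return bOutput;
}

// Writes the leading fields of an INF line for the key held in szKey:
// 'HKO,,' for the root key of the hive, 'HKO,"<subkey path>",' otherwise.
// The path is written in full length and escaped.
static
BOOL WINAPI PrintKey(HANDLE hFile, DWORD dwKey)
{
    BOOL    bOutput;
    LPCWSTR lpPath = szKey + sizeof("HKEY_OFFLINE");

    if (dwKey < sizeof("HKEY_OFFLINE"))
        return PrintString(hFile, L"HKO,,");

    bOutput = PrintString(hFile, L"HKO,\"");
    bOutput &= PrintEscaped(hFile, lpPath, (DWORD) wcslen(lpPath));
    bOutput &= PrintString(hFile, L"\",");

    return bOutput;
}

// Dumps one key of an offline registry hive, and recursively all its
// subkeys, as [AddReg] lines of an INF file.
//
//  hConsole  receives diagnostic messages (PrintConsole)
//  hOutput   receives the INF lines (PrintFormat, PrintDirect)
//  hkKey     the open key to dump
//  dwKey     number of characters of the key's path in the global szKey
//
// Returns the Win32 error code of the last operation. NOTE(review): on the
// regular path this is the ERROR_NO_MORE_ITEMS that ends the subkey
// enumeration, and errors reported earlier are not carried into the return
// value, so a caller cannot tell a complete dump from a partial one.
//
// The hive is untrusted input. Compared with the previous revision:
//  * key and value names (and REG_LINK data) are escaped like string data,
//    and written in full length instead of through the 1024-character
//    buffer of PrintFormat();
//  * the capacity passed to OREnumValue() leaves room for the terminators
//    that are stored behind the data, which formerly landed past the end of
//    cbData when a value filled the buffer completely;
//  * the arguments of the two value-name SANITY messages match their format
//    strings.
DWORD WINAPI Offline(HANDLE hConsole, HANDLE hOutput, ORHKEY hkKey, DWORD dwKey)
{
    BOOL    bOutput;
    ORHKEY  hkSubKey;
    LPCWSTR lpSubKey = szKey + dwKey + 1;
    LPCWSTR lpData, lpLast;
#ifdef SANITY
    LPCWSTR lpCount;
    DWORD   dwCount, dwChars;
#endif
    DWORD   dwError;
    DWORD   dwSubKeys, dwSubKey;
    DWORD   dwValues, dwValue, dwType, dwData, dwBytes, dwEnd;

#ifdef SECURITY
    // print every key, followed by its security descriptor as INF comment
    dwData = sizeof(cbData);
    dwError = ORGetKeySecurity(hkKey,
                               OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION | LABEL_SECURITY_INFORMATION,
                               cbData,
                               &dwData);
    if (dwError != ERROR_SUCCESS)
        PrintConsole(hConsole,
                     L"ORGetKeySecurity() returned error %lu for registry key \'%ls\'\n",
                     dwError, szKey);
    else if (!ConvertSecurityDescriptorToStringSecurityDescriptor(cbData,
                                                                  SDDL_REVISION_1,
                                                                  OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION | LABEL_SECURITY_INFORMATION,
                                                                  (LPWSTR *) &lpData,
                                                                  (LPDWORD) NULL))
        PrintConsole(hConsole,
                     L"ConvertSecurityDescriptorToStringSecurityDescriptor() returned error %lu for registry key \'%ls\'\n",
                     dwError = GetLastError(), szKey);
    else
    {
        bOutput = PrintKey(hOutput, dwKey);
        bOutput &= PrintString(hOutput, L",%REG_KEYONLY%\r\n");
        bOutput &= PrintString(hOutput, L"; ");
        bOutput &= PrintDirect(hOutput, lpData, (DWORD) wcslen(lpData));
        bOutput &= PrintString(hOutput, L"\r\n");

        if (!bOutput)
            PrintConsole(hConsole,
                         L"WriteFile() returned error %lu for registry key \'%ls\'\n",
                         dwError = GetLastError(), szKey);

        if (LocalFree((HLOCAL) lpData) != NULL)
            PrintConsole(hConsole,
                         L"LocalFree() returned error %lu\n",
                         GetLastError());
    }
#endif

    // pass 1: the values of this key
    for (dwValues = 0;; dwValues++)
    {
        dwValue = sizeof(szValue) / sizeof(*szValue);
        // reserve two WCHARs behind the data for the terminators stored
        // below; larger values are reported as error instead of being read
        dwData = sizeof(cbData) - 2 * sizeof(L'\0');
        dwError = OREnumValue(hkKey,
                              dwValues,
                              szValue,
                              &dwValue,
                              &dwType,
                              cbData,
                              &dwData);
        if (dwError == ERROR_NO_MORE_ITEMS)
            break;

        if (dwError != ERROR_SUCCESS)
        {
            PrintConsole(hConsole,
                         L"OREnumValue() returned error %lu for registry key \'%ls\'\n",
                         dwError, szKey);
            continue;
        }

        // The hive decides size and content of the data, and string data
        // need not be terminated: put two L'\0' behind it (and clear the
        // odd byte in between) before any code scans it as a string.
        dwEnd = (dwData + 1) / sizeof(L'\0');
        if (dwData % sizeof(L'\0') != 0)
            cbData[dwData] = 0;
        ((LPWSTR) cbData)[dwEnd] = L'\0';
        ((LPWSTR) cbData)[dwEnd + 1] = L'\0';

#ifdef SANITY
        dwChars = (DWORD) wcslen(szValue);
        if (dwValue < dwChars)
            PrintConsole(hConsole,
                         L"ERROR: size (%lu characters) of value name \'%ls\' in registry key \'%ls\' smaller than actual string length (%lu characters)!\n",
                         dwValue, szValue, szKey, dwChars);
        else if (dwValue > dwChars)
            PrintConsole(hConsole,
                         L"WARNING: size (%lu characters) of value name \'%ls\' in registry key \'%ls\' greater than actual string length (%lu characters)\n",
                         dwValue, szValue, szKey, dwChars);

        if (dwData == 0)
            PrintConsole(hConsole,
                         L"WARNING: no value data for value name \'%ls\' in registry key \'%ls\'\n",
                         szValue, szKey);
        else
            switch (dwType)
            {
            case REG_LINK:
                if (dwData % sizeof(L'\0') != 0)
                    PrintConsole(hConsole,
                                 L"ERROR: size (%lu bytes) of value data for value name \'%ls\' in registry key \'%ls\' not a multiple of WCHAR size!\n",
                                 dwData, szValue, szKey);
                break;

            case REG_DWORD_BIG_ENDIAN:
            case REG_DWORD_LITTLE_ENDIAN:
        //  case REG_DWORD:
                if (dwData < sizeof(DWORD))
                    PrintConsole(hConsole,
                                 L"ERROR: size (%lu bytes) of value data for value name \'%ls\' in registry key \'%ls\' smaller than DWORD size!\n",
                                 dwData, szValue, szKey);
                else if (dwData > sizeof(DWORD))
                    PrintConsole(hConsole,
                                 L"WARNING: size (%lu bytes) of value data for value name \'%ls\' in registry key \'%ls\' greater than DWORD size\n",
                                 dwData, szValue, szKey);
                break;

            case REG_QWORD_LITTLE_ENDIAN:
        //  case REG_QWORD:
                if (dwData < sizeof(QWORD))
                    PrintConsole(hConsole,
                                 L"ERROR: size (%lu bytes) of value data for value name \'%ls\' in registry key \'%ls\' smaller than QWORD size!\n",
                                 dwData, szValue, szKey);
                else if (dwData > sizeof(QWORD))
                    PrintConsole(hConsole,
                                 L"WARNING: size (%lu bytes) of value data for value name \'%ls\' in registry key \'%ls\' greater than QWORD size\n",
                                 dwData, szValue, szKey);
                break;

            case REG_SZ:
            case REG_EXPAND_SZ:
                dwChars = (DWORD) wcslen((LPCWSTR) cbData);
                dwBytes = (dwChars + 1) * sizeof(L'\0');
                if (dwData < dwBytes)
                    PrintConsole(hConsole,
                                 L"ERROR: size (%lu bytes) of value data for value name \'%ls\' in registry key \'%ls\' smaller than actual string length (%lu + 1 characters = %lu bytes)\n",
                                 dwData, szValue, szKey, dwChars, dwBytes);
                else if (dwData > dwBytes)
                    PrintConsole(hConsole,
                                 L"WARNING: size (%lu bytes) of value data for value name \'%ls\' in registry key \'%ls\' greater than actual string length (%lu + 1 characters = %lu bytes)\n",
                                 dwData, szValue, szKey, dwChars, dwBytes);
                break;

            case REG_MULTI_SZ:
                // the walk ends at the latest on the two terminators
                // stored behind the data above
                dwChars = 0;
                dwCount = 1;
                lpCount = (LPCWSTR) cbData;
                while (*lpCount != L'\0')
                {
                    dwChars += (DWORD) wcslen(lpCount);
                    dwCount++;
                    lpCount += wcslen(lpCount) + 1;
                }
                dwBytes = (dwChars + dwCount) * sizeof(L'\0');
                if (dwData < dwBytes)
                    PrintConsole(hConsole,
                                 L"ERROR: size (%lu bytes) of value data for value name \'%ls\' in registry key \'%ls\' smaller than sum of actual string lengths (%lu + %lu characters = %lu bytes)\n",
                                 dwData, szValue, szKey, dwChars, dwCount, dwBytes);
                else if (dwData > dwBytes)
                    PrintConsole(hConsole,
                                 L"WARNING: size (%lu bytes) of value data for value name \'%ls\' in registry key \'%ls\' greater than sum of actual string lengths (%lu + %lu characters = %lu bytes)\n",
                                 dwData, szValue, szKey, dwChars, dwCount, dwBytes);
                break;

        //  case REG_NONE:
        //  case REG_BINARY:
        //  case REG_RESOURCE_LIST:
        //  case REG_FULL_RESOURCE_DESCRIPTOR:
        //  case REG_RESOURCE_REQUIREMENTS_LIST:
            }
#ifdef UNKNOWN
        if (dwType > REG_QWORD)
            PrintConsole(hConsole,
                         L"WARNING: unknown data type (0x%08lx) for value name \'%ls\' in registry key \'%ls\'\n",
                         dwType, szValue, szKey);
#endif
#endif // SANITY

        // fields 1 and 2: root and subkey
        bOutput = PrintKey(hOutput, dwKey);

        // field 3: value name, empty for the unnamed (default) value
        if (dwValue == 0)
            bOutput &= PrintString(hOutput, L",");
        else
        {
            bOutput &= PrintString(hOutput, L"\"");
            bOutput &= PrintEscaped(hOutput, szValue, (DWORD) wcslen(szValue));
            bOutput &= PrintString(hOutput, L"\",");
        }

        // field 4: type, as %REG_<name>% string token or as number
        if (dwType < sizeof(szType) / sizeof(*szType))
            bOutput &= PrintFormat(hOutput, L"%%REG_%ls%%", szType[dwType]);
        else
            bOutput &= PrintFormat(hOutput, L"0x%08lx", dwType);

        // field 5 and following: data; everything that does not have the
        // size expected for its type is dumped as list of bytes
        if (dwData == 0)
            bOutput &= PrintString(hOutput, L"\r\n");
        else
            switch (dwType)
            {
            case REG_LINK:
                if (dwData % sizeof(L'\0') != 0)
                    goto DEFAULT;

                bOutput &= PrintString(hOutput, L",\"");
                bOutput &= PrintEscaped(hOutput, (LPCWSTR) cbData, dwData / sizeof(L'\0'));
                bOutput &= PrintString(hOutput, L"\"\r\n");
                break;

            case REG_SZ:
            case REG_EXPAND_SZ:
                if (dwData % sizeof(L'\0') != 0)
                    goto DEFAULT;

                // the string ends at its first L'\0', at the latest on the
                // terminator stored behind the data
                lpData = (LPCWSTR) cbData;
                bOutput &= PrintString(hOutput, L",\"");
                bOutput &= PrintEscaped(hOutput, lpData, (DWORD) wcslen(lpData));
                bOutput &= PrintString(hOutput, L"\"\r\n");
                break;

            case REG_MULTI_SZ:
                if (dwData % sizeof(L'\0') != 0)
                    goto DEFAULT;

                if ((dwData == sizeof(L'\0'))
                 && (*(LPCWSTR) cbData == L'\0'))
                    bOutput &= PrintString(hOutput, L";\r\n");
                else
                {
                    lpData = (LPCWSTR) cbData;
                    dwData /= sizeof(L'\0');
                    lpLast = lpData + dwData;

                    // a regular list ends with two L'\0': skip the second;
                    // any other list ends on the terminator behind the data
                    if ((dwData > 1)
                     && (lpData[dwData - 1] == L'\0')
                     && (lpData[dwData - 2] == L'\0'))
                        lpLast--;

                    do
                        if (*lpData == L'\0')
                            // an empty string inside the list: the ';'
                            // turns the rest of the line into a comment
                            bOutput &= PrintString(hOutput, L";\"\"");
                        else
                        {
                            dwData = (DWORD) wcslen(lpData);
                            bOutput &= PrintString(hOutput, L",\"");
                            bOutput &= PrintEscaped(hOutput, lpData, dwData);
                            bOutput &= PrintString(hOutput, L"\"");
                            lpData += dwData;
                        }
                    while (++lpData < lpLast);

                    bOutput &= PrintString(hOutput, L"\r\n");
                }
                break;

            case REG_DWORD_BIG_ENDIAN:
                if (dwData != sizeof(DWORD))
                    goto DEFAULT;

                // number, followed by the stored representation as comment
                bOutput &= PrintFormat(hOutput, L",%lu ; 0x%08lx\r\n", _byteswap_ulong(*(LPDWORD) cbData), *(LPDWORD) cbData);
                break;

            case REG_DWORD_LITTLE_ENDIAN:
        //  case REG_DWORD:
                if (dwData != sizeof(DWORD))
                    goto DEFAULT;

                bOutput &= PrintFormat(hOutput, L",%lu ; 0x%08lx\r\n", *(LPDWORD) cbData, *(LPDWORD) cbData);
                break;

            case REG_QWORD_LITTLE_ENDIAN:
        //  case REG_QWORD:
                if (dwData != sizeof(QWORD))
                    goto DEFAULT;

                bOutput &= PrintFormat(hOutput, L",%I64u ; 0x%016I64x\r\n", *(LPQWORD) cbData, *(LPQWORD) cbData);
                break;

        //  case REG_NONE:
        //  case REG_BINARY:
        //  case REG_RESOURCE_LIST:
        //  case REG_FULL_RESOURCE_DESCRIPTOR:
        //  case REG_RESOURCE_REQUIREMENTS_LIST:
            default:
            DEFAULT:
                for (dwBytes = 0; dwBytes < dwData; dwBytes++)
#ifdef TINY
                    bOutput &= PrintFormat(hOutput, L",%02x", cbData[dwBytes]);
#else
                    bOutput &= PrintDirect(hOutput, szBytes[cbData[dwBytes]], 3);
#endif
                bOutput &= PrintString(hOutput, L"\r\n");
            }

        if (!bOutput)
            PrintConsole(hConsole,
                         L"WriteFile() returned error %lu for value \'%ls\' of registry key \'%ls\'\n",
                         dwError = GetLastError(), szValue, szKey);
    }

    // pass 2: the subkeys of this key; their names are stored in szKey,
    // directly behind the path of this key
    for (dwSubKeys = 0;; dwSubKeys++)
    {
        dwSubKey = sizeof(szKey) / sizeof(*szKey) - dwKey - 1;
        dwError = OREnumKey(hkKey,
                            dwSubKeys,
                            (LPWSTR) lpSubKey,
                            &dwSubKey,
                            (LPWSTR) NULL,
                            (LPDWORD) NULL,
                            (LPFILETIME) NULL);
        if (dwError == ERROR_NO_MORE_ITEMS)
            break;

        if (dwError != ERROR_SUCCESS)
        {
            PrintConsole(hConsole,
                         L"OREnumKey() returned error %lu for registry key \'%ls\'\n",
                         dwError, szKey);
            continue;
        }

#ifdef SANITY
        dwChars = (DWORD) wcslen(lpSubKey);
        if (dwChars > dwSubKey)
            PrintConsole(hConsole,
                         L"ERROR: size (%lu characters) of subkey name \'%ls\' in registry key \'%ls\' smaller than actual string length (%lu characters)\n",
                         dwSubKey, lpSubKey, szKey, dwChars);
        else if (dwChars < dwSubKey)
            PrintConsole(hConsole,
                         L"WARNING: size (%lu characters) of subkey name \'%ls\' in registry key \'%ls\' greater than actual string length (%lu characters)\n",
                         dwSubKey, lpSubKey, szKey, dwChars);
#endif // SANITY

        // join the path of this key and the name of the subkey
        szKey[dwKey] = L'\\';

        dwError = OROpenKey(hkKey,
                            lpSubKey,
                            &hkSubKey);
        if (dwError != ERROR_SUCCESS)
            PrintConsole(hConsole,
                         L"OROpenKey() returned error %lu for registry key \'%ls\'\n",
                         dwError, szKey);
        else
        {
            dwError = Offline(hConsole, hOutput, hkSubKey, dwKey + 1 + dwSubKey);

            dwValue = ORCloseKey(hkSubKey);
            if (dwValue != ERROR_SUCCESS)
                PrintConsole(hConsole,
                             L"ORCloseKey() returned error %lu for registry key \'%ls\'\n",
                             dwValue, szKey);
        }

        // cut the path back to this key
        szKey[dwKey] = L'\0';
    }

#ifndef SECURITY
    // a key without values and subkeys produced no line yet
    if ((dwValues == 0) && (dwSubKeys == 0))
    {
        bOutput = PrintKey(hOutput, dwKey);
        bOutput &= PrintString(hOutput, L",%REG_KEYONLY%\r\n");

        if (!bOutput)
            PrintConsole(hConsole,
                         L"WriteFile() returned error %lu for empty registry key \'%ls\'\n",
                         dwError = GetLastError(), szKey);
    }
#endif
    return dwError;
}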
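// Entry point of the program (no C runtime startup code is used).
//
// Expects exactly one argument, the file or path name of a registry hive,
// and standard output redirected to a file: FlushFileBuffers() serves as
// the test for that. Writes the INF header, lets Offline() dump the hive
// and writes the trailer; diagnostic messages go to the console attached to
// standard error.
//
// The exit code is ERROR_BAD_ARGUMENTS unless an argument is given, else
// the error of the step that kept the dump from starting; once the hive is
// open it is the error of ORCloseHive() or, if that succeeded, the first
// error met while writing header or trailer. Formerly the result of
// ORCloseHive() replaced those write errors, so a failed write ended with
// exit code 0.
//
// NOTE(review): the return value of Offline() is not used for the exit
// code; as written it is the ERROR_NO_MORE_ITEMS that ends the last
// enumeration on the regular path. Errors inside the dump are therefore
// only visible as console messages.
//
// NOTE(review): the hive named on the command line is untrusted input that
// is parsed by OFFREG.DLL; its keys, names and data end up in the output.
__declspec(noreturn)
VOID WINAPI wmainCRTStartup(VOID)
{
    SYSTEMTIME st;
    LPWSTR  *lpArguments;
    INT     nArguments;
    DWORD   dwError = ERROR_BAD_ARGUMENTS;
    DWORD   dwWrite = ERROR_SUCCESS;    // first error while writing header or trailer
    DWORD   dwMajor, dwMinor;
    HKEY    hkRoot;
    HANDLE  hOutput;
    HANDLE  hConsole = GetStdHandle(STD_ERROR_HANDLE);

    if (hConsole == INVALID_HANDLE_VALUE)
        dwError = GetLastError();
    else
    {
        lpArguments = CommandLineToArgvW(GetCommandLine(), &nArguments);
        if (lpArguments == NULL)
            PrintConsole(hConsole,
                         L"CommandLineToArgv() returned error %lu\n",
                         dwError = GetLastError());
        else
        {
            if (nArguments != 2)
                PrintConsole(hConsole,
                             L"Bad arguments: a single file or path name of a registry hive must be given!\n");
            else
            {
                hOutput = GetStdHandle(STD_OUTPUT_HANDLE);
                if (hOutput == INVALID_HANDLE_VALUE)
                    PrintConsole(hConsole,
                                 L"GetStdHandle() returned error %lu\n",
                                 dwError = GetLastError());
                else
                {
                    if (!FlushFileBuffers(hOutput))
                        PrintConsole(hConsole,
                                     L"FlushFileBuffers() returned error %lu: standard output is not redirected to a file!\n",
                                     dwError = GetLastError());
                    else
                    {
                        ORGetVersion(&dwMajor, &dwMinor);
                        PrintConsole(hConsole,
                                     L"OFFREG.DLL version %lu.%lu\n",
                                     dwMajor, dwMinor);

                        dwError = OROpenHive(lpArguments[1], &hkRoot);
                        if (dwError != ERROR_SUCCESS)
                            PrintConsole(hConsole,
                                         L"OROpenHive() returned error %lu\n",
                                         dwError);
                        else
                        {
                            GetSystemTime(&st);

                            if (!PrintFormat(hOutput,
                                             L"\xFEFF" // UTF-16LE BOM
                                             L"[Version]\r\n"
                                             L"DriverVer = %02hu/%02hu/%04hu,%02hu.%02hu.%02hu.%03hu ; UTC\r\n"
                                             L"Provider = \"Stefan Kanthak\"\r\n"
                                             L"Signature = \"$Windows NT$\"\r\n"
                                             L"\r\n"
                                             L"[Strings]\r\n"
                                             L"REG_SZ = 0x00000000\r\n"
                                             L"REG_BINARY = 0x00000001\r\n"
                                             L"REG_KEYONLY = 0x00000010\r\n"
                                             L"REG_MULTI_SZ = 0x00010000\r\n"
                                             L"REG_DWORD = 0x00010001\r\n"
                                             L"REG_EXPAND_SZ = 0x00020000\r\n"
                                             L"REG_NONE = 0x00020001\r\n"
                                             L"REG_COMPATIBLE = 0x00030001 ; same as REG_BINARY\r\n"
                                             L"REG_DWORD_LITTLE_ENDIAN = 0x00040001 ; same as REG_DWORD\r\n"
                                             L"REG_DWORD_BIG_ENDIAN = 0x00050001\r\n"
                                             L"REG_LINK = 0x00060000\r\n"
                                             L"REG_RESOURCE_LIST = 0x00080001\r\n"
                                             L"REG_FULL_RESOURCE_DESCRIPTOR = 0x00090001\r\n"
                                             L"REG_RESOURCE_REQUIREMENTS_LIST = 0x000a0001\r\n"
                                             L"REG_QWORD = 0x000b0001\r\n"
                                             L"REG_QWORD_LITTLE_ENDIAN = 0x000b0001 ; same as REG_QWORD\r\n"
                                             L"\r\n"
                                             L"[DefaultInstall.NT]\r\n"
                                             L";AddReg = AddReg.HKO\r\n"
                                             L"\r\n"
                                             L"[AddReg.HKO]\r\n",
                                             st.wMonth, st.wDay, st.wYear, st.wHour, st.wMinute, st.wSecond, st.wMilliseconds))
                                PrintConsole(hConsole,
                                             L"WriteFile() returned error %lu\n",
                                             dwWrite = GetLastError());

                            // szKey starts with the name of the pseudo root,
                            // copied including its terminating L'\0'
                            memcpy(szKey, L"HKEY_OFFLINE", sizeof(L"HKEY_OFFLINE"));

                            // result not used, see the note above
                            Offline(hConsole, hOutput, hkRoot, sizeof("HKEY_OFFLINE") - 1);

                            if (!PrintString(hOutput,
                                             L"\r\n"
                                             L"; EOF\r\n"))
                            {
                                dwError = GetLastError();
                                PrintConsole(hConsole,
                                             L"WriteFile() returned error %lu\n",
                                             dwError);

                                if (dwWrite == ERROR_SUCCESS)
                                    dwWrite = dwError;
                            }

                            dwError = ORCloseHive(hkRoot);
                            if (dwError != ERROR_SUCCESS)
                                PrintConsole(hConsole,
                                             L"ORCloseHive() returned error %lu\n",
                                             dwError);
                            else
                                // do not let the successful close hide a
                                // failed write of header or trailer
                                dwError = dwWrite;
                        }
                    }

                    if (!CloseHandle(hOutput))
                        PrintConsole(hConsole,
                                     L"CloseHandle() returned error %lu\n",
                                     GetLastError());
                }
            }

            if (LocalFree(lpArguments) != NULL)
                PrintConsole(hConsole,
                             L"LocalFree() returned error %lu\n",
                             GetLastError());
        }

        if (!CloseHandle(hConsole))
            PrintConsole(hConsole,
                         L"CloseHandle() returned error %lu\n",
                         GetLastError());
    }

    ExitProcess(dwError);
}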
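Note: with the preprocessor macro SANITY defined, several consistency and sanity checks regarding the size of key and value names as well as value data and value data types are performed. The command lines shown below pass no /D option, so unless OFFREG.C defines the macro itself these checks are not compiled into that build; define it when the hive to be read comes from a source you do not control.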
Note: with the preprocessor macro
SECURITY
defined, the
security descriptors
of enumerated keys are printed in
Security Descriptor Definition Language
notation.
Note: with the preprocessor macro TINY
defined, the application gets 2036 bytes smaller, but also a little
slower!
Run the following four command lines to compile the source file OFFREG.C created in step 1., link the compiled object file OFFREG.OBJ and clean up afterwards:
SET CL=/GAFS /Gy /O1isy /W4 /Zl
SET LINK=/DEFAULTLIB:ADVAPI32.LIB /DEFAULTLIB:KERNEL32.LIB /DEFAULTLIB:OFFREG.LIB /DEFAULTLIB:SHELL32.LIB /DEFAULTLIB:USER32.LIB /ENTRY:mainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /OSVERSION:5.0 /RELEASE /SUBSYSTEM:CONSOLE /SWAPRUN:CD,NET /VERSION:0.815
CL.EXE /FeOFFREG.COM OFFREG.C
ERASE OFFREG.OBJ
For details and reference see the MSDN articles Compiler Options and Linker Options.
Note: if necessary, see the
MSDN article
Use the Microsoft C++ toolset from the command line
for an introduction.
Note: the command lines can be copied and pasted as block into a Command Processor window!
Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.

OFFREG.C
OFFREG.C(523) : warning C4090: 'function' : different 'const' qualifiers
Microsoft (R) Incremental Linker Version 10.00.40219.386
Copyright (C) Microsoft Corporation. All rights reserved.
…
Create the text file OFFREG.TXT with the following content in an arbitrary, preferably empty directory:
4d 5a 90 00 01 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
d0 00 00 00 43 00 00 00 40 00 00 00 00 00 00 00 ....C...@.......
00 00 00 00 19 57 04 27 00 00 00 00 00 00 00 00 .....W.'........
00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 00 ................
28 43 29 6f 70 79 72 69 67 68 74 20 32 30 30 34 (C)opyright 2004
2d 32 30 32 33 2c 20 53 74 65 66 61 6e 20 4b 61 -2023, Stefan Ka
6e 74 68 61 6b 20 3c 73 74 65 66 61 6e 2e 6b 61 nthak <stefan.ka
6e 74 68 61 6b 40 6e 65 78 67 6f 2e 64 65 3e 0d nthak@nexgo.de>.
0a 07 24 0e 1f 33 d2 b4 09 cd 21 b8 01 4c cd 21 ..$..3....!..L.!
50 45 00 00 4c 01 03 00 56 4f 49 44 00 00 00 00 PE..L...VOID....
00 00 00 00 e0 00 23 0d 0b 01 0a 00 00 0c 00 00 ......#.........
00 1a 00 00 00 80 14 00 91 16 00 00 00 10 00 00 ................
00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00 . ....@.........
05 00 00 00 00 00 2f 03 05 00 00 00 00 00 00 00 ....../.........
00 c0 14 00 00 02 00 00 1c 63 00 00 03 00 00 85 .........c......
00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 ................
00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ................
a0 37 00 00 50 00 00 00 00 00 00 00 00 00 00 00 .7..P...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 38 37 00 00 40 00 00 00 ........87..@...
00 00 00 00 00 00 00 00 00 20 00 00 5c 00 00 00 ......... ..\...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 2e 63 6f 64 65 00 00 00 .........code...
6b 0a 00 00 00 10 00 00 00 0c 00 00 00 02 00 00 k...............
00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 ............ ..`
2e 63 6f 6e 73 74 00 00 98 19 00 00 00 20 00 00 .const....... ..
00 1a 00 00 00 0e 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 40 00 00 40 2e 62 73 73 00 00 00 00 ....@..@.bss....
00 80 14 00 00 40 00 00 00 00 00 00 00 00 00 00 .....@..........
00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 ................
55 8b ec 81 ec 08 08 00 00 56 8d 45 10 50 ff 75 U........V.E.P.u
0c 8d 85 f8 f7 ff ff 50 ff 15 54 20 40 00 8b f0 .......P..T @...
85 f6 75 04 33 c0 eb 23 6a 00 8d 45 fc 50 56 8d ..u.3..#j..E.PV.
85 f8 f7 ff ff 50 ff 75 08 ff 15 00 20 40 00 85 .....P.u.... @..
c0 74 e1 33 c0 39 75 fc 0f 94 c0 5e c9 c3 55 8b .t.3.9u....^..U.
ec 81 ec 08 08 00 00 8d 45 10 50 ff 75 0c 8d 85 ........E.P.u...
f8 f7 ff ff 50 ff 15 54 20 40 00 85 c0 75 02 c9 ....P..T @...u..
c3 56 57 8d 3c 00 8d b5 f8 f7 ff ff 6a 00 8d 45 .VW.<.......j..E
fc 50 57 56 ff 75 08 ff 15 04 20 40 00 85 c0 74 .PWV.u.... @...t
0f 03 75 fc 2b 7d fc 75 e3 33 c0 40 5f 5e c9 c3 ..u.+}.u.3.@_^..
33 c0 eb f8 55 8b ec 56 8b 75 10 57 8b 7d 0c 03 3...U..V.u.W.}..
f6 6a 00 8d 45 10 50 56 57 ff 75 08 ff 15 04 20 .j..E.PVW.u....
40 00 85 c0 74 11 03 7d 10 2b 75 10 75 e3 33 c0 @...t..}.+u.u.3.
40 5f 5e 5d c2 0c 00 33 c0 eb f6 8b 44 24 04 0f @_^]...3....D$..
b7 08 83 f9 22 74 0f 83 f9 25 74 0a 83 c0 02 66 ...."t...%t....f
85 c9 75 eb 33 c0 c2 04 00 55 8b ec 83 ec 24 53 ..u.3....U....$S
56 57 8d 45 fc 50 be 00 c0 44 00 56 8d 45 e4 50 VW.E.P...D.V.E.P
8d 45 f8 50 33 db 68 00 40 44 00 53 ff 75 10 89 .E.P3.h.@D.S.u..
5d ec c7 45 f8 00 40 00 00 c7 45 fc 00 00 10 00 ]..E..@...E.....
ff 15 40 20 40 00 bf 03 01 00 00 e9 eb 03 00 00 ..@ @...........
3b c3 74 20 68 00 40 40 00 50 68 dc 2c 40 00 68 ;.t h.@@.Ph.,@.h
78 2c 40 00 ff 75 08 e8 a4 fe ff ff 83 c4 14 e9 x,@..u..........
98 03 00 00 83 7d 14 0d 73 11 68 6c 2c 40 00 ff .....}..s.hl,@..
75 0c e8 d7 fe ff ff 59 59 eb 15 68 1a 40 40 00 u......YY..h.@@.
68 54 2c 40 00 ff 75 0c e8 c1 fe ff ff 83 c4 0c hT,@..u.........
8b d8 8b 45 e4 83 f8 0c 73 2b 83 7d f8 00 ff 34 ...E....s+.}...4
85 80 29 40 00 75 12 68 38 2c 40 00 ff 75 0c e8 ..)@.u.h8,@..u..
9a fe ff ff 83 c4 0c eb 2f 68 00 40 44 00 68 14 ......../h.@D.h.
2c 40 00 eb 18 83 7d f8 00 50 75 07 68 00 2c 40 ,@....}..Pu.h.,@
00 eb d9 68 00 40 44 00 68 e4 2b 40 00 ff 75 0c ...h.@D.h.+@..u.
e8 69 fe ff ff 83 c4 10 23 d8 8b 45 fc 33 d2 3b .i......#..E.3.;
c2 0f 84 c8 02 00 00 8b 4d e4 3b ca 0f 86 8d 02 ........M.;.....
00 00 83 f9 02 0f 86 df 01 00 00 83 f9 04 0f 84 ................
c5 01 00 00 83 f9 05 0f 84 95 01 00 00 83 f9 06 ................
0f 84 56 01 00 00 83 f9 07 74 36 83 f9 0b 0f 85 ..V......t6.....
5b 02 00 00 83 f8 08 0f 85 52 02 00 00 a1 04 c0 [........R......
44 00 8b 0d 00 c0 44 00 50 51 50 51 68 b8 2b 40 D.....D.PQPQh.+@
00 ff 75 0c e8 f5 fd ff ff 83 c4 18 e9 6d 02 00 ..u..........m..
00 a8 01 0f 85 26 02 00 00 83 f8 02 75 15 66 39 .....&......u.f9
15 00 c0 44 00 75 0c 6a 03 68 b0 2b 40 00 e9 43 ...D.u.j.h.+@..C
02 00 00 d1 e8 8d 0c 45 00 c0 44 00 8b fe 89 45 .......E..D....E
fc 89 4d e0 83 f8 01 76 19 8d 51 fe 66 83 3a 00 ..M....v..Q.f.:.
75 10 66 83 3c 45 fc bf 44 00 00 75 05 89 55 e0 u.f.<E..D..u..U.
eb 05 33 c0 66 89 01 66 83 3f 00 75 0c 6a 03 68 ..3.f..f.?.u.j.h
a8 2b 40 00 e9 84 00 00 00 8b c7 8d 50 02 66 8b .+@.........P.f.
08 83 c0 02 66 85 c9 75 f5 6a 02 2b c2 68 a0 2b ....f..u.j.+.h.+
40 00 ff 75 0c d1 f8 89 45 fc e8 b5 fd ff ff 57 @..u....E......W
23 d8 89 7d f4 e8 e1 fd ff ff 8b 4d fc 8d 3c 4f #..}.......M..<O
eb 28 8b 45 e8 2b 45 f4 83 c0 02 d1 f8 50 ff 75 .(.E.+E......P.u
f4 ff 75 0c e8 8b fd ff ff 23 d8 8b 45 e8 89 45 ..u......#..E..E
f4 83 c0 02 50 e8 b1 fd ff ff 89 45 e8 85 c0 75 ....P......E...u
d1 8b c7 2b 45 f4 d1 f8 50 ff 75 f4 ff 75 0c e8 ...+E...P.u..u..
60 fd ff ff 6a 01 23 d8 68 9c 2b 40 00 ff 75 0c `...j.#.h.+@..u.
e8 4f fd ff ff 83 c7 02 23 d8 3b 7d e0 0f 82 54 .O......#.;}...T
ff ff ff 6a 02 68 94 2b 40 00 ff 75 0c e8 32 fd ...j.h.+@..u..2.
ff ff bf 03 01 00 00 e9 52 01 00 00 a8 01 0f 85 ........R.......
0b 01 00 00 6a 02 68 a0 2b 40 00 ff 75 0c e8 11 ....j.h.+@..u...
fd ff ff 23 d8 8b 45 fc d1 e8 50 56 ff 75 0c e8 ...#..E...PV.u..
00 fd ff ff 6a 03 23 d8 68 8c 2b 40 00 e9 14 01 ....j.#.h.+@....
00 00 83 f8 04 0f 85 d4 00 00 00 a1 00 c0 44 00 ..............D.
50 0f c8 50 68 68 2b 40 00 ff 75 0c e8 7d fc ff P..Phh+@..u..}..
ff 83 c4 10 e9 f5 00 00 00 83 f8 04 0f 85 ad 00 ................
00 00 a1 00 c0 44 00 50 eb d9 a8 01 0f 85 9d 00 .....D.P........
00 00 66 39 15 00 c0 44 00 75 0c 6a 05 68 5c 2b ..f9...D.u.j.h\+
40 00 e9 bf 00 00 00 d1 e8 33 c9 66 89 0c 45 00 @........3.f..E.
c0 44 00 8b c6 89 75 f4 8d 48 02 66 8b 10 83 c0 .D....u..H.f....
02 66 85 d2 75 f5 6a 02 2b c1 68 a0 2b 40 00 ff .f..u.j.+.h.+@..
75 0c d1 f8 89 45 fc e8 68 fc ff ff 56 eb 1d 8b u....E..h...V...
c7 2b 45 f4 83 c0 02 d1 f8 50 ff 75 f4 ff 75 0c .+E......P.u..u.
e8 4f fc ff ff 89 7d f4 83 c7 02 57 23 d8 e8 78 .O....}....W#..x
fc ff ff 8b f8 85 ff 75 d6 8b 45 fc 03 c0 2b 45 .......u..E...+E
f4 03 c6 d1 f8 50 ff 75 f4 ff 75 0c e8 23 fc ff .....P.u..u..#..
ff 6a 03 23 d8 68 8c 2b 40 00 e9 db fe ff ff 89 .j.#.h.+@.......
55 f4 3b c2 76 29 8b 45 f4 0f b6 80 00 c0 44 00 U.;.v).E......D.
6a 03 8d 04 c5 80 21 40 00 50 ff 75 0c e8 f2 fb j.....!@.P.u....
ff ff 23 d8 ff 45 f4 8b 45 f4 3b 45 fc 72 d7 6a ..#..E..E.;E.r.j
02 68 94 2b 40 00 ff 75 0c e8 d6 fb ff ff 23 d8 .h.+@..u......#.
85 db 75 26 ff 15 08 20 40 00 68 00 40 40 00 68 ..u&... @.h.@@.h
00 40 44 00 50 68 48 2b 40 00 68 c8 2a 40 00 ff .@D.PhH+@.h.*@..
75 08 e8 09 fb ff ff 83 c4 18 33 db ff 45 ec 8d u.........3..E..
45 fc 50 56 8d 45 e4 50 8d 45 f8 50 68 00 40 44 E.PV.E.P.E.Ph.@D
00 ff 75 ec c7 45 f8 00 40 00 00 ff 75 10 c7 45 ..u..E..@...u..E
fc 00 00 10 00 ff 15 40 20 40 00 3b c7 0f 85 0d .......@ @.;....
fc ff ff 8b 75 14 53 b8 ff ff 01 00 2b c6 53 89 ....u.S.....+.S.
45 e0 89 45 f0 53 8d 45 f0 50 8d 04 75 02 40 40 E..E.S.E.P..u.@@
00 50 89 5d f4 53 e9 bb 00 00 00 39 5d 14 74 1f .P.].S.....9].t.
68 00 40 40 00 ff 75 14 68 b4 2a 40 00 68 78 2c h.@@..u.h.*@.hx,
40 00 ff 75 08 e8 86 fa ff ff 83 c4 14 eb 7c 6a @..u..........|j
5c 58 66 89 04 75 00 40 40 00 8d 45 dc 50 8d 04 \Xf..u.@@..E.P..
75 02 40 40 00 50 ff 75 10 ff 15 3c 20 40 00 3b u.@@.P.u...< @.;
c3 74 0d 68 00 40 40 00 50 68 a0 2a 40 00 eb 31 .t.h.@@.Ph.*@..1
8b 45 f0 8d 44 30 01 50 ff 75 dc ff 75 0c ff 75 .E..D0.P.u..u..u
08 e8 33 fb ff ff ff 75 dc ff 15 38 20 40 00 89 ..3....u...8 @..
45 f8 3b c3 74 1b 68 00 40 40 00 50 68 88 2a 40 E.;.t.h.@@.Ph.*@
00 68 78 2c 40 00 ff 75 08 e8 12 fa ff ff 83 c4 .hx,@..u........
14 33 c0 66 89 04 75 00 40 40 00 8b 45 e0 ff 45 .3.f..u.@@..E..E
f4 53 53 89 45 f0 53 8d 45 f0 50 8d 04 75 02 40 .SS.E.S.E.P..u.@
40 00 50 ff 75 f4 ff 75 10 ff 15 34 20 40 00 89 @.P.u..u...4 @..
45 14 3b c7 0f 85 31 ff ff ff 39 5d ec 75 58 39 E.;...1...9].uX9
5d f4 75 53 83 fe 0d 73 11 6a 15 68 5c 2a 40 00 ].uS...s.j.h\*@.
ff 75 0c e8 5c fa ff ff eb 15 68 1a 40 40 00 68 .u..\.....h.@@.h
20 2a 40 00 ff 75 0c e8 f2 f9 ff ff 83 c4 0c 3b *@..u.........;
c3 75 24 ff 15 08 20 40 00 68 00 40 40 00 50 68 .u$... @.h.@@.Ph
48 2b 40 00 68 b0 29 40 00 ff 75 08 89 45 14 e8 H+@.h.)@..u..E..
7c f9 ff ff 83 c4 14 8b 45 14 5f 5e 5b c9 c2 10 |.......E._^[...
00 83 ec 2c 56 57 6a f4 bf a0 00 00 00 ff 15 24 ...,VWj........$
20 40 00 8b f0 89 74 24 08 83 fe ff 75 0d ff 15 @....t$....u...
08 20 40 00 8b f8 e9 0f 02 00 00 53 55 8d 44 24 . @........SU.D$
20 50 ff 15 20 20 40 00 50 e8 05 02 00 00 8b 2d P.. @.P......-
08 20 40 00 89 44 24 1c 85 c0 75 14 ff d5 8b f8 . @..D$...u.....
57 68 0c 37 40 00 bb d8 36 40 00 e9 b1 01 00 00 Wh.7@...6@......
83 7c 24 20 02 bb d8 36 40 00 74 12 68 40 36 40 .|$ ...6@.t.h@6@
00 56 e8 f9 f8 ff ff 59 59 e9 7d 01 00 00 6a f5 .V.....YY.}...j.
ff 15 24 20 40 00 89 44 24 14 83 f8 ff 75 0f ff ..$ @..D$....u..
d5 8b f8 57 68 24 36 40 00 e9 53 01 00 00 50 ff ...Wh$6@..S...P.
15 1c 20 40 00 85 c0 75 11 ff d5 8b f8 57 68 00 .. @...u.....Wh.
36 40 00 68 70 35 40 00 eb 45 8d 44 24 24 50 8d 6@.hp5@..E.D$$P.
44 24 2c 50 ff 15 4c 20 40 00 ff 74 24 24 ff 74 D$,P..L @..t$$.t
24 2c 68 38 35 40 00 56 e8 93 f8 ff ff 83 c4 10 $,h85@.V........
8d 44 24 18 50 8b 44 24 20 ff 70 04 ff 15 48 20 .D$.P.D$ .p...H
40 00 8b f8 85 ff 74 15 57 68 20 35 40 00 53 56 @.....t.Wh 5@.SV
e8 6b f8 ff ff 83 c4 10 e9 ce 00 00 00 8d 44 24 .k............D$
2c 50 ff 15 18 20 40 00 0f b7 44 24 3a 50 0f b7 ,P... @...D$:P..
44 24 3c 50 0f b7 44 24 3e 50 0f b7 44 24 40 50 D$<P..D$>P..D$@P
0f b7 44 24 3c 50 0f b7 44 24 46 50 0f b7 44 24 ..D$<P..D$FP..D$
46 50 68 68 2d 40 00 ff 74 24 34 e8 6e f8 ff ff FPhh-@..t$4.n...
83 c4 24 85 c0 75 12 ff d5 50 68 48 2b 40 00 53 ..$..u...PhH+@.S
56 e8 0a f8 ff ff 83 c4 10 6a 1a 59 6a 0c ff 74 V........j.Yj..t
24 1c bf 00 40 40 00 ff 74 24 1c be 4c 2d 40 00 $...@@..t$..L-@.
ff 74 24 1c f3 a4 e8 de f8 ff ff 6a 09 68 38 2d .t$........j.h8-
40 00 ff 74 24 1c e8 79 f8 ff ff 85 c0 75 15 ff @..t$..y.....u..
d5 50 68 48 2b 40 00 53 ff 74 24 1c e8 bf f7 ff .PhH+@.S.t$.....
ff 83 c4 10 ff 74 24 18 ff 15 44 20 40 00 8b f8 .....t$...D @...
85 ff 74 13 57 68 20 2d 40 00 53 ff 74 24 1c e8 ..t.Wh -@.S.t$..
9c f7 ff ff 83 c4 10 8b 74 24 10 ff 74 24 14 ff ........t$..t$..
15 14 20 40 00 85 c0 75 12 ff d5 50 68 08 2d 40 .. @...u...Ph.-@
00 53 56 e8 78 f7 ff ff 83 c4 10 ff 74 24 1c ff .SV.x.......t$..
15 10 20 40 00 85 c0 74 12 ff d5 50 68 f4 2c 40 .. @...t...Ph.,@
00 53 56 e8 58 f7 ff ff 83 c4 10 56 ff 15 14 20 .SV.X......V...
40 00 85 c0 75 12 ff d5 50 68 08 2d 40 00 53 56 @...u...Ph.-@.SV
e8 3b f7 ff ff 83 c4 10 5d 5b 57 ff 15 0c 20 40 .;......][W... @
00 5f 5e 55 8b ec 51 8b 45 08 53 56 33 f6 57 8b ._^U..Q.E.SV3.W.
f8 89 75 08 89 75 fc 39 75 0c 0f 84 6a 01 00 00 ..u..u.9u...j...
3b c6 0f 84 62 01 00 00 0f b7 08 66 3b ce 0f 84 ;...b......f;...
56 01 00 00 83 f9 20 74 0a 83 f9 09 74 05 33 db V..... t....t.3.
43 eb 02 33 db 39 75 08 75 2b 66 83 f9 20 74 06 C..3.9u.u+f.. t.
66 83 f9 09 75 1f 89 75 fc 83 c0 02 0f b7 08 83 f...u..u........
f9 20 74 f5 83 f9 09 74 f0 33 c9 66 39 30 0f 95 . t....t.3.f90..
c1 03 d9 eb 23 66 83 f9 5c 75 06 83 75 fc 01 eb ....#f..\u..u...
14 39 75 fc 75 0c 66 83 f9 22 75 06 83 75 08 01 .9u.u.f.."u..u..
eb 03 89 75 fc 83 c0 02 0f b7 08 66 3b ce 75 a5 ...u.......f;.u.
2b c7 83 c0 02 d1 f8 8d 44 58 02 03 c0 50 6a 40 +.......DX...Pj@
ff 15 2c 20 40 00 8b f0 33 d2 3b f2 0f 84 d0 00 .., @...3.;.....
00 00 8d 44 9e 04 33 db 89 06 89 55 08 89 5d fc ...D..3....U..].
83 7d 08 00 75 34 0f b7 0f 83 f9 20 74 05 83 f9 .}..u4..... t...
09 75 27 33 d2 33 c9 66 89 08 83 c7 02 0f b7 0f .u'3.3.f........
83 f9 20 74 f5 83 f9 09 74 f0 66 39 17 74 71 43 .. t....t.f9.tqC
8b c7 89 5d fc 89 3c 9e eb 5c 0f b7 0f 83 f9 5c ...]..<..\.....\
75 03 42 eb 48 83 f9 22 75 41 6a 02 8d 5a 01 d1 u.B.H.."uAj..Z..
eb 59 f7 db 03 f9 8d 04 58 f6 c2 01 74 0a 6a 22 .Y......X...t.j"
5a 66 89 10 03 c1 eb 1c 83 7d 08 00 74 12 66 83 Zf.......}..t.f.
3f 22 75 0c 6a 22 5a 66 89 10 03 c1 03 f9 eb 04 ?"u.j"Zf........
83 75 08 01 8b 5d fc 33 d2 eb 0b 33 d2 66 89 08 .u...].3...3.f..
83 c0 02 83 c7 02 66 83 3f 00 0f 85 60 ff ff ff ......f.?...`...
33 c9 43 66 89 08 21 0c 9e 8b 45 0c 89 18 39 4d 3.Cf..!...E...9M
08 74 0f 68 a0 00 00 00 eb 02 6a 57 ff 15 28 20 .t.h......jW..(
40 00 5f 8b c6 5e 5b c9 c2 08 00 00 00 00 00 00 @._..^[.........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
4c 38 00 00 5c 38 00 00 68 38 00 00 78 38 00 00 L8..\8..h8..x8..
86 38 00 00 92 38 00 00 a0 38 00 00 b0 38 00 00 .8...8...8...8..
c4 38 00 00 d6 38 00 00 e6 38 00 00 f6 38 00 00 .8...8...8...8..
00 00 00 00 12 39 00 00 1e 39 00 00 2c 39 00 00 .....9...9..,9..
38 39 00 00 46 39 00 00 54 39 00 00 62 39 00 00 89..F9..T9..b9..
00 00 00 00 7e 39 00 00 00 00 00 00 00 00 00 00 ....~9..........
51 00 57 00 4f 00 52 00 44 00 00 00 52 00 45 00 Q.W.O.R.D...R.E.
53 00 4f 00 55 00 52 00 43 00 45 00 5f 00 52 00 S.O.U.R.C.E._.R.
45 00 51 00 55 00 49 00 52 00 45 00 4d 00 45 00 E.Q.U.I.R.E.M.E.
4e 00 54 00 53 00 5f 00 4c 00 49 00 53 00 54 00 N.T.S._.L.I.S.T.
00 00 00 00 46 00 55 00 4c 00 4c 00 5f 00 52 00 ....F.U.L.L._.R.
45 00 53 00 4f 00 55 00 52 00 43 00 45 00 5f 00 E.S.O.U.R.C.E._.
44 00 45 00 53 00 43 00 52 00 49 00 50 00 54 00 D.E.S.C.R.I.P.T.
4f 00 52 00 00 00 00 00 52 00 45 00 53 00 4f 00 O.R.....R.E.S.O.
55 00 52 00 43 00 45 00 5f 00 4c 00 49 00 53 00 U.R.C.E._.L.I.S.
54 00 00 00 4d 00 55 00 4c 00 54 00 49 00 5f 00 T...M.U.L.T.I._.
53 00 5a 00 00 00 00 00 4c 00 49 00 4e 00 4b 00 S.Z.....L.I.N.K.
00 00 00 00 44 00 57 00 4f 00 52 00 44 00 5f 00 ....D.W.O.R.D._.
42 00 49 00 47 00 5f 00 45 00 4e 00 44 00 49 00 B.I.G._.E.N.D.I.
41 00 4e 00 00 00 00 00 44 00 57 00 4f 00 52 00 A.N.....D.W.O.R.
44 00 00 00 42 00 49 00 4e 00 41 00 52 00 59 00 D...B.I.N.A.R.Y.
00 00 00 00 45 00 58 00 50 00 41 00 4e 00 44 00 ....E.X.P.A.N.D.
5f 00 53 00 5a 00 00 00 53 00 5a 00 00 00 00 00 _.S.Z...S.Z.....
4e 00 4f 00 4e 00 45 00 00 00 00 00 00 00 00 00 N.O.N.E.........
2c 00 30 00 30 00 00 00 2c 00 30 00 31 00 00 00 ,.0.0...,.0.1...
2c 00 30 00 32 00 00 00 2c 00 30 00 33 00 00 00 ,.0.2...,.0.3...
2c 00 30 00 34 00 00 00 2c 00 30 00 35 00 00 00 ,.0.4...,.0.5...
2c 00 30 00 36 00 00 00 2c 00 30 00 37 00 00 00 ,.0.6...,.0.7...
2c 00 30 00 38 00 00 00 2c 00 30 00 39 00 00 00 ,.0.8...,.0.9...
2c 00 30 00 61 00 00 00 2c 00 30 00 62 00 00 00 ,.0.a...,.0.b...
2c 00 30 00 63 00 00 00 2c 00 30 00 64 00 00 00 ,.0.c...,.0.d...
2c 00 30 00 65 00 00 00 2c 00 30 00 66 00 00 00 ,.0.e...,.0.f...
2c 00 31 00 30 00 00 00 2c 00 31 00 31 00 00 00 ,.1.0...,.1.1...
2c 00 31 00 32 00 00 00 2c 00 31 00 33 00 00 00 ,.1.2...,.1.3...
2c 00 31 00 34 00 00 00 2c 00 31 00 35 00 00 00 ,.1.4...,.1.5...
2c 00 31 00 36 00 00 00 2c 00 31 00 37 00 00 00 ,.1.6...,.1.7...
2c 00 31 00 38 00 00 00 2c 00 31 00 39 00 00 00 ,.1.8...,.1.9...
2c 00 31 00 61 00 00 00 2c 00 31 00 62 00 00 00 ,.1.a...,.1.b...
2c 00 31 00 63 00 00 00 2c 00 31 00 64 00 00 00 ,.1.c...,.1.d...
2c 00 31 00 65 00 00 00 2c 00 31 00 66 00 00 00 ,.1.e...,.1.f...
2c 00 32 00 30 00 00 00 2c 00 32 00 31 00 00 00 ,.2.0...,.2.1...
2c 00 32 00 32 00 00 00 2c 00 32 00 33 00 00 00 ,.2.2...,.2.3...
2c 00 32 00 34 00 00 00 2c 00 32 00 35 00 00 00 ,.2.4...,.2.5...
2c 00 32 00 36 00 00 00 2c 00 32 00 37 00 00 00 ,.2.6...,.2.7...
2c 00 32 00 38 00 00 00 2c 00 32 00 39 00 00 00 ,.2.8...,.2.9...
2c 00 32 00 61 00 00 00 2c 00 32 00 62 00 00 00 ,.2.a...,.2.b...
2c 00 32 00 63 00 00 00 2c 00 32 00 64 00 00 00 ,.2.c...,.2.d...
2c 00 32 00 65 00 00 00 2c 00 32 00 66 00 00 00 ,.2.e...,.2.f...
2c 00 33 00 30 00 00 00 2c 00 33 00 31 00 00 00 ,.3.0...,.3.1...
2c 00 33 00 32 00 00 00 2c 00 33 00 33 00 00 00 ,.3.2...,.3.3...
2c 00 33 00 34 00 00 00 2c 00 33 00 35 00 00 00 ,.3.4...,.3.5...
2c 00 33 00 36 00 00 00 2c 00 33 00 37 00 00 00 ,.3.6...,.3.7...
2c 00 33 00 38 00 00 00 2c 00 33 00 39 00 00 00 ,.3.8...,.3.9...
2c 00 33 00 61 00 00 00 2c 00 33 00 62 00 00 00 ,.3.a...,.3.b...
2c 00 33 00 63 00 00 00 2c 00 33 00 64 00 00 00 ,.3.c...,.3.d...
2c 00 33 00 65 00 00 00 2c 00 33 00 66 00 00 00 ,.3.e...,.3.f...
2c 00 34 00 30 00 00 00 2c 00 34 00 31 00 00 00 ,.4.0...,.4.1...
2c 00 34 00 32 00 00 00 2c 00 34 00 33 00 00 00 ,.4.2...,.4.3...
2c 00 34 00 34 00 00 00 2c 00 34 00 35 00 00 00 ,.4.4...,.4.5...
2c 00 34 00 36 00 00 00 2c 00 34 00 37 00 00 00 ,.4.6...,.4.7...
2c 00 34 00 38 00 00 00 2c 00 34 00 39 00 00 00 ,.4.8...,.4.9...
2c 00 34 00 61 00 00 00 2c 00 34 00 62 00 00 00 ,.4.a...,.4.b...
2c 00 34 00 63 00 00 00 2c 00 34 00 64 00 00 00 ,.4.c...,.4.d...
2c 00 34 00 65 00 00 00 2c 00 34 00 66 00 00 00 ,.4.e...,.4.f...
2c 00 35 00 30 00 00 00 2c 00 35 00 31 00 00 00 ,.5.0...,.5.1...
2c 00 35 00 32 00 00 00 2c 00 35 00 33 00 00 00 ,.5.2...,.5.3...
2c 00 35 00 34 00 00 00 2c 00 35 00 35 00 00 00 ,.5.4...,.5.5...
2c 00 35 00 36 00 00 00 2c 00 35 00 37 00 00 00 ,.5.6...,.5.7...
2c 00 35 00 38 00 00 00 2c 00 35 00 39 00 00 00 ,.5.8...,.5.9...
2c 00 35 00 61 00 00 00 2c 00 35 00 62 00 00 00 ,.5.a...,.5.b...
2c 00 35 00 63 00 00 00 2c 00 35 00 64 00 00 00 ,.5.c...,.5.d...
2c 00 35 00 65 00 00 00 2c 00 35 00 66 00 00 00 ,.5.e...,.5.f...
2c 00 36 00 30 00 00 00 2c 00 36 00 31 00 00 00 ,.6.0...,.6.1...
2c 00 36 00 32 00 00 00 2c 00 36 00 33 00 00 00 ,.6.2...,.6.3...
2c 00 36 00 34 00 00 00 2c 00 36 00 35 00 00 00 ,.6.4...,.6.5...
2c 00 36 00 36 00 00 00 2c 00 36 00 37 00 00 00 ,.6.6...,.6.7...
2c 00 36 00 38 00 00 00 2c 00 36 00 39 00 00 00 ,.6.8...,.6.9...
2c 00 36 00 61 00 00 00 2c 00 36 00 62 00 00 00 ,.6.a...,.6.b...
2c 00 36 00 63 00 00 00 2c 00 36 00 64 00 00 00 ,.6.c...,.6.d...
2c 00 36 00 65 00 00 00 2c 00 36 00 66 00 00 00 ,.6.e...,.6.f...
2c 00 37 00 30 00 00 00 2c 00 37 00 31 00 00 00 ,.7.0...,.7.1...
2c 00 37 00 32 00 00 00 2c 00 37 00 33 00 00 00 ,.7.2...,.7.3...
2c 00 37 00 34 00 00 00 2c 00 37 00 35 00 00 00 ,.7.4...,.7.5...
2c 00 37 00 36 00 00 00 2c 00 37 00 37 00 00 00 ,.7.6...,.7.7...
2c 00 37 00 38 00 00 00 2c 00 37 00 39 00 00 00 ,.7.8...,.7.9...
2c 00 37 00 61 00 00 00 2c 00 37 00 62 00 00 00 ,.7.a...,.7.b...
2c 00 37 00 63 00 00 00 2c 00 37 00 64 00 00 00 ,.7.c...,.7.d...
2c 00 37 00 65 00 00 00 2c 00 37 00 66 00 00 00 ,.7.e...,.7.f...
2c 00 38 00 30 00 00 00 2c 00 38 00 31 00 00 00 ,.8.0...,.8.1...
2c 00 38 00 32 00 00 00 2c 00 38 00 33 00 00 00 ,.8.2...,.8.3...
2c 00 38 00 34 00 00 00 2c 00 38 00 35 00 00 00 ,.8.4...,.8.5...
2c 00 38 00 36 00 00 00 2c 00 38 00 37 00 00 00 ,.8.6...,.8.7...
2c 00 38 00 38 00 00 00 2c 00 38 00 39 00 00 00 ,.8.8...,.8.9...
2c 00 38 00 61 00 00 00 2c 00 38 00 62 00 00 00 ,.8.a...,.8.b...
2c 00 38 00 63 00 00 00 2c 00 38 00 64 00 00 00 ,.8.c...,.8.d...
2c 00 38 00 65 00 00 00 2c 00 38 00 66 00 00 00 ,.8.e...,.8.f...
2c 00 39 00 30 00 00 00 2c 00 39 00 31 00 00 00 ,.9.0...,.9.1...
2c 00 39 00 32 00 00 00 2c 00 39 00 33 00 00 00 ,.9.2...,.9.3...
2c 00 39 00 34 00 00 00 2c 00 39 00 35 00 00 00 ,.9.4...,.9.5...
2c 00 39 00 36 00 00 00 2c 00 39 00 37 00 00 00 ,.9.6...,.9.7...
2c 00 39 00 38 00 00 00 2c 00 39 00 39 00 00 00 ,.9.8...,.9.9...
2c 00 39 00 61 00 00 00 2c 00 39 00 62 00 00 00 ,.9.a...,.9.b...
2c 00 39 00 63 00 00 00 2c 00 39 00 64 00 00 00 ,.9.c...,.9.d...
2c 00 39 00 65 00 00 00 2c 00 39 00 66 00 00 00 ,.9.e...,.9.f...
2c 00 61 00 30 00 00 00 2c 00 61 00 31 00 00 00 ,.a.0...,.a.1...
2c 00 61 00 32 00 00 00 2c 00 61 00 33 00 00 00 ,.a.2...,.a.3...
2c 00 61 00 34 00 00 00 2c 00 61 00 35 00 00 00 ,.a.4...,.a.5...
2c 00 61 00 36 00 00 00 2c 00 61 00 37 00 00 00 ,.a.6...,.a.7...
2c 00 61 00 38 00 00 00 2c 00 61 00 39 00 00 00 ,.a.8...,.a.9...
2c 00 61 00 61 00 00 00 2c 00 61 00 62 00 00 00 ,.a.a...,.a.b...
2c 00 61 00 63 00 00 00 2c 00 61 00 64 00 00 00 ,.a.c...,.a.d...
2c 00 61 00 65 00 00 00 2c 00 61 00 66 00 00 00 ,.a.e...,.a.f...
2c 00 62 00 30 00 00 00 2c 00 62 00 31 00 00 00 ,.b.0...,.b.1...
2c 00 62 00 32 00 00 00 2c 00 62 00 33 00 00 00 ,.b.2...,.b.3...
2c 00 62 00 34 00 00 00 2c 00 62 00 35 00 00 00 ,.b.4...,.b.5...
2c 00 62 00 36 00 00 00 2c 00 62 00 37 00 00 00 ,.b.6...,.b.7...
2c 00 62 00 38 00 00 00 2c 00 62 00 39 00 00 00 ,.b.8...,.b.9...
2c 00 62 00 61 00 00 00 2c 00 62 00 62 00 00 00 ,.b.a...,.b.b...
2c 00 62 00 63 00 00 00 2c 00 62 00 64 00 00 00 ,.b.c...,.b.d...
2c 00 62 00 65 00 00 00 2c 00 62 00 66 00 00 00 ,.b.e...,.b.f...
2c 00 63 00 30 00 00 00 2c 00 63 00 31 00 00 00 ,.c.0...,.c.1...
2c 00 63 00 32 00 00 00 2c 00 63 00 33 00 00 00 ,.c.2...,.c.3...
2c 00 63 00 34 00 00 00 2c 00 63 00 35 00 00 00 ,.c.4...,.c.5...
2c 00 63 00 36 00 00 00 2c 00 63 00 37 00 00 00 ,.c.6...,.c.7...
2c 00 63 00 38 00 00 00 2c 00 63 00 39 00 00 00 ,.c.8...,.c.9...
2c 00 63 00 61 00 00 00 2c 00 63 00 62 00 00 00 ,.c.a...,.c.b...
2c 00 63 00 63 00 00 00 2c 00 63 00 64 00 00 00 ,.c.c...,.c.d...
2c 00 63 00 65 00 00 00 2c 00 63 00 66 00 00 00 ,.c.e...,.c.f...
2c 00 64 00 30 00 00 00 2c 00 64 00 31 00 00 00 ,.d.0...,.d.1...
2c 00 64 00 32 00 00 00 2c 00 64 00 33 00 00 00 ,.d.2...,.d.3...
2c 00 64 00 34 00 00 00 2c 00 64 00 35 00 00 00 ,.d.4...,.d.5...
2c 00 64 00 36 00 00 00 2c 00 64 00 37 00 00 00 ,.d.6...,.d.7...
2c 00 64 00 38 00 00 00 2c 00 64 00 39 00 00 00 ,.d.8...,.d.9...
2c 00 64 00 61 00 00 00 2c 00 64 00 62 00 00 00 ,.d.a...,.d.b...
2c 00 64 00 63 00 00 00 2c 00 64 00 64 00 00 00 ,.d.c...,.d.d...
2c 00 64 00 65 00 00 00 2c 00 64 00 66 00 00 00 ,.d.e...,.d.f...
2c 00 65 00 30 00 00 00 2c 00 65 00 31 00 00 00 ,.e.0...,.e.1...
2c 00 65 00 32 00 00 00 2c 00 65 00 33 00 00 00 ,.e.2...,.e.3...
2c 00 65 00 34 00 00 00 2c 00 65 00 35 00 00 00 ,.e.4...,.e.5...
2c 00 65 00 36 00 00 00 2c 00 65 00 37 00 00 00 ,.e.6...,.e.7...
2c 00 65 00 38 00 00 00 2c 00 65 00 39 00 00 00 ,.e.8...,.e.9...
2c 00 65 00 61 00 00 00 2c 00 65 00 62 00 00 00 ,.e.a...,.e.b...
2c 00 65 00 63 00 00 00 2c 00 65 00 64 00 00 00 ,.e.c...,.e.d...
2c 00 65 00 65 00 00 00 2c 00 65 00 66 00 00 00 ,.e.e...,.e.f...
2c 00 66 00 30 00 00 00 2c 00 66 00 31 00 00 00 ,.f.0...,.f.1...
2c 00 66 00 32 00 00 00 2c 00 66 00 33 00 00 00 ,.f.2...,.f.3...
2c 00 66 00 34 00 00 00 2c 00 66 00 35 00 00 00 ,.f.4...,.f.5...
2c 00 66 00 36 00 00 00 2c 00 66 00 37 00 00 00 ,.f.6...,.f.7...
2c 00 66 00 38 00 00 00 2c 00 66 00 39 00 00 00 ,.f.8...,.f.9...
2c 00 66 00 61 00 00 00 2c 00 66 00 62 00 00 00 ,.f.a...,.f.b...
2c 00 66 00 63 00 00 00 2c 00 66 00 64 00 00 00 ,.f.c...,.f.d...
2c 00 66 00 65 00 00 00 2c 00 66 00 66 00 00 00 ,.f.e...,.f.f...
70 21 40 00 68 21 40 00 54 21 40 00 44 21 40 00 p!@.h!@.T!@.D!@.
38 21 40 00 14 21 40 00 08 21 40 00 f4 20 40 00 8!@..!@..!@.. @.
d8 20 40 00 a4 20 40 00 6c 20 40 00 60 20 40 00 . @.. @.l @.` @.
25 00 6c 00 73 00 28 00 29 00 20 00 72 00 65 00 %.l.s.(.). .r.e.
74 00 75 00 72 00 6e 00 65 00 64 00 20 00 65 00 t.u.r.n.e.d. .e.
72 00 72 00 6f 00 72 00 20 00 25 00 6c 00 75 00 r.r.o.r. .%.l.u.
20 00 66 00 6f 00 72 00 20 00 65 00 6d 00 70 00 .f.o.r. .e.m.p.
74 00 79 00 20 00 72 00 65 00 67 00 69 00 73 00 t.y. .r.e.g.i.s.
74 00 72 00 79 00 20 00 6b 00 65 00 79 00 20 00 t.r.y. .k.e.y. .
27 00 25 00 6c 00 73 00 27 00 0a 00 00 00 00 00 '.%.l.s.'.......
48 00 4b 00 4f 00 2c 00 22 00 25 00 6c 00 73 00 H.K.O.,.".%.l.s.
22 00 2c 00 2c 00 25 00 25 00 52 00 45 00 47 00 ".,.,.%.%.R.E.G.
5f 00 4b 00 45 00 59 00 4f 00 4e 00 4c 00 59 00 _.K.E.Y.O.N.L.Y.
25 00 25 00 0d 00 0a 00 00 00 00 00 48 00 4b 00 %.%.........H.K.
4f 00 2c 00 2c 00 2c 00 25 00 52 00 45 00 47 00 O.,.,.,.%.R.E.G.
5f 00 4b 00 45 00 59 00 4f 00 4e 00 4c 00 59 00 _.K.E.Y.O.N.L.Y.
25 00 0d 00 0a 00 00 00 4f 00 52 00 43 00 6c 00 %.......O.R.C.l.
6f 00 73 00 65 00 4b 00 65 00 79 00 00 00 00 00 o.s.e.K.e.y.....
4f 00 52 00 4f 00 70 00 65 00 6e 00 4b 00 65 00 O.R.O.p.e.n.K.e.
79 00 00 00 4f 00 52 00 45 00 6e 00 75 00 6d 00 y...O.R.E.n.u.m.
4b 00 65 00 79 00 00 00 25 00 6c 00 73 00 28 00 K.e.y...%.l.s.(.
29 00 20 00 72 00 65 00 74 00 75 00 72 00 6e 00 ). .r.e.t.u.r.n.
65 00 64 00 20 00 65 00 72 00 72 00 6f 00 72 00 e.d. .e.r.r.o.r.
20 00 25 00 6c 00 75 00 20 00 66 00 6f 00 72 00 .%.l.u. .f.o.r.
20 00 76 00 61 00 6c 00 75 00 65 00 20 00 27 00 .v.a.l.u.e. .'.
25 00 6c 00 73 00 27 00 20 00 6f 00 66 00 20 00 %.l.s.'. .o.f. .
72 00 65 00 67 00 69 00 73 00 74 00 72 00 79 00 r.e.g.i.s.t.r.y.
20 00 6b 00 65 00 79 00 20 00 27 00 25 00 6c 00 .k.e.y. .'.%.l.
73 00 27 00 0a 00 00 00 57 00 72 00 69 00 74 00 s.'.....W.r.i.t.
65 00 46 00 69 00 6c 00 65 00 00 00 2c 00 22 00 e.F.i.l.e...,.".
22 00 0d 00 0a 00 00 00 2c 00 25 00 6c 00 75 00 ".......,.%.l.u.
20 00 3b 00 20 00 30 00 78 00 25 00 30 00 38 00 .;. .0.x.%.0.8.
6c 00 78 00 0d 00 0a 00 00 00 00 00 22 00 0d 00 l.x........."...
0a 00 00 00 0d 00 0a 00 00 00 00 00 22 00 00 00 ............"...
2c 00 22 00 00 00 00 00 3b 00 22 00 22 00 00 00 ,.".....;."."...
3b 00 0d 00 0a 00 00 00 2c 00 25 00 49 00 36 00 ;.......,.%.I.6.
34 00 75 00 20 00 3b 00 20 00 30 00 78 00 25 00 4.u. .;. .0.x.%.
30 00 31 00 36 00 49 00 36 00 34 00 78 00 0d 00 0.1.6.I.6.4.x...
0a 00 00 00 22 00 25 00 6c 00 73 00 22 00 2c 00 ....".%.l.s.".,.
30 00 78 00 25 00 30 00 38 00 6c 00 78 00 00 00 0.x.%.0.8.l.x...
2c 00 30 00 78 00 25 00 30 00 38 00 6c 00 78 00 ,.0.x.%.0.8.l.x.
00 00 00 00 22 00 25 00 6c 00 73 00 22 00 2c 00 ....".%.l.s.".,.
25 00 25 00 52 00 45 00 47 00 5f 00 25 00 6c 00 %.%.R.E.G._.%.l.
73 00 25 00 25 00 00 00 2c 00 25 00 25 00 52 00 s.%.%...,.%.%.R.
45 00 47 00 5f 00 25 00 6c 00 73 00 25 00 25 00 E.G._.%.l.s.%.%.
00 00 00 00 48 00 4b 00 4f 00 2c 00 22 00 25 00 ....H.K.O.,.".%.
6c 00 73 00 22 00 2c 00 00 00 00 00 48 00 4b 00 l.s.".,.....H.K.
4f 00 2c 00 2c 00 00 00 25 00 6c 00 73 00 28 00 O.,.,...%.l.s.(.
29 00 20 00 72 00 65 00 74 00 75 00 72 00 6e 00 ). .r.e.t.u.r.n.
65 00 64 00 20 00 65 00 72 00 72 00 6f 00 72 00 e.d. .e.r.r.o.r.
20 00 25 00 6c 00 75 00 20 00 66 00 6f 00 72 00 .%.l.u. .f.o.r.
20 00 72 00 65 00 67 00 69 00 73 00 74 00 72 00 .r.e.g.i.s.t.r.
79 00 20 00 6b 00 65 00 79 00 20 00 27 00 25 00 y. .k.e.y. .'.%.
6c 00 73 00 27 00 0a 00 00 00 00 00 4f 00 52 00 l.s.'.......O.R.
45 00 6e 00 75 00 6d 00 56 00 61 00 6c 00 75 00 E.n.u.m.V.a.l.u.
65 00 00 00 4c 00 6f 00 63 00 61 00 6c 00 46 00 e...L.o.c.a.l.F.
72 00 65 00 65 00 00 00 43 00 6c 00 6f 00 73 00 r.e.e...C.l.o.s.
65 00 48 00 61 00 6e 00 64 00 6c 00 65 00 00 00 e.H.a.n.d.l.e...
4f 00 52 00 43 00 6c 00 6f 00 73 00 65 00 48 00 O.R.C.l.o.s.e.H.
69 00 76 00 65 00 00 00 0d 00 0a 00 3b 00 20 00 i.v.e.......;. .
45 00 4f 00 46 00 0d 00 0a 00 00 00 48 00 4b 00 E.O.F.......H.K.
45 00 59 00 5f 00 4f 00 46 00 46 00 4c 00 49 00 E.Y._.O.F.F.L.I.
4e 00 45 00 00 00 00 00 ff fe 5b 00 56 00 65 00 N.E.......[.V.e.
72 00 73 00 69 00 6f 00 6e 00 5d 00 0d 00 0a 00 r.s.i.o.n.].....
44 00 72 00 69 00 76 00 65 00 72 00 56 00 65 00 D.r.i.v.e.r.V.e.
72 00 20 00 3d 00 20 00 25 00 30 00 32 00 68 00 r. .=. .%.0.2.h.
75 00 2f 00 25 00 30 00 32 00 68 00 75 00 2f 00 u./.%.0.2.h.u./.
25 00 30 00 34 00 68 00 75 00 2c 00 25 00 30 00 %.0.4.h.u.,.%.0.
32 00 68 00 75 00 2e 00 25 00 30 00 32 00 68 00 2.h.u...%.0.2.h.
75 00 2e 00 25 00 30 00 32 00 68 00 75 00 2e 00 u...%.0.2.h.u...
25 00 30 00 33 00 68 00 75 00 20 00 3b 00 20 00 %.0.3.h.u. .;. .
55 00 54 00 43 00 0d 00 0a 00 50 00 72 00 6f 00 U.T.C.....P.r.o.
76 00 69 00 64 00 65 00 72 00 20 00 20 00 3d 00 v.i.d.e.r. . .=.
20 00 22 00 53 00 74 00 65 00 66 00 61 00 6e 00 .".S.t.e.f.a.n.
20 00 4b 00 61 00 6e 00 74 00 68 00 61 00 6b 00 .K.a.n.t.h.a.k.
22 00 0d 00 0a 00 53 00 69 00 67 00 6e 00 61 00 ".....S.i.g.n.a.
74 00 75 00 72 00 65 00 20 00 3d 00 20 00 22 00 t.u.r.e. .=. .".
24 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 $.W.i.n.d.o.w.s.
20 00 4e 00 54 00 24 00 22 00 0d 00 0a 00 0d 00 .N.T.$.".......
0a 00 5b 00 53 00 74 00 72 00 69 00 6e 00 67 00 ..[.S.t.r.i.n.g.
73 00 5d 00 0d 00 0a 00 52 00 45 00 47 00 5f 00 s.].....R.E.G._.
53 00 5a 00 20 00 20 00 20 00 20 00 20 00 20 00 S.Z. . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 3d 00 20 00 30 00 78 00 30 00 . . .=. .0.x.0.
30 00 30 00 30 00 30 00 30 00 30 00 30 00 0d 00 0.0.0.0.0.0.0...
0a 00 52 00 45 00 47 00 5f 00 42 00 49 00 4e 00 ..R.E.G._.B.I.N.
41 00 52 00 59 00 20 00 20 00 20 00 20 00 20 00 A.R.Y. . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
3d 00 20 00 30 00 78 00 30 00 30 00 30 00 30 00 =. .0.x.0.0.0.0.
30 00 30 00 30 00 31 00 0d 00 0a 00 52 00 45 00 0.0.0.1.....R.E.
47 00 5f 00 4b 00 45 00 59 00 4f 00 4e 00 4c 00 G._.K.E.Y.O.N.L.
59 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 Y. . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 20 00 3d 00 20 00 30 00 . . . . .=. .0.
78 00 30 00 30 00 30 00 30 00 30 00 30 00 31 00 x.0.0.0.0.0.0.1.
30 00 0d 00 0a 00 52 00 45 00 47 00 5f 00 4d 00 0.....R.E.G._.M.
55 00 4c 00 54 00 49 00 5f 00 53 00 5a 00 20 00 U.L.T.I._.S.Z. .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 3d 00 20 00 30 00 78 00 30 00 30 00 . .=. .0.x.0.0.
30 00 31 00 30 00 30 00 30 00 30 00 0d 00 0a 00 0.1.0.0.0.0.....
52 00 45 00 47 00 5f 00 44 00 57 00 4f 00 52 00 R.E.G._.D.W.O.R.
44 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 D. . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 3d 00 . . . . . . .=.
20 00 30 00 78 00 30 00 30 00 30 00 31 00 30 00 .0.x.0.0.0.1.0.
30 00 30 00 31 00 0d 00 0a 00 52 00 45 00 47 00 0.0.1.....R.E.G.
5f 00 45 00 58 00 50 00 41 00 4e 00 44 00 5f 00 _.E.X.P.A.N.D._.
53 00 5a 00 20 00 20 00 20 00 20 00 20 00 20 00 S.Z. . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 3d 00 20 00 30 00 78 00 . . . .=. .0.x.
30 00 30 00 30 00 32 00 30 00 30 00 30 00 30 00 0.0.0.2.0.0.0.0.
0d 00 0a 00 52 00 45 00 47 00 5f 00 4e 00 4f 00 ....R.E.G._.N.O.
4e 00 45 00 20 00 20 00 20 00 20 00 20 00 20 00 N.E. . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 3d 00 20 00 30 00 78 00 30 00 30 00 30 00 .=. .0.x.0.0.0.
32 00 30 00 30 00 30 00 31 00 0d 00 0a 00 52 00 2.0.0.0.1.....R.
45 00 47 00 5f 00 43 00 4f 00 4d 00 50 00 41 00 E.G._.C.O.M.P.A.
54 00 49 00 42 00 4c 00 45 00 20 00 20 00 20 00 T.I.B.L.E. . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 3d 00 20 00 . . . . . .=. .
30 00 78 00 30 00 30 00 30 00 33 00 30 00 30 00 0.x.0.0.0.3.0.0.
30 00 31 00 20 00 3b 00 20 00 73 00 61 00 6d 00 0.1. .;. .s.a.m.
65 00 20 00 61 00 73 00 20 00 52 00 45 00 47 00 e. .a.s. .R.E.G.
5f 00 42 00 49 00 4e 00 41 00 52 00 59 00 0d 00 _.B.I.N.A.R.Y...
0a 00 52 00 45 00 47 00 5f 00 44 00 57 00 4f 00 ..R.E.G._.D.W.O.
52 00 44 00 5f 00 4c 00 49 00 54 00 54 00 4c 00 R.D._.L.I.T.T.L.
45 00 5f 00 45 00 4e 00 44 00 49 00 41 00 4e 00 E._.E.N.D.I.A.N.
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
3d 00 20 00 30 00 78 00 30 00 30 00 30 00 34 00 =. .0.x.0.0.0.4.
30 00 30 00 30 00 31 00 20 00 3b 00 20 00 73 00 0.0.0.1. .;. .s.
61 00 6d 00 65 00 20 00 61 00 73 00 20 00 52 00 a.m.e. .a.s. .R.
45 00 47 00 5f 00 44 00 57 00 4f 00 52 00 44 00 E.G._.D.W.O.R.D.
0d 00 0a 00 52 00 45 00 47 00 5f 00 44 00 57 00 ....R.E.G._.D.W.
4f 00 52 00 44 00 5f 00 42 00 49 00 47 00 5f 00 O.R.D._.B.I.G._.
45 00 4e 00 44 00 49 00 41 00 4e 00 20 00 20 00 E.N.D.I.A.N. . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 3d 00 20 00 30 00 78 00 30 00 30 00 30 00 .=. .0.x.0.0.0.
35 00 30 00 30 00 30 00 31 00 0d 00 0a 00 52 00 5.0.0.0.1.....R.
45 00 47 00 5f 00 4c 00 49 00 4e 00 4b 00 20 00 E.G._.L.I.N.K. .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 3d 00 20 00 . . . . . .=. .
30 00 78 00 30 00 30 00 30 00 36 00 30 00 30 00 0.x.0.0.0.6.0.0.
30 00 30 00 0d 00 0a 00 52 00 45 00 47 00 5f 00 0.0.....R.E.G._.
52 00 45 00 53 00 4f 00 55 00 52 00 43 00 45 00 R.E.S.O.U.R.C.E.
5f 00 4c 00 49 00 53 00 54 00 20 00 20 00 20 00 _.L.I.S.T. . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 3d 00 20 00 30 00 78 00 30 00 . . .=. .0.x.0.
30 00 30 00 38 00 30 00 30 00 30 00 31 00 0d 00 0.0.8.0.0.0.1...
0a 00 52 00 45 00 47 00 5f 00 46 00 55 00 4c 00 ..R.E.G._.F.U.L.
4c 00 5f 00 52 00 45 00 53 00 4f 00 55 00 52 00 L._.R.E.S.O.U.R.
43 00 45 00 5f 00 44 00 45 00 53 00 43 00 52 00 C.E._.D.E.S.C.R.
49 00 50 00 54 00 4f 00 52 00 20 00 20 00 20 00 I.P.T.O.R. . . .
3d 00 20 00 30 00 78 00 30 00 30 00 30 00 39 00 =. .0.x.0.0.0.9.
30 00 30 00 30 00 31 00 0d 00 0a 00 52 00 45 00 0.0.0.1.....R.E.
47 00 5f 00 52 00 45 00 53 00 4f 00 55 00 52 00 G._.R.E.S.O.U.R.
43 00 45 00 5f 00 52 00 45 00 51 00 55 00 49 00 C.E._.R.E.Q.U.I.
52 00 45 00 4d 00 45 00 4e 00 54 00 53 00 5f 00 R.E.M.E.N.T.S._.
4c 00 49 00 53 00 54 00 20 00 3d 00 20 00 30 00 L.I.S.T. .=. .0.
78 00 30 00 30 00 30 00 61 00 30 00 30 00 30 00 x.0.0.0.a.0.0.0.
31 00 0d 00 0a 00 52 00 45 00 47 00 5f 00 51 00 1.....R.E.G._.Q.
57 00 4f 00 52 00 44 00 20 00 20 00 20 00 20 00 W.O.R.D. . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
20 00 20 00 3d 00 20 00 30 00 78 00 30 00 30 00 . .=. .0.x.0.0.
30 00 62 00 30 00 30 00 30 00 31 00 0d 00 0a 00 0.b.0.0.0.1.....
52 00 45 00 47 00 5f 00 51 00 57 00 4f 00 52 00 R.E.G._.Q.W.O.R.
44 00 5f 00 4c 00 49 00 54 00 54 00 4c 00 45 00 D._.L.I.T.T.L.E.
5f 00 45 00 4e 00 44 00 49 00 41 00 4e 00 20 00 _.E.N.D.I.A.N. .
20 00 20 00 20 00 20 00 20 00 20 00 20 00 3d 00 . . . . . . .=.
20 00 30 00 78 00 30 00 30 00 30 00 62 00 30 00 .0.x.0.0.0.b.0.
30 00 30 00 31 00 20 00 3b 00 20 00 73 00 61 00 0.0.1. .;. .s.a.
6d 00 65 00 20 00 61 00 73 00 20 00 52 00 45 00 m.e. .a.s. .R.E.
47 00 5f 00 51 00 57 00 4f 00 52 00 44 00 0d 00 G._.Q.W.O.R.D...
0a 00 0d 00 0a 00 5b 00 44 00 65 00 66 00 61 00 ......[.D.e.f.a.
75 00 6c 00 74 00 49 00 6e 00 73 00 74 00 61 00 u.l.t.I.n.s.t.a.
6c 00 6c 00 2e 00 4e 00 54 00 5d 00 0d 00 0a 00 l.l...N.T.].....
3b 00 41 00 64 00 64 00 52 00 65 00 67 00 20 00 ;.A.d.d.R.e.g. .
3d 00 20 00 41 00 64 00 64 00 52 00 65 00 67 00 =. .A.d.d.R.e.g.
2e 00 48 00 4b 00 4f 00 0d 00 0a 00 0d 00 0a 00 ..H.K.O.........
5b 00 41 00 64 00 64 00 52 00 65 00 67 00 2e 00 [.A.d.d.R.e.g...
48 00 4b 00 4f 00 5d 00 0d 00 0a 00 00 00 00 00 H.K.O.].........
4f 00 52 00 4f 00 70 00 65 00 6e 00 48 00 69 00 O.R.O.p.e.n.H.i.
76 00 65 00 00 00 00 00 4f 00 46 00 46 00 52 00 v.e.....O.F.F.R.
45 00 47 00 2e 00 44 00 4c 00 4c 00 20 00 76 00 E.G...D.L.L. .v.
65 00 72 00 73 00 69 00 6f 00 6e 00 20 00 25 00 e.r.s.i.o.n. .%.
6c 00 75 00 2e 00 25 00 6c 00 75 00 0a 00 00 00 l.u...%.l.u.....
25 00 6c 00 73 00 28 00 29 00 20 00 72 00 65 00 %.l.s.(.). .r.e.
74 00 75 00 72 00 6e 00 65 00 64 00 20 00 65 00 t.u.r.n.e.d. .e.
72 00 72 00 6f 00 72 00 20 00 25 00 6c 00 75 00 r.r.o.r. .%.l.u.
3a 00 20 00 73 00 74 00 61 00 6e 00 64 00 61 00 :. .s.t.a.n.d.a.
72 00 64 00 20 00 6f 00 75 00 74 00 70 00 75 00 r.d. .o.u.t.p.u.
74 00 20 00 69 00 73 00 20 00 6e 00 6f 00 74 00 t. .i.s. .n.o.t.
20 00 72 00 65 00 64 00 69 00 72 00 65 00 63 00 .r.e.d.i.r.e.c.
74 00 65 00 64 00 20 00 74 00 6f 00 20 00 61 00 t.e.d. .t.o. .a.
20 00 66 00 69 00 6c 00 65 00 21 00 0a 00 00 00 .f.i.l.e.!.....
46 00 6c 00 75 00 73 00 68 00 46 00 69 00 6c 00 F.l.u.s.h.F.i.l.
65 00 42 00 75 00 66 00 66 00 65 00 72 00 73 00 e.B.u.f.f.e.r.s.
00 00 00 00 47 00 65 00 74 00 53 00 74 00 64 00 ....G.e.t.S.t.d.
48 00 61 00 6e 00 64 00 6c 00 65 00 00 00 00 00 H.a.n.d.l.e.....
4e 00 6f 00 20 00 61 00 72 00 67 00 75 00 6d 00 N.o. .a.r.g.u.m.
65 00 6e 00 74 00 3a 00 20 00 61 00 20 00 73 00 e.n.t.:. .a. .s.
69 00 6e 00 67 00 6c 00 65 00 20 00 66 00 69 00 i.n.g.l.e. .f.i.
6c 00 65 00 20 00 6f 00 72 00 20 00 70 00 61 00 l.e. .o.r. .p.a.
74 00 68 00 20 00 6e 00 61 00 6d 00 65 00 20 00 t.h. .n.a.m.e. .
6f 00 66 00 20 00 61 00 20 00 72 00 65 00 67 00 o.f. .a. .r.e.g.
69 00 73 00 74 00 72 00 79 00 20 00 68 00 69 00 i.s.t.r.y. .h.i.
76 00 65 00 20 00 6d 00 75 00 73 00 74 00 20 00 v.e. .m.u.s.t. .
62 00 65 00 20 00 67 00 69 00 76 00 65 00 6e 00 b.e. .g.i.v.e.n.
21 00 0a 00 00 00 00 00 25 00 6c 00 73 00 28 00 !.......%.l.s.(.
29 00 20 00 72 00 65 00 74 00 75 00 72 00 6e 00 ). .r.e.t.u.r.n.
65 00 64 00 20 00 65 00 72 00 72 00 6f 00 72 00 e.d. .e.r.r.o.r.
20 00 25 00 6c 00 75 00 0a 00 00 00 43 00 6f 00 .%.l.u.....C.o.
6d 00 6d 00 61 00 6e 00 64 00 4c 00 69 00 6e 00 m.m.a.n.d.L.i.n.
65 00 54 00 6f 00 41 00 72 00 67 00 76 00 00 00 e.T.o.A.r.g.v...
b9 79 37 9e 00 00 00 00 68 00 00 00 45 54 41 44 .y7.....h...ETAD
10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 ................
00 00 00 00 30 37 40 00 00 00 00 00 00 00 00 00 ....07@.........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
f0 37 00 00 00 00 00 00 00 00 00 00 04 39 00 00 .7...........9..
00 20 00 00 24 38 00 00 00 00 00 00 00 00 00 00 . ..$8..........
72 39 00 00 34 20 00 00 44 38 00 00 00 00 00 00 r9..4 ..D8......
00 00 00 00 8c 39 00 00 54 20 00 00 00 00 00 00 .....9..T ......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
4c 38 00 00 5c 38 00 00 68 38 00 00 78 38 00 00 L8..\8..h8..x8..
86 38 00 00 92 38 00 00 a0 38 00 00 b0 38 00 00 .8...8...8...8..
c4 38 00 00 d6 38 00 00 e6 38 00 00 f6 38 00 00 .8...8...8...8..
00 00 00 00 12 39 00 00 1e 39 00 00 2c 39 00 00 .....9...9..,9..
38 39 00 00 46 39 00 00 54 39 00 00 62 39 00 00 89..F9..T9..b9..
00 00 00 00 7e 39 00 00 00 00 00 00 24 05 57 72 ....~9......$.Wr
69 74 65 43 6f 6e 73 6f 6c 65 57 00 25 05 57 72 iteConsoleW.%.Wr
69 74 65 46 69 6c 65 00 02 02 47 65 74 4c 61 73 iteFile...GetLas
74 45 72 72 6f 72 00 00 19 01 45 78 69 74 50 72 tError....ExitPr
6f 63 65 73 73 00 48 03 4c 6f 63 61 6c 46 72 65 ocess.H.LocalFre
65 00 52 00 43 6c 6f 73 65 48 61 6e 64 6c 65 00 e.R.CloseHandle.
77 02 47 65 74 53 79 73 74 65 6d 54 69 6d 65 00 w.GetSystemTime.
57 01 46 6c 75 73 68 46 69 6c 65 42 75 66 66 65 W.FlushFileBuffe
72 73 00 00 87 01 47 65 74 43 6f 6d 6d 61 6e 64 rs....GetCommand
4c 69 6e 65 57 00 64 02 47 65 74 53 74 64 48 61 LineW.d.GetStdHa
6e 64 6c 65 00 00 73 04 53 65 74 4c 61 73 74 45 ndle..s.SetLastE
72 72 6f 72 00 00 44 03 4c 6f 63 61 6c 41 6c 6c rror..D.LocalAll
6f 63 00 00 4b 45 52 4e 45 4c 33 32 2e 64 6c 6c oc..KERNEL32.dll
00 00 06 00 4f 52 45 6e 75 6d 4b 65 79 00 01 00 ....OREnumKey...
4f 52 43 6c 6f 73 65 4b 65 79 00 00 0d 00 4f 52 ORCloseKey....OR
4f 70 65 6e 4b 65 79 00 07 00 4f 52 45 6e 75 6d OpenKey...OREnum
56 61 6c 75 65 00 00 00 4f 52 43 6c 6f 73 65 48 Value...ORCloseH
69 76 65 00 0c 00 4f 52 4f 70 65 6e 48 69 76 65 ive...OROpenHive
00 00 0a 00 4f 52 47 65 74 56 65 72 73 69 6f 6e ....ORGetVersion
00 00 4f 46 46 52 45 47 2e 64 6c 6c 00 00 35 03 ..OFFREG.dll..5.
77 76 73 70 72 69 6e 74 66 57 00 00 55 53 45 52 wvsprintfW..USER
33 32 2e 64 6c 6c 00 00 00 00 00 00 00 00 00 00 32.dll..........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Decode the dump file OFFREG.TXT
created in
step 3. to recreate the console application
Offline Registry Reader:
CERTUTIL.EXE /DecodeHex /V OFFREG.TXT OFFREG.COM
Input Length = 43520 Output Length = 10240 CertUtil: -decodehex command completed successfully.
HKCC
,
HKCR
,
HKCU
,
HKLM
,
HKLS
,
HKPD
,
HKU
) and print them as an
.inf
file in
UTF-16LE
encoding on standard output (which must be redirected to a file or piped into an application that reads from
standard input, like Clip, Find or More).
Note: to dump the entire Registry
specify the branches HKLM
and HKU
.
REGISTRY.COM { HKCC | HKEY_CURRENT_CONFIG | HKCR | HKEY_CLASSES_ROOT | HKCU | HKEY_CURRENT_USER | HKDD | HKEY_DYN_DATA | HKLM | HKEY_LOCAL_MACHINE | HKLS | HKEY_CURRENT_USER_LOCAL_SETTINGS | HKPD | HKEY_PERFORMANCE_DATA | HKU | HKEY_USERS } … >‹output file name›
REGISTRY.COM { HKCC | HKEY_CURRENT_CONFIG | HKCR | HKEY_CLASSES_ROOT | HKCU | HKEY_CURRENT_USER | HKDD | HKEY_DYN_DATA | HKLM | HKEY_LOCAL_MACHINE | HKLS | HKEY_CURRENT_USER_LOCAL_SETTINGS | HKPD | HKEY_PERFORMANCE_DATA | HKU | HKEY_USERS } … | MORE.COM
Note: when run under a user account which has the privilege
SeBackupPrivilege
assigned, the
Registry INF Dumper
enables it to enumerate all registry keys below the
specified branch(es).
Note: when run under a user account which has the
privilege SeSecurityPrivilege
assigned, the
Registry INF Dumper
enables it to include the
system access control list
in the optionally printed
security descriptors.
HKCC
branch of the
registry to the file HKCC.inf
and display it
afterwards:
VER .\REGISTRY.COM HKCC 1>HKCC.inf NET.EXE HelpMsg %ERRORLEVEL% TYPE HKCC.infNet services commands Ver
Microsoft Windows [Version 6.1.7601] The operation completed successfully. ; Registry of 'AMNESIAC' [Version] DriverVer = 04/27/2022,08.15.00.815 ; UTC Provider = "Stefan Kanthak" Signature = "$Windows NT$" [Strings] REG_SZ = 0x00000000 REG_BINARY = 0x00000001 REG_KEYONLY = 0x00000010 REG_MULTI_SZ = 0x00010000 REG_DWORD = 0x00010001 REG_EXPAND_SZ = 0x00020000 REG_NONE = 0x00020001 REG_COMPATIBLE = 0x00030001 ; same as REG_BINARY REG_DWORD_LITTLE_ENDIAN = 0x00040001 ; same as REG_DWORD REG_DWORD_BIG_ENDIAN = 0x00050001 REG_LINK = 0x00060000 REG_RESOURCE_LIST = 0x00080001 REG_FULL_RESOURCE_DESCRIPTOR = 0x00090001 REG_RESOURCE_REQUIREMENTS_LIST = 0x000a0001 REG_QWORD = 0x000b0001 REG_QWORD_LITTLE_ENDIAN = 0x000b0001 ; same as REG_QWORD [DefaultInstall.NT] ;AddReg = AddReg.HKU,AddReg.HKLM;AddReg.HKCU,AddReg.HKCR [AddReg.HKCC] HKCC,"Software\Fonts","LogPixels",%REG_DWORD%,96 ; 0x00000060 HKCC,"System\CurrentControlSet\Control\Print\Printers",,%REG_KEYONLY%; HKCC,"System\CurrentControlSet\Control\VIDEO",,%REG_KEYONLY%; HKCC,"System\CurrentControlSet\Enum\IDE\DISKFUJITSU_MHZ2320BJ_G2____________________0000001E\5&2223391E&0&0.0.0","CSConfigFlags",%REG_DWORD%,0 ; 0x00000000 HKCC,"System\CurrentControlSet\Enum\USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\4E0B595B&0","CSConfigFlags",%REG_DWORD%,0 ; 0x00000000 HKCC,"System\CurrentControlSet\SERVICES\TSDDD\DEVICE0","Attach.ToDesktop",%REG_DWORD%,1 ; 0x00000001 HKCC,"System\CurrentControlSet\SERVICES\VGASAVE\DEVICE0","Attach.ToDesktop",%REG_DWORD%,1 ; 0x00000001 HKCC,"System\CurrentControlSet\SERVICES\VGASAVE\DEVICE0","DefaultSettings.BitsPerPel",%REG_DWORD%,32 ; 0x00000020 HKCC,"System\CurrentControlSet\SERVICES\VGASAVE\DEVICE0","DefaultSettings.XResolution",%REG_DWORD%,1920 ; 0x00000780 HKCC,"System\CurrentControlSet\SERVICES\VGASAVE\DEVICE0","DefaultSettings.YResolution",%REG_DWORD%,1200 ; 0x000004b0 HKCC,"System\CurrentControlSet\SERVICES\VGASAVE\DEVICE0","DefaultSettings.VRefresh",%REG_DWORD%,1 ; 0x00000001 
HKCC,"System\CurrentControlSet\SERVICES\VGASAVE\DEVICE0","DefaultSettings.Flags",%REG_DWORD%,0 ; 0x00000000 HKCC,"System\CurrentControlSet\SERVICES\VGASAVE\DEVICE0","DefaultSettings.XPanning",%REG_DWORD%,0 ; 0x00000000 HKCC,"System\CurrentControlSet\SERVICES\VGASAVE\DEVICE0","DefaultSettings.YPanning",%REG_DWORD%,0 ; 0x00000000 HKCC,"System\CurrentControlSet\SERVICES\VGASAVE\DEVICE0","DefaultSettings.Orientation",%REG_DWORD%,0 ; 0x00000000 HKCC,"System\CurrentControlSet\SERVICES\VGASAVE\DEVICE0","DefaultSettings.FixedOutput",%REG_DWORD%,0 ; 0x00000000 HKCC,"System\CurrentControlSet\SERVICES\VGASAVE\DEVICE0","Attach.RelativeX",%REG_DWORD%,0 ; 0x00000000 HKCC,"System\CurrentControlSet\SERVICES\VGASAVE\DEVICE0","Attach.RelativeY",%REG_DWORD%,0 ; 0x00000000 ; EOF
big form with embedded application manifest, version information, icon plus time-stamped digital signature, and REGISTRY.COM, a
small form without these extras.
Note: due to the design and implementation of
Windows’ (classic alias legacy) console, the
Win32 function
WriteConsole()
can only write to a console, not to a file nor a pipe, i.e.
redirection of standard error
is not supported!
The MSDN article Console Handles provides background information.
Create the text file REGISTRY.C
with the following
content in an arbitrary, preferably empty directory:
// Copyright © 2004-2023, Stefan Kanthak <stefan.kanthak@nexgo.de>
// * The software is provided "as is" without any warranty, neither express
// nor implied.
// * In no event will the author be held liable for any damage(s) arising
// from the use of the software.
// * Redistribution of the software is allowed only in unmodified form.
// * Permission is granted to use the software solely for personal private
// and non-commercial purposes.
// * An individuals use of the software in his or her capacity or function
// as an agent, (independent) contractor, employee, member or officer of
// a business, corporation or organization (commercial or non-commercial)
// does not qualify as personal private and non-commercial purpose.
// * Without written approval from the author the software must not be used
// for a business, for commercial, corporate, governmental, military or
// organizational purposes of any kind, or in a commercial, corporate,
// governmental, military or organizational environment of any kind.
#define _CRT_SECURE_NO_WARNINGS
#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <shellapi.h>
#include <sddl.h>
// Route the copy routines to compiler intrinsics; the page states that these
// programs build without the MSVCRT runtime library.
#define memcpy __movsb
#define wmemcpy __movsw
// Sizing constants for the static buffers below. 512 levels, 255 characters
// per key name and 16383 characters per value name correspond to the
// documented registry element size limits.
#define MAX_DEPTH 512UL
#define MAX_KEY_LENGTH 255UL
#define MAX_VALUE_NAME 16383UL
// Capacity of cbData (1 MiB). NOTE(review): value data in current hive formats
// can be larger; how an oversized value is reported is outside this excerpt.
#define MAX_VALUE_DATA 1048576UL
// Low parts of the privilege LUIDs, hard-coded here instead of being resolved
// with LookupPrivilegeValue(). Registry() also uses them as bit positions in
// its qwPrivileges argument (1ULL << SE_..._PRIVILEGE).
#define SE_SECURITY_PRIVILEGE 8UL // "SeSecurityPrivilege"
#define SE_BACKUP_PRIVILEGE 17UL // "SeBackupPrivilege"
// One-entry privilege set marking SeBackupPrivilege as enabled; presumably
// handed to AdjustTokenPrivileges() by code outside this excerpt. A privilege
// can only be enabled when it is already assigned to the account.
// Security note: with the backup bit set, Registry() opens keys with
// REG_OPTION_BACKUP_RESTORE, so the dump can contain keys the account could not
// read through their DACLs. Treat the output file as sensitive, and keep the
// set of accounts holding this privilege small.
const TOKEN_PRIVILEGES tpBackup = {1, {SE_BACKUP_PRIVILEGE, 0, SE_PRIVILEGE_ENABLED}};
#ifdef SECURITY
// Same, for SeSecurityPrivilege; Registry() requests ACCESS_SYSTEM_SECURITY
// and the SACL only when this privilege bit is set.
const TOKEN_PRIVILEGES tpSecurity = {1, {SE_SECURITY_PRIVILEGE, 0, SE_PRIVILEGE_ENABLED}};
#endif
typedef unsigned long long QWORD, *LPQWORD;
// Static scratch buffers, shared by the whole program rather than allocated.
// cbData: value data; in SECURITY builds Registry() also stores the key's
// security descriptor here.
BYTE cbData[MAX_VALUE_DATA];
// szKey: path of the key being processed; Registry() derives lpKey and lpSubKey
// as offsets into it. Sized for MAX_DEPTH components of MAX_KEY_LENGTH + 1
// characters each.
WCHAR szKey[(MAX_KEY_LENGTH + 1) * MAX_DEPTH];
// szValue: one value name plus terminator.
WCHAR szValue[MAX_VALUE_NAME + 1];
// Formats a printf-style message and writes it to a console handle.
//
// hConsole  handle passed to WriteConsole(); per the page text it must be a
//           real console, because WriteConsole() cannot write to a file or pipe
// lpFormat  wvsprintf() format string; keep it a literal and pass registry
//           names and other external text only as arguments
// Returns TRUE only when something was formatted and every character of it
// was written.
//
// Security note: __declspec(safebuffers) turns off the compiler's /GS stack
// buffer check for this function, so the only protection for the stack buffer
// is wvsprintf()'s documented 1,024 limit on its output buffer. Longer
// messages (for example a deep key path passed as %ls) are cut off, not
// overflowed.
__declspec(safebuffers)
BOOL PrintConsole(HANDLE hConsole, [SA_FormatString(Style="printf")] LPCWSTR lpFormat, ...)
{
    WCHAR szText[1024];
    DWORD cchText;
    DWORD cchDone;
    va_list vaArgs;

    va_start(vaArgs, lpFormat);
    cchText = wvsprintf(szText, lpFormat, vaArgs);
    va_end(vaArgs);

    // An empty result is reported as failure.
    if (cchText == 0)
        return FALSE;

    // Success requires both the call to succeed and a complete write.
    return WriteConsole(hConsole, szText, cchText, &cchDone, NULL)
        && cchDone == cchText;
}
// Formats a printf-style string and writes it to hFile as raw UTF-16 code
// units, repeating WriteFile() until every byte has been accepted.
//
// hFile     handle passed to WriteFile() (no OVERLAPPED structure is supplied)
// lpFormat  wvsprintf() format string; keep it a literal and pass registry
//           names and data only as arguments
// Returns FALSE when nothing was formatted or a write fails, TRUE otherwise.
//
// Security note: __declspec(safebuffers) turns off the compiler's /GS stack
// buffer check here, so the stack buffer relies on wvsprintf()'s documented
// 1,024 limit on its output buffer.
// NOTE(review): that limit also means a line longer than the buffer is written
// truncated and without an error. Registry() passes key paths from szKey as
// %ls arguments, which can exceed this size; confirm whether truncated INF
// lines are acceptable to consumers of the output.
__declspec(safebuffers)
BOOL PrintFormat(HANDLE hFile, [SA_FormatString(Style="printf")] LPCWSTR lpFormat, ...)
{
    WCHAR szText[1024];
    LPBYTE lpNext = (LPBYTE) szText;
    DWORD cbLeft;
    DWORD cbDone;
    va_list vaArgs;

    va_start(vaArgs, lpFormat);
    cbLeft = wvsprintf(szText, lpFormat, vaArgs);
    va_end(vaArgs);

    if (cbLeft == 0)
        return FALSE;

    // Character count -> byte count, since WriteFile() works in bytes.
    cbLeft *= sizeof(*szText);

    // cbLeft is non-zero here, so at least one write is always attempted.
    while (cbLeft > 0)
    {
        if (!WriteFile(hFile, lpNext, cbLeft, &cbDone, (LPOVERLAPPED) NULL))
            return FALSE;

        // Continue after whatever part of the buffer was accepted.
        lpNext += cbDone;
        cbLeft -= cbDone;
    }

    return TRUE;
}
// PrintString() writes a wide string literal without its terminator. The
// length comes from sizeof, so LITERAL must be a literal or an array; with a
// pointer the computed length would be wrong.
#define PrintString(HANDLE, LITERAL) PrintDirect(HANDLE, LITERAL, sizeof(LITERAL) / sizeof(*LITERAL) - 1UL)
// Writes dwString UTF-16 code units from lpString to hFile unformatted,
// repeating WriteFile() until every byte has been accepted.
//
// Unlike PrintFormat() this path uses no intermediate buffer, so it is not
// subject to a length limit; the text is written exactly as given.
// Returns FALSE as soon as a write fails, TRUE once everything is written.
__inline
BOOL WINAPI PrintDirect(HANDLE hFile, LPCWSTR lpString, DWORD dwString)
{
    const BYTE *lpNext = (const BYTE *) lpString;
    DWORD cbLeft = dwString * sizeof(*lpString);
    DWORD cbDone;

    // WriteFile() is called at least once, even for an empty string.
    for (;;)
    {
        if (!WriteFile(hFile, lpNext, cbLeft, &cbDone, (LPOVERLAPPED) NULL))
            return FALSE;

        lpNext += cbDone;
        cbLeft -= cbDone;

        if (cbLeft == 0)
            return TRUE;
    }
}
// Finds the first character in lpString that is special in the .inf output:
// a double quote (delimits quoted strings) or a percent sign (delimits
// %name% substitutions, as in the %REG_DWORD% tokens the tool prints).
//
// lpString  NUL-terminated string; must not be NULL
// Returns a pointer to that character, or NULL when the terminator is reached
// first. The function only locates the character; the caller is responsible
// for emitting it in escaped form.
__inline
LPCWSTR WINAPI InfEscape(LPCWSTR lpString)
{
    LPCWSTR lpScan;

    for (lpScan = lpString;; lpScan++)
    {
        switch (*lpScan)
        {
        case L'"':
        case L'%':
            return lpScan;

        case L'\0':
            return NULL;
        }
    }
}
// Lookup table of 256 pre-formatted fragments: a comma, two lowercase hex
// digits and a terminator. Entry n holds the text for value n, so indexing by
// an unsigned byte stays within the table. Left out of builds that define
// TINY. Its use is outside this excerpt; presumably it formats binary value
// data as a comma-separated hex list.
#ifndef TINY
const WCHAR szBytes[256][4] = {L",00", L",01", L",02", L",03", L",04", L",05", L",06", L",07", L",08", L",09", L",0a", L",0b", L",0c", L",0d", L",0e", L",0f",
L",10", L",11", L",12", L",13", L",14", L",15", L",16", L",17", L",18", L",19", L",1a", L",1b", L",1c", L",1d", L",1e", L",1f",
L",20", L",21", L",22", L",23", L",24", L",25", L",26", L",27", L",28", L",29", L",2a", L",2b", L",2c", L",2d", L",2e", L",2f",
L",30", L",31", L",32", L",33", L",34", L",35", L",36", L",37", L",38", L",39", L",3a", L",3b", L",3c", L",3d", L",3e", L",3f",
L",40", L",41", L",42", L",43", L",44", L",45", L",46", L",47", L",48", L",49", L",4a", L",4b", L",4c", L",4d", L",4e", L",4f",
L",50", L",51", L",52", L",53", L",54", L",55", L",56", L",57", L",58", L",59", L",5a", L",5b", L",5c", L",5d", L",5e", L",5f",
L",60", L",61", L",62", L",63", L",64", L",65", L",66", L",67", L",68", L",69", L",6a", L",6b", L",6c", L",6d", L",6e", L",6f",
L",70", L",71", L",72", L",73", L",74", L",75", L",76", L",77", L",78", L",79", L",7a", L",7b", L",7c", L",7d", L",7e", L",7f",
L",80", L",81", L",82", L",83", L",84", L",85", L",86", L",87", L",88", L",89", L",8a", L",8b", L",8c", L",8d", L",8e", L",8f",
L",90", L",91", L",92", L",93", L",94", L",95", L",96", L",97", L",98", L",99", L",9a", L",9b", L",9c", L",9d", L",9e", L",9f",
L",a0", L",a1", L",a2", L",a3", L",a4", L",a5", L",a6", L",a7", L",a8", L",a9", L",aa", L",ab", L",ac", L",ad", L",ae", L",af",
L",b0", L",b1", L",b2", L",b3", L",b4", L",b5", L",b6", L",b7", L",b8", L",b9", L",ba", L",bb", L",bc", L",bd", L",be", L",bf",
L",c0", L",c1", L",c2", L",c3", L",c4", L",c5", L",c6", L",c7", L",c8", L",c9", L",ca", L",cb", L",cc", L",cd", L",ce", L",cf",
L",d0", L",d1", L",d2", L",d3", L",d4", L",d5", L",d6", L",d7", L",d8", L",d9", L",da", L",db", L",dc", L",dd", L",de", L",df",
L",e0", L",e1", L",e2", L",e3", L",e4", L",e5", L",e6", L",e7", L",e8", L",e9", L",ea", L",eb", L",ec", L",ed", L",ee", L",ef",
L",f0", L",f1", L",f2", L",f3", L",f4", L",f5", L",f6", L",f7", L",f8", L",f9", L",fa", L",fb", L",fc", L",fd", L",fe", L",ff"};
#endif
// Short names of the predefined registry roots as printed in the .inf output.
// Registry() indexes this table with (DWORD) hkHKEY ^ (DWORD) HKEY_CLASSES_ROOT,
// so the order must follow the numeric order of the predefined handles.
// NOTE(review): no range check on that index is visible in Registry(); callers
// must pass only these eight predefined roots.
const LPCWSTR szHKey[8] = {L"HKCR",
L"HKCU",
L"HKLM",
L"HKU",
L"HKPD",
L"HKCC",
L"HKDD",
L"HKLS"};
// Long names of the same roots, in the same order.
const LPCWSTR szHKEY[8] = {L"HKEY_CLASSES_ROOT",
L"HKEY_CURRENT_USER",
L"HKEY_LOCAL_MACHINE",
L"HKEY_USERS",
L"HKEY_PERFORMANCE_DATA",
L"HKEY_CURRENT_CONFIG",
L"HKEY_DYN_DATA",
L"HKEY_CURRENT_USER_LOCAL_SETTINGS"};
// Character count of each long name plus one (sizeof of the narrow literal
// includes its terminator). Registry() uses the value as a WCHAR offset into
// szKey to reach the subkey path; presumably the extra one skips the separator
// after the root name, to be confirmed against the code that fills szKey.
const DWORD dwHKEY[8] = {sizeof("HKEY_CLASSES_ROOT"),
sizeof("HKEY_CURRENT_USER"),
sizeof("HKEY_LOCAL_MACHINE"),
sizeof("HKEY_USERS"),
sizeof("HKEY_PERFORMANCE_DATA"),
sizeof("HKEY_CURRENT_CONFIG"),
sizeof("HKEY_DYN_DATA"),
sizeof("HKEY_CURRENT_USER_LOCAL_SETTINGS")};
// Names of the registry value types; the order matches the REG_* type codes
// 0 (REG_NONE) through 11 (REG_QWORD). The code that uses this table is
// outside this excerpt.
// NOTE(review): a value's type is an arbitrary DWORD stored in the hive and
// can lie outside 0..11; confirm that the consumer range-checks it before
// indexing this 12-entry table.
const LPCWSTR szType[12] = {L"NONE",
L"SZ",
L"EXPAND_SZ",
L"BINARY",
L"DWORD", // alias DWORD_LITTLE_ENDIAN
L"DWORD_BIG_ENDIAN",
L"LINK",
L"MULTI_SZ",
L"RESOURCE_LIST",
L"FULL_RESOURCE_DESCRIPTOR",
L"RESOURCE_REQUIREMENTS_LIST",
L"QWORD"}; // alias QWORD_LITTLE_ENDIAN
DWORD WINAPI Registry(HANDLE hConsole, HANDLE hOutput, QWORD qwPrivileges, HKEY hkHKEY, DWORD dwKey)
{
HKEY hkKey;
BOOL bOutput;
DWORD dwError;
DWORD dwIndex = (DWORD) hkHKEY ^ (DWORD) HKEY_CLASSES_ROOT;
DWORD dwSubKeys, dwSubKey;
DWORD dwValues, dwValue, dwType, dwData, dwBytes;
#ifdef SANITY
DWORD dwCount, dwChars;
LPCWSTR lpCount;
#endif
LPCWSTR lpHKey = szHKey[dwIndex];
LPCWSTR lpKey = dwKey < dwHKEY[dwIndex] ? NULL : szKey + dwHKEY[dwIndex];
LPCWSTR lpSubKey = szKey + dwKey + 1;
LPCWSTR lpData, lpEscape, lpLast, lpMulti;
dwError = RegOpenKeyEx(hkHKEY,
lpKey,
qwPrivileges & (1ULL << SE_BACKUP_PRIVILEGE) ? REG_OPTION_BACKUP_RESTORE | REG_OPTION_OPEN_LINK : REG_OPTION_OPEN_LINK,
#ifdef SECURITY
qwPrivileges & (1ULL << SE_SECURITY_PRIVILEGE) ? ACCESS_SYSTEM_SECURITY | KEY_READ | KEY_WOW64_64KEY : KEY_READ | KEY_WOW64_64KEY,
#else
KEY_READ | KEY_WOW64_64KEY,
#endif
&hkKey);
if (dwError != ERROR_SUCCESS)
PrintConsole(hConsole,
L"RegOpenKeyEx() returned error %lu for registry key \'%ls\'\n",
dwError, szKey);
else
{
#ifdef SECURITY
dwData = sizeof(cbData);
dwError = RegGetKeySecurity(hkHKEY,
qwPrivileges & (1ULL << SE_SECURITY_PRIVILEGE) ? OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION | LABEL_SECURITY_INFORMATION : OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | LABEL_SECURITY_INFORMATION,
cbData,
&dwData);
if (dwError != ERROR_SUCCESS)
PrintConsole(hConsole,
L"RegGetKeySecurity() returned error %lu for registry key \'%ls\'\n",
dwError, szKey);
else
if (!ConvertSecurityDescriptorToStringSecurityDescriptor(cbData,
SDDL_REVISION_1,
OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION | LABEL_SECURITY_INFORMATION,
&lpData,
(LPDWORD) NULL))
PrintConsole(hConsole,
L"ConvertSecurityDescriptorToStringSecurityDescriptor() returned error %lu for registry key \'%ls\'\n",
dwError = GetLastError(), szKey);
else
{
if (lpKey == NULL)
bOutput = PrintFormat(hOutput,
L"%ls,,,%%REG_KEYONLY%%\r\n",
lpHKey);
else
bOutput = PrintFormat(hOutput,
L"%ls,\"%ls\",,%%REG_KEYONLY%%\r\n",
lpHKey, lpKey);
bOutput &= PrintString(hOutput, L"; ");
bOutput &= PrintDirect(hOutput, lpData, wcslen(lpData));
bOutput &=