├── LICENSE ├── OllyDbg ├── Plugins │ ├── APIFinder.dll │ ├── APIFinder.ini │ ├── Asm2Clipboard.dll │ ├── BOOKMARK.DLL │ ├── BorlandMapImporter.dll │ ├── CmdBar.dll │ ├── CmdBar.ini │ ├── CmdBar_PEdiy_Fixed.dll │ ├── Cmdline.dll │ ├── DBGHELP.DLL │ ├── DataRipper.dll │ ├── DataRipper_Readme.txt │ ├── DebugActiveProcessStop.dll │ ├── DiffSnake.dll │ ├── EXP │ │ ├── AdvAPI32_ExPression.exp │ │ ├── CRYPTBASE_ExPression.exp │ │ ├── ComCtl32_ExPression.exp │ │ ├── ComDlg32_ExPression.exp │ │ ├── Crypt32_ExPression.exp │ │ ├── DbgHelp_ExPression.exp │ │ ├── Gdi32_ExPression.exp │ │ ├── GdiPlus_ExPression.exp │ │ ├── Htmlhelp_ExPression.exp │ │ ├── IPHlpApi_ExPression.exp │ │ ├── ImageHlp_ExPression.exp │ │ ├── KERNELBASE_ExPression.exp │ │ ├── Make ExP Files │ │ │ ├── GetAPInameFromInc.exe │ │ │ ├── go-version OR go version │ │ │ ├── lib2inc.exe │ │ │ └── version.inc │ │ ├── MsWSock_ExPression.exp │ │ ├── Ollydbg110_ExPression.exp │ │ ├── SHLWAPI_ExPression.exp │ │ ├── Secur32_ExPression.exp │ │ ├── ShFolder_ExPression.exp │ │ ├── Thunk32_ExPression.exp │ │ ├── Urlmon_ExPression.exp │ │ ├── Version_ExPression.exp │ │ ├── WS2_32_ExPression.exp │ │ ├── WSock32_ExPression.exp │ │ ├── WinInet_ExPression.exp │ │ ├── httpapi_ExPression.exp │ │ ├── ida64_wll_ExPression.exp │ │ ├── ida_wll_ExPression.exp │ │ ├── kernel32_ExPression.exp │ │ ├── mscoreei_ExPression.exp │ │ ├── msvbvm60_ExPression.exp │ │ ├── msvcrt_ExPression.exp │ │ ├── ntdll_ExPression.exp │ │ ├── ntoskrnl_ExPression.exp │ │ ├── ollydbg_ExPression.exp │ │ ├── shell32_ExPression.exp │ │ ├── user32_ExPression.exp │ │ ├── winhttp_ExPression.exp │ │ ├── x32_bridge_ExPression.exp │ │ └── x32_dbg_ExPression.exp │ ├── FindWindow_and_Time.dll │ ├── GODUP.dll │ ├── HideDebugger.dll │ ├── HideDebugger.ini │ ├── HideOD.dll │ ├── HookLibraryx86.dll │ ├── Invalid_HandleException.dll │ ├── Invisible.dll │ ├── IsDebug.dll │ ├── Jumper.ini │ ├── Jumper2.DLL │ ├── LabelArgsOlly2.dll │ ├── Labeler.def │ ├── Labeler.dll │ ├── 
Labeler.ini │ ├── Labelmaster.dll │ ├── MD5Sniffer.dll │ ├── NonaWrite.dll │ ├── NtApiCollection.ini │ ├── OD2ExPlug.DLL │ ├── OD2ExPlug.ini │ ├── ODbgScript.dll │ ├── Ollight.dll │ ├── OllyDump.dll │ ├── OllyDumpEx_Od20.dll │ ├── OllyGraph.old │ ├── OllyMSDN.dll │ ├── OllyMoreMenu_1.5.dll │ ├── OllyPlgn.dll │ ├── OllyScript.dll │ ├── OllySnake.dll │ ├── OllySpelunk.dll │ ├── OllyStepNSearch.dll │ ├── OllyTraceGraph.dll │ ├── PSAPI.DLL │ ├── ParentProcess.dll │ ├── PuntosMagicos.dll │ ├── Push0x86Trace.dll │ ├── SICETricks.dll │ ├── SIDT.dll │ ├── ScyllaHideOlly2.dll │ ├── Traceapi.dll │ ├── TurboDebug.dll │ ├── UnhExcFlt.DLL │ ├── UnhandledExceptionFilter.dll │ ├── WatchMan.dll │ ├── advancedolly.dll │ ├── analyzethis.dll │ ├── antiAnti.dll │ ├── attachanyway.dll │ ├── cfg.ini │ ├── coderipper.dll │ ├── coderipper_readme.txt │ ├── dumpsig.exe │ ├── extracopy.dll │ ├── file_id.diz │ ├── findcrypt.dll │ ├── hashsniffer.dll │ ├── multiasm │ │ ├── 1.asm │ │ └── tabs.ini │ ├── multiasm_odbg2.dll │ ├── olly_bp_man.dll │ ├── olly_hardware_breakpoint.dll │ ├── olly_polymorphic_breakpoint.dll │ ├── ollyadvanced.chm │ ├── ollygraph.dll │ ├── ollyvbhelper.dll │ ├── qwingraph.exe │ ├── scylla_hide.ini │ ├── sleeppReadme.txt │ ├── snd.nfo │ ├── stayontop.dll │ ├── ustrref.dll │ ├── windowjuggler.dll │ └── xADT_ap0x.dll └── Theme │ └── ollydbg.ini ├── README.md ├── Target ├── Fishing │ ├── Sample1.exe │ └── Sample2.exe ├── Keygen │ ├── KeyGen1.exe │ └── KeyGen2.exe ├── Patching │ ├── Crack Me1.exe │ ├── Crack Me2.exe │ ├── Crack Me3.exe │ └── Crack Me4.exe └── exploitation │ ├── HeapOverflow │ ├── bin │ │ ├── win-heap-overflow-1.exe │ │ ├── win-heap-overflow-2.exe │ │ └── win-heap-overflow-3.exe │ ├── win-heap-overflow-1.c │ ├── win-heap-overflow-2.c │ └── win-heap-overflow-3.c │ └── StackOverflow │ ├── bin │ └── stack-overflow-1.exe │ └── stack-overflow-1.c └── resources └── images └── logo.png /LICENSE: 
-------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2021 xiosec 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/APIFinder.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/APIFinder.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/APIFinder.ini: -------------------------------------------------------------------------------- 1 | [dll] 2 | user32.dll 3 | kernel32.dll 4 | shell32.dll 5 | version.dll 6 | ntdll.dll 7 | [end] 8 | [last function] 9 | MessageBoxA 10 | [end] 11 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/Asm2Clipboard.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/Asm2Clipboard.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/BOOKMARK.DLL: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/BOOKMARK.DLL -------------------------------------------------------------------------------- /OllyDbg/Plugins/BorlandMapImporter.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/BorlandMapImporter.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/CmdBar.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/CmdBar.dll 
-------------------------------------------------------------------------------- /OllyDbg/Plugins/CmdBar.ini: -------------------------------------------------------------------------------- 1 | [Option] 2 | Show Command Bar Window=1 3 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/CmdBar_PEdiy_Fixed.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/CmdBar_PEdiy_Fixed.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/Cmdline.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/Cmdline.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/DBGHELP.DLL: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/DBGHELP.DLL -------------------------------------------------------------------------------- /OllyDbg/Plugins/DataRipper.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/DataRipper.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/DataRipper_Readme.txt: -------------------------------------------------------------------------------- 1 | Ollydbg plugin - Data Ripper 1.21 2 | 3 | 26th February 2006 - 1.21 release 4 | 5 | 1) fixed window handle bug 6 | 7 | 28th January 2006 - 1.2 release 8 | 9 | 1) Improved handling of Ollydbg close when Data Ripper is open. 
10 | 2) Compatibility with Ollydbg Shadow 11 | 3) Data Ripper dialog stays on top (option) 12 | 13 | 14 | 17th January 2006 - 1.1 release 15 | 16 | 1) "Data Ripper" menu added to disassembler window. Code bytes can now be ripped as data. 17 | 2) Added option to override the warning to save file. 18 | 3) Added option to rip data immediately when Data Ripper is launched using previous settings. 19 | 4) Added "Apply" function to Settings dialog. 20 | 5) Handled issue with multiple plugin instances. 21 | 22 | 23 | 24 | 10th January 2006 - first release 25 | 26 | Data Ripper is an easy way to rip any kind of data from an app being debugged using Ollydbg. The ripped data can be formatted and "declared" in the syntax of the popular programming languages MASM, C/C++ and Delphi. 27 | 28 | Data Ripper is useful whenever you need to rip data, tables etc out of an app so the data can be used in another compiled program. 29 | 30 | 31 | NOTES 32 | 33 | 1) To install, copy DataRipper.dll to the Ollydbg plugin directory 34 | 35 | 2) Data Ripper maintains settings between debugging sessions in the Ollydbg.ini file. Temporary data is stored in a file DataRipper.tmp. 36 | 37 | 3) Data Ripper can rip data up to the Windows size limit. 38 | 39 | 40 | 41 | HELP 42 | 43 | Basic Use 44 | 45 | 1) Highlight the data to be ripped in any memory window of Ollydbg. 46 | 47 | 2) Right click and select "Data Ripper" in the Ollydbg popup window 48 | 49 | 3) The Data Ripper dialog will pop up with an empty file "untitled" 50 | 51 | 4) Select the "Settings" dialog and check that the "Language", "Format" and other settings are ok. You can specify 52 | 53 | Language : ASM, C/C++, Delphi, Comma Separated Values CSV or Data String. 54 | "Declare" : indicates whether the programming language declaration information header 55 | and trailer are required 56 | Format : select bytes, words or dwords. 
Note if the number of data bytes selected in Ollydbg 57 | does not correspond exactly with the word or dword format setting, trailing bytes 58 | are set to zero. 59 | Hex : if set, output is in hexadecimal, otherwise decimal 60 | Items/Line: how many bytes, words, dwords per line (Max 255) 61 | Indent : spaces indented on each line (max 255) 62 | 63 | 5) Press "Rip Data" and the app data will be ripped and formatted into a Data Ripper file. 64 | 65 | 6) Data Ripper provides basic "richedit" editing functions. After any editing, merging with other files etc is done, save the ripped data file. 66 | 67 | 7) If you want to change the language, format, items/line etc, open up the "Settings" dialog, "Save" the new settings and press "Rip Data" again. Data Ripper will ask you if you want to save the file that is already there before the reformatted data is displayed. 68 | 69 | 8) Close Data Ripper. 70 | 71 | 72 | Report any problems to http://www.sndforum.da.ru 73 | 74 | Ziggy 75 | January 2006 76 | 77 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/DebugActiveProcessStop.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/DebugActiveProcessStop.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/DiffSnake.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/DiffSnake.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/EXP/CRYPTBASE_ExPression.exp: -------------------------------------------------------------------------------- 1 | [ExPression] 2 | 0= 3 | [ExPressionType] 4 | Type=1 5 | 
-------------------------------------------------------------------------------- /OllyDbg/Plugins/EXP/ComCtl32_ExPression.exp: -------------------------------------------------------------------------------- 1 | [ExPression] 2 | 0= 3 | 1=AddMRUStringW 4 | 2=CreateMRUListW 5 | 3=CreateMappedBitmap 6 | 4=CreatePropertySheetPageA 7 | 5=CreatePropertySheetPage 8 | 6=CreatePropertySheetPageW 9 | 7=CreateStatusWindowA 10 | 8=CreateStatusWindow 11 | 9=CreateStatusWindowW 12 | 10=CreateToolbar 13 | 11=CreateToolbarEx 14 | 12=CreateUpDownControl 15 | 13=DPA_Clone 16 | 14=DPA_Create 17 | 15=DPA_CreateEx 18 | 16=DPA_DeleteAllPtrs 19 | 17=DPA_DeletePtr 20 | 18=DPA_Destroy 21 | 19=DPA_DestroyCallback 22 | 20=DPA_EnumCallback 23 | 21=DPA_GetPtr 24 | 22=DPA_GetPtrIndex 25 | 23=DPA_GetSize 26 | 24=DPA_Grow 27 | 25=DPA_InsertPtr 28 | 26=DPA_LoadStream 29 | 27=DPA_Merge 30 | 28=DPA_SaveStream 31 | 29=DPA_Search 32 | 30=DPA_SetPtr 33 | 31=DPA_Sort 34 | 32=DSA_Clone 35 | 33=DSA_Create 36 | 34=DSA_DeleteAllItems 37 | 35=DSA_DeleteItem 38 | 36=DSA_Destroy 39 | 37=DSA_DestroyCallback 40 | 38=DSA_EnumCallback 41 | 39=DSA_GetItem 42 | 40=DSA_GetItemPtr 43 | 41=DSA_GetSize 44 | 42=DSA_InsertItem 45 | 43=DSA_SetItem 46 | 44=DSA_Sort 47 | 45=DefSubclassProc 48 | 46=DestroyPropertySheetPage 49 | 47=DrawInsert 50 | 48=DrawShadowText 51 | 49=DrawStatusTextA 52 | 50=DrawStatusText 53 | 51=DrawStatusTextW 54 | 52=EnumMRUListW 55 | 53=FlatSB_EnableScrollBar 56 | 54=FlatSB_GetScrollInfo 57 | 55=FlatSB_GetScrollPos 58 | 56=FlatSB_GetScrollProp 59 | 57=FlatSB_GetScrollRange 60 | 58=FlatSB_SetScrollInfo 61 | 59=FlatSB_SetScrollPos 62 | 60=FlatSB_SetScrollProp 63 | 61=FlatSB_SetScrollRange 64 | 62=FlatSB_ShowScrollBar 65 | 63=FreeMRUList 66 | 64=GetEffectiveClientRect 67 | 65=GetMUILanguage 68 | 66=GetWindowSubclass 69 | 67=HIMAGELIST_QueryInterface 70 | 68=ImageList_Add 71 | 69=ImageList_AddIcon 72 | 70=ImageList_AddMasked 73 | 71=ImageList_BeginDrag 74 | 72=ImageList_CoCreateInstance 75 | 
73=ImageList_Copy 76 | 74=ImageList_Create 77 | 75=ImageList_Destroy 78 | 76=ImageList_DragEnter 79 | 77=ImageList_DragLeave 80 | 78=ImageList_DragMove 81 | 79=ImageList_DragShowNolock 82 | 80=ImageList_Draw 83 | 81=ImageList_DrawEx 84 | 82=ImageList_DrawIndirect 85 | 83=ImageList_Duplicate 86 | 84=ImageList_EndDrag 87 | 85=ImageList_GetBkColor 88 | 86=ImageList_GetDragImage 89 | 87=ImageList_GetIcon 90 | 88=ImageList_GetIconSize 91 | 89=ImageList_GetImageCount 92 | 90=ImageList_GetImageInfo 93 | 91=ImageList_GetImageRect 94 | 92=ImageList_LoadImageA 95 | 93=ImageList_LoadImage 96 | 94=ImageList_LoadImageW 97 | 95=ImageList_Merge 98 | 96=ImageList_Read 99 | 97=ImageList_ReadEx 100 | 98=ImageList_Remove 101 | 99=ImageList_Replace 102 | 100=ImageList_ReplaceIcon 103 | 101=ImageList_SetBkColor 104 | 102=ImageList_SetDragCursorImage 105 | 103=ImageList_SetFilter 106 | 104=ImageList_SetIconSize 107 | 105=ImageList_SetImageCount 108 | 106=ImageList_SetOverlayImage 109 | 107=ImageList_Write 110 | 108=ImageList_WriteEx 111 | 109=InitCommonControls 112 | 110=InitCommonControlsEx 113 | 111=InitMUILanguage 114 | 112=InitializeFlatSB 115 | 113=LBItemFromPt 116 | 114=LoadIconMetric 117 | 115=LoadIconWithScaleDown 118 | 116=MakeDragList 119 | 117=MenuHelp 120 | 118=PropertySheetA 121 | 119=PropertySheet 122 | 120=PropertySheetW 123 | 121=RemoveWindowSubclass 124 | 122=SetWindowSubclass 125 | 123=ShowHideMenuCtl 126 | 124=Str_SetPtrW 127 | 125= 3 | 1=ChooseColorA 4 | 2=ChooseColor 5 | 3=ChooseColorW 6 | 4=ChooseFontA 7 | 5=ChooseFont 8 | 6=ChooseFontW 9 | 7=CommDlgExtendedError 10 | 8=FindTextA 11 | 9=FindText 12 | 10=FindTextW 13 | 11=GetFileTitleA 14 | 12=GetFileTitle 15 | 13=GetFileTitleW 16 | 14=GetOpenFileNameA 17 | 15=GetOpenFileName 18 | 16=GetOpenFileNameW 19 | 17=GetSaveFileNameA 20 | 18=GetSaveFileName 21 | 19=GetSaveFileNameW 22 | 20=PageSetupDlgA 23 | 21=PageSetupDlg 24 | 22=PageSetupDlgW 25 | 23=PrintDlgA 26 | 24=PrintDlg 27 | 25=PrintDlgExA 28 | 26=PrintDlgEx 29 | 
27=PrintDlgExW 30 | 28=PrintDlgW 31 | 29=ReplaceTextA 32 | 30=ReplaceText 33 | 31=ReplaceTextW 34 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/EXP/Crypt32_ExPression.exp: -------------------------------------------------------------------------------- 1 | [ExPression] 2 | 0= 3 | 1=CertAddCRLContextToStore 4 | 2=CertAddCRLLinkToStore 5 | 3=CertAddCTLContextToStore 6 | 4=CertAddCTLLinkToStore 7 | 5=CertAddCertificateContextToStore 8 | 6=CertAddCertificateLinkToStore 9 | 7=CertAddEncodedCRLToStore 10 | 8=CertAddEncodedCTLToStore 11 | 9=CertAddEncodedCertificateToStore 12 | 10=CertAddEncodedCertificateToSystemStoreA 13 | 11=CertAddEncodedCertificateToSystemStore 14 | 12=CertAddEncodedCertificateToSystemStoreW 15 | 13=CertAddEnhancedKeyUsageIdentifier 16 | 14=CertAddRefServerOcspResponse 17 | 15=CertAddRefServerOcspResponseContext 18 | 16=CertAddSerializedElementToStore 19 | 17=CertAddStoreToCollection 20 | 18=CertAlgIdToOID 21 | 19=CertCloseServerOcspResponse 22 | 20=CertCloseStore 23 | 21=CertCompareCertificate 24 | 22=CertCompareCertificateName 25 | 23=CertCompareIntegerBlob 26 | 24=CertComparePublicKeyInfo 27 | 25=CertControlStore 28 | 26=CertCreateCRLContext 29 | 27=CertCreateCTLContext 30 | 28=CertCreateCTLEntryFromCertificateContextProperties 31 | 29=CertCreateCertificateChainEngine 32 | 30=CertCreateCertificateContext 33 | 31=CertCreateContext 34 | 32=CertCreateSelfSignCertificate 35 | 33=CertDeleteCRLFromStore 36 | 34=CertDeleteCTLFromStore 37 | 35=CertDeleteCertificateFromStore 38 | 36=CertDuplicateCRLContext 39 | 37=CertDuplicateCTLContext 40 | 38=CertDuplicateCertificateChain 41 | 39=CertDuplicateCertificateContext 42 | 40=CertDuplicateStore 43 | 41=CertEnumCRLContextProperties 44 | 42=CertEnumCRLsInStore 45 | 43=CertEnumCTLContextProperties 46 | 44=CertEnumCTLsInStore 47 | 45=CertEnumCertificateContextProperties 48 | 46=CertEnumCertificatesInStore 49 | 47=CertEnumPhysicalStore 50 | 
48=CertEnumSubjectInSortedCTL 51 | 49=CertEnumSystemStore 52 | 50=CertEnumSystemStoreLocation 53 | 51=CertFindAttribute 54 | 52=CertFindCRLInStore 55 | 53=CertFindCTLInStore 56 | 54=CertFindCertificateInCRL 57 | 55=CertFindCertificateInStore 58 | 56=CertFindChainInStore 59 | 57=CertFindExtension 60 | 58=CertFindRDNAttr 61 | 59=CertFindSubjectInCTL 62 | 60=CertFindSubjectInSortedCTL 63 | 61=CertFreeCRLContext 64 | 62=CertFreeCTLContext 65 | 63=CertFreeCertificateChain 66 | 64=CertFreeCertificateChainEngine 67 | 65=CertFreeCertificateChainList 68 | 66=CertFreeCertificateContext 69 | 67=CertFreeServerOcspResponseContext 70 | 68=CertGetCRLContextProperty 71 | 69=CertGetCRLFromStore 72 | 70=CertGetCTLContextProperty 73 | 71=CertGetCertificateChain 74 | 72=CertGetCertificateContextProperty 75 | 73=CertGetEnhancedKeyUsage 76 | 74=CertGetIntendedKeyUsage 77 | 75=CertGetIssuerCertificateFromStore 78 | 76=CertGetNameStringA 79 | 77=CertGetNameString 80 | 78=CertGetNameStringW 81 | 79=CertGetPublicKeyLength 82 | 80=CertGetServerOcspResponseContext 83 | 81=CertGetStoreProperty 84 | 82=CertGetSubjectCertificateFromStore 85 | 83=CertGetValidUsages 86 | 84=CertIsRDNAttrsInCertificateName 87 | 85=CertIsValidCRLForCertificate 88 | 86=CertNameToStrA 89 | 87=CertNameToStr 90 | 88=CertNameToStrW 91 | 89=CertOIDToAlgId 92 | 90=CertOpenServerOcspResponse 93 | 91=CertOpenStore 94 | 92=CertOpenSystemStoreA 95 | 93=CertOpenSystemStore 96 | 94=CertOpenSystemStoreW 97 | 95=CertRDNValueToStrA 98 | 96=CertRDNValueToStr 99 | 97=CertRDNValueToStrW 100 | 98=CertRegisterPhysicalStore 101 | 99=CertRegisterSystemStore 102 | 100=CertRemoveEnhancedKeyUsageIdentifier 103 | 101=CertRemoveStoreFromCollection 104 | 102=CertResyncCertificateChainEngine 105 | 103=CertRetrieveLogoOrBiometricInfo 106 | 104=CertSaveStore 107 | 105=CertSelectCertificateChains 108 | 106=CertSerializeCRLStoreElement 109 | 107=CertSerializeCTLStoreElement 110 | 108=CertSerializeCertificateStoreElement 111 | 
109=CertSetCRLContextProperty 112 | 110=CertSetCTLContextProperty 113 | 111=CertSetCertificateContextPropertiesFromCTLEntry 114 | 112=CertSetCertificateContextProperty 115 | 113=CertSetEnhancedKeyUsage 116 | 114=CertSetStoreProperty 117 | 115=CertStrToNameA 118 | 116=CertStrToName 119 | 117=CertStrToNameW 120 | 118=CertUnregisterPhysicalStore 121 | 119=CertUnregisterSystemStore 122 | 120=CertVerifyCRLRevocation 123 | 121=CertVerifyCRLTimeValidity 124 | 122=CertVerifyCTLUsage 125 | 123=CertVerifyCertificateChainPolicy 126 | 124=CertVerifyRevocation 127 | 125=CertVerifySubjectCertificateContext 128 | 126=CertVerifyTimeValidity 129 | 127=CertVerifyValidityNesting 130 | 128=CryptAcquireCertificatePrivateKey 131 | 129=CryptBinaryToStringA 132 | 130=CryptBinaryToString 133 | 131=CryptBinaryToStringW 134 | 132=CryptCloseAsyncHandle 135 | 133=CryptCreateAsyncHandle 136 | 134=CryptCreateKeyIdentifierFromCSP 137 | 135=CryptDecodeMessage 138 | 136=CryptDecodeObject 139 | 137=CryptDecodeObjectEx 140 | 138=CryptDecryptAndVerifyMessageSignature 141 | 139=CryptDecryptMessage 142 | 140=CryptEncodeObject 143 | 141=CryptEncodeObjectEx 144 | 142=CryptEncryptMessage 145 | 143=CryptEnumKeyIdentifierProperties 146 | 144=CryptEnumOIDFunction 147 | 145=CryptEnumOIDInfo 148 | 146=CryptExportPKCS8 149 | 147=CryptExportPublicKeyInfo 150 | 148=CryptExportPublicKeyInfoEx 151 | 149=CryptExportPublicKeyInfoFromBCryptKeyHandle 152 | 150=CryptFindCertificateKeyProvInfo 153 | 151=CryptFindLocalizedName 154 | 152=CryptFindOIDInfo 155 | 153=CryptFormatObject 156 | 154=CryptFreeOIDFunctionAddress 157 | 155=CryptGetAsyncParam 158 | 156=CryptGetDefaultOIDDllList 159 | 157=CryptGetDefaultOIDFunctionAddress 160 | 158=CryptGetKeyIdentifierProperty 161 | 159=CryptGetMessageCertificates 162 | 160=CryptGetMessageSignerCount 163 | 161=CryptGetOIDFunctionAddress 164 | 162=CryptGetOIDFunctionValue 165 | 163=CryptHashCertificate2 166 | 164=CryptHashCertificate 167 | 165=CryptHashMessage 168 | 
166=CryptHashPublicKeyInfo 169 | 167=CryptHashToBeSigned 170 | 168=CryptImportPKCS8 171 | 169=CryptImportPublicKeyInfo 172 | 170=CryptImportPublicKeyInfoEx2 173 | 171=CryptImportPublicKeyInfoEx 174 | 172=CryptInitOIDFunctionSet 175 | 173=CryptInstallDefaultContext 176 | 174=CryptInstallOIDFunctionAddress 177 | 175=CryptLoadSip 178 | 176=CryptMemAlloc 179 | 177=CryptMemFree 180 | 178=CryptMemRealloc 181 | 179=CryptMsgCalculateEncodedLength 182 | 180=CryptMsgClose 183 | 181=CryptMsgControl 184 | 182=CryptMsgCountersign 185 | 183=CryptMsgCountersignEncoded 186 | 184=CryptMsgDuplicate 187 | 185=CryptMsgEncodeAndSignCTL 188 | 186=CryptMsgGetAndVerifySigner 189 | 187=CryptMsgGetParam 190 | 188=CryptMsgOpenToDecode 191 | 189=CryptMsgOpenToEncode 192 | 190=CryptMsgSignCTL 193 | 191=CryptMsgUpdate 194 | 192=CryptMsgVerifyCountersignatureEncoded 195 | 193=CryptMsgVerifyCountersignatureEncodedEx 196 | 194=CryptProtectData 197 | 195=CryptProtectMemory 198 | 196=CryptQueryObject 199 | 197=CryptRegisterDefaultOIDFunction 200 | 198=CryptRegisterOIDFunction 201 | 199=CryptRegisterOIDInfo 202 | 200=CryptRetrieveTimeStamp 203 | 201=CryptSIPAddProvider 204 | 202=CryptSIPCreateIndirectData 205 | 203=CryptSIPGetSignedDataMsg 206 | 204=CryptSIPLoad 207 | 205=CryptSIPPutSignedDataMsg 208 | 206=CryptSIPRemoveProvider 209 | 207=CryptSIPRemoveSignedDataMsg 210 | 208=CryptSIPRetrieveSubjectGuid 211 | 209=CryptSIPRetrieveSubjectGuidForCatalogFile 212 | 210=CryptSIPVerifyIndirectData 213 | 211=CryptSetAsyncParam 214 | 212=CryptSetKeyIdentifierProperty 215 | 213=CryptSetOIDFunctionValue 216 | 214=CryptSignAndEncodeCertificate 217 | 215=CryptSignAndEncryptMessage 218 | 216=CryptSignCertificate 219 | 217=CryptSignMessage 220 | 218=CryptSignMessageWithKey 221 | 219=CryptStringToBinaryA 222 | 220=CryptStringToBinary 223 | 221=CryptStringToBinaryW 224 | 222=CryptUninstallDefaultContext 225 | 223=CryptUnprotectData 226 | 224=CryptUnprotectMemory 227 | 225=CryptUnregisterDefaultOIDFunction 228 | 
226=CryptUnregisterOIDFunction 229 | 227=CryptUnregisterOIDInfo 230 | 228=CryptUpdateProtectedState 231 | 229=CryptVerifyCertificateSignature 232 | 230=CryptVerifyCertificateSignatureEx 233 | 231=CryptVerifyDetachedMessageHash 234 | 232=CryptVerifyDetachedMessageSignature 235 | 233=CryptVerifyMessageHash 236 | 234=CryptVerifyMessageSignature 237 | 235=CryptVerifyMessageSignatureWithKey 238 | 236=CryptVerifyTimeStampSignature 239 | 237=DbgInitOSS 240 | 238=DbgPrintf 241 | 239=PFXExportCertStore2 242 | 240=PFXExportCertStore 243 | 241=PFXExportCertStoreEx 244 | 242=PFXImportCertStore 245 | 243=PFXIsPFXBlob 246 | 244=PFXVerifyPassword 247 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/EXP/DbgHelp_ExPression.exp: -------------------------------------------------------------------------------- 1 | [ExPression] 2 | 0= 3 | 1=DbgHelpCreateUserDump 4 | 2=DbgHelpCreateUserDumpW 5 | 3=EnumDirTree 6 | 4=EnumDirTreeW 7 | 5=EnumerateLoadedModules64 8 | 6=EnumerateLoadedModules 9 | 7=EnumerateLoadedModulesEx 10 | 8=EnumerateLoadedModulesExW 11 | 9=EnumerateLoadedModulesW64 12 | 10=ExtensionApiVersion 13 | 11=FindDebugInfoFile 14 | 12=FindDebugInfoFileEx 15 | 13=FindDebugInfoFileExW 16 | 14=FindExecutableImage 17 | 15=FindExecutableImageEx 18 | 16=FindExecutableImageExW 19 | 17=FindFileInPath 20 | 18=FindFileInSearchPath 21 | 19=GetTimestampForLoadedLibrary 22 | 20=ImageDirectoryEntryToData 23 | 21=ImageDirectoryEntryToDataEx 24 | 22=ImageNtHeader 25 | 23=ImageRvaToSection 26 | 24=ImageRvaToVa 27 | 25=ImagehlpApiVersion 28 | 26=ImagehlpApiVersionEx 29 | 27=MakeSureDirectoryPathExists 30 | 28=MapDebugInformation 31 | 29=MiniDumpReadDumpStream 32 | 30=MiniDumpWriteDump 33 | 31=SearchTreeForFile 34 | 32=SearchTreeForFileW 35 | 33=StackWalk64 36 | 34=StackWalk 37 | 35=SymAddSourceStreamA 38 | 36=SymAddSourceStream 39 | 37=SymAddSourceStreamW 40 | 38=SymAddSymbol 41 | 39=SymAddSymbolW 42 | 40=SymCleanup 43 | 41=SymDeleteSymbol 44 | 
42=SymDeleteSymbolW 45 | 43=SymEnumLines 46 | 44=SymEnumLinesW 47 | 45=SymEnumProcesses 48 | 46=SymEnumSourceFileTokens 49 | 47=SymEnumSourceFiles 50 | 48=SymEnumSourceFilesW 51 | 49=SymEnumSourceLines 52 | 50=SymEnumSourceLinesW 53 | 51=SymEnumSym 54 | 52=SymEnumSymbols 55 | 53=SymEnumSymbolsForAddr 56 | 54=SymEnumSymbolsForAddrW 57 | 55=SymEnumSymbolsW 58 | 56=SymEnumTypes 59 | 57=SymEnumTypesByName 60 | 58=SymEnumTypesByNameW 61 | 59=SymEnumTypesW 62 | 60=SymEnumerateModules64 63 | 61=SymEnumerateModules 64 | 62=SymEnumerateModulesW64 65 | 63=SymEnumerateSymbols64 66 | 64=SymEnumerateSymbols 67 | 65=SymEnumerateSymbolsW64 68 | 66=SymEnumerateSymbolsW 69 | 67=SymFindDebugInfoFile 70 | 68=SymFindDebugInfoFileW 71 | 69=SymFindExecutableImage 72 | 70=SymFindExecutableImageW 73 | 71=SymFindFileInPath 74 | 72=SymFindFileInPathW 75 | 73=SymFromAddr 76 | 74=SymFromAddrW 77 | 75=SymFromIndex 78 | 76=SymFromIndexW 79 | 77=SymFromName 80 | 78=SymFromNameW 81 | 79=SymFromToken 82 | 80=SymFromTokenW 83 | 81=SymFunctionTableAccess64 84 | 82=SymFunctionTableAccess 85 | 83=SymGetFileLineOffsets64 86 | 84=SymGetHomeDirectory 87 | 85=SymGetHomeDirectoryW 88 | 86=SymGetLineFromAddr64 89 | 87=SymGetLineFromAddr 90 | 88=SymGetLineFromAddrW64 91 | 89=SymGetLineFromName64 92 | 90=SymGetLineFromName 93 | 91=SymGetLineFromNameW64 94 | 92=SymGetLineNext64 95 | 93=SymGetLineNext 96 | 94=SymGetLineNextW64 97 | 95=SymGetLinePrev64 98 | 96=SymGetLinePrev 99 | 97=SymGetLinePrevW64 100 | 98=SymGetModuleBase64 101 | 99=SymGetModuleBase 102 | 100=SymGetModuleInfo64 103 | 101=SymGetModuleInfo 104 | 102=SymGetModuleInfoW64 105 | 103=SymGetModuleInfoW 106 | 104=SymGetOmaps 107 | 105=SymGetOptions 108 | 106=SymGetScope 109 | 107=SymGetScopeW 110 | 108=SymGetSearchPath 111 | 109=SymGetSearchPathW 112 | 110=SymGetSourceFile 113 | 111=SymGetSourceFileFromToken 114 | 112=SymGetSourceFileFromTokenW 115 | 113=SymGetSourceFileToken 116 | 114=SymGetSourceFileTokenW 117 | 115=SymGetSourceFileW 118 | 
116=SymGetSourceVarFromToken 119 | 117=SymGetSourceVarFromTokenW 120 | 118=SymGetSymFromAddr64 121 | 119=SymGetSymFromAddr 122 | 120=SymGetSymFromName64 123 | 121=SymGetSymFromName 124 | 122=SymGetSymNext64 125 | 123=SymGetSymNext 126 | 124=SymGetSymPrev64 127 | 125=SymGetSymPrev 128 | 126=SymGetSymbolFile 129 | 127=SymGetSymbolFileW 130 | 128=SymGetTypeFromName 131 | 129=SymGetTypeFromNameW 132 | 130=SymGetTypeInfo 133 | 131=SymGetTypeInfoEx 134 | 132=SymGetUnwindInfo 135 | 133=SymInitialize 136 | 134=SymInitializeW 137 | 135=SymLoadModule64 138 | 136=SymLoadModule 139 | 137=SymLoadModuleEx 140 | 138=SymLoadModuleExW 141 | 139=SymMatchFileName 142 | 140=SymMatchFileNameW 143 | 141=SymMatchStringA 144 | 142=SymMatchString 145 | 143=SymMatchStringW 146 | 144=SymNext 147 | 145=SymNextW 148 | 146=SymPrev 149 | 147=SymPrevW 150 | 148=SymRefreshModuleList 151 | 149=SymRegisterCallback64 152 | 150=SymRegisterCallback 153 | 151=SymRegisterCallbackW64 154 | 152=SymRegisterFunctionEntryCallback64 155 | 153=SymRegisterFunctionEntryCallback 156 | 154=SymSearch 157 | 155=SymSearchW 158 | 156=SymSetContext 159 | 157=SymSetHomeDirectory 160 | 158=SymSetHomeDirectoryW 161 | 159=SymSetOptions 162 | 160=SymSetParentWindow 163 | 161=SymSetScopeFromAddr 164 | 162=SymSetScopeFromIndex 165 | 163=SymSetSearchPath 166 | 164=SymSetSearchPathW 167 | 165=SymSrvDeltaName 168 | 166=SymSrvDeltaNameW 169 | 167=SymSrvGetFileIndexInfo 170 | 168=SymSrvGetFileIndexInfoW 171 | 169=SymSrvGetFileIndexString 172 | 170=SymSrvGetFileIndexStringW 173 | 171=SymSrvGetFileIndexes 174 | 172=SymSrvGetFileIndexesW 175 | 173=SymSrvGetSupplement 176 | 174=SymSrvGetSupplementW 177 | 175=SymSrvIsStore 178 | 176=SymSrvIsStoreW 179 | 177=SymSrvStoreFile 180 | 178=SymSrvStoreFileW 181 | 179=SymSrvStoreSupplement 182 | 180=SymSrvStoreSupplementW 183 | 181=SymUnDName64 184 | 182=SymUnDName 185 | 183=SymUnloadModule64 186 | 184=SymUnloadModule 187 | 185=UnDecorateSymbolName 188 | 186=UnDecorateSymbolNameW 189 | 
187=UnmapDebugInformation 190 | 188=WinDbgExtensionDllInit 191 | 189=block 192 | 190=chksym 193 | 191=dbghelp 194 | 192=dh 195 | 193=fptr 196 | 194=homedir 197 | 195=itoldyouso 198 | 196=lmi 199 | 197=lminfo 200 | 198=omap 201 | 199=srcfiles 202 | 200=stack_force_ebp 203 | 201=stackdbg 204 | 202=sym 205 | 203=symsrv 206 | 204=vc7fpo 207 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/EXP/Htmlhelp_ExPression.exp: -------------------------------------------------------------------------------- 1 | [ExPression] 2 | 0= 3 | 1=HtmlHelpA 4 | 2=HtmlHelp 5 | 3=HtmlHelpW 6 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/EXP/IPHlpApi_ExPression.exp: -------------------------------------------------------------------------------- 1 | [ExPression] 2 | 0= 3 | 1=AddIPAddress 4 | 2=AllocateAndGetInterfaceInfoFromStack 5 | 3=AllocateAndGetIpAddrTableFromStack 6 | 4=CPNatfwtCreateProviderInstance 7 | 5=CPNatfwtDeregisterProviderInstance 8 | 6=CPNatfwtDestroyProviderInstance 9 | 7=CPNatfwtIndicateReceivedBuffers 10 | 8=CPNatfwtRegisterProviderInstance 11 | 9=CancelIPChangeNotify 12 | 10=CancelMibChangeNotify2 13 | 11=ConvertGuidToStringA 14 | 12=ConvertGuidToString 15 | 13=ConvertGuidToStringW 16 | 14=ConvertInterfaceAliasToLuid 17 | 15=ConvertInterfaceGuidToLuid 18 | 16=ConvertInterfaceIndexToLuid 19 | 17=ConvertInterfaceLuidToAlias 20 | 18=ConvertInterfaceLuidToGuid 21 | 19=ConvertInterfaceLuidToIndex 22 | 20=ConvertInterfaceLuidToNameA 23 | 21=ConvertInterfaceLuidToName 24 | 22=ConvertInterfaceLuidToNameW 25 | 23=ConvertInterfaceNameToLuidA 26 | 24=ConvertInterfaceNameToLuid 27 | 25=ConvertInterfaceNameToLuidW 28 | 26=ConvertInterfacePhysicalAddressToLuid 29 | 27=ConvertIpv4MaskToLength 30 | 28=ConvertLengthToIpv4Mask 31 | 29=ConvertRemoteInterfaceAliasToLuid 32 | 30=ConvertRemoteInterfaceGuidToLuid 33 | 31=ConvertRemoteInterfaceIndexToLuid 34 | 
32=ConvertRemoteInterfaceLuidToAlias 35 | 33=ConvertRemoteInterfaceLuidToGuid 36 | 34=ConvertRemoteInterfaceLuidToIndex 37 | 35=ConvertStringToGuidA 38 | 36=ConvertStringToGuid 39 | 37=ConvertStringToGuidW 40 | 38=ConvertStringToInterfacePhysicalAddress 41 | 39=CreateAnycastIpAddressEntry 42 | 40=CreateIpForwardEntry2 43 | 41=CreateIpForwardEntry 44 | 42=CreateIpNetEntry2 45 | 43=CreateIpNetEntry 46 | 44=CreatePersistentTcpPortReservation 47 | 45=CreatePersistentUdpPortReservation 48 | 46=CreateProxyArpEntry 49 | 47=CreateSortedAddressPairs 50 | 48=CreateUnicastIpAddressEntry 51 | 49=DeleteAnycastIpAddressEntry 52 | 50=DeleteIPAddress 53 | 51=DeleteIpForwardEntry2 54 | 52=DeleteIpForwardEntry 55 | 53=DeleteIpNetEntry2 56 | 54=DeleteIpNetEntry 57 | 55=DeletePersistentTcpPortReservation 58 | 56=DeletePersistentUdpPortReservation 59 | 57=DeleteProxyArpEntry 60 | 58=DeleteUnicastIpAddressEntry 61 | 59=DisableMediaSense 62 | 60=EnableRouter 63 | 61=FlushIpNetTable2 64 | 62=FlushIpNetTable 65 | 63=FlushIpPathTable 66 | 64=FreeMibTable 67 | 65=GetAdapterIndex 68 | 66=GetAdapterOrderMap 69 | 67=GetAdaptersAddresses 70 | 68=GetAdaptersInfo 71 | 69=GetAnycastIpAddressEntry 72 | 70=GetAnycastIpAddressTable 73 | 71=GetBestInterface 74 | 72=GetBestInterfaceEx 75 | 73=GetBestRoute2 76 | 74=GetBestRoute 77 | 75=GetCurrentThreadCompartmentId 78 | 76=GetExtendedTcpTable 79 | 77=GetExtendedUdpTable 80 | 78=GetFriendlyIfIndex 81 | 79=GetIcmpStatistics 82 | 80=GetIcmpStatisticsEx 83 | 81=GetIfEntry2 84 | 82=GetIfEntry 85 | 83=GetIfStackTable 86 | 84=GetIfTable2 87 | 85=GetIfTable2Ex 88 | 86=GetIfTable 89 | 87=GetInterfaceInfo 90 | 88=GetInvertedIfStackTable 91 | 89=GetIpAddrTable 92 | 90=GetIpErrorString 93 | 91=GetIpForwardEntry2 94 | 92=GetIpForwardTable2 95 | 93=GetIpForwardTable 96 | 94=GetIpInterfaceEntry 97 | 95=GetIpInterfaceTable 98 | 96=GetIpNetEntry2 99 | 97=GetIpNetTable2 100 | 98=GetIpNetTable 101 | 99=GetIpPathEntry 102 | 100=GetIpPathTable 103 | 101=GetIpStatistics 104 | 
102=GetIpStatisticsEx 105 | 103=GetMulticastIpAddressEntry 106 | 104=GetMulticastIpAddressTable 107 | 105=GetNetworkInformation 108 | 106=GetNetworkParams 109 | 107=GetNumberOfInterfaces 110 | 108=GetOwnerModuleFromPidAndInfo 111 | 109=GetOwnerModuleFromTcp6Entry 112 | 110=GetOwnerModuleFromTcpEntry 113 | 111=GetOwnerModuleFromUdp6Entry 114 | 112=GetOwnerModuleFromUdpEntry 115 | 113=GetPerAdapterInfo 116 | 114=GetPerTcp6ConnectionEStats 117 | 115=GetPerTcp6ConnectionStats 118 | 116=GetPerTcpConnectionEStats 119 | 117=GetPerTcpConnectionStats 120 | 118=GetRTTAndHopCount 121 | 119=GetSessionCompartmentId 122 | 120=GetTcp6Table2 123 | 121=GetTcp6Table 124 | 122=GetTcpStatistics 125 | 123=GetTcpStatisticsEx 126 | 124=GetTcpTable2 127 | 125=GetTcpTable 128 | 126=GetTeredoPort 129 | 127=GetUdp6Table 130 | 128=GetUdpStatistics 131 | 129=GetUdpStatisticsEx 132 | 130=GetUdpTable 133 | 131=GetUniDirectionalAdapterInfo 134 | 132=GetUnicastIpAddressEntry 135 | 133=GetUnicastIpAddressTable 136 | 134=Icmp6CreateFile 137 | 135=Icmp6ParseReplies 138 | 136=Icmp6SendEcho2 139 | 137=IcmpCloseHandle 140 | 138=IcmpCreateFile 141 | 139=IcmpParseReplies 142 | 140=IcmpSendEcho2 143 | 141=IcmpSendEcho2Ex 144 | 142=IcmpSendEcho 145 | 143=InitializeIpForwardEntry 146 | 144=InitializeIpInterfaceEntry 147 | 145=InitializeUnicastIpAddressEntry 148 | 146=InternalCleanupPersistentStore 149 | 147=InternalCreateAnycastIpAddressEntry 150 | 148=InternalCreateIpForwardEntry2 151 | 149=InternalCreateIpForwardEntry 152 | 150=InternalCreateIpNetEntry2 153 | 151=InternalCreateIpNetEntry 154 | 152=InternalCreateUnicastIpAddressEntry 155 | 153=InternalDeleteAnycastIpAddressEntry 156 | 154=InternalDeleteIpForwardEntry2 157 | 155=InternalDeleteIpForwardEntry 158 | 156=InternalDeleteIpNetEntry2 159 | 157=InternalDeleteIpNetEntry 160 | 158=InternalDeleteUnicastIpAddressEntry 161 | 159=InternalFindInterfaceByAddress 162 | 160=InternalGetAnycastIpAddressEntry 163 | 161=InternalGetAnycastIpAddressTable 164 | 
162=InternalGetForwardIpTable2 165 | 163=InternalGetIfEntry2 166 | 164=InternalGetIfTable2 167 | 165=InternalGetIfTable 168 | 166=InternalGetIpAddrTable 169 | 167=InternalGetIpForwardEntry2 170 | 168=InternalGetIpForwardTable 171 | 169=InternalGetIpInterfaceEntry 172 | 170=InternalGetIpInterfaceTable 173 | 171=InternalGetIpNetEntry2 174 | 172=InternalGetIpNetTable2 175 | 173=InternalGetIpNetTable 176 | 174=InternalGetMulticastIpAddressEntry 177 | 175=InternalGetMulticastIpAddressTable 178 | 176=InternalGetTcp6Table2 179 | 177=InternalGetTcp6TableWithOwnerModule 180 | 178=InternalGetTcp6TableWithOwnerPid 181 | 179=InternalGetTcpTable2 182 | 180=InternalGetTcpTable 183 | 181=InternalGetTcpTableEx 184 | 182=InternalGetTcpTableWithOwnerModule 185 | 183=InternalGetTcpTableWithOwnerPid 186 | 184=InternalGetTunnelPhysicalAdapter 187 | 185=InternalGetUdp6TableWithOwnerModule 188 | 186=InternalGetUdp6TableWithOwnerPid 189 | 187=InternalGetUdpTable 190 | 188=InternalGetUdpTableEx 191 | 189=InternalGetUdpTableWithOwnerModule 192 | 190=InternalGetUdpTableWithOwnerPid 193 | 191=InternalGetUnicastIpAddressEntry 194 | 192=InternalGetUnicastIpAddressTable 195 | 193=InternalSetIfEntry 196 | 194=InternalSetIpForwardEntry2 197 | 195=InternalSetIpForwardEntry 198 | 196=InternalSetIpInterfaceEntry 199 | 197=InternalSetIpNetEntry2 200 | 198=InternalSetIpNetEntry 201 | 199=InternalSetIpStats 202 | 200=InternalSetTcpEntry 203 | 201=InternalSetTeredoPort 204 | 202=InternalSetUnicastIpAddressEntry 205 | 203=IpReleaseAddress 206 | 204=IpRenewAddress 207 | 205=LookupPersistentTcpPortReservation 208 | 206=LookupPersistentUdpPortReservation 209 | 207=NTPTimeToNTFileTime 210 | 208=NTTimeToNTPTime 211 | 209=NhGetGuidFromInterfaceName 212 | 210=NhGetInterfaceDescriptionFromGuid 213 | 211=NhGetInterfaceNameFromDeviceGuid 214 | 212=NhGetInterfaceNameFromGuid 215 | 213=NhpAllocateAndGetInterfaceInfoFromStack 216 | 214=NotifyAddrChange 217 | 215=NotifyIpInterfaceChange 218 | 216=NotifyRouteChange2 219 
| 217=NotifyRouteChange 220 | 218=NotifyStableUnicastIpAddressTable 221 | 219=NotifyTeredoPortChange 222 | 220=NotifyUnicastIpAddressChange 223 | 221=ParseNetworkString 224 | 222=PfAddFiltersToInterface 225 | 223=PfAddGlobalFilterToInterface 226 | 224=PfBindInterfaceToIPAddress 227 | 225=PfBindInterfaceToIndex 228 | 226=PfCreateInterface 229 | 227=PfDeleteInterface 230 | 228=PfDeleteLog 231 | 229=PfGetInterfaceStatistics 232 | 230=PfMakeLog 233 | 231=PfRebindFilters 234 | 232=PfRemoveFilterHandles 235 | 233=PfRemoveFiltersFromInterface 236 | 234=PfRemoveGlobalFilterFromInterface 237 | 235=PfSetLogBuffer 238 | 236=PfTestPacket 239 | 237=PfUnBindInterface 240 | 238=ResolveIpNetEntry2 241 | 239=ResolveNeighbor 242 | 240=RestoreMediaSense 243 | 241=SendARP 244 | 242=SetAdapterIpAddress 245 | 243=SetCurrentThreadCompartmentId 246 | 244=SetIfEntry 247 | 245=SetIpForwardEntry2 248 | 246=SetIpForwardEntry 249 | 247=SetIpInterfaceEntry 250 | 248=SetIpNetEntry2 251 | 249=SetIpNetEntry 252 | 250=SetIpStatistics 253 | 251=SetIpStatisticsEx 254 | 252=SetIpTTL 255 | 253=SetNetworkInformation 256 | 254=SetPerTcp6ConnectionEStats 257 | 255=SetPerTcp6ConnectionStats 258 | 256=SetPerTcpConnectionEStats 259 | 257=SetPerTcpConnectionStats 260 | 258=SetSessionCompartmentId 261 | 259=SetTcpEntry 262 | 260=SetUnicastIpAddressEntry 263 | 261=UnenableRouter 264 | 262=if_indextoname 265 | 263=if_nametoindex 266 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/EXP/ImageHlp_ExPression.exp: -------------------------------------------------------------------------------- 1 | [ExPression] 2 | 0= 3 | 1=BindImage 4 | 2=BindImageEx 5 | 3=CheckSumMappedFile 6 | 4=EnumerateLoadedModules64 7 | 5=EnumerateLoadedModules 8 | 6=EnumerateLoadedModulesEx 9 | 7=EnumerateLoadedModulesExW 10 | 8=EnumerateLoadedModulesW64 11 | 9=FindDebugInfoFile 12 | 10=FindDebugInfoFileEx 13 | 11=FindExecutableImage 14 | 12=FindExecutableImageEx 15 | 13=FindFileInPath 16 | 
14=FindFileInSearchPath 17 | 15=GetImageConfigInformation 18 | 16=GetImageUnusedHeaderBytes 19 | 17=GetTimestampForLoadedLibrary 20 | 18=ImageAddCertificate 21 | 19=ImageDirectoryEntryToData 22 | 20=ImageDirectoryEntryToDataEx 23 | 21=ImageEnumerateCertificates 24 | 22=ImageGetCertificateData 25 | 23=ImageGetCertificateHeader 26 | 24=ImageGetDigestStream 27 | 25=ImageLoad 28 | 26=ImageNtHeader 29 | 27=ImageRemoveCertificate 30 | 28=ImageRvaToSection 31 | 29=ImageRvaToVa 32 | 30=ImageUnload 33 | 31=ImagehlpApiVersion 34 | 32=ImagehlpApiVersionEx 35 | 33=MakeSureDirectoryPathExists 36 | 34=MapAndLoad 37 | 35=MapDebugInformation 38 | 36=MapFileAndCheckSumA 39 | 37=MapFileAndCheckSum 40 | 38=MapFileAndCheckSumW 41 | 39=ReBaseImage64 42 | 40=ReBaseImage 43 | 41=SearchTreeForFile 44 | 42=SetImageConfigInformation 45 | 43=SplitSymbols 46 | 44=StackWalk64 47 | 45=StackWalk 48 | 46=SymCleanup 49 | 47=SymEnumSym 50 | 48=SymEnumSymbols 51 | 49=SymEnumSymbolsForAddr 52 | 50=SymEnumTypes 53 | 51=SymEnumTypesByName 54 | 52=SymEnumTypesByNameW 55 | 53=SymEnumTypesW 56 | 54=SymEnumerateModules64 57 | 55=SymEnumerateModules 58 | 56=SymEnumerateSymbols64 59 | 57=SymEnumerateSymbols 60 | 58=SymEnumerateSymbolsW64 61 | 59=SymEnumerateSymbolsW 62 | 60=SymFindFileInPath 63 | 61=SymFindFileInPathW 64 | 62=SymFromAddr 65 | 63=SymFromName 66 | 64=SymFunctionTableAccess64 67 | 65=SymFunctionTableAccess 68 | 66=SymGetLineFromAddr64 69 | 67=SymGetLineFromAddr 70 | 68=SymGetLineFromName64 71 | 69=SymGetLineFromName 72 | 70=SymGetLineNext64 73 | 71=SymGetLineNext 74 | 72=SymGetLinePrev64 75 | 73=SymGetLinePrev 76 | 74=SymGetModuleBase64 77 | 75=SymGetModuleBase 78 | 76=SymGetModuleInfo64 79 | 77=SymGetModuleInfo 80 | 78=SymGetModuleInfoW64 81 | 79=SymGetModuleInfoW 82 | 80=SymGetOptions 83 | 81=SymGetSearchPath 84 | 82=SymGetSourceFileFromTokenW 85 | 83=SymGetSourceFileTokenW 86 | 84=SymGetSourceVarFromTokenW 87 | 85=SymGetSymFromAddr64 88 | 86=SymGetSymFromAddr 89 | 87=SymGetSymFromName64 90 | 
88=SymGetSymFromName 91 | 89=SymGetSymNext64 92 | 90=SymGetSymNext 93 | 91=SymGetSymPrev64 94 | 92=SymGetSymPrev 95 | 93=SymGetSymbolFile 96 | 94=SymGetSymbolFileW 97 | 95=SymGetTypeFromName 98 | 96=SymGetTypeFromNameW 99 | 97=SymGetTypeInfo 100 | 98=SymGetTypeInfoEx 101 | 99=SymInitialize 102 | 100=SymLoadModule64 103 | 101=SymLoadModule 104 | 102=SymMatchFileName 105 | 103=SymMatchFileNameW 106 | 104=SymMatchStringA 107 | 105=SymMatchString 108 | 106=SymMatchStringW 109 | 107=SymRegisterCallback64 110 | 108=SymRegisterCallback 111 | 109=SymRegisterFunctionEntryCallback64 112 | 110=SymRegisterFunctionEntryCallback 113 | 111=SymSetContext 114 | 112=SymSetOptions 115 | 113=SymSetScopeFromAddr 116 | 114=SymSetScopeFromIndex 117 | 115=SymSetSearchPath 118 | 116=SymSrvGetFileIndexString 119 | 117=SymSrvGetFileIndexStringW 120 | 118=SymSrvGetFileIndexes 121 | 119=SymSrvGetFileIndexesW 122 | 120=SymUnDName64 123 | 121=SymUnDName 124 | 122=SymUnloadModule64 125 | 123=SymUnloadModule 126 | 124=TouchFileTimes 127 | 125=UnDecorateSymbolName 128 | 126=UnMapAndLoad 129 | 127=UnmapDebugInformation 130 | 128=UpdateDebugInfoFile 131 | 129=UpdateDebugInfoFileEx 132 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/EXP/Make ExP Files/GetAPInameFromInc.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/EXP/Make ExP Files/GetAPInameFromInc.exe -------------------------------------------------------------------------------- /OllyDbg/Plugins/EXP/Make ExP Files/go-version OR go version: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/EXP/Make ExP Files/go-version OR go version 
-------------------------------------------------------------------------------- /OllyDbg/Plugins/EXP/Make ExP Files/lib2inc.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/EXP/Make ExP Files/lib2inc.exe -------------------------------------------------------------------------------- /OllyDbg/Plugins/EXP/Make ExP Files/version.inc: -------------------------------------------------------------------------------- 1 | ; include file generated by lib2inc V1.1 2 | 3 | GetFileVersionInfoA PROTO :DWORD,:DWORD,:DWORD,:DWORD 4 | GetFileVersionInfo EQU 5 | 6 | GetFileVersionInfoSizeA PROTO :DWORD,:DWORD 7 | GetFileVersionInfoSize EQU 8 | 9 | GetFileVersionInfoSizeW PROTO :DWORD,:DWORD 10 | GetFileVersionInfoW PROTO :DWORD,:DWORD,:DWORD,:DWORD 11 | VerFindFileA PROTO :DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD 12 | VerFindFile EQU 13 | 14 | VerFindFileW PROTO :DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD 15 | VerInstallFileA PROTO :DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD 16 | VerInstallFile EQU 17 | 18 | VerInstallFileW PROTO :DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD 19 | VerQueryValueA PROTO :DWORD,:DWORD,:DWORD,:DWORD 20 | VerQueryValue EQU 21 | 22 | VerQueryValueIndexA PROTO :DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD 23 | VerQueryValueIndex EQU 24 | 25 | VerQueryValueIndexW PROTO :DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD 26 | VerQueryValueW PROTO :DWORD,:DWORD,:DWORD,:DWORD 27 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/EXP/MsWSock_ExPression.exp: -------------------------------------------------------------------------------- 1 | [ExPression] 2 | 0= 3 | 1=AcceptEx 4 | 2=EnumProtocolsA 5 | 3=EnumProtocols 6 | 4=EnumProtocolsW 7 | 5=GetAcceptExSockaddrs 8 | 6=GetAddressByNameA 9 | 7=GetAddressByName 10 | 
8=GetAddressByNameW 11 | 9=GetNameByTypeA 12 | 10=GetNameByType 13 | 11=GetNameByTypeW 14 | 12=GetServiceA 15 | 13=GetService 16 | 14=GetServiceW 17 | 15=GetTypeByNameA 18 | 16=GetTypeByName 19 | 17=GetTypeByNameW 20 | 18=MigrateWinsockConfiguration 21 | 19=NPLoadNameSpaces 22 | 20=SetServiceA 23 | 21=SetService 24 | 22=SetServiceW 25 | 23=TransmitFile 26 | 24=WSARecvEx 27 | 25=dn_expand 28 | 26=getnetbyname 29 | 27=inet_network 30 | 28=rcmd 31 | 29=rexec 32 | 30=rresvport 33 | 31=s_perror 34 | 32=sethostname 35 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/EXP/Ollydbg110_ExPression.exp: -------------------------------------------------------------------------------- 1 | [ExPression] 2 | 0= 3 | 1=_Addsorteddata 4 | 2=_Addtolist 5 | 3=_Analysecode 6 | 4=_Animate 7 | 5=_Assemble 8 | 6=_Attachtoactiveprocess 9 | 7=_Broadcast 10 | 8=_Browsefilename 11 | 9=_Calculatecrc 12 | 10=_Checkcondition 13 | 11=_Compress 14 | 12=_Createdumpwindow 15 | 13=_Createlistwindow 16 | 14=_Createpatchwindow 17 | 15=_Createprofilewindow 18 | 16=_Creatertracewindow 19 | 17=_Createsorteddata 20 | 18=_Createthreadwindow 21 | 19=_Createwatchwindow 22 | 20=_Createwinwindow 23 | 21=_Decodeaddress 24 | 22=_Decodeascii 25 | 23=_Decodecharacter 26 | 24=_Decodefullvarname 27 | 25=_Decodeknownargument 28 | 26=_Decodename 29 | 27=_Decoderange 30 | 28=_Decoderelativeoffset 31 | 29=_Decodethreadname 32 | 30=_Decodeunicode 33 | 31=_Decompress 34 | 32=_Defaultbar 35 | 33=_Deletebreakpoints 36 | 34=_Deletehardwarebreakbyaddr 37 | 35=_Deletehardwarebreakpoint 38 | 36=_Deletenamerange 39 | 37=_Deletenonconfirmedsorteddata 40 | 38=_Deleteruntrace 41 | 39=_Deletesorteddata 42 | 40=_Deletesorteddatarange 43 | 41=_Deletewatch 44 | 42=_Demanglename 45 | 43=_Destroysorteddata 46 | 44=_Disasm 47 | 45=_Disassembleback 48 | 46=_Disassembleforward 49 | 47=_Discardquicknames 50 | 48=_Dumpbackup 51 | 49=_Error 52 | 50=_Expression 53 | 51=_Findallcommands 54 | 
52=_Findalldllcalls 55 | 53=_Findallsequences 56 | 54=_Finddecode 57 | 55=_Findfileoffset 58 | 56=_Findfixup 59 | 57=_Findhittrace 60 | 58=_Findimportbyname 61 | 59=_Findlabel 62 | 60=_Findlabelbyname 63 | 61=_Findmemory 64 | 62=_Findmodule 65 | 63=_Findname 66 | 64=_Findnextname 67 | 65=_Findnextproc 68 | 66=_Findnextruntraceip 69 | 67=_Findprevproc 70 | 68=_Findprevruntraceip 71 | 69=_Findprocbegin 72 | 70=_Findprocend 73 | 71=_Findreferences 74 | 72=_Findsorteddata 75 | 73=_Findsorteddataindex 76 | 74=_Findsorteddatarange 77 | 75=_Findstrings 78 | 76=_Findsymbolicname 79 | 77=_Findthread 80 | 78=_Findunknownfunction 81 | 79=_Flash 82 | 80=_Followcall 83 | 81=_Get3dnow 84 | 82=_Get3dnowxy 85 | 83=_Getaddressfromline 86 | 84=_Getasmfindmodel 87 | 85=_Getasmfindmodelxy 88 | 86=_Getbprelname 89 | 87=_Getbreakpointtype 90 | 88=_Getbreakpointtypecount 91 | 89=_Getcputhreadid 92 | 90=_Getdisassemblerrange 93 | 91=_Getfloat 94 | 92=_Getfloat10 95 | 93=_Getfloat10xy 96 | 94=_Getfloatxy 97 | 95=_Gethexstring 98 | 96=_Gethexstringxy 99 | 97=_Getline 100 | 98=_Getlinefromaddress 101 | 99=_Getlinexy 102 | 100=_Getlong 103 | 101=_Getlongxy 104 | 102=_Getmmx 105 | 103=_Getmmxxy 106 | 104=_Getnextbreakpoint 107 | 105=_Getoriginaldatasize 108 | 106=_Getproclimits 109 | 107=_Getregxy 110 | 108=_Getresourcestring 111 | 109=_Getruntraceprofile 112 | 110=_Getruntraceregisters 113 | 111=_Getsortedbyselection 114 | 112=_Getsourcefilelimits 115 | 113=_Getstatus 116 | 114=_Gettableselectionxy 117 | 115=_Gettext 118 | 116=_Gettextxy 119 | 117=_Getwatch 120 | 118=_Go 121 | 119=_Guardmemory 122 | 120=_Hardbreakpoints 123 | 121=_Havecopyofmemory 124 | 122=_Infoline 125 | 123=_Injectcode 126 | 124=_Insertname 127 | 125=_Insertwatch 128 | 126=_Isfilling 129 | 127=_Isprefix 130 | 128=_Isretaddr 131 | 129=_Issuspicious 132 | 130=_IstextA 133 | 131=_Istext 134 | 132=_IstextW 135 | 133=_Listmemory 136 | 134=_Manualbreakpoint 137 | 135=_Mergequicknames 138 | 136=_Message 139 | 137=_Modifyhittrace 
140 | 138=_Newtablewindow 141 | 139=_OpenEXEfile 142 | 140=_Painttable 143 | 141=_Plugingetvalue 144 | 142=_Pluginreadintfromini 145 | 143=_Pluginreadstringfromini 146 | 144=_Pluginsaverecord 147 | 145=_Pluginwriteinttoini 148 | 146=_Pluginwritestringtoini 149 | 147=_Print3dnow 150 | 148=_Printfloat10 151 | 149=_Printfloat4 152 | 150=_Printfloat8 153 | 151=_Printsse 154 | 152=_Progress 155 | 153=_Quickinsertname 156 | 154=_Quicktablewindow 157 | 155=_Readcommand 158 | 156=_Readmemory 159 | 157=_Redrawdisassembler 160 | 158=_Registerotclass 161 | 159=_Registerpluginclass 162 | 160=_Restoreallthreads 163 | 161=_Runsinglethread 164 | 162=_Runtracesize 165 | 163=_Scrollruntracewindow 166 | 164=_Selectandscroll 167 | 165=_Sendshortcut 168 | 166=_Setbreakpoint 169 | 167=_Setbreakpointext 170 | 168=_Setcpu 171 | 169=_Setdisasm 172 | 170=_Setdumptype 173 | 171=_Sethardwarebreakpoint 174 | 172=_Setmembreakpoint 175 | 173=_Settracecondition 176 | 174=_Settracecount 177 | 175=_Settracepauseoncommands 178 | 176=_Showsourcefromaddress 179 | 177=_Sortsorteddata 180 | 178=_Startruntrace 181 | 179=_Stringtotext 182 | 180=_Suspendprocess 183 | 181=_Tablefunction 184 | 182=_Tempbreakpoint 185 | 183=_Unregisterpluginclass 186 | 184=_Updatelist 187 | 185=_Walkreference 188 | 186=_Walkreferenceex 189 | 187=_Writememory 190 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/EXP/SHLWAPI_ExPression.exp: -------------------------------------------------------------------------------- 1 | [ExPression] 2 | 0= 3 | 1=AssocCreate 4 | 2=AssocGetPerceivedType 5 | 3=AssocIsDangerous 6 | 4=AssocQueryKeyA 7 | 5=AssocQueryKey 8 | 6=AssocQueryKeyW 9 | 7=AssocQueryStringA 10 | 8=AssocQueryString 11 | 9=AssocQueryStringByKeyA 12 | 10=AssocQueryStringByKey 13 | 11=AssocQueryStringByKeyW 14 | 12=AssocQueryStringW 15 | 13=ChrCmpIA 16 | 14=ChrCmpI 17 | 15=ChrCmpIW 18 | 16=ColorAdjustLuma 19 | 17=ColorHLSToRGB 20 | 18=ColorRGBToHLS 21 | 
19=ConnectToConnectionPoint 22 | 20=GetAcceptLanguagesA 23 | 21=GetAcceptLanguages 24 | 22=GetAcceptLanguagesW 25 | 23=GetMenuPosFromID 26 | 24=HashData 27 | 25=IStream_Copy 28 | 26=IStream_Read 29 | 27=IStream_ReadPidl 30 | 28=IStream_ReadStr 31 | 29=IStream_Reset 32 | 30=IStream_Size 33 | 31=IStream_Write 34 | 32=IStream_WritePidl 35 | 33=IStream_WriteStr 36 | 34=IUnknown_AtomicRelease 37 | 35=IUnknown_GetSite 38 | 36=IUnknown_GetWindow 39 | 37=IUnknown_QueryService 40 | 38=IUnknown_Set 41 | 39=IUnknown_SetSite 42 | 40=IntlStrEqWorkerA 43 | 41=IntlStrEqWorker 44 | 42=IntlStrEqWorkerW 45 | 43=IsCharSpaceA 46 | 44=IsCharSpace 47 | 45=IsCharSpaceW 48 | 46=IsInternetESCEnabled 49 | 47=IsOS 50 | 48=MLFreeLibrary 51 | 49=MLLoadLibraryA 52 | 50=MLLoadLibrary 53 | 51=MLLoadLibraryW 54 | 52=ParseURLA 55 | 53=ParseURL 56 | 54=ParseURLW 57 | 55=PathAddBackslashA 58 | 56=PathAddBackslash 59 | 57=PathAddBackslashW 60 | 58=PathAddExtensionA 61 | 59=PathAddExtension 62 | 60=PathAddExtensionW 63 | 61=PathAppendA 64 | 62=PathAppend 65 | 63=PathAppendW 66 | 64=PathBuildRootA 67 | 65=PathBuildRoot 68 | 66=PathBuildRootW 69 | 67=PathCanonicalizeA 70 | 68=PathCanonicalize 71 | 69=PathCanonicalizeW 72 | 70=PathCombineA 73 | 71=PathCombine 74 | 72=PathCombineW 75 | 73=PathCommonPrefixA 76 | 74=PathCommonPrefix 77 | 75=PathCommonPrefixW 78 | 76=PathCompactPathA 79 | 77=PathCompactPath 80 | 78=PathCompactPathExA 81 | 79=PathCompactPathEx 82 | 80=PathCompactPathExW 83 | 81=PathCompactPathW 84 | 82=PathCreateFromUrlA 85 | 83=PathCreateFromUrl 86 | 84=PathCreateFromUrlAlloc 87 | 85=PathCreateFromUrlW 88 | 86=PathFileExistsA 89 | 87=PathFileExists 90 | 88=PathFileExistsW 91 | 89=PathFindExtensionA 92 | 90=PathFindExtension 93 | 91=PathFindExtensionW 94 | 92=PathFindFileNameA 95 | 93=PathFindFileName 96 | 94=PathFindFileNameW 97 | 95=PathFindNextComponentA 98 | 96=PathFindNextComponent 99 | 97=PathFindNextComponentW 100 | 98=PathFindOnPathA 101 | 99=PathFindOnPath 102 | 100=PathFindOnPathW 
103 | 101=PathFindSuffixArrayA 104 | 102=PathFindSuffixArray 105 | 103=PathFindSuffixArrayW 106 | 104=PathGetArgsA 107 | 105=PathGetArgs 108 | 106=PathGetArgsW 109 | 107=PathGetCharTypeA 110 | 108=PathGetCharType 111 | 109=PathGetCharTypeW 112 | 110=PathGetDriveNumberA 113 | 111=PathGetDriveNumber 114 | 112=PathGetDriveNumberW 115 | 113=PathIsContentTypeA 116 | 114=PathIsContentType 117 | 115=PathIsContentTypeW 118 | 116=PathIsDirectoryA 119 | 117=PathIsDirectory 120 | 118=PathIsDirectoryEmptyA 121 | 119=PathIsDirectoryEmpty 122 | 120=PathIsDirectoryEmptyW 123 | 121=PathIsDirectoryW 124 | 122=PathIsFileSpecA 125 | 123=PathIsFileSpec 126 | 124=PathIsFileSpecW 127 | 125=PathIsLFNFileSpecA 128 | 126=PathIsLFNFileSpec 129 | 127=PathIsLFNFileSpecW 130 | 128=PathIsNetworkPathA 131 | 129=PathIsNetworkPath 132 | 130=PathIsNetworkPathW 133 | 131=PathIsPrefixA 134 | 132=PathIsPrefix 135 | 133=PathIsPrefixW 136 | 134=PathIsRelativeA 137 | 135=PathIsRelative 138 | 136=PathIsRelativeW 139 | 137=PathIsRootA 140 | 138=PathIsRoot 141 | 139=PathIsRootW 142 | 140=PathIsSameRootA 143 | 141=PathIsSameRoot 144 | 142=PathIsSameRootW 145 | 143=PathIsSystemFolderA 146 | 144=PathIsSystemFolder 147 | 145=PathIsSystemFolderW 148 | 146=PathIsUNCA 149 | 147=PathIsUNC 150 | 148=PathIsUNCServerA 151 | 149=PathIsUNCServer 152 | 150=PathIsUNCServerShareA 153 | 151=PathIsUNCServerShare 154 | 152=PathIsUNCServerShareW 155 | 153=PathIsUNCServerW 156 | 154=PathIsUNCW 157 | 155=PathIsURLA 158 | 156=PathIsURL 159 | 157=PathIsURLW 160 | 158=PathMakePrettyA 161 | 159=PathMakePretty 162 | 160=PathMakePrettyW 163 | 161=PathMakeSystemFolderA 164 | 162=PathMakeSystemFolder 165 | 163=PathMakeSystemFolderW 166 | 164=PathMatchSpecA 167 | 165=PathMatchSpec 168 | 166=PathMatchSpecExA 169 | 167=PathMatchSpecEx 170 | 168=PathMatchSpecExW 171 | 169=PathMatchSpecW 172 | 170=PathParseIconLocationA 173 | 171=PathParseIconLocation 174 | 172=PathParseIconLocationW 175 | 173=PathQuoteSpacesA 176 | 174=PathQuoteSpaces 177 | 
175=PathQuoteSpacesW 178 | 176=PathRelativePathToA 179 | 177=PathRelativePathTo 180 | 178=PathRelativePathToW 181 | 179=PathRemoveArgsA 182 | 180=PathRemoveArgs 183 | 181=PathRemoveArgsW 184 | 182=PathRemoveBackslashA 185 | 183=PathRemoveBackslash 186 | 184=PathRemoveBackslashW 187 | 185=PathRemoveBlanksA 188 | 186=PathRemoveBlanks 189 | 187=PathRemoveBlanksW 190 | 188=PathRemoveExtensionA 191 | 189=PathRemoveExtension 192 | 190=PathRemoveExtensionW 193 | 191=PathRemoveFileSpecA 194 | 192=PathRemoveFileSpec 195 | 193=PathRemoveFileSpecW 196 | 194=PathRenameExtensionA 197 | 195=PathRenameExtension 198 | 196=PathRenameExtensionW 199 | 197=PathSearchAndQualifyA 200 | 198=PathSearchAndQualify 201 | 199=PathSearchAndQualifyW 202 | 200=PathSetDlgItemPathA 203 | 201=PathSetDlgItemPath 204 | 202=PathSetDlgItemPathW 205 | 203=PathSkipRootA 206 | 204=PathSkipRoot 207 | 205=PathSkipRootW 208 | 206=PathStripPathA 209 | 207=PathStripPath 210 | 208=PathStripPathW 211 | 209=PathStripToRootA 212 | 210=PathStripToRoot 213 | 211=PathStripToRootW 214 | 212=PathUnExpandEnvStringsA 215 | 213=PathUnExpandEnvStrings 216 | 214=PathUnExpandEnvStringsW 217 | 215=PathUndecorateA 218 | 216=PathUndecorate 219 | 217=PathUndecorateW 220 | 218=PathUnmakeSystemFolderA 221 | 219=PathUnmakeSystemFolder 222 | 220=PathUnmakeSystemFolderW 223 | 221=PathUnquoteSpacesA 224 | 222=PathUnquoteSpaces 225 | 223=PathUnquoteSpacesW 226 | 224=QISearch 227 | 225=SHAllocShared 228 | 226=SHAnsiToAnsi 229 | 227=SHAnsiToUnicode 230 | 228=SHAutoComplete 231 | 229=SHCopyKeyA 232 | 230=SHCopyKey 233 | 231=SHCopyKeyW 234 | 232=SHCreateMemStream 235 | 233=SHCreateShellPalette 236 | 234=SHCreateStreamOnFileA 237 | 235=SHCreateStreamOnFile 238 | 236=SHCreateStreamOnFileEx 239 | 237=SHCreateStreamOnFileW 240 | 238=SHCreateThread 241 | 239=SHCreateThreadRef 242 | 240=SHCreateThreadWithHandle 243 | 241=SHDeleteEmptyKeyA 244 | 242=SHDeleteEmptyKey 245 | 243=SHDeleteEmptyKeyW 246 | 244=SHDeleteKeyA 247 | 245=SHDeleteKey 248 | 
246=SHDeleteKeyW 249 | 247=SHDeleteValueA 250 | 248=SHDeleteValue 251 | 249=SHDeleteValueW 252 | 250=SHEnumKeyExA 253 | 251=SHEnumKeyEx 254 | 252=SHEnumKeyExW 255 | 253=SHEnumValueA 256 | 254=SHEnumValue 257 | 255=SHEnumValueW 258 | 256=SHFormatDateTimeA 259 | 257=SHFormatDateTime 260 | 258=SHFormatDateTimeW 261 | 259=SHFreeShared 262 | 260=SHGetInverseCMAP 263 | 261=SHGetThreadRef 264 | 262=SHGetValueA 265 | 263=SHGetValue 266 | 264=SHGetValueW 267 | 265=SHGetViewStatePropertyBag 268 | 266=SHGlobalCounterDecrement 269 | 267=SHGlobalCounterGetValue 270 | 268=SHGlobalCounterIncrement 271 | 269=SHIsChildOrSelf 272 | 270=SHIsLowMemoryMachine 273 | 271=SHLoadIndirectString 274 | 272=SHLockShared 275 | 273=SHMessageBoxCheckA 276 | 274=SHMessageBoxCheck 277 | 275=SHMessageBoxCheckW 278 | 276=SHOpenRegStream2A 279 | 277=SHOpenRegStream2 280 | 278=SHOpenRegStream2W 281 | 279=SHOpenRegStreamA 282 | 280=SHOpenRegStream 283 | 281=SHOpenRegStreamW 284 | 282=SHPropertyBag_ReadStrAlloc 285 | 283=SHPropertyBag_WriteBSTR 286 | 284=SHQueryInfoKeyA 287 | 285=SHQueryInfoKey 288 | 286=SHQueryInfoKeyW 289 | 287=SHQueryValueExA 290 | 288=SHQueryValueEx 291 | 289=SHQueryValueExW 292 | 290=SHRegCloseUSKey 293 | 291=SHRegCreateUSKeyA 294 | 292=SHRegCreateUSKey 295 | 293=SHRegCreateUSKeyW 296 | 294=SHRegDeleteEmptyUSKeyA 297 | 295=SHRegDeleteEmptyUSKey 298 | 296=SHRegDeleteEmptyUSKeyW 299 | 297=SHRegDeleteUSValueA 300 | 298=SHRegDeleteUSValue 301 | 299=SHRegDeleteUSValueW 302 | 300=SHRegDuplicateHKey 303 | 301=SHRegEnumUSKeyA 304 | 302=SHRegEnumUSKey 305 | 303=SHRegEnumUSKeyW 306 | 304=SHRegEnumUSValueA 307 | 305=SHRegEnumUSValue 308 | 306=SHRegEnumUSValueW 309 | 307=SHRegGetBoolUSValueA 310 | 308=SHRegGetBoolUSValue 311 | 309=SHRegGetBoolUSValueW 312 | 310=SHRegGetIntW 313 | 311=SHRegGetPathA 314 | 312=SHRegGetPath 315 | 313=SHRegGetPathW 316 | 314=SHRegGetUSValueA 317 | 315=SHRegGetUSValue 318 | 316=SHRegGetUSValueW 319 | 317=SHRegGetValueA 320 | 318=SHRegGetValue 321 | 319=SHRegGetValueW 
322 | 320=SHRegOpenUSKeyA 323 | 321=SHRegOpenUSKey 324 | 322=SHRegOpenUSKeyW 325 | 323=SHRegQueryInfoUSKeyA 326 | 324=SHRegQueryInfoUSKey 327 | 325=SHRegQueryInfoUSKeyW 328 | 326=SHRegQueryUSValueA 329 | 327=SHRegQueryUSValue 330 | 328=SHRegQueryUSValueW 331 | 329=SHRegSetPathA 332 | 330=SHRegSetPath 333 | 331=SHRegSetPathW 334 | 332=SHRegSetUSValueA 335 | 333=SHRegSetUSValue 336 | 334=SHRegSetUSValueW 337 | 335=SHRegWriteUSValueA 338 | 336=SHRegWriteUSValue 339 | 337=SHRegWriteUSValueW 340 | 338=SHReleaseThreadRef 341 | 339=SHRunIndirectRegClientCommand 342 | 340=SHSendMessageBroadcastA 343 | 341=SHSendMessageBroadcast 344 | 342=SHSendMessageBroadcastW 345 | 343=SHSetThreadRef 346 | 344=SHSetValueA 347 | 345=SHSetValue 348 | 346=SHSetValueW 349 | 347=SHSkipJunction 350 | 348=SHStrDupA 351 | 349=SHStrDup 352 | 350=SHStrDupW 353 | 351=SHStripMneumonicA 354 | 352=SHStripMneumonic 355 | 353=SHStripMneumonicW 356 | 354=SHUnicodeToAnsi 357 | 355=SHUnicodeToUnicode 358 | 356=SHUnlockShared 359 | 357=ShellMessageBoxA 360 | 358=ShellMessageBox 361 | 359=ShellMessageBoxW 362 | 360=StrCSpnA 363 | 361=StrCSpn 364 | 362=StrCSpnIA 365 | 363=StrCSpnI 366 | 364=StrCSpnIW 367 | 365=StrCSpnW 368 | 366=StrCatBuffA 369 | 367=StrCatBuff 370 | 368=StrCatBuffW 371 | 369=StrCatChainW 372 | 370=StrCatW 373 | 371=StrChrA 374 | 372=StrChr 375 | 373=StrChrIA 376 | 374=StrChrI 377 | 375=StrChrIW 378 | 376=StrChrNIW 379 | 377=StrChrNW 380 | 378=StrChrW 381 | 379=StrCmpCA 382 | 380=StrCmpC 383 | 381=StrCmpCW 384 | 382=StrCmpICA 385 | 383=StrCmpIC 386 | 384=StrCmpICW 387 | 385=StrCmpIW 388 | 386=StrCmpLogicalW 389 | 387=StrCmpNA 390 | 388=StrCmpN 391 | 389=StrCmpNCA 392 | 390=StrCmpNC 393 | 391=StrCmpNCW 394 | 392=StrCmpNIA 395 | 393=StrCmpNI 396 | 394=StrCmpNICA 397 | 395=StrCmpNIC 398 | 396=StrCmpNICW 399 | 397=StrCmpNIW 400 | 398=StrCmpNW 401 | 399=StrCmpW 402 | 400=StrCpyNW 403 | 401=StrCpyW 404 | 402=StrDupA 405 | 403=StrDup 406 | 404=StrDupW 407 | 405=StrFormatByteSize64A 408 | 
406=StrFormatByteSize64 409 | 407=StrFormatByteSizeA 410 | 408=StrFormatByteSize 411 | 409=StrFormatByteSizeEx 412 | 410=StrFormatByteSizeW 413 | 411=StrFormatKBSizeA 414 | 412=StrFormatKBSize 415 | 413=StrFormatKBSizeW 416 | 414=StrFromTimeIntervalA 417 | 415=StrFromTimeInterval 418 | 416=StrFromTimeIntervalW 419 | 417=StrIsIntlEqualA 420 | 418=StrIsIntlEqual 421 | 419=StrIsIntlEqualW 422 | 420=StrNCatA 423 | 421=StrNCat 424 | 422=StrNCatW 425 | 423=StrPBrkA 426 | 424=StrPBrk 427 | 425=StrPBrkW 428 | 426=StrRChrA 429 | 427=StrRChr 430 | 428=StrRChrIA 431 | 429=StrRChrI 432 | 430=StrRChrIW 433 | 431=StrRChrW 434 | 432=StrRStrIA 435 | 433=StrRStrI 436 | 434=StrRStrIW 437 | 435=StrRetToBSTR 438 | 436=StrRetToBufA 439 | 437=StrRetToBuf 440 | 438=StrRetToBufW 441 | 439=StrRetToStrA 442 | 440=StrRetToStr 443 | 441=StrRetToStrW 444 | 442=StrSpnA 445 | 443=StrSpn 446 | 444=StrSpnW 447 | 445=StrStrA 448 | 446=StrStr 449 | 447=StrStrIA 450 | 448=StrStrI 451 | 449=StrStrIW 452 | 450=StrStrNIW 453 | 451=StrStrNW 454 | 452=StrStrW 455 | 453=StrToInt64ExA 456 | 454=StrToInt64Ex 457 | 455=StrToInt64ExW 458 | 456=StrToIntA 459 | 457=StrToInt 460 | 458=StrToIntExA 461 | 459=StrToIntEx 462 | 460=StrToIntExW 463 | 461=StrToIntW 464 | 462=StrTrimA 465 | 463=StrTrim 466 | 464=StrTrimW 467 | 465=UrlApplySchemeA 468 | 466=UrlApplyScheme 469 | 467=UrlApplySchemeW 470 | 468=UrlCanonicalizeA 471 | 469=UrlCanonicalize 472 | 470=UrlCanonicalizeW 473 | 471=UrlCombineA 474 | 472=UrlCombine 475 | 473=UrlCombineW 476 | 474=UrlCompareA 477 | 475=UrlCompare 478 | 476=UrlCompareW 479 | 477=UrlCreateFromPathA 480 | 478=UrlCreateFromPath 481 | 479=UrlCreateFromPathW 482 | 480=UrlEscapeA 483 | 481=UrlEscape 484 | 482=UrlEscapeW 485 | 483=UrlFixupW 486 | 484=UrlGetLocationA 487 | 485=UrlGetLocation 488 | 486=UrlGetLocationW 489 | 487=UrlGetPartA 490 | 488=UrlGetPart 491 | 489=UrlGetPartW 492 | 490=UrlHashA 493 | 491=UrlHash 494 | 492=UrlHashW 495 | 493=UrlIsA 496 | 494=UrlIs 497 | 495=UrlIsNoHistoryA 
498 | 496=UrlIsNoHistory 499 | 497=UrlIsNoHistoryW 500 | 498=UrlIsOpaqueA 501 | 499=UrlIsOpaque 502 | 500=UrlIsOpaqueW 503 | 501=UrlIsW 504 | 502=UrlUnescapeA 505 | 503=UrlUnescape 506 | 504=UrlUnescapeW 507 | 505=WhichPlatform 508 | 506=wnsprintfA 509 | 507=wnsprintf 510 | 508=wnsprintfW 511 | 509=wvnsprintfA 512 | 510=wvnsprintf 513 | 511=wvnsprintfW 514 | [ExPressionType] 515 | Type=1 516 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/EXP/Secur32_ExPression.exp: -------------------------------------------------------------------------------- 1 | [ExPression] 2 | 0= 3 | 1=AcceptSecurityContext 4 | 2=AcquireCredentialsHandleA 5 | 3=AcquireCredentialsHandle 6 | 4=AcquireCredentialsHandleW 7 | 5=AddCredentialsA 8 | 6=AddCredentials 9 | 7=AddCredentialsW 10 | 8=AddSecurityPackageA 11 | 9=AddSecurityPackage 12 | 10=AddSecurityPackageW 13 | 11=ApplyControlToken 14 | 12=ChangeAccountPasswordA 15 | 13=ChangeAccountPassword 16 | 14=ChangeAccountPasswordW 17 | 15=CompleteAuthToken 18 | 16=DecryptMessage 19 | 17=DeleteSecurityContext 20 | 18=DeleteSecurityPackageA 21 | 19=DeleteSecurityPackage 22 | 20=DeleteSecurityPackageW 23 | 21=EncryptMessage 24 | 22=EnumerateSecurityPackagesA 25 | 23=EnumerateSecurityPackages 26 | 24=EnumerateSecurityPackagesW 27 | 25=ExportSecurityContext 28 | 26=FreeContextBuffer 29 | 27=FreeCredentialsHandle 30 | 28=GetComputerObjectNameA 31 | 29=GetComputerObjectName 32 | 30=GetComputerObjectNameW 33 | 31=GetSecurityUserInfo 34 | 32=GetUserNameExA 35 | 33=GetUserNameEx 36 | 34=GetUserNameExW 37 | 35=ImpersonateSecurityContext 38 | 36=ImportSecurityContextA 39 | 37=ImportSecurityContext 40 | 38=ImportSecurityContextW 41 | 39=InitSecurityInterfaceA 42 | 40=InitSecurityInterface 43 | 41=InitSecurityInterfaceW 44 | 42=InitializeSecurityContextA 45 | 43=InitializeSecurityContext 46 | 44=InitializeSecurityContextW 47 | 45=LsaCallAuthenticationPackage 48 | 46=LsaConnectUntrusted 49 | 
47=LsaDeregisterLogonProcess 50 | 48=LsaEnumerateLogonSessions 51 | 49=LsaFreeReturnBuffer 52 | 50=LsaGetLogonSessionData 53 | 51=LsaLogonUser 54 | 52=LsaLookupAuthenticationPackage 55 | 53=LsaRegisterLogonProcess 56 | 54=LsaRegisterPolicyChangeNotification 57 | 55=LsaUnregisterPolicyChangeNotification 58 | 56=MakeSignature 59 | 57=QueryContextAttributesA 60 | 58=QueryContextAttributes 61 | 59=QueryContextAttributesW 62 | 60=QueryCredentialsAttributesA 63 | 61=QueryCredentialsAttributes 64 | 62=QueryCredentialsAttributesW 65 | 63=QuerySecurityContextToken 66 | 64=QuerySecurityPackageInfoA 67 | 65=QuerySecurityPackageInfo 68 | 66=QuerySecurityPackageInfoW 69 | 67=RevertSecurityContext 70 | 68=SaslAcceptSecurityContext 71 | 69=SaslEnumerateProfilesA 72 | 70=SaslEnumerateProfiles 73 | 71=SaslEnumerateProfilesW 74 | 72=SaslGetContextOption 75 | 73=SaslGetProfilePackageA 76 | 74=SaslGetProfilePackage 77 | 75=SaslGetProfilePackageW 78 | 76=SaslIdentifyPackageA 79 | 77=SaslIdentifyPackage 80 | 78=SaslIdentifyPackageW 81 | 79=SaslInitializeSecurityContextA 82 | 80=SaslInitializeSecurityContext 83 | 81=SaslInitializeSecurityContextW 84 | 82=SaslSetContextOption 85 | 83=SealMessage 86 | 84=SeciAllocateAndSetCallFlags 87 | 85=SeciAllocateAndSetIPAddress 88 | 86=SeciFreeCallContext 89 | 87=SetContextAttributesA 90 | 88=SetContextAttributes 91 | 89=SetContextAttributesW 92 | 90=SetCredentialsAttributesA 93 | 91=SetCredentialsAttributes 94 | 92=SetCredentialsAttributesW 95 | 93=SspiCompareAuthIdentities 96 | 94=SspiCopyAuthIdentity 97 | 95=SspiDecryptAuthIdentity 98 | 96=SspiEncodeAuthIdentityAsStrings 99 | 97=SspiEncodeStringsAsAuthIdentity 100 | 98=SspiEncryptAuthIdentity 101 | 99=SspiExcludePackage 102 | 100=SspiFreeAuthIdentity 103 | 101=SspiGetTargetHostName 104 | 102=SspiIsAuthIdentityEncrypted 105 | 103=SspiLocalFree 106 | 104=SspiMarshalAuthIdentity 107 | 105=SspiPrepareForCredRead 108 | 106=SspiPrepareForCredWrite 109 | 107=SspiUnmarshalAuthIdentity 110 | 
108=SspiValidateAuthIdentity 111 | 109=SspiZeroAuthIdentity 112 | 110=TranslateNameA 113 | 111=TranslateName 114 | 112=TranslateNameW 115 | 113=UnsealMessage 116 | 114=VerifySignature 117 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/EXP/ShFolder_ExPression.exp: -------------------------------------------------------------------------------- 1 | [ExPression] 2 | 0= 3 | 1=SHGetFolderPathA 4 | 2=SHGetFolderPath 5 | 3=SHGetFolderPathW 6 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/EXP/Thunk32_ExPression.exp: -------------------------------------------------------------------------------- 1 | [ExPression] 2 | 0= 3 | 1=Callback12 4 | 2=Callback16 5 | 3=Callback20 6 | 4=Callback24 7 | 5=Callback28 8 | 6=Callback32 9 | 7=Callback36 10 | 8=Callback40 11 | 9=Callback44 12 | 10=Callback48 13 | 11=Callback4 14 | 12=Callback52 15 | 13=Callback56 16 | 14=Callback60 17 | 15=Callback64 18 | 16=Callback8 19 | 17=FT_Exit0 20 | 18=FT_Exit12 21 | 19=FT_Exit16 22 | 20=FT_Exit20 23 | 21=FT_Exit24 24 | 22=FT_Exit28 25 | 23=FT_Exit32 26 | 24=FT_Exit36 27 | 25=FT_Exit4 28 | 26=FT_Exit40 29 | 27=FT_Exit44 30 | 28=FT_Exit48 31 | 29=FT_Exit52 32 | 30=FT_Exit56 33 | 31=FT_Exit8 34 | 32=FT_Prolog 35 | 33=FT_Thunk 36 | 34=K32Thk1632Epilog 37 | 35=K32Thk1632Prolog 38 | 36=MapHInstLS 39 | 37=MapHInstLS_PN 40 | 38=MapHInstSL 41 | 39=MapHInstSL_PN 42 | 40=MapLS 43 | 41=MapSL 44 | 42=MapSLFix 45 | 43=QT_Thunk 46 | 44=SMapLS 47 | 45=SMapLS_IP_EBP_12 48 | 46=SMapLS_IP_EBP_16 49 | 47=SMapLS_IP_EBP_20 50 | 48=SMapLS_IP_EBP_24 51 | 49=SMapLS_IP_EBP_28 52 | 50=SMapLS_IP_EBP_32 53 | 51=SMapLS_IP_EBP_36 54 | 52=SMapLS_IP_EBP_40 55 | 53=SMapLS_IP_EBP_8 56 | 54=SUnMapLS 57 | 55=SUnMapLS_IP_EBP_12 58 | 56=SUnMapLS_IP_EBP_16 59 | 57=SUnMapLS_IP_EBP_20 60 | 58=SUnMapLS_IP_EBP_24 61 | 59=SUnMapLS_IP_EBP_28 62 | 60=SUnMapLS_IP_EBP_32 63 | 61=SUnMapLS_IP_EBP_36 64 | 62=SUnMapLS_IP_EBP_40 65 | 
63=SUnMapLS_IP_EBP_8 66 | 64=ThunkConnect32 67 | 65=UnMapLS 68 | 66=UnMapSLFixArray 69 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/EXP/Urlmon_ExPression.exp: -------------------------------------------------------------------------------- 1 | [ExPression] 2 | 0= 3 | 1=BindAsyncMoniker 4 | 2=CoGetClassObjectFromURL 5 | 3=CoInternetCanonicalizeIUri 6 | 4=CoInternetCombineIUri 7 | 5=CoInternetCombineUrl 8 | 6=CoInternetCombineUrlEx 9 | 7=CoInternetCompareUrl 10 | 8=CoInternetCreateSecurityManager 11 | 9=CoInternetCreateZoneManager 12 | 10=CoInternetGetProtocolFlags 13 | 11=CoInternetGetSecurityUrl 14 | 12=CoInternetGetSecurityUrlEx 15 | 13=CoInternetGetSession 16 | 14=CoInternetIsFeatureEnabled 17 | 15=CoInternetIsFeatureEnabledForIUri 18 | 16=CoInternetIsFeatureEnabledForUrl 19 | 17=CoInternetIsFeatureZoneElevationEnabled 20 | 18=CoInternetParseIUri 21 | 19=CoInternetParseUrl 22 | 20=CoInternetQueryInfo 23 | 21=CoInternetSetFeatureEnabled 24 | 22=CompareSecurityIds 25 | 23=CompatFlagsFromClsid 26 | 24=CopyBindInfo 27 | 25=CopyStgMedium 28 | 26=CreateAsyncBindCtx 29 | 27=CreateAsyncBindCtxEx 30 | 28=CreateFormatEnumerator 31 | 29=CreateIUriBuilder 32 | 30=CreateURLMoniker 33 | 31=CreateURLMonikerEx2 34 | 32=CreateURLMonikerEx 35 | 33=CreateUri 36 | 34=CreateUriFromMultiByteString 37 | 35=CreateUriPriv 38 | 36=CreateUriWithFragment 39 | 37=Extract 40 | 38=FaultInIEFeature 41 | 39=FindMediaType 42 | 40=FindMediaTypeClass 43 | 41=FindMimeFromData 44 | 42=GetClassFileOrMime 45 | 43=GetClassURL 46 | 44=GetComponentIDFromCLSSPEC 47 | 45=GetIUriPriv 48 | 46=GetLabelsFromNamedHost 49 | 47=GetPortFromUrlScheme 50 | 48=GetPropertyFromName 51 | 49=GetPropertyName 52 | 50=GetSoftwareUpdateInfo 53 | 51=HlinkGoBack 54 | 52=HlinkGoForward 55 | 53=HlinkNavigateMoniker 56 | 54=HlinkNavigateString 57 | 55=HlinkSimpleNavigateToMoniker 58 | 56=HlinkSimpleNavigateToString 59 | 57=IEInstallScope 60 | 58=IsAsyncMoniker 61 | 
59=IsDWORDProperty 62 | 60=IsJITInProgress 63 | 61=IsLoggingEnabledA 64 | 62=IsLoggingEnabled 65 | 63=IsLoggingEnabledW 66 | 64=IsStringProperty 67 | 65=IsValidURL 68 | 66=MkParseDisplayNameEx 69 | 67=ObtainUserAgentString 70 | 68=RegisterBindStatusCallback 71 | 69=RegisterFormatEnumerator 72 | 70=RegisterMediaTypeClass 73 | 71=RegisterMediaTypes 74 | 72=ReleaseBindInfo 75 | 73=RevokeBindStatusCallback 76 | 74=RevokeFormatEnumerator 77 | 75=SetSoftwareUpdateAdvertisementState 78 | 76=URLDownloadA 79 | 77=URLDownload 80 | 78=URLDownloadToCacheFileA 81 | 79=URLDownloadToCacheFile 82 | 80=URLDownloadToCacheFileW 83 | 81=URLDownloadToFileA 84 | 82=URLDownloadToFile 85 | 83=URLDownloadToFileW 86 | 84=URLDownloadW 87 | 85=URLOpenBlockingStreamA 88 | 86=URLOpenBlockingStream 89 | 87=URLOpenBlockingStreamW 90 | 88=URLOpenPullStreamA 91 | 89=URLOpenPullStream 92 | 90=URLOpenPullStreamW 93 | 91=URLOpenStreamA 94 | 92=URLOpenStream 95 | 93=URLOpenStreamW 96 | 94=UrlMkBuildVersion 97 | 95=UrlMkGetSessionOption 98 | 96=UrlMkSetSessionOption 99 | 97=WriteHitLogging 100 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/EXP/Version_ExPression.exp: -------------------------------------------------------------------------------- 1 | [ExPression] 2 | 0= 3 | 1=GetFileVersionInfoA 4 | 2=GetFileVersionInfo 5 | 3=GetFileVersionInfoExW 6 | 4=GetFileVersionInfoSizeA 7 | 5=GetFileVersionInfoSize 8 | 6=GetFileVersionInfoSizeExW 9 | 7=GetFileVersionInfoSizeW 10 | 8=GetFileVersionInfoW 11 | 9=VerFindFileA 12 | 10=VerFindFile 13 | 11=VerFindFileW 14 | 12=VerInstallFileA 15 | 13=VerInstallFile 16 | 14=VerInstallFileW 17 | 15=VerQueryValueA 18 | 16=VerQueryValue 19 | 17=VerQueryValueW 20 | [ExPressionType] 21 | Type=1 22 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/EXP/WS2_32_ExPression.exp: -------------------------------------------------------------------------------- 1 | [ExPression] 2 | 
0= 3 | 1=AddressFamilyInformation 4 | 2=FreeAddrInfoEx 5 | 3=FreeAddrInfoExW 6 | 4=FreeAddrInfoW 7 | 5=GetAddrInfoExA 8 | 6=GetAddrInfoEx 9 | 7=GetAddrInfoExW 10 | 8=GetAddrInfoW 11 | 9=GetNameInfoW 12 | 10=InetNtopW 13 | 11=InetPtonW 14 | 12=SetAddrInfoExA 15 | 13=SetAddrInfoEx 16 | 14=SetAddrInfoExW 17 | 15=WEP 18 | 16=WPUCompleteOverlappedRequest 19 | 17=WSAAccept 20 | 18=WSAAddressToStringA 21 | 19=WSAAddressToString 22 | 20=WSAAddressToStringW 23 | 21=WSAAdvertiseProvider 24 | 22=WSAAsyncGetHostByAddr 25 | 23=WSAAsyncGetHostByName 26 | 24=WSAAsyncGetProtoByName 27 | 25=WSAAsyncGetProtoByNumber 28 | 26=WSAAsyncGetServByName 29 | 27=WSAAsyncGetServByPort 30 | 28=WSAAsyncSelect 31 | 29=WSACancelAsyncRequest 32 | 30=WSACancelBlockingCall 33 | 31=WSACleanup 34 | 32=WSACloseEvent 35 | 33=WSAConnect 36 | 34=WSAConnectByList 37 | 35=WSAConnectByNameA 38 | 36=WSAConnectByName 39 | 37=WSAConnectByNameW 40 | 38=WSACreateEvent 41 | 39=WSADuplicateSocketA 42 | 40=WSADuplicateSocket 43 | 41=WSADuplicateSocketW 44 | 42=WSAEnumNameSpaceProvidersA 45 | 43=WSAEnumNameSpaceProviders 46 | 44=WSAEnumNameSpaceProvidersExA 47 | 45=WSAEnumNameSpaceProvidersEx 48 | 46=WSAEnumNameSpaceProvidersExW 49 | 47=WSAEnumNameSpaceProvidersW 50 | 48=WSAEnumNetworkEvents 51 | 49=WSAEnumProtocolsA 52 | 50=WSAEnumProtocols 53 | 51=WSAEnumProtocolsW 54 | 52=WSAEventSelect 55 | 53=WSAGetLastError 56 | 54=WSAGetOverlappedResult 57 | 55=WSAGetQOSByName 58 | 56=WSAGetServiceClassInfoA 59 | 57=WSAGetServiceClassInfo 60 | 58=WSAGetServiceClassInfoW 61 | 59=WSAGetServiceClassNameByClassIdA 62 | 60=WSAGetServiceClassNameByClassId 63 | 61=WSAGetServiceClassNameByClassIdW 64 | 62=WSAHtonl 65 | 63=WSAHtons 66 | 64=WSAInstallServiceClassA 67 | 65=WSAInstallServiceClass 68 | 66=WSAInstallServiceClassW 69 | 67=WSAIoctl 70 | 68=WSAIsBlocking 71 | 69=WSAJoinLeaf 72 | 70=WSALookupServiceBeginA 73 | 71=WSALookupServiceBegin 74 | 72=WSALookupServiceBeginW 75 | 73=WSALookupServiceEnd 76 | 74=WSALookupServiceNextA 77 | 
75=WSALookupServiceNext 78 | 76=WSALookupServiceNextW 79 | 77=WSANSPIoctl 80 | 78=WSANtohl 81 | 79=WSANtohs 82 | 80=WSAPoll 83 | 81=WSAProviderCompleteAsyncCall 84 | 82=WSAProviderConfigChange 85 | 83=WSARecv 86 | 84=WSARecvDisconnect 87 | 85=WSARecvFrom 88 | 86=WSARemoveServiceClass 89 | 87=WSAResetEvent 90 | 88=WSASend 91 | 89=WSASendDisconnect 92 | 90=WSASendMsg 93 | 91=WSASendTo 94 | 92=WSASetBlockingHook 95 | 93=WSASetEvent 96 | 94=WSASetLastError 97 | 95=WSASetServiceA 98 | 96=WSASetService 99 | 97=WSASetServiceW 100 | 98=WSASocketA 101 | 99=WSASocket 102 | 100=WSASocketW 103 | 101=WSAStartup 104 | 102=WSAStringToAddressA 105 | 103=WSAStringToAddress 106 | 104=WSAStringToAddressW 107 | 105=WSAUnadvertiseProvider 108 | 106=WSAUnhookBlockingHook 109 | 107=WSAWaitForMultipleEvents 110 | 108=WSCDeinstallProvider 111 | 109=WSCEnableNSProvider 112 | 110=WSCEnumProtocols 113 | 111=WSCGetApplicationCategory 114 | 112=WSCGetProviderInfo 115 | 113=WSCGetProviderPath 116 | 114=WSCInstallNameSpace 117 | 115=WSCInstallNameSpaceEx 118 | 116=WSCInstallProvider 119 | 117=WSCInstallProviderAndChains 120 | 118=WSCSetApplicationCategory 121 | 119=WSCSetProviderInfo 122 | 120=WSCUnInstallNameSpace 123 | 121=WSCUpdateProvider 124 | 122=WSCWriteNameSpaceOrder 125 | 123=WSCWriteProviderOrder 126 | 124=WahCloseApcHelper 127 | 125=WahCloseHandleHelper 128 | 126=WahCloseNotificationHandleHelper 129 | 127=WahCloseSocketHandle 130 | 128=WahCloseThread 131 | 129=WahCompleteRequest 132 | 130=WahCreateHandleContextTable 133 | 131=WahCreateNotificationHandle 134 | 132=WahCreateSocketHandle 135 | 133=WahDestroyHandleContextTable 136 | 134=WahDisableNonIFSHandleSupport 137 | 135=WahEnableNonIFSHandleSupport 138 | 136=WahEnumerateHandleContexts 139 | 137=WahInsertHandleContext 140 | 138=WahNotifyAllProcesses 141 | 139=WahOpenApcHelper 142 | 140=WahOpenCurrentThread 143 | 141=WahOpenHandleHelper 144 | 142=WahOpenNotificationHandleHelper 145 | 143=WahQueueUserApc 146 | 
144=WahReferenceContextByHandle 147 | 145=WahRemoveHandleContext 148 | 146=WahWaitForNotification 149 | 147=WahWriteLSPEvent 150 | 148=__WSAFDIsSet 151 | 149=accept 152 | 150=bind 153 | 151=closesocket 154 | 152=connect 155 | 153=eui48_broadcast 156 | 154=freeaddrinfo 157 | 155=getaddrinfo 158 | 156=gethostbyaddr 159 | 157=gethostbyname 160 | 158=gethostname 161 | 159=getnameinfo 162 | 160=getpeername 163 | 161=getprotobyname 164 | 162=getprotobynumber 165 | 163=getservbyname 166 | 164=getservbyport 167 | 165=getsockname 168 | 166=getsockopt 169 | 167=htonl 170 | 168=htons 171 | 169=in4addr_alligmpv3routersonlink 172 | 170=in4addr_allnodesonlink 173 | 171=in4addr_allroutersonlink 174 | 172=in4addr_allteredohostsonlink 175 | 173=in4addr_any 176 | 174=in4addr_broadcast 177 | 175=in4addr_linklocalprefix 178 | 176=in4addr_loopback 179 | 177=in4addr_multicastprefix 180 | 178=in6addr_6to4prefix 181 | 179=in6addr_allmldv2routersonlink 182 | 180=in6addr_allnodesonlink 183 | 181=in6addr_allnodesonnode 184 | 182=in6addr_allroutersonlink 185 | 183=in6addr_any 186 | 184=in6addr_linklocalprefix 187 | 185=in6addr_loopback 188 | 186=in6addr_multicastprefix 189 | 187=in6addr_solicitednodemulticastprefix 190 | 188=in6addr_teredoinitiallinklocaladdress 191 | 189=in6addr_teredoprefix 192 | 190=in6addr_teredoprefix_old 193 | 191=in6addr_v4mappedprefix 194 | 192=inet_addr 195 | 193=inet_ntoa 196 | 194=inet_ntop 197 | 195=inet_pton 198 | 196=ioctlsocket 199 | 197=listen 200 | 198=ntohl 201 | 199=ntohs 202 | 200=recv 203 | 201=recvfrom 204 | 202=scopeid_unspecified 205 | 203=select 206 | 204=send 207 | 205=sendto 208 | 206=setsockopt 209 | 207=shutdown 210 | 208=sockaddr_size 211 | 209=socket 212 | 210=sourceroute_unspecified 213 | 211=socket 214 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/EXP/WSock32_ExPression.exp: -------------------------------------------------------------------------------- 1 | [ExPression] 2 | 0= 3 | 
1=AcceptEx 4 | 2=EnumProtocolsA 5 | 3=EnumProtocols 6 | 4=EnumProtocolsW 7 | 5=GetAcceptExSockaddrs 8 | 6=GetAddressByNameA 9 | 7=GetAddressByName 10 | 8=GetAddressByNameW 11 | 9=GetNameByTypeA 12 | 10=GetNameByType 13 | 11=GetNameByTypeW 14 | 12=GetServiceA 15 | 13=GetService 16 | 14=GetServiceW 17 | 15=GetTypeByNameA 18 | 16=GetTypeByName 19 | 17=GetTypeByNameW 20 | 18=MigrateWinsockConfiguration 21 | 19=NPLoadNameSpaces 22 | 20=SetServiceA 23 | 21=SetService 24 | 22=SetServiceW 25 | 23=TransmitFile 26 | 24=WEP 27 | 25=WSAAsyncGetHostByAddr 28 | 26=WSAAsyncGetHostByName 29 | 27=WSAAsyncGetProtoByName 30 | 28=WSAAsyncGetProtoByNumber 31 | 29=WSAAsyncGetServByName 32 | 30=WSAAsyncGetServByPort 33 | 31=WSAAsyncSelect 34 | 32=WSACancelAsyncRequest 35 | 33=WSACancelBlockingCall 36 | 34=WSACleanup 37 | 35=WSAGetLastError 38 | 36=WSAIsBlocking 39 | 37=WSARecvEx 40 | 38=WSASetBlockingHook 41 | 39=WSASetLastError 42 | 40=WSAStartup 43 | 41=WSAUnhookBlockingHook 44 | 42=__WSAFDIsSet 45 | 43=accept 46 | 44=bind 47 | 45=closesocket 48 | 46=connect 49 | 47=dn_expand 50 | 48=gethostbyaddr 51 | 49=gethostbyname 52 | 50=gethostname 53 | 51=getnetbyname 54 | 52=getpeername 55 | 53=getprotobyname 56 | 54=getprotobynumber 57 | 55=getservbyname 58 | 56=getservbyport 59 | 57=getsockname 60 | 58=getsockopt 61 | 59=htonl 62 | 60=htons 63 | 61=inet_addr 64 | 62=inet_network 65 | 63=inet_ntoa 66 | 64=ioctlsocket 67 | 65=listen 68 | 66=ntohl 69 | 67=ntohs 70 | 68=rcmd 71 | 69=recv 72 | 70=recvfrom 73 | 71=rexec 74 | 72=rresvport 75 | 73=s_perror 76 | 74=select 77 | 75=send 78 | 76=sendto 79 | 77=sethostname 80 | 78=setsockopt 81 | 79=shutdown 82 | 80=socket 83 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/EXP/WinInet_ExPression.exp: -------------------------------------------------------------------------------- 1 | [ExPression] 2 | 0= 3 | 1=CommitUrlCacheEntryA 4 | 2=CommitUrlCacheEntry 5 | 3=CommitUrlCacheEntryW 6 | 
4=CreateMD5SSOHash 7 | 5=CreateUrlCacheContainerA 8 | 6=CreateUrlCacheContainer 9 | 7=CreateUrlCacheContainerW 10 | 8=CreateUrlCacheEntryA 11 | 9=CreateUrlCacheEntry 12 | 10=CreateUrlCacheEntryW 13 | 11=CreateUrlCacheGroup 14 | 12=DeleteIE3Cache 15 | 13=DeleteUrlCacheContainerA 16 | 14=DeleteUrlCacheContainer 17 | 15=DeleteUrlCacheContainerW 18 | 16=DeleteUrlCacheEntryA 19 | 17=DeleteUrlCacheEntry 20 | 18=DeleteUrlCacheEntryW 21 | 19=DeleteUrlCacheGroup 22 | 20=DeleteWpadCacheForNetworks 23 | 21=DetectAutoProxyUrl 24 | 22=DoConnectoidsExist 25 | 23=ExportCookieFileA 26 | 24=ExportCookieFile 27 | 25=ExportCookieFileW 28 | 26=FindCloseUrlCache 29 | 27=FindFirstUrlCacheContainerA 30 | 28=FindFirstUrlCacheContainer 31 | 29=FindFirstUrlCacheContainerW 32 | 30=FindFirstUrlCacheEntryA 33 | 31=FindFirstUrlCacheEntry 34 | 32=FindFirstUrlCacheEntryExA 35 | 33=FindFirstUrlCacheEntryEx 36 | 34=FindFirstUrlCacheEntryExW 37 | 35=FindFirstUrlCacheEntryW 38 | 36=FindFirstUrlCacheGroup 39 | 37=FindNextUrlCacheContainerA 40 | 38=FindNextUrlCacheContainer 41 | 39=FindNextUrlCacheContainerW 42 | 40=FindNextUrlCacheEntryA 43 | 41=FindNextUrlCacheEntry 44 | 42=FindNextUrlCacheEntryExA 45 | 43=FindNextUrlCacheEntryEx 46 | 44=FindNextUrlCacheEntryExW 47 | 45=FindNextUrlCacheEntryW 48 | 46=FindNextUrlCacheGroup 49 | 47=FindP3PPolicySymbol 50 | 48=ForceNexusLookup 51 | 49=ForceNexusLookupExW 52 | 50=FreeP3PObject 53 | 51=FreeUrlCacheSpaceA 54 | 52=FreeUrlCacheSpace 55 | 53=FreeUrlCacheSpaceW 56 | 54=FtpCommandA 57 | 55=FtpCommand 58 | 56=FtpCommandW 59 | 57=FtpCreateDirectoryA 60 | 58=FtpCreateDirectory 61 | 59=FtpCreateDirectoryW 62 | 60=FtpDeleteFileA 63 | 61=FtpDeleteFile 64 | 62=FtpDeleteFileW 65 | 63=FtpFindFirstFileA 66 | 64=FtpFindFirstFile 67 | 65=FtpFindFirstFileW 68 | 66=FtpGetCurrentDirectoryA 69 | 67=FtpGetCurrentDirectory 70 | 68=FtpGetCurrentDirectoryW 71 | 69=FtpGetFileA 72 | 70=FtpGetFile 73 | 71=FtpGetFileEx 74 | 72=FtpGetFileSize 75 | 73=FtpGetFileW 76 | 74=FtpOpenFileA 77 
| 75=FtpOpenFile 78 | 76=FtpOpenFileW 79 | 77=FtpPutFileA 80 | 78=FtpPutFile 81 | 79=FtpPutFileEx 82 | 80=FtpPutFileW 83 | 81=FtpRemoveDirectoryA 84 | 82=FtpRemoveDirectory 85 | 83=FtpRemoveDirectoryW 86 | 84=FtpRenameFileA 87 | 85=FtpRenameFile 88 | 86=FtpRenameFileW 89 | 87=FtpSetCurrentDirectoryA 90 | 88=FtpSetCurrentDirectory 91 | 89=FtpSetCurrentDirectoryW 92 | 90=GetDiskInfoA 93 | 91=GetDiskInfo 94 | 92=GetP3PPolicy 95 | 93=GetP3PRequestStatus 96 | 94=GetUrlCacheConfigInfoA 97 | 95=GetUrlCacheConfigInfo 98 | 96=GetUrlCacheConfigInfoW 99 | 97=GetUrlCacheEntryInfoA 100 | 98=GetUrlCacheEntryInfo 101 | 99=GetUrlCacheEntryInfoExA 102 | 100=GetUrlCacheEntryInfoEx 103 | 101=GetUrlCacheEntryInfoExW 104 | 102=GetUrlCacheEntryInfoW 105 | 103=GetUrlCacheGroupAttributeA 106 | 104=GetUrlCacheGroupAttribute 107 | 105=GetUrlCacheGroupAttributeW 108 | 106=GetUrlCacheHeaderData 109 | 107=GopherCreateLocatorA 110 | 108=GopherCreateLocator 111 | 109=GopherCreateLocatorW 112 | 110=GopherFindFirstFileA 113 | 111=GopherFindFirstFile 114 | 112=GopherFindFirstFileW 115 | 113=GopherGetAttributeA 116 | 114=GopherGetAttribute 117 | 115=GopherGetAttributeW 118 | 116=GopherGetLocatorTypeA 119 | 117=GopherGetLocatorType 120 | 118=GopherGetLocatorTypeW 121 | 119=GopherOpenFileA 122 | 120=GopherOpenFile 123 | 121=GopherOpenFileW 124 | 122=HttpAddRequestHeadersA 125 | 123=HttpAddRequestHeaders 126 | 124=HttpAddRequestHeadersW 127 | 125=HttpCheckDavComplianceA 128 | 126=HttpCheckDavCompliance 129 | 127=HttpCheckDavComplianceW 130 | 128=HttpEndRequestA 131 | 129=HttpEndRequest 132 | 130=HttpEndRequestW 133 | 131=HttpOpenRequestA 134 | 132=HttpOpenRequest 135 | 133=HttpOpenRequestW 136 | 134=HttpQueryInfoA 137 | 135=HttpQueryInfo 138 | 136=HttpQueryInfoW 139 | 137=HttpSendRequestA 140 | 138=HttpSendRequest 141 | 139=HttpSendRequestExA 142 | 140=HttpSendRequestEx 143 | 141=HttpSendRequestExW 144 | 142=HttpSendRequestW 145 | 143=ImportCookieFileA 146 | 144=ImportCookieFile 147 | 
145=ImportCookieFileW 148 | 146=IncrementUrlCacheHeaderData 149 | 147=InternalInternetGetCookie 150 | 148=InternetAlgIdToStringA 151 | 149=InternetAlgIdToString 152 | 150=InternetAlgIdToStringW 153 | 151=InternetAttemptConnect 154 | 152=InternetAutodial 155 | 153=InternetAutodialCallback 156 | 154=InternetAutodialHangup 157 | 155=InternetCanonicalizeUrlA 158 | 156=InternetCanonicalizeUrl 159 | 157=InternetCanonicalizeUrlW 160 | 158=InternetCheckConnectionA 161 | 159=InternetCheckConnection 162 | 160=InternetCheckConnectionW 163 | 161=InternetClearAllPerSiteCookieDecisions 164 | 162=InternetCloseHandle 165 | 163=InternetCombineUrlA 166 | 164=InternetCombineUrl 167 | 165=InternetCombineUrlW 168 | 166=InternetConfirmZoneCrossingA 169 | 167=InternetConfirmZoneCrossing 170 | 168=InternetConfirmZoneCrossingW 171 | 169=InternetConnectA 172 | 170=InternetConnect 173 | 171=InternetConnectW 174 | 172=InternetCrackUrlA 175 | 173=InternetCrackUrl 176 | 174=InternetCrackUrlW 177 | 175=InternetCreateUrlA 178 | 176=InternetCreateUrl 179 | 177=InternetCreateUrlW 180 | 178=InternetDialA 181 | 179=InternetDial 182 | 180=InternetDialW 183 | 181=InternetEnumPerSiteCookieDecisionA 184 | 182=InternetEnumPerSiteCookieDecision 185 | 183=InternetEnumPerSiteCookieDecisionW 186 | 184=InternetErrorDlg 187 | 185=InternetFindNextFileA 188 | 186=InternetFindNextFile 189 | 187=InternetFindNextFileW 190 | 188=InternetFortezzaCommand 191 | 189=InternetGetCertByURLA 192 | 190=InternetGetCertByURL 193 | 191=InternetGetConnectedState 194 | 192=InternetGetConnectedStateExA 195 | 193=InternetGetConnectedStateEx 196 | 194=InternetGetConnectedStateExW 197 | 195=InternetGetCookieA 198 | 196=InternetGetCookie 199 | 197=InternetGetCookieExA 200 | 198=InternetGetCookieEx 201 | 199=InternetGetCookieExW 202 | 200=InternetGetCookieW 203 | 201=InternetGetLastResponseInfoA 204 | 202=InternetGetLastResponseInfo 205 | 203=InternetGetLastResponseInfoW 206 | 204=InternetGetPerSiteCookieDecisionA 207 | 
205=InternetGetPerSiteCookieDecision 208 | 206=InternetGetPerSiteCookieDecisionW 209 | 207=InternetGetSecurityInfoByURLA 210 | 208=InternetGetSecurityInfoByURL 211 | 209=InternetGetSecurityInfoByURLW 212 | 210=InternetGoOnlineA 213 | 211=InternetGoOnline 214 | 212=InternetGoOnlineW 215 | 213=InternetHangUp 216 | 214=InternetInitializeAutoProxyDll 217 | 215=InternetLockRequestFile 218 | 216=InternetOpenA 219 | 217=InternetOpen 220 | 218=InternetOpenUrlA 221 | 219=InternetOpenUrl 222 | 220=InternetOpenUrlW 223 | 221=InternetOpenW 224 | 222=InternetQueryDataAvailable 225 | 223=InternetQueryFortezzaStatus 226 | 224=InternetQueryOptionA 227 | 225=InternetQueryOption 228 | 226=InternetQueryOptionW 229 | 227=InternetReadFile 230 | 228=InternetReadFileExA 231 | 229=InternetReadFileEx 232 | 230=InternetReadFileExW 233 | 231=InternetSecurityProtocolToStringA 234 | 232=InternetSecurityProtocolToString 235 | 233=InternetSecurityProtocolToStringW 236 | 234=InternetSetCookieA 237 | 235=InternetSetCookie 238 | 236=InternetSetCookieExA 239 | 237=InternetSetCookieEx 240 | 238=InternetSetCookieExW 241 | 239=InternetSetCookieW 242 | 240=InternetSetDialStateA 243 | 241=InternetSetDialState 244 | 242=InternetSetDialStateW 245 | 243=InternetSetFilePointer 246 | 244=InternetSetOptionA 247 | 245=InternetSetOption 248 | 246=InternetSetOptionExA 249 | 247=InternetSetOptionEx 250 | 248=InternetSetOptionExW 251 | 249=InternetSetOptionW 252 | 250=InternetSetPerSiteCookieDecisionA 253 | 251=InternetSetPerSiteCookieDecision 254 | 252=InternetSetPerSiteCookieDecisionW 255 | 253=InternetSetStatusCallbackA 256 | 254=InternetSetStatusCallback 257 | 255=InternetSetStatusCallbackW 258 | 256=InternetShowSecurityInfoByURLA 259 | 257=InternetShowSecurityInfoByURL 260 | 258=InternetShowSecurityInfoByURLW 261 | 259=InternetTimeFromSystemTimeA 262 | 260=InternetTimeFromSystemTime 263 | 261=InternetTimeFromSystemTimeW 264 | 262=InternetTimeToSystemTimeA 265 | 263=InternetTimeToSystemTime 266 | 
264=InternetTimeToSystemTimeW 267 | 265=InternetUnlockRequestFile 268 | 266=InternetWriteFile 269 | 267=InternetWriteFileExA 270 | 268=InternetWriteFileEx 271 | 269=InternetWriteFileExW 272 | 270=IsDomainLegalCookieDomainA 273 | 271=IsDomainLegalCookieDomain 274 | 272=IsDomainLegalCookieDomainW 275 | 273=IsHostInProxyBypassList 276 | 274=IsProfilesEnabled 277 | 275=IsUrlCacheEntryExpiredA 278 | 276=IsUrlCacheEntryExpired 279 | 277=IsUrlCacheEntryExpiredW 280 | 278=LoadUrlCacheContent 281 | 279=MapResourceToPolicy 282 | 280=ParseX509EncodedCertificateForListBoxEntry 283 | 281=PerformOperationOverUrlCacheA 284 | 282=PerformOperationOverUrlCache 285 | 283=PrivacyGetZonePreferenceW 286 | 284=PrivacySetZonePreferenceW 287 | 285=ReadGuidsForConnectedNetworks 288 | 286=ReadUrlCacheEntryStream 289 | 287=ReadUrlCacheEntryStreamEx 290 | 288=RegisterUrlCacheNotification 291 | 289=ResumeSuspendedDownload 292 | 290=RetrieveUrlCacheEntryFileA 293 | 291=RetrieveUrlCacheEntryFile 294 | 292=RetrieveUrlCacheEntryFileW 295 | 293=RetrieveUrlCacheEntryStreamA 296 | 294=RetrieveUrlCacheEntryStream 297 | 295=RetrieveUrlCacheEntryStreamW 298 | 296=RunOnceUrlCache 299 | 297=SetUrlCacheConfigInfoA 300 | 298=SetUrlCacheConfigInfo 301 | 299=SetUrlCacheConfigInfoW 302 | 300=SetUrlCacheEntryGroupA 303 | 301=SetUrlCacheEntryGroup 304 | 302=SetUrlCacheEntryGroupW 305 | 303=SetUrlCacheEntryInfoA 306 | 304=SetUrlCacheEntryInfo 307 | 305=SetUrlCacheEntryInfoW 308 | 306=SetUrlCacheGroupAttributeA 309 | 307=SetUrlCacheGroupAttribute 310 | 308=SetUrlCacheGroupAttributeW 311 | 309=SetUrlCacheHeaderData 312 | 310=ShowCertificate 313 | 311=ShowClientAuthCerts 314 | 312=ShowSecurityInfo 315 | 313=ShowX509EncodedCertificate 316 | 314=UnlockUrlCacheEntryFileA 317 | 315=UnlockUrlCacheEntryFile 318 | 316=UnlockUrlCacheEntryFileW 319 | 317=UnlockUrlCacheEntryStream 320 | 318=UpdateUrlCacheContentPath 321 | 319=UrlZonesDetach 322 | -------------------------------------------------------------------------------- 
/OllyDbg/Plugins/EXP/httpapi_ExPression.exp: -------------------------------------------------------------------------------- 1 | [ExPression] 2 | 0= 3 | 1=HttpAddFragmentToCache 4 | 2=HttpAddUrl 5 | 3=HttpAddUrlToUrlGroup 6 | 4=HttpCancelHttpRequest 7 | 5=HttpCloseRequestQueue 8 | 6=HttpCloseServerSession 9 | 7=HttpCloseUrlGroup 10 | 8=HttpControlService 11 | 9=HttpCreateHttpHandle 12 | 10=HttpCreateRequestQueue 13 | 11=HttpCreateServerSession 14 | 12=HttpCreateUrlGroup 15 | 13=HttpDeleteServiceConfiguration 16 | 14=HttpFlushResponseCache 17 | 15=HttpGetCounters 18 | 16=HttpInitialize 19 | 17=HttpQueryRequestQueueProperty 20 | 18=HttpQueryServerSessionProperty 21 | 19=HttpQueryServiceConfiguration 22 | 20=HttpQueryUrlGroupProperty 23 | 21=HttpReadFragmentFromCache 24 | 22=HttpReceiveClientCertificate 25 | 23=HttpReceiveHttpRequest 26 | 24=HttpReceiveRequestEntityBody 27 | 25=HttpRemoveUrl 28 | 26=HttpRemoveUrlFromUrlGroup 29 | 27=HttpSendHttpResponse 30 | 28=HttpSendResponseEntityBody 31 | 29=HttpSetRequestQueueProperty 32 | 30=HttpSetServerSessionProperty 33 | 31=HttpSetServiceConfiguration 34 | 32=HttpSetUrlGroupProperty 35 | 33=HttpShutdownRequestQueue 36 | 34=HttpTerminate 37 | 35=HttpWaitForDemandStart 38 | 36=HttpWaitForDisconnect 39 | 37=HttpWaitForDisconnectEx 40 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/EXP/mscoreei_ExPression.exp: -------------------------------------------------------------------------------- 1 | [ExPression] 2 | 0= 3 | 1=PostError 4 | 2=InitSSAutoEnterThread 5 | 3=UpdateError 6 | 4=CloseCtrs 7 | 5=LoadStringRC 8 | 6=ReOpenMetaDataWithMemory 9 | 7=CollectCtrs 10 | 8=CorDllMainWorker 11 | 9=CorDllMainWorkerForThunk 12 | 10=EEDllGetClassObjectFromClass 13 | 11=GetPrivateContextsPerfCounters 14 | 12=GetProcessExecutableHeap 15 | 13=GetStartupFlags 16 | 14=GetTargetForVTableEntry 17 | 15=GetTokenForVTableEntry 18 | 16=LogHelp_LogAssert 19 | 17=LogHelp_NoGuiOnAssert 20 | 
18=LogHelp_TerminateOnAssert 21 | 19=OnShimDllMainCalled 22 | 20=OpenCtrs 23 | 21=PostErrorVA 24 | 22=RegisterShimImplCallback 25 | 23=SetTargetForVTableEntry 26 | 24=CLRCreateInstance 27 | 25=CallFunctionShim 28 | 26=ClrCreateManagedInstance 29 | 27=CoEEShutDownCOM 30 | 28=CoInitializeCor 31 | 29=CoInitializeEE 32 | 30=CoUninitializeCor 33 | 31=CoUninitializeEE 34 | 32=CorBindToCurrentRuntime 35 | 33=CorBindToRuntime 36 | 34=CorBindToRuntimeByCfg 37 | 35=CorBindToRuntimeByPath 38 | 36=CorBindToRuntimeByPathEx 39 | 37=CorBindToRuntimeEx 40 | 38=CorBindToRuntimeHost 41 | 39=CorExitProcess 42 | 40=CorGetSvc 43 | 41=CorIsLatestSvc 44 | 42=CorMarkThreadInThreadPool 45 | 43=CorTickleSvc 46 | 44=CreateConfigStream 47 | 45=CreateDebuggingInterfaceFromVersion 48 | 46=CreateInterface 49 | 47=DllCanUnloadNow 50 | 48=DllGetClassObject 51 | 49=DllRegisterServer 52 | 50=DllUnregisterServer 53 | 51=EEDllRegisterServer 54 | 52=EEDllUnregisterServer 55 | 53=GetAssemblyMDImport 56 | 54=GetCORRequiredVersion 57 | 55=GetCORRootDirectory 58 | 56=GetCORSystemDirectory 59 | 57=GetCORSystemDirectory_RetAddr 60 | 58=GetCORVersion 61 | 59=GetCompileInfo 62 | 60=GetFileVersion 63 | 61=GetHashFromAssemblyFile 64 | 62=GetHashFromAssemblyFileW 65 | 63=GetHashFromBlob 66 | 64=GetHashFromFile 67 | 65=GetHashFromFileW 68 | 66=GetHashFromHandle 69 | 67=GetHostConfigurationFile 70 | 68=GetMetaDataInternalInterface 71 | 69=GetMetaDataInternalInterfaceFromPublic 72 | 70=GetMetaDataPublicInterfaceFromInternal 73 | 71=GetPermissionRequests 74 | 72=GetRealProcAddress 75 | 73=GetRequestedRuntimeInfo 76 | 74=GetRequestedRuntimeVersion 77 | 75=GetRequestedRuntimeVersionForCLSID 78 | 76=GetVersionFromProcess 79 | 77=GetXMLElement 80 | 78=GetXMLElementAttribute 81 | 79=GetXMLObject 82 | 80=IEE 83 | 81=LoadLibraryShim 84 | 82=LoadLibraryWithPolicyShim 85 | 83=LoadStringRCEx 86 | 84=LockClrVersion 87 | 85=MetaDataGetDispenser 88 | 86=ND_CopyObjDst 89 | 87=ND_CopyObjSrc 90 | 88=ND_RI2 91 | 89=ND_RI4 92 | 
90=ND_RI8 93 | 91=ND_RU1 94 | 92=ND_WI2 95 | 93=ND_WI4 96 | 94=ND_WI8 97 | 95=ND_WU1 98 | 96=ReOpenMetaDataWithMemoryEx 99 | 97=RunDll32ShimW 100 | 98=RuntimeOSHandle 101 | 99=RuntimeOpenImage 102 | 100=RuntimeReleaseHandle 103 | 101=StrongNameCompareAssemblies 104 | 102=StrongNameErrorInfo 105 | 103=StrongNameFreeBuffer 106 | 104=StrongNameGetBlob 107 | 105=StrongNameGetBlobFromImage 108 | 106=StrongNameGetPublicKey 109 | 107=StrongNameHashSize 110 | 108=StrongNameKeyDelete 111 | 109=StrongNameKeyGen 112 | 110=StrongNameKeyGenEx 113 | 111=StrongNameKeyInstall 114 | 112=StrongNameSignatureGeneration 115 | 113=StrongNameSignatureGenerationEx 116 | 114=StrongNameSignatureSize 117 | 115=StrongNameSignatureVerification 118 | 116=StrongNameSignatureVerificationEx 119 | 117=StrongNameSignatureVerificationFromImage 120 | 118=StrongNameTokenFromAssembly 121 | 119=StrongNameTokenFromAssemblyEx 122 | 120=StrongNameTokenFromPublicKey 123 | 121=TranslateSecurityAttributes 124 | 122=_CorDllMain 125 | 123=_CorExeMain2 126 | 124=_CorExeMain 127 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/EXP/msvbvm60_ExPression.exp: -------------------------------------------------------------------------------- 1 | [ExPression] 2 | 0= 3 | 1=BASIC_CLASS_AddRef 4 | 2=BASIC_CLASS_GetIDsOfNames 5 | 3=BASIC_CLASS_Invoke 6 | 4=BASIC_CLASS_QueryInterface 7 | 5=BASIC_CLASS_Release 8 | 6=BASIC_DISPINTERFACE_GetTICount 9 | 7=BASIC_DISPINTERFACE_GetTypeInfo 10 | 8=CopyRecord 11 | 9=CreateIExprSrvObj 12 | 10=DLLGetDocumentation 13 | 11=DllCanUnloadNow 14 | 12=DllFunctionCall 15 | 13=DllGetClassObject 16 | 14=DllRegisterServer 17 | 15=DllUnregisterServer 18 | 16=EVENT_SINK2_AddRef 19 | 17=EVENT_SINK2_Release 20 | 18=EVENT_SINK_AddRef 21 | 19=EVENT_SINK_GetIDsOfNames 22 | 20=EVENT_SINK_Invoke 23 | 21=EVENT_SINK_QueryInterface 24 | 22=EVENT_SINK_Release 25 | 23=EbCreateContext 26 | 24=EbDestroyContext 27 | 25=EbGetErrorInfo 28 | 
26=EbGetHandleOfExecutingProject 29 | 27=EbGetObjConnectionCounts 30 | 28=EbGetVBAObject 31 | 29=EbIsProjectOnStack 32 | 30=EbLibraryLoad 33 | 31=EbLibraryUnload 34 | 32=EbLoadRunTime 35 | 33=EbResetProject 36 | 34=EbResetProjectNormal 37 | 35=EbSetContextWorkerThread 38 | 36=GetMem1 39 | 37=GetMem2 40 | 38=GetMem4 41 | 39=GetMem8 42 | 40=GetMemEvent 43 | 41=GetMemNewObj 44 | 42=GetMemObj 45 | 43=GetMemStr 46 | 44=GetMemVar 47 | 45=IID_IVbaHost 48 | 46=MethCallEngine 49 | 47=ProcCallEngine 50 | 48=PutMem1 51 | 49=PutMem2 52 | 50=PutMem4 53 | 51=PutMem8 54 | 52=PutMemEvent 55 | 53=PutMemNewObj 56 | 54=PutMemObj 57 | 55=PutMemStr 58 | 56=PutMemVar 59 | 57=SetMemEvent 60 | 58=SetMemNewObj 61 | 59=SetMemObj 62 | 60=SetMemVar 63 | 61=ThunRTMain 64 | 62=TipCreateInstanceEx 65 | 63=TipCreateInstanceProject2 66 | 64=TipGetAddressOfPredeclaredInstance 67 | 65=TipInvokeMethod 68 | 66=TipInvokeMethod2 69 | 67=TipSetOption 70 | 68=TipUnloadInstance 71 | 69=TipUnloadProject 72 | 70=UserDllMain 73 | 71=VBDllCanUnloadNow 74 | 72=VBDllGetClassObject 75 | 73=VBDllRegisterServer 76 | 74=VBDllUnRegisterServer 77 | 75=VarPtr 78 | 76=Zombie_AddRef 79 | 77=Zombie_GetIDsOfNames 80 | 78=Zombie_GetTypeInfo 81 | 79=Zombie_GetTypeInfoCount 82 | 80=Zombie_Invoke 83 | 81=Zombie_QueryInterface 84 | 82=Zombie_Release 85 | 83=_CIatan 86 | 84=_CIcos 87 | 85=_CIexp 88 | 86=_CIlog 89 | 87=_CIsin 90 | 88=_CIsqrt 91 | 89=_CItan 92 | 90=__vbaAptOffset 93 | 91=__vbaAryConstruct 94 | 92=__vbaAryConstruct2 95 | 93=__vbaAryCopy 96 | 94=__vbaAryDestruct 97 | 95=__vbaAryLock 98 | 96=__vbaAryMove 99 | 97=__vbaAryRebase1Var 100 | 98=__vbaAryRecCopy 101 | 99=__vbaAryRecMove 102 | 100=__vbaAryUnlock 103 | 101=__vbaAryVar 104 | 102=__vbaAryVarVarg 105 | 103=__vbaBoolErrVar 106 | 104=__vbaBoolStr 107 | 105=__vbaBoolVar 108 | 106=__vbaBoolVarNull 109 | 107=__vbaCVarAryUdt 110 | 108=__vbaCastObj 111 | 109=__vbaCastObjVar 112 | 110=__vbaCheckType 113 | 111=__vbaCheckTypeVar 114 | 112=__vbaChkstk 115 | 
113=__vbaCopyBytes 116 | 114=__vbaCopyBytesZero 117 | 115=__vbaCyAbs 118 | 116=__vbaCyAdd 119 | 117=__vbaCyErrVar 120 | 118=__vbaCyFix 121 | 119=__vbaCyForInit 122 | 120=__vbaCyForNext 123 | 121=__vbaCyI2 124 | 122=__vbaCyI4 125 | 123=__vbaCyInt 126 | 124=__vbaCyMul 127 | 125=__vbaCyMulI2 128 | 126=__vbaCySgn 129 | 127=__vbaCyStr 130 | 128=__vbaCySub 131 | 129=__vbaCyUI1 132 | 130=__vbaCyVar 133 | 131=__vbaDateR4 134 | 132=__vbaDateR8 135 | 133=__vbaDateStr 136 | 134=__vbaDateVar 137 | 135=__vbaDerefAry 138 | 136=__vbaDerefAry1 139 | 137=__vbaEnd 140 | 138=__vbaErase 141 | 139=__vbaEraseKeepData 142 | 140=__vbaEraseNoPop 143 | 141=__vbaError 144 | 142=__vbaErrorOverflow 145 | 143=__vbaExceptHandler 146 | 144=__vbaExitEachAry 147 | 145=__vbaExitEachColl 148 | 146=__vbaExitEachVar 149 | 147=__vbaExitProc 150 | 148=__vbaFPException 151 | 149=__vbaFPFix 152 | 150=__vbaFPInt 153 | 151=__vbaFailedFriend 154 | 152=__vbaFileClose 155 | 153=__vbaFileCloseAll 156 | 154=__vbaFileLock 157 | 155=__vbaFileOpen 158 | 156=__vbaFileSeek 159 | 157=__vbaFixstrConstruct 160 | 158=__vbaForEachAry 161 | 159=__vbaForEachCollAd 162 | 160=__vbaForEachCollObj 163 | 161=__vbaForEachCollVar 164 | 162=__vbaForEachVar 165 | 163=__vbaFpCDblR4 166 | 164=__vbaFpCDblR8 167 | 165=__vbaFpCSngR4 168 | 166=__vbaFpCSngR8 169 | 167=__vbaFpCmpCy 170 | 168=__vbaFpCy 171 | 169=__vbaFpI2 172 | 170=__vbaFpI4 173 | 171=__vbaFpR4 174 | 172=__vbaFpR8 175 | 173=__vbaFpUI1 176 | 174=__vbaFreeObj 177 | 175=__vbaFreeObjList 178 | 176=__vbaFreeStr 179 | 177=__vbaFreeStrList 180 | 178=__vbaFreeVar 181 | 179=__vbaFreeVarList 182 | 180=__vbaFreeVarg 183 | 181=__vbaGenerateBoundsError 184 | 182=__vbaGet3 185 | 183=__vbaGet4 186 | 184=__vbaGetFxStr3 187 | 185=__vbaGetFxStr4 188 | 186=__vbaGetOwner3 189 | 187=__vbaGetOwner4 190 | 188=__vbaGosub 191 | 189=__vbaGosubFree 192 | 190=__vbaGosubReturn 193 | 191=__vbaHresultCheck 194 | 192=__vbaHresultCheckNonvirt 195 | 193=__vbaHresultCheckObj 196 | 194=__vbaI2Abs 197 | 
195=__vbaI2Cy 198 | 196=__vbaI2ErrVar 199 | 197=__vbaI2ForNextCheck 200 | 198=__vbaI2I4 201 | 199=__vbaI2Sgn 202 | 200=__vbaI2Str 203 | 201=__vbaI2Var 204 | 202=__vbaI4Abs 205 | 203=__vbaI4Cy 206 | 204=__vbaI4ErrVar 207 | 205=__vbaI4ForNextCheck 208 | 206=__vbaI4Sgn 209 | 207=__vbaI4Str 210 | 208=__vbaI4Var 211 | 209=__vbaInStr 212 | 210=__vbaInStrB 213 | 211=__vbaInStrVar 214 | 212=__vbaInStrVarB 215 | 213=__vbaInputFile 216 | 214=__vbaLateIdCall 217 | 215=__vbaLateIdCallLd 218 | 216=__vbaLateIdCallSt 219 | 217=__vbaLateIdNamedCall 220 | 218=__vbaLateIdNamedCallLd 221 | 219=__vbaLateIdNamedCallSt 222 | 220=__vbaLateIdNamedStAd 223 | 221=__vbaLateIdSt 224 | 222=__vbaLateIdStAd 225 | 223=__vbaLateMemCall 226 | 224=__vbaLateMemCallLd 227 | 225=__vbaLateMemCallSt 228 | 226=__vbaLateMemNamedCall 229 | 227=__vbaLateMemNamedCallLd 230 | 228=__vbaLateMemNamedCallSt 231 | 229=__vbaLateMemNamedStAd 232 | 230=__vbaLateMemSt 233 | 231=__vbaLateMemStAd 234 | 232=__vbaLbound 235 | 233=__vbaLdZeroAry 236 | 234=__vbaLenBstr 237 | 235=__vbaLenBstrB 238 | 236=__vbaLenVar 239 | 237=__vbaLenVarB 240 | 238=__vbaLineInputStr 241 | 239=__vbaLineInputVar 242 | 240=__vbaLsetFixstr 243 | 241=__vbaLsetFixstrFree 244 | 242=__vbaMidStmtBstr 245 | 243=__vbaMidStmtBstrB 246 | 244=__vbaMidStmtVar 247 | 245=__vbaMidStmtVarB 248 | 246=__vbaNameFile 249 | 247=__vbaNew 250 | 248=__vbaNew2 251 | 249=__vbaNextEachAry 252 | 250=__vbaNextEachCollAd 253 | 251=__vbaNextEachCollObj 254 | 252=__vbaNextEachCollVar 255 | 253=__vbaNextEachVar 256 | 254=__vbaObjAddref 257 | 255=__vbaObjIs 258 | 256=__vbaObjSet 259 | 257=__vbaObjSetAddref 260 | 258=__vbaObjVar 261 | 259=__vbaOnError 262 | 260=__vbaOnGoCheck 263 | 261=__vbaPowerR8 264 | 262=__vbaPrintFile 265 | 263=__vbaPrintObj 266 | 264=__vbaPut3 267 | 265=__vbaPut4 268 | 266=__vbaPutFxStr3 269 | 267=__vbaPutFxStr4 270 | 268=__vbaPutOwner3 271 | 269=__vbaPutOwner4 272 | 270=__vbaR4Cy 273 | 271=__vbaR4ErrVar 274 | 272=__vbaR4ForNextCheck 275 | 273=__vbaR4Sgn 276 
| 274=__vbaR4Str 277 | 275=__vbaR4Var 278 | 276=__vbaR8Cy 279 | 277=__vbaR8ErrVar 280 | 278=__vbaR8FixI2 281 | 279=__vbaR8FixI4 282 | 280=__vbaR8ForNextCheck 283 | 281=__vbaR8IntI2 284 | 282=__vbaR8IntI4 285 | 283=__vbaR8Sgn 286 | 284=__vbaR8Str 287 | 285=__vbaR8Var 288 | 286=__vbaRaiseEvent 289 | 287=__vbaRecAnsiToUni 290 | 288=__vbaRecAssign 291 | 289=__vbaRecDestruct 292 | 290=__vbaRecDestructAnsi 293 | 291=__vbaRecUniToAnsi 294 | 292=__vbaRedim 295 | 293=__vbaRedimPreserve 296 | 294=__vbaRedimPreserveVar 297 | 295=__vbaRedimPreserveVar2 298 | 296=__vbaRedimVar 299 | 297=__vbaRedimVar2 300 | 298=__vbaRefVarAry 301 | 299=__vbaResume 302 | 300=__vbaRsetFixstr 303 | 301=__vbaRsetFixstrFree 304 | 302=__vbaSetSystemError 305 | 303=__vbaStopExe 306 | 304=__vbaStr2Vec 307 | 305=__vbaStrAryToAnsi 308 | 306=__vbaStrAryToUnicode 309 | 307=__vbaStrBool 310 | 308=__vbaStrCat 311 | 309=__vbaStrCmp 312 | 310=__vbaStrComp 313 | 311=__vbaStrCompVar 314 | 312=__vbaStrCopy 315 | 313=__vbaStrCy 316 | 314=__vbaStrDate 317 | 315=__vbaStrErrVarCopy 318 | 316=__vbaStrFixstr 319 | 317=__vbaStrI2 320 | 318=__vbaStrI4 321 | 319=__vbaStrLike 322 | 320=__vbaStrMove 323 | 321=__vbaStrR4 324 | 322=__vbaStrR8 325 | 323=__vbaStrTextCmp 326 | 324=__vbaStrTextLike 327 | 325=__vbaStrToAnsi 328 | 326=__vbaStrToUnicode 329 | 327=__vbaStrUI1 330 | 328=__vbaStrVarCopy 331 | 329=__vbaStrVarMove 332 | 330=__vbaStrVarVal 333 | 331=__vbaUI1Cy 334 | 332=__vbaUI1ErrVar 335 | 333=__vbaUI1I2 336 | 334=__vbaUI1I4 337 | 335=__vbaUI1Sgn 338 | 336=__vbaUI1Str 339 | 337=__vbaUI1Var 340 | 338=__vbaUbound 341 | 339=__vbaUdtVar 342 | 340=__vbaUnkVar 343 | 341=__vbaVar2Vec 344 | 342=__vbaVarAbs 345 | 343=__vbaVarAdd 346 | 344=__vbaVarAnd 347 | 345=__vbaVarCat 348 | 346=__vbaVarCmpEq 349 | 347=__vbaVarCmpGe 350 | 348=__vbaVarCmpGt 351 | 349=__vbaVarCmpLe 352 | 350=__vbaVarCmpLt 353 | 351=__vbaVarCmpNe 354 | 352=__vbaVarCopy 355 | 353=__vbaVarDateVar 356 | 354=__vbaVarDiv 357 | 355=__vbaVarDup 358 | 356=__vbaVarEqv 359 
| 357=__vbaVarErrI4 360 | 358=__vbaVarFix 361 | 359=__vbaVarForInit 362 | 360=__vbaVarForNext 363 | 361=__vbaVarIdiv 364 | 362=__vbaVarImp 365 | 363=__vbaVarIndexLoad 366 | 364=__vbaVarIndexLoadRef 367 | 365=__vbaVarIndexLoadRefLock 368 | 366=__vbaVarIndexStore 369 | 367=__vbaVarIndexStoreObj 370 | 368=__vbaVarInt 371 | 369=__vbaVarLateMemCallLd 372 | 370=__vbaVarLateMemCallLdRf 373 | 371=__vbaVarLateMemCallSt 374 | 372=__vbaVarLateMemSt 375 | 373=__vbaVarLateMemStAd 376 | 374=__vbaVarLike 377 | 375=__vbaVarLikeVar 378 | 376=__vbaVarMod 379 | 377=__vbaVarMove 380 | 378=__vbaVarMul 381 | 379=__vbaVarNeg 382 | 380=__vbaVarNot 383 | 381=__vbaVarOr 384 | 382=__vbaVarPow 385 | 383=__vbaVarSetObj 386 | 384=__vbaVarSetObjAddref 387 | 385=__vbaVarSetUnk 388 | 386=__vbaVarSetUnkAddref 389 | 387=__vbaVarSetVar 390 | 388=__vbaVarSetVarAddref 391 | 389=__vbaVarSub 392 | 390=__vbaVarTextCmpEq 393 | 391=__vbaVarTextCmpGe 394 | 392=__vbaVarTextCmpGt 395 | 393=__vbaVarTextCmpLe 396 | 394=__vbaVarTextCmpLt 397 | 395=__vbaVarTextCmpNe 398 | 396=__vbaVarTextLike 399 | 397=__vbaVarTextLikeVar 400 | 398=__vbaVarTextTstEq 401 | 399=__vbaVarTextTstGe 402 | 400=__vbaVarTextTstGt 403 | 401=__vbaVarTextTstLe 404 | 402=__vbaVarTextTstLt 405 | 403=__vbaVarTextTstNe 406 | 404=__vbaVarTstEq 407 | 405=__vbaVarTstGe 408 | 406=__vbaVarTstGt 409 | 407=__vbaVarTstLe 410 | 408=__vbaVarTstLt 411 | 409=__vbaVarTstNe 412 | 410=__vbaVarVargNofree 413 | 411=__vbaVarXor 414 | 412=__vbaVarZero 415 | 413=__vbaVargObj 416 | 414=__vbaVargObjAddref 417 | 415=__vbaVargParmRef 418 | 416=__vbaVargUnk 419 | 417=__vbaVargUnkAddref 420 | 418=__vbaVargVar 421 | 419=__vbaVargVarCopy 422 | 420=__vbaVargVarMove 423 | 421=__vbaVargVarRef 424 | 422=__vbaVerifyVarObj 425 | 423=__vbaWriteFile 426 | 424=_adj_fdiv_m16i 427 | 425=_adj_fdiv_m32 428 | 426=_adj_fdiv_m32i 429 | 427=_adj_fdiv_m64 430 | 428=_adj_fdiv_r 431 | 429=_adj_fdivr_m16i 432 | 430=_adj_fdivr_m32 433 | 431=_adj_fdivr_m32i 434 | 432=_adj_fdivr_m64 435 | 
433=_adj_fpatan 436 | 434=_adj_fprem 437 | 435=_adj_fprem1 438 | 436=_adj_fptan 439 | 437=_allmul 440 | 438=rtBoolFromErrVar 441 | 439=rtBstrFromErrVar 442 | 440=rtCyFromErrVar 443 | 441=rtDecFromVar 444 | 442=rtI2FromErrVar 445 | 443=rtI4FromErrVar 446 | 444=rtR4FromErrVar 447 | 445=rtR8FromErrVar 448 | 446=rtUI1FromErrVar 449 | 447=rtcAbsVar 450 | 448=rtcAnsiValueBstr 451 | 449=rtcAppActivate 452 | 450=rtcAppleScript 453 | 451=rtcArray 454 | 452=rtcAtn 455 | 453=rtcBeep 456 | 454=rtcBstrFromAnsi 457 | 455=rtcBstrFromByte 458 | 456=rtcBstrFromChar 459 | 457=rtcBstrFromError 460 | 458=rtcBstrFromFormatVar 461 | 459=rtcByteValueBstr 462 | 460=rtcCVErrFromVar 463 | 461=rtcCallByName 464 | 462=rtcChangeDir 465 | 463=rtcChangeDrive 466 | 464=rtcCharValueBstr 467 | 465=rtcChoose 468 | 466=rtcCommandBstr 469 | 467=rtcCommandVar 470 | 468=rtcCompareBstr 471 | 469=rtcCos 472 | 470=rtcCreateObject 473 | 471=rtcCreateObject2 474 | 472=rtcCurrentDir 475 | 473=rtcCurrentDirBstr 476 | 474=rtcDDB 477 | 475=rtcDateAdd 478 | 476=rtcDateDiff 479 | 477=rtcDateFromVar 480 | 478=rtcDatePart 481 | 479=rtcDeleteSetting 482 | 480=rtcDir 483 | 481=rtcDoEvents 484 | 482=rtcEndOfFile 485 | 483=rtcEnvironBstr 486 | 484=rtcEnvironVar 487 | 485=rtcErrObj 488 | 486=rtcExp 489 | 487=rtcFV 490 | 488=rtcFileAttributes 491 | 489=rtcFileCopy 492 | 490=rtcFileDateTime 493 | 491=rtcFileLen 494 | 492=rtcFileLength 495 | 493=rtcFileLocation 496 | 494=rtcFileReset 497 | 495=rtcFileSeek 498 | 496=rtcFileWidth 499 | 497=rtcFilter 500 | 498=rtcFixVar 501 | 499=rtcFormatCurrency 502 | 500=rtcFormatDateTime 503 | 501=rtcFormatNumber 504 | 502=rtcFormatPercent 505 | 503=rtcFreeFile 506 | 504=rtcGetAllSettings 507 | 505=rtcGetCurrentCalendar 508 | 506=rtcGetDateBstr 509 | 507=rtcGetDateValue 510 | 508=rtcGetDateVar 511 | 509=rtcGetDayOfMonth 512 | 510=rtcGetDayOfWeek 513 | 511=rtcGetErl 514 | 512=rtcGetFileAttr 515 | 513=rtcGetHostLCID 516 | 514=rtcGetHourOfDay 517 | 515=rtcGetMinuteOfHour 518 | 
516=rtcGetMonthOfYear 519 | 517=rtcGetObject 520 | 518=rtcGetPresentDate 521 | 519=rtcGetSecondOfMinute 522 | 520=rtcGetSetting 523 | 521=rtcGetTimeBstr 524 | 522=rtcGetTimeValue 525 | 523=rtcGetTimeVar 526 | 524=rtcGetTimer 527 | 525=rtcGetYear 528 | 526=rtcHexBstrFromVar 529 | 527=rtcHexVarFromVar 530 | 528=rtcIMEStatus 531 | 529=rtcIPMT 532 | 530=rtcIRR 533 | 531=rtcImmediateIf 534 | 532=rtcInStr 535 | 533=rtcInStrChar 536 | 534=rtcInStrRev 537 | 535=rtcInputBox 538 | 536=rtcInputCharCount 539 | 537=rtcInputCharCountVar 540 | 538=rtcInputCount 541 | 539=rtcInputCountVar 542 | 540=rtcIntVar 543 | 541=rtcIsArray 544 | 542=rtcIsDate 545 | 543=rtcIsEmpty 546 | 544=rtcIsError 547 | 545=rtcIsMissing 548 | 546=rtcIsNull 549 | 547=rtcIsNumeric 550 | 548=rtcIsObject 551 | 549=rtcJoin 552 | 550=rtcKillFiles 553 | 551=rtcLeftBstr 554 | 552=rtcLeftCharBstr 555 | 553=rtcLeftCharVar 556 | 554=rtcLeftTrimBstr 557 | 555=rtcLeftTrimVar 558 | 556=rtcLeftVar 559 | 557=rtcLenCharVar 560 | 558=rtcLenVar 561 | 559=rtcLog 562 | 560=rtcLowerCaseBstr 563 | 561=rtcLowerCaseVar 564 | 562=rtcMIRR 565 | 563=rtcMacId 566 | 564=rtcMakeDir 567 | 565=rtcMidBstr 568 | 566=rtcMidCharBstr 569 | 567=rtcMidCharVar 570 | 568=rtcMidVar 571 | 569=rtcMonthName 572 | 570=rtcMsgBox 573 | 571=rtcNPV 574 | 572=rtcNPer 575 | 573=rtcOctBstrFromVar 576 | 574=rtcOctVarFromVar 577 | 575=rtcPMT 578 | 576=rtcPPMT 579 | 577=rtcPV 580 | 578=rtcPackDate 581 | 579=rtcPackTime 582 | 580=rtcPartition 583 | 581=rtcQBColor 584 | 582=rtcR8ValFromBstr 585 | 583=rtcRandomNext 586 | 584=rtcRandomize 587 | 585=rtcRate 588 | 586=rtcRemoveDir 589 | 587=rtcReplace 590 | 588=rtcRgb 591 | 589=rtcRightBstr 592 | 590=rtcRightCharBstr 593 | 591=rtcRightCharVar 594 | 592=rtcRightTrimBstr 595 | 593=rtcRightTrimVar 596 | 594=rtcRightVar 597 | 595=rtcRound 598 | 596=rtcSLN 599 | 597=rtcSYD 600 | 598=rtcSaveSetting 601 | 599=rtcSendKeys 602 | 600=rtcSetCurrentCalendar 603 | 601=rtcSetDateBstr 604 | 602=rtcSetDateVar 605 | 
603=rtcSetFileAttr 606 | 604=rtcSetTimeBstr 607 | 605=rtcSetTimeVar 608 | 606=rtcSgnVar 609 | 607=rtcShell 610 | 608=rtcSin 611 | 609=rtcSpaceBstr 612 | 610=rtcSpaceVar 613 | 611=rtcSplit 614 | 612=rtcSqr 615 | 613=rtcStrConvVar 616 | 614=rtcStrConvVar2 617 | 615=rtcStrFromVar 618 | 616=rtcStrReverse 619 | 617=rtcStringBstr 620 | 618=rtcStringVar 621 | 619=rtcSwitch 622 | 620=rtcTan 623 | 621=rtcTrimBstr 624 | 622=rtcTrimVar 625 | 623=rtcTypeName 626 | 624=rtcUpperCaseBstr 627 | 625=rtcUpperCaseVar 628 | 626=rtcVarBstrFromAnsi 629 | 627=rtcVarBstrFromByte 630 | 628=rtcVarBstrFromChar 631 | 629=rtcVarDateFromVar 632 | 630=rtcVarFromError 633 | 631=rtcVarFromFormatVar 634 | 632=rtcVarFromVar 635 | 633=rtcVarStrFromVar 636 | 634=rtcVarType 637 | 635=rtcWeekdayName 638 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/EXP/ollydbg_ExPression.exp: -------------------------------------------------------------------------------- 1 | [ExPression] 2 | 0= 3 | 1=Absolutizepath 4 | 2=Activatetablewindow 5 | 3=Addjump 6 | 4=Addnesteddata 7 | 5=Addprotocolrange 8 | 6=Addrange 9 | 7=Addsimpledata 10 | 8=Addsorteddata 11 | 9=Addstringtocombolist 12 | 10=Addtohistory 13 | 11=Addtolist 14 | 12=Addtosettings 15 | 13=Alignselection 16 | 14=Arelocaljumpscallstorange 17 | 15=Asciitounicode 18 | 16=Asmindump 19 | 17=Assemble 20 | 18=Assembleallforms 21 | 19=Backupusercode 22 | 20=Binaryedit 23 | 21=Bitcount 24 | 22=Broadcast 25 | 23=Browsecodelocations 26 | 24=Browsedirectory 27 | 25=Browsefilename 28 | 26=Byteregtodwordreg 29 | 27=Callmenufunction 30 | 28=Cexpression 31 | 29=Checkcondition 32 | 30=Checkfordebugevent 33 | 31=Checkhistory 34 | 32=Closeprocess 35 | 33=Closetaggedfile 36 | 34=Cmdinfo 37 | 35=Commentaddress 38 | 36=Commentcharacter 39 | 37=Comparecommand 40 | 38=Comparesequence 41 | 39=Compress 42 | 40=Condbreakpoint 43 | 41=Conderror 44 | 42=Condlogbreakpoint 45 | 43=Condyesno 46 | 44=Confirmhardwarebreakpoint 47 | 
45=Confirmint3breakpoint 48 | 46=Confirmint3breakpointlist 49 | 47=Confirmoverwrite 50 | 48=Confirmsorteddata 51 | 49=Copydumpselection 52 | 50=Copymemoryhex 53 | 51=Copytableselection 54 | 52=Copywholetable 55 | 53=Createdumpwindow 56 | 54=Createframewindow 57 | 55=Createnesteddata 58 | 56=Createottablewindow 59 | 57=Createsimpledata 60 | 58=Createsorteddata 61 | 59=Createtablechild 62 | 60=Createtablewindow 63 | 61=Createtabwindow 64 | 62=Createtaggedfile 65 | 63=Decodeaddress 66 | 64=Decodearglocal 67 | 65=Decodeargument 68 | 66=Decodeknownbyaddr 69 | 67=Decodeknownbyname 70 | 68=Decoderange 71 | 69=Decoderelativeoffset 72 | 70=Decodestructure 73 | 71=Decodethreadname 74 | 72=Decodetype 75 | 73=Decompress 76 | 74=Defaultactions 77 | 75=Defaultbar 78 | 76=Delayedtableredraw 79 | 77=Deletedatarange 80 | 78=Deletedatarangelist 81 | 79=Deleteinisection 82 | 80=Deletenestedrange 83 | 81=Deletenonconfirmedsorteddata 84 | 82=Deletesimpledatarange 85 | 83=Deletesorteddata 86 | 84=Deletesorteddatarange 87 | 85=DemanglenameW 88 | 86=Destroynesteddata 89 | 87=Destroysimpledata 90 | 88=Destroysorteddata 91 | 89=Detachprocess 92 | 90=Devicenametodosname 93 | 91=Disasm 94 | 92=Disassembleback 95 | 93=Disassembleforward 96 | 94=Dumpback 97 | 95=Dumpforward 98 | 96=Editmemory 99 | 97=Eexpression 100 | 98=Embeddumpwindow 101 | 99=Emptyrange 102 | 100=Enablehardbreakpoint 103 | 101=Enableint3breakpoint 104 | 102=Enablemembreakpoint 105 | 103=Endotdialog 106 | 104=Ensurememorybackup 107 | 105=Error 108 | 106=Executecommand 109 | 107=Exprcount 110 | 108=Expression 111 | 109=Fastexpression 112 | 110=Filefromini 113 | 111=Filenamefromhandle 114 | 112=Filetoini 115 | 113=Fillcombowithcodepages 116 | 114=Fillcombowithgroup 117 | 115=Fillcombowithstruct 118 | 116=Finalizetaggedfile 119 | 117=FindaddressW 120 | 118=Findcontrol 121 | 119=Finddata 122 | 120=Finddataptr 123 | 121=Finddecode 124 | 122=Findfiledump 125 | 123=Findfileoffset 126 | 124=Findfixup 127 | 125=Findfreehardbreakslot 
128 | 126=Findglobalcallsto 129 | 127=Findglobaljumpscallsto 130 | 128=Findjumpfrom 131 | 129=Findlabel 132 | 130=Findlocaljumpscallsto 133 | 131=Findlocaljumpsto 134 | 132=Findmainmodule 135 | 133=Findmemory 136 | 134=Findmodule 137 | 135=Findmodulebyname 138 | 136=FindnameW 139 | 137=Findnesteddata 140 | 138=Findnextdata 141 | 139=Findnextdatalist 142 | 140=FindnextnameW 143 | 141=FindnextnamelistW 144 | 142=Findretaddrdata 145 | 143=Findruntracerecord 146 | 144=Findsimpledata 147 | 145=Findsorteddata 148 | 146=Findsorteddatarange 149 | 147=Findsortedindexrange 150 | 148=Findsource 151 | 149=Findstockobject 152 | 150=Findstructureitembyoffset 153 | 151=Findthread 154 | 152=Findthreadbyordinal 155 | 153=Flash 156 | 154=Flushmemorycache 157 | 155=Followcall 158 | 156=Fullrange 159 | 157=Get3dnow 160 | 158=Getactiveframe 161 | 159=Getactivetab 162 | 160=Getaddressrange 163 | 161=Getanalysercomment 164 | 162=Getasmsearchmodel 165 | 163=Getcharacterwidth 166 | 164=Getconstantbyname 167 | 165=Getconstantbyvalue 168 | 166=Getcpudisasmdump 169 | 167=Getcpudisasmselection 170 | 168=Getcpudisasmtable 171 | 169=Getcpuruntracebackstep 172 | 170=Getcputhreadid 173 | 171=Getdword 174 | 172=Getdwordexpression 175 | 173=Getexceptionrange 176 | 174=Getexeversion 177 | 175=Getexportfrommemory 178 | 176=Getextproclimits 179 | 177=Getfloat 180 | 178=Getfpureg 181 | 179=Getfromini 182 | 180=Getfromsettings 183 | 181=Getgotoexpression 184 | 182=Getguidname 185 | 183=Getindexbypredefinedtype 186 | 184=Getinteger 187 | 185=Getlasterror 188 | 186=Getlasterrorcode 189 | 187=Getloopcomment 190 | 188=Getmmx 191 | 189=Getmodulestring 192 | 190=Getmonitorrect 193 | 191=Getnestingdepth 194 | 192=Getnestingpattern 195 | 193=Getoriginaldatasize 196 | 194=Getpackednetint 197 | 195=Getpredefinedtypebyindex 198 | 196=Getproccomment 199 | 197=Getproclimits 200 | 198=Getrangebyindex 201 | 199=Getrangebymember 202 | 200=Getrangecount 203 | 201=Getrawdata 204 | 202=Getregister 205 | 203=Getruntrace 206 
| 204=Getseqsearchmodel 207 | 205=Getsetcount 208 | 206=Getsimpledatabyindex 209 | 207=Getsimpledataindexbyaddr 210 | 208=Getsortedbyindex 211 | 209=Getsortedbyselection 212 | 210=Getsourceline 213 | 211=Getsse 214 | 212=Getstring 215 | 213=Getstructureitemcount 216 | 214=Getstructureitemvalue 217 | 215=Getstructuretype 218 | 216=Getswitchcomment 219 | 217=Gettabcount 220 | 218=Gettableselectionxy 221 | 219=Gettabletext 222 | 220=Gettaggedfiledata 223 | 221=Gettaggedrecordsize 224 | 222=Guardmemory 225 | 223=Guidtotext 226 | 224=Hardbreakpoint 227 | 225=Hardlogbreakpoint 228 | 226=Heapsort 229 | 227=Heapsortex 230 | 228=HexdumpA 231 | 229=Hexdump 232 | 230=HexdumpW 233 | 231=Hexprint4A 234 | 232=Hexprint4 235 | 233=Hexprint4W 236 | 234=Hexprint8A 237 | 235=Hexprint8 238 | 236=Hexprint8W 239 | 237=HexprintA 240 | 238=Hexprint 241 | 239=HexprintW 242 | 240=Info 243 | 241=Initset 244 | 242=Insertdata 245 | 243=InsertnameW 246 | 244=Isdataavailable 247 | 245=Isdatainrange 248 | 246=Isguid 249 | 247=Isinset 250 | 248=Isnoreturn 251 | 249=IsrareA 252 | 250=Israre 253 | 251=Isretaddr 254 | 252=Issortedinit 255 | 253=Isstring 256 | 254=Issystem 257 | 255=IstextA 258 | 256=Istext 259 | 257=IstextW 260 | 258=Iszero 261 | 259=Labeladdress 262 | 260=Linecount 263 | 261=Listmemory 264 | 262=Maketableareavisible 265 | 263=Maybecommand 266 | 264=Memalloc 267 | 265=Membreakpoint 268 | 266=Memdouble 269 | 267=Memfree 270 | 268=Memlogbreakpoint 271 | 269=Mempurge 272 | 270=Mergequickdata 273 | 271=Message 274 | 272=Moveprogress 275 | 273=Movetableselection 276 | 274=Nameoffloat 277 | 275=Ndisasm 278 | 276=Nesteddatatoudd 279 | 277=Newdumpselection 280 | 278=Opentaggedfile 281 | 279=Optostring 282 | 280=Pastememoryhex 283 | 281=Pauseprocess 284 | 282=Plugingetuniquedatatype 285 | 283=Pluginmodulechanged 286 | 284=Pluginpackedrecord 287 | 285=Pluginsaverecord 288 | 286=Pluginshowoptions 289 | 287=Plugintempbreakpoint 290 | 288=Preparedialog 291 | 289=Printfloat10 292 | 290=Printfloat4 
293 | 291=Printfloat8 294 | 292=Printmmx 295 | 293=Processwmmousewheel 296 | 294=Progress 297 | 295=Quickinsertdata 298 | 296=QuickinsertnameW 299 | 297=Quicktimerflush 300 | 298=Quicktimerstart 301 | 299=Quicktimerstop 302 | 300=Readfile 303 | 301=Readmemory 304 | 302=Readmemoryex 305 | 303=Redrawcpudisasm 306 | 304=Redrawcpureg 307 | 305=Redrawlist 308 | 306=Registermodifiedbyuser 309 | 307=Relativizepath 310 | 308=Removeanalysis 311 | 309=Removehardbreakpoint 312 | 310=Removeint3breakpoint 313 | 311=Removemembreakpoint 314 | 312=Removerange 315 | 313=Removetableselection 316 | 314=Renumeratesorteddata 317 | 315=Replacegraphs 318 | 316=Replacesorteddatarange 319 | 317=Resumeallthreads 320 | 318=Run 321 | 319=Savepackedrecord 322 | 320=Savetaggedrecord 323 | 321=Scan 324 | 322=Scrolldumpwindow 325 | 323=Setactivetab 326 | 324=Setautoupdate 327 | 325=Setcondition 328 | 326=Setcpu 329 | 327=Setdumptype 330 | 328=Sethardbreakpoint 331 | 329=Setint3breakpoint 332 | 330=Setmembreakpoint 333 | 331=Setrtcond 334 | 332=Setrtprot 335 | 333=Setstatus 336 | 334=Settableselection 337 | 335=Showsourcecode 338 | 336=SignedhexA 339 | 337=Signedhex 340 | 338=SignedhexW 341 | 339=Simpleaddress 342 | 340=Skipspaces 343 | 341=Sortjumpdata 344 | 342=Sortsimpledata 345 | 343=Sortsorteddata 346 | 344=Squeezename 347 | 345=Startnextdata 348 | 346=Startnextdatalist 349 | 347=Startnextnamelist 350 | 348=StrcopyA 351 | 349=Strcopy 352 | 350=StrcopyW 353 | 351=Stringfromini 354 | 352=Stringtotext 355 | 353=StrlenA 356 | 354=Strlen 357 | 355=StrlenW 358 | 356=Substitutehkeyprefix 359 | 357=Sunkenframe 360 | 358=Suspendallthreads 361 | 359=Swapmem 362 | 360=Swprintf 363 | 361=Tempinfo 364 | 362=Threadregisters 365 | 363=Uddtonesteddata 366 | 364=Uncapitalize 367 | 365=Unicodebuffertoascii 368 | 366=Unicodetoascii 369 | 367=Unicodetoutf 370 | 368=Unmarknewsorteddata 371 | 369=Updateframe 372 | 370=Updatetable 373 | 371=Updatetabs 374 | 372=Utftounicode 375 | 373=Virtalloc 376 | 374=Virtfree 
377 | 375=Walkhistory 378 | 376=Wipebreakpointrange 379 | 377=Writememory 380 | 378=Writetoini 381 | 379=_Bitcount 382 | 380=_HexdumpA 383 | 381=_Hexdump 384 | 382=_HexdumpW 385 | 383=_Hexprint4A 386 | 384=_Hexprint4 387 | 385=_Hexprint4W 388 | 386=_Hexprint8A 389 | 387=_Hexprint8 390 | 388=_Hexprint8W 391 | 389=_HexprintA 392 | 390=_Hexprint 393 | 391=_HexprintW 394 | 392=_SignedhexA 395 | 393=_Signedhex 396 | 394=_SignedhexW 397 | 395=_StrcopyA 398 | 396=_Strcopy 399 | 397=_StrcopyW 400 | 398=_StrlenA 401 | 399=_Strlen 402 | 400=_StrlenW 403 | 401=_Swapmem 404 | 402=_aqueue 405 | 403=_arguments 406 | 404=_asciicodepage 407 | 405=_bincmd 408 | 406=_bphard 409 | 407=_bpmem 410 | 408=_bpoint 411 | 409=_bppage 412 | 410=_color 413 | 411=_corexemain 414 | 412=_cpufeatures 415 | 413=_crname 416 | 414=_dbgbreakpoint 417 | 415=_debugbreak 418 | 416=_drname 419 | 417=_executable 420 | 418=_fixfont 421 | 419=_font 422 | 420=_fpuname 423 | 421=_hilite 424 | 422=_hollyinst 425 | 423=_hwclient 426 | 424=_hwollymain 427 | 425=_ischild 428 | 426=_kiuserexcept 429 | 427=_kusershareddata 430 | 428=_list 431 | 429=_mainthreadid 432 | 430=_memory 433 | 431=_mmxname 434 | 432=_module 435 | 433=_netdbg 436 | 434=_ntqueryinfo 437 | 435=_ollydir 438 | 436=_ollyfile 439 | 437=_ottable 440 | 438=_patch 441 | 439=_peblock 442 | 440=_plugindir 443 | 441=_premod 444 | 442=_procdata 445 | 443=_process 446 | 444=_processid 447 | 445=_regname 448 | 446=_restorewinpos 449 | 447=_rtcond 450 | 448=_rtprot 451 | 449=_run 452 | 450=_rundll 453 | 451=_scheme 454 | 452=_segname 455 | 453=_sizeatt 456 | 454=_sizekey 457 | 455=_sizename 458 | 456=_skipsystembp 459 | 457=_source 460 | 458=_srccode 461 | 459=_ssename 462 | 460=_sysfont 463 | 461=_systemdir 464 | 462=_thread 465 | 463=_titlefont 466 | 464=_tracefile 467 | 465=_uefilter 468 | 466=_userspacelimit 469 | 467=_watch 470 | 468=_win 471 | 469=_zwcontinue 472 | 470=aqueue 473 | 471=arguments 474 | 472=asciicodepage 475 | 473=bincmd 476 | 
474=bphard 477 | 475=bpmem 478 | 476=bpoint 479 | 477=bppage 480 | 478=color 481 | 479=corexemain 482 | 480=cpufeatures 483 | 481=crname 484 | 482=dbgbreakpoint 485 | 483=debugbreak 486 | 484=drname 487 | 485=executable 488 | 486=fixfont 489 | 487=font 490 | 488=fpuname 491 | 489=hilite 492 | 490=hollyinst 493 | 491=hwclient 494 | 492=hwollymain 495 | 493=ischild 496 | 494=kiuserexcept 497 | 495=kusershareddata 498 | 496=list 499 | 497=mainthreadid 500 | 498=memory 501 | 499=mmxname 502 | 500=module 503 | 501=netdbg 504 | 502=ntqueryinfo 505 | 503=ollydir 506 | 504=ollyfile 507 | 505=ottable 508 | 506=patch 509 | 507=peblock 510 | 508=plugindir 511 | 509=premod 512 | 510=procdata 513 | 511=process 514 | 512=processid 515 | 513=regname 516 | 514=restorewinpos 517 | 515=rtcond 518 | 516=rtprot 519 | 517=run 520 | 518=rundll 521 | 519=scheme 522 | 520=segname 523 | 521=sizeatt 524 | 522=sizekey 525 | 523=sizename 526 | 524=skipsystembp 527 | 525=source 528 | 526=srccode 529 | 527=ssename 530 | 528=sysfont 531 | 529=systemdir 532 | 530=thread 533 | 531=titlefont 534 | 532=tracefile 535 | 533=uefilter 536 | 534=userspacelimit 537 | 535=watch 538 | 536=win 539 | 537=zwcontinue 540 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/EXP/shell32_ExPression.exp: -------------------------------------------------------------------------------- 1 | [ExPression] 2 | 0= 3 | 1=AssocCreateForClasses 4 | 2=AssocGetDetailsOfPropKey 5 | 3=BHID_AssociationArray 6 | 4=BHID_DataObject 7 | 5=BHID_EnumAssocHandlers 8 | 6=BHID_EnumItems 9 | 7=BHID_Filter 10 | 8=BHID_LinkTargetItem 11 | 9=BHID_PropertyStore 12 | 10=BHID_SFObject 13 | 11=BHID_SFUIObject 14 | 12=BHID_SFViewObject 15 | 13=BHID_Storage 16 | 14=BHID_StorageEnum 17 | 15=BHID_Stream 18 | 16=BHID_ThumbnailHandler 19 | 17=BHID_Transfer 20 | 18=CATID_BrowsableShellExt 21 | 19=CATID_BrowseInPlace 22 | 20=CATID_CommBand 23 | 21=CATID_DeskBand 24 | 22=CATID_InfoBand 25 | 
23=CATID_LocationFactory 26 | 24=CATID_LocationProvider 27 | 25=CDefFolderMenu_Create2 28 | 26=CGID_DefView 29 | 27=CGID_Explorer 30 | 28=CGID_ExplorerBarDoc 31 | 29=CGID_MENUDESKBAR 32 | 30=CGID_ShellDocView 33 | 31=CGID_ShellServiceObject 34 | 32=CGID_ShortCut 35 | 33=CIDLData_CreateFromIDArray 36 | 34=CLSID_ACLCustomMRU 37 | 35=CLSID_ACLHistory 38 | 36=CLSID_ACLMRU 39 | 37=CLSID_ACLMulti 40 | 38=CLSID_ACListISF 41 | 39=CLSID_ActiveDesktop 42 | 40=CLSID_AutoComplete 43 | 41=CLSID_CAnchorBrowsePropertyPage 44 | 42=CLSID_CDocBrowsePropertyPage 45 | 43=CLSID_CFSIconOverlayManager 46 | 44=CLSID_CImageBrowsePropertyPage 47 | 45=CLSID_CURLSearchHook 48 | 46=CLSID_CUrlHistory 49 | 47=CLSID_ControlPanel 50 | 48=CLSID_DarwinAppPublisher 51 | 49=CLSID_DocHostUIHandler 52 | 50=CLSID_DragDropHelper 53 | 51=CLSID_FileTypes 54 | 52=CLSID_FolderItem 55 | 53=CLSID_FolderItemsMultiLevel 56 | 54=CLSID_FolderShortcut 57 | 55=CLSID_HWShellExecute 58 | 56=CLSID_ISFBand 59 | 57=CLSID_Internet 60 | 58=CLSID_InternetButtons 61 | 59=CLSID_InternetShortcut 62 | 60=CLSID_LinkColumnProvider 63 | 61=CLSID_MSOButtons 64 | 62=CLSID_MenuBand 65 | 63=CLSID_MenuBandSite 66 | 64=CLSID_MenuToolbarBase 67 | 65=CLSID_MyComputer 68 | 66=CLSID_MyDocuments 69 | 67=CLSID_NetworkDomain 70 | 68=CLSID_NetworkServer 71 | 69=CLSID_NetworkShare 72 | 70=CLSID_NewMenu 73 | 71=CLSID_Printers 74 | 72=CLSID_ProgressDialog 75 | 73=CLSID_QueryAssociations 76 | 74=CLSID_QuickLinks 77 | 75=CLSID_RecycleBin 78 | 76=CLSID_ShellFldSetExt 79 | 77=CLSID_ToolbarExtButtons 80 | 78=CPFG_LOGON_PASSWORD 81 | 79=CPFG_LOGON_USERNAME 82 | 80=CPFG_SMARTCARD_PIN 83 | 81=CPFG_SMARTCARD_USERNAME 84 | 82=CheckEscapesW 85 | 83=CommandLineToArgvW 86 | 84=DAD_AutoScroll 87 | 85=DAD_DragEnterEx2 88 | 86=DAD_DragEnterEx 89 | 87=DAD_DragLeave 90 | 88=DAD_DragMove 91 | 89=DAD_SetDragImage 92 | 90=DAD_ShowDragImage 93 | 91=DoEnvironmentSubstA 94 | 92=DoEnvironmentSubst 95 | 93=DoEnvironmentSubstW 96 | 94=DragAcceptFiles 97 | 95=DragFinish 98 | 
96=DragQueryFileA 99 | 97=DragQueryFile 100 | 98=DragQueryFileAorW 101 | 99=DragQueryFileW 102 | 100=DragQueryPoint 103 | 101=DriveType 104 | 102=DuplicateIcon 105 | 103=EP_AdvQueryPane 106 | 104=EP_Commands 107 | 105=EP_Commands_Organize 108 | 106=EP_Commands_View 109 | 107=EP_DetailsPane 110 | 108=EP_NavPane 111 | 109=EP_PreviewPane 112 | 110=EP_QueryPane 113 | 111=ExtractAssociatedIconA 114 | 112=ExtractAssociatedIcon 115 | 113=ExtractAssociatedIconExA 116 | 114=ExtractAssociatedIconEx 117 | 115=ExtractAssociatedIconExW 118 | 116=ExtractAssociatedIconW 119 | 117=ExtractIconA 120 | 118=ExtractIcon 121 | 119=ExtractIconExA 122 | 120=ExtractIconEx 123 | 121=ExtractIconExW 124 | 122=ExtractIconW 125 | 123=FMTID_Briefcase 126 | 124=FMTID_CustomImageProperties 127 | 125=FMTID_DRM 128 | 126=FMTID_Displaced 129 | 127=FMTID_ImageProperties 130 | 128=FMTID_InternetSite 131 | 129=FMTID_Intshcut 132 | 130=FMTID_LibraryProperties 133 | 131=FMTID_MUSIC 134 | 132=FMTID_Misc 135 | 133=FMTID_Query 136 | 134=FMTID_ShellDetails 137 | 135=FMTID_Storage 138 | 136=FMTID_Volume 139 | 137=FMTID_WebView 140 | 138=FOLDERID_AddNewPrograms 141 | 139=FOLDERID_AdminTools 142 | 140=FOLDERID_AppUpdates 143 | 141=FOLDERID_CDBurning 144 | 142=FOLDERID_ChangeRemovePrograms 145 | 143=FOLDERID_CommonAdminTools 146 | 144=FOLDERID_CommonOEMLinks 147 | 145=FOLDERID_CommonPrograms 148 | 146=FOLDERID_CommonStartMenu 149 | 147=FOLDERID_CommonStartup 150 | 148=FOLDERID_CommonTemplates 151 | 149=FOLDERID_ComputerFolder 152 | 150=FOLDERID_ConflictFolder 153 | 151=FOLDERID_ConnectionsFolder 154 | 152=FOLDERID_Contacts 155 | 153=FOLDERID_ControlPanelFolder 156 | 154=FOLDERID_Cookies 157 | 155=FOLDERID_Desktop 158 | 156=FOLDERID_DeviceMetadataStore 159 | 157=FOLDERID_Documents 160 | 158=FOLDERID_DocumentsLibrary 161 | 159=FOLDERID_Downloads 162 | 160=FOLDERID_Favorites 163 | 161=FOLDERID_Fonts 164 | 162=FOLDERID_GameTasks 165 | 163=FOLDERID_Games 166 | 164=FOLDERID_History 167 | 165=FOLDERID_HomeGroup 168 | 
166=FOLDERID_ImplicitAppShortcuts 169 | 167=FOLDERID_InternetCache 170 | 168=FOLDERID_InternetFolder 171 | 169=FOLDERID_Libraries 172 | 170=FOLDERID_Links 173 | 171=FOLDERID_LocalAppData 174 | 172=FOLDERID_LocalAppDataLow 175 | 173=FOLDERID_LocalizedResourcesDir 176 | 174=FOLDERID_Music 177 | 175=FOLDERID_MusicLibrary 178 | 176=FOLDERID_NetHood 179 | 177=FOLDERID_NetworkFolder 180 | 178=FOLDERID_OriginalImages 181 | 179=FOLDERID_PhotoAlbums 182 | 180=FOLDERID_Pictures 183 | 181=FOLDERID_PicturesLibrary 184 | 182=FOLDERID_Playlists 185 | 183=FOLDERID_PrintHood 186 | 184=FOLDERID_PrintersFolder 187 | 185=FOLDERID_Profile 188 | 186=FOLDERID_ProgramData 189 | 187=FOLDERID_ProgramFiles 190 | 188=FOLDERID_ProgramFilesCommon 191 | 189=FOLDERID_ProgramFilesCommonX64 192 | 190=FOLDERID_ProgramFilesCommonX86 193 | 191=FOLDERID_ProgramFilesX64 194 | 192=FOLDERID_ProgramFilesX86 195 | 193=FOLDERID_Programs 196 | 194=FOLDERID_Public 197 | 195=FOLDERID_PublicDesktop 198 | 196=FOLDERID_PublicDocuments 199 | 197=FOLDERID_PublicDownloads 200 | 198=FOLDERID_PublicGameTasks 201 | 199=FOLDERID_PublicLibraries 202 | 200=FOLDERID_PublicMusic 203 | 201=FOLDERID_PublicPictures 204 | 202=FOLDERID_PublicRingtones 205 | 203=FOLDERID_PublicVideos 206 | 204=FOLDERID_QuickLaunch 207 | 205=FOLDERID_Recent 208 | 206=FOLDERID_RecordedTVLibrary 209 | 207=FOLDERID_RecycleBinFolder 210 | 208=FOLDERID_ResourceDir 211 | 209=FOLDERID_Ringtones 212 | 210=FOLDERID_RoamingAppData 213 | 211=FOLDERID_SEARCH_CSC 214 | 212=FOLDERID_SEARCH_MAPI 215 | 213=FOLDERID_SampleMusic 216 | 214=FOLDERID_SamplePictures 217 | 215=FOLDERID_SamplePlaylists 218 | 216=FOLDERID_SampleVideos 219 | 217=FOLDERID_SavedGames 220 | 218=FOLDERID_SavedSearches 221 | 219=FOLDERID_SearchHome 222 | 220=FOLDERID_SendTo 223 | 221=FOLDERID_SidebarDefaultParts 224 | 222=FOLDERID_SidebarParts 225 | 223=FOLDERID_StartMenu 226 | 224=FOLDERID_Startup 227 | 225=FOLDERID_SyncManagerFolder 228 | 226=FOLDERID_SyncResultsFolder 229 | 
227=FOLDERID_SyncSetupFolder 230 | 228=FOLDERID_System 231 | 229=FOLDERID_SystemX86 232 | 230=FOLDERID_Templates 233 | 231=FOLDERID_UserPinned 234 | 232=FOLDERID_UserProfiles 235 | 233=FOLDERID_UserProgramFiles 236 | 234=FOLDERID_UserProgramFilesCommon 237 | 235=FOLDERID_UsersFiles 238 | 236=FOLDERID_UsersLibraries 239 | 237=FOLDERID_Videos 240 | 238=FOLDERID_VideosLibrary 241 | 239=FOLDERID_Windows 242 | 240=FOLDERTYPEID_Communications 243 | 241=FOLDERTYPEID_CompressedFolder 244 | 242=FOLDERTYPEID_Contacts 245 | 243=FOLDERTYPEID_ControlPanelCategory 246 | 244=FOLDERTYPEID_ControlPanelClassic 247 | 245=FOLDERTYPEID_Documents 248 | 246=FOLDERTYPEID_Games 249 | 247=FOLDERTYPEID_Generic 250 | 248=FOLDERTYPEID_GenericLibrary 251 | 249=FOLDERTYPEID_GenericSearchResults 252 | 250=FOLDERTYPEID_Invalid 253 | 251=FOLDERTYPEID_Music 254 | 252=FOLDERTYPEID_NetworkExplorer 255 | 253=FOLDERTYPEID_OpenSearch 256 | 254=FOLDERTYPEID_OtherUsers 257 | 255=FOLDERTYPEID_Pictures 258 | 256=FOLDERTYPEID_Printers 259 | 257=FOLDERTYPEID_PublishedItems 260 | 258=FOLDERTYPEID_RecordedTV 261 | 259=FOLDERTYPEID_RecycleBin 262 | 260=FOLDERTYPEID_SavedGames 263 | 261=FOLDERTYPEID_SearchConnector 264 | 262=FOLDERTYPEID_SearchHome 265 | 263=FOLDERTYPEID_Searches 266 | 264=FOLDERTYPEID_SoftwareExplorer 267 | 265=FOLDERTYPEID_StartMenu 268 | 266=FOLDERTYPEID_UserFiles 269 | 267=FOLDERTYPEID_UsersLibraries 270 | 268=FOLDERTYPEID_Videos 271 | 269=FindExecutableA 272 | 270=FindExecutable 273 | 271=FindExecutableW 274 | 272=GetCurrentProcessExplicitAppUserModelID 275 | 273=GetFileNameFromBrowse 276 | 274=IID_CDefView 277 | 275=IID_IACList 278 | 276=IID_IACList2 279 | 277=IID_IADesktopP2 280 | 278=IID_IActiveDesktop 281 | 279=IID_IActiveDesktopP 282 | 280=IID_IBanneredBar 283 | 281=IID_IBriefcaseStg 284 | 282=IID_IColumnProvider 285 | 283=IID_ICommDlgBrowser 286 | 284=IID_ICommDlgBrowser2 287 | 285=IID_IContextMenu 288 | 286=IID_IContextMenu2 289 | 287=IID_IContextMenu3 290 | 288=IID_ICopyHookA 291 | 
289=IID_ICopyHook 292 | 290=IID_ICopyHookW 293 | 291=IID_ICurrentWorkingDirectory 294 | 292=IID_IDefViewFrame 295 | 293=IID_IDefViewID 296 | 294=IID_IDiscardableBrowserProperty 297 | 295=IID_IDocViewSite 298 | 296=IID_IDockingWindowFrame 299 | 297=IID_IDockingWindowSite 300 | 298=IID_IEnumExtraSearch 301 | 299=IID_IEnumIDList 302 | 300=IID_IExtractIconA 303 | 301=IID_IExtractIcon 304 | 302=IID_IExtractIconW 305 | 303=IID_IFileSystemBindData 306 | 304=IID_IFileViewerA 307 | 305=IID_IFileViewer 308 | 306=IID_IFileViewerSite 309 | 307=IID_IFileViewerW 310 | 308=IID_INamedPropertyBag 311 | 309=IID_INewShortcutHookA 312 | 310=IID_INewShortcutHook 313 | 311=IID_INewShortcutHookW 314 | 312=IID_IObjMgr 315 | 313=IID_IPersistFolder 316 | 314=IID_IProgressDialog 317 | 315=IID_IPropSheetPage 318 | 316=IID_IQueryAssociations 319 | 317=IID_IQueryInfo 320 | 318=IID_IRemoteComputer 321 | 319=IID_ISearchContext 322 | 320=IID_IShellBrowser 323 | 321=IID_IShellChangeNotify 324 | 322=IID_IShellDetails 325 | 323=IID_IShellExecuteHookA 326 | 324=IID_IShellExecuteHook 327 | 325=IID_IShellExecuteHookW 328 | 326=IID_IShellExtInit 329 | 327=IID_IShellFolder 330 | 328=IID_IShellFolder2 331 | 329=IID_IShellFolderBand 332 | 330=IID_IShellFolderViewCB 333 | 331=IID_IShellIcon 334 | 332=IID_IShellIconOverlay 335 | 333=IID_IShellIconOverlayIdentifier 336 | 334=IID_IShellIconOverlayManager 337 | 335=IID_IShellImageStore 338 | 336=IID_IShellLinkA 339 | 337=IID_IShellLink 340 | 338=IID_IShellLinkW 341 | 339=IID_IShellPropSheetExt 342 | 340=IID_IShellView 343 | 341=IID_IShellView2 344 | 342=IID_ISynchronizedCallBack 345 | 343=IID_IThumbnailCapture 346 | 344=IID_IURLSearchHook 347 | 345=IID_IURLSearchHook2 348 | 346=IID_IUniformResourceLocatorA 349 | 347=IID_IUniformResourceLocator 350 | 348=IID_IUniformResourceLocatorW 351 | 349=ILAppendID 352 | 350=ILClone 353 | 351=ILCloneFirst 354 | 352=ILCombine 355 | 353=ILCreateFromPathA 356 | 354=ILCreateFromPath 357 | 355=ILCreateFromPathW 358 | 
356=ILFindChild 359 | 357=ILFindLastID 360 | 358=ILFree 361 | 359=ILGetNext 362 | 360=ILGetSize 363 | 361=ILIsEqual 364 | 362=ILIsParent 365 | 363=ILLoadFromStreamEx 366 | 364=ILRemoveLastID 367 | 365=ILSaveToStream 368 | 366=InitNetworkAddressControl 369 | 367=IsLFNDriveA 370 | 368=IsLFNDrive 371 | 369=IsLFNDriveW 372 | 370=IsNetDrive 373 | 371=IsUserAnAdmin 374 | 372=ItemCount_Property_GUID 375 | 373=ItemIndex_Property_GUID 376 | 374=OpenRegStream 377 | 375=PathCleanupSpec 378 | 376=PathGetShortPath 379 | 377=PathIsExe 380 | 378=PathIsSlowA 381 | 379=PathIsSlow 382 | 380=PathIsSlowW 383 | 381=PathMakeUniqueName 384 | 382=PathQualify 385 | 383=PathResolve 386 | 384=PathYetAnotherMakeUniqueName 387 | 385=PickIconDlg 388 | 386=PifMgr_CloseProperties 389 | 387=PifMgr_GetProperties 390 | 388=PifMgr_OpenProperties 391 | 389=PifMgr_SetProperties 392 | 390=ReadCabinetState 393 | 391=RealDriveType 394 | 392=RestartDialog 395 | 393=RestartDialogEx 396 | 394=SHAddDefaultPropertiesByExt 397 | 395=SHAddFromPropSheetExtArray 398 | 396=SHAddToRecentDocs 399 | 397=SHAlloc 400 | 398=SHAppBarMessage 401 | 399=SHAssocEnumHandlers 402 | 400=SHAssocEnumHandlersForProtocolByApplication 403 | 401=SHBindToFolderIDListParent 404 | 402=SHBindToFolderIDListParentEx 405 | 403=SHBindToObject 406 | 404=SHBindToParent 407 | 405=SHBrowseForFolderA 408 | 406=SHBrowseForFolder 409 | 407=SHBrowseForFolderW 410 | 408=SHCLSIDFromString 411 | 409=SHChangeNotification_Lock 412 | 410=SHChangeNotification_Unlock 413 | 411=SHChangeNotify 414 | 412=SHChangeNotifyDeregister 415 | 413=SHChangeNotifyRegister 416 | 414=SHChangeNotifyRegisterThread 417 | 415=SHCloneSpecialIDList 418 | 416=SHCoCreateInstance 419 | 417=SHCreateAssociationRegistration 420 | 418=SHCreateDataObject 421 | 419=SHCreateDefaultContextMenu 422 | 420=SHCreateDefaultExtractIcon 423 | 421=SHCreateDefaultPropertiesOp 424 | 422=SHCreateDirectory 425 | 423=SHCreateDirectoryExA 426 | 424=SHCreateDirectoryEx 427 | 425=SHCreateDirectoryExW 428 | 
426=SHCreateFileExtractIconW 429 | 427=SHCreateItemFromIDList 430 | 428=SHCreateItemFromParsingName 431 | 429=SHCreateItemFromRelativeName 432 | 430=SHCreateItemInKnownFolder 433 | 431=SHCreateItemWithParent 434 | 432=SHCreateProcessAsUserW 435 | 433=SHCreatePropSheetExtArray 436 | 434=SHCreateQueryCancelAutoPlayMoniker 437 | 435=SHCreateShellFolderView 438 | 436=SHCreateShellFolderViewEx 439 | 437=SHCreateShellItem 440 | 438=SHCreateShellItemArray 441 | 439=SHCreateShellItemArrayFromDataObject 442 | 440=SHCreateShellItemArrayFromIDLists 443 | 441=SHCreateShellItemArrayFromShellItem 444 | 442=SHCreateStdEnumFmtEtc 445 | 443=SHDefExtractIconA 446 | 444=SHDefExtractIcon 447 | 445=SHDefExtractIconW 448 | 446=SHDestroyPropSheetExtArray 449 | 447=SHDoDragDrop 450 | 448=SHEmptyRecycleBinA 451 | 449=SHEmptyRecycleBin 452 | 450=SHEmptyRecycleBinW 453 | 451=SHEnumerateUnreadMailAccountsW 454 | 452=SHEvaluateSystemCommandTemplate 455 | 453=SHFileOperationA 456 | 454=SHFileOperation 457 | 455=SHFileOperationW 458 | 456=SHFindFiles 459 | 457=SHFind_InitMenuPopup 460 | 458=SHFlushSFCache 461 | 459=SHFormatDrive 462 | 460=SHFree 463 | 461=SHFreeNameMappings 464 | 462=SHGetAttributesFromDataObject 465 | 463=SHGetDataFromIDListA 466 | 464=SHGetDataFromIDList 467 | 465=SHGetDataFromIDListW 468 | 466=SHGetDesktopFolder 469 | 467=SHGetDiskFreeSpaceA 470 | 468=SHGetDiskFreeSpace 471 | 469=SHGetDiskFreeSpaceExA 472 | 470=SHGetDiskFreeSpaceEx 473 | 471=SHGetDiskFreeSpaceExW 474 | 472=SHGetDriveMedia 475 | 473=SHGetFileInfoA 476 | 474=SHGetFileInfo 477 | 475=SHGetFileInfoW 478 | 476=SHGetFolderLocation 479 | 477=SHGetFolderPathA 480 | 478=SHGetFolderPath 481 | 479=SHGetFolderPathAndSubDirA 482 | 480=SHGetFolderPathAndSubDir 483 | 481=SHGetFolderPathAndSubDirW 484 | 482=SHGetFolderPathEx 485 | 483=SHGetFolderPathW 486 | 484=SHGetIDListFromObject 487 | 485=SHGetIconOverlayIndexA 488 | 486=SHGetIconOverlayIndex 489 | 487=SHGetIconOverlayIndexW 490 | 488=SHGetImageList 491 | 
489=SHGetInstanceExplorer 492 | 490=SHGetItemFromDataObject 493 | 491=SHGetItemFromObject 494 | 492=SHGetKnownFolderIDList 495 | 493=SHGetKnownFolderItem 496 | 494=SHGetKnownFolderPath 497 | 495=SHGetLocalizedName 498 | 496=SHGetMalloc 499 | 497=SHGetNameFromIDList 500 | 498=SHGetNewLinkInfoA 501 | 499=SHGetNewLinkInfo 502 | 500=SHGetNewLinkInfoW 503 | 501=SHGetPathFromIDListA 504 | 502=SHGetPathFromIDList 505 | 503=SHGetPathFromIDListEx 506 | 504=SHGetPathFromIDListW 507 | 505=SHGetPropertyStoreForWindow 508 | 506=SHGetPropertyStoreFromIDList 509 | 507=SHGetPropertyStoreFromParsingName 510 | 508=SHGetRealIDL 511 | 509=SHGetSetFolderCustomSettings 512 | 510=SHGetSetSettings 513 | 511=SHGetSettings 514 | 512=SHGetSpecialFolderLocation 515 | 513=SHGetSpecialFolderPathA 516 | 514=SHGetSpecialFolderPath 517 | 515=SHGetSpecialFolderPathW 518 | 516=SHGetStockIconInfo 519 | 517=SHGetTemporaryPropertyForItem 520 | 518=SHGetUnreadMailCountW 521 | 519=SHHandleUpdateImage 522 | 520=SHILCreateFromPath 523 | 521=SHInvokePrinterCommandA 524 | 522=SHInvokePrinterCommand 525 | 523=SHInvokePrinterCommandW 526 | 524=SHIsFileAvailableOffline 527 | 525=SHLimitInputEdit 528 | 526=SHLoadInProc 529 | 527=SHLoadNonloadedIconOverlayIdentifiers 530 | 528=SHMapPIDLToSystemImageListIndex 531 | 529=SHMultiFileProperties 532 | 530=SHObjectProperties 533 | 531=SHOpenFolderAndSelectItems 534 | 532=SHOpenPropSheetW 535 | 533=SHOpenWithDialog 536 | 534=SHParseDisplayName 537 | 535=SHPathPrepareForWriteA 538 | 536=SHPathPrepareForWrite 539 | 537=SHPathPrepareForWriteW 540 | 538=SHPropStgCreate 541 | 539=SHPropStgReadMultiple 542 | 540=SHPropStgWriteMultiple 543 | 541=SHQueryRecycleBinA 544 | 542=SHQueryRecycleBin 545 | 543=SHQueryRecycleBinW 546 | 544=SHQueryUserNotificationState 547 | 545=SHRemoveLocalizedName 548 | 546=SHReplaceFromPropSheetExtArray 549 | 547=SHResolveLibrary 550 | 548=SHRestricted 551 | 549=SHSetDefaultProperties 552 | 550=SHSetFolderPathA 553 | 551=SHSetFolderPath 554 | 
552=SHSetFolderPathW 555 | 553=SHSetInstanceExplorer 556 | 554=SHSetKnownFolderPath 557 | 555=SHSetLocalizedName 558 | 556=SHSetTemporaryPropertyForItem 559 | 557=SHSetUnreadMailCountW 560 | 558=SHShellFolderView_Message 561 | 559=SHShowManageLibraryUI 562 | 560=SHSimpleIDListFromPath 563 | 561=SHStartNetConnectionDialogW 564 | 562=SHTestTokenMembership 565 | 563=SHUpdateImageA 566 | 564=SHUpdateImage 567 | 565=SHUpdateImageW 568 | 566=SHValidateUNC 569 | 567=SID_CtxQueryAssociations 570 | 568=SID_DefView 571 | 569=SID_MenuShellFolder 572 | 570=SID_SCommDlgBrowser 573 | 571=SID_SGetViewFromViewDual 574 | 572=SID_SInPlaceBrowser 575 | 573=SID_SMenuBandBKContextMenu 576 | 574=SID_SMenuBandBottom 577 | 575=SID_SMenuBandBottomSelected 578 | 576=SID_SMenuBandChild 579 | 577=SID_SMenuBandContextMenuModifier 580 | 578=SID_SMenuBandParent 581 | 579=SID_SMenuBandTop 582 | 580=SID_SMenuPopup 583 | 581=SID_SSearchBoxInfo 584 | 582=SID_STopLevelBrowser 585 | 583=SID_STopWindow 586 | 584=SYNCMGR_OBJECTID_BrowseContent 587 | 585=SYNCMGR_OBJECTID_ConflictStore 588 | 586=SYNCMGR_OBJECTID_EventLinkClick 589 | 587=SYNCMGR_OBJECTID_EventStore 590 | 588=SYNCMGR_OBJECTID_Icon 591 | 589=SYNCMGR_OBJECTID_QueryBeforeActivate 592 | 590=SYNCMGR_OBJECTID_QueryBeforeDeactivate 593 | 591=SYNCMGR_OBJECTID_QueryBeforeDelete 594 | 592=SYNCMGR_OBJECTID_QueryBeforeDisable 595 | 593=SYNCMGR_OBJECTID_QueryBeforeEnable 596 | 594=SYNCMGR_OBJECTID_ShowSchedule 597 | 595=SelectedItemCount_Property_GUID 598 | 596=SetCurrentProcessExplicitAppUserModelID 599 | 597=ShellAboutA 600 | 598=ShellAbout 601 | 599=ShellAboutW 602 | 600=ShellExecuteA 603 | 601=ShellExecute 604 | 602=ShellExecuteExA 605 | 603=ShellExecuteEx 606 | 604=ShellExecuteExW 607 | 605=ShellExecuteW 608 | 606=ShellHookProc 609 | 607=Shell_GetCachedImageIndexA 610 | 608=Shell_GetCachedImageIndex 611 | 609=Shell_GetCachedImageIndexW 612 | 610=Shell_GetImageLists 613 | 611=Shell_MergeMenus 614 | 612=Shell_NotifyIconA 615 | 613=Shell_NotifyIcon 
616 | 614=Shell_NotifyIconGetRect 617 | 615=Shell_NotifyIconW 618 | 616=SignalFileOpen 619 | 617=StgMakeUniqueName 620 | 618=VID_Content 621 | 619=VID_Details 622 | 620=VID_LargeIcons 623 | 621=VID_List 624 | 622=VID_SmallIcons 625 | 623=VID_ThumbStrip 626 | 624=VID_Thumbnails 627 | 625=VID_Tile 628 | 626=WOWShellExecute 629 | 627=Win32DeleteFile 630 | 628=WriteCabinetState 631 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/EXP/winhttp_ExPression.exp: -------------------------------------------------------------------------------- 1 | [ExPression] 2 | 0= 3 | 1=SvchostPushServiceGlobals 4 | 2=WinHttpAddRequestHeaders 5 | 3=WinHttpAutoProxySvcMain 6 | 4=WinHttpCheckPlatform 7 | 5=WinHttpCloseHandle 8 | 6=WinHttpConnect 9 | 7=WinHttpCrackUrl 10 | 8=WinHttpCreateUrl 11 | 9=WinHttpDetectAutoProxyConfigUrl 12 | 10=WinHttpGetDefaultProxyConfiguration 13 | 11=WinHttpGetIEProxyConfigForCurrentUser 14 | 12=WinHttpGetProxyForUrl 15 | 13=WinHttpOpen 16 | 14=WinHttpOpenRequest 17 | 15=WinHttpQueryAuthSchemes 18 | 16=WinHttpQueryDataAvailable 19 | 17=WinHttpQueryHeaders 20 | 18=WinHttpQueryOption 21 | 19=WinHttpReadData 22 | 20=WinHttpReceiveResponse 23 | 21=WinHttpSendRequest 24 | 22=WinHttpSetCredentials 25 | 23=WinHttpSetDefaultProxyConfiguration 26 | 24=WinHttpSetOption 27 | 25=WinHttpSetStatusCallback 28 | 26=WinHttpSetTimeouts 29 | 27=WinHttpTimeFromSystemTime 30 | 28=WinHttpTimeToSystemTime 31 | 29=WinHttpWriteData 32 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/EXP/x32_bridge_ExPression.exp: -------------------------------------------------------------------------------- 1 | [ExPression] 2 | 0= 3 | 1=BridgeAlloc 4 | 2=BridgeFree 5 | 3=BridgeGetDbgVersion 6 | 4=BridgeInit 7 | 5=BridgeSettingGet 8 | 6=BridgeSettingGetUint 9 | 7=BridgeSettingSet 10 | 8=BridgeSettingSetUint 11 | 9=BridgeStart 12 | 10=DbgAssembleAt 13 | 11=DbgClearAutoBookmarkRange 14 | 
12=DbgClearAutoCommentRange 15 | 13=DbgClearAutoFunctionRange 16 | 14=DbgClearAutoLabelRange 17 | 15=DbgCmdExec 18 | 16=DbgCmdExecDirect 19 | 17=DbgDisasmAt 20 | 18=DbgDisasmFastAt 21 | 19=DbgExit 22 | 20=DbgFunctionAdd 23 | 21=DbgFunctionDel 24 | 22=DbgFunctionGet 25 | 23=DbgFunctionOverlaps 26 | 24=DbgFunctions 27 | 25=DbgGetBookmarkAt 28 | 26=DbgGetBpList 29 | 27=DbgGetBpxTypeAt 30 | 28=DbgGetBranchDestination 31 | 29=DbgGetCommentAt 32 | 30=DbgGetFunctionTypeAt 33 | 31=DbgGetLabelAt 34 | 32=DbgGetLoopTypeAt 35 | 33=DbgGetModuleAt 36 | 34=DbgGetRegDump 37 | 35=DbgGetStringAt 38 | 36=DbgGetThreadList 39 | 37=DbgInit 40 | 38=DbgIsBpDisabled 41 | 39=DbgIsDebugging 42 | 40=DbgIsJumpGoingToExecute 43 | 41=DbgIsRunLocked 44 | 42=DbgIsValidExpression 45 | 43=DbgLoopAdd 46 | 44=DbgLoopDel 47 | 45=DbgLoopGet 48 | 46=DbgLoopOverlaps 49 | 47=DbgMemFindBaseAddr 50 | 48=DbgMemGetPageSize 51 | 49=DbgMemIsValidReadPtr 52 | 50=DbgMemMap 53 | 51=DbgMemRead 54 | 52=DbgMemWrite 55 | 53=DbgMenuEntryClicked 56 | 54=DbgModBaseFromName 57 | 55=DbgScriptAbort 58 | 56=DbgScriptBpGet 59 | 57=DbgScriptBpToggle 60 | 58=DbgScriptCmdExec 61 | 59=DbgScriptGetBranchInfo 62 | 60=DbgScriptGetLineType 63 | 61=DbgScriptLoad 64 | 62=DbgScriptRun 65 | 63=DbgScriptSetIp 66 | 64=DbgScriptStep 67 | 65=DbgScriptUnload 68 | 66=DbgSetAutoBookmarkAt 69 | 67=DbgSetAutoCommentAt 70 | 68=DbgSetAutoFunctionAt 71 | 69=DbgSetAutoLabelAt 72 | 70=DbgSetBookmarkAt 73 | 71=DbgSetCommentAt 74 | 72=DbgSetLabelAt 75 | 73=DbgSettingsUpdated 76 | 74=DbgStackCommentGet 77 | 75=DbgSymbolEnum 78 | 76=DbgValFromString 79 | 77=DbgValToString 80 | 78=GuiAddLogMessage 81 | 79=GuiAddRecentFile 82 | 80=GuiAddStatusBarMessage 83 | 81=GuiAutoCompleteAddCmd 84 | 82=GuiAutoCompleteClearAll 85 | 83=GuiAutoCompleteDelCmd 86 | 84=GuiDisasmAt 87 | 85=GuiDumpAt 88 | 86=GuiGetDisassembly 89 | 87=GuiGetLineWindow 90 | 88=GuiGetWindowHandle 91 | 89=GuiLogClear 92 | 90=GuiMenuAdd 93 | 91=GuiMenuAddEntry 94 | 92=GuiMenuAddSeparator 95 | 
93=GuiMenuClear 96 | 94=GuiReferenceAddColumn 97 | 95=GuiReferenceDeleteAllColumns 98 | 96=GuiReferenceGetCellContent 99 | 97=GuiReferenceGetRowCount 100 | 98=GuiReferenceReloadData 101 | 99=GuiReferenceSetCellContent 102 | 100=GuiReferenceSetProgress 103 | 101=GuiReferenceSetRowCount 104 | 102=GuiReferenceSetSearchStartCol 105 | 103=GuiReferenceSetSingleSelection 106 | 104=GuiRepaintTableView 107 | 105=GuiScriptAdd 108 | 106=GuiScriptClear 109 | 107=GuiScriptEnableHighlighting 110 | 108=GuiScriptError 111 | 109=GuiScriptMessage 112 | 110=GuiScriptMsgyn 113 | 111=GuiScriptSetInfoLine 114 | 112=GuiScriptSetIp 115 | 113=GuiScriptSetTitle 116 | 114=GuiSelectionGet 117 | 115=GuiSelectionSet 118 | 116=GuiSetDebugState 119 | 117=GuiSetLastException 120 | 118=GuiStackDumpAt 121 | 119=GuiSymbolLogAdd 122 | 120=GuiSymbolLogClear 123 | 121=GuiSymbolSetProgress 124 | 122=GuiSymbolUpdateModuleList 125 | 123=GuiUpdateAllViews 126 | 124=GuiUpdateBreakpointsView 127 | 125=GuiUpdateDisassemblyView 128 | 126=GuiUpdateDumpView 129 | 127=GuiUpdatePatches 130 | 128=GuiUpdateRegisterView 131 | 129=GuiUpdateSideBar 132 | 130=GuiUpdateThreadView 133 | 131=GuiUpdateWindowTitle 134 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/EXP/x32_dbg_ExPression.exp: -------------------------------------------------------------------------------- 1 | [ExPression] 2 | 0= 3 | 1=DllMain 4 | 2=_dbg_addrinfoget 5 | 3=_dbg_addrinfoset 6 | 4=_dbg_bpgettypeat 7 | 5=_dbg_dbgcmddirectexec 8 | 6=_dbg_dbgcmdexec 9 | 7=_dbg_dbgexitsignal 10 | 8=_dbg_dbginit 11 | 9=_dbg_functionoverlaps 12 | 10=_dbg_getbplist 13 | 11=_dbg_getbranchdestination 14 | 12=_dbg_getregdump 15 | 13=_dbg_isdebugging 16 | 14=_dbg_isjumpgoingtoexecute 17 | 15=_dbg_memfindbaseaddr 18 | 16=_dbg_memisvalidreadptr 19 | 17=_dbg_memmap 20 | 18=_dbg_memread 21 | 19=_dbg_memwrite 22 | 20=_dbg_sendmessage 23 | 21=_dbg_valfromstring 24 | 22=_dbg_valtostring 25 | 23=_plugin_debugpause 26 | 
24=_plugin_debugskipexceptions 27 | 25=_plugin_logprintf 28 | 26=_plugin_logputs 29 | 27=_plugin_menuadd 30 | 28=_plugin_menuaddentry 31 | 29=_plugin_menuaddseparator 32 | 30=_plugin_menuclear 33 | 31=_plugin_registercallback 34 | 32=_plugin_registercommand 35 | 33=_plugin_unregistercallback 36 | 34=_plugin_unregistercommand 37 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/FindWindow_and_Time.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/FindWindow_and_Time.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/GODUP.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/GODUP.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/HideDebugger.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/HideDebugger.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/HideDebugger.ini: -------------------------------------------------------------------------------- 1 | [Options] 2 | Parameters=1110011 3 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/HideOD.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/HideOD.dll -------------------------------------------------------------------------------- 
/OllyDbg/Plugins/HookLibraryx86.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/HookLibraryx86.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/Invalid_HandleException.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/Invalid_HandleException.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/Invisible.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/Invisible.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/IsDebug.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/IsDebug.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/Jumper.ini: -------------------------------------------------------------------------------- 1 | 2 | MessageBoxW 3 | 401000 4 | GetProcAddress+9 5 | CloseHandle 6 | ZwOpenKey 7 | NtOpenFile 8 | NtOpenKey 9 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/Jumper2.DLL: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/Jumper2.DLL -------------------------------------------------------------------------------- 
/OllyDbg/Plugins/LabelArgsOlly2.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/LabelArgsOlly2.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/Labeler.def: -------------------------------------------------------------------------------- 1 | struct RECT { 2 | LONG left; 3 | LONG top; 4 | LONG right; 5 | LONG bottom; 6 | }; 7 | 8 | struct SIZE { 9 | LONG cx; 10 | LONG cy; 11 | }; 12 | 13 | struct POINT { 14 | LONG x; 15 | LONG y; 16 | }; 17 | 18 | struct LOGFONT { 19 | LONG lfHeight; 20 | LONG lfWidth; 21 | LONG lfEscapement; 22 | LONG lfOrientation; 23 | LONG lfWeight; 24 | BYTE lfItalic; 25 | BYTE lfUnderline; 26 | BYTE lfStrikeOut; 27 | BYTE lfCharSet; 28 | BYTE lfOutPrecision; 29 | BYTE lfClipPrecision; 30 | BYTE lfQuality; 31 | BYTE lfPitchAndFamily; 32 | TCHAR lfFaceName[32]; 33 | }; 34 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/Labeler.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/Labeler.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/Labeler.ini: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/Labeler.ini -------------------------------------------------------------------------------- /OllyDbg/Plugins/Labelmaster.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/Labelmaster.dll 
-------------------------------------------------------------------------------- /OllyDbg/Plugins/MD5Sniffer.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/MD5Sniffer.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/NonaWrite.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/NonaWrite.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/NtApiCollection.ini: -------------------------------------------------------------------------------- 1 | [060101000109_x64_0001A2C8] 2 | NtUserQueryWindow=00017EC0 3 | NtUserBuildHwndList=00015C70 4 | NtUserFindWindowEx=0000D6E0 5 | NtUserInternalGetWindowText=00018A80 6 | NtUserGetClassName=00013C60 7 | [060101000109_x86_0001B6ED] 8 | NtUserQueryWindow=00016915 9 | NtUserBuildHwndList=000193F6 10 | NtUserFindWindowEx=000167DD 11 | NtUserInternalGetWindowText=00021E4F 12 | NtUserGetClassName=00018289 13 | [060101000100_x86_0001D711] 14 | NtUserQueryWindow=00015BAA 15 | NtUserBuildHwndList=000134D3 16 | NtUserFindWindowEx=0000B851 17 | [060200000109_x86_0000FB8E] 18 | NtUserQueryWindow=00008E2C 19 | NtUserBuildHwndList=0000C845 20 | NtUserFindWindowEx=0000C1B9 21 | [060200000109_x64_000057B0] 22 | NtUserQueryWindow=00003200 23 | NtUserBuildHwndList=00008470 24 | NtUserFindWindowEx=00005260 25 | [050103000100_x86_0000B217] 26 | NtUserQueryWindow=000086DB 27 | NtUserBuildHwndList=0001A59A 28 | NtUserFindWindowEx=0001C7AC 29 | NtUserInternalGetWindowText=0001C5D0 30 | NtUserGetClassName=00019D3F 31 | [060200000109_x86_0000F611] 32 | NtUserQueryWindow=00008FEF 33 | NtUserBuildHwndList=0000DE9D 34 | NtUserFindWindowEx=00008C66 35 | 
NtUserInternalGetWindowText=0002110C 36 | NtUserGetClassName=0000A274 37 | [060200000109_x64_00007E54] 38 | NtUserQueryWindow=00006AF0 39 | NtUserBuildHwndList=0000C3A0 40 | NtUserFindWindowEx=00006CF0 41 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/OD2ExPlug.DLL: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/OD2ExPlug.DLL -------------------------------------------------------------------------------- /OllyDbg/Plugins/OD2ExPlug.ini: -------------------------------------------------------------------------------- 1 | [OD2-ExPlug] 2 | Notepad=C:\windows\notepad.exe 3 | Calc= 4 | HashTool= 5 | Taskmgr=C:\windows\system32\taskmgr.exe 6 | RegTool= 7 | Replace Char(0) by Space=0 8 | Replace Char(0) by Endline(\n)=1 9 | Not Replace=0 10 | Enable Counter=1 11 | Allow Count In CPU Dissam=0 12 | Enable Icon BTN=0 13 | Maximize OllyDbg On Open=0 14 | OllyDBG XPStyle(+Manifest)=1 15 | Always Fix ASM Code=1 16 | Always Export BPs 4LCB Plugin=1 17 | Allow Edit Import Comment From MAP=1 18 | Auto Insert Module Labels=1 19 | Registered Hotkey(H Key)=1 20 | Show Rectangle HWBP Window=0 21 | Close Expression Dlg When Enter=1 22 | OPPRECT=259 135 791 388 23 | HWPRECT=1066 468 1320 571 24 | HAPRECT=0 0 0 0 25 | IMPRECT=492 248 870 426 26 | LBPRECT=0 0 0 0 27 | TBPRECT=0 0 0 0 28 | AHPRECT=0 0 0 0 29 | EXPRECT=0 0 0 0 30 | REPRECT=0 0 0 0 31 | CTPRECT=860 96 1308 634 32 | Open Label Manager Table=54 (Include: 54 = Ctrl + Shift + T / 4F = Ctrl + Shift + O) 33 | Set Label Hardware Breakpoint=34 (Include: 34 = Shift + 4 / 48 = Shift + H) 34 | Set CPUDisasm Memory Breakpoint=34 3801000 (Include: 34 = Shift + 4 / 20 = Shift + Space / Change To Disable, 3801000=Execution) 35 | Set CPUDump Memory Breakpoint=34 3E01000 (Include: 34 = Shift + 4 / 4D = Shift + M / Change To Disable, 
3601000=Read-Write Access / 3E01000=All) 36 | MAP File=C:\TEST_IDR.MAP 37 | UpdateURL=http://crackertool.tk/upplugin/check-update.php 38 | ;if the host is down :( try -> http://cracketool.tk.hostinghood.com/upplugin/check-update.php (note: both update URLs are plain http://, so anything fetched from them is neither encrypted nor authenticated in transit; treat the response as untrusted) 39 | 40 | [Customize Tools] 41 | 01= 42 | 02= 43 | 03= 44 | 04= 45 | 05= 46 | 06= 47 | 07= 48 | 08= 49 | 09= 50 | 10= 51 | 11= 52 | 12= 53 | 13= 54 | 14= 55 | 15= 56 | 16= 57 | 17= 58 | 18= 59 | 19= 60 | 20= 61 | ;.. Maximize= 20 62 | 63 | [HotKey] 64 | "1" Key=1 65 | "2" Key=1 66 | "," Key=1 67 | "." Key=1 68 | "/" Key=1 69 | "`" Key=1 70 | "[" Key=1 71 | "]" Key=1 72 | "Ctrl+Alt+Minus /" Key=1 73 | "Ctrl+Alt+Minus *" Key=1 74 | 75 | [Hint] 76 | HintParam=88 0 300000 (Include: %i=Range Of Hint, %i: 1=Enable - 0=Disable , %i = Delay Timer - Delay Timer Must > 4999) 77 | 00=-*- OD2-ExPlug -*- " Esc " [All MDIWindows] Go To Origin [EIP] 78 | 01=-*- OD2-ExPlug -*- " [ " [CPU Disasm] Go To START Of Function 79 | 02=-*- OD2-ExPlug -*- " ] " [CPU Disasm] Go To END Of Function 80 | 03=-*- OD2-ExPlug -*- " , " To Copy BYTE 81 | 04=-*- OD2-ExPlug -*- " . 
" To Copy WORD 82 | 05=-*- OD2-ExPlug -*- " / " To Copy DWORD 83 | 06=-*- OD2-ExPlug -*- " Gray / " To Set NETWORK Bps Group 84 | 07=-*- OD2-ExPlug -*- " Gray * " To Set Malware Bps Group 85 | 08=-*- OD2-ExPlug -*- " H " To Register/UnRegister HotKey 86 | 09=-*- OD2-ExPlug -*- " ` " [CPUDisasm & CPUDump & CPUStack] To Copy Address 87 | 10=-*- OD2-ExPlug -*- " 1 " [CPU Disasm & MDIWindows] To Open Notepad (Hold 200ms) 88 | 11=-*- OD2-ExPlug -*- " 2 " [CPU Disasm & MDIWindows] To Open Calculator (Hold 200ms) 89 | 12=-*- OD2-ExPlug -*- " Ctrl+Alt+O " Copy File Offset 90 | 13=-*- OD2-ExPlug -*- " Ctrl+Shift+H " [CPU Disasm] Open ASC-II Hint 91 | 14=-*- OD2-ExPlug -*- " Ctrl+Shift+B " [CPU Disasm] Open ByteCounter 92 | 15=-*- OD2-ExPlug -*- " Ctrl+Shift+E " [Label Master] Add New Label 93 | 16=-*- OD2-ExPlug -*- " Ctrl+Shift+G " [Label Master] Search By Google 94 | 17=-*- OD2-ExPlug -*- " Ctrl+D " [CPU Dump] Follow In Dump 95 | 18=-*- OD2-ExPlug -*- " Ctrl+Alt+D " [CPU Dump] Follow In Disassembler 96 | 19=-*- OD2-ExPlug -*- " Ctrl+Alt+C " [CPU Dump] Create DumpWindow 97 | 20=-*- OD2-ExPlug -*- " Ctrl+Alt+A " Copy ANSI String 98 | 21=-*- OD2-ExPlug -*- " Ctrl+Alt+W " Copy WIDE String 99 | 22=-*- OD2-ExPlug -*- " Ctrl+Z " Open ReverseHex 100 | 23=-*- OD2-ExPlug -*- " Ctrl+Alt+Z " [CPU Dump] Open MiNiHash (Sniff Data) 101 | 24=-*- OD2-ExPlug -*- " Ctrl+Shift+T/Ctrl+Shift+O " [Label Master] Open Label Table 102 | 25=-*- OD2-ExPlug -*- " Shift+3 " [Label Manager] Set/Remove INT3 Breakpoint 103 | 26=-*- OD2-ExPlug -*- " Shift+4/Shift+H " [Label Manager] Set/Remove Hard Breakpoint On Execution 104 | 27=-*- OD2-ExPlug -*- " Shift+S " [Label Manager] Search All Labels 105 | 28=-*- OD2-ExPlug -*- " Shift+W " [Label Manager] View Label In CPUDisasm 106 | 29=-*- OD2-ExPlug -*- " Shift+O " [Label Manager] Copy File Offset 107 | 30=-*- OD2-ExPlug -*- " Alt+Insert " [Label Manager] Copy Address To Clipboard 108 | 31=-*- OD2-ExPlug -*- " Shift+4/Shift+Space " [CPU Disasm] Set/Remove 
Memory Breakpoint On Execution/Setting 109 | 32=-*- OD2-ExPlug -*- " Shift+4/Shift+M " [CPU Dump] Set/Remove Memory Breakpoint On Read-Write/Setting 110 | 33=-*- OD2-ExPlug -*- " BTN VP " [Left Click] Open Victim Path 111 | 34=-*- OD2-ExPlug -*- " BTN VP " [Right Click] Copy Victim Path 112 | 35=-*- OD2-ExPlug -*- " BTN OP " [Left Click] Open OllyDbg Path 113 | 36=-*- OD2-ExPlug -*- " BTN OP " [Right Click] Copy OllyDbg Path 114 | 37=-*- OD2-ExPlug -*- " BTN RE " [Left Click] Run Regedit 115 | 38=-*- OD2-ExPlug -*- " BTN RE " [Right Click] Run External Register Tool[File 5] 116 | 39=-*- OD2-ExPlug -*- " BTN H " Open Hardware Manager 117 | 40=-*- OD2-ExPlug -*- " BTN I " [Left Click] Import Labels And Comments 118 | 41=-*- OD2-ExPlug -*- " BTN I " [Right Ckick] Import Labels 119 | 42=-*- OD2-ExPlug -*- " Ctrl+D " [Label Master] Follow In Dump Adress Of Label 120 | 43=-*- OllyGraph -*- " Ctrl+Shift+F " [CPU Disasm] General Function Flowchart 121 | 44=-*- Multiasm -*- " Ctrl+Shift+M " [CPU Disasm] Multiline Ultimate Assembler (Sniff Code) 122 | 45=-*- Multiasm -*- " Ctrl+M " [Main Menu] Open Multiline Ultimate Assembler 123 | 46=-*- OllyDbg -*- " Ctrl+T " Set Condition To Pause Run or Hit Trace 124 | 47=-*- OllyDbg -*- " Shift+F1 " Help On Command 125 | 48=-*- OllyDbg -*- " Ctrl+F1 " Help On API Function 126 | 49=-*- OllyDbg -*- " Ctrl+N " Search For All Names 127 | 50=-*- OllyDbg -*- " Ctrl+F " [CPU Disasm/CPU Dump] Search Specify Commands(One Line) 128 | 51=-*- OllyDbg -*- " Ctrl+F7 " Trace Animate Into 129 | 52=-*- OllyDbg -*- " Ctrl+F8 " Trace Animate Over 130 | 53=-*- OllyDbg -*- " Ctrl+F11 " Trace Into 131 | 54=-*- OllyDbg -*- " Ctrl+F12 " Trace Over 132 | 55=-*- OllyDbg -*- " Ctrl+F9 " Return To Till Execute code 133 | 56=-*- OllyDbg -*- " F11 " Run Thread Only 134 | 57=-*- OllyDbg -*- " F5 " Show Maximize Window 135 | 58=-*- OllyDbg -*- " Alt+F5 " Always On Top 136 | 59=-*- OllyDbg -*- " F6 " Previous Open Window 137 | 60=-*- OllyDbg -*- " Shift+F6 " Next Open 
Window 138 | 61=-*- OllyDbg -*- " Ctrl+Insert " Binary Copy 139 | 62=-*- OllyDbg -*- " Shift+Insert " Binary Paste 140 | 63=-*- OllyDbg -*- " Shift+F4 " [CPU Disasm] Breakpoint Condition Logs 141 | 64=-*- OllyDbg -*- " F4 " [CPU Disasm] Run To Selection 142 | 65=-*- OllyDbg -*- " Alt+Y " [CPU Disasm] Open Memory Breakpoint Window 143 | 66=-*- OllyDbg -*- " Ctrl+T " [Main Menu] Set Trace Condition 144 | 67=-*- OllyDbg -*- " Ctrl+P " [Main Menu] Set Trace Commands Protocolled 145 | 68=-*- OllyDbg -*- " Ctrl+F " [CPU Disasm/CPU Dump] Search Specify Commands(One Line) 146 | 69=-*- OllyDbg -*- " Ctrl+B " [CPU Disasm/CPU Dump] Search Binary String 147 | 70=-*- OllyDbg -*- " Ctrl+L " [All MDIWindows] Search Again 148 | 71=-*- OllyDbg -*- " Ctrl+Shift+L " [All MDIWindows] Search Reverse 149 | 72=-*- OllyDbg -*- " Alt+R " [All MDIWindows] Open References Window 150 | 73=-*- OllyDbg -*- " Ctrl+E " [CPU Disasm/CPU Dump...] Binary Edit 151 | 74=-*- OllyDbg -*- " Shift+F5 " [CPU Disasm/CPU Dump] Open Hardware Breakpoint Window 152 | 75=-*- OllyDbg -*- " Ctrl+F5 " [CPU Disasm/CPU Dump] Open Hardware Breakpoint Condition Log.. 153 | 76=-*- OllyDbg -*- " Shift+F3 " [CPU Disasm/CPU Dump] Open Memory Breakpoint Window 154 | 77=-*- OllyDbg -*- " Ctrl+F3 " [CPU Disasm/CPU Dump] Open Memory Breakpoint Condition Log.. 155 | 78=-*- OllyDbg -*- " Shift+F2 " [CPU Disasm/CPU Dump] Set INT3 Conditional 156 | 79=-*- OllyDbg -*- " Shift+F4 " [CPU Disasm/CPU Dump] Open INT3 Condition Log.. 
157 | 80=-*- OD2-ExPlug -*- " Ctrl+Alt+U " [CPU Disasm/CPU Dump] Copy Unicode(string) 158 | 81=-*- OD2-ExPlug -*- " X " [CPU Dump] Open Table Exporter(Sniff Data) 159 | 82=-*- Python-loader -*- " Alt+F7 " [Main Menu] Load PyThon Script 160 | 83=-*- Python-loader -*- " Alt+F8 " [Main Menu] Open Command-Line Window 161 | 84=-*- OllyID -*- " Ctrl+S " [Main Menu] Find Signature of Protecter/Packer inside Main Module 162 | 85=-*- OllySpelunk -*- " Ctrl+Alt+C " [Main Menu] Find Code-Cave Inside Main Module 163 | 86=-*- OllyGraph -*- " Ctrl+Shift+F " [Main Menu] Generate Procedure Flow Graph 164 | 87=-*- OllyGraph -*- " Ctrl+Shift+C " [Main Menu] Generate Procedure Call Graph 165 | 88=-*- OllySocketTrace -*- " Ctrl+Shift+S " [Main Menu] Enable/Disable Socket Tracer 166 | 89=-*- OllySocketTrace -*- " Ctrl+Shift+L " [Main Menu] View Log 167 | 90=-*- OllyResourceRefs -*- " Ctrl+Shift+R " [Main Menu] Search For Resource References 168 | 91=-*- Your Plugin -*- " Shortcut/Something " [CPU Disasm] Something 169 | 170 | [OEPFinder] 171 | Always Show Find OEP Menu=1 172 | MingWin32 GCC 3.X-4.X=5589E583EC??C7042402000000FF15????????E8????????908DB426????????55++00 173 | Borland C++ Builder=EB1066623A432B2B484F--00 174 | Borland Delphi 7=558BEC83C4??B8????????E8??????????????????????E8????????8B??????????A1????????8B??8B??????????E8++00 175 | Borland Delphi 2009= 176 | Borland Delphi 2010=558BEC83C4????????????E8??????????????????????E8????????????A1????????8B??????????????EB++00 177 | FreePascal Lazarus 1.X-2.X= 178 | FreePascal Lazarus 1.X-2.X(x64)= 179 | Embarcadero Delphi XE.2= 180 | Embarcadero Delphi XE.3= 181 | Embarcadero Delphi XE.4=558BEC83C4????????????E8??????????????????????E8????????A1????????????B201E8++00 182 | Embarcadero Delphi XE.5= 183 | Embarcadero Delphi XE.6= 184 | Embarcadero Delphi XE.7= 185 | Microsoft Visual Basic 6.0=68????????E8????????00000000000030000000++00 186 | Microsoft Visual C++ 5/6.0=83????5356578965E8FF15????????33D28AD4--1D 187 | Microsoft 
Visual C++ 7.0=6A6068????????E8????????BF94??????8BC7E8??????????????????????56FF15++00 188 | Microsoft Visual C++ 8.0=C38B65E88B45D48945E4837DE000750650E8????????E8????????C745FCFEFFFFFF8B45E4EB1333C040C3++40 189 | Microsoft Visual C++ 9.0=C38B65E88B45DC8945E0837DE400750650E8????????E8????????C745FCFEFFFFFF8B45E0EB1333C040C3++40 190 | Microsoft Visual C++ 10.0=C3E8????????E9????????8BFF558BEC81EC28030000A3????????890D++01 191 | Microsoft Visual C++ 11.0= 192 | Microsoft Visual C++ 12.0= 193 | Microsoft Visual C++ 13.0= 194 | Microsoft Visual C++ 14.0= 195 | Microsoft MASM32[1]=C9C2????6A00E8????????A3????????++04 196 | Microsoft MASM32[2]=6A00E8????????A3????????E8????????6A??68????????6A??6A??FF35????????E8????????++00 197 | Microsoft MASM32[3]=6A00E8????????A3????????6A??68????????6A??68????????FF35????????E8????????++00 198 | 199 | [Help] 200 | HelpFile=D:\RE_Tools\WIN32.HLP 201 | PluginDir=.\\Plugins 202 | 203 | [LUAScript] 204 | File_Name=NIL 205 | Proc_Address=19C50 206 | Hook_Address=20 207 | 208 | [PyThonScript] 209 | File_Name=NIL 210 | Proc_Address=1223 211 | Hook_Address=NIL 212 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/ODbgScript.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/ODbgScript.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/Ollight.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/Ollight.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/OllyDump.dll: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/OllyDump.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/OllyDumpEx_Od20.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/OllyDumpEx_Od20.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/OllyGraph.old: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/OllyGraph.old -------------------------------------------------------------------------------- /OllyDbg/Plugins/OllyMSDN.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/OllyMSDN.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/OllyMoreMenu_1.5.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/OllyMoreMenu_1.5.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/OllyPlgn.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/OllyPlgn.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/OllyScript.dll: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/OllyScript.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/OllySnake.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/OllySnake.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/OllySpelunk.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/OllySpelunk.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/OllyStepNSearch.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/OllyStepNSearch.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/OllyTraceGraph.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/OllyTraceGraph.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/PSAPI.DLL: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/PSAPI.DLL -------------------------------------------------------------------------------- /OllyDbg/Plugins/ParentProcess.dll: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/ParentProcess.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/PuntosMagicos.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/PuntosMagicos.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/Push0x86Trace.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/Push0x86Trace.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/SICETricks.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/SICETricks.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/SIDT.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/SIDT.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/ScyllaHideOlly2.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/ScyllaHideOlly2.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/Traceapi.dll: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/Traceapi.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/TurboDebug.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/TurboDebug.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/UnhExcFlt.DLL: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/UnhExcFlt.DLL -------------------------------------------------------------------------------- /OllyDbg/Plugins/UnhandledExceptionFilter.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/UnhandledExceptionFilter.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/WatchMan.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/WatchMan.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/advancedolly.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/advancedolly.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/analyzethis.dll: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/analyzethis.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/antiAnti.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/antiAnti.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/attachanyway.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/attachanyway.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/cfg.ini: -------------------------------------------------------------------------------- 1 | [Tools] 2 | 1=32-bit ASM Calculator 1.4,C:\Program Files\OllyDbg 2.01 Official (Vic)\Tools\32-bit ASM Calculator 1.4\calc32.exe 3 | 2=Au3Info 3.0,C:\Program Files\OllyDbg 2.01 Official (Vic)\Tools\Auto3Info\Au3Info.exe 4 | 3=Hacker's Disassembler 1.06,C:\Program Files\OllyDbg 2.01 Official (Vic)\Tools\Hackers Disassembler 1.06\HDasm.exe 5 | 4=ArmaGeddon 1.9,C:\Program Files\OllyDbg 2.01 Official (Vic)\Tools\ArmaG3ddon v1.9\ArmaGeddon.exe 6 | 5=Mini Cracker Tool 1.1,C:\Program Files\OllyDbg 2.01 Official (Vic)\Tools\Mini_Cracker_Tools\Mini_Cracker_Tools.exe 7 | 6=Keygener Assistant 2.0.2,C:\Program Files\OllyDbg 2.01 Official (Vic)\Tools\Keygener Assistant v2.0.2\keyAssistant.exe 8 | 7=SnD Reverser Tool 1.4,C:\Program Files\OllyDbg 2.01 Official (Vic)\Tools\SnD Reverser Tool 1.4\SND_RT.exe 9 | 8=PE Tools 1.5 RC5,C:\Program Files\OllyDbg 2.01 Official (Vic)\Tools\PETools\PETools.exe 10 | 9=ChimpREC,C:\Program Files\OllyDbg 2.01 Official (Vic)\Tools\ChimpREC\CHimpREC.exe 11 | 10=DUP 2.26,C:\Program 
Files\OllyDbg 2.01 Official (Vic)\Tools\DUP\dup2.exe 12 | 11=AsmToMachineCode,C:\Program Files\OllyDbg 2.01 Official (Vic)\Tools\AsmToMachineCode\AsmToMachineCode.exe 13 | 12=ProcessHacker 2.33,C:\Program Files\Process Hacker 2\ProcessHacker.exe 14 | 13=HookShark 0.9,C:\Program Files\OllyDbg 2.01 Official (Vic)\Tools\HookShark 0.9\HookShark.exe 15 | 14=Resource Binder 2.1,C:\Program Files\OllyDbg 2.01 Official (Vic)\Tools\Resource Binder\Resource Binder 2.1.exe 16 | 15=Scylla v0.6,C:\Program Files\OllyDbg 2.01 Official (Vic)\Tools\Scylla v0.6\Scylla_x86.exe 17 | 16=API Monitor 2,C:\Program Files\rohitab.com\API Monitor\apimonitor-x86.exe 18 | 17=RSA Tool 2,C:\Program Files\OllyDbg 2.01 Official (Vic)\Tools\RSA Tools 2 1.7\RSATool2v17.exe 19 | 18=LookInside IA-32 & Intel 64,C:\Program Files\OllyDbg 2.01 Official (Vic)\Tools\LookInside IA-32 & Intel 64\LookInside.exe -------------------------------------------------------------------------------- /OllyDbg/Plugins/coderipper.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/coderipper.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/coderipper_readme.txt: -------------------------------------------------------------------------------- 1 | Ollydbg plugin - Code Ripper 1.2 2 | 3 | 26th February 2006 - Release 1.2 4 | 5 | - added option to insert a blank line before/after procedures and/or labels 6 | - fixed window handle bug 7 | - fixed handling of FFFFFFFx constants 8 | 9 | 10 | 31st January 2006 - first release 1.1 11 | 12 | Code Ripper is an easy way to rip disassembled assembler code from an app being debugged using Ollydbg. The ripped code can be formatted and saved in the syntax of the popular programming languages MASM, C/C++ (inline ASM) and Delphi (inline ASM). 
13 | 14 | Code Ripper prepares the disassembled code as far as possible for easy editing and compilation. The syntax of the ripped assembler statements conforms to the selected compiler syntax, but of course there are limits to what can be done to a ripped code snippet to fix all address and data references etc. so the code can be compiled. Some manual interpretation and fixing will usually be required. 15 | 16 | Features 17 | 18 | 1) Rips selected code from Ollydbg disassembler window and formats according to MASM, C/C++ (inline assembler) or Delphi (inline assembler) syntax. NOTE : Ideal (Borland) and HLA (Randall Hyde) assembler syntax should work too but have not been fully tested. 19 | 20 | 2) Ollydbg comments and user comments can be ripped with the code (option). 21 | 22 | 3) Code Ripper creates labels for call and jump destinations within the code snippet. The labels include the module name and assembler address value making it easier to cross reference those call/jump destinations back to the Ollydbg disassembler and debugged application. Symbolic addresses will be used where defined. 23 | 24 | 4) Where call/jumps and call/jump destinations are inside the code snippet, Code Ripper resolves the addresses and creates the labels with the correct language syntax. 25 | 26 | 5) Where call/jump destinations are outside the code snippet, Code Ripper will warn (option) that the address is not resolved. This makes it easier to identify other code snippets which are required or to fix those addresses manually before compiling. Calls to other modules and system APIs are identified by module name. If other code snippets are ripped, the call/jumps addresses and labelled destinations in one snippet will align with the call/jump addresses and labelled destinations in another. This makes it a lot easier to rip code snippets which may be at addresses scattered through a debugged app. 
In other words, a number of code snippets from one app can be more easily combined and compiled. 27 | 28 | 6) Unresolved jump and call destinations will need to be corrected by hand. Code Ripper flags (option) any unresolved addresses. Where necessary, labels are created which align with the assembler code addresses. 29 | 30 | 7) Procedure start and end statements (as analysed by Ollydbg) can be flagged (option) 31 | 32 | 8) Data references include module name and address making it easier to identify what data declarations are required to compile the code and to cross reference data references back to the debugged application. 33 | 34 | 9) Code and labels can be formatted (option) to indent a selected number of spaces (max 255). 35 | 36 | 10) Comments and warnings can be formatted (option) to start at a selected column (max 255) 37 | 38 | 11) Option to format code Upper/Lower case or as code is disassembled by Ollydbg 39 | 40 | 12) Option to insert a blank line before/after procedures and labels. 41 | 42 | 43 | NOTES 44 | 45 | 1) To install, copy CodeRipper.dll to the Ollydbg plugin directory 46 | 47 | 2) Code Ripper maintains settings between debugging sessions in the Ollydbg.ini file. Temporary data is stored in a file CodeRipper.tmp. 48 | 49 | 3) Code Ripper can rip code up to the Windows size limit. 50 | 51 | 4) For best results there are 3 Ollydbg disassembler options which should be set for Code Ripper 52 | 53 | Ollydbg Debugging Options - Disasm Tag 54 | 55 | - Disassembling syntax - select MASM (Microsoft) Note: Ideal (Borland) and HLA (Randall Hyde) should 56 | work but have not been fully tested 57 | - check "Show local module name" 58 | - check "Show symbolic addresses" 59 | 60 | other options can be set as required 61 | 62 | 63 | HELP 64 | 65 | Basic Use 66 | 67 | 1) Highlight the code to be ripped in the disassembler window of Ollydbg. 
68 | 69 | 2) Right click and select "Code Ripper" in the Ollydbg popup window 70 | 71 | 3) The Code Ripper dialog will popup with an empty file "untitled". (If the option "Rip code at launch" is set, the code is ripped immediately - skips step 4 and 5) 72 | 73 | 4) Select the "Settings" dialog and check the "Language" "Format" and other settings are ok. You can specify 74 | 75 | Language : ASM, C/C++, Delphi. 76 | Indent : The number of spaces to indent for Code and/or Labels can be set. (Max 255 spaces) 77 | Comments : If set, user and Ollydbg comments are copied over from the Ollydbg disassembler. 78 | Warnings : If set, Code Ripper flags any unresolved addresses, indicates the start and 79 | end of procedures and embedded data. 80 | Column : Specifies the column to be used for the start of Comments and Warnings 81 | Code Format : If set to "Ollydbg" the code is formatted upper or lower case as in the Olly disassembler 82 | window. The Code Ripper Upper or Lower Case setting overrides the Ollydbg format. 83 | Insert Line : Option to insert a blank line before and/or after procedures and labels. 84 | 85 | 5) Press "Rip Code" and the app code will be ripped and formatted into a Code Ripper file. 86 | 87 | 6) Code Ripper provides basic "richedit" editing functions. After any editing, merging with other files etc is done, save the ripped code file. Code Ripper window also supports "drag and drop". 88 | 89 | 7) If you want to change the programming language, indent, Comments, warnings etc, open up the "Settings" dialog. New settings can be saved or applied to the ripped code. Settings are remembered for the next Code Ripper launch. 90 | 91 | 8) Code Ripper will warn you if you want to change any file that is already ripped without saving the code. This warning can be turned off under the "Settings" menu. 92 | 93 | 9) Close Code Ripper. 94 | 95 | 96 | Thanks to diablo2oo2 for beta testing and suggestions for improvements. 
97 | 98 | 99 | Report any problems to http://www.sndforum.da.ru 100 | 101 | 102 | Ziggy 103 | January 2006 104 | 105 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/dumpsig.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/dumpsig.exe -------------------------------------------------------------------------------- /OllyDbg/Plugins/extracopy.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/extracopy.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/file_id.diz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/file_id.diz -------------------------------------------------------------------------------- /OllyDbg/Plugins/findcrypt.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/findcrypt.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/hashsniffer.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/hashsniffer.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/multiasm/1.asm: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/multiasm/1.asm -------------------------------------------------------------------------------- /OllyDbg/Plugins/multiasm/tabs.ini: -------------------------------------------------------------------------------- 1 | [tabs] 2 | tabs_counter=1 3 | tabs_last_open=0 4 | tabs_file[0]=1 5 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/multiasm_odbg2.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/multiasm_odbg2.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/olly_bp_man.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/olly_bp_man.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/olly_hardware_breakpoint.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/olly_hardware_breakpoint.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/olly_polymorphic_breakpoint.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/olly_polymorphic_breakpoint.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/ollyadvanced.chm: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/ollyadvanced.chm -------------------------------------------------------------------------------- /OllyDbg/Plugins/ollygraph.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/ollygraph.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/ollyvbhelper.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/ollyvbhelper.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/qwingraph.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/qwingraph.exe -------------------------------------------------------------------------------- /OllyDbg/Plugins/scylla_hide.ini: -------------------------------------------------------------------------------- 1 | [SETTINGS] 2 | CurrentProfile=m4n0w4r 3 | [VMProtect x86/x64] 4 | BlockInputHook=0 5 | DLLNormal=1 6 | DLLStealth=0 7 | DLLUnload=1 8 | GetLocalTimeHook=0 9 | GetSystemTimeHook=0 10 | GetTickCount64Hook=0 11 | GetTickCountHook=0 12 | KiUserExceptionDispatcherHook=0 13 | NtCloseHook=1 14 | NtContinueHook=0 15 | NtCreateThreadExHook=0 16 | NtGetContextThreadHook=0 17 | NtQueryInformationProcessHook=1 18 | NtQueryObjectHook=1 19 | NtQueryPerformanceCounterHook=0 20 | NtQuerySystemInformationHook=0 21 | NtQuerySystemTimeHook=0 22 | NtSetContextThreadHook=0 23 | NtSetDebugFilterStateHook=0 24 | NtSetInformationThreadHook=0 25 | NtUserBuildHwndListHook=0 26 | 
NtUserFindWindowExHook=0 27 | NtUserQueryWindowHook=0 28 | NtYieldExecutionHook=0 29 | OutputDebugStringHook=0 30 | PebBeingDebugged=1 31 | PebHeapFlags=1 32 | PebNtGlobalFlag=1 33 | PebStartupInfo=1 34 | PreventThreadCreation=0 35 | RemoveDebugPrivileges=0 36 | AutostartServer=1 37 | ServerPort=1337 38 | BreakOnTLS=1 39 | FixOllyBugs=1 40 | RemoveEPBreak=1 41 | SkipEPOutsideCode=1 42 | X64Fix=1 43 | WindowTitle=VMP 44 | [Obsidium x86] 45 | BlockInputHook=0 46 | DLLNormal=1 47 | DLLStealth=0 48 | DLLUnload=1 49 | GetLocalTimeHook=0 50 | GetSystemTimeHook=0 51 | GetTickCount64Hook=0 52 | GetTickCountHook=0 53 | KiUserExceptionDispatcherHook=0 54 | NtCloseHook=1 55 | NtContinueHook=0 56 | NtCreateThreadExHook=0 57 | NtGetContextThreadHook=0 58 | NtQueryInformationProcessHook=1 59 | NtQueryObjectHook=0 60 | NtQueryPerformanceCounterHook=0 61 | NtQuerySystemInformationHook=1 62 | NtQuerySystemTimeHook=0 63 | NtSetContextThreadHook=0 64 | NtSetDebugFilterStateHook=0 65 | NtSetInformationThreadHook=0 66 | NtUserBuildHwndListHook=1 67 | NtUserFindWindowExHook=1 68 | NtUserQueryWindowHook=0 69 | NtYieldExecutionHook=0 70 | OutputDebugStringHook=0 71 | PebBeingDebugged=1 72 | PebHeapFlags=1 73 | PebNtGlobalFlag=1 74 | PebStartupInfo=1 75 | PreventThreadCreation=0 76 | RemoveDebugPrivileges=0 77 | AutostartServer=1 78 | ServerPort=1337 79 | BreakOnTLS=1 80 | FixOllyBugs=1 81 | RemoveEPBreak=0 82 | SkipEPOutsideCode=1 83 | X64Fix=1 84 | WindowTitle=Obsidium 85 | [Themida x86] 86 | BlockInputHook=0 87 | DLLNormal=1 88 | DLLStealth=0 89 | DLLUnload=1 90 | GetLocalTimeHook=0 91 | GetSystemTimeHook=0 92 | GetTickCount64Hook=0 93 | GetTickCountHook=0 94 | KiUserExceptionDispatcherHook=0 95 | NtCloseHook=0 96 | NtContinueHook=0 97 | NtCreateThreadExHook=0 98 | NtGetContextThreadHook=0 99 | NtQueryInformationProcessHook=1 100 | NtQueryObjectHook=0 101 | NtQueryPerformanceCounterHook=0 102 | NtQuerySystemInformationHook=1 103 | NtQuerySystemTimeHook=0 104 | NtSetContextThreadHook=0 
105 | NtSetDebugFilterStateHook=0 106 | NtSetInformationThreadHook=0 107 | NtSetInformationProcessHook=0 108 | NtUserBuildHwndListHook=1 109 | NtUserFindWindowExHook=1 110 | NtUserQueryWindowHook=1 111 | NtYieldExecutionHook=0 112 | OutputDebugStringHook=0 113 | PebBeingDebugged=1 114 | PebHeapFlags=1 115 | PebNtGlobalFlag=1 116 | PebStartupInfo=1 117 | PreventThreadCreation=0 118 | RemoveDebugPrivileges=0 119 | AutostartServer=1 120 | ServerPort=1337 121 | BreakOnTLS=1 122 | FixOllyBugs=1 123 | RemoveEPBreak=0 124 | SkipEPOutsideCode=1 125 | X64Fix=1 126 | WindowTitle=Themida 127 | [Armadillo x86] 128 | BlockInputHook=0 129 | DLLNormal=1 130 | DLLStealth=0 131 | DLLUnload=1 132 | GetLocalTimeHook=0 133 | GetSystemTimeHook=0 134 | GetTickCount64Hook=0 135 | GetTickCountHook=0 136 | KiUserExceptionDispatcherHook=0 137 | NtCloseHook=1 138 | NtContinueHook=0 139 | NtCreateThreadExHook=0 140 | NtGetContextThreadHook=0 141 | NtQueryInformationProcessHook=0 142 | NtQueryObjectHook=0 143 | NtQueryPerformanceCounterHook=0 144 | NtQuerySystemInformationHook=0 145 | NtQuerySystemTimeHook=0 146 | NtSetContextThreadHook=0 147 | NtSetDebugFilterStateHook=0 148 | NtSetInformationThreadHook=0 149 | NtSetInformationProcessHook=0 150 | NtUserBuildHwndListHook=0 151 | NtUserFindWindowExHook=0 152 | NtUserQueryWindowHook=0 153 | NtYieldExecutionHook=0 154 | OutputDebugStringHook=1 155 | PebBeingDebugged=1 156 | PebHeapFlags=1 157 | PebNtGlobalFlag=1 158 | PebStartupInfo=1 159 | PreventThreadCreation=0 160 | RemoveDebugPrivileges=0 161 | AutostartServer=1 162 | ServerPort=1337 163 | BreakOnTLS=0 164 | FixOllyBugs=1 165 | RemoveEPBreak=0 166 | SkipEPOutsideCode=1 167 | X64Fix=1 168 | WindowTitle=Armadillo 169 | [m4n0w4r] 170 | BlockInputHook=0 171 | DLLNormal=1 172 | DLLStealth=0 173 | DLLUnload=1 174 | GetLocalTimeHook=0 175 | GetSystemTimeHook=0 176 | GetTickCount64Hook=0 177 | GetTickCountHook=0 178 | KiUserExceptionDispatcherHook=0 179 | NtCloseHook=1 180 | NtContinueHook=0 181 | 
NtCreateThreadExHook=0 182 | NtGetContextThreadHook=0 183 | NtQueryInformationProcessHook=0 184 | NtQueryObjectHook=0 185 | NtQueryPerformanceCounterHook=0 186 | NtQuerySystemInformationHook=0 187 | NtQuerySystemTimeHook=0 188 | NtSetContextThreadHook=0 189 | NtSetDebugFilterStateHook=0 190 | NtSetInformationThreadHook=0 191 | NtSetInformationProcessHook=0 192 | NtUserBuildHwndListHook=0 193 | NtUserFindWindowExHook=0 194 | NtUserQueryWindowHook=0 195 | NtYieldExecutionHook=0 196 | OutputDebugStringHook=1 197 | PebBeingDebugged=1 198 | PebHeapFlags=1 199 | PebNtGlobalFlag=1 200 | PebStartupInfo=1 201 | PreventThreadCreation=0 202 | RemoveDebugPrivileges=0 203 | KillAntiAttach=0 204 | AutostartServer=1 205 | ServerPort=1337 206 | BreakOnTLS=0 207 | FixOllyBugs=1 208 | RemoveEPBreak=0 209 | SkipEPOutsideCode=1 210 | X64Fix=1 211 | WindowTitle=m4n0w4r 212 | advancedGoto=0 213 | ignoreBadPEImage=0 214 | skipCompressedDoAnalyze=0 215 | skipCompressedDoNothing=0 216 | skipLoadDllDoLoad=0 217 | skipLoadDllDoNothing=0 218 | -------------------------------------------------------------------------------- /OllyDbg/Plugins/sleeppReadme.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/sleeppReadme.txt -------------------------------------------------------------------------------- /OllyDbg/Plugins/snd.nfo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/snd.nfo -------------------------------------------------------------------------------- /OllyDbg/Plugins/stayontop.dll: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/stayontop.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/ustrref.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/ustrref.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/windowjuggler.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/windowjuggler.dll -------------------------------------------------------------------------------- /OllyDbg/Plugins/xADT_ap0x.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/OllyDbg/Plugins/xADT_ap0x.dll -------------------------------------------------------------------------------- /OllyDbg/Theme/ollydbg.ini: -------------------------------------------------------------------------------- 1 | [Settings] 2 | Check DLL versions=0 3 | Show toolbar=1 4 | Status in toolbar=0 5 | Use hardware breakpoints to step=0 6 | Restore windows=45 7 | Scroll MDI=0 8 | Horizontal scroll=0 9 | Topmost window=0 10 | Index of default font=1 11 | Index of default colours=0 12 | Index of default syntax highlighting=0 13 | Log buffer size index=0 14 | Run trace buffer size index=1 15 | Group adjacent commands in profile=1 16 | Highlighted trace register=-1 17 | IDEAL disassembling mode=0 18 | Disassemble in lowercase=0 19 | Separate arguments with TAB=0 20 | Extra space between arguments=0 21 | Show default segments=1 22 | NEAR jump modifiers=0 23 | Use short form of string commands=0 24 | Use 
RET instead of RETN=0 25 | Size sensitive mnemonics=1 26 | SSE size decoding mode=0 27 | Top of FPU stack=1 28 | Always show memory size=1 29 | Decode registers for any IP=0 30 | Show symbolic addresses=1 31 | Show local module names=1 32 | Gray data used as filling=1 33 | Show jump direction=1 34 | Show jump path=1 35 | Show jumpfrom path=1 36 | Show path if jump is not taken=1 37 | Underline fixups=1 38 | Center FOLLOWed command=0 39 | Show stack frames=1 40 | Show local names in stack=1 41 | Extended stack trace=0 42 | Synchronize source with CPU=0 43 | Include SFX extractor in code=0 44 | SFX trace mode=0 45 | Use real SFX entry from previous run=1 46 | Ignore SFX exceptions=0 47 | First pause=2 48 | Stop on new DLL=0 49 | Stop on DLL unload=0 50 | Stop on new thread=0 51 | Stop on thread end=0 52 | Stop on debug string=0 53 | Decode SSE registers=0 54 | Enable last error=1 55 | Ignore access violations in KERNEL32=1 56 | Ignore INT3=0 57 | Ignore TRAP=0 58 | Ignore access violations=0 59 | Step in unknown commands=0 60 | Ignore division by 0=0 61 | Ignore illegal instructions=0 62 | Ignore all FPU exceptions=0 63 | Warn when frequent breaks=0 64 | Warn when break not in code=1 65 | Autoreturn=0 66 | Save original command in trace=0 67 | Show traced ESP=0 68 | Show traced flags=0 69 | Animate over system DLLs=0 70 | Trace over string commands=0 71 | Synchronize CPU and Run trace=0 72 | Ignore custom exceptions=0 73 | Smart update=1 74 | Set high priority=1 75 | Append arguments=1 76 | Use ExitProcess=1 77 | Allow injection to get WinProc=0 78 | Sort WM_XXX by name=0 79 | Type of last WinProc breakpoint=0 80 | Snow-free drawing=0 81 | Demangle symbolic names=0 82 | Keep ordinal in name=1 83 | Only ASCII printable in dump=0 84 | Allow diacritical symbols=0 85 | String decoding=0 86 | Warn if not administrator=1 87 | Warn when terminating process=1 88 | Align dialogs=1 89 | Use font of calling window=0 90 | Specified dialog font=0 91 | Number of lines that follow 
EIP=0 92 | Restore window positions=1 93 | Restore width of columns=0 94 | Highlight sorted column=0 95 | Compress analysis data=1 96 | Backup UDD files=1 97 | Fill rest of command with NOPs=1 98 | Reference search mode=0 99 | Global search=1 100 | Aligned search=0 101 | Allow error margin=0 102 | Keep size of hex edit selection=1 103 | Modify tag of FPU register=1 104 | Hex inspector limits=1 105 | MMX display mode=0 106 | Last selected options card=10 107 | Last selected appearance card=5 108 | Ignore case in text search=1 109 | Letter key in Disassembler=1 110 | Looseness of code analysis=1 111 | Decode pascal strings=1 112 | Guess number of arguments=1 113 | Accept far calls and returns=0 114 | Accept direct segment modifications=0 115 | Decode VxD calls=0 116 | Accept privileged commands=0 117 | Accept I/O commands=0 118 | Accept NOPs=1 119 | Accept shifts out of range=0 120 | Accept superfluous prefixes=0 121 | Accept LOCK prefixes=0 122 | Accept unaligned stack operations=1 123 | Accept non-standard command forms=1 124 | Show ARG and LOCAL in procedures=0 125 | Save analysis to file=1 126 | Analyse main module automatically=1 127 | Analyse code structure=1 128 | Decode ifs as switches=0 129 | Save trace to file=0 130 | Trace contents of registers=1 131 | Functions preserve registers=0 132 | Decode tricks=0 133 | Automatically select register type=0 134 | Show decoded arguments=1 135 | Show decoded arguments in stack=1 136 | Show arguments in call stack=1 137 | Show induced calls=1 138 | Label display mode=0 139 | Label includes module name=0 140 | Highlight symbolic labels=0 141 | Highlight RETURNs in stack=1 142 | Ignore path in user data file=0 143 | Ignore timestamp in user data file=1 144 | Ignore CRC in user data file=0 145 | Default sort mode in Names=1 146 | Save out-of-module user data=0 147 | Tabulate columns in log file=0 148 | Append data to existing log file=0 149 | Flush gathered data to log file=0 150 | Skip spaces in source comments=1 151 | 
Hide non-existing source files=0 152 | Tab stops=8 153 | File graph mode=2 154 | Show internal handle names=0 155 | Hide irrelevant handles=0 156 | [Plugin Bookmarks] 157 | Restore bookmarks window=0 158 | [Plugin Command line] 159 | Restore command line window=0 160 | [Placement] 161 | OllyTest=726,127,640,480,1 162 | CPU=0,0,522,370,3 163 | CPU subwindows=325,500,319,500,535,891,497,892 164 | Breakpoints=26,26,506,187,1 165 | Log data=78,78,386,232,1 166 | Memory map=838,92,398,187,1 167 | References=78,78,626,142,1 168 | Source=130,130,380,219,1 169 | Executable modules=104,104,644,187,1 170 | [History] 171 | View file= 172 | View text file= 173 | Object file= 174 | Import library= 175 | Log file=log.txt 176 | Run trace file=rtrace.txt 177 | API help file= 178 | Text save file= 179 | Symbolic data path=C:\OllyDbg 180 | UDD path=C:\OllyDbg 181 | Plugin path=C:\OllyDbg 182 | Executable[1]= 183 | Executable[2]= 184 | Executable[3]= 185 | Executable[4]= 186 | Executable[5]= 187 | Executable[0]= 188 | [Colours] 189 | Scheme[0]=10,12,18,0,5,10,13,13 190 | Scheme name[0]=HasanHK 191 | Scheme[1]=14,12,7,1,3,7,3,13 192 | Scheme name[1]=Yellow on blue 193 | Scheme[2]=1,12,3,11,14,2,7,13 194 | Scheme name[2]=Marine 195 | Scheme[3]=15,12,10,0,9,12,7,13 196 | Scheme name[3]=Mostly black 197 | Scheme[4]=0,12,8,18,4,8,7,13 198 | Scheme name[4]=Scheme 4 199 | Scheme[5]=14,12,7,1,3,7,3,13 200 | Scheme name[5]=Scheme 5 201 | Scheme[6]=1,12,3,11,8,2,7,13 202 | Scheme name[6]=Scheme 6 203 | Scheme[7]=15,12,7,0,8,11,7,13 204 | Scheme name[7]=Scheme 7 205 | [Fonts] 206 | Font[0]=12,8,400,0,0,0,255,2,49,0 207 | Face name[0]=Terminal 208 | Font name[0]=OEM fixed font 209 | Font[1]=9,6,700,0,0,0,255,0,48,1 210 | Face name[1]=Terminal 211 | Font name[1]=Terminal 6 212 | Font[2]=15,8,400,0,0,0,0,2,49,0 213 | Face name[2]=Fixedsys 214 | Font name[2]=System fixed font 215 | Font[3]=14,0,400,0,0,0,1,2,5,0 216 | Face name[3]=Courier New 217 | Font name[3]=Courier (UNICODE) 218 | 
Font[4]=10,6,400,0,0,0,1,2,5,0 219 | Face name[4]=Lucida Console 220 | Font name[4]=Lucida (UNICODE) 221 | Font[5]=9,6,700,0,0,0,255,0,48,0 222 | Face name[5]=Terminal 223 | Font name[5]=Font 5 224 | Font[6]=15,8,400,0,0,0,0,2,49,0 225 | Face name[6]=Fixedsys 226 | Font name[6]=Font 6 227 | Font[7]=14,0,400,0,0,0,1,2,5,0 228 | Face name[7]=Courier New 229 | Font name[7]=Font 7 230 | [Syntax] 231 | Commands[1]=10,7,12,12,14,12,11,13,96,7,14,0,0,0 232 | Operands[1]=1,7,7,7,13,14,10,11,0,0,0,0,0,0 233 | Scheme name[1]=HasanHK 234 | Commands[5]=0,0,0,0,0,0,0,0,0,0,0,0,0,0 235 | Operands[5]=0,0,0,0,0,0,0,0,0,0,0,0,0,0 236 | Scheme name[5]=No highlighting 237 | Commands[0]=0,0,0,0,0,0,0,0,0,0,0,0,0,0 238 | Operands[0]=0,0,0,0,0,0,0,0,0,0,0,0,0,0 239 | Scheme name[0]=No highlighting 240 | Commands[2]=0,0,124,112,0,64,64,0,96,0,0,0,0,0 241 | Operands[2]=0,0,0,0,0,0,0,0,0,0,0,0,0,0 242 | Scheme name[2]=Jumps'n'calls 243 | Commands[3]=0,0,0,0,0,0,0,0,0,0,0,0,0,0 244 | Operands[3]=0,0,0,0,0,0,0,0,0,0,0,0,0,0 245 | Scheme name[3]=Hilite 3 246 | Commands[4]=0,0,0,0,0,0,0,0,0,0,0,0,0,0 247 | Operands[4]=0,0,0,0,0,0,0,0,0,0,0,0,0,0 248 | Scheme name[4]=Hilite 4 249 | [Arguments] 250 | Executable[1]= 251 | Executable[2]= 252 | Executable[3]= 253 | Executable[4]= 254 | Executable[5]= 255 | Executable[0]= 256 | [Appearance] 257 | CPU scheme=3 258 | CPU Disassembler=1,3,0,0,1 259 | CPU Dump=1,3,1,0,4353,0 260 | CPU Stack=1,3,1,0 261 | CPU Info=1,3,0,0 262 | CPU Registers=1,3,1,0 263 | Breakpoints=1,0,1,0,0 264 | Log data=1,0,1,0,0 265 | Memory map=1,0,1,0,0 266 | References=1,0,1,0,0 267 | Source=1,0,0,0,0 268 | Executable modules=1,0,1,0,0 269 | [Columns] 270 | CPU Disassembler=54,102,315,1536 271 | CPU Dump=54,288,102 272 | CPU Stack=54,60,1536 273 | Breakpoints=54,54,150,216,1536 274 | Log data=54,1536 275 | Memory map=54,54,54,54,72,30,48,48,1536 276 | References=54,240,1536 277 | Source=48,1536 278 | Executable modules=54,54,54,54,96,1536 279 | [System] 280 | Options 
position=357,173 281 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Reverse Engineering 2 | [![xiosec - Reverse-engineering](https://img.shields.io/static/v1?label=xiosec&message=Reverse-engineering&color=blue&logo=github)](https://github.com/xiosec/Reverse-engineering) 3 | [![stars - Reverse-engineering](https://img.shields.io/github/stars/xiosec/Reverse-engineering?style=social)](https://github.com/xiosec/Reverse-engineering) 4 | [![forks - Reverse-engineering](https://img.shields.io/github/forks/xiosec/Reverse-engineering?style=social)](https://github.com/xiosec/Reverse-engineering) 5 | [![GitHub release](https://img.shields.io/github/release/xiosec/Reverse-engineering?include_prereleases=&sort=semver)](https://github.com/xiosec/Reverse-engineering/releases/) 6 | [![License](https://img.shields.io/badge/License-MIT-blue)](#license) 7 | [![issues - Reverse-engineering](https://img.shields.io/github/issues/xiosec/Reverse-engineering)](https://github.com/xiosec/Reverse-engineering/issues) 8 | 9 | A set of tools for software reverse engineering.
10 | 11 | 12 | 13 | In the following tables, you can find the tools you need according to the heading. 14 | * [Reverse Engineering](https://github.com/xiosec/Reverse-engineering) 15 | * [Debugging](#-debugging) 16 | * [Disassemblers](#-disassemblers) 17 | * [Android](#-android) 18 | * [Hex Editors](#-hex-editors) 19 | * [Binary Format](#-binary-format) 20 | * [Binary Analysis](#-binary-analysis) 21 | * [Bytecode Analysis](#-bytecode-analysis) 22 | * [Dynamic Analysis](#-dynamic-analysis) 23 | * [Document Analysis](#-document-analysis) 24 | * [Scripting](#-scripting) 25 | * [Mac Decrypt](#-mac-decrypt) 26 | * [📔 Reverse Engineering Books](#-reverse-engineering-books) 27 | * [📎 Target and Practice](#-target-and-practice) 28 | 29 | 30 | ## ⚙ Debugging 31 | Debugging Tools 32 | 33 | | Name | Descriptions | Download | 34 | | ----- | ------------ | -------- | 35 | | **`WinDbg`** | The WDK is used to develop, test, and deploy Windows drivers. | [Download](https://msdn.microsoft.com/en-us/windows/hardware/hh852365.aspx) | 36 | | **`OllyDbg v1.10`** | OllyDbg is a 32-bit assembler level analysing debugger for Microsoft® Windows®. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable. | [Download](http://www.ollydbg.de/) | 37 | | **`OllyDbg v2.01`** | OllyDbg (named after its author, Oleh Yuschuk) is an x86 debugger that emphasizes binary code analysis, which is useful when source code is not available. |[Download](http://www.ollydbg.de/version2.html) | 38 | | **`x64dbg`** | An open-source x64/x32 debugger for windows. | [Download](http://x64dbg.com/#start) | 39 | | **`gdb`** | GDB, the GNU Project debugger, allows you to see what is going on `inside` another program while it executes -- or what another program was doing at the moment it crashed. | [Download](https://www.gnu.org/software/gdb/) | 40 | | **`vdb`** | A combined disassembler/static analysis/symbolic execution/debugger framework. More documentation is in the works. 
| [github](https://github.com/vivisect/vivisect) | 41 | | **`lldb`** | LLDB is a next generation, high-performance debugger. It is built as a set of reusable components which highly leverage existing libraries in the larger LLVM Project, such as the Clang expression parser and LLVM disassembler. | [Download](http://lldb.llvm.org/) | 42 | | **`qira`** | All state is tracked while a program is running, so you can debug in the past. | [Download](http://qira.me/) | 43 | | **`unicorn`** | Unicorn CPU emulator framework (ARM, AArch64, M68K, Mips, Sparc, X86). | [github](https://github.com/unicorn-engine/unicorn) | 44 | | **`Immunity Debugger`** | Immunity Debugger's interfaces include the GUI and a command line. The command line is always available at the bottom of the GUI. It allows the user to type shortcuts as if they were in a typical text-based debugger, such as WinDBG or GDB. Immunity has implemented aliases to ensure that your WinDBG users do not have to be retrained and will get the full productivity boost that comes from the best debugger interface on the market. | [Download](https://www.immunityinc.com/products/debugger/) | 45 | ## 🔩 Disassemblers 46 | Disassemblers 47 | 48 | | Name | Descriptions | Download | 49 | | ----- | ------------ | -------- | 50 | | **`IDA Pro`** | IDA Pro as a disassembler is capable of creating maps of their execution to show the binary instructions that are actually executed by the processor in a symbolic representation (assembly language). | [Download](https://www.hex-rays.com/products/ida/index.shtml) | 51 | | **`GHIDRA`** | A software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate in support of the Cybersecurity mission. | [Download](https://ghidra-sre.org/) | 52 | | **`Binary Ninja`** | Our built-in decompiler works with all our architectures at one price and builds on a powerful family of ILs called BNIL. 
| [Download](https://binary.ninja/) | 53 | | **`Radare`** | Disassemble (and assemble for) many different architectures. | [Download](http://www.radare.org/r/) | 54 | | **`Hopper`** | Hopper Disassembler, the reverse engineering tool that lets you disassemble, decompile and debug your applications. | [Download](http://hopperapp.com/) | 55 | | **`objdump`** | objdump displays information about one or more object files. The options control what particular information to display. | [Download](http://linux.die.net/man/1/objdump) | 56 | | **`fREedom`** | capstone based disassembler for extracting to binnavi. | [Download](https://github.com/cseagle/fREedom) | 57 | 58 | ## 📱 Android 59 | Android tools 60 | | Name | Descriptions | Download | 61 | | ----- | ------------ | -------- | 62 | | **`Android Studio`** | Android Studio provides the fastest tools for building apps on every type of Android device. | [Download](http://developer.android.com/sdk/index.html) | 63 | | **`APKtool`** | A tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications. | [Download](https://ibotpeaches.github.io/Apktool/) | 64 | | **`dex2jar`** | Tools to work with android .dex and java .class files. | [github](https://github.com/pxb1988/dex2jar) | 65 | | **`IDA Pro`** | IDA Pro as a disassembler is capable of creating maps of their execution to show the binary instructions that are actually executed by the processor in a symbolic representation (assembly language). | [Download](https://hex-rays.com/ida-pro/) | 66 | | **`JaDx`** | Dex to Java decompiler. | [github](https://github.com/skylot/jadx) | 67 | | **`APKinspector`** | APKinspector is a powerful GUI tool for analysts to analyze the Android applications. 
| [github](https://github.com/honeynet/apkinspector/) | 68 | | **`objection`** | 📱 objection - runtime mobile exploration | [github](https://github.com/sensepost/objection) | 69 | | **`Sign.jar`** | Sign.jar automatically signs an apk with the Android test certificate. | [github](https://github.com/appium-boneyard/sign) | 70 | | **`FindSecurityBugs`** | FindSecurityBugs is an extension for FindBugs which includes security rules for Java applications. | [Download](http://findbugs.sourceforge.net/) | 71 | | **`Quick Android Review Kit (Qark)`** | Tool to look for several security-related Android application vulnerabilities | [github](https://github.com/linkedin/qark) | 72 | | **`AndroBugs Framework`** | AndroBugs Framework is an efficient Android vulnerability scanner that helps developers or hackers find potential security vulnerabilities in Android applications. No need to install on Windows. | [github](https://github.com/AndroBugs/AndroBugs_Framework) | 73 | | **`Simplify`** | Tool for de-obfuscating an Android package into Classes.dex, which can then be used with Dex2jar and JD-GUI to extract the contents of the dex file. | [github](https://github.com/CalebFenton/simplify) | 74 | | **`Android backup extractor`** | Utility to extract and repack Android backups created with adb backup (ICS+). More info about adb backup here. | [github](https://github.com/nelenkov/android-backup-extractor) | 75 | | **`Xposed framework`** | Use this forum to chat about xposed framework and modules to modify your device without flashing a custom ROM | [Download](https://forum.xda-developers.com/f/xposed-general.3094/) | 76 | | **`AndBug`** | AndBug is a debugger targeting the Android platform’s Dalvik virtual machine intended for reverse engineers and developers. | [github](https://github.com/swdunlop/AndBug) | 77 | | **`Introspy-Android`** | Blackbox tool to help understand what an Android application is doing at runtime and assist in the identification of potential security issues.
| [github](https://github.com/iSECPartners/Introspy-Android) | 78 | | **`android-ssl-bypass`** | This is an Android debugging tool that can be used for bypassing SSL, even when certificate pinning is implemented, as well as other debugging tasks. The tool runs as an interactive console. | [github](https://github.com/iSECPartners/android-ssl-bypass) | 79 | 80 | ## 🗄 Hex Editors 81 | Hex Editors 82 | 83 | | Name | Descriptions | Download | 84 | | ----- | ------------ | -------- | 85 | | **`HxD`** | HxD is a carefully designed and fast hex editor which, additionally to raw disk editing and modifying of main memory (RAM), handles files of any size. | [Download](https://mh-nexus.de/en/hxd/) | 86 | | **`010 Editor`** | Why is 010 Editor so powerful? Unlike traditional hex editors which only display the raw hex bytes of a file. | [Download](https://www.sweetscape.com/010editor/) | 87 | | **`Hex Workshop`** | The Hex Workshop Hex Editor is a set of hexadecimal development tools for Microsoft Windows, combining advanced binary editing with the ease and flexibility of a word processor. | [Download](http://www.hexworkshop.com/) | 88 | | **`HexFiend`** | A fast and clever open source hex editor for macOS. | [Download](https://hexfiend.com/) | 89 | | **`Hiew`** | view and edit files of any length in text, hex, and decode modes. | [Download](http://www.hiew.ru/) | 90 | | **`hecate`** | The Hex Editor From Hell!. | [github](https://github.com/evanmiller/hecate) | 91 | 92 | ## 📐 Binary Format 93 | Binary Format Tools 94 | 95 | | Name | Descriptions | Download | 96 | | ----- | ------------ | -------- | 97 | | **`Cerbero Profiler`** | Inspecting a file is a primary task for every low-level professional, be it for reversing, malware triage, forensics or software development. | [Download](https://cerbero.io/) | 98 | | **`Detect It Easy`** | Detect It Easy, or abbreviated “DIE” is a program for determining types of files. 
| [Download](https://horsicq.github.io/) | 99 | | **`MachoView`** | MachOView is a visual Mach-O file browser. It provides a complete solution for exploring and in-place editing Intel and ARM binaries. | [Download](http://sourceforge.net/projects/machoview/) | 100 | | **`codesign`** | Code signing information usage: codesign -dvvv filename. | [Download](https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/codesign.1.html) | 101 | 102 | ## 🔬 Binary Analysis 103 | Binary Analysis Resources 104 | 105 | | Name | Descriptions | Download | 106 | | ----- | ------------ | -------- | 107 | | **`Mobius Resources`** | Unpacking Virtualization Obfuscators. | [Download](https://www.msreverseengineering.com/research/) | 108 | | **`bap`** | The Carnegie Mellon University Binary Analysis Platform (CMU BAP) is a suite of utilities and libraries that enables analysis of programs in the machine code representation. | [github](https://github.com/BinaryAnalysisPlatform/bap) | 109 | | **`angr`** | angr is a platform-agnostic binary analysis framework. | [github](https://github.com/angr/angr) | 110 | 111 | ## 🔎 Bytecode Analysis 112 | Bytecode Analysis Tools 113 | 114 | | Name | Descriptions | Download | 115 | | ----- | ------------ | -------- | 116 | | **`dnSpy`** | dnSpy is a debugger and .NET assembly editor. | [github](https://github.com/dnSpy/dnSpy) | 117 | | **`Bytecode Viewer`** | SIX DIFFERENT JAVA DECOMPILERS, TWO BYTECODE EDITORS, A JAVA COMPILER,PLUGINS, SEARCHING, SUPPORTS LOADING FROM CLASSES, JARS, ANDROID APKS AND MORE. | [Download](https://bytecodeviewer.com/) | 118 | | **`JPEXS Free Flash Decompiler`** | Opensource flash SWF decompiler and editor. | [github](https://github.com/jindrapetrik/jpexs-decompiler) | 119 | | **`JD Project`** | The “Java Decompiler project” aims to develop tools in order to decompile and analyze Java 5 “byte code” and the later versions. 
JD-GUI is a standalone graphical utility that displays Java source codes of “.class” files. You can browse the reconstructed source code with the JD-GUI for instant access to methods and fields. JD-Eclipse is a plug-in for the Eclipse platform. It allows you to display all the Java sources during your debugging process, even if you do not have them all. JD-Core is a library that reconstructs Java source code from one or more “.class” files. JD-Core may be used to recover lost source code and explore the source of Java runtime libraries. New features of Java 5, such as annotations, generics or type “enum”, are supported. JD-GUI and JD-Eclipse include JD-Core library. JD-Core, JD-GUI & JD-Eclipse are open source projects released under the GPLv3 License. | [Download](http://java-decompiler.github.io/) | 120 | 121 | ## 🔨 Dynamic Analysis 122 | Dynamic Analysis Tools 123 | 124 | | Name | Descriptions | Download | 125 | | ----- | ------------ | -------- | 126 | | **`Process Explorer v16.42`** | Process Explorer shows you information about which handles and DLLs processes have opened or loaded. | [Download](https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer) | 127 | | **`Process Monitor v3.82`** | Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. | [Download](https://docs.microsoft.com/en-us/sysinternals/downloads/procmon) | 128 | | **`Autoruns for Windows v13.100`** | This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor. | [Download](https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns) | 129 | | **`Noriben`** | Noriben is a Python-based script that works in conjunction with Sysinternals Procmon to automatically collect, analyze, and report on runtime indicators of malware. 
| [github](https://github.com/Rurik/Noriben) | 130 | | **`API Monitor`** | API Monitor is a free software that lets you monitor and control API calls made by applications and services. | [Download](http://www.rohitab.com/apimonitor) | 131 | | **`INetSim`** | INetSim is a software suite for simulating common internet services in a lab environment, e.g. for analyzing the network behaviour of unknown malware samples. | [Download](https://www.inetsim.org/) | 132 | | **`SmartSniff`** | SmartSniff is a network monitoring utility that allows you to capture TCP/IP packets that pass through your network adapter. | [Download](http://www.nirsoft.net/utils/smsniff.html) | 133 | | **`TCPView`** | TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. | [Download](https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview) | 134 | | **`Wireshark`** | Wireshark is the world’s foremost and widely-used network protocol analyzer. | [Download](https://www.wireshark.org/download.html) | 135 | | **`Fakenet`** | FakeNet is a tool that aids in the dynamic analysis of malicious software. | [Download](https://practicalmalwareanalysis.com/fakenet/) | 136 | | **`Volatility`** | An advanced memory forensics framework. | [github](https://github.com/volatilityfoundation/volatility) | 137 | | **`LiME`** | A Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-based devices. | [github](https://github.com/504ensicsLabs/LiME) | 138 | | **`Cuckoo`** | Cuckoo Sandbox is the leading open source automated malware analysis system. | [Download](https://cuckoosandbox.org/) | 139 | | **`Objective-See Utilities`** | Free Mac Security Tools | [Download](https://objective-see.com/products.html) | 140 | | **`XCode Instruments`** | XCode Instruments for Monitoring Files and Processes User Guide. 
| [Download](https://developer.apple.com/xcode/download/) | 141 | | **`fs_usage`** | report system calls and page faults related to filesystem activity in real-time. File I/O: fs_usage -w -f filesystem. | [Download](https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/fs_usage.1.html) | 142 | | **`dmesg`** | display the system message buffer. | [Download](https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/dmesg.8.html) | 143 | 144 | ## 📚 Document Analysis 145 | Document Analysis Tools 146 | 147 | | Name | Descriptions | Download | 148 | | ----- | ------------ | -------- | 149 | | **`Ole Tools`** | python-oletools is a package of Python tools to analyze Microsoft OLE2 files. | [Download](http://www.decalage.info/python/oletools) | 150 | | **`Didier's PDF Tools`** | This tool will parse a PDF document to identify the fundamental elements used in the analyzed file. | [Download](https://blog.didierstevens.com/programs/pdf-tools/) | 151 | | **`Origami`** | Origami is a Ruby framework designed to parse, analyze, and forge PDF documents. | [github](https://github.com/cogent/origami-pdf) | 152 | 153 | ## 🔗 Scripting 154 | Scripting 155 | 156 | | Name | Descriptions | Download | 157 | | ----- | ------------ | -------- | 158 | | **`IDA Python Src`** | IDAPython project for Hex-Rays' IDA Pro. | [github](https://github.com/idapython/src) | 159 | | **`IDC Functions Doc`** | The following conventions are used in the function descriptions. | [Download](https://hex-rays.com/products/ida/support/idadoc/162.shtml) | 160 | | **`IDA Plugin Contest`** | Hex-Rays Plugin Contest 2021 is now officially started. | [Download](https://hex-rays.com/contests/) | 161 | | **`onethawt IDA Plugin List`** | A list of IDA Plugins. | [github](https://github.com/onethawt/idaplugins-list) | 162 | | **`pefile`** | pefile is a multi-platform Python module to parse and work with Portable Executable (PE) files.
Most of the information contained in the PE file headers is accessible, as well as all the sections' details and data. | [github](https://github.com/erocarrera/pefile) | 163 | 164 | ## 💻 Mac Decrypt 165 | | Name | Descriptions | Download | 166 | | ----- | ------------ | -------- | 167 | | **`Cerbero Profiler`** | While this PoC is about static analysis, it’s very different than applying a packer to a malware. | [Download](https://cerbero-blog.com/?p=1311) | 168 | | **`AppEncryptor`**| A command-line tool to apply or remove Apple Binary Protection from an application. | [github](https://github.com/AlanQuatermain/appencryptor) | 169 | | **`Class-dump`** | This is a command-line utility for examining the Objective-C runtime information stored in Mach-O files. | [Download](http://stevenygard.com/projects/class-dump/) | 170 | | **`readmem`** | A small OS X/iOS userland util to dump processes memory. | [github](https://github.com/gdbinit/readmem) | 171 | 172 | ## 📔 Reverse Engineering Books 173 | 174 | | Name | Descriptions | 175 | | ----- | ------------ | 176 | | **`The IDA Pro Book`** | [Description](http://amzn.to/2jTicOg) | 177 | | **`Radare2 Book`** | [github page](https://www.gitbook.com/book/radare/radare2book/details) | 178 | | **`Reverse Engineering for Beginners`** | [Description](http://beginners.re/) | 179 | | **`The Art of Memory Forensics`** | [Description](http://amzn.to/2jMJQs0) | 180 | | **`Art of Software Security Assessment`** | [Description](http://amzn.to/2jlvtyt) | 181 | | **`iOS Reverse Engineering`** | [Description](https://github.com/iosre/iOSAppReverseEngineering) | 182 | 183 | # 📎 Target and Practice 184 | 185 | | Name | Descriptions | 186 | | ----- | ----------- | 187 | | **`OSX Crackmes`** | [Description](https://reverse.put.as/crackmes/) | 188 | | **`ESET Challenges`** | [Description](http://www.joineset.com/jobs-analyst.html) | 189 | | **`Flare-on Challenges`** | [Description](http://flare-on.com/) | 190 | | **`Github CTF Archives`** | 
[github page](http://github.com/ctfs/) | 191 | | **`Reverse Engineering Challenges`** | [Description](http://challenges.re/) | 192 | | **`Malware Blacklist`** | [Description](http://www.malwareblacklist.com/showMDL.php) | 193 | | **`malwr.com`** | [Description](https://malwr.com/) | 194 | 195 | ## License 196 | 197 | Released under [MIT](/LICENSE) by [@xiosec](https://github.com/xiosec). -------------------------------------------------------------------------------- /Target/Fishing/Sample1.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/Target/Fishing/Sample1.exe -------------------------------------------------------------------------------- /Target/Fishing/Sample2.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/Target/Fishing/Sample2.exe -------------------------------------------------------------------------------- /Target/Keygen/KeyGen1.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/Target/Keygen/KeyGen1.exe -------------------------------------------------------------------------------- /Target/Keygen/KeyGen2.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/Target/Keygen/KeyGen2.exe -------------------------------------------------------------------------------- /Target/Patching/Crack Me1.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/Target/Patching/Crack Me1.exe 
-------------------------------------------------------------------------------- /Target/Patching/Crack Me2.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/Target/Patching/Crack Me2.exe -------------------------------------------------------------------------------- /Target/Patching/Crack Me3.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/Target/Patching/Crack Me3.exe -------------------------------------------------------------------------------- /Target/Patching/Crack Me4.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/Target/Patching/Crack Me4.exe -------------------------------------------------------------------------------- /Target/exploitation/HeapOverflow/bin/win-heap-overflow-1.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/Target/exploitation/HeapOverflow/bin/win-heap-overflow-1.exe -------------------------------------------------------------------------------- /Target/exploitation/HeapOverflow/bin/win-heap-overflow-2.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/Target/exploitation/HeapOverflow/bin/win-heap-overflow-2.exe -------------------------------------------------------------------------------- /Target/exploitation/HeapOverflow/bin/win-heap-overflow-3.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/Target/exploitation/HeapOverflow/bin/win-heap-overflow-3.exe
--------------------------------------------------------------------------------
/Target/exploitation/HeapOverflow/win-heap-overflow-1.c:
--------------------------------------------------------------------------------
/*
 * win-heap-overflow-1: deliberately vulnerable practice target (heap overflow).
 *
 * Copies argv[1] with strcpy into a 0x10-byte heap block after a second
 * 0x10-byte block from the same private heap has been freed, then allocates
 * from that heap again.
 *
 * NOTE(review): the header names after the #include directives are missing
 * in this listing. The code needs the Windows heap API declarations
 * (<windows.h>) and strcpy (<string.h>); the third header cannot be
 * determined from here.
 */
#include
#include
#include

int main(int argc, char *argv[])
{
    /* 0x00040000 is HEAP_CREATE_ENABLE_EXECUTE in the Windows SDK headers:
     * memory handed out by this heap is executable, so DEP does not cover
     * data stored in it. Hardened code passes 0 here.
     * HeapCreate returns a HANDLE; it is kept in a long* and never checked
     * for NULL, and the heap is never released with HeapDestroy. */
    long* iHeap = HeapCreate(0x00040000, 0 , 0);
    char *buffer1, *buffer2;

    /* Two 16-byte allocations; neither return value is checked. */
    buffer1 = HeapAlloc(iHeap, 0, 0x10);
    buffer2 = HeapAlloc(iHeap, 0, 0x10);
    /* buffer2 is handed back to the heap before the copy below runs. */
    HeapFree(iHeap, 0, buffer2);

    /* Intentional flaw: unbounded copy of caller-controlled argv[1] into a
     * 16-byte block. argc is never checked, so argv[1] is NULL when the
     * program is started without an argument. A string of 16 or more
     * characters writes past buffer1 into whatever the heap placed after it
     * (possibly the block just freed and the heap's own bookkeeping; the
     * layout is not fixed by this code).
     * A corrected version checks argc first and rejects or truncates input
     * whose strlen() is >= 0x10 before copying. */
    strcpy(buffer1, argv[1]);
    /* This allocation operates on the heap state left behind by the copy. */
    buffer2 = HeapAlloc(iHeap, 0, 0x10);

    HeapFree(iHeap, 0, buffer2);
    HeapFree(iHeap, 0, buffer1);

    return 0;
}

--------------------------------------------------------------------------------
/Target/exploitation/HeapOverflow/win-heap-overflow-2.c:
--------------------------------------------------------------------------------
/*
 * win-heap-overflow-2: deliberately vulnerable practice target (heap overflow
 * next to application data).
 *
 * A salesItem record is copied into a 0x100-byte heap block, argv[1] is then
 * copied without a length limit into a separate 0x10-byte block from the same
 * heap, and the record is printed afterwards.
 *
 * NOTE(review): the header names after the #include directives are missing
 * in this listing; the code uses the Windows heap API, strcpy/memcpy and
 * printf.
 */
#include
#include
#include

/* Record stored on the heap; the typedef name myItem is shadowed by the
 * local variable of the same name inside main. */
typedef struct salesItem
{
    char description[20];
    int productNumber;
    float price;
    int quantity;
} myItem;

/* View onto buffer2 used when the record is printed. */
struct salesItem *pItem;

int main(int argc, char *argv[])
{
    /* 0x00040000 is HEAP_CREATE_ENABLE_EXECUTE: the heap's memory is
     * executable. The HANDLE result is kept in a long* and not checked. */
    long* hHeap = HeapCreate(0x00040000, 0, 0);
    char *buffer1, *buffer2, *buffer3;   /* buffer3 is never used */

    /* buffer1 (16 bytes) is allocated before buffer2 (256 bytes); neither
     * return value is checked. */
    buffer1 = HeapAlloc(hHeap, 0, 0x10);
    buffer2 = HeapAlloc(hHeap, 0, 0x100);
    struct salesItem myItem;

    /* Fixed sample data; "Sample Item" fits the 20-byte description field. */
    strcpy(myItem.description, "Sample Item");
    myItem.productNumber=1;
    myItem.price=1.00;
    myItem.quantity=1;

    /* sizeof(struct salesItem) bytes are copied into the 0x100-byte block. */
    memcpy(buffer2, &myItem, sizeof(struct salesItem));

    /* Intentional flaw: argc is not checked (argv[1] may be NULL) and the
     * copy has no length limit. A string of 16 or more characters writes
     * past buffer1; if buffer2 follows it in memory (likely but not
     * guaranteed by this code) the stored record and the heap bookkeeping in
     * between are altered.
     * A corrected version validates argc and bounds the copy to the 0x10
     * bytes that were allocated. */
    strcpy(buffer1, argv[1]); // possibly buffer overflow vuln

    // display possibly modified item
    pItem = (struct salesItem*)buffer2;
    printf("My Item is now: %s %f %d", pItem->description, pItem->price, pItem->quantity);

    /* Freeing runs on whatever heap state the copy above left behind. */
    HeapFree(hHeap, 0, buffer2); // could seg fault if buff1 is overflowed
    HeapFree(hHeap, 0, buffer1);

    return 0;
}

--------------------------------------------------------------------------------
/Target/exploitation/HeapOverflow/win-heap-overflow-3.c:
--------------------------------------------------------------------------------
/*
 * win-heap-overflow-3: deliberately vulnerable practice target (heap overflow
 * next to an array of records).
 *
 * A 50-entry candidate table is allocated after a 0x10-byte block on the same
 * heap, two entries are filled in and voted on, argv[1] is copied without a
 * length limit into the small block, and the first two entries are printed.
 *
 * NOTE(review): the header names after the #include directives are missing
 * in this listing; the code uses the Windows heap API, strcpy and printf.
 */
#include
#include
#include
/* run this program using the console pauser or add your own getch, system("pause") or input loop */

/* One row of the vote table. */
typedef struct candidate
{
    char name[20];
    int votes;
} candidate;

/* Heap-allocated table of 50 candidates, set up in main. */
candidate *pCandidates;

/* Increments the vote count of one table entry and returns 0.
 * The parameter is declared K&R-style without a type, so it is int only on
 * compilers that still accept implicit int. The index is not range-checked
 * against the 50 allocated entries; this file only passes 0 and 1. */
int vote(candidateNumber)
{
    pCandidates[candidateNumber].votes++;
    return 0;
}

int main(int argc, char *argv[])
{
    /* 0x00040000 is HEAP_CREATE_ENABLE_EXECUTE: the heap's memory is
     * executable. The HANDLE result is kept in a long* and not checked. */
    long* hHeap = HeapCreate(0x00040000, 0, 0);
    char *buffer1;
    int i;

    /* The 16-byte block is allocated first, the table second; neither
     * return value is checked before use. */
    buffer1 = HeapAlloc(hHeap, 0, 0x10);
    pCandidates = (candidate*)HeapAlloc(hHeap, 0, sizeof(candidate)*50);

    /* Both literals fit the 20-byte name field. Entries 2..49 stay
     * uninitialised (HeapAlloc is called without HEAP_ZERO_MEMORY). */
    strcpy(pCandidates[0].name, "Phil Polstra");
    pCandidates[0].votes=1;

    strcpy(pCandidates[1].name, "Billary Rotten");
    pCandidates[1].votes=2;

    // simulate voting
    vote(0);
    vote(1);
    vote(1);

    /* Intentional flaw: argc is not checked (argv[1] may be NULL) and the
     * copy has no length limit. A string of 16 or more characters writes
     * past buffer1; if the table follows it in memory (likely but not
     * guaranteed by this code) the names and vote counts printed below no
     * longer reflect the calls to vote().
     * A corrected version validates argc and bounds the copy to 0x10 bytes. */
    strcpy(buffer1, argv[1]); // possibly buffer overflow vuln

    // print results
    for (i=0; i < 2; i++)
    {
        printf("Candidate %s has %d votes\n", pCandidates[i].name, pCandidates[i].votes);
    }


    /* Freeing runs on whatever heap state the copy above left behind. */
    HeapFree(hHeap, 0, pCandidates); // could seg fault if buff1 is overflowed
    HeapFree(hHeap, 0, buffer1);

    return 0;
}

--------------------------------------------------------------------------------
/Target/exploitation/StackOverflow/bin/stack-overflow-1.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/Target/exploitation/StackOverflow/bin/stack-overflow-1.exe
--------------------------------------------------------------------------------
/Target/exploitation/StackOverflow/stack-overflow-1.c:
--------------------------------------------------------------------------------
/*
 * stack-overflow-1: deliberately vulnerable practice target (stack overflow).
 *
 * main passes argv[1] straight to myfunction, which copies it with strcpy
 * into a 20-byte local array.
 *
 * NOTE(review): the header names after the #include directives are missing
 * in this listing; strcpy needs <string.h>, the second header cannot be
 * determined from here.
 */
#include
#include

/*
 * Copies param into a 20-byte stack buffer and returns 1.
 *
 * param: NUL-terminated string; its length is not checked.
 *
 * Intentional flaw: a string of 20 or more characters writes past
 * localString into the rest of the stack frame (other locals and the saved
 * frame data, depending on how the compiler lays the frame out).
 * A corrected version bounds the copy, for example
 *   snprintf(localString, sizeof localString, "%s", param)
 * and treats a return value >= sizeof localString as truncated input.
 * Build-time stack protection (/GS on MSVC, -fstack-protector-strong on
 * GCC/Clang) detects this kind of overwrite at function return but does not
 * replace the length check.
 */
int myfunction(char* param)
{
    /* Never read; presumably a recognisable marker when the frame is viewed
     * in a debugger (not stated in the source). */
    char* istring = "It is my function";
    char localString[20];

    /* Unbounded copy of caller-supplied data into 20 bytes. */
    strcpy(localString, param);

    return 1;
}

/*
 * Entry point: forwards the first command-line argument to myfunction.
 * argc is never checked, so argv[1] is NULL when the program is started
 * without an argument and the strcpy in myfunction reads through it.
 */
int main(int argc, char* argv[])
{
    /* Never read; same marker-style local as istring in myfunction
     * (assumption, not stated in the source). */
    char* localString = "main function";

    myfunction(argv[1]);

    return 0;
}

--------------------------------------------------------------------------------
/resources/images/logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xiosec/Reverse-engineering/c0bd6947d131892c05a24cb3a5b0627b88c1f868/resources/images/logo.png
--------------------------------------------------------------------------------