HEUR:Trojan.Win32.Generic (Kaspersky), Dropped:Application.Keylogger.Ardamax.Gen (AdAware), Trojan.Win32.Bumat.FD, TrojanDropperVtimrun.YR (Lavasoft MAS)Behaviour: Trojan-Dropper, Keylogger, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 0bdd03e344c9840a792568ba7980dc06
SHA1: 151cbcb324112f4dbcfc16e316ddef298b3eb860
SHA256: 704f8ff8e90efa548ed3939a9ff72dcf0f5e55a016034cb63c19da4864e24ea9
SSDeep: 49152:GKve2yFhoncdWVWqfyom4gUSCzdPVicaP6go1Z:jG2yzocEpfyoyCTicq6f
Size: 2020864 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-03-08 13:32:38
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Dropped creates the following process(es):
OLLYDBG.EXE:608
PDLX.exe:752
Install.exe:1084
%original file name%.exe:1956
The Dropped injects its code into the following process(es):No processes have been created.
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process PDLX.exe:752 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Start Menu\Programs\Ardamax Keylogger\Ardamax Keylogger.lnk (702 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Ardamax Keylogger\Help.lnk (658 bytes)
%System%\28463\PDLX.002 (560 bytes)
The process Install.exe:1084 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\@2.tmp (91332 bytes)
%System%\28463\PDLX.chm (4708 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\@1.tmp (4 bytes)
%System%\28463\PDLX.007 (196 bytes)
%System%\28463\PDLX.006 (196 bytes)
%System%\28463\PDLX.001 (396 bytes)
%System%\28463\PDLX.exe (84668 bytes)
%System%\28463\key.bin (106 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\@1.tmp (0 bytes)
The process %original file name%.exe:1956 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\Install.exe (12907 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\TBar manager.ini (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\dbghelp.dll (20550 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\ollydbg.ini (595 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\readme.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\OLLYDBG.EXE (20264 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\register.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\RecoverMyFiles.udd (15142 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\license.txt (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\BOOKMARK.DLL (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\OLLYDBG.HLP (5936 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\PSAPI.DLL (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\Cmdline.dll (1961 bytes)
Registry activity
The process OLLYDBG.EXE:608 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 09 DB 42 D7 FF 4E 58 08 21 37 F8 6D CA 44 2B"
The process PDLX.exe:752 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKCR\TypeLib\{5A7FBC51-12ED-E03F-2C46-7D38CD5509CF}\1.0]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\ASProtect\SpecData]
"F74DB923F74DB923" = "4A DB FE 77 DE C8 20 5A BA 15 C7 F8 45 94 75 4F"
[HKCR\TypeLib\{5A7FBC51-12ED-E03F-2C46-7D38CD5509CF}\1.0\0]
"(Default)" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ardamax Keylogger]
"UninstallString" = "%System%\28463\Uninstall.exe"
[HKCR\CLSID\{FB175790-F92E-4B22-CC9A-87AB384D297E}\InprocServer32]
"(Default)" = ""
[HKCR\CLSID\{FB175790-F92E-4B22-CC9A-87AB384D297E}]
"(Default)" = "Imoneliv"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ardamax Keylogger]
"DisplayName" = "Ardamax Keylogger 3.1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCR\CLSID\{FB175790-F92E-4B22-CC9A-87AB384D297E}\MiscStatus]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCR\CLSID\{FB175790-F92E-4B22-CC9A-87AB384D297E}\ToolboxBitmap32]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCR\CLSID\{FB175790-F92E-4B22-CC9A-87AB384D297E}\Version]
"(Default)" = ""
[HKCR\CLSID\{FB175790-F92E-4B22-CC9A-87AB384D297E}\TypeLib]
"(Default)" = ""
[HKCR\TypeLib\{5A7FBC51-12ED-E03F-2C46-7D38CD5509CF}\1.0\FLAGS]
"(Default)" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKCR\TypeLib\{5A7FBC51-12ED-E03F-2C46-7D38CD5509CF}\1.0\HELPDIR]
"(Default)" = ""
[HKCR\TypeLib\{5A7FBC51-12ED-E03F-2C46-7D38CD5509CF}\1.0\0\win32]
"(Default)" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKCR\CLSID\{FB175790-F92E-4B22-CC9A-87AB384D297E}\Control]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 6C 01 D1 6B 21 0B B1 D2 60 C9 2D DB 1F E7 0A"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCR\CLSID\{FB175790-F92E-4B22-CC9A-87AB384D297E}\Programmable]
"(Default)" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\TypeLib\{5A7FBC51-12ED-E03F-2C46-7D38CD5509CF}]
"(Default)" = ""
[HKCU\Software\ASProtect\SpecData]
"(Default)" = "F74DB923F74DB923"
To automatically run itself each time Windows is booted, the Dropped adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PDLX Agent" = "%System%\28463\PDLX.exe"
The process Install.exe:1084 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 3B 05 D8 B5 8D 4E D0 6E B8 A7 20 D9 B0 74 95"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%\28463]
"PDLX.exe" = "PDLX"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Dropped modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Dropped modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Dropped modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process %original file name%.exe:1956 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB 8F 1E 70 05 1D 95 46 9D BC 9C 61 7C 23 F0 7B"
To automatically run itself each time Windows is booted, the Dropped adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
Dropped PE files
MD5 | File path |
---|---|
8a8fb246f5bbb650c2ed039265ddd631 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\BOOKMARK.DLL |
022e81e0fae5e1d727b413b3a746a300 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\Cmdline.dll |
86f5d6c9f13576e6344627f40c9f1b49 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\Install.exe |
bd3abb4ac01da6edb30006cc55953be8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\OLLYDBG.EXE |
abbc53dbdb01df277a7dd8f86da1c168 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\PSAPI.DLL |
820baff3cda72e782dd621bfad8968f7 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\dbghelp.dll |
35b24c473bdcdb4411e326c6c437e8ed | c:\WINDOWS\system32\28463\PDLX.006 |
a8e19de6669e831956049685225058a8 | c:\WINDOWS\system32\28463\PDLX.007 |
b863a9ac3bcdcde2fd7408944d5bf976 | c:\WINDOWS\system32\28463\PDLX.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
OLLYDBG.EXE:608
PDLX.exe:752
Install.exe:1084
%original file name%.exe:1956 - Delete the original Dropped file.
- Delete or disinfect the following files created/modified by the Dropped:
%Documents and Settings%\All Users\Start Menu\Programs\Ardamax Keylogger\Ardamax Keylogger.lnk (702 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Ardamax Keylogger\Help.lnk (658 bytes)
%System%\28463\PDLX.002 (560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\@2.tmp (91332 bytes)
%System%\28463\PDLX.chm (4708 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\@1.tmp (4 bytes)
%System%\28463\PDLX.007 (196 bytes)
%System%\28463\PDLX.006 (196 bytes)
%System%\28463\PDLX.001 (396 bytes)
%System%\28463\PDLX.exe (84668 bytes)
%System%\28463\key.bin (106 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\Install.exe (12907 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\TBar manager.ini (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\dbghelp.dll (20550 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\ollydbg.ini (595 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\readme.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\OLLYDBG.EXE (20264 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\register.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\RecoverMyFiles.udd (15142 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\license.txt (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\BOOKMARK.DLL (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\OLLYDBG.HLP (5936 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\PSAPI.DLL (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\Cmdline.dll (1961 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PDLX Agent" = "%System%\28463\PDLX.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
Static Analysis
VersionInfo
Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 8.00.6001.18702
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: WEXTRACT.EXE
Internal Name: Wextract
File Version: 8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
File Description: Win32 Cabinet Self-Extractor
Comments:
Language: English (United States)
Company Name: Microsoft CorporationProduct Name: HD Player Product Version: 8.00.6001.18702Legal Copyright: (c) Microsoft Corporation. All rights reserved.Legal Trademarks: Original Filename: WEXTRACT.EXE Internal Name: Wextract File Version: 8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)File Description: Win32 Cabinet Self-Extractor Comments: Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 43568 | 44032 | 4.49092 | 01bd9281049701d15cfdc4ea914085d3 |
.data | 49152 | 8800 | 1536 | 4.57321 | f3764284f4d25ed35f75b9c16e1ab608 |
.rsrc | 61440 | 1970488 | 1970688 | 5.53964 | 508050657a73d25051787cd9ce9d5733 |
.reloc | 2035712 | 3280 | 3584 | 3.32738 | 0d1a3239e0dfa95a30f03f130df7797e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Dropped connects to the servers at the folowing location(s):
Strings from Dumps
%original file name%.exe_1956:
.text
.text
`.data
`.data
.rsrc
.rsrc
@.reloc
@.reloc
advapi32.dll
advapi32.dll
wininit.ini
wininit.ini
advpack.dll
advpack.dll
Software\Microsoft\Windows\CurrentVersion\App Paths
Software\Microsoft\Windows\CurrentVersion\App Paths
setupapi.dll
setupapi.dll
setupx.dll
setupx.dll
IXPd.TMP
IXPd.TMP
TMP4351$.TMP
TMP4351$.TMP
FINISHMSG
FINISHMSG
USRQCMD
USRQCMD
ADMQCMD
ADMQCMD
msdownld.tmp
msdownld.tmp
wextract.pdb
wextract.pdb
PSSSSSSh
PSSSSSSh
RegCloseKey
RegCloseKey
RegOpenKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryInfoKeyA
RegCreateKeyExA
RegCreateKeyExA
ADVAPI32.dll
ADVAPI32.dll
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
GDI32.dll
GDI32.dll
ExitWindowsEx
ExitWindowsEx
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
_acmdln
_acmdln
_amsg_exit
_amsg_exit
msvcrt.dll
msvcrt.dll
COMCTL32.dll
COMCTL32.dll
VERSION.dll
VERSION.dll
rundll32.exe %s,InstallHinfSection %s 128 %s
rundll32.exe %s,InstallHinfSection %s 128 %s
SHELL32.DLL
SHELL32.DLL
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows\CurrentVersion\RunOnce
PendingFileRenameOperations
PendingFileRenameOperations
System\CurrentControlSet\Control\Session Manager\FileRenameOperations
System\CurrentControlSet\Control\Session Manager\FileRenameOperations
wextract_cleanup%d
wextract_cleanup%d
%s /D:%s
%s /D:%s
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"
Command.com /c %s
Command.com /c %s
zcÃ
zcÃ
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\
BOOKMARK.DLL
BOOKMARK.DLL
Cmdline.dll
Cmdline.dll
dbghelp.dll
dbghelp.dll
license.txt
license.txt
OLLYDBG.EXE
OLLYDBG.EXE
OLLYDBG.HLP
OLLYDBG.HLP
ollydbg.ini
ollydbg.ini
PSAPI.DLL
PSAPI.DLL
readme.txt
readme.txt
RecoverMyFiles.udd
RecoverMyFiles.udd
register.txt
register.txt
TBar manager.ini
TBar manager.ini
Install.exe
Install.exe
.Xu's{#
.Xu's{#
W|e6T'%u
W|e6T'%u
l.KeM
l.KeM
.PBA:
.PBA:
u%xM@
u%xM@
xzpX%x
xzpX%x
AM.Dq
AM.Dq
B:\CMy
B:\CMy
6^P%S0{
6^P%S0{
^.bA_
^.bA_
f*m
f*m
.AlZ/j_
.AlZ/j_
dUT.Sh
dUT.Sh
.BN5IP
.BN5IP
%s8 (
%s8 (
Nmr%x10
Nmr%x10
m!9.hiN7
m!9.hiN7
fzw.kTOH
fzw.kTOH
%uN=p
%uN=p
D.Zhs
D.Zhs
%UKf2
%UKf2
?/.MU
?/.MU
-_%F;
-_%F;
L2.rw?
L2.rw?
ÛYI
ÛYI
dL.Do
dL.Do
.pE!vw
.pE!vw
T;%cH
T;%cH
mSgz
mSgz
k.WjD
k.WjD
e8.tex-
e8.tex-
)s.JC
)s.JC
gv>%Uu
gv>%Uu
Av÷G
Av÷G
%fgMO
%fgMO
p<.vuhw>
p<.vuhw>
%u\gC
%u\gC
.uZ;.
.uZ;.
f0J%U
f0J%U
8{m%c
8{m%c
.Jk8&
.Jk8&
5YË
5YË
{.qNys
{.qNys
=~
=~
"l.Mr
"l.Mr
P%Xp't
P%Xp't
>2|J{.bV
>2|J{.bV
.mgeK.
.mgeK.
5M.DO
5M.DO
%CKY(l
%CKY(l
.WQf'
.WQf'
SmD.ob
SmD.ob
W%sw#bU
W%sw#bU
%uN"o
%uN"o
}%S7f
}%S7f
d}%CN
d}%CN
9;.yZ
9;.yZ
*lr}%f
*lr}%f
,dUI%c
,dUI%c
.hmYE
.hmYE
3%D;x
3%D;x
W.snA
W.snA
%C`;nk
%C`;nk
|.gU)5V
|.gU)5V
^m/w%d
^m/w%d
%XTQ:7
%XTQ:7
%Di)4
%Di)4
Gz.wptO
Gz.wptO
7.oqr
7.oqr
.QOMD
.QOMD
o
o
Zw:%c
Zw:%c
& .yE
& .yE
w|x-X}||
w|x-X}||
&0.UP'
&0.UP'
rlR %D
rlR %D
;2rj|B
;2rj|B
F\.ih0&D
F\.ih0&D
2y%z%se
2y%z%se
%C|lv
%C|lv
^Uy&ftpz
^Uy&ftpz
.XI82
.XI82
.pUG#
.pUG#
Ie.le
Ie.le
.ub6[&R
.ub6[&R
4.RBj
4.RBj
:%FtM
:%FtM
z"n.qQ
z"n.qQ
~i.QC
~i.QC
.AI.@
.AI.@
aC.QL
aC.QL
.Th j
.Th j
.BVF%
.BVF%
%~}3
%~}3
BZ.jW
BZ.jW
8.Isg
8.Isg
25517*25
25517*25
F.nVWEG.r^
F.nVWEG.r^
Rbb%%Xd
Rbb%%Xd
<.fdelx>
<.fdelx>
$tB.RD"
$tB.RD"
Sw^.RT
Sw^.RT
dV%U7
dV%U7
\dÇ
\dÇ
.eI3g
.eI3g
fU>8.sp
fU>8.sp
.XfCH
.XfCH
%dXi.
%dXi.
c`P%CV4Z
c`P%CV4Z
5CCY
5CCY
pY.cOr
pY.cOr
.Yt^Cd
.Yt^Cd
4z.jw
4z.jw
/7L%c
/7L%c
aa%xjU
aa%xjU
4,4,4,4,6,3
4,4,4,4,6,3
%Xo!2
%Xo!2
q.qf;
q.qf;
c1c%c
c1c%c
f%f-fcfKf{f
f%f-fcfKf{f
H|.JD
H|.JD
%dLrt
%dLrt
.tv1_>
.tv1_>
o.rV0S
o.rV0S
;.pvT]U
;.pvT]U
PX%0u
PX%0u
%Cw>K
%Cw>K
OE.hY
OE.hY
KvRh%CNR4
KvRh%CNR4
JWmn%d
JWmn%d
{;9];
{;9];
ff4C
ff4C
.jOb
.jOb
%sldzf
%sldzf
%u'aZ
%u'aZ
Õ#f
Õ#f
a.qG/
a.qG/
G:=.kE
G:=.kE
g.oo[
g.oo[
l.pd{
l.pd{
.dQ /`U
.dQ /`U
U %S}C?6
U %S}C?6
K.grr
K.grr
tB%c[$Y
tB%c[$Y
Nl%csO
Nl%csO
.Ti5i
.Ti5i
p2c%D
p2c%D
OV8.IO
OV8.IO
O%uJ44
O%uJ44
vrexE
vrexE
%x{Le2
%x{Le2
Ad.xn
Ad.xn
D.zb
D.zb
Z;.GQ
Z;.GQ
QA7.nV
QA7.nV
8.uQ1
8.uQ1
}UW.OF]
}UW.OF]
%s~ZT
%s~ZT
ô
ô
.DUt%
.DUt%
"OLLYDBG.EXE"
"OLLYDBG.EXE"
"Install.exe"
"Install.exe"
wextract.manifest
wextract.manifest
Manifest to support IExpress WExtract.exe.
Manifest to support IExpress WExtract.exe.
version="1.0.0.0"
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
publicKeyToken="6595b64144ccf1df"
00F0x0
00F0x0
Kernel32.dll
Kernel32.dll
Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement.
Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement.
CFailed to get disk space information from: %s.
CFailed to get disk space information from: %s.
System Message: %s.&A required resource cannot be located. Are you sure you want to cancel?
System Message: %s.&A required resource cannot be located. Are you sure you want to cancel?
8Unable to retrieve operating system version information.!Memory allocation request failed.
8Unable to retrieve operating system version information.!Memory allocation request failed.
Filetable full.Ên not change to destination folder.
Filetable full.Ên not change to destination folder.
Setup could not find a drive with %s KB free disk space to install the program. Please free up some space first and press RETRY or press CANCEL to exit setup.KThat folder is invalid. Please make sure the folder exists and is writable.IYou must specify a folder with fully qualified pathname or choose Cancel.!Could not update folder edit box.5Could not load functions required for browser dialog.7Could not load Shell32.dll required for browser dialog.
Setup could not find a drive with %s KB free disk space to install the program. Please free up some space first and press RETRY or press CANCEL to exit setup.KThat folder is invalid. Please make sure the folder exists and is writable.IYou must specify a folder with fully qualified pathname or choose Cancel.!Could not update folder edit box.5Could not load functions required for browser dialog.7Could not load Shell32.dll required for browser dialog.
(Error creating process . Reason: %s1The cluster size in this system is not supported.,A required resource appears to be corrupted.QWindows 95 or Windows NT 4.0 Beta 2 or greater is required for this installation.
(Error creating process . Reason: %s1The cluster size in this system is not supported.,A required resource appears to be corrupted.QWindows 95 or Windows NT 4.0 Beta 2 or greater is required for this installation.
Error loading %shGetProcAddress() failed on function '%s'. Possible reason: incorrect version of advpack.dll being used./Windows 95 or Windows NT is required to install
Error loading %shGetProcAddress() failed on function '%s'. Possible reason: incorrect version of advpack.dll being used./Windows 95 or Windows NT is required to install
Could not create folder '%s'
Could not create folder '%s'
To install this program, you need %s KB disk space on drive %s. It is recommended that you free up the required disk space before you continue.
To install this program, you need %s KB disk space on drive %s. It is recommended that you free up the required disk space before you continue.
Error retrieving Windows folder
Error retrieving Windows folder
$NT Shutdown: OpenProcessToken error.)NT Shutdown: AdjustTokenPrivileges error.!NT Shutdown: ExitWindowsEx error.}Extracting file failed. It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file.aThe setup program could not retrieve the volume information for drive (%s) .
$NT Shutdown: OpenProcessToken error.)NT Shutdown: AdjustTokenPrivileges error.!NT Shutdown: ExitWindowsEx error.}Extracting file failed. It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file.aThe setup program could not retrieve the volume information for drive (%s) .
System message: %s.xSetup could not find a drive with %s KB free disk space to install the program. Please free up some space and try again.eThe installation program appears to be damaged or corrupted. Contact the vendor of this application.
System message: %s.xSetup could not find a drive with %s KB free disk space to install the program. Please free up some space and try again.eThe installation program appears to be damaged or corrupted. Contact the vendor of this application.
/C: -- Override Install Command defined by author.
/C: -- Override Install Command defined by author.
eAnother copy of the '%s' package is already running on your system. Do you want to run another copy?
eAnother copy of the '%s' package is already running on your system. Do you want to run another copy?
Could not find the file: %s.
Could not find the file: %s.
:The folder '%s' does not exist. Do you want to create it?hAnother copy of the '%s' package is already running on your system. You can only run one copy at a time.OThe '%s' package is not compatible with the version of Windows you are running.SThe '%s' package is not compatible with the version of the file: %s on your system.
:The folder '%s' does not exist. Do you want to create it?hAnother copy of the '%s' package is already running on your system. You can only run one copy at a time.OThe '%s' package is not compatible with the version of Windows you are running.SThe '%s' package is not compatible with the version of the file: %s on your system.
8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
WEXTRACT.EXE
WEXTRACT.EXE
Windows
Windows
8.00.6001.18702
8.00.6001.18702
OLLYDBG.EXE_608:
.text
.text
`.data
`.data
.rdata
.rdata
P.idata
P.idata
@.edata
@.edata
@.rsrc
@.rsrc
@.reloc
@.reloc
032010/.-, **)('&%$#"#"!
032010/.-, **)('&%$#"#"!
t.HtXH
t.HtXH
%u8F3
%u8F3
FPU registers have indexes 0 to 7
FPU registers have indexes 0 to 7
Unknown import name
Unknown import name
Too long import name
Too long import name
Unterminated import name
Unterminated import name
Sorry, 16-bit addressing is not supported
Sorry, 16-bit addressing is not supported
Unrecognized operand
Unrecognized operand
Unsupported size of floating constant
Unsupported size of floating constant
REP %s
REP %s
REPE %s
REPE %s
REPNE %s
REPNE %s
Extra input after operand
Extra input after operand
Too few operands
Too few operands
Too many operands
Too many operands
Command does not support given operands
Command does not support given operands
Wrong number of operands
Wrong number of operands
Please specify operand size
Please specify operand size
Bad operand size
Bad operand size
Different size of operands
Different size of operands
Constant does not fit into operand
Constant does not fit into operand
Relative jump out of range, use %s LONG form
Relative jump out of range, use %s LONG form
Unary operation not supported for this data type
Unary operation not supported for this data type
Unsupported size declaration
Unsupported size declaration
Left operand of IN must be integer
Left operand of IN must be integer
Operation is not supported for these data types
Operation is not supported for these data types
Port I/O
Port I/O
Loading function descriptions from '%.*s.arg'
Loading function descriptions from '%.*s.arg'
EXPORT
EXPORT
Too many keys
Too many keys
Unknown keyword
Unknown keyword
Line %i: %s in
Line %i: %s in
Writing compiled function descriptions to 'known.bin'
Writing compiled function descriptions to 'known.bin'
known.bin
known.bin
%s.%.*s
%s.%.*s
%.*s.X
%.*s.X
X,
X,
X ???
X ???
%s %s
%s %s
hw = %X
hw = %X
("%s")
("%s")
(class="%s")
(class="%s")
X {%i.,%i.,%i.,%i.}
X {%i.,%i.,%i.,%i.}
'%s',
'%s',
class='%s',
class='%s',
wndproc=X,
wndproc=X,
parent=X
parent=X
Processing string data from '%.*s.dat'
Processing string data from '%.*s.dat'
Line %i: %s
Line %i: %s
Unable to create output file 'loaddll.bin'
Unable to create output file 'loaddll.bin'
('%c')
('%c')
%s X
%s X
,X
,X
CHAR '%c'
CHAR '%c'
XX
XX
1/(2**1/3)
1/(2**1/3)
CONST %s
CONST %s
CONST -%s
CONST -%s
%s=lX (decimal %lu.)
%s=lX (decimal %lu.)
%s=lX (decimal %lu.)
%s=lX (decimal %lu.)
%s=X
%s=X
%s=lX
%s=lX
%s.%.*s
%s.%.*s
%s=lX
%s=lX
%s(%i)
%s(%i)
%s=
%s=
XMMWORD %s
XMMWORD %s
%s %s
%s %s
(%i-BYTE) %s
(%i-BYTE) %s
X:
X:
lX=%s
lX=%s
%s X:X
%s X:X
%s X:X
%s X:X
%s=X
%s=X
(%s-bit, base %lX, size %lX)
(%s-bit, base %lX, size %lX)
%s=X
%s=X
Return to X:X
Return to X:X
Return to X (%.*s)
Return to X (%.*s)
Return to X
Return to X
X (O%i D%i T%i S%i Z%i A%i P%i C%i)
X (O%i D%i T%i S%i Z%i A%i P%i C%i)
AH=X
AH=X
FL=X
FL=X
X:
X:
PREFIX %s:
PREFIX %s:
ATTENTION, %s!
ATTENTION, %s!
Unaligned stack operation
Unaligned stack operation
Unable to restore access to memory block %s
Unable to restore access to memory block %s
OllyDbg is unable to activate memory breakpoint on address range %s. Breakpoint is completely removed.
OllyDbg is unable to activate memory breakpoint on address range %s. Breakpoint is completely removed.
OllyDbg is unable to activate memory breakpoint on the whole specified address range (%s). Breakpoint is reduced to range lX..lX.
OllyDbg is unable to activate memory breakpoint on the whole specified address range (%s). Breakpoint is reduced to range lX..lX.
You are going to set memory breakpoint in system area. This breakpoint may freeze Windows or cause system crash. Do you really want to set this breakpoint?
You are going to set memory breakpoint in system area. This breakpoint may freeze Windows or cause system crash. Do you really want to set this breakpoint?
You are going to set memory breakpoint on resource. This breakpoint, when hit within system DLL, may freeze Windows or cause system crash. Do you really want to set this breakpoint?
You are going to set memory breakpoint on resource. This breakpoint, when hit within system DLL, may freeze Windows or cause system crash. Do you really want to set this breakpoint?
You are going to set memory breakpoint on stack. This doesn't work on Win95-based operating systems.
You are going to set memory breakpoint on stack. This doesn't work on Win95-based operating systems.
Corrupted breakpoint, in memory: X, old command: X
Corrupted breakpoint, in memory: X, old command: X
OllyDbg set byte at address X to X (code of command INT3, used as breakpoint). Now this byte contains its original value X. Probably you are debugging self-modified code or set breakpoint on data.
OllyDbg set byte at address X to X (code of command INT3, used as breakpoint). Now this byte contains its original value X. Probably you are debugging self-modified code or set breakpoint on data.
OllyDbg set byte at address X to X (code of command INT3, used as breakpoint). Now this byte contains X. Do you want to keep modified command? (If you answer 'No', old code X will be restored).
OllyDbg set byte at address X to X (code of command INT3, used as breakpoint). Now this byte contains X. Do you want to keep modified command? (If you answer 'No', old code X will be restored).
It looks like you are trying to set breakpoint in the middle of some command or data. If this is really the case, such breakpoint will not execute and may have disastrous influence on the debugged program. Do you really want to set breakpoint here?
It looks like you are trying to set breakpoint in the middle of some command or data. If this is really the case, such breakpoint will not execute and may have disastrous influence on the debugged program. Do you really want to set breakpoint here?
It looks like you are trying to set breakpoint on the data. If this is really the case, such breakpoint will not execute and may have disastrous influence on the debugged program. Do you really want to set breakpoint here?
It looks like you are trying to set breakpoint on the data. If this is really the case, such breakpoint will not execute and may have disastrous influence on the debugged program. Do you really want to set breakpoint here?
You want to place breakpoint outside the code section. INT3 breakpoint set on data will not execute and may have disastrous influence on the debugged program. Do you really want to set breakpoint here?
You want to place breakpoint outside the code section. INT3 breakpoint set on data will not execute and may have disastrous influence on the debugged program. Do you really want to set breakpoint here?
%s condition at
%s condition at
when %s
when %s
When %s
When %s
, inactive condition %s
, inactive condition %s
%sass count=%u.
%sass count=%u.
Change condition at X
Change condition at X
OllyDbg set byte at address X to X (code of command INT3, used as breakpoint). Now this byte contains X. (Original code contained X). Probably you are debugging self-modified code or set breakpoint on data.
OllyDbg set byte at address X to X (code of command INT3, used as breakpoint). Now this byte contains X. (Original code contained X). Probably you are debugging self-modified code or set breakpoint on data.
CPU subwindows
CPU subwindows
Run trace %i. step%s back
Run trace %i. step%s back
%smodule %.*s
%smodule %.*s
%s %s at X
%s %s at X
The byte you are pointing at lies outside the executable code of any known module. Invalid EIP may have disastrous effects on the debugged program. Do you still want to change origin?
The byte you are pointing at lies outside the executable code of any known module. Invalid EIP may have disastrous effects on the debugged program. Do you still want to change origin?
Edit code at X
Edit code at X
&Hardware, on execution
&Hardware, on execution
Case %s
Case %s
Call DLL export
Call DLL export
Copy to executable
Copy to executable
Modify %s at X
Modify %s at X
Modify float at X
Modify float at X
Modify MMX data at X
Modify MMX data at X
Modify 3DNow! data at X
Modify 3DNow! data at X
Modify SSE data at X
Modify SSE data at X
Unable to locate data in executable file
Unable to locate data in executable file
OS will adjust fixups, thus modifying your code. Were you not carefull enough, this may have disastrous effects on the debugged program. Do you still want to update executable file?
OS will adjust fixups, thus modifying your code. Were you not carefull enough, this may have disastrous effects on the debugged program. Do you still want to update executable file?
Copy selection to executable file?
Copy selection to executable file?
%s label at X
%s label at X
Modify stack at X
Modify stack at X
Edit stack at X
Edit stack at X
Modify %s
Modify %s
Modify %s as 3DNow!
Modify %s as 3DNow!
%.3s X
%.3s X
EIP X
EIP X
%.1s %c %.2s X
%.1s %c %.2s X
%s %lX(%lX)
%s %lX(%lX)
%.1s %c
%.1s %c
LastErr %s (lX)
LastErr %s (lX)
EFL X (
EFL X (
FST X Cond %i %i %i %i Err %i %i %i %i %i %i %i %i
FST X Cond %i %i %i %i Err %i %i %i %i %i %i %i %i
FCW X
FCW X
s, s
s, s
DR%i X
DR%i X
??? , ??? , ??? , ???
??? , ??? , ??? , ???
s,
s,
MXCSR X %i %4.4s %i %i %i %i %i %i %i %i %i %i %i %i %i
MXCSR X %i %4.4s %i %i %i %i %i %i %i %i %i %i %i %i %i
%s,%s
%s,%s
%s - %s
%s - %s
Open 32-bit executable
Open 32-bit executable
.exe|.dll
.exe|.dll
ollydbg.hlp
ollydbg.hlp
Open new executable (F3)
Open new executable (F3)
Pause execution (F12)
Pause execution (F12)
WINDOWS
WINDOWS
Show windows
Show windows
.exe;*.dll|.obj;*.lib
.exe;*.dll|.obj;*.lib
.c;*.cpp;*.h;*.hpp;*.asm;*.pas|.c;*.cpp|.h;*.hpp|.asm|.pas|.txt|.bak
.c;*.cpp;*.h;*.hpp;*.asm;*.pas|.c;*.cpp|.h;*.hpp|.asm|.pas|.txt|.bak
COND: %s
COND: %s
Entry point of %s
Entry point of %s
DebugBreak called from X
DebugBreak called from X
$use Shift F7/F8/F9 to pass exception to program
$use Shift F7/F8/F9 to pass exception to program
Memory breakpoint when executing [lX]
Memory breakpoint when executing [lX]
read=X
read=X
write=X
write=X
Access violation when %s [lX]%s
Access violation when %s [lX]%s
Access violation%s
Access violation%s
Break-on-access when %s [lX]
Break-on-access when %s [lX]
Array bounds exceeded%s
Array bounds exceeded%s
Denormalized floating-point operand%s
Denormalized floating-point operand%s
Floating-point division by zero%s
Floating-point division by zero%s
Inexact floating-point result%s
Inexact floating-point result%s
Invalid floating-point operation%s
Invalid floating-point operation%s
Floating-point overflow%s
Floating-point overflow%s
FPU stack error%s
FPU stack error%s
Floating-point underflow%s
Floating-point underflow%s
Integer division by zero%s
Integer division by zero%s
Integer overflow%s
Integer overflow%s
Privileged instruction%s
Privileged instruction%s
Illegal instruction%s
Illegal instruction%s
Exception is not continuable%s
Exception is not continuable%s
Stack overflow%s
Stack overflow%s
Exception X%s
Exception X%s
Exception X (%s)%s
Exception X (%s)%s
New thread with ID X created
New thread with ID X created
New process with ID X created
New process with ID X created
Main thread with ID X created
Main thread with ID X created
Thread X terminated, exit code %X
Thread X terminated, exit code %X
Thread X terminated, exit code %X (%i.)
Thread X terminated, exit code %X (%i.)
Break on thread X termination
Break on thread X termination
Thread X terminated, trace stopped
Thread X terminated, trace stopped
LOADDLL.EXE: %s
LOADDLL.EXE: %s
LOADDLL terminated: %s
LOADDLL terminated: %s
LOADDLL terminated, exit code %X
LOADDLL terminated, exit code %X
Process terminated, exit code %X
Process terminated, exit code %X
Process terminated, exit code %X (%i.)
Process terminated, exit code %X (%i.)
In order to perform action that is not supported by OS, OllyDbg has injected short piece of code into the debugged application, but received no response within 5 seconds. Do you want to wait for another 5 seconds? (If you answer No, the consistency and stability of program is not guaranteed and you should restart it as soon as possible).
In order to perform action that is not supported by OS, OllyDbg has injected short piece of code into the debugged application, but received no response within 5 seconds. Do you want to wait for another 5 seconds? (If you answer No, the consistency and stability of program is not guaranteed and you should restart it as soon as possible).
Unexpected event X in injected code. Debugged program may get unstable, please reload it as soon as possible.
Unexpected event X in injected code. Debugged program may get unstable, please reload it as soon as possible.
Unexpected exception X in injected code. Debugged program may get unstable, please reload it as soon as possible.
Unexpected exception X in injected code. Debugged program may get unstable, please reload it as soon as possible.
%s Do you REALLY want to execute this code at address X?
%s Do you REALLY want to execute this code at address X?
Don't know how to step because memory at address X is not readable. Try to change EIP or pass exception to program.
Don't know how to step because memory at address X is not readable. Try to change EIP or pass exception to program.
Don't know how to step over command at address X. Try to step in, run, change EIP or pass exception to program.
Don't know how to step over command at address X. Try to step in, run, change EIP or pass exception to program.
Don't know how to step over command at address X. Try to step in, run or change EIP.
Don't know how to step over command at address X. Try to step in, run or change EIP.
Don't know how to step command at address X. Try to run, change EIP or pass exception to program.
Don't know how to step command at address X. Try to run, change EIP or pass exception to program.
Don't know how to step command at address X. Try to change EIP or pass exception to program.
Don't know how to step command at address X. Try to change EIP or pass exception to program.
Debugged program set single step flag (bit T in EFL). I don't know how to step command at address X correctly. Try to %sset breakpoint on next command and run.
Debugged program set single step flag (bit T in EFL). I don't know how to step command at address X correctly. Try to %sset breakpoint on next command and run.
Don't know how to continue because memory at address X is not readable. Try to change EIP or pass exception to program.
Don't know how to continue because memory at address X is not readable. Try to change EIP or pass exception to program.
Don't know how to bypass breakpoint at address X. Try to delete breakpoint, change EIP or pass exception to program.
Don't know how to bypass breakpoint at address X. Try to delete breakpoint, change EIP or pass exception to program.
Don't know how to bypass command at address X. Try to change EIP or pass exception to program.
Don't know how to bypass command at address X. Try to change EIP or pass exception to program.
Dynamic link library '%s%s' that resides in OllyDbg directory is intended for use on NT-based operating systems only. Delete it?
Dynamic link library '%s%s' that resides in OllyDbg directory is intended for use on NT-based operating systems only. Delete it?
Dynamic link library '%s%s' that resides in OllyDbg directory has lower file version (%s) than corresponding DLL in system directory (%s). Delete old library from the OllyDbg directory? (If necessary, you can restore it later from the original .zip archive)
Dynamic link library '%s%s' that resides in OllyDbg directory has lower file version (%s) than corresponding DLL in system directory (%s). Delete old library from the OllyDbg directory? (If necessary, you can restore it later from the original .zip archive)
Sorry, unable to debug under Windows 3.1
Sorry, unable to debug under Windows 3.1
Dosapp.fon
Dosapp.fon
Operands[%i]
Operands[%i]
Import library
Import library
log.txt
log.txt
rtrace.txt
rtrace.txt
Restore windows
Restore windows
Letter key in Disassembler
Letter key in Disassembler
Accept unaligned stack operations
Accept unaligned stack operations
%X,%X
%X,%X
PSAPI.DLL
PSAPI.DLL
DBGHELP.DLL
DBGHELP.DLL
PSAPI.DLL is not found. This library contains important process- and module-oriented functions for Windows NT (version for NT 4.0 is shipped with OllyDbg). Normal debugging is hardly possible. Do you nevertheless want to continue?
PSAPI.DLL is not found. This library contains important process- and module-oriented functions for Windows NT (version for NT 4.0 is shipped with OllyDbg). Normal debugging is hardly possible. Do you nevertheless want to continue?
KERNEL32.DLL
KERNEL32.DLL
Strange as it seems to be, KERNEL32.DLL is not found. This library contains important process- and module-oriented functions. Normal debugging is hardly possible. Do you nevertheless want to continue?
Strange as it seems to be, KERNEL32.DLL is not found. This library contains important process- and module-oriented functions. Normal debugging is hardly possible. Do you nevertheless want to continue?
KERNEL32.DLL on your system does not contain functions VirtualQueryEx and/or VirtualProtectEx. Maybe you have old version of the operating system. Normal debugging is hardly possible. Do you nevertheless want to continue?
KERNEL32.DLL on your system does not contain functions VirtualQueryEx and/or VirtualProtectEx. Maybe you have old version of the operating system. Normal debugging is hardly possible. Do you nevertheless want to continue?
SHELL32.DLL
SHELL32.DLL
IMAGEHLP.DLL
IMAGEHLP.DLL
SHLWAPI.DLL
SHLWAPI.DLL
ADVAPI32.DLL
ADVAPI32.DLL
NTDLL.DLL
NTDLL.DLL
OllyDbg v%i.i%s%s
OllyDbg v%i.i%s%s
UDD directory '%s' doesn't exist. Please specify valid path in Options|Appearance|Directories, otherwise breakpoints, comments and analysis data will be lost after debugged program terminates.
UDD directory '%s' doesn't exist. Please specify valid path in Options|Appearance|Directories, otherwise breakpoints, comments and analysis data will be lost after debugged program terminates.
OllyDbg is unable to attach to process X as a "just-in-time" debugger.
OllyDbg is unable to attach to process X as a "just-in-time" debugger.
%u. commands traced
%u. commands traced
X,X
X,X
\xX
\xX
X lX lX
X lX lX
Assemble at X
Assemble at X
Undefined operands allowed only for search
Undefined operands allowed only for search
HEX X
HEX X
hXXp://home.t-online.de/home/Ollydbg
hXXp://home.t-online.de/home/Ollydbg
Virtual key code (VK_xxx)
Virtual key code (VK_xxx)
Pointer to MSG structure (ASCII)
Pointer to MSG structure (ASCII)
Pointer to MSG structure (UNICODE)
Pointer to MSG structure (UNICODE)
%s conditional log breakpoint at
%s conditional log breakpoint at
WinProc(hWnd,msg,wParam,lParam)
WinProc(hWnd,msg,wParam,lParam)
WinMain(hInst,hPrevInst,CmdLine,ShowState)
WinMain(hInst,hPrevInst,CmdLine,ShowState)
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
"%s" %s
"%s" %s
- JIT debugger is %s
- JIT debugger is %s
X (%s)
X (%s)
"%s" "%1"
"%s" "%1"
0..FFFFFFFF
0..FFFFFFFF
1,2,10..12,16,81,82,110
1,2,10..12,16,81,82,110
114,115,137
114,115,137
220..229,230
220..229,230
Keyboard
Keyboard
170..173,138
170..173,138
39,140..161
39,140..161
[ESP 8] IN (%s)
[ESP 8] IN (%s)
X %s
X %s
[ESP 8]==%s
[ESP 8]==%s
" && %s
" && %s
[ESP 4]==X && %s
[ESP 4]==X && %s
(Last error = %s)
(Last error = %s)
Unable to create file '%s'
Unable to create file '%s'
Disk full or I/O error when writing to '%s'
Disk full or I/O error when writing to '%s'
%.*s_X.mem
%.*s_X.mem
unknown_file.mem
unknown_file.mem
Unable to open file '%s'
Unable to open file '%s'
File '%s' (%li bytes) is longer than memory block (%li bytes). Load anyway and truncate?
File '%s' (%li bytes) is longer than memory block (%li bytes). Load anyway and truncate?
File '%s' (%li bytes) is shorter than memory block (%li bytes). Load anyway and fill rest of backup with actual data?
File '%s' (%li bytes) is shorter than memory block (%li bytes). Load anyway and fill rest of backup with actual data?
Error reading file '%s'. Backup copy may be corrupted.
Error reading file '%s'. Backup copy may be corrupted.
Error writing file '%s'
Error writing file '%s'
Dump of file '%s' differs from original. Do you want to save modified file to disk? If you answer 'Yes', you will be asked for the filename. If you answer 'No', you will lose any changes you have made.
Dump of file '%s' differs from original. Do you want to save modified file to disk? If you answer 'Yes', you will be asked for the filename. If you answer 'No', you will lose any changes you have made.
Dump of file '%s' is not modified. Do you really want to save unchanged dump to disk?
Dump of file '%s' is not modified. Do you really want to save unchanged dump to disk?
File '%s' already exists. Do you REALLY want to overwrite it?
File '%s' already exists. Do you REALLY want to overwrite it?
File '%s' is system or read-only. Please try another name.
File '%s' is system or read-only. Please try another name.
Unable to backup file '%s'. Please try another name
Unable to backup file '%s'. Please try another name
Unable to create file '%s'. Please try another name
Unable to create file '%s'. Please try another name
Error writing file '%s'. Please try another name
Error writing file '%s'. Please try another name
Edit data at X
Edit data at X
View &executable file
View &executable file
Copy to executable file
Copy to executable file
Modify data at X
Modify data at X
Unable to open file '%s' for dump.
Unable to open file '%s' for dump.
Sorry, OllyDbg is unable to allocate %lu. bytes of memory necessary to display dump of file '%s'.
Sorry, OllyDbg is unable to allocate %lu. bytes of memory necessary to display dump of file '%s'.
File %s
File %s
%s is full, some data will be lost!
%s is full, some data will be lost!
%-*.*s
%-*.*s
lX %s
lX %s
Unable to allocate %li bytes of memory for log data buffer. Log window is not available in this session. All other functions, including logging data to file, are not influenced.%s
Unable to allocate %li bytes of memory for log data buffer. Log window is not available in this session. All other functions, including logging data to file, are not influenced.%s
%s%s%s*.udd
%s%s%s*.udd
%s%s%s
%s%s%s
%s%s%s_%i.udd
%s%s%s_%i.udd
Error reading .udd file
Error reading .udd file
Different path, discarding .udd data
Different path, discarding .udd data
Size changed, discarding .udd data
Size changed, discarding .udd data
Date/time changed, discarding .udd data
Date/time changed, discarding .udd data
CRC changed, discarding .udd data
CRC changed, discarding .udd data
\StringFileInfo\xx\FileVersion
\StringFileInfo\xx\FileVersion
Module %s
Module %s
SectionAlignment in Optional Header is less than 0x1000 (0x%X bytes)
SectionAlignment in Optional Header is less than 0x1000 (0x%X bytes)
Code size in header is X, extending to size of section
Code size in header is X, extending to size of section
at X
at X
.data
.data
Invalid or compressed Image Export Directory
Invalid or compressed Image Export Directory
Import Lookup Table outside .idata
Import Lookup Table outside .idata
%s.#%i_%s
%s.#%i_%s
%s.%s
%s.%s
%s.#%i
%s.#%i
Unable to open or read executable file '%s'
Unable to open or read executable file '%s'
Bad or unknown format of 32-bit executable file '%s'
Bad or unknown format of 32-bit executable file '%s'
File '%s' contains too much data
File '%s' contains too much data
Unload %s
Unload %s
X (%i.)
X (%i.)
%-*.*s
%-*.*s
imports,
imports,
exports,
exports,
operator %s
operator %s
%-*.*s
%-*.*s
Export
Export
Import
Import
Follow import in Disassembler
Follow import in Disassembler
Find references to import
Find references to import
&Toggle breakpoint on import
&Toggle breakpoint on import
&Conditional breakpoint on import
&Conditional breakpoint on import
Conditional &log breakpoint on import
Conditional &log breakpoint on import
Find: %s
Find: %s
Unknown record type X
Unknown record type X
Source file %s
Source file %s
Found %i segment%s, %i IMPLIB ordinal%s
Found %i segment%s, %i IMPLIB ordinal%s
Found %i matching segment%s
Found %i matching segment%s
Scanning import library '%.*s'$press SPACE to interrupt
Scanning import library '%.*s'$press SPACE to interrupt
Scanning import library '%.*s'
Scanning import library '%.*s'
Unable to open import library
Unable to open import library
Unable to read import library
Unable to read import library
Resolved %i ordinal%s
Resolved %i ordinal%s
.obj;*.lib
.obj;*.lib
%i,%s
%i,%s
Import libraries
Import libraries
Select import libraries
Select import libraries
Save user data outside any module to main .udd file
Save user data outside any module to main .udd file
Ignore (pass to program) following exceptions:
Ignore (pass to program) following exceptions:
After Executing till RET, step over RET
After Executing till RET, step over RET
Pass exceptions to SFX extractor
Pass exceptions to SFX extractor
Specify size of 16-byte SSE operands as:
Specify size of 16-byte SSE operands as:
XMMWORD (eXtended MMX operand)
XMMWORD (eXtended MMX operand)
Always show size of memory operands
Always show size of memory operands
Letter key in Disassembler starts:
Letter key in Disassembler starts:
Unaligned stack operations
Unaligned stack operations
Note that default settings have no influence on existing windows, or on windows
Note that default settings have no influence on existing windows, or on windows
Select path where .udd files will be stored
Select path where .udd files will be stored
Backup old .udd files
Backup old .udd files
Highlight operands:
Highlight operands:
You have asked to allocate %i MB memory for %s. Currently, operating system has only %i MB free virtual memory. Do you want to reduce your request to %i MB?
You have asked to allocate %i MB memory for %s. Currently, operating system has only %i MB free virtual memory. Do you want to reduce your request to %i MB?
X (%.*s)
X (%.*s)
X .. X
X .. X
% i %s
% i %s
Processor doesn't support SSE instructions
Processor doesn't support SSE instructions
OS doesn't support hardware breakpoints
OS doesn't support hardware breakpoints
UDD directory '%s' doesn't exist. Create it?
UDD directory '%s' doesn't exist. Create it?
Unable to create directory '%s'. Please specify different name.
Unable to create directory '%s'. Please specify different name.
UDD path '%s' is not a directory. Do you want to use directory '%s' instead?
UDD path '%s' is not a directory. Do you want to use directory '%s' instead?
Plugin directory '%s' doesn't exist. Please select another direcory.
Plugin directory '%s' doesn't exist. Please select another direcory.
Plugin path '%s' is not a directory. Do you want to use directory '%s' instead?
Plugin path '%s' is not a directory. Do you want to use directory '%s' instead?
Portuguese
Portuguese
%s (Unknown sublanguage)
%s (Unknown sublanguage)
%s at X
%s at X
Resource at X
Resource at X
String %X
String %X
Table of windows
Table of windows
Process '%s' is active. If you terminate it now, process will be unable to clean up and write unsaved data to disk. Do you really want to terminate active process?
Process '%s' is active. If you terminate it now, process will be unable to clean up and write unsaved data to disk. Do you really want to terminate active process?
X (%li.)
X (%li.)
Unable to terminate process '%s'. Operating system reports error %s
Unable to terminate process '%s'. Operating system reports error %s
Any file (*.*)
Any file (*.*)
.exe;*.dll
.exe;*.dll
Executable file or DLL (*.exe,*.dll)
Executable file or DLL (*.exe,*.dll)
Executable file (*.exe)
Executable file (*.exe)
Dynamic-link library (*.dll)
Dynamic-link library (*.dll)
Object file or library (*.obj,*.lib)
Object file or library (*.obj,*.lib)
Object file (*.obj)
Object file (*.obj)
Import or object library (*.lib)
Import or object library (*.lib)
.c;*.cpp;*.h;*.hpp;*.asm;*.pas
.c;*.cpp;*.h;*.hpp;*.asm;*.pas
Source (*.c,*.cpp,*.h,*.hpp,*.asm,*.pas)
Source (*.c,*.cpp,*.h,*.hpp,*.asm,*.pas)
.c;*.cpp
.c;*.cpp
C/C source (*.c,*.cpp)
C/C source (*.c,*.cpp)
C source (*.cpp)
C source (*.cpp)
.h;*.hpp
.h;*.hpp
Header file (*.h,*.hpp)
Header file (*.h,*.hpp)
C Header file (*.hpp)
C Header file (*.hpp)
Assembler source (*.asm)
Assembler source (*.asm)
Delphi/Pascal source (*.pas)
Delphi/Pascal source (*.pas)
Text file (*.txt)
Text file (*.txt)
Backup file (*.bak)
Backup file (*.bak)
Argument descriptions (*.arg)
Argument descriptions (*.arg)
Help file (*.hlp)
Help file (*.hlp)
*%s file (*%s)
*%s file (*%s)
&%i %s
&%i %s
Unable to extract name of executable file from link '%s'
Unable to extract name of executable file from link '%s'
Unable to locate file '%s'
Unable to locate file '%s'
Unable to open or read file '%s'
Unable to open or read file '%s'
File '%s' is probably not a 32-bit Portable Executable. Try to load it anyway?
File '%s' is probably not a 32-bit Portable Executable. Try to load it anyway?
File '%s' probably will not run under Win95-based OS. Try to load it anyway?
File '%s' probably will not run under Win95-based OS. Try to load it anyway?
File '%s' is a Dynamic Link Library. Windows can't execute DLLs directly. Launch LOADDLL.EXE?
File '%s' is a Dynamic Link Library. Windows can't execute DLLs directly. Launch LOADDLL.EXE?
Unable to extract LOADDLL.EXE. If OllyDbg directory is write-protected, please enable writing or move OllyDbg to another directory.
Unable to extract LOADDLL.EXE. If OllyDbg directory is write-protected, please enable writing or move OllyDbg to another directory.
"%s\LOADDLL.EXE" %s
"%s\LOADDLL.EXE" %s
Unable to start file '%s'
Unable to start file '%s'
Console file '%s'
Console file '%s'
File '%s'
File '%s'
Arguments '%s'
Arguments '%s'
%s - %s%s
%s - %s%s
The process '%s' is one you are currently debugging. You are already attached to it.
The process '%s' is one you are currently debugging. You are already attached to it.
Unable to attach to process '%s'
Unable to attach to process '%s'
%chread lX
%chread lX
Êin
Êin
%s (lX)
%s (lX)
You are going to kill thread X. Note
You are going to kill thread X. Note
X (%i.)
X (%i.)
%%B = X
%%B = X
Inspect %s in
Inspect %s in
Win95/98 may crash when NEG ESP is executed
Win95/98 may crash when NEG ESP is executed
Win95/98 may crash when NOT ESP is executed
Win95/98 may crash when NOT ESP is executed
Win95/98 may crash when VxD call is executed in user mode
Win95/98 may crash when VxD call is executed in user mode
LOCK CMPXCHG8B may crash some processors when executed
LOCK CMPXCHG8B may crash some processors when executed
ASCII X,
ASCII X,
%cNAN X lX lX
%cNAN X lX lX
%c??? X lX lX
%c??? X lX lX
%cUNORM X lX lX
%cUNORM X lX lX
Quick statistical test of module '%.*s' reports that its code section is either compressed, encrypted, or contains large amount of embedded data. Results of code analysis can be very unreliable or simply wrong. Do you want to continue analysis?
Quick statistical test of module '%.*s' reports that its code section is either compressed, encrypted, or contains large amount of embedded data. Results of code analysis can be very unreliable or simply wrong. Do you want to continue analysis?
Struct 'IMAGE_IMPORT_DESCRIPTOR'
Struct 'IMAGE_IMPORT_DESCRIPTOR'
Import lookup table for '%.*s'
Import lookup table for '%.*s'
Struct 'IMAGE_EXPORT_DIRECTORY'
Struct 'IMAGE_EXPORT_DIRECTORY'
Export Address Table
Export Address Table
Export Name Pointer Table
Export Name Pointer Table
Export Ordinal Table
Export Ordinal Table
Call switch table used at X>
Call switch table used at X>
Index table to switch X>
Index table to switch X>
Switch table %sused at X>
Switch table %sused at X>
Switch table (reverse%s) used at X>
Switch table (reverse%s) used at X>
RET used as a jump to X>
RET used as a jump to X>
(WM_USER %X)
(WM_USER %X)
of switch X>
of switch X>
Default case of switch X>
Default case of switch X>
Switch (cases -%X..%X)
Switch (cases -%X..%X)
Switch (cases %X..%X)
Switch (cases %X..%X)
{ %X}
{ %X}
{[ %X]}
{[ %X]}
%i %s procedure%s
%i %s procedure%s
1 call to known%s
1 call to known%s
%i calls to known%s
%i calls to known%s
Analysing %.*s: %s
Analysing %.*s: %s
Analysing %.*s: %s, %s
Analysing %.*s: %s, %s
%i loops%s
%i loops%s
%i switches%s
%i switches%s
Unable to allocate %i bytes of memory%s
Unable to allocate %i bytes of memory%s
%s X
%s X
%s X
%s X
Warning, debug data subsection %i (type X) is too long
Warning, debug data subsection %i (type X) is too long
Unrecognized AlignSym 0xX (size %i)
Unrecognized AlignSym 0xX (size %i)
Unrecognized GlobalSym 0xX (size %i)
Unrecognized GlobalSym 0xX (size %i)
Unknown debug data subsection type X
Unknown debug data subsection type X
Debugging information (%s format) available
Debugging information (%s format) available
%.*s.%s
%.*s.%s
Size of source file exceeds 16 M: '%s'
Size of source file exceeds 16 M: '%s'
Error reading source file '%s'
Error reading source file '%s'
Source - %s%s (%s)
Source - %s%s (%s)
*.dll
*.dll
Plugin '%s' has invalid version (%i.i)
Plugin '%s' has invalid version (%i.i)
_ODBG_Plugincmd
_ODBG_Plugincmd
Plugin '%s' failed to initialize (code %i)
Plugin '%s' failed to initialize (code %i)
Plugin %s
Plugin %s
=Handle X
=Handle X
AWINDOWS
AWINDOWS
ICO_WINDOWS
ICO_WINDOWS
Windows
Windows
HKEY_CLASSES_ROOT
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_CURRENT_USER
HKEY_USERS
HKEY_USERS
.Default
.Default
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE
HKEY_CURRENT_CONFIG
HKEY_CURRENT_CONFIG
File (pipe)
File (pipe)
WindowStation
WindowStation
ACCESS_MASK_PIPE
ACCESS_MASK_PIPE
ACCESS_MASK_KEY
ACCESS_MASK_KEY
Size %i. (X) bytes
Size %i. (X) bytes
Hide unimportant handles
Hide unimportant handles
Show unimportant handles
Show unimportant handles
Arg %i: %s
Arg %i: %s
%s: %s
%s: %s
%s: Integer expression expected
%s: Integer expression expected
X %s
X %s
Unable to access LOADDLL.EXE
Unable to access LOADDLL.EXE
Call export in %s%s
Call export in %s%s
Export:
Export:
Please wait till previous call is executed
Please wait till previous call is executed
xxtype.cpp
xxtype.cpp
derv->tpClass.tpcFlags & CF_HAS_BASES
derv->tpClass.tpcFlags & CF_HAS_BASES
Inappropriate I/O control operation
Inappropriate I/O control operation
Broken pipe
Broken pipe
Operation not permitted
Operation not permitted
%H:%M:%S
%H:%M:%S
%m/%d/%y
%m/%d/%y
%A, %B %d, %Y
%A, %B %d, %Y
d/d/d d:d:d.d
d/d/d d:d:d.d
kernel32.dll
kernel32.dll
xx.cpp
xx.cpp
varType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpClass.tpcDtorAddr
varType->tpClass.tpcDtorAddr
(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags
(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags
memType->tpClass.tpcFlags & CF_HAS_DTOR
memType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR
dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR
dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR
IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)
IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)
elemType->tpClass.tpcFlags & CF_HAS_DTOR
elemType->tpClass.tpcFlags & CF_HAS_DTOR
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\OLLYDBG.EXE
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\OLLYDBG.EXE
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP
C:\Users\NISAR\Desktop\Cracking toolz\odbg110\udd
C:\Users\NISAR\Desktop\Cracking toolz\odbg110\udd
C:\Users\NISAR\Desktop\Cracking toolz\odbg110\plugin
C:\Users\NISAR\Desktop\Cracking toolz\odbg110\plugin
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\ollydbg.ini
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\ollydbg.ini
%Documents and Settings%\Wij\Bureaublad\nag2.txt
%Documents and Settings%\Wij\Bureaublad\nag2.txt
%System%\
%System%\
C:\ReverseIt Programs\Win32API\win32.hlp
C:\ReverseIt Programs\Win32API\win32.hlp
%Documents and Settings%\Ik\Bureaublad\RVA.txt
%Documents and Settings%\Ik\Bureaublad\RVA.txt
c:\Program Files\OllyDbg
c:\Program Files\OllyDbg
VERSION.DLL
VERSION.DLL
COMCTL32.DLL
COMCTL32.DLL
COMDLG32.DLL
COMDLG32.DLL
GDI32.DLL
GDI32.DLL
USER32.DLL
USER32.DLL
OLE32.DLL
OLE32.DLL
RegCloseKey
RegCloseKey
RegCreateKeyA
RegCreateKeyA
RegDeleteKeyA
RegDeleteKeyA
RegOpenKeyA
RegOpenKeyA
GetCPInfo
GetCPInfo
GetProcessHeap
GetProcessHeap
GetWindowsDirectoryA
GetWindowsDirectoryA
ShellExecuteA
ShellExecuteA
EnumChildWindows
EnumChildWindows
EnumThreadWindows
EnumThreadWindows
EnumWindows
EnumWindows
GetKeyState
GetKeyState
MapVirtualKeyA
MapVirtualKeyA
ollydbg.exe
ollydbg.exe
_Findimportbyname
_Findimportbyname
_Getcputhreadid
_Getcputhreadid
_OpenEXEfile
_OpenEXEfile
_Setcpu
_Setcpu
xM{%u
xM{%u
Q%1UvxU
Q%1UvxU
.idK$
.idK$
CRS%S
CRS%S
.Tw'p
.Tw'p
$z =-q}
$z =-q}
ËvlD~
ËvlD~
.ZSK_
.ZSK_
`e.dz
`e.dz
'rQ%2U%w
'rQ%2U%w
.ZG}3
.ZG}3
Pu#%uFyr
Pu#%uFyr
V F%F
V F%F
.Juxq3
.Juxq3
.Hc|}*
.Hc|}*
=*=/=5=>=
=*=/=5=>=
6#6*60666>6
6#6*60666>6
2(2/252=2
2(2/252=2
5b6U6k6
5b6U6k6
252;2[2`2}2
252;2[2`2}2
6"6,656:6?6
6"6,656:6?6
7 7&7 7}7
7 7&7 7}7
=$=3=:=?=]=
=$=3=:=?=]=
;!2@2_2~2
;!2@2_2~2
5%5,545:5`5}5
5%5,545:5`5}5
84999@6`6
84999@6`6
1#2x2~2
1#2x2~2
6#6'6 6/63676;6
6#6'6 6/63676;6
1$1(1,1014181
1$1(1,1014181
6"6.686 7
6"6.686 7
5V5F5
5V5F5
4%4S4j4
4%4S4j4
Id X
Id X
&Executable modules
&Executable modules
&Windows
&Windows
Select import &libraries
Select import &libraries
Change arguments of executable file
Change arguments of executable file
Pass count (dec.)
Pass count (dec.)
If program pauses, pass following commands to plugins:
If program pauses, pass following commands to plugins:
Copy selection to executable file
Copy selection to executable file
Add to Windows Explorer
Add to Windows Explorer
Add OllyDbg to menu in Windows Explorer
Add OllyDbg to menu in Windows Explorer
Break on all windows with same title
Break on all windows with same title
1.0.10.0
1.0.10.0