FILTER FACTORY 3.0.4 MEMORY AND EXE FILE MAP Daniel Marschall ============================================ 16 Dec 2018 0000 .bss begins (VIRTUAL) | Raw address: (0), virtual data does not resemble the location in the EXE file, since the data is marked as uninit | Raw size: (200) | Virtual address: (1C00)6000 | Virtual size: 000C | Attributes: uninit data, read/write PTR DS:[1C006000h] 4 Pointer to the "PARM" resource. PTR DS:[1C006004h] 4 A pointer to a special data structure which contains all important data. (see below) In the "OPER" context, this pointer is assigned by "prolog" to register EDI. In the program code context, this pointer is read directly from [1C006004h]. PTR DS:[1C006008h] 4 A pointer to an unknown data structure, used in the program code. It is a large memory area. ??? PTR DS:[1C00600Ch] (END) 0000 MS-DOS Stub 0080 PE Signature "50 45 00 00" 0084 PE COFF Header 0000 Machine = 4C 01: IMAGE_FILE_MACHINE_I386 0002 Number of sections = 08 00 0004 TimeDateStamp = 3E CE CB 2F (31 May 1995 02:02:38) 0008 Pointer to symbol table: 00 00 00 00 000C Number of Symbols: 00 00 00 00 0010 SizeOfOptionalHeaders: E0 00 0012 Characteristics: 8E A1 [ ] 0x0001 Relocation information is stripped from file [x] 0x0002 The file is executable (no unresolved external references) [x] 0x0004 Line numbers are stripped from file [x] 0x0008 Local symbols are stripped from file [ ] 0x0010 Aggressively trim the working set [ ] 0x0020 The application can handle addresses larger than 2 GB [ ] 0x0040 Reserved [x] 0x0080 Bytes of word are reversed (REVERSED_LO) [x] 0x0100 Computer supports 32-bit words [ ] 0x0200 Debugging information is stored separately in a .dbg file [ ] 0x0400 If the image is on removeable media, copy and run from the swap file [ ] 0x0800 If the image is on network, copy and run from the swap file [ ] 0x1000 The file is a system file such as a driver [x] 0x2000 The file is a dynamica link library (DLL) [ ] 0x4000 The file be run only on a uniprocessor computer [x] 0x8000 Bytes of the word are reversed (REVERSED_HI) 0098 PE32 Header 0000 Magic "0B 01" (PE32) 0002 Linker Version 0x1702 = 2.23 0004 Size of code: 00 4E 00 00 0008 Size of initialized data: 00 6E 00 00 000C Size of uninitialized data: 00 02 00 00 0010 Address of Entry Point: E0 10 00 00 0014 Base of Code: 00 10 00 00 0018 Base of Data: 00 60 00 00 001C Image Base: 00 00 00 1C 0020 SectionAlignment: 00 10 00 00 0024 FileAlignment: 00 02 00 00 0028 OperatingSystemVersion: 01 00 00 00 (1.0) 002C ImageVersion: 00 00 00 00 (0.0) 0030 SubsystemVersion: 03 00 0A 00 (3.10) 0034 Win32VersionValue: 00 00 00 00 (Reserved) 0038 SizeOfImage: 00 20 01 00 003C SizeOfHeaders: 00 04 00 00 0040 CheckSum: 00 00 00 00 0042 Subsystem: 02 00 (Win32 GUI) 0044 DllCharacteristics: 00 00 [ ] 0x0001 Reserved, must be zero. [ ] 0x0002 Reserved, must be zero. [ ] 0x0004 Reserved, must be zero. [ ] 0x0008 Reserved, must be zero. [ ] 0x0020 Image can handle a high entropy 64-bit virtual address space. [ ] 0x0040 DLL can be relocated at load time. [ ] 0x0080 Code Integrity checks are enforced. [ ] 0x0100 Image is NX compatible. [ ] 0x0200 Isolation aware, but do not isolate the image. [ ] 0x0400 Does not use structured exception (SE) handling. No SE handler may be called in this image. [ ] 0x0800 Do not bind the image. [ ] 0x1000 Image must execute in an AppContainer. [ ] 0x2000 A WDM driver. [ ] 0x4000 Image supports Control Flow Guard. [ ] 0x8000 Terminal Server aware. 0048 SizeOfStackReserve: 00 00 10 00 004C SizeOfStackCommit: 00 10 00 00 0050 SizeOfHeapReserve: 00 00 10 00 0054 SizeOfHeapCommit: 00 10 00 00 0058 LoaderFlags: 00 00 00 00 (Obsolete) 0060 Number of data directories (RvaAndSizes): 10 00 00 00 0064 Export Table: 00 F0 00 00 AA 00 00 00 0072 Import Table: 00 00 01 00 6A 08 00 00 0080 Resource Table: 00 90 00 00 A4 58 00 00 0088 ExceptionTable: 00 00 00 00 00 00 00 00 0096 CertificateTbl: 00 00 00 00 00 00 00 00 0104 BaseRelocTable: 00 10 01 00 6C 03 00 00 0112 Debug: 00 00 00 00 00 00 00 00 0120 Architecture: 00 00 00 00 00 00 00 00 0128 GlobalPtr: 00 00 00 00 00 00 00 00 0136 TLS Table 00 00 00 00 00 00 00 00 0144 Load Config Tbl:00 00 00 00 00 00 00 00 0152 BoundImport 00 00 00 00 00 00 00 00 0160 IAT 00 00 00 00 00 00 00 00 0168 DelayImportDesc 00 00 00 00 00 00 00 00 0176 CLR RuntimeHdr 00 00 00 00 00 00 00 00 0184 Reserved 00 00 00 00 00 00 00 00 0192 (END) 0178 Section Header ".text" 0000 Name: ".text" 0008 VirtualSize: 72 4D 00 00 000C VirtualAddress: 00 10 00 00 0010 SizeOfRawData: 00 4E 00 00 0014 PointerToRawData: 00 04 00 00 0018 PointerToRelocations: 00 00 00 00 001C PointerToLineNumbers: 00 00 00 00 001E NumberOfRelocations: 00 00 0020 NumberOfLinenumbers: 00 00 0024 Characteristics: 20 00 00 60 [ ] 0x00000000 Reserved for future use. [ ] 0x00000001 Reserved for future use. [ ] 0x00000002 Reserved for future use. [ ] 0x00000004 Reserved for future use. [ ] 0x00000008 The section should not be padded to the next boundary. This flag is obsolete and is replaced by IMAGE_SCN_ALIGN_1BYTES. This is valid only for object files. [ ] 0x00000010 Reserved for future use. [x] 0x00000020 The section contains executable code. [ ] 0x00000040 The section contains initialized data. [ ] 0x00000080 The section contains uninitialized data. [ ] 0x00000100 Reserved for future use. [ ] 0x00000200 The section contains comments or other information. The .drectve section has this type. This is valid for object files only. [ ] 0x00000400 Reserved for future use. [ ] 0x00000800 The section will not become part of the image. This is valid only for object files. [ ] 0x00001000 The section contains COMDAT data. For more information, see COMDAT Sections (Object Only). This is valid only for object files. [ ] 0x00008000 The section contains data referenced through the global pointer (GP). [ ] 0x00020000 Reserved for future use. [ ] 0x00020000 Reserved for future use. [ ] 0x00040000 Reserved for future use. [ ] 0x00080000 Reserved for future use. [ ] 0x00100000 Align data on a 1-byte boundary. Valid only for object files. [ ] 0x00200000 Align data on a 2-byte boundary. Valid only for object files. [ ] 0x00300000 Align data on a 4-byte boundary. Valid only for object files. [ ] 0x00400000 Align data on an 8-byte boundary. Valid only for object files. [ ] 0x00500000 Align data on a 16-byte boundary. Valid only for object files. [ ] 0x00600000 Align data on a 32-byte boundary. Valid only for object files. [ ] 0x00700000 Align data on a 64-byte boundary. Valid only for object files. [ ] 0x00800000 Align data on a 128-byte boundary. Valid only for object files. [ ] 0x00900000 Align data on a 256-byte boundary. Valid only for object files. [ ] 0x00A00000 Align data on a 512-byte boundary. Valid only for object files. [ ] 0x00B00000 Align data on a 1024-byte boundary. Valid only for object files. [ ] 0x00C00000 Align data on a 2048-byte boundary. Valid only for object files. [ ] 0x00D00000 Align data on a 4096-byte boundary. Valid only for object files. [ ] 0x00E00000 Align data on an 8192-byte boundary. Valid only for object files. [ ] 0x01000000 The section contains extended relocations. [ ] 0x02000000 The section can be discarded as needed. [ ] 0x04000000 The section cannot be cached. [ ] 0x08000000 The section is not pageable. [ ] 0x10000000 The section can be shared in memory. [x] 0x20000000 The section can be executed as code. [x] 0x40000000 The section can be read. [ ] 0x80000000 The section can be written to. 01A0 Section Header ".bss" 0000 Name: ".bss" 0008 VirtualSize: 0C 00 00 00 000C VirtualAddress: 00 60 00 00 0010 SizeOfRawData: 00 02 00 00 0014 PointerToRawData: 00 00 00 00 0018 PointerToRelocations: 00 00 00 00 001C PointerToLineNumbers: 00 00 00 00 001E NumberOfRelocations: 00 00 0020 NumberOfLinenumbers: 00 00 0024 Characteristics: 80 00 00 C0 [ ] 0x00000000 Reserved for future use. [ ] 0x00000001 Reserved for future use. [ ] 0x00000002 Reserved for future use. [ ] 0x00000004 Reserved for future use. [ ] 0x00000008 The section should not be padded to the next boundary. This flag is obsolete and is replaced by IMAGE_SCN_ALIGN_1BYTES. This is valid only for object files. [ ] 0x00000010 Reserved for future use. [ ] 0x00000020 The section contains executable code. [ ] 0x00000040 The section contains initialized data. [x] 0x00000080 The section contains uninitialized data. [ ] 0x00000100 Reserved for future use. [ ] 0x00000200 The section contains comments or other information. The .drectve section has this type. This is valid for object files only. [ ] 0x00000400 Reserved for future use. [ ] 0x00000800 The section will not become part of the image. This is valid only for object files. [ ] 0x00001000 The section contains COMDAT data. For more information, see COMDAT Sections (Object Only). This is valid only for object files. [ ] 0x00008000 The section contains data referenced through the global pointer (GP). [ ] 0x00020000 Reserved for future use. [ ] 0x00020000 Reserved for future use. [ ] 0x00040000 Reserved for future use. [ ] 0x00080000 Reserved for future use. [ ] 0x00100000 Align data on a 1-byte boundary. Valid only for object files. [ ] 0x00200000 Align data on a 2-byte boundary. Valid only for object files. [ ] 0x00300000 Align data on a 4-byte boundary. Valid only for object files. [ ] 0x00400000 Align data on an 8-byte boundary. Valid only for object files. [ ] 0x00500000 Align data on a 16-byte boundary. Valid only for object files. [ ] 0x00600000 Align data on a 32-byte boundary. Valid only for object files. [ ] 0x00700000 Align data on a 64-byte boundary. Valid only for object files. [ ] 0x00800000 Align data on a 128-byte boundary. Valid only for object files. [ ] 0x00900000 Align data on a 256-byte boundary. Valid only for object files. [ ] 0x00A00000 Align data on a 512-byte boundary. Valid only for object files. [ ] 0x00B00000 Align data on a 1024-byte boundary. Valid only for object files. [ ] 0x00C00000 Align data on a 2048-byte boundary. Valid only for object files. [ ] 0x00D00000 Align data on a 4096-byte boundary. Valid only for object files. [ ] 0x00E00000 Align data on an 8192-byte boundary. Valid only for object files. [ ] 0x01000000 The section contains extended relocations. [ ] 0x02000000 The section can be discarded as needed. [ ] 0x04000000 The section cannot be cached. [ ] 0x08000000 The section is not pageable. [ ] 0x10000000 The section can be shared in memory. [ ] 0x20000000 The section can be executed as code. [x] 0x40000000 The section can be read. [x] 0x80000000 The section can be written to. 01C8 Section Header ".rdata" 0000 Name: ".rdata" 0008 VirtualSize: 2E 00 00 00 000C VirtualAddress: 00 70 00 00 0010 SizeOfRawData: 00 02 00 00 0014 PointerToRawData: 00 52 00 00 0018 PointerToRelocations: 00 00 00 00 001C PointerToLineNumbers: 00 00 00 00 001E NumberOfRelocations: 00 00 0020 NumberOfLinenumbers: 00 00 0024 Characteristics: 40 00 00 40 [ ] 0x00000000 Reserved for future use. [ ] 0x00000001 Reserved for future use. [ ] 0x00000002 Reserved for future use. [ ] 0x00000004 Reserved for future use. [ ] 0x00000008 The section should not be padded to the next boundary. This flag is obsolete and is replaced by IMAGE_SCN_ALIGN_1BYTES. This is valid only for object files. [ ] 0x00000010 Reserved for future use. [ ] 0x00000020 The section contains executable code. [x] 0x00000040 The section contains initialized data. [ ] 0x00000080 The section contains uninitialized data. [ ] 0x00000100 Reserved for future use. [ ] 0x00000200 The section contains comments or other information. The .drectve section has this type. This is valid for object files only. [ ] 0x00000400 Reserved for future use. [ ] 0x00000800 The section will not become part of the image. This is valid only for object files. [ ] 0x00001000 The section contains COMDAT data. For more information, see COMDAT Sections (Object Only). This is valid only for object files. [ ] 0x00008000 The section contains data referenced through the global pointer (GP). [ ] 0x00020000 Reserved for future use. [ ] 0x00020000 Reserved for future use. [ ] 0x00040000 Reserved for future use. [ ] 0x00080000 Reserved for future use. [ ] 0x00100000 Align data on a 1-byte boundary. Valid only for object files. [ ] 0x00200000 Align data on a 2-byte boundary. Valid only for object files. [ ] 0x00300000 Align data on a 4-byte boundary. Valid only for object files. [ ] 0x00400000 Align data on an 8-byte boundary. Valid only for object files. [ ] 0x00500000 Align data on a 16-byte boundary. Valid only for object files. [ ] 0x00600000 Align data on a 32-byte boundary. Valid only for object files. [ ] 0x00700000 Align data on a 64-byte boundary. Valid only for object files. [ ] 0x00800000 Align data on a 128-byte boundary. Valid only for object files. [ ] 0x00900000 Align data on a 256-byte boundary. Valid only for object files. [ ] 0x00A00000 Align data on a 512-byte boundary. Valid only for object files. [ ] 0x00B00000 Align data on a 1024-byte boundary. Valid only for object files. [ ] 0x00C00000 Align data on a 2048-byte boundary. Valid only for object files. [ ] 0x00D00000 Align data on a 4096-byte boundary. Valid only for object files. [ ] 0x00E00000 Align data on an 8192-byte boundary. Valid only for object files. [ ] 0x01000000 The section contains extended relocations. [ ] 0x02000000 The section can be discarded as needed. [ ] 0x04000000 The section cannot be cached. [ ] 0x08000000 The section is not pageable. [ ] 0x10000000 The section can be shared in memory. [ ] 0x20000000 The section can be executed as code. [x] 0x40000000 The section can be read. [ ] 0x80000000 The section can be written to. 01F0 Section Header ".data" 0000 Name: ".data" 0008 VirtualSize: CA 00 00 00 000C VirtualAddress: 00 80 00 00 0010 SizeOfRawData: 00 02 00 00 0014 PointerToRawData: 00 54 00 00 0018 PointerToRelocations: 00 00 00 00 001C PointerToLineNumbers: 00 00 00 00 001E NumberOfRelocations: 00 00 0020 NumberOfLinenumbers: 00 00 0024 Characteristics: 40 00 00 C0 [ ] 0x00000000 Reserved for future use. [ ] 0x00000001 Reserved for future use. [ ] 0x00000002 Reserved for future use. [ ] 0x00000004 Reserved for future use. [ ] 0x00000008 The section should not be padded to the next boundary. This flag is obsolete and is replaced by IMAGE_SCN_ALIGN_1BYTES. This is valid only for object files. [ ] 0x00000010 Reserved for future use. [ ] 0x00000020 The section contains executable code. [x] 0x00000040 The section contains initialized data. [ ] 0x00000080 The section contains uninitialized data. [ ] 0x00000100 Reserved for future use. [ ] 0x00000200 The section contains comments or other information. The .drectve section has this type. This is valid for object files only. [ ] 0x00000400 Reserved for future use. [ ] 0x00000800 The section will not become part of the image. This is valid only for object files. [ ] 0x00001000 The section contains COMDAT data. For more information, see COMDAT Sections (Object Only). This is valid only for object files. [ ] 0x00008000 The section contains data referenced through the global pointer (GP). [ ] 0x00020000 Reserved for future use. [ ] 0x00020000 Reserved for future use. [ ] 0x00040000 Reserved for future use. [ ] 0x00080000 Reserved for future use. [ ] 0x00100000 Align data on a 1-byte boundary. Valid only for object files. [ ] 0x00200000 Align data on a 2-byte boundary. Valid only for object files. [ ] 0x00300000 Align data on a 4-byte boundary. Valid only for object files. [ ] 0x00400000 Align data on an 8-byte boundary. Valid only for object files. [ ] 0x00500000 Align data on a 16-byte boundary. Valid only for object files. [ ] 0x00600000 Align data on a 32-byte boundary. Valid only for object files. [ ] 0x00700000 Align data on a 64-byte boundary. Valid only for object files. [ ] 0x00800000 Align data on a 128-byte boundary. Valid only for object files. [ ] 0x00900000 Align data on a 256-byte boundary. Valid only for object files. [ ] 0x00A00000 Align data on a 512-byte boundary. Valid only for object files. [ ] 0x00B00000 Align data on a 1024-byte boundary. Valid only for object files. [ ] 0x00C00000 Align data on a 2048-byte boundary. Valid only for object files. [ ] 0x00D00000 Align data on a 4096-byte boundary. Valid only for object files. [ ] 0x00E00000 Align data on an 8192-byte boundary. Valid only for object files. [ ] 0x01000000 The section contains extended relocations. [ ] 0x02000000 The section can be discarded as needed. [ ] 0x04000000 The section cannot be cached. [ ] 0x08000000 The section is not pageable. [ ] 0x10000000 The section can be shared in memory. [ ] 0x20000000 The section can be executed as code. [x] 0x40000000 The section can be read. [x] 0x80000000 The section can be written to. 0218 Section Header ".rsrc" 0000 Name: ".rsrc" 0008 VirtualSize: A4 58 00 00 000C VirtualAddress: 00 90 00 00 0010 SizeOfRawData: 00 5A 00 00 0014 PointerToRawData: 00 56 00 00 0018 PointerToRelocations: 00 00 00 00 001C PointerToLineNumbers: 00 00 00 00 001E NumberOfRelocations: 00 00 0020 NumberOfLinenumbers: 00 00 0024 Characteristics: 40 00 00 C0 [ ] 0x00000000 Reserved for future use. [ ] 0x00000001 Reserved for future use. [ ] 0x00000002 Reserved for future use. [ ] 0x00000004 Reserved for future use. [ ] 0x00000008 The section should not be padded to the next boundary. This flag is obsolete and is replaced by IMAGE_SCN_ALIGN_1BYTES. This is valid only for object files. [ ] 0x00000010 Reserved for future use. [ ] 0x00000020 The section contains executable code. [x] 0x00000040 The section contains initialized data. [ ] 0x00000080 The section contains uninitialized data. [ ] 0x00000100 Reserved for future use. [ ] 0x00000200 The section contains comments or other information. The .drectve section has this type. This is valid for object files only. [ ] 0x00000400 Reserved for future use. [ ] 0x00000800 The section will not become part of the image. This is valid only for object files. [ ] 0x00001000 The section contains COMDAT data. For more information, see COMDAT Sections (Object Only). This is valid only for object files. [ ] 0x00008000 The section contains data referenced through the global pointer (GP). [ ] 0x00020000 Reserved for future use. [ ] 0x00020000 Reserved for future use. [ ] 0x00040000 Reserved for future use. [ ] 0x00080000 Reserved for future use. [ ] 0x00100000 Align data on a 1-byte boundary. Valid only for object files. [ ] 0x00200000 Align data on a 2-byte boundary. Valid only for object files. [ ] 0x00300000 Align data on a 4-byte boundary. Valid only for object files. [ ] 0x00400000 Align data on an 8-byte boundary. Valid only for object files. [ ] 0x00500000 Align data on a 16-byte boundary. Valid only for object files. [ ] 0x00600000 Align data on a 32-byte boundary. Valid only for object files. [ ] 0x00700000 Align data on a 64-byte boundary. Valid only for object files. [ ] 0x00800000 Align data on a 128-byte boundary. Valid only for object files. [ ] 0x00900000 Align data on a 256-byte boundary. Valid only for object files. [ ] 0x00A00000 Align data on a 512-byte boundary. Valid only for object files. [ ] 0x00B00000 Align data on a 1024-byte boundary. Valid only for object files. [ ] 0x00C00000 Align data on a 2048-byte boundary. Valid only for object files. [ ] 0x00D00000 Align data on a 4096-byte boundary. Valid only for object files. [ ] 0x00E00000 Align data on an 8192-byte boundary. Valid only for object files. [ ] 0x01000000 The section contains extended relocations. [ ] 0x02000000 The section can be discarded as needed. [ ] 0x04000000 The section cannot be cached. [ ] 0x08000000 The section is not pageable. [ ] 0x10000000 The section can be shared in memory. [ ] 0x20000000 The section can be executed as code. [x] 0x40000000 The section can be read. [x] 0x80000000 The section can be written to. 0240 Section Header ".edata" 0000 Name: ".edata" 0008 VirtualSize: AA 00 00 00 000C VirtualAddress: 00 F0 00 00 0010 SizeOfRawData: 00 02 00 00 0014 PointerToRawData: 00 B0 00 00 0018 PointerToRelocations: 00 00 00 00 001C PointerToLineNumbers: 00 00 00 00 001E NumberOfRelocations: 00 00 0020 NumberOfLinenumbers: 00 00 0024 Characteristics: 40 00 00 40 [ ] 0x00000000 Reserved for future use. [ ] 0x00000001 Reserved for future use. [ ] 0x00000002 Reserved for future use. [ ] 0x00000004 Reserved for future use. [ ] 0x00000008 The section should not be padded to the next boundary. This flag is obsolete and is replaced by IMAGE_SCN_ALIGN_1BYTES. This is valid only for object files. [ ] 0x00000010 Reserved for future use. [ ] 0x00000020 The section contains executable code. [x] 0x00000040 The section contains initialized data. [ ] 0x00000080 The section contains uninitialized data. [ ] 0x00000100 Reserved for future use. [ ] 0x00000200 The section contains comments or other information. The .drectve section has this type. This is valid for object files only. [ ] 0x00000400 Reserved for future use. [ ] 0x00000800 The section will not become part of the image. This is valid only for object files. [ ] 0x00001000 The section contains COMDAT data. For more information, see COMDAT Sections (Object Only). This is valid only for object files. [ ] 0x00008000 The section contains data referenced through the global pointer (GP). [ ] 0x00020000 Reserved for future use. [ ] 0x00020000 Reserved for future use. [ ] 0x00040000 Reserved for future use. [ ] 0x00080000 Reserved for future use. [ ] 0x00100000 Align data on a 1-byte boundary. Valid only for object files. [ ] 0x00200000 Align data on a 2-byte boundary. Valid only for object files. [ ] 0x00300000 Align data on a 4-byte boundary. Valid only for object files. [ ] 0x00400000 Align data on an 8-byte boundary. Valid only for object files. [ ] 0x00500000 Align data on a 16-byte boundary. Valid only for object files. [ ] 0x00600000 Align data on a 32-byte boundary. Valid only for object files. [ ] 0x00700000 Align data on a 64-byte boundary. Valid only for object files. [ ] 0x00800000 Align data on a 128-byte boundary. Valid only for object files. [ ] 0x00900000 Align data on a 256-byte boundary. Valid only for object files. [ ] 0x00A00000 Align data on a 512-byte boundary. Valid only for object files. [ ] 0x00B00000 Align data on a 1024-byte boundary. Valid only for object files. [ ] 0x00C00000 Align data on a 2048-byte boundary. Valid only for object files. [ ] 0x00D00000 Align data on a 4096-byte boundary. Valid only for object files. [ ] 0x00E00000 Align data on an 8192-byte boundary. Valid only for object files. [ ] 0x01000000 The section contains extended relocations. [ ] 0x02000000 The section can be discarded as needed. [ ] 0x04000000 The section cannot be cached. [ ] 0x08000000 The section is not pageable. [ ] 0x10000000 The section can be shared in memory. [ ] 0x20000000 The section can be executed as code. [x] 0x40000000 The section can be read. [ ] 0x80000000 The section can be written to. 0268 Section Header ".idata" 0000 Name: ".idata" 0008 VirtualSize: 6A 08 00 00 000C VirtualAddress: 00 00 01 00 0010 SizeOfRawData: 00 0A 00 00 0014 PointerToRawData: 00 B2 00 00 0018 PointerToRelocations: 00 00 00 00 001C PointerToLineNumbers: 00 00 00 00 001E NumberOfRelocations: 00 00 0020 NumberOfLinenumbers: 00 00 0024 Characteristics: 40 00 00 C0 [ ] 0x00000000 Reserved for future use. [ ] 0x00000001 Reserved for future use. [ ] 0x00000002 Reserved for future use. [ ] 0x00000004 Reserved for future use. [ ] 0x00000008 The section should not be padded to the next boundary. This flag is obsolete and is replaced by IMAGE_SCN_ALIGN_1BYTES. This is valid only for object files. [ ] 0x00000010 Reserved for future use. [ ] 0x00000020 The section contains executable code. [x] 0x00000040 The section contains initialized data. [ ] 0x00000080 The section contains uninitialized data. [ ] 0x00000100 Reserved for future use. [ ] 0x00000200 The section contains comments or other information. The .drectve section has this type. This is valid for object files only. [ ] 0x00000400 Reserved for future use. [ ] 0x00000800 The section will not become part of the image. This is valid only for object files. [ ] 0x00001000 The section contains COMDAT data. For more information, see COMDAT Sections (Object Only). This is valid only for object files. [ ] 0x00008000 The section contains data referenced through the global pointer (GP). [ ] 0x00020000 Reserved for future use. [ ] 0x00020000 Reserved for future use. [ ] 0x00040000 Reserved for future use. [ ] 0x00080000 Reserved for future use. [ ] 0x00100000 Align data on a 1-byte boundary. Valid only for object files. [ ] 0x00200000 Align data on a 2-byte boundary. Valid only for object files. [ ] 0x00300000 Align data on a 4-byte boundary. Valid only for object files. [ ] 0x00400000 Align data on an 8-byte boundary. Valid only for object files. [ ] 0x00500000 Align data on a 16-byte boundary. Valid only for object files. [ ] 0x00600000 Align data on a 32-byte boundary. Valid only for object files. [ ] 0x00700000 Align data on a 64-byte boundary. Valid only for object files. [ ] 0x00800000 Align data on a 128-byte boundary. Valid only for object files. [ ] 0x00900000 Align data on a 256-byte boundary. Valid only for object files. [ ] 0x00A00000 Align data on a 512-byte boundary. Valid only for object files. [ ] 0x00B00000 Align data on a 1024-byte boundary. Valid only for object files. [ ] 0x00C00000 Align data on a 2048-byte boundary. Valid only for object files. [ ] 0x00D00000 Align data on a 4096-byte boundary. Valid only for object files. [ ] 0x00E00000 Align data on an 8192-byte boundary. Valid only for object files. [ ] 0x01000000 The section contains extended relocations. [ ] 0x02000000 The section can be discarded as needed. [ ] 0x04000000 The section cannot be cached. [ ] 0x08000000 The section is not pageable. [ ] 0x10000000 The section can be shared in memory. [ ] 0x20000000 The section can be executed as code. [x] 0x40000000 The section can be read. [x] 0x80000000 The section can be written to. 0290 Section Header ".reloc" 0000 Name: ".reloc" 0008 VirtualSize: F4 03 00 00 000C VirtualAddress: 00 10 01 00 0010 SizeOfRawData: 00 04 00 00 0014 PointerToRawData: 00 BC 00 00 0018 PointerToRelocations: 00 00 00 00 001C PointerToLineNumbers: 00 00 00 00 001E NumberOfRelocations: 00 00 0020 NumberOfLinenumbers: 00 00 0024 Characteristics: 40 00 00 42 [ ] 0x00000000 Reserved for future use. [ ] 0x00000001 Reserved for future use. [ ] 0x00000002 Reserved for future use. [ ] 0x00000004 Reserved for future use. [ ] 0x00000008 The section should not be padded to the next boundary. This flag is obsolete and is replaced by IMAGE_SCN_ALIGN_1BYTES. This is valid only for object files. [ ] 0x00000010 Reserved for future use. [ ] 0x00000020 The section contains executable code. [x] 0x00000040 The section contains initialized data. [ ] 0x00000080 The section contains uninitialized data. [ ] 0x00000100 Reserved for future use. [ ] 0x00000200 The section contains comments or other information. The .drectve section has this type. This is valid for object files only. [ ] 0x00000400 Reserved for future use. [ ] 0x00000800 The section will not become part of the image. This is valid only for object files. [ ] 0x00001000 The section contains COMDAT data. For more information, see COMDAT Sections (Object Only). This is valid only for object files. [ ] 0x00008000 The section contains data referenced through the global pointer (GP). [ ] 0x00020000 Reserved for future use. [ ] 0x00020000 Reserved for future use. [ ] 0x00040000 Reserved for future use. [ ] 0x00080000 Reserved for future use. [ ] 0x00100000 Align data on a 1-byte boundary. Valid only for object files. [ ] 0x00200000 Align data on a 2-byte boundary. Valid only for object files. [ ] 0x00300000 Align data on a 4-byte boundary. Valid only for object files. [ ] 0x00400000 Align data on an 8-byte boundary. Valid only for object files. [ ] 0x00500000 Align data on a 16-byte boundary. Valid only for object files. [ ] 0x00600000 Align data on a 32-byte boundary. Valid only for object files. [ ] 0x00700000 Align data on a 64-byte boundary. Valid only for object files. [ ] 0x00800000 Align data on a 128-byte boundary. Valid only for object files. [ ] 0x00900000 Align data on a 256-byte boundary. Valid only for object files. [ ] 0x00A00000 Align data on a 512-byte boundary. Valid only for object files. [ ] 0x00B00000 Align data on a 1024-byte boundary. Valid only for object files. [ ] 0x00C00000 Align data on a 2048-byte boundary. Valid only for object files. [ ] 0x00D00000 Align data on a 4096-byte boundary. Valid only for object files. [ ] 0x00E00000 Align data on an 8192-byte boundary. Valid only for object files. [ ] 0x01000000 The section contains extended relocations. [x] 0x02000000 The section can be discarded as needed. [ ] 0x04000000 The section cannot be cached. [ ] 0x08000000 The section is not pageable. [ ] 0x10000000 The section can be shared in memory. [ ] 0x20000000 The section can be executed as code. [x] 0x40000000 The section can be read. [ ] 0x80000000 The section can be written to. 02B8 Padding (size: 148) 0400 .text begins | Raw address: 0400 | Raw size: 4E00 | Virtual address: (1C00)1000 | Virtual size: 4D72 | Attributes: code, exec read 1C0010C0h 04C0h ENTRYPOINT1 1C001540h 0940h AboutDlgProc 1C001800h 0C00h EspressoDlgProc 1C002340h 1740h BuildDlgProc 1C001fd0h 13D0h SmallDlgProc 5200 .rdata begins | Raw address: 5200 | Raw size: 200 | Virtual address: (1C00)7000 | Virtual size: 002E | Attributes: init data, read only PTR DS:[1C007000h] 5200h 8 00 00 00 00 00 00 30 41 = double: 1048576.0 = 1024.0*1024.0 Floating point constant for calculation of C2M_LOOKUP. PTR DS:[1C007008h] 5208h 8 00 00 00 00 00 FC 8F 40 = double: 1023.5 Floating point constant for calculation of C2M_LOOKUP. PTR DS:[1C007010h] 5210h 8 00 00 00 00 00 00 50 40 = double: 64.0 Floating point constant for calculation of C2M_LOOKUP. PTR DS:[1C007018h] 5218h 8? 00 00 00 00 00 00 00 00 Unused? PTR DS:[1C007020h] 5220h SZ "Filter Factory" Gets modified when building, but the raw size does not get changed in the EXE header. PTR DS:[1C00702Eh] (END) 5400 .data begins | Raw address: 5400 | Raw size: 200 | Virtual address: (1C00)8000 | Virtual size: 00CA | Attributes: init data, read/write PTR DS:[1C008000h] 5400h 4 00 00 00 00 hInstanceDLL PTR DS:[1C008004h] 5404h 4 00 00 00 00 4th argument (hIcon) for DrawIcon at 1C00195D. Gets only set at 1C001D80 . PTR DS:[1C008008h] 5408h 4 00 00 00 00 OS Info: 0 if it is WinNT or Windows below version 4.0; 1 otherwise (i.e. Win9x and >= 4.0). PTR DS:[1C00800Ch] 540Ch 4 00 00 00 00 Pointer to a CreateSolidBrush handle (unknown purpose ???); WinNT/Win3x 1C008008==$0 => GetSysColor($00000105) => 1C00800C = CreateSolidBrush(???) = Black; Win9x 1C008008==$1 => GetSysColor($0000000F) => 1C00800C = CreateSolidBrush(COLOR_BTNFACE) = "Gray" PTR DS:[1C008010h] 5410h 4 00 00 00 00 The WindowMessage-ID the sliders send. This pointer is sent as argument #2 to the function Plugin.dll:RegisterSlider(hInstanceDll, output), and will be filled by the result of RegisterWindowMessageA("PSSlCmd"). PTR DS:[1C008014h] 5414h SZ %RGB-1.0 n/a PTR DS:[1C008020h] 5420h SZ %RGB-1.0 n/a PTR DS:[1C00802Ch] 542Ch 4? 00 00 00 00 ??? PTR DS:[1C008030h] 5430h 4? 00 00 00 00 ??? PTR DS:[1C008034h] 5434h 4? 0D 00 00 00 ??? PTR DS:[1C008038h] 5438h SZ afs n/a PTR DS:[1C00803Ch] 543Ch SZ afs n/a PTR DS:[1C008040h] 5440h SZ 8bf n/a PTR DS:[1C008044h] 5444h SZ 8bf n/a PTR DS:[1C008048h] 5448h SZ ... n/a PTR DS:[1C00804Ch] 544Ch SZ prolog Internal function name PTR DS:[1C008054h] 5454h SZ epilog Internal function name PTR DS:[1C00805Ch] 545Ch SZ , n/a PTR DS:[1C008060h] 5460h SZ ? n/a PTR DS:[1C008064h] 5464h SZ || Infix operator PTR DS:[1C008068h] 5468h SZ && Infix operator PTR DS:[1C00806Ch] 546Ch SZ | Infix operator PTR DS:[1C008070h] 5470h SZ ^ Infix operator PTR DS:[1C008074h] 5474h SZ & Infix operator PTR DS:[1C008078h] 5478h SZ << Infix operator PTR DS:[1C00807Ch] 547Ch SZ >> Infix operator PTR DS:[1C008080h] 5480h SZ == Infix operator PTR DS:[1C008084h] 5484h SZ != Infix operator PTR DS:[1C008088h] 5488h SZ < Infix operator PTR DS:[1C00808Ch] 548Ch SZ <= Infix operator PTR DS:[1C008090h] 5490h SZ > Infix operator PTR DS:[1C008094h] 5494h SZ >= Infix operator PTR DS:[1C008098h] 5498h SZ + Infix operator PTR DS:[1C00809Ch] 549Ch SZ - Infix operator PTR DS:[1C0080A0h] 54A0h SZ * Infix operator PTR DS:[1C0080A4h] 54A4h SZ / Infix operator PTR DS:[1C0080A8h] 54A8h SZ % Infix operator PTR DS:[1C0080ACh] 54ACh SZ ! Unary operator PTR DS:[1C0080B0h] 54B0h SZ ~ Unary operator PTR DS:[1C0080B4h] 54B4h SZ negate Internal function name PTR DS:[1C0080BCh] 54BCh SZ number Internal function name PTR DS:[1C0080C4h] 54C4h SZ error Internal function name PTR DS:[1C0080CAh] (END) 5600 .rsrc begins | Raw address: 5600 | Raw size: 5A00 | Virtual address: (1C00)9000 | Virtual size: 58A4 | Attributes: init data, read/write **** Root Directory see https://docs.microsoft.com/en-us/windows/desktop/debug/pe-format#resource-directory-table 0000 00 00 00 00 Characteristics 0004 3E CE CB 2F Time/Date Stamp = 31 May 1995 02:02:38 0008 00 00 Major Version = 0 000A 00 00 Minor Version = 0 000C 05 00 Number of Name Entries = 5 000E 05 00 Number of ID Entries = 5 0010 BE 03 00 80 Offset to name "FUNC" is 0x3BE 0014 60 00 00 80 Subdirectory at 0x60 0018 C8 03 00 80 Offset to name "OPER" is 0x3C8 001C 78 00 00 80 Subdirectory at 0x78 0020 AA 03 00 80 Offset to name "PARM" is 0x3AA 0024 90 00 00 80 Subdirectory at 0x90 0028 A0 03 00 80 Offset to name "PIPL" is 0x3A0 002C A8 00 00 80 Subdirectory at 0xA8 0030 B4 03 00 80 Offset to name "SYNM" is 0x3B4 0034 C0 00 00 80 Subdirectory at 0xC0 0038 03 00 00 00 ID = 3 [RT_ICON] 003C D8 00 00 80 Subdirectory at 0xD8 0040 05 00 00 00 ID = 5 [RT_DIALOG] 0044 F0 00 00 80 Subdirectory at 0xF0 0048 06 00 00 00 ID = 6 [RT_STRING] 004C 28 01 00 80 Subdirectory at 0x128 0050 0E 00 00 00 ID = 14 [RT_GROUP_ICON] 0054 40 01 00 80 Subdirectory at 0x140 0058 10 00 00 00 ID = 16 [RT_VERSION] 005C 58 01 00 80 Subdirectory at 0x158 **** Sub-Directory: "FUNC" 0060 00 00 00 00 Characteristics 0064 3E CE CB 2F Time/Date Stamp = 31 May 1995 02:02:38 0068 00 00 Major version = 0 006A 00 00 Minor version = 0 006C 00 00 Number of name entries = 0 006E 01 00 Number of ID entries = 1 0070 80 3E 00 00 ID = 16000 0074 70 01 00 80 Subdirectory at 0x170 **** Sub-Directory: "OPER" 0078 00 00 00 00 Characteristics 007C 3E CE CB 2F Time/Date Stamp = 31 May 1995 02:02:38 0080 00 00 Major version = 0 0082 00 00 Minor version = 0 0084 00 00 Number of name entries = 0 0086 01 00 Number of ID entries = 1 0088 80 3E 00 00 ID = 16000 008C 88 01 00 80 Subdirectory at 0x188 **** Sub-Directory: "PARM" 0090 00 00 00 00 Characteristics 0094 3E CE CB 2F Time/Date Stamp = 31 May 1995 02:02:38 0098 00 00 Major version = 0 009A 00 00 Minor version = 0 009C 00 00 Number of name entries = 0 009E 01 00 Number of ID entries = 1 00A0 10 00 00 00 ID = 16 00A4 A0 01 00 80 Subdirectory at 0x1A0 **** Sub-Directory: "PIPL" 00A8 00 00 00 00 Characteristics 00AC 3E CE CB 2F Time/Date Stamp = 31 May 1995 02:02:38 00B0 00 00 Major version = 0 00B2 00 00 Minor version = 0 00B4 00 00 Number of name entries = 0 00B6 01 00 Number of ID entries = 1 00B8 10 00 00 00 ID = 16 00BC B8 01 00 80 Subdirectory at 0x1b8 **** Sub-Directory: "SYNM" 00C0 00 00 00 00 Characteristics 00C4 3E CE CB 2F Time/Date Stamp = 31 May 1995 02:02:38 00C8 00 00 Major version = 0 00CA 00 00 Minor version = 0 00CC 00 00 Number of name entries = 0 00CE 01 00 Number of ID entries = 1 00D0 80 3E 00 00 ID = 16000 00D4 D0 01 00 80 Subdirectory at 0x1D0 **** Sub-Directory: RT_ICON(3) 00D8 00 00 00 00 Characteristics 00DC 3E CE CB 2F Time/Date Stamp = 31 May 1995 02:02:38 00E0 00 00 Major version = 0 00E2 00 00 Minor version = 0 00E4 00 00 Number of name entries = 0 00E6 01 00 Number of ID entries = 1 00E8 01 00 00 00 ID = 1 00EC E8 01 00 80 Subdirectory at 0x1E8 **** Sub-Directory: RT_DIALOG(5) 00F0 00 00 00 00 Characteristics 00F4 3E CE CB 2F Time/Date Stamp = 31 May 1995 02:02:38 00F8 00 00 Major version = 0 00FA 00 00 Minor version = 0 00FC 00 00 Number of name entries = 0 00FE 05 00 Number of ID entries = 5 0100 65 00 00 00 ID = 101 0104 00 02 00 80 Subdirectory at 0x200 0108 66 00 00 00 ID = 102 010C 18 02 00 80 Subdirectory at 0x218 0110 67 00 00 00 ID = 103 0114 30 02 00 80 Subdirectory at 0x230 0118 68 00 00 00 ID = 104 011C 48 02 00 80 Subdirectory at 0x248 0120 69 00 00 00 ID = 105 0124 60 02 00 80 Subdirectory at 0x260 **** Sub-Directory: RT_STRING(6) 0128 00 00 00 00 Characteristics 012C 3E CE CB 2F Time/Date Stamp = 31 May 1995 02:02:38 0130 00 00 Major version = 0 0132 00 00 Minor version = 0 0134 00 00 Number of name entries = 0 0136 01 00 Number of ID entries = 1 0138 7E 00 00 00 ID = 126 013C 78 02 00 80 Subdirectory at 0x278 **** Sub-Directory: RT_GROUP_ICON(14) 0140 00 00 00 00 Characteristics 0144 3E CE CB 2F Time/Date Stamp = 31 May 1995 02:02:38 0148 00 00 Major version = 0 014A 00 00 Minor version = 0 014C 00 00 Number of name entries = 0 014E 01 00 Number of ID entries = 1 0150 C9 00 00 00 ID = 201 0154 90 02 00 80 Subdirectory at 0x290 **** Sub-Directory: RT_VERSION(16) 0158 00 00 00 00 Characteristics 015C 3E CE CB 2F Time/Date Stamp = 31 May 1995 02:02:38 0160 00 00 Major version = 0 0162 00 00 Minor version = 0 0164 00 00 Number of name entries = 0 0166 01 00 Number of ID entries = 1 0168 01 00 00 00 ID = 1 016C A8 02 00 80 Subdirectory at 0x2A8 **** Sub-Directory: "FUNC"\16000 0170 00 00 00 00 Characteristics 0174 3E CE CB 2F Time/Date Stamp = 31 May 1995 02:02:38 0178 00 00 Major version = 0 017A 00 00 Minor version = 0 017C 00 00 Number of name entries = 0 017E 01 00 Number of ID entries = 1 0180 09 04 00 00 ID = 1033 (ENU) 0184 C0 02 00 00 Resource data entry at 0x2C0 **** Sub-Directory: "OPER"\16000 0188 00 00 00 00 Characteristics 018C 3E CE CB 2F Time/Date Stamp = 31 May 1995 02:02:38 0190 00 00 Major version = 0 0192 00 00 Minor version = 0 0194 00 00 Number of name entries = 0 0196 01 00 Number of ID entries = 1 0198 09 04 00 00 ID = 1033 (ENU) 019C D0 02 00 00 Resource data entry at 0x2D0 **** Sub-Directory: "PARM"\16 01A0 00 00 00 00 Characteristics 01A4 3E CE CB 2F Time/Date Stamp = 31 May 1995 02:02:38 01A8 00 00 Major version = 0 01AA 00 00 Minor version = 0 01AC 00 00 Number of name entries = 0 01AE 01 00 Number of ID entries = 1 01B0 09 04 00 00 ID = 1033 (ENU) 01B4 E0 02 00 00 Resource data entry at 0x2E0 **** Sub-Directory: "PIPL"\16 01B8 00 00 00 00 Characteristics 01BC 3E CE CB 2F Time/Date Stamp = 31 May 1995 02:02:38 01C0 00 00 Major version = 0 01C2 00 00 Minor version = 0 01C4 00 00 Number of name entries = 0 01C6 01 00 Number of ID entries = 1 01C8 09 04 00 00 ID = 1033 (ENU) 01CC F0 02 00 00 Resource data entry at 0x2F0 **** Sub-Directory: "SYNM"\16000 01D0 00 00 00 00 Characteristics 01D4 3E CE CB 2F Time/Date Stamp = 31 May 1995 02:02:38 01D8 00 00 Major version = 0 01DA 00 00 Minor version = 0 01DC 00 00 Number of name entries = 0 01DE 01 00 Number of ID entries = 1 01E0 09 04 00 00 ID = 1033 (ENU) 01E4 00 03 00 00 Resource data entry at 0x300 **** Sub-Directory: RT_ICON(3)\1 01E8 00 00 00 00 Characteristics 01EC 3E CE CB 2F Time/Date Stamp = 31 May 1995 02:02:38 01F0 00 00 Major version = 0 01F2 00 00 Minor version = 0 01F4 00 00 Number of name entries = 0 01F6 01 00 Number of ID entries = 1 01F8 09 04 00 00 ID = 1033 (ENU) 01FC 10 03 00 00 Resource data entry at 0x310 **** Sub-Directory: RT_DIALOG(5)\101 0200 00 00 00 00 Characteristics 0204 3E CE CB 2F Time/Date Stamp = 31 May 1995 02:02:38 0208 00 00 Major version = 0 020A 00 00 Minor version = 0 020C 00 00 Number of name entries = 0 020E 01 00 Number of ID entries = 1 0210 09 04 00 00 ID = 1033 (ENU) 0214 20 03 00 00 Resource data entry at 0x320 **** Sub-Directory: RT_DIALOG(5)\102 0218 00 00 00 00 Characteristics 021C 3E CE CB 2F Time/Date Stamp = 31 May 1995 02:02:38 0220 00 00 Major version = 0 0222 00 00 Minor version = 0 0224 00 00 Number of name entries = 0 0226 01 00 Number of ID entries = 1 0228 09 04 00 00 ID = 1033 (ENU) 022C 30 03 00 00 Resource data entry at 0x330 **** Sub-Directory: RT_DIALOG(5)\103 0230 00 00 00 00 Characteristics 0234 3E CE CB 2F Time/Date Stamp = 31 May 1995 02:02:38 0238 00 00 Major version = 0 023A 00 00 Minor version = 0 023C 00 00 Number of name entries = 0 023E 01 00 Number of ID entries = 1 0240 09 04 00 00 ID = 1033 (ENU) 0244 40 03 00 00 Resource data entry at 0x340 **** Sub-Directory: RT_DIALOG(5)\104 0248 00 00 00 00 Characteristics 024C 3E CE CB 2F Time/Date Stamp = 31 May 1995 02:02:38 0250 00 00 Major version = 0 0252 00 00 Minor version = 0 0254 00 00 Number of name entries = 0 0256 01 00 Number of ID entries = 1 0258 09 04 00 00 ID = 1033 (ENU) 025C 50 03 00 00 Resource data entry at 0x350 **** Sub-Directory: RT_DIALOG(5)\105 0260 00 00 00 00 Characteristics 0264 3E CE CB 2F Time/Date Stamp = 31 May 1995 02:02:38 0268 00 00 Major version = 0 026A 00 00 Minor version = 0 026C 00 00 Number of name entries = 0 026E 01 00 Number of ID entries = 1 0270 09 04 00 00 ID = 1033 (ENU) 0274 60 03 00 00 Resource data entry at 0x360 **** Sub-Directory: RT_STRING(6)\126 0278 00 00 00 00 Characteristics 027C 3E CE CB 2F Time/Date Stamp = 31 May 1995 02:02:38 0280 00 00 Major version = 0 0282 00 00 Minor version = 0 0284 00 00 Number of name entries = 0 0286 01 00 Number of ID entries = 1 0288 09 04 00 00 ID = 1033 (ENU) 028C 70 03 00 00 Resource data entry at 0x370 **** Sub-Directory: RT_GROUP_ICON(14)\201 0290 00 00 00 00 Characteristics 0294 3E CE CB 2F Time/Date Stamp = 31 May 1995 02:02:38 0298 00 00 Major version = 0 029A 00 00 Minor version = 0 029C 00 00 Number of name entries = 0 029E 01 00 Number of ID entries = 1 02A0 09 04 00 00 ID = 1033 (ENU) 02A4 80 03 00 00 Resource data entry at 0x380 **** Sub-Directory: RT_VERSION(16)\1 02A8 00 00 00 00 Characteristics 02AC 3E CE CB 2F Time/Date Stamp = 31 May 1995 02:02:38 02B0 00 00 Major version = 0 02B2 00 00 Minor version = 0 02B4 00 00 Number of name entries = 0 02B6 01 00 Number of ID entries = 1 02B8 09 04 00 00 ID = 1033 (ENU) 02BC 90 03 00 00 Resource data entry at 0x390 **** Resource data entry: "FUNC"\16000\1033(ENU) 02C0 EC BB 00 00 RVA 0xBBEC (-0x3a00 = 0x81ec raw) 02C4 44 02 00 00 Size: 0x244 02C8 00 00 00 00 Codepage = 0 02CC 00 00 00 00 Reserved, must be 0. **** Resource data entry: "OPER"\16000\1033(ENU) 02D0 30 BE 00 00 RVA 0xBE30 (-0x3a00 = 0x8430 raw) 02D4 D3 0A 00 00 Size: 0xad3 02D8 00 00 00 00 Codepage = 0 02DC 00 00 00 00 Reserved, must be 0. **** Resource data entry: "PARM"\16\1033(ENU) 02E0 14 98 00 00 RVA 0x9814 (-0x3a00 = 0x5E14 raw) 02E4 68 20 00 00 Size: 0x2068 02E8 00 00 00 00 Codepage = 0 02EC 00 00 00 00 Reserved, must be 0. **** Resource data entry: "PIPL"\16\1033(ENU) 02F0 F4 96 00 00 RVA 0x96F4 (-0x3a00 = 0x5cf4 raw) 02F4 1E 01 00 00 Size: 0x11E 02F8 00 00 00 00 Codepage = 0 02FC 00 00 00 00 Reserved, must be 0. **** Resource data entry: "SYNM"\16000\1033(ENU) 0300 7C B8 00 00 RVA 0xB87C (-0x3a00 = 0x7E7C raw) 0304 70 03 00 00 Size: 0x370 0308 00 00 00 00 Codepage = 0 030C 00 00 00 00 Reserved, must be 0. **** Resource data entry: RT_ICON(3)\1\1033(ENU) 0310 94 DE 00 00 RVA 0xDE94 (-0x3a00 = 0xA494 raw) 0314 E8 02 00 00 Size: 0x2e8 0318 00 00 00 00 Codepage = 0 031C 00 00 00 00 Reserved, must be 0. **** Resource data entry: RT_DIALOG(5)\101\1033(ENU) 0320 04 C9 00 00 RVA 0xC904 (-0x3a00 = 0x8F04 raw) 0324 22 05 00 00 Size: 0x522 0328 00 00 00 00 Codepage = 0 032C 00 00 00 00 Reserved, must be 0. **** Resource data entry: RT_DIALOG(5)\102\1033(ENU) 0330 28 CE 00 00 RVA 0xCE28 (-0x3a00 = 0x9428) 0334 22 05 00 00 Size: 0x522 0338 00 00 00 00 Codepage = 0 033C 00 00 00 00 Reserved, must be 0. **** Resource data entry: RT_DIALOG(5)\103\1033(ENU) 0340 4C D3 00 00 RVA 0xD34C (-0x3A00 = 0x994C raw) 0344 76 00 00 00 Size: 0x76 0348 00 00 00 00 Codepage = 0 034C 00 00 00 00 Reserved, must be 0. **** Resource data entry: RT_DIALOG(5)\104\1033(ENU) 0350 C4 D3 00 00 RVA 0xD3C4 (-0x3A00 = 0x99C4) 0354 D2 06 00 00 Size: 0x6D2 0358 00 00 00 00 Codepage = 0 035C 00 00 00 00 Reserved, must be 0. **** Resource data entry: RT_DIALOG(5)\105\1033(ENU) 0360 98 DA 00 00 RVA 0xDA98 (-0x3a00 = 0xa098 raw) 0364 FA 03 00 00 Size: 0x3fa 0368 00 00 00 00 Codepage = 0 036C 00 00 00 00 Reserved, must be 0. **** Resource data entry: RT_STRING(6)\126\1033(ENU) 0370 90 E1 00 00 RVA 0xE190 (-0x3a00 = 0xa790 raw) 0374 12 07 00 00 Size: 0x712 0378 00 00 00 00 Codepage = 0 037C 00 00 00 00 Reserved, must be 0. **** Resource data entry: RT_GROUP_ICON(14)\201\1033(ENU) 0380 7C E1 00 00 RVA 0xE17C (-0x3A00 = 0xA77C raw) 0384 14 00 00 00 Size: 0x14 0388 00 00 00 00 Codepage = 0 038C 00 00 00 00 Reserved, must be 0. **** Resource data entry: RT_VERSION(16)\1\1033(ENU) 0390 E0 93 00 00 RVA 0x93E0 (-0x3a00 = 0x59e0 raw) 0394 14 03 00 00 Size: 0x314 0398 00 00 00 00 Codepage = 0 039C 00 00 00 00 Reserved, must be 0. *** Name: "PIPL" 03A0 04 00 Length name of "PIPL" 03A2 50 00 49 00 50 00 4C 00 "PIPL" *** Name: "PARM" 03AA 04 00 Length name of "PARM" 03AC 50 00 41 00 52 00 4D 00 "PARM" *** Name: "SYNM" 03B4 04 00 Length name of "SYNM" 03B6 53 00 59 00 4E 00 4D 00 "SYNM" *** Name: "FUNC" 03BE 04 00 Length name of "FUNC" 03C0 46 00 55 00 4E 00 43 00 "FUNC" *** Name: "OPER" 03C8 04 00 Length name of "OPER" 03CA 4F 00 50 00 45 00 52 00 "OPER" *** Padding 03D2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 59E0 Resource: RT_VERSION(16)\1\1033(ENU); size = 0x314 Length Of Struc: 0314h Length Of Value: 0034h Type Of Struc: 0000h Info: VS_VERSION_INFO Signature: FEEF04BDh Struc Version: 1.0 File Version: 3.0.64.77 Product Version: 3.0.134.4 File Flags Mask: 0.63 File Flags: DEBUG; File OS: WINDOWS32 File Type: DLL File SubType: UNKNOWN File Date: 00:00:00 00/00/0000 Struc has Child(ren). Size: 696 bytes. Child Type: StringFileInfo Language/Code Page: 1033/1252 CompanyName: Adobe Systems, Inc. FileDescription: Photoshop Filter Plugin FileVersion: 3.0.4 InternalName: Filter Factory LegalCopyright: Copyright © Adobe Systems, Inc. 1989-1995 OriginalFilename: FFactory.8BF ProductName: Adobe Photoshop ProductVersion: 3.0.4 Child Type: VarFileInfo Translation: 1033/1252 5CF4 Resource: "PIPL"\16\1033(ENU); size: 0x11e 5E12 Padding; size: 2 5E14 Resource: "PARM"\16\1033(ENU); size: 0x2068 7E7C Resource: "SYNM"\16000\1033(ENU); size: 0x370 81EC Resource: "FUNC"\16000\1033(ENU); size: 0x244 8430 Resource: "OPER"\16000\1033(ENU); size: 0xad3 8F03 Padding; size: 1 8F04 Resource: RT_DIALOG(5)\101\1033(ENU); size: 0x522 9426 Padding; size: 2 9428 Resource: RT_DIALOG(5)\102\1033(ENU); size: 0x522 994A Padding; size: 2 994C Resource: RT_DIALOG(5)\103\1033(ENU); size: 0x76 99C2 Padding; size: 2 99C4 Resource: RT_DIALOG(5)\104\1033(ENU); size: 0x6d2 A096 Padding; size: 2 A098 Resource: RT_DIALOG(5)\105\1033(ENU); size: 0x3fa A492 Padding; size: 2 A494 Resource: RT_ICON(3)\1\1033(ENU); size: 2e8 A77C Resource: RT_GROUP_ICON(14)\201\1033(ENU); size: 0x14 32x32 4-bit; Icon Entry Ord: 1 A790 Resource: RT_STRING(6)\126\1033(ENU); size: 0x712 STRINGTABLE LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US { 2000, "Settings (*.afs)!*.afs!All Files (*.*)!*.*!" 2001, "An error occured while attempting to open the settings file." 2002, "An error occured while attempting to write to the settings file." 2003, "An error occured while attempting to read from the settings file. This file may not have the correct format." 2004, "An error occured while attempting to create a sample for this image. This operation cannot be completed." 2005, "Unable to allocate local memory. This operation cannot be completed." 2006, "The file '%s' already exists. Do you want to overwrite it?" 2007, "An error occured while attempting to create the file '%s' in the plug-in directory." 2008, "An error occured while attempting to create the file '%s' in the plug-in directory.\nIf you are using SHARE with Windows 3.1, refer to the ReadMe file for more information." 2009, "An error occured while attempting to write to the file '%s' in the plug-in directory." 2010, "The new filter '%s' was successfully created." } AEA2 Padding; size: 0x15e B000 .edata begins | Raw address: B000 | Raw size: 200 | Virtual address: (1C00)F000 | Virtual size: AA | Attributes: init data, read only "ENTRYPOINT1" at 1C0010C0 (file: 04C0) "AboutDlgProc" at 1C001540 (file: 0940) "EspressoDlgProc" at 1C001800 (file: 0C00) "BuildDlgProc" at 1C002340 (file: 1740) "SmallDlgProc" at 1C001fd0 (file: 13D0) B200 .idata begins | Raw address: B200 | Raw size: A00 | Virtual address: (1C0)10000 | Virtual size: 86A | Attributes: init data, read/write comdlg32.dll (Windows) GetOpenFileNameA GetSaveFileNameA GDI32.dll (Windows) CreateSolidBrush DeleteObject GetStockObject ExtTextOutA SetBkColor SetBkMode MSVCRT10.dll (Visual C++ Runtime) _chmod _access _splitpath _makepath _ftol _itoa atol KERNEL32.dll (Windows) CopyFileA OpenFile CloseHandle SetFileTime SystemTimeToFileTime GetLocalTime UnmapViewOfFile MapViewOfFile CreateFileMappingA GetFileSize CreateFileA _lclose GetVersion FreeResource LockResource LoadResource SizeOfResource FindResourceA _lread _lwrite GetModuleFileNameA DeleteFileA PLUGIN.dll (Photoshop) FixATan2 FracCos Fix2Long SetSliderPos WinToMacRect MacToWinRect UnRegisterSlider DisposPtr RegisterSlider CenterWindow FixDiv SetSliderRange NewPtr USER32.dll (Windows) GetDlgItemInt ReleaseDC GetWindowRect FrameRect InflateRect GetDC ClientToScreen PeekMessageA SetWindowTextA GetDlgItemTextA GetDlgItem ShowWindow SetTimer DialogBoxParamA SetDlgItemTextA EndDialog LoadstringA MessageBoxA GetClientRect GetSysColor GetSystemMetrics EnableWindow LoadIconA MessageBeep KillTimer DrawIcon SetDlgItemInt SendDlgItemMessageA UpdateWindow wsprintfA CheckDlgButton IsDlgButtonChecked SetFocus BC00 .reloc begins | Raw address: BC00 | Raw size: 400 | Virtual address: (1C0)11000 | Virtual size: 3F4 | Attributes: init data, read only, discardable 1C001000h (.text): 96 relocations 1C002000h (.text): 76 relocations 1C003000h (.text): 104 relocations 1C004000h (.text): 44 relocations 1C005000h (.text): 98 relocations C000 (EOF)