初夜

我怀念和你的初吻，以及那第一夜的秋凉。

终于要毕业了，大家每天都沉浸在饭局和泪水之中。借着酒力，我和每一个曾经有过好感的男生拥抱，仿佛他们今生不会再出现在我的生活。马上要离开这个给了我欢喜和忧愁的校园，未知的世界在等着我，未知的男人也在等着我。

我在北方，你在南方，你说我们的日子还很长，我们读着彼此想念的信，却在别处上着别人的床。人在江湖，蛋不由己，我学会了千奇百怪的姿势，一到晚上就鸡巴瞎忙，谁知道明天会遇到什么姑娘。

我们从这时开始建立起一种以快乐为宗旨的关系。我们像所有的情人一样，相互交换和分享着快乐、痛苦、失望和期望。谁也没有想过将来要怎么样。我的身体很
好，可是我很喜欢笑着谈论“死”的话题。有一天我说，如果我死了，我只要你一滴眼泪。他笑着捏我的鼻子，说，和我在一起，你怎么会死呢？然后吻我，不让我
说下去。这段关系以我的意外怀孕而告终。当我躺在手术台上结束孩子的生命时，对自己说：“别怕，他会站在手术室外拥抱我的。”但是，他没有出现。我删掉了
他的电话号码，他没必要再出现。

我参加了众多朋友的婚礼，有男有女，每个人脸上都画着希望，据说大学6班的那个荡妇嫁给了一个荣誉军人，而我上铺的兄弟逢人便说娶了一个黄花姑娘。还有几个不断离婚不断再婚的酒友，一边比着谁的年轻老婆更为败家，一边打着没有输赢的上楼麻将。




有一天，我喝了不少酒，打开家门口时已经头疼欲裂，突然有个人在身后出现，一把搂住了我，然后是令我喘不过
气来的强吻。……醉酒之后的**恍如梦中进行的一般，你知道对方在干什么，但是感受是那么的不真实，他进入的时候，我只有被动地接受，一下，两下，三
下……他的动作干脆利落，使我有种被猎获的耻辱感，但是我没法动弹，我不能再给他一个耳光……最后，当克制不住的快感使我颤抖之时，当我忍无可忍终于叫出
声的时候，他狠狠地咬了我一口，然后我听到他说了句：“我爱你。”

我只想说：偷来的性高潮，尤其快乐。但是快乐过后的空虚，让我忽然很想念和男人过去的时光。我抽了好几只烟，才放任自己给男人打了一个电话——我说：“我要回到你身旁……”。他竟然答应了，电话那边的声音有点模糊，是他哭了么？

于是，我们走入婚姻的殿堂，父母的笑容，丈母娘的眼泪，同学的唏嘘，前女友的漠然，一切都进行的顺理成章。婚礼上的你我衣冠楚楚，婚纱照上的你我一脸迷茫。那个晚上我们做了很久，我问你是哪里来的人鱼，于是那个夜晚就像童话一样漫长。
　　我们结婚了，所有的婚姻的开始都简单而俗气，嗯，就是这样。只有那个夜晚让我铭记。

黎明时传来噩耗，我们结婚时，上铺的兄弟死于布达拉宫边上的澡堂，他死在拉萨的一个姑娘身上，全身赤裸，五指伸长，据说他的灵魂可以得到宽恕，因为他在高潮中离去的时候，双眼正仰望着那湛蓝的天堂。
　　男人的好哥们儿伴着快感死去，或许他是幸福的，我望着身边的这个男人，会不会有一天他也这样离去？

好景不长，一个叫儿子的东西钻出了女人的身体，六斤七两，蛋黑把长，你说这是我们爱的结晶，我想这或许又是噩梦一场，我的父母把弄着孙子的命根，抹着眼泪说咱家从今以后子孙满堂。

我美丽苗条的女人成了宽宽胖胖的孩儿他娘，每天防着儿子在房里叮当乱撞，工作和家庭让我筋疲力尽，每天只想赖在舒服的床。这孩子聪明得像是妖精，刚学会说话就看着电视上一张大脸喊出了张朝阳。





俗话说，女人三十如狼四十如虎，我的女人却像只猛犸象，她不再保持身材，却有着更辣更久的欲望，每当孩子入睡，她就把俺拽向炕角，夜幕下，那是一张略带恐怖的脸庞，只是兄弟我日渐萎靡，不惑之年，胯下已经不再是一杆神枪。





但随着孩子慢慢长大，我发现欲望就像蛇又回到我的身体，也许是因为孩子在身边，那件事显得有种隐蔽的刺激。我在无限的缠绵中体会婚姻最初的热情，却发现男人的热情好像在渐渐的溜走。是孩子改变了我的身体，或者，是岁月改变了一切？





上帝保佑，一度皱眉的女人开始再度温柔，因为她的儿子才上小学，那玩意就长得比iphone还长。家长会上，老师说你们的儿子越来越喜欢进女厕所，我亲爱的女人便怒斥他是个文盲。她把我晾在一边，越来越关心儿子在屋里的样子，因此隔三差五才能想起来让我交出公粮。





残阳如血的某个时刻，我冷冷地笑着，手里有一支抽了一半的香烟。墙上有一个巨大的吊钟，沉默地走着。我觉得有点冷，把男人的毛衣披到了身上。那曾经让我呛的快死过去的烟现在乖乖地呆在我的指尖。





收拾残躯，重整旗鼓，我所谓的事业突飞猛进，上班大奔，周末公羊，我剥削着500多个城市的白领民工，我买
的中石油终于勃起得硬硬邦邦。我的女人说老公不错，而后把我的钱全存进了她的私人银行。办公室招来了新的小蜜，名叫Janny，前凸后撅，很像我老婆当年
的长相，只是这狐狸精太过放肆，开着董事会都是一副怀春模样。我说着企业战略公司管理，可脑子里禁不住想着她的裙下春光，我像小学生那样坐立不安，我的心
像和女人的第一次那样莺飞草长。




电话铃声突然响了起来，一声声如同催命的丧钟。
　　 “对不起，我今天很忙。”他在电话里说，然后是沉默。
　　 “那你忙吧……”挂了电话。我失声痛哭，瘫倒在地毯上。

那天傍晚外边打雷，我在办公室看着云外的夕阳，对天发誓这绝不是预谋，因为今晚还要和老婆去逛商场。Janny不知何时走了进来，说要向我汇报情况，我问
为什么你还不回家，她说回了家也是一个人独守空房。古人云啥也别说了，我们在宽大的办公桌上开辟了战场，奔五张的我竟然梅花三弄金枪不倒，这20岁的姑都
说超爽超爽。

我开始爱上了洗衣服，我想洗去男人衬衫上的陌生香水味，使劲地洗，可总是洗不干净。我把它们放在夏天很刺眼的阳光下晒，可是最后还是会有香水的味道。你的
毛衣，我亲手织的毛衣啊，它们也沾上了永远洗不干净的口红印。这是什么牌子的口红？我想去买一管，因为它是如此的持久。而我的口红却总是在热吻之后消失。

镜子里我的头发仍然乌黑，可那地方的毛却变得花白，女人说显然小头比大头还要操劳，你在外边肯定是男盗女娼。过了60你就一只脚进了棺材，看哪天一条狐狸
把你拉进坟场。对毛主席发誓，我只有那一次意外的疯狂，那狐狸精早已被我赶到深圳，去当了一个做假证老板的新娘。我的前列腺开始出现毛病，看见美女再不会
心荆荡漾。那曾经困惑的欲望终于莫名衰退，估计一年也弄不出精液半两。

除了丈夫和儿子，我有了第3个男人，一个有艺术气质的男人。我们每周约会，然后在潮湿的拥抱中小睡，然后回家。

我的儿子在重复着我的故事，只是他比我当年要厉害百倍，才干工作两年就换了七八个姑娘。他娘说小流氓随了老流氓，我说和谐社会年轻人都在成长。儿子不愿听我们老掉牙的故事，他说这年头女人只认钱，其他的都是逢场作戏嘿咻一场。

我56岁，丈夫开始变乖，除了应酬之外，不再有风花雪月的风流韵事。与此同时，19儿子也有了女朋友和性的秘密。

那天夜里，我的前列腺疼得要死，我无助地望着透入窗帘的月光，我的眼泪洒在我满是皱纹的手，我的女人却打着呼噜睡在梦乡。我的事业已经让我感到乏味，工商
税务天天把我折腾的神经紧张，我怀念和上铺的兄弟在街边啃煎饼的岁月，我怀念在女生宿舍前哭泣的时光。那一晚我带着眼泪入睡，黑白色的梦里，一树梨花正盛
开在无边的海棠上。

我经常在下午心跳加速，脸上燥热。我知道，自己即将告别卵子这个老朋友。这事儿悄悄来临，就像当年的月经初潮。我无法抗拒，不由得感到一些伤感。丈夫给我买了一些药。随着衰老的到来，他对我的体贴增加。遗憾的是，我们再也无法回到当年的激情。

我老了，不可思议地老了，很多人管我叫大爷，我再也不认为是在骂人。女护士在我身上绑了一个起搏器，我说能否给我下半身也装一个电香肠，小护士说老大爷你
色性难改，我那在轮椅上的老婆说他也就是说说装相。每一个夜晚我都怀疑明天能否醒来，每一个早晨女人都要伏在我的胸膛，他说你可不能走在我的前面，否则夜
里这张床上就会太过冰凉。

他会在我睡着的午后，静静地看着我，然后在阳光下读一本书。而我则经常在他睡着之后，用手抚摸他的额头。

我的朋友们接二连三地死去，我的儿子仍然在隔三差五地换着姑娘。那一天我看见女人银色的发，在昏黄的灯下
发着晶莹的光，我突然发现我是如此爱着这个女人，我突然后悔没有把所有的激情都留给她的欲望。如今我只能每天抚摸着她干枯的手和银色的发，问她是否喜欢那
风雨后宁静的阳光。

19岁的儿子去大学住校前，我最后一次给儿子洗内裤。阳光下，上面的存留物质闪闪发亮。那东西有着特殊的气味，在每个人的鼻子下，是不一样的。这是我的告别礼。

儿子终于有了他的合法配偶，她长得像卖人肉包子的孙二，女人整天在偷偷哭泣，说她心疼咱们的儿子，怎么他就取回来这么个蛮横糟糠。我倒不觉得儿子是吃错了药，那女人一定在床上特别擅长，他们的生活犹如黄钟大吕，整天把席梦思整的兵兵邦邦。

62岁，儿子结婚了，而我开始信仰宗教。《圣经》是一本有趣的书。因为它不仅仅是关于神的，其实，也是关于性的。性让亚当和夏娃繁衍了人类；淫亵的性让上
帝毁灭了人类；luanlun的性让罗得的女儿们延续了人类……只要有人的地方，有男女的地方，必然有性。我虽然已经逐渐告别性生活，但我却发现了有趣的
性理论。尤其当我从《圣经》感受到宗教对于性的神秘诠释之后，觉得无比欢喜。我要赞美主，赞美神，赞美生活，赞美……性。也许这就是人生，当你告别一件东
西，才越发觉出它的美好。

好在这媳妇还算踏实，很快就生出一个孩子，女人上前翻了半天，脸色阴沉，跟我说她的心拔凉拔凉。这孩子再不会蛋黑把长，因为她根本就没长出那么个鸟样。

68岁的我，当了祖母。那个时候我正在家里煮着鸡汤，丈夫在客厅接了电话，儿子告诉他，我们刚刚有了第三
代。我迫不及待地赶去医院，满心欢喜地要看看他的把儿有多长，可事实却让我那么的失望，虽然她也长得像天使一样可爱。然而，这孩子却不再蛋黒把长，真的，
别怪我重男轻女，那是不一样的滋味。

经常路过我家门口的那只老猫再没出现，想必是不知老死在哪个垃圾场。我连下床都变得艰难，可我亲爱的女人竟然又能下地，她说她梦见了少年时的我，拉着她跑过一片片红色的高粱。

我们都老了，我明显地觉得腿脚不如从前，爬楼的时候是那么的吃力，而我的男人连下床都很困难。我爱上了回忆，无论是白天还是梦里，我想着男人，也想着记忆中曾经说过爱我的那些男人，偶尔竟然会有想要的欲望。

那天她帮我洗澡，在温暖的浴缸里，她的手温柔地抚过我的身体，我惊讶地发现那个东西竟然翘起，我浑身都有要飞的轻畅。女人说你个老鬼还不正经，当心摧毁你
那脆弱的心脏。我笑着答看来杨振宁也不过如此，没准我是比他还要好使的一把老枪。女人爱抚地摸着那个东西，眼角竟有了淡淡的泪光，她说如果你愿意，我们就
玩儿命再干上最后一场。

男人已经一周没有洗澡，我搀扶他坐进浴缸，摸着他依然厚实的肩膀，内心里多了些许的感伤，这是我守了大半辈子的男人，可总有一天我们要各自奔天堂。男人不顾死活地要重拾起他那把老枪，而这一次也成就了我们一生的最难忘。

那最后一次的激情险些要了我的老命，可我们的行为却遭到了儿女的强烈表扬，儿子说老爸你真了不起，都站不起来了竟还能跃马拧枪。媳妇说你们真是夫妻楷模，
应该上CCTV说一下事后感想。这疯狂的代价是在医院半年的休养，等出院时，我已经离不开手上那根难看的拐杖。女人问我后不后悔，我说这是我一辈子最高兴
的时光，如果那一天我真的去了，我也会笑着走进满是美女的天堂。

男人住院了，毕竟已是70几岁的人，哪经得住那样的疯狂。儿孙每日奔波于医院和家，而我也会为他煲上一锅汤。我依然终日沉浸在回忆之中，不久于世的伤感让
我渴望听到那些曾经跟我耳鬓厮磨过的声音。颤抖地拿起电话，一通、两通、三通…那些给过我高潮的男人们却都已经离开了这个美丽的人间。

我终于彻底死心，全心全意地迎接我出院归来的男人。我们又仿佛回到少年时的模样，每天拉着手慢慢地走在路上，说着只有我俩才懂的情伤。

从此我们再无遗憾，我们每天拉着手，满意地坐在门口的摇椅上，门口来了新的小猫，它喜欢抱着我们的腿，舔着我们的手，扑着天空里飞舞的豆娘。

不知不觉我们的孙女又生了一个大胖小子，我们家竟然已经四世同堂。已经要瞎眼的女人大声说赶紧看看那玩意儿究竟什么成色，孙女婿说是白花花的一串，有点像
老头花生的怪样。女人嘟囔着说这小子不是男人，将来很可能窝窝囊囊。我说你干吗操这一百年后的心，眼都瞎了还惦记着那玩意多黑多长。

92岁，我有了重孙子，我们家竟然已经四世同堂。但是我已经看不清那孩子什么模样。孩子刚学会走路不久，男人在一次踏青中脑溢血住进了重症病房。

那天我们依然在一起晒着太阳，刚会走路的重孙子向我伸出小手，我猜是他想让我帮他撒尿，就挣扎起来要把他抱上。我的眼前突然发黑，然后跟着掠起一片白光。醒来时我已经躺倒在地，孩子的温暖的尿正呲在我的脸上，我想喊我的女人，可却不忍打搅她的梦乡。

我知道这颗心脏就要停止跳动，可我宁愿如此，默默地去寻找传说中的天堂。那孩子哭着叫着，我只微笑着看着他颤巍巍的小鸡鸡，轻声说孩子别怕，老爷爷就此去了，你的路还有很长，很长……

男人终于弃我而去。作为一个女人，我的一生如此丰富。有激情，有痛苦，有欢乐，有眼泪。作为一个女人，我也许不是规矩和忠诚的。但我忠于自己的身体，和自
己的欲望；我对得起自己，也不想伤害别人。如果我做的不够好，请原谅。我，只是个最普通不过的女人而已。说不定，如我这样的女人，应该也可以上天堂。

这是一个美好的春天，但我想我该走了——病房里洁白安静，空气里有消毒水的芬芳。我翻阅着记忆的相册，想起，想起我的男人，想起经济系男生、艺术史老师、想起我的那个他不曾知道，而且永远也不会知道了的情人……

Downloads

Windows NT 3.51 (I mean, Win3.1, Win95, Win98 were not perfect OSs). The MS-DOS data causes that your executable file to have the performance inside MS-DOS and the MS-DOS Stub program lets it display: "This program can not be run in MS-DOS mode" or "This program can be run only in Windows mode", or some things like these comments when you try to run a Windows EXE file inside MS-DOS 6.0, where there is no footstep of Windows. Thus, this data is reserved for the code to indicate these comments in the MS-DOS operating system. The most interesting part of the MS-DOS data is "MZ"! Can you believe, it refers to the name of "Mark Zbikowski", one of the first Microsoft programmers?

0 Preface

You might demand to comprehend the ways a virus program injects its procedure into the interior of a portable executable file and corrupts it, or you are interested in implementing a packer or a protector to encrypt the data of your portable executable (PE) file. This article is committed to represent a brief discussion to realize the performance that is accomplished by EXE tools or some kinds of mal-ware.

You can employ this article’s source code to create your custom EXE builder. It could be used to make an EXE protector in the right way, or with the wrong intention, to spread a virus. However, my purpose of writing this article has been the first application, so I will not be responsible for the immoral usage of these methods.

1 Prerequisites

There are no specific mandatory prerequisites to follow the topics in this article. If you are familiar with a debugger and also the portable file format, I suggest you to drop to Sections 2 and 3; the whole of these sections has been made for people who don’t have any knowledge regarding the EXE file format or debuggers.

2 Portable Executable File Format

The Portable Executable file format was defined to provide the best way for the Windows Operating System to execute code and also to store the essential data that is needed to run a program—for example constant data, variable data, import library links, and resource data. It consists of MS-DOS file information, Windows NT file information, Section Headers, and Section images, as shown in Table 1.

2.1 The MS-DOS data

These data let you remember the first days of developing the Windows Operating System. You were at the beginning of a way to achieve a complete Operating System such as

To me, only the offset of the PE signature in the MS-DOS data is important, so I can use it to find the position of the Windows NT data. I just recommend that you take a look at Table 1, and then observe the structure of IMAGE_DOS_HEADER in the <winnt.h> header in the <Microsoft Visual Studio .net path>\VC7\PlatformSDK\include\ folder or the <Microsoft Visual Studio 6.0 path>\VC98\include\ folder. I do not know why the Microsoft team has forgotten to provide some comment about this structure in the MSDN library!

typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header "MZ"    WORD   e_magic;                // Magic number    WORD   e_cblp;                 // Bytes on last page of file    WORD   e_cp;                   // Pages in file    WORD   e_crlc;                 // Relocations    WORD   e_cparhdr;              // Size of header in                                   // paragraphs    WORD   e_minalloc;             // Minimum extra paragraphs                                   // needed    WORD   e_maxalloc;             // Maximum extra paragraphs                                   // needed    WORD   e_ss;                   // Initial (relative) SS                                   // value    WORD   e_sp;                   // Initial SP value    WORD   e_csum;                 // Checksum    WORD   e_ip;                   // Initial IP value    WORD   e_cs;                   // Initial (relative) CS                                   // value    WORD   e_lfarlc;               // File address of relocation                                   // table    WORD   e_ovno;                 // Overlay number    WORD   e_res[4];               // Reserved words    WORD   e_oemid;                // OEM identifier                                   // (for e_oeminfo)    WORD   e_oeminfo;              // OEM information;                                   // e_oemid specific    WORD   e_res2[10];             // Reserved words    LONG   e_lfanew;               // File address of the new                                   // exe header  } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;

e_lfanew is the offset that refers to the position of the Windows NT data. I have provided a program to obtain the header information from an EXE file and to display it to you. To use the program, just try:

PE Viewer

(Full Size Image)

(Full Size Image)

This sample is useful for the whole of this article.

Table 1: Portable Executable file format structure

MS-DOS information	IMAGE_DOS_ HEADER	DOS EXE Signature	00000000 ASCII "MZ"00000002 DW 009000000004 DW 000300000006 DW 000000000008 DW 00040000000A DW 00000000000C DW FFFF0000000E DW 000000000010 DW 00B800000012 DW 000000000014 DW 000000000016 DW 000000000018 DW 00400000001A DW 00000000001C DB 00b&b&0000003B DB 000000003C DD 000000F0
		DOS_PartPag
		DOS_PageCnt
		DOS_ReloCnt
		DOS_HdrSize
		DOS_MinMem
		DOS_MaxMem
		DOS_ReloSS
		DOS_ExeSP
		DOS_ChkSum
		DOS_ExeIPP
		DOS_ReloCS
		DOS_TablOff
		DOS_Overlay
		b& Reserved words b&
		Offset to PE signature
	MS-DOS Stub Program	00000040 ..B:..B4.C!B8\LC!This program canno00000060 t be run in DOS mode....$.......
Windows NT information IMAGE_ NT_HEADERS	Signature	PE signature (PE)	000000F0 ASCII "PE"
	IMAGE_ FILE_HEADER	Machine	000000F4 DW 014C000000F6 DW 0003000000F8 DD 3B7D8410000000FC DD 0000000000000100 DD 0000000000000104 DW 00E000000106 DW 010F
		NumberOfSections
		TimeDateStamp
		PointerToSymbolTable
		NumberOfSymbols
		SizeOfOptionalHeader
		Characteristics
	IMAGE_ OPTIONAL_ HEADER32	MagicNumber	00000108 DW 010B0000010A DB 070000010B DB 000000010C DD 0001280000000110 DD 00009C0000000114 DD 0000000000000118 DD 000124750000011C DD 0000100000000120 DD 0001400000000124 DD 0100000000000128 DD 000010000000012C DD 0000020000000130 DW 000500000132 DW 000100000134 DW 000500000136 DW 000100000138 DW 00040000013A DW 00000000013C DD 0000000000000140 DD 0001F00000000144 DD 0000040000000148 DD 0001D7FC0000014C DW 00020000014E DW 800000000150 DD 0004000000000154 DD 0000100000000158 DD 001000000000015C DD 0000100000000160 DD 0000000000000164 DD 00000010
		MajorLinkerVersion
		MinorLinkerVersion
		SizeOfCode
		SizeOfInitializedData
		SizeOfUninitializedData
		AddressOfEntryPoint
		BaseOfCode
		BaseOfData
		ImageBase
		SectionAlignment
		FileAlignment
		MajorOSVersion
		MinorOSVersion
		MajorImageVersion
		MinorImageVersion
		MajorSubsystemVersion
		MinorSubsystemVersion
		Reserved
		SizeOfImage
		SizeOfHeaders
		CheckSum
		Subsystem
		DLLCharacteristics
		SizeOfStackReserve
		SizeOfStackCommit
		SizeOfHeapReserve
		SizeOfHeapCommit
		LoaderFlags
		NumberOfRvaAndSizes
		IMAGE_ DATA_DIRECTORY[16]	Export Table
			Import Table
			Resource Table
			Exception Table
			Certificate File
			Relocation Table
			Debug Data
			Architecture Data
			Global Ptr
			TLS Table
			Load Config Table
			Bound Import Table
			Import Address Table
			Delay Import Descriptor
			COM+ Runtime Header
			Reserved
Sections information	IMAGE_ SECTION_ HEADER[0]	Name[8]	000001E8 ASCII".text"000001F0 DD 000126B0000001F4 DD 00001000000001F8 DD 00012800000001FC DD 0000040000000200 DD 0000000000000204 DD 0000000000000208 DW 00000000020A DW 00000000020C DD 60000020 CODE|EXECUTE|READ
		VirtualSize
		VirtualAddress
		SizeOfRawData
		PointerToRawData
		PointerToRelocations
		PointerToLineNumbers
		NumberOfRelocations
		NumberOfLineNumbers
		Characteristics
	b& b& b& IMAGE_ SECTION_ HEADER[n]	00000210 ASCII".data"; SECTION00000218 DD 0000101C ; VirtualSize = 0x101C0000021C DD 00014000 ; VirtualAddress = 0x1400000000220 DD 00000A00 ; SizeOfRawData = 0xA0000000224 DD 00012C00 ; PointerToRawData = 0x12C0000000228 DD 00000000 ; PointerToRelocations = 0x00000022C DD 00000000 ; PointerToLineNumbers = 0x000000230 DW 0000 ; NumberOfRelocations = 0x000000232 DW 0000 ; NumberOfLineNumbers = 0x000000234 DD C0000040 ; Characteristics = INITIALIZED_DATA|READ|WRITE00000238 ASCII".rsrc"; SECTION00000240 DD 00008960 ; VirtualSize = 0x896000000244 DD 00016000 ; VirtualAddress = 0x1600000000248 DD 00008A00 ; SizeOfRawData = 0x8A000000024C DD 00013600 ; PointerToRawData = 0x1360000000250 DD 00000000 ; PointerToRelocations = 0x000000254 DD 00000000 ; PointerToLineNumbers = 0x000000258 DW 0000 ; NumberOfRelocations = 0x00000025A DW 0000 ; NumberOfLineNumbers = 0x00000025C DD 40000040 ; Characteristics = INITIALIZED_DATA|READ
	SECTION[0]	00000400 EA 22 DD 77 D7 23 DD 77 C*"C.wC.#C.w00000408 9A 18 DD 77 00 00 00 00 E!.C.w....00000410 2E 1E C7 77 83 1D C7 77 ..C.wF..C.w00000418 FF 1E C7 77 00 00 00 00 C?.C.w....00000420 93 9F E7 77 D8 05 E8 77 b.E8C'wC..C(w00000428 FD A5 E7 77 AD A9 E9 77 C=B%C'w­B)C)w00000430 A3 36 E7 77 03 38 E7 77 B#6C'w.8C'w00000438 41 E3 E6 77 60 8D E7 77 AC#C&w`BC'w00000440 E6 1B E6 77 2B 2A E7 77 C&.C&w+*C'w00000448 7A 17 E6 77 79 C8 E6 77 z.C&wyC.C&w00000450 14 1B E7 77 C1 30 E7 77 ..C'wC.0C'wb&
	b& b& b& SECTION[n]	b&0001BF00 63 00 2E 00 63 00 68 00 c...c.h.0001BF08 6D 00 0A 00 43 00 61 00 m...C.a.0001BF10 6C 00 63 00 75 00 6C 00 l.c.u.l.0001BF18 61 00 74 00 6F 00 72 00 a.t.o.r.0001BF20 11 00 4E 00 6F 00 74 00 ..N.o.t.0001BF28 20 00 45 00 6E 00 6F 00 .E.n.o.0001BF30 75 00 67 00 68 00 20 00 u.g.h. .0001BF38 4D 00 65 00 6D 00 6F 00 M.e.m.o.0001BF40 72 00 79 00 00 00 00 00 r.y.....0001BF48 00 00 00 00 00 00 00 00 ........0001BF50 00 00 00 00 00 00 00 00 ........0001BF58 00 00 00 00 00 00 00 00 ........0001BF60 00 00 00 00 00 00 00 00 ........0001BF68 00 00 00 00 00 00 00 00 ........0001BF70 00 00 00 00 00 00 00 00 ........0001BF78 00 00 00 00 00 00 00 00 ........

2.2 The Windows NT data

As mentioned in the preceding section, e_lfanew storage in the MS-DOS data structure refers to the location of the Windows NT information. Hence, if you assume that the pMem pointer relates the start point of the memory space for a selected portable executable file, you can retrieve the MS-DOS header and also the Windows NT headers by the following lines, which you also can perceive in the PE viewer sample (pelib.cpp, PEStructure::OpenFileName()):

IMAGE_DOS_HEADER        image_dos_header;IMAGE_NT_HEADERS        image_nt_headers;PCHAR pMem;b&memcpy(&image_dos_header, pMem,       sizeof(IMAGE_DOS_HEADER));memcpy(&image_nt_headers,       pMem+image_dos_header.e_lfanew,       sizeof(IMAGE_NT_HEADERS));

IMAGE_NT_HEADERS structure definition. It makes it possible to grasp what the image NT header maintains to execute a code inside the Windows NT OS. Now, you are conversant with the Windows NT structure; it consists of the "PE" Signature, the File Header, and the Optional Header. Do not forget to take a glimpse at their comments in the MSDN Library and in Table 1.

It seems to be very simple, the retrieval of the headers information. I recommend inspecting the MSDN library regarding the

One the whole, I consider merely, in most circumstances, the following cells of the IMAGE_NT_HEADERS structure:

FileHeader->NumberOfSectionsOptionalHeader->AddressOfEntryPointOptionalHeader->ImageBaseOptionalHeader->SectionAlignmentOptionalHeader->FileAlignmentOptionalHeader->SizeOfImageOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]              ->VirtualAddressOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]              ->Size

You can observe the main purpose of these values clearly, and their role when the internal virtual memory space allocated for an EXE file by the Windows task manager if you pay attention to their explanations in MSDN library, so I am not going to repeat the MSDN annotations here.

I should make a brief comment regarding the PE data directories, or OptionalHeader-> DataDirectory[], because I think there are a few aspects of interest concerning them. When you come to survey the Optional header through the Windows NT information, you will find that there are 16 directories at the end of the Optional Header, where you can find the consecutive directories, including their Relative Virtual Address and Size. I just mention here the notes from <winnt.h> to clarify these information:

// Export Directory#define IMAGE_DIRECTORY_ENTRY_EXPORT          0// Import Directory#define IMAGE_DIRECTORY_ENTRY_IMPORT          1// Resource Directory#define IMAGE_DIRECTORY_ENTRY_RESOURCE        2// Exception Directory#define IMAGE_DIRECTORY_ENTRY_EXCEPTION       3// Security Directory#define IMAGE_DIRECTORY_ENTRY_SECURITY        4// Base Relocation Table#define IMAGE_DIRECTORY_ENTRY_BASERELOC       5// Debug Directory#define IMAGE_DIRECTORY_ENTRY_DEBUG           6// Architecture Specific Data#define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE    7// RVA of GP#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR       8// TLS Directory#define IMAGE_DIRECTORY_ENTRY_TLS             9// Load Configuration Directory#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    10// Bound Import Directory in headers#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   11// Import Address Table#define IMAGE_DIRECTORY_ENTRY_IAT            12// Delay Load Import Descriptors#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   13// COM Runtime descriptor#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14

The last one (15) was reserved for use in the future; I have not yet seen any purpose for it, even in PE64.

For instance, if you want to perceive the relative virtual address (RVA) and the size of the resource data, it is enough to retrieve them by:

DWORD dwRVA  = image_nt_headers.OptionalHeader->   DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE]->VirtualAddress;DWORD dwSize = image_nt_headers.OptionalHeader->   DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE]->Size;

To comprehend more regarding the significance of data directories, I forward you to Section 3.4.3 of the Microsoft Portable Executable and the Common Object File Format Specification document by Microsoft, and furthermore Section 6 of this document, where you discern the various types of sections and their applications. You will see the section’s advantage subsequently.

2.3 The Section Headers and Sections

You currently observe how the portable executable files declare the location and the size of a section on a disk storage file and inside the virtual memory space allocated for the program with IMAGE_NT_HEADERS-> OptionalHeader->SizeOfImage by the Windows task manager, as well the characteristics to demonstrate the type of the section. To better understand the Section header as my previous declaration, I suggest having a brief look at the IMAGE_SECTION_HEADER structure definition in the MSDN library. For an EXE packer developer, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, and Characteristics cells have significant rules. When developing an EXE packer, you should be clever enough to play with them. There are somet hings to note when you modify them; you should take care to align the VirtualSize and VirtualAddress according to OptionalHeader->SectionAlignment, as well as SizeOfRawData and PointerToRawData in line with OptionalHeader->FileAlignment. Otherwise, you will corrupt your target EXE file and it will never run. Regarding Characteristics, I pay attention mostly to establish a section by IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_CNT_INITIALIZED_DATA, I prefer that my new section has the ability to initialize such data during the running process, such as import table; besides, I need it to be able to modify itself by the loader with my settings in the section characteristics to read- and writeable.

Moreover, you should pay attention to the section names; you can know the purpose of each section by its name. I will just forward you to Section 6 of the Microsoft Portable Executable and the Common Object File Format Specification documents. I believe it represents the totality of sections by their names; this is also included in Table 2.

Table 2: Section names

".text"	Code Section
"CODE"	Code Section of file linked by Borland Delphi or Borland Pascal
".data"	Data Section
"DATA"	Data Section of file linked by Borland Delphi or Borland Pascal
".rdata"	Section for Constant Data
".idata"	Import Table
".edata"	Export Table
".tls"	TLS Table
".reloc"	Relocation Information
".rsrc"	Resource Information

To comprehend the section headers and also the sections, you can run the sample PE viewer. With this PE viewer, you can realize only the application of the section headers in a file image, so to observe the main significance in the Virtual Memory, you should try to load a PE file by a debugger. The next section represents the main idea of using the virtual address and size in the virtual memory by using a debugger. The last note is about IMAGE_NT_HEADERS-> FileHeader->NumberOfSections, that provides a number of sections in a PE file. Do not forget to adjust it whenever you remove or add some sections to a PE file. I am talking about section injection!

3 Debugger, Disassembler and some Useful Tools

In this part, you will become familiar with the necessary and essential equipment to develop your PE tools.

3.1 Debuggers

The first essential prerequisite to become a PE tools developer is to have enough experience with bug tracer tools. Furthermore, you should know most of the assembly instructions. To me, the Intel documents are the best references. You can obtain them from the Intel site for IA-32, and on top of that IA-64; the future belongs to IA-64 CPUs, Windows XP 64-bit, and also PE64!

• IA-32 Intel Architecture Software Developer’s Manuals
• Intel Itanium Architecture Assembly Language Reference Guide
• The Intel Itanium Processor Developer Resource Guide

To trace a PE file, SoftICE by Compuware Corporation, I knew it also as named NuMega when I was at high school, is the best debugger in the world. It implements process tracing by using the kernel mode method debugging without applying Windows debugging application programming interface (API) functions. In addition, I will introduce one perfect debugger in user mode level. It utilizes the Windows debugging API to trace a PE file and also attaches itself to an active process. These API functions have been provided by Microsoft teams, inside the Windows Kernel32 library, to trace a specific process, by using Microsoft tools, or perhaps, to make your own debugger! Some of those API functions inlude:

• CreateThread()
• CreateProcess()
• OpenProcess()
• DebugActiveProcess()
• GetThreadContext()
• SetThreadContext()
• ContinueDebugEvent()
• DebugBreak()
• ReadProcessMemory()
• WriteProcessMemory()
• SuspendThread()
• ResumeThread()

3.1.1 SoftICE

It was in 1987; Frank Grossman and Jim Moskun decided to establish a company called NuMega Technologies in Nashua, NH, to develop some equipment to trace and test the reliability of Microsoft Windows software programs. Now, it is a part of Compuware Corporation and its product has participated to accelerate the reliability in Windows software, and additionally in Windows driver developments. Currently, everyone knows the Compuware DriverStudio that is used to establish an environment for implementing the elaboration of a kernel driver or a system file by aiding the Windows Driver Development Kit (DDK). It bypasses the involvement of DDK to implement a portable executable file of kernel level for a Windows system software developer. For us, only one instrument of DriverStudio is important, SoftICE; this debugger can be used to trace every portable executable file, a PE file for user mode level or a PE file for kernel mode level.

Figure 1: SoftICE Window

EAX=00000000EBX=7FFDD000 ECX=0007FFB0 EDX=7C90EB94 ESI=FFFFFFFF EDI=7C919738 EBP=0007FFF0 ESP=0007FFC4 EIP=010119E0 o d i s z a p c CS=0008 DS=0023 SS=0010 ES=0023 FS=0030 GS=0000 SS:0007FFC4=87C816D4F

0023:01013000 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ……………. 0023:01013010 01 00 00 00 20 00 00 00-0A 00 00 00 0A 00 00 00 ……………. 0023:01013020 20 00 00 00 00 00 00 00-53 63 69 43 61 6C 63 00 ……..SciCalc. 0023:01013030 00 00 00 00 00 00 00 00-62 61 63 6B 67 72 6F 75 ……..backgrou 0023:01013040 6E 64 00 00 00 00 00 00-2E 00 00 00 00 00 00 00 nd…………..

0010:0007FFC4 4F 6D 81 7C 38 07 91 7C-FF FF FF FF 00 90 FD 7F Om |8 b.| . 0010:0007FFD4 ED A6 54 80 C8 FF 07 00-E8 B4 F5 81 FF FF FF FF T . 0010:0007FFE4 F3 99 83 7C 58 6D 81 7C-00 00 00 00 00 00 00 00 Xm |…….. 0010:0007FFF4 00 00 00 00 E0 19 01 01-00 00 00 00 00 00 00 00 …. ….

010119E0 PUSH EBP 010119E1 MOV EBP,ESP 010119E3 PUSH -1 010119E5 PUSH 01001570 010119EA PUSH 01011D60 010119EF MOV EAX,DWORD PTR FS:[0] 010119F5 PUSH EAX 010119F6 MOV DWORD PTR FS:[0],ESP 010119FD ADD ESP,-68 01011A00 PUSH EBX 01011A01 PUSH ESI 01011A02 PUSH EDI 01011A03 MOV DWORD PTR SS:[EBP-18],ESP 01011A06 MOV DWORD PTR SS:[EBP-4],0

:_

3.1.2 OllyDbg

It was about four years ago that I first saw this debugger by chance. For me, it was the best choice; I was not wealthy enough to purchase SoftICE, and at that time, SoftICE only had good functions for DOS, Windows 98, and Windows 2000. I found that this debugger supported all kinds of Windows versions. Therefore, I started to learn it very fast, and now it is my favorite debugger for the Windows OS. It is a debugger that can be used to trace all kinds of portable executable files except a Common Language Infrastructure (CLI) file format in user mode level, by using the Windows debugging API. Oleh Yuschuk, the author, is one of worthiest software developers I have seen in my life. He is a Ukrainian who now lives in Germany. I should mention here that his debugger is the best choice for hacker and cracker parties around the world! It is freeware! You can try it from the OllyDbg Homepage.

Figure 2: OllyDbg CPU Window

Proview or PVDasm is an admirable disassembler by the Reverse-Engineering-Community; it is still under development and bug fixing. You can find its disassmbler source engine and employ it to create your own disassembler.

3.2.2 W32Dasm

W32DASM can disassemble both 16- and 32-bit executable file formats. In addition to its disassembling ability, you can employ it to analyze import, export, and resource data directories data.

3.2.3 IDA Pro

All reverse-engineering experts know that IDA Pro can be used to investigate, not only x86 instructions, but that of various kinds of CPU types like AVR, PIC, and so forth. It can illustrate the assembly source of a portable executable file by using colored graphics and tables, and is very useful for any newbie in this area. Furthermore, it has the capability to trace an executable file inside the user mode level in the same way as OllyDbg.

3.3 Some Useful Tools

A good PE tools developer is conversant with the tools that save his time, so I recommend that you select some appropriate instruments to investigate the base information under a portable executable file.

3.3.1 LordPE

LordPE by y0da is still the first choice to retrieve PE file information with the possibility to modify them.

3.3.2 PEiD

PE iDentifier is valuable to identify the type of compilers, packers, and cryptors of PE files. As of now, it can detect more than 500 different signature types of PE files.

3.3.3 Resource Hacker

Resource Hacker can be employed to modify resource directory information; icon, menu, version info, string table, and so on.

3.3.4 WinHex

WinHex, it is clear what you can do with this tool.

3.3.5 CFF Explorer

Eventually, CFF Explorer by Ntoskrnl is what you want to have as a PE Utility tool in your arsenal; it supports PE32/64, PE rebuild included Common Language Infrastructure (CLI) file. In other words, the .NET file, a resource modifier, and much more facilities which can not be found in others. Just try to discover every unimaginable option by hand.

4 Add a New Section and Change the OEP

You are ready to do the first step of making your project. I have provided a library to add a new section and rebuild the portable executable file. Before starting, I wnat you to get familiar with the headers of a PE file, by using OllyDbg. You should first open a PE file; that pops up a menu, View->Executable file. Again, you get a popup menu: Special->PE header. You will observe a scene similar to Figure 3. Now, come to the Main Menu View->Memory, and try to distinguish the sections inside the Memory map window.

Figure 3

00000000000000020000000400000006000000080000000A0000000C0000000E00000010000000120000001400000016000000180000001A0000001C0000001D0000001E0000001F000000200000002100000022000000230000002400000025000000260000002700000028000000290000002A0000002B0000002C0000002D0000002E0000002F000000300000003100000032000000330000003400000035000000360000003700000038000000390000003A0000003B0000003C

 4D 5A 9000 0300 0000 0400 0000 FFFF 0000 B800 0000 0000 0000 4000 0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F0000000

 ASCII "MZ" DW 0090 DW 0003 DW 0000 DW 0004 DW 0000 DW FFFF DW 0000 DW 00B8 DW 0000 DW 0000 DW 0000 DW 0040 DW 0000 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DB 00 DD 000000F0

 DOS EXE Signature DOS_PartPag = 90 (144.) DOS_PageCnt = 3 DOS_ReloCnt = 0 DOS_HdrSize = 4 DOS_MinMem = 0 DOS_MaxMem = FFFF (65535.) DOS_ReloSS = 0 DOS_ExeSP = B8 DOS_ChkSum = 0 DOS_ExeIP = 0 DOS_ReloCS = 0 DOS_TablOff = 40 DOS_Overlay = 0 Offset to PE signature

I want to explain how you can plainly change the Offset of Entry Point (OEP) in your sample file, CALC.EXE of Windows XP. First, by using a PE Tool, and also using your PE Viewer, you find OEP, 0x00012475, and Image Base, 0x01000000. This value of OEP is the Relative Virtual Address, so the Image Base value is used to convert it to the Virtual Address.

DWORD OEP_RVA = image_nt_headers->   OptionalHeader.AddressOfEntryPoint ;// OEP_RVA = 0x00012475DWORD OEP_VA = image_nt_headers->   OptionalHeader.ImageBase + OEP_RVA ;// OEP_VA = 0x01000000 + 0x00012475 = 0x01012475

__stdcall void DynLoader(){_asm{//----------------------------------    DWORD_TYPE(DYN_LOADER_START_MAGIC)//----------------------------------    MOV EAX,01012475h // << Original OEP    JMP EAX//----------------------------------    DWORD_TYPE(DYN_LOADER_END_MAGIC)//----------------------------------}}

//----------------------------------------------------------------class CPELibrary{private:    //-----------------------------------------    PCHAR                   pMem;    DWORD                   dwFileSize;    //-----------------------------------------protected:    //-----------------------------------------    PIMAGE_DOS_HEADER       image_dos_header;    PCHAR                   pDosStub;    DWORD                   dwDosStubSize, dwDosStubOffset;    PIMAGE_NT_HEADERS       image_nt_headers;    PIMAGE_SECTION_HEADER   image_section_header[MAX_SECTION_NUM];    PCHAR                   image_section[MAX_SECTION_NUM];    //-----------------------------------------protected:    //-----------------------------------------    DWORD PEAlign(DWORD dwTarNum,DWORD dwAlignTo);    void AlignmentSections();    //-----------------------------------------    DWORD Offset2RVA(DWORD dwRO);    DWORD RVA2Offset(DWORD dwRVA);    //-----------------------------------------    PIMAGE_SECTION_HEADER ImageRVA2Section(DWORD dwRVA);    PIMAGE_SECTION_HEADER ImageOffset2Section(DWORD dwRO);    //-----------------------------------------    DWORD ImageOffset2SectionNum(DWORD dwRVA);    PIMAGE_SECTION_HEADER AddNewSection(char* szName,DWORD dwSize);    //-----------------------------------------public:    //-----------------------------------------    CPELibrary();    ~CPELibrary();    //-----------------------------------------    void OpenFile(char* FileName);    void SaveFile(char* FileName);    //-----------------------------------------};

4.2 Create data for the new section

Full Size Image)

You can comprehend the difference between incremental link and no-incremental link by looking at the following picture:

To acquire the virtual address of DynLoader(), you obtain the virtual address of JMP pemaker.DynLoader in the incremental link, but by no-incremental link, the real virtual address is gained by the following code:

DWORD dwVA= (DWORD) DynLoader;

This setting is more critical in the incremental link when you try to find the beginning and ending of the Loader, DynLoader(), by CPECryptor::ReturnToBytePtr():

void* CPECryptor::ReturnToBytePtr(void* FuncName, DWORD findstr){    void* tmpd;    __asm   {        mov eax, FuncName        jmp dfhjg:    inc eaxdf:     mov ebx, [eax]        cmp ebx, findstr        jnz hjg        mov tmpd, eax    }    return tmpd;}

In pecrypt.cpp, I have represented another class, CPECryptor, to comprise the data of the new section. Nevertheless, the data of the new section is created by DynLoader() in loader.cpp, DynLoader Step 1. You use the CPECryptor class to enter this data in to the new section, and also some other stuff.

CPECryptor Class Step 1

//----------------------------------------------------------------class CPECryptor: public CPELibrary{private:    //----------------------------------------    PCHAR pNewSection;    //----------------------------------------    DWORD GetFunctionVA(void* FuncName);    void* ReturnToBytePtr(void* FuncName, DWORD findstr);    //----------------------------------------protected:    //----------------------------------------public:    //----------------------------------------    void CryptFile(int(__cdecl *callback) (unsigned int,                                           unsigned int));    //----------------------------------------};//----------------------------------------------------------------

4.3 Some notes regarding creating a new PE file

• Align the VirtualAddress and the VirtualSize of each section by SectionAlignment:

  image_section_header[i]->VirtualAddress=    PEAlign(image_section_header[i]->VirtualAddress,    image_nt_headers->OptionalHeader.SectionAlignment);image_section_header[i]->Misc.VirtualSize=    PEAlign(image_section_header[i]->Misc.VirtualSize,    image_nt_headers->OptionalHeader.SectionAlignment);

• Align the PointerToRawData and the SizeOfRawData of each section by FileAlignment:

  image_section_header[i]->PointerToRawData =    PEAlign(image_section_header[i]->PointerToRawData,            image_nt_headers->OptionalHeader.FileAlignment);image_section_header[i]->SizeOfRawData =    PEAlign(image_section_header[i]->SizeOfRawData,            image_nt_headers->OptionalHeader.FileAlignment);

• Correct the SizeofImage by the virtual size and the virtual address of the last section:

  image_nt_headers->OptionalHeader.SizeOfImage =   image_section_header[LastSection]->VirtualAddress +   image_section_header[LastSection]->Misc.VirtualSize;

• Set the Bound Import Directory header to zero because this directory is not very important to execute a PE file:

  image_nt_headers->   OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].  VirtualAddress = 0;image_nt_headers->   OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_                                IMPORT].Size = 0;

4.4 Some notes regarding linking this VC Project

• Set Linker->General->Enable Incremental Linking to No (/INCREMENTAL:NO).

  
  (

5 Store Important Data and Reach the Original OEP

Right now, we save the Original OEP and also the Image Base in order to reach to the virtual address of OEP. I have reserved a free space at the end of DynLoader() to store them, DynLoader Step 2.

PE Maker – Step 2

Download the pemaker2.zip source files from the end of the article.

DynLoader Step 2

__stdcall void DynLoader(){_asm{//------------------------------------    DWORD_TYPE(DYN_LOADER_START_MAGIC)//------------------------------------Main_0:    PUSHAD    // get base ebp    CALL Main_1Main_1:    POP EBP    SUB EBP,OFFSET Main_1    MOV EAX,DWORD PTR [EBP+_RO_dwImageBase]    ADD EAX,DWORD PTR [EBP+_RO_dwOrgEntryPoint]    PUSH EAX    RETN // >> JMP to Original OEP//----------------------------------    DWORD_TYPE(DYN_LOADER_START_DATA1)//----------------------------------//----------------------------------    DWORD_TYPE(DYN_LOADER_END_MAGIC)//----------------------------------}}_RO_dwImageBase:                DWORD_TYPE(0xCCCCCCCC)_RO_dwOrgEntryPoint:            DWORD_TYPE(0xCCCCCCCC)

The new function, CPECryptor::CopyData1(), will implement the copy of the Image Base value and the Offset of Entry Point value into 8 bytes of free space in the loader.

5.1 Restore the first register’s context

It is important to recover the Original Context of the thread. You have not yet done it in the DynLoader Step 2 source code. You can modify the source of DynLoader() to repossess the first Context.

__stdcall void DynLoader(){_asm{//------------------------------------    DWORD_TYPE(DYN_LOADER_START_MAGIC)//------------------------------------Main_0:    PUSHAD// Save the registers context in stack    CALL Main_1Main_1:    POP EBP// Get Base EBP    SUB EBP,OFFSET Main_1    MOV EAX,DWORD PTR [EBP+_RO_dwImageBase]    ADD EAX,DWORD PTR [EBP+_RO_dwOrgEntryPoint]    MOV DWORD PTR [ESP+1Ch],EAX // pStack.Eax <- EAX    POPAD // Restore the first registers context from stack    PUSH EAX    XOR  EAX, EAX    RETN // >> JMP to Original OEP//----------------------------------    DWORD_TYPE(DYN_LOADER_START_DATA1)//----------------------------------_RO_dwImageBase:                DWORD_TYPE(0xCCCCCCCC)_RO_dwOrgEntryPoint:            DWORD_TYPE(0xCCCCCCCC)//----------------------------------    DWORD_TYPE(DYN_LOADER_END_MAGIC)//----------------------------------}}

5.2 Restore the original stack

You also can recover the original stack by setting the value of the beginning stack + 0x34 to the Original OEP, but it is not very important. Nevertheless, in the following code, I have accomplished the loader code by a simple trick to reach the OEP in addition to redecorating the stack. You can observe the implementation by tracing using OllyDbg or SoftICE.

__stdcall void DynLoader(){_asm{//----------------------------------    DWORD_TYPE(DYN_LOADER_START_MAGIC)//----------------------------------Main_0:    PUSHAD    // Save the registers context in stack    CALL Main_1Main_1:    POP EBP    SUB EBP,OFFSET Main_1    MOV EAX,DWORD PTR [EBP+_RO_dwImageBase]    ADD EAX,DWORD PTR [EBP+_RO_dwOrgEntryPoint]    MOV DWORD PTR [ESP+54h],EAX    // pStack.Eip <- EAX    POPAD    // Restore the first registers context from stack    CALL _OEP_Jump    DWORD_TYPE(0xCCCCCCCC)_OEP_Jump:    PUSH EBP    MOV EBP,ESP    MOV EAX,DWORD PTR [ESP+3Ch]    // EAX <- pStack.Eip    MOV DWORD PTR [ESP+4h],EAX     // _OEP_Jump RETURN pointer <- EAX    XOR EAX,EAX    LEAVE    RETN//----------------------------------    DWORD_TYPE(DYN_LOADER_START_DATA1)//----------------------------------_RO_dwImageBase:                DWORD_TYPE(0xCCCCCCCC)_RO_dwOrgEntryPoint:            DWORD_TYPE(0xCCCCCCCC)//----------------------------------    DWORD_TYPE(DYN_LOADER_END_MAGIC)//----------------------------------}}

5.3 Approach OEP by structured exception handling

try-except statement in C++ clarifies the operation of structured exception handling. Besides the assembly code of this code, it elucidates the structured exception handler installation, the raise of an exception, and the exception handler function.

An exception is generated when a program falls into a fault code execution and an error happens, so in such a special condition, the program immediately jumps to a function called the exception handler from exception handler list of the Thread Information Block.

The next example of a

#include "stdafx.h"#include "windows.h"void RAISE_AN_EXCEPTION(){_asm{    INT 3    INT 3    INT 3    INT 3}}int _tmain(int argc, _TCHAR* argv[]){    __try    {        __try{            printf("1: Raise an Exception\n");            RAISE_AN_EXCEPTION();        }        __finally        {            printf("2: In Finally\n");        }    }    __except( printf("3: In Filter\n"), EXCEPTION_EXECUTE_HANDLER )    {        printf("4: In Exception Handler\n");    }    return 0;}

; main()00401000: PUSH EBP00401001: MOV EBP,ESP00401003: PUSH -100401005: PUSH 00407160; __try {; the structured exception handler (SEH) installation 0040100A: PUSH _except_handler30040100F: MOV EAX,DWORD PTR FS:[0]00401015: PUSH EAX00401016: MOV DWORD PTR FS:[0],ESP0040101D: SUB ESP,800401020: PUSH EBX00401021: PUSH ESI00401022: PUSH EDI00401023: MOV DWORD PTR SS:[EBP-18],ESP;     __try {00401026: XOR ESI,ESI00401028: MOV DWORD PTR SS:[EBP-4],ESI0040102B: MOV DWORD PTR SS:[EBP-4],100401032: PUSH OFFSET "1: Raise an Exception"00401037: CALL printf0040103C: ADD ESP,4; the raise a exception, INT 3 exception; RAISE_AN_EXCEPTION()0040103F: INT300401040: INT300401041: INT300401042: INT3;     } __finally {00401043: MOV DWORD PTR SS:[EBP-4],ESI00401046: CALL 0040104D0040104B: JMP 004010800040104D: PUSH OFFSET "2: In Finally"00401052: CALL printf00401057: ADD ESP,40040105A: RETN;     }; }; __except( 0040105B: JMP 004010800040105D: PUSH OFFSET "3: In Filter"00401062: CALL printf00401067: ADD ESP,40040106A: MOV EAX,1 ; EXCEPTION_EXECUTE_HANDLER = 10040106F: RETN;     , EXCEPTION_EXECUTE_HANDLER ); {; the exception handler funtion00401070: MOV ESP,DWORD PTR SS:[EBP-18]00401073: PUSH OFFSET "4: In Exception Handler"00401078: CALL printf0040107D: ADD ESP,4; }00401080: MOV DWORD PTR SS:[EBP-4],-10040108C: XOR EAX,EAX; restore previous SEH0040108E: MOV ECX,DWORD PTR SS:[EBP-10]00401091: MOV DWORD PTR FS:[0],ECX00401098: POP EDI00401099: POP ESI0040109A: POP EBX0040109B: MOV ESP,EBP0040109D: POP EBP0040109E: RETN

Make a Win32 console project, and link and run the preceding C++ code, to perceive the result:

1: Raise an Exception 3: In Filter 2: In Finally 4: In Exception Handler _

This program runs the exception expression, printf("3: In Filter\n");, when an exception happens—in this example, the INT 3 exception. You can employ other kinds of exception too. In OllyDbg, Debugging options->Exceptions, you can see a short list of different types of exceptions.

5.3.1 Implement Exception Handler

You want to construct a structured exception handler to reach OEP. Now, I think you have distinguished the SEH installation, the exception raise, and the exception expression filter, by foregoing the assembly code. To establish your exception handler approach, you need to comprise the following codes:

• SEH installation:

  LEA EAX,[EBP+_except_handler1_OEP_Jump]PUSH EAXPUSH DWORD PTR FS:[0]MOV DWORD PTR FS:[0],ESP

• An Exception Raise:

  INT 3

• Exception handler expression filter:

  _except_handler1_OEP_Jump:   PUSH EBP   MOV EBP,ESP   ...   // EXCEPTION_CONTINUE_SEARCH = 0   MOV EAX, EXCEPTION_CONTINUE_SEARCH   LEAVE   RETN

So, you yearn to make the ensuing C++ code in assembly language to inaugurate your engine to approach the Offset of the Entry Point by SEH.

__try    // SEH installation{    __asm    {        INT 3    // An Exception Raise    }}__except( ..., EXCEPTION_CONTINUE_SEARCH ){}// Exception handler expression filter

In assembly code…

    ; ----------------------------------------------------    ; the structured exception handler (SEH) installation    ; __try {    LEA EAX,[EBP+_except_handler1_OEP_Jump]    PUSH EAX    PUSH DWORD PTR FS:[0]    MOV DWORD PTR FS:[0],ESP    ; ----------------------------------------------------    ; the raise a INT 3 exception    INT 3    INT 3    INT 3    INT 3    ; }    ; __except( ...     ; ----------------------------------------------------    ; exception handler expression filter_except_handler1_OEP_Jump:    PUSH EBP    MOV EBP,ESP    ...    MOV EAX, EXCEPTION_CONTINUE_SEARCH ; EXCEPTION_CONTINUE_SEARCH = 0    LEAVE    RETN    ; , EXCEPTION_CONTINUE_SEARCH ) { }

The exception value, __except(..., Value), determines how the exception is handled. It can have three values: 1, 0, -1. To understand them, refer to the try-except statement description in the MSDN library. You set it to EXCEPTION_CONTINUE_SEARCH (0), not to run the exception handler function; therefore, by this value, the exception is not recognized. It is simply ignored, and the thread continues its code execution.

How the SEH installation is implemented

As you perceived from the illustrated code, the SEH installation is done by the FS segment register. Microsoft Windows 32 bit uses the FS segment register as a pointer to the data block of the main thread. The first 0x1C bytes comprise the information of the Thread Information Block (TIB). Therefore, FS:[00h] refers to ExceptionList of the main thread, Table 3. In your code, you have pushed the pointer to _except_handler1_OEP_Jump in the stack and changed the value of ExceptionList, FS:[00h], to the beginning of the stack, ESP.

Thread Information Block (TIB)

typedef struct _NT_TIB32 {   DWORD ExceptionList;   DWORD StackBase;   DWORD StackLimit;   DWORD SubSystemTib;   union {      DWORD FiberData;      DWORD Version;   };   DWORD ArbitraryUserPointer;   DWORD Self;} NT_TIB32, *PNT_TIB32;

Table 3: FS segment register and Thread Information Block

5.3.2 Attain OEP by adjusting the Thread Context

In this part, you effectuate your performance by accomplishing the OEP approach. You change the Context of the thread and ignore every simple exception handling, and let the thread continue the execution, but in the original OEP!

When an exception happens, the context of the processor during the time of the exception is saved in the stack. Through

MOV EAX, ContextRecordMOV EDI, dwOEP                   ; EAX <- dwOEPMOV DWORD PTR DS:[EAX+0B8h], EDI ; pContext.Eip <- EAX

#define MAXIMUM_SUPPORTED_EXTENSION     512typedef struct _CONTEXT {    //-----------------------------------------    DWORD ContextFlags;    //-----------------------------------------    DWORD   Dr0;    DWORD   Dr1;    DWORD   Dr2;    DWORD   Dr3;    DWORD   Dr6;    DWORD   Dr7;    //-----------------------------------------    FLOATING_SAVE_AREA FloatSave;    //-----------------------------------------    DWORD   SegGs;    DWORD   SegFs;    DWORD   SegEs;    DWORD   SegDs;    //-----------------------------------------    DWORD   Edi;    DWORD   Esi;    DWORD   Ebx;    DWORD   Edx;    DWORD   Ecx;    DWORD   Eax;    //-----------------------------------------    DWORD   Ebp;    DWORD   Eip;    DWORD   SegCs;    DWORD   EFlags;    DWORD   Esp;    DWORD   SegSs;    //-----------------------------------------    BYTE    ExtendedRegisters[MAXIMUM_SUPPORTED_EXTENSION];    //----------------------------------------} CONTEXT,*LPCONTEXT;

__stdcall void DynLoader(){_asm{//----------------------------------    DWORD_TYPE(DYN_LOADER_START_MAGIC)//----------------------------------Main_0:    PUSHAD  // Save the registers context in stack    CALL Main_1Main_1:    POP EBP    SUB EBP,OFFSET Main_1 // Get Base EBP    MOV EAX,DWORD PTR [EBP+_RO_dwImageBase]    ADD EAX,DWORD PTR [EBP+_RO_dwOrgEntryPoint]    MOV DWORD PTR [ESP+10h],EAX    // pStack.Ebx <- EAX    LEA EAX,[EBP+_except_handler1_OEP_Jump]    MOV DWORD PTR [ESP+1Ch],EAX    // pStack.Eax <- EAX    POPAD  // Restore the first registers context from stack    //----------------------------------------------------    // the structured exception handler (SEH) installation    PUSH EAX    XOR  EAX, EAX    PUSH DWORD PTR FS:[0]       // NT_TIB32.ExceptionList    MOV DWORD PTR FS:[0],ESP    // NT_TIB32.ExceptionList <-ESP    //----------------------------------------------------    // the raise a INT 3 exception    DWORD_TYPE(0xCCCCCCCC)    //--------------------------------------------------------// -------- exception handler expression filter ----------_except_handler1_OEP_Jump:    PUSH EBP    MOV EBP,ESP    //------------------------------    MOV EAX,DWORD PTR SS:[EBP+010h]   // PCONTEXT: pContext <- EAX    //==============================    PUSH EDI    // restore original SEH    MOV EDI,DWORD PTR DS:[EAX+0C4h]    // pContext.Esp    PUSH DWORD PTR DS:[EDI]    POP DWORD PTR FS:[0]    ADD DWORD PTR DS:[EAX+0C4h],8    // pContext.Esp    //------------------------------    // set the Eip to the OEP    MOV EDI,DWORD PTR DS:[EAX+0A4h] // EAX <- pContext.Ebx    MOV DWORD PTR DS:[EAX+0B8h],EDI // pContext.Eip <- EAX    //------------------------------    POP EDI    //==============================    MOV EAX, EXCEPTION_CONTINUE_SEARCH    LEAVE    RETN//----------------------------------    DWORD_TYPE(DYN_LOADER_START_DATA1)//----------------------------------_RO_dwImageBase:                DWORD_TYPE(0xCCCCCCCC)_RO_dwOrgEntryPoint:            DWORD_TYPE(0xCCCCCCCC)//----------------------------------    DWORD_TYPE(DYN_LOADER_END_MAGIC)//----------------------------------}}

There are two ways to use the Windows dynamic link library (DLL) in Windows application programming:

• Using Windows libraries by additional dependencies: 
  

  
  (

  Full Size Image)

• Using Windows dynamic link libraries in run-time:

  // DLL function signaturetypedef HGLOBAL (*importFunction_GlobalAlloc)(UINT, SIZE_T);...importFunction_GlobalAlloc __GlobalAlloc;// Load DLL fileHINSTANCE hinstLib = LoadLibrary("Kernel32.dll");if (hinstLib == NULL){   // Error - unable to load DLL}// Get function pointer__GlobalAlloc =   (importFunction_GlobalAlloc)GetProcAddress(hinstLib,                                              "GlobalAlloc");if (addNumbers == NULL){    // Error - unable to find DLL function}FreeLibrary(hinstLib);

When you make a Windows application project, the linker includes at least kernel32.dll in the base dependencies of your project. Without LoadLibrary() and GetProcAddress() of Kernel32.dll, you cannot load a DLL at run time. The dependencies information is stored in the import table section. By using Dependency Walker, it is not so difficult to observe the DLL module and the functions that are imported into a PE file.

You attempt to establish your custom import table to conduct your project. Furthermore, you have to fix up the original import table at the end to run the real code of the program.

PE Maker: Step 3

Download the pemaker3.zip source files from the end of the article.

6.1 Construct the Client Import Table

I strongly advise that you to read Section 6.4 of the Microsoft Portable Executable and the Common Object File Format Specification document. This section contains the principal information to comprehend the import table performance. The import table data is accessible by a second data directory of the optional header from PE headers, so you can access it by using the following code:

DWORD dwVirtualAddress = image_nt_headers->   OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].      VirtualAddress;DWORD dwSize = image_nt_headers->   OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].      Size;

The VirtualAddress refers to structures by IMAGE_IMPORT_DESCRIPTOR. This structure contains the pointer to the imported DLL name and the relative virtual address of the first thunk.

typedef struct _IMAGE_IMPORT_DESCRIPTOR {    union {        DWORD   Characteristics;        DWORD   OriginalFirstThunk;    };    DWORD   TimeDateStamp;    DWORD   ForwarderChain;    DWORD   Name;         // the imported DLL name    DWORD   FirstThunk;   // the relative virtual address of the                          // first thunk} IMAGE_IMPORT_DESCRIPTOR, *PIMAGE_IMPORT_DESCRIPTOR;

When a program is running, the Windows Task Manager sets the thunks by the virtual address of the function. The virtual address is found by the name of the function. At first, the thunks hold the relative virtual address of the function name, as shown in Table 5; during execution, they are fixed up by the virtual address of the functions (see Table 6).

Table 5: The Import Table in a file image

IMAGE_IMPORT_ DESCRIPTOR[0]	OriginalFirstThunk
	TimeDateStamp
	ForwarderChain
	Name_RVA	——>	"kernel32.dll",0
	FirstThunk_RVA	——>	proc_1_name_RVA	——>	0,0,"LoadLibraryA",0
			proc_2_name_RVA	——>	0,0,"GetProcAddress",0
			proc_3_name_RVA	——>	0,0,"GetModuleHandleA",0
			…
IMAGE_IMPORT_ DESCRIPTOR[1]
...
IMAGE_IMPORT_ DESCRIPTOR[n]

Table 6: The Import Table in virtual memory

IMAGE_IMPORT_DESCRIPTOR[0]	OriginalFirstThunk
	TimeDateStamp
	ForwarderChain
	Name_RVA	------>	"kernel32.dll",0
	FirstThunk_RVA	------>	proc_1_VA
			proc_2_VA
			proc_3_VA
			...
IMAGE_IMPORT_DESCRIPTOR[1]
...
IMAGE_IMPORT_DESCRIPTOR[n]

You want to make a simple import table to import LoadLibrary(), and GetProcAddress() from Kernel32.dll. You need these two essential API functions to cover other API functions in run-time. The following assembly code shows how easily you can reach your solution:

0101F000: 00000000 ; OriginalFirstThunk0101F004: 00000000 ; TimeDateStamp0101F008: 00000000 ; ForwarderChain0101F00C: 0001F034 ; Name;       ImageBase + 0001F034                                 -> 0101F034 -> "Kernel32.dll",00101F010: 0001F028 ; FirstThunk; ImageBase + 0001F028 -> 0101F0280101F014: 000000000101F018: 000000000101F01C: 000000000101F020: 000000000101F024: 000000000101F028: 0001F041 ; ImageBase + 0001F041 -> 0101F041                     -> 0,0,"LoadLibraryA",00101F02C: 0001F050 ; ImageBase + 0001F050 -> 0101F050                     -> 0,0,"GetProcAddress",00101F030: 000000000101F034: 'K' 'e' 'r' 'n' 'e' 'l' '3' '2' '.' 'd' 'l' 'l' 0001F041: 00 00 'L' 'o' 'a' 'd' 'L' 'i' 'b' 'r' 'a' 'r' 'y' 'A'0001F050: 00 00 'G' 'e' 't' 'P' 'r' 'o' 'c' 'A' 'd' 'd' 'r' 'e' 's'          's' 00 0000

After running…

0101F000: 00000000 ; OriginalFirstThunk0101F004: 00000000 ; TimeDateStamp0101F008: 00000000 ; ForwarderChain0101F00C: 0001F034 ; Name;       ImageBase + 0001F034                                 -> 0101F034 -> "Kernel32.dll",00101F010: 0001F028 ; FirstThunk; ImageBase + 0001F028 -> 0101F0280101F014: 000000000101F018: 000000000101F01C: 000000000101F020: 000000000101F024: 000000000101F028: 7C801D77 ; -> Kernel32.LoadLibrary()0101F02C: 7C80AC28 ; -> Kernel32.GetProcAddress()0101F030: 000000000101F034: 'K' 'e' 'r' 'n' 'e' 'l' '3' '2' '.' 'd' 'l' 'l' 0001F041: 00 00 'L' 'o' 'a' 'd' 'L' 'i' 'b' 'r' 'a' 'r' 'y' 'A'0001F050: 00 00 'G' 'e' 't' 'P' 'r' 'o' 'c' 'A' 'd' 'd' 'r' 'e' 's'          's' 00 0000

I have prepared a class library to make every import table by using a client string table. The CITMaker class library in itmaker.h; it will build an import table by sz_IT_EXE_strings and also the relative virtual address of the import table.

static const char *sz_IT_EXE_strings[]={    "Kernel32.dll",    "LoadLibraryA",    "GetProcAddress",    0,,    0,};

You subsequently employ this class library to establish an import table to support DLLs and OCXs, so this is a general library to present all possible import tables easily. The next step is clarified in the following code.

CITMaker *ImportTableMaker = new CITMaker( IMPORT_TABLE_EXE );...pimage_section_header=AddNewSection( ".xxx", dwNewSectionSize );// build import table by the current virtual addressImportTableMaker->Build( pimage_section_header->VirtualAddress );memcpy( pNewSection, ImportTableMaker->pMem,ImportTableMaker->dwSize );...memcpy( image_section[image_nt_headers->FileHeader.NumberOfSections-1],        pNewSection,        dwNewSectionSize );...image_nt_headers->OptionalHeader.  DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress  = pimage_section_header->VirtualAddress;image_nt_headers->OptionalHeader.  DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size  = ImportTableMaker->dwSize;...delete ImportTableMaker;

The import table is copied at the beginning of the new section, and the relevant data directory is adjusted to the relative virtual address of the new section and the size of the new import table.

6.2 Using other API functions at run time

At this time, you can load other DLLs and find the process address of other functions by using LoadLibrary() and GetProcAddress():

lea edi, @"Kernel32.dll"//-------------------push edimov eax,offset _p_LoadLibrarycall [ebp+eax] //LoadLibrary(lpLibFileName);//-------------------mov esi,eax    // esi -> hModulelea edi, @"GetModuleHandleA"//-------------------push edipush esimov eax,offset _p_GetProcAddresscall [ebp+eax] //GetModuleHandle=GetProcAddress(hModule, lpProcName);//--------------------

 LoadLibrary() and GetProcAddress() aid you in your effort to reach your intention.

I want to have a complete imported function table similar in performance done in a real EXE file. If you look inside a PE file, you will discover that an API call is done by an indirection jump through the virtual address of the API function:

JMP DWORD PTR [XXXXXXXX]

...0101F028: 7C801D77      ; Virtual Address of kernel32.LoadLibrary()...0101F120: JMP DWORD PTR [0101F028]...0101F230: CALL 0101F120 ;  JMP to kernel32.LoadLibrary...

It makes it easy to expand the other part of your project by this performance, so you construct two data tables: the first for API virtual addresses, and the second for the JMP [XXXXXXXX].

#define __jmp_api               byte_type(0xFF) byte_type(0x25)__asm{...//----------------------------------------------------------------_p_GetModuleHandle:             dword_type(0xCCCCCCCC)_p_VirtualProtect:              dword_type(0xCCCCCCCC)_p_GetModuleFileName:           dword_type(0xCCCCCCCC)_p_CreateFile:                  dword_type(0xCCCCCCCC)_p_GlobalAlloc:                 dword_type(0xCCCCCCCC)//----------------------------------------------------------------_jmp_GetModuleHandle:           __jmp_api   dword_type(0xCCCCCCCC)_jmp_VirtualProtect:            __jmp_api   dword_type(0xCCCCCCCC)_jmp_GetModuleFileName:         __jmp_api   dword_type(0xCCCCCCCC)_jmp_CreateFile:                __jmp_api   dword_type(0xCCCCCCCC)_jmp_GlobalAlloc:               __jmp_api   dword_type(0xCCCCCCCC)//----------------------------------------------------------------...}

In the succeeding code, you have concluded your ambition to install a custom internal import table! (You cannot call it import table.)

    ...    lea edi,[ebp+_p_szKernel32]    lea ebx,[ebp+_p_GetModuleHandle]    lea ecx,[ebp+_jmp_GetModuleHandle]    add ecx,02h_api_get_lib_address_loop:        push ecx        push edi        mov eax,offset _p_LoadLibrary        call [ebp+eax]    //LoadLibrary(lpLibFileName);        pop ecx        mov esi,eax       // esi -> hModule        push edi        call __strlen        add esp,04h        add edi,eax_api_get_proc_address_loop:            push ecx            push edi            push esi            mov eax,offset _p_GetProcAddress            //GetModuleHandle=GetProcAddress(hModule, lpProcName);            call [ebp+eax]            pop ecx            mov [ebx],eax            mov [ecx],ebx    // JMP DWORD PTR [XXXXXXXX]            add ebx,04h            add ecx,06h            push edi            call __strlen            add esp,04h            add edi,eax            mov al,byte ptr [edi]        test al,al        jnz _api_get_proc_address_loop        inc edi        mov al,byte ptr [edi]    test al,al    jnz _api_get_lib_address_loop    ...

6.3 Fix up the Original Import Table

To run the program again, you should fix up the thunks of the actual import table; otherwise, you have a corrupted target PE file. Your code must correct all of the thunks the same as Table 5 to Table 6. Once more,

    ...    mov ebx,[ebp+_p_dwImportVirtualAddress]    test ebx,ebx    jz _it_fixup_end    mov esi,[ebp+_p_dwImageBase]    add ebx,esi             // dwImageBase + dwImportVirtualAddress_it_fixup_get_lib_address_loop:        mov eax,[ebx+00Ch]  // image_import_descriptor.Name        test eax,eax        jz _it_fixup_end        mov ecx,[ebx+010h]  // image_import_descriptor.FirstThunk        add ecx,esi        mov [ebp+_p_dwThunk],ecx    // dwThunk        mov ecx,[ebx]       // image_import_descriptor.Characteristics        test ecx,ecx        jnz _it_fixup_table            mov ecx,[ebx+010h]_it_fixup_table:        add ecx,esi        mov [ebp+_p_dwHintName],ecx    // dwHintName        add eax,esi  // image_import_descriptor.Name + dwImageBase = ModuleName        push eax     // lpLibFileName        mov eax,offset _p_LoadLibrary        call [ebp+eax]               // LoadLibrary(lpLibFileName);        test eax,eax        jz _it_fixup_end        mov edi,eax_it_fixup_get_proc_address_loop:            mov ecx,[ebp+_p_dwHintName]    // dwHintName            mov edx,[ecx]            // image_thunk_data.Ordinal            test edx,edx            jz _it_fixup_next_module            test edx,080000000h      // .IF( import by ordinal )            jz _it_fixup_by_name                and edx,07FFFFFFFh    // get ordinal                jmp _it_fixup_get_addr_it_fixup_by_name:            add edx,esi  // image_thunk_data.Ordinal                         // + dwImageBase = OrdinalName            inc edx            inc edx                  // OrdinalName.Name_it_fixup_get_addr:            push edx //lpProcName            push edi                 // hModule            mov eax,offset _p_GetProcAddress            call [ebp+eax]    // GetProcAddress(hModule, lpProcName);            mov ecx,[ebp+_p_dwThunk]    // dwThunk            mov [ecx],eax  // correction the thunk            // dwThunk => next dwThunk            add dword ptr [ebp+_p_dwThunk], 004h            // dwHintName => next dwHintName            add dword ptr [ebp+_p_dwHintName],004h        jmp _it_fixup_get_proc_address_loop_it_fixup_next_module:        add ebx,014h      // sizeof(IMAGE_IMPORT_DESCRIPTOR)    jmp _it_fixup_get_lib_address_loop_it_fixup_end:    ...

7 Support DLL and OCX

Now, you intend to include the dynamic link library (DLL) and OLE-ActiveX Control in your PE builder project. Supporting them is very easy if you pay attention to the two-time arrival into the Offset of Entry Point, the relocation table implementation, and the client import table.
PE Maker: Step 4

 

 LoadLibrary(), or an OCX is registered by using LoadLibrary() and GetProcAddress() through calling DllRegisterServer(), the first of the OEP arrival is done.

 
hinstDLL = LoadLibrary( "test1.dll" );hinstOCX = LoadLibrary( "test1.ocx" );_DllRegisterServer = GetProcAddress( hinstOCX,                                     "DllRegisterServer" );_DllRegisterServer();    // ocx register

Download the pemaker4.zip source files from the end of the article.
7.1 Twice OEP approach
The Offset of Entry Point of a DLL file or an OCX file is touched by the main program atleast twice:

Constructor: When a DLL is loaded by 
Destructor: When the main program frees the library usage by FreeLibrary(), the second OEP arrival happens.
 
FreeLibrary( hinstDLL );FreeLibrary( hinstOCX );


To perform this, I have employed a trick that causes in the second time again, the instruction pointer (EIP) traveling towards the original OEP by the structured exception handler.
_main_0:    pushad    // save the registers context in stack    call _main_1_main_1:    pop ebp    sub ebp,offset _main_1    // get base ebp    //---------------- support dll, ocx  -----------------_support_dll_0:    jmp _support_dll_1        // nop; nop;    // << trick                              // in the second time OEP    jmp _support_dll_2_support_dll_1:    //----------------------------------------------------    ...    //---------------- support dll, ocx  1 ---------------    mov edi,[ebp+_p_dwImageBase]    add edi,[edi+03Ch]            // edi -> IMAGE_NT_HEADERS    mov ax,word ptr [edi+016h]    // edi -> image_nt_headers->                                  // FileHeader.Characteristics    test ax,IMAGE_FILE_DLL    jz _support_dll_2        mov ax, 9090h // << trick        mov word ptr [ebp+_support_dll_0],ax_support_dll_2:    //----------------------------------------------------    ...    into OEP by SEH ...
I hope you caught the trick in the preceding code, but this is not all of it. You have a problem in ImageBase, when the library has been loaded in different image bases by the main program. You should write some code to find the real image base and store it to use forward.
    mov eax,[esp+24h]    // the real imagebase    mov ebx,[esp+30h]    // oep    cmp eax,ebx    ja _no_dll_pe_file_0        cmp word ptr [eax],IMAGE_DOS_SIGNATURE        jne _no_dll_pe_file_0            mov [ebp+_p_dwImageBase],eax_no_dll_pe_file_0:
This code finds the real image base by investigating the stack information. By using the real image base and the formal image base, you should correct all memory calls inside the image program!! Don't be afraid; it will be done simply by the relocating the table information.
7.2 Implement relocation table
To understand the relocation table better, you can take a look at Section 6.6 of the Microsoft Portable Executable and Common Object File Format Specification document. The relocation table contains many packages to relocate the information related to the virtual address inside the virtual memory image. Each package is comprised of an 8-byte header to exhibit the base virtual address and the number of data, demonstrated by the IMAGE_BASE_RELOCATION data structure.
typedef struct _IMAGE_BASE_RELOCATION {   DWORD   VirtualAddress;   DWORD   SizeOfBlock;} IMAGE_BASE_RELOCATION, *PIMAGE_BASE_RELOCATION;
Table 7 - The Relocation Table




Block[1]
VirtualAddress


SizeOfBlock


type:4
offset:12
type:4
offset:12


type:4
offset:12
type:4
offset:12


type:4
offset:12
type:4
offset:12


...
...
...
...


type:4
offset:12
00
00


Block[2]
VirtualAddress


SizeOfBlock


type:4
offset:12
type:4
offset:12


type:4
offset:12
type:4
offset:12


type:4
offset:12
type:4
offset:12


...
...
...
...


type:4
offset:12
00
00


...

 
... 
 



Block[n]
VirtualAddress


SizeOfBlock


type:4
offset:12
type:4
offset:12


type:4
offset:12
type:4
offset:12


type:4
offset:12
type:4
offset:12


...
...
...
...


type:4
offset:12
00
00



Table 7 illustrates the main idea of the relocation table. Furthermore, you can upload a DLL or an OCX file in OllyDbg to observe the relocation table, the ".reloc" section through Memory map window. By the way, you find the position of the relocation table by using the following code in your project:
DWORD dwVirtualAddress = image_nt_headers->  OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].  VirtualAddress;DWORD dwSize = image_nt_headers->  OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size;
By OllyDbg, you have the same as the following for the ".reloc" section, by using the Long Hex viewer mode. In this example, the base virtual address is 0x1000 and the size of the block is 0x184.
008E1000 : 00001000  00000184  30163000  30403028008E1010 : 30683054  308C3080  30AC309C  30D830CC008E1020 : 30E030DC  30E830E4  30F030EC  310030F4008E1030 : 3120310D  315F3150  31A431A0  31C031A8008E1040 : 31D031CC  31F431EC  31FC31F8  32043200008E1050 : 320C3208  32143210  324C322C  32583254008E1060 : 3260325C  32683264  3270326C  32B03274
It relocates the data in the subsequent virtual addresses:
0x1000 + 0x0000 = 0x10000x1000 + 0x0016 = 0x10160x1000 + 0x0028 = 0x10280x1000 + 0x0040 = 0x10400x1000 + 0x0054 = 0x1054...
Each package performs the relocation by using consecutive 4 bytes form its internal information. The first byte refers to the type of relocation and the next three bytes are the offset that must be used with the base virtual address and the image base to correct the image information.




type
offset


03
00
00
00



What is the type?
The type can be one of the following values:

IMAGE_REL_BASED_ABSOLUTE (0): No effect 
IMAGE_REL_BASED_HIGH (1): Relocate by the high 16 bytes of the base virtual address and the offset 
IMAGE_REL_BASED_LOW (2): Relocate by the low 16 bytes of the base virtual address and the offset 
IMAGE_REL_BASED_HIGHLOW (3): Relocate by the base virtual address and the offset 

What is done in the relocation?
By relocation, some values inside the virtual memory are corrected according to the current image base by the ".reloc" section packages.




delta_ImageBase = current_ImageBase - image_nt_headers->OptionalHeader.ImageBase



mem[ current_ImageBase + 0x1000 ] =   mem[ current_ImageBase + 0x1000 ] + delta_ImageBase ;mem[ current_ImageBase + 0x1016 ] =   mem[ current_ImageBase + 0x1016 ] + delta_ImageBase ;mem[ current_ImageBase + 0x1028 ] =   mem[ current_ImageBase + 0x1028 ] + delta_ImageBase ;mem[ current_ImageBase + 0x1040 ] =   mem[ current_ImageBase + 0x1040 ] + delta_ImageBase ;mem[ current_ImageBase + 0x1054 ] =  mem[ current_ImageBase + 0x1054 ] + delta_ImageBase ;...
I have employed the following code from Morphine packer to implement the relocation.
    ..._reloc_fixup:    mov eax,[ebp+_p_dwImageBase]    mov edx,eax    mov ebx,eax    add ebx,[ebx+3Ch]    // edi -> IMAGE_NT_HEADERS    // edx ->image_nt_headers->OptionalHeader.ImageBase    mov ebx,[ebx+034h]    sub edx,ebx // edx -> reloc_correction    // delta_ImageBase    je _reloc_fixup_end    mov ebx,[ebp+_p_dwRelocationVirtualAddress]    test ebx,ebx    jz _reloc_fixup_end    add ebx,eax_reloc_fixup_block:    mov eax,[ebx+004h]          //ImageBaseRelocation.SizeOfBlock    test eax,eax    jz _reloc_fixup_end    lea ecx,[eax-008h]    shr ecx,001h    lea edi,[ebx+008h]_reloc_fixup_do_entry:        movzx eax,word ptr [edi]//Entry        push edx        mov edx,eax        shr eax,00Ch            //Type = Entry >> 12        mov esi,[ebp+_p_dwImageBase]//ImageBase        and dx,00FFFh        add esi,[ebx]        add esi,edx        pop edx_reloc_fixup_HIGH:              // IMAGE_REL_BASED_HIGH        dec eax        jnz _reloc_fixup_LOW            mov eax,edx            shr eax,010h        //HIWORD(Delta)            jmp _reloc_fixup_LOW_fixup_reloc_fixup_LOW:               // IMAGE_REL_BASED_LOW            dec eax        jnz _reloc_fixup_HIGHLOW        movzx eax,dx            //LOWORD(Delta)_reloc_fixup_LOW_fixup:            add word ptr [esi],ax// mem[x] = mem[x] + delta_ImageBase        jmp _reloc_fixup_next_entry_reloc_fixup_HIGHLOW:           // IMAGE_REL_BASED_HIGHLOW            dec eax        jnz _reloc_fixup_next_entry        add [esi],edx           // mem[x] = mem[x] + delta_ImageBase_reloc_fixup_next_entry:        inc edi        inc edi                 //Entry++        loop _reloc_fixup_do_entry_reloc_fixup_next_base:    add ebx,[ebx+004h]    jmp _reloc_fixup_block_reloc_fixup_end:    ...
7.3 Build a special import table
To support the OLE-ActiveX Control registration, you should present an appropriate import table to your target OCX and DLL file. Therefore, I have established an import table by the following string:
const char *sz_IT_OCX_strings[]={   "Kernel32.dll",   "LoadLibraryA",   "GetProcAddress",   "GetModuleHandleA",   0,   "User32.dll",   "GetKeyboardType",   "WindowFromPoint",   0,   "AdvApi32.dll",   "RegQueryValueExA",   "RegSetValueExA",   "StartServiceA",   0,   "Oleaut32.dll",   "SysFreeString",   "CreateErrorInfo",   "SafeArrayPtrOfIndex",   0,   "Gdi32.dll",   "UnrealizeObject",   0,   "Ole32.dll",   "CreateStreamOnHGlobal",   "IsEqualGUID",   0,   "ComCtl32.dll",   "ImageList_SetIconSize",   0,   0,};
Without these API functions, the library can not be loaded, and moreover the DllregisterServer() and DllUregisterServer() will not operate. In CPECryptor::CryptFile, I have distinguished between EXE files and DLL files in the initialization of the new import table object during creation:
if(( image_nt_headers->FileHeader.Characteristics             & IMAGE_FILE_DLL ) == IMAGE_FILE_DLL ){    ImportTableMaker = new CITMaker( IMPORT_TABLE_OCX );}else{    ImportTableMaker = new CITMaker( IMPORT_TABLE_EXE );}
 
8 Preserve the Thread Local Storage
By using Thread Local Storage (TLS), a program is able to execute a multithreaded process, This performance mostly is used by Borland linkers: Delphi and C++ Builder. When you pack a PE file, you should take care to keep the TLS clean; otherwise, your packer will not support Borland Delphi and C++ Builder linked EXE files. To comprehend TLS, I refer you to Section 6.7 of the Microsoft Portable Executable and Common Object File Format Specification document. You can observe the TLS structure by IMAGE_TLS_DIRECTORY32 in winnt.h.
typedef struct _IMAGE_TLS_DIRECTORY32 {   DWORD   StartAddressOfRawData;   DWORD   EndAddressOfRawData;   DWORD   AddressOfIndex;   DWORD   AddressOfCallBacks;   DWORD   SizeOfZeroFill;   DWORD   Characteristics;} IMAGE_TLS_DIRECTORY32, * PIMAGE_TLS_DIRECTORY32;
     MessageBox() from user32.dll.
To keep the TLS directory safe, I have copied it in a special place inside the loader:
..._tls_dwStartAddressOfRawData:   dword_type(0xCCCCCCCC)_tls_dwEndAddressOfRawData:     dword_type(0xCCCCCCCC)_tls_dwAddressOfIndex:          dword_type(0xCCCCCCCC)_tls_dwAddressOfCallBacks:      dword_type(0xCCCCCCCC)_tls_dwSizeOfZeroFill:          dword_type(0xCCCCCCCC)_tls_dwCharacteristics:         dword_type(0xCCCCCCCC)...
It is necessary to correct the TLS directory entry in the Optional Header:
if(image_nt_headers->   OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].   VirtualAddress!=0){   memcpy(&pDataTable->image_tls_directory,          image_tls_directory,          sizeof(IMAGE_TLS_DIRECTORY32));   dwOffset=DWORD(pData1)-DWORD(pNewSection);   dwOffset+=sizeof(t_DATA_1)-sizeof(IMAGE_TLS_DIRECTORY32);   image_nt_headers->      OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].      VirtualAddress=dwVirtualAddress + dwOffset;}
9 Inject Your Code
You are ready to place your code inside the new section. Your code is a "Hello World!" message by 
...push MB_OK | MB_ICONINFORMATIONlea eax,[ebp+_p_szCaption]push eaxlea eax,[ebp+_p_szText]push eaxpush NULLcall _jmp_MessageBox// MessageBox(NULL, szText, szCaption, MB_OK | MB_ICONINFORMATION) ;...
PE Maker: Step 5
Download the pemaker5.zip source files from the end of the article.

10 Conclusion
By reading this article, you have perceived how easily you can inject code to a portable executable file. You can complete the code by using the source of other packers, create a packer in the same way as Yoda's Protector, and make your packer undetectable by mixing up with Morphine source code. I hope that you have enjoyed this brief discussion of one part of the reverse engineering field. See you again in the next discussion!
 

EXCEPTION_POINTERS, you have access to the pointer of ContextRecord. The ContextRecord has the CONTEXT data structure, as seen in Table 4. This is the thread context during the exception time. When you ignore the exception by EXCEPTION_CONTINUE_SEARCH (0), the instruction pointer, as well as the context, will be set to ContextRecord to return to the previous condition. Therefore, if you change the Eip of the Win32 Thread Context to the Original Offset of Entry Point, it will come clearly into OEP.Full Size Image)

第一集
1.And he’s the mastermind of this whole thing. 他是整个事情的主谋
mastermind＝策划者,主谋
2.he acknowledge that whatever neuroses drove the criminal to commit the original crime is compounded.他知道无论是什么神经机能病变导致的最初犯罪都是复杂的
commit the crime=犯罪
acknowledge =承认,知道
3.You’re not being very transparent,Warden. 你不是很坦率，狱长
transparent＝透明的
4.But it’s going to make collaboration kind of hard. 不过这样合作起来就不那么容易了
collaboration＝cooperation 协作,合作
5.i’m the furthest thing from a threat.我根本没有威胁
这句话体现了老外说话的艺术性,非直来直去的表达自己的意思,譬如老外喜欢用"is the ice cold?" 来表达"yes"之意
6.why don’t you cut out all the riddles,snowflake,and just give us to a straight.你干嘛不把话说明点,小白脸.
riddle=谜题
straight除了"直"的意思外,也用于"异性恋者",反义是homosexual同性恋者
7.the harder you struggle,the worse it gets你越挣扎,情况越糟
这是我们在中文里经常听到的
struggle=挣扎
8.Self-presevation is a strong motivator.自卫是很强的因素
self-presevation=self-protection 自卫
motivator=动机,因素
9.one thing you learn when you’re walking the steps is that you never outsource a blame that belons in your own backyard.当你经历这些,你学到的一件事就是你再不用寻求你所受到的责备
walk the steps=一步步地经历下来
10.you fell for her 你爱上了她
等于我们常见的you felling in love with her
11.Sir,I cannot do a procedure like this without an anesthetic. 先生，如果没有麻醉剂，我没法动这个手术 procedure＝手术 ；anesthetic＝麻醉药
12.i want you to turn youself in.我希望你去自首
这里的turn in 是"自首"的意思,若换成"i want you to turn him in"则turn in为"告发"的意思

第二集
1.yeah,yuck it up,funny man.耶,尽情大笑吧,可笑的人
yuck up=开怀大笑
2.we’re headed out,man 我们出发了,伙计
3.That is absolutely hogwash. 简直一派胡言
Hogwash=猪食
4.how was scofield able to have exclusive access to you?为什么scofield能单独接触你?
exclusive=专门的,独家的 ; access to=接近…
5.This will be your last outburst,officer. 这将是你最后一次发飙了，长官
outburst=爆发,发飙
6.Is it true you sold the right to run prison industries to the highest bidder. 你将监狱工厂管理权卖给出价最高的人是不是真的？
run=经营 eg. run a company 经营一家公司
highest bidder=最高价竞买人7.We’ll call for you when we’ve reached a decision. 等我们做好决定后会通知你们
reach a decision=作出决定 (注意reach的用法)8.your call.你决定吧
常用口语
9.This can go down humanely if you don’t fight,but if you pull a stunt like that again,it’s going to get inhumane right quick. 你要不挣扎的话,那接下来我将会很仁慈，不过要是你想再耍花招，我就会变得很残忍
humanely=慈悲地 ；pull a stunt=耍花招 ；inhumane=残忍的
10.if you would have just told us in the beginning that this was going to be a railroad.如果你一开始就告诉我们这是个快速通过案
railroad在俗语中指"议案快速通过",泛指"铁路运输"
11.But you need a fall guy,fine. 但是你们需要一个替罪羊
a fall guy=替罪羊;替身演员
12.he went out with his boots on.他死在工作岗位
翻译组的译文是"他走得很平静",我觉得不确切.die with one’s boots on”,源自美国西部,它有两
层含义。一为死于工作岗位(“die in harness”)、一为殉职，尤指在战斗中或者为高尚的事业而
献身。因为如果是病死或老死的情况下，一般是躺在床上等待死亡，不会穿着鞋子；如果是在枪战中死去，自然是穿着靴子的。而在英式英语里，通常把它说成“die in one’s boots”。
13.i failed him.我让他失望了.

第三集
1.well,Hector says that you can serve your full sentence.嗯,hector说你要刑满才释放.
sentence=判决,宣判
serve the sentence=服刑
2.anything break on the other six.其他六人有什么进展?
break=突破,进展
3.Listen,you know I’m thankful for the help with the green card,but I just don’t want to get involved. 我很感激你帮我搞到绿卡但我不想卷入此事。
be involved in sth=卷入…事情中
4.those ass-hats are worth more dead than you and i are alives.那些混蛋就是死了也比我们值钱
ass-hats=混蛋
eg. ass hat inside 内心卑鄙的
5.i hope you’re holding on to something tight ’cause i’m about to break it down for you.我希望你做好心理准备,因为我要说的东西会让你崩溃
holding on to something tight牢牢扶助什么东西
break down=崩溃
6.you were attending when I first started here. 我刚来的时候你是主治医师。
attending=主治的
7.i want to alert you to a possible situation.我要提醒你可能发生的情况
alert sb=warn sb 警告某人
8.Give me one good reason why I shouldn’t turn you in right now. 给我个不告发你的理由。
turn in=告发;上缴;上床睡觉
9.we keep tapping on cracks,and she’s going to break.我们深入利用这个弱点,她就会崩溃
tap on=轻轻敲打 ; crack=裂缝
tap on cracks 敲打已有的裂缝,即深入利用弱点
10.humpty dumpty climbed up a wall,humpty dumpty had a great fall.胖墩爬上墙,胖墩摔下来
此句来源于一首童谣,humpty dumpty现在都用来称呼胖墩
11.How do you throw the hunter off the scent?Get rid of the prey.你怎么才能逃过猎人的鼻子? 扔掉猎物。
throw off=摆脱掉 scent=气味，嗅觉
12.your tags are expired.你的车牌过期了
expire=期满;死亡
13.provided the transport comes though.若果交通顺利的话
provied和provided that常用于数学属于中,为"假设,假如"的意思
14.You have the right to speak to an attorney before you speak to the police.Anything you say may be used against you in a court of law. 在你向警方供述之前，你有权去请律师,但是你所说的一切将成为呈堂证供

第四集
1.We’ll drop you off in the next town,and I’ll wire you that 10,000 like I said.我们让你在下个镇下车,我会给你汇10000美元
wire=汇款;诱饵
2.Don’t even think about getting cute,smart-ass.And now,you and your brother are gonna take me right to where that money is,or the whore gets dead real fast.别耍花招，现在你和你哥带我们去藏钱的地方，不然这妓女会死的很快
cute=狡猾的;花招 ; whore=妓女
3.The dredging of the river under Scofield’s apartment bore some fruit. 从Scofeld公寓下的 河里打捞出了些东西
dredging=捕捞 ; fruit=成果
4.to forge ahead with its nuclear program 继续核武器的计划
forge=锻造; ahead with sth=继续做…
5.he’s got a stateroom listed as a cargo hold on the manifest.他将头等舱伪造成装货物的仓库
stateroom=头等舱 ; cargo=货物 ; manifest=货单6.i travel light 我轻松旅行
light做副词为"轻轻地"意思
7.and you’re just hoofing it out here in the middle of nowhere?你就在中途闲逛?
另外hang around也是"闲逛"的意思
8.I admire your optimism.She’s rolling,man. 我很钦佩你的乐观，她在叛变
admire sb=羡慕某人;钦佩某人
rolling=转变,在此句中指"叛变"
9.not in a thousand years.想都别想
等于no way(没门),但比no way的拒绝程度更坚决
10.you think that tire went flat by accident?你以为车轮瘪了是个意外么?
flat=平的,扁的; 充气为inflate
by accident=偶然的,意外的
11.Don’t turn your back on us.别抛弃我们
turn one’s back on / upon=背弃..，抛弃..
eg.One should never turn his back on his home country. 一个人永远也不能背弃自己的祖国
12.my dogs are just barking. 我走得脚痛
此句是t-bag在被邀请搭个顺风车时说的,翻译组的翻译是"正合我意" . 原因是在美国的俚语中"my dogs are just barking"的意思是"我的脚走得都痛了"
13.When dad’s back acts up,we stop. 当爸爸的背不舒服时我们就得停下来
act up=运作不正常
14.Hit a sore spot,didnt I? 说到你痛处了，是不是？
sore spot=痛处,提起来就伤感情的话题
15.it’s over for good 永远结束了
for good=永远

第五集
1.I bought us some time-that’s what counts. 我争取到了时间，那才是最重要的。
count=有价值
2.What you call it?Double K Ranch.No.You from around here? Yeah,born and raise.你说哪里？双K农场。没听过。你是这里人吗？是的，土生土长。
Ranch=大农场
born and raise=土生土长
3.thanks for your time.谢谢你的配合
这是实用而简单的口语,当你耽误了别人时间时最好都说一声thanks for your time
4.every plot is mapped out with dimensions.每一小块都会用尺寸标注出
map with=标示 ; dimension=尺寸
5.Keep me posted. 和我保持联系
posted=消息灵通的
6.that’s my ego.是我自以为是了
ego=自负,自我主义
7.none of your beeswax.不关你事
大家常见的是"none of your business",可用beeswax代替business
8.Do you happen to have a pen handy? 你手头有笔吗？
handy=唾手可得的,手边的
9.they’re due west and we need to know why.他们都计划去西边,我们得知道为什么
due=计划的
10.that bitch treed herself and i brought her down in one shot.那个贱人困住了自己,我一枪射中
tree sb 口语中表示"使某人陷入困境"
11.i’ll ring it up.我来打价
超市里打价都是"滴"一声,ring up 由此得来
12.before i destroyed it,i committed it to my photographic memory.在我销毁它之前,我把它存入我的相机一样的记忆中了
commit=委托,托负
photographic =摄影般的
13.now let’s not dissolve into threats,all right.别化为恐吓好么?
14.Probably out of your price range. 恐怕你买不起

第六集
1.I want to don’t hear anything out of your mouth other than what yourphotograpic…map除了你说关于地图的事，其它事我都不要听
want to 在口语里读成wanna other than＝除了we’re pulling them now.我们在全力以赴
2.we’re going to get made out here.我们会被认出的
make out=辨认出
3.oh ,shut it　哦　闭嘴吧
4.我们一般多用shut up,shut it语气没shut up 强烈
something was in their way 有东西挡着它们
特口语的说法，本集里说的是仓库档着树的阳光，也可用于ＸＸ东西阻碍了什么什么的发展
5.if we hit the foundation,we stay
hit the foundation=触到地基
6.we got to do something and it’s not going to involve hurting anyone　我们要干点什么，但不能伤人
involve doing sth=包括…then gas up the car　给车加满油
7.can I hitch a ride?　我能搭个便车吗？
hitchhike=徒步搭过路车式的旅行
8.Fresh out of the academy 一毕业就开始了
9.If you’re telling me the road to him leads through Sara Tancredi ,by all means,pursue it.如果你认为抓到他必须利用到ST,那就用任何手段继续下去
这个词组蛮好用的，road to sb/sth leads through sb/sth是很形象的说法＝达到。。。必须通过。。。。
by all means＝用尽一切方法
10.The president has unwavering faith in you.总统对你很有信心
unwavering也是好的用法＝不动摇的，意志坚定的，可替代unchangeable
11.Now feel free to call your company
feel free to 请便
12.we’re ready to turn your juice back on 我们准备好去恢复你家的电力
juice＝<俚语>电流
13.the niose might be substabtial噪音会很大
substabtial的意思很多，这里指“相当的”，除此之外，它还有“实际的；重要的；真实的；坚固的”等含义
14.What’s up,snowflake?
snowflake表面意是“小雪花”，引申义是白种高加索人不友好的称呼，可见C-NOTE对MS的不满
15.ask him if he would like have a drink with me after the punches out?问问他下班能和我喝一杯吗？
punch 有打孔的意思，punch out引申为“打卡下班” punch in则同理为“打卡上班”

第七集
1.Just go easy.放松点
2.Go nothing.别动
警察的惯用语是:Freeze! 即"别动"的意思
3.It was 1:00 PM when they tangled it up.他们在下午一点聚集在一起
tangle up 集中在一起
4.The guy id’d both of them 那个人认出了他们两
ID=identify,鉴别,识别,id card=身份证
5.your car’s empty.
car=超市里用的手推车
6.It’s time to get the hat.我们该去拿钱了
hat在这里不是"帽子"=非法所得的收入
7.We have already committed the crime.我们已经犯罪了
committe the crime犯罪
committe the suicide自杀
8.The hat’s over the wall.犯罪已成事实
9.There was a way we could wipe the slate clean.这样我们可以洗清冤屈
wipe the slate clean 是个再常用不过的词组,你会在很多电影和歌词中碰到,意思为"勾销往事 洗清冤屈"
slate=石板, 古人会把罪犯的名字刻在石板上
9.it looks like we’re back to square one.看来我们又回到起点了
10.They withdrew his nomination他们撤销了对他的提名
withdraw=撤销;撤退 nomination=提名
11.oh,hit me a nerve 哦,真吓人12.knock it off. 安静
13.whatever you got eating at you,you just give it up.无论什么事在折磨你,你就让它去吧(即别让这种内疚折磨你
14.Bodies kept stacking up.
stack up=不断堆积 body=尸首
15.The picture makes me look like a sociopath.照片上的我跟精神变态者似的
这里教一个猜单词词义的方法 sociopath: socio-为单词前缀=社会 -path为单词后缀=恨
所以sociopath可翻译成憎恨社会的,反社会的
16.Keep your head down.小心撞头,引申为"小心行事"
17.She found no signs of foul play.她没发现谋杀迹象
foul play原义为"球场上的严重的恶意的犯规"

第八集
1.The money was never yours to begin with．本来就不是你们的钱
to begin with=本来，原先
2.you are outnumbered and we will come after you.你人数少，我们会追上你的
　outnumber=数量上胜过
　come after 追上
3.i let that psychopath t-bag loose once.我让T-BAG那个变态逃掉一次
　psychopath＝精神变态者
　4. i didn’t mean to startle you. 我没想吓你。
　startle=使吃惊
5.in an apparent attempt to avoid jail time.有意逃避入狱
　avoid+n.／doing sth.
老外喜欢用名词＋time,表＂一段什么的日子＂
6.that stuff on that table is premium.桌子上放着保险费
　很多人说＂东西＂时喜欢用＂thing＂，其实stuff是最贴切的
premium ＝n.保险费　　　a.高价值的　
7.here is a list of options available to you.单子上提供的东西对你有用
　available在口语中是常用的词，譬如问别人有没有空＂are you available today?＂，或问座位有没有人占＂is the seat available?＂
8.Places to stay,business that are more open to hiring men out of the correctional system. 能住的地方，优　先聘用劳改犯的商家。
　 be open to=对…开放； correctional system＝引申为教改所
9.without the money,we are screwed　没有钱我们就完了
screw=螺丝钉，此处用被动，表示被牢牢定住了　
10.we ran into some car trouble 我们遇到车祸了
run into=遭遇，撞上
11.They’re ladies’ clubs — I’m guessing they’re hotter than a monkey’s jock strap.那些小妞的酒吧，我猜她们比猴子的护裆还热
　　Jockstrap是指男用的护裆(打壁球容易被球反弹击中），大家都知道猴子的PP是红的嘛，所以monkey’s jock strap红热红热的。。
12.we got to lose the bike. 我们得扔掉这车。
throw,leave 用腻了，用用lose也不错
13.from a public relations standpoint,abruzzi and apolskia were by the book.从公众角度出发,（杀）abruzzi and apolskia是按规定的。
　　standpoint=立场，观点
　　by the book=按常规，按规矩
14.your brilliant plan to eliminate sara tancredi from the equation failed.你的伟大的铲除SARA的计划，失败得也如此“伟大”
　　一个brilliant一个和equation，把讽刺意味表露无疑
15.It’s a simple strategy,plays across the board. 很简单的策略，广为人知
16.Get some two-bit job? 找份廉价工打打？
two-bit=二毛五分，即廉价的
17.and then when you strat running out of air…当你没气的时候
　在学校学的都是“out of breath”
18.i will chain you to this desk until i get some answers i cannot fertilize my lawn with
我就把你困在这儿，寻找答案，找到我不能再找为止　fertilize＝施肥　　lawn＝草坪
　这里用了个比喻，i cannot fertilize my lawn with原义“直到我的草坪施肥到不能再施为止”

第九集
1.I’ve been working.Uh,night shifts,cleanup and…Jimmy said I could change my shift　我一
直在这儿工作，上的晚班，负责打扫，jimmy同意我换班
the night shift＝夜班；the day shift＝白班 ;three shifts＝三班倒
2.copy that.收到
　copy在口语中常用于＂收到／听到＂
eg. Do you copy?收到了吗？
　 Roger. 收到了
3.all the charges against you have been dropped,you’re free and clear to start a new life.
　你身上所有的指控都撤销了，你可以重新开始新的生活了
　drop在这里意为＂删去＂　　
　指控：charge somebody with
4.Not be constantly running,looking over your shoulder不用到处躲藏，小心翼翼地生活
constantly=不时的，频繁的
　looking over your shoulder小心翼翼，时刻警惕
5.was there any opprtunity to subdue him? 是否有机会制服他？
　subdue=打败，使顺从
6.But sometimes things happen that are just out of your control.但有时候事情的发展会超出你
的控制（M叔叔深刻的教训啊～这句不错）
7.care to comment? 有啥想说的么？
　want to用腻了就用care to吧，同样是＂愿意，想要＂的意思
8.i believe i said no comment.我说过无可奉告了
　no comment＝无可奉告
9.God help the who goes behind my back and talks to the press.上帝保佑那个背着我向媒体通风报信的家伙（别被我抓到）
　go behind sb’s back=背着某人
　 press=新闻界，媒体
10.the only way to win a war is to try to konw your prey completely.知己知彼，百战不殆
　 prey=对手
11.everything’s arranged.一切就绪
　everything’s arranged＝everything’s ready
12.let’s roll out.我们出发吧
　 let’s roll out=let’s go
13.We don’t have to ditch the car. 我们不必丢弃这辆车。
ditch=放弃；挖沟
14.It’s a one-shot deal out of the country. 这是离开这个国家的惟一的机会。
　　shot=射击；one-shot=一射即出的，即＂只有一次的＂
15.i just figured that since we were divorced…我只是发现自从我们结婚后．．．
　　figure和figure out 在口语中非常常用，为＂发现，觉得＂的意思
16.the bureau take its toll on your family.当局给你家带来了损害
　　bureau=局
　　toll=损失，代价
17.can you guarantee me that my family ain’t going to get hurt?你保证我家人不会受伤？
这里说说promise和guarantee的区别：两者都为＂保证，确保＂，但promise的＂保证＂比　　　　
guarantee要弱很多．
　　eg. i promise that i’m on your side.我尽量保证支持你（即如果事情有变我可以背叛你）
　　　　i guarantee that i’m on your side.我誓死保证支持你
18.nobody’s punking out没人退出
punking out ＝退出
　 这里再教大家一个新用法－－punkd=被耍了
　　i’m punkd 即＂我被耍了＂
19.he’s a closed book.他很自我保护　　
20.All you have to do is wait by the merry-go-round. 你要做的就是等在旋转木马旁
merry-go-round=旋转木马
21.Alex was consumed with finding him.Alex费尽气力去找他
22.you’re slipping.你错了
　 slipping=wrong
23.two caucasian males on foot ,fleeing the willcox station.两个白种男人徒步从willcox火车站逃逸
　　（这里可以看出警察的训练有素，短短一句话就把细节都说明了）
　　caucasian＝高加索人的，白种人的
flee=逃走

第十集
1.he ain’t coming off the goods.他什么都不说
　come off就是二个原来在一起的东西分开的意思
2.i’m on my way and I need your talents,on the ground as well. 我正在赶去，我需要你的帮助
on the ground=从基础开始
　另外与之相对的hit the ceiling的意思的＂暴跳如雷＂
3.You wanted me to figure out Scofield’s rendezvous with Tancredi? 你想我找出Scofield和Tancredi的　　　　　　　会面地点么？
　rendezvous=集合点
4.I’m sitting right on top of it. 我就快得手了
on top of=了解知道，熟练掌握
5.i could drop you back off with the crops if you’d prefer.若你喜欢我可以把你们再还给警察
　drop… back off=退还给
6.she’s picking me uo in a few hours.她一会来接我
　pick up 是常用口语，意为＂接某人上车＂，或＂搭便车＂
7.Running away into the sunset with the man who lied to me? 和一个骗我的男人一起逃亡？
sunset=日落；晚年（这里两种意思都有吧＾＾）
8.he’s not gonna call for backup.他不会叫后援的
　back up=后援，增援
9.i don’t wanna get trapped in here.我不想被困在这里
　trap＝陷阱　　　　　　　　　be trapped in=被困住
10.you are somebody.你是个大人物
　同样的，i’m nobody意思就是＂我是个小人物＂
11.you’re on the wrong side.你站错了立场
　on sb’s side 站在某人一边
　eg.i’m on your side.我站在你这边，我支持你
12.This is a monumental moment for both of us. 这是我们的重要时刻
　 monumental=纪念碑的，即不朽的
13.i’m not kidding around.我没有开玩笑
　 i’m not kidding太常用啦
14.you named him after yourself.他跟你姓
　 name A after B＝A以B命名
15.Well,thanks for bailing as out. 谢谢你把我们弄出来
　bail=保释
16.Down by the border. 南部的边境
up by the border. 北部的边境

第十一集
1.this is the tribune police.make yourself known.我们是警察,请表明身份
tribune=保护百姓的官
make yourself known=表明身份
2.cops found your girlfriend fish-belly white,gargling her own puke.警察发现你女朋友不省人 事,口吐 白沫
fish-belly=鱼腹;fish-belly white=鱼翻白肚,即生命岌岌可危
gargle=漱口 ; puke=呕吐物
gargling her own puke口吐白沫(若换成字面意思挺恶心*_*)
3.bring her down 将她打垮了
这里再说另一个常用的词组let sb down,即"使某人失望
4.the analyst got his hands on a phone conversation.分析员得到一通电话交谈
get a hand on sth=得到…
5.And judging by how hard they’re going after sara tancredi,i’m pretty sure they think she has it.以他们追捕sara的力度看,我很确定她有(带子)
judge by=以…为判断 (因为这里的主语为I,所以用judge的动名词)
go after=追逐;追求
在动词前加上pretty,加深程度
6.But i hope his death properly illustrates the magnitude of the situation that we’re in right now. 但我希望他的死完全说明了我们的麻烦，已经很严重了。
properly=适当地，完全地； illustrate=举例说明,阐明； magnitude=大小
7.are you aware of the nature of your sins?你知道你犯的罪的性质么?
be aware of=知道,了解
nature=(神学中)性质,种类
sin=罪,其实sin和一般的罪不一样,它一般指人的原罪Original sin,如大家所熟悉的"七宗罪"(七宗
罪即:Gluttony 暴食 Greed 贪婪 Sloth 懒惰 Pride 自负 Lust 淫欲 Envy 嫉妒 Warth 愤怒)
8.What are those ends? 这些的目的是什么？
9.surrender your will to god.屈服于上帝
surrender=投降 ; wil=意愿
10.I don’t like being out in the field,I only do so when there’s been a screw up. 我不喜欢抛头露面,我只在事情办砸的时候才出来
screw up=事情办砸 eg.sorry,i screw it up 对不起,我把事情搞砸了
11.you have my word.我保证
实用口语12.Yeah,but i mean it. 是的但是我是认真的
实用口语
13.Do you think i’m just withholding information because i like hanging out with you.你以为我隐瞒消息是因为喜欢和你待一起么?
withhold=保留,隐瞒
hang out with sb=与某人待在一起
14.Don’t try to float a babe-in-the-woods routine by me. 别想耍我把我当成不懂事的小孩
babe-in-the-wood(s)=涉世未深的人,幼稚盲从的人,无经验而易受骗的人
15.It’s really going to piss me off.这可真会把我惹火
piss off=滚开
16.I already named my price. 我已经开价了
注意name的用法
17.you’d better get down on your knees and pray to god that i don’t find you.你最好跪下祈祷我不会找到你
get down on your knees=双膝跪下18.kiss my ass,cobarde.求我吧,懦夫
kiss sb’s ass求某人,讨好某人
相反,kick sb’s ass的意思为"揍某人一顿"

第十二集
1.They put me with this foster father down on pershing avenue.他们让我和住在pershing大街的养父一起生活.
foster-father=养父. 另外step-father=继父
avenue=林荫道,大街
2.Apparently,you were some kind of analyst.That’s the job you chose over your family. 显然你是个分析家，你就为了那工作不要家了。
3.Michael,turning on the company put me and you at even greater risk.Michael,跟公司作对会让你们和我冒更大的危险
我们常见的turn on是指"打开,拧开",在此处trun on (sb)指"攻击"
eg.Why are you all turning on me ? 你们为什么都冲我来了?
另外,turn sb on=使某人激动或兴奋
4.You must be relieved that it’s over. 这事结束了你就解脱了
relieve=放心,解脱
5.we don’t get a whole bunch of homicides out here,and,well,we’re trying to play catch-up.我们还没抓到那帮逃犯,我们正努力呢
a bunch of=一堆,一群 ; homicide=杀人犯
6.we can each sniff out a perp like a hot fart.我们能查觉谁是罪犯,就像闻臭屁一样
sniff out=闻到;查觉到 ; fart=[俗语]屁
perp=罪犯,为perpetrator的缩略
7.I’d be indebted. 我很感激
indebted=感恩的;负债的
8.I’ll do whatever i can to help you nail that son of bitch.我会尽我所能去帮你们抓住那个狗娘养的
nail=指甲;钉住;[俚语]抓住 (在此句中表"抓住")
9.He got me clean through.他打穿我的身体了
clean=整个地. eg.The bullet went clean through his shoulder. 子弹整个儿穿过了他的肩膀
10.it’s a backup.这是后备的
backup=后援;替代的
而词组back up=支持;倒退
11.Geary and me had a little dustup over how to go about finding bagwell.Geary和我在对于怎么寻找bagwell的问题上出现了纠纷
dustup=纠纷,争执
12.All we need to do is find a pharmacy. 我们要找的就是个药店
pharmacy=药房，制药业
13.I’ll make sure that everybody involved knows that your help was invaluable. 我保证每个有关人员都知道你的帮助是无价的
invaluable=无价的
in-和un-都是表"不"的前缀,但invaluable是指"无价的,珍贵的",unvalued才是指"无价值的,没用的"
14.And i want to cut a deal first.我想先做个交易
cut a deal 并不是破坏一个交易。相反地，to cut a deal就是在做生意方面,或者是在司法方面和对方 达成一个协议
15.A little incentive,and i want it in writing. 以防万一，我要书面承诺。
16.When we found the money,Geary double-crossed me. 当我们找到钱时,Geary出卖了我
double-crossed=欺骗，出卖
17.Now,at this juncture,thing will go a whole lot easier for you if you admit to the crime.事情到这份上，你还是早早认罪的好
at this juncture=在这个当口上，在这个节骨眼上
18.Bagwell set me up.bagwell陷害我
set up是一个常用的词组，用法很灵活,有"竖起;排版;创立;张贴;树立(榜样);装置、安放…."一堆意思

第十三集
1.Until we verify,you will drop your weapon or we will drop you.在我们核实之前,放下武器,不然我们就放 倒你
2.There men are in my custody. 我抓住了两个逃犯
in custody=被拘留
3.I was wondering if you could help a brother out.我想问问你能否帮兄弟我一个忙.
我们都知道help sb是"帮助某人",help sb out 即"帮助解决难题,帮助摆脱困境,救出 "
4.Remain at large. 仍逃亡在外
at large=未被捕
5.How a guy goes about getting a hold of one of those prosthetic jobbies. 一个人怎么才能得到假肢?
get hold of=得到 ; prosthetic=[医]修补学,装补学
6.He just neglected to tuck in the sheets. 他(医生)只是忽略我了
这里说一下neglect,overlook, ignore的区别,虽然三个单词都表"忽视,忽略"的意思,但neglect指因粗心或遗 忘而没有事,ignore指有意识地拒绝、故意不予理会；overlook指由于草率或没有注意到而忽视某事。
在搭配上, neglect除了可接sb.或sth.之外,还可接to do sth或doing sth作其宾语，而ignore 后面只可接sb. 或sth.不可接不定式。
7.You sure as hell can figure out how to get a prosthetic for that stump of yours by yourself. 你自然能给自己搞个假肢
as hell=表示强调，意为“非常”
hell 在口语中使用频率很高，经常见到的由hell构成的词组还有：
1)a / one hell of 表示强调，意思为“极好的/极糟的”。
e.g. Forrest Gump is a hell of a good soldier. 阿甘是一个绝对出色的士兵
2)go to hell 去你的，见鬼去吧
3)feel / look like hell (感觉或气色)很差
4)the hell表示强调，意思为“到底”
stump=截肢
8.with his escape,the aiding and abetting charges the felonies he’s racked up along the way,on top of his original sentence,I’d say Mr.Scofield will be spending the rest of his life behind bars.介于他越狱,协助并教唆犯罪等种种重罪指控,我得说Scofield要在监狱渡过余生了
abet=怂恿,教唆 ; rack up=积累 ; behind bars=坐牢
9.We’re entitled to a phone call. 我们有打电话的权利
be entitled to do sth.=有权利,有资格做某事
10.So sit tight.所以给我好好坐着
tight=安稳的
sleep tight="睡个好觉"
11.What you’re asking me to do is tantamount to suicide. 你要我干的事相当于让我自杀
tantamount to=等价于
12.Pardon my forwardness. 原谅我的粗鲁
pardon=原谅,宽恕 ; forwardness=卤莽;热心
13.there’s sure to be a moment or two of chaos.会有一小会儿骚乱
a moment or two=一会儿
chaos=骚乱,吵杂 (教一个音忆法 chaos–chao+s,用汉语拼音读就是"吵死" ,这个词一下就能记住啦^ ^)
14.Refresh my memory. 我回忆一下
15.there is just one teensy-tiny thing i been meaning to ask.我只要求你帮个一个小小的忙
tessy=[俗]极小的=tiny ; teensy-tiny=小之又小的
16.copy that.收到
常用口语
17.You just found your inside man,but it’s got to be right now. 你们得找个知情人,不过我们现在就得行 动
inside man=知情人,线人

第十四集
1.Give me a medevac,asap!我需要医疗直升飞机,快点!
medevac=医疗后送直升飞机
asap=尽快,为"as soon as possible"的缩写,在紧急情况下读成"asap"以节省时间
2.No offense,sir,but we’re searching every vehicle.恕我冒犯,但我们在搜查每一辆车
no offense在美语中很常用,当你要指出别人的缺点，或者表示不同观点的时候，都可以加这样一句,表示没有故意要冒犯的意思.另外,no offense如果用在打球方面,就是一方没有进攻,或没有得分
3.That means,that at this stage,every second is critical.So if you detain me for one moment more,i will have all of your jobs. 这说明,眼下每一秒都至关重要.如果你们再妨碍我,我就让你们都失业
at this stage=眼下，暂时 ； critical=批评的;万分紧急的； detain=阻止，拘留
4.Now I have a bull’s-eye on my chest,just as you two.现在我也你们俩一样被人追杀
bull’s-eye=靶心 ; chest=胸口
5.Don’t fret now. 先不要急
fret=(使)焦急
6.We got ourselves a clean slate.我们都清白了
slate=(书写用的)石板,在美语中也指"候选人名单,提名名单"
a clean slate相当于中文里的"白纸一张,如白纸一样纯洁"
7.Well,you were a little more formidable than we anticipated.你们比我们想像中要强大些
formidable=强大的;令人敬畏的,可怕的
8.We don’t need compliments out of you,jackass. 我们不需要你的恭维,混蛋
compliments=称赞，恭维
out of=来自;从…里面;在…范围外
9.well,it was touch-and-go there for a minute,but i got everything handled.嗯,刚开始有点儿惊险,不过我已经掌控一切了
touch-and-go= 草率从事的行动;一触即发的形势
10.He is a losse end.他是个麻烦
loose end=(常由于复数)不用的部分;未了结的零星问题
11.you are great,top-notch.你们真强,是高手.
(这句话是steadman在电视上看到ms和linc又逃走后,对某FBI说的 ^^)
top大家都知道是最高的意思.notch为在一样东西上刻记号.当然最高的就是最好的,所以Top-notch是指最出众的人或其他东西. 如"top-notch personnel"即指"拔尖人才"
12.Man,you don’t quit. 老兄,你真是执着
13.You are smarter than a bee sting.你真聪明
这是一个形象的比喻,bee sting为蜂刺,smart在此一语双关,以为smart既有"聪明"的意思,还有"刺痛"之意, 故于bee sting比较
14.If anything jumps off,you get my back,I won’t forget it. 如果有事发生,你帮我一把,我不会忘记的
jumps off的字面意思为"跳下,脱离",在文章中常表示"开始"
15.Out there,you’re on your own. 在外面你得靠自己
on your own=独立自主
16.just relax and keep your head.只需放松和冷静
keep one’s head=保持冷静
此外,keep your head down的意思是"说话做事保持低调,不为人注意"

第十五集
1.Exit with your hands in the air.举手出来
with your hands in the air=我们更熟悉的:with your hands up
2.I’ll make you a deal if you don’t move a muscle,i won’t blow your head off.我跟你说好,只要你乖乖着.我就不打爆你的头
not move a muscle=毫不动容,不变神色
此外,在美国俚语中be on the muscle=准备动武; 准备蛮干
在口语中flex one’s muscles =小试身手
on the muscle =用暴力方式;气势汹汹的
3.pull over. 靠边,靠岸,开到路边
发现这是michael经常跟linc说的话—-"把车停到一边",每当linc问"why"的时候,michael都是一脸懒得跟你解释的那种神情说"just pull over"
4.Your commitment to help others,and i put you in a place that’s every doctor’s nightmare.你承诺帮助他人,我却让你陷入医生的恶梦中
commitment to=许诺
5.I’m going to take a leak. 我去小解
leak=泄漏; take a leak=小解
6.That’s a nasty contusion.那是恶意殴打
nasty=令人不快的;恶意的 ; contusion=殴打;打伤
7.If you think i can pull some strings to keep you out of gen pop.I can’t do that. 如果你以为我能让你不关禁闭,那么你错了
pull strings=在幕后操作
gen pop是lockdown的口语说法,意为"一级防范紧闭"
8.They’re already done irreparable damage. 他们已经造成了不可挽回的损失
irreparable=不可挽回的 ; ir-为"不"的前缀
reparable=可修复的,可挽回的
9.A tape purported to be made by escaped convicts lincoln burrows and michael scofield was immediarely dismissed by the justice department.逃犯lincoln与michael做的可疑录影带被司法部门立即驳回
purported=可疑的 (purport=意义,主旨)
dismiss=[法律]不受理.dismiss还有"打发,解散,开除"的意思
10.They dumped it off the front page and buried it.他们把这事从报纸头条撤下并隐瞒起来
dump=倾倒,抛弃
我们常在电影里听到的"He/She dumped me"的意思就是"他/她甩了我"
front page=报纸上的头版头条,也可用"page one"
11.It’s a hail mary,man.这是孤注一掷,老兄
hail mary原指祷告者向圣母玛丽亚求救,而在美国口语中通常是指当成功的机率非常小时,做绝望的尝试
12.I’m guessing they’re spoon-feeding us every lead they want us to follow.我猜他们想让我们顺着他们铺的路去白忙一场
spoon-feeding=填鸭式
spoon-feeding education=填鸭式教育
13.What if this is just one giant setup?如何这是个巨大的圈套呢?
giant=巨大的;伟大的 ; setup=陷阱,圈套
14.I didn’t drive all this way to gloat. 我跑这么远不是来嘲笑你的
gloat=幸灾乐祸
15.The girl bailed on you back in Gila.这女孩在Gila都没跟你走
我们在PB里常见的bail的用法为"保释",而bail还有个常用词义为"离开"

第十六集
1.Out in the cold. remember? 我被流放着,你还记得么?
Out in the cold=被忽视,被冷落
2.I don’t recognize the insignia, do you? 我不认识这标志?你呢?
insignia=阶级、团体成员身份等用的佩章、衣饰等
3.I want Scofield’s and Burrows’ pictures on each and every gas pump.我希望S和B的照片贴在每个加油站上
gas pump=加油站
each and every.虽然老师一直教我们each和every的区别,但从此句可以看到,口语中可用"each and every"是可以连用的,起强调作用
4.Everything goes through headquarters from now on.从现在起,所有事都要向总部汇报
headquarters=n.(公司,机关等的)总部,总公司;(军,警的)司令部
headquarter=v.设立总部
5.I need you to clear a car for me.我需要你腾出一节车厢给我
car=火车车厢
6.You want him to rub elbows with your other passengers?你想他和其他乘客坐一起么?
rub=磨擦 ; elbow=肘
rub elbows with sb.的引申义就是"与某人挨很近"
7.Everything is jake.一切都好
jake=(俚)对的,好
Everything is jake=Everything is all right
8.I tried, but your new warden, straight as an arrow.我试过了,但你们的新狱长固执得要命
straight as an arrow=像弓箭一样直,来比喻一个人待人处世抱诚守真、刚正不阿
eg. The man insisted that he was innocent and that he was as straight as an arrow. 那个人坚持自己是清 白的, 而且他是个正直的人
9.And you tracked down bagwell by following susan hollander.你又通过跟踪susan hollander追捕到了bagwell.
track down=追捕
10.It’s just waiting to be rubber-stamped. 只需一些盖章的批准工作
rubber-stamped=橡皮图章；照常规的批准
11.Fowl is not part of a traditional brunch.禽肉不是传统的早午餐的一部分
brunch=breakfast+lunch,即"早午餐"
12.We have got company.我们有客人
company=客人
13.Remember that merry-go-round that we saw today? 记得我们今天看到的旋转木马么?
merry-go-round=旋转木马
14.what if the only thing inside’s a bunch of stogies?要里面只有一些雪茄怎么办?
stogie=stogy=廉价的细长雪茄烟,产于宾西法尼亚(Pennsylvania)州的科内斯托加(Conestoga)
15.I don’t wanna spend any more minutes in here than necessary.我不想再在这里浪费时间了
…more…than necessary=比应当的更…
16.I’m no local hayseed cop. 我不是地方草包警察
hayseed=甘草种子，甘草屑,在美国口语中指"乡巴佬"
17.whoever this is..tell bill kim that he just screwed up..big time.不管你是谁,告诉bill kim他这次搞砸了…砸大了
screw up=搞糟,搞砸
big time=[俚语]十分,极度;欢乐时刻

第十七集
1.she’s been ill, some chronic condition.她有病,慢性病
chronic=(病)慢性的 ; 反之,acute=(病)急性的
2.Find a spot close to the club and sit tight.找个离俱乐部近的地方,慢慢等着
tight可作形容词或副词,指"牢牢的/地,不动的/地"
3.What the hell are you thinking about, waltzing here?你到底想怎么样,还悠闲地跑到这儿?
waltz=华尔兹,在这里指"轻松前进"
4.She’s had this kidney thing since she was real young.她从小肾就有问题
kidney=肾
5.I don’t give a rat’s ass about your or your brother.我对你和你哥的事都他妈的没兴趣
I don’t give a shit/damn/rat’s ass about sth.都算是粗口了,表示"我不在乎…"
6.What if i’m standing on this side? 如果我处于这种情况呢?
7.There are places that can better serve your needs.有些地方更适合你们的需要
serve sb’s needs=help sb. (当help用腻时,可用serve sb’s needs替换)
8.What the hell are you trying to pull.你到底想干嘛?
pull在美国口语中指"干(勾当),耍阴谋"
eg.Don’t try to pull anything.别想耍什么花招
9.Look me in the eye,tell me you don’t believe there’s a cover-up going on right now.看着我的眼睛,你觉得我在欺骗你吗?
cover-up=掩饰;掩盖
(顺便体会一下Look me in the eye和Look at me的小区别)
10.’cause i feel like a circus freak.因为我觉得自己像马戏团小丑
circus=马戏团;马戏表演 ; freak=行为怪诞的人
11.you mark my words.你牢牢记住我说的话
mark=记下,录下,可与"remember/record"替换
12.President reynolds attended a chicago fundraiser last night.reynolds总统昨晚在芝加哥参加了一个筹款活动
fund=基金 ; raiser=筹措者 ; fundraiser=资金筹集活动
13.Scofield,i don’t know what you’re used to,but anything short of filet mignon is not going to cult it with me.Scofield,我不知道你习惯怎么着,但没有一客腓力牛排别想打发我.
short of=缺少,不足
filet mignon=腓力牛排.这个词源于法语.意思就是牛里脊,是牛身上最贵的部分.
14.Do you think i’d bring you here to so sacred a place to me as this if i meant you ill.如果我要害你,你觉得我会带你来这个对我来说如此神圣的地方么?
ill用在此处指"坏的;冷酷的;恶劣的".比"bad"的程度深
15.I am the laws of karma all come down wrong.我是因果报应的作孽的产物
karma=命运;因果报应
佛教中认为节制万众生灵的是所谓“功德法轮”(law of karma)此功德法轮是一组定律常规, 支配善恶的因果报应, 生命的托世轮回,.反之,
物理的自然定律(laws of Nature), 是客观的, 是永恒的, 不受鬼神的支配的
(由此可看出t-bag的文字功底确实了得)
16.may need to run a few tests.可能得做些化验
17.You don’t mind if i ask you to empty your pockets.你不介意我搜一下你的口袋吧?
empty (out) sb’s pockets=搜查某人
eg.The police made the thief empty out his pocket.警察搜查小偷
此外,an empty pocket=没有钱的人.

Why You Need a Proxy

All modern web browsers impose a security restriction on network connections, which includes calls to XMLHttpRequest. This restriction prevents a script or application from making a connection to any web server other than the one the web page originally came from (Internet Explorer will allow cross-domain requests if the option has been enabled in the preferences). If both your web application and the XML data that application uses come directly from the same server, then you do not run into this restriction.

If, however, you serve your web application from one web server and you make web service data requests to another server — for example, to the Yahoo! Web Services — then the browser prevents the connection from being opened at all. Bummer.

There are a number of solutions to this problem but the most commonly-used one is to install a proxy on your web server. Instead of making your XMLHttpRequest calls directly to the web service, you make your calls to your web server proxy. The proxy then passes the call onto the web service and in return passes the data back to your client application. Because the connection is made to your server, and the data comes back from your server, the browser has nothing to complain about.

For security reasons it’s a good idea for any proxy you install on your web server should be limited in use. An open proxy that passes on connections to any web site URL is open to abuse. Although it is difficult to limit the connections to your proxy from only your application, you can prevent the proxy from making connections to servers other than those you specify. Hard code the URL to connect to in the proxy itself or provide limited options. This makes the proxy less open and less useful to users other than your client application.

PHP Proxy for Yahoo! Web Services

For the Yahoo! Developer Network JavaScript Developer Center we have provided sample code for a simple web proxy, written in PHP, that takes requests for the Yahoo! Search APIs. You can install this proxy on your own web server in any convenient location (your web server must be set up to run PHP).

The proxy encodes the Yahoo! Web services site URL in a global variable called HOSTNAME. ou will need to modify this variable to refer to the Yahoo! Web Services API you’ll be using. This is the domain used by the Yahoo! Search web services; other domains include Yahoo! Local (http://api.local.yahoo.com) and Yahoo! Travel (http://api.travel.yahoo.com).

define ('HOSTNAME', 'http://api.search.yahoo.com/');

To use the PHP web proxy in your client application, the URL for the request in the JavaScript code includes the path for the Yahoo! Web Services request, minus the domain name. The domain name is added by the proxy itself on the server side. This code snippet comes from a more complete XMLHttpRequest code sample on our JavaScript Developer Center.

// The web services request minus the domain name
var path = 'VideoSearchService/V1/videoSearch?appid=YahooDemo&query=madonna&results=2';

// The full path to the PHP proxy
var url = 'http://localhost/php_proxy_simple.php?yws_path=' + encodeURIComponent(path);
... // core xmlhttp code
xmlhttp.open('GET', url, true);

Note that although this example uses an HTTP GET request, the sample PHP web proxy also supports POST.

You could modify the proxy to do post-processing of the data you get from the request on the server side, for example, to strip out only the elements you’re interested in or the parse the XML into a format you can more comfortably handle in JavaScript.

Other Solutions

In addition to using a web proxy to pass web services data to your application, there are several other options to working around cross-domain browser restrictions:

• Use apache’s mod_rewrite or mod_proxy to pass requests from your server to some other server. In your client code you just make the request as if it was actually on your server — no browser problems with that. Apache then does its magic and makes the request to the other server for you.
• Use JSON and dynamic <script> tags instead of XML and XMLHttpRequest. You can get around the browser security problem altogether by making your web services request directly inside a <script> tag. If the Yahoo! Web Service you’re using can output JSON (using the output=json and callback=function parameters), the data you get back from the web service is evaluated as a JavaScript object when the page is loaded. See our JSON Documentation for an example of how to do this in your own scripts.
• Digitally sign your scripts. In Firefox you can apply a digital signature to your script and those scripts will then be considered "trusted" by the browser. Firefox will then let you make XMLHttpRequests to any domain. However, no other browsers support script signing at this time, so this solution is of limited use.

For More Information

For more information on JavaScript, XMLHttpRequest, Yahoo! Web Services APIs and other JavaScript development topics, see The Yahoo! Developer Network JavaScript Developer Center.

在Windows操作系统上，我们最常见的浏览器有两种：文件浏览器（exploer.exe，应用于文件系统）和Internet浏览器（iexplore.exe，应用于互联网资源）。由于这两个浏览器功能强大，而且又与Windows操作系统捆绑销售，最终也就成为了浏览器的标准。但有时候，为了给浏览器加入一些新的特性，我们往往会重新设计一个自己的浏览器。新的浏览器模仿标准浏览器的大部分功能，同时加入新特性。这种做法最直观，但实际上也是相对于微软的重复劳动，且工作量比较大。其实，使用BHO插件，一切都变得很简单。

　　BHO（Browser Help Objects），是实现了特定接口的COM组件。开发好的BHO插件在注册表特定的位置注册好后，每当微软的浏览器启动，BHO实例就会被创建。在浏览器工作的工程中，BHO会接收到很多事件，比如浏览器浏览新的地址、前进或后退、生成新的窗口、浏览器退出等等；BHO可以在这些事件的响应中实现与浏览器的交互。
　
　　下面，我们首先来介绍一下BHO的工作原理。上面我们已经提到，BHO是COM组件，而且一定实现了IObjectWithSite接口。这些组件除了在注册表中注册为COM Server外，还必须将它们的CLSID在HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\Explorer\Browser Helper Objects下注册为子键。微软在设计浏览器的时候，已经给这些组件预留了空间。每当浏览器启动时，浏览器会首先在上述注册表位置查看是否有注册的BHO CLSID；如果有则分别创建一个实例，并对BHO实例进行初始化，建立交互连接。（注：BHO实例只有在创建它的浏览器窗口销毁时才被释放。）下图演示了BHO的创建过程：

　　成功创建的BHO，不仅可以得到各种标准的浏览器操作事件，并做出响应；还可以定制浏览器的菜单、工具条等界面元素；更或者可以安装钩子函数，监视浏览器的一举一动。值得注意的是，使用BHO插件，Internet浏览器要求在4.0以上版本；如果是文件浏览器，操作系统要求是Windows 95/98/2000或Window NT 4.0以上版本，并且Shell的版本在4.71以上。下面是支持BHO特性的系统一览表：

　　接下去，笔者就来介绍一下如何开发BHO插件，开发环境为VC6.0（使用ATL），安装Platform SDK中的Internet Development SDK。首先，启动VC的ATL COM AppWizard，生成一个项目名为BhoPlugin，其余均采用默认设置。接着，我们就来分步详细阐述。

　　第一步，增加一个ATL Object到该项目中。VC菜单Insert->New ATL Object…，在弹出的对话框中选择“Internet Explorer Object”，输入COM类名（在Short Name后输入EyeOnIE，其它各项会自动生成）。完成后，我们可以看到CEyeOnIE类有一个基类IObjectWithSiteImpl，这个就是实现IObjectWithSite接口的模版类。

　　第二步，实现IObjectWithSite的接口方法。在这之前，我们要先定义几个成员变量：CComQIPtr<IWebBrowser2, &IID_IWebBrowser2> mWebBrowser2，（需要加入#include "ExDisp.h"），用以保存浏览器组件的指针；DWORD mCookie，用以保存与浏览器的连接ID。IObjectWithSite有两个接口方法：SetSite和GetSite。我们只需重载SetSite就行了。在EyeOnIE.h中增加函数声明STDMETHOD(SetSite)(IUnknown *pUnkSite)，在EyeOnIE.cpp实现如下：

　　我们可以看到，SetSite的参数实际上指向的是浏览器组件。在SetSite实现中，我们首先保存浏览器组件指针，然后将该BHO向浏览器注册为事件处理器。

第三步，实现IDispatch接口方法。事件处理也就在IDispatch::Invoke中实现（各个事件的ID在ExDispID.h中定义）。BHO可能会接收到很多事件，但我们只需要响应我们感兴趣的那一部分。首先在EyeOnIE.h中增加该函数的声明，在EyeOnIE.cpp的实现中，笔者试着响应浏览器浏览一个地址之前发出的事件DISPID_BEFORENAVIGATE2，以此来实现简单的网址过滤功能，代码参考如下：

　　我们看到，当用户浏览的新地址包含"girl.com"字符的时候，浏览器就会弹出一个警告对话框，并且停止进一步的动作。另外值得注意的是，在DISPID_QUIT事件（浏览器将要退出）的响应中，我们将BHO事件处理器进行了注销。

　　第四步，因为BHO可能会被文件浏览器加载。如果我们不想这样，我们就要在DllMain中对加载者进行判断，参考如下：

　　最后，别忘了修改注册表文件，追加BHO的注册信息。在EyeOnIE.rgs文件的下面增加如下代码：

　　注意，{6E28339B-7A2A-47B6-AEB2-46BA53782379}是笔者这个BHO的CLSID，如果你自己开发BHO，这里应该正确填写你的CLSID。

　　好了，一个简单的BHO开发完成了。（可以到本人的个人主页 http://hqtech.nease.net 下载实例源代码。）BHO插件可以实现的功能还有很多，比如网页内容分析、IE界面定制等等。作为总结，笔者还要提醒读者一点的是，如果不想让BHO起作用了，可以注销该插件，如下格式：regsvr32 /u yourpath\yourbho.dll，或者直接在注册表中将“Browser Helper Objects”目录下注册的CLSID删掉。

dengwei，您的总体评价：

文字的平民化韵味浓郁，具有很强的生活气息；相对正统的创作路线，可读性较强。架构清晰，逻辑性强，情节缜密，可读性强；文章内容丰富，观点翔实可圈可点；在成语使用方面可以着重下功夫改进。情节缜密题材的小说值得尝试，将推理、悬念、历史的因素掺杂其中；同时也可以尝试杂文、评论等文体。行文时留心描写与情节结构的紧密配合，必然会诞生令人耳目一新的作品。

感兴趣的话您也可以去试一试

http://www.sogou.com/websearch/test/statsword.jsp

人力资源经理:( human resource manager)
高级管理人员:(executive)
职业:(profession)
道德标准:(ethics)
操作工:(operative employees)
专家:(specialist)
人力资源认证协会:(the Human Resource Certification Institute,HRCI)

2. 外部环境:(external environment)

内部环境:(internal environment)
政策:(policy)
企业文化:(corporate culture)
目标:(mission)
股东:(shareholders)
非正式组织:(informal organization)
跨国公司:(multinational corporation,MNC)
管理多样性:(managing diversity)

3. 工作:(job)

职位:(posting)
工作分析:(job analysis)
工作说明:(job description)
工作规范:(job specification)
工作分析计划表:(job analysis schedule,JAS)
职位分析问卷调查法:(Management Position Description Questionnaire,MPDQ)
行政秘书:(executive secretary)
地区服务经理助理:(assistant district service manager)

4. 人力资源计划:(Human Resource Planning,HRP)

战略规划:(strategic planning)
长期趋势:(long term trend)
要求预测:(requirement forecast)
供给预测:(availability forecast)
管理人力储备:(management inventory)
裁减:(downsizing)
人力资源信息系统:(Human Resource Information System,HRIS)

5. 招聘:(recruitment)

员工申请表:(employee requisition)
招聘方法:(recruitment methods)
内部提升:(Promotion From Within ,PFW)
工作公告:(job posting)
广告:(advertising)
职业介绍所:(employment agency)
特殊事件:(special events)
实习:(internship)

6. 选择:(selection)

选择率:(selection rate)
简历:(resume)
标准化:(standardization)
有效性:(validity)
客观性:(objectivity)
规范:(norm)
录用分数线:(cutoff score)
准确度:(aiming)
业务知识测试:(job knowledge tests)
求职面试:(employment interview)
非结构化面试:(unstructured interview)
结构化面试:(structured interview)
小组面试:(group interview)
职业兴趣测试:(vocational interest tests)
会议型面试:(board interview)

7. 组织变化与人力资源开发

人力资源开发:(Human Resource Development,HRD)
培训:(training)
开发:(development)
定位:(orientation)
训练:(coaching)
辅导:(mentoring)
经营管理策略:(business games)
案例研究:(case study)
会议方法:(conference method)
角色扮演:(role playing)
工作轮换:(job rotating)
在职培训:(on-the-job training ,OJT)
媒介:(media)

8. 企业文化与组织发展

企业文化:(corporate culture)
组织发展:(organization development,OD)
调查反馈:(survey feedback)
质量圈:(quality circles)
目标管理:(management by objective,MBO)
全面质量管理:(Total Quality Management,TQM)
团队建设:(team building)

9. 职业计划与发展

职业:(career)
职业计划:(career planning)
职业道路:(career path)
职业发展:(career development)
自我评价:(self-assessment)
职业动机:(career anchors)

10. 绩效评价

绩效评价:(Performance Appraisal,PA)
小组评价:(group appraisal)
业绩评定表:(rating scales method)
关键事件法:(critical incident method)
排列法:(ranking method)
平行比较法:(paired comparison)
硬性分布法:(forced distribution method)
晕圈错误:(halo error)
宽松:(leniency)
严格:(strictness)
3600反馈:(360-degree feedback)
叙述法:(essay method)
集中趋势:(central tendency)

11. 报酬与福利

报酬:(compensation)
直接经济报酬:(direct financial compensation)
间接经济报酬:(indirect financial compensation)
非经济报酬:(no financial compensation)
公平:(equity)
外部公平:(external equity)
内部公平:(internal equity)
员工公平:(employee equity)
小组公平:(team equity)
工资水平领先者:(pay leaders)
现行工资率:(going rate)
工资水平居后者:(pay followers)
劳动力市场:(labor market)
工作评价:(job evaluation)
排列法:(ranking method)
分类法:(classification method)
因素比较法:(factor comparison method)
评分法:(point method)
海氏指示图表个人能力分析法:(Hay Guide Chart-profile Method)
工作定价:(job pricing)
工资等级:(pay grade)
工资曲线:(wage curve)
工资幅度:(pay range)

12. 福利和其它报酬问题

福利(间接经济补偿)
员工股权计划:(employee stock ownership plan,ESOP)
值班津贴:(shift differential)
奖金:(incentive compensation)
分红制:(profit sharing)

13. 安全与健康的工作环境

安全:(safety)
健康:(health)
频率:(frequency rate)
紧张:(stress)
角色冲突:(role conflict)
催眠法:(hypnosis)
酗酒:(alcoholism)

14. 员工和劳动关系

工会:(union)
地方工会:(local union)
行业工会:(craft union)
产业工会:(industrial union)
全国工会:(national union)
谈判组:(bargaining union)
劳资谈判:(collective bargaining)
仲裁:(arbitration)
罢工:(strike)
内部员工关系:(internal employee relations)
纪律:(discipline)
纪律处分:(disciplinary action)
申诉:(grievance)
降职:(demotion)
调动:(transfer)
晋升:(promotion)

http://www.chinahrd.net/zhi_sk/article.asp?articleID=19389