Basic information
File name:
BioShock Remastered 汉化补丁 0.3.exe
MD5: 343c5425cd76e5a95679c00499d927cc
File type: EXE
Upload time: 2017-06-03 20:35:32
Publisher: none
Version: 0.0.0.3---0.3
Packer/compiler info: COMPILER:dUP v2.x Patcher --> www.diablo2oo2.cjb.net [Overlay] *
Sub-file information:
modern-wizard.bmp / cbe40fd2b1ec96daedc65da172d90022 / Unknown
InstallOptions.dll / 3e277798b9d8f48806fbb5ebfd4990db / DLL
[NSIS].nsi / ca55942be58f82e72739861e2e406218 / Unknown
blank.nsi / cbb99a1c909de12d75130b48b2ceb17e / Unknown
ioSpecial.ini / e2d5070bc28db1ac745613689ff86067 / Unknown
Key behaviors
Behavior description: Get TickCount value
Details:
TickCount = 5439734, SleepMilliseconds = 1000.
TickCount = 5439750, SleepMilliseconds = 1000.
TickCount = 5439765, SleepMilliseconds = 1000.
TickCount = 5439781, SleepMilliseconds = 1000.
TickCount = 5439843, SleepMilliseconds = 1000.
TickCount = 5439859, SleepMilliseconds = 1000.
TickCount = 5439953, SleepMilliseconds = 1000.
TickCount = 5439968, SleepMilliseconds = 1000.
TickCount = 5440031, SleepMilliseconds = 1000.
TickCount = 5440062, SleepMilliseconds = 1000.
TickCount = 5440187, SleepMilliseconds = 1000.
TickCount = 5441703, SleepMilliseconds = 1000.
TickCount = 5441718, SleepMilliseconds = 1000.
TickCount = 5443140, SleepMilliseconds = 1000.
TickCount = 5443156, SleepMilliseconds = 1000.
Process behavior
Behavior description: Create local thread
Details:
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2436, ThreadID = 2572, StartAddress = 77C0A341, Parameter = 00924738
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2436, ThreadID = 2628, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2436, ThreadID = 2632, StartAddress = 7C930230, Parameter = 00000000
File behavior
Behavior description: Create file
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu51.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsp52.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsv53.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsv53.tmp\pay.bmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsv53.tmp\nsDialogs.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsv53.tmp\System.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsv53.tmp\Delay.dll
C:\WINDOWS\wininit.ini
Behavior description: Create executable file
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\nsv53.tmp\nsDialogs.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsv53.tmp\System.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsv53.tmp\Delay.dll
Behavior description: Overwrite existing file
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\nsp52.tmp
Behavior description: Search for file
Details:
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsv53.tmp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsv53.tmp\pay.bmp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsv53.tmp\*.*
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsv53.tmp\Delay.dll.AmBackup3
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsv53.tmp\nsDialogs.dll.AmBackup1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsv53.tmp\System.dll.AmBackup2
Behavior description: Delete file
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu51.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsp52.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsv53.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsv53.tmp\Delay.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsv53.tmp\nsDialogs.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsv53.tmp\pay.bmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsv53.tmp\System.dll
Behavior description: Modify file contents
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\nsp52.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nsp52.tmp ---> Offset = 32768
C:\Documents and Settings\Administrator\Local Settings\Temp\nsp52.tmp ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\nsp52.tmp ---> Offset = 74014
C:\Documents and Settings\Administrator\Local Settings\Temp\nsp52.tmp ---> Offset = 106782
C:\Documents and Settings\Administrator\Local Settings\Temp\nsv53.tmp\pay.bmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nsv53.tmp\pay.bmp ---> Offset = 16384
C:\Documents and Settings\Administrator\Local Settings\Temp\nsv53.tmp\pay.bmp ---> Offset = 32768
C:\Documents and Settings\Administrator\Local Settings\Temp\nsv53.tmp\pay.bmp ---> Offset = 49152
C:\Documents and Settings\Administrator\Local Settings\Temp\nsv53.tmp\pay.bmp ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\nsv53.tmp\nsDialogs.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nsv53.tmp\System.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nsv53.tmp\Delay.dll ---> Offset = 0
C:\WINDOWS\wininit.ini ---> Offset = 0
Registry behavior
Behavior description: Modify registry: pending file rename entry
Details:
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Session Manager\PendingFileRenameOperations
Other behavior
Behavior description: Create mutex
Details:
oleacc-msaa-loaded
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.ELH
MSCTF.Shared.MUTEX.IIJ
Behavior description: Create event object
Details:
EventName = Global\userenv: User Profile setup event
EventName = MSCTF.SendReceive.Event.IIJ.IC
EventName = MSCTF.SendReceiveConection.Event.IIJ.IC
Behavior description: Find specified window
Details:
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Window information
Details:
Pid = 2436, Hwnd=0x70380, Text = Next(&N) >, ClassName = Button.
Pid = 2436, Hwnd=0x10033c, Text = Cancel(&C), ClassName = Button.
Pid = 2436, Hwnd=0xc038a, Text = 黑桐切嗣 && 小胖鱼 , ClassName = Static.
Pid = 2436, Hwnd=0x15030c, Text = 黑桐切嗣 && 小胖鱼, ClassName = Static.
Pid = 2436, Hwnd=0x6037e, Text = Notes on this localization patch:, ClassName = Static.
Pid = 2436, Hwnd=0x40394, Text = Please read carefully., ClassName = Static.
Pid = 2436, Hwnd=0x1f02fe, Text = Most of the localized text was extracted from the original localization of the first game; the text newly added in the Remastered version was extracted from the 3dm localization, and the remaining untranslated part was translated by 小胖鱼. Some odd translations have been corrected. Before installing, make sure the game is an unmodified Steam original; if unsure, verify the game files' integrity in Steam. Two shortcuts are placed on the desktop, for switching the game between Japanese/English voice and toggling font smoothing. Game version this patch is currently tested against: 1.0.122283. Note: in Steam, right-click the game, open its properties and set the language to Japanese, otherwise the patch will not take effect!!! If some text is translated inappropriately, please take a screenshot, attach a better translation, and send it to 122150047@qq.co, ClassName = Static.
Pid = 2436, Hwnd=0x2102b6, Text = BioShock Remastered 汉化补丁 0.3 Setup, ClassName = #32770.
Pid = 2436, Hwnd=0x150306, Text = < Back(&P), ClassName = Button.
Pid = 2436, Hwnd=0x70380, Text = 6, ClassName = Button.
Pid = 2436, Hwnd=0x6037e, Text = Your support is what keeps me going!, ClassName = Static.
Pid = 2436, Hwnd=0x40394, Text = Even one yuan is fine; support is voluntary. Alipay on the left, WeChat on the right., ClassName = Static.
Pid = 2436, Hwnd=0x2002fe, Text = PayPal link, ClassName = Button.
Pid = 2436, Hwnd=0x70380, Text = Install(&I), ClassName = Button.
Pid = 2436, Hwnd=0x6037e, Text = Choose install location, ClassName = Static.
Behavior description: Get TickCount value
Details:
TickCount = 5439734, SleepMilliseconds = 1000.
TickCount = 5439750, SleepMilliseconds = 1000.
TickCount = 5439765, SleepMilliseconds = 1000.
TickCount = 5439781, SleepMilliseconds = 1000.
TickCount = 5439843, SleepMilliseconds = 1000.
TickCount = 5439859, SleepMilliseconds = 1000.
TickCount = 5439953, SleepMilliseconds = 1000.
TickCount = 5439968, SleepMilliseconds = 1000.
TickCount = 5440031, SleepMilliseconds = 1000.
TickCount = 5440062, SleepMilliseconds = 1000.
TickCount = 5440187, SleepMilliseconds = 1000.
TickCount = 5441703, SleepMilliseconds = 1000.
TickCount = 5441718, SleepMilliseconds = 1000.
TickCount = 5443140, SleepMilliseconds = 1000.
TickCount = 5443156, SleepMilliseconds = 1000.
Behavior description: Adjust process token privileges
Details:
SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Open event
Details:
HookSwitchHookEnabledEvent
_fCanRegisterWithShellService
CTF.ThreadMIConnectionEvent.000007B4.00000000.00000052
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000052
MSCTF.SendReceiveConection.Event.ELH.IC
MSCTF.SendReceive.Event.ELH.IC
Behavior description: Executable file signature information
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\nsv53.tmp\nsDialogs.dll(signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsv53.tmp\System.dll(signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsv53.tmp\Delay.dll(signature verification: failed)
Behavior description: Call Sleep function
Details:
[1]: MilliSeconds = 1000.
[2]: MilliSeconds = 1000.
[3]: MilliSeconds = 1000.
[4]: MilliSeconds = 1000.
[5]: MilliSeconds = 1000.
[6]: MilliSeconds = 1000.
[7]: MilliSeconds = 1000.
[8]: MilliSeconds = 1000.
[9]: MilliSeconds = 1000.
[10]: MilliSeconds = 1000.
Behavior description: Hide specified window
Details:
[Window,Class] = [,Button]
[Window,Class] = [,Auto-Suggest Dropdown]
Behavior description: Executable file MD5
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\nsv53.tmp\nsDialogs.dll ---> b3070cf20db659fdfb3cb2ed38130e8d
C:\Documents and Settings\Administrator\Local Settings\Temp\nsv53.tmp\System.dll ---> 3f176d1ee13b0d7d6bd92e1c7a0b9bae
C:\Documents and Settings\Administrator\Local Settings\Temp\nsv53.tmp\Delay.dll ---> 4602d9a9ed82d646522ead08a58536a9
Behavior description: Open mutex
Details:
ShimCacheMutex
Behavior description: Load newly dropped file
Details:
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsv53.tmp\nsDialogs.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsv53.tmp\System.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsv53.tmp\Delay.dll.
Process tree
****.exe (PID: 0x00000984)
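The report above is a raw behavior listing; the triage questions a practitioner actually asks of it are cross-section ones: which executables were dropped into %temp% and then mapped into the process, whether any of those carried a valid Authenticode signature, whether the sample set up a reboot-time rename/delete primitive (PendingFileRenameOperations, wininit.ini), which token privileges it asked for, and how much wall-clock time the GetTickCount/Sleep loop burned. The script below is an added example, not part of the original report or of any sandbox vendor's code: the parser, the rule names (dropped_and_loaded, nsis_plugin_staging, and so on) are my own, and REPORT is a constructed excerpt copied from this page's visible lines in the same "Behavior description: / Details:" layout, using the English labels used on this page.

```python
"""Triage a Habo-style sandbox behavior report for the patterns on this page.
Added example, not part of the original report: parser and rule names are mine,
and REPORT is a constructed excerpt copied from the report's own lines."""
import json
import re
from collections import defaultdict

REPORT = r"""
File behavior
Behavior description: Create file
Details:
C:\WINDOWS\wininit.ini
Behavior description: Create executable file
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\nsv53.tmp\nsDialogs.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsv53.tmp\System.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsv53.tmp\Delay.dll
Registry behavior
Behavior description: Modify registry: pending file rename entry
Details:
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Session Manager\PendingFileRenameOperations
Other behavior
Behavior description: Get TickCount value
Details:
TickCount = 5439734, SleepMilliseconds = 1000.
TickCount = 5439750, SleepMilliseconds = 1000.
TickCount = 5443156, SleepMilliseconds = 1000.
Behavior description: Adjust process token privileges
Details:
SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Executable file signature information
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\nsv53.tmp\nsDialogs.dll(signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsv53.tmp\System.dll(signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsv53.tmp\Delay.dll(signature verification: failed)
Behavior description: Load newly dropped file
Details:
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsv53.tmp\nsDialogs.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsv53.tmp\System.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsv53.tmp\Delay.dll.
Process tree
****.exe (PID: 0x00000984)
"""

HEADING = re.compile(r"^(Key behaviors|\w+ behavior|Process tree)$")
DESC = "Behavior description: "

def parse_report(text):
    """Map each behavior description to its detail lines; a description that the
    Key behaviors section repeats is merged, and the process tree is skipped."""
    behaviors = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Details:":
            continue
        if HEADING.match(line):
            current = None
        elif line.startswith(DESC):
            current = line[len(DESC):]
        elif current is not None:
            behaviors[current].append(line)
    return behaviors

def path_key(path):
    """Last two path components, lower-cased, so the long form and the 8.3 short
    form (DOCUME~1, LOCALS~1) used by different sections compare equal."""
    parts = [p for p in path.split("\\") if p]
    return "\\".join(parts[-2:]).lower()

def triage(text):
    b = parse_report(text)
    dropped = {path_key(p) for p in b["Create executable file"]}
    loaded = {path_key(m.group(1)) for m in
              (re.match(r"Image:\s*(.+?)\.?$", l) for l in b["Load newly dropped file"]) if m}
    unsigned = {path_key(m.group(1)) for m in
                (re.match(r"(.+?)\(signature verification: failed\)", l)
                 for l in b["Executable file signature information"]) if m}
    ticks = sorted({int(m.group(1)) for m in
                    (re.match(r"TickCount = (\d+)", l) for l in b["Get TickCount value"]) if m})
    return {
        "dropped_and_loaded": sorted(dropped & loaded),   # code dropped to %temp%, then mapped
        "unsigned_loaded": sorted(unsigned & loaded),     # ...with no valid Authenticode signature
        # every dropped binary lives in one ns??.tmp directory: the NSIS plugin staging pattern
        "nsis_plugin_staging": bool(dropped) and all(re.match(r"ns[a-z]\d+\.tmp\\", k) for k in dropped),
        # reboot-time rename/delete primitives: PendingFileRenameOperations and wininit.ini
        "pending_rename": any("PendingFileRenameOperations" in l
                              for l in b["Modify registry: pending file rename entry"]),
        "wininit_ini": any(path_key(p) == "windows\\wininit.ini" for p in b["Create file"]),
        "load_driver_privilege": "SE_LOAD_DRIVER_PRIVILEGE" in b["Adjust process token privileges"],
        "tickcount_checks": len(ticks),                   # distinct GetTickCount samples
        "tickcount_span_ms": ticks[-1] - ticks[0] if ticks else 0,
    }

if __name__ == "__main__":
    print(json.dumps(triage(REPORT), indent=2))
```

For this sample the findings read as a normal NSIS installer rather than as an implant: nsDialogs.dll and System.dll are standard NSIS plugins, NSIS stages its plugins in an ns??.tmp directory under %temp% and loads them from there, and the PendingFileRenameOperations/wininit.ini pair is how NSIS schedules in-use files for deletion at reboot. Two things still deserve a follow-up before closing the case: the report shows only that the pending-rename key was written, not the value, so confirm in the sandbox registry snapshot that it schedules a deletion inside %temp% and not a move into a system directory; and no driver file is created anywhere in the listing, so a process requesting SE_LOAD_DRIVER_PRIVILEGE is unexplained by what is on the page and worth tracing to the plugin that asked for it.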