
Thread: Exports gone AWOL in Softice

  1. #1

    Exports gone AWOL in Softice

    Howdy...I can no longer get all of my exports using the 'exp' command in softice. They were there a couple of weeks ago, at least some of them were. The 'exp' command only lists: K32, U32, GDI32, NTOSKRNL and HAL.

    A couple of weeks ago, I was working on an app that used DirectX dll's, and I had both D3D9.dll and Dinput.dll listed after HAL with the 'exp' command. I'm used to seeing a lot more than that. Usually I see MSVCRT.DLL as well, if it's used.

    In fact, since I've been working on Silver's DX crackme, I had D3D9 and DInput displayed, but no more. I have done a fresh install of softice and it's very stable, but the additional exports are not there.

    These are my NMS loads from winice.dat, and although I have no request for loads of K32, U32, GDI32, NTOSKRNL and HAL, they get loaded anyway.

    Code:
    LOAD=C:\nmsout\d3d9.nms
    LOAD=C:\nmsout\dinput8.nms
    LOAD=C:\nmsout\msvcrt.nms
    LOAD=C:\nmsout\dinput.nms
    LOAD=C:\nmsout\ddraw.nms
    LOAD=C:\nmsout\d3dim.nms
    LOAD=C:\nmsout\d3dim700.nms
    LOAD=C:\nmsout\comdlg32.nms
    LOAD=C:\nmsout\advpack.nms
    LOAD=C:\nmsout\advapi32.nms
    These NMS files were generated by the m$oft version of symserver. I'm using the 3.2.1 version of NTICE, OSINFO and OSINFOB. I just did a fresh d/l of the NTOSKRNL NMS file.

    While I'm whining, I'd like to bring up the issue of why I can get a listing using Silver's crackme for the HWND command. Anyone who might have read the other thread will recall the HWND command under XP SP2 is claiming it can't find a window (Unable to find a desktop window). Kayaker pointed out it's because the TIB address is variable in XP SP2 and softice is looking for a fixed address. I am including a 'query' readout from Silver's crackme hoping someone can spot the reason why it works normally in his app.

    It's obvious from the printout that D3D9.DLL and DINPUT8.DLL are both loaded, but neither shows up with the 'exp' command. I have tried listing them as exports as well as NMS, but it doesn't work.

    Code:
    :query silver
    Address Range      Flags     MMCI      PTE       Name
    00010000-00010000  C4000001
    00020000-00020000  C4000001
    00030000-0012F000  84400004                      STACK(C8)
    00130000-00132000  01400000  FF4494D0  E2DC8CD0
    00140000-0023F000  844000C7                      Heap #01
    00240000-0024F000  84000006                      Heap #02
    00250000-0025F000  04000000  FF399E78  E3083ED8  Heap #03
    00260000-00275000  01000000  82D882B0  E1B58F68  UNICODE.NLS
    00280000-002BC000  01000000  82D6DCF8  E1B577F8  LOCALE.NLS
    002C0000-00300000  01000000  82D883F0  E1B57490  SORTKEY.NLS
    00310000-00315000  01000000  82D86990  E1B58F48  SORTTBLS.NLS
    00320000-003E7000  03400000  82B18930  E1E8D040
    003F0000-003F0000  C4400001
    00400000-004AB000  071000AB  82BCAAC0  E1237D18  Silver.exe
    004B0000-005B2000  01400000  82B17BE8  E1C8F1E8
    005C0000-008BF000  03400000  FF62D530  E2378040  Heap (mapped)
    008C0000-008C0000  C4400001
    008D0000-008DF000  84000004                      Heap #04
    008E0000-008E2000  01000000  82D873C8  E1B4F170  CTYPE.NLS
    008F0000-0096F000  84000001
    00970000-0097F000  8400000B                      Heap #05
    00980000-0098F000  C4400010
    00990000-00A8F000  84000022                      Heap Segment #02 for Heap #05
    00A90000-00A90000  04000000  FF2EAB10  E303E668
    00AA0000-00B9F000  84000100                      Heap #06
    00BA0000-00C9F000  84000003                      STACK(E4)
    00CA0000-00CAF000  84000004                      Heap #07
    00CB0000-00CBF000  84000010                      Heap #08
    00CC0000-00CC1000  C4400002
    00CD0000-00CD0000  C4400001
    00CE0000-00CEF000  84000004                      Heap #09
    00CF0000-00DEF000  844000AD                      Heap Segment #02 for Heap #01
    00DF0000-00DFC000  C440000D
    00E00000-00E5F000  04080000
    00E60000-00E6C000  C440000D
    00E70000-00ECF000  04080000
    00ED0000-00F2F000  04080000
    00F30000-00F8F000  04080000
    061E0000-061F4000  07100006  82C8A8C8  E1ADB108  SSSENSOR.DLL
    10000000-1000B000  07100005  FE799318  E2FD0450  my.dll
    4FDD0000-4FF75000  0710000C  82B84688  E1BB1930  D3D9.DLL
    688F0000-688F8000  07100002  FF343B08  E2E74610  HID.DLL
    6CE10000-6CE47000  0710000B  FF3EB848  E3082570  DINPUT8.dll
    6D990000-6D995000  07100002  82B84BA8  E1AE7EB8  D3D8THK.DLL
    74D90000-74DFA000  07100011  82D9F848  E1AC06C8  USP10.DLL
    76B40000-76B6C000  07100003  82C8E7A8  E1B484B8  WINMM.DLL
    76C30000-76C5D000  07100002  82BC0008  E1AE0C80  WINTRUST.DLL
    76C90000-76CB7000  07100003  82DA5440  E1AE5DE8  IMAGEHLP.DLL
    77920000-77A12000  07100003  82CD1488  E1BA4C00  SETUPAPI.DLL
    77A80000-77B13000  07100004  82BF01C0  E1BA2D78  CRYPT32.DLL
    77B20000-77B31000  07100002  82B631C0  E1AC46E8  MSASN1.DLL
    77C00000-77C07000  07100002  82B8C1F8  E1AC8230  VERSION.DLL
    77C10000-77C67000  07100008  82C8A008  E18E1E68  MSVCRT.DLL
    77D40000-77DCF000  07100003                      USER32
    77DD0000-77E6A000  07100006  82CD5518  E1B978C0  ADVAPI32.DLL
    77E70000-77F00000  07100002  82D86298  E1AE9040  RPCRT4.DLL
    77F10000-77F56000  07100002  82D4F780  E1ADE8B8  GDI32.DLL
    7C800000-7C8F3000  07100006  82D978A8  E1AD56B8  KERNEL32.DLL
    7C900000-7C9AF000  07100005  82FC52E0  E1901900  ntdll.dll
    7F6F0000-7F7EF000  03400000  8289A3B0  E1C08420  Heap #03
    7FFB0000-7FFD3000  01400000  82FC42A0  E100E518  Ansi Code Page
    7FFDD000-7FFDD000  C4400001                      TIB(E4)
    7FFDE000-7FFDE000  C4400001                      TIB(C8)
    7FFDF000-7FFDF000  C4400001                      SubSystem Process

  2. #2

    I'm a bit stupid here.

    Answering my own question...partially. I knew this too, that's why I'm stupid. I had to declare the directX dll's as exports in winice.dat. I'm confused about that, because I didn't have them declared last time d3d9 and dinput showed up with the 'exp' command. And, K32, U32, GDI32, ntoskrnl and HAL all have semi-colons in front of them. I'm not sure on the distinction between the NMS file and the export.

    Also, when I load dinput.dll as an export, it only shows about 5 functions under the 'exp' command. But the NMS file shows all of them...at least 30. When I trace through that code, the function names are available in softice, but if I try to bpx on them, softice claims it hasn't heard of them. Do I maybe have to include the dll name in front of them, like in kernel32!baseprocessstart?? I think I've tried that, and you don't have to precede system functions with the dll name.

    Can one of you gurus kindly enlighten me on that? Is there a way to inform softice of the function names, so I can BPX on them. Or, maybe if I had the addresses of the functions, which I could write down as I encounter them, that might help. I was reading in a softice user's guide that softice 'knows' about the functions it lists natively with the 'exp' command.

    I went off to check something, and here's an example of what I mean. Dinput8 has a function called 'SetCooperativeLevel'. I can see it in the NMS file, but if I try to BPX on it, softice complains that it doesn't recognize the function. If I bpx the entire dll, like bpx dinput8, it says it's putting bpx's on all 5 exports. I beg your pardon??? There are over 30 of them, or am I confusing imports with exports? It seems to me that a dll can only export.

    Back from another checking expedition. Loaded Dinput in IDA, and there are only 5 exports. I seem to be confusing exports with the named functions inside the dll. So, when the softice 'exp' command lists all the functions you'd expect to see in kernel32, are those supposed to be all exports? My brain is getting numb.

    I'll try to narrow this down to a question. If I bpx on messageboxA, softice has no problem with that. It's a function in user32, which in turn is a library of functions that can be 'imported' by an application. What's the difference between that and dinput? Its main function is to process input to directX objects, and a function like 'setcooperativelevel' is one of its functions.

    Why does softice get all warm and fuzzy over an NMS file that lists the name 'setcooperativelevel', but gets bitchy when you ask to bpx on it? It knows about the function because it puts a name to it in its code. But ask for it through a bpx and it denies knowing about it. I've met a lot of women with the same disposition.

  3. #3
    It seems to me that a dll can only export.
    A DLL can import too.
    Still here...

  4. #4
    Quote Originally Posted by Silver
    A DLL can import too.
    I kind of knew that, but I tend to think of dll's as libraries, as the name DLL implies. But, I have been through the disassemblies of them and they have import sections as well. As I was tracing through Dinput8, I noticed a nice little thunk table that wasn't even in the idata segment. These DLL's are quite strange.

    Anyway, as I was tracing through your crackme, I came across a call to the function cBaseDevice::TestCooperativeLevel in D3D9.DLL, and the thing that started this whole thread is that I can't BPX on it. I'm wondering why. If I came across a call to MessageBoxA in User32, I could BPX on it no problem. Why doesn't softice see the function in D3D9.DLL, when it has it loaded as an export, AND it puts a name to the function in its own disassembly?

    Is there a utility like IDA2ICE that might help here? Or is it me that needs the help??

  5. #5
    Um, no idea, sounds like a sice problem to me. What you really need is a large, 500,000 candle spotlight. Mount it to the top of your house, aim it at the sky. Next cut out a large "K" symbol and stick it on top. Hey presto, you have one emergency batma...uh, Kayaker-sign, ready to summon the sice superhero league
    Still here...

  6. #6
    Quote Originally Posted by Silver
    Um, no idea, sounds like a sice problem to me. What you really need is a large, 500,000 candle spotlight. Mount it to the top of your house, aim it at the sky. Next cut out a large "K" symbol and stick it on top. Hey presto, you have one emergency batma...uh, Kayaker-sign, ready to summon the sice superhero league
    That's a lot of candles. I guess they had a chinook up that way and Kayaker's out paddling through the ice floes.

    I've made some headway through Googling. I had a fair understanding of the relationship between imports and exports in DLL's, but my Google reading clarified a few things. One article put it pretty well, with reference to the Windows OS's where kernel32 was king. With K32 at the top of the hierarchy, it had no imports, only exports, while at the other end of the food chain, Notepad had only imports and no exports. In between those extremes, libraries like User32, Advapi, etc., had exports and imports. Those with imports have dependencies to a degree on other libraries. Those with exports can provide services for other applications through their exports.

    I'd like to know how softice approaches this. It seems to me, with the DX libraries in question, like D3d9.dll, that certain built in functions are neither exports nor imports, yet they are listed in NMS files. One of the most common DX functions, as you know, is GetDeviceState, yet softice seems to know nothing about it. I was just tracing through cDIDEV::GetDeviceState, and that's exactly how it was written on the softice screen the moment I stepped into the function. But it won't let me BPX on it, claiming it's never heard of it. I find that very odd.

    I can double-click on the function address once I've found it, and highlight it. Then softice will happily break on it. That defeats the purpose, though. As you know, often, you want to set a known BPX and see if the app will break on it somewhere.
    Last edited by WaxfordSqueers; December 9th, 2006 at 14:52.
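The import/export split described in this post is what the export directory of a PE file encodes, and that table is all an EXP-style listing can ever show. The C program below is an added example written for this page, not code from the thread, from any of the posters, or from SoftICE: it builds a small constructed PE32 image in memory (the section layout, RVAs and the five export names are made up to resemble a DirectInput-style DLL) and walks IMAGE_EXPORT_DIRECTORY by hand, with bounds checks, to list the names. A lookup for a COM method name such as SetCooperativeLevel comes back empty, because such names never appear in that table.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the thread: walk a PE32 export directory the way a
 * debugger's EXP listing does. The image is constructed in memory (not a real
 * DLL); its single section maps RVA 0x1000 to file offset 0x200. */

#define IMG_SIZE 0x400
#define RVA_TO_OFF(r) ((r) - 0x1000 + 0x200)           /* for the sample section only */
static unsigned char img[IMG_SIZE];

static void put16(uint32_t off, uint16_t v) { img[off] = v & 0xFF; img[off + 1] = v >> 8; }
static void put32(uint32_t off, uint32_t v) { put16(off, (uint16_t)v); put16(off + 2, (uint16_t)(v >> 16)); }
static uint16_t get16(const unsigned char *p, uint32_t off) { return (uint16_t)(p[off] | (p[off + 1] << 8)); }
static uint32_t get32(const unsigned char *p, uint32_t off) { return get16(p, off) | ((uint32_t)get16(p, off + 2) << 16); }

/* Constructed sample: the handful of names a DirectInput-style DLL really
 * exports. COM interface methods (SetCooperativeLevel, GetDeviceState, ...)
 * are absent on purpose: they are never in this table. */
static const char *sample_names[] = { "DirectInput8Create", "DllCanUnloadNow",
    "DllGetClassObject", "DllRegisterServer", "DllUnregisterServer" };
#define NSAMPLE 5

const unsigned char *build_sample_image(void) {
    memset(img, 0, IMG_SIZE);
    memcpy(img, "MZ", 2);  put32(0x3C, 0x80);                 /* e_lfanew */
    memcpy(img + 0x80, "PE\0\0", 4);
    put16(0x84, 0x014C);  put16(0x86, 1);                     /* i386, one section */
    put16(0x94, 0xE0);    put16(0x96, 0x2102);                /* opt hdr size, DLL */
    put16(0x98, 0x10B);                                       /* PE32 magic */
    put32(0x98 + 0x60, 0x1000);  put32(0x98 + 0x64, 0x100);   /* export dir RVA/size */
    uint32_t sec = 0x98 + 0xE0;                               /* first section header */
    memcpy(img + sec, ".edata", 6);
    put32(sec + 8, 0x200);   put32(sec + 12, 0x1000);         /* VirtualSize, VirtualAddress */
    put32(sec + 16, 0x200);  put32(sec + 20, 0x200);          /* SizeOfRawData, PointerToRawData */
    /* IMAGE_EXPORT_DIRECTORY at RVA 0x1000; arrays and strings right after it. */
    uint32_t e = 0x200, funcs = 0x1028, names = 0x103C, ords = 0x1050, str = 0x105C;
    put32(e + 12, str);  put32(e + 16, 1);                    /* Name RVA, ordinal base */
    put32(e + 20, NSAMPLE);  put32(e + 24, NSAMPLE);          /* NumberOfFunctions/Names */
    put32(e + 28, funcs);  put32(e + 32, names);  put32(e + 36, ords);
    uint32_t off = RVA_TO_OFF(str);
    strcpy((char *)img + off, "dinput8.dll");  off += 12;
    for (uint32_t i = 0; i < NSAMPLE; i++) {
        put32(RVA_TO_OFF(funcs) + 4 * i, 0x2000 + 0x10 * i);  /* code RVA (constructed) */
        put32(RVA_TO_OFF(names) + 4 * i, off - 0x200 + 0x1000); /* name RVA */
        put16(RVA_TO_OFF(ords) + 2 * i, (uint16_t)i);         /* ordinal index */
        strcpy((char *)img + off, sample_names[i]);  off += strlen(sample_names[i]) + 1;
    }
    return img;
}

/* Translate an RVA to a file offset via the section table; 0 if unmapped. */
static uint32_t rva_to_off(const unsigned char *p, size_t len, uint32_t rva) {
    uint32_t pe = get32(p, 0x3C);
    uint16_t nsec = get16(p, pe + 6), optsz = get16(p, pe + 20);
    for (uint16_t i = 0; i < nsec; i++) {
        uint32_t s = pe + 24 + optsz + 40u * i;
        if (s + 40 > len) return 0;
        uint32_t va = get32(p, s + 12), raw = get32(p, s + 16), ptr = get32(p, s + 20);
        if (rva >= va && rva < va + raw) return ptr + (rva - va);
    }
    return 0;
}

/* Copy exported names into out[]; returns the count, or -1 on malformed input. */
int list_exports(const unsigned char *p, size_t len, char out[][64], int max) {
    if (len < 0x40 || memcmp(p, "MZ", 2) != 0) return -1;
    uint32_t pe = get32(p, 0x3C);
    if (pe + 24 + 0x68 > len || memcmp(p + pe, "PE\0\0", 4) != 0) return -1;
    if (get16(p, pe + 24) != 0x10B) return -1;                /* PE32 only */
    uint32_t dir = rva_to_off(p, len, get32(p, pe + 24 + 0x60));
    if (!dir || dir + 40 > len) return -1;
    uint32_t n = get32(p, dir + 24), names = rva_to_off(p, len, get32(p, dir + 32));
    int count = 0;
    for (uint32_t i = 0; i < n && count < max; i++) {
        if (!names || names + 4 * i + 4 > len) return -1;
        uint32_t s = rva_to_off(p, len, get32(p, names + 4 * i));
        if (!s || s >= len) return -1;
        snprintf(out[count++], 64, "%.*s", (int)(len - s), (const char *)p + s);
    }
    return count;
}

/* Is `name` in the export table? This is all an EXP-style listing can know. */
int is_exported(const unsigned char *p, size_t len, const char *name) {
    char names[64][64];
    int n = list_exports(p, len, names, 64);
    for (int i = 0; i < n; i++) if (strcmp(names[i], name) == 0) return 1;
    return 0;
}

int sample_export_count(void) {
    char names[64][64];
    return list_exports(build_sample_image(), IMG_SIZE, names, 64);
}

int main(void) {
    char names[64][64];
    int n = list_exports(build_sample_image(), IMG_SIZE, names, 64);
    for (int i = 0; i < n; i++) printf("export %d: %s\n", i, names[i]);
    printf("SetCooperativeLevel exported? %d\n", is_exported(img, IMG_SIZE, "SetCooperativeLevel"));
    return 0;
}
```

list_exports handles PE32 only and treats any field that would read past the buffer as malformed rather than trusting the header's own counts, which is the right posture whenever the binary being parsed is untrusted.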

  7. #7
    fr33ke
    AFAIK most DirectX 'exports' aren't really exports. They are not written in the export table of the dll, but are functions of the interface class.

    This is called COM (Component Object Model).

    In C (from gcc headers):
    Code:
    DECLARE_INTERFACE_(IDirect3D9,IUnknown)
    {
    	STDMETHOD(QueryInterface)(THIS_ REFIID,PVOID*) PURE;
    	STDMETHOD_(ULONG,AddRef)(THIS) PURE;
    	STDMETHOD_(ULONG,Release)(THIS) PURE;
    	STDMETHOD(RegisterSoftwareDevice)(THIS_ void* pInitializeFunction) PURE;
    	STDMETHOD_(UINT,GetAdapterCount)(THIS) PURE;
    	STDMETHOD(GetAdapterIdentifier)(THIS_ UINT,DWORD,D3DADAPTER_IDENTIFIER9*) PURE;
    	STDMETHOD_(UINT,GetAdapterModeCount)(THIS_ UINT,D3DFORMAT) PURE;
    	STDMETHOD(EnumAdapterModes)(THIS_ UINT,D3DFORMAT,UINT,D3DDISPLAYMODE*) PURE;
    	STDMETHOD(GetAdapterDisplayMode)(THIS_ UINT,D3DDISPLAYMODE*) PURE;
    	STDMETHOD(CheckDeviceType)(THIS_ UINT,D3DDEVTYPE,D3DFORMAT,D3DFORMAT,BOOL) PURE;
    	STDMETHOD(CheckDeviceFormat)(THIS_ UINT,D3DDEVTYPE,D3DFORMAT,DWORD,D3DRESOURCETYPE,D3DFORMAT) PURE;
    	STDMETHOD(CheckDeviceMultiSampleType)(THIS_ UINT,D3DDEVTYPE,D3DFORMAT,BOOL,D3DMULTISAMPLE_TYPE,DWORD*) PURE;
    	STDMETHOD(CheckDepthStencilMatch)(THIS_ UINT,D3DDEVTYPE,D3DFORMAT,D3DFORMAT,D3DFORMAT) PURE;
    	STDMETHOD(CheckDeviceFormatConversion)(THIS_ UINT,D3DDEVTYPE,D3DFORMAT,D3DFORMAT) PURE;
    	STDMETHOD(GetDeviceCaps)(THIS_ UINT,D3DDEVTYPE,D3DCAPS9*) PURE;
    	STDMETHOD_(HMONITOR,GetAdapterMonitor)(THIS_ UINT) PURE;
    	STDMETHOD(CreateDevice)(THIS_ UINT,D3DDEVTYPE,HWND,DWORD,D3DPRESENT_PARAMETERS*,IDirect3DDevice9**) PURE;
    };
    typedef struct IDirect3D9 *LPDIRECT3D9, *PDIRECT3D9;
    In asm (from http://www.deinmeister.de/w32asm3e.htm):
    Code:
    mov edi,[interface]    ;edi = COM-Object (address)
    mov edi,[edi]          ;edi = VTable (address)
    mov edi,[edi+method]   ;edi = call destination
    push [interface]
    call edi
    I'm not sure, but this might be related to your problem.
    <[TN]FBMachine> i got kicked out of barnes and noble once for moving all the bibles into the fiction section

  8. #8
    Kayaker
    Robin was supposed to cover for me, looks like he's off with CatWoman again..

    The HWND problem is easy, that's just what we discussed, in this case you have a TIB at 7FFDE000 therefore the command will work.

    I'm really not sure about the sym problem. I can't run Silver's crackme, it gives me the dreaded
    "Error starting up, this isn't part of the protection in the crackme"
    I'm using a default XPsp2 setup and DxDiag tells me I'm running DirectX 9.0c
    I can however begin to trace into it and can put a breakpoint on an import that uses the "::" class decoration. So Softice *does* recognize that syntax.

    You might try increasing the buffer size available for the SYM tables. Also take a close look at the Softice Command docs to eliminate any basic problems when using SYM or EXP, case sensitivity, address context, etc. If you type EXP! or TABLE, it should indicate that the DX modules symbols are indeed loaded, again check address context. You may need to reload them using Loader32. Can't think of anything else at the moment.

  9. #9
    Quote Originally Posted by Kayaker
    Robin was supposed to cover for me, looks like he's off with CatWoman again..
    darn that Robin anyway...dresses in tights and chases women. I guess you need some flair.

    Quote Originally Posted by Kayaker
    The HWND problem is easy, that's just what we discussed, in this case you have a TIB at 7FFDE000 therefore the command will work.
    My memory is a bit fuzzy, but wasn't the hardwiring of the TIB address in softice the issue? It seems they were pushing a pointer in the 7FFDExxx range and XP had turned to moving it around in the 7FFDFxxx range. You claimed they had it fixed at one point but now it is variable.

    Also, the question to me is why Silver's crackme is one of the only apps besides Explorer that has a TIB address in the 7FFDExxx range. Softice is still pushing the address of the TIB in the 7FFDExxx range, so why does the crackme have its TIBs in this range when other apps don't? It was compiled recently with a linker version 6. I just fired up Notepad and did a hwnd on it...'Unable to find desktop window'. Did an 'addr Notepad', then the hwnd...still 'Unable to find desktop window'. Did a 'query Notepad', returned the last entry as 7FFDF000.

    Maybe I'm screwed up on this, as usual, but isn't softice looking up the TIB to identify what threads are running, hence which windows? It seems unable to find the TIB period, because it's looking in the 7FFDExxx range and NT is moving it around in the 7FFDFxxx range.

    I'd like to find a way to watch softice in operation. Would that be possible through Windbg, or something else?


    Quote Originally Posted by Kayaker
    I can however begin to trace into it and can put a breakpoint on an import that uses the "::" class decoration. So Softice *does* recognize that syntax.
    I can bpx on them as long as they are listed in the softice 'exp' command window. There are many common functions, however, that are native to the DX dll's, and that are called in the dll's regularly to set up and maintain DX windows, that are unavailable with a bpx. It wouldn't be an issue if softice didn't know about them, but it does. These functions are listed in the NMS files, and maybe that's where it's getting its info. Each time there's a call to one of these functions, softice prints the name of the function as soon as I step into the function. But...it does not replace the name of the calling address until I step into the function.

    I have started to make a list of these functions and their addresses, and I can always BPX the address. That's not foolproof. As you know, functions can appear at different addresses.

    Quote Originally Posted by Kayaker
    You might try increasing the buffer size available for the SYM tables. Also take a close look at the Softice Command docs to eliminate any basic problems when using SYM or EXP, case sensitivity, address context, etc. If you type EXP! or TABLE, it should indicate that the DX modules symbols are indeed loaded, again check address context. You may need to reload them using Loader32. Can't think of anything else at the moment.
    thanks for the tips, Kayaker. I have pretty well exhausted the possibilities in the areas you mention, and my expertise as well.

  10. #10
    Quote Originally Posted by fr33ke
    AFAIK most DirectX 'exports' aren't really exports. They are not written in the export table of the dll, but are functions of the interface class.

    This is called COM (Component Object Model).
    I'm a total novice in DX, and we'd have to get one of those skylamps with a big 'S' to summon DXman. Inside joke.

    Thanks for your input. I do have exports listed for D3D9.dll and Dinput8.dll, and I can bpx on those exported functions. I know very little about COM, but it is pretty well hidden from modern DX apps. From my limited experience of tracing through Silver's crackme, the functions I'm referring to don't get into any COM code or interfacing. I have traced them right through system calls, and unless they have disguised the COM aspects really well, the functions I traced were pertinent to the dll I was tracing.

    The initial DX function for setting up the DX environment apparently does interface with COM, but all you need to supply it is the current DX version, and it does the rest. I took its word for that and didn't bother tracing into it.

    In your code, and I'm no code expert, there is a reference to IDirect3D9 and IUnknown. This seems to be a reference to the initialization of the DX object. At that point, the DX images have not even appeared. During that phase, there is a lot of COM stuff going on, but it's hidden from the programmer now.

    Read my reply to Kayaker and you might get a better sense of what is bugging me.

  11. #11
    Quote Originally Posted by Kayaker
    I'm really not sure about the sym problem.
    OK..I think I've got it, based on one of your hints. Thanks. I checked out the 'table' command and it had all my loaded NMS files listed. When the crackme is loaded, only one of the nms files was highlighted with the 'table' listing.

    I loaded that nms file in IDA as a binary, and looked for the names. There were scads of them, and I used the 'a' command to change them to a readable horizontal line from their raw binary listing. The names are not in the format I was expecting. For example:

    _cDIDev_GetDeviceData

    When I bpxed on that name, softice liked it. In fact, it converted it to an address. I did a 'd' on the address, after an 'addr' on the app, and sure enough, there it was. I'm a happy camper.

    The above example is pretty straightforward, but here's another:

    _c_IDirectInputMapShepherd_CMapShepVI

    I'm going to have to make a printout of each nms file, or at least, those functions I can use.

    The problem I have with modern software companies, is their thriftiness with paper. They seem to only give you explanations of what they think you need to know. An example of that is the explanation in the manual for 'table'. It's very terse.

    What exactly does it mean when only one nms file is highlighted? Does that mean I have to use the table command each time I change libraries, or does the 'autoon' parameter affect that? That question is partly rhetorical, since I need to try it. If you have experience with that, I'd appreciate your input.

  12. #12
    fr33ke is absolutely right, much of what you're thinking of as function exports are COM interface methods. I didn't put 2 + 2 together when you posted the original question. The one notable exception is the D3DX utility libraries and the Direct3DCreateN(), which are actual exports.

    Kayaker, I'd love to know why it doesn't work on your system. Can I recompile a bare bones version of the setup code, send it to you and see if we can figure it out? Also what gfx card do you have?
    Still here...

  13. #13
    Kayaker
    I'll get back to you a little later on that Silver, I'm very busy atm.
    K.

  14. #14
    blabberer
    @silver

    oh if you want some info it didn't run on my system too and according to some notes i did it failed in this function

    Code:
    00402302      |.  E8 791A0000   CALL    00403D80
    00402307      |.  83C4 10       ADD     ESP, 10
    0040230A      |.  85C0          TEST    EAX, EAX
    0040230C      |.  7D 0A         JGE     SHORT 00402318
    0040230E      |.  B8 05400080   MOV     EAX, 80004005  <------------
    00402313      |.  E9 13040000   JMP     0040272B
    dxdiag details below

    ---------------
    Display Devices
    ---------------
    Card name: Intel(R) 82810 Graphics Controller (Microsoft Corporation)
    Manufacturer: Intel Corporation
    Chip type: Intel(R) 82810
    DAC type: Internal
    Device Key: Enum\PCI\VEN_8086&DEV_7121&SUBSYS_01081028&REV_03
    Display Memory: 32.0 MB
    Current Mode: 800 x 600 (24 bit) (60Hz)
    Monitor: Plug and Play Monitor
    dx diag tests are all successful by default
    ------------
    DxDiag Notes
    ------------
    DirectX Files Tab: No problems found.
    Display Tab 1: No problems found. DirectDraw test results: All tests were successful. Direct3D 7 test results: All tests were successful. Direct3D 8 test results: All tests were successful. Direct3D 9 test results: All tests were successful.
    Sound Tab 1: No problems found.
    Music Tab: No problems found.
    Input Tab: No problems found.
    Network Tab: No problems found.
    here is a callstack when it said it won't run on my pc

    Code:
    Call stack of main thread
    Address        Stack        Procedure / arguments                                                                                                 Called from                   Frame
    0012F828       77D493F5     Includes ntdll.KiFastSystemCallRet                                                                                    USER32.77D493F3               0012F85C
    0012F82C       77D6EA24     USER32.WaitMessage                                                                                                    USER32.77D6EA1F               0012F85C
    0012F860       77D5688A     USER32.77D6E895                                                                                                       USER32.77D56885               0012F85C
    0012F888       77D6B7C5     USER32.77D567D4                                                                                                       USER32.77D6B7C0               0012F884
    0012FB48       77D6B12B     USER32.SoftModalMessageBox                                                                                            USER32.77D6B126               0012FB44
    0012FC98       77D95FDF     USER32.77D6AFB6                                                                                                       USER32.77D95FDA               0012FC94
    0012FCF0       77D96084     USER32.MessageBoxTimeoutW                                                                                             USER32.77D9607F               0012FCEC
    0012FD24       77D80598     ? USER32.MessageBoxTimeoutA                                                                                           USER32.77D80593               0012FD20
    0012FD44       77D80550     ? USER32.MessageBoxExA                                                                                                USER32.77D8054B               0012FD40
    0012FD48       00000000       hOwner = NULL
    0012FD4C       0046A0DC       Text = "Error starting up, this isn't part of the protection in the crackme, it's an actual problem."
    0012FD50       0046A13C       Title = "Error"
    0012FD54       00000000       Style = MB_OK|MB_APPLMODAL
    0012FD58       00000000       LanguageID = 0 (LANG_NEUTRAL)
    0012FD60       00401EE8     ? USER32.MessageBoxA                                                                                                  Silver.00401EE2               0012FD5C
    0012FD64       00000000       hOwner = NULL
    0012FD68       0046A0DC       Text = "Error starting up, this isn't part of the protection in the crackme, it's an actual problem."
    0012FD6C       0046A13C       Title = "Error"
    0012FD70       00000000       Style = MB_OK|MB_APPLMODAL
    0012FF38       00446C8F     Silver.00401C40                                                                                                       Silver.<ModuleEntryPoint>+0C  0012FF34
    0012FF3C       00400000       Arg1 = 00400000
    0012FF40       00000000       Arg2 = 00000000
    0012FF44       00141EFE       Arg3 = 00141EFE
    0012FF48       0000000A       Arg4 = 0000000A
    so i dropped looking further into it

    edit

    ok here are the function names according to ms pdb files, maybe it could be easy to narrow down
    Code:
    00403DB3  |.  FF52 20       CALL    NEAR DWORD PTR DS:[EDX+20]       ;  d3d9.CEnum::GetAdapterDisplayMode
    00403E7B  |.  FF50 40       CALL    NEAR DWORD PTR DS:[EAX+40]       ;  d3d9.CEnum::CreateDevice
    error D3DERR_INVALIDCALL 
    00403E92  |.  FF50 40       CALL    NEAR DWORD PTR DS:[EAX+40]       ;  d3d9.CEnum::CreateDevice
    error D3DERR_NOTAVAILABLE
    00403EA9  |.  FF52 40       CALL    NEAR DWORD PTR DS:[EDX+40]       ;  d3d9.CEnum::CreateDevice
    error D3DERR_INVALIDCALL 
    00403EC0  |.  FF51 40       CALL    NEAR DWORD PTR DS:[ECX+40]       ;  d3d9.CEnum::CreateDevice
    error D3DERR_NOTAVAILABLE
    Last edited by blabberer; December 10th, 2006 at 14:28.

  15. #15
    Quote Originally Posted by blabberer
    oh if you want some info it didnt run on my system too and according to some notes i did it failed in this function

    Code:
    00402302      |.  E8 791A0000   CALL    00403D80
    00402307      |.  83C4 10       ADD     ESP, 10
    0040230A      |.  85C0          TEST    EAX, EAX
    0040230C      |.  7D 0A         JGE     SHORT 00402318
    0040230E      |.  B8 05400080   MOV     EAX, 80004005  <------------
    00402313      |.  E9 13040000   JMP     0040272B
    the 80004005 is an error code. I noticed it while I was playing with bits in a structure. The program will jump at 40230C if everything is hunky-dory, otherwise it will pop up the message box with the error. There's definitely a problem between the object initialization and this point.

    BTW...my card is an NVidia GEForce 6200, and it works fine on it, unless I start fiddling with the code, of course. I'm running DX 9.0c.
    Last edited by WaxfordSqueers; December 10th, 2006 at 15:50.
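Tying posts #7, #14 and #15 together: the `CALL DWORD PTR [EDX+20]` and `[EAX+40]` sites that blabberer's PDB annotations name as d3d9.CEnum::GetAdapterDisplayMode and d3d9.CEnum::CreateDevice are the slots at byte offsets 0x20 and 0x40 of the IDirect3D9 vtable quoted by fr33ke (17 slots, 4 bytes each on 32-bit), and the `TEST EAX,EAX / JGE` pair is the FAILED() test on an HRESULT, where 0x80004005 is E_FAIL. That is why a BPX on the method name fails: the name exists only in headers and symbol files, and the code is reached by an offset into a table, not by a symbol the export list contains. The C program below is an added example for this page, not code from the thread or from DirectX: the slot table is copied in order from the declaration in post #7; the toy object, its two-method vtable, the HRESULT constants and the constructed disassembly lines are mine; and the annotator assumes, as the PDB annotation does, that the indexed register holds an IDirect3D9 vtable pointer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not from the thread: why COM interface methods never show up
 * in an export list, and how a debugger turns CALL [reg+xx] into a name. */

typedef int32_t HRESULT_T;                    /* HRESULT modelled as int32 */
#define S_OK_T      ((HRESULT_T)0)
#define E_FAIL_T    ((HRESULT_T)0x80004005)   /* the value seen in post #14 */
#define E_POINTER_T ((HRESULT_T)0x80004003)

/* Slot order copied verbatim from the IDirect3D9 declaration in post #7.
 * Slot i sits at byte offset 4*i in a 32-bit vtable. */
static const char *const d3d9_slots[] = {
    "QueryInterface", "AddRef", "Release", "RegisterSoftwareDevice",
    "GetAdapterCount", "GetAdapterIdentifier", "GetAdapterModeCount",
    "EnumAdapterModes", "GetAdapterDisplayMode", "CheckDeviceType",
    "CheckDeviceFormat", "CheckDeviceMultiSampleType", "CheckDepthStencilMatch",
    "CheckDeviceFormatConversion", "GetDeviceCaps", "GetAdapterMonitor",
    "CreateDevice",
};
#define D3D9_NSLOTS (sizeof d3d9_slots / sizeof d3d9_slots[0])

/* Byte offset into a 32-bit IDirect3D9 vtable -> method name, NULL if invalid. */
const char *d3d9_slot_name(uint32_t byte_offset) {
    if (byte_offset % 4 != 0 || byte_offset / 4 >= D3D9_NSLOTS) return NULL;
    return d3d9_slots[byte_offset / 4];
}

/* Annotate one disassembly line of the form "... CALL ... [REG+hex]".
 * Assumes, like the PDB annotation, that REG holds an IDirect3D9 vtable. */
const char *annotate_call(const char *line) {
    const char *lb = strchr(line, '[');
    const char *plus = lb ? strchr(lb, '+') : NULL;
    if (!plus) return NULL;                             /* not a vtable call */
    char *end;
    unsigned long off = strtoul(plus + 1, &end, 16);
    if (end == plus + 1 || *end != ']') return NULL;
    return d3d9_slot_name((uint32_t)off);
}

/* FAILED(hr): the sign bit is set. This is exactly what TEST EAX,EAX / JGE in
 * post #14 decides: JGE is taken (success path) only when EAX is non-negative. */
int hr_failed(HRESULT_T hr) { return hr < 0; }

/* A toy COM-shaped object: vtable pointer first, then instance state. The
 * methods are static (not exported); callers reach them only via the vtable. */
typedef struct Toy Toy;
typedef struct ToyVtbl {
    uint32_t  (*GetAdapterCount)(Toy *self);
    HRESULT_T (*CreateDevice)(Toy *self, uint32_t adapter, int32_t *device_out);
} ToyVtbl;
struct Toy { const ToyVtbl *lpVtbl; uint32_t adapters; };

static uint32_t  toy_GetAdapterCount(Toy *self) { return self->adapters; }
static HRESULT_T toy_CreateDevice(Toy *self, uint32_t adapter, int32_t *out) {
    if (!out) return E_POINTER_T;
    if (adapter >= self->adapters) return E_FAIL_T;      /* no such adapter */
    *out = (int32_t)(0x1000 + adapter);                  /* constructed handle */
    return S_OK_T;
}
static const ToyVtbl toy_vtbl = { toy_GetAdapterCount, toy_CreateDevice };

/* Same three loads as the asm in post #7: object -> vtable -> slot -> call. */
HRESULT_T demo_create_device(uint32_t adapter) {
    Toy obj = { &toy_vtbl, 1 };                          /* one adapter */
    const ToyVtbl *vt = obj.lpVtbl;                      /* mov edi,[edi] */
    int32_t dev = 0;
    return vt->CreateDevice(&obj, adapter, &dev);        /* push this; call [edi+slot] */
}

int main(void) {
    /* Constructed lines in the same shape as post #14's listing. */
    const char *lines[] = { "00403DB3  |.  FF52 20       CALL NEAR DWORD PTR DS:[EDX+20]",
                            "00403E7B  |.  FF50 40       CALL NEAR DWORD PTR DS:[EAX+40]",
                            "00402302  |.  E8 791A0000   CALL 00403D80" };
    for (size_t i = 0; i < 3; i++) {
        const char *n = annotate_call(lines[i]);
        printf("%-55s ; %s\n", lines[i], n ? n : "(direct call, not a vtable slot)");
    }
    HRESULT_T hr = demo_create_device(3);
    printf("CreateDevice(adapter 3) = 0x%08X, FAILED=%d\n", (unsigned)hr, hr_failed(hr));
    return 0;
}
```

The annotator deliberately rejects offsets that are not a multiple of four or that fall past the last declared slot, since a stray offset means the register is not holding the vtable the annotation assumes; a PDB-driven debugger does the same check against the interface's declared size.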
