Register contents at exe startup......


+SplAj
May 8th, 2001, 08:44
I have a stupid technical question about HOW the registers EAX/EBX/ECX/EDX/ESI/EDI etc. are given their values at program startup under Win2K and NT, as these O/S are more careful with their memory management and give 'access violations' or 'exceptions'.

This is because I have been analysing some packed/unpacked targets and notice that especially the EDI register changes when loaded by the symbol loader or just double-clicked, and when the program calls its first API this EDI value can crash the unpacked program in Win2K. Hi Alexey!

With unpacked CV2.6 with the SI loader EDI == 25h and it runs fine. With double-click EDI == 0469DEF8 and it causes an exception on one of my Win2K PCs. On the other two it loads OK either way. I thought this could be a speed issue......as the PC that won't load CV2.6 with Win2K is a PIII 1GHz machine and the other two are a PII 266 and a Cel333.
But I did not check with SI yet as I am at work - erm, in the office playing with this problem!

So again my question. Where do the register settings come from at exe launch?

Is there a MS or other technical guide like for the PE format ?

Hope I explained this problem OK!

SplAj

_m
May 11th, 2001, 13:51
Check Pietrek and the usual places; this gets documented a lot by the virus guys. This might help:

http://vx.netlux.org/texts/html/i46t.html

_m

Kayaker
May 12th, 2001, 08:58
Hi,

Interesting question, I've always kinda wondered about this myself. It looks like you can get most of the info by typing 'proc -x taskname' in SoftIce. If you type 'proc' without the -x option you get the pointer to the Process Database, pProcess. For Win98 anyway this is the address in ESI. ECX and EDX seem to be pointers within this database as well. The extended params listed with the -x option describe some of these entries, including the Environment Database.

EAX is obviously the OEP, and for Win98 EDI is 00000000. EBX is 00000000 if SI loader is used, but 530000 if not (put a CC at program OEP and set BPINT3). The article _m gave a link to mentions this 530000 value as well with Win95, no idea what it's for. Interestingly, the MOD command gives the location of the PE header in memory.

Kayaker
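An added example, not code from the thread, from SoftIce or from any of the posters: a small Python PE header reader that computes, from a file's headers, the two values Kayaker cross-references above, namely the entry-point VA (ImageBase + AddressOfEntryPoint, the OEP he sees in EAX under Win98) and the in-memory address of the PE header (ImageBase + e_lfanew, which is what MOD reports), and names the section that contains the entry point, a quick sanity check when comparing a dumped/unpacked image against what the debugger shows. The sample image is constructed inline and is not a real executable; pass a path on the command line to run it on a real file. It also handles PE32+ (64-bit) images, which goes beyond the 32-bit targets the thread is about. The computed VAs assume the image is loaded at its preferred ImageBase; if the loader relocates it, substitute the actual load base.

```python
import struct
import sys

SIG_MZ = b"MZ"
SIG_PE = b"PE\0\0"
MAGIC_PE32 = 0x10B
MAGIC_PE32PLUS = 0x20B


def parse_pe(image: bytes) -> dict:
    """Read the DOS, file, optional and section headers and return the
    loader-visible values: entry-point VA (OEP) and the PE header VA."""
    if image[:2] != SIG_MZ:
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != SIG_PE:
        raise ValueError("missing PE signature at e_lfanew")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    machine, nsections = struct.unpack_from("<HH", image, fh)
    (size_opt,) = struct.unpack_from("<H", image, fh + 16)  # SizeOfOptionalHeader
    oh = fh + 20                                        # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", image, oh)
    (entry_rva,) = struct.unpack_from("<I", image, oh + 16)  # AddressOfEntryPoint
    if magic == MAGIC_PE32:
        (image_base,) = struct.unpack_from("<I", image, oh + 28)
    elif magic == MAGIC_PE32PLUS:
        (image_base,) = struct.unpack_from("<Q", image, oh + 24)  # no BaseOfData in PE32+
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    sh = oh + size_opt                                  # first IMAGE_SECTION_HEADER
    for i in range(nsections):
        off = sh + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", image, off + 8)
        sections.append({"name": name, "va": vaddr, "vsize": vsize,
                         "rawsize": rawsize, "raw": rawptr})
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,
        "magic": magic,
        "image_base": image_base,
        "entry_rva": entry_rva,
        "oep_va": image_base + entry_rva,       # what the loader jumps to
        "pe_header_va": image_base + e_lfanew,  # PE header once mapped
        "sections": sections,
    }


def section_for_rva(info: dict, rva: int):
    """Name of the section whose virtual range covers rva, or None.
    An OEP outside any section (or outside the first code section) is a
    common sign that a dump was taken at the wrong moment."""
    for s in info["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None


def build_sample_pe32(image_base=0x00400000, entry_rva=0x1000) -> bytes:
    """Constructed minimal PE32 image with one .text section. Not a real
    executable: only the fields parse_pe() reads are populated."""
    e_lfanew = 0x80
    img = bytearray(e_lfanew)
    img[0:2] = SIG_MZ
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img += SIG_PE
    # IMAGE_FILE_HEADER: Machine=i386, 1 section, SizeOfOptionalHeader=0xE0
    img += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, MAGIC_PE32)
    struct.pack_into("<I", opt, 16, entry_rva)          # AddressOfEntryPoint
    struct.pack_into("<I", opt, 20, 0x1000)             # BaseOfCode
    struct.pack_into("<I", opt, 28, image_base)         # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)     # Section/FileAlignment
    img += opt
    # one section header: .text, VirtualSize 0x1000 at RVA 0x1000, 0x200 raw bytes
    img += b".text\0\0\0" + struct.pack("<IIII", 0x1000, 0x1000, 0x200, 0x200) + bytes(16)
    return bytes(img)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe32()
    info = parse_pe(data)
    print(f"PE header VA : {info['pe_header_va']:#010x}  (compare with MOD)")
    print(f"entry VA     : {info['oep_va']:#010x}  (compare with EAX at OEP)")
    print(f"entry section: {section_for_rva(info, info['entry_rva'])}")
```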

+SplAj
May 13th, 2001, 03:46
Hi guys. Thanks for the URL. Looks like the virii guys know more about PE than everyone...and they give some good bedtime reading.....as usual.

The Q was really about Win2K, cos in Win98/ME I tested several exes and got EDI==0 every time. In Win2K a 'normalised' exe gives an EDI reg number in the range 1B ~ 2B? But in that unpacked CV, EDI had a BIG number that stuffed up the API return.
So it is the damn problem in Win2K I am still bi-curious about.

SplAj