Exports gone AWOL in Softice


WaxfordSqueers
December 8th, 2006, 11:16
Howdy...I can no longer get all of my exports using the 'exp' command in softice. They were there a couple of weeks ago, at least some of them were. The 'exp' command only lists: K32, U32, GDI32, NTOSKRNL and HAL.

A couple of weeks ago, I was working on an app that used DirectX dll's, and I had both D3D9.dll and Dinput.dll listed after HAL with the 'exp' command. I'm used to seeing a lot more than that. Usually I see MSVCRT.DLL as well, if it's used.

In fact, since I've been working on Silver's DX crackme, I had D3D9 and DInput displayed, but no more. I have done a fresh install of softice and it's very stable, but the additional exports are not there.

This is my NMS loads from winice.dat, and although I have no request for loads of K32, U32, GDI32, NTOSKRNL and HAL, they get loaded anyway.

Code:


LOAD=C:\nmsout\d3d9.nms
LOAD=C:\nmsout\dinput8.nms
LOAD=C:\nmsout\msvcrt.nms
LOAD=C:\nmsout\dinput.nms
LOAD=C:\nmsout\ddraw.nms
LOAD=C:\nmsout\d3dim.nms
LOAD=C:\nmsout\d3dim700.nms
LOAD=C:\nmsout\comdlg32.nms
LOAD=C:\nmsout\advpack.nms
LOAD=C:\nmsout\advapi32.nms



These NMS files were generated by the m$oft version of symserver. I'm using the 3.2.1 version of NTICE, OSINFO and OSINFOB. I just did a fresh d/l of the NTOSKRNL NMS file.

While I'm whining, I'd like to bring up the issue of why I can get a listing using Silver's crackme for the HWND command. Anyone who might have read the other thread will recall the HWND command under XP SP2 is claiming it can't find a window (Unable to find a desktop window). Kayaker pointed out it's because the TIB address is variable in XP SP2 and softice is looking for a fixed address. I am including a 'query' readout from Silver's crackme hoping someone can spot the reason why it works normally in his app.

It's obvious from the printout that D3D9.DLL and DINPUT8.DLL are both loaded, but neither shows up with the 'exp' command. I have tried listing them as exports as well as NMS, but it doesn't work.

Code:

:query silver
Address Range Flags MMCI PTE Name
00010000-00010000 C4000001
00020000-00020000 C4000001
00030000-0012F000 84400004 STACK(C8)
00130000-00132000 01400000 FF4494D0 E2DC8CD0
00140000-0023F000 844000C7 Heap #01
00240000-0024F000 84000006 Heap #02
00250000-0025F000 04000000 FF399E78 E3083ED8 Heap #03
00260000-00275000 01000000 82D882B0 E1B58F68 UNICODE.NLS
00280000-002BC000 01000000 82D6DCF8 E1B577F8 LOCALE.NLS
002C0000-00300000 01000000 82D883F0 E1B57490 SORTKEY.NLS
00310000-00315000 01000000 82D86990 E1B58F48 SORTTBLS.NLS
00320000-003E7000 03400000 82B18930 E1E8D040
003F0000-003F0000 C4400001
00400000-004AB000 071000AB 82BCAAC0 E1237D18 Silver.exe
004B0000-005B2000 01400000 82B17BE8 E1C8F1E8
005C0000-008BF000 03400000 FF62D530 E2378040 Heap (mapped)
008C0000-008C0000 C4400001
008D0000-008DF000 84000004 Heap #04
008E0000-008E2000 01000000 82D873C8 E1B4F170 CTYPE.NLS
008F0000-0096F000 84000001
00970000-0097F000 8400000B Heap #05
00980000-0098F000 C4400010
00990000-00A8F000 84000022 Heap Segment #02 for Heap #05
00A90000-00A90000 04000000 FF2EAB10 E303E668
00AA0000-00B9F000 84000100 Heap #06
00BA0000-00C9F000 84000003 STACK(E4)
00CA0000-00CAF000 84000004 Heap #07
00CB0000-00CBF000 84000010 Heap #08
00CC0000-00CC1000 C4400002
00CD0000-00CD0000 C4400001
00CE0000-00CEF000 84000004 Heap #09
00CF0000-00DEF000 844000AD Heap Segment #02 for Heap #01
00DF0000-00DFC000 C440000D
00E00000-00E5F000 04080000
00E60000-00E6C000 C440000D
00E70000-00ECF000 04080000
00ED0000-00F2F000 04080000
00F30000-00F8F000 04080000
061E0000-061F4000 07100006 82C8A8C8 E1ADB108 SSSENSOR.DLL
10000000-1000B000 07100005 FE799318 E2FD0450 my.dll
4FDD0000-4FF75000 0710000C 82B84688 E1BB1930 D3D9.DLL
688F0000-688F8000 07100002 FF343B08 E2E74610 HID.DLL
6CE10000-6CE47000 0710000B FF3EB848 E3082570 DINPUT8.dll
6D990000-6D995000 07100002 82B84BA8 E1AE7EB8 D3D8THK.DLL
74D90000-74DFA000 07100011 82D9F848 E1AC06C8 USP10.DLL
76B40000-76B6C000 07100003 82C8E7A8 E1B484B8 WINMM.DLL
76C30000-76C5D000 07100002 82BC0008 E1AE0C80 WINTRUST.DLL
76C90000-76CB7000 07100003 82DA5440 E1AE5DE8 IMAGEHLP.DLL
77920000-77A12000 07100003 82CD1488 E1BA4C00 SETUPAPI.DLL
77A80000-77B13000 07100004 82BF01C0 E1BA2D78 CRYPT32.DLL
77B20000-77B31000 07100002 82B631C0 E1AC46E8 MSASN1.DLL
77C00000-77C07000 07100002 82B8C1F8 E1AC8230 VERSION.DLL
77C10000-77C67000 07100008 82C8A008 E18E1E68 MSVCRT.DLL
77D40000-77DCF000 07100003 USER32
77DD0000-77E6A000 07100006 82CD5518 E1B978C0 ADVAPI32.DLL
77E70000-77F00000 07100002 82D86298 E1AE9040 RPCRT4.DLL
77F10000-77F56000 07100002 82D4F780 E1ADE8B8 GDI32.DLL
7C800000-7C8F3000 07100006 82D978A8 E1AD56B8 KERNEL32.DLL
7C900000-7C9AF000 07100005 82FC52E0 E1901900 ntdll.dll
7F6F0000-7F7EF000 03400000 8289A3B0 E1C08420 Heap #03
7FFB0000-7FFD3000 01400000 82FC42A0 E100E518 Ansi Code Page
7FFDD000-7FFDD000 C4400001 TIB(E4)
7FFDE000-7FFDE000 C4400001 TIB(C8)
7FFDF000-7FFDF000 C4400001 SubSystem Process

WaxfordSqueers
December 8th, 2006, 12:49
Answering my own question...partially. I knew this too, that's why I'm stupid. I had to declare the directX dll's as exports in winice.dat. I'm confused about that, because I didn't have them declared last time d3d9 and dinput showed up with the 'exp' command. And, K32, U32, GDI32, ntoskrnl and HAL all have semi-colons in front of them. I'm not sure on the distinction between the NMS file and the export.

Also, when I load dinput.dll as an export, it only shows about 5 functions under the 'exp' command. But the NMS file shows all of them...at least 30. When I trace through that code, the function names are available in softice, but if I try to bpx on them, softice claims it hasn't heard of them. Do I maybe have to include the dll name in front of them, like in kernel32!baseprocessstart?? I think I've tried that, and you don't have to precede system functions with the dll name.

Can one of you gurus kindly enlighten me on that? Is there a way to inform softice of the function names, so I can BPX on them. Or, maybe if I had the addresses of the functions, which I could write down as I encounter them, that might help. I was reading in a softice user's guide that softice 'knows' about the functions it lists natively with the 'exp' command.

I went off to check something, and here's an example of what I mean. Dinput8 has a function called 'SetCooperativeLevel'. I can see it in the NMS file, but if I try to BPX on it, softice complains that it doesn't recognize the function. If I bpx the entire dll, like bpx dinput8, it says it's putting bpx's on all 5 exports. I beg your pardon??? There are over 30 of them, or am I confusing imports with exports? It seems to me that a dll can only export.

Back from another checking expedition. Loaded Dinput in IDA, and there are only 5 exports. I seem to be confusing exports with the named functions inside the dll. So, when the softice 'exp' command lists all the functions you'd expect to see in kernel32, are those supposed to be all exports? My brain is getting numb.

I'll try to narrow this down to a question. If I bpx on messageboxA, softice has no problem with that. It's a function in user32, which in turn is a library of functions that can be 'imported' by an application. What's the difference between that and dinput? Its main function is to process input to directX objects, and a function like 'setcooperativelevel' is one of its functions.

Why does softice get all warm and fuzzy over an NMS file that lists the name 'setcooperativelevel', but gets bitchy when you ask to bpx on it? It knows about the function because it puts a name to it in its code. But ask for it through a bpx and it denies knowing about it. I've met a lot of women with the same disposition.

Silver
December 8th, 2006, 14:24
Quote:
It seems to me that a dll can only export.


A DLL can import too.

WaxfordSqueers
December 8th, 2006, 15:29
Quote:
[Originally Posted by Silver;62980]A DLL can import too.
I kind of knew that, but I tend to think of dll's as libraries, as the name DLL implies. But, I have been through the disassemblies of them and they have import sections as well. As I was tracing through Dinput8, I noticed a nice little thunk table that wasn't even in the idata segment. These DLL's are quite strange.

Anyway, as I was tracing through your crackme, I came across a call to the function cBaseDevice::TestCooperativeLevel in D3D9.DLL, and the thing that started this whole thread is that I can't BPX on it. I'm wondering why. If I came across a call to MessageBoxA in User32, I could BPX on it no problem. Why doesn't softice see the function in D3D9.DLL, when it has it loaded as an export, AND it puts a name to the function in its own disassembly?

Is there a utility like IDA2ICE that might help here? Or is it me that needs the help??

Silver
December 9th, 2006, 09:45
Um, no idea, sounds like a sice problem to me. What you really need is a large, 500,000 candle spotlight. Mount it to the top of your house, aim it at the sky. Next cut out a large "K" symbol and stick it on top. Hey presto, you have one emergency batma...uh, Kayaker-sign, ready to summon the sice superhero league

WaxfordSqueers
December 9th, 2006, 14:45
Quote:
[Originally Posted by Silver;62993]Um, no idea, sounds like a sice problem to me. What you really need is a large, 500,000 candle spotlight. Mount it to the top of your house, aim it at the sky. Next cut out a large "K" symbol and stick it on top. Hey presto, you have one emergency batma...uh, Kayaker-sign, ready to summon the sice superhero league
That's a lot of candles. I guess they had a chinook up that way and Kayaker's out paddling through the ice floes.

I've made some headway through Googling. I had a fair understanding of the relationship between imports and exports in DLL's, but my Google reading clarified a few things. One article put it pretty well, with reference to the Windows OS's where kernel32 was king. With K32 at the top of the hierarchy, it had no imports, only exports, while at the other end of the food chain, Notepad had only imports and no exports. In between those extremes, libraries like User32, Advapi, etc., had exports and imports. Those with imports have dependencies to a degree on other libraries. Those with exports can provide services for other applications through their exports.

I'd like to know how softice approaches this. It seems to me, with the DX libraries in question, like D3d9.dll, that certain built in functions are neither exports nor imports, yet they are listed in NMS files. One of the most common DX functions, as you know, is GetDeviceState, yet softice seems to know nothing about it. I was just tracing through cDIDEV::GetDeviceState, and that's exactly how it was written on the softice screen the moment I stepped into the function. But it won't let me BPX on it, claiming it's never heard of it. I find that very odd.

I can double-click on the function address once I've found it, and highlight it. Then softice will happily break on it. That defeats the purpose, though. As you know, often, you want to set a known BPX and see if the app will break on it somewhere.

fr33ke
December 9th, 2006, 17:15
AFAIK most DirectX 'exports' aren't really exports. They are not written in the export table of the dll, but are functions of the interface class.

This is called COM (Component Object Model).

In C (from gcc headers):
Code:
DECLARE_INTERFACE_(IDirect3D9,IUnknown)
{
STDMETHOD(QueryInterface)(THIS_ REFIID,PVOID*) PURE;
STDMETHOD_(ULONG,AddRef)(THIS) PURE;
STDMETHOD_(ULONG,Release)(THIS) PURE;
STDMETHOD(RegisterSoftwareDevice)(THIS_ void* pInitializeFunction) PURE;
STDMETHOD_(UINT,GetAdapterCount)(THIS) PURE;
STDMETHOD(GetAdapterIdentifier)(THIS_ UINT,DWORD,D3DADAPTER_IDENTIFIER9*) PURE;
STDMETHOD_(UINT,GetAdapterModeCount)(THIS_ UINT,D3DFORMAT) PURE;
STDMETHOD(EnumAdapterModes)(THIS_ UINT,D3DFORMAT,UINT,D3DDISPLAYMODE*) PURE;
STDMETHOD(GetAdapterDisplayMode)(THIS_ UINT,D3DDISPLAYMODE*) PURE;
STDMETHOD(CheckDeviceType)(THIS_ UINT,D3DDEVTYPE,D3DFORMAT,D3DFORMAT,BOOL) PURE;
STDMETHOD(CheckDeviceFormat)(THIS_ UINT,D3DDEVTYPE,D3DFORMAT,DWORD,D3DRESOURCETYPE,D3DFORMAT) PURE;
STDMETHOD(CheckDeviceMultiSampleType)(THIS_ UINT,D3DDEVTYPE,D3DFORMAT,BOOL,D3DMULTISAMPLE_TYPE,DWORD*) PURE;
STDMETHOD(CheckDepthStencilMatch)(THIS_ UINT,D3DDEVTYPE,D3DFORMAT,D3DFORMAT,D3DFORMAT) PURE;
STDMETHOD(CheckDeviceFormatConversion)(THIS_ UINT,D3DDEVTYPE,D3DFORMAT,D3DFORMAT) PURE;
STDMETHOD(GetDeviceCaps)(THIS_ UINT,D3DDEVTYPE,D3DCAPS9*) PURE;
STDMETHOD_(HMONITOR,GetAdapterMonitor)(THIS_ UINT) PURE;
STDMETHOD(CreateDevice)(THIS_ UINT,D3DDEVTYPE,HWND,DWORD,D3DPRESENT_PARAMETERS*,IDirect3DDevice9**) PURE;
};
typedef struct IDirect3D9 *LPDIRECT3D9, *PDIRECT3D9;


In asm (from http://www.deinmeister.de/w32asm3e.htm):
Code:
mov edi,[interface] ;edi = COM-Object (address)
mov edi,[edi] ;edi = VTable (address; first dword of the object)
mov edi,[edi+method] ;edi = call destination (method = slot index * 4 on 32-bit)
push [interface] ;the 'this' pointer is always the first argument
call edi


I'm not sure, but this might be related to your problem.

Kayaker
December 9th, 2006, 18:25
Robin was supposed to cover for me, looks like he's off with CatWoman again..

The HWND problem is easy, that's just what we discussed, in this case you have a TIB at 7FFDE000 therefore the command will work.

I'm really not sure about the sym problem. I can't run Silver's crackme, it gives me the dreaded
"Error starting up, this isn't part of the protection in the crackme"
I'm using a default XPsp2 setup and DxDiag tells me I'm running DirectX 9.0c
I can however begin to trace into it and can put a breakpoint on an import that uses the "::" class decoration. So Softice *does* recognize that syntax.

You might try increasing the buffer size available for the SYM tables. Also take a close look at the Softice Command docs to eliminate any basic problems when using SYM or EXP, case sensitivity, address context, etc. If you type EXP! or TABLE, it should indicate that the DX modules symbols are indeed loaded, again check address context. You may need to reload them using Loader32. Can't think of anything else at the moment.

WaxfordSqueers
December 10th, 2006, 08:41
Quote:
[Originally Posted by Kayaker;63000]Robin was supposed to cover for me, looks like he's off with CatWoman again..
darn that Robin anyway...dresses in tights and chases women. I guess you need some flair.

Quote:
[Originally Posted by Kayaker;63000]The HWND problem is easy, that's just what we discussed, in this case you have a TIB at 7FFDE000 therefore the command will work.
My memory is a bit fuzzy, but wasn't the hardwiring of the TIB address in softice the issue? It seems they were pushing a pointer in the 7FFDExxx range and XP had turned to moving it around in the 7FFDFxxx range. You claimed they had it fixed at one point but now it is variable.

Also, the question to me is why Silver's crackme is one of the only apps besides Explorer that has a TIB address in the 7FFDExxx range. Softice is still pushing the address of the TIB in the 7FFDExxx range, so why does the crackme have its TIBs in this range when other apps don't? It was compiled recently with a linker version 6. I just fired up Notepad and did a hwnd on it...'Unable to find desktop window'. Did an 'addr Notepad', then the hwnd...still 'Unable to find desktop window'. Did a 'query Notepad', returned the last entry as 7FFDF000.

Maybe I'm screwed up on this, as usual, but isn't softice looking up the TIB to identify what threads are running, hence which windows? It seems unable to find the TIB period, because it's looking in the 7FFDExxx range and NT is moving it around in the 7FFDFxxx range.

I'd like to find a way to watch softice in operation. Would that be possible through Windbg, or something else?


Quote:
[Originally Posted by Kayaker;63000]I can however begin to trace into it and can put a breakpoint on an import that uses the "::" class decoration. So Softice *does* recognize that syntax.
I can bpx on them as long as they are listed in the softice 'exp' command window. There are many common functions, however, that are native to the DX dll's, and that are called in the dll's regularly to setup and maintain DX windows, that are unavailable with a bpx. It wouldn't be an issue if softice didn't know about them, but it does. These functions are listed in the NMS files, and maybe that's where it's getting its info. Each time there's a call to one of these functions, softice prints the name of the function as soon as I step into the function. But...it does not replace the name of the calling address until I step into the function.

I have started to make a list of these functions and their addresses, and I can always BPX the address. That's not foolproof. As you know, functions can appear at different addresses.

Quote:
[Originally Posted by Kayaker;63000]You might try increasing the buffer size available for the SYM tables. Also take a close look at the Softice Command docs to eliminate any basic problems when using SYM or EXP, case sensitivity, address context, etc. If you type EXP! or TABLE, it should indicate that the DX modules symbols are indeed loaded, again check address context. You may need to reload them using Loader32. Can't think of anything else at the moment.
thanks for the tips, Kayaker. I have pretty well exhausted the possibilities in the areas you mention, and my expertise as well.

WaxfordSqueers
December 10th, 2006, 08:59
Quote:
[Originally Posted by fr33ke;62998]AFAIK most DirectX 'exports' aren't really exports. They are not written in the export table of the dll, but are functions of the interface class.

This is called COM (Component Object Model).


I'm a total novice in DX, and we'd have to get one of those skylamps with a big 'S' to summon DXman. Inside joke.

Thanks for your input. I do have exports listed for D3D9.dll and Dinput8.dll, and I can bpx on those exported functions. I know very little about COM, but it is pretty well hidden from modern DX apps. From my limited experience of tracing through Silver's crackme, the functions I'm referring to don't get into any COM code or interfacing. I have traced them right through system calls, and unless they have disguised the COM aspects really well, the functions I traced were pertinent to the dll I was tracing.

The initial DX function for setting up the DX environment apparently does interface with COM, but all you need to supply it is the current DX version, and it does the rest. I took its word for that and didn't bother tracing into it.

In your code, and I'm no code expert, there is a reference to IDirect3D9 and IUnknown. This seems to be a reference to the initialization of the DX object. At that point, the DX images have not even appeared. During that phase, there is a lot of COM stuff going on, but it's hidden from the programmer now.

Read my reply to Kayaker and you might get a better sense of what is bugging me.

WaxfordSqueers
December 10th, 2006, 11:01
Quote:
[Originally Posted by Kayaker;63000]I'm really not sure about the sym problem.

OK..I think I've got it, based on one of your hints. Thanks. I checked out the 'table' command and it had all my loaded NMS files listed. When the crackme is loaded, only one of the nms files was highlighted with the 'table' listing.

I loaded that nms file in IDA as a binary, and looked for the names. There were scads of them, and I used the 'a' command to change them to a readable horizontal line from their raw binary listing. The names are not in the format I was expecting. For example:

_cDIDev_GetDeviceData

When I bpxed on that name, softice liked it. In fact, it converted it to an address. I did a 'd' on the address, after an 'addr' on the app, and sure enough, there it was. I'm a happy camper.

The above example is pretty straightforward, but here's another:

_c_IDirectInputMapShepherd_CMapShepVI

I'm going to have to make a printout of each nms file, or at least, those functions I can use.

The problem I have with modern software companies, is their thriftiness with paper. They seem to only give you explanations of what they think you need to know. An example of that is the explanation in the manual for 'table'. It's very terse.

What exactly does it mean when only one nms file is highlighted? Does that mean I have to use the table command each time I change libraries, or does the 'autoon' parameter affect that? That question is partly rhetorical, since I need to try it. If you have experience with that, I'd appreciate your input.

Silver
December 10th, 2006, 11:01
fr33ke is absolutely right, much of what you're thinking of as function exports are COM interface methods. I didn't put 2 + 2 together when you posted the original question. The one notable exception is the D3DX utility libraries and the Direct3DCreateN(), which are actual exports.

Kayaker, I'd love to know why it doesn't work on your system. Can I recompile a bare bones version of the setup code, send it to you and see if we can figure it out? Also what gfx card do you have?

Kayaker
December 10th, 2006, 11:41
I'll get back to you a little later on that Silver, I'm very busy atm.
K.

blabberer
December 10th, 2006, 13:18
@silver

Oh, if you want some info: it didn't run on my system either, and according to some notes I made, it failed in this function

Code:

00402302 |. E8 791A0000 CALL 00403D80
00402307 |. 83C4 10 ADD ESP, 10
0040230A |. 85C0 TEST EAX, EAX
0040230C |. 7D 0A JGE SHORT 00402318
0040230E |. B8 05400080 MOV EAX, 80004005 <------------
00402313 |. E9 13040000 JMP 0040272B


dxdiag details below

Quote:

---------------
Display Devices
---------------
Card name: Intel(R) 82810 Graphics Controller (Microsoft Corporation)
Manufacturer: Intel Corporation
Chip type: Intel(R) 82810
DAC type: Internal
Device Key: Enum\PCI\VEN_8086&DEV_7121&SUBSYS_01081028&REV_03
Display Memory: 32.0 MB
Current Mode: 800 x 600 (24 bit) (60Hz)
Monitor: Plug and Play Monitor


Quote:

DxDiag tests are all successful by default
------------
DxDiag Notes
------------
DirectX Files Tab: No problems found.
Display Tab 1: No problems found. DirectDraw test results: All tests were successful. Direct3D 7 test results: All tests were successful. Direct3D 8 test results: All tests were successful. Direct3D 9 test results: All tests were successful.
Sound Tab 1: No problems found.
Music Tab: No problems found.
Input Tab: No problems found.
Network Tab: No problems found.


Here is a call stack from when it said it won't run on my PC

Code:

Call stack of main thread
Address Stack Procedure / arguments Called from Frame
0012F828 77D493F5 Includes ntdll.KiFastSystemCallRet USER32.77D493F3 0012F85C
0012F82C 77D6EA24 USER32.WaitMessage USER32.77D6EA1F 0012F85C
0012F860 77D5688A USER32.77D6E895 USER32.77D56885 0012F85C
0012F888 77D6B7C5 USER32.77D567D4 USER32.77D6B7C0 0012F884
0012FB48 77D6B12B USER32.SoftModalMessageBox USER32.77D6B126 0012FB44
0012FC98 77D95FDF USER32.77D6AFB6 USER32.77D95FDA 0012FC94
0012FCF0 77D96084 USER32.MessageBoxTimeoutW USER32.77D9607F 0012FCEC
0012FD24 77D80598 ? USER32.MessageBoxTimeoutA USER32.77D80593 0012FD20
0012FD44 77D80550 ? USER32.MessageBoxExA USER32.77D8054B 0012FD40
0012FD48 00000000 hOwner = NULL
0012FD4C 0046A0DC Text = "Error starting up, this isn't part of the protection in the crackme, it's an actual problem."
0012FD50 0046A13C Title = "Error"
0012FD54 00000000 Style = MB_OK|MB_APPLMODAL
0012FD58 00000000 LanguageID = 0 (LANG_NEUTRAL)
0012FD60 00401EE8 ? USER32.MessageBoxA Silver.00401EE2 0012FD5C
0012FD64 00000000 hOwner = NULL
0012FD68 0046A0DC Text = "Error starting up, this isn't part of the protection in the crackme, it's an actual problem."
0012FD6C 0046A13C Title = "Error"
0012FD70 00000000 Style = MB_OK|MB_APPLMODAL
0012FF38 00446C8F Silver.00401C40 Silver.<ModuleEntryPoint>+0C 0012FF34
0012FF3C 00400000 Arg1 = 00400000
0012FF40 00000000 Arg2 = 00000000
0012FF44 00141EFE Arg3 = 00141EFE
0012FF48 0000000A Arg4 = 0000000A


So I dropped looking further into it.

edit

OK, here are the function names according to the MS PDB files; maybe it could be easy to narrow down.
Code:

00403DB3 |. FF52 20 CALL NEAR DWORD PTR DS:[EDX+20] ; d3d9.CEnum::GetAdapterDisplayMode
00403E7B |. FF50 40 CALL NEAR DWORD PTR DS:[EAX+40] ; d3d9.CEnum::CreateDevice
error D3DERR_INVALIDCALL
00403E92 |. FF50 40 CALL NEAR DWORD PTR DS:[EAX+40] ; d3d9.CEnum::CreateDevice
error D3DERR_NOTAVAILABLE
00403EA9 |. FF52 40 CALL NEAR DWORD PTR DS:[EDX+40] ; d3d9.CEnum::CreateDevice
error D3DERR_INVALIDCALL
00403EC0 |. FF51 40 CALL NEAR DWORD PTR DS:[ECX+40] ; d3d9.CEnum::CreateDevice
error D3DERR_NOTAVAILABLE
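
The vtable indirection fr33ke describes, and the `[EDX+20]` / `[EAX+40]` offsets in blabberer's listing, as an added example that is not code from this thread or from DirectX: a toy COM-style object in C. Only the slot order in the `d3d9_slot` enum is taken from the IDirect3D9 declaration quoted above; the `IToy` interface, its methods and the helper names are made up for illustration. The point it shows is why a method like cDIDev::GetDeviceState has no export entry: the caller never references the function by name, it reads a pointer out of the object's vtable and calls through it, so the only way to get a breakpoint address for it is to dereference the object yourself.

```c
#include <assert.h>
#include <stdio.h>

/* Added example, not DirectX code. Only the slot ORDER below mirrors the
 * IDirect3D9 declaration quoted earlier in the thread. */

/* Slot indices in IDirect3D9's vtable, in declaration order. */
enum d3d9_slot {
    SLOT_QueryInterface = 0, SLOT_AddRef, SLOT_Release,
    SLOT_RegisterSoftwareDevice, SLOT_GetAdapterCount,
    SLOT_GetAdapterIdentifier, SLOT_GetAdapterModeCount,
    SLOT_EnumAdapterModes, SLOT_GetAdapterDisplayMode,
    SLOT_CheckDeviceType, SLOT_CheckDeviceFormat,
    SLOT_CheckDeviceMultiSampleType, SLOT_CheckDepthStencilMatch,
    SLOT_CheckDeviceFormatConversion, SLOT_GetDeviceCaps,
    SLOT_GetAdapterMonitor, SLOT_CreateDevice
};

/* Byte offset a 32-bit caller adds to the vtable pointer, i.e. the "20"
 * in CALL [EDX+20] (GetAdapterDisplayMode) and the "40" in CALL [EAX+40]
 * (CreateDevice). Pointers are 4 bytes on 32-bit Windows. */
static unsigned vtable_offset32(unsigned slot) { return slot * 4u; }

/* --- toy COM-style interface (hypothetical) ------------------------- */
struct IToy;
typedef long (*toy_fn)(struct IToy *self);

struct IToyVtbl {
    toy_fn QueryInterface;  /* slot 0 } IUnknown comes first, */
    toy_fn AddRef;          /* slot 1 } exactly as in IDirect3D9 */
    toy_fn Release;         /* slot 2 } */
    toy_fn GetState;        /* slot 3: an ordinary interface method */
};
#define SLOT_TOY_GetState 3u

struct IToy {
    const struct IToyVtbl *lpVtbl;  /* first field: the vtable pointer */
    long state;                     /* private per-object data */
};

/* 'static': these never appear in an export table, just like the
 * cDIDev::... methods only the NMS/PDB symbols know about. */
static long toy_QueryInterface(struct IToy *self) { (void)self; return 0; }
static long toy_AddRef(struct IToy *self)         { (void)self; return 1; }
static long toy_Release(struct IToy *self)        { (void)self; return 0; }
static long toy_GetState(struct IToy *self)       { return self->state; }

static const struct IToyVtbl toy_vtbl = {
    toy_QueryInterface, toy_AddRef, toy_Release, toy_GetState
};

/* The C equivalent of the asm fragment: edi=[iface]; edi=[edi+slot*ptr];
 * push iface; call edi. No symbol is involved at the call site. */
static long com_call(struct IToy *iface, unsigned slot)
{
    const toy_fn *vtbl = (const toy_fn *)iface->lpVtbl;
    toy_fn target = vtbl[slot];
    return target(iface);
}

/* What a debugger user has to do by hand to breakpoint a COM method:
 * dereference the object, then the slot; the result is what you 'bpx'. */
static toy_fn com_method_address(const struct IToy *iface, unsigned slot)
{
    const toy_fn *vtbl = (const toy_fn *)iface->lpVtbl;
    return vtbl[slot];
}

/* Named wrappers so the results can be checked without printing. */
static long demo_call_getstate(void)
{
    struct IToy obj = { &toy_vtbl, 42 };   /* constructed sample object */
    return com_call(&obj, SLOT_TOY_GetState);
}

static int demo_bpx_target_is_getstate(void)
{
    struct IToy obj = { &toy_vtbl, 0 };
    return com_method_address(&obj, SLOT_TOY_GetState) == toy_GetState;
}

int main(void)
{
    printf("GetAdapterDisplayMode -> CALL [vtbl+%02X]\n",
           vtable_offset32(SLOT_GetAdapterDisplayMode));
    printf("CreateDevice          -> CALL [vtbl+%02X]\n",
           vtable_offset32(SLOT_CreateDevice));
    printf("GetState via vtable   = %ld\n", demo_call_getstate());
    printf("bpx target is toy_GetState: %d\n", demo_bpx_target_is_getstate());
    return 0;
}
```

Read against blabberer's listing: slot 8 times 4 gives 0x20 and slot 16 times 4 gives 0x40, which is why the PDB-resolved comments on `CALL [EDX+20]` and `CALL [EAX+40]` are GetAdapterDisplayMode and CreateDevice. In a debugger the same arithmetic applies in reverse: once you have the interface pointer, `dd` it to get the vtable, add the slot offset, and `bpx` the dword you find there.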

WaxfordSqueers
December 10th, 2006, 15:36
Quote:
[Originally Posted by blabberer;63022]
oh if you want some info it didnt run on my system too and according to some notes i did it failed in this function

Code:

00402302 |. E8 791A0000 CALL 00403D80
00402307 |. 83C4 10 ADD ESP, 10
0040230A |. 85C0 TEST EAX, EAX
0040230C |. 7D 0A JGE SHORT 00402318
0040230E |. B8 05400080 MOV EAX, 80004005 <------------
00402313 |. E9 13040000 JMP 0040272B
the 80004005 is an error code. I noticed it while I was playing with bits in a structure. The program will jump at 40230C if everything is hunky-dory, otherwise it will pop up the message box with the error. There's definitely a problem between the object initialization and this point.

BTW...my card is an NVidia GEForce 6200, and it works fine on it, unless I start fiddling with the code, of course. I'm running DX 9.0c.

Silver
December 11th, 2006, 13:35
Yep, same old problem. It's caps checking. Because I didn't add loads of caps checking code into the crackme it's simply failing to create a device compatible with your adapter.

What I might do if I get some time is add extra caps checking in then re-release it, hopefully that will let more people play with it.

Thanks blabberer. If you get some time, do you have access to the DirectX Caps Checker tool? If not I can attach it. You can use it to dump all the caps of your graphics card to a file then send it to me, that way I can just find a caps combo that works and add it. Much easier than trying multiple permutations.

blabberer
December 11th, 2006, 13:51
Actually, I was interested in your crackme just because I wanted to test PIX in the DirectX SDK; I had nothing in mind about cracking the serial etc. I thought this might be a good way to put PIX to use and learn a few tricks in the process (for the unknown, PIX is some kind of debugger that comes in the DirectX SDK that's supposed to get one loads of information about pixel shaders, vertex shaders and such). I have the DX SDK leeched somewhere but I don't have it locally. If you think the caps whatever is available in that, I'll try splitting the 509 MB into 10 MB pieces and get it to my local comp; that way I can check both PIX as well as your device caps.

Silver
December 12th, 2006, 14:15
blabberer, rather than make you unpack the sdk I've attached the dxcapsviewer to this message. It's self explanatory, there's a menu option to dump the caps to file. Many thanks for doing this.

I just had another dig around about pix, can it debug running shaders without needing the original shader source? If so, that's damn impressive and goes right back to what maximus and I were talking about in another thread. I've never needed to use pix, especially as I use VC6 and not 2005. But you're right, my code would be a good target for pix.

blabberer
December 12th, 2006, 14:28
I have a DumpCaps from Chris Dragan's site; I used it once to find some info on some graphics card.

There is a wizard over there which lists D3D caps of many graphics cards.

I thought I'd point you to that site if it had my graphics card details, but it doesn't have my graphics card.

http://zp.amsnet.pl/cdragan/wizard.php

So where to send this file? PM me with some contact info.

Oops, this created 275 KB of information in text.

Chris's output is just 8 KB.

I attached the 8 KB file here; see if that is sufficient.

Silver
December 15th, 2006, 11:00
Sorry for the delay, was away working. Yep, that tells me exactly what the problem is, it's the bb format. I use x8r8g8b8, but your (onboard, nasty) chipset doesn't support it.

I can recode the crackme for that very easily. I'll do it shortly. Thanks for posting it.

blabberer
December 16th, 2006, 00:05
You call a Dell machine crap? Michael is going to be pretty mad reading your post.

Never mind, I agree with you silently, unseen by Michael Dell.

Silver
December 17th, 2006, 07:12