Hello,

some program refuses to start. First it checks for the usual suspects:

Call kernel32.CreateFileA(0040a89e "\\\\.\\SICE"
Ret kernel32.CreateFileA() retval=ffffffff
Call kernel32.CreateFileA(0040a8a7 "\\\\.\\NTICE"
Ret kernel32.CreateFileA() retval=ffffffff
Call advapi32.RegOpenKeyExA(80000002,0040a24e "Software\\NuMega\\SoftIce"
Ret advapi32.RegOpenKeyExA() retval=00000002
Call kernel32.CreateFileA(0040a5a3 "\\\\.\\CMAPIENG"
Ret kernel32.CreateFileA() retval=ffffffff

Then it checks for GetModuleHandle and GetProcAddress

Call kernel32.GetModuleHandleA(0040a572 "Kernel32.dll")
Ret kernel32.GetModuleHandleA() retval=40450000
Call kernel32.GetProcAddress(40450000,0040a57f "LoadLibraryA")
Ret kernel32.GetProcAddress() retval=40517bd0 ret=0040a60b

and immediately hits an exception, which is handled:

trace:seh:EXC_RtlRaiseException code=c0000005 flags=0 addr=0x4123a1
trace:seh:EXC_RtlRaiseException info[0]=00000001
trace:seh:EXC_RtlRaiseException info[1]=00000000
trace:seh:EXC_RtlRaiseException eax=00000000 ebx=405294ac ecx=00400000 edx=00400000 esi=ffffffa8 edi=00405000
trace:seh:EXC_RtlRaiseException ebp=0000a000 esp=4067ff10 cs=0073 ds=007b es=007b fs=003b gs=0033 flags=00010212
trace:seh:EXC_CallHandler calling handler at 0x410bcc code=c0000005 flags=0
trace:seh:EXC_CallHandler handler returned 0
0009:Call user32.MessageBoxA(00000000,004c6142 "Incompatible Systemanalyzer detected!\n(#2000)",004c5ac0 "Sparbuch 2004",00010010) ret=004c95eb

Similar failures on the net also come up with an additional message:
"Kernel32 call does not point into Kernel32.dll"

Is this a misbehaviour of wine we can (want to) fix?

Bye
--
Uwe Bonnes bon(a)elektron.ikp.physik.tu-darmstadt.de
Institut fuer Kernphysik Schlossgartenstrasse 9 64289 Darmstadt
--------- Tel. 06151 162516 -------- Fax. 06151 164321 ----------

On Sat, 04 Sep 2004 17:23:47 +0200, Uwe Bonnes wrote:
> Call kernel32.GetModuleHandleA(0040a572 "Kernel32.dll")
> Ret kernel32.GetModuleHandleA() retval=40450000
> Call kernel32.GetProcAddress(40450000,0040a57f "LoadLibraryA")
> Ret kernel32.GetProcAddress() retval=40517bd0 ret=0040a60b
>
> and immediately hits an exception, which is handled:
>
> trace:seh:EXC_RtlRaiseException code=c0000005 flags=0 addr=0x4123a1

0x0040a60b and 0x004123a1 are some way apart so I wouldn't say it's immediate.

> Similar failures on the net also come up with an additional message:
> "Kernel32 call does not point into Kernel32.dll"

I suspect it's checking for a redirection of LoadLibrary to shim code by checking if the returned address of the call is within the boundaries described by the PE headers of kernel32.dll.

Random guess: winebuild outputs 0 and 0 for SizeOfCode and BaseOfCode, maybe it's taking the address from GetProcAddress, casting the return of GetModuleHandleA to an IMAGE_NT_HEADERS structure then saying

if (( address_of_loadlibrary < headers->BaseOfCode + headers->SizeOfCode ) ||
    address_of_loadlibrary > headers->BaseOfCode + headers->SizeOfCode ) {
    MessageBox("Incompatible SystemAnalyzer detected");
}

Not sure how you could verify this except by disassembling the app though.

thanks -mike

On Sat, 04 Sep 2004 17:22:09 +0100, Mike Hearn wrote:
> if (( address_of_loadlibrary < headers->BaseOfCode + headers->SizeOfCode ) ||
>     address_of_loadlibrary > headers->BaseOfCode + headers->SizeOfCode ) {
>     MessageBox("Incompatible SystemAnalyzer detected");
> }

Uh ... obviously I meant:

if (( address_of_loadlibrary < headers->BaseOfCode ) ||
    address_of_loadlibrary > headers->BaseOfCode + headers->SizeOfCode ) {
    MessageBox("Incompatible SystemAnalyzer detected");
}

It might be cleverer than that of course, checking individual sections and stuff. Anyway, it's just a theory.
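
Added example, not part of the original thread and not code from the application or from Wine: a portable C version of the kind of range check guessed at above, showing why zeroed SizeOfCode and BaseOfCode fields make any export fail it. The function names and the header bytes are constructed for illustration; the LoadLibraryA offset is taken from the trace, and the check compares offsets from the module base because BaseOfCode is stored relative to it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian 32-bit read/write on a byte buffer. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* 1 if rva is inside [BaseOfCode, BaseOfCode + SizeOfCode), 0 if outside,
 * -1 if the buffer does not hold valid MZ/PE headers. */
int rva_in_code_range(const uint8_t *img, size_t len, uint32_t rva) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t nt = rd32(img + 0x3c);                 /* e_lfanew */
    if (nt > len || len - nt < 48) return -1;       /* need fields up to BaseOfCode */
    if (memcmp(img + nt, "PE\0\0", 4) != 0) return -1;
    const uint8_t *opt = img + nt + 4 + 20;         /* after signature + file header */
    uint32_t size_of_code = rd32(opt + 4);
    uint32_t base_of_code = rd32(opt + 20);
    return rva >= base_of_code && rva - base_of_code < size_of_code;
}

/* Constructed minimal header block carrying only the fields checked above. */
int check_with_header(uint32_t base_of_code, uint32_t size_of_code, uint32_t rva) {
    uint8_t img[128] = {0};
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + 0x3c, 0x40);
    memcpy(img + 0x40, "PE\0\0", 4);
    wr32(img + 0x40 + 24 + 4, size_of_code);
    wr32(img + 0x40 + 24 + 20, base_of_code);
    return rva_in_code_range(img, sizeof img, rva);
}

int main(void) {
    /* From the trace: GetProcAddress 0x40517bd0, module base 0x40450000. */
    uint32_t rva = 0x40517bd0u - 0x40450000u;
    printf("zeroed fields: %d\n", check_with_header(0, 0, rva));
    printf("populated fields (constructed): %d\n",
           check_with_header(0x1000, 0x100000, rva));
    return 0;
}
```
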