Hello,
some programs still use a patching packer like shrinker. http://www.multipcb.de/download/netviewer.exe is such a program.
It doesn't run...
Here is a part of the debug log where I think the error happens:

0009:Call kernel32.LocalAlloc(00000000,00005386) ret=004b80c0
0009:Call ntdll.RtlAllocateHeap(40350000,00000000,00005386) ret=404b8941
0009:Ret ntdll.RtlAllocateHeap() retval=403a0580 ret=404b8941
0009:Ret kernel32.LocalAlloc() retval=403a0580 ret=004b80c0
0009:Call kernel32.VirtualQuery(004b45a0,406bfe38,0000001c) ret=004b6ba8
0009:Call ntdll.NtQueryVirtualMemory(ffffffff,004b45a0,00000000,406bfe38,0000001c,406bfd68) ret=404f364c
0009:Ret ntdll.NtQueryVirtualMemory() retval=00000000 ret=404f364c
0009:Ret kernel32.VirtualQuery() retval=0000001c ret=004b6ba8
0009:Call kernel32.VirtualProtect(00400118,000000e0,00000004,406bfe4c) ret=004b77f5
0009:Call ntdll.NtProtectVirtualMemory(ffffffff,406bfd7c,406bfd80,00000004,406bfe4c) ret=404f36da
0009:Ret ntdll.NtProtectVirtualMemory() retval=00000000 ret=404f36da
0009:Ret kernel32.VirtualProtect() retval=00000001 ret=004b77f5
0009:Call kernel32.VirtualProtect(00400118,000000e0,00000002,406bfe4c) ret=004b7826
0009:Call ntdll.NtProtectVirtualMemory(ffffffff,406bfd7c,406bfd80,00000002,406bfe4c) ret=404f36da
0009:Ret ntdll.NtProtectVirtualMemory() retval=00000000 ret=404f36da
0009:Ret kernel32.VirtualProtect() retval=00000001 ret=004b7826
0009:Call kernel32.GetCurrentProcess() ret=004b60aa
0009:Ret kernel32.GetCurrentProcess() retval=ffffffff ret=004b60aa
0009:Call kernel32.SetUnhandledExceptionFilter(004b6435) ret=004b60cb
0009:Ret kernel32.SetUnhandledExceptionFilter() retval=00000000 ret=004b60cb
0009:Call kernel32.ReadProcessMemory(ffffffff,401aa80d,406bfa28,00000008,406bfa30) ret=004b61c3
0009:Call ntdll.NtReadVirtualMemory(ffffffff,401aa80d,406bfa28,00000008,406bfa30) ret=404d2dba
0009: read_process_memory( handle=0xffffffff, addr=0x401aa80d )
0009: *attached*
0009: *signal* signal=19
0009: read_process_memory() = 0 { data={e0,50,56,ff,55,0c,83,c4} }
0009:Ret ntdll.NtReadVirtualMemory() retval=00000000 ret=404d2dba
0009:Ret kernel32.ReadProcessMemory() retval=00000001 ret=004b61c3
0009:Call kernel32.GetLastError() ret=004b73bc
0009:Ret kernel32.GetLastError() retval=00000000 ret=004b73bc
0009:Call kernel32.CloseHandle(0000004c) ret=004b7f3e
0009:Call ntdll.NtClose(0000004c) ret=404d3741
0009: close_handle( handle=0x4c )
0009: close_handle() = 0 { fd=11 }
0009:Ret ntdll.NtClose() retval=00000000 ret=404d3741
0009:Ret kernel32.CloseHandle() retval=00000001 ret=004b7f3e
0009:Call kernel32.GetLocalTime(406bf8dc) ret=004b8da6

This time is then used to print an error message like

K:\usr\local\tmp\netviewer.exe (3.5) 04/18/05 15:36:46 - Dispatcher initialisation error 02

It seems that the program is not satisfied with what it reads from memory address 0x401aa80d.
0009:trace:module:import_dll --- RtlRaiseStatus ntdll.dll.566 = 0x401aa780
is the debug output where the address nearest to 0x401aa80d is mentioned before.
Any idea if shrinker can ever run with wine at all? And if it can run, what has to be done to wine?
Thanks
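
Added example, not part of the original post: a small Python triage script that scans a Wine relay/server trace for `ReadProcessMemory` calls on the process's own pseudo-handle (`ffffffff`) and maps each address read to the nearest lower `import_dll` symbol seen earlier in the log. The function and variable names are assumptions; the sample log is constructed from lines quoted in the post, with the `import_dll` line placed first.

```python
import re

# Constructed sample: lines copied from the trace quoted in the post above.
SAMPLE_LOG = """\
0009:trace:module:import_dll --- RtlRaiseStatus ntdll.dll.566 = 0x401aa780
0009:Call kernel32.VirtualProtect(00400118,000000e0,00000004,406bfe4c) ret=004b77f5
0009:Call kernel32.ReadProcessMemory(ffffffff,401aa80d,406bfa28,00000008,406bfa30) ret=004b61c3
0009: read_process_memory( handle=0xffffffff, addr=0x401aa80d )
0009: read_process_memory() = 0 { data={e0,50,56,ff,55,0c,83,c4} }
0009:Ret kernel32.ReadProcessMemory() retval=00000001 ret=004b61c3
"""

IMPORT_RE = re.compile(r"import_dll --- (\S+) (\S+)\.\d+ = 0x([0-9a-fA-F]+)")
READ_RE = re.compile(
    r"Call kernel32\.ReadProcessMemory\(ffffffff,([0-9a-f]+),[0-9a-f]+,([0-9a-f]+),")
DATA_RE = re.compile(r"read_process_memory\(\) = \d+ \{ data=\{([0-9a-f,]*)\} \}")

def self_reads(log):
    """Return one record per ReadProcessMemory call made on the current process."""
    symbols = []  # (address, "module!name") from import_dll traces seen so far
    reads = []
    for line in log.splitlines():
        m = IMPORT_RE.search(line)
        if m:
            symbols.append((int(m.group(3), 16), f"{m.group(2)}!{m.group(1)}"))
            continue
        m = READ_RE.search(line)
        if m:
            addr, size = int(m.group(1), 16), int(m.group(2), 16)
            # Nearest resolved import at or below the address. This is only a
            # hint: the bytes may belong to a different, unlisted function.
            below = [s for s in symbols if s[0] <= addr]
            base, name = max(below) if below else (None, None)
            reads.append({"addr": addr, "size": size, "nearest": name,
                          "offset": addr - base if below else None, "data": None})
            continue
        m = DATA_RE.search(line)
        if m and reads and reads[-1]["data"] is None:
            # Server-side trace line carrying the bytes actually returned.
            reads[-1]["data"] = bytes(int(b, 16) for b in m.group(1).split(",") if b)
    return reads

if __name__ == "__main__":
    for r in self_reads(SAMPLE_LOG):
        data = r["data"].hex(" ") if r["data"] else "?"
        where = f"{r['nearest']}+{r['offset']:#x}" if r["nearest"] else "unresolved"
        print(f"self-read {r['size']} bytes at {r['addr']:#x} ({where}): {data}")
```

On the sample this reports the 8-byte read at 0x401aa80d as lying 0x8d bytes past the `RtlRaiseStatus` entry in ntdll.dll, matching the observation in the post.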