On Saturday 22 April 2006 13:54, Marcus Meissner wrote:
Here is the culprit:
trace:virtual:VIRTUAL_SetProt 0x462000-0x4e7fff c-rW- trace:virtual:VIRTUAL_DumpView View: 0x400000 - 0x57bfff (anonymous) trace:virtual:VIRTUAL_DumpView 0x400000 - 0x400fff c-r-- trace:virtual:VIRTUAL_DumpView 0x401000 - 0x449fff c-r-x trace:virtual:VIRTUAL_DumpView 0x44a000 - 0x57bfff c-rW-
This covers the 0x00495000 address. Note that the area lacks the x-bit.
What is happening is likely the copy protection. The original loader is likely executable, but the copyprotection decrypts the code in a datasection and then executes it.
Well, I'm using a "modified" game executable which does not check for the presence of a CD. However, it hooks into the original game executable so that the game can validate itself. Alas, it's probably not the more pure win32 application known to man..
Could you please do: winedump dump -x war3.exe and put it somewhere/attach it here?
Certainly, find it here (261K):
This is the section with the entry point in:
04 .iyhivx VirtSize: 548864 VirtAddr: 401408 0x00062000 raw data offs: 356352 raw data size: 548864 relocation offs: 0 relocations: 0 line # offs: 0 line #'s: 0 characteristics: 0xc0000040 INITIALIZED_DATA MEM_READ MEM_WRITE
It is missing the "MEM_EXECUTE" flag.
The patch did the trick. Thanks for taking the time to debug this.