Hello,
some programs still use patching packers like shrinker. http://www.multipcb.de/download/netviewer.exe is such a program.
It doesn't run...
Here is a part of the debug log where I think the error happens:
0009:Call kernel32.LocalAlloc(00000000,00005386) ret=004b80c0
0009:Call ntdll.RtlAllocateHeap(40350000,00000000,00005386) ret=404b8941
0009:Ret ntdll.RtlAllocateHeap() retval=403a0580 ret=404b8941
0009:Ret kernel32.LocalAlloc() retval=403a0580 ret=004b80c0
0009:Call kernel32.VirtualQuery(004b45a0,406bfe38,0000001c) ret=004b6ba8
0009:Call ntdll.NtQueryVirtualMemory(ffffffff,004b45a0,00000000,406bfe38,0000001c,406bfd68) ret=404f364c
0009:Ret ntdll.NtQueryVirtualMemory() retval=00000000 ret=404f364c
0009:Ret kernel32.VirtualQuery() retval=0000001c ret=004b6ba8
0009:Call kernel32.VirtualProtect(00400118,000000e0,00000004,406bfe4c) ret=004b77f5
0009:Call ntdll.NtProtectVirtualMemory(ffffffff,406bfd7c,406bfd80,00000004,406bfe4c) ret=404f36da
0009:Ret ntdll.NtProtectVirtualMemory() retval=00000000 ret=404f36da
0009:Ret kernel32.VirtualProtect() retval=00000001 ret=004b77f5
0009:Call kernel32.VirtualProtect(00400118,000000e0,00000002,406bfe4c) ret=004b7826
0009:Call ntdll.NtProtectVirtualMemory(ffffffff,406bfd7c,406bfd80,00000002,406bfe4c) ret=404f36da
0009:Ret ntdll.NtProtectVirtualMemory() retval=00000000 ret=404f36da
0009:Ret kernel32.VirtualProtect() retval=00000001 ret=004b7826
0009:Call kernel32.GetCurrentProcess() ret=004b60aa
0009:Ret kernel32.GetCurrentProcess() retval=ffffffff ret=004b60aa
0009:Call kernel32.SetUnhandledExceptionFilter(004b6435) ret=004b60cb
0009:Ret kernel32.SetUnhandledExceptionFilter() retval=00000000 ret=004b60cb
0009:Call kernel32.ReadProcessMemory(ffffffff,401aa80d,406bfa28,00000008,406bfa30) ret=004b61c3
0009:Call ntdll.NtReadVirtualMemory(ffffffff,401aa80d,406bfa28,00000008,406bfa30) ret=404d2dba
0009: read_process_memory( handle=0xffffffff, addr=0x401aa80d )
0009: *attached*
0009: *signal* signal=19
0009: read_process_memory() = 0 { data={e0,50,56,ff,55,0c,83,c4} }
0009:Ret ntdll.NtReadVirtualMemory() retval=00000000 ret=404d2dba
0009:Ret kernel32.ReadProcessMemory() retval=00000001 ret=004b61c3
0009:Call kernel32.GetLastError() ret=004b73bc
0009:Ret kernel32.GetLastError() retval=00000000 ret=004b73bc
0009:Call kernel32.CloseHandle(0000004c) ret=004b7f3e
0009:Call ntdll.NtClose(0000004c) ret=404d3741
0009: close_handle( handle=0x4c )
0009: close_handle() = 0 { fd=11 }
0009:Ret ntdll.NtClose() retval=00000000 ret=404d3741
0009:Ret kernel32.CloseHandle() retval=00000001 ret=004b7f3e
0009:Call kernel32.GetLocalTime(406bf8dc) ret=004b8da6
This time is then used to print an error message like
K:\usr\local\tmp\netviewer.exe (3.5) 04/18/05 15:36:46 - Dispatcher initialisation error 02
It seems that the program is not satisfied with what it reads from memory address 0x401aa80d.
0009:trace:module:import_dll --- RtlRaiseStatus ntdll.dll.566 = 0x401aa780
is the debug output where the address nearest to 0x401aa80d is mentioned before.
Any idea if shrinker can ever run with wine at all? And if it can run, what has to be done to wine?
Thanks
Hi,
On Mon, Apr 18, 2005 at 04:06:57PM +0200, Uwe Bonnes wrote:
> Hello,
> some programs still use patching packers like shrinker. http://www.multipcb.de/download/netviewer.exe is such a program.
> It doesn't run...
No idea here, but:
Google "Dispatcher initialisation error 02" yields two programs with this issue.
Also http://www.emerge.de/faq.htm (might help, but I suspect it won't):
-----
Question: »Shrinker Error« I get the message »shrinker.err: 3.20 c:\dw\EMTOOLS.DLL Dispatcher Initialisation Error 11«.
Answer: You have probably installed the program »First Aid«. This program modifies the code of Windows 95 and sets so-called INT 3 breakpoints. The software we use to compress the files of DCC for Windows cannot handle these modifications. In the meantime a new version of this compression program has been released which works around the error. From version 1.03 of DCC for Windows onwards, this message should therefore no longer appear.
-----
Also, I could try to dig out my old contact person at Shrinker, maybe he'd still answer further requests ;) (http://www.blinkinc.com/)
Further, are you sure this log contains the start of the issue? I'm not 100% sure, it might be a bit above...
Andreas
Hi,
On Mon, Apr 18, 2005 at 04:32:22PM +0200, Andreas Mohr wrote:
> Also http://www.emerge.de/faq.htm (might help, but I suspect it won't):
> Question: »Shrinker Error« I get the message »shrinker.err: 3.20 c:\dw\EMTOOLS.DLL Dispatcher Initialisation Error 11«.
> Answer: You have probably installed the program »First Aid«. This program modifies the code of Windows 95 and sets so-called INT 3 breakpoints. The software we use to compress the files of DCC for Windows cannot handle these modifications. In the meantime a new version of this compression program has been released which works around the error. From version 1.03 of DCC for Windows onwards, this message should therefore no longer appear.
Thinking about it, this INT 3 modification and the ReadProcessMemory activity of shrinker strongly hint at the all-too-common direct API entry point inspection (for manual hooking by this program?) by shrinker, which then bails out if it doesn't match its expectations. Two questions: What does shrinker expect?
Is there any override switch for those shrinker tests? (CHECK THOSE REGISTRY ACCESSES FOR SUSPICIOUS ACTIVITY!) What happens with newer Windows versions not known to shrinker? Do they work?
> Further, are you sure this log contains the start of the issue? I'm not 100% sure, it might be a bit above...
Now I think it probably is the correct area.
Andreas
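The correlation done by hand in the messages above, as an added example that is not part of the original thread or of Wine: it pairs each read_process_memory request line with its reply line, maps the address to the nearest resolved import from the import_dll trace, and flags 0xcc (INT 3) bytes. The function name `analyse` and the result keys are assumptions of this example; the sample lines are copied from the log in the first message.

```python
import bisect
import re

# Lines copied from the Wine trace quoted in the first message of the thread.
SAMPLE_LOG = """\
0009:trace:module:import_dll --- RtlRaiseStatus ntdll.dll.566 = 0x401aa780
0009:Call kernel32.ReadProcessMemory(ffffffff,401aa80d,406bfa28,00000008,406bfa30) ret=004b61c3
0009: read_process_memory( handle=0xffffffff, addr=0x401aa80d )
0009: read_process_memory() = 0 { data={e0,50,56,ff,55,0c,83,c4} }
0009:Ret kernel32.ReadProcessMemory() retval=00000001 ret=004b61c3
"""

IMPORT_RE = re.compile(r"import_dll --- (\S+) \S+ = 0x([0-9a-f]+)")
REQUEST_RE = re.compile(r"read_process_memory\( handle=\S+ addr=0x([0-9a-f]+) \)")
REPLY_RE = re.compile(r"read_process_memory\(\) = 0 \{ data=\{([0-9a-f,]*)\} \}")


def analyse(log_text):
    """Pair each read_process_memory request with its reply and locate it."""
    addrs, names = [], []   # resolved imports, kept sorted by address
    pending = {}            # thread id -> address of the outstanding request
    findings = []
    for line in log_text.splitlines():
        tid = line.split(":", 1)[0]
        if m := IMPORT_RE.search(line):
            addr = int(m.group(2), 16)
            pos = bisect.bisect_left(addrs, addr)
            addrs.insert(pos, addr)
            names.insert(pos, m.group(1))
        elif m := REQUEST_RE.search(line):
            pending[tid] = int(m.group(1), 16)
        elif (m := REPLY_RE.search(line)) and tid in pending:
            addr = pending.pop(tid)
            data = bytes(int(b, 16) for b in m.group(1).split(",") if b)
            # Nearest resolved import at or below the address that was read.
            pos = bisect.bisect_right(addrs, addr) - 1
            findings.append({
                "addr": addr,
                "data": data,
                "symbol": names[pos] if pos >= 0 else None,
                "offset": addr - addrs[pos] if pos >= 0 else None,
                # 0xcc is the INT 3 opcode; heuristic only, since the byte
                # can also occur as part of an ordinary instruction operand.
                "has_int3": 0xCC in data,
            })
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

On the lines from this thread it reports the read at RtlRaiseStatus+0x8d, with no 0xcc byte among the eight bytes returned.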
"Uwe Bonnes" bon@elektron.ikp.physik.tu-darmstadt.de wrote:
> Any idea if shrinker can ever run with wine at all? And if it can run, what has to be done to wine?
Does it change anything if you switch the reported windows version to nt4 or win2k?
"Dmitry" == Dmitry Timoshkov dmitry@baikal.ru writes:
Dmitry> "Uwe Bonnes" bon@elektron.ikp.physik.tu-darmstadt.de wrote:
>> Any idea if shrinker can ever run with wine at all? And if it can
>> run, what has to be done to wine?

Dmitry> Does it change anything if you switch the reported windows
Dmitry> version to nt4 or win2k?
That was when run as nt2k.
Running as win95 gives:
fixme:vxd:VXD_Open Unknown/unsupported VxD L"shrink35.vxd". Try setting Windows version to 'nt40' or 'win31'.