Big Bummer for running Shrinkered files!

ek sqrl autophile at starband.net
Mon Dec 17 12:21:37 CST 2001


On Mon, 17 Dec 2001 14:49:35 +1000
Mike McCormack  <mike_mccormack at start.com.au> wrote:

> Did you try running wine with -winver win98?

Yes, Shrinker tries to load a VXD which is not
allowed under Wine. At first I was going to
implement a special Shrinker VXD replacement for
Wine, but then I found that it wouldn't try to
load the VXD under --winver nt40. Thus, I figured
I would try to resolve the problems with running
under nt40, since that would (at least
theoretically) improve the existing functionality
of Wine, rather than add new functionality.

> 
> Did you try finding an Un-Shrinker? A quick search using google turned
> up a few candidates. Haven't tried any out though.

Yes, I've looked at them. They all seem to be
h4x0r toolz with no source code.


Some new news on the Shrinker front. I've managed
to determine, for the most part, what Shrinker's
exception filter function does. It's a minefield!
Recall that earlier I said it was looking for a
magic signature in ntdll.dll. I found all of the
landmines.

The first landmine makes sure the exception
handler was called with the code "call ecx". If
not, the process dies.

Next, we read 8 bytes from the process around
that location. If the read fails, the process dies.

If the code starting with the call is not FF D1
64 8B 25 or FF D1 64 8B 0D, the process dies.

It then tries to allocate some memory, and copies
some of the process code into that memory. If the
allocation fails, the process dies.

With that in mind, it seems that the only thing
it's really looking for is that signature. So one
idea that I had is a "Shrinker fixer". When Wine
loads an executable, it would look for this
specific exception handling code, and then NOP
out the checks.

Is that a reasonable approach?

--Rob
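
Added example (not part of the original post, and not Wine or Shrinker code): a C model of the signature step described above, useful for testing whether the bytes at a handler call site would pass it. The function names, the assumption that the 8-byte window starts at the call instruction, and the sample bytes are all constructed for illustration; the mnemonics in the comments are the standard x86 decodings of the two byte sequences quoted in the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of the signature step, as the post describes it. */
enum sig_result {
    SIG_SHORT_READ = -1, /* fewer than 8 readable bytes: the "read fails" case */
    SIG_NO_MATCH   = 0,  /* neither accepted sequence follows the call */
    SIG_MOV_ESP    = 1,  /* FF D1 64 8B 25: call ecx; mov esp, fs:[disp32] */
    SIG_MOV_ECX    = 2   /* FF D1 64 8B 0D: call ecx; mov ecx, fs:[disp32] */
};

#define WINDOW  8 /* bytes read around the call site (window start is assumed) */
#define SIG_LEN 5 /* bytes actually compared */
static const uint8_t SIG_A[SIG_LEN] = {0xFF, 0xD1, 0x64, 0x8B, 0x25};
static const uint8_t SIG_B[SIG_LEN] = {0xFF, 0xD1, 0x64, 0x8B, 0x0D};

/* Check the window that starts at call_off inside code[0..len). */
enum sig_result check_call_site(const uint8_t *code, size_t len, size_t call_off)
{
    if (call_off > len || len - call_off < WINDOW)
        return SIG_SHORT_READ;
    if (memcmp(code + call_off, SIG_A, SIG_LEN) == 0)
        return SIG_MOV_ESP;
    if (memcmp(code + call_off, SIG_B, SIG_LEN) == 0)
        return SIG_MOV_ECX;
    return SIG_NO_MATCH;
}

/* Same check, starting from the handler's return address: "call ecx" is a
   two-byte instruction, so the call begins two bytes before ret_off. */
enum sig_result check_from_return(const uint8_t *code, size_t len, size_t ret_off)
{
    if (ret_off < 2)
        return SIG_SHORT_READ;
    return check_call_site(code, len, ret_off - 2);
}

/* Constructed sample bytes, not taken from any real ntdll.dll. */
static const uint8_t NT_LIKE[] = {0x55, 0x8B, 0xEC, 0xFF, 0xD1, 0x64, 0x8B, 0x25,
    0x00, 0x00, 0x00, 0x00, 0x64, 0x8F, 0x05, 0x00, 0x00, 0x00, 0x00};
static const uint8_t OTHER[] = {0x55, 0x8B, 0xEC, 0xFF, 0xD1, 0x8B, 0xE5, 0x5D,
    0xC3, 0x90, 0x90, 0x90};

int main(void)
{
    printf("NT-like stub: %d\n", check_from_return(NT_LIKE, sizeof NT_LIKE, 5));
    printf("other stub:   %d\n", check_from_return(OTHER, sizeof OTHER, 5));
    return 0;
}
```

The second buffer does contain `call ecx`, yet it still fails, because the comparison also covers the three bytes that follow the call.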






More information about the wine-devel mailing list