Shrinker again

Uwe Bonnes bon at elektron.ikp.physik.tu-darmstadt.de
Mon Apr 18 09:06:57 CDT 2005


Hello,

Some programs still use patching packers like shrinker.
http://www.multipcb.de/download/netviewer.exe
is such a program.

It doesn't run...

Here is a part of the debug log where I think the error happens:
0009:Call kernel32.LocalAlloc(00000000,00005386) ret=004b80c0
0009:Call ntdll.RtlAllocateHeap(40350000,00000000,00005386) ret=404b8941
0009:Ret  ntdll.RtlAllocateHeap() retval=403a0580 ret=404b8941
0009:Ret  kernel32.LocalAlloc() retval=403a0580 ret=004b80c0
0009:Call kernel32.VirtualQuery(004b45a0,406bfe38,0000001c) ret=004b6ba8
0009:Call ntdll.NtQueryVirtualMemory(ffffffff,004b45a0,00000000,406bfe38,0000001c,406bfd68) ret=404f364c
0009:Ret  ntdll.NtQueryVirtualMemory() retval=00000000 ret=404f364c
0009:Ret  kernel32.VirtualQuery() retval=0000001c ret=004b6ba8
0009:Call kernel32.VirtualProtect(00400118,000000e0,00000004,406bfe4c) ret=004b77f5
0009:Call ntdll.NtProtectVirtualMemory(ffffffff,406bfd7c,406bfd80,00000004,406bfe4c) ret=404f36da
0009:Ret  ntdll.NtProtectVirtualMemory() retval=00000000 ret=404f36da
0009:Ret  kernel32.VirtualProtect() retval=00000001 ret=004b77f5
0009:Call kernel32.VirtualProtect(00400118,000000e0,00000002,406bfe4c) ret=004b7826
0009:Call ntdll.NtProtectVirtualMemory(ffffffff,406bfd7c,406bfd80,00000002,406bfe4c) ret=404f36da
0009:Ret  ntdll.NtProtectVirtualMemory() retval=00000000 ret=404f36da
0009:Ret  kernel32.VirtualProtect() retval=00000001 ret=004b7826
0009:Call kernel32.GetCurrentProcess() ret=004b60aa
0009:Ret  kernel32.GetCurrentProcess() retval=ffffffff ret=004b60aa
0009:Call kernel32.SetUnhandledExceptionFilter(004b6435) ret=004b60cb
0009:Ret  kernel32.SetUnhandledExceptionFilter() retval=00000000 ret=004b60cb
0009:Call kernel32.ReadProcessMemory(ffffffff,401aa80d,406bfa28,00000008,406bfa30) ret=004b61c3
0009:Call ntdll.NtReadVirtualMemory(ffffffff,401aa80d,406bfa28,00000008,406bfa30) ret=404d2dba
0009: read_process_memory( handle=0xffffffff, addr=0x401aa80d )
0009: *attached*
0009: *signal* signal=19
0009: read_process_memory() = 0 { data={e0,50,56,ff,55,0c,83,c4} }
0009:Ret  ntdll.NtReadVirtualMemory() retval=00000000 ret=404d2dba
0009:Ret  kernel32.ReadProcessMemory() retval=00000001 ret=004b61c3
0009:Call kernel32.GetLastError() ret=004b73bc
0009:Ret  kernel32.GetLastError() retval=00000000 ret=004b73bc
0009:Call kernel32.CloseHandle(0000004c) ret=004b7f3e
0009:Call ntdll.NtClose(0000004c) ret=404d3741
0009: close_handle( handle=0x4c )
0009: close_handle() = 0 { fd=11 }
0009:Ret  ntdll.NtClose() retval=00000000 ret=404d3741
0009:Ret  kernel32.CloseHandle() retval=00000001 ret=004b7f3e
0009:Call kernel32.GetLocalTime(406bf8dc) ret=004b8da6

This time is then used to print an error message like
K:\usr\local\tmp\netviewer.exe (3.5) 04/18/05 15:36:46 - Dispatcher initialisation error 02

It seems that the program is not satisfied with what it reads from
memory address 0x401aa80d.

0009:trace:module:import_dll --- RtlRaiseStatus ntdll.dll.566 = 0x401aa780

is the debug output where the address nearest to 0x401aa80d is mentioned
before.

Any idea if shrinker can ever run with wine at all? And if it can run, what
has to be done to wine?

Thanks



-- 
Uwe Bonnes                bon at elektron.ikp.physik.tu-darmstadt.de

Institut fuer Kernphysik  Schlossgartenstrasse 9  64289 Darmstadt
--------- Tel. 06151 162516 -------- Fax. 06151 164321 ----------
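
The by-hand triage in the message above (find the ReadProcessMemory call on the process's own pseudo-handle, then look for the nearest import_dll address) can be scripted. This is an added example, not part of the original message or of Wine; the function name find_self_reads is an assumption, and the sample is constructed from lines of the log quoted above.

```python
import re

# Constructed sample: lines taken from the relay log quoted in the message above.
SAMPLE_LOG = """\
0009:trace:module:import_dll --- RtlRaiseStatus ntdll.dll.566 = 0x401aa780
0009:Call kernel32.VirtualQuery(004b45a0,406bfe38,0000001c) ret=004b6ba8
0009:Call kernel32.ReadProcessMemory(ffffffff,401aa80d,406bfa28,00000008,406bfa30) ret=004b61c3
0009: read_process_memory() = 0 { data={e0,50,56,ff,55,0c,83,c4} }
0009:Ret  kernel32.ReadProcessMemory() retval=00000001 ret=004b61c3
"""

CURRENT_PROCESS = 0xFFFFFFFF  # pseudo-handle returned by GetCurrentProcess()
TID = r"^([0-9a-f]{4}):"      # thread id prefix on every relay line
IMPORT_RE = re.compile(TID + r"trace:module:import_dll --- (\S+) (\S+)\.\d+ = 0x([0-9a-f]+)")
RPM_RE = re.compile(TID + r"Call kernel32\.ReadProcessMemory\(([0-9a-f]+),([0-9a-f]+),"
                    r"[0-9a-f]+,([0-9a-f]+),[0-9a-f]+\) ret=([0-9a-f]+)")
DATA_RE = re.compile(TID + r" read_process_memory\(\) = \d+ \{ data=\{([0-9a-f,]*)\} \}")


def find_self_reads(log_text):
    """Return one dict per ReadProcessMemory call made on the caller's own
    process, annotated with the nearest export resolved at or below the read
    address. That export is a hint only: the bytes may belong to a later,
    non-exported function."""
    exports, reads, pending = [], [], {}
    for line in log_text.splitlines():
        if m := IMPORT_RE.match(line):
            exports.append((int(m.group(4), 16), m.group(3), m.group(2)))
        elif m := RPM_RE.match(line):
            tid, handle, addr = m.group(1), int(m.group(2), 16), int(m.group(3), 16)
            if handle != CURRENT_PROCESS:
                continue  # read of another process, not a self-inspection
            below = [e for e in exports if e[0] <= addr]
            base, module, name = max(below) if below else (None, None, None)
            pending[tid] = {"return_addr": int(m.group(5), 16), "addr": addr,
                            "size": int(m.group(4), 16), "module": module,
                            "symbol": name, "data": None,
                            "offset": addr - base if below else None}
            reads.append(pending[tid])
        elif (m := DATA_RE.match(line)) and m.group(1) in pending:
            # Server reply carrying the bytes actually returned to the caller
            pending.pop(m.group(1))["data"] = bytes(
                int(b, 16) for b in m.group(2).split(",") if b)
    return reads


if __name__ == "__main__":
    for r in find_self_reads(SAMPLE_LOG):
        print(f"{r['addr']:#x} = {r['module']}:{r['symbol']}+{r['offset']:#x} "
              f"bytes={r['data'].hex()} caller={r['return_addr']:#x}")
```

For the quoted log this reports the read as ntdll.dll:RtlRaiseStatus+0x8d, with the caller's return address inside the packed image.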


