leonidij (Member)
  • Posts: 17
  • Country: Bulgaria

Everything posted by leonidij

  1. I think the same. They are very super modern resource eaters from my point of view. Bringing functions like that into win2k is like adding to it the disadvantages of the very super modern resource-eater operating systems (with very super low speed/size performance). In short: I very super do not like them. Very super... I see. Maybe I should try those too. I thought they had something extra added to them to avoid some things, but now I see it is the opposite.
  2. Hello blackwingcat. I just tried the last kernel from v2.3l and compared it with v2.3j8, v2.3k and v2.3h by loading msdev.exe. All with MUI enabled (except v2.3h). And v2.3l is almost as fast as v2.3h, while j8 and k are many times slower. It seems you managed to improve this A LOT. And what exactly do you mean by this?: "Game Fix version is higher compatibility of Native Windows 2000 than Standard version." Does the Game Fix version have more original stuff in it while the standard one has more functions from newer OSes, or?
  3. Well, nowadays the AV databases are so huge that they include nearly every possible combination. So now they more need to add non-malware program signatures to the exclude database, because their malware database catches nearly anything. As you can see, half of the AVs detect it as clean and the other half say it is a different thing. When the result is like that, I think it is 99,99999% sure a false positive. And I think you can confirm yourself on your test machine that no malware actions were done. It is also another practice of AV companies to add ANY product from some developers or sites as a malware thing, while most of them have nothing malware in them. Just because that developer or site produces one or more things which can be used for this purpose, while at the same time they do not include commercial programs which are total hidden malware, like AD programs or copy-protection rootkits etc. This fast scanner is a tool to scan executables to see if they are packed and, if they are, to see with what - just like the famous PEiD (in case you don't know about these programs). I posted it because I remembered that I was not able to use it in the past to compare with other similar ones because of this crash. But now I downloaded it again with that fix and started it, and it was working fine! BTW I have more examples of programs which were crashing due to the same reason, but after this fix they are working just fine. BUT I'm afraid if I post them here you will cry even more about trojans etc., while they are nothing like that. So I won't mention them here. It is just that this bug is commonly seen. It was not just in ToPo or calc32, but in many, many, many more applications.
  4. Hello blackwingcat. That bug you fixed in the SendMessage function in user32.dll seems to have been a very, Very, VERY big flaw in win2k. I made that fix to the user32.dll of SP5.1 (NON EXTENDED KERNEL) and now many programs which gave trouble in the past run flawlessly. Micro$oft seems to have forgotten to fix this for full compatibility with win9X, but fixed it in XP. And the problem in Opgen.exe again seems not to have been fixed in 2k, but also not in XP and maybe all other versions (maybe it was too rare to be seen by the developers). But this one in SendMessage is really important, because without it many programs just cannot work on win2k. I found many other programs which crashed before to work flawlessly now. So this really was a MAJOR BUG (I think), reached in different ways by many programs. One of many examples is FastScanner 3.0 from AT4RE. It can be downloaded from: http://www.woodmann.com/collaborative/tools/index.php/AT4RE_FastScanner It still crashes when the TotalScan button is clicked, but before it was crashing right after being launched.
  5. Hello blackwingcat. Thanks for the info! That runme.exe is the logo program of the site from which the program was downloaded. That site, "protools", no longer exists, and this runme.exe has nothing to do with opgen nor matters in any way. It is just there in the archive I have. That's all about it. And what is the difference between v2.3h and v2.3h2?
  6. Yes indeed, it works with both the original calc32.exe (with its tooltips) and topo.exe! I actually have user32.dll deleted from KnownDLLs and just placed v23h into the directory where calc32.exe and topo.exe are, and they run fine indeed. It seems that was caused by the same bug. (And this also means user32 v23h is compatible with the other v18g files.) BUT Opgen.exe still does not work. It fails to fully initialize, and the problem looks very much the same as the problem in topo.exe, BUT it seems to be caused by another function. Maybe this same bug is also present in other functions than SendMessage? Opgen.exe + its full source code is attached in post #480 (a little above).
  7. See my post above for the attached file for another program with the same problem. And here, with v18g + the fixed user32 from v23g3, this problem does still exist. On which environment do you test it, Japanese or English? And which user32.dll exactly are you using for the tests? This Opgen tool has a much simpler GUI and functions and does not use SendMessage at all. 0x0000 "SetDlgItemTextA" 0x0000 "CheckRadioButton" 0x0000 "DialogBoxParamA" 0x0000 "IsDlgButtonChecked" 0x0000 "wsprintfA" 0x0000 "GetDlgItemTextA" 0x0000 "MessageBoxA" 0x0000 "EndDialog" are the only user32 functions it uses.
  8. Yes, as I described above. You can debug both in OllyDbg or in any other debugger/disassembler and see the difference between them. You can also use the Cmpdisasm tool for this task. This program can be used to add extra code into an exe, and that's why AVs think "ooh, it is a very bad thing to do", but as you know very well, not only bad things can be added into an existing program. The program itself has nothing malware in it, but you are free to be extra cautious. I think I remember one more program which has the same problem. Will try to find it. It was one opcode tool. Oh, I think I remember even one more program with that problem. Will search for them. Here is one more program, called OpGen, with that problem, and it is OPEN SOURCE! I found it in my collection and it has the same problem. It is an Opcode Generator tool. The source is written in tasm32 and compiles flawlessly (I tested). OPGEN.ZIP
  9. Hello WildBill. You seem to have forgotten to update the link to Windows2000-KB2508429-v10-x86-ENU.exe in your 3rd post here. It still goes to the v9 download from 2012. And I seem to have found 3 bugs in user32. You can see the details in this thread: http://www.msfn.org/board/topic/149233-kernelex-for-win2000/page-19 from post #464 onward.
  10. See the attached file in my previous post for what causes the problem and how it must be fixed. The fixes are very similar to the fixes you use, but in this case already done by someone else. This is also a general problem, and as I understood it, it exists in modern applications too. The attachment in the previous post gives you both the problem and the resolution. _fixed.exe is the fixed file in there, which works on win2k, and the other exe is the original, which does have the problem described above. It is again not-saved registers and again is related to the SendMessage function, but I think not only that this time.
  11. Hello, and awesome work blackwingcat. Here is another thing which I know is a bug in win2k. Some programs (mostly old ones), when started, try to initialize their main dialog but freeze at some point. If you click X (close) they do exit, but if you click any other button they get into a not-responding state. Note this bug may be closely related to the previous one, if not the same. I have seen a total of 3 programs like that, so it is rare, but those programs do work fine on win 9X and probably on XP. I'm sending you an example of one tool from the year 2000 whose task is to add physical and/or virtual space/sections in PE files. It is rare to find that program nowadays. In the archive are both the original version and a fixed version (not fixed by me) that WORKS on win2k. You can see how the fix is done and where the problem is without fully debugging - just by comparing the disassembly of both files. Note this too may be considered a malware tool by "super clever" AVs, but it by itself has nothing malware or destructive in it. Its main aim is to easily and quickly add space in a PE file for extra code when you do not have enough physical space in the file for this task. ToPo.rar
  12. Another program that has some trouble, this time with BOTH normal win2k and with kernel ex, is this one: http://www.manhunter.ru/releases/108_32_bit_asm_calculator_1_5.html This is an awesome asm programmer calculator, but its tooltips make the program crash before it shows on win2k. Otherwise the program is working fine if the tooltip creation routine is patched and avoided (as I did). But no tooltips then. OK, it is not about the tooltips of this program (I don't actually need them), but this seems to be a general flaw of win2k (not sure that is exactly the problem), but it may appear in other software which uses a similar way to create tooltips. If you are interested you may see what is going on; if not, leave it be. THIS IS NOT A REQUEST. As I said, I do not need these particular tooltips that much. This is just a notice, because this thing looks like a more general problem. So if you have the time and interest you can look at it; if not, so be it.
  13. Neither GameRanger nor the ancient game I play with it uses GameGuard. GameRanger just launches the game and redirects its online servers to the GameRanger server using DLL injection. From there on GameRanger has nothing to do with the game except to wait for it to close. NO GAMEGUARD, so it is not at fault at all. I do not have GameGuard on my PC in any way, nor anything which could use it. So the deal is only between gameranger.exe and user32.dll, and I cannot even test it vs GameGuard. How to get this "1.8+Fixed User32"? To copy user32.dll from v23g3 ENU to the installation package of v1.8x ENU? If that is so, I can do it. And v23g3 has that fixed user32.dll? I could try both variants. I just didn't get where that so-called fixed user32.dll is located (in v23g3, by my last understanding). EDIT: OK, I did test it with 1.8g + fixed user32 and it does work! Thank you. I wanted to test 2.3g3 first, but it wanted one update for IE6 which I probably have locally but do not want to install right now, but it should work too. We can consider this solved! EDIT2: I forgot to tell you that I got that fixed user32.dll from 2.3g3, in case there are more variants.
  14. Hello. And you misunderstood it. It is not GameGuard but GameRanger. They are totally different things. GameGuard you already know what it is, but GameRanger is a program for online multiplayer of many local games. www.gameranger.com Here you can download and try it yourself if you want. But it needs some tweaking, because it is downloading some DLLs which do require XP. You seem very obsessed with GameGuard fixing lately and thought of it, but it has nothing to do with this. It is one MFC & MSVCRT based application. It does not have much internal code, nor drivers etc. The problem is caused before initializing the main window. So it has something to do with creating the interface, as you can see from the stack back trace.
  15. So in short, v23g3 has that fix in user32.dll, and I had better try that instead of v23f3, and I should test v23g3 instead to see if it is working? And the reason I prefer 1.8g is that win2k lacks some core things like vectored exception handling (VEH) and others (I'm not sure if you implement this), but some programs do check if this is available and if not they just don't use it, in the case of win2k. But, if I'm not wrong, version 2X maybe tries to fake the version of window$ those programs detect, and so they try to use some still unsupported things because they are confused. This is maybe the cause of the GameGuard problem. And maybe of some other drivers or driver-level programs which use things like that. So I think it is not a bad idea to continue version 1X in parallel with 2X, if I understand it correctly. In short, some programs had better be fully aware that this is not XP. Some of them have everything that supports win2k, but just the compiler of these programs adds some non-needed stuff as an add-on which is not supported by win2k, or just a few not so important functions, while they kept support for the complicated functions and routines. The developers of those programs maybe just didn't check if it still works on win2k after they changed the compiler to vc10 or vc11. And besides, I like the "Stable" after some 1X versions. Because this is also the work PC of someone else and I want to be able to rely on things and don't want to wonder what causes a certain problem. If there is a bug in the 1.8 versions, why not fix it and make them even closer to stable? They are btw working pretty stably indeed, as far as I have tested over a long period of time, and I had no problems except this problem I posted above. And btw, after I use error recovery with the "CrashDoctor" program on GameRanger after it crashes in your routine, GameRanger continues working. Crash Doctor just handles (as far as I understand) some exceptions internally and tries to redirect code execution to another routine. And I think it means only that trying to read from address 0 is the problem, because the first parameter is 0. If it was an internal bug, should the program not be able to continue, or should it be crashing on standard win2k?
  16. Hello blackwingcat. v23f is JPN and I'm on an ENU machine and user. What is the difference between those, and can it be installed on an English machine? Maybe not very wise. But if user32.dll is basically the same as the ENU version, could I just try to replace it in, let's say, ver 18g? In short, to put user32.dll from v23f into v18g and then install v18g, or are they not compatible? And I have read in your blog that versions 2X use more faking of XP things, while versions 1X are more like updating win2k (adding support). So I'm willing to stick with the 1X way. Is that fix in v23f also available in v23g3 (your last release), because v23g has an ENU version while v23f has not. I'm not sure what exactly you changed, but I think if you add a check before each call of that function of yours for the first parameter being zero, it would solve the problem (or maybe not?) and make it a more universal fix in case of other similar bugs? (or maybe this is not as easy as it looks?) Ah, I just saw you actually have additional v23f ENU releases under the field of v23e - are they the ENU of v23f, and what is the difference between v23f and v23f3? v23f is removed, so only v23f3 remains. Is it v23f ENU or is it a mistake? Hmmm, the file size of v23f3 is just 1kb less than v23e - maybe it is a mistake, or not? I will wait for a reply from you and then will test it.
  17. Hello, blackwingcat. Thank you for your work on this first. I have found one bug or error in user32.dll in version 18e, but it is also there in version 18g - I have checked it. The problem appears in the starting process of the GameRanger program. Here are some details:

      Registers:
      eax=00000013 ebx=00000000 ecx=00000087 edx=00000012 esi=000001a0 edi=006b7070
      eip=77e16078 esp=0012ef68 ebp=0012ef78 iopl=0 nv up ei pl zr na po nc
      cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246

      Code:
      77e16059 64a118000000  mov eax,fs:[00000018]         fs:00000018=????????
      77e1605f 8b4040        mov eax,[eax+0x40]            ds:00949ef9=????????
      77e16062 c3            ret
      77e16063 55            push ebp                      <== your function starts here
      77e16064 8bec          mov ebp,esp
      77e16066 51            push ecx
      77e16067 51            push ecx
      77e16068 8065fe00      and byte ptr [ebp+0xfe],0x0   ss:00a78e5e=??
      77e1606c 8065ff00      and byte ptr [ebp+0xff],0x0   ss:00a78e5e=??
      77e16070 53            push ebx
      77e16071 8b5d08        mov ebx,[ebp+0x8]             ss:00a78e5e=????????
      77e16074 56            push esi
      77e16075 8b750c        mov esi,[ebp+0xc]             ss:00a78e5e=????????
      FAULT ->77e16078 8b03  mov eax,[ebx]                 ds:00000000=????????
      77e1607a 81fee0030000  cmp esi,0x3e0

      *----> Stack Back Trace <----*
      FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Function Name
      0012EF78 77E1B894 00000000 000001A0 00000000 00000012 !IsWindowVisible [omap]
      0012EFEC 77E1BA6B 000201BA 00000153 00000000 00000012 !GetWindowLongW [omap]
      0012F010 77E3A454 000201BA 00000153 00000000 00000012 !GetWindowLongW [omap]
      0012F030 77E14750 77E1BA04 000201BA 00000153 00000000 !SetWindowPlacement [omap]

      The full details report is attached! I think the first parameter of this function is 0, and 77e16071 - mov ebx,[ebp+0x8] sets ebx to 0, where [ebp+0x8] is the first parameter to this function, I think, and then 77e16078 mov eax,[ebx] causes a read from address 0x00000000. I reversed user32 a bit and saw you call this function often from many functions and usually check if the first parameter is zero, and if it is you skip calling this function. But however, it seems it is possible (in some rare cases) for the second parameter to be zero too. But maybe it is better to always check if the first parameter is zero. I think you can easily fix it by adding a check for the second parameter in this function before all calls. The other way is to figure out where this call was generated with the first parameter zero, but I'm not currently using the extended kernel; I can install it and then debug GameRanger to see where the call to your function is made with the first parameter zero. But I think you can see it in the stack back trace to figure it out. It looks like some chain of calls which maybe does not always produce this result, because I have not seen this in any other program. GameRanger works fine without the extended kernel (tuned a little bit to fit support, of course, but it works without a crash). Another, maybe more practical way to fix it is to add a check if the second parameter is zero before the call of your function. I have seen you skipped some original code and instead of it you call your code - so I think you have some space for this check. This is what came to my mind lastly. There are 90+ calls to your function; I hope you figure out where exactly things go wrong if you don't choose to change it in general. I think I can try to add a check before all calls to see if it works fine, because there is always some original code you skip with a jump, so there is room for it. And again, this is for version 18e (the addresses may differ for other versions of user32), but this crash happens also in 18g (I have checked it). Another clue for you is maybe esi=000001a0, which you use to check which function called your function and which is the second parameter of this function (by my view) - 77e16075 - mov esi,[ebp+0xc]. I got confused by the stack frame, which shifts the stack with push ebp first by +4 for all things. So +0 is saved ebp, +4 is return address, +8 is first parameter, etc. Report.zip
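Post 17 above works through the crash report by hand: the faulting `mov eax,[ebx]` reads address 0 because `ebx` was loaded from `[ebp+0x8]`, the first stack argument, and that argument was 0. As an added example (written here, not code from this thread or from blackwingcat's kernel), the script below automates that triage for a report in the same format. The `REPORT` string is a constructed sample built from the register dump, code listing and stack back trace quoted in the post, reflowed one item per line. It resolves the faulting memory operand against the register dump, maps the base register back to the stdcall argument it was loaded from, and lists which arguments of the innermost frame were zero. Two assumptions are stated in the comments: the 64 KiB NULL-page threshold, and the standard `push ebp; mov ebp,esp` frame layout used for the argument-index mapping.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the register dump, code listing and stack back trace
# quoted in the post above, reflowed to one item per line.
REPORT = """\
Registers:
eax=00000013 ebx=00000000 ecx=00000087 edx=00000012 esi=000001a0 edi=006b7070
eip=77e16078 esp=0012ef68 ebp=0012ef78 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
Code:
77e16063 55 push ebp
77e16064 8bec mov ebp,esp
77e16070 53 push ebx
77e16071 8b5d08 mov ebx,[ebp+0x8] ss:00a78e5e=????????
77e16074 56 push esi
77e16075 8b750c mov esi,[ebp+0xc] ss:00a78e5e=????????
FAULT ->77e16078 8b03 mov eax,[ebx] ds:00000000=????????
77e1607a 81fee0030000 cmp esi,0x3e0
*----> Stack Back Trace <----*
FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Function Name
0012EF78 77E1B894 00000000 000001A0 00000000 00000012 !IsWindowVisible [omap]
0012EFEC 77E1BA6B 000201BA 00000153 00000000 00000012 !GetWindowLongW [omap]
0012F010 77E3A454 000201BA 00000153 00000000 00000012 !GetWindowLongW [omap]
0012F030 77E14750 77E1BA04 000201BA 00000153 00000000 !SetWindowPlacement [omap]
"""

# Assumption: the lowest 64 KiB of a Win32 process is never mapped, so a
# faulting address below it is classified as a NULL-pointer dereference.
NULL_PAGE_LIMIT = 0x10000

REG_RE = re.compile(r"\b(e(?:[abcd]x|[sd]i|[bs]p|ip))=([0-9a-fA-F]{8})\b")
CODE_RE = re.compile(r"^(?P<fault>FAULT ->)?(?P<addr>[0-9a-f]{8}) (?P<bytes>[0-9a-f]+) "
                     r"(?P<mnem>[a-z]+)(?: (?P<ops>\S+))?", re.M)
MEM_RE = re.compile(r"\[(?P<base>e(?:[abcd]x|[sd]i|[bs]p))"
                    r"(?:(?P<sign>[+-])(?P<disp>0x[0-9a-fA-F]+|\d+))?\]")
FRAME_RE = re.compile(r"^(?P<fp>[0-9A-F]{8}) (?P<ret>[0-9A-F]{8}) "
                      r"(?P<params>(?:[0-9A-F]{8} ){4})!(?P<func>\w+)", re.M)


@dataclass
class Instruction:
    addr: int
    mnemonic: str
    operands: str
    faulting: bool  # True for the line marked "FAULT ->"


def parse_registers(report: str) -> dict[str, int]:
    """Register dump -> {name: value}."""
    return {name: int(value, 16) for name, value in REG_RE.findall(report)}


def parse_code(report: str) -> list[Instruction]:
    """Code listing -> instructions, with the faulting line flagged."""
    return [Instruction(int(m["addr"], 16), m["mnem"], m["ops"] or "", m["fault"] is not None)
            for m in CODE_RE.finditer(report)]


def effective_address(operands: str, regs: dict[str, int]) -> tuple[str, int] | None:
    """Resolve a [base+disp] memory operand against the register dump."""
    m = MEM_RE.search(operands)
    if not m:
        return None
    disp = int(m["disp"], 0) if m["disp"] else 0
    if m["sign"] == "-":
        disp = -disp
    return m["base"], (regs[m["base"]] + disp) & 0xFFFFFFFF


def argument_index(code: list[Instruction], reg: str) -> int | None:
    """Which stdcall argument a register was loaded from. Assumes a standard
    frame (push ebp; mov ebp,esp): [ebp] is the saved ebp, [ebp+4] the return
    address, [ebp+8] the first argument, [ebp+0xc] the second, and so on."""
    for ins in code:
        if ins.mnemonic == "mov" and ins.operands.startswith(reg + ",["):
            m = MEM_RE.search(ins.operands)
            if m and m["base"] == "ebp" and m["sign"] == "+" and int(m["disp"], 0) >= 8:
                return (int(m["disp"], 0) - 8) // 4
    return None


def parse_stack_trace(report: str) -> list[dict]:
    """Frames as {frame, ret, params, function}. Names are the nearest exported
    symbol the dump tool found, not necessarily the real function."""
    return [{"frame": int(m["fp"], 16), "ret": int(m["ret"], 16),
             "params": [int(p, 16) for p in m["params"].split()], "function": m["func"]}
            for m in FRAME_RE.finditer(report)]


def classify_fault(report: str) -> dict:
    """Locate the faulting instruction and decide whether it is a NULL read/write."""
    regs = parse_registers(report)
    fault = next(i for i in parse_code(report) if i.faulting)
    result = {"eip": fault.addr, "instruction": f"{fault.mnemonic} {fault.operands}".strip(),
              "base_reg": None, "address": None, "kind": "unknown"}
    ea = effective_address(fault.operands, regs)
    if ea:
        base, addr = ea
        access = "write" if fault.operands.startswith("[") else "read"  # memory as destination = write
        result.update(base_reg=base, address=addr,
                      kind=f"null-pointer {access}" if addr < NULL_PAGE_LIMIT else f"wild {access}")
    return result


def triage(report: str) -> dict:
    """Fault kind, which argument fed the bad pointer, and which arguments of
    the innermost frame were zero."""
    code, fault, frames = parse_code(report), classify_fault(report), parse_stack_trace(report)
    inner = frames[0] if frames else None
    return {**fault,
            "argument_index": argument_index(code, fault["base_reg"]) if fault["base_reg"] else None,
            "innermost_frame": inner["function"] if inner else None,
            "null_params": [i for i, p in enumerate(inner["params"]) if p == 0] if inner else []}


if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key:>16}: {value:#x}" if isinstance(value, int) else f"{key:>16}: {value}")
```

Run stand-alone it reports a null-pointer read at eip 0x77e16078 through `ebx`, traces `ebx` to argument index 0 (the first argument), and flags Param#1 and Param#3 of the innermost frame as zero. This is the same conclusion the post reaches by hand, and the argument-index mapping makes the +0 / +4 / +8 frame layout the poster was confused by explicit.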