Snow thread crash when clicking on aboutbox

[r0ger]

Hey guys, merry xmas to all !

I just wanted to modify the aboutbox that i have ripped by adding the snow effect from the "New year theme by x0man" effect.

I tried initializing all the snow procedures and it crashed.

Any suggestions please? if it is possible, i really need it a little urgent these days cuz i wanna make an xmas-themed keygen template.

hohohooooo.rar

[CodeExplorer]

0040142F  |. A1 90344000    MOV EAX,DWORD PTR DS:[403490]
00401434  |. 6BC0 11        IMUL EAX,EAX,11
00401437  |. 0105 A4344000  ADD DWORD PTR DS:[4034A4],EAX
0040143D  \. C3             RETN
0040143E  /$ FF35 9C344000  PUSH DWORD PTR DS:[40349C]                           ; /hObject = 37050C91
00401444  |. E8 23030000    CALL <JMP.&gdi32.DeleteObject>                       ; \DeleteObject
00401449  |. FF35 A0344000  PUSH DWORD PTR DS:[4034A0]                           ; /hDC = FD01131A
0040144F  |. E8 12030000    CALL <JMP.&gdi32.DeleteDC>                           ; \DeleteDC
00401454  |. FF35 BC344000  PUSH DWORD PTR DS:[4034BC]                           ; /hObject = NULL
0040145A  |. E8 0D030000    CALL <JMP.&gdi32.DeleteObject>                       ; \DeleteObject
0040145F  |. FF35 C4344000  PUSH DWORD PTR DS:[4034C4]                           ; /hDC = 7E011120
00401465  |. E8 FC020000    CALL <JMP.&gdi32.DeleteDC>                           ; \DeleteDC
0040146A  \. C3             RETN
0040146B  /$ 8B3D B8344000  MOV EDI,DWORD PTR DS:[4034B8]
00401471  |. 33C0           XOR EAX,EAX
00401473  |> 40             /INC EAX
00401474  |. 50             |PUSH EAX
00401475  |. 68 90010000    |PUSH 190
0040147A  |. E8 BE000000    |CALL [[CodedB.0040153D
0040147F  |. 8907           |MOV DWORD PTR DS:[EDI],EAX  // exception here
00401481  |. 68 C8000000    |PUSH 0C8
00401486  |. E8 B2000000    |CALL [[CodedB.0040153D
0040148B  |. 6BC0 FF        |IMUL EAX,EAX,-1
0040148E  |. 8947 04        |MOV DWORD PTR DS:[EDI+4],EAX
00401491  |. 6A 03          |PUSH 3
00401493  |. E8 A5000000    |CALL [[CodedB.0040153D
00401498  |. 40             |INC EAX
00401499  |. 8947 08        |MOV DWORD PTR DS:[EDI+8],EAX
0040149C  |. 6A 02          |PUSH 2
0040149E  |. E8 9A000000    |CALL [[CodedB.0040153D

ResortSnow proc
    
    assume edi : ptr _snow
    mov edi, snow
    xor eax, eax
    .repeat
        inc eax
        push eax
                
        invoke Random, 400
        mov [edi].xPos, eax  // exception here
        
        invoke Random, 200
        imul eax, -1
        mov [edi].yPos, eax
        
        invoke Random, 3
        inc eax
        mov [edi].speed, eax
        
        invoke Random, 2
        inc eax
        mov ecx, eax
        imul ecx, 100

snow variable should keep address of snow struct: unfortunaley is null
why is there a difference:     assume edi : ptr _snow
versus:
    mov edi, snow

I think instead of mov edi, snow
should be "lea edi, _snow"
or "mov edi, offset _snow"

Or even better initialize snow dword:
lea edi, _snow
mov snow, edi

 

Edited December 24, 2022 by CodeExplorer

[r0ger]

12 minutes ago, CodeExplorer said:

0040142F  |. A1 90344000    MOV EAX,DWORD PTR DS:[403490]
00401434  |. 6BC0 11        IMUL EAX,EAX,11
00401437  |. 0105 A4344000  ADD DWORD PTR DS:[4034A4],EAX
0040143D  \. C3             RETN
0040143E  /$ FF35 9C344000  PUSH DWORD PTR DS:[40349C]                           ; /hObject = 37050C91
00401444  |. E8 23030000    CALL <JMP.&gdi32.DeleteObject>                       ; \DeleteObject
00401449  |. FF35 A0344000  PUSH DWORD PTR DS:[4034A0]                           ; /hDC = FD01131A
0040144F  |. E8 12030000    CALL <JMP.&gdi32.DeleteDC>                           ; \DeleteDC
00401454  |. FF35 BC344000  PUSH DWORD PTR DS:[4034BC]                           ; /hObject = NULL
0040145A  |. E8 0D030000    CALL <JMP.&gdi32.DeleteObject>                       ; \DeleteObject
0040145F  |. FF35 C4344000  PUSH DWORD PTR DS:[4034C4]                           ; /hDC = 7E011120
00401465  |. E8 FC020000    CALL <JMP.&gdi32.DeleteDC>                           ; \DeleteDC
0040146A  \. C3             RETN
0040146B  /$ 8B3D B8344000  MOV EDI,DWORD PTR DS:[4034B8]
00401471  |. 33C0           XOR EAX,EAX
00401473  |> 40             /INC EAX
00401474  |. 50             |PUSH EAX
00401475  |. 68 90010000    |PUSH 190
0040147A  |. E8 BE000000    |CALL [[CodedB.0040153D
0040147F  |. 8907           |MOV DWORD PTR DS:[EDI],EAX  // exception here
00401481  |. 68 C8000000    |PUSH 0C8
00401486  |. E8 B2000000    |CALL [[CodedB.0040153D
0040148B  |. 6BC0 FF        |IMUL EAX,EAX,-1
0040148E  |. 8947 04        |MOV DWORD PTR DS:[EDI+4],EAX
00401491  |. 6A 03          |PUSH 3
00401493  |. E8 A5000000    |CALL [[CodedB.0040153D
00401498  |. 40             |INC EAX
00401499  |. 8947 08        |MOV DWORD PTR DS:[EDI+8],EAX
0040149C  |. 6A 02          |PUSH 2
0040149E  |. E8 9A000000    |CALL [[CodedB.0040153D

ResortSnow proc
    
    assume edi : ptr _snow
    mov edi, snow
    xor eax, eax
    .repeat
        inc eax
        push eax
                
        invoke Random, 400
        mov [edi].xPos, eax  // exception here
        
        invoke Random, 200
        imul eax, -1
        mov [edi].yPos, eax
        
        invoke Random, 3
        inc eax
        mov [edi].speed, eax
        
        invoke Random, 2
        inc eax
        mov ecx, eax
        imul ecx, 100

snow variable should keep address of snow struct: unfortunaley is null
why is there a difference:     assume edi : ptr _snow
versus:
    mov edi, snow

I think instead of mov edi, snow
should be "lea edi, _snow"
or "mov edi, offset _snow"

Or even better initialize snow dword:
lea edi, _snow
mov snow, edi

 

tried that and it doesn't work...still crashes.

and if i try to set "lea edi, _snow" , it gives me a compiling error : error A2070: invalid instruction operands

Edited December 24, 2022 by r0ger

[BataBo]

r0ger the problem is that the variable "snow" is not initialized(It's value is NULL), call function 

GetMemory proc
    ; считаем сколько памяти зарезервировать... count how many memory reserve
    mov eax, snowcount
    imul eax, sizeof _snow
    add eax, sizeof _snow
    ; Берем сколько надо )))
    invoke GlobalAlloc, GMEM_FIXED or GMEM_ZEROINIT, eax
    mov snow, eax
    ret
GetMemory endp

To initialize it first

[r0ger]

Finally works, but doesn't show the snowflakes.

Update: Finally made the snowflakes working

Edited December 24, 2022 by r0ger

[r0ger]

one more problem.....when i try to close the aboutbox and reload it again , the snow speed starts to increase much faster even when i try to kill thread when exiting. Explanations ? i cannot seem to find out why is it increasing like that.

Update again : i had to make the stop variable to be set to FALSE on WM_INITDIALOG and then make it set to TRUE on WM_CLOSE and this prevents both the crash and the speed growth.

once again sorry for flooding, i was in a rush making an xmas-themed template and every time after i post something i always come up with a quick solution of fixing , idk why 😛

Edited December 24, 2022 by r0ger

[BataBo]

try resetting all the global variables that affect about box whenever you close it

[r0ger]

13 minutes ago, BataBo said:

try resetting all the global variables that affect about box whenever you close it

did that earlier and now it works.

idea: to prevent the flood of this section whenever i struggle with something on the gdi ripping stuff, i will be making another thread which would be only for GDI ripping solutions/suggestions/corrections/fixes only, and i will post there for now if i am struggling with some codes on some effects (which i have like a few).

and when posting the effect i want to rip, i would also include a link to the original keygen (unpacked) with the respective effect, along with the winASM project in which the effect is being ripped + its database in IDA Pro (if anyone has ida pro but i guess every reverser from this forum has it...)

Edited December 24, 2022 by r0ger
announcement