r0ger's GDI-ripping support thread

[r0ger]

Hi all.

In this thread, i will be posting different questions regarding the GDI-ripping of the effects i will be posting here, in case if i am struggling with some odd code found in IDA pro which may sometimes lead either to a GDI leak, or a glitch, or even to a crash.

now what effect i want to rip is the bitmap sinewave effect from one of FFF's keygens : AutoFTP.Premium.4.6_KEYGEN-FFF

what i am struggling is that i have the fstp lying around in the WM_TIMER which lead to error A2070: invalid instruction operands. if i insert "dword ptr" in the back of its value from the fstp function, leads to a crash. 

loc_40C57F:                             ; CODE XREF: sub_40C358+260j
		mov     eax, dword_4197C4
		add     eax, edi
		mov     [var_C4], eax
		fild    [var_C4]
		fld     tbyte_40CA00
		fmulp   st(1), st
		add     esp, 0FFFFFFF4h
		fstp    [esp+0ECh+var_EC] ; _TBYTE     <---- this
		wait
		call    sub_4026E0
		fild    dword_4197C8
		fmulp   st(1), st
		fstp    qword ptr [ebx]
		wait
		inc     edi
		add     ebx, 8
		dec     [var_30]
		jnz     short loc_40C57F

link to the .wap project file with the procedure of the bmp sinewave, and the unpacked version of the original keygen from which i've ripped the effect :

https://mega.nz/file/pc9w0TxQ#sfNdaT8YgliFoF1MIJOYsC2l_9Hfqz-TU8orUEGHs7M

i know the code is so messy but i was in a rush releasing an xmas themed keygen template...

Edited December 27, 2022 by r0ger

[sama]

@r0ger

i renamed 3 function for you for readibility

Randomize proc near

;var_88 	= dword ptr -8

		add esp, -8
		push esp 
		call QueryPerformanceCounter
		test eax, eax
		jz @F
		mov eax, dword ptr[esp]
		mov dword ptr[Seed], eax
		pop ecx
		pop edx
		retn

@@:
		call GetTickCount
		mov dword ptr[Seed], eax
		pop ecx
		pop edx
		retn
Randomize endp

RandomRange proc near
		push ebx
		push esi
		mov esi, edx
		mov ebx, eax
		cmp esi, ebx
		jge loc_407FB0
		mov eax, ebx
		sub eax, esi
		call RandomInt
		add eax, esi
		pop esi
		pop ebx
		ret

loc_407FB0:
		mov eax, esi
		sub eax, ebx
		call RandomInt
		add eax, ebx
		pop esi
		pop ebx
		ret
RandomRange endp

RandomInt proc uses ebx
		push ebx
		xor ebx, ebx
		imul edx, dword ptr[ebx+Seed], 8088405h
		inc edx
		mov dword ptr[ebx+Seed], edx
		mul edx
		mov eax, edx
		pop ebx
		ret
RandomInt endp

then i made  these changes

 loc_40C57F:                             ; CODE XREF: sub_40C358+260j
		mov     eax, dword_4197C4
		add     eax, edi
		mov     var_C4, eax
		fild    var_C4
		fld     tbyte_40CA00
		fmulp   st(1), st
		;add     esp, 0FFFFFFF4h
		fstp    var_EC ; _TBYTE
		wait
		call    sub_4026E0
		fild    dword_4197C8
		fmulp   st(1), st
		fstp    qword ptr [ebx]
		wait
		inc     edi
		add     ebx, 8
		dec     var_30
		jnz     short loc_40C57F

and ...

.data
;cy dd 064h
dword_4197B0	dd 064h
dword_4197C8 dd 2
dword_4197C4    dd 0

.data?
BmpWob		dd  ?
_h			dd  ?
hbm             dd ?
unk_4197A8      db    ? ;
				db    ? ;
				db    ? ;
				db    ? ;
cy              dd ?
dword_419798    dd ? 
dword_41979C    dd ? 
dword_4197A0    dd ?
;dword_4197B0	dd ?
dword_4197AC	dd ?
;dword_4197C4    dd ?                    ; DATA XREF: sub_40C358:loc_40C50Fr
                                         ; sub_40C358+1BEw ...
; dword_4197C8    dd ?                    ; DATA XREF: sub_40C358+1D9w
                                         ; sub_40C358+1EEr ...
 dword_4197CC    dd ?                    ; DATA XREF: sub_40C358+1D4r
                                         ; sub_40C358+1F6w ...
 dword_4197D0    dd ?                    ; DATA XREF: sub_40C358+117w
                                         ; sub_40C358+3A4r
 unk_4197D4      dd    ? ;               ; DATA XREF: sub_40C358+222o
                                         ; sub_40C358+379o
.
.
.
.data
AppName	db	"No1 Screen Capture 4.5.2",0
MsgCap		db	"yay!",0
MsgTxt		db	"serial copied to clipboard.",0
BmpRkt		RECT <>
Seed dd 0
tbyte_40CA00    REAL10 0.078537900000000000001

and btw your local var_EC must be of REAL10 type!

that thing is flickering like hell, you got a lot of work to do!

 

[r0ger]

@sama i tried everything you did on the effect, still got the same error.

[r0ger]

sorry guys i cannot wait that longer to release this keygen so i will be using a similar sinewave effect or just water effect, or even none. 

you guys can think more about this solution everytime, if you wish.

[kao]

There you go, have some fun.

 

If I may suggest - it's always easiest to rip the complete code from the keygen first, then make it working, and only afterwards try to put it into your own template.

Some things to remember - you need to use 256 color BMP file for this. And you must be very careful with window dimensions. I tried to comment the possible issues, check the code..

 

sine_scroll.zip

Edited December 30, 2022 by kao
more notes.

[r0ger]

okay, yet another issue i have found.

recently i've ripped an effect from one of iNFLUENCE keygens and when i try to load this into the form with invoke GetDC,xWnd , which i have applied on my main form, it crashes whenever i load it. But when i load it without the xWnd variable, the starfield effect is shown but only outside, and it does crash like after 10 or 15 seconds. does anyone know how would i get this issue over please ? 

 

Edited June 4, 2023 by r0ger
attachment removed - problem fixed

[kao]

13 hours ago, r0ger said:

when i load it without the xWnd variable, the starfield effect is shown but only outside

Since you commented out the assigment of xWnd, your code is calling GetDC with argument 0. From MSDN:

Quote

A handle to the window whose DC is to be retrieved. If this value is NULL, GetDC retrieves the DC for the entire screen.

 

13 hours ago, r0ger said:

it does crash

When you move local variables to globals, don't forget to fix all [EBP+xxxx] references. Specifically:

.data
psizl	tagSIZE <>
.code
lea eax, [ebp+psizl]	<--- this is almost guaranteed to crash
...
sub eax, [ebp+psizl.cy] <--- same
...
sub ebx, [ebp+psizl._cx]<--- same

                     

 

 

My suggestion from December still stands:

Quote

it's always easiest to rip the complete code from the keygen first, then make it working, and only afterwards try to put it into your own template.

 

[r0ger]

@kao

thanks for your suggestion once again, i've actually found out i need to remove the EBP global values and put "dword ptr" variables in order to make it work. havent noticed that but thanks again

[r0ger]

Hi all!

Since i haven't written anything here on this topic i will post it here because recently I am trying to rip a VU meter visualization from one of tPORt's cracks (DreamCoder_for_MySQL_Enterprise_v4.4.Patch.LaZzy.tPORt) . 

The thing is that i still don't get it why is it crashing like that even if i ripped it pretty fresh... any suggestions or tips on this one please?

I've included the .IDB file for the patch + the whole source code (the winASM project itself) in the rar file below.

 

VU_meter.rar

[The Binary Expert]

7 hours ago, r0ger said:

Hi all!

Since i haven't written anything here on this topic i will post it here because recently I am trying to rip a VU meter visualization from one of tPORt's cracks (DreamCoder_for_MySQL_Enterprise_v4.4.Patch.LaZzy.tPORt) . 

The thing is that i still don't get it why is it crashing like that even if i ripped it pretty fresh... any suggestions or tips on this one please?

I've included the .IDB file for the patch + the whole source code (the winASM project itself) in the rar file below.

 

VU_meter.rar 335.05 kB · 4 downloads

@r0ger Hello.

 

Quote

First chance exception on 00401576 (C0000005, EXCEPTION_ACCESS_VIOLATION)!

 

 

 

		push ebp
		mov ebp, esp
		add esp, 0FFFFFFECh
		xor eax, eax
		mov al, [arg_1C]
		rol eax, 8
		mov al, [arg_18]
		rol eax, 8
		mov al, [arg_14]
		push eax 	; color
		call CreateSolidBrush
		mov [hbr], eax
		push [arg_4]
		pop [rc1.left]

VU_meter.zip

Regards.

sean.

[r0ger]

hi @Sean Park - Lovejoy

i have updated all the variables you mentioned with byte ptr and dword ptr in that procedure you've mentioned and set the rc variable to global and it doesn't crash anymore but at least the VU meter shows up.

and now I have added uFMOD_GetStats to make the VU meter synchronize with the XM music . 

Thanks for your help

Edited May 5 by r0ger
yay made it working :D

[r0ger]

hi anyone,

one month ago i have downloaded an interesting spiral effect from this site: http://abreojosensamblador.epizy.com/?Tarea=5&SubTarea=5&Lang=1&i=1

and i have tried getting this to work on my next kg template but unfortunately it's causing GDI leak (bcs of the InvalidateRect function)...

is there any possibility to transform this into a thread (by using CreateThread function) and perhaps to prevent GDI leaking?

( ignore the algo pls, i was going to release a new interesting template 😕 )

 

Edited June 19 by r0ger
attachment removed - problem fixed

[fearless]

Few things i noticed that might help:

in WM_PAINT

invoke CreateSolidBrush,000000FFh

is always creating a brush, and not deleting it afterwards, ideally you would move this to WM_INITDIALOG or somewhere before dialog is created and save the brush handle globally to use every time, something like:

invoke CreateSolidBrush,000000FFh
mov hBackBrush, eax

then in WM_PAINT you only need to use hBackBrush for

invoke FrameRect, hdd, ebx, hBackBrush

But I would also remove the following at the start of WM_PAINT

        lea ebx,r3kt
        assume ebx:ptr RECT

and just use

invoke FrameRect, hdd, Addr r3kt, hBackBrush

In CreateSpiral function there is a GetDC, but no ReleaseDC, but as its only called once its a minor thing.

In ScrollThread there is multiple calls to GetDC without corresponding ReleaseDC at end of thread but looks like this thread is only called once and so few leaks wont impact it overall.

The call to InvalidateRect in WM_TIMER, calls WM_PAINT, which causes the brush to be created each time and thus leaks the gdi resources. And eventually will cause the crash.

I would probably restructure the code to make the spiral its own window control and handle its own drawing and update via a timer, and avoid having to create a thread at all.

Hope that helps.

 

[r0ger]

hi @fearless

thanks so much for your help!

after i did what you said the GDI objects have been reduced from 1000+ to only 37 objects.

problem solved !