r0ger Posted December 27, 2022

Hi all. In this thread I will be posting different questions regarding the GDI ripping of the effects I will be posting here, in case I am struggling with some odd code found in IDA Pro which may sometimes lead either to a GDI leak, or a glitch, or even to a crash.

Now, the effect I want to rip is the bitmap sinewave effect from one of FFF's keygens: AutoFTP.Premium.4.6_KEYGEN-FFF. What I am struggling with is that I have the fstp lying around in the WM_TIMER which leads to error A2070: invalid instruction operands. If I insert "dword ptr" in front of the fstp operand, it leads to a crash.

    loc_40C57F:                             ; CODE XREF: sub_40C358+260j
        mov     eax, dword_4197C4
        add     eax, edi
        mov     [var_C4], eax
        fild    [var_C4]
        fld     tbyte_40CA00
        fmulp   st(1), st
        add     esp, 0FFFFFFF4h
        fstp    [esp+0ECh+var_EC]           ; _TBYTE <---- this
        wait
        call    sub_4026E0
        fild    dword_4197C8
        fmulp   st(1), st
        fstp    qword ptr [ebx]
        wait
        inc     edi
        add     ebx, 8
        dec     [var_30]
        jnz     short loc_40C57F

Link to the .wap project file with the procedure of the bmp sinewave, and the unpacked version of the original keygen from which I've ripped the effect: https://mega.nz/file/pc9w0TxQ#sfNdaT8YgliFoF1MIJOYsC2l_9Hfqz-TU8orUEGHs7M

I know the code is very messy, but I was in a rush to release an Xmas-themed keygen template...

Edited December 27, 2022 by r0ger
sama Posted December 28, 2022

@r0ger I renamed 3 functions for you for readability:

    Randomize proc near
        ;var_88 = dword ptr -8
        add     esp, -8
        push    esp
        call    QueryPerformanceCounter
        test    eax, eax
        jz      @F
        mov     eax, dword ptr [esp]
        mov     dword ptr [Seed], eax
        pop     ecx
        pop     edx
        retn
    @@:
        call    GetTickCount
        mov     dword ptr [Seed], eax
        pop     ecx
        pop     edx
        retn
    Randomize endp

    RandomRange proc near
        push    ebx
        push    esi
        mov     esi, edx
        mov     ebx, eax
        cmp     esi, ebx
        jge     loc_407FB0
        mov     eax, ebx
        sub     eax, esi
        call    RandomInt
        add     eax, esi
        pop     esi
        pop     ebx
        ret
    loc_407FB0:
        mov     eax, esi
        sub     eax, ebx
        call    RandomInt
        add     eax, ebx
        pop     esi
        pop     ebx
        ret
    RandomRange endp

    RandomInt proc uses ebx
        push    ebx
        xor     ebx, ebx
        imul    edx, dword ptr [ebx+Seed], 8088405h
        inc     edx
        mov     dword ptr [ebx+Seed], edx
        mul     edx
        mov     eax, edx
        pop     ebx
        ret
    RandomInt endp

Then I made these changes:

    loc_40C57F:                             ; CODE XREF: sub_40C358+260j
        mov     eax, dword_4197C4
        add     eax, edi
        mov     var_C4, eax
        fild    var_C4
        fld     tbyte_40CA00
        fmulp   st(1), st
        ;add    esp, 0FFFFFFF4h
        fstp    var_EC                      ; _TBYTE
        wait
        call    sub_4026E0
        fild    dword_4197C8
        fmulp   st(1), st
        fstp    qword ptr [ebx]
        wait
        inc     edi
        add     ebx, 8
        dec     var_30
        jnz     short loc_40C57F

and ...

    .data
    ;cy          dd 064h
    dword_4197B0 dd 064h
    dword_4197C8 dd 2
    dword_4197C4 dd 0

    .data?
    BmpWob       dd ?
    _h           dd ?
    hbm          dd ?
    unk_4197A8   db ?
    ;            db ?
    ;            db ?
    ;            db ?
    ;cy          dd ?
    dword_419798 dd ?
    dword_41979C dd ?
    dword_4197A0 dd ?
    ;dword_4197B0 dd ?
    dword_4197AC dd ?
    ;dword_4197C4 dd ?            ; DATA XREF: sub_40C358:loc_40C50Fr ; sub_40C358+1BEw ...
    ;dword_4197C8 dd ?            ; DATA XREF: sub_40C358+1D9w ; sub_40C358+1EEr ...
    dword_4197CC dd ?             ; DATA XREF: sub_40C358+1D4r ; sub_40C358+1F6w ...
    dword_4197D0 dd ?             ; DATA XREF: sub_40C358+117w ; sub_40C358+3A4r
    unk_4197D4   dd ?             ; DATA XREF: sub_40C358+222o ; sub_40C358+379o
    . . .
    .data
    AppName      db "No1 Screen Capture 4.5.2",0
    MsgCap       db "yay!",0
    MsgTxt       db "serial copied to clipboard.",0
    BmpRkt       RECT <>
    Seed         dd 0
    tbyte_40CA00 REAL10 0.078537900000000000001

And btw, your local var_EC must be of REAL10 type!

That thing is flickering like hell, you've got a lot of work to do!
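As an added example (not sama's or r0ger's code), here is the same loop written so that the FPU temporaries are declared as typed locals, which is what the A2070 error is about: FSTP must know whether its destination is REAL4, REAL8 or REAL10, and an IDA-style `[esp+0ECh+var_EC]` expression carries no size. It uses FSIN in place of the keygen's sub_4026E0 call, and the amplitude constant, the procedure name and its parameters are assumed.

```asm
; Added example: sine table builder with typed FPU locals (MASM syntax).
.686
.model flat, stdcall
option casemap:none

.data
fStep   REAL10 0.078537900000000000001   ; same constant as tbyte_40CA00 above
fAmp    REAL8  20.0                       ; assumed amplitude in pixels

.code
; BuildSineTable: fills pTable (array of dwCount REAL8 values) with
;   pTable[i] = sin((dwPhase + i) * fStep) * fAmp
; Mirrors the ripped WM_TIMER loop, but computed with FSIN instead of
; the keygen's sub_4026E0 (assumed to be its sine routine).
BuildSineTable proc uses ebx edi pTable:DWORD, dwCount:DWORD, dwPhase:DWORD
    LOCAL dwIndex:DWORD        ; what IDA showed as var_C4
    LOCAL fAngle:REAL10        ; what IDA showed as var_EC; must be REAL10

    mov   ebx, pTable
    xor   edi, edi
    .while edi < dwCount
        mov   eax, dwPhase
        add   eax, edi
        mov   dwIndex, eax
        fild  dwIndex          ; st0 = phase + i
        fld   fStep
        fmulp st(1), st        ; st0 = (phase + i) * step
        fstp  fAngle           ; sized REAL10 destination, so no A2070
        fld   fAngle
        fsin                   ; st0 = sin(angle)
        fmul  fAmp             ; st0 = sin(angle) * amplitude
        fstp  REAL8 PTR [ebx]  ; store y as a double, like "fstp qword ptr [ebx]"
        fwait
        inc   edi
        add   ebx, 8
    .endw
    ret
BuildSineTable endp
end
```

This module has no entry point of its own; it is meant to be assembled alongside the rest of the template.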
r0ger Posted December 28, 2022

@sama I tried everything you did on the effect, still got the same error.
r0ger Posted December 29, 2022

Sorry guys, I cannot wait that long to release this keygen, so I will be using a similar sinewave effect or just a water effect, or even none. You guys can think more about this solution any time, if you wish.
kao Posted December 30, 2022

There you go, have some fun. If I may suggest - it's always easiest to rip the complete code from the keygen first, then make it work, and only afterwards try to put it into your own template. Some things to remember - you need to use a 256-color BMP file for this. And you must be very careful with window dimensions. I tried to comment the possible issues, check the code..

sine_scroll.zip

Edited December 30, 2022 by kao: more notes.
r0ger Posted June 3, 2023

Okay, yet another issue I have found. Recently I've ripped an effect from one of iNFLUENCE's keygens, and when I try to load this into the form with invoke GetDC,xWnd, which I have applied on my main form, it crashes whenever I load it. But when I load it without the xWnd variable, the starfield effect is shown but only outside, and it does crash after 10 or 15 seconds. Does anyone know how I would get over this issue please?

Edited June 4, 2023 by r0ger: attachment removed - problem fixed
kao Posted June 4, 2023

13 hours ago, r0ger said:
    when I load it without the xWnd variable, the starfield effect is shown but only outside

Since you commented out the assignment of xWnd, your code is calling GetDC with argument 0. From MSDN:

    A handle to the window whose DC is to be retrieved. If this value is NULL, GetDC retrieves the DC for the entire screen.

13 hours ago, r0ger said:
    it does crash

When you move local variables to globals, don't forget to fix all [EBP+xxxx] references. Specifically:

    .data
    psizl   tagSIZE <>

    .code
        lea     eax, [ebp+psizl]        ; <--- this is almost guaranteed to crash
        ...
        sub     eax, [ebp+psizl.cy]     ; <--- same
        ...
        sub     ebx, [ebp+psizl._cx]    ; <--- same

My suggestion from December still stands:

    it's always easiest to rip the complete code from the keygen first, then make it work, and only afterwards try to put it into your own template.
r0ger Posted June 4, 2023

@kao thanks for your suggestion once again. I've actually found out I need to remove the EBP global values and put "dword ptr" variables in order to make it work. Hadn't noticed that, but thanks again.
r0ger Posted May 3

Hi all! Since I haven't written anything here on this topic, I will post it here, because recently I am trying to rip a VU meter visualization from one of tPORt's cracks (DreamCoder_for_MySQL_Enterprise_v4.4.Patch.LaZzy.tPORt). The thing is that I still don't get why it is crashing like that, even though I ripped it pretty fresh... Any suggestions or tips on this one please? I've included the .IDB file for the patch + the whole source code (the WinASM project itself) in the rar file below.

VU_meter.rar
The Binary Expert Posted May 4

7 hours ago, r0ger said:
    Hi all! Since I haven't written anything here on this topic, I will post it here, because recently I am trying to rip a VU meter visualization from one of tPORt's cracks (DreamCoder_for_MySQL_Enterprise_v4.4.Patch.LaZzy.tPORt). The thing is that I still don't get why it is crashing like that, even though I ripped it pretty fresh... Any suggestions or tips on this one please? I've included the .IDB file for the patch + the whole source code (the WinASM project itself) in the rar file below.
    VU_meter.rar

@r0ger Hello.

    First chance exception on 00401576 (C0000005, EXCEPTION_ACCESS_VIOLATION)!

        push    ebp
        mov     ebp, esp
        add     esp, 0FFFFFFECh
        xor     eax, eax
        mov     al, [arg_1C]
        rol     eax, 8
        mov     al, [arg_18]
        rol     eax, 8
        mov     al, [arg_14]
        push    eax                 ; color
        call    CreateSolidBrush
        mov     [hbr], eax
        push    [arg_4]
        pop     [rc1.left]

VU_meter.zip

Regards.
sean.
r0ger Posted May 4

Hi @Sean Park - Lovejoy, I have updated all the variables you mentioned with byte ptr and dword ptr in that procedure you've mentioned and set the rc variable to global, and it doesn't crash anymore; at least the VU meter shows up. And now I have added uFMOD_GetStats to make the VU meter synchronize with the XM music. Thanks for your help.

Edited May 5 by r0ger: yay, made it work :D
r0ger Posted June 18

Hi anyone, one month ago I downloaded an interesting spiral effect from this site: http://abreojosensamblador.epizy.com/?Tarea=5&SubTarea=5&Lang=1&i=1 and I have tried getting this to work on my next kg template, but unfortunately it's causing a GDI leak (because of the InvalidateRect function)... Is there any possibility to transform this into a thread (by using the CreateThread function) and perhaps prevent the GDI leaking? (Ignore the algo pls, I was going to release a new interesting template 😕)

Edited June 19 by r0ger: attachment removed - problem fixed
fearless Posted June 19

A few things I noticed that might help:

In WM_PAINT, invoke CreateSolidBrush,000000FFh is always creating a brush, and not deleting it afterwards. Ideally you would move this to WM_INITDIALOG or somewhere before the dialog is created and save the brush handle globally to use every time, something like:

    invoke  CreateSolidBrush, 000000FFh
    mov     hBackBrush, eax

Then in WM_PAINT you only need to use hBackBrush for:

    invoke  FrameRect, hdd, ebx, hBackBrush

But I would also remove the following at the start of WM_PAINT:

    lea     ebx, r3kt
    assume  ebx:ptr RECT

and just use:

    invoke  FrameRect, hdd, Addr r3kt, hBackBrush

In the CreateSpiral function there is a GetDC, but no ReleaseDC; but as it's only called once, it's a minor thing.

In ScrollThread there are multiple calls to GetDC without a corresponding ReleaseDC at the end of the thread, but it looks like this thread is only called once, and so a few leaks won't impact it overall.

The call to InvalidateRect in WM_TIMER calls WM_PAINT, which causes the brush to be created each time and thus leaks the GDI resources. And eventually that will cause the crash.

I would probably restructure the code to make the spiral its own window control and handle its own drawing and update via a timer, and avoid having to create a thread at all.

Hope that helps.
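The brush lifetime fearless describes, as an added example (not the thread's or the template's code): the brush is created once in WM_INITDIALOG, WM_PAINT only uses it inside a BeginPaint/EndPaint pair (which also pairs the DC for you, unlike a bare GetDC), and WM_CLOSE deletes it exactly once. The names hBackBrush and r3kt come from the thread; the timer id and interval, DlgProc, and the MASM32 include set are assumed.

```asm
; Added example: GDI brush created once, used per paint, deleted once.
.686
.model flat, stdcall
option casemap:none
include windows.inc          ; MASM32 include set assumed
include user32.inc
include gdi32.inc
includelib user32.lib
includelib gdi32.lib

.data
r3kt       RECT <>           ; frame rectangle, filled in elsewhere
.data?
hBackBrush dd ?              ; the single brush handle, kept for the dialog's lifetime

.code
; DlgProc is passed to DialogBoxParam elsewhere (not shown).
DlgProc proc hWnd:DWORD, uMsg:DWORD, wParam:DWORD, lParam:DWORD
    LOCAL ps:PAINTSTRUCT
    LOCAL hdc:DWORD

    .if uMsg == WM_INITDIALOG
        ; create the brush once, so WM_PAINT never allocates a GDI object
        invoke CreateSolidBrush, 000000FFh
        mov    hBackBrush, eax
        invoke SetTimer, hWnd, 1, 40, NULL       ; assumed id 1, 40 ms
    .elseif uMsg == WM_TIMER
        ; only mark the area dirty; all drawing stays in WM_PAINT
        invoke InvalidateRect, hWnd, addr r3kt, FALSE
    .elseif uMsg == WM_PAINT
        ; BeginPaint/EndPaint own the DC; nothing is created or leaked here
        invoke BeginPaint, hWnd, addr ps
        mov    hdc, eax
        invoke FrameRect, hdc, addr r3kt, hBackBrush
        invoke EndPaint, hWnd, addr ps
    .elseif uMsg == WM_CLOSE
        ; stop repaints, then release the GDI object exactly once
        invoke KillTimer, hWnd, 1
        invoke DeleteObject, hBackBrush
        invoke EndDialog, hWnd, 0
    .else
        xor    eax, eax          ; FALSE: message not handled
        ret
    .endif
    mov    eax, TRUE
    ret
DlgProc endp
end
```

With this layout the GDI object count stays flat while the timer runs, which is the number to watch in Task Manager when checking a ripped effect.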
r0ger Posted June 19

Hi @fearless, thanks so much for your help! After I did what you said, the GDI objects have been reduced from 1000+ to only 37 objects. Problem solved!