Results 1 to 15 of 70

Thread: Thread for those crashing using the V1 or V2 sniffers ...

  1. #1
    Registered User
    Join Date
    Nov 2002
    Posts
    115

    Thread for those crashing using the V1 or V2 sniffers ...

    It's too confusing to sort through the 200+ posts trying to figure out if your crash matches someone else's, so I thought I'd start a new thread for those people who're crashing in an attempt to isolate the problem and shed some light on things.

    I'll begin with some basics before you post here:

    1. Tell me exactly what code revision you're compiling.
    2. Tell me exactly what modifications you've made to the source.
    3. Tell me what compiler you're using, and what service pack.
    4. I need your OS version + service packs, processor type and RAM.
    5. If you're running known hooking programs like Windowblinds or DesktopX or some of the other Stardock products, I need to know.
    6. Include your debug output in the message. You can't just get it from running in the debugger because the sniffer attaches to the EQ process which isn't under the debugger. To get it, download DebugView from SysInternals and run it while running the sniffer.
    7. Give me the exact and full crash information as given by Windows.
    8. Read all posts here before posting your crash! If nothing matches your circumstances, or the issue is unresolved, then post, but not before!

    Maggotboy

  2. #2
    Registered User
    Join Date
    Nov 2002
    Posts
    115
    So far, the most frequent problems in the V1 and V2 code have been:

    RUNDLL32 doesn't unload. Supposedly solved in V1.4 and V2.05
    EQ crashes right after a keypress. Unresolved, make sure you're compiling using the latest codebase.
    EQ starts dogging down after a while and eventually crashes while using the sniffer. Compiling problem, most likely, post if you're encountering this

    I'll add to this list if necessary as more problems are encountered. Please note that the V2 codebase uses some potentially "unsafe" methods to inject its code into EQ's unused memory ... If you want system-compliance and maximum compatibility, use the V1 codebase. V2 is a work-in-progress.

    Maggotboy

  3. #3
    Registered User
    Join Date
    Nov 2002
    Posts
    59

    Exception error running DLL

    Started compiling with 2.04

    1) Problem with 2.04 and 2.05.
    2) Modified source following your instructions: function names, additional garbage defs, modified offset, renamed DLL. Compiled with debug lines out until I started trying to figure this out, then put them back in. 0 errors, 0 warnings (after typo repairs). I receive the same error after compiling when I only changed the DLL and function names.
    3) MSVC++ 6 .. Enterprise. Loaded SP5. Basic Load no SDK's or additions. Loaded just for this compile.
    4) WinXP SP1 P4 2.2G GigRAM
    5) Not running any known hooking programs.
    6)

    Microsoft (R) Windows Debugger Version 6.1.0009.0
    Copyright (c) Microsoft Corporation. All rights reserved.

    CommandLine: C:\WINDOWS\system32\rundll32.exe XXXXX.DLL,XXXXX 999.999.1.103 6969 eqgame.exe 0x00778AAD0
    Symbol search path is: *** Invalid *** : Verify _NT_SYMBOL_PATH setting
    Executable search path is:
    ModLoad: 01000000 0100a000 rundll32.exe
    ModLoad: 77f50000 77ff7000 ntdll.dll
    ModLoad: 77e60000 77f46000 C:\WINDOWS\system32\kernel32.dll
    ModLoad: 77c10000 77c63000 C:\WINDOWS\system32\msvcrt.dll
    ModLoad: 77c70000 77cb0000 C:\WINDOWS\system32\GDI32.dll
    ModLoad: 77d40000 77dcc000 C:\WINDOWS\system32\USER32.dll
    ModLoad: 77dd0000 77e5d000 C:\WINDOWS\system32\ADVAPI32.dll
    ModLoad: 78000000 78086000 C:\WINDOWS\system32\RPCRT4.dll
    ModLoad: 76c90000 76cb2000 C:\WINDOWS\system32\IMAGEHLP.dll
    (7e0.284): Break instruction exception - code 80000003 (first chance)
    eax=00181eb4 ebx=7ffdf000 ecx=00000004 edx=77f6eb10 esi=00181eb4 edi=00181f48
    eip=77f767cd esp=0006fb38 ebp=0006fc2c iopl=0 nv up ei pl nz na pe nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
    ntdll!DbgBreakPoint:
    77f767cd cc int 3

    7) Windivll was having same/similar problem.. his output listing in other thread is...

    "With version 1.4 or 2.0 I get the following error dialog box:
    An exption occurred while trying to run "mydll.dll,myInstallHook x.x.x.x 5555 eqgame.exe 0x0078AAD0"

    It stop on the return statement in the debugger:

    #include <windows.h>

    // Hook handle returned by SetWindowsHookEx; defined elsewhere in the source.
    extern HHOOK gsh_hHook;

    // Global hook procedure which captures all mouse events for all processes.
    LRESULT CALLBACK EQHOOKPROC(int nCode, WPARAM wParam, LPARAM lParam)
    {
        // Do-nothing hook procedure: pass every event on to the next hook in the chain.
        return CallNextHookEx(gsh_hHook, nCode, wParam, lParam);
    }

    It was working great with one of the older version of 2. However I seem to have copied over the working code
    "

    That is my error as well... with my exception spelled this way.

    8) I think I covered all the postings so far. Best I can tell.. it appears the CALLNEXTHOOKEX is the area of interest but I haven't figured out why it's not available to me yet. My USER32.dll is the updated one from the SP5.

    9) I might be off base.. and this is not needed .. but.. I'm using a Microsoft Optical wheel 5 button mouse on my system. Dunno why I thought this info might be wanted.

    10) In my compiler.. my listed external dependencies are "basethd.h". That's it. No header files.. no resource files.

    I did edit/change my DLL name, IP etc. with these listings here. If those are required I will gladly cut/paste here if you desire.

    Thank you SOO much Maggotboy.


    *PS* .. I'm quite the code/compile noobie.. so.. this could likely be a very noobie problem.
    Last edited by cryptorad; 11-23-2002 at 02:05 PM.

  4. #4
    Registered User
    Join Date
    Nov 2002
    Posts
    1
    1. V2.05

    2. None (other than setting the project name in the def file)

    3. VSC++6, no sp, base installation.

    4. Win2KAS, SP3, AMD1.2GHz, 512MB RAM

    5. No hook progs

    6. N/A

    7. N/A


    I'm really just here to say that it worked. Other than the time installing and reading through the cpp instructions, cvs'ing my showeq and recompiling with the recent libEQ.a, the dll went together like a dream. Pretty colored dots in no time.

    I'm set to dual-boot w/XP so I'll switch over and see how it works with that OS.

    You dev folks are the shizz. I haven't seen such fervor and activity on these threads up until the end of Oct.

    Anyone concerned about the free development that Sony is getting from this community? I mean, you pay them money to play the game and then go out and do all this work to stress test security measures with no billable hours. Yeah, that's probably best left for another thread. . .

  5. #5
    Registered User
    Join Date
    Nov 2002
    Posts
    3
    I have the same problem as cryptorad.

    WinXP P1.5 786Mb RAM & MS Optical Mouse

    I had followed the instructions to the letter but to no avail

    However an earlier version did work for me!

    BTW - Nice work Maggotboy!

    I'll post all my info when I get home tonight.
    Last edited by Stormdvill; 11-24-2002 at 12:10 PM.

  6. #6
    Registered User
    Join Date
    Nov 2002
    Posts
    59

    Maggotboy

    Do you need more information than what is posted above? If so.. can you hint me towards what you need. I'll try to provide it the best I can.

    I have continued to work on this.. checking everything I can think of that might be at issue.. but have not narrowed down to anything worth reporting yet except maybe this.

    If I force the continuation of the file in the windows debugger.. I get the following output.. which is additional to what I provided before..

    Microsoft (R) Windows Debugger Version 6.1.0009.0
    Copyright (c) Microsoft Corporation. All rights reserved.

    CommandLine: C:\WINDOWS\rundll32.exe test2.dll,HookProc 192.168.1.103 eqgame.exe 0x0078AAD0
    Symbol search path is: *** Invalid *** : Verify _NT_SYMBOL_PATH setting
    Executable search path is:
    ModLoad: 01000000 0100a000 rundll32.exe
    ModLoad: 77f50000 77ff7000 ntdll.dll
    ModLoad: 77e60000 77f46000 C:\WINDOWS\system32\kernel32.dll
    ModLoad: 77c10000 77c63000 C:\WINDOWS\system32\msvcrt.dll
    ModLoad: 77c70000 77cb0000 C:\WINDOWS\system32\GDI32.dll
    ModLoad: 77d40000 77dcc000 C:\WINDOWS\system32\USER32.dll
    ModLoad: 77dd0000 77e5d000 C:\WINDOWS\system32\ADVAPI32.dll
    ModLoad: 78000000 78086000 C:\WINDOWS\system32\RPCRT4.dll
    ModLoad: 76c90000 76cb2000 C:\WINDOWS\system32\IMAGEHLP.dll
    (674.644): Break instruction exception - code 80000003 (first chance)
    eax=00181eb4 ebx=7ffdf000 ecx=00000004 edx=77f6eb10 esi=00181eb4 edi=00181f48
    eip=77f767cd esp=0006fb38 ebp=0006fc2c iopl=0 nv up ei pl nz na pe nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
    ntdll!DbgBreakPoint:
    77f767cd cc int 3
    0:000> g
    ModLoad: 10000000 10011000 C:\WINDOWS\test2.dll
    ModLoad: 71ad0000 71ad8000 C:\WINDOWS\System32\WSOCK32.dll
    ModLoad: 71ab0000 71ac5000 C:\WINDOWS\System32\WS2_32.dll
    ModLoad: 71aa0000 71aa8000 C:\WINDOWS\System32\WS2HELP.dll
    Ignoring process attach request for C:\WINDOWS\RUNDLL32.EXE
    ModLoad: 5ad70000 5ada4000 C:\WINDOWS\System32\uxtheme.dll
    (674.644): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=43e20000 ebx=00000000 ecx=43e20000 edx=0003022c esi=7ffde000 edi=00000000
    eip=77d47e7f esp=0006fee8 ebp=0006fefc iopl=0 nv up ei pl nz na po cy
    cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010207
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\USER32.dll -
    USER32!CallNextHookEx+4c:
    77d47e7f 8b4114 mov eax,[ecx+0x14] ds:0023:43e20014=????????
    *** WARNING: Unable to verify checksum for C:\WINDOWS\test2.dll
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\test2.dll -
    0:000> g
    eax=77c3c7f0 ebx=00000000 ecx=77c3b9f6 edx=00000000 esi=77f7663e edi=00000000
    eip=7ffe0304 esp=0006fe60 ebp=0006ff58 iopl=0 nv up ei pl nz na pe nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
    SharedUserData!SystemCallStub+4:
    7ffe0304 c3 ret


    Also.. I still get the exception error message and I wind up with rundll32 in the task manager. I press continue two times (marked by the 0:000>g portions). I loaded all the debug symbols to my system from MS.com because I felt the first error was referring to missing symbols for debugging only. It did not resolve the issue.

    You asked for Debugview info from SysInternals ( I missed that before somehow.) I just loaded it and executed once.. and received this one message. I will be checking to see if I can get more verbose with it now.

    [1348] Ignoring process attach request for C:\WINDOWS\SYSTEM32\RUNDLL32.EXE


    If you can suggest any other tests.. please do.

    Thanks in advance.
    Last edited by cryptorad; 11-24-2002 at 07:25 PM.

  7. #7
    Registered User
    Join Date
    Nov 2002
    Posts
    115

    Re: Maggotboy

    Originally posted by cryptorad
    Microsoft (R) Windows Debugger Version 6.1.0009.0
    Copyright (c) Microsoft Corporation. All rights reserved.

    CommandLine: C:\WINDOWS\rundll32.exe test2.dll,HookProc 192.168.1.103 eqgame.exe 0x0078AAD0
    This is telling ... it tells me you're calling rundll32.exe test2.dll,HookProc instead of rundll32.exe test2.dll,InstallHook

    You'll get immediate exception errors if you call HookProc from RUNDLL32!

    Maggotboy
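
Added example, not code from this thread or from the sniffer source: a small triage script for the kind of WinDbg transcript cryptorad pasted in #6. It pulls out the rundll32 command line, each exception banner together with the register dump that follows it, the faulting symbol and the disassembled instruction, and then recomputes the memory operand from the register dump to confirm the address WinDbg printed as unreadable. The abridged transcript constant copies values from the transcript above; the expected entry point name (InstallHook, as Maggotboy points out in #7) is an assumption of this example, not something read from the DLL.

```python
"""Triage of a WinDbg/cdb text transcript from a rundll32 launch.

Added example, not code from this thread or from the sniffer source.
Parses the CommandLine banner, exception banners, the register dump under
each banner, the faulting symbol and instruction, then recomputes the
instruction's memory operand from the registers.
"""
import re
from dataclasses import dataclass, field

CMDLINE_RE = re.compile(r"^CommandLine:\s+(?P<exe>\S+)\s+(?P<dll>[^,\s]+),(?P<entry>\S+)\s*(?P<args>.*)$")
EXC_RE = re.compile(r"^\((?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)\):\s+(?P<name>.+?) - code "
                    r"(?P<code>[0-9a-f]{8}) \((?P<chance>first|second) chance\)$")
PROMPT_RE = re.compile(r"^\d+:\d+>")                      # "0:000> g" ends the current stop
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[sbi]p)=([0-9a-f]{8})")
SYMBOL_RE = re.compile(r"^[\w.]+!\w+(?:\+[0-9a-f]+)?:$")   # e.g. USER32!CallNextHookEx+4c:
INSN_RE = re.compile(r"^[0-9a-f]{8}\s+[0-9a-f]+\s+(?P<mnem>\w+)\s+(?P<ops>.*?)"
                     r"(?:\s+ds:[0-9a-f]{4}:(?P<target>[0-9a-f]{8})=\S+)?$")
MEMOP_RE = re.compile(r"\[(?P<base>e[abcd]x|e[sd]i|e[sbi]p)(?:\+0x(?P<disp>[0-9a-f]+))?\]")

# Abridged from the transcript posted in #6 (values copied, lines trimmed).
SAMPLE = """\
CommandLine: C:\\WINDOWS\\rundll32.exe test2.dll,HookProc 192.168.1.103 eqgame.exe 0x0078AAD0
ModLoad: 01000000 0100a000 rundll32.exe
(674.644): Break instruction exception - code 80000003 (first chance)
eax=00181eb4 ebx=7ffdf000 ecx=00000004 edx=77f6eb10 esi=00181eb4 edi=00181f48
eip=77f767cd esp=0006fb38 ebp=0006fc2c iopl=0 nv up ei pl nz na pe nc
ntdll!DbgBreakPoint:
77f767cd cc int 3
0:000> g
ModLoad: 10000000 10011000 C:\\WINDOWS\\test2.dll
(674.644): Access violation - code c0000005 (first chance)
eax=43e20000 ebx=00000000 ecx=43e20000 edx=0003022c esi=7ffde000 edi=00000000
eip=77d47e7f esp=0006fee8 ebp=0006fefc iopl=0 nv up ei pl nz na po cy
USER32!CallNextHookEx+4c:
77d47e7f 8b4114 mov eax,[ecx+0x14] ds:0023:43e20014=????????
"""


@dataclass
class Fault:
    name: str
    code: str
    chance: str
    regs: dict = field(default_factory=dict)
    symbol: str = ""
    insn: str = ""
    target: str = ""     # address WinDbg could not read (ds:0023:ADDR=????????)
    effective: str = ""  # the same address recomputed as base register + displacement


@dataclass
class Triage:
    exe: str = ""
    dll: str = ""
    entry: str = ""
    args: str = ""
    faults: list = field(default_factory=list)


def parse_transcript(text):
    """One pass over the transcript; registers, symbol and instruction are
    attached to the most recent exception banner until the next prompt."""
    t = Triage()
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = CMDLINE_RE.match(line)
        if m:
            t.exe, t.dll, t.entry, t.args = m.group("exe", "dll", "entry", "args")
            continue
        m = EXC_RE.match(line)
        if m:
            cur = Fault(m["name"], m["code"], m["chance"])
            t.faults.append(cur)
            continue
        if PROMPT_RE.match(line):
            cur = None
            continue
        if cur is None:
            continue
        regs = REG_RE.findall(line)
        if regs:
            cur.regs.update({r: int(v, 16) for r, v in regs})
        elif SYMBOL_RE.match(line):
            cur.symbol = line.rstrip(":")
        else:
            m = INSN_RE.match(line)
            if m and not cur.insn:
                cur.insn = f"{m['mnem']} {m['ops']}".strip()
                cur.target = m["target"] or ""
                mem = MEMOP_RE.search(m["ops"])
                if mem and mem["base"] in cur.regs:
                    ea = cur.regs[mem["base"]] + int(mem["disp"] or "0", 16)
                    cur.effective = f"{ea & 0xFFFFFFFF:08x}"
    return t


def explain(t, expected_entry="InstallHook"):
    """Short findings. expected_entry is the export rundll32 should be given
    (InstallHook per #7); an assumption of this example, not read from the DLL."""
    findings = []
    if t.entry and t.entry != expected_entry:
        findings.append(f"rundll32 was pointed at {t.dll},{t.entry}; expected {t.dll},{expected_entry}")
    for f in t.faults:
        if f.code == "80000003":
            continue  # initial debugger break (int 3), not a crash
        msg = f"{f.name} ({f.code}, {f.chance} chance) in {f.symbol or '?'}: {f.insn}"
        if f.target and f.effective:
            verdict = "matches" if f.target == f.effective else "does NOT match"
            msg += f"; base+disp from the register dump = {f.effective}, which {verdict} the unreadable address {f.target}"
        findings.append(msg)
    return findings


if __name__ == "__main__":
    for line in explain(parse_transcript(SAMPLE)):
        print(line)
```

Run stand-alone it prints two findings: the entry-point mismatch from the CommandLine banner, and the access violation inside USER32!CallNextHookEx with ecx+0x14 recomputed to the same 43e20014 that WinDbg could not read, which is what ties the crash back to a hook handle that was never set up because InstallHook never ran.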

  8. #8
    Registered User
    Join Date
    Nov 2002
    Posts
    3
    OMG...thank you maggotboy for your patience. I made a poor mistake...I switched the two defines and it's up...No one ever said I was smart

    You rock!

  9. #9
    Registered User
    Join Date
    Nov 2002
    Posts
    3

    gonna try one more thing

    Thanks for the reply on the other thread cryptorad. Before I hit the sack tonight I'm gonna try and compile this on the win98 machine I referred to in the other post, see if that makes a difference or not. Thought this might be useful as the DLLs made by the other two would not run on any of the three machines, and if it's universal we might establish a better link. I'll post results as soon as I have 'em.

  10. #10
    Registered User
    Join Date
    Nov 2002
    Posts
    59

    Maggotboy..

    Ayep.. that was the noob mistake I was making Maggotboy.

    Your example in the comments of the source referred to the right function. I had already changed the names right off and simply called the first one in line each time. I had just gone back to unmodified code trying to minimize differences in an effort to isolate the error, and you got it right off. A little better RTFM would have served me well.

    All up and working great now.

    Thank you very much.
    Last edited by cryptorad; 11-25-2002 at 09:01 AM.

  11. #11
    Registered User
    Join Date
    Jan 2002
    Posts
    17
    Not sure if I ran the DebugView program right, this is all I got.

    [2560] Ignoring process attach request for C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
    [2560] Creating event handle "6.tmp"
    [1660] time()-cpuSpeed:2196687
    [1660] TimeGetTime-cpuSpeed: 2218778
    [1660] Found EQ Process!
    [1660] Injecting code length 37888 ...
    [1660] Code allocated at 0x05D70000
    [1660] Setting hook procedure...
    [1660] Opening global event "6.tmp"

    Using sniffer 2.05

    For the sake of testing did not make any modifications other than change the definition file to have the project name of MyFirstDll2

    Microsoft Visual C++ .NET 7.0.9466

    Microsoft Windows XP Professional 5.1.2600 SP 1.0

    Mobile Intel(R) Pentium(R) 4 - M CPU 2.20GHz
    1GB RAM

    Crash is after keypress, I can use mouse and click around for what that is worth, just whenever I hit a key, it's poof back to windows.

  12. #12
    Registered User
    Join Date
    Nov 2002
    Posts
    7
    Hi maggotboy,

    I hope this'll help you with the "unloading RunDll32" problem...

    eqsniffer code (V2.05) as supplied works 100% fine under WinNT, but fails to unload RunDll32.exe in WinME...

    specifically, the call to GetTempFileName fails on WinME, unless changed to the following:

    GetTempFileName(_T("."), _T(""), 0, gsh_szEvent);

    works fine for me with that change in
    Last edited by emmt33; 11-25-2002 at 03:32 PM.

  13. #13
    Registered User
    Join Date
    Nov 2002
    Posts
    5

    same as troll

    [1060] time()-cpuSpeed:1816069
    [1060] TimeGetTime-cpuSpeed: 1844513
    [1060] Found EQ Process!
    [1060] Injecting code length 37888 ...
    [1060] Code allocated at 0x097D0000
    [1060] Setting hook procedure...
    [1060] Opening global event "42.tmp"

    This is what I get with version 2.05 of the dll. compiled on windows 2000 with visual studio .net. Followed the destructions perfectly and EQ crashes at the first keypress.

    Hope this helps! and thanks for all your time so far

  14. #14
    Registered User
    Join Date
    Jun 2002
    Posts
    23
    [1084] Creating event handle "16.tmp"
    [972] time()-cpuSpeed:1204442
    [972] TimeGetTime-cpuSpeed: 1216500
    [972] Found EQ Process!
    [972] Injecting code length 37888 ...
    [972] Code allocated at 0x098C0000
    [972] Setting hook procedure...
    [972] Opening global event "16.tmp"


    Win2K Sp5
    Sniffer 2.05
    VS.NET 7.0.9492
    .NET framework 1.0.3705



    First keystroke dumps Eqgame.exe
    Last edited by falkore; 11-25-2002 at 10:54 PM.

  15. #15
    Registered User
    Join Date
    Dec 2001
    Posts
    8

    Debug info

    [1632] Found EQ Process!
    [1632] Injecting code length 37888 ...
    [1632] Code allocated at 0x09860000
    [1632] Setting hook procedure...
    [1632] Opening global event "75.tmp"
    AgpInterfaceReleaseMemory - releasing range e1b4e228, 510 pages at e0200000
    AgpInterfaceReleaseMemory - releasing range e11743c8, 110 pages at e0710000
    AgpMasterDispatchPnp: IRP 0x8
    AgpMasterDispatchPnp: IRP 0x8
    AgpMasterDispatchPnp: IRP 0x8

    When I click accept on the EULA, hit space bar on the 1st splash screen it dumps to desktop.

    Compiled on WinXP, VS .NET all settings specified in the source.
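
Added example, not code from this thread or from the sniffer source: a reader for DebugView captures like the ones in #11, #13, #14 and #15. DebugView prefixes every line with the emitting process id in brackets, and the captures here come from two processes: the rundll32 side, which creates the named event, and the game process side, which reports finding EQ, injecting code, setting the hook and opening that same event. The script groups lines by pid, pairs the creator and opener of each event by name, checks that the injected side reported its steps in the expected order, and notes what is missing, for instance the capture in #15 that shows the opener but not the creator. The sample constant is built from the lines posted above; the expected step order is an assumption taken from those same captures, not from the sniffer's source.

```python
"""Correlate DebugView (OutputDebugString) lines from the sniffer's two halves.

Added example, not code from this thread or from the sniffer source.
Groups captured lines by pid, pairs "Creating event handle" with
"Opening global event" by event name, and checks the injection steps.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^\[(?P<pid>\d+)\]\s+(?P<msg>.*)$")
CREATE_RE = re.compile(r'Creating event handle "(?P<name>[^"]+)"')
OPEN_RE = re.compile(r'Opening global event "(?P<name>[^"]+)"')
INJECT_RE = re.compile(r"Injecting code length (?P<len>\d+)")
ALLOC_RE = re.compile(r"Code allocated at 0x(?P<addr>[0-9A-Fa-f]+)")

# Step order seen on the game-process side in every capture in this thread
# (an assumption of this example; the sniffer source may emit more lines).
EXPECTED_ORDER = [
    "Found EQ Process!",
    "Injecting code length",
    "Code allocated at",
    "Setting hook procedure...",
    "Opening global event",
]

# Constructed sample: the capture from #11 followed by the one from #15,
# including one kernel-mode line without a [pid] prefix.
SAMPLE = """\
[2560] Ignoring process attach request for C:\\WINDOWS\\SYSTEM32\\RUNDLL32.EXE
[2560] Creating event handle "6.tmp"
[1660] time()-cpuSpeed:2196687
[1660] TimeGetTime-cpuSpeed: 2218778
[1660] Found EQ Process!
[1660] Injecting code length 37888 ...
[1660] Code allocated at 0x05D70000
[1660] Setting hook procedure...
[1660] Opening global event "6.tmp"
[1632] Found EQ Process!
[1632] Injecting code length 37888 ...
[1632] Code allocated at 0x09860000
[1632] Setting hook procedure...
[1632] Opening global event "75.tmp"
AgpInterfaceReleaseMemory - releasing range e1b4e228, 510 pages at e0200000
"""


def parse_debugview(text):
    """Map pid -> list of messages, in capture order; unprefixed lines are skipped."""
    by_pid = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            by_pid[int(m["pid"])].append(m["msg"])
    return by_pid


def steps_in_order(msgs):
    """True when every EXPECTED_ORDER prefix appears in msgs, in that order."""
    pos = 0
    for step in EXPECTED_ORDER:
        while pos < len(msgs) and not msgs[pos].startswith(step):
            pos += 1
        if pos == len(msgs):
            return False
        pos += 1
    return True


def inject_details(msgs):
    """Injected code length and allocation address reported by one process."""
    length = addr = None
    for msg in msgs:
        m = INJECT_RE.search(msg)
        if m:
            length = int(m["len"])
        m = ALLOC_RE.search(msg)
        if m:
            addr = int(m["addr"], 16)
    return {"length": length, "address": addr}


def correlate(by_pid):
    """One record per event name: creator pid, opener pid, opener-side details."""
    events = {}
    for pid, msgs in by_pid.items():
        for msg in msgs:
            m = CREATE_RE.search(msg)
            if m:
                events.setdefault(m["name"], {})["creator"] = pid
            m = OPEN_RE.search(msg)
            if m:
                rec = events.setdefault(m["name"], {})
                rec["opener"] = pid
                rec["steps_ok"] = steps_in_order(msgs)
                rec["inject"] = inject_details(msgs)
    return events


def report(text):
    """Per-event summary with the last message the opener emitted and any gaps."""
    by_pid = parse_debugview(text)
    out = []
    for name, rec in sorted(correlate(by_pid).items()):
        problems = []
        if "creator" not in rec:
            problems.append("no 'Creating event handle' line captured for this event")
        if "opener" not in rec:
            problems.append("no process opened the event (hook DLL never reached the game process)")
        elif not rec["steps_ok"]:
            problems.append("injection steps missing or out of order")
        last = by_pid[rec["opener"]][-1] if "opener" in rec else None
        out.append({"event": name, **rec, "last_msg": last, "problems": problems})
    return out


if __name__ == "__main__":
    for rec in report(SAMPLE):
        print(rec)
```

The useful observation this makes visible across the captures in the thread is that every crashing setup reports the full sequence up to "Opening global event" and nothing after it, so the DebugView side alone cannot distinguish the keypress crashes from each other; the WinDbg transcript, not DebugView, is where the faulting instruction shows up.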
