Bit Twiddling Part 2 — Reverse engineering Profesor Klaus Intensywny Kurs to fix missing microphone — Profesor Klaus Intensywny Kurs bez mikrofonu
Random IT Utensils (https://blog.adamfurmanek.pl), Sat, 05 Sep 2020 08:00:31 +0000
https://blog.adamfurmanek.pl/2020/09/05/reverse-engineering-profesor-klaus-intensywny-kurs-to-fix-missing-microphone/

This is the second part of the Bit Twiddling series. For your convenience you can find the other parts in the table of contents in Part 1 — Modifying Android application on a binary level.

Word of warning: if you came to this post only to find the solution and you are not interested in the explanation of how to do it, then scroll down to the last section. I don’t expect any non-Polish speaker to do that, so that section is not in English. And now the same warning in Polish (translated here):

Attention! If you are interested in how Profesor Klaus Intensywny Kurs could be run without a microphone, scroll down to the last section of this post. Most of the information here concerns something else. This post is educational in nature and is not an encouragement to modify the application, break the licence, or interfere with the software in any other way.

Also, this post is for educational purposes only. I am not encouraging anyone to modify the application or break the license agreements.

Today a short reverse engineering story about fixing the application Profesor Klaus Intensywny Kurs. It is a Polish application for learning the German language. It checks for a microphone at start-up and shuts down when none is available. The microphone is not needed at all, however. Since I was using it in a remote desktop scenario without a Remote Desktop Session Host (in Administrator licensing mode on Windows Server), I was looking for a workaround.

Reverse engineering the application

And another word of warning: I am not a reverse engineer and I don’t do it in an optimal way. There are probably better tools and approaches. If you are looking for best practices — that’s probably not the right place.

Okay, let’s go. The only thing I knew about the application was that it checks for the microphone when started and then exits if it cannot find one. So let’s launch API Monitor and see what it does. Start API Monitor, select the “Audio and Video” APIs, add a breakpoint on waveInGetNumDevs and run the application, like this:

It immediately shows this:

Okay, so some API is called. Let’s continue a few times, and then the message dialog appears saying that the application won’t run.

Let’s try it again. This time, let’s attach WinDBG the first time the audio API is called. Let’s run it and then see this:

0:003> g
(3068.18e4): Unknown exception - code 0eedfade (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\Program Files (x86)\Profesor Klaus - Intensywny kurs\Intensywny_kurs.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files (x86)\Profesor Klaus - Intensywny kurs\Intensywny_kurs.exe
eax=0018fa80 ebx=03c635c0 ecx=00000007 edx=00000000 esi=00000002 edi=03c8c4d0
eip=75414e28 esp=0018fa80 ebp=0018fadc iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
KERNELBASE!RaiseException+0x48:
75414e28 8b4c2454        mov     ecx,dword ptr [esp+54h] ss:002b:0018fad4=47b481ba

We have an exception with code 0eedfade. This is the well-known code the Delphi runtime uses for its own language exceptions. Let’s start the application again and break on that exception as soon as it is raised:

0:001> sxe 0eedfade  
0:001> g
(23a0.3210): Unknown exception - code 0eedfade (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\Program Files (x86)\Profesor Klaus - Intensywny kurs\Intensywny_kurs.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files (x86)\Profesor Klaus - Intensywny kurs\Intensywny_kurs.exe
eax=0018fa80 ebx=03ad35c0 ecx=00000007 edx=00000000 esi=00000002 edi=03afc4d0
eip=75414e28 esp=0018fa80 ebp=0018fadc iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
KERNELBASE!RaiseException+0x48:
75414e28 8b4c2454        mov     ecx,dword ptr [esp+54h] ss:002b:0018fad4=01acbcce
0:000> ~0s
eax=0018fa80 ebx=03ad35c0 ecx=00000007 edx=00000000 esi=00000002 edi=03afc4d0
eip=75414e28 esp=0018fa80 ebp=0018fadc iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
KERNELBASE!RaiseException+0x48:
75414e28 8b4c2454        mov     ecx,dword ptr [esp+54h] ss:002b:0018fad4=01acbcce
0:000> kb
ChildEBP RetAddr  Args to Child              
0018fadc 0055309c 0eedfade 00000001 00000007 KERNELBASE!RaiseException+0x48
WARNING: Stack unwind information not available. Following frames may be wrong.
0018fb2c 005533f6 0018fb58 00404f1d 0018fb50 Intensywny_kurs+0x15309c
0018fb50 006f5142 0018fb64 006f5155 0018fda8 Intensywny_kurs+0x1533f6
0018fda8 0047527b 0018fde0 00475285 0018fdcc Intensywny_kurs+0x2f5142
0018fdcc 00474ed3 006f3d60 006f3d60 00404f6c Intensywny_kurs+0x7527b
0018fdfc 00474ea9 0018ff34 00404f1d 0018ff2c Intensywny_kurs+0x74ed3
0018ff2c 0047e805 0018ff40 0047e80f 0018ff60 Intensywny_kurs+0x74ea9
0018ff60 006fbce5 006fbba0 7ffde000 00007ff8 Intensywny_kurs+0x7e805
0018ff80 76d96a14 7ffde000 76d969f0 344884a0 Intensywny_kurs+0x2fbce5
0018ff94 7778adcf 7ffde000 11fdba68 00000000 KERNEL32!BaseThreadInitThunk+0x24
0018ffdc 7778ad9a ffffffff 7777011e 00000000 ntdll!__RtlUserThreadStart+0x2f
0018ffec 00000000 006fbba0 7ffde000 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> u Intensywny_kurs+0x15309c-5
Intensywny_kurs+0x153097:
00553097 e86c24ebff      call    Intensywny_kurs+0x5508 (00405508)
0055309c 6a20            push    20h
0055309e 8b431c          mov     eax,dword ptr [ebx+1Ch]
005530a1 50              push    eax
005530a2 8b4304          mov     eax,dword ptr [ebx+4]
005530a5 85c0            test    eax,eax
005530a7 7905            jns     Intensywny_kurs+0x1530ae (005530ae)
005530a9 e8aa19ebff      call    Intensywny_kurs+0x4a58 (00404a58)
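The manual steps above (read the `kb` frame of `KERNELBASE!RaiseException`, recognise the Delphi code, subtract the length of the `call` to get back to the call site) can be scripted. This is an added example, not code from the original post: it parses the `kb` output shown above and decodes the seven `ExceptionInformation` values the way the single-step trace later in the post lays them out; the Delphi field names are my reading of that push sequence.

```python
"""Decode a WinDBG `kb` frame of RaiseException for a Delphi (0x0EEDFADE) exception."""
import re
from dataclasses import dataclass
from typing import Optional

DELPHI_EXCEPTION_CODE = 0x0EEDFADE  # code the Delphi runtime passes to RaiseException
EXCEPTION_NONCONTINUABLE = 0x1      # dwExceptionFlags value seen in the trace
CALL_REL32_LEN = 5                  # e8 xx xx xx xx: RetAddr - 5 is the call instruction
                                    # (the post confirms this by disassembling at that address)

# Sample `kb` output, copied from the post (constructed test input, trailing lines trimmed).
KB_OUTPUT = """\
ChildEBP RetAddr  Args to Child
0018fadc 0055309c 0eedfade 00000001 00000007 KERNELBASE!RaiseException+0x48
WARNING: Stack unwind information not available. Following frames may be wrong.
0018fb2c 005533f6 0018fb58 00404f1d 0018fb50 Intensywny_kurs+0x15309c
0018fb50 006f5142 0018fb64 006f5155 0018fda8 Intensywny_kurs+0x1533f6
0018fda8 0047527b 0018fde0 00475285 0018fdcc Intensywny_kurs+0x2f5142
"""

# The seven dwords RaiseException copies with memcpy (values from the trace in the post):
# edx, eax, ebx, esi, edi, ebp, esp as pushed by the Delphi runtime before the call.
TRACE_ARGS = (0x0055309C, 0x03CA58D0, 0x03C835C0, 0x00000002,
              0x03CAC4D0, 0x0018FB2C, 0x0018FB10)

# My reading of the push order: return address, exception object, then saved registers.
DELPHI_ARG_NAMES = ("return_address", "exception_object", "ebx", "esi", "edi", "ebp", "esp")

# One `kb` frame: ChildEBP RetAddr Arg0 Arg1 Arg2 Symbol
FRAME_RE = re.compile(
    r"^(?P<ebp>[0-9a-f]{8})\s+(?P<ret>[0-9a-f]{8})\s+"
    r"(?P<a0>[0-9a-f]{8})\s+(?P<a1>[0-9a-f]{8})\s+(?P<a2>[0-9a-f]{8})\s+(?P<sym>\S+)"
)


@dataclass
class Frame:
    child_ebp: int
    ret_addr: int
    args: tuple
    symbol: str


@dataclass
class RaiseInfo:
    code: int          # dwExceptionCode
    flags: int         # dwExceptionFlags
    nargs: int         # nNumberOfArguments
    call_site: int     # address of the `call` that reached RaiseException
    args_bytes: int    # bytes memcpy will copy into EXCEPTION_RECORD (nargs * 4)
    is_delphi: bool


def parse_kb(text: str) -> list:
    """Parse `kb` output; header and WARNING lines do not match and are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            args = tuple(int(m[k], 16) for k in ("a0", "a1", "a2"))
            frames.append(Frame(int(m["ebp"], 16), int(m["ret"], 16), args, m["sym"]))
    return frames


def analyze_raise(frames: list) -> Optional[RaiseInfo]:
    """Find the RaiseException frame; `kb` shows its first three stack arguments."""
    for f in frames:
        if f.symbol.startswith("KERNELBASE!RaiseException"):
            code, flags, nargs = f.args
            return RaiseInfo(code, flags, nargs,
                             call_site=f.ret_addr - CALL_REL32_LEN,
                             args_bytes=nargs * 4,
                             is_delphi=(code == DELPHI_EXCEPTION_CODE))
    return None


def decode_delphi_args(args: tuple) -> dict:
    """Name the seven ExceptionInformation slots of a Delphi exception record."""
    if len(args) != len(DELPHI_ARG_NAMES):
        raise ValueError(f"Delphi exceptions carry {len(DELPHI_ARG_NAMES)} arguments, got {len(args)}")
    return dict(zip(DELPHI_ARG_NAMES, args))


if __name__ == "__main__":
    info = analyze_raise(parse_kb(KB_OUTPUT))
    print(f"code={info.code:08x} delphi={info.is_delphi} call site={info.call_site:08x} "
          f"copies {info.args_bytes:#x} bytes")
    for name, value in decode_delphi_args(TRACE_ARGS).items():
        print(f"  {name:17s} {value:08x}")
```

The call site comes out as 00553097, the address the post disassembles with `u Intensywny_kurs+0x15309c-5`, and the 0x1c byte count is the `ecx` value memcpy receives later in the trace.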

Okay, now we have the line where the method was called. What does this method do? Let’s restart, add a breakpoint there, and see:

0:001> sxe 0eedfade  
0:001> bp 00553097 
*** WARNING: Unable to verify checksum for C:\Program Files (x86)\Profesor Klaus - Intensywny kurs\Intensywny_kurs.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files (x86)\Profesor Klaus - Intensywny kurs\Intensywny_kurs.exe
0:001> g
Breakpoint 0 hit
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=00552d8c esi=00000002 edi=03cac4d0
eip=00553097 esp=0018fb10 ebp=0018fb2c iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000216
Intensywny_kurs+0x153097:
00553097 e86c24ebff      call    Intensywny_kurs+0x5508 (00405508)
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=00552d8c esi=00000002 edi=03cac4d0
eip=00405508 esp=0018fb0c ebp=0018fb2c iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000216
Intensywny_kurs+0x5508:
00405508 09c0            or      eax,eax
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=00552d8c esi=00000002 edi=03cac4d0
eip=0040550a esp=0018fb0c ebp=0018fb2c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
Intensywny_kurs+0x550a:
0040550a 750a            jne     Intensywny_kurs+0x5516 (00405516)       [br=1]
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=00552d8c esi=00000002 edi=03cac4d0
eip=00405516 esp=0018fb0c ebp=0018fb2c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
Intensywny_kurs+0x5516:
00405516 5a              pop     edx
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=00405517 esp=0018fb10 ebp=0018fb2c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
Intensywny_kurs+0x5517:
00405517 54              push    esp
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=00405518 esp=0018fb0c ebp=0018fb2c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
Intensywny_kurs+0x5518:
00405518 55              push    ebp
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=00405519 esp=0018fb08 ebp=0018fb2c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
Intensywny_kurs+0x5519:
00405519 57              push    edi
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=0040551a esp=0018fb04 ebp=0018fb2c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
Intensywny_kurs+0x551a:
0040551a 56              push    esi
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=0040551b esp=0018fb00 ebp=0018fb2c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
Intensywny_kurs+0x551b:
0040551b 53              push    ebx
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=0040551c esp=0018fafc ebp=0018fb2c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
Intensywny_kurs+0x551c:
0040551c 50              push    eax
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=0040551d esp=0018faf8 ebp=0018fb2c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
Intensywny_kurs+0x551d:
0040551d 52              push    edx
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=0040551e esp=0018faf4 ebp=0018fb2c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
Intensywny_kurs+0x551e:
0040551e 54              push    esp
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=0040551f esp=0018faf0 ebp=0018fb2c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
Intensywny_kurs+0x551f:
0040551f 6a07            push    7
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=00405521 esp=0018faec ebp=0018fb2c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
Intensywny_kurs+0x5521:
00405521 6a01            push    1
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=00405523 esp=0018fae8 ebp=0018fb2c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
Intensywny_kurs+0x5523:
00405523 68defaed0e      push    0EEDFADEh
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=00405528 esp=0018fae4 ebp=0018fb2c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
Intensywny_kurs+0x5528:
00405528 52              push    edx
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=00405529 esp=0018fae0 ebp=0018fb2c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
Intensywny_kurs+0x5529:
00405529 ff2514f07000    jmp     dword ptr [Intensywny_kurs+0x30f014 (0070f014)] ds:002b:0070f014=00401488
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=00401488 esp=0018fae0 ebp=0018fb2c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
Intensywny_kurs+0x1488:
00401488 ff25506c8a00    jmp     dword ptr [Intensywny_kurs+0x4a6c50 (008a6c50)] ds:002b:008a6c50={KERNEL32!RaiseExceptionStub (76d9a7a0)}
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=76d9a7a0 esp=0018fae0 ebp=0018fb2c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
KERNEL32!RaiseExceptionStub:
76d9a7a0 ff250c03e076    jmp     dword ptr [KERNEL32!_imp__RaiseException (76e0030c)] ds:002b:76e0030c={KERNELBASE!RaiseException (75414de0)}
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414de0 esp=0018fae0 ebp=0018fb2c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
KERNELBASE!RaiseException:
75414de0 8bff            mov     edi,edi
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414de2 esp=0018fae0 ebp=0018fb2c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
KERNELBASE!RaiseException+0x2:
75414de2 55              push    ebp
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414de3 esp=0018fadc ebp=0018fb2c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
KERNELBASE!RaiseException+0x3:
75414de3 8bec            mov     ebp,esp
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414de5 esp=0018fadc ebp=0018fadc iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
KERNELBASE!RaiseException+0x5:
75414de5 83e4f8          and     esp,0FFFFFFF8h
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414de8 esp=0018fad8 ebp=0018fadc iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
KERNELBASE!RaiseException+0x8:
75414de8 83ec58          sub     esp,58h
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414deb esp=0018fa80 ebp=0018fadc iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
KERNELBASE!RaiseException+0xb:
75414deb a1683b4a75      mov     eax,dword ptr [KERNELBASE!__security_cookie (754a3b68)] ds:002b:754a3b68=3ef023d9
0:000> t
eax=3ef023d9 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414df0 esp=0018fa80 ebp=0018fadc iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
KERNELBASE!RaiseException+0x10:
75414df0 33c4            xor     eax,esp
0:000> t
eax=3ee8d959 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414df2 esp=0018fa80 ebp=0018fadc iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
KERNELBASE!RaiseException+0x12:
75414df2 89442454        mov     dword ptr [esp+54h],eax ss:002b:0018fad4=0018fae8
0:000> t
eax=3ee8d959 ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414df6 esp=0018fa80 ebp=0018fadc iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
KERNELBASE!RaiseException+0x16:
75414df6 8b4508          mov     eax,dword ptr [ebp+8] ss:002b:0018fae4=0eedfade
0:000> t
eax=0eedfade ebx=03c835c0 ecx=03ca58d0 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414df9 esp=0018fa80 ebp=0018fadc iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
KERNELBASE!RaiseException+0x19:
75414df9 8b4d14          mov     ecx,dword ptr [ebp+14h] ss:002b:0018faf0=0018faf4
0:000> t
eax=0eedfade ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414dfc esp=0018fa80 ebp=0018fadc iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
KERNELBASE!RaiseException+0x1c:
75414dfc 8364240800      and     dword ptr [esp+8],0  ss:002b:0018fa88=20715b61
0:000> t
eax=0eedfade ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414e01 esp=0018fa80 ebp=0018fadc iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
KERNELBASE!RaiseException+0x21:
75414e01 890424          mov     dword ptr [esp],eax  ss:002b:0018fa80={winmm!waveInGetErrorTextAStub (7459fe10)}
0:000> t
eax=0eedfade ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414e04 esp=0018fa80 ebp=0018fadc iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
KERNELBASE!RaiseException+0x24:
75414e04 8b450c          mov     eax,dword ptr [ebp+0Ch] ss:002b:0018fae8=00000001
0:000> t
eax=00000001 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414e07 esp=0018fa80 ebp=0018fadc iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
KERNELBASE!RaiseException+0x27:
75414e07 83e001          and     eax,1
0:000> t
eax=00000001 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414e0a esp=0018fa80 ebp=0018fadc iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
KERNELBASE!RaiseException+0x2a:
75414e0a c744240ce04d4175 mov     dword ptr [esp+0Ch],offset KERNELBASE!RaiseException (75414de0) ss:002b:0018fa8c=bb1f255f
0:000> t
eax=00000001 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414e12 esp=0018fa80 ebp=0018fadc iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
KERNELBASE!RaiseException+0x32:
75414e12 89442404        mov     dword ptr [esp+4],eax ss:002b:0018fa84=0024eaf0
0:000> t
eax=00000001 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414e16 esp=0018fa80 ebp=0018fadc iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
KERNELBASE!RaiseException+0x36:
75414e16 85c9            test    ecx,ecx
0:000> t
eax=00000001 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414e18 esp=0018fa80 ebp=0018fadc iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
KERNELBASE!RaiseException+0x38:
75414e18 751f            jne     KERNELBASE!RaiseException+0x59 (75414e39) [br=1]
0:000> t
eax=00000001 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414e39 esp=0018fa80 ebp=0018fadc iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
KERNELBASE!RaiseException+0x59:
75414e39 8b4510          mov     eax,dword ptr [ebp+10h] ss:002b:0018faec=00000007
0:000> t
eax=00000007 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414e3c esp=0018fa80 ebp=0018fadc iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
KERNELBASE!RaiseException+0x5c:
75414e3c 83f80f          cmp     eax,0Fh
0:000> t
eax=00000007 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414e3f esp=0018fa80 ebp=0018fadc iopl=0         nv up ei ng nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000293
KERNELBASE!RaiseException+0x5f:
75414e3f 7718            ja      KERNELBASE!RaiseException+0x79 (75414e59) [br=0]
0:000> t
eax=00000007 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414e41 esp=0018fa80 ebp=0018fadc iopl=0         nv up ei ng nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000293
KERNELBASE!RaiseException+0x61:
75414e41 89442410        mov     dword ptr [esp+10h],eax ss:002b:0018fa90=3f24940b
0:000> t
eax=00000007 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414e45 esp=0018fa80 ebp=0018fadc iopl=0         nv up ei ng nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000293
KERNELBASE!RaiseException+0x65:
75414e45 c1e002          shl     eax,2
0:000> t
eax=0000001c ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414e48 esp=0018fa80 ebp=0018fadc iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
KERNELBASE!RaiseException+0x68:
75414e48 50              push    eax
0:000> t
eax=0000001c ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414e49 esp=0018fa7c ebp=0018fadc iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
KERNELBASE!RaiseException+0x69:
75414e49 51              push    ecx
0:000> t
eax=0000001c ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414e4a esp=0018fa78 ebp=0018fadc iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
KERNELBASE!RaiseException+0x6a:
75414e4a 8d44241c        lea     eax,[esp+1Ch]
0:000> t
eax=0018fa94 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414e4e esp=0018fa78 ebp=0018fadc iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
KERNELBASE!RaiseException+0x6e:
75414e4e 50              push    eax
0:000> t
eax=0018fa94 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=75414e4f esp=0018fa74 ebp=0018fadc iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
KERNELBASE!RaiseException+0x6f:
75414e4f e8b7a2fdff      call    KERNELBASE!memcpy (753ef10b)
0:000> t
eax=0018fa94 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=753ef10b esp=0018fa70 ebp=0018fadc iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
KERNELBASE!memcpy:
753ef10b ff2524694a75    jmp     dword ptr [KERNELBASE!_imp__memcpy (754a6924)] ds:002b:754a6924={ntdll!memcpy (77757c00)}
0:000> t
eax=0018fa94 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=77757c00 esp=0018fa70 ebp=0018fadc iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
ntdll!memcpy:
77757c00 55              push    ebp
0:000> t
eax=0018fa94 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=77757c01 esp=0018fa6c ebp=0018fadc iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
ntdll!memcpy+0x1:
77757c01 8bec            mov     ebp,esp
0:000> t
eax=0018fa94 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=77757c03 esp=0018fa6c ebp=0018fa6c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
ntdll!memcpy+0x3:
77757c03 57              push    edi
0:000> t
eax=0018fa94 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=77757c04 esp=0018fa68 ebp=0018fa6c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
ntdll!memcpy+0x4:
77757c04 56              push    esi
0:000> t
eax=0018fa94 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=00000002 edi=03cac4d0
eip=77757c05 esp=0018fa64 ebp=0018fa6c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
ntdll!memcpy+0x5:
77757c05 8b750c          mov     esi,dword ptr [ebp+0Ch] ss:002b:0018fa78=0018faf4
0:000> t
eax=0018fa94 ebx=03c835c0 ecx=0018faf4 edx=0055309c esi=0018faf4 edi=03cac4d0
eip=77757c08 esp=0018fa64 ebp=0018fa6c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
ntdll!memcpy+0x8:
77757c08 8b4d10          mov     ecx,dword ptr [ebp+10h] ss:002b:0018fa7c=0000001c
0:000> t
eax=0018fa94 ebx=03c835c0 ecx=0000001c edx=0055309c esi=0018faf4 edi=03cac4d0
eip=77757c0b esp=0018fa64 ebp=0018fa6c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
ntdll!memcpy+0xb:
77757c0b 8b7d08          mov     edi,dword ptr [ebp+8] ss:002b:0018fa74=0018fa94
0:000> t
eax=0018fa94 ebx=03c835c0 ecx=0000001c edx=0055309c esi=0018faf4 edi=0018fa94
eip=77757c0e esp=0018fa64 ebp=0018fa6c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
ntdll!memcpy+0xe:
77757c0e 8bc1            mov     eax,ecx
0:000> t
eax=0000001c ebx=03c835c0 ecx=0000001c edx=0055309c esi=0018faf4 edi=0018fa94
eip=77757c10 esp=0018fa64 ebp=0018fa6c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
ntdll!memcpy+0x10:
77757c10 8bd1            mov     edx,ecx
0:000> t
eax=0000001c ebx=03c835c0 ecx=0000001c edx=0000001c esi=0018faf4 edi=0018fa94
eip=77757c12 esp=0018fa64 ebp=0018fa6c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
ntdll!memcpy+0x12:
77757c12 03c6            add     eax,esi
0:000> t
eax=0018fb10 ebx=03c835c0 ecx=0000001c edx=0000001c esi=0018faf4 edi=0018fa94
eip=77757c14 esp=0018fa64 ebp=0018fa6c iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!memcpy+0x14:
77757c14 3bfe            cmp     edi,esi
0:000> t
eax=0018fb10 ebx=03c835c0 ecx=0000001c edx=0000001c esi=0018faf4 edi=0018fa94
eip=77757c16 esp=0018fa64 ebp=0018fa6c iopl=0         nv up ei ng nz na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000287
ntdll!memcpy+0x16:
77757c16 7608            jbe     ntdll!memcpy+0x20 (77757c20)            [br=1]
0:000> t
eax=0018fb10 ebx=03c835c0 ecx=0000001c edx=0000001c esi=0018faf4 edi=0018fa94
eip=77757c20 esp=0018fa64 ebp=0018fa6c iopl=0         nv up ei ng nz na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000287
ntdll!memcpy+0x20:
77757c20 f7c703000000    test    edi,3
0:000> t
eax=0018fb10 ebx=03c835c0 ecx=0000001c edx=0000001c esi=0018faf4 edi=0018fa94
eip=77757c26 esp=0018fa64 ebp=0018fa6c iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!memcpy+0x26:
77757c26 7514            jne     ntdll!memcpy+0x3c (77757c3c)            [br=0]
0:000> t
eax=0018fb10 ebx=03c835c0 ecx=0000001c edx=0000001c esi=0018faf4 edi=0018fa94
eip=77757c28 esp=0018fa64 ebp=0018fa6c iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!memcpy+0x28:
77757c28 c1e902          shr     ecx,2
0:000> t
eax=0018fb10 ebx=03c835c0 ecx=00000007 edx=0000001c esi=0018faf4 edi=0018fa94
eip=77757c2b esp=0018fa64 ebp=0018fa6c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
ntdll!memcpy+0x2b:
77757c2b 83e203          and     edx,3
0:000> t
eax=0018fb10 ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757c2e esp=0018fa64 ebp=0018fa6c iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!memcpy+0x2e:
77757c2e 83f908          cmp     ecx,8
0:000> t
eax=0018fb10 ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757c31 esp=0018fa64 ebp=0018fa6c iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
ntdll!memcpy+0x31:
77757c31 7229            jb      ntdll!memcpy+0x5c (77757c5c)            [br=1]
0:000> t
eax=0018fb10 ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757c5c esp=0018fa64 ebp=0018fa6c iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
ntdll!memcpy+0x5c:
77757c5c ff248de07c7577  jmp     dword ptr ntdll!memcpy+0xe0 (77757ce0)[ecx*4] ds:002b:77757cfc=77757d00
0:000> t
eax=0018fb10 ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757d00 esp=0018fa64 ebp=0018fa6c iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
ntdll!memcpy+0x100:
77757d00 8b448ee4        mov     eax,dword ptr [esi+ecx*4-1Ch] ds:002b:0018faf4=0055309c
0:000> t
eax=0055309c ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757d04 esp=0018fa64 ebp=0018fa6c iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
ntdll!memcpy+0x104:
77757d04 89448fe4        mov     dword ptr [edi+ecx*4-1Ch],eax ds:002b:0018fa94=2fbf78eb
0:000> t
eax=0055309c ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757d08 esp=0018fa64 ebp=0018fa6c iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
ntdll!memcpy+0x108:
77757d08 8b448ee8        mov     eax,dword ptr [esi+ecx*4-18h] ds:002b:0018faf8=03ca58d0
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757d0c esp=0018fa64 ebp=0018fa6c iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
ntdll!memcpy+0x10c:
77757d0c 89448fe8        mov     dword ptr [edi+ecx*4-18h],eax ds:002b:0018fa98=01d5f9a0
0:000> t
eax=03ca58d0 ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757d10 esp=0018fa64 ebp=0018fa6c iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
ntdll!memcpy+0x110:
77757d10 8b448eec        mov     eax,dword ptr [esi+ecx*4-14h] ds:002b:0018fafc=03c835c0
0:000> t
eax=03c835c0 ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757d14 esp=0018fa64 ebp=0018fa6c iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
ntdll!memcpy+0x114:
77757d14 89448fec        mov     dword ptr [edi+ecx*4-14h],eax ds:002b:0018fa9c=000002bb
0:000> t
eax=03c835c0 ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757d18 esp=0018fa64 ebp=0018fa6c iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
ntdll!memcpy+0x118:
77757d18 8b448ef0        mov     eax,dword ptr [esi+ecx*4-10h] ds:002b:0018fb00=00000002
0:000> t
eax=00000002 ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757d1c esp=0018fa64 ebp=0018fa6c iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
ntdll!memcpy+0x11c:
77757d1c 89448ff0        mov     dword ptr [edi+ecx*4-10h],eax ds:002b:0018faa0=00000000
0:000> t
eax=00000002 ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757d20 esp=0018fa64 ebp=0018fa6c iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
ntdll!memcpy+0x120:
77757d20 8b448ef4        mov     eax,dword ptr [esi+ecx*4-0Ch] ds:002b:0018fb04=03cac4d0
0:000> t
eax=03cac4d0 ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757d24 esp=0018fa64 ebp=0018fa6c iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
ntdll!memcpy+0x124:
77757d24 89448ff4        mov     dword ptr [edi+ecx*4-0Ch],eax ds:002b:0018faa4=7b21d95f
0:000> t
eax=03cac4d0 ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757d28 esp=0018fa64 ebp=0018fa6c iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
ntdll!memcpy+0x128:
77757d28 8b448ef8        mov     eax,dword ptr [esi+ecx*4-8] ds:002b:0018fb08=0018fb2c
0:000> t
eax=0018fb2c ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757d2c esp=0018fa64 ebp=0018fa6c iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
ntdll!memcpy+0x12c:
77757d2c 89448ff8        mov     dword ptr [edi+ecx*4-8],eax ds:002b:0018faa8=000002bb
0:000> t
eax=0018fb2c ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757d30 esp=0018fa64 ebp=0018fa6c iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
ntdll!memcpy+0x130:
77757d30 8b448efc        mov     eax,dword ptr [esi+ecx*4-4] ds:002b:0018fb0c=0018fb10
0:000> t
eax=0018fb10 ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757d34 esp=0018fa64 ebp=0018fa6c iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
ntdll!memcpy+0x134:
77757d34 89448ffc        mov     dword ptr [edi+ecx*4-4],eax ds:002b:0018faac=7b21d32e
0:000> t
eax=0018fb10 ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757d38 esp=0018fa64 ebp=0018fa6c iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
ntdll!memcpy+0x138:
77757d38 8d048d00000000  lea     eax,[ecx*4]
0:000> t
eax=0000001c ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018faf4 edi=0018fa94
eip=77757d3f esp=0018fa64 ebp=0018fa6c iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
ntdll!memcpy+0x13f:
77757d3f 03f0            add     esi,eax
0:000> t
eax=0000001c ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018fb10 edi=0018fa94
eip=77757d41 esp=0018fa64 ebp=0018fa6c iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!memcpy+0x141:
77757d41 03f8            add     edi,eax
0:000> t
eax=0000001c ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018fb10 edi=0018fab0
eip=77757d43 esp=0018fa64 ebp=0018fa6c iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!memcpy+0x143:
77757d43 ff24954c7d7577  jmp     dword ptr ntdll!memcpy+0x14c (77757d4c)[edx*4] ds:002b:77757d4c=77757d5c
0:000> t
eax=0000001c ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018fb10 edi=0018fab0
eip=77757d5c esp=0018fa64 ebp=0018fa6c iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!memcpy+0x15c:
77757d5c 8b4508          mov     eax,dword ptr [ebp+8] ss:002b:0018fa74=0018fa94
0:000> t
eax=0018fa94 ebx=03c835c0 ecx=00000007 edx=00000000 esi=0018fb10 edi=0018fab0
eip=77757d5f esp=0018fa64 ebp=0018fa6c iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!memcpy+0x15f:
77757d5f 5e              pop     esi
0:000> t
eax=0018fa94 ebx=03c835c0 ecx=00000007 edx=00000000 esi=00000002 edi=0018fab0
eip=77757d60 esp=0018fa68 ebp=0018fa6c iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!memcpy+0x160:
77757d60 5f              pop     edi
0:000> t
eax=0018fa94 ebx=03c835c0 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=77757d61 esp=0018fa6c ebp=0018fa6c iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!memcpy+0x161:
77757d61 c9              leave
0:000> t
eax=0018fa94 ebx=03c835c0 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=77757d62 esp=0018fa70 ebp=0018fadc iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!memcpy+0x162:
77757d62 c3              ret
0:000> t
eax=0018fa94 ebx=03c835c0 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=75414e54 esp=0018fa74 ebp=0018fadc iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
KERNELBASE!RaiseException+0x74:
75414e54 83c40c          add     esp,0Ch
0:000> t
eax=0018fa94 ebx=03c835c0 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=75414e57 esp=0018fa80 ebp=0018fadc iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
KERNELBASE!RaiseException+0x77:
75414e57 ebc5            jmp     KERNELBASE!RaiseException+0x3e (75414e1e)
0:000> t
eax=0018fa94 ebx=03c835c0 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=75414e1e esp=0018fa80 ebp=0018fadc iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
KERNELBASE!RaiseException+0x3e:
75414e1e 8d0424          lea     eax,[esp]
0:000> t
eax=0018fa80 ebx=03c835c0 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=75414e21 esp=0018fa80 ebp=0018fadc iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
KERNELBASE!RaiseException+0x41:
75414e21 50              push    eax
0:000> t
eax=0018fa80 ebx=03c835c0 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=75414e22 esp=0018fa7c ebp=0018fadc iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
KERNELBASE!RaiseException+0x42:
75414e22 ff152c634a75    call    dword ptr [KERNELBASE!_imp__RtlRaiseException (754a632c)] ds:002b:754a632c={ntdll!RtlRaiseException (777707c0)}
0:000> t
eax=0018fa80 ebx=03c835c0 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=777707c0 esp=0018fa78 ebp=0018fadc iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlRaiseException:
777707c0 55              push    ebp
0:000> t
eax=0018fa80 ebx=03c835c0 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=777707c1 esp=0018fa74 ebp=0018fadc iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlRaiseException+0x1:
777707c1 8bec            mov     ebp,esp
0:000> t
eax=0018fa80 ebx=03c835c0 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=777707c3 esp=0018fa74 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlRaiseException+0x3:
777707c3 8da42430fdffff  lea     esp,[esp-2D0h]
0:000> t
eax=0018fa80 ebx=03c835c0 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=777707ca esp=0018f7a4 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlRaiseException+0xa:
777707ca 54              push    esp
0:000> t
eax=0018fa80 ebx=03c835c0 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=777707cb esp=0018f7a0 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlRaiseException+0xb:
777707cb e84ff8ffff      call    ntdll!RtlCaptureContext (7777001f)
0:000> t
eax=0018fa80 ebx=03c835c0 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=7777001f esp=0018f79c ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlCaptureContext:
7777001f 53              push    ebx
0:000> t
eax=0018fa80 ebx=03c835c0 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=77770020 esp=0018f798 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlCaptureContext+0x1:
77770020 8b5c2408        mov     ebx,dword ptr [esp+8] ss:002b:0018f7a0=0018f7a4
0:000> t
eax=0018fa80 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=77770024 esp=0018f798 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlCaptureContext+0x5:
77770024 8983b0000000    mov     dword ptr [ebx+0B0h],eax ds:002b:0018f854=00000000
0:000> t
eax=0018fa80 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=7777002a esp=0018f798 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlCaptureContext+0xb:
7777002a 898bac000000    mov     dword ptr [ebx+0ACh],ecx ds:002b:0018f850=00002000
0:000> t
eax=0018fa80 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=77770030 esp=0018f798 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlCaptureContext+0x11:
77770030 8993a8000000    mov     dword ptr [ebx+0A8h],edx ds:002b:0018f84c=00040000
0:000> t
eax=0018fa80 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=77770036 esp=0018f798 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlCaptureContext+0x17:
77770036 8b0424          mov     eax,dword ptr [esp]  ss:002b:0018f798=03c835c0
0:000> t
eax=03c835c0 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=77770039 esp=0018f798 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlCaptureContext+0x1a:
77770039 8983a4000000    mov     dword ptr [ebx+0A4h],eax ds:002b:0018f848=00000002
0:000> t
eax=03c835c0 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=7777003f esp=0018f798 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlCaptureContext+0x20:
7777003f 89b3a0000000    mov     dword ptr [ebx+0A0h],esi ds:002b:0018f844=04660000
0:000> t
eax=03c835c0 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=77770045 esp=0018f798 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlCaptureContext+0x26:
77770045 89bb9c000000    mov     dword ptr [ebx+9Ch],edi ds:002b:0018f840=03365e68
0:000> t
eax=03c835c0 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=7777004b esp=0018f798 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlCaptureContext+0x2c:
7777004b eb43            jmp     ntdll!RtlpCaptureContext+0x41 (77770090)
0:000> t
eax=03c835c0 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=77770090 esp=0018f798 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlpCaptureContext+0x41:
77770090 8c8bbc000000    mov     word ptr [ebx+0BCh],cs ds:002b:0018f860=046600b8
0:000> t
eax=03c835c0 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=77770096 esp=0018f798 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlpCaptureContext+0x47:
77770096 8c9b98000000    mov     word ptr [ebx+98h],ds ds:002b:0018f83c=00000000
0:000> t
eax=03c835c0 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=7777009c esp=0018f798 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlpCaptureContext+0x4d:
7777009c 8c8394000000    mov     word ptr [ebx+94h],es ds:002b:0018f838=04660001
0:000> t
eax=03c835c0 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=777700a2 esp=0018f798 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlpCaptureContext+0x53:
777700a2 8ca390000000    mov     word ptr [ebx+90h],fs ds:002b:0018f834=046603c0
0:000> t
eax=03c835c0 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=777700a8 esp=0018f798 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlpCaptureContext+0x59:
777700a8 8cab8c000000    mov     word ptr [ebx+8Ch],gs ds:002b:0018f830=6fcddf33
0:000> t
eax=03c835c0 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=777700ae esp=0018f798 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlpCaptureContext+0x5f:
777700ae 8c93c8000000    mov     word ptr [ebx+0C8h],ss ds:002b:0018f86c=00000001
0:000> t
eax=03c835c0 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=777700b4 esp=0018f798 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlpCaptureContext+0x65:
777700b4 9c              pushfd
0:000> t
eax=03c835c0 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=777700b5 esp=0018f794 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlpCaptureContext+0x66:
777700b5 8f83c0000000    pop     dword ptr [ebx+0C0h] ds:002b:0018f864=00000000
0:000> t
eax=03c835c0 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=777700bb esp=0018f798 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlpCaptureContext+0x6c:
777700bb 8b4504          mov     eax,dword ptr [ebp+4] ss:002b:0018fa78=75414e28
0:000> t
eax=75414e28 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=777700be esp=0018f798 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlpCaptureContext+0x6f:
777700be 8983b8000000    mov     dword ptr [ebx+0B8h],eax ds:002b:0018f85c=04660200
0:000> t
eax=75414e28 ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=777700c4 esp=0018f798 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlpCaptureContext+0x75:
777700c4 8b4500          mov     eax,dword ptr [ebp]  ss:002b:0018fa74=0018fadc
0:000> t
eax=0018fadc ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=777700c7 esp=0018f798 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlpCaptureContext+0x78:
777700c7 8983b4000000    mov     dword ptr [ebx+0B4h],eax ds:002b:0018f858=00000000
0:000> t
eax=0018fadc ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=777700cd esp=0018f798 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlpCaptureContext+0x7e:
777700cd 8d4508          lea     eax,[ebp+8]
0:000> t
eax=0018fa7c ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=777700d0 esp=0018f798 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlpCaptureContext+0x81:
777700d0 8983c4000000    mov     dword ptr [ebx+0C4h],eax ds:002b:0018f868=046601b0
0:000> t
eax=0018fa7c ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=777700d6 esp=0018f798 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlpCaptureContext+0x87:
777700d6 c70307000100    mov     dword ptr [ebx],10007h ds:002b:0018f7a4=6fcdd017
0:000> t
eax=0018fa7c ebx=0018f7a4 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=777700dc esp=0018f798 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlpCaptureContext+0x8d:
777700dc 5b              pop     ebx
0:000> t
eax=0018fa7c ebx=03c835c0 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=777700dd esp=0018f79c ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlpCaptureContext+0x8e:
777700dd c20400          ret     4
0:000> t
eax=0018fa7c ebx=03c835c0 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=777707d0 esp=0018f7a4 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlRaiseException+0x10:
777707d0 8b5504          mov     edx,dword ptr [ebp+4] ss:002b:0018fa78=75414e28
0:000> t
eax=0018fa7c ebx=03c835c0 ecx=00000007 edx=75414e28 esi=00000002 edi=03cac4d0
eip=777707d3 esp=0018f7a4 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlRaiseException+0x13:
777707d3 8b4508          mov     eax,dword ptr [ebp+8] ss:002b:0018fa7c=0018fa80
0:000> t
eax=0018fa80 ebx=03c835c0 ecx=00000007 edx=75414e28 esi=00000002 edi=03cac4d0
eip=777707d6 esp=0018f7a4 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlRaiseException+0x16:
777707d6 838424c400000004 add     dword ptr [esp+0C4h],4 ss:002b:0018f868=0018fa7c
0:000> t
eax=0018fa80 ebx=03c835c0 ecx=00000007 edx=75414e28 esi=00000002 edi=03cac4d0
eip=777707de esp=0018f7a4 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlRaiseException+0x1e:
777707de 89500c          mov     dword ptr [eax+0Ch],edx ds:002b:0018fa8c={KERNELBASE!RaiseException (75414de0)}
0:000> t
eax=0018fa80 ebx=03c835c0 ecx=00000007 edx=75414e28 esi=00000002 edi=03cac4d0
eip=777707e1 esp=0018f7a4 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlRaiseException+0x21:
777707e1 c7042407000100  mov     dword ptr [esp],10007h ss:002b:0018f7a4=00010007
0:000> t
eax=0018fa80 ebx=03c835c0 ecx=00000007 edx=75414e28 esi=00000002 edi=03cac4d0
eip=777707e8 esp=0018f7a4 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlRaiseException+0x28:
777707e8 8bcc            mov     ecx,esp
0:000> t
eax=0018fa80 ebx=03c835c0 ecx=0018f7a4 edx=75414e28 esi=00000002 edi=03cac4d0
eip=777707ea esp=0018f7a4 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlRaiseException+0x2a:
777707ea 6a01            push    1
0:000> t
eax=0018fa80 ebx=03c835c0 ecx=0018f7a4 edx=75414e28 esi=00000002 edi=03cac4d0
eip=777707ec esp=0018f7a0 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlRaiseException+0x2c:
777707ec 51              push    ecx
0:000> t
eax=0018fa80 ebx=03c835c0 ecx=0018f7a4 edx=75414e28 esi=00000002 edi=03cac4d0
eip=777707ed esp=0018f79c ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlRaiseException+0x2d:
777707ed ff7508          push    dword ptr [ebp+8]    ss:002b:0018fa7c=0018fa80
0:000> t
eax=0018fa80 ebx=03c835c0 ecx=0018f7a4 edx=75414e28 esi=00000002 edi=03cac4d0
eip=777707f0 esp=0018f798 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!RtlRaiseException+0x30:
777707f0 e8abcfffff      call    ntdll!NtRaiseException (7776d7a0)
0:000> t
eax=0018fa80 ebx=03c835c0 ecx=0018f7a4 edx=75414e28 esi=00000002 edi=03cac4d0
eip=7776d7a0 esp=0018f794 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!NtRaiseException:
7776d7a0 b846010000      mov     eax,146h
0:000> t
eax=00000146 ebx=03c835c0 ecx=0018f7a4 edx=75414e28 esi=00000002 edi=03cac4d0
eip=7776d7a5 esp=0018f794 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
ntdll!NtRaiseException+0x5:
7776d7a5 64ff15c0000000  call    dword ptr fs:[0C0h]  fs:0053:000000c0=776d1218
0:000> t
eax=00000146 ebx=03c835c0 ecx=0018f7a4 edx=75414e28 esi=00000002 edi=03cac4d0
eip=776d1218 esp=0018f790 ebp=0018fa74 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
776d1218 ea841d6d773300  jmp     0033:776D1D84
0:000> t
eax=00000000 ebx=00000622 ecx=00000000 edx=00000000 esi=00000000 edi=0018fa54
eip=7776c64c esp=0018fa1c ebp=0018fa38 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
ntdll!NtQueryPerformanceCounter+0xc:
7776c64c c20800          ret     8
0:000> t
(22f4.25a8): Unknown exception - code 0eedfade (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0018fa80 ebx=03c835c0 ecx=00000007 edx=00000000 esi=00000002 edi=03cac4d0
eip=75414e28 esp=0018fa80 ebp=0018fadc iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
KERNELBASE!RaiseException+0x48:
75414e28 8b4c2454        mov     ecx,dword ptr [esp+54h] ss:002b:0018fad4=3ee8d959

Well, that’s long. However, we see that almost immediately (line 95) we load the constant identifying the exception type. So it looks like call Intensywny_kurs+0x5508 (00405508) calls some well-known procedure for throwing the exception.

What can we do now? Well, let’s see what arguments we pass to the method (if any). However, this is the x86 architecture, so we don’t know what the previous instruction was. We can’t just start decoding backwards because instructions have different lengths. Let’s give it a try:

0:000> u Intensywny_kurs+0x15309c-20
Intensywny_kurs+0x15307c:
0055307c e8372febff      call    Intensywny_kurs+0x5fb8 (00405fb8)
00553081 50              push    eax
00553082 56              push    esi
00553083 e854cdf3ff      call    Intensywny_kurs+0x8fddc (0048fddc)
00553088 8b4dfc          mov     ecx,dword ptr [ebp-4]
0055308b b201            mov     dl,1
0055308d a1402d5500      mov     eax,dword ptr [Intensywny_kurs+0x152d40 (00552d40)]
00553092 e8f5d1ebff      call    Intensywny_kurs+0x1028c (0041028c)

I have no idea if that’s the code which is actually executed. It looks kind of plausible, but I cannot be sure. However, let’s give it a go.

We know there is some method being called which throws the exception. The exception is probably prepared at this point. How about just not throwing it? Let’s restart the application and replace the call with nops:

0:000> u 00553097
Intensywny_kurs+0x153097:
00553097 e86c24ebff      call    Intensywny_kurs+0x5508 (00405508)
0055309c 6a20            push    20h
0055309e 8b431c          mov     eax,dword ptr [ebx+1Ch]
005530a1 50              push    eax
005530a2 8b4304          mov     eax,dword ptr [ebx+4]
005530a5 85c0            test    eax,eax
005530a7 7905            jns     Intensywny_kurs+0x1530ae (005530ae)
005530a9 e8aa19ebff      call    Intensywny_kurs+0x4a58 (00404a58)
0:000> a 00553097
00553097 nop
nop
00553098 nop
nop
00553099 nop
nop
0055309a nop
nop
0055309b nop
nop
0055309c 

0:000> u 00553097
Intensywny_kurs+0x153097:
00553097 90              nop
00553098 90              nop
00553099 90              nop
0055309a 90              nop
0055309b 90              nop
0055309c 6a20            push    20h

So we check the code initially, modify it, and then check again. Let’s now resume the application and see that it works.

Okay, now the tricky part. We’d like to remove that code forever to be able to just run the application normally.

To do that we need a hex editor. I used Frhed. Open the exe file and look for the following:

<bh:e8><bh:6c><bh:24><bh:eb><bh:ff>

Luckily enough, there is only one occurrence:

If you check the bytes after the pattern, you can see they match our instructions. So it looks like that’s the code. Replace it with a series of nops and it works!

And now the solution for Polish speakers.

Running Profesor Klaus Intensywny Kurs without a microphone

Note: This section explains what a modified application that did not check for the microphone at startup would look like. Of course, I do not encourage modifying the application, which is contrary to the license, and I do not attach any files belonging to the authors. The whole post is educational in nature.

Note 2: All modifications apply to version 1.1.0.103 of the executable. If you have a different version, the solution below may not work.

Note 3: Modifying the application is dangerous and can permanently damage it. Make a backup, and if you do not understand the description below, ask someone more experienced for help.

Automatic solution

Open PowerShell with administrator privileges and go to the directory containing the Intensywny_kurs.exe file (most likely C:\Edgard\Profesor Klaus - Intensywny kurs):

cd "C:\Edgard\Profesor Klaus - Intensywny kurs"

Then copy and run this code:

$code = @"
using System;
using System.IO;
namespace KlausReplacer
{
	public class Program
	{
		public static void Main(){
			var bytes = File.ReadAllBytes("Intensywny_kurs.exe");
			// Bytes of the instruction being patched: call Intensywny_kurs+0x5508 (e8 6c 24 eb ff)
			var instruction = new byte[]{0xe8, 0x6c, 0x24, 0xeb, 0xff};
			// Scan every position at which the whole pattern still fits in the file
			for(int i=0;i<=bytes.Length - instruction.Length;++i){
				bool found = true;
				for(int j=0;j<instruction.Length;++j){
					found &= bytes[i+j] == instruction[j];
				}
				if(found){
					Console.WriteLine("Found at " + i);
					// Overwrite the 5-byte call with five single-byte nops (0x90)
					for(int j=0;j<instruction.Length;++j){
						bytes[i+j] = 0x90;
					}
				}
			}
			// The original file is left untouched; the patched copy gets a new name
			File.WriteAllBytes("Intensywny_kurs_bez_mikrofonu.exe", bytes);
		}
	}
}
"@

Add-Type -TypeDefinition $code -Language CSharp
iex "[KlausReplacer.Program]::Main()"

This creates the file Intensywny_kurs_bez_mikrofonu.exe. If after running the last command you saw the output

Found at 1385623

then everything completed correctly.
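The two patching procedures above (the hex editor search and the PowerShell scanner) both rely on the 5-byte pattern occurring exactly once and on the bytes after it matching the disassembly. The following Python script is an added example, not the blog’s own tool: it decodes the rel32 target of the E8 call to confirm the pattern really is the call to Intensywny_kurs+0x5508 seen in WinDbg, refuses to patch unless the pattern is unique and followed by the expected push 20h / mov eax,[ebx+1Ch] bytes, and overwrites it with same-length nops so nothing else in the image moves. The function names and the SAMPLE_IMAGE buffer are constructed for illustration; the instruction bytes and the address 00553097 come from the disassembly above.

```python
"""Locate a unique byte pattern in a binary image, verify the bytes that follow it,
and overwrite it with single-byte NOPs (0x90). Added example, not the blog's own
tool; SAMPLE_IMAGE is a constructed buffer, not the real executable."""

from typing import List, Tuple

# Bytes of the instruction the post patches: e8 6c 24 eb ff = call rel32
CALL_PATTERN = bytes.fromhex("e86c24ebff")
# Bytes the disassembly shows right after it: 6a 20 8b 43 1c = push 20h / mov eax,[ebx+1Ch]
EXPECTED_FOLLOWING = bytes.fromhex("6a208b431c")
NOP = 0x90


def decode_call_target(instruction_va: int, insn: bytes) -> int:
    """Absolute target of a 5-byte E8 rel32 call whose first byte sits at instruction_va.
    The displacement is relative to the address of the *next* instruction (va + 5)."""
    if len(insn) != 5 or insn[0] != 0xE8:
        raise ValueError("not a 5-byte E8 rel32 call")
    rel32 = int.from_bytes(insn[1:5], "little", signed=True)
    return (instruction_va + 5 + rel32) & 0xFFFFFFFF


def find_all(data: bytes, pattern: bytes) -> List[int]:
    """Every offset at which pattern occurs (overlapping matches included)."""
    hits, start = [], 0
    while True:
        idx = data.find(pattern, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def patch_unique_call(data: bytes, pattern: bytes = CALL_PATTERN,
                      following: bytes = EXPECTED_FOLLOWING) -> Tuple[bytes, int]:
    """Replace the single occurrence of `pattern` with NOPs of the same length.
    Refuses to patch if the pattern is absent, ambiguous, or not followed by the
    bytes the disassembly leads us to expect, so a wrong site is never overwritten."""
    hits = find_all(data, pattern)
    if len(hits) != 1:
        raise ValueError(f"expected exactly one occurrence, found {len(hits)}")
    off = hits[0]
    ctx = data[off + len(pattern): off + len(pattern) + len(following)]
    if ctx != following:
        raise ValueError(f"context mismatch at offset {off}: got {ctx.hex()}")
    patched = bytearray(data)
    patched[off:off + len(pattern)] = bytes([NOP]) * len(pattern)
    # Size-preserving patch: no other offset in the image changes
    assert len(patched) == len(data)
    return bytes(patched), off


# Constructed sample "image": filler, the call, its following bytes, more filler.
SAMPLE_IMAGE = b"\x00" * 16 + CALL_PATTERN + EXPECTED_FOLLOWING + b"\xcc" * 8


if __name__ == "__main__":
    # Virtual address of the call from the disassembly; yields 0x405508
    print(hex(decode_call_target(0x00553097, CALL_PATTERN)))
    out, off = patch_unique_call(SAMPLE_IMAGE)
    print(off, out[off:off + 5].hex())
```

To run it against a real file, read the bytes with open(path, "rb").read(), pass them to patch_unique_call, and write the result to a new file name, as the PowerShell version does. Note that decode_call_target needs the virtual address shown by the debugger (00553097), not the file offset reported by the scanner (1385623): the two differ by the PE section mapping, so the file offset alone cannot be used to check the call target.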

Manual solution

First we need the binary editor Frhed (I am not affiliated in any way with the authors of that application).

After installing the editor, run it as administrator and open the file via File -> Open.... Select the Intensywny_kurs.exe file (most likely from the location C:\Edgard\Profesor Klaus - Intensywny kurs).

Press CTRL + F to open the search window, then search for this sequence:

<bh:e8><bh:6c><bh:24><bh:eb><bh:ff>

There should be only one occurrence, as below:

You must replace the found sequence with the values

9090909090

as below:

Save the file with CTRL + S, close the editor, and then run Profesor Klaus.

Debugging WCF high memory usage
https://blog.adamfurmanek.pl/2017/04/15/debugging-wcf-high-memory-usage/
Sat, 15 Apr 2017 08:00:20 +0000

If you are interested in the topic, see the talk page.

Recently I was debugging high memory usage in an application written in .NET 4 using WCF. After a few hours the application was eating almost 8 GB of memory. I made a memory dump and started digging into it.

First, the heap statistics (sorted by total memory usage per type):

!dumpheap -stat
MT	Count	TotalSize	Class Name
000007fecdf6df78	46895258	1500648256,00	System.ServiceModel.Security.MessagePartSpecification
000007fee98b5b80	14351165	1249823520,00	System.Object[]
000007fecdf7fea0	253208	1197563136,00	System.Collections.Generic.Dictionary`2+Entry[[System.String, mscorlib],[System.ServiceModel.Security.MessagePartSpecification, System.ServiceModel]][]
000007fee98cfdd0	1220610	588263408,00	System.Byte[]
000007fee8169780	11719237	468769480,00	System.Collections.Generic.List`1[[System.Xml.XmlQualifiedName, System.Xml]]
000007fee98ceeb0	392174	215851704,00	System.Int32[]
000007fee98c7d90	1917846	186874224,00	System.String
000007fee815be60	1623002	64920080,00	System.Xml.NameTable+Entry
000007feccd07a70	538933	60360496,00	System.Xml.XmlBaseReader+XmlElementNode
000007fee8160860	787684	56713248,00	System.Xml.XmlName
000007feccd07700	1285725	51429000,00	System.Xml.StringHandle
000007feccd07680	1285725	51429000,00	System.Xml.PrefixHandle
000007feccd07ae8	538933	47426104,00	System.Xml.XmlBaseReader+XmlEndElementNode
000007fee98cf8b0	102864	35425872,00	System.Collections.Hashtable+bucket[]
000007fee8160298	598925	33539800,00	System.Xml.XmlElement
000007fecdf7f8b8	378220	33283360,00	System.Collections.Generic.Dictionary`2[[System.String, mscorlib],[System.ServiceModel.Security.MessagePartSpecification, System.ServiceModel]]
000007feccd07780	814117	32564680,00	System.Xml.ValueHandle
000007fecdf34d40	756104	30244160,00	System.Collections.Generic.List`1[[System.ServiceModel.Security.Tokens.SecurityTokenParameters, System.ServiceModel]]
000007fecd04c3d8	62954	29714288,00	System.IdentityModel.SamlDictionary
...

So we can see that there are over 45M System.ServiceModel.Security.MessagePartSpecification objects. Let’s see one of them:

!dumpheap -type System.ServiceModel.Security.MessagePartSpecification
...
000000010a5745f0	000007fecdf7fea0	4752
...

0:046> !gcroot 000000010a5745f0
Note: Roots found on stacks may be false positives. Run "!help gcroot" for
more info.
Scan Thread 7 OSTHread 2dcc
Scan Thread 29 OSTHread 1084
Scan Thread 4 OSTHread 2c60
Scan Thread 30 OSTHread eb0
Scan Thread 31 OSTHread 21c4
Scan Thread 19 OSTHread 2e60
Scan Thread 32 OSTHread 2d24
Scan Thread 33 OSTHread 2840
Scan Thread 34 OSTHread 788
Scan Thread 35 OSTHread 145c
Scan Thread 36 OSTHread 1b80
Scan Thread 37 OSTHread 1898
Scan Thread 38 OSTHread 2600
Scan Thread 40 OSTHread 216c
Scan Thread 41 OSTHread 2bec
Scan Thread 42 OSTHread fa8
Scan Thread 43 OSTHread 1ebc
Scan Thread 44 OSTHread e28
Scan Thread 45 OSTHread 2ef8
Scan Thread 47 OSTHread 2418
Scan Thread 46 OSTHread 2934
DOMAIN(00000000067B1EA0):HANDLE(Pinned):2dc13e0:Root:00000001ffdb5b08(System.Object[])->
00000000ffddc9b8(System.ServiceModel.ChannelFactoryRefCache`1[[MySystem.IService, App_WebReferences.kj6s2mli]])->
00000001dfe63928(System.ServiceModel.ChannelFactoryRef`1[[MySystem.IService, App_WebReferences.kj6s2mli]])->
00000001dfdebe28(System.ServiceModel.ChannelFactory`1[[MySystem.IService, App_WebReferences.kj6s2mli]])->
00000001dff06140(System.ServiceModel.Channels.ServiceChannelFactory+ServiceChannelFactoryOverRequestSession)->
00000001dff05b50(System.ServiceModel.Channels.SecurityChannelFactory`1[[System.ServiceModel.Channels.IRequestSessionChannel, System.ServiceModel]])->
00000001dff05c50(System.ServiceModel.Channels.HttpChannelFactory)->
00000001dff05d78(System.ServiceModel.Channels.CommunicationObjectManager`1[[System.ServiceModel.Channels.IChannel, System.ServiceModel]])->
00000001dff05db0(System.Collections.Hashtable)->
000000020fda8130(System.Collections.Hashtable+bucket[])->
000000010a555568(System.ServiceModel.Channels.HttpChannelFactory+HttpRequestChannel)->
000000010a589108(System.EventHandler)->
000000010a5556b8(System.ServiceModel.Channels.ReliableChannelBinder`1+ChannelSynchronizer[[System.ServiceModel.Channels.IRequestChannel, System.ServiceModel]])->
000000010a5554e0(System.ServiceModel.Channels.ClientReliableChannelBinder`1+RequestClientReliableChannelBinder[[System.ServiceModel.Channels.IRequestChannel, System.ServiceModel]])->
000000010a555490(System.ServiceModel.Channels.ChannelParameterCollection)->
000000010a555258(System.ServiceModel.Security.SecuritySessionClientSettings`1+SecurityRequestSessionChannel[[System.ServiceModel.Channels.IRequestSessionChannel, System.ServiceModel]])->
000000010a556450(System.ServiceModel.Security.SecuritySessionSecurityTokenProvider)->
000000010a564e20(System.ServiceModel.Channels.SecurityChannelFactory`1[[System.ServiceModel.Channels.IRequestChannel, System.ServiceModel]])->
000000010a5578d8(System.ServiceModel.Security.SymmetricSecurityProtocolFactory)->											
000000010a557a00(System.ServiceModel.Security.ChannelProtectionRequirements)->											
000000010a557b88(System.ServiceModel.Security.ScopedMessagePartSpecification)->											
000000010a570a10(System.Collections.Generic.Dictionary`2[[System.String, mscorlib],[System.ServiceModel.Security.MessagePartSpecification, System.ServiceModel]])->											
000000010a5745f0(System.Collections.Generic.Dictionary`2+Entry[[System.String, mscorlib],[System.ServiceModel.Security.MessagePartSpecification, System.ServiceModel]][])

So we can see that it is ultimately rooted in a pinned handle pointing to a System.Object[]. What is that? It is the array the CLR uses to hold the static reference-type fields of an app domain: each slot stores the reference held by one static field. It usually looks as follows:

0:046> !do 00000001ffdb5b08
Name:        System.Object[]
MethodTable: 000007fee98b5b80
EEClass:     000007fee94ceb88
Size:        8192(0x2000) bytes
Array:       Rank 1, Number of elements 1020, Type CLASS
Element Type: System.Object
Fields:
None

So if you spot an array like this, you can suspect that it holds static references. But how do we figure out which static field the slot belongs to?

In the early days of .NET (around 1.0 and 1.1) the JIT-compiled code had the address of the slot hardcoded, so you could take the slot's address and sweep the process memory for it, landing in the code that read or wrote the field.

First, the address of our object, 00000000ffddc9b8 (System.ServiceModel.ChannelFactoryRefCache`1[[MySystem.IService, App_WebReferences.kj6s2mli]]), must be stored in one of the array's slots. Let's find it:

0:046> s -d 00000001ffdb5b08 L?0x1000 00000000ffddc9b8
00000001`ffdb64b0  ffddc9b8 00000000 ffddca90 00000000  ................

We search for a 4-byte value even though this is an x64 process. That only works because the upper half of the reference is zero (the object lives below 4 GB), so the low dword is distinctive on its own; searching with s -q for the full 8-byte value is the safer habit. The parameters are the start of the array, the range to scan and the pattern; what we get back is the address of the slot holding our reference, here 00000001`ffdb64b0.

Now we can search the whole process for this slot address:

0:046> s -q 0 L?0x7FFFFFEFFFF 00000001`ffdb64b0
000007ff`002e0120  00000001`ffdb64b0 00000000`00000000

We scan the user-mode part of the address space and get a single hit. Unfortunately, it is not what we are looking for: the hit is a data slot, not code. Disassembling it makes that obvious, because the "instructions" are just the eight bytes of the pointer 00000001`ffdb64b0 itself (b0 64 db ff 01 00 00 00 in little-endian order) followed by zeros:

0:046> !U 000007ff`002e0120				
Unmanaged code				
000007ff`002e0120 b064            mov     al,64h				
000007ff`002e0122 db              ???				
000007ff`002e0123 ff01            inc     dword ptr [rcx]				
000007ff`002e0125 0000            add     byte ptr [rax],al				
000007ff`002e0127 0000            add     byte ptr [rax],al				
000007ff`002e0129 0000            add     byte ptr [rax],al				
000007ff`002e012b 0000            add     byte ptr [rax],al				
000007ff`002e012d 0000            add     byte ptr [rax],al				
000007ff`002e012f 00d8            add     al,bl				
000007ff`002e0131 ff              ???

If this were a .NET 1.x application, the hit would most likely land in the JIT-compiled code of a static constructor or of a method touching the field, which you could then examine.

So, what can we do next? We can use !dumpdomain to find out which domain owns this array (the !gcroot output above already names it, DOMAIN(00000000067B1EA0); !dumpdomain lists the assemblies loaded into it) and then trawl the code of those assemblies for a static field of type ChannelFactoryRefCache<T>. In my case it was:

namespace System.ServiceModel
{
  /// <summary>
  /// Provides the base implementation used to create Windows Communication Foundation (WCF) client objects that can call services.
  /// </summary>
  /// <typeparam name="TChannel">The channel to be used to connect to the service.</typeparam>
  [__DynamicallyInvokable]
  public abstract class ClientBase<TChannel> : ICommunicationObject, IDisposable where TChannel : class
  {
    private static ChannelFactoryRefCache<TChannel> factoryRefCache = new ChannelFactoryRefCache<TChannel>(32);
    ...
  }
}

One of my services inherits from this base class. So the question is: how do I make my application clear this cache, or not use it at all (at least to confirm that it is the cause of the memory usage)? MSDN shows that ClientBase<TChannel> has a static CacheSetting property which switches the cache off (CacheSetting.AlwaysOff). Unfortunately, it was added in .NET 4.5, and I am on .NET 4. So what can we do? Use reflection to clear the cache:

using System.Reflection;

// factoryRefCache is a private static field of the closed generic type, so it
// must be looked up on ClientBase<IService>, not on the open ClientBase<>.
var type = typeof (ClientBase<IService>);
var field = type.GetField("factoryRefCache", BindingFlags.Static | BindingFlags.NonPublic);
var cache = field.GetValue(null);
// ChannelFactoryRefCache<T> is an MruCache; its Clear() drops the cached factories.
cache.GetType().GetMethod("Clear").Invoke(cache, new object[0]);

// Force a full collection so the drop is visible immediately.
GC.Collect(2);

We need to run this code manually and verify whether the memory usage drops. And it looks like it's working.
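The snippet above is tied to .NET 4.0 and to the single IService contract. The helper below is an added example, not code from the original post: for any ClientBase<TChannel> it first tries the public .NET 4.5+ switch (ClientBase<TChannel>.CacheSetting set to AlwaysOff, looked up by name so the code also compiles against .NET 4.0), then clears the private factoryRefCache as above, and it measures how many managed bytes a full collection reclaimed, which is the check you want before calling the cache the culprit. The names ChannelFactoryCacheFix, DisableAndClear and CollectAndMeasure are my own; ClientBase<T>, CacheSetting and factoryRefCache are the real WCF members discussed on this page.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;
using System.ServiceModel;

// Added example: generalised version of the reflection fix from the post.
// ChannelFactoryCacheFix, DisableAndClear and CollectAndMeasure are names
// invented here; ClientBase<T>, CacheSetting and factoryRefCache are real.
public static class ChannelFactoryCacheFix
{
    // Returns the actions that succeeded, so the caller can see which runtime
    // path was available. An empty list means neither the public property nor
    // the private field exists (e.g. the field was renamed in a later release).
    public static IList<string> DisableAndClear<TChannel>() where TChannel : class
    {
        var done = new List<string>();
        Type clientType = typeof(ClientBase<TChannel>);

        // .NET 4.5+: public static property ClientBase<T>.CacheSetting.
        // AlwaysOff stops new clients from using the cache; we do not rely on
        // it evicting entries that are already cached, hence the Clear() below.
        PropertyInfo setting = clientType.GetProperty("CacheSetting",
            BindingFlags.Public | BindingFlags.Static);
        if (setting != null && setting.CanWrite)
        {
            object alwaysOff = Enum.Parse(setting.PropertyType, "AlwaysOff");
            setting.SetValue(null, alwaysOff, null);
            done.Add("CacheSetting = AlwaysOff");
        }

        // .NET 4.0 (and later): private static field holding the
        // ChannelFactoryRefCache<TChannel>, an MruCache with a public Clear().
        // The cache is not thread-safe on its own, so run this while no
        // ClientBase<TChannel> instances are being constructed.
        FieldInfo field = clientType.GetField("factoryRefCache",
            BindingFlags.NonPublic | BindingFlags.Static);
        object cache = field != null ? field.GetValue(null) : null;
        MethodInfo clear = cache != null
            ? cache.GetType().GetMethod("Clear", Type.EmptyTypes)
            : null;
        if (clear != null)
        {
            clear.Invoke(cache, null);
            done.Add("factoryRefCache.Clear()");
        }

        return done;
    }

    // Runs the fix between two forced full collections and returns the number
    // of managed bytes reclaimed. A value near zero means the cache was not
    // what held the memory and the !gcroot hunt has to continue elsewhere.
    public static long CollectAndMeasure(Action fix)
    {
        long before = GC.GetTotalMemory(true);
        fix();
        long after = GC.GetTotalMemory(true);
        return before - after;
    }
}

// Usage (IService is the page's own placeholder contract):
//   long reclaimed = ChannelFactoryCacheFix.CollectAndMeasure(
//       () => ChannelFactoryCacheFix.DisableAndClear<IService>());
```

Clearing the cache confirms the diagnosis; it is not a fix on its own, because the cache refills as soon as new ClientBase<TChannel> instances are created with the same configurations. Once the cause is confirmed, switch the cache off through the public property where the runtime has it, or reuse client instances instead of creating a new one per call.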

https://blog.adamfurmanek.pl/2017/04/15/debugging-wcf-high-memory-usage/