floating point support and ManualMap menu

  1. #1 wanyancan (Member)

    floating point support and ManualMap

    Why is ManualMap causing this error?
    Code:
    Runtime Error!
    
    R6002
     - floating point support not loaded
    It's been asked once before, and I've tried to backtrack where this error comes from. This error is generated from _output_s_l() in 'crt\src\output.c' while it is calling the __decode_pointer() function. However, I really can't understand why TLS would be related to this problem. It's been pointed out many times by Cypher, but would you give a more detailed explanation of this?

    To be more specific:
    1. How is floating point support loaded at runtime? MSDN only states that 'performing a floating-point assignment' will cause it to be loaded. But how can I load it explicitly?

    2. If I put sprintf in myHookedEndScene, and it is called by render() in the main thread of the host process, floating point support should already be loaded, so why does the error still pop up?

    3. Why would adding TLS support to ManualMap solve this problem? How do these two things relate to each other? In w2k's code, I can't see anything special in LdrpLoadDll(). What is the new TLS stuff introduced in later Vista OS? In 'Windows Vista support for __declspec(thread) in demand loaded DLLs' it seems that LoadLibrary is rather complicated.

    4. How do I add TLS support? I've tried to set _tls_index during the mapping, but it doesn't seem to work at all.

    I know there's a lot of judgement describing it as shit or incomplete or "WTF if yours is private" or too many assumptions and too brief an introduction to the TLS problem. If you just want to say that, please skip.
    Thank you!
    Last edited by wanyancan; 02-25-2010 at 06:47 PM.

  2. #2 Cypher (Kynox's Sister's Pimp)
    Short answer: TLS callbacks.

  3. #3 kynox (Member)
    Long answer: TTTTTTTTTTLLLLLLLLLLLLLLLSSSSSSSSSS CAAAAAAAAAAAAAALLLLLLLLLLLLLLBBBBBBBBBBBBBBBAAAAAAAAAAAACCCCCCCCCCKKKKKKKKKKKKKK KSSSSSSSSS

  4. #4 wanyancan (Member)
    But the TLS table contents
    Code:
    typedef struct _IMAGE_TLS_DIRECTORY32 {
        DWORD   StartAddressOfRawData;
        DWORD   EndAddressOfRawData;
        DWORD   AddressOfIndex;             // PDWORD
        DWORD   AddressOfCallBacks;         // PIMAGE_TLS_CALLBACK *
        DWORD   SizeOfZeroFill;
        DWORD   Characteristics;
    } IMAGE_TLS_DIRECTORY32;
    have already been fixed by FixRelocs(); what else needs to be done with the CALLBACKs array?
    Should I call all these callbacks in DllMain(), or in the same way DllMain is called in the DllCall_stub? Before DllMain or after?
    I really appreciate any further information.

  5. #5 lanman92 (Active Member)
    Maybe start reversing LoadLibrary. It will give you the absolutely correct answers. Just see how they do it and when they call the callbacks, and re-implement it.

  6. #6 wanyancan (Member)
    I've already tried. It finally goes into ntdll:LdrpFindOrMapDll. Then it seems to send a DLL notification when it finishes, and I get lost from there..

  7. #7 lanman92 (Active Member)
    You'll have to reverse into the kernel to find it. Threads, modules, and processes are all handled in kernel mode, for good reason.

  8. #8 wanyancan (Member)
    I tried to call the TLS callback before DllMain, after the module has been mapped, using the following code.
    Code:
    CPU Disasm
    Address   Hex dump          Command                                  Comments
    04300000    55              PUSH EBP
    04300001    89E5            MOV EBP,ESP
    04300003    6A 00           PUSH 0
    04300005    6A 01           PUSH 1
    04300007    FF75 08         PUSH DWORD PTR SS:[EBP+8]
    0430000A    B8 5C348604     MOV EAX,486345C               <<< modified on the fly, PIMAGE_TLS_CALLBACK array
    0430000F    8B00            MOV EAX,DWORD PTR DS:[EAX]     <<< the first callback; my dll only has one callback
    04300011    FFD0            CALL EAX
    04300013    6A 00           PUSH 0
    04300015    6A 01           PUSH 1
    04300017    FF75 08         PUSH DWORD PTR SS:[EBP+8]
    0430001A    B8 90E47F04     MOV EAX,47FE490              <<< modified on the fly
    0430001F    FFD0            CALL EAX                      <<< call DllMain
    04300021    89EC            MOV ESP,EBP
    04300023    5D              POP EBP
    04300024    C3              RETN
    However, nothing changes.. Still no floating point support. Why would this TLS callback be related to it? Looking at the callback function itself, there's nothing obviously connected..
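
    Added example (editor's code, not from the thread, ManualMap or any poster): posts #4 and #8 ask what has to happen with the IMAGE_TLS_DIRECTORY32 callback array and where those calls go relative to DllMain. The block below walks a PE32 image's TLS directory, follows AddressOfCallBacks to the NULL-terminated array, adjusts each entry to the image's real load base (the entries are absolute VAs, so they are only correct after FixRelocs() or after applying the base delta by hand), and then runs the attach sequence in loader order: every callback with DLL_PROCESS_ATTACH, then DllMain. It deliberately avoids <windows.h> so it builds anywhere; the PE field offsets are hard-coded from the format, and the image, the callbacks, DEMO_IMAGE_BASE, and the function names are all this example's own constructed stand-ins. It covers only the callback array; assigning _tls_index and allocating per-thread storage, which the thread also raises, is not handled here.

```c
/* Added example, not code from the thread or from ManualMap: locate a PE32 image's TLS
 * callback array and run the attach sequence in loader order (TLS callbacks, then DllMain).
 * No <windows.h>; PE offsets are hard-coded from the spec. Image and callbacks are stand-ins. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define DLL_PROCESS_ATTACH        1u
#define IMAGE_DIRECTORY_ENTRY_TLS 9u

/* Unaligned little-endian accessors: PE fields in a byte buffer need not be aligned. */
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* img: the image laid out at its section RVAs (already mapped). load_base: where it lives in the
 * target. relocs_applied: nonzero once FixRelocs() has rewritten the absolute VAs inside it.
 * Returns the callback count (entries adjusted to load_base), 0 if no .tls, -1 if malformed. */
int find_tls_callbacks(const uint8_t *img, size_t img_size, uint32_t load_base,
                       int relocs_applied, uint32_t *out, size_t max_out) {
    if (img_size < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = rd32(img + 0x3c);                                  /* e_lfanew */
    if (pe > img_size || img_size - pe < 4 + 20 + 224) return -1;
    if (memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    const uint8_t *opt = img + pe + 4 + 20;                          /* IMAGE_OPTIONAL_HEADER32 */
    if ((opt[0] | opt[1] << 8) != 0x10b) return -1;                  /* Magic: PE32 only here */
    uint32_t preferred_base = rd32(opt + 28);                        /* ImageBase */
    if (rd32(opt + 92) <= IMAGE_DIRECTORY_ENTRY_TLS) return 0;       /* NumberOfRvaAndSizes */
    uint32_t tls_rva = rd32(opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS);
    if (tls_rva == 0) return 0;                                      /* no TLS directory at all */
    if (tls_rva > img_size || img_size - tls_rva < 24) return -1;
    /* Every IMAGE_TLS_DIRECTORY32 field and every callback entry is an absolute VA: relative
     * to ImageBase until relocations are applied, to load_base afterwards. */
    uint32_t va_base = relocs_applied ? load_base : preferred_base;
    uint32_t delta   = relocs_applied ? 0 : load_base - preferred_base;
    uint32_t cb_va   = rd32(img + tls_rva + 12);                     /* AddressOfCallBacks */
    if (cb_va == 0) return 0;                                        /* .tls data but no callbacks */
    uint32_t rva = cb_va - va_base; size_t n = 0;
    for (;; rva += 4) {
        if (rva > img_size || img_size - rva < 4) return -1;         /* array runs off the image */
        uint32_t entry = rd32(img + rva);
        if (entry == 0) break;                                       /* array is NULL-terminated */
        if (n < max_out) out[n] = entry + delta;
        n++;
    }
    return (int)n;
}

typedef void (*tls_callback_t)(void *dll, uint32_t reason, void *reserved);
typedef int  (*dll_main_t)(void *dll, uint32_t reason, void *reserved);

/* Same order as the loader and as the DllCall_stub code cave in the thread:
 * every TLS callback with DLL_PROCESS_ATTACH first, DllMain last. */
int run_process_attach(void *dll, const tls_callback_t *cbs, size_t n, dll_main_t entry) {
    for (size_t i = 0; i < n; i++) cbs[i](dll, DLL_PROCESS_ATTACH, NULL);
    return entry(dll, DLL_PROCESS_ATTACH, NULL);
}

/* ---- constructed PE32 image with a TLS directory and two callbacks (not a real DLL) ---- */
#define DEMO_IMAGE_BASE 0x10000000u
#define DEMO_SIZE       0x400u

void build_demo_image(uint8_t *img) {
    memset(img, 0, DEMO_SIZE);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + 0x3c, 0x40);                                          /* e_lfanew */
    memcpy(img + 0x40, "PE\0\0", 4);
    img[0x54] = 0xe0;                                                /* SizeOfOptionalHeader = 224 */
    uint8_t *opt = img + 0x58;
    opt[0] = 0x0b; opt[1] = 0x01;                                    /* Magic = PE32 */
    wr32(opt + 28, DEMO_IMAGE_BASE);                                 /* ImageBase */
    wr32(opt + 92, 16);                                              /* NumberOfRvaAndSizes */
    wr32(opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, 0x200);           /* DataDirectory[TLS].VirtualAddress */
    wr32(opt + 100 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, 24);             /* DataDirectory[TLS].Size */
    wr32(img + 0x200, DEMO_IMAGE_BASE + 0x300); wr32(img + 0x204, DEMO_IMAGE_BASE + 0x308); /* Start/EndAddressOfRawData */
    wr32(img + 0x208, DEMO_IMAGE_BASE + 0x310);                      /* AddressOfIndex (_tls_index) */
    wr32(img + 0x20c, DEMO_IMAGE_BASE + 0x320);                      /* AddressOfCallBacks */
    wr32(img + 0x320, DEMO_IMAGE_BASE + 0x1000); wr32(img + 0x324, DEMO_IMAGE_BASE + 0x1010); /* two callbacks */
    wr32(img + 0x328, 0);                                            /* terminator */
}

/* i-th callback address of the demo image when mapped at load_base, 0 if there is none. */
uint32_t demo_callback_at(size_t i, uint32_t load_base, int relocs_applied) {
    uint8_t img[DEMO_SIZE]; uint32_t cbs[8]; build_demo_image(img);
    int n = find_tls_callbacks(img, DEMO_SIZE, load_base, relocs_applied, cbs, 8);
    return (n > 0 && i < (size_t)n) ? cbs[i] : 0;
}

/* Stand-in callbacks and DllMain that record the order in which they run. */
static char g_order[8];
static void demo_cb_a(void *d, uint32_t r, void *x) { (void)d; (void)x; if (r == DLL_PROCESS_ATTACH) strcat(g_order, "A"); }
static void demo_cb_b(void *d, uint32_t r, void *x) { (void)d; (void)x; if (r == DLL_PROCESS_ATTACH) strcat(g_order, "B"); }
static int demo_dllmain(void *d, uint32_t r, void *x) { (void)d; (void)x; if (r == DLL_PROCESS_ATTACH) strcat(g_order, "M"); return 1; }

const char *demo_attach_order(void) {
    tls_callback_t cbs[] = { demo_cb_a, demo_cb_b };
    g_order[0] = '\0'; run_process_attach((void *)0x04300000, cbs, 2, demo_dllmain);
    return g_order;
}

int main(void) {
    printf("first callback at load base 0x04300000: 0x%08x\n", (unsigned)demo_callback_at(0, 0x04300000u, 0));
    printf("attach order: %s\n", demo_attach_order());
    return 0;
}
```

    Two checks worth keeping from this: the callback array is terminated by a zero entry rather than sized by the directory, so a stub that only calls the first pointer is wrong for any module with more than one callback, and every pointer in the TLS directory is an absolute VA that either needs .reloc fix-ups or the load-base delta before it is called.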

  9. #9 Cypher (Kynox's Sister's Pimp)
    I'm almost certain that TLS callbacks are used to initialize FPU support, though it's been a long time since I've looked.

    Also, are you sure that you're calling TLS callbacks not only on your own module, but also on any dependent modules that you're manually mapping? (I know that Darawk's original code works recursively, manually mapping each dependent module that isn't already loaded)

    The CRT module would be the obvious one I'm talking about in this situation.

  10. #10 wanyancan (Member)
    Here's my log file
    Code:
    [03:01:31]: Logging started at 2010-02-27
    [03:01:31]: In DllMain of ManualMap [.\MMDll.cpp] @ 36
    [03:01:31]: ManualMap Attached [.\MMDll.cpp] @ 45
    [03:01:32]: ManualMap MapModule, instance a new ManualMap to load: gdh.dll [.\MMDll.cpp] @ 62   <<< my dll
    
    [03:01:32]: in ManualMap::Load with pid 4876 to load gdh.dll [..\Main\ManualMap.cpp] @ 53
    [03:01:32]: Initialize some data: m_module, m_pid [..\Main\ManualMap.cpp] @ 58
    [03:01:32]: openprocess first fail [..\Main\ManualMap.cpp] @ 92
    [03:01:32]: sucess at open process the second time [..\Main\ManualMap.cpp] @ 114
    [03:01:32]: stubBase is 0x69664768 [..\Main\ManualMap.cpp] @ 122
    [03:01:32]: Fix imports for KERNEL32.dll [..\Main\ManualMap.cpp] @ 407
    [03:01:32]: Fix imports for USER32.dll [..\Main\ManualMap.cpp] @ 407
    [03:01:32]: Fix imports for dbghelp.dll [..\Main\ManualMap.cpp] @ 407
    [03:01:32]: recursively load module: dbghelp.dll [..\Main\ManualMap.cpp] @ 410   <<< recursively loading another dll
    
    [03:01:32]: in ManualMap::Load with pid 4876 to load dbghelp.dll [..\Main\ManualMap.cpp] @ 53
    [03:01:32]: Initialize some data: m_module, m_pid [..\Main\ManualMap.cpp] @ 58
    [03:01:32]: stubBase is 0x69730304 [..\Main\ManualMap.cpp] @ 122
    [03:01:32]: Fix imports for msvcrt.dll [..\Main\ManualMap.cpp] @ 407
    [03:01:32]: Fix imports for KERNEL32.dll [..\Main\ManualMap.cpp] @ 407
    [03:01:32]: Fix imports for ADVAPI32.dll [..\Main\ManualMap.cpp] @ 407
    [03:01:32]: Fix imports for RPCRT4.dll [..\Main\ManualMap.cpp] @ 407
    [03:01:32]: import table fixed [..\Main\ManualMap.cpp] @ 143
    [03:01:32]: successfully loaded : dbghelp.dll [..\Main\ManualMap.cpp] @ 157
    [03:01:32]: Map and execute for dbghelp.dll [..\Main\ManualMap.cpp] @ 165
    [03:01:32]: mapped to remote process for dbghelp.dll [..\Main\ManualMap.cpp] @ 171
    [03:01:32]: dbghelp.dll has no tls section [..\Main\ManualMap.cpp] @ 182
    [03:01:32]: run dllmain And/or tls callback for dbghelp.dll [..\Main\ManualMap.cpp] @ 205   <<< after mapping, call tls callbacks and DllMain
    
    [03:01:32]: stubase at 0x4280000 dll entry at: 0x49AC314 [..\Main\ManualMap.cpp] @ 206
    [03:01:32]: dbghelp.dll finished loading dllmain and/or callback [..\Main\ManualMap.cpp] @ 212
    
    [03:01:32]: Fix imports for d3d9.dll [..\Main\ManualMap.cpp] @ 407
    [03:01:32]: import table fixed [..\Main\ManualMap.cpp] @ 143
    [03:01:32]: successfully loaded : gdh.dll [..\Main\ManualMap.cpp] @ 157    <<< my dll is mapped
    
    [03:01:32]: gdh.dll is loaded, redirect some module functions to use ManualMap [.\MMDll.cpp] @ 74     <<< setup up some monitoring functions
    [03:01:32]: (GMFN): 757C14FA [.\MMDll.cpp] @ 81        << GetModuleFileName
    [03:01:32]: (GPA): 757C1202 [.\MMDll.cpp] @ 82         << GetProcAddress
    [03:01:32]: (GMH): 757C1225 [.\MMDll.cpp] @ 83		<< GetModuleHandle
    [03:01:32]: (GLL): 757C4BC6 [.\MMDll.cpp] @ 84		<< LoadLibrary
    
    [03:01:32]: Map and execute for gdh.dll [..\Main\ManualMap.cpp] @ 165       	<< call tls callbacks and DllMain
    [03:01:32]: mapped to remote process for gdh.dll [..\Main\ManualMap.cpp] @ 171
    [03:01:32]: gdh.dll has tls section callback(s) [..\Main\ManualMap.cpp] @ 185
    [03:01:32]: tls slot index assigned to 60 max is: 4294967295 [..\Main\ManualMap.cpp] @ 187   <<< manually set _tls_index value
    [03:01:32]: run dllmain And/or tls callback for gdh.dll [..\Main\ManualMap.cpp] @ 205		<<< run PIMAGE_TLS_CALLBACKS array
    
    [03:01:32]: stubase at 0x4270000 dll entry at: 0x479DA20 [..\Main\ManualMap.cpp] @ 206  
    [03:01:33]: MyGPA GetProcAddress2 to check func: FlsAlloc [.\MMDll.cpp] @ 163                  <<< these should be some callbacks relating with CRT
    [03:01:33]: kernel:GetProcAddress for FlsAlloc is at 0x757C1F22 [.\MMDll.cpp] @ 171
    [03:01:33]: MyGPA GetProcAddress2 to check func: FlsGetValue [.\MMDll.cpp] @ 163
    [03:01:33]: kernel:GetProcAddress for FlsGetValue is at 0x757C123D [.\MMDll.cpp] @ 171
    [03:01:33]: MyGPA GetProcAddress2 to check func: FlsSetValue [.\MMDll.cpp] @ 163
    [03:01:33]: kernel:GetProcAddress for FlsSetValue is at 0x757C18E4 [.\MMDll.cpp] @ 171
    [03:01:33]: MyGPA GetProcAddress2 to check func: FlsFree [.\MMDll.cpp] @ 163
    [03:01:33]: kernel:GetProcAddress for FlsFree is at 0x757C3954 [.\MMDll.cpp] @ 171
    [03:01:33]: MyGPA GetProcAddress2 to check func: EncodePointer [.\MMDll.cpp] @ 163
    [03:01:33]: kernel:GetProcAddress for EncodePointer is at 0x77AC0E5B [.\MMDll.cpp] @ 171
    [03:01:33]: MyGPA GetProcAddress2 to check func: EncodePointer [.\MMDll.cpp] @ 163
    [03:01:33]: kernel:GetProcAddress for EncodePointer is at 0x77AC0E5B [.\MMDll.cpp] @ 171
    [03:01:33]: MyGPA GetProcAddress2 to check func: EncodePointer [.\MMDll.cpp] @ 163
    [03:01:33]: kernel:GetProcAddress for EncodePointer is at 0x77AC0E5B [.\MMDll.cpp] @ 171
    [03:01:33]: MyGPA GetProcAddress2 to check func: EncodePointer [.\MMDll.cpp] @ 163
    [03:01:33]: kernel:GetProcAddress for EncodePointer is at 0x77AC0E5B [.\MMDll.cpp] @ 171
    [03:01:33]: MyGPA GetProcAddress2 to check func: EncodePointer [.\MMDll.cpp] @ 163
    [03:01:33]: kernel:GetProcAddress for EncodePointer is at 0x77AC0E5B [.\MMDll.cpp] @ 171
    [03:01:33]: MyGPA GetProcAddress2 to check func: EncodePointer [.\MMDll.cpp] @ 163
    [03:01:33]: kernel:GetProcAddress for EncodePointer is at 0x77AC0E5B [.\MMDll.cpp] @ 171
    [03:01:33]: MyGPA GetProcAddress2 to check func: EncodePointer [.\MMDll.cpp] @ 163
    [03:01:33]: kernel:GetProcAddress for EncodePointer is at 0x77AC0E5B [.\MMDll.cpp] @ 171
    [03:01:33]: MyGPA GetProcAddress2 to check func: DecodePointer [.\MMDll.cpp] @ 163
    [03:01:33]: kernel:GetProcAddress for DecodePointer is at 0x77AB9BD5 [.\MMDll.cpp] @ 171
    [03:01:33]: MyGPA GetProcAddress2 to check func: DecodePointer [.\MMDll.cpp] @ 163
    [03:01:33]: kernel:GetProcAddress for DecodePointer is at 0x77AB9BD5 [.\MMDll.cpp] @ 171
    [03:01:33]: MyGPA GetProcAddress2 to check func: EncodePointer [.\MMDll.cpp] @ 163
    [03:01:33]: kernel:GetProcAddress for EncodePointer is at 0x77AC0E5B [.\MMDll.cpp] @ 171
    [03:01:33]: MyGPA GetProcAddress2 to check func: DecodePointer [.\MMDll.cpp] @ 163
    [03:01:33]: kernel:GetProcAddress for DecodePointer is at 0x77AB9BD5 [.\MMDll.cpp] @ 171
    [03:01:33]: MyGMFN GetModuleFileName2 for module   [.\MMDll.cpp] @ 117
    [03:01:33]: hmodule 0x00000000 is at G:\World of Warcraft_tw_old\Wow.exe [.\MMDll.cpp] @ 131        <<<< Callback finished
    
    [03:01:33]: Logging started at 2010-02-27			<<<< DllMain starts here
    [03:01:33]: dllmain at 0x04767480 [.\GDHM.cpp] @ 110
    [03:01:33]: DLL_PROCESS_ATTACH [.\GDHM.cpp] @ 113
    [03:01:34]: Direct3DCreate9 OK, pD3D: 0x155909E0 [.\GDHM.cpp] @ 41
    [03:01:34]: pD3D->CreateDevice with hWnd : 0032073C [.\GDHM.cpp] @ 50
    [03:01:34]: pD3D->CreateDevice OK, pd3dDevice: 0x155E2F80 *pd3dDevice= 0x155E5D1C [.\GDHM.cpp] @ 60
    [03:01:34]: pd3dDevice -> Vtable[42] = 6096CE09 [.\GDHM.cpp] @ 68
    [03:01:34]: end scene is successfully hooked! [.\GDHM.cpp] @ 116
    [03:01:34]: MyGPA GetProcAddress2 to check func: DecodePointer [.\MMDll.cpp] @ 163
    [03:01:34]: kernel:GetProcAddress for DecodePointer is at 0x77AB9BD5 [.\MMDll.cpp] @ 171
    [03:01:34]: MyGPA GetProcAddress2 to check func: DecodePointer [.\MMDll.cpp] @ 163
    [03:01:34]: kernel:GetProcAddress for DecodePointer is at 0x77AB9BD5 [.\MMDll.cpp] @ 171
    [03:01:34]: MyGPA GetProcAddress2 to check func: EncodePointer [.\MMDll.cpp] @ 163
    [03:01:34]: kernel:GetProcAddress for EncodePointer is at 0x77AC0E5B [.\MMDll.cpp] @ 171
    [03:01:34]: MyGPA GetProcAddress2 to check func: DecodePointer [.\MMDll.cpp] @ 163
    [03:01:34]: kernel:GetProcAddress for DecodePointer is at 0x77AB9BD5 [.\MMDll.cpp] @ 171
    [03:01:34]: IDirect3DDevice9* obtained to be 0x3428A20 [.\GDHM.cpp] @ 84
    [03:01:34]: gdh.dll finished loading dllmain and/or callback [..\Main\ManualMap.cpp] @ 212  <<<<<<< all finished
    
    [03:01:41]: In manualmap.dll :: UnmapModule gdh.dll [.\MMDll.cpp] @ 102
    [03:01:41]: in Unmap [..\Main\ManualMap.cpp] @ 219
    [03:01:41]: clear mapped mapbyName [..\Main\ManualMap.cpp] @ 245
    [03:01:41]: clear mapped mapbyHandle [..\Main\ManualMap.cpp] @ 247
    Everything seems to be going well, but still no floating point support.
    Besides, I've also changed the code cave to call all the callbacks, not only the first one.
    Code:
    //	Stub that calls the Dll from within the remote process.
    //	This is necessary because a DllMain function takes 3
    //	arguments, and CreateRemoteThread can pass only 1.
    unsigned char ManualMap::DllCall_stub[] = { 
    	0x55,  // push ebp
    	0x89,0xe5,  // mov ebp,esp
    	0x31, 0xdb, // xor ebx,ebx
    	0x83, 0xec, 0x10, // sub esp,10
    	0xb8, 0xDE, 0xAD, 0xBE, 0xEF, // mov eax, 0xdeadbeef  << pTlsCallback_array
    	0x89, 0x45, 0xfc, // mov dword ptr [ebp-4], eax      <<<< loop start
    	0x39, 0xd8, // cmp eax, ebx
    	0x74, 0x15, // je Label:quit
    	0x39, 0x18, // cmp [eax], ebx
    	0x74, 0x11, // je label:quit
    	
    	0x6a, 0x00, // push 0
    	0x6a, 0x01, // push 1
    	0xff, 0x75, 0x08, // push dword [ebp+8]
    	0xff, 0x10, // call [eax]
    	0x8b, 0x45, 0xfc, // mov eax, [ebp-4]
    	0x83, 0xc0, 0x04, // add eax,4
    	0xeb, 0xe4, // jmp loop start
    	
    	0x6a, 0x00, // push 0
    	0x6a, 0x01, // push 1
    	0xff, 0x75, 0x08, // push dword [ebp+8]
    	0xb8, 0xDE, 0xAD, 0xBE, 0xEF, // mov eax, 0xdeadbeef
    	0xff, 0xd0, // call eax
    	0x89, 0xec, // mov esp, ebp
    	0x5d,	// pop ebp
    	0xc3	// retn
    };
    I've really run out of ideas..

    As you're also going to write the mapping code, I sincerely hope you can shed some light on this.
