There is a console application, written in C++ and compiled with the Microsoft compiler (using WINAPI functions, of course). There is neither source code nor any analogue of this program. Disassembly shows about 3,500 functions, so a full reverse engineering would take a very long time.

I set myself the task of writing a universal loader that supports several operating systems (the code for each is selected at compile time). For now I am working only on Windows.

Loading follows the principle "place the original segments at the right addresses, process the import table, call the entry point". GCC (MinGW) and the C language were chosen for the implementation, since GCC supports custom linker scripts.

The segments are placed correctly, the import table is processed correctly, the entry point is called, and the arguments are handled correctly. The problem is that sooner or later error R6002 occurs (as a side effect), but I am sure the problem lies precisely in the layout of the program (the runtime libraries are incompatible, and something was initialized in one place but not in another?) and not in any specific bugs. Debugging is done with Qt Creator, but it is difficult, since there is only an assembler listing.

The question is: do I have to patch the calls to standard functions to make the loader work, or can something else be thought up?

  • Rewriting Wine from scratch is a good thing. - strangeqargo
  • I hardly understand exactly what you are doing. Do you want to write a program that runs different binary formats on different operating systems? - Vladimir Martyanov
  • If you consider the implementation for one specific program to be rewriting Wine, then yes. For now I am testing my abilities. Later the loader may be embedded entirely in another application. That one, by the way, works on the same principle; the only difference is that an ELF x86 binary was used, and it runs quietly under Windows. - T-Max
  • By the way, what is the total size in bytes of those 3,500 functions? How many of them are left unrecognized after FLIRT, if you used it? - Vladimir Martyanov
  • A program should not use msvcrt.dll at all. - VladD

1 answer

Since the program printed

 runtime error R6002 - floating point support not loaded 

I decided to find out what caused this error. And I found this ("call stack"):

 __NMSG_WRITE
 _amsg_exit(2)    <= 2 is the error code (corresponds to R6002)
 _fptrap

The _fptrap function was used as a stub in all 10 entries of an array of 10 functors. The interesting part is that this function could not have been called, since before any such call there was an unconditional rewrite of these functors to other ones:

 void __cdecl _cfltcvt_init_0()
 {
     off_519200 = _cfltcvt;      // All of these off_* were initialized
     off_519204 = sub_4B91DF;    // with the _fptrap functor.
     off_519208 = _fassign;
     off_51920C = _forcdecpt;
     off_519210 = _positive;
     off_519214 = _cfltcvt;
     off_519218 = _cfltcvt_l;
     off_51921C = _fassign_l;
     off_519220 = _cropzeros_l;
     off_519224 = _forcdecpt_l;
 }

I changed this stub to an ordinary nullsub, and everything works fine. However, I have a feeling that something is fooling me somewhere.
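A small model of the mechanism the answer describes, added here as an example (it is not code from the question, the answer or the CRT): a functor table whose slots start out pointing at a trap stub, an initializer that swaps in the real helpers, and a loader that either skips or runs that initializer before jumping to the program's code. All names (fp_helpers, fptrap_stub, cfltcvt_init, run_entry) are invented, and it assumes the slots are replaced only by that initializer.

```c
#include <stdio.h>
#include <string.h>

#define R6002  2   /* CRT error code that _amsg_exit reports as "R6002" */
#define NSLOTS 10  /* size of the functor array seen in the decompiled CRT */

typedef int (*fp_helper_t)(double, char *, size_t);

static int last_runtime_error;  /* what _amsg_exit would have printed */

/* Stands in for _fptrap: records the R6002 condition instead of aborting. */
static int fptrap_stub(double v, char *out, size_t n)
{
    (void)v; (void)out; (void)n;
    last_runtime_error = R6002;
    return -1;
}

/* Stands in for a real helper such as _cfltcvt. */
static int cfltcvt_real(double v, char *out, size_t n)
{
    return snprintf(out, n, "%.2f", v) > 0 ? 0 : -1;
}

/* The functor table; a freshly mapped image has every slot set to the trap. */
static fp_helper_t fp_helpers[NSLOTS];

static void reset_image(void)   /* state right after the loader maps the image */
{
    for (int i = 0; i < NSLOTS; i++) fp_helpers[i] = fptrap_stub;
}

/* Stands in for _cfltcvt_init_0, which the CRT start-up code normally runs. */
static void cfltcvt_init(void)
{
    for (int i = 0; i < NSLOTS; i++) fp_helpers[i] = cfltcvt_real;
}

/* The loaded program's own code: its first float formatting goes through slot 0. */
static int program_entry(double v, char *out, size_t n)
{
    return fp_helpers[0](v, out, n);
}

/* A custom loader. run_crt_init == 0 jumps straight to the program's code,
 * run_crt_init == 1 lets the CRT initializer run first.
 * Returns the runtime error code (0 = none); "3.14" lands in out on success. */
int run_entry(int run_crt_init, char *out, size_t n)
{
    last_runtime_error = 0;
    reset_image();
    if (run_crt_init) cfltcvt_init();
    return program_entry(3.14159, out, n) == 0 ? 0 : last_runtime_error;
}
```

Patching the stub to a nullsub hides the symptom; the model shows that what actually matters is whether the initializer that replaces the stubs ran before the program's first floating-point conversion.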