January 2008


I’ll be in New York City from Thursday, I have too many things to prepare right now, and I don’t have time to finish this story. Anyway, I thought it might be interesting to write something about this strange behaviour. It’s only a sort of preview; I hope to complete it in the near future.

I have a new printer, an HP C4380. I don’t know if it’s good or not, I don’t print much. It was really easy to install and it works fine for me, I had nothing to complain about… until some days ago, when I noticed something strange. When the system starts, I sometimes see the CPU at 100%:

CPU 100%

As you can see, it happens when the system starts, so it’s one of the startup processes for sure. I opened Process Explorer just to get an idea of what’s going on:

HP svchost

Svchost is used to load one or more services; the list of services each instance loads is stored in the registry. The problem doesn’t reside in the svchost process itself but inside one of the services it loaded. How to find it? Process Explorer is a great tool, it gives out a lot of information. Just click on the process item and you will have all the necessary information about the process. I’m interested in the command line, which is: “C:\WINDOWS\system32\svchost.exe -k HPService”. Ok, the problem should be inside HPService. To locate the DLL’s name you can browse through the process properties; you’ll easily find it: HPSLPSVC32.DLL

This service belongs to the HP printer software and it’s used to check for HP peripherals connected through the network. The service is started automatically (have a look at the services.msc utility). After some tests I found that the problem arises when one or more computers connected to the LAN are offline. I’m pretty sure there’s an error inside the DLL, but how to find out where the problem is located? In cases like this, when the CPU works at 100%, the problem resides inside a loop. The process is waiting for something that will never be received, and it can’t get out of the loop because of a programming error. It could be an error in a variable’s initialization/update, but there are many possibilities; there isn’t a general explanation.

What I did was attach a debugger to the right svchost process instance. It’s pretty easy to locate the guilty loop, you only have to break on DLL access. Here’s a snippet taken from the loop I was talking about:

10025D00 mov eax, dword_100AC550
10025D05 mov ecx, [edi+4]
10025D08 push eax ; dwMilliseconds: 1000 ms
10025D09 push ecx ; hHandle
10025D0A call ebx ; WaitForSingleObject
10025D0C mov edx, [edi+10h]
10025D0F push edx ; hEvent = 0
10025D10 mov esi, eax ; eax = WAIT_FAILED
10025D12 call ebp ; SetEvent
10025D14 cmp esi, WAIT_TIMEOUT
10025D1A jnz short loc_10025D27
10025D1C mov eax, [edi]
10025D1E mov edx, [eax+24h]
10025D21 mov ecx, edi
10025D23 call edx ; call sub_100255E0
10025D25 jmp short loc_10025D00
10025D27 cmp esi, WAIT_FAILED
10025D2A jnz short loc_10025D3A
10025D2C mov eax, dword_100AC550
10025D31 push eax ; dwMilliseconds
10025D32 call ds:Sleep
10025D38 jmp short loc_10025D00

Well, as you can see from the comments there are two problems:
1. WaitForSingleObject returns WAIT_FAILED
2. SetEvent’s parameter is 0

I tried calling GetLastError after the two calls and the result was ERROR_INVALID_HANDLE. Pretty obvious, eh!
I don’t know where to look next; an error in handling CreateEvent’s return value could be the answer. After a quick glance everything seems to be ok, but I need to check carefully.
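As an added illustration (not HP’s code, and not taken from the DLL), here is a small Python model of the control flow in the listing above. The Win32 calls are replaced by a fake kernel object so it runs anywhere; the WAIT_* and error constants are the real Win32 values, while the handle numbers are made up. original_loop keeps the branch structure of the disassembly, so an invalid handle makes it retry forever, while defensive_loop shows the check a service should have: refuse a NULL handle up front and stop on WAIT_FAILED, reporting the GetLastError code.

```python
# Added example (not HP's code): a portable model of the control flow in the
# disassembled loop. Win32 calls are replaced by a small fake so it runs
# anywhere; the constants below are the real <winbase.h> values.
WAIT_OBJECT_0 = 0x00000000
WAIT_TIMEOUT = 0x00000102
WAIT_FAILED = 0xFFFFFFFF
ERROR_INVALID_HANDLE = 6


class FakeKernel:
    """Stand-in for WaitForSingleObject / SetEvent / Sleep / GetLastError.

    A handle is valid only if it appears in `valid`; a valid handle listed in
    `signalled` satisfies the wait, any other valid handle times out.
    Handle 0 (the NULL hEvent seen in the listing) is never valid.
    """

    def __init__(self, valid=(), signalled=()):
        self.valid = set(valid)
        self.signalled = set(signalled)
        self.last_error = 0      # what GetLastError would return
        self.sleeps = 0          # how many times Sleep() was reached

    def wait_for_single_object(self, handle, timeout_ms):
        if handle not in self.valid:
            self.last_error = ERROR_INVALID_HANDLE
            return WAIT_FAILED
        return WAIT_OBJECT_0 if handle in self.signalled else WAIT_TIMEOUT

    def set_event(self, handle):
        if handle not in self.valid:
            self.last_error = ERROR_INVALID_HANDLE
            return False
        return True

    def sleep(self, timeout_ms):
        self.sleeps += 1


def original_loop(k, h_wait, h_event, timeout_ms, max_iterations):
    """Same branch structure as the listing: WAIT_TIMEOUT runs the worker and
    loops, WAIT_FAILED just sleeps and loops, anything else leaves the loop.
    With an invalid handle the wait fails every time, so the loop never ends;
    max_iterations exists only so that this model terminates."""
    for i in range(max_iterations):
        result = k.wait_for_single_object(h_wait, timeout_ms)
        k.set_event(h_event)           # return value ignored, as in the listing
        if result == WAIT_TIMEOUT:
            continue                   # sub_100255E0 would run here
        if result == WAIT_FAILED:
            k.sleep(timeout_ms)
            continue
        return ("left loop", i + 1)
    return ("still looping", max_iterations)


def defensive_loop(k, h_wait, h_event, timeout_ms, max_iterations):
    """Hardened variant: refuse NULL handles up front and treat WAIT_FAILED
    (or a failed SetEvent) as fatal, surfacing the error code instead of
    retrying forever."""
    if not h_wait or not h_event:
        return ("refused: NULL handle", 0)
    for i in range(max_iterations):
        result = k.wait_for_single_object(h_wait, timeout_ms)
        if result == WAIT_FAILED:
            return ("wait failed, GetLastError=%d" % k.last_error, i + 1)
        if not k.set_event(h_event):
            return ("SetEvent failed, GetLastError=%d" % k.last_error, i + 1)
        if result == WAIT_TIMEOUT:
            continue
        return ("left loop", i + 1)
    return ("gave up", max_iterations)


if __name__ == "__main__":
    broken = FakeKernel()                       # no valid handles at all
    print(original_loop(broken, 0, 0, 1000, 5), "sleeps:", broken.sleeps)
    print(defensive_loop(FakeKernel(), 0, 0, 1000, 5))
    healthy = FakeKernel(valid={0x10, 0x20}, signalled={0x10})
    print(original_loop(healthy, 0x10, 0x20, 1000, 5))
```

The point of the two variants is the error path: a wait that fails with an invalid handle returns immediately, so a loop that only distinguishes “timed out” from “failed” and retries both will never leave.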

The problem occurs to many people out there. It was reported on HP’s support forum in March 2007, but the problem still exists. The temporary fix is pretty easy: just set the service from Automatic to Manual… Anyway, it could be interesting to find out where the problem resides; I’ll try to check when my trip ends.

I like going to the cinema; I adore movies. I have a lot of DVD movies at home. The special features included in almost every DVD are something I particularly like. What I dislike are the easter eggs hidden on the disc: behind them there are often small, stupid clips. Nowadays they are documented everywhere around the net, but the question is: how did people find them?

The common way is pushing every button on your remote control hoping to see something strange around the DVD menu. This is the easiest way, you only have to spend some time with a remote control in your hand. Otherwise, you can try inspecting the files stored on the DVD. I don’t have any experience with this kind of thing, so I did some searching on the net. Of all the programs I tried I was impressed by one: PgcEdit. As stated in the documentation, “PgcEdit offers an easy to understand view of the DVD’s programming. It allows you to edit, via easy to use GUIs, all the DVD’s commands with their legal values, without any limitations except those imposed by the DVD standard.”
There’s a little problem: I have no idea about the DVD standard… Anyway, I gave it a try.

When you open a disc, PgcEdit extracts all the necessary information and fills two edit boxes. The image below is a snippet taken from one of the two boxes.

PgcEdit, left panel

I don’t know what you think, but these are only meaningless items to me. When you click on an item the other box is filled with other information, which is much more understandable. Here is some of it:

PgcEdit, right panel

I’m not able to fully understand the instructions above, but I can get the general meaning of each line. It’s like a dead listing produced by a disassembler, a series of commands.

Reading through the help I found something interesting: PgcEdit has a built-in debugger which lets you see what happens when a DVD is played. I don’t know the meaning of the information retrieved by PgcEdit, but I do know how to use a debugger, and this one seems to be really simple. I’ll try to find an easter egg using PgcEdit’s debugger. I have only spent a little time with this debugger and I don’t know anything about the DVD standard; anyway, I’ll try to explain my adventure using the right words.

The DVD I’m going to inspect is Big Fish, a Tim Burton movie. An easter egg could be anywhere on the DVD; I’ll try to find something inside the main menu, which is shown in the next image:

Main menu

It’s an animated menu and you can navigate through the 6 options, from “Play movie” to “Trailers”; it seems you can’t move the cursor outside these items.

To start a debugging session you have to select “Trace mode” from one of PgcEdit’s menus (using Ctrl-T is much easier). The debugger is really simple but it has almost everything. It’s possible to set a breakpoint on a GPRM (Global Parameter Register), on an SPRM (System Parameter Register), on pre/post PGC (Program Chain) commands, on all menus and on all titles. It’s possible to watch all the registers and log almost everything. It’s the only DVD debugger I have tried so far, but it seems to be quite complete.

When you are in Trace mode the debugger is stopped at the first instruction:
1 (JumpSS) Jump to VMGM PGC 1
which is inside the “VMG, First Play PGC” item. VMGM stands for Video Manager Menu.
The DVD video structure is divided into several levels; I’m at the first one, which is used to play an introductory video or some preliminary information. After that the main menu appears. In this case there is nothing before the main menu, and the instruction (it’s clearly a jump to “VMGM PGC 1”) will bring me to the DVD’s main menu.

PgcEdit, first unit

LU should be Language Unit, and I think the number inside brackets represents the item’s length, 14 seconds.

How to proceed? I tried stepping through some commands but it’s not so interesting, so it’s better to use some clever breakpoints. Right-click on an item in the left box and a popup menu will appear; from it you can set a breakpoint on the selected item. When the program flow reaches the item the debugger should break. There are many items inside the box, divided into 3 groups:
- VMGM
- VTSM
- VTST
How to identify the right item? The main menu’s length is 52 seconds, so I scanned the items trying to locate the one with a length equal to 52. There are several items with the same length (52 seconds); I wasn’t totally sure about the meaning of the 0:52 value, so I decided to take another way. Looking through the debugger’s menu I found an interesting option: “Break at all menus”. When you set this option the debugger will break every time it encounters a menu. I got 3 breaks and then a new box appeared (it doesn’t mean that there are 3 menus to be shown). The box contains the information about the main menu. The breaks occurred on these items:

- VMGM LU 1 (en), 1 (0:14)
- VTSM 4, LU 1 (en), 1 (dummy) RootM
- VTSM 4, LU 1 (en), 6 (0:52) 16b.

VTSM stands for Video Title Set Menu and it contains all the information about a specific menu. This one seems to be the menu I was looking for, and now I’m pretty sure that 52 is the length (in seconds) of the animated menu. When the time reaches 52 the animated menu starts again, like an infinite loop. So, I’m interested in the last entry; if you click on this item you’ll see the commands in the dead listing box. There are some pre and post commands; pre commands are executed before playback (post commands are executed after…):

PgcEdit instructions

“gprm(i)” refers to a register; there are 16 Global Parameter Registers and each can hold a value in the 0 to 65535 range. From what I have seen they are often filled with SPRM values; there are 24 System Parameter Registers and they contain the current player settings. That’s why GPRM registers get information from SPRM registers: the DVD’s internal program needs to know what it is running on.
The words inside brackets (mov, and, or) define the operation, e.g. instruction number 2 is used to store 0 into register 8, pretty simple. Ok, back to the box now:
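Added example, not PgcEdit’s code: a small Python model of the register file these instructions operate on, built only from what is stated above (16 writable GPRMs, 24 read-only SPRMs holding the player settings, 16-bit values, and the mov/and/or operations). The instruction tuples and the SPRM index and value it uses are constructed for the demo, not read from the Big Fish disc; the trace it returns is the kind of thing PgcEdit’s debugger lets you watch while stepping.

```python
# Added example (not PgcEdit's code): a model of the DVD register file as
# described above. Everything below the class is constructed demo input.
GPRM_COUNT, SPRM_COUNT, REG_MASK = 16, 24, 0xFFFF


class DvdRegisters:
    """16 writable GPRMs plus 24 read-only SPRMs, all 16-bit."""

    def __init__(self, sprm_values=None):
        self.gprm = [0] * GPRM_COUNT
        self.sprm = [0] * SPRM_COUNT
        for index, value in (sprm_values or {}).items():
            self.sprm[self._check(index, SPRM_COUNT)] = value & REG_MASK

    @staticmethod
    def _check(index, count):
        if not 0 <= index < count:
            raise IndexError("register %d out of range 0..%d" % (index, count - 1))
        return index

    def read(self, operand):
        """Operand is ('imm', value), ('gprm', i) or ('sprm', i)."""
        kind, value = operand
        if kind == "imm":
            return value & REG_MASK
        if kind == "gprm":
            return self.gprm[self._check(value, GPRM_COUNT)]
        if kind == "sprm":
            return self.sprm[self._check(value, SPRM_COUNT)]
        raise ValueError("unknown operand kind %r" % kind)

    def run(self, program):
        """Execute (op, destination gprm, source operand) triples; only GPRMs
        can be written. Returns one trace line per instruction."""
        trace = []
        for number, (op, dst, src) in enumerate(program, 1):
            self._check(dst, GPRM_COUNT)
            value, current = self.read(src), self.gprm[dst]
            if op == "mov":
                result = value
            elif op == "and":
                result = current & value
            elif op == "or":
                result = current | value
            else:
                raise ValueError("unsupported operation %r" % op)
            self.gprm[dst] = result & REG_MASK   # registers are 16-bit
            trace.append("%d: gprm(%d) = (%s) %s -> %d"
                         % (number, dst, op, src, self.gprm[dst]))
        return trace


# Constructed program; sprm(20) and its value are arbitrary demo choices.
PROGRAM = [
    ("mov", 8, ("imm", 0)),          # like instruction 2 above: gprm(8) = 0
    ("mov", 1, ("sprm", 20)),        # copy a player setting into gprm(1)
    ("and", 1, ("imm", 0x0F)),       # keep only its low nibble
    ("or", 8, ("gprm", 1)),          # merge it into gprm(8)
    ("mov", 2, ("imm", 0x1FFFF)),    # too wide: truncated to 16 bits
]


def demo():
    regs = DvdRegisters({20: 0x02})
    trace = regs.run(PROGRAM)
    return regs.gprm, trace


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```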

Pgcedit menu buttons

This is the box that is shown: it’s the main menu (I edited the image, adding the text). As you can see it shows the *gui*, without pictures of course. It’s pretty easy to identify the buttons at the bottom of the image, they represent the 6 options. There are two more buttons (7 and 8) at the top of the picture, btw. You can navigate through the buttons using the keyboard or mouse; the highlighted button is the currently selected one. When you switch from one button to another PgcEdit’s debugger is able to show what kind of commands will be executed, you can see the next instruction that will be performed. After some tries I understood how to reach button number 8: just press the up arrow from button 5. When you switch to button number 8 nothing is shown; some commands are executed but I had the impression that it’s only a check routine used to see which kind of button has been pressed. Button 7 is another story, because when you press it the current post commands are executed. Anyway, even without looking at the post commands it’s obvious that there’s something behind button number 7, which is our easter egg for sure!
Why did they (the DVD’s authors) use button number 8? As far as I know there aren’t DVD players with mouse control; if you want to move through the menu you can only use your remote control. With a remote control you have four direction buttons and you can move the pointer from one entry to another using them. Button number 8 is a bridge from button number 5 to 7. I think it’s used because they wanted to hide the easter egg a little bit more.

It’s time to see the hidden feature: load the film with your preferred player, move the pointer over the hat and a red star magically appears. Click and enjoy the clip (nothing special, btw).

My DVD adventure ends here; it was a nice, unusual debugging session. Is there another way to discover an easter egg? I don’t know and I don’t care; I think I’ll check for easter eggs by browsing the net in the future… haha!

How many times have you created a structure starting from WinDbg’s dt command output? It sometimes happens, especially if you use IDA or if you need to code something. It’s something that makes me unhappy. It’s a boring job for sure, particularly when you have to deal with big structures (e.g. ETHREAD). There are some ready-made definitions online, but there’s no standard definition for a single structure; most of the time it depends on the OS you are running.

All I want to do is convert dt’s output into a struct definition. The output to convert is something like this (obtained from WinDbg with the “dt _list_entry” command):

ntdll!_LIST_ENTRY
+0x000 Flink : Ptr32 _LIST_ENTRY
+0x004 Blink : Ptr32 _LIST_ENTRY

And this is what I want to generate:

typedef struct _LIST_ENTRY
{
    struct _LIST_ENTRY* Flink; // 0x000
    struct _LIST_ENTRY* Blink; // 0x004
} LIST_ENTRY, *PLIST_ENTRY;

I’m not a WinDbg guru and I don’t know if there is a quicker way, so the idea is to write something able to perform (almost all of) the conversion.
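As an added example (not the tool from the post), here is how the same conversion can be done with a short Python script. The _LIST_ENTRY input is the one shown above; the _UNICODE_STRING sample is constructed in dt’s output format, and _DEMO_BITS is a made-up structure that exists only to show how arrays and bitfields come out. Type names the script doesn’t recognise are passed through unchanged, which is the same reason the tool’s output box is editable.

```python
import re

# Added example, not the converter from the post. LIST_ENTRY_DT is the page's
# own sample; the other two inputs are constructed (_DEMO_BITS is made up).
LIST_ENTRY_DT = """\
ntdll!_LIST_ENTRY
   +0x000 Flink            : Ptr32 _LIST_ENTRY
   +0x004 Blink            : Ptr32 _LIST_ENTRY
"""

UNICODE_STRING_DT = """\
nt!_UNICODE_STRING
   +0x000 Length           : Uint2B
   +0x002 MaximumLength    : Uint2B
   +0x004 Buffer           : Ptr32 Wchar
"""

DEMO_BITS_DT = """\
_DEMO_BITS
   +0x000 Flags            : Uint4B
   +0x000 Initialized      : Pos 0, 1 Bit
   +0x000 Kind             : Pos 1, 3 Bits
   +0x004 Name             : [8] UChar
"""

# dt scalar names -> C types (32-bit Windows conventions)
SCALARS = {
    "Void": "void", "Char": "char", "UChar": "unsigned char",
    "Wchar": "wchar_t", "Int2B": "short", "Uint2B": "unsigned short",
    "Int4B": "long", "Uint4B": "unsigned long",
    "Int8B": "long long", "Uint8B": "unsigned long long",
}

HEADER_RE = re.compile(r"^\s*(?:\w+!)?(_\w+)\s*$")
FIELD_RE = re.compile(r"^\s*\+0x([0-9a-fA-F]+)\s+(\w+)\s*:\s*(.+?)\s*$")
ARRAY_RE = re.compile(r"^\[(\d+)\]\s+(.+)$")
BITFIELD_RE = re.compile(r"^Pos (\d+), (\d+) Bits?$")


def c_type(dt_type):
    """Translate a dt type expression. Names starting with '_' are assumed to
    be other structures; anything else unknown is passed through unchanged
    so the user can fix it by hand."""
    ptr = re.match(r"^Ptr(?:32|64)\s+(.+)$", dt_type)
    if ptr:
        return c_type(ptr.group(1)) + "*"
    if dt_type in SCALARS:
        return SCALARS[dt_type]
    if dt_type.startswith("_"):
        return "struct " + dt_type
    return dt_type


def convert(dt_output):
    """Turn one dt listing (header line plus '+0x... name : type' lines)
    into a typedef'd struct with the offset of each member as a comment."""
    lines = [line for line in dt_output.splitlines() if line.strip()]
    header = HEADER_RE.match(lines[0]) if lines else None
    if not header:
        raise ValueError("first line must name the structure, e.g. ntdll!_LIST_ENTRY")
    tag = header.group(1)
    out = ["typedef struct %s" % tag, "{"]
    for line in lines[1:]:
        field = FIELD_RE.match(line)
        if not field:
            raise ValueError("unrecognised dt line: %r" % line)
        offset = "0x%03x" % int(field.group(1), 16)
        name, dt_type = field.group(2), field.group(3)
        bits, array = BITFIELD_RE.match(dt_type), ARRAY_RE.match(dt_type)
        if bits:
            # dt gives position and width but not the base type; assume the
            # 32-bit one and leave the reader to adjust it
            decl = "unsigned long %s : %s; // %s, bit %s" % (
                name, bits.group(2), offset, bits.group(1))
        elif array:
            decl = "%s %s[%s]; // %s" % (
                c_type(array.group(2)), name, array.group(1), offset)
        else:
            decl = "%s %s; // %s" % (c_type(dt_type), name, offset)
        out.append("    " + decl)
    out.append("} %s, *P%s;" % (tag[1:], tag[1:]))
    return "\n".join(out)


if __name__ == "__main__":
    for sample in (LIST_ENTRY_DT, UNICODE_STRING_DT, DEMO_BITS_DT):
        print(convert(sample), end="\n\n")
```

Overlapping offsets (the bitfields at 0x000 next to Flags) are emitted as-is; as with the tool, the output is a starting point to be checked against the offsets dt printed rather than a guaranteed layout.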

The gui is pretty simple:

Gui

Two edit boxes and two buttons, nothing more. The conversion process starts by pressing the “Convert” button; the program converts the data stored in the clipboard. The left box will be filled with the clipboard’s contents while the other box will contain the converted structure. What should you store in the clipboard? Look at the picture below:

Clipboard

The selected text is what you have to store in the clipboard; everything starts from the ‘_’ character. Once you have copied the text you can convert the structure. Here’s the result:

Conversion

The output box is editable; it’s necessary because most of the time it’s hard to predict the right type to display. I don’t know if it’s possible to perform a perfect conversion; the aim of this tool is to speed up the conversion process. With some minor changes you should be able to obtain a perfect conversion.

This tool is not totally complete, I have some more things to add. As usual I didn’t test it too much because I prefer to fix it when a bug occurs. Anyway, it seems to work fine and you can contact me with comments/criticism/suggestions/etc.

You can download the converter here: https://www.box.com/shared/jai5ju0848

ps. HAPPY NEW YEAR!!!
