On Sat, 04 Sep 2004 17:23:47 +0200, Uwe Bonnes wrote:
> Call kernel32.GetModuleHandleA(0040a572 "Kernel32.dll")
> Ret kernel32.GetModuleHandleA() retval=40450000
> Call kernel32.GetProcAddress(40450000,0040a57f "LoadLibraryA")
> Ret kernel32.GetProcAddress() retval=40517bd0 ret=0040a60b
>
> and immediately hits an exception, which is handled:
>
> trace:seh:EXC_RtlRaiseException code=c0000005 flags=0 addr=0x4123a1

0x0040a60b and 0x004123a1 are some way apart so I wouldn't say it's immediate.

> Similar failures on the net also come up with an additional message:
> "Kernel32 call does not point into Kernel32.dll"

I suspect it's checking for a redirection of LoadLibrary to shim code by checking if the returned address of the call is within the boundaries described by the PE headers of kernel32.dll.

Random guess: winebuild outputs 0 and 0 for SizeOfCode and BaseOfCode, maybe it's taking the address from GetProcAddress, casting the return of GetModuleHandleA to an IMAGE_NT_HEADERS structure then saying

    if (( address_of_loadlibrary < headers->BaseOfCode + headers->SizeOfCode ) ||
        address_of_loadlibrary > headers->BaseOfCode + headers->SizeOfCode ) {
        MessageBox("Incompatible SystemAnalyzer detected");
    }

Not sure how you could verify this except by disassembling the app though.

thanks -mike
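
The kind of range check guessed at above, written out as an added example; it is not part of the original message and not the application's code. It walks the DOS and NT headers of a mapped image by offset and tests whether an address falls inside the BaseOfCode/SizeOfCode range, which shows why zeroed fields make any GetProcAddress result look out of range. The function names, the header-only sample image and the 0x1000/0x100000 code range are constructed; the load address and LoadLibraryA address are the ones in the trace.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t rd32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

/* 1: addr is inside the code range the headers advertise; 0: outside;
 * -1: headers malformed. img is the mapped image (what GetModuleHandleA
 * points at) and base is its load address. */
int addr_in_code_range(const uint8_t *img, size_t len, uint32_t base, uint32_t addr) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t nt = rd32(img + 0x3c);            /* IMAGE_DOS_HEADER.e_lfanew */
    if (nt > len || len - nt < 48) return -1;  /* signature + file header + 24 bytes */
    if (memcmp(img + nt, "PE\0\0", 4) != 0) return -1;
    const uint8_t *opt = img + nt + 24;        /* start of IMAGE_OPTIONAL_HEADER */
    uint32_t magic = opt[0] | (uint32_t)opt[1] << 8;
    if (magic != 0x10b && magic != 0x20b) return -1;
    uint32_t size_of_code = rd32(opt + 4), base_of_code = rd32(opt + 20);
    if (addr < base) return 0;
    uint32_t rva = addr - base;                /* header fields are RVAs */
    return rva >= base_of_code && rva - base_of_code < size_of_code;
}

/* Constructed sample: header-only PE32 image carrying the given code range. */
void make_image(uint8_t *img, size_t len, uint32_t base_of_code, uint32_t size_of_code) {
    memset(img, 0, len);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + 0x3c, 0x80);
    memcpy(img + 0x80, "PE\0\0", 4);
    img[0x80 + 24] = 0x0b; img[0x80 + 25] = 0x01;   /* PE32 magic 0x10b */
    wr32(img + 0x80 + 24 + 4, size_of_code);
    wr32(img + 0x80 + 24 + 20, base_of_code);
}

int main(void) {
    uint8_t img[0x100];
    uint32_t base = 0x40450000, load_library = 0x40517bd0;  /* from the trace */
    make_image(img, sizeof img, 0x1000, 0x100000);           /* constructed range */
    printf("populated headers: %d\n", addr_in_code_range(img, sizeof img, base, load_library));
    make_image(img, sizeof img, 0, 0);                        /* zeroed fields */
    printf("zeroed headers:    %d\n", addr_in_code_range(img, sizeof img, base, load_library));
    return 0;
}
```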