Browse for folder Xp Crash

ragdog · November 22, 2008, 05:17:27 PM

Hi

I have a routine Browse for folder under xp-sp2 works fine
Why crash this under xp-without sp2?


_GetOpenDirectoryName proc uses esi, hWnd:DWORD
LOCAL binfo:BROWSEINFO
LOCAL lpIDList :DWORD

	mov eax, hWnd
    mov binfo.hwndOwner, eax
    mov binfo.pidlRoot, 0
    mov binfo.pszDisplayName, 0

    mov binfo.lpszTitle,offset szBrowseTitle
    mov binfo.iImage, 0
	mov binfo.ulFlags, BIF_RETURNONLYFSDIRS or BIF_DONTGOBELOWDOMAIN or BIF_RETURNONLYFSDIRS
    invoke SHBrowseForFolder, addr binfo
	 mov lpIDList, eax

    .if eax != 0
        invoke  SHGetPathFromIDList, lpIDList , addr bbf  
        invoke  lstrlen,addr  bbf     
           mov  esi,offset bbf    
           add  esi,eax                     
           cmp  byte ptr [esi-1], '\'       
            je  @F
           mov  byte ptr [esi], '\' 
           mov  byte ptr [esi+1], 0 
        @@: 
           mov  eax,offset bbf
    .endif
	   ret
_GetOpenDirectoryName endp

This Crash by xp without sp here in the Shell32.dll

Code Select


774B0D5C SHEnableServiceObject    XOR EAX,EAX
774B0D5E                          CMP DWORD PTR SS:[ESP+8],EAX
774B0D62                          SETNE AL
774B0D65                          INC EAX
774B0D66                          INC EAX
774B0D67                          PUSH EAX
774B0D68                          PUSH DWORD PTR SS:[ESP+8]
774B0D6C                          CALL 774B0CF5
774B0D71                          RETN 8
774B0D74                          MOV EAX,DWORD PTR SS:[ESP+4]
774B0D78                          MOV ECX,DWORD PTR DS:[EAX+18]
774B0D7B                          TEST ECX,ECX <-------- = 0F
774B0D7D                          JE SHORT 774B0D91 <-------- ----------------------------
774B0D7F                          PUSH DWORD PTR DS:[EAX+1C]
774B0D82                          PUSH DWORD PTR SS:[ESP+10]
774B0D86                          PUSH DWORD PTR SS:[ESP+10]
774B0D8A                          PUSH DWORD PTR DS:[EAX+20]
774B0D8D                          CALL ECX
774B0D8F                          JMP SHORT 774B0D93
774B0D91                          XOR EAX,EAX
774B0D93                          RETN 0C

TEST ECX,ECX // ECX = 0000000F

Greets,

askm · November 22, 2008, 09:55:57 PM

OllyDbg ?

How is the register ecx being used while in your proc ?
...while in XP with SP2 ?
...while in XP with SP3 ?
...while Win 2000 SP4 ?

Should it hold a dword size value at all times when
being referenced ?

Should it be pushed or popped ?

Can you post a real usage snippet ?

donkey · November 23, 2008, 12:56:20 AM

Be sure to zero BROWSEINFO.lpfn which I suspect is your problem, when you use a LOCAL structure there is bound to be random data in the structure.

Donkey

askm · November 23, 2008, 04:14:37 AM

Some say zero or NULL the entire BROWSEINFO structure ...

donkey · November 23, 2008, 04:31:19 AM

Quote from: askm on November 23, 2008, 04:14:37 AM

Some say zero or NULL the entire BROWSEINFO structure ...

He explicitly sets the rest of the members though it wouldn't hurt to zero everything it is not necessary in this case.

ragdog · November 23, 2008, 07:29:36 AM

Thanks for your Reply

Mean you this?
mov bi.lpfn, offset cbBrowse

And must i set this?
invoke CoTaskMemFree,lpIDList

Regards,

donkey · November 23, 2008, 04:25:17 PM

Quote from: ragdog on November 23, 2008, 07:29:36 AM
Thanks for your Reply

Mean you this?
mov bi.lpfn, offset cbBrowse

No, I mean mov bi.lpfn, 0

QuoteAnd must i set this?
invoke CoTaskMemFree,lpIDList,

Yes, you must free the memory allocated to the ID list

ragdog · November 23, 2008, 09:35:36 PM

Thanks for this info

Gives a way to add a Combobox to this browser dialog with the Browser Callback?
with CreateWindow....

Greets

News:

Browse for folder Xp Crash