what does this error mean?: "The application failed to initialize properly (0xc000000

[FredLiu]

Hello guys,
I have develope a small packer program, which packs&unpacks PE files by examing/altering import tables of the PE files.
Now I have a problem:after i do the packing to the PE file, the packed PE file will be corrupted and if i clicked on it, an error message will be shown: "The application failed to initialize properly (0xc0000005)."
What does this error message mean? Generally, what can be the cause of this error?

thanks in advance

[Mick]

[QUOTE]Originally posted by FredLiu
Hello guys,
I have develope a small packer program, which packs&unpacks PE files by examing/altering import tables of the PE files.
Now I have a problem:after i do the packing to the PE file, the packed PE file will be corrupted and if i clicked on it, an error message will be shown:

"The application failed to initialize properly (0xc0000005)."
What does this error message mean?

0xC00000005 is an Access Violation...your attempting a memory operation for which you are not allowed.

Generally, what can be the cause of this error?

There are a number of different reasons. Run your code under a debugger and examine the call stack.

[wayside]

"The application failed to initialize properly (0xc0000005)."

This means the program is crashing with an access violation sometime during the run-up of the exe, before the exe's code actually runs.

You have been messing around with the import tables of this image, it is likely that you messed something up; it is quite tricky to properly handle all the different variations that can go on in the import tables and the image headers, and get everything put back the way it belongs, and still have the program run correctly.

It's also possible that the entry code you injected to unpack the exe and restore the imports has a problem and is causing a crash, although I would not expect the "application failed to initialize properly" if it is getting far enough to run your code.

This stuff is really painful to debug, because none of your code actually ever runs. All I can recommend is, become very familiar with the portable exe spec, and get a good image dumping tool and binary editing tool.

If you are attempting to do exe compression, there are numerous freeware, shareware, and commercial programs that do this, you might want to check some of them out. If you are trying to do some sort of licensing/copy protection scheme, I wish you luck - I've done this, and it's a pain in the a**.

[Mick]

Originally posted by wayside

It's also possible that the entry code you injected to unpack the exe and restore the imports has a problem and is causing a crash, although I would not expect the "application failed to initialize properly" if it is getting far enough to run your code.

probably should write a small bit of code to walk through PE format ie: ImageNtHeader(...) or just grab the source to dumpbin or one of hte PE format dump programs (as you indicated) that have source avail and walk through the load, such as the pwalk sample.

The reason he should use a debugger first IMHO is to determine where in the Ldr routines this is occruing...if it is a trashed executable than that should be evident, of course the same thing could be said if a dumpbin program determines the file format is invalid

[FredLiu]

thank both Mick and wayside !

actually i have solved the problem, however not by using a debugger. I'm using a user mode debugger, and it just won't help, since, just as wayside said, the problem occured before the debugger get to my program's entry point. what I've done is just open the packed exe file with a Hex editor, and check the import table directly to see if i had messed something up, and there I found the problem (and it was really not so straight forward to figure the problem out of raw hex data,hehe~~)
Mick's suggestion of using some code going through the PE structure to find the problem is a good one, next time if i have similar problem i'll try this way first

and to wayside:
"If you are trying to do some sort of licensing/copy protection scheme, I wish you luck - I've done this, and it's a pain in the a**."
ha, i'm just doing it, and i understand what you mean~ thank you for your wish

[Mick]

Originally posted by FredLiu
Mick's suggestion of using some code going through the PE structure to find the problem is a good one, next time if i have similar problem i'll try this way first

It was also waysides suggestion I just expanded on it But you should probabaly do this, that is have something that validates that you have written out the packed file correctly, or validates the file when it is unpacked, should acutally put this in as a run-time check IMHO.

As far as the debugger, that's a knee jerk reflex for me As you could have been in a DllMain(...) and been executing code that generated an access violation which would have given you the same system error message box.

/Just trying to cover the bases

sides you can break in a debugger well before things are loaded...eg: KiUserApcDispatcher

[FredLiu]

thank you !

[wayside]

There's a PE viewer posted on this very site:

http://www.codeguru.com/Cpp/misc/misc/article.php/c315/

"ha, i'm just doing it, and i understand what you mean~ thank you for your wish"

BTW - munging on the import table is a pretty good trick, but there are hacker tools which can examine a program that is running in memory (after you've restored the exe), and analyze and reconstruct the exe on disk. Even if you wipe out the import data, these tools can look at the jump table, figure out what the function is just from the address, and add an import reference.

There have been several commercial programs which used techniques such as these, all were ultimately hacked.

So you are going to have to be much more clever if you want serious protection...

[FredLiu]

thank you for your advise and the tool suggested,
I know that "ultimate protection" is really not so easy (or even possible?) I'll try to be as clever as I can, although there will always be someone more cleverer out there~~~