Jump to content


Photo

Apilogger V2


  • Please log in to reply
30 replies to this topic

#1 PedrosPad

PedrosPad

    X-S Freak

  • Moderator
  • PipPipPipPipPip
  • 1,859 posts
  • Location:UK
  • Xbox Version:v1.1
  • 360 version:v1 (xenon)

Posted 04 November 2005 - 11:42 AM

Pedro's APILogger V2

Ancestry / History:
APILoggerPoC

Description:
Applications executing on the XBOX make frequent calls into the XBOX kernel in order to accomplish things. The group of functions that the kernel exports for use by applications is known as the Kernel API (Applications Programming Interface). An insight into the operation of the application can be gained by observing the calls it makes to the kernel.

Process:
When executed, the APILogger utility installs itself into the kernel, and then spawns a child application. Any calls made by the spawned application to the kernel are then captured and the details logged to a file on the HDD for later examination.

Design:
The design approach was to ensure that the XBOX-based component of the APILogger was as compact and lightweight as possible. This mandated a companion PC-based application, APIReporter, which contains the intelligence and does the processing.

Installation:
Copy the XBEs from the distribution into E:\APILog.
When executed, APILoggerHDD.xbe, will install the APILogger into memory, and then spawn the subject XBE located at E:\APILog\default.xbe. Any support files required by the subject default.xbe should also be copied into E:\APILog.
When executed, APILoggerDVD.xbe, will install the APILogger into memory, and then spawn the subject XBE located at D:\default.xbe.

Operation:
With either APILogger XBE, the captured log data is written to E:\APILog\APILog.d8a. For efficiency, this is an optimised binary log file format. Following a run, FTP this file to the PC. The separate PC-based utility, APIReporter, knows how to interpret the file format, and is used to produce the human readable text reports.

Usage:
APIReporter <filename> [offset (in Hex)] [/STRINGS][>APIReport.txt]

e.g.
APIReporter APILog.d8a >VerboseReport.txt
APIReporter APILog.d8a 0 /STRINGS >StringsReport.txt


Configuration:
A specific fragment of code is required to record the details of each different kernel call. There is not enough spare space in the kernel for all the specific fragments at one time. Therefore, compile-time directives are used to configure which kernel calls should be monitored. This is configured using the APILogger.inc source file. The source file contains two primary sections. Every kernel function is listed in both sections and is initially commented out. Uncomment both occurrences of the kernel function name (one in the top section, and one in the bottom section) in order to activate logging for that call. It is not recommended that more than 8-10 kernel calls be activated at the same time. Multiple runs can be made if more are required.

After making changes to this file, the source code must be assembled into a new XBE and transferred to the XBOX for execution.

Known issues:
  • Not intended to work with other kernel patchers (PBL, NKPatcher, etc) - Use with a mod-chip, or softmod that only alters the M$ key.
  • Doesn't work for all XBEs - some games appear to clobber it in memory. See update below.
  • APIReporter doesn't show its usage message when executed with no arguments.
Closing:
Note that this is a tool intended for advanced users. It's not pretty, but it does provide some useful functionality if you need it. Use it if you want, ignore it if you wish.

Download here (or from xbins @ /XBOX/apps/utilities/APILogger/APILoggerV2.rar). biggrin.gif

Note: This release is abandonware - I'm not looking to provide much/any support. (Heck it's nearly a year since I last touched it. ohmy.gif I can't remember much about how it works anymore unsure.gif )

Update:
APILoggerV2 now works with XBEs compiled with recent XDKs by performing the following procedure on the subject XBE:
  • Open the subject XBE using a file hex editor.
  • Search for 0x87480887500C (should only be one occurrence).
  • Replace with 0x909090909090.
  • Re-sign with xbedump to correct segment checksums.
  • Spawn the patched XBE from APILoggerV2 smile.gif

Edited by PedrosPad, 10 November 2005 - 06:18 PM.


#2 PedrosPad

PedrosPad

    X-S Freak

  • Moderator
  • PipPipPipPipPip
  • 1,859 posts
  • Location:UK
  • Xbox Version:v1.1
  • 360 version:v1 (xenon)

Posted 04 November 2005 - 11:54 AM

Where as the original APILogger only logged calls to IoCreateFile(), and then only captured the filename and not the other arguments, this new version can capture any/all calls an XBOX application makes to kernel functions, along with all the arguments and details. biggrin.gif

To wet your appetite, attached are both a detailed report and summary (contains only calls that take strings arguments) report captured for the XBOX!Live Arcade CD-Rom XBE.

The sample detailed report is very likely OTT on detail, but what is logged, and what's reported is fully configurable in the release. biggrin.gif
  • The first column is simply the record number.
  • The second column is the ID of the thread making the call. (Useful to undo the interweaving caused by multiple threads (Simply import into Excel, and sort on column cool.gif)
  • The third column is the memory address the kernel call will return to when done - useful when you've the XBE disassembled in the next window! wink.gif
Summary report:
QUOTE
0x00000000 0xD00082D8 0x00025A73 NtOpenFile({"\Device\Harddisk0\partition1\"});
0x00000002 0xD00082D8 0x00025BE1 NtCreateFile({"\Device\Harddisk0\partition1\TDATA"});
0x00000003 0xD00082D8 0x00025C9E NtCreateFile({"\Device\Harddisk0\partition1\TDATA\4d5300c8"});
0x00000004 0xD00082D8 0x00025BE1 NtCreateFile({"\Device\Harddisk0\partition1\UDATA"});
0x00000005 0xD00082D8 0x00025C9E NtCreateFile({"\Device\Harddisk0\partition1\UDATA\4d5300c8"});
0x00000006 0xD00082D8 0x00025D87 NtCreateFile({"\Device\Harddisk0\partition1\UDATA\4d5300c8\TitleMeta.xbx"});
0x00000008 0xD00082D8 0x00025B1E NtCreateFile({"\Device\Harddisk0\partition1\UDATA\4d5300c8\TitleImage.xbx"});
0x0000000A 0xD00082D8 0x00024745 NtOpenFile({"\Device\Harddisk0\partition0"});
0x0000000D 0xD00082D8 0x0002613D NtOpenFile({"\Device\Harddisk0\Partition5"});
0x0000002E 0xD00082D8 0x00025A73 NtOpenFile({"\Device\Harddisk0\Partition5\"});
0x00000030 0xD00082D8 0x000268FD NtOpenSymbolicLinkObject({"\??\D:"});
0x00000031 0xD00082D8 0x0004D157 NtOpenSymbolicLinkObject({"\??\D:"});
0x00000032 0xD00082D8 0x00024BCD NtCreateFile({"Z:\categoryvideos"});
0x00000033 0xD00082D8 0x00024BCD NtCreateFile({"Z:\offeringvideos"});
<snip />
0x000010BB 0xD012FEB8 0x00023120 NtOpenFile({"Z:\categoryvideos\7.xmv"});
0x000010BC 0xD012FEB8 0x00022C04 NtCreateFile({"Z:\categoryvideos\7.xmv"});
0x000010BE 0xD012FEB8 0x00023E3D NtOpenFile({"T:\$C\"});
0x000010BF 0xD012FEB8 0x00023E67 NtQueryDirectoryFile({"*"});
0x000010C0 0xD012FEB8 0x00022C04 NtCreateFile({"T:\$C\4D5300C800000001\ContentMeta.xbx"});
0x000010C5 0xD012FEB8 0x00022C04 NtCreateFile({"T:\$C\4D5300C800000001\cache.xcd"});
0x000010C6 0xD012FEB8 0x00022C04 NtCreateFile({"T:\$C\4D5300C800000001\gameinfo_EN.bin"});
0x000010C7 0xD012FEB8 0x00022C04 NtCreateFile({"T:\$C\4D5300C800000001\gameinfo.bin"});
0x000010CA 0xD012FEB8 0x00022C04 NtCreateFile({"T:\$C\4D5300C800000001\ContentMeta.xbx"});
0x000010CE 0xD012FEB8 0x00023E3D NtOpenFile({"T:\$C\4D5300C800000001\"});
0x000010CF 0xD012FEB8 0x00023E67 NtQueryDirectoryFile({""});
0x000010D0 0xD012FEB8 0x00022C04 NtCreateFile({"T:\$C\4D5300C800000001\contentimage.xbx"});
0x000010D6 0xD012FEB8 0x00022C04 NtCreateFile({"T:\$C\4D5300C800000001\gameinfo.bin"});
0x000010DA 0xD012FEB8 0x00022C04 NtCreateFile({"T:\$C\4D5300C800000001\gameinfo.list"});
0x000010DE 0xD012FEB8 0x00022C04 NtCreateFile({"T:\$C\4D5300C800000001\gameinfo_FR.bin"});
0x000010E2 0xD012FEB8 0x00023043 NtQueryFullAttributesFile({"T:\$C\4D5300C800000001\default.xbe"});
0x000010E3 0xD012FEB8 0x00023043 NtQueryFullAttributesFile({"T:\$C\4D5300C800000001\contentimage.xbx"});
0x000010E4 0xD012FEB8 0x00023043 NtQueryFullAttributesFile({"T:\$C\4D5300C800000001\gameinfo.bin"});
<snip/>


(Very) Detailed report:
QUOTE
0x00000000 0xD00082D8 0x00025A73 NtOpenFile(pFileHandle=0xD0031CB8,DesiredAccess=0x00100001(SYNCHRONIZE|FILE_SHARE_READ),pObjectAttributes=0xD0031C9C{RootDirectory=0x00000000,ObjectName=0x00181534{Length=0x001D,MaximumLength=0x001E,Buffer=0x0015A204{"\Device\Harddisk0\partition1\"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD0031CA8,ShareAccess=0x00000003(FILE_SHARE_READ|FILE_SHARE_WRITE),OpenOptions=0x00800021(FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_FREE_SPACE_QUERY));
0x00000001 0xD00082D8 0x00025A8E NtQueryVolumeInformationFile(FileHandle=0x0000000C,pIoStatusBlock=0xD0031CA8,pFileSystemInformation=0xD0031C84,Length=0x00000018,FileInformationClass=0x00000003(FileBothDirectoryInformation));
0x00000002 0xD00082D8 0x00025BE1 NtCreateFile(pFileHandle=0xD0031C88,DesiredAccess=0x00100001(SYNCHRONIZE|FILE_SHARE_READ),pObjectAttributes=0xD0031C7C{RootDirectory=0x00000000,ObjectName=0x00181544{Length=0x0022,MaximumLength=0x0023,Buffer=0x0015A1D8{"\Device\Harddisk0\partition1\TDATA"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD0031C74,AllocationSize=0x00000000,FileAttributes=0x00000080,ShareAccess=0x00000003(FILE_SHARE_READ|FILE_SHARE_WRITE),CreateDisposition=0x00000003(FILE_OPEN|FILE_CREATE|FILE_OPEN_IF),CreateOptions=0x00004021(FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT));
0x00000003 0xD00082D8 0x00025C9E NtCreateFile(pFileHandle=0xD0031C88,DesiredAccess=0x00120117(READ_CONTROL|SYNCHRONIZE|FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE),pObjectAttributes=0xD0031C7C{RootDirectory=0x00000000,ObjectName=0xD0031C68{Length=0x002B,MaximumLength=0x002C,Buffer=0xD0031B24{"\Device\Harddisk0\partition1\TDATA\4d5300c8"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD0031C74,AllocationSize=0x00000000,FileAttributes=0x00000080,ShareAccess=0x00000003(FILE_SHARE_READ|FILE_SHARE_WRITE),CreateDisposition=0x00000003(FILE_OPEN|FILE_CREATE|FILE_OPEN_IF),CreateOptions=0x00004021(FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT));
0x00000004 0xD00082D8 0x00025BE1 NtCreateFile(pFileHandle=0xD0031C88,DesiredAccess=0x00100001(SYNCHRONIZE|FILE_SHARE_READ),pObjectAttributes=0xD0031C7C{RootDirectory=0x00000000,ObjectName=0x00181554{Length=0x0022,MaximumLength=0x0023,Buffer=0x0015A1AC{"\Device\Harddisk0\partition1\UDATA"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD0031C74,AllocationSize=0x00000000,FileAttributes=0x00000080,ShareAccess=0x00000003(FILE_SHARE_READ|FILE_SHARE_WRITE),CreateDisposition=0x00000003(FILE_OPEN|FILE_CREATE|FILE_OPEN_IF),CreateOptions=0x00004021(FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT));
0x00000005 0xD00082D8 0x00025C9E NtCreateFile(pFileHandle=0xD0031C88,DesiredAccess=0x00120117(READ_CONTROL|SYNCHRONIZE|FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE),pObjectAttributes=0xD0031C7C{RootDirectory=0x00000000,ObjectName=0xD0031C68{Length=0x002B,MaximumLength=0x002C,Buffer=0xD0031B24{"\Device\Harddisk0\partition1\UDATA\4d5300c8"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD0031C74,AllocationSize=0x00000000,FileAttributes=0x00000080,ShareAccess=0x00000003(FILE_SHARE_READ|FILE_SHARE_WRITE),CreateDisposition=0x00000003(FILE_OPEN|FILE_CREATE|FILE_OPEN_IF),CreateOptions=0x00004021(FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT));
0x00000006 0xD00082D8 0x00025D87 NtCreateFile(pFileHandle=0xD0031CA0,DesiredAccess=0x40100000(SYNCHRONIZE|GENERIC_WRITE),pObjectAttributes=0xD0031C7C{RootDirectory=0x00000000,ObjectName=0xD0031C60{Length=0x0039,MaximumLength=0x003A,Buffer=0xD0031B24{"\Device\Harddisk0\partition1\UDATA\4d5300c8\TitleMeta.xbx"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD0031C74,AllocationSize=0x00000000,FileAttributes=0x00000004,ShareAccess=0x00000001(FILE_SHARE_READ),CreateDisposition=0x00000003(FILE_OPEN|FILE_CREATE|FILE_OPEN_IF),CreateOptions=0x00000022(FILE_WRITE_THROUGH|FILE_SYNCHRONOUS_IO_NONALERT));
0x00000007 0xD00082D8 0x00025DA9 NtQueryInformationFile(FileHandle=0x00000010,pIoStatusBlock=0xD0031C74,pFileInformation=0xD0031C28,Length=0x00000038,FileInformationClass=0x00000022(FileNetworkOpenInformation));
0x00000008 0xD00082D8 0x00025B1E NtCreateFile(pFileHandle=0xD00319F0,DesiredAccess=0x40100000(SYNCHRONIZE|GENERIC_WRITE),pObjectAttributes=0xD00319C8{RootDirectory=0x00000000,ObjectName=0xD00319D4{Length=0x003A,MaximumLength=0x003B,Buffer=0xD0031B24{"\Device\Harddisk0\partition1\UDATA\4d5300c8\TitleImage.xbx"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD00319DC,AllocationSize=0x00000000,FileAttributes=0x00000004,ShareAccess=0x00000001(FILE_SHARE_READ),CreateDisposition=0x00000003(FILE_OPEN|FILE_CREATE|FILE_OPEN_IF),CreateOptions=0x00000022(FILE_WRITE_THROUGH|FILE_SYNCHRONOUS_IO_NONALERT));
0x00000009 0xD00082D8 0x00025B3B NtQueryInformationFile(FileHandle=0x00000010,pIoStatusBlock=0xD00319DC,pFileInformation=0xD0031990,Length=0x00000038,FileInformationClass=0x00000022(FileNetworkOpenInformation));
0x0000000A 0xD00082D8 0x00024745 NtOpenFile(pFileHandle=0xD0031B80,DesiredAccess=0xC0100000(SYNCHRONIZE|GENERIC_WRITE|GENERIC_READ),pObjectAttributes=0xD0031B5C{RootDirectory=0x00000000,ObjectName=0x0015A0EC{Length=0x001C,MaximumLength=0x001D,Buffer=0x0015A0F4{"\Device\Harddisk0\partition0"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD0031B68,ShareAccess=0x00000003(FILE_SHARE_READ|FILE_SHARE_WRITE),OpenOptions=0x00000010(FILE_SYNCHRONOUS_IO_ALERT));
0x0000000B 0xD00082D8 0x0002477A NtReadFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0xD003195C,Length=0x00000200,pByteOffset=0xD0031B70);
0x0000000C 0xD00082D8 0x0002493A NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0xD003195C,Length=0x00000200,pByteOffset=0xD0031B70);
0x0000000D 0xD00082D8 0x0002613D NtOpenFile(pFileHandle=0xD0031B88,DesiredAccess=0x00100003(SYNCHRONIZE|FILE_SHARE_READ|FILE_SHARE_WRITE),pObjectAttributes=0xD0031B54{RootDirectory=0x00000000,ObjectName=0xD0031CB4{Length=0x001C,MaximumLength=0x001E,Buffer=0xD0031BA8{"\Device\Harddisk0\Partition5"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD0031B68,ShareAccess=0x00000000(),OpenOptions=0x00000018(FILE_NO_INTERMEDIATE_BUFFERING|FILE_SYNCHRONOUS_IO_ALERT));
0x0000000E 0xD00082D8 0x0002616F NtDeviceIoControlFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B68,pIoControlCode=0x00070000,pInputBuffer=0x00000000,InputBufferLength=0x00000000,pOutputBuffer=0xD0031B3C,OutputBufferLength=0x00000018);
0x0000000F 0xD00082D8 0x000261AB NtDeviceIoControlFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B68,pIoControlCode=0x00074004,pInputBuffer=0x00000000,InputBufferLength=0x00000000,pOutputBuffer=0xD0031B1C,OutputBufferLength=0x00000020);
0x00000010 0xD00082D8 0x000262ED NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,pByteOffset=0xD0031B70);
0x00000011 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,pByteOffset=0xD0031B70);
0x00000012 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,pByteOffset=0xD0031B70);
0x00000013 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,pByteOffset=0xD0031B70);
0x00000014 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,pByteOffset=0xD0031B70);
0x00000015 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,pByteOffset=0xD0031B70);
0x00000016 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,pByteOffset=0xD0031B70);
0x00000017 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,pByteOffset=0xD0031B70);
0x00000018 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,pByteOffset=0xD0031B70);
0x00000019 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,pByteOffset=0xD0031B70);
0x0000001A 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,pByteOffset=0xD0031B70);
0x0000001B 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,pByteOffset=0xD0031B70);
0x0000001C 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,pByteOffset=0xD0031B70);
0x0000001D 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,pByteOffset=0xD0031B70);
0x0000001E 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,pByteOffset=0xD0031B70);
0x0000001F 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,pByteOffset=0xD0031B70);
0x00000020 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,pByteOffset=0xD0031B70);
0x00000021 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,pByteOffset=0xD0031B70);
0x00000022 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,pByteOffset=0xD0031B70);
0x00000023 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,pByteOffset=0xD0031B70);
0x00000024 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,pByteOffset=0xD0031B70);
0x00000025 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,pByteOffset=0xD0031B70);
0x00000026 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,pByteOffset=0xD0031B70);
0x00000027 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,pByteOffset=0xD0031B70);
0x00000028 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,pByteOffset=0xD0031B70);
0x00000029 0xD00082D8 0x000263D0 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,pByteOffset=0xD0031B70);
0x0000002A 0xD00082D8 0x000263D0 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,pByteOffset=0xD0031B70);
0x0000002B 0xD00082D8 0x000263D0 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,pByteOffset=0xD0031B70);
0x0000002C 0xD00082D8 0x000263D0 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,pByteOffset=0xD0031B70);
0x0000002D 0xD00082D8 0x0002640A NtFsControlFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B68,FsControlCode=0x00090020,pInputBuffer=0x00000000,InputBufferLength=0x00000000,pOutputBuffer=0x00000000,OutputBufferLength=0x00000000);
0x0000002E 0xD00082D8 0x00025A73 NtOpenFile(pFileHandle=0xD0031B94,DesiredAccess=0x00100001(SYNCHRONIZE|FILE_SHARE_READ),pObjectAttributes=0xD0031B78{RootDirectory=0x00000000,ObjectName=0xD0031CAC{Length=0x001D,MaximumLength=0x001E,Buffer=0xD0031BA8{"\Device\Harddisk0\Partition5\"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD0031B84,ShareAccess=0x00000003(FILE_SHARE_READ|FILE_SHARE_WRITE),OpenOptions=0x00800021(FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_FREE_SPACE_QUERY));
0x0000002F 0xD00082D8 0x00025A8E NtQueryVolumeInformationFile(FileHandle=0x0000000C,pIoStatusBlock=0xD0031B84,pFileSystemInformation=0xD0031B60,Length=0x00000018,FileInformationClass=0x00000003(FileBothDirectoryInformation));
0x00000030 0xD00082D8 0x000268FD NtOpenSymbolicLinkObject(pFileHandle=0xD0030C60,pObjectAttributes=0xD0030C44{RootDirectory=0x00000000,ObjectName=0x00181524{Length=0x0006,MaximumLength=0x0007,Buffer=0x0015A170{"\??\D:"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)});
0x00000031 0xD00082D8 0x0004D157 NtOpenSymbolicLinkObject(pFileHandle=0xD00310D4,pObjectAttributes=0xD00310AC{RootDirectory=0x00000000,ObjectName=0xD00310C0{Length=0x0006,MaximumLength=0x0007,Buffer=0x0015A170{"\??\D:"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)});
0x00000032 0xD00082D8 0x00024BCD NtCreateFile(pFileHandle=0xD0031C98,DesiredAccess=0x00100001(SYNCHRONIZE|FILE_SHARE_READ),pObjectAttributes=0xD0031C74{RootDirectory=0xFFFFFFFD,ObjectName=0xD0031C88{Length=0x0011,MaximumLength=0x0012,Buffer=0x00159838{"Z:\categoryvideos"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD0031C80,AllocationSize=0x00000000,FileAttributes=0x00000080,ShareAccess=0x00000003(FILE_SHARE_READ|FILE_SHARE_WRITE),CreateDisposition=0x00000002(FILE_CREATE),CreateOptions=0x00004021(FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT));
0x00000033 0xD00082D8 0x00024BCD NtCreateFile(pFileHandle=0xD0031C98,DesiredAccess=0x00100001(SYNCHRONIZE|FILE_SHARE_READ),pObjectAttributes=0xD0031C74{RootDirectory=0xFFFFFFFD,ObjectName=0xD0031C88{Length=0x0011,MaximumLength=0x0012,Buffer=0x00159824{"Z:\offeringvideos"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD0031C80,AllocationSize=0x00000000,FileAttributes=0x00000080,ShareAccess=0x00000003(FILE_SHARE_READ|FILE_SHARE_WRITE),CreateDisposition=0x00000002(FILE_CREATE),CreateOptions=0x00004021(FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT));
<snip />
0x000010BB 0xD012FEB8 0x00023120 NtOpenFile(pFileHandle=0xD01A2AB4,DesiredAccess=0x00010000(DELETE),pObjectAttributes=0xD01A2A98{RootDirectory=0xFFFFFFFD,ObjectName=0xD01A2AAC{Length=0x0017,MaximumLength=0x0018,Buffer=0xD01A2BE4{"Z:\categoryvideos\7.xmv"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD01A2AA4,ShareAccess=0x00000007(FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE),OpenOptions=0x00004040(FILE_NON_DIRECTORY_FILE|FILE_OPEN_FOR_BACKUP_INTENT));
0x000010BC 0xD012FEB8 0x00022C04 NtCreateFile(pFileHandle=0xD01A2A9C,DesiredAccess=0x40100080(SYNCHRONIZE|GENERIC_WRITE|FILE_ATTRIBUTE_NORMAL),pObjectAttributes=0xD01A2A80{RootDirectory=0xFFFFFFFD,ObjectName=0xD01A2A94{Length=0x0017,MaximumLength=0x0018,Buffer=0xD01A2BE4{"Z:\categoryvideos\7.xmv"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD01A2A8C,AllocationSize=0x00000000,FileAttributes=0x00000000,ShareAccess=0x00000000(),CreateDisposition=0x00000005(FILE_OPEN|FILE_OVERWRITE|FILE_OVERWRITE_IF|FILE_MAXIMUM_DISPOSITION),CreateOptions=0x00000060(FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE));
0x000010BD 0xD012FEB8 0x00022748 NtWriteFile(FileHandle=0x00000020,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD01A2AA0,pBuffer=0x02354BE0,Length=0x00079000,pByteOffset=0x00000000);
0x000010BE 0xD012FEB8 0x00023E3D NtOpenFile(pFileHandle=0xD01A27F4,DesiredAccess=0x00100001(SYNCHRONIZE|FILE_SHARE_READ),pObjectAttributes=0xD01A27D0{RootDirectory=0xFFFFFFFD,ObjectName=0xD01A27E4{Length=0x0006,MaximumLength=0x0006,Buffer=0xD01A2808{"T:\$C\"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD01A27C8,ShareAccess=0x00000003(FILE_SHARE_READ|FILE_SHARE_WRITE),OpenOptions=0x00004021(FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT));
0x000010BF 0xD012FEB8 0x00023E67 NtQueryDirectoryFile(FileHandle=0x00000020,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD01A27C8,pFileInformation=0xD01A2680,Length=0x00000148,FileInformationClass=0x00000001(FileDirectoryInformation),pFileMask=0xD01A27DC{Length=0x0001,MaximumLength=0x0001,Buffer=0xD01A280E{"*"}},RestartScan=0x00000000);
0x000010C0 0xD012FEB8 0x00022C04 NtCreateFile(pFileHandle=0xD01A2728,DesiredAccess=0x80100080(SYNCHRONIZE|GENERIC_READ|FILE_ATTRIBUTE_NORMAL),pObjectAttributes=0xD01A270C{RootDirectory=0xFFFFFFFD,ObjectName=0xD01A2720{Length=0x0026,MaximumLength=0x0027,Buffer=0xD01A2B00{"T:\$C\4D5300C800000001\ContentMeta.xbx"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD01A2718,AllocationSize=0x00000000,FileAttributes=0x00000080,ShareAccess=0x00000001(FILE_SHARE_READ),CreateDisposition=0x00000001(FILE_OPEN),CreateOptions=0x00000060(FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE));
0x000010C1 0xD012FEB8 0x00022667 NtReadFile(FileHandle=0x0000001C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD01A272C,pBuffer=0xD01A275C,Length=0x00000088,pByteOffset=0x00000000);
0x000010C2 0xD012FEB8 0x000228D9 NtSetInformationFile(FileHandle=0x0000001C,pIoStatusBlock=0xD01A2728,FileInformation=0xD01A2730,Length=0x00000008,FileInformationClass=0x0000000E(FilePositionInformation));
0x000010C3 0xD012FEB8 0x00022667 NtReadFile(FileHandle=0x0000001C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD01A2714,pBuffer=0xD01A274E,Length=0x00000002,pByteOffset=0x00000000);
0x000010C4 0xD012FEB8 0x00022667 NtReadFile(FileHandle=0x0000001C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD01A25B0,pBuffer=0xD01A25E0,Length=0x00000072,pByteOffset=0x00000000);
0x000010C5 0xD012FEB8 0x00022C04 NtCreateFile(pFileHandle=0xD01A28E0,DesiredAccess=0x80100080(SYNCHRONIZE|GENERIC_READ|FILE_ATTRIBUTE_NORMAL),pObjectAttributes=0xD01A28C4{RootDirectory=0xFFFFFFFD,ObjectName=0xD01A28D8{Length=0x0020,MaximumLength=0x0021,Buffer=0xD01A2934{"T:\$C\4D5300C800000001\cache.xcd"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD01A28D0,AllocationSize=0x00000000,FileAttributes=0x00000080,ShareAccess=0x00000001(FILE_SHARE_READ),CreateDisposition=0x00000001(FILE_OPEN),CreateOptions=0x00000060(FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE));
0x000010C6 0xD012FEB8 0x00022C04 NtCreateFile(pFileHandle=0xD01A28D8,DesiredAccess=0x80100080(SYNCHRONIZE|GENERIC_READ|FILE_ATTRIBUTE_NORMAL),pObjectAttributes=0xD01A28BC{RootDirectory=0xFFFFFFFD,ObjectName=0xD01A28D0{Length=0x0026,MaximumLength=0x0027,Buffer=0xD01A2934{"T:\$C\4D5300C800000001\gameinfo_EN.bin"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD01A28C8,AllocationSize=0x00000000,FileAttributes=0x00000000,ShareAccess=0x00000000(),CreateDisposition=0x00000001(FILE_OPEN),CreateOptions=0x00000064(FILE_SEQUENTIAL_ONLY|FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE));
0x000010C7 0xD012FEB8 0x00022C04 NtCreateFile(pFileHandle=0xD01A28D8,DesiredAccess=0x80100080(SYNCHRONIZE|GENERIC_READ|FILE_ATTRIBUTE_NORMAL),pObjectAttributes=0xD01A28BC{RootDirectory=0xFFFFFFFD,ObjectName=0xD01A28D0{Length=0x0023,MaximumLength=0x0024,Buffer=0xD01A2934{"T:\$C\4D5300C800000001\gameinfo.bin"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD01A28C8,AllocationSize=0x00000000,FileAttributes=0x00000000,ShareAccess=0x00000000(),CreateDisposition=0x00000001(FILE_OPEN),CreateOptions=0x00000064(FILE_SEQUENTIAL_ONLY|FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE));
0x000010C8 0xD012FEB8 0x00022A7E NtQueryInformationFile(FileHandle=0x0000001C,pIoStatusBlock=0xD01A28D0,pFileInformation=0xD01A2898,Length=0x00000038,FileInformationClass=0x00000022(FileNetworkOpenInformation));
0x000010C9 0xD012FEB8 0x00022667 NtReadFile(FileHandle=0x0000001C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD01A28DC,pBuffer=0x039D56C0,Length=0x0000E95C,pByteOffset=0x00000000);
0x000010CA 0xD012FEB8 0x00022C04 NtCreateFile(pFileHandle=0xD01A1FC4,DesiredAccess=0x80100080(SYNCHRONIZE|GENERIC_READ|FILE_ATTRIBUTE_NORMAL),pObjectAttributes=0xD01A1FA8{RootDirectory=0xFFFFFFFD,ObjectName=0xD01A1FBC{Length=0x0026,MaximumLength=0x0027,Buffer=0xD01A212C{"T:\$C\4D5300C800000001\ContentMeta.xbx"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD01A1FB4,AllocationSize=0x00000000,FileAttributes=0x00000000,ShareAccess=0x00000001(FILE_SHARE_READ),CreateDisposition=0x00000001(FILE_OPEN),CreateOptions=0x00000060(FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE));
0x000010CB 0xD012FEB8 0x00023468 NtReadFile(FileHandle=0x0000001C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD01A1FCC,pBuffer=0xD01A206C,Length=0x0000001C,pByteOffset=0xD01A1FC4);
0x000010CC 0xD012FEB8 0x00023498 NtReadFile(FileHandle=0x0000001C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD01A1FCC,pBuffer=0xD01A2088,Length=0x0000006C,pByteOffset=0x00000000);
0x000010CD 0xD012FEB8 0x00022622 NtReadFile(FileHandle=0x0000001C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0xD01A2108,pIoStatusBlock=0xD01A2108,pBuffer=0x03FD3AC8,Length=0x0000012C,pByteOffset=0xD01A1FC0);
0x000010CE 0xD012FEB8 0x00023E3D NtOpenFile(pFileHandle=0xD01A2234,DesiredAccess=0x00100001(SYNCHRONIZE|FILE_SHARE_READ),pObjectAttributes=0xD01A2210{RootDirectory=0xFFFFFFFD,ObjectName=0xD01A2224{Length=0x0017,MaximumLength=0x0017,Buffer=0x03FD3CD0{"T:\$C\4D5300C800000001\"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD01A2208,ShareAccess=0x00000003(FILE_SHARE_READ|FILE_SHARE_WRITE),OpenOptions=0x00004021(FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT));
0x000010CF 0xD012FEB8 0x00023E67 NtQueryDirectoryFile(FileHandle=0x0000001C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD01A2208,pFileInformation=0xD01A20C0,Length=0x00000148,FileInformationClass=0x00000001(FileDirectoryInformation),pFileMask=0xD01A221C{Length=0x0000,MaximumLength=0x0003,Buffer=0x03FD3CE7{""}},RestartScan=0x00000000);
0x000010D0 0xD012FEB8 0x00022C04 NtCreateFile(pFileHandle=0xD01A2214,DesiredAccess=0x80100080(SYNCHRONIZE|GENERIC_READ|FILE_ATTRIBUTE_NORMAL),pObjectAttributes=0xD01A21F8{RootDirectory=0xFFFFFFFD,ObjectName=0xD01A220C{Length=0x0027,MaximumLength=0x0028,Buffer=0x03FD3D40{"T:\$C\4D5300C800000001\contentimage.xbx"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD01A2204,AllocationSize=0x00000000,FileAttributes=0x00000000,ShareAccess=0x00000001(FILE_SHARE_READ),CreateDisposition=0x00000001(FILE_OPEN),CreateOptions=0x00000064(FILE_SEQUENTIAL_ONLY|FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE));
0x000010D1 0xD012FEB8 0x00022A7E NtQueryInformationFile(FileHandle=0x00000024,pIoStatusBlock=0xD01A220C,pFileInformation=0xD01A21D4,Length=0x00000038,FileInformationClass=0x00000022(FileNetworkOpenInformation));
0x000010D2 0xD012FEB8 0x00022667 NtReadFile(FileHandle=0x00000024,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD01A2218,pBuffer=0x039E5000,Length=0x0000C036,pByteOffset=0x00000000);
0x000010D3 0xD012FEB8 0x00023ECE NtQueryDirectoryFile(FileHandle=0x0000001C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD01A2224,pFileInformation=0xD01A20DC,Length=0x00000148,FileInformationClass=0x00000001(FileDirectoryInformation),pFileMask=0x00000000,RestartScan=0x00000000);
0x000010D4 0xD012FEB8 0x00023ECE NtQueryDirectoryFile(FileHandle=0x0000001C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD01A2224,pFileInformation=0xD01A20DC,Length=0x00000148,FileInformationClass=0x00000001(FileDirectoryInformation),pFileMask=0x00000000,RestartScan=0x00000000);
0x000010D5 0xD012FEB8 0x00023ECE NtQueryDirectoryFile(FileHandle=0x0000001C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD01A2224,pFileInformation=0xD01A20DC,Length=0x00000148,FileInformationClass=0x00000001(FileDirectoryInformation),pFileMask=0x00000000,RestartScan=0x00000000);
0x000010D6 0xD012FEB8 0x00022C04 NtCreateFile(pFileHandle=0xD01A2214,DesiredAccess=0x80100080(SYNCHRONIZE|GENERIC_READ|FILE_ATTRIBUTE_NORMAL),pObjectAttributes=0xD01A21F8{RootDirectory=0xFFFFFFFD,ObjectName=0xD01A220C{Length=0x0023,MaximumLength=0x0024,Buffer=0x03FD3D10{"T:\$C\4D5300C800000001\gameinfo.bin"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD01A2204,AllocationSize=0x00000000,FileAttributes=0x00000000,ShareAccess=0x00000001(FILE_SHARE_READ),CreateDisposition=0x00000001(FILE_OPEN),CreateOptions=0x00000064(FILE_SEQUENTIAL_ONLY|FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE));
0x000010D7 0xD012FEB8 0x00022A7E NtQueryInformationFile(FileHandle=0x00000024,pIoStatusBlock=0xD01A220C,pFileInformation=0xD01A21D4,Length=0x00000038,FileInformationClass=0x00000022(FileNetworkOpenInformation));
0x000010D8 0xD012FEB8 0x00022667 NtReadFile(FileHandle=0x00000024,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD01A2218,pBuffer=0x039E5000,Length=0x0000E95C,pByteOffset=0x00000000);
0x000010D9 0xD012FEB8 0x00023ECE NtQueryDirectoryFile(FileHandle=0x0000001C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD01A2224,pFileInformation=0xD01A20DC,Length=0x00000148,FileInformationClass=0x00000001(FileDirectoryInformation),pFileMask=0x00000000,RestartScan=0x00000000);
0x000010DA 0xD012FEB8 0x00022C04 NtCreateFile(pFileHandle=0xD01A2214,DesiredAccess=0x80100080(SYNCHRONIZE|GENERIC_READ|FILE_ATTRIBUTE_NORMAL),pObjectAttributes=0xD01A21F8{RootDirectory=0xFFFFFFFD,ObjectName=0xD01A220C{Length=0x0024,MaximumLength=0x0025,Buffer=0x03FD3D10{"T:\$C\4D5300C800000001\gameinfo.list"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD01A2204,AllocationSize=0x00000000,FileAttributes=0x00000000,ShareAccess=0x00000001(FILE_SHARE_READ),CreateDisposition=0x00000001(FILE_OPEN),CreateOptions=0x00000064(FILE_SEQUENTIAL_ONLY|FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE));
0x000010DB 0xD012FEB8 0x00022A7E NtQueryInformationFile(FileHandle=0x00000024,pIoStatusBlock=0xD01A220C,pFileInformation=0xD01A21D4,Length=0x00000038,FileInformationClass=0x00000022(FileNetworkOpenInformation));
0x000010DC 0xD012FEB8 0x00022667 NtReadFile(FileHandle=0x00000024,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD01A2218,pBuffer=0x039E5000,Length=0x00000016,pByteOffset=0x00000000);
0x000010DD 0xD012FEB8 0x00023ECE NtQueryDirectoryFile(FileHandle=0x0000001C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD01A2224,pFileInformation=0xD01A20DC,Length=0x00000148,FileInformationClass=0x00000001(FileDirectoryInformation),pFileMask=0x00000000,RestartScan=0x00000000);
0x000010DE 0xD012FEB8 0x00022C04 NtCreateFile(pFileHandle=0xD01A2214,DesiredAccess=0x80100080(SYNCHRONIZE|GENERIC_READ|FILE_ATTRIBUTE_NORMAL),pObjectAttributes=0xD01A21F8{RootDirectory=0xFFFFFFFD,ObjectName=0xD01A220C{Length=0x0026,MaximumLength=0x0027,Buffer=0x03FD3CE0{"T:\$C\4D5300C800000001\gameinfo_FR.bin"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD01A2204,AllocationSize=0x00000000,FileAttributes=0x00000000,ShareAccess=0x00000001(FILE_SHARE_READ),CreateDisposition=0x00000001(FILE_OPEN),CreateOptions=0x00000064(FILE_SEQUENTIAL_ONLY|FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE));
0x000010DF 0xD012FEB8 0x00022A7E NtQueryInformationFile(FileHandle=0x00000024,pIoStatusBlock=0xD01A220C,pFileInformation=0xD01A21D4,Length=0x00000038,FileInformationClass=0x00000022(FileNetworkOpenInformation));
0x000010E0 0xD012FEB8 0x00022667 NtReadFile(FileHandle=0x00000024,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD01A2218,pBuffer=0x039E5000,Length=0x0000E95C,pByteOffset=0x00000000);
0x000010E1 0xD012FEB8 0x00023ECE NtQueryDirectoryFile(FileHandle=0x0000001C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD01A2224,pFileInformation=0xD01A20DC,Length=0x00000148,FileInformationClass=0x00000001(FileDirectoryInformation),pFileMask=0x00000000,RestartScan=0x00000000);
0x000010E2 0xD012FEB8 0x00023043 NtQueryFullAttributesFile(pObjectAttributes=0xD01A25A4{RootDirectory=0xFFFFFFFD,ObjectName=0xD01A25B0{Length=0x0022,MaximumLength=0x0023,Buffer=0xD01A25CC{"T:\$C\4D5300C800000001\default.xbe"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pAttributes=0xD01A256C);
0x000010E3 0xD012FEB8 0x00023043 NtQueryFullAttributesFile(pObjectAttributes=0xD01A25A4{RootDirectory=0xFFFFFFFD,ObjectName=0xD01A25B0{Length=0x0027,MaximumLength=0x0028,Buffer=0xD01A25CC{"T:\$C\4D5300C800000001\contentimage.xbx"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pAttributes=0xD01A256C);
0x000010E4 0xD012FEB8 0x00023043 NtQueryFullAttributesFile(pObjectAttributes=0xD01A25A4{RootDirectory=0xFFFFFFFD,ObjectName=0xD01A25B0{Length=0x0023,MaximumLength=0x0024,Buffer=0xD01A25CC{"T:\$C\4D5300C800000001\gameinfo.bin"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pAttributes=0xD01A256C);
<snip />


Enjoy smile.gif

Edited by PedrosPad, 04 November 2005 - 08:01 PM.


#3 DaddyJ

DaddyJ

    X-S Messiah

  • Dev/Contributor
  • PipPipPipPipPipPipPip
  • 3,919 posts
  • Xbox Version:unk
  • 360 version:none

Posted 04 November 2005 - 02:03 PM

Nice work, once again Pedro.....

QUOTE(Pedro)
abandonware
blink.gif I like that!!!!

Edited by DaddyJ, 04 November 2005 - 11:54 PM.


#4 Angerwound

Angerwound

    X-S Freak

  • Members
  • PipPipPipPipPip
  • 1,719 posts
  • Location:Hell
  • Xbox Version:v1.0
  • 360 version:none

Posted 04 November 2005 - 06:06 PM

Genius!

#5 pepe2004

pepe2004

    X-S Senior Member

  • Members
  • PipPip
  • 201 posts

Posted 04 November 2005 - 08:05 PM

Sorry for the question, what this program does?, it make a registry of what the xbox does?, just curiosity tongue.gif

#6 xman954

xman954

    X-S Messiah

  • Dev/Contributor
  • PipPipPipPipPipPipPip
  • 3,028 posts
  • Location:the bottom of Tampa Bay
  • Xbox Version:v1.0
  • 360 version:v1 (xenon)

Posted 04 November 2005 - 08:06 PM

VERY NICE smile.gif
going to dive into this later tonight...
a few questions on your "abandonware" jester.gif
QUOTE
Usage:
  APIReporter <filename> [offset (in Hex)] [/STRINGS][>APIReport.txt]
e.g.
APIReporter APILog.d8a >VerboseReport.txt
APIReporter APILog.d8a 0 /STRINGS >StringsReport.txt

in APIReporter
is the "offset in hex" the record number to start the output file from ?
are there any other arguments that can be passed ?

also what is "\Device\Harddisk0\partition1\& quot"

Edited by xman954, 04 November 2005 - 08:11 PM.


#7 krayzie

krayzie

    X-S Elysian

  • Head Moderators
  • PipPipPipPipPipPipPipPipPipPipPipPipPip
  • 9,340 posts
  • Gender:Male
  • Xbox Version:unk
  • 360 version:unknown

Posted 04 November 2005 - 09:01 PM

QUOTE(pepe2004 @ Nov 4 2005, 08:12 PM)
Sorry for the question, what this program does?, it make a registry of what the xbox does?, just curiosity  tongue.gif

View Post



QUOTE
Description:
Applications executing on the XBOX make frequent calls into the XBOX kernel in order to accomplish things. The group of functions that the kernel exports for use by applications is known as the Kernel API (Applications Programming Interface). An insight into the operation of the application can be gained by observing the calls it makes to the kernel.


In simple English: It shows what calls xbe files make to the kernel when executed..

#8 PedrosPad

PedrosPad

    X-S Freak

  • Moderator
  • PipPipPipPipPip
  • 1,859 posts
  • Location:UK
  • Xbox Version:v1.1
  • 360 version:v1 (xenon)

Posted 04 November 2005 - 11:07 PM

QUOTE(krayzie @ Nov 4 2005, 09:08 PM)
QUOTE
Description:
Applications executing on the XBOX make frequent calls into the XBOX kernel in order to accomplish things. The group of functions that the kernel exports for use by applications is known as the Kernel API (Applications Programming Interface). An insight into the operation of the application can be gained by observing the calls it makes to the kernel.

In simple English: It shows what calls xbe files make to the kernel when executed..

View Post


Sorry. Wrote it at work (I get paid by the word wink.gif laugh.gif ).

Edited by PedrosPad, 04 November 2005 - 11:08 PM.


#9 PedrosPad

PedrosPad

    X-S Freak

  • Moderator
  • PipPipPipPipPip
  • 1,859 posts
  • Location:UK
  • Xbox Version:v1.1
  • 360 version:v1 (xenon)

Posted 04 November 2005 - 11:22 PM

QUOTE(xman954 @ Nov 4 2005, 08:13 PM)
a few questions on your "abandonware"  jester.gif

in APIReporter
is the "offset in hex" the record number to start the output file from ?
are there any other arguments that can be passed ?

View Post


I don’t believe the parameter is needed anymore. An earlier version of the APILogger XBOX component used to write out corrupt data capture files occasionally (caused by some non-thread-safe code mad.gif ). I used to use the hex offset parameter to access the first good record in the file following the corruption. smile.gif
QUOTE(xman954 @ Nov 4 2005, 08:13 PM)
also what is "\Device\Harddisk0\partition1\& quot"

View Post


Some character strings are prefixed by their length (just like a Window’s BSTR), and aren’t null terminated. In practice most the strings encountered were also null terminated. Thus I didn’t bother to code specific support for length-prefixed-strings into the APIReporter. Consequently, occasionally you find one that isn’t null terminated, and the garbage following the true string is sometimes accidentally output.


#10 morbidpete

morbidpete

    X-S X-perience

  • Members
  • PipPip
  • 304 posts
  • Location:West Warwick R.I., USA
  • Xbox Version:v1.4
  • 360 version:v1 (xenon)

Posted 05 November 2005 - 01:12 AM

so ahh. whats this mean for the homebrew or hacking scene?

#11 PedrosPad

PedrosPad

    X-S Freak

  • Moderator
  • PipPipPipPipPip
  • 1,859 posts
  • Location:UK
  • Xbox Version:v1.1
  • 360 version:v1 (xenon)

Posted 05 November 2005 - 07:05 AM

QUOTE(morbidpete @ Nov 5 2005, 01:19 AM)
so ahh. whats this mean for the homebrew or hacking scene?

View Post


Nada. biggrin.gif

As the XBOX1 nears the end of its operational life, Angerwound has led the way in releasing previously closed-group utils. The motive for his release was simply to provide a historic record, and contribute additional information to the curious. However his revelation and description of FuckM$ has provided stimulus to a new generation of enthusiasts who are even now looking at unforeseen practical uses for his techniques.

I thought I'd contribute similarly by releasing the completed second version of my APILogger (completed = as far as I intended too anyway wink.gif ). It was completed at the beginning of the year, but is trickier to use, and less stable, than version 1 (which is the reason it wasn‘t released BTW.).

APILogger was initially developed to aid me in the search for a Utopia disk exploit. It provided a quick insight into the operation of candidate XBEs without having to enter into a lengthy, and often fruitless, disassembly analysis.

X360 is as yet uncharted territory, and will provide an fresh opportunity for many whom homed their skills on XBOX1 to contribute. It is my hope that these releases will enthuse, educate, and inspire such individuals.



The unofficial response? Angerwound has started a pissing contest! wink.gif biggrin.gif jester.gif

Edited by PedrosPad, 05 November 2005 - 07:08 AM.


#12 Angerwound

Angerwound

    X-S Freak

  • Members
  • PipPipPipPipPip
  • 1,719 posts
  • Location:Hell
  • Xbox Version:v1.0
  • 360 version:none

Posted 05 November 2005 - 07:13 AM

QUOTE(PedrosPad @ Nov 5 2005, 12:12 AM)
The unofficial response?  Angerwound has started a pissing contest! wink.gif biggrin.gif jester.gif

View Post



Haha... tongue.gif

#13 Keo-Keo

Keo-Keo

    X-S Genius

  • Members
  • PipPipPipPip
  • 871 posts
  • Location:Cincinnati Ohio
  • Interests:Modded.. Shell scripting all sorts of things.
  • Xbox Version:v1.0

Posted 05 November 2005 - 07:43 PM

Wow PedrosPad i had love your 1st API logger! And was glade to hear V2 is out.. Nice work!!! :-D

_Keo

#14 globe_guyx

globe_guyx

    X-S Member

  • Members
  • Pip
  • 61 posts

Posted 05 November 2005 - 11:53 PM

Good job. Guess what. I have no complaints..smile.gif

#15 xman954

xman954

    X-S Messiah

  • Dev/Contributor
  • PipPipPipPipPipPipPip
  • 3,028 posts
  • Location:the bottom of Tampa Bay
  • Xbox Version:v1.0
  • 360 version:v1 (xenon)

Posted 07 November 2005 - 06:03 AM

APIlogger V1 works fine...
APIlogger V2 well, it does not like my xbox for some reason sad.gif
EVERYTHING i try just turns the led to orange then hangs with a black screen.
habibi signed evox, configmagic
tried APIloggerHDD.xbe as is.
compiled a new one with just 4 things to log
CODE
DetourKernelCall  NtCreateFile; Ordinal number 190
DetourKernelCall  NtOpenFile; Ordinal number 202
DetourKernelCall  NtReadFile; Ordinal number 219
DetourKernelCall  NtWriteFile; Ordinal number 236

started to get desperate so I edited ernie.xtf to point to the APIlogger directly
still no go, then decided to put the patch back M$ KEY code in the start of the logger
(xboxapps.asm) then directed it to log C:\settings_adoc.xip and it worked
logged this (went back to default logger settings +2 others with patch back code in it)
CODE
0x00000000 0xD0008358 0x00022356 IoCreateSymbolicLink(UnknownArgs=54A70600 5CA70600 );
0x00000001 0xD0008358 0x0001E5D8 IoCreateSymbolicLink(UnknownArgs=24A70600 2CA70600 );
0x00000002 0xD0008358 0x00028C5D NtCreateFile(pFileHandle=0xD0031B64,DesiredAccess=0x80100080(SYNCHRONIZE|GENERIC_READ|FILE_ATTRIBUTE_NORMAL),pObjectAttributes=0xD0031B48{RootDirectory=0xFFFFFFFD,ObjectName=0xD0031B5C{Length=0x0030,MaximumLength=0x0031,Buffer=0xD0031C08{"y:\Audio\AmbientAudio\AMB_12_HYDROTHUNDER_LR.wav"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD0031B54,AllocationSize=0x00000000,FileAttributes=0x00000000,ShareAccess=0x00000001(FILE_SHARE_READ),CreateDisposition=0x00000001(FILE_OPEN),CreateOptions=0x00000060(FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE));
<snip>
0x00000012 0xD0008358 0x000288EB NtReadFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B58,pBuffer=0x80FD7000,Length=0x006261A8,pByteOffset=0x00000000);

so at least i got it to work so my setup is ok (with chip on or off)
but it will not work with any other xbe (habibi or M$ signed)
tried xboxdash.xbe, xonlinedash.xbe
xbox is K4034
is there anything i can do to make it work... beerchug.gif

Edited by xman954, 07 November 2005 - 06:06 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users