Re: Outlook Express question

From: Robert Aldwinckle (robald_at_techemail.com)
Date: 04/02/04 

Date: Fri, 2 Apr 2004 10:37:40 -0500

"Jim Carlock" <anonymous@127.0.0.1> wrote in message
news:u0RLIzBGEHA.2656@TK2MSFTNGP09.phx.gbl...
> <g>
>
> This message is for Robert Aldwinckle as well. I'm sending the
> thread to the PA Bear newsgroup as well. ;-)
>
> I've tried using OllyDbg to step through it. I can't slow down my
> system enough to read the splash, and for some reason I can get
> OllyDbg to stop right after the Splash is displayed, but the splash
> at that point is unreadable (because of OllyDbg's control over it).

Remember I said that I had to press Alt-PrintScrn in anticipation of it
even with both FileMon and RegMon running to try to slow it down?

Actually, I'm not sure how useful this is going to be for you anyway
because there isn't any version information on it apart from the OE6 logo.
It would probably be enough for you to guess that you were seeing
the real thing if you are seeing a flash of blue.

(Sorry I was slow posting this. I see now that you have captured it.)

>
> Some comments, so far, the best I can tell right at the moment
> is the version number is being read from msoeres.dll. I've looked
> through the msoe.dll for the version string but they default to a
> IMproper string (ie, not the 5.00.0000.0000 string). ;-)
>
> And I'm not sure if you'd like me to post all the gorey details
> about the different strings that are contained within the other
> files, so I'll start off by stating, the following:
>
> msoe.dll <- is one of the main files
> msimn.exe <- is thart starting stub
> msoeres.dll <- is the resource file that holds icons (and version info ?)
> This file is read initially and loaded at start up. This file is also read
> when doing a version lookup (at least on my system it is).

You mean instead of seeing oeimport.dll accessed when you press A
a few seconds after pressing Alt-H?

Here's a better FileMon filter which may help compare differences there.
    Include: msimn*READ
    Highlight: OE

What I missed before is that oeimport.dll is always accessed when
Alt-H,A is issued but the first time both msoeres.dll and oeimport.dll
are accessed. mapi32.dll is also read the same way and is the only
other module in the Help,About list which exists but which doesn't have
the its Full Path listed. (csapi3t1.dll is the third module which doesn't
have its Full Path listed but it doesn't exist.) There are two reads per
module. My guess is that they will just be reading them to get the module
versions.

The trace is relatively small so FWIW here it is
< second use of Help, About >
10:01:20 msimn.exe:476 IRP_MJ_READ* D:\WINDOWS\system32\config\software SUCCESS Offset: 7405568 Length: 4096
10:01:20 msimn.exe:476 IRP_MJ_READ* D:\Program Files\Outlook Express\msimn.exe SUCCESS Offset: 7680 Length: 16384
10:01:20 msimn.exe:476 IRP_MJ_READ* D:\WINDOWS\system32\mapi32.dll SUCCESS Offset: 32768 Length: 32768
10:01:20 msimn.exe:476 IRP_MJ_READ* D:\WINDOWS\system32\mapi32.dll SUCCESS Offset: 65536 Length: 32768
10:01:20 msimn.exe:476 IRP_MJ_READ* D:\$Mft SUCCESS Offset: 27074560 Length: 4096
10:01:20 msimn.exe:476 IRP_MJ_READ* D:\Program Files\Outlook Express\oeimport.dll SUCCESS Offset: 0 Length: 32768
10:01:20 msimn.exe:476 IRP_MJ_READ* D:\Program Files\Outlook Express\oeimport.dll SUCCESS Offset: 61440 Length: 32768
10:01:20 msimn.exe:476 IRP_MJ_READ* D:\Program Files\Common Files\System\wab32.dll SUCCESS Offset: 433152 Length: 12800

</ second use of Help, About >

(more...)

>
> I created a new MS IEADK (these acronyms are killing me!) and
> reinstalled using the new IEAKD build, but it didn't seem to over-
> write anything. Right now I've got the OLD msoeres.dll (as it
> doesn't export anything but icons (and possibly a version number)),
> in use. It does NOT seem to affect any of the operations of OE.
> There are approx. 59 icons in msoeres.dll in 10 different formats,
> and it has the version number of OE as displayed in my About box.
> The About box seems to read from that file, but my first inclination
> is to think that it's grabbing a bitmap or icon. Furthermore, there
> seem to be numerous .gif89 files inside of msoeres.dll, as well as
> Adobe 4.0 images, there is a reference to: NPhotoshop 3.0, I'm
> not quite sure what that is at the moment, but I think it might be
> worth finding, and other things with that tag inside of them all
> seem to be some sort of .jpg images, which is really really
> interesting, as there is JFIF in those files and if the image is renamed
> from jpg, to jfif, it reads 100% accurately (in IE as well as other
> graphics programs). If you're a graphic image specialist, you I'd
> appreciate a comment, because as you can tell I don't have a
> very broad knowledge of what the difference is between jfif and
> jpg (there appears to be NO difference).
>
> Some interesting strings inside of msoe.dll:
>
> ComboBox, cmdDownload, cmdConnect, btnContinue
> btnTrust, btnCert, btnOpen, Hhotmail
>
> It almost looks like a VB application with function names as those
> listed above. Either that, or the programmers took a fancy for the
> Hungarian notation that VB programmers use. In fact, I'm willing
> to bet that parts of msoe.dll were created with an offshoot brand
> of VB5.

Possibly! Turn on your script debugger and run this from the Address bar

< res://%ProgramFiles%\Outlook%20Express\msoeres.dll/frntpage.htm >

This would be another possible difference perhaps worth investigating.
E.g., try overriding FrontPagePath with About:Blank to avoid that script.

BTW using the res: protocol prefix would be a way to check out those
images that you noticed.

>
> But what do I know? Absolutely nothing! I'm still at the same
> point I started at. <g>

Do you have another standard version installed somewhere that you can
compare traces with? My guess is still that oeimport.dll has something
to do with the difference but I'm less certain what it is. Related to it, there
are some registry values which deal with "migration". E.g. you could use
a RegMon filter of msimn*mig to compare differences there.

Good luck

Robert 

---

Relevant Pages

  • Re: Outlook Express question
    ... > This message is for Robert Aldwinckle as well. ... > I've tried using OllyDbg to step through it. ... or the programmers took a fancy for the ... images that you noticed. ...
    (microsoft.public.windowsxp.general)
  • Re: [PHP] Re: how to display images stored in DB**
    ... for storing images is "bad" practice. ... "Bad" practice or "good" practice depends upon the needs and one's perspective of the situation. ... If you were to talk to the average computer user; or to the average investor who invests in technologies; or to the businessman who is paying the bills for programmers to build the product while trying to make money at the same time; they all might have different opinions as to the quality and state of software. ... If you assume that you have one database supply all the images to all ...
    (php.general)
  • v4l device in userspace
    ... I've a little program running in the phone, capturing ... images, ... driver that actually gets the images form userspace. ... Programmers are, in their hearts, architects -- Joel Spolsky ...
    (Linux-Kernel)
  • Re: [SLE] screen blocks installation of 9.1
    ... On Saturday 02 July 2005 02:50, Sunny wrote: ... Then the program displays text and images correctly on a full screen. ... These young SuSE programmers ought to take some advice ...
    (SuSE)
  • Re: Logos/buttons show as plain boxes
    ... > Robert Aldwinckle wrote: ... What's curious is that Images List ... > What is the Web Accessory Images List? ... > I can't find cache checking in the Internet Explorer Help. ...
    (microsoft.public.windows.inetexplorer.ie6.browser)