Topic: Apilogger V2 (Read 198 times)

PedrosPad · « **on:** November 04, 2005, 03:49:00 AM »

Pedro's APILogger V2

Ancestry / History:
http://forums.xbox-scene.com/index.php?showtopic=298619&view=findpost&p=1952357

Description:
Applications executing on the XBOX make frequent calls into the XBOX kernel in order to accomplish things. The group of functions that the kernel exports for use by applications is known as the Kernel API (Applications Programming Interface). An insight into the operation of the application can be gained by observing the calls it makes to the kernel.

Process:
When executed, the APILogger utility installs itself into the kernel, and then spawns a child application. Any calls made by the spawned application to the kernel are then captured and the details logged to a file on the HDD for later examination.

Design:
The design approach was to ensure that the XBOX-based component of the APILogger was as compact and lightweight as possible. This mandated a companion PC-based application, APIReporter, which contains the intelligence and does the processing.

Installation:
Copy the XBEs from the distribution into E:\APILog.
When executed, APILoggerHDD.xbe, will install the APILogger into memory, and then spawn the subject XBE located at E:\APILog\default.xbe. Any support files required by the subject default.xbe should also be copied into E:\APILog.
When executed, APILoggerDVD.xbe, will install the APILogger into memory, and then spawn the subject XBE located at D:\default.xbe.

Operation:
With either APILogger XBE, the captured log data is written to E:\APILog\APILog.d8a. For efficiency, this is an optimised binary log file format. Following a run, FTP this file to the PC. The separate PC-based utility, APIReporter, knows how to interpret the file format, and is used to produce the human readable text reports.

Usage:
APIReporter <filename> [offset (in Hex)] [/STRINGS][>APIReport.txt]

e.g.
APIReporter APILog.d8a >VerboseReport.txt
APIReporter APILog.d8a 0 /STRINGS >StringsReport.txt

Configuration:
A specific fragment of code is required to record the details of each different kernel call. There is not enough spare space in the kernel for all the specific fragments at one time. Therefore, compile-time directives are used to configure which kernel calls should be monitored. This is configured using the APILogger.inc source file. The source file contains two primary sections. Every kernel function is listed in both sections and is initially commented out. Uncomment both occurrences of the kernel function name (one in the top section, and one in the bottom section) in order to activate logging for that call. It is not recommended that more than 8-10 kernel calls be activated at the same time. Multiple runs can be made if more are required.

After making changes to this file, the source code must be assembled into a new XBE and transferred to the XBOX for execution.

Known issues:

Not intended to work with other kernel patchers (PBL, NKPatcher, etc) - Use with a mod-chip, or softmod that only alters the M$ key.
Doesn't work for all XBEs - some games appear to clobber it in memory. See update below.
APIReporter doesn't show its usage message when executed with no arguments.

Closing:
Note that this is a tool intended for advanced users. It's not pretty, but it does provide some useful functionality if you need it. Use it if you want, ignore it if you wish.

Download http://dwl.xbox-scene.com/~xbox/xbox-scene/software/utilities/APILoggerV2.rar (or from xbins @ /XBOX/apps/utilities/APILogger/APILoggerV2.rar).

Note: This release is abandonware - I'm not looking to provide much/any support. (Heck it's nearly a year since I last touched it. I can't remember much about how it works anymore )

Update:
APILoggerV2 now works with XBEs compiled with recent XDKs by performing the following procedure on the subject XBE:

Open the subject XBE using a file hex editor.
Search for 0x87480887500C (should only be one occurrence).
Replace with 0x909090909090.
Re-sign with xbedump to correct segment checksums.
Spawn the patched XBE from APILoggerV2

PedrosPad · « **Reply #1 on:** November 04, 2005, 04:01:00 AM »

Where as the original APILogger only logged calls to IoCreateFile(), and then only captured the filename and not the other arguments, this new version can capture any/all calls an XBOX application makes to kernel functions, along with all the arguments and details.

To wet your appetite, attached are both a detailed report and summary (contains only calls that take strings arguments) report captured for the XBOX!Live Arcade CD-Rom XBE.

The sample detailed report is very likely OTT on detail, but what is logged, and what's reported is fully configurable in the release.

The first column is simply the record number.
The second column is the ID of the thread making the call. (Useful to undo the interweaving caused by multiple threads (Simply import into Excel, and sort on column )
The third column is the memory address the kernel call will return to when done - useful when you've the XBE disassembled in the next window!

Summary report:

QUOTE

0x00000000 0xD00082D8 0x00025A73 NtOpenFile({"\Device\Harddisk0\partition1\"});
0x00000002 0xD00082D8 0x00025BE1 NtCreateFile({"\Device\Harddisk0\partition1\TDATA"});
0x00000003 0xD00082D8 0x00025C9E NtCreateFile({"\Device\Harddisk0\partition1\TDATA\4d5300c8"});
0x00000004 0xD00082D8 0x00025BE1 NtCreateFile({"\Device\Harddisk0\partition1\UDATA"});
0x00000005 0xD00082D8 0x00025C9E NtCreateFile({"\Device\Harddisk0\partition1\UDATA\4d5300c8"});
0x00000006 0xD00082D8 0x00025D87 NtCreateFile({"\Device\Harddisk0\partition1\UDATA\4d5300c8\TitleMeta.xbx"});
0x00000008 0xD00082D8 0x00025B1E NtCreateFile({"\Device\Harddisk0\partition1\UDATA\4d5300c8\TitleImage.xbx"});
0x0000000A 0xD00082D8 0x00024745 NtOpenFile({"\Device\Harddisk0\partition0"});
0x0000000D 0xD00082D8 0x0002613D NtOpenFile({"\Device\Harddisk0\Partition5"});
0x0000002E 0xD00082D8 0x00025A73 NtOpenFile({"\Device\Harddisk0\Partition5\"});
0x00000030 0xD00082D8 0x000268FD NtOpenSymbolicLinkObject({"\??\D:"});
0x00000031 0xD00082D8 0x0004D157 NtOpenSymbolicLinkObject({"\??\D:"});
0x00000032 0xD00082D8 0x00024BCD NtCreateFile({"Z:\categoryvideos"});
0x00000033 0xD00082D8 0x00024BCD NtCreateFile({"Z:\offeringvideos"});
<snip />
0x000010BB 0xD012FEB8 0x00023120 NtOpenFile({"Z:\categoryvideos\7.xmv"});
0x000010BC 0xD012FEB8 0x00022C04 NtCreateFile({"Z:\categoryvideos\7.xmv"});
0x000010BE 0xD012FEB8 0x00023E3D NtOpenFile({"T:\$C\"});
0x000010BF 0xD012FEB8 0x00023E67 NtQueryDirectoryFile({"*"});
0x000010C0 0xD012FEB8 0x00022C04 NtCreateFile({"T:\$C\4D5300C800000001\ContentMeta.xbx"});
0x000010C5 0xD012FEB8 0x00022C04 NtCreateFile({"T:\$C\4D5300C800000001\cache.xcd"});
0x000010C6 0xD012FEB8 0x00022C04 NtCreateFile({"T:\$C\4D5300C800000001\gameinfo_EN.bin"});
0x000010C7 0xD012FEB8 0x00022C04 NtCreateFile({"T:\$C\4D5300C800000001\gameinfo.bin"});
0x000010CA 0xD012FEB8 0x00022C04 NtCreateFile({"T:\$C\4D5300C800000001\ContentMeta.xbx"});
0x000010CE 0xD012FEB8 0x00023E3D NtOpenFile({"T:\$C\4D5300C800000001\"});
0x000010CF 0xD012FEB8 0x00023E67 NtQueryDirectoryFile({""});
0x000010D0 0xD012FEB8 0x00022C04 NtCreateFile({"T:\$C\4D5300C800000001\contentimage.xbx"});
0x000010D6 0xD012FEB8 0x00022C04 NtCreateFile({"T:\$C\4D5300C800000001\gameinfo.bin"});
0x000010DA 0xD012FEB8 0x00022C04 NtCreateFile({"T:\$C\4D5300C800000001\gameinfo.list"});
0x000010DE 0xD012FEB8 0x00022C04 NtCreateFile({"T:\$C\4D5300C800000001\gameinfo_FR.bin"});
0x000010E2 0xD012FEB8 0x00023043 NtQueryFullAttributesFile({"T:\$C\4D5300C800000001\default.xbe"});
0x000010E3 0xD012FEB8 0x00023043 NtQueryFullAttributesFile({"T:\$C\4D5300C800000001\contentimage.xbx"});
0x000010E4 0xD012FEB8 0x00023043 NtQueryFullAttributesFile({"T:\$C\4D5300C800000001\gameinfo.bin"});
<snip/>

(Very) Detailed report:

QUOTE

0x00000000 0xD00082D8 0x00025A73 NtOpenFile(pFileHandle=0xD0031CB8,DesiredAccess=0x00100001(SYNCHRONIZE|FILE_SHAR
E_READ),pObjectAttributes=0xD0031C9C{RootDirectory=0x00000000,ObjectName=0x00181
534{Length=0x001D,MaximumLength=0x001E,Buffer=0x0015A204{"\Device\Harddisk0\partition1\& quot;}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD0031CA8,S
hareAccess=0x00000003(FILE_SHARE_READ|FILE_SHARE_WRITE),OpenOptions=0x00800021(F
ILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_FREE_SPACE_QUERY))
;
0x00000001 0xD00082D8 0x00025A8E NtQueryVolumeInformationFile(FileHandle=0x0000000C,pIoStatusBlock=0xD0031CA8,pFi
leSystemInformation=0xD0031C84,Length=0x00000018,FileInformationClass=0x00000003
(FileBothDirectoryInformation));
0x00000002 0xD00082D8 0x00025BE1 NtCreateFile(pFileHandle=0xD0031C88,DesiredAccess=0x00100001(SYNCHRONIZE|FILE_SH
ARE_READ),pObjectAttributes=0xD0031C7C{RootDirectory=0x00000000,ObjectName=0x001
81544{Length=0x0022,MaximumLength=0x0023,Buffer=0x0015A1D8{"\Device\Harddisk0\partition1\TDATA& quot;}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD0031C74,A
llocationSize=0x00000000,FileAttributes=0x00000080,ShareAccess=0x00000003(FILE_S
HARE_READ|FILE_SHARE_WRITE),CreateDisposition=0x00000003(FILE_OPEN|FILE_CREATE|F
ILE_OPEN_IF),CreateOptions=0x00004021(FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NO
NALERT|FILE_OPEN_FOR_BACKUP_INTENT));
0x00000003 0xD00082D8 0x00025C9E NtCreateFile(pFileHandle=0xD0031C88,DesiredAccess=0x00120117(READ_CONTROL|SYNCHR
ONIZE|FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE),pObjectAttributes=0xD0
031C7C{RootDirectory=0x00000000,ObjectName=0xD0031C68{Length=0x002B,MaximumLengt
h=0x002C,Buffer=0xD0031B24{"\Device\Harddisk0\partition1\TDATA\4d5300c8& quot;}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD0031C74,A
llocationSize=0x00000000,FileAttributes=0x00000080,ShareAccess=0x00000003(FILE_S
HARE_READ|FILE_SHARE_WRITE),CreateDisposition=0x00000003(FILE_OPEN|FILE_CREATE|F
ILE_OPEN_IF),CreateOptions=0x00004021(FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NO
NALERT|FILE_OPEN_FOR_BACKUP_INTENT));
0x00000004 0xD00082D8 0x00025BE1 NtCreateFile(pFileHandle=0xD0031C88,DesiredAccess=0x00100001(SYNCHRONIZE|FILE_SH
ARE_READ),pObjectAttributes=0xD0031C7C{RootDirectory=0x00000000,ObjectName=0x001
81554{Length=0x0022,MaximumLength=0x0023,Buffer=0x0015A1AC{"\Device\Harddisk0\partition1\UDATA& quot;}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD0031C74,A
llocationSize=0x00000000,FileAttributes=0x00000080,ShareAccess=0x00000003(FILE_S
HARE_READ|FILE_SHARE_WRITE),CreateDisposition=0x00000003(FILE_OPEN|FILE_CREATE|F
ILE_OPEN_IF),CreateOptions=0x00004021(FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NO
NALERT|FILE_OPEN_FOR_BACKUP_INTENT));
0x00000005 0xD00082D8 0x00025C9E NtCreateFile(pFileHandle=0xD0031C88,DesiredAccess=0x00120117(READ_CONTROL|SYNCHR
ONIZE|FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE),pObjectAttributes=0xD0
031C7C{RootDirectory=0x00000000,ObjectName=0xD0031C68{Length=0x002B,MaximumLengt
h=0x002C,Buffer=0xD0031B24{"\Device\Harddisk0\partition1\UDATA\4d5300c8& quot;}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD0031C74,A
llocationSize=0x00000000,FileAttributes=0x00000080,ShareAccess=0x00000003(FILE_S
HARE_READ|FILE_SHARE_WRITE),CreateDisposition=0x00000003(FILE_OPEN|FILE_CREATE|F
ILE_OPEN_IF),CreateOptions=0x00004021(FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NO
NALERT|FILE_OPEN_FOR_BACKUP_INTENT));
0x00000006 0xD00082D8 0x00025D87 NtCreateFile(pFileHandle=0xD0031CA0,DesiredAccess=0x40100000(SYNCHRONIZE|GENERIC
_WRITE),pObjectAttributes=0xD0031C7C{RootDirectory=0x00000000,ObjectName=0xD0031
C60{Length=0x0039,MaximumLength=0x003A,Buffer=0xD0031B24{"\Device\Harddisk0\partition1\UDATA\4d5300c8\TitleMeta.xbx& quot;}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD0031C74,A
llocationSize=0x00000000,FileAttributes=0x00000004,ShareAccess=0x00000001(FILE_S
HARE_READ),CreateDisposition=0x00000003(FILE_OPEN|FILE_CREATE|FILE_OPEN_IF),Crea
teOptions=0x00000022(FILE_WRITE_THROUGH|FILE_SYNCHRONOUS_IO_NONALERT));
0x00000007 0xD00082D8 0x00025DA9 NtQueryInformationFile(FileHandle=0x00000010,pIoStatusBlock=0xD0031C74,pFileInfo
rmation=0xD0031C28,Length=0x00000038,FileInformationClass=0x00000022(FileNetwork
OpenInformation));
0x00000008 0xD00082D8 0x00025B1E NtCreateFile(pFileHandle=0xD00319F0,DesiredAccess=0x40100000(SYNCHRONIZE|GENERIC
_WRITE),pObjectAttributes=0xD00319C8{RootDirectory=0x00000000,ObjectName=0xD0031
9D4{Length=0x003A,MaximumLength=0x003B,Buffer=0xD0031B24{"\Device\Harddisk0\partition1\UDATA\4d5300c8\TitleImage.xbx& quot;}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD00319DC,A
llocationSize=0x00000000,FileAttributes=0x00000004,ShareAccess=0x00000001(FILE_S
HARE_READ),CreateDisposition=0x00000003(FILE_OPEN|FILE_CREATE|FILE_OPEN_IF),Crea
teOptions=0x00000022(FILE_WRITE_THROUGH|FILE_SYNCHRONOUS_IO_NONALERT));
0x00000009 0xD00082D8 0x00025B3B NtQueryInformationFile(FileHandle=0x00000010,pIoStatusBlock=0xD00319DC,pFileInfo
rmation=0xD0031990,Length=0x00000038,FileInformationClass=0x00000022(FileNetwork
OpenInformation));
0x0000000A 0xD00082D8 0x00024745 NtOpenFile(pFileHandle=0xD0031B80,DesiredAccess=0xC0100000(SYNCHRONIZE|GENERIC_W
RITE|GENERIC_READ),pObjectAttributes=0xD0031B5C{RootDirectory=0x00000000,ObjectN
ame=0x0015A0EC{Length=0x001C,MaximumLength=0x001D,Buffer=0x0015A0F4{"\Device\Harddisk0\partition0& quot;}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD0031B68,S
hareAccess=0x00000003(FILE_SHARE_READ|FILE_SHARE_WRITE),OpenOptions=0x00000010(F
ILE_SYNCHRONOUS_IO_ALERT));
0x0000000B 0xD00082D8 0x0002477A NtReadFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcCon
text=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0xD003195C,Length=0x00000200,p
ByteOffset=0xD0031B70);
0x0000000C 0xD00082D8 0x0002493A NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcCo
ntext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0xD003195C,Length=0x00000200,
pByteOffset=0xD0031B70);
0x0000000D 0xD00082D8 0x0002613D NtOpenFile(pFileHandle=0xD0031B88,DesiredAccess=0x00100003(SYNCHRONIZE|FILE_SHAR
E_READ|FILE_SHARE_WRITE),pObjectAttributes=0xD0031B54{RootDirectory=0x00000000,O
bjectName=0xD0031CB4{Length=0x001C,MaximumLength=0x001E,Buffer=0xD0031BA8{"\Device\Harddisk0\Partition5& quot;}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD0031B68,S
hareAccess=0x00000000(),OpenOptions=0x00000018(FILE_NO_INTERMEDIATE_BUFFERING|FI
LE_SYNCHRONOUS_IO_ALERT));
0x0000000E 0xD00082D8 0x0002616F NtDeviceIoControlFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000
000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B68,pIoControlCode=0x00070000,p
InputBuffer=0x00000000,InputBufferLength=0x00000000,pOutputBuffer=0xD0031B3C,Out
putBufferLength=0x00000018);
0x0000000F 0xD00082D8 0x000261AB NtDeviceIoControlFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000
000,pApcContext=0x00000000,pIoStatusBlock=0xD0031B68,pIoControlCode=0x00074004,p
InputBuffer=0x00000000,InputBufferLength=0x00000000,pOutputBuffer=0xD0031B1C,Out
putBufferLength=0x00000020);
0x00000010 0xD00082D8 0x000262ED NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcCo
ntext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,
pByteOffset=0xD0031B70);
0x00000011 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcCo
ntext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,
pByteOffset=0xD0031B70);
0x00000012 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcCo
ntext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,
pByteOffset=0xD0031B70);
0x00000013 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcCo
ntext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,
pByteOffset=0xD0031B70);
0x00000014 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcCo
ntext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,
pByteOffset=0xD0031B70);
0x00000015 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcCo
ntext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,
pByteOffset=0xD0031B70);
0x00000016 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcCo
ntext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,
pByteOffset=0xD0031B70);
0x00000017 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcCo
ntext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,
pByteOffset=0xD0031B70);
0x00000018 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcCo
ntext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,
pByteOffset=0xD0031B70);
0x00000019 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcCo
ntext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,
pByteOffset=0xD0031B70);
0x0000001A 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcCo
ntext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,
pByteOffset=0xD0031B70);
0x0000001B 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcCo
ntext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,
pByteOffset=0xD0031B70);
0x0000001C 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcCo
ntext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,
pByteOffset=0xD0031B70);
0x0000001D 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcCo
ntext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,
pByteOffset=0xD0031B70);
0x0000001E 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcCo
ntext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,
pByteOffset=0xD0031B70);
0x0000001F 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcCo
ntext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,
pByteOffset=0xD0031B70);
0x00000020 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcCo
ntext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,
pByteOffset=0xD0031B70);
0x00000021 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcCo
ntext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,
pByteOffset=0xD0031B70);
0x00000022 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcCo
ntext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,
pByteOffset=0xD0031B70);
0x00000023 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcCo
ntext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,
pByteOffset=0xD0031B70);
0x00000024 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcCo
ntext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,
pByteOffset=0xD0031B70);
0x00000025 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcCo
ntext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,
pByteOffset=0xD0031B70);
0x00000026 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcCo
ntext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,
pByteOffset=0xD0031B70);
0x00000027 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcCo
ntext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,
pByteOffset=0xD0031B70);
0x00000028 0xD00082D8 0x00026382 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcCo
ntext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,
pByteOffset=0xD0031B70);
0x00000029 0xD00082D8 0x000263D0 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcCo
ntext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,
pByteOffset=0xD0031B70);
0x0000002A 0xD00082D8 0x000263D0 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcCo
ntext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,
pByteOffset=0xD0031B70);
0x0000002B 0xD00082D8 0x000263D0 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcCo
ntext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,
pByteOffset=0xD0031B70);
0x0000002C 0xD00082D8 0x000263D0 NtWriteFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcCo
ntext=0x00000000,pIoStatusBlock=0xD0031B68,pBuffer=0x039B0690,Length=0x00001000,
pByteOffset=0xD0031B70);
0x0000002D 0xD00082D8 0x0002640A NtFsControlFile(FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pA
pcContext=0x00000000,pIoStatusBlock=0xD0031B68,FsControlCode=0x00090020,pInputBu
ffer=0x00000000,InputBufferLength=0x00000000,pOutputBuffer=0x00000000,OutputBuff
erLength=0x00000000);
0x0000002E 0xD00082D8 0x00025A73 NtOpenFile(pFileHandle=0xD0031B94,DesiredAccess=0x00100001(SYNCHRONIZE|FILE_SHAR
E_READ),pObjectAttributes=0xD0031B78{RootDirectory=0x00000000,ObjectName=0xD0031
CAC{Length=0x001D,MaximumLength=0x001E,Buffer=0xD0031BA8{"\Device\Harddisk0\Partition5\& quot;}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD0031B84,S
hareAccess=0x00000003(FILE_SHARE_READ|FILE_SHARE_WRITE),OpenOptions=0x00800021(F
ILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_FREE_SPACE_QUERY))
;
0x0000002F 0xD00082D8 0x00025A8E NtQueryVolumeInformationFile(FileHandle=0x0000000C,pIoStatusBlock=0xD0031B84,pFi
leSystemInformation=0xD0031B60,Length=0x00000018,FileInformationClass=0x00000003
(FileBothDirectoryInformation));
0x00000030 0xD00082D8 0x000268FD NtOpenSymbolicLinkObject(pFileHandle=0xD0030C60,pObjectAttributes=0xD0030C44{Roo
tDirectory=0x00000000,ObjectName=0x00181524{Length=0x0006,MaximumLength=0x0007,B
uffer=0x0015A170{"\??\D:"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)});
0x00000031 0xD00082D8 0x0004D157 NtOpenSymbolicLinkObject(pFileHandle=0xD00310D4,pObjectAttributes=0xD00310AC{Roo
tDirectory=0x00000000,ObjectName=0xD00310C0{Length=0x0006,MaximumLength=0x0007,B
uffer=0x0015A170{"\??\D:"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)});
0x00000032 0xD00082D8 0x00024BCD NtCreateFile(pFileHandle=0xD0031C98,DesiredAccess=0x00100001(SYNCHRONIZE|FILE_SH
ARE_READ),pObjectAttributes=0xD0031C74{RootDirectory=0xFFFFFFFD,ObjectName=0xD00
31C88{Length=0x0011,MaximumLength=0x0012,Buffer=0x00159838{"Z:\categoryvideos& quot;}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD0031C80,A
llocationSize=0x00000000,FileAttributes=0x00000080,ShareAccess=0x00000003(FILE_S
HARE_READ|FILE_SHARE_WRITE),CreateDisposition=0x00000002(FILE_CREATE),CreateOpti
ons=0x00004021(FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BA
CKUP_INTENT));
0x00000033 0xD00082D8 0x00024BCD NtCreateFile(pFileHandle=0xD0031C98,DesiredAccess=0x00100001(SYNCHRONIZE|FILE_SH
ARE_READ),pObjectAttributes=0xD0031C74{RootDirectory=0xFFFFFFFD,ObjectName=0xD00
31C88{Length=0x0011,MaximumLength=0x0012,Buffer=0x00159824{"Z:\offeringvideos& quot;}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD0031C80,A
llocationSize=0x00000000,FileAttributes=0x00000080,ShareAccess=0x00000003(FILE_S
HARE_READ|FILE_SHARE_WRITE),CreateDisposition=0x00000002(FILE_CREATE),CreateOpti
ons=0x00004021(FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BA
CKUP_INTENT));
<snip />
0x000010BB 0xD012FEB8 0x00023120 NtOpenFile(pFileHandle=0xD01A2AB4,DesiredAccess=0x00010000(DELETE),pObjectAttrib
utes=0xD01A2A98{RootDirectory=0xFFFFFFFD,ObjectName=0xD01A2AAC{Length=0x0017,Max
imumLength=0x0018,Buffer=0xD01A2BE4{"Z:\categoryvideos\7.xmv& quot;}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD01A2AA4,S
hareAccess=0x00000007(FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE),OpenOp
tions=0x00004040(FILE_NON_DIRECTORY_FILE|FILE_OPEN_FOR_BACKUP_INTENT));
0x000010BC 0xD012FEB8 0x00022C04 NtCreateFile(pFileHandle=0xD01A2A9C,DesiredAccess=0x40100080(SYNCHRONIZE|GENERIC
_WRITE|FILE_ATTRIBUTE_NORMAL),pObjectAttributes=0xD01A2A80{RootDirectory=0xFFFFF
FFD,ObjectName=0xD01A2A94{Length=0x0017,MaximumLength=0x0018,Buffer=0xD01A2BE4{"Z:\categoryvideos\7.xmv& quot;}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD01A2A8C,A
llocationSize=0x00000000,FileAttributes=0x00000000,ShareAccess=0x00000000(),Crea
teDisposition=0x00000005(FILE_OPEN|FILE_OVERWRITE|FILE_OVERWRITE_IF|FILE_MAXIMUM
_DISPOSITION),CreateOptions=0x00000060(FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIR
ECTORY_FILE));
0x000010BD 0xD012FEB8 0x00022748 NtWriteFile(FileHandle=0x00000020,Event=0x00000000,pApcRoutine=0x00000000,pApcCo
ntext=0x00000000,pIoStatusBlock=0xD01A2AA0,pBuffer=0x02354BE0,Length=0x00079000,
pByteOffset=0x00000000);
0x000010BE 0xD012FEB8 0x00023E3D NtOpenFile(pFileHandle=0xD01A27F4,DesiredAccess=0x00100001(SYNCHRONIZE|FILE_SHAR
E_READ),pObjectAttributes=0xD01A27D0{RootDirectory=0xFFFFFFFD,ObjectName=0xD01A2
7E4{Length=0x0006,MaximumLength=0x0006,Buffer=0xD01A2808{"T:\$C\& quot;}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD01A27C8,S
hareAccess=0x00000003(FILE_SHARE_READ|FILE_SHARE_WRITE),OpenOptions=0x00004021(F
ILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT));
0x000010BF 0xD012FEB8 0x00023E67 NtQueryDirectoryFile(FileHandle=0x00000020,Event=0x00000000,pApcRoutine=0x000000
00,pApcContext=0x00000000,pIoStatusBlock=0xD01A27C8,pFileInformation=0xD01A2680,
Length=0x00000148,FileInformationClass=0x00000001(FileDirectoryInformation),pFil
eMask=0xD01A27DC{Length=0x0001,MaximumLength=0x0001,Buffer=0xD01A280E{"*"}},RestartScan=0x00000000);
0x000010C0 0xD012FEB8 0x00022C04 NtCreateFile(pFileHandle=0xD01A2728,DesiredAccess=0x80100080(SYNCHRONIZE|GENERIC
_READ|FILE_ATTRIBUTE_NORMAL),pObjectAttributes=0xD01A270C{RootDirectory=0xFFFFFF
FD,ObjectName=0xD01A2720{Length=0x0026,MaximumLength=0x0027,Buffer=0xD01A2B00{"T:\$C\4D5300C800000001\ContentMeta.xbx& quot;}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD01A2718,A
llocationSize=0x00000000,FileAttributes=0x00000080,ShareAccess=0x00000001(FILE_S
HARE_READ),CreateDisposition=0x00000001(FILE_OPEN),CreateOptions=0x00000060(FILE
_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE));
0x000010C1 0xD012FEB8 0x00022667 NtReadFile(FileHandle=0x0000001C,Event=0x00000000,pApcRoutine=0x00000000,pApcCon
text=0x00000000,pIoStatusBlock=0xD01A272C,pBuffer=0xD01A275C,Length=0x00000088,p
ByteOffset=0x00000000);
0x000010C2 0xD012FEB8 0x000228D9 NtSetInformationFile(FileHandle=0x0000001C,pIoStatusBlock=0xD01A2728,FileInforma
tion=0xD01A2730,Length=0x00000008,FileInformationClass=0x0000000E(FilePositionIn
formation));
0x000010C3 0xD012FEB8 0x00022667 NtReadFile(FileHandle=0x0000001C,Event=0x00000000,pApcRoutine=0x00000000,pApcCon
text=0x00000000,pIoStatusBlock=0xD01A2714,pBuffer=0xD01A274E,Length=0x00000002,p
ByteOffset=0x00000000);
0x000010C4 0xD012FEB8 0x00022667 NtReadFile(FileHandle=0x0000001C,Event=0x00000000,pApcRoutine=0x00000000,pApcCon
text=0x00000000,pIoStatusBlock=0xD01A25B0,pBuffer=0xD01A25E0,Length=0x00000072,p
ByteOffset=0x00000000);
0x000010C5 0xD012FEB8 0x00022C04 NtCreateFile(pFileHandle=0xD01A28E0,DesiredAccess=0x80100080(SYNCHRONIZE|GENERIC
_READ|FILE_ATTRIBUTE_NORMAL),pObjectAttributes=0xD01A28C4{RootDirectory=0xFFFFFF
FD,ObjectName=0xD01A28D8{Length=0x0020,MaximumLength=0x0021,Buffer=0xD01A2934{"T:\$C\4D5300C800000001\cache.xcd& quot;}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD01A28D0,A
llocationSize=0x00000000,FileAttributes=0x00000080,ShareAccess=0x00000001(FILE_S
HARE_READ),CreateDisposition=0x00000001(FILE_OPEN),CreateOptions=0x00000060(FILE
_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE));
0x000010C6 0xD012FEB8 0x00022C04 NtCreateFile(pFileHandle=0xD01A28D8,DesiredAccess=0x80100080(SYNCHRONIZE|GENERIC
_READ|FILE_ATTRIBUTE_NORMAL),pObjectAttributes=0xD01A28BC{RootDirectory=0xFFFFFF
FD,ObjectName=0xD01A28D0{Length=0x0026,MaximumLength=0x0027,Buffer=0xD01A2934{"T:\$C\4D5300C800000001\gameinfo_EN.bin& quot;}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD01A28C8,A
llocationSize=0x00000000,FileAttributes=0x00000000,ShareAccess=0x00000000(),Crea
teDisposition=0x00000001(FILE_OPEN),CreateOptions=0x00000064(FILE_SEQUENTIAL_ONL
Y|FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE));
0x000010C7 0xD012FEB8 0x00022C04 NtCreateFile(pFileHandle=0xD01A28D8,DesiredAccess=0x80100080(SYNCHRONIZE|GENERIC
_READ|FILE_ATTRIBUTE_NORMAL),pObjectAttributes=0xD01A28BC{RootDirectory=0xFFFFFF
FD,ObjectName=0xD01A28D0{Length=0x0023,MaximumLength=0x0024,Buffer=0xD01A2934{"T:\$C\4D5300C800000001\gameinfo.bin& quot;}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD01A28C8,A
llocationSize=0x00000000,FileAttributes=0x00000000,ShareAccess=0x00000000(),Crea
teDisposition=0x00000001(FILE_OPEN),CreateOptions=0x00000064(FILE_SEQUENTIAL_ONL
Y|FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE));
0x000010C8 0xD012FEB8 0x00022A7E NtQueryInformationFile(FileHandle=0x0000001C,pIoStatusBlock=0xD01A28D0,pFileInfo
rmation=0xD01A2898,Length=0x00000038,FileInformationClass=0x00000022(FileNetwork
OpenInformation));
0x000010C9 0xD012FEB8 0x00022667 NtReadFile(FileHandle=0x0000001C,Event=0x00000000,pApcRoutine=0x00000000,pApcCon
text=0x00000000,pIoStatusBlock=0xD01A28DC,pBuffer=0x039D56C0,Length=0x0000E95C,p
ByteOffset=0x00000000);
0x000010CA 0xD012FEB8 0x00022C04 NtCreateFile(pFileHandle=0xD01A1FC4,DesiredAccess=0x80100080(SYNCHRONIZE|GENERIC
_READ|FILE_ATTRIBUTE_NORMAL),pObjectAttributes=0xD01A1FA8{RootDirectory=0xFFFFFF
FD,ObjectName=0xD01A1FBC{Length=0x0026,MaximumLength=0x0027,Buffer=0xD01A212C{"T:\$C\4D5300C800000001\ContentMeta.xbx& quot;}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD01A1FB4,A
llocationSize=0x00000000,FileAttributes=0x00000000,ShareAccess=0x00000001(FILE_S
HARE_READ),CreateDisposition=0x00000001(FILE_OPEN),CreateOptions=0x00000060(FILE
_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE));
0x000010CB 0xD012FEB8 0x00023468 NtReadFile(FileHandle=0x0000001C,Event=0x00000000,pApcRoutine=0x00000000,pApcCon
text=0x00000000,pIoStatusBlock=0xD01A1FCC,pBuffer=0xD01A206C,Length=0x0000001C,p
ByteOffset=0xD01A1FC4);
0x000010CC 0xD012FEB8 0x00023498 NtReadFile(FileHandle=0x0000001C,Event=0x00000000,pApcRoutine=0x00000000,pApcCon
text=0x00000000,pIoStatusBlock=0xD01A1FCC,pBuffer=0xD01A2088,Length=0x0000006C,p
ByteOffset=0x00000000);
0x000010CD 0xD012FEB8 0x00022622 NtReadFile(FileHandle=0x0000001C,Event=0x00000000,pApcRoutine=0x00000000,pApcCon
text=0xD01A2108,pIoStatusBlock=0xD01A2108,pBuffer=0x03FD3AC8,Length=0x0000012C,p
ByteOffset=0xD01A1FC0);
0x000010CE 0xD012FEB8 0x00023E3D NtOpenFile(pFileHandle=0xD01A2234,DesiredAccess=0x00100001(SYNCHRONIZE|FILE_SHAR
E_READ),pObjectAttributes=0xD01A2210{RootDirectory=0xFFFFFFFD,ObjectName=0xD01A2
224{Length=0x0017,MaximumLength=0x0017,Buffer=0x03FD3CD0{"T:\$C\4D5300C800000001\& quot;}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD01A2208,S
hareAccess=0x00000003(FILE_SHARE_READ|FILE_SHARE_WRITE),OpenOptions=0x00004021(F
ILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT));
0x000010CF 0xD012FEB8 0x00023E67 NtQueryDirectoryFile(FileHandle=0x0000001C,Event=0x00000000,pApcRoutine=0x000000
00,pApcContext=0x00000000,pIoStatusBlock=0xD01A2208,pFileInformation=0xD01A20C0,
Length=0x00000148,FileInformationClass=0x00000001(FileDirectoryInformation),pFil
eMask=0xD01A221C{Length=0x0000,MaximumLength=0x0003,Buffer=0x03FD3CE7{""}},RestartScan=0x00000000);
0x000010D0 0xD012FEB8 0x00022C04 NtCreateFile(pFileHandle=0xD01A2214,DesiredAccess=0x80100080(SYNCHRONIZE|GENERIC
_READ|FILE_ATTRIBUTE_NORMAL),pObjectAttributes=0xD01A21F8{RootDirectory=0xFFFFFF
FD,ObjectName=0xD01A220C{Length=0x0027,MaximumLength=0x0028,Buffer=0x03FD3D40{"T:\$C\4D5300C800000001\contentimage.xbx& quot;}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD01A2204,A
llocationSize=0x00000000,FileAttributes=0x00000000,ShareAccess=0x00000001(FILE_S
HARE_READ),CreateDisposition=0x00000001(FILE_OPEN),CreateOptions=0x00000064(FILE
_SEQUENTIAL_ONLY|FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE));
0x000010D1 0xD012FEB8 0x00022A7E NtQueryInformationFile(FileHandle=0x00000024,pIoStatusBlock=0xD01A220C,pFileInfo
rmation=0xD01A21D4,Length=0x00000038,FileInformationClass=0x00000022(FileNetwork
OpenInformation));
0x000010D2 0xD012FEB8 0x00022667 NtReadFile(FileHandle=0x00000024,Event=0x00000000,pApcRoutine=0x00000000,pApcCon
text=0x00000000,pIoStatusBlock=0xD01A2218,pBuffer=0x039E5000,Length=0x0000C036,p
ByteOffset=0x00000000);
0x000010D3 0xD012FEB8 0x00023ECE NtQueryDirectoryFile(FileHandle=0x0000001C,Event=0x00000000,pApcRoutine=0x000000
00,pApcContext=0x00000000,pIoStatusBlock=0xD01A2224,pFileInformation=0xD01A20DC,
Length=0x00000148,FileInformationClass=0x00000001(FileDirectoryInformation),pFil
eMask=0x00000000,RestartScan=0x00000000);
0x000010D4 0xD012FEB8 0x00023ECE NtQueryDirectoryFile(FileHandle=0x0000001C,Event=0x00000000,pApcRoutine=0x000000
00,pApcContext=0x00000000,pIoStatusBlock=0xD01A2224,pFileInformation=0xD01A20DC,
Length=0x00000148,FileInformationClass=0x00000001(FileDirectoryInformation),pFil
eMask=0x00000000,RestartScan=0x00000000);
0x000010D5 0xD012FEB8 0x00023ECE NtQueryDirectoryFile(FileHandle=0x0000001C,Event=0x00000000,pApcRoutine=0x000000
00,pApcContext=0x00000000,pIoStatusBlock=0xD01A2224,pFileInformation=0xD01A20DC,
Length=0x00000148,FileInformationClass=0x00000001(FileDirectoryInformation),pFil
eMask=0x00000000,RestartScan=0x00000000);
0x000010D6 0xD012FEB8 0x00022C04 NtCreateFile(pFileHandle=0xD01A2214,DesiredAccess=0x80100080(SYNCHRONIZE|GENERIC
_READ|FILE_ATTRIBUTE_NORMAL),pObjectAttributes=0xD01A21F8{RootDirectory=0xFFFFFF
FD,ObjectName=0xD01A220C{Length=0x0023,MaximumLength=0x0024,Buffer=0x03FD3D10{"T:\$C\4D5300C800000001\gameinfo.bin& quot;}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD01A2204,A
llocationSize=0x00000000,FileAttributes=0x00000000,ShareAccess=0x00000001(FILE_S
HARE_READ),CreateDisposition=0x00000001(FILE_OPEN),CreateOptions=0x00000064(FILE
_SEQUENTIAL_ONLY|FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE));
0x000010D7 0xD012FEB8 0x00022A7E NtQueryInformationFile(FileHandle=0x00000024,pIoStatusBlock=0xD01A220C,pFileInfo
rmation=0xD01A21D4,Length=0x00000038,FileInformationClass=0x00000022(FileNetwork
OpenInformation));
0x000010D8 0xD012FEB8 0x00022667 NtReadFile(FileHandle=0x00000024,Event=0x00000000,pApcRoutine=0x00000000,pApcCon
text=0x00000000,pIoStatusBlock=0xD01A2218,pBuffer=0x039E5000,Length=0x0000E95C,p
ByteOffset=0x00000000);
0x000010D9 0xD012FEB8 0x00023ECE NtQueryDirectoryFile(FileHandle=0x0000001C,Event=0x00000000,pApcRoutine=0x000000
00,pApcContext=0x00000000,pIoStatusBlock=0xD01A2224,pFileInformation=0xD01A20DC,
Length=0x00000148,FileInformationClass=0x00000001(FileDirectoryInformation),pFil
eMask=0x00000000,RestartScan=0x00000000);
0x000010DA 0xD012FEB8 0x00022C04 NtCreateFile(pFileHandle=0xD01A2214,DesiredAccess=0x80100080(SYNCHRONIZE|GENERIC
_READ|FILE_ATTRIBUTE_NORMAL),pObjectAttributes=0xD01A21F8{RootDirectory=0xFFFFFF
FD,ObjectName=0xD01A220C{Length=0x0024,MaximumLength=0x0025,Buffer=0x03FD3D10{"T:\$C\4D5300C800000001\gameinfo.list& quot;}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD01A2204,A
llocationSize=0x00000000,FileAttributes=0x00000000,ShareAccess=0x00000001(FILE_S
HARE_READ),CreateDisposition=0x00000001(FILE_OPEN),CreateOptions=0x00000064(FILE
_SEQUENTIAL_ONLY|FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE));
0x000010DB 0xD012FEB8 0x00022A7E NtQueryInformationFile(FileHandle=0x00000024,pIoStatusBlock=0xD01A220C,pFileInfo
rmation=0xD01A21D4,Length=0x00000038,FileInformationClass=0x00000022(FileNetwork
OpenInformation));
0x000010DC 0xD012FEB8 0x00022667 NtReadFile(FileHandle=0x00000024,Event=0x00000000,pApcRoutine=0x00000000,pApcCon
text=0x00000000,pIoStatusBlock=0xD01A2218,pBuffer=0x039E5000,Length=0x00000016,p
ByteOffset=0x00000000);
0x000010DD 0xD012FEB8 0x00023ECE NtQueryDirectoryFile(FileHandle=0x0000001C,Event=0x00000000,pApcRoutine=0x000000
00,pApcContext=0x00000000,pIoStatusBlock=0xD01A2224,pFileInformation=0xD01A20DC,
Length=0x00000148,FileInformationClass=0x00000001(FileDirectoryInformation),pFil
eMask=0x00000000,RestartScan=0x00000000);
0x000010DE 0xD012FEB8 0x00022C04 NtCreateFile(pFileHandle=0xD01A2214,DesiredAccess=0x80100080(SYNCHRONIZE|GENERIC
_READ|FILE_ATTRIBUTE_NORMAL),pObjectAttributes=0xD01A21F8{RootDirectory=0xFFFFFF
FD,ObjectName=0xD01A220C{Length=0x0026,MaximumLength=0x0027,Buffer=0x03FD3CE0{"T:\$C\4D5300C800000001\gameinfo_FR.bin& quot;}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pIoStatusBlock=0xD01A2204,A
llocationSize=0x00000000,FileAttributes=0x00000000,ShareAccess=0x00000001(FILE_S
HARE_READ),CreateDisposition=0x00000001(FILE_OPEN),CreateOptions=0x00000064(FILE
_SEQUENTIAL_ONLY|FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE));
0x000010DF 0xD012FEB8 0x00022A7E NtQueryInformationFile(FileHandle=0x00000024,pIoStatusBlock=0xD01A220C,pFileInfo
rmation=0xD01A21D4,Length=0x00000038,FileInformationClass=0x00000022(FileNetwork
OpenInformation));
0x000010E0 0xD012FEB8 0x00022667 NtReadFile(FileHandle=0x00000024,Event=0x00000000,pApcRoutine=0x00000000,pApcCon
text=0x00000000,pIoStatusBlock=0xD01A2218,pBuffer=0x039E5000,Length=0x0000E95C,p
ByteOffset=0x00000000);
0x000010E1 0xD012FEB8 0x00023ECE NtQueryDirectoryFile(FileHandle=0x0000001C,Event=0x00000000,pApcRoutine=0x000000
00,pApcContext=0x00000000,pIoStatusBlock=0xD01A2224,pFileInformation=0xD01A20DC,
Length=0x00000148,FileInformationClass=0x00000001(FileDirectoryInformation),pFil
eMask=0x00000000,RestartScan=0x00000000);
0x000010E2 0xD012FEB8 0x00023043 NtQueryFullAttributesFile(pObjectAttributes=0xD01A25A4{RootDirectory=0xFFFFFFFD,
ObjectName=0xD01A25B0{Length=0x0022,MaximumLength=0x0023,Buffer=0xD01A25CC{"T:\$C\4D5300C800000001\default.xbe"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pAttributes=0xD01A256C);
0x000010E3 0xD012FEB8 0x00023043 NtQueryFullAttributesFile(pObjectAttributes=0xD01A25A4{RootDirectory=0xFFFFFFFD,
ObjectName=0xD01A25B0{Length=0x0027,MaximumLength=0x0028,Buffer=0xD01A25CC{"T:\$C\4D5300C800000001\contentimage.xbx"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pAttributes=0xD01A256C);
0x000010E4 0xD012FEB8 0x00023043 NtQueryFullAttributesFile(pObjectAttributes=0xD01A25A4{RootDirectory=0xFFFFFFFD,
ObjectName=0xD01A25B0{Length=0x0023,MaximumLength=0x0024,Buffer=0xD01A25CC{"T:\$C\4D5300C800000001\gameinfo.bin"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE)},pAttributes=0xD01A256C);
<snip />

Enjoy

DaddyJ · « **Reply #2 on:** November 04, 2005, 06:10:00 AM »

Nice work, once again Pedro.....

QUOTE(Pedro)

abandonware

I like that!!!!

Angerwound · « **Reply #3 on:** November 04, 2005, 10:06:00 AM »

Genius!

pepe2004 · « **Reply #4 on:** November 04, 2005, 12:12:00 PM »

Sorry for the question, what this program does?, it make a registry of what the xbox does?, just curiosity

xman954 · « **Reply #5 on:** November 04, 2005, 12:13:00 PM »

VERY NICE

going to dive into this later tonight...
a few questions on your "abandonware"

QUOTE

Usage:
APIReporter <filename> [offset (in Hex)] [/STRINGS][>APIReport.txt]
e.g.
APIReporter APILog.d8a >VerboseReport.txt
APIReporter APILog.d8a 0 /STRINGS >StringsReport.txt

in APIReporter
is the "offset in hex" the record number to start the output file from ?
are there any other arguments that can be passed ?

also what is "\Device\Harddisk0\partition1\& quot"

krayzie · « **Reply #6 on:** November 04, 2005, 01:08:00 PM »

QUOTE(pepe2004 @ Nov 4 2005, 08:12 PM)

Sorry for the question, what this program does?, it make a registry of what the xbox does?, just curiosity

QUOTE

Description:
Applications executing on the XBOX make frequent calls into the XBOX kernel in order to accomplish things. The group of functions that the kernel exports for use by applications is known as the Kernel API (Applications Programming Interface). An insight into the operation of the application can be gained by observing the calls it makes to the kernel.

In simple English: It shows what calls xbe files make to the kernel when executed..

PedrosPad · « **Reply #7 on:** November 04, 2005, 03:14:00 PM »

QUOTE(krayzie @ Nov 4 2005, 09:08 PM)

QUOTE

Description:
Applications executing on the XBOX make frequent calls into the XBOX kernel in order to accomplish things. The group of functions that the kernel exports for use by applications is known as the Kernel API (Applications Programming Interface). An insight into the operation of the application can be gained by observing the calls it makes to the kernel.

In simple English: It shows what calls xbe files make to the kernel when executed..

Sorry. Wrote it at work (I get paid by the word ).

PedrosPad · « **Reply #8 on:** November 04, 2005, 03:29:00 PM »

QUOTE(xman954 @ Nov 4 2005, 08:13 PM)

a few questions on your "abandonware"

in APIReporter
is the "offset in hex" the record number to start the output file from ?
are there any other arguments that can be passed ?

I dont believe the parameter is needed anymore. An earlier version of the APILogger XBOX component used to write out corrupt data capture files occasionally (caused by some non-thread-safe code

). I used to use the hex offset parameter to access the first good record in the file following the corruption.

QUOTE(xman954 @ Nov 4 2005, 08:13 PM)

also what is "\Device\Harddisk0\partition1\& quot"

Some character strings are prefixed by their length (just like a Windows BSTR), and arent null terminated. In practice most the strings encountered were also null terminated. Thus I didnt bother to code specific support for length-prefixed-strings into the APIReporter. Consequently, occasionally you find one that isnt null terminated, and the garbage following the true string is sometimes accidentally output.

morbidpete · « **Reply #9 on:** November 04, 2005, 05:12:00 PM »

so ahh. whats this mean for the homebrew or hacking scene?

PedrosPad · « **Reply #10 on:** November 04, 2005, 11:12:00 PM »

QUOTE(morbidpete @ Nov 5 2005, 01:19 AM)

so ahh. whats this mean for the homebrew or hacking scene?

Nada.

As the XBOX1 nears the end of its operational life, Angerwound has led the way in releasing previously closed-group utils. The motive for his release was simply to provide a historic record, and contribute additional information to the curious. However his revelation and description of FuckM$ has provided stimulus to a new generation of enthusiasts who are even now looking at unforeseen practical uses for his techniques.

I thought I'd contribute similarly by releasing the completed second version of my APILogger (completed = as far as I intended too anyway ). It was completed at the beginning of the year, but is trickier to use, and less stable, than version 1 (which is the reason it wasnt released BTW.).

APILogger was initially developed to aid me in the search for a http://forums.xbox-scene.com/index.php?showtopic=278283&view=findpost&p=1838750. It provided a quick insight into the operation of candidate XBEs without having to enter into a lengthy, and often fruitless, disassembly analysis.

X360 is as yet uncharted territory, and will provide an fresh opportunity for many whom homed their skills on XBOX1 to contribute. It is my hope that these releases will enthuse, educate, and inspire such individuals.

The unofficial response? Angerwound has started a pissing contest!

Angerwound · « **Reply #11 on:** November 04, 2005, 11:20:00 PM »

QUOTE(PedrosPad @ Nov 5 2005, 12:12 AM)

The unofficial response? Angerwound has started a pissing contest!

Haha...

Keo-Keo · « **Reply #12 on:** November 05, 2005, 11:43:00 AM »

Wow PedrosPad i had love your 1st API logger! And was glade to hear V2 is out.. Nice work!!! :-D

_Keo

globe_guyx · « **Reply #13 on:** November 05, 2005, 04:00:00 PM »

Good job. Guess what. I have no complaints..

xman954 · « **Reply #14 on:** November 06, 2005, 10:10:00 PM »

APIlogger V1 works fine...
APIlogger V2 well, it does not like my xbox for some reason

EVERYTHING i try just turns the led to orange then hangs with a black screen.
habibi signed evox, configmagic
tried APIloggerHDD.xbe as is.
compiled a new one with just 4 things to log

CODE

DetourKernelCall NtCreateFile; Ordinal number 190
DetourKernelCall NtOpenFile; Ordinal number 202
DetourKernelCall NtReadFile; Ordinal number 219
DetourKernelCall NtWriteFile; Ordinal number 236

started to get desperate so I edited ernie.xtf to point to the APIlogger directly
still no go, then decided to put the patch back M$ KEY code in the start of the logger
(xboxapps.asm) then directed it to log C:\settings_adoc.xip and it worked
logged this (went back to default logger settings +2 others with patch back code in it)

CODE

0x00000000 0xD0008358 0x00022356 IoCreateSymbolicLink(UnknownArgs=54A70600 5CA70600 );
0x00000001 0xD0008358 0x0001E5D8 IoCreateSymbolicLink(UnknownArgs=24A70600 2CA70600 );
0x00000002 0xD0008358 0x00028C5D NtCreateFile(pFileHandle=0xD0031B64,DesiredAccess=0x80100080(SYNCHRONIZE|GENERIC_READ|FILE_ATTRIBUTE_NORMAL& #41;,pObjectAttributes=0xD0031B48{RootDirectory=0xFFFFFFFD,ObjectName=0xD0031B5C
{Length=0x0030,MaximumLength=0x0031,Buffer=0xD0031C08{"y:\Audio\AmbientAudio\AMB_12_HYDROTHUNDER_LR.wav"}},Attributes=0x00000040(OBJ_CASE_INSENSITIVE& #41;},pIoStatusBlock=0xD0031B54,AllocationSize=0x00000000,FileAttributes=0x00000
000,ShareAccess=0x00000001(FILE_SHARE_READ),CreateDisposition=0x00000001(FILE_OPEN),CreateOptions=0x00000060(FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE));

0x00000012 0xD0008358 0x000288EB NtReadFile& #40;FileHandle=0x0000000C,Event=0x00000000,pApcRoutine=0x00000000,pApcContext=0x
00000000,pIoStatusBlock=0xD0031B58,pBuffer=0x80FD7000,Length=0x006261A8,pByteOff
set=0x00000000);

so at least i got it to work so my setup is ok (with chip on or off)
but it will not work with any other xbe (habibi or M$ signed)
tried xboxdash.xbe, xonlinedash.xbe
xbox is K4034
is there anything i can do to make it work...

Author Topic: Apilogger V2 (Read 198 times)