Absolutely not. That's why we need to add more validation code that decides when to modify the year bits. asm495 did a great work by finding that the 5D loop (the loop that regenerate the code that compare the year to 2008) is called twice when using regsvr32. However, it's very much possible that Media Center uses that same loop for other code generation. To know it for sure, we will have to debug Media Center and find out when the loop is called.

With my Dll, is media center crashing as soon as it starts or only when trying to tune an H.264 channel?

xs4all:

With my Dll, is media center crashing as soon as it starts or only when trying to tune an H.264 channel?

Only when you select any SD or HD tv channel.

xs4all:

Absolutely not. That's why we need to add more validation code that decides when to modify the year bits. asm495 did a great work by finding that the 5D loop (the loop that regenerate the code that compare the year to 2008) is called twice when using regsvr32. However, it's very much possible that Media Center uses that same loop for other code generation. To know it for sure, we will have to debug Media Center and find out when the loop is called.

With my Dll, is media center crashing as soon as it starts or only when trying to tune an H.264 channel?

There are 3 main loops I've discovered which call the same 3 sub-loops (using different data).

The 3 sub-loops do the following:

1. Copying 1000h worth of data from one location to another:

CPU Disasm
Address Hex dump Command Comments
6ECF45FE |> /8B3402 /MOV ESI,DWORD PTR DS:[EAX+EDX]
6ECF4601 |. |8930 |MOV DWORD PTR DS:[EAX],ESI
6ECF4603 |. |83C0 04 |ADD EAX,4
6ECF4606 |. |83E9 01 |SUB ECX,1
6ECF4609 |.^\75 F3 \JNE SHORT 6ECF45FE

2. Taking data from the original DLL and putting it through a complex set of conversions to end up with new code (on the 3rd time this loop is reached is when the date piece of code is created). This new code is created at some area in the 1000h of data created in 1.

CPU Disasm
Address Hex dump Command Comments
6ECF4944 |> /F645 D0 01 /TEST BYTE PTR SS:[EBP-30],01
6ECF4948 |. |8A07 |MOV AL,BYTE PTR DS:[EDI]
6ECF494A |. |0F84 92000000 |JE 6ECF49E2
6ECF4950 |. |8A4D E3 |MOV CL,BYTE PTR SS:[EBP-1D]
6ECF4953 |. |8AD9 |MOV BL,CL
6ECF4955 |. |32D8 |XOR BL,AL
6ECF4957 |. |80E3 01 |AND BL,01
6ECF495A |. |0FB6D1 |MOVZX EDX,CL
6ECF495D |. |0FB6C0 |MOVZX EAX,AL
6ECF4960 |. |74 1A |JE SHORT 6ECF497C
6ECF4962 |. |0FB64D E2 |MOVZX ECX,BYTE PTR SS:[EBP-1E]
6ECF4966 |. |8BF2 |MOV ESI,EDX
6ECF4968 |. |D1EE |SHR ESI,1
6ECF496A |. |D1E9 |SHR ECX,1
6ECF496C |. |33CE |XOR ECX,ESI
6ECF496E |. |8BF0 |MOV ESI,EAX
6ECF4970 |. |81F6 00010000 |XOR ESI,00000100
6ECF4976 |. |D1FE |SAR ESI,1
6ECF4978 |. |33CE |XOR ECX,ESI
6ECF497A |. |EB 06 |JMP SHORT 6ECF4982
6ECF497C |> |8BC8 |MOV ECX,EAX
6ECF497E |. |33CA |XOR ECX,EDX
6ECF4980 |. |D1E9 |SHR ECX,1
6ECF4982 |> |0FB677 FF |MOVZX ESI,BYTE PTR DS:[EDI-1]
6ECF4986 |. |33CE |XOR ECX,ESI
6ECF4988 |. |F6C1 01 |TEST CL,01
6ECF498B |. |74 35 |JE SHORT 6ECF49C2
6ECF498D |. |84DB |TEST BL,BL
6ECF498F |. |74 15 |JE SHORT 6ECF49A6
6ECF4991 |. |0FB64D E2 |MOVZX ECX,BYTE PTR SS:[EBP-1E]
6ECF4995 |. |D1E9 |SHR ECX,1
6ECF4997 |. |D1EA |SHR EDX,1
6ECF4999 |. |35 00010000 |XOR EAX,00000100
6ECF499E |. |33CA |XOR ECX,EDX
6ECF49A0 |. |D1F8 |SAR EAX,1
6ECF49A2 |. |33C8 |XOR ECX,EAX
6ECF49A4 |. |EB 06 |JMP SHORT 6ECF49AC
6ECF49A6 |> |33C2 |XOR EAX,EDX
6ECF49A8 |. |D1E8 |SHR EAX,1
6ECF49AA |. |8BC8 |MOV ECX,EAX
6ECF49AC |> |0FB645 E5 |MOVZX EAX,BYTE PTR SS:[EBP-1B]
6ECF49B0 |. |D1E8 |SHR EAX,1
6ECF49B2 |. |33CE |XOR ECX,ESI
6ECF49B4 |. |35 80000000 |XOR EAX,00000080
6ECF49B9 |. |D1F9 |SAR ECX,1
6ECF49BB |. |33C1 |XOR EAX,ECX
6ECF49BD |. |E9 B3000000 |JMP 6ECF4A75
6ECF49C2 |> |84DB |TEST BL,BL
6ECF49C4 |. |0F84 9F000000 |JE 6ECF4A69
6ECF49CA |. |0FB64D E2 |MOVZX ECX,BYTE PTR SS:[EBP-1E]
6ECF49CE |. |D1E9 |SHR ECX,1
6ECF49D0 |. |D1EA |SHR EDX,1
6ECF49D2 |. |35 00010000 |XOR EAX,00000100
6ECF49D7 |. |33CA |XOR ECX,EDX
6ECF49D9 |. |D1F8 |SAR EAX,1
6ECF49DB |. |33C8 |XOR ECX,EAX
6ECF49DD |. |E9 8D000000 |JMP 6ECF4A6F
6ECF49E2 |> |8A5D E1 |MOV BL,BYTE PTR SS:[EBP-1F]
6ECF49E5 |. |0FB655 E1 |MOVZX EDX,BYTE PTR SS:[EBP-1F]
6ECF49E9 |. |32D8 |XOR BL,AL
6ECF49EB |. |80E3 01 |AND BL,01
6ECF49EE |. |0FB6C0 |MOVZX EAX,AL
6ECF49F1 |. |74 1A |JE SHORT 6ECF4A0D
6ECF49F3 |. |0FB64D E0 |MOVZX ECX,BYTE PTR SS:[EBP-20]
6ECF49F7 |. |8BF2 |MOV ESI,EDX
6ECF49F9 |. |D1EE |SHR ESI,1
6ECF49FB |. |D1E9 |SHR ECX,1
6ECF49FD |. |33CE |XOR ECX,ESI
6ECF49FF |. |8BF0 |MOV ESI,EAX
6ECF4A01 |. |81F6 00010000 |XOR ESI,00000100
6ECF4A07 |. |D1FE |SAR ESI,1
6ECF4A09 |. |33CE |XOR ECX,ESI
6ECF4A0B |. |EB 06 |JMP SHORT 6ECF4A13
6ECF4A0D |> |8BC8 |MOV ECX,EAX
6ECF4A0F |. |33CA |XOR ECX,EDX
6ECF4A11 |. |D1E9 |SHR ECX,1
6ECF4A13 |> |0FB677 FF |MOVZX ESI,BYTE PTR DS:[EDI-1]
6ECF4A17 |. |33CE |XOR ECX,ESI
6ECF4A19 |. |F6C1 01 |TEST CL,01
6ECF4A1C |. |74 32 |JE SHORT 6ECF4A50
6ECF4A1E |. |84DB |TEST BL,BL
6ECF4A20 |. |74 15 |JE SHORT 6ECF4A37
6ECF4A22 |. |0FB64D E0 |MOVZX ECX,BYTE PTR SS:[EBP-20]
6ECF4A26 |. |D1E9 |SHR ECX,1
6ECF4A28 |. |D1EA |SHR EDX,1
6ECF4A2A |. |35 00010000 |XOR EAX,00000100
6ECF4A2F |. |33CA |XOR ECX,EDX
6ECF4A31 |. |D1F8 |SAR EAX,1
6ECF4A33 |. |33C8 |XOR ECX,EAX
6ECF4A35 |. |EB 06 |JMP SHORT 6ECF4A3D
6ECF4A37 |> |33C2 |XOR EAX,EDX
6ECF4A39 |. |D1E8 |SHR EAX,1
6ECF4A3B |. |8BC8 |MOV ECX,EAX
6ECF4A3D |> |0FB645 E4 |MOVZX EAX,BYTE PTR SS:[EBP-1C]
6ECF4A41 |. |D1E8 |SHR EAX,1
6ECF4A43 |. |33CE |XOR ECX,ESI
6ECF4A45 |. |35 80000000 |XOR EAX,00000080
6ECF4A4A |. |D1F9 |SAR ECX,1
6ECF4A4C |. |33C1 |XOR EAX,ECX
6ECF4A4E |. |EB 25 |JMP SHORT 6ECF4A75
6ECF4A50 |> |84DB |TEST BL,BL
6ECF4A52 |. |74 15 |JE SHORT 6ECF4A69
6ECF4A54 |. |0FB64D E0 |MOVZX ECX,BYTE PTR SS:[EBP-20]
6ECF4A58 |. |D1E9 |SHR ECX,1
6ECF4A5A |. |D1EA |SHR EDX,1
6ECF4A5C |. |35 00010000 |XOR EAX,00000100
6ECF4A61 |. |33CA |XOR ECX,EDX
6ECF4A63 |. |D1F8 |SAR EAX,1
6ECF4A65 |. |33C8 |XOR ECX,EAX
6ECF4A67 |. |EB 06 |JMP SHORT 6ECF4A6F
6ECF4A69 |> |33C2 |XOR EAX,EDX
6ECF4A6B |. |D1E8 |SHR EAX,1
6ECF4A6D |. |8BC8 |MOV ECX,EAX
6ECF4A6F |> |33CE |XOR ECX,ESI
6ECF4A71 |. |D1F9 |SAR ECX,1
6ECF4A73 |. |8BC1 |MOV EAX,ECX
6ECF4A75 |> |8B55 C0 |MOV EDX,DWORD PTR SS:[EBP-40]
6ECF4A78 |. |3045 EB |XOR BYTE PTR SS:[EBP-15],AL
6ECF4A7B |. |88043A |MOV BYTE PTR DS:[EDI+EDX],AL
6ECF4A7E |. |8B45 D0 |MOV EAX,DWORD PTR SS:[EBP-30]
6ECF4A81 |. |83E8 01 |SUB EAX,1
6ECF4A84 |. |83EF 01 |SUB EDI,1
6ECF4A87 |. |85C0 |TEST EAX,EAX
6ECF4A89 |. |8945 D0 |MOV DWORD PTR SS:[EBP-30],EAX
6ECF4A8C |.^\0F87 B2FEFFFF \JA 6ECF4944

3. Not really sure what this loop does as I've not investigated it because it did not seem to have anything to do with the date issue. Again this modifies the data created in 1.

CPU Disasm
Address Hex dump Command Comments
6ECF4B8C |> /8B04BD D860C8 /MOV EAX,DWORD PTR DS:[EDI*4+6EC860D8]
6ECF4B93 |. |8BF0 |MOV ESI,EAX
6ECF4B95 |. |81E6 FFFFFF0F |AND ESI,0FFFFFFF
6ECF4B9B |. |3B75 C0 |CMP ESI,DWORD PTR SS:[EBP-40]
6ECF4B9E |. |73 4A |JNB SHORT 6ECF4BEA
6ECF4BA0 |. |8BC8 |MOV ECX,EAX
6ECF4BA2 |. |03C0 |ADD EAX,EAX
6ECF4BA4 |. |03C0 |ADD EAX,EAX
6ECF4BA6 |. |C1F8 1E |SAR EAX,1E
6ECF4BA9 |. |C1F9 1E |SAR ECX,1E
6ECF4BAC |. |83E0 03 |AND EAX,00000003 ; Switch (cases 0..3, 4 exits)
6ECF4BAF |. |83E1 03 |AND ECX,00000003
6ECF4BB2 |. |33D2 |XOR EDX,EDX
6ECF4BB4 |. |83E8 01 |SUB EAX,1
6ECF4BB7 |. |74 14 |JE SHORT 6ECF4BCD
6ECF4BB9 |. |83E8 01 |SUB EAX,1
6ECF4BBC |. |74 0A |JE SHORT 6ECF4BC8
6ECF4BBE |. |83E8 01 |SUB EAX,1
6ECF4BC1 |. |75 10 |JNE SHORT 6ECF4BD3
6ECF4BC3 |. |8B55 DC |MOV EDX,DWORD PTR SS:[EBP-24] ; Case 3 of switch MSDTVVDEC.6ECF4BAC
6ECF4BC6 |. |EB 0B |JMP SHORT 6ECF4BD3
6ECF4BC8 |> |8B55 CC |MOV EDX,DWORD PTR SS:[EBP-34] ; Case 2 of switch MSDTVVDEC.6ECF4BAC
6ECF4BCB |. |EB 06 |JMP SHORT 6ECF4BD3
6ECF4BCD |> |8B55 DC |MOV EDX,DWORD PTR SS:[EBP-24] ; Case 1 of switch MSDTVVDEC.6ECF4BAC
6ECF4BD0 |. |2B55 CC |SUB EDX,DWORD PTR SS:[EBP-34]
6ECF4BD3 |> |83E9 02 |SUB ECX,2 ; Case 0 of switch MSDTVVDEC.6ECF4BAC
6ECF4BD6 |. |75 07 |JNE SHORT 6ECF4BDF
6ECF4BD8 |. |019433 0000C8 |ADD DWORD PTR DS:[ESI+EBX+6ECF4BDF |> |83C7 01 |ADD EDI,1
6ECF4BE2 |. |3B3D D460C86E |CMP EDI,DWORD PTR DS:[6EC860D4]
6ECF4BE8 |.^\72 A2 \JB SHORT 6ECF4B8C

I don't think the problem is with this at all though. I think there is something else going on when decoding needs to happen - maybe another date check there.

Just a note to Microsoft... there have been over 27,000 views of this thread.  Surely that indicates there is huge demand for H.264 on Media Center.

God d.mn great big corporate machine, we do it our way, regardless of what U think or say...

Do we care.. no we don´t, we will grease you up, so that you´ll want Windows 7 soooooo bad.... mooooohahahaaahaaa.... get ready to be redeemed once again by our all caring loving father, Microsoft.

Oh yes we have an office in Ireland dedicated to all our European children, we will take good care of you all..

We are the itch you can´t scratch...

I just realized something disturbing, I can´t live without my mediacenter and I will be buying Windows 7 too...

.... I´m stuck in this hell and I can´t get out....  But do I really want to leave anyway....

No wonder they had to cut out all the features of the TV-Pack since they apparently had to use all their time and effort preventing the users from actually being able to use them...

asm495:

I don't think the problem is with this at all though. I think there is something else going on when decoding needs to happen - maybe another date check there.

Is that results from debugging media center?

xs4all:

asm495:

I don't think the problem is with this at all though. I think there is something else going on when decoding needs to happen - maybe another date check there.

Is that results from debugging media center?

No evidence to back that up other than the fact that we've bypassed the date check now and that the error only occurs when playing back content.  I'll try and see if there is any way I can attach to Media Center with a debugger just to quickly see where the error is happening.  If there is another date check (which is what I suspect is happening considering I can't think what else would fail) then with any luck it will be based around the same code process and will be fairly easy to fix.

I've noticed that the .dll's you uploaded have a modified date of 18/09/2008

Would it be worth tring the the following;

Setting the clock back and resaving the dll at the original date that MS did it?

Just an idea?  maybe the .dll also checks when the file was created?

 

D

Just having a quick scan through the code again to see if I could spot anything in IDA Pro.  The only thing I could see was...

.text:63A0B897 ; =============== S U B R O U T I N E =======================================
.text:63A0B897
.text:63A0B897
.text:63A0B897 sub_63A0B897 proc near                  ; CODE XREF: sub_63A0BA3C+15p
.text:63A0B897
.text:63A0B897 SystemTime= _SYSTEMTIME ptr -414h
.text:63A0B897 ValueName= byte ptr -404h
.text:63A0B897 Dst= byte ptr -403h
.text:63A0B897 var_4= dword ptr -4
.text:63A0B897
.text:63A0B897 sub     esp, 414h
.text:63A0B89D mov     eax, dword_63AE0928
.text:63A0B8A2 xor     eax, esp
.text:63A0B8A4 mov     [esp+414h+var_4], eax
.text:63A0B8AB push    esi
.text:63A0B8AC push    edi
.text:63A0B8AD push    3FFh                            ; Size
.text:63A0B8B2 lea     eax, [esp+420h+Dst]
.text:63A0B8B6 push    0                               ; Val
.text:63A0B8B8 push    eax                             ; Dst
.text:63A0B8B9 mov     edi, ecx
.text:63A0B8BB mov     [esp+428h+ValueName], 0
.text:63A0B8C0 call    memset
.text:63A0B8C5 add     esp, 0Ch
.text:63A0B8C8 lea     ecx, [esp+41Ch+SystemTime]
.text:63A0B8CC push    ecx                             ; lpSystemTime
.text:63A0B8CD call    ds:GetLocalTime
.text:63A0B8D3 movzx   esi, [esp+41Ch+SystemTime.wYear]
.text:63A0B8D8 movzx   edx, [esp+41Ch+SystemTime.wMonth]
.text:63A0B8DD imul    esi, 64h
.text:63A0B8E0 movzx   eax, [esp+41Ch+SystemTime.wDay]
.text:63A0B8E5 add     esi, edx
.text:63A0B8E7 imul    esi, 64h
.text:63A0B8EA push    400h
.text:63A0B8EF lea     ecx, [esp+420h+ValueName]
.text:63A0B8F3 push    ecx
.text:63A0B8F4 add     esi, eax
.text:63A0B8F6 push    3
.text:63A0B8F8 xor     esi, 73B998h
.text:63A0B8FE call    sub_63A0BAA7
.text:63A0B903 add     esp, 0Ch
.text:63A0B906 push    0                               ; int
.text:63A0B908 lea     edx, [esp+420h+ValueName]
.text:63A0B90C push    edx                             ; lpValueName
.text:63A0B90D mov     ecx, edi
.text:63A0B90F call    sub_63A0B504
.text:63A0B914 cmp     eax, esi
.text:63A0B916 jnz     short loc_63A0B970
.text:63A0B918 push    400h
.text:63A0B91D lea     eax, [esp+420h+ValueName]
.text:63A0B921 push    eax
.text:63A0B922 push    4
.text:63A0B924 call    sub_63A0BAA7
.text:63A0B929 mov     ecx, dword_63AEFD74
.text:63A0B92F add     esp, 0Ch
.text:63A0B932 push    ecx                             ; int
.text:63A0B933 lea     edx, [esp+420h+ValueName]
.text:63A0B937 push    edx                             ; lpValueName
.text:63A0B938 mov     ecx, edi
.text:63A0B93A call    sub_63A0B504
.text:63A0B93F mov     dword_63AEFD74, eax
.text:63A0B944 push    400h
.text:63A0B949 lea     eax, [esp+420h+ValueName]
.text:63A0B94D push    eax
.text:63A0B94E push    5
.text:63A0B950 call    sub_63A0BAA7
.text:63A0B955 mov     ecx, dword_63AEFD78
.text:63A0B95B add     esp, 0Ch
.text:63A0B95E push    ecx                             ; int
.text:63A0B95F lea     edx, [esp+420h+ValueName]
.text:63A0B963 push    edx                             ; lpValueName
.text:63A0B964 mov     ecx, edi
.text:63A0B966 call    sub_63A0B504
.text:63A0B96B mov     dword_63AEFD78, eax
.text:63A0B970
.text:63A0B970 loc_63A0B970:                           ; CODE XREF: sub_63A0B897+7Fj
.text:63A0B970 mov     ecx, [esp+41Ch+var_4]
.text:63A0B977 pop     edi
.text:63A0B978 pop     esi
.text:63A0B979 xor     ecx, esp
.text:63A0B97B call    sub_6399E9D5
.text:63A0B980 add     esp, 414h
.text:63A0B986 retn
.text:63A0B986 sub_63A0B897 endp

The time part seems a bit suspicious.  Don't remember seeing this when going through before.

Edit: Just reading through and this is definitely doing a date comparison.  It takes the current year, multiplies by 100 (64h) then adds the current month before multiplying by 100 (64h) again.  Before adding on the day.  This is then compared against EAX which seems to be set in this subroutine:

.text:63A0B504 ; =============== S U B R O U T I N E =======================================
.text:63A0B504
.text:63A0B504
.text:63A0B504 ; int __stdcall sub_63A0B504(LPCSTR lpValueName, int)
.text:63A0B504 sub_63A0B504 proc near                  ; CODE XREF: sub_63A0B897+78p
.text:63A0B504                                         ; sub_63A0B897+A3p ...
.text:63A0B504
.text:63A0B504 hKey= dword ptr -410h
.text:63A0B504 Data= byte ptr -40Ch
.text:63A0B504 cbData= dword ptr -408h
.text:63A0B504 SubKey= byte ptr -404h
.text:63A0B504 Dst= byte ptr -403h
.text:63A0B504 var_4= dword ptr -4
.text:63A0B504 lpValueName= dword ptr  4
.text:63A0B504 arg_4= dword ptr  8
.text:63A0B504
.text:63A0B504 sub     esp, 410h
.text:63A0B50A mov     eax, dword_63AE0928
.text:63A0B50F xor     eax, esp
.text:63A0B511 mov     [esp+410h+var_4], eax
.text:63A0B518 push    esi
.text:63A0B519 mov     esi, [esp+414h+lpValueName]
.text:63A0B520 push    3FFh                            ; Size
.text:63A0B525 lea     eax, [esp+418h+Dst]
.text:63A0B529 push    0                               ; Val
.text:63A0B52B push    eax                             ; Dst
.text:63A0B52C mov     [esp+420h+hKey], 0
.text:63A0B534 mov     dword ptr [esp+420h+Data], 0
.text:63A0B53C mov     [esp+420h+cbData], 4
.text:63A0B544 mov     [esp+420h+SubKey], 0
.text:63A0B549 call    memset
.text:63A0B54E push    400h
.text:63A0B553 lea     ecx, [esp+424h+SubKey]
.text:63A0B557 push    ecx
.text:63A0B558 push    2
.text:63A0B55A call    sub_63A0BAA7
.text:63A0B55F add     esp, 18h
.text:63A0B562 lea     edx, [esp+414h+hKey]
.text:63A0B566 push    edx                             ; phkResult
.text:63A0B567 push    1                               ; samDesired
.text:63A0B569 push    0                               ; ulOptions
.text:63A0B56B lea     eax, [esp+420h+SubKey]
.text:63A0B56F push    eax                             ; lpSubKey
.text:63A0B570 push    80000002h                       ; hKey
.text:63A0B575 call    ds:RegOpenKeyExA
.text:63A0B57B test    eax, eax
.text:63A0B57D jnz     short loc_63A0B59B
.text:63A0B57F lea     ecx, [esp+414h+cbData]
.text:63A0B583 push    ecx                             ; lpcbData
.text:63A0B584 lea     edx, [esp+418h+Data]
.text:63A0B588 push    edx                             ; lpData
.text:63A0B589 push    eax                             ; lpType
.text:63A0B58A push    eax                             ; lpReserved
.text:63A0B58B mov     eax, [esp+424h+hKey]
.text:63A0B58F push    esi                             ; lpValueName
.text:63A0B590 push    eax                             ; hKey
.text:63A0B591 call    ds:RegQueryValueExA
.text:63A0B597 test    eax, eax
.text:63A0B599 jz      short loc_63A0B5C9
.text:63A0B59B
.text:63A0B59B loc_63A0B59B:                           ; CODE XREF: sub_63A0B504+79j
.text:63A0B59B mov     eax, [esp+414h+hKey]
.text:63A0B59F test    eax, eax
.text:63A0B5A1 jz      short loc_63A0B5AA
.text:63A0B5A3 push    eax                             ; hKey
.text:63A0B5A4 call    ds:RegCloseKey
.text:63A0B5AA
.text:63A0B5AA loc_63A0B5AA:                           ; CODE XREF: sub_63A0B504+9Dj
.text:63A0B5AA mov     eax, [esp+414h+arg_4]
.text:63A0B5B1 pop     esi
.text:63A0B5B2 mov     ecx, [esp+410h+var_4]
.text:63A0B5B9 xor     ecx, esp
.text:63A0B5BB call    sub_6399E9D5
.text:63A0B5C0 add     esp, 410h
.text:63A0B5C6 retn    8

Food for thought...

Also it seems to XOR the date it creates with 73B998h

So for today's date (18/09/2008) you originally end up with a number of 20080918 (1326916h) and XORing produces... 21090446 (141D08Eh)

Why it does this, I do not know.

I cannot seem to debug this code as it is not reached during the regsvr32 process.  This makes me believe that this is something that we've not taken into account.

Another routine also gets called:

.text:63A0BAA7 ; =============== S U B R O U T I N E =======================================
.text:63A0BAA7
.text:63A0BAA7
.text:63A0BAA7 sub_63A0BAA7 proc near                  ; CODE XREF: sub_63A0B504+56p
.text:63A0BAA7                                         ; sub_63A0B5E5+E5p ...
.text:63A0BAA7
.text:63A0BAA7 arg_0= dword ptr  4
.text:63A0BAA7 arg_8= dword ptr  0Ch
.text:63A0BAA7
.text:63A0BAA7 mov     edx, [esp+arg_0]
.text:63A0BAAB xor     ecx, ecx
.text:63A0BAAD xor     eax, eax
.text:63A0BAAF
.text:63A0BAAF loc_63A0BAAF:                           ; CODE XREF: sub_63A0BAA7+1Dj
.text:63A0BAAF cmp     dword_63AE2010[eax], edx
.text:63A0BAB5 jz      short loc_63A0BAC7
.text:63A0BAB7 add     eax, 84h
.text:63A0BABC add     ecx, 1
.text:63A0BABF cmp     eax, 183Ch
.text:63A0BAC4 jb      short loc_63A0BAAF
.text:63A0BAC6
.text:63A0BAC6 locret_63A0BAC6:                        ; CODE XREF: sub_63A0BAA7+44j
.text:63A0BAC6 retn
.text:63A0BAC7 ; ---------------------------------------------------------------------------
.text:63A0BAC7
.text:63A0BAC7 loc_63A0BAC7:                           ; CODE XREF: sub_63A0BAA7+Ej
.text:63A0BAC7 imul    ecx, 84h
.text:63A0BACD lea     edx, a4[ecx]                    ; "©\r¦4ÀÌ"
.text:63A0BAD3 mov     eax, edx
.text:63A0BAD5 push    esi
.text:63A0BAD6 lea     esi, [eax+1]
.text:63A0BAD9
.text:63A0BAD9 loc_63A0BAD9:                           ; CODE XREF: sub_63A0BAA7+39j
.text:63A0BAD9 mov     cl, [eax]
.text:63A0BADB add     eax, 1
.text:63A0BADE test    cl, cl
.text:63A0BAE0 jnz     short loc_63A0BAD9
.text:63A0BAE2 mov     ecx, [esp+4+arg_8]
.text:63A0BAE6 sub     eax, esi
.text:63A0BAE8 cmp     eax, ecx
.text:63A0BAEA pop     esi
.text:63A0BAEB jnb     short locret_63A0BAC6
.text:63A0BAED mov     [esp+arg_8], ecx
.text:63A0BAF1 mov     [esp+arg_0], edx
.text:63A0BAF5 jmp     sub_63A0BA5A
.text:63A0BAF5 sub_63A0BAA7 endp

I'll take another look tomorrow.

That could be it.

Here is a version that does not crash on my SD (I still have no H.264 WTV to test with). With the beta-expired version, I used to get a message about an expired codec. That message is now gone for me using that dll.

http://rapidshare.com/files/146479578/MSDTVVDEC.zip.html

Yeah I think we've got it. I found a sample HD WTV file and it plays fine. Changing the year past 2024 gets the Video Codec Error message to appear.

Here is the WTV file: http://w14.easy-share.com/1701207119.html

asm495:

Also it seems to XOR the date it creates with 73B998h

So for today's date (18/09/2008) you originally end up with a number of 20080918 (1326916h) and XORing produces... 21090446 (141D08Eh)

Why it does this, I do not know.

I cannot seem to debug this code as it is not reached during the regsvr32 process.  This makes me believe that this is something that we've not taken into account.

Another routine also gets called:

.text:63A0BAA7 ; =============== S U B R O U T I N E =======================================
.text:63A0BAA7
.text:63A0BAA7
.text:63A0BAA7 sub_63A0BAA7 proc near                  ; CODE XREF: sub_63A0B504+56p
.text:63A0BAA7                                         ; sub_63A0B5E5+E5p ...
.text:63A0BAA7
.text:63A0BAA7 arg_0= dword ptr  4
.text:63A0BAA7 arg_8= dword ptr  0Ch
.text:63A0BAA7
.text:63A0BAA7 mov     edx, [esp+arg_0]
.text:63A0BAAB xor     ecx, ecx
.text:63A0BAAD xor     eax, eax
.text:63A0BAAF
.text:63A0BAAF loc_63A0BAAF:                           ; CODE XREF: sub_63A0BAA7+1Dj
.text:63A0BAAF cmp     dword_63AE2010[eax], edx
.text:63A0BAB5 jz      short loc_63A0BAC7
.text:63A0BAB7 add     eax, 84h
.text:63A0BABC add     ecx, 1
.text:63A0BABF cmp     eax, 183Ch
.text:63A0BAC4 jb      short loc_63A0BAAF
.text:63A0BAC6
.text:63A0BAC6 locret_63A0BAC6:                        ; CODE XREF: sub_63A0BAA7+44j
.text:63A0BAC6 retn
.text:63A0BAC7 ; ---------------------------------------------------------------------------
.text:63A0BAC7
.text:63A0BAC7 loc_63A0BAC7:                           ; CODE XREF: sub_63A0BAA7+Ej
.text:63A0BAC7 imul    ecx, 84h
.text:63A0BACD lea     edx, a4[ecx]                    ; "©\r¦4ÀÌ"
.text:63A0BAD3 mov     eax, edx
.text:63A0BAD5 push    esi
.text:63A0BAD6 lea     esi, [eax+1]
.text:63A0BAD9
.text:63A0BAD9 loc_63A0BAD9:                           ; CODE XREF: sub_63A0BAA7+39j
.text:63A0BAD9 mov     cl, [eax]
.text:63A0BADB add     eax, 1
.text:63A0BADE test    cl, cl
.text:63A0BAE0 jnz     short loc_63A0BAD9
.text:63A0BAE2 mov     ecx, [esp+4+arg_8]
.text:63A0BAE6 sub     eax, esi
.text:63A0BAE8 cmp     eax, ecx
.text:63A0BAEA pop     esi
.text:63A0BAEB jnb     short locret_63A0BAC6
.text:63A0BAED mov     [esp+arg_8], ecx
.text:63A0BAF1 mov     [esp+arg_0], edx
.text:63A0BAF5 jmp     sub_63A0BA5A
.text:63A0BAF5 sub_63A0BAA7 endp

I'll take another look tomorrow.

xs4all:

That could be it.

Here is a version that does not crash on my SD (I still have no H.264 WTV to test with). With the beta-expired version, I used to get a message about an expired codec. That message is now gone for me using that dll.

http://rapidshare.com/files/146479578/MSDTVVDEC.zip.html

OMG it works! Amazing job asm495 and xs4all, you made alot of European VMC users happy :).

I added a mirror to my FTP.

>> Download <<

Does anyone know the performance capabilities of this decoder? Does it take advantage of multi core CPUs?