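Well, it looks like the FineCrypt DLL (FCShell.dll) is passing a bad pointer value (ecx is 00000000 in the register dump below) into the runtime library (the faulting instruction is in mfc80) when a file is being accessed, causing an access violation and a crash: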
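// ecx is 00000000 here, so ecx+50h resolves to 00000050, which is not a readable address (the debugger shows ????????) - in other words, a NULL pointer dereferenced at offset 50h: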
0:020> ~19s
eax=0367aef4 ebx=0367ae68 ecx=00000000 edx=782bca1c esi=0367adf4 edi=00000085
eip=7822a761 esp=0367adac ebp=0367add4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mfc80+0x5a761:
7822a761 83795000 cmp dword ptr [ecx+50h],0 ds:0023:00000050=????????
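// The stack - FCShell.dll is likely responsible for ecx, since it appears as the immediate caller of the faulting mfc80 code. No unwind information is available, so the frames after FCShell+0x3202 may be wrong. Note that 0367af68, passed to uf below, is a ChildEBP value (a stack address), so that listing is stack data decoded as instructions, not FCShell code: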
0:019> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0367add4 02843202 mfc80+0x5a761
0367af68 7e41882a FCShell+0x3202
7e41885a ff8b9090 user32!UserCallWinProcCheckWow+0x116
7e41887e 8d000002 0xff8b9090
7e418882 8e3b0448 0x8d000002
7e418886 00000000 0x8e3b0448
0:019> uf 0367af68
...
0367af6a 67032a add ebp,dword ptr [bp+si]
0367af6d 88417e mov byte ptr [ecx+7Eh],al
0367af70 80eb09 sub bl,9
0367af73 006003 add byte ptr [eax+3],ah
0367af76 15008830b2 adc eax,0B2308800h
0367af7b 011400 add dword ptr [eax+eax],edx
0367af7e 0000 add byte ptr [eax],al
0367af80 0100 add dword ptr [eax],eax
0367af82 0000 add byte ptr [eax],al
0367af84 3857b4 cmp byte ptr [edi-4Ch],dl
0367af87 0180eb090000 add dword ptr [eax+9EBh],eax
0367af8d 0000 add byte ptr [eax],al
0367af8f 0000 add byte ptr [eax],al
0367af91 0000 add byte ptr [eax],al
0367af93 0000 add byte ptr [eax],al
0367af95 b067 mov al,67h
0367af97 0301 add eax,dword ptr [ecx]
0367af99 0000 add byte ptr [eax],al
0367af9b 0000 add byte ptr [eax],al
0367af9d 0000 add byte ptr [eax],al
0367af9f 0001 add byte ptr [ecx],al
0367afa1 0000 add byte ptr [eax],al
0367afa3 0070af add byte ptr [eax-51h],dh
0367afa6 670300 add eax,dword ptr [bx+si]
0367afa9 0000 add byte ptr [eax],al
0367afab 0000 add byte ptr [eax],al
0367afad b067 mov al,67h
0367afaf 038f04447e30 add ecx,dword ptr [edi+307E4404h]
0367afb5 88417e mov byte ptr [ecx+7Eh],al
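// The thread doing the lookup, which appears to be the one throwing the exception. Caveat: its stack only shows it sitting at ntdll!KiFastSystemCallRet, and the listing below is ntdll code around that stub; the call to RtlRaiseException at 7c90e4da precedes the stub and is not on this thread's call stack as shown. The access violation itself is in the thread 19 register dump above: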
0:020> kb
ChildEBP RetAddr Args to Child
03d2ffb4 7c80b713 00000000 0367de60 0367de60 ntdll!KiFastSystemCallRet
03d2ffec 00000000 7c910230 00000000 00000000 kernel32!GetModuleFileNameA+0x1b4
0:020> ub 7c80b713
...
7c90e4da e829000000 call ntdll!RtlRaiseException (7c90e508)
7c90e4df 8b0424 mov eax,[esp]
7c90e4e2 8be5 mov esp,ebp
7c90e4e4 5d pop ebp
7c90e4e5 c3 ret
7c90e4e6 8da42400000000 lea esp,[esp]
7c90e4ed 8d4900 lea ecx,[ecx]
ntdll!KiFastSystemCall:
7c90e4f0 8bd4 mov edx,esp
7c90e4f2 0f34 sysenter
ntdll!KiFastSystemCallRet:
7c90e4f4 c3 ret
7c90e4f5 8da42400000000 lea esp,[esp]
7c90e4fc 8d642400 lea esp,[esp]
ntdll!KiIntSystemCall:
7c90e500 8d542408 lea edx,[esp+0x8]
7c90e504 cd2e int 2e
7c90e506 c3 ret
7c90e507 90 nop
ntdll!RtlRaiseException:
7c90e508 55 push ebp
7c90e509 8bec mov ebp,esp
// The likely culprit:
0:020> lmvm FCShell
start end module name
02840000 02945000 FCShell T (no symbols)
Loaded symbol image file: FCShell.dll
Image path: C:\Program Files\FineCrypt\FCShell.dll
Image name: FCShell.dll
Timestamp: Tue Jan 08 15:10:18 2008 (4783D8AA)
CheckSum: 0010F362
ImageSize: 00105000
File version: 10.1.0.1
Product version: 10.1.0.0
File flags: 0 (Mask 3F)
File OS: 4 Unknown Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0