Joseph Doherty
460c61df43
Five-stage Ghidra headless decompile traces the byte-to-MXSTATUS_PROXY synthesis path end-to-end across LmxProxy.dll and Lmx.dll. New evidence files committed alongside R3/R4 verdict update: - analysis/ghidra/exports/LmxProxy.dll.fire-event-xrefs.md - analysis/ghidra/exports/LmxProxy.dll.status-synthesis-decompile.md - analysis/ghidra/exports/LmxProxy.dll.mxstatus-safearray-decompile.md - analysis/ghidra/exports/Lmx.dll.set-attribute-result-decompile.md Layer-by-layer findings (bytes flow inward; synthesis flows outward): 1. `Lmx.aaDCT` at 0x10178fc0 is `SysAllocString(L"Lmx.aaDCT")` — a tracing category BSTR, not a table. 2. `MXSTATUS_PROXY` is a 16-byte marshalled struct (4 × i16 padded to i32 boundaries with Pack=4) — the OUTPUT of synthesis, not a lookup entry. 3. `LmxProxy.dll` Fire_* event handlers receive already-populated `MXSTATUS_PROXY[]` and forward through ATL dispatch — no synthesis. 4. `LmxProxy.dll` Fire_* CALLERS (FUN_1001657f / FUN_10016b50 / FUN_10016d4b) call FUN_10003f60(out_safearray, in_status_ptr, count=1) which is a VERBATIM memcpy of an existing 14-byte buffer into the SAFEARRAY — no transformation. 5. `Lmx.dll`'s `PreboundReference::OnSetAttributeResult` (FUN_10114a90) receives an already-populated `short *param_7` status buffer. Log line confirms the layout: `<success %d category %d detectedBy %d detail %d>`. Dispatches on typed values — synthesis is upstream of this function too. The synthesizer is the NMX-frame decoder in Lmx.dll that calls OnSetAttributeResult / OnGetAttributeResult / equivalent OperationComplete handler. The decoder takes raw NMX bytes plus operation context (item handle, engine state, retry state, correlation id) and computes the populated MXSTATUS_PROXY. There is NO static lookup table — synthesis is per-message contextual. Two viable paths to typed promotion (both substantial; neither a small codec patch): - Path A: port the synthesizer. ~1-2 weeks. Requires extending the Rust session to track per-operation context (handles, retries, correlation ids). Out of V1 scope. - Path B: empirical capture pairs. ~30 min × 6-10 scenarios. Output is a (byte, context → status) mapping that approximates without re-implementing. Risk: mapping is only valid for captured contexts. R3/R4 stay settled at verbatim-preserve. The .NET reference does the same for the same reason: the synthesizer is too context- dependent to mirror without porting the entire operation-tracking state machine. Reopen criteria sharpened: either (a) a consumer files a concrete use case for typed promotion of a specific byte+context combination (Path B's empirical capture for that one combination is the cheapest answer); or (b) a major-version bump justifies the state-machine port (Path A). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
18 KiB
18 KiB
LmxProxy.dll selected decompile
FUN_1001657f at 1001657f
Signature: undefined __stdcall FUN_1001657f(uint param_1, undefined4 param_2)
/* WARNING: Function: __EH_prolog3_catch_GS replaced with injection: EH_prolog3 */
void FUN_1001657f(uint param_1,undefined4 param_2)
{
DWORD DVar1;
basic_ostream<wchar_t,struct_std::char_traits<wchar_t>_> bVar2;
undefined *puVar3;
int iVar4;
int *piVar5;
DWORD DVar6;
undefined4 *puVar7;
HRESULT HVar8;
basic_ostream<wchar_t,struct_std::char_traits<wchar_t>_> *pbVar9;
uint uVar10;
undefined4 uVar11;
wchar_t *pwVar12;
_func_basic_ostream<wchar_t,struct_std::char_traits<wchar_t>_>_ptr_basic_ostream<wchar_t,struct_std::char_traits<wchar_t>_>_ptr
*p_Var13;
void **in_stack_ffffff1c;
undefined1 local_d4 [36];
VARIANTARG local_b0;
_union_2683 local_a0;
VARIANTARG local_90;
VARIANTARG local_80;
int *local_70 [2];
DWORD local_68;
undefined *local_64;
IUnknown *local_60 [2];
BSTR local_58;
uint local_54;
int *local_50 [2];
SAFEARRAY *local_48;
undefined1 local_44 [4];
FILETIME local_40;
undefined2 local_38 [8];
undefined1 local_28 [32];
uint local_8;
undefined4 uStack_4;
uStack_4 = 0xc4;
local_54 = param_1;
local_68 = 0;
local_64 = (undefined *)0x0;
local_58 = (BSTR)0x0;
local_8 = 0;
FUN_1000107a((int *)local_50);
local_8 = CONCAT31(local_8._1_3_,1);
uVar11 = 0;
uVar10 = 3;
puVar3 = FUN_10003248();
iVar4 = FUN_10003897(puVar3,uVar10);
puVar3 = FUN_10003248();
uVar10 = FUN_1000305b(puVar3,iVar4,uVar11);
if ((char)uVar10 != '\0') {
pwVar12 = L"OnDataChange callback received";
piVar5 = (int *)FUN_10003248();
FUN_100031b7(piVar5,pwVar12);
}
if (DAT_10029594 == 0) {
local_8 = local_8 & 0xffffff00;
FUN_1000111b((int *)local_50);
local_8 = 0xffffffff;
SysFreeString(local_58);
}
else {
DVar6 = GetCurrentThreadId();
if (DVar6 == DAT_10029594) {
iVar4 = *(int *)(param_1 + 8);
FUN_1000f663((void *)(iVar4 + 0x2c),&local_40.dwHighDateTime,(int *)(param_1 + 0xc));
DVar6 = local_40.dwHighDateTime;
if ((((undefined *)local_40.dwHighDateTime != *(undefined **)(iVar4 + 0x30)) &&
(FUN_1000f5ef((undefined *)(local_40.dwHighDateTime + 0x3c),&local_40.dwHighDateTime,
(int *)(param_1 + 0x10)), DVar1 = local_40.dwHighDateTime,
(undefined *)local_40.dwHighDateTime != *(undefined **)(DVar6 + 0x40))) &&
(*(char *)(local_40.dwHighDateTime + 0x1c) != '\0')) {
if (*(char *)(local_40.dwHighDateTime + 0x1f) == '\0') {
if (*(char *)(local_40.dwHighDateTime + 0x1e) == '\0') {
local_40.dwHighDateTime = 0;
local_28._0_4_ = (uint)(ushort)local_28._2_2_ << 0x10;
local_28._4_4_ = 0;
local_28._8_4_ = 0;
local_28._12_4_ = (undefined *)0x0;
(**(code **)(**(int **)(DVar6 + 0x24) + 0x60))
(*(int **)(DVar6 + 0x24),*(undefined4 *)(DVar1 + 0x18),
&local_40.dwHighDateTime,local_28);
if ((local_28._0_2_ == 0xffff) && (local_28._4_4_ == 0)) {
*(undefined1 *)(DVar1 + 0x1e) = 1;
*(byte *)(DVar1 + 0x1d) = (byte)(local_40.dwHighDateTime >> 1) & 1;
}
}
piVar5 = *(int **)(DVar6 + 0x24);
if (local_50[0] != (int *)0x0) {
(**(code **)(*local_50[0] + 8))(local_50[0]);
local_50[0] = (int *)0x0;
}
iVar4 = (**(code **)(*piVar5 + 0x50))
(piVar5,*(undefined4 *)(DVar1 + 0x18),local_44,&local_68,local_38,
&local_58,local_50);
}
else {
if (*(char *)(local_40.dwHighDateTime + 0x1e) == '\0') {
local_40.dwHighDateTime = 0;
local_28._0_4_ = (uint)(ushort)local_28._2_2_ << 0x10;
local_28._4_4_ = 0;
local_28._8_4_ = 0;
local_28._12_4_ = (undefined *)0x0;
(**(code **)(**(int **)(DVar6 + 0x30) + 0x28))
(*(int **)(DVar6 + 0x30),*(undefined4 *)(DVar1 + 0x18),
&local_40.dwHighDateTime,local_28);
if ((local_28._0_2_ == 0xffff) && (local_28._4_4_ == 0)) {
*(undefined1 *)(DVar1 + 0x1e) = 1;
*(byte *)(DVar1 + 0x1d) = (byte)(local_40.dwHighDateTime >> 1) & 1;
}
}
piVar5 = *(int **)(DVar6 + 0x30);
if (local_50[0] != (int *)0x0) {
(**(code **)(*local_50[0] + 8))(local_50[0]);
local_50[0] = (int *)0x0;
}
iVar4 = (**(code **)(*piVar5 + 0x20))
(piVar5,*(undefined4 *)(DVar1 + 0x18),local_44,&local_68,local_38,
local_50);
}
iVar4 = FUN_1000f8d9((undefined4 *)(uint)(iVar4 == 0),iVar4,0x6d,"MxCallback.cpp");
if (iVar4 != 0) {
if (*(char *)(DVar1 + 0x28) == '\0') {
FUN_1000107a((int *)local_60);
local_8 = CONCAT31(local_8._1_3_,4);
if (*(char *)(DVar1 + 0x1d) == '\0') {
local_40.dwLowDateTime = 0;
local_40.dwHighDateTime = 0;
CoFileTimeNow(&local_40);
local_28._8_4_ = local_40.dwLowDateTime;
local_28._12_4_ = local_40.dwHighDateTime;
}
else {
local_28._8_4_ = local_68;
local_28._12_4_ = local_64;
}
HVar8 = (*local_60[0]->lpVtbl[5].QueryInterface)
(local_60[0],(IID *)(local_28 + 8),in_stack_ffffff1c);
if (HVar8 < 0) {
_com_issue_errorex(HVar8,local_60[0],(_GUID *)&DAT_1001b590);
}
puVar3 = FUN_100012e6(local_60);
FUN_10001269(local_70,puVar3);
local_8._0_1_ = 5;
FUN_100060a2((CComVariant *)&local_b0,local_70[0],0x40);
local_8._0_1_ = 6;
FUN_100060a2((CComVariant *)&local_a0.n2,local_50[0],0);
local_8._0_1_ = 7;
HVar8 = FUN_10003f60(&local_48,local_38,1);
if (HVar8 < 0) {
bVar2 = FUN_10003f01(*(basic_ostream<wchar_t,struct_std::char_traits<wchar_t>_> **)
(DAT_100294e0 + 8));
if (bVar2 != (basic_ostream<wchar_t,struct_std::char_traits<wchar_t>_>)0x0) {
p_Var13 = endl_exref;
pbVar9 = (basic_ostream<wchar_t,struct_std::char_traits<wchar_t>_> *)
FUN_10002dbf(*(int **)(DAT_100294e0 + 8),
L"CUserConnectionCallback::OnDataChange - Create MxStatus SafeArray failed. hr = "
);
pbVar9 = std::basic_ostream<wchar_t,struct_std::char_traits<wchar_t>_>::operator<<
(pbVar9,HVar8);
std::basic_ostream<wchar_t,struct_std::char_traits<wchar_t>_>::operator<<
(pbVar9,p_Var13);
}
}
else {
local_8 = CONCAT31(local_8._1_3_,8);
FUN_10015f72((void *)(*(int *)(local_54 + 8) + 0xc),*(long *)(local_54 + 0xc),
*(long *)(local_54 + 0x10),local_a0._0_4_);
local_8._0_1_ = 7;
local_8._1_3_ = 0;
HVar8 = SafeArrayDestroy(local_48);
if (HVar8 != 0) {
pwVar12 =
L"CUserConnectionCallback::OnDataChange - SafeArrayDestroy failed - hr %08X";
piVar5 = (int *)FUN_10003248();
FUN_1000308b(piVar5,pwVar12);
}
}
local_8._0_1_ = 6;
VariantClear((VARIANTARG *)&local_a0.n2);
local_8._0_1_ = 5;
VariantClear(&local_b0);
local_8._0_1_ = 4;
FUN_1000111b((int *)local_70);
local_8 = CONCAT31(local_8._1_3_,1);
FUN_1000111b((int *)local_60);
}
else {
VariantInit(&local_80);
local_8._0_1_ = 10;
VariantInit(&local_90);
local_8._0_1_ = 0xb;
VariantInit((VARIANTARG *)local_28);
local_8._0_1_ = 0xc;
local_40.dwHighDateTime = 0;
FUN_100069ad(local_50[0],(ushort *)&local_80,(undefined2 *)&local_90,
(undefined2 *)local_28,(BSTR)&local_40.dwHighDateTime);
HVar8 = FUN_10003f60(&local_48,local_38,1);
if (HVar8 < 0) {
bVar2 = FUN_10003f01(*(basic_ostream<wchar_t,struct_std::char_traits<wchar_t>_> **)
(DAT_100294e0 + 8));
if (bVar2 != (basic_ostream<wchar_t,struct_std::char_traits<wchar_t>_>)0x0) {
p_Var13 = endl_exref;
pbVar9 = (basic_ostream<wchar_t,struct_std::char_traits<wchar_t>_> *)
FUN_10002dbf(*(int **)(DAT_100294e0 + 8),
L"CUserConnectionCallback::OnDataChange - Create MxStatus SafeArray failed on Buffered Data callback. hr = "
);
pbVar9 = std::basic_ostream<wchar_t,struct_std::char_traits<wchar_t>_>::operator<<
(pbVar9,HVar8);
std::basic_ostream<wchar_t,struct_std::char_traits<wchar_t>_>::operator<<
(pbVar9,p_Var13);
}
}
else {
local_8 = CONCAT31(local_8._1_3_,0xd);
FUN_100163c0((void *)(*(int *)(local_54 + 8) + 0x18),*(long *)(local_54 + 0xc),
*(long *)(local_54 + 0x10),local_40.dwHighDateTime);
local_8._0_1_ = 0xc;
local_8._1_3_ = 0;
HVar8 = SafeArrayDestroy(local_48);
if (HVar8 != 0) {
pwVar12 =
L"CUserConnectionCallback::OnDataChange - SafeArrayDestroy failed - hr %08X";
piVar5 = (int *)FUN_10003248();
FUN_1000308b(piVar5,pwVar12);
}
}
local_8._0_1_ = 0xb;
VariantClear((VARIANTARG *)local_28);
local_8._0_1_ = 10;
VariantClear(&local_90);
local_8 = CONCAT31(local_8._1_3_,1);
VariantClear(&local_80);
}
}
}
}
else {
local_40.dwHighDateTime = (DWORD)&DAT_100295bc;
EnterCriticalSection((LPCRITICAL_SECTION)&DAT_100295bc);
local_8._0_1_ = 2;
puVar7 = FUN_10015e06(local_d4,(int *)(-(uint)(param_1 != 4) & param_1),param_2);
local_8._0_1_ = 3;
FUN_1001654d(&DAT_100295b0,DAT_100295b0,puVar7);
local_8._0_1_ = 2;
FUN_1000d639((int)local_d4);
local_8 = CONCAT31(local_8._1_3_,1);
LeaveCriticalSection((LPCRITICAL_SECTION)&DAT_100295bc);
}
local_8 = local_8 & 0xffffff00;
FUN_1000111b((int *)local_50);
local_8 = 0xffffffff;
SysFreeString(local_58);
}
FUN_10017482();
return;
}
FUN_10016b50 at 10016b50
Signature: HRESULT __stdcall FUN_10016b50(uint param_1, undefined4 param_2, undefined4 * param_3)
/* WARNING: Function: __EH_prolog3_catch replaced with injection: EH_prolog3 */
/* WARNING: Function: __EH_epilog3 replaced with injection: EH_epilog3 */
HRESULT FUN_10016b50(uint param_1,undefined4 param_2,undefined4 *param_3)
{
uint uVar1;
basic_ostream<wchar_t,struct_std::char_traits<wchar_t>_> bVar2;
undefined *puVar3;
int iVar4;
int *piVar5;
DWORD DVar6;
undefined4 *puVar7;
HRESULT HVar8;
basic_ostream<wchar_t,struct_std::char_traits<wchar_t>_> *pbVar9;
uint uVar10;
HRESULT HVar11;
undefined4 uVar12;
wchar_t *pwVar13;
_func_basic_ostream<wchar_t,struct_std::char_traits<wchar_t>_>_ptr_basic_ostream<wchar_t,struct_std::char_traits<wchar_t>_>_ptr
*p_Var14;
undefined1 local_40 [36];
undefined *local_1c;
undefined4 local_18 [4];
int local_8;
undefined4 uStack_4;
uStack_4 = 0x30;
local_8 = 0x10016b5c;
local_18[0] = 0;
uVar12 = 0;
uVar10 = 3;
puVar3 = FUN_10003248();
iVar4 = FUN_10003897(puVar3,uVar10);
puVar3 = FUN_10003248();
uVar10 = FUN_1000305b(puVar3,iVar4,uVar12);
if ((char)uVar10 != '\0') {
pwVar13 = L"OnSetAttributeResult callback received";
piVar5 = (int *)FUN_10003248();
FUN_100031b7(piVar5,pwVar13);
}
if (DAT_10029594 != 0) {
DVar6 = GetCurrentThreadId();
uVar10 = param_1;
if (DVar6 == DAT_10029594) {
piVar5 = (int *)(param_1 + 0xc);
iVar4 = *(int *)(param_1 + 8);
FUN_1000f663((void *)(iVar4 + 0x2c),¶m_1,piVar5);
uVar1 = param_1;
if ((param_1 == *(uint *)(iVar4 + 0x30)) ||
(FUN_1000f5ef((void *)(param_1 + 0x3c),¶m_1,(int *)(uVar10 + 0x10)),
param_1 == *(uint *)(uVar1 + 0x40))) {
return -0x7fffbffb;
}
HVar8 = FUN_10003f60(local_18,(undefined2 *)param_3,1);
if (-1 < HVar8) {
local_8 = 2;
FUN_1001611f((void *)(*(int *)(uVar10 + 8) + 0xc),*piVar5,*(long *)(uVar10 + 0x10),local_18)
;
local_8 = 0xffffffff;
HVar8 = FUN_10016d1a();
return HVar8;
}
bVar2 = FUN_10003f01(*(basic_ostream<wchar_t,struct_std::char_traits<wchar_t>_> **)
(DAT_100294e0 + 8));
if (bVar2 == (basic_ostream<wchar_t,struct_std::char_traits<wchar_t>_>)0x0) {
return HVar8;
}
HVar11 = HVar8;
p_Var14 = endl_exref;
pbVar9 = (basic_ostream<wchar_t,struct_std::char_traits<wchar_t>_> *)
FUN_10002dbf(*(int **)(DAT_100294e0 + 8),
L"CUserConnectionCallback::OnSetAttributeResult - Create MxStatus SafeArray failed. hr = "
);
pbVar9 = std::basic_ostream<wchar_t,struct_std::char_traits<wchar_t>_>::operator<<
(pbVar9,HVar11);
std::basic_ostream<wchar_t,struct_std::char_traits<wchar_t>_>::operator<<(pbVar9,p_Var14);
return HVar8;
}
local_1c = &DAT_100295bc;
EnterCriticalSection((LPCRITICAL_SECTION)&DAT_100295bc);
local_8 = 0;
puVar7 = FUN_10015db2(local_40,(int *)(-(uint)(param_1 != 4) & param_1),*param_3,param_3[1],
param_3[2],param_3[3],param_2);
local_8._0_1_ = 1;
FUN_1001654d(&DAT_100295b0,DAT_100295b0,puVar7);
local_8 = (uint)local_8._1_3_ << 8;
FUN_1000d639((int)local_40);
local_8 = 0xffffffff;
LeaveCriticalSection((LPCRITICAL_SECTION)&DAT_100295bc);
}
return 0;
}
FUN_10016d4b at 10016d4b
Signature: HRESULT __stdcall FUN_10016d4b(int * param_1, undefined4 param_2, undefined4 * param_3)
/* WARNING: Function: __EH_prolog3_catch replaced with injection: EH_prolog3 */
/* WARNING: Function: __EH_epilog3 replaced with injection: EH_epilog3 */
HRESULT FUN_10016d4b(int *param_1,undefined4 param_2,undefined4 *param_3)
{
int *piVar1;
int *piVar2;
basic_ostream<wchar_t,struct_std::char_traits<wchar_t>_> bVar3;
undefined *puVar4;
int iVar5;
int *piVar6;
DWORD DVar7;
undefined4 *puVar8;
HRESULT HVar9;
basic_ostream<wchar_t,struct_std::char_traits<wchar_t>_> *pbVar10;
uint uVar11;
undefined4 uVar12;
wchar_t *pwVar13;
_func_basic_ostream<wchar_t,struct_std::char_traits<wchar_t>_>_ptr_basic_ostream<wchar_t,struct_std::char_traits<wchar_t>_>_ptr
*p_Var14;
undefined1 local_40 [36];
undefined *local_1c;
undefined4 local_18 [4];
int local_8;
undefined4 uStack_4;
uStack_4 = 0x30;
local_8 = 0x10016d57;
uVar12 = 0;
uVar11 = 3;
puVar4 = FUN_10003248();
iVar5 = FUN_10003897(puVar4,uVar11);
puVar4 = FUN_10003248();
uVar11 = FUN_1000305b(puVar4,iVar5,uVar12);
if ((char)uVar11 != '\0') {
pwVar13 = L"OperationComplete callback received";
piVar6 = (int *)FUN_10003248();
FUN_100031b7(piVar6,pwVar13);
}
if (DAT_10029594 != 0) {
DVar7 = GetCurrentThreadId();
piVar6 = param_1;
if (DVar7 == DAT_10029594) {
piVar1 = param_1 + 4;
iVar5 = param_1[3];
FUN_1000f663((void *)(iVar5 + 0x2c),¶m_1,piVar1);
piVar2 = param_1;
if ((param_1 == *(int **)(iVar5 + 0x30)) ||
(FUN_1000f5ef(param_1 + 0xf,¶m_1,piVar6 + 5), param_1 == (int *)piVar2[0x10])) {
return -0x7fffbffb;
}
HVar9 = FUN_10003f60(local_18,(undefined2 *)param_3,1);
if (-1 < HVar9) {
local_8 = 2;
FUN_10016271((void *)(piVar6[3] + 0xc),*piVar1,piVar6[5],local_18);
local_8 = 0xffffffff;
HVar9 = FUN_10016f05();
return HVar9;
}
bVar3 = FUN_10003f01(*(basic_ostream<wchar_t,struct_std::char_traits<wchar_t>_> **)
(DAT_100294e0 + 8));
if (bVar3 == (basic_ostream<wchar_t,struct_std::char_traits<wchar_t>_>)0x0) {
return HVar9;
}
p_Var14 = endl_exref;
pbVar10 = (basic_ostream<wchar_t,struct_std::char_traits<wchar_t>_> *)
FUN_10002dbf(*(int **)(DAT_100294e0 + 8),
L"CUserConnectionCallback::CUserConnectionCallback::OperationComplete - Create MxStatus SafeArray failed. hr = "
);
pbVar10 = std::basic_ostream<wchar_t,struct_std::char_traits<wchar_t>_>::operator<<
(pbVar10,HVar9);
std::basic_ostream<wchar_t,struct_std::char_traits<wchar_t>_>::operator<<(pbVar10,p_Var14);
HVar9 = FUN_10016f05();
return HVar9;
}
local_1c = &DAT_100295bc;
EnterCriticalSection((LPCRITICAL_SECTION)&DAT_100295bc);
local_8 = 0;
puVar8 = FUN_10015e4e(local_40,param_1,*param_3,param_3[1],param_3[2],param_3[3],param_2);
local_8._0_1_ = 1;
FUN_1001654d(&DAT_100295b0,DAT_100295b0,puVar8);
local_8 = (uint)local_8._1_3_ << 8;
FUN_1000d639((int)local_40);
local_8 = 0xffffffff;
LeaveCriticalSection((LPCRITICAL_SECTION)&DAT_100295bc);
}
return 0;
}