8 replies to this topic

[sasho648]

So I'm reverse engineering an program which creates an EAX DirectSound8 like this:

[source lang="cpp"]CoCreateInstance(&CLSID_EAXDirectSound8, 0, CLSCTX_INPROC_SERVER, IID_IDirectSound8, (LPVOID*) &m_6[iDeviceNum].m_4);[/source]
But then It call strange functions from the EAX.dll getting them adresses from the IDirectSound8 COM. Here is the code in his hard form:

[source lang="cpp"]class CAAudioDevice{ GUID m_1; //size 16 char m_2[256]; //size 256 char m_3[256]; //size 256 ??? LPDIRECTSOUND8 m_4; //offset of variable this+1064, (size 4)} ; //size 1208class CAAudioDriverPCTest{public: CAAudioDriverPCTest(HWND hWnd); virtual ~CAAudioDriverPCTest(); // size 4 int m_iDeviceAmount; //size 4 HWND m_hTestWindow; //size 4 std::vector<CAAudioDevice> m_3; // size sizeof(CAAudioDevice)*16 unsigned char* m_5; //size 4} ; //size of 19344void CAAudioDriverPCTest::TestAudio(int iDeviceNum, bool bol){ CoInitialize(0); if(CoCreateInstance(&CLSID_EAXDirectSound8, 0, CLSCTX_INPROC_SERVER, IID_IDirectSound8, (LPVOID*) &m_6[iDeviceNum].m_4)==S_OK) { (*(*m_6[iDeviceNum].m_4+40))(m_6[iDeviceNum].m_4, &m_6[iDeviceNum].m_1); (*(*m_6[iDeviceNum].m_4+24))(m_6[iDeviceNum].m_4, m_hTestWindow, 3); }}[/source]

Like the last two function calls instance to the EAX.dll.

[Nik02]

If the CoCreateInstance call succeeds, m_6[iDeviceNum].m_4 contains a pointer to the IDirectSound interface. It may or may not be subclass of that, because "EAXDirectSound" can be Creative's custom implementation of the object. However:

The following lines call functions that are offset by 40 and 24 from the vtable of the object. You could use dumpbin to try to find out what symbolic function names correspond to those offsets (if they have exported symbols, which is likely here).

Without using dumpbin, we can make an educated guess as to what those functions are by observing the parameters, since the interface itself is not very complex:

-The first call (to offset 40) is very likely an Initialize call, since it takes a device instance GUID as its parameter (the m_1 field of the structure).
-The second call (to offset 24) is likely a call to SetCooperativeLevel, with the window handle and "3" as parameters ("3" means DSSCL_EXCLUSIVE, see SDK docs for explaination).

If these are correct assumptions, the code you have presented has nothing to do with actually using EAX. In general, to use EAX, your app sets EAX parameters by obtaining IKsPropertySet interfaces from your secondary sound buffers, and calling its Get and Set methods as appropriate.

The code looks like it has been obfuscated purposefully; if this is not the case, the coder may be too "clever" for his/her own benefit. The last block of code could be refactored as follows to improve readability:

if(CoCreateInstance(&CLSID_EAXDirectSound8, 0, CLSCTX_INPROC_SERVER, IID_IDirectSound8, (LPVOID*) &m_6[iDeviceNum].m_4)==S_OK)  
{	
LPDIRECTSOUND8 pDS = (LPDIRECTSOUND8)m_6[iDeviceNum].m_4;
pDS->Initialize(&m_6[iDeviceNum].m_1); // (*(*m_6[iDeviceNum].m_4+40))(m_6[iDeviceNum].m_4, &m_6[iDeviceNum].m_1);
pDS->SetCooperativeLevel(m_hTestWindow, DSSCL_EXCLUSIVE); // (*(*m_6[iDeviceNum].m_4+24))(m_6[iDeviceNum].m_4, m_hTestWindow, 3);  
}

Edited by Nik02, 18 October 2012 - 01:56 AM.

[sasho648]

I was confused about EAX beacuse while debugging the program. when I enter the call of this functions I go to some lines in the EAX.dll. Anyway thanks for the help!

[Nik02]

Creative's implementation of the IDirectSound8 interface probably resides in EAX.dll.

It is worth noting that this code only works with Sound Blaster cards (or cards from manufacturers that have licensed the EAX technology from Creative). And that this only works prior to Vista, or after Vista if you use the Creative "Alchemy" API interception.

Edited by Nik02, 18 October 2012 - 02:19 AM.

[sasho648]

Sorry for bumping this thread but I have an problem finding the EAX COM Interface. It is created with IID_IEAXUnified. Can you help me?

[Nik02]

I believe you can obtain an EAX SDK from Creative, and that this SDK has a header file (plus needed libraries) that includes this interface as well as the actual effect interface identifiers and structures.

I haven't dabbled with EAX in years, so I'm not sure about the exact details. But I do remember getting the SDK from them.

[sasho648]

I found this: http://people.cs.uct...DK/EAX20SDK.exe but it doesn't declare the interface I want. It have a GUID named : IID_IEAXUnified. After creating the COM object it calls virtual function from it. I need this interface declared. Does somebody know where?

EDIT: The code Is:

if( (LPDIRECTSOUND8)lpAudioDevice.m_12->QueryInterface( &IID_IEAXUnified,  (EAX Interface) &lpAudioDevice.m_14 )

Edited by sasho648, 25 October 2012 - 02:08 AM.

[sasho648]

Somebody? I just searched again the IDD for the interface ( IID_IEAXUnified ) and the result was only this thread. Is this so secret??

[Nik02]

Your best bet would be to check Creative's developer site and ask them directly. Although, I just checked, and the site is down