A little more information. It's not the memory pages as i thought. It's some kind of clusters, maybe database records. Here's an example of the file body stored in ram:
ROM:91CFFA9C DCD 0x30000040
ROM:91CFFAA0 DCD 0x30000000
ROM:91CFFAA4 DCD 0x1B0F - this record id
ROM:91CFFAA8 DCD 0x1B10
ROM:91CFFAAC DCD 0x1B11
ROM:91CFFAB0 DCD 0x1B12
ROM:91CFFAB4 DCD 0x1B13
ROM:91CFFAB8 DCD 0x1B14
ROM:91CFFABC DCD 0x1B18
ROM:91CFFAC0 DCD 0x1B15
ROM:91CFFAC4 DCD 0x1B16
ROM:91CFFAC8 DCD 0x1B17
ROM:91CFFACC DCD 0
I see such kind of record before each file body. i.e. 0x1B0F - 0x1B17 are the id of the clusters/records which hold the body.
Then goes the first record/cluster:
ROM:91CFFAE8 DCD 0x60000AB4
ROM:91CFFAEC DCD 0x30000000
ROM:91CFFAF0 DCD 0x1B10 - this record id
ROM:91CFFAF4 DCD 0x10003001
ROM:91CFFAF8 DCD 0x2A700
ROM:91CFFAFC DCD 0xB00004F0
ROM:91CFFB00 edm_exe DCW 7
ROM:91CFFB02 DCB 0xAF, 0xA, 0 ; field_0
ROM:91CFFB05 DCB 0xAF, 0xA, 0 ; field_0
ROM:91CFFB08 DCB 0
ROM:91CFFB09 DCB 0x4D ; M
ROM:91CFFB0A DCB 0x5A ; Z
ROM:91CFFB0B DCB 0x90 ; Ð
Here you can see a start of XIP compressed edm.exe
Then, after record/cluster with id 0x1B10 follows 0x1b11 and so on to 0x1B17.
At first time I've decompressed only 0x400 bytes because, after 0x400 bytes there was a header of another cluster/record. And CeDecompress stopped.
Edited by Hexxx 2006-12-06 4:59 AM
?
platform builder or even ida can remotely debug wince. don't know about dumping memory image from there, didn't ever check that.
