How to Call Method(s) in WHServer.exe

For those who already read my previous article about Reverse Engineering Omega’s TradeStation Application, you will notice that there are typelib information inside WHServer.exe file.

Also in that article, I already explained how to locate the server side functions for IWhouse interface methods, such as CreateProgram method. This method can be intercepted by WinDBG in existing runtime mode inside WHServer.exe address space.

If you examine the typelib of WHServer.exe file, there are numerous methods of interest, that is related to ELD source code or ELD compiled code retrieval. There is method called CodeRecById that supposedly will retrieve the compiled ELD code, but this has to be verified first by actually examining the method in action, and also by examining the returned parameter.

Surprisingly, when I tried to break at server side function for CodeRecById method using WinDBG, I can’t examine this method in detail because it is nowhere to be invoked in existing runtime-mode of WHServer.exe from running ORPlat.exe application.

So, how about creating the small application by myself and try to call this method ?

The first step is to generate the header file from the existing IDL file by OLEView.exe. Then the IDL text file is saved to WHServer.idl to be processed by MIDL utility :

midl /Oicf /W1 /Zp8 /env win32 /protocol dce /ms_ext /c_ext /error allocation /error ref /error bounds_check /error enum /error stub_data /h WHServer.h WHServer.idl

The generated WHServer.h is then incorporated to my small application project, and the coding phase begin.

The first logical step is to call CoCreateInstance for WHouse class using IWhouse interface, that will be used to call the CodeRecById method, but first I have to check for the returned status whether the object is created successfully :

hr = CoCreateInstance(whclsid, NULL, CLSCTX_SERVER, clsiwhouse, (void**)&pWh);

But, I realized this is not going to be easy because the returned hr variable is 0x80040112 (Class is not licensed for use). In other words, this object is to be solely used by existing Omega’s TradeStation platform (ORPlat.exe).

However, this aroused my curiousity as to how the existing application can successfully call the methods in IWHouse without using direct CoCreateInstance as it has been used in my small application, for instance, the call to CreateProgram. This method is clearly inside the IWhouse interface.

After analyzing this issue, it turns out that required steps to obtain the IWHouse interface object is fairly simple.

As the first step, the platform (ORPlat.exe) calls the CoGetClassObject for IORClassFactory interface. This interface is actually resides in orgcom20.dll.

Then, by using the object obtained from IORClassFactory interface, the platform calls the undocumented method number 8 by passing the generated code (supposedly license code) and IControl Interface ID to obtain IControl object. The license code is generated from combination of a magic number and transformed number that is obtained from MS Window’s GetTickCount function.

After the IControl object is obtained, this object is then used to call the WHouseEx method to get the IDispatch object.

It is by virtue of IDispatch object that I can get the IWHouse object. The IWHouse object is obtained by performing the QueryInterface for the interface id of IWHouse by way of IDispatch object.

After the IWHouse object is successfully obtained in this way, I can now call any methods of interest supplied by this interface object.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: