In Win32 applications, the entrypoint present in PE headers and invoked on program start does not have any parameters. Functions like `WinMain` are not the real entrypoint of the program - instead, a function (usually provided by the compiler) like `WinMainCRTStartup` is used to get things like command line arguments, initialise the C/C++ runtime, and to call the "higher-level entrypoint".
Judging by function names, programs compiled for WinCE seem to have CRT startup routines too, but those routines expect their arguments from the operating system. Because no arguments are provided by the OS, the program has, for example, no access to the command line arguments.
Compare stack traces with debug symbols between a Win32 application, and a WinCE one:
Win32:
![obraz](https://private-user-images.githubusercontent.com/24442148/322214688-456b7037-4135-4724-9020-66caa786a54a.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MjEzNDA3OTgsIm5iZiI6MTcyMTM0MDQ5OCwicGF0aCI6Ii8yNDQ0MjE0OC8zMjIyMTQ2ODgtNDU2YjcwMzctNDEzNS00NzI0LTkwMjAtNjZjYWE3ODZhNTRhLnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDA3MTglMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQwNzE4VDIyMDgxOFomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPTlkZWIzNjkwY2YzOGNhOWIwOWRhZGJiMDI3MzUwNzRmMmVhYzliNDM3MTRiOGI5ZDBkYzI2YWEwNTQwZmE3YzcmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JmFjdG9yX2lkPTAma2V5X2lkPTAmcmVwb19pZD0wIn0.iZiMH5kNMsdR3V1Cki22kknAIXALkYXnYqmBXGB5HJ8)
WinCE (not showing anything above that in the stack trace, as it seems that, at least for `solitaire.exe`, the CRT startup function is the only entrypoint - the main program loop is there):
![obraz](https://private-user-images.githubusercontent.com/24442148/322214739-8c9e45fb-3ac8-44ae-966c-bedd782e678a.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.Oyp1eZQGc2J1tpgr-lNLXdLHUrhswz87qD3pqwAo5hg)
Using a dirty hack that violates many best practices to call the entrypoint from `COREDLL!DllMain`, implementing some functions, clicking through a few stub messages, and making some other minor tweaks, it is possible to run WinCE `cmd.exe`, albeit it doesn't really work that great.
![obraz](https://private-user-images.githubusercontent.com/24442148/322215154-a08fc467-6963-4e98-9066-0b4db1ec13eb.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.MPZ6h90Ra_smSX-b0rItq6oFLNKPckmZLS6mdQq8NRg)
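
Before a loader jumps to the entrypoint recorded in the PE headers, it has to know which calling convention applies: the parameterless Win32 one, or the WinCE one that expects the OS to pass arguments. The following is an added example, not code from this project: it reads `AddressOfEntryPoint` and `Subsystem` from an image and flags CE images. The function names, the header-only sample builder, and the use of subsystem value 9 (`IMAGE_SUBSYSTEM_WINDOWS_CE_GUI`) as the signal are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SUBSYS_WINDOWS_GUI 2 /* IMAGE_SUBSYSTEM_WINDOWS_GUI */
#define SUBSYS_WINCE_GUI   9 /* IMAGE_SUBSYSTEM_WINDOWS_CE_GUI */

struct pe_entry { uint32_t entry_rva; uint16_t subsystem; };

/* Little-endian accessors, independent of host byte order and alignment. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Read AddressOfEntryPoint and Subsystem; 0 on success, -1 on a malformed image. */
int pe_read_entry(const uint8_t *img, size_t len, struct pe_entry *out)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = rd32(img + 0x3c);                    /* e_lfanew */
    if (pe > len || len - pe < 4 + 20 + 70) return -1; /* sig + COFF + fields read */
    if (memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    if (rd16(img + pe + 20) < 70) return -1;           /* SizeOfOptionalHeader */
    const uint8_t *opt = img + pe + 24;
    uint16_t magic = rd16(opt);                        /* PE32 or PE32+ */
    if (magic != 0x10b && magic != 0x20b) return -1;
    out->entry_rva = rd32(opt + 16);                   /* same offset in both formats */
    out->subsystem = rd16(opt + 68);
    return 0;
}

/* Assumption: a CE image is recognised by its subsystem value, so its
 * entrypoint must be called with arguments supplied by the loader. */
int entry_expects_os_args(const struct pe_entry *e)
{
    return e->subsystem == SUBSYS_WINCE_GUI;
}

/* Constructed sample: a header-only PE32 image, not a real binary. */
size_t make_sample(uint8_t *buf, size_t cap, uint16_t subsystem, uint32_t entry_rva)
{
    const size_t pe = 0x40, total = pe + 24 + 0xe0;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3c, (uint32_t)pe);
    memcpy(buf + pe, "PE\0\0", 4);
    wr16(buf + pe + 20, 0xe0);           /* SizeOfOptionalHeader */
    wr16(buf + pe + 24, 0x10b);          /* PE32 magic */
    wr32(buf + pe + 24 + 16, entry_rva);
    wr16(buf + pe + 24 + 68, subsystem);
    return total;
}
```
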