siwu's blog » Research

GTA2 Classics Stuck at 640×480 (and fix!)

siwu — Fri, 23 May 2008 00:35:40 +0000

Lately with friends we've been having some multiplayer fun at GTA 2 Classics Edition (the free one that you can download at Rockstar Classics). I'm amazed to see how cool this game still is in multiplayer. BUT, there was a but. As of now it was impossible to make it run at more than 640x480, despite setting higher resolutions on the GTA 2 Manager. While it's not a big issue, it's still annoying nonetheless.
So I've looked and looked and looked and looked on the net to find some kind of answer. While I did find some people who had the same problem as me (and all my friends for that matter), I did not find any answer.
Because I'm not desperate, I've took my tools and started decompiling GTA 2 (;))
Long story short, here is a patch to activate high resolution on GTA 2 Classics Edition (aka 9.6F) only:

gta2patch.exe (7 kb)

Please bear in mind that this patch is VERY ghetto. It doesn't even check if you are patching the right version, so USE AT YOU OWN RISK!
For the details, the source code and the alternate methods (if you don't feel like downloading and launching an executable from an unknown source), hit the jump.

I won't go into big details but it seems at some point the code to detect whether or not your graphic card is capable of handling high resolution ~~screws up~~ decides that it can't and falls back into "safe mode" by setting a flag. For another ~~weird~~ reason, the flag is not set when a registry key is.
Try to set the DWORD key skip_frontend to 1 under HKEY_LOCAL_MACHINE\SOFTWARE\DMA Design Ltd\GTA2\Debug and it should launch the game at high resolution. The problem is, the game fails telling you that it can't open some file. Whatever.
So what did I do, well, I simply patched the fail-safe code, by forcing high-res.

If you want to patch it yourself, take you favorite hex editor and open gta2.exe. Go at offset 0x000CB2C9, and replace 74 1D by EB 1D (forced jmp ftw).

Finally, if you want to compile the patch yourself (some people do I guess!), here is the code! I told you it was ghetto!

#include
#include
#include
int main(int argc, char **argv)
{
char *patchFile = "gta2.exe";
char *backupFile = "gta2.original.exe";
long patchOffset = 0x000CB2C9;
unsigned char patchData[] = "\xEB";
printf("GTA2 Classics Edition High Resolution Patch\n");
printf("by siwu (siwuzzz@gmail.com)\n\n");
printf("This program will patch %s to allow high resolutions\n", patchFile);
printf("on systems that don't work.\n");
printf("It will also create a backup file called %s\n\n", backupFile);
printf("Press any key to patch!\n");
getch();
if (CopyFile((LPCSTR)patchFile, (LPCSTR)backupFile, FALSE) == FALSE)
{
printf("Unable to copy %s to %s! Press a key to quit!\n", patchFile, backupFile);
getch();
return (1);
}
FILE *gtaFile = fopen(patchFile, "r+");
if (gtaFile == NULL)
{
printf("Unable to open %s! Press a key to quit!\n", patchFile);
getch();
return (1);
}
fseek(gtaFile, patchOffset, SEEK_SET);
fwrite((const void *)patchData, sizeof(unsigned char), sizeof(patchData) - 1, gtaFile);
fclose(gtaFile);
printf("Succesfully patched %s! Press a key to quit!\n", patchFile);
getch();
return (0);
}

Hacking into Vista’s Desktop Window Manager (DWM)

siwu — Sat, 08 Dec 2007 17:23:39 +0000

Window texture is soooo last week, when you can manipulate the windows themselves

Jump for the (quite long I admit) story

Last year (Oct. 2006) I started playing with the Windows Vista's Destkop Window Manager (DWM) API. Like a lot of people, I was really disappointed by the library. The only thing it permits you to do is to have your own live thumbnails... Come on Microsoft! The DWM uses freaking Direct3D, why don't you let us mess around with that!
I knew there a way to extract the window texture (since DWM uses Direct3D9Ex and its marvelous shared resources), so I started a thread on AeroXP.org to expose my progress on this.

I started of by disassembling dwmapi.dll, and it paid off. Here it was, in front of me: DwmpDxGetWindowSharedSurface()! ...and its 32 bytes signature! Damn, that's 8 parameters maximum to reverse! Arg.
But after spending almost 2 months reverse engineering, it eventually paid off. I had a (almost) complete function signature, and even a way to use it.

int __stdcall DwmpDxGetWindowSharedSurface(HWND hWnd,
                                           LUID adapterLuid,
                                           LUID someLuid,
                                           DWORD *pD3DFormat,
                                           HANDLE *pSharedHandle,
                                           unsigned __int64 *arg7);

But there is a "but", the function would return me a correct texture handle but to a black texture! After weeks of trying to tweak the code, I was facing a dead end.
So, taking my courage, I mailed the WPF Architect, Greg Schechter to ask him for help, without much hope about a response. But he did reply (and that was very kind of him to do so), thanking me for my interest into the DWM, but that he couldn't comment on such things (and it's understandable).

And here I was, lonely, facing a dead end. Eventually the project was forgotten on my hard drive (as many others).

But after some months, Jeremiah Morrill followed by work, and scratched some more dust, finding that the texture wasn't black when the window used a Direct3D device, like WPF. And after all, it makes perfect sense. Direct3D applications render to a shared texture given by the DWM, as stated in Greg Schechter's blog:

DirectX window redirection is handled by having the DirectX system, when it's determining what surface to provide the app with to render to, make calls to the DWM in order to share a surface between the DirectX client application process, and the DWM process. This "shared surface" support is unique to DirectX atop the WDDM, and is another key reason why WDDM is an absolute requirement for running the DWM.

But there we were facing the same problem: how the f*ck do we extract the window texture, for all windows?

A few months later, I started talking to Andreas Verhoeven about this (he was doing some reverse on other parts of DWM on his own), and eventually, I revived the project. After a few nights of work, there it was:

The texture relies on hooking IDirect3D9::CreateTexture() to watch out for newly created textures by the DWM, and mark them as shared (GDI texture are not

However, the technique is flawed. The main problem is that the render loop is done asynchronously of windows creation (synchronous with v-sync), there was no direct way to establish a HWND <-> TextureHandle relationship. More importantly, the rendering is done though MIL (milcore.dll), and MIL doesn't have any clue of windows objects, that are handled by uDWM.dll. Pseudo dead end again.

But I didn't stop here, and thank to Andreas, I dug deeper into the DWM. And the results, you saw them at the top of the post
I won't expose exactly what's involved (yet), but it's a combination of internal calls, and API hooking

And for those of you who wonder, yes, I'm working on a library to do all this!

DWM Hacking, Extracting the Window Texture

siwu — Sun, 25 Nov 2007 18:36:21 +0000

Lately I've been working with Ave on this, and here are the first results:

Download MP4 videos directly from DailyMotion

siwu — Thu, 01 Nov 2007 04:06:20 +0000

So I have this shiny iPhone, and I must say, although I was skeptical when it came out, I love it. Thanks to it I can watch YouTube videos on it, and the other competitor (at least here in France), DailyMotion, has an iPhone "webapp" for it. Sweet!

After a while, I wanted to grab some videos and put them on my phone, so I started to search for an application that would allow me to convert flvs to mp4s, and eventually I found some. But the process is kinda slow, and when you think the iPhone plays the videos directly in mp4 from DailyMotion (and YouTube), you would find this utterly inefficient!

But thankfully for you guys, there is a way to download videos directly in mp4 from DailyMotion, and by directly, I don't mean using some transcoding service. I mean directly.
So how do we do that? Well, I've created a simple tool for you to convert DailyMotion urls, to direct download MP4 urls

Thanks to this simple utility, just put the original URL, click "Find!", and it will give you the direct download URL to the MP4 file! It's that simple.

You can download the tool here, and download the sources (VS 2008) here.

Reverse Engineering the Windows XP Window Manager, Part 4: The real thing

siwu — Mon, 26 Mar 2007 12:21:06 +0000

Sooo, here we are. We finally reached the real PrintWindow() implementation. And before we start to comment, let's take a look at the code:

.text:BF8A3C84
.text:BF8A3C84 ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
.text:BF8A3C84
.text:BF8A3C84 ; Attributes: bp-based frame
.text:BF8A3C84
.text:BF8A3C84 ; __stdcall xxxPrintWindow(x, x, x)
.text:BF8A3C84 _xxxPrintWindow@12 proc near ; CODE XREF: NtUserPrintWindow(x,x,x)+62p
.text:BF8A3C84
.text:BF8A3C84 var_C = dword ptr -0Ch
.text:BF8A3C84 var_8 = dword ptr -8
.text:BF8A3C84 var_4 = dword ptr -4
.text:BF8A3C84 arg_0 = dword ptr 8
.text:BF8A3C84 arg_4 = dword ptr 0Ch
.text:BF8A3C84 arg_8 = byte ptr 10h
.text:BF8A3C84
.text:BF8A3C84 ; FUNCTION CHUNK AT .text:BF8A3BB8 SIZE 0000002D BYTES
.text:BF8A3C84
.text:BF8A3C84 mov edi, edi
.text:BF8A3C86 push ebp
.text:BF8A3C87 mov ebp, esp
.text:BF8A3C89 sub esp, 0Ch
.text:BF8A3C8C xor eax, eax
.text:BF8A3C8E push ebx
.text:BF8A3C8F inc eax
.text:BF8A3C90 test [ebp+arg_8], al
.text:BF8A3C93 push esi
.text:BF8A3C94 mov esi, [ebp+arg_0]
.text:BF8A3C97 push edi
.text:BF8A3C98 mov [ebp+var_4], eax
.text:BF8A3C9B jnz loc_BF8A3BB8
.text:BF8A3CA1 mov edi, [esi+48h]
.text:BF8A3CA4 mov ebx, [esi+4Ch]
.text:BF8A3CA7 and [ebp+var_C], 0
.text:BF8A3CAB and [ebp+var_8], 0
.text:BF8A3CAF sub edi, [esi+40h]
.text:BF8A3CB2 sub ebx, [esi+44h]
.text:BF8A3CB5
.text:BF8A3CB5 loc_BF8A3CB5: ; CODE XREF: xxxPrintWindow(x,x,x)-ACj
.text:BF8A3CB5 push esi
.text:BF8A3CB6 call _GetRedirectionFlags@4 ; GetRedirectionFlags(x)
.text:BF8A3CBB neg eax
.text:BF8A3CBD sbb eax, eax
.text:BF8A3CBF push 8
.text:BF8A3CC1 inc eax
.text:BF8A3CC2 push esi
.text:BF8A3CC3 mov [ebp+arg_0], eax
.text:BF8A3CC6 call _SetRedirectedWindow@8 ; SetRedirectedWindow(x,x)
.text:BF8A3CCB test eax, eax
.text:BF8A3CCD jz loc_BF8A3BDD
.text:BF8A3CD3 cmp [ebp+arg_0], 0
.text:BF8A3CD7 jz short loc_BF8A3CDF
.text:BF8A3CD9 push esi
.text:BF8A3CDA call _xxxUpdateWindow@4 ; xxxUpdateWindow(x)
.text:BF8A3CDF
.text:BF8A3CDF loc_BF8A3CDF: ; CODE XREF: xxxPrintWindow(x,x,x)+53j
.text:BF8A3CDF push 3
.text:BF8A3CE1 push 0
.text:BF8A3CE3 push esi
.text:BF8A3CE4 call __GetDCEx@12 ; _GetDCEx(x,x,x)
.text:BF8A3CE9 mov [ebp+arg_0], eax
.text:BF8A3CEC xor eax, eax
.text:BF8A3CEE push eax
.text:BF8A3CEF push eax
.text:BF8A3CF0 push 80CC0020h
.text:BF8A3CF5 push [ebp+var_8]
.text:BF8A3CF8 push [ebp+var_C]
.text:BF8A3CFB push [ebp+arg_0]
.text:BF8A3CFE push ebx
.text:BF8A3CFF push edi
.text:BF8A3D00 push eax
.text:BF8A3D01 push eax
.text:BF8A3D02 push [ebp+arg_4]
.text:BF8A3D05 call _NtGdiBitBlt@44 ; NtGdiBitBlt(x,x,x,x,x,x,x,x,x,x,x)
.text:BF8A3D0A push [ebp+arg_0]
.text:BF8A3D0D call __ReleaseDC@4 ; _ReleaseDC(x)
.text:BF8A3D12 push 8
.text:BF8A3D14 push esi
.text:BF8A3D15 call _UnsetRedirectedWindow@8 ; UnsetRedirectedWindow(x,x)
.text:BF8A3D1A
.text:BF8A3D1A loc_BF8A3D1A: ; CODE XREF: xxxPrintWindow(x,x,x)-A4j
.text:BF8A3D1A mov eax, [ebp+var_4]
.text:BF8A3D1D pop edi
.text:BF8A3D1E pop esi
.text:BF8A3D1F pop ebx
.text:BF8A3D20 leave
.text:BF8A3D21 retn 0Ch
.text:BF8A3D21 _xxxPrintWindow@12 endp
.text:BF8A3D21
.text:BF8A3D21 ; ---------------------------------------------------------------------------

.text:BF8A3BB8 ; START OF FUNCTION CHUNK FOR _xxxPrintWindow@12
.text:BF8A3BB8
.text:BF8A3BB8 loc_BF8A3BB8: ; CODE XREF: xxxPrintWindow(x,x,x)+17j
.text:BF8A3BB8 mov ecx, [esi+50h]
.text:BF8A3BBB mov eax, [esi+40h]
.text:BF8A3BBE mov edx, [esi+54h]
.text:BF8A3BC1 mov edi, [esi+58h]
.text:BF8A3BC4 mov ebx, [esi+5Ch]
.text:BF8A3BC7 sub eax, ecx
.text:BF8A3BC9 mov [ebp+var_C], eax
.text:BF8A3BCC mov eax, [esi+44h]
.text:BF8A3BCF sub eax, edx
.text:BF8A3BD1 sub edi, ecx
.text:BF8A3BD3 mov [ebp+var_8], eax
.text:BF8A3BD6 sub ebx, edx
.text:BF8A3BD8 jmp loc_BF8A3CB5
.text:BF8A3BDD ; ---------------------------------------------------------------------------
.text:BF8A3BDD
.text:BF8A3BDD loc_BF8A3BDD: ; CODE XREF: xxxPrintWindow(x,x,x)+49j
.text:BF8A3BDD and [ebp+var_4], eax
.text:BF8A3BE0 jmp loc_BF8A3D1A
.text:BF8A3BE0 ; END OF FUNCTION CHUNK FOR _xxxPrintWindow@12

Let's analyze this.

First, we notice that the function moves the first argument in esi and then references some data (like in a structure) from esi.

.text:BF8A3C94 mov esi, [ebp+arg_0]
.text:BF8A3CA1 mov edi, [esi+48h]
.text:BF8A3CA4 mov ebx, [esi+4Ch]

However, HWNDs are not pointer, which tends to demonstrate that the first argument is NOT an HWND, but likely the internal structure kept by the kernel for each window.
If we go back to the call to xxxPrintWindow() in NtUserPrintWindow(), we notice this:

.text:BF8A3C60 push [ebp+arg_8]
.text:BF8A3C63 push [ebp+arg_4]
.text:BF8A3C66 push eax
.text:BF8A3C67 call _xxxPrintWindow@12 ; xxxPrintWindow(x,x,x)

The last 2 arguments are forwarded from the original PrintWindow() call, and the first isn't, instead it is eax. So, when does eax get set? Well:

.text:BF8A3C16 call @ValidateHwnd@4 ; ValidateHwnd(x)
.text:BF8A3C1B test eax, eax
.text:BF8A3C1D jz short loc_BF8A3BB1

So here we are, ValidateHwnd() (which is __fastcall), must converts a window handle (HWND) to a window structure pointer. For clarity, let's name this type PWND.
We can then extract the following prototypes:

PWND __fastcall ValidateHwnd(HWND hwnd);
BOOL __stdcall xxxPrintWindow(PWND pwnd, HDC hdcBlt, UINT nFlags);

And then we look at the rough function flow:

.text:BF8A3CB6 call _GetRedirectionFlags@4 ; GetRedirectionFlags(x)
.text:BF8A3CC6 call _SetRedirectedWindow@8 ; SetRedirectedWindow(x,x)
.text:BF8A3CDA call _xxxUpdateWindow@4 ; xxxUpdateWindow(x)
.text:BF8A3CE4 call __GetDCEx@12 ; _GetDCEx(x,x,x)
.text:BF8A3D05 call _NtGdiBitBlt@44 ; NtGdiBitBlt(x,x,x,x,x,x,x,x,x,x,x)
.text:BF8A3D0D call __ReleaseDC@4 ; _ReleaseDC(x)
.text:BF8A3D15 call _UnsetRedirectedWindow@8 ; UnsetRedirectedWindow(x,x)

Oh, there is one interesting thing: according to this function, we notice that the Win32 GUI does implement the concept of window drawing redirection; this basically means that the GUI is able to redirect all the drawing call into a off screen bitmap, instead of the real window, on the screen. This is actually "documented" on MSDN:
"The second way to use layered windows is to continue using the Win32 painting paradigm, but allowing the system to redirect all the drawing for the layered window and its children into an off-screen bitmap."

In what way is this interesting for PrintWindow() ? Well, thanks to this, the API can screenshot partially or completely hidden windows. This is, to be fair, the core advantage of this API.
So, according to all this, how does it work? Well, it does the following:

Sets the window to layered using SetRedirectedWindow()
Redraws completely the window using UpdateWindow() in the newly created empty off screen bitmap
Gets the DC of the new of the window with GetDCEx()
Copies the bitmap to the provided DC using NtGdiBitBlt()
Releases the new DC
Unsets the layered attribute

So we now know why PrintWindow() permits to take screenshots of partially or completely hidden windows! This is because of the existence of layered windows!
So, even though the API appeared in Windows XP, the very existence of layered windows goes back to Windows 2000. Which means reimplementing it on Windows 2000 is totally possible, using a kernel mode driver which would call the kernel mode functions.

But what is interesting here is the concept of off screen bitmaps. So basically, there is a pointer with DIB data of the windows! This could be very well suited to make a replica and even optimize the PrintWindow() implementation! Why would it be a good thing? Well, here is what we need to do to take a screenshot to a texture:

Get the first surface of the texture
Get a DC to this surface
PrintWindow() into this DC
Release the DC
Release the surface

While this could be not quite cumbersome to some of you, there is one problem: what if the window has a mask? Like MSN windows? Well, here are the steps involved:

Create a temporary DC
PrintWindow() into this DC
Get the first surface of the texture
Get a DC to this surface
BitBlt from the temporary DC to the surface DC, using the mask
Release the 2 DCs
Release the surface

All of this copying, allocations, and GDI stuff is quite slow. What if we had a direct access to the window DIB? We would only have to copy the DIB data to the locked texture. But even more powerful, using a standard 2D API like SDL where image DIB are stored into the system memory, we could even point the pointer to the DIB maintained by the OS, not having to worry about the updating, without even polling!

And here is the new quest, finding this damn pointer, so we can make something like this:
Pretty fun eh?

Reverse Engineering the Windows XP Window Manager, Part 3

siwu — Thu, 01 Feb 2007 12:18:16 +0000

In the previous part we managed to hunt down the real implementation of the PrintWindow API. Le'ts take a look at it. The functions is divided in 3 chunks:

.text:BF8978A3 ; __stdcall NtUserPrintWindow(x, x, x)
.text:BF8978A3 _NtUserPrintWindow@12 proc near ; DATA XREF: .data:BF998A74o
.text:BF8978A3
.text:BF8978A3 var_C = dword ptr -0Ch
.text:BF8978A3 var_8 = dword ptr -8
.text:BF8978A3 arg_0 = dword ptr 8
.text:BF8978A3 arg_4 = dword ptr 0Ch
.text:BF8978A3 arg_8 = dword ptr 10h
.text:BF8978A3
.text:BF8978A3 ; FUNCTION CHUNK AT .text:BF89784F SIZE 00000007 BYTES
.text:BF8978A3 ; FUNCTION CHUNK AT .text:BF897893 SIZE 0000000B BYTES
.text:BF8978A3
.text:BF8978A3 mov edi, edi
.text:BF8978A5 push ebp
.text:BF8978A6 mov ebp, esp
.text:BF8978A8 sub esp, 0Ch
.text:BF8978AB push esi
.text:BF8978AC call _EnterCrit@0 ; EnterCrit()
.text:BF8978B1 mov ecx, [ebp+arg_0]
.text:BF8978B4 call @ValidateHwnd@4 ; ValidateHwnd(x)
.text:BF8978B9 test eax, eax
.text:BF8978BB jz short loc_BF89784F
.text:BF8978BD movzx ecx, word ptr [eax+2Ah]
.text:BF8978C1 and ecx, 0FFFF3FFFh
.text:BF8978C7 cmp ecx, 29Dh
.text:BF8978CD jz short loc_BF89784F
.text:BF8978CF cmp ecx, 29Fh
.text:BF8978D5 jz loc_BF89784F
.text:BF8978DB mov ecx, _gptiCurrent
.text:BF8978E1 mov edx, [ecx+28h]
.text:BF8978E4 mov [ebp+var_C], edx
.text:BF8978E7 lea edx, [ebp+var_C]
.text:BF8978EA mov [ecx+28h], edx
.text:BF8978ED mov ecx, [ebp+arg_8]
.text:BF8978F0 mov [ebp+var_8], eax
.text:BF8978F3 inc dword ptr [eax+4]
.text:BF8978F6 and ecx, 1
.text:BF8978F9 cmp ecx, [ebp+arg_8]
.text:BF8978FC jnz short loc_BF897893
.text:BF8978FE push [ebp+arg_8]
.text:BF897901 push [ebp+arg_4]
.text:BF897904 push eax
.text:BF897905 call _xxxPrintWindow@12 ; xxxPrintWindow(x,x,x)
.text:BF89790A mov esi, eax
.text:BF89790C
.text:BF89790C loc_BF89790C: ; CODE XREF: NtUserPrintWindow(x,x,x)-7j
.text:BF89790C call _ThreadUnlock1@0 ; ThreadUnlock1()
.text:BF897911
.text:BF897911 loc_BF897911: ; CODE XREF: NtUserPrintWindow(x,x,x)-52j
.text:BF897911 call _LeaveCrit@0 ; LeaveCrit()
.text:BF897916 mov eax, esi
.text:BF897918 pop esi
.text:BF897919 leave
.text:BF89791A retn 0Ch
.text:BF89791A _NtUserPrintWindow@12 endp

.text:BF897893 ; ---------------------------------------------------------------------------
.text:BF897893 ; START OF FUNCTION CHUNK FOR _NtUserPrintWindow@12
.text:BF897893
.text:BF897893 loc_BF897893: ; CODE XREF: NtUserPrintWindow(x,x,x)+59j
.text:BF897893 push 57h
.text:BF897895 xor esi, esi
.text:BF897897 call _UserSetLastError@4 ; UserSetLastError(x)
.text:BF89789C jmp short loc_BF89790C
.text:BF89789C ; END OF FUNCTION CHUNK FOR _NtUserPrintWindow@12
.text:BF89789C ; ---------------------------------------------------------------------------

.text:BF89784F ; ---------------------------------------------------------------------------
.text:BF89784F ; START OF FUNCTION CHUNK FOR _NtUserPrintWindow@12
.text:BF89784F
.text:BF89784F loc_BF89784F: ; CODE XREF: NtUserPrintWindow(x,x,x)+18j
.text:BF89784F ; NtUserPrintWindow(x,x,x)+2Aj ...
.text:BF89784F xor esi, esi
.text:BF897851 jmp loc_BF897911
.text:BF897851 ; END OF FUNCTION CHUNK FOR _NtUserPrintWindow@12
.text:BF897856 ; ---------------------------------------------------------------------------

So here I am bombing you with assembly... How rude...
In order to know what happens, we could try our analysis by looking at the calls the function does:

.text:BF8978AC call _EnterCrit@0 ; EnterCrit()
.text:BF8978B4 call @ValidateHwnd@4 ; ValidateHwnd(x)
.text:BF897905 call _xxxPrintWindow@12 ; xxxPrintWindow(x,x,x)
.text:BF89790C call _ThreadUnlock1@0 ; ThreadUnlock1()
.text:BF897911 call _LeaveCrit@0 ; LeaveCrit()
.text:BF897897 call _UserSetLastError@4 ; UserSetLastError(x)

And what do we see:
- EnterCrit/LeaveCrit: this functions are used for thread synchronization. It must be here to prevent the function from being executed more than once at the same time. See EnterCriticalSection and LeaveCriticalSection.
- ValidateHwnd: we don't know at the moment what it does, but we know it's __fastcall (thanks to the mangling), so it must be called very very often.
- xxxPrintWindow: interesting, must be the underlying PrintWindow implementation.
- ThreadUnlock: used to unlock the thread
- UserSetLastError: used to set the last error in case something went wrong.

With all this it's pretty fair to assume the real PrintWindow code is actually done in xxxPrintWindow.