Funny API function inside ntdll.dll
OHPen
October 22nd, 2007, 01:28
Sup ?
Just while I was bored I dug a bit inside Windows ntdll.dll on WinXP SP2.
The two API functions I found have very funny name declarations:
Code:
__stdcall LdrpCheckForSecuROMImage(x)
__stdcall LdrpCheckForSafeDiscImage(x)
I'm not 100% sure but it seems that Microsoft is fixing some stuff with special SafeDisc and SecuROM images. Funny, isn't it?
This API function is also interesting:
Code:
__stdcall LdrpCheckNxIncompatibleDllSection(x)
Inside it, it is checked whether the image is probably a StarForce or ASPack image.
It also seems to me that only a Russian guy was talking about those API functions.
I hope I can provide more information about it soon.
Bye
OHPen
LLXX
October 22nd, 2007, 02:09
It looks like these were added later... original XP (5.1.2600.0) doesn't have them.
dELTA
October 22nd, 2007, 04:13
Very interesting find OHPen, looking forward to hearing more about your further research about this!

fr33ke
October 22nd, 2007, 04:47
There is some info about them in the Uninformed article about circumventing DEP: http://www.uninformed.org/?v=2&a=4&t=sumry
DEP is available since XP SP2.
dELTA
October 22nd, 2007, 05:12
Cool.

Didn't see anything about those protection-specific functions in there though?
evlncrn8
October 22nd, 2007, 06:32
added in service pack 2...
basically it's a 'DEP' switch... if an exe is detected as being SafeDisc or SecuROM protected, then DEP is 'secretly' turned off for the process....
the signature for SecuROM changed with v7 though, so it's only applicable for SecuROM 5 or lower...
SafeDisc i think has the same .stxt371 sections etc, so it might still work for it...
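Added example (not part of the thread and not Microsoft's code): a defender-side audit that reads a PE file's section table and flags section names of the kind discussed above, to inventory binaries likely to fall under this DEP compatibility exception. Only `.stxt371` comes from the thread; the `.aspack` entry, the watched-name table and the helper names `section_names`, `flag_image` and `build_sample` are assumptions made for the illustration.

```python
import struct

# Section names to flag. ".stxt371" is the SafeDisc name given in the thread;
# ".aspack" is the section ASPack-packed files carry. That ntdll compares
# against exactly these names is an assumption, not stated in the thread.
WATCHED_SECTIONS = {".stxt371": "SafeDisc", ".aspack": "ASPack"}

def section_names(image: bytes) -> list:
    """Return the section names of a PE image, bounds-checking each offset."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: Machine, NumberOfSections, ..., SizeOfOptionalHeader, ...
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size
    if table + nsect * 40 > len(image):
        raise ValueError("truncated section table")
    names = []
    for i in range(nsect):
        raw = image[table + i * 40: table + i * 40 + 8]  # 8-byte, NUL-padded name
        names.append(raw.split(b"\0", 1)[0].decode("latin-1"))
    return names

def flag_image(image: bytes) -> list:
    """Return the sorted protector/packer labels whose sections are present."""
    found = {n.lower() for n in section_names(image)}
    return sorted(label for name, label in WATCHED_SECTIONS.items() if name in found)

def build_sample(names) -> bytes:
    """Constructed header-only PE (no optional header), for offline testing."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0)
    return dos + coff + b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in names)

if __name__ == "__main__":
    sample = build_sample([".text", ".stxt371", ".rsrc"])  # constructed input
    print(section_names(sample), flag_image(sample))
```

To audit real files, pass the bytes of each executable to `flag_image` and review any hit against the host's DEP policy.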
mr. seeQ
October 22nd, 2007, 10:46
Also, Windows checks for ASPack, to turn off DEP.

OHPen
October 22nd, 2007, 17:19
Jup,
I agree with all the mentioned ideas concerning the API functions. But what is really interesting for me is why MS is so friendly as to make an exception for those companies.
If we think twice about it you will agree that it should be much more probable that MS ignores the applications, which would result in a crash. Then those companies would have to be forced to do the fix, not MS.
So, all in all, it's very strange in my eyes...
I'm also thinking about the possibility that those companies paid a lot of money to make MS include this code. For SafeNet or Sony OK, but Alex with ASPack... not very probable...
So, it's a little riddle to me.

evlncrn8
October 23rd, 2007, 04:47
they're quick fixes, primarily it happened because it was on a large amount of titles, so the publisher would have to fix every single one, or microsoft could just make one quick fix which covered all.... i guess it was a question of time and the popularity of the software....
Just
October 23rd, 2007, 10:47
OHPen, technically you might be right, but for the tens (hundreds?) of millions of people who like to play games it looks like:
Game works.
Update Windows to SP2.
Game doesn't work.
Blame Microsoft, because the only thing you changed was update Windows.
If you had a chance to look at the Windows source code that was leaked a while ago, you would see a lot of places where exceptions were created because in a single application a developer made an error, but it still worked on an old version of Windows, so Microsoft had to keep bugs in Windows just to keep it compatible.
reverser
October 23rd, 2007, 19:11
I like the third one from here:
_http://blogs.msdn.com/oldnewthing/archive/2003/12/23/45481.aspx
omega_red
October 30th, 2007, 04:59
Quote:
Originally Posted by reverser:
I like the third one from here:
_http://blogs.msdn.com/oldnewthing/archive/2003/12/23/45481.aspx
Raymond's blog is an amazing source for many interesting things. But those "compatibility" stories make me weep
