Sup ?

Just while i was bored i and digged a bit inside windows ntdll.dll on winxp sp2.

the two api functions i found have very funny name declaration:


Im not 100% sure but it seems to be that microsoft is fixing some stuff with special safedisc and securom images. funny, isn't it ?


This api function is also interesting:


Inside it it is checked whether the image is probably a Starfoce or Aspack image.

It also seems to me that only a russian guy was talking about thoses API functions.
I hope i can provide more information about it soon.

Bye

OHÜen

It looks like these were added later... original XP (5.1.2600.0) doesn't have them.

Very interesting find OHPen, looking forward to hearing more about your further research about this!

There is some info about them in the Uninformed article about circumventing DEP: http://www.uninformed.org/?v=2&a=4&t=sumry

DEP is available since XP SP2.

Cool. Didn't see anything about those protection-specific functions in there though?

added in service pack 2...
basically its 'dep' switch... if an exe is detected as being safedisc or securom protected, then dep is 'secretly' turned off for the process....
the signature for securom changed with v7 though, so its only applicable for securom 5 or lower...
safedisc i think has the same .stxt371 sections etc, so it might still work for it...

Also Windows check for aspack, to turn off dep

Jup,

i agree with all mentioned ideas concerning the api functions. But what is really interesting for me is why is ms so friendly to make an exception for those companies.
If we think twice about it you will agree that it should be much more probable that ms ignores the applications which would result in a crash. Then those companies had to be forced to do the fix not ms.

So, all in all, its very strange in my eyes...

I also thinking about the possibilitiy that those companies paid a lot of money to do ms include this code. For SafeNet or Sony ok, but alex with aspack.... not very probable...

So, it's a little riddle to me

they're quick fixes, primarially it happened because it was on a large amount of titles, so the publisher would have to fix every single one, or microsoft could just make one quick fix which covered all.... i guess it was a question of time and the popularity of the software....

OHPen, technically you might be right, but for the tens (hundreds?) of millions of people who like to play games it looks like:

Game works.
Update Windows to SP2.
Game doesn't work.
Blame Microsoft, because the only thing you changed was update Windows.

If you had a chance to look at the Windows sourcecode that was leaked a while ago, you would see a lot of places where exceptions were created because in a single application a developer made an error, but it still worked on an old version of Windows, so Microsoft had to keep bugs in Windows just to keep it compatible.

I like the third one from here:
_http://blogs.msdn.com/oldnewthing/archive/2003/12/23/45481.aspx

Raymond's blog is an amazing source for many interesting things. But those "compatibility" stories make me weep