Anonymous
February 9th, 2001, 11:16
Quote:
Bratscher (02-08-2001 11:09):
hmemcpy is a 32 bit function. Alright, check it in Sice:
it uses extended registers.
This is a code snippet from inside hmemcpy taken directly from the cracknotes:
...
I don't know anything about the cracknotes, and can't figure out why ppl feel the need to speak about arguments that they don't know at all.
HMEMCPY was implemented first in Windows 3.0 (16 bit) and was, and still is, exported by KRNL386.EXE, a 16 bit (obviously) module; its name corresponds to ordinal 348, at least in Windows 3.1, Windows 95, Windows 98, Windows NT 4 and Windows 2000. This is part of the disassembly listing of the function from the KRNL386 module that is part of Windows 2000 Build 2128 (a pre-release version); the implementation in Windows NT, 9x and 3.1 is almost identical.
cseg01:8976 ; Attributes: bp-based frame
cseg01:8976
cseg01:8976 public HMEMCPY
cseg01:8976 HMEMCPY proc far ; CODE XREF: sub_0_9AFC+5Ep
cseg01:8976
cseg01:8976 var_2 = word ptr -2
cseg01:8976 arg_0 = word ptr 6
cseg01:8976 arg_2 = word ptr 8
cseg01:8976 arg_4 = dword ptr 0Ah
cseg01:8976 arg_8 = dword ptr 0Eh
cseg01:8976
cseg01:8976 enter 2, 0 ; KERNEL_348
cseg01:897A push ds
cseg01:897B push si
cseg01:897C push di
cseg01:897D mov ds, cs:word_0_30
cseg01:8982 mov bx, word_128B_464
cseg01:8986 mov [bp+var_2], bx
cseg01:8989 mov dx, [bp+arg_2]
cseg01:898C mov ax, [bp+arg_0]
cseg01:898F xor cx, cx
cseg01:8991 lds si, [bp+arg_4]
cseg01:8994 les di, [bp+arg_8]
cseg01:8997 cld
cseg01:8998
cseg01:8998 loc_0_8998: ; CODE XREF: HMEMCPY+7Fj
cseg01:8998 mov cx, 8000h
cseg01:899B cmp cx, si
cseg01:899D jnb loc_0_89A1
cseg01:899F mov cx, si
cseg01:89A1
cseg01:89A1 loc_0_89A1: ; CODE XREF: HMEMCPY+27j
cseg01:89A1 cmp cx, di
cseg01:89A3 jnb loc_0_89A7
cseg01:89A5 mov cx, di
cseg01:89A7
cseg01:89A7 loc_0_89A7: ; CODE XREF: HMEMCPY+2Dj
cseg01:89A7 neg cx
cseg01:89A9 or dx, dx
cseg01:89AB jnz loc_0_89B3
cseg01:89AD cmp cx, ax
cseg01:89AF jbe loc_0_89B3
cseg01:89B1 mov cx, ax
cseg01:89B3
cseg01:89B3 loc_0_89B3: ; CODE XREF: HMEMCPY+35j
cseg01:89B3 ; HMEMCPY+39j
cseg01:89B3 sub ax, cx
cseg01:89B5 sbb dx, 0
cseg01:89B8 test [bp+var_2], 2Ch
cseg01:89BD jnz loc_0_89CA
cseg01:89BF shr cx, 1
cseg01:89C1 repe movsw
cseg01:89C3 adc cx, 0
cseg01:89C6 repe movsb
cseg01:89C8 jmp short loc_0_89D7
...
...
; CODE XREF: HMEMCPY+65j
cseg01:89FF pop di
cseg01:8A00 pop si
cseg01:8A01 pop ds
cseg01:8A02 assume ds:dseg04
cseg01:8A02 leave
cseg01:8A03 retf 0Ch
cseg01:8A03 HMEMCPY endp
This means that if you add "EXP %SystemRoot%\system32\krnl386.exe" to the export list in SoftICE, on any NT system, SoftICE will accept the "bpx hmemcpy" command; however, SoftICE will never break on it, because HMEMCPY is a 16 bit function and neither the Win32 subsystem nor the NT DOS Virtual Machine will ever call it. HMEMCPY is still implemented for backward compatibility, just in case some program called it directly, but I've never seen a program that referenced it. In Windows 9x, as many OS functions are implemented by thunking to 16 bit modules, HMEMCPY is widely used to perform memory chunk copying; therefore, the related EXP line is present in the default .DAT file. Not so on NT systems; besides, MEMCPY DOES NOT perform the same functions as HMEMCPY does on 9x systems, so setting such a breakpoint is useless for cracking purposes.
Regards
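The chunking logic of the listing above (loc_0_8998 through loc_0_89B3), as an added C model that is not code from the post or from KRNL386. The segment step taken when an offset wraps lies in the part of the listing elided by "...", so it is an assumption here; the 0x2C flag test that selects the word-copy path is not modelled.

```c
#include <stdint.h>
#include <string.h>

/* Bytes copied by one pass of the loop. cx starts at 8000h, is raised to si
 * and then di if either is larger, then negated, so
 * cx = min(8000h, 10000h - si, 10000h - di): a pass never runs an offset past
 * the end of its 64 KiB segment. The low word of the 32-bit count (ax) only
 * bounds cx while the high word (dx) is zero. */
uint16_t hmemcpy_chunk(uint16_t si, uint16_t di, uint32_t remaining)
{
    uint16_t cx = 0x8000;
    if (si > cx) cx = si;                    /* cmp cx,si / jnb / mov cx,si */
    if (di > cx) cx = di;                    /* cmp cx,di / jnb / mov cx,di */
    cx = (uint16_t)(0u - cx);                /* neg cx */
    if ((remaining >> 16) == 0 && cx > (remaining & 0xFFFF))
        cx = (uint16_t)remaining;            /* or dx,dx / jnz ; cmp cx,ax / jbe ; mov cx,ax */
    return cx;
}

/* Drive the chunk logic over a flat array standing in for real-mode memory
 * (address = segment * 16 + offset). Assumption (elided in the listing): when
 * an offset wraps to 0, its segment moves up by 1000h. Returns pass count. */
unsigned hmemcpy_model(uint8_t *mem, uint16_t sseg, uint16_t soff,
                       uint16_t dseg, uint16_t doff, uint32_t count)
{
    unsigned passes = 0;
    while (count != 0) {
        uint16_t cx = hmemcpy_chunk(soff, doff, count);
        memcpy(mem + (uint32_t)dseg * 16 + doff,        /* rep movsw + rep movsb, forward (cld) */
               mem + (uint32_t)sseg * 16 + soff, cx);
        count -= cx;                                    /* sub ax,cx / sbb dx,0 */
        soff += cx; doff += cx;                         /* si, di advance; wrap at 10000h */
        if (soff == 0) sseg += 0x1000;                  /* assumed segment step */
        if (doff == 0) dseg += 0x1000;
        passes++;
    }
    return passes;
}

/* Constructed check: 2000h bytes from 1000:F000 to 3000:0100 hit the end of
 * the source segment after 1000h bytes, so two passes are needed.
 * Returns the pass count on a byte-exact copy, 0 otherwise. */
unsigned hmemcpy_selftest(void)
{
    static uint8_t mem[0x40000];
    for (uint32_t i = 0; i < 0x2000; i++) mem[0x1F000 + i] = (uint8_t)(i * 7 + 3);
    unsigned passes = hmemcpy_model(mem, 0x1000, 0xF000, 0x3000, 0x0100, 0x2000);
    return memcmp(mem + 0x1F000, mem + 0x30100, 0x2000) == 0 ? passes : 0;
}
```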