View Full Version : Question about KERNEL32!LockResource.


neviens
October 29th, 2002, 13:46
Hi all!
After searching in KERNEL32.dll for code replacement API
for one well known protector, found a LockResource,
fitting my needs.
It perfectly replaces the code in protector:

push ebp
mov ebp, esp
mov eax, [xxxxxxxx]
mov eax, [ebp+8]
pop ebp
ret 4

with:

Exported fn(): LockResource - Ord:024Eh
|
mov eax, [esp+04]
ret 4

_but_ from win32.hlp I found the following:
>..The LockResource function locks the specified resource in memory...

Here comes my question - how is it possible with this
simple mov and ret? Is it (locking) really done?
Don't want any resource locks in my unpacked app.
Neviens.

_Servil_
October 29th, 2002, 19:30
why don't you look to kernel32.dll?
this func really does just holy nothing

Nigma
October 29th, 2002, 21:28
Hi,

well, when u F I R S T meet those instructions, how can u realize
that it is the LockResource API?

I found azpr's API emu routine , but I could not find anything
about those instructions and their connection to the
LockResource API in azpr's code !

Snatch
October 29th, 2002, 22:44
People have discovered this over time. LockResource effectively does nothing; it simply returns the pointer you pass to it. It is there for compatibility, and because in the future, if they decide to make the resource handles actual handles and not memory addresses that also act as handles, then the behavior could change, and there goes ASPR. In fact ASPR is doing something very bold there in assuming Windows will not change and it is likely. If you look, FreeResource I believe does nothing either; it simply zeroes the pointer. It is actually an obsolete function, though LockResource is still listed as current, meaning it still could change, and then all ASPR applications would cease to work. In fact I would find it hilarious if maybe WinXP SP2 did this. I would have to laugh. Think about what some of these API functions are meant to do. In a lot of cases it is a lot simpler, or merely to reserve future enhancements etc. in advance, or for backwards compatibility. I believe only 4 functions are actually moved straight into the EXE because they are globally the same on all versions of Windows in Kernel32.

Snatch

+SplAj
October 31st, 2002, 09:23
For ASPR and redirection trick what you said is true.

I found a lame-ass Commercial (dis)Protector that claims to use
the Resource API's :-

ProActivate
========

License Link is a feature which allows the protected application to obtain information at run-time regarding the protection status and machine ID as determined by the security envelope, along with some user-specified information that is included in the license file. This information is stored by the security envelope at run-time as RCDATA (#10) resources within the executable that can be accessed via the Win32 API sequence, FindResource(), LoadResource(), and LockResource().

License Link information consists of the following:


Status Code

Protection failure status indicating which (if any) protection tests have failed.

Resource Identifier: PALICENSELINKSTATUSCODE
Data structure: 4 bytes (unsigned long)

Bit definitions:

0x00000000 - Status OK
0x00000001 - InvalidOwner
0x00000002 - InvalidOrganization
0x00000004 - InvalidMachineID
0x00000008 - BeforeStartDate
0x00000010 - AfterEndDate
0x00000020 - UsageLimitReached
0x00000040 - DaysLimitReached

Nice of them to explain
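
The status code format quoted in the post above, decoded in portable C as an added example (not part of the thread and not the vendor's code). The names pa_read_status and pa_describe are hypothetical, the sample bytes are constructed, and little-endian byte order is an assumption; on Windows the buffer would come from the FindResource(), LoadResource(), LockResource() sequence the quoted text names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Bit names copied from the License Link text quoted in the post above. */
static const struct { uint32_t bit; const char *name; } PA_FLAGS[] = {
    {0x01, "InvalidOwner"},     {0x02, "InvalidOrganization"},
    {0x04, "InvalidMachineID"}, {0x08, "BeforeStartDate"},
    {0x10, "AfterEndDate"},     {0x20, "UsageLimitReached"},
    {0x40, "DaysLimitReached"},
};
#define PA_KNOWN_MASK 0x7Fu

/* Read the status from a raw RCDATA payload. Returns 0, or -1 if the payload
 * is not exactly 4 bytes. Little-endian order is an assumption (x86 Windows);
 * the quoted text only says "4 bytes (unsigned long)". */
int pa_read_status(const unsigned char *data, size_t len, uint32_t *status)
{
    if (data == NULL || status == NULL || len != 4) return -1;
    *status = (uint32_t)data[0] | (uint32_t)data[1] << 8 |
              (uint32_t)data[2] << 16 | (uint32_t)data[3] << 24;
    return 0;
}

/* Write the failed tests into buf as a comma-separated list. Returns how many
 * set bits the quoted table does not define, or -1 if buf is unusable. */
int pa_describe(uint32_t status, char *buf, size_t buflen)
{
    size_t used = 0; int unknown = 0;
    if (buf == NULL || buflen == 0) return -1;
    snprintf(buf, buflen, "%s", status == 0 ? "Status OK" : "");
    for (size_t i = 0; i < sizeof PA_FLAGS / sizeof PA_FLAGS[0]; i++) {
        if (!(status & PA_FLAGS[i].bit)) continue;
        int n = snprintf(buf + used, buflen - used, "%s%s", used ? "," : "", PA_FLAGS[i].name);
        if (n < 0 || (size_t)n >= buflen - used) { buf[used] = '\0'; break; }
        used += (size_t)n;
    }
    for (uint32_t rest = status & ~PA_KNOWN_MASK; rest; rest &= rest - 1) unknown++;
    return unknown;
}

int main(void)
{
    const unsigned char sample[4] = {0x14, 0x00, 0x00, 0x00}; /* constructed */
    uint32_t st; char text[64];
    if (pa_read_status(sample, sizeof sample, &st) != 0) return 1;
    pa_describe(st, text, sizeof text);
    printf("0x%08X: %s\n", (unsigned)st, text);
    return 0;
}
```

A non-zero return from pa_describe means bits outside the documented table are set, which a caller should treat as a failed check rather than ignore.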