How can I modify a win xp system dll?
Japheth
August 26th, 2004, 04:02
Hi,
I would like to change some bytes in ntdll.dll. The change itself is easy, of course, but WinXP doesn't like the modified binary and reboots immediately. What must be done to make XP accept such modifications?
Japheth
ZaiRoN
August 26th, 2004, 04:27
Hi Japheth,
you have to avoid the Windows File Protection system. In a few words, you have to patch a system dll named sfc_os.dll (sfc.dll for 2k) and remove some keys from the registry. For the moment, I won't tell you anything more because it's a funny reversing game (but if you want...)
Good luck,
ZaiRoN
MaRKuS-DJM
August 26th, 2004, 05:04
I know that modification too, ZaiRoN! I wonder why Microsoft disabled the registry keys to disable SFC. After you have patched it, all patches are no problem (I just used it for the UXTheme patch, the TCP/IP patch and the kernel IsDebuggerPresent patch).
Japheth
August 26th, 2004, 12:20
> For the moment, I won't tell you anything more because it's a
> funny reversing game (but if you want...)
Some more hints would be appreciated. Maybe I'm losing some fun then, but currently I'm engaged in too many such funny games.
Japheth
Neitsa
August 26th, 2004, 12:35
Hello,
A Google search for "sfc.dll" returns numerous matches about this trick. Here's one of them, very well explained:
http://www.collakesoftware.com/aboutwfp.htm
If you have a multi-boot setup, you can also do it from another OS...
Regards, Neitsa.
JMI
August 26th, 2004, 14:27
Oh Oh. Somebody is stealing my "search and ye shall find" lines.

Glad to have the help.
Regards,
Japheth
August 26th, 2004, 22:55
thanks, Neitsa
lifewire
August 27th, 2004, 03:22
Patching is not the right thing to do. sfc_dll exports a function (only by ordinal, not by name) to disable it at all.
Japheth
August 27th, 2004, 07:10
To lifewire: But it has worked. Of course, since this solution may cause problems if one installs another service pack, it would be nice to know more details about your mysterious ordinal-exported function.
lifewire
August 31st, 2004, 13:58
Japheth: http://29a.host.sk/29a-7/Articles/29A-7.004
Two ways: to disable it for one minute and to disable it entirely (as long as the system isn't rebooted). Good luck

bilbo
September 3rd, 2004, 01:38
Beautiful and precious, lifewire!
During my reversing I found a third method: the replacement of the dll SFCFILES.DLL, which is simply an enumeration of files to watch, with a little code at the start of the DLL to return the start of the list and the number of files, according to the XP version running on the computer.
The method is implemented by Damian Bokowski (http://www.d--b.webpark.pl/dreampackpl_en.htm), who simply sets a null list inside SFCFILES.DLL. He also provides a nice tool...
Regards, bilbo
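A defender-side check for the tampering discussed in this thread, added here as an example (not code from the thread or from the tools it links): it compares the WFP components named above against a hash baseline from a clean install and asks WFP itself, through the documented SfcIsFileProtected export of sfc.dll, whether ntdll.dll is still on its protected list, which a nulled SFCFILES.DLL list or a disabled engine would deny. It assumes Windows XP/2003 with PowerShell 2.0 or later; the baseline hashes are placeholders you record from a known-good machine at the same service-pack level.

```powershell
# Added example, not from the thread. Assumes XP/2003, PowerShell 2.0+, and a
# baseline of SHA-256 hashes recorded from a known-good install of the same
# service-pack level (placeholders below).
Add-Type -Namespace Wfp -Name Native -MemberDefinition @"
[DllImport("sfc.dll", CharSet = CharSet.Unicode)]
public static extern bool SfcIsFileProtected(IntPtr rpcHandle, string protFileName);
"@

$sys = Join-Path $env:SystemRoot 'system32'
# Components the thread names: the engine (sfc_os.dll), its protected-file
# list (sfcfiles.dll) and the file Japheth wanted to change (ntdll.dll).
$baseline = @{
    'sfc_os.dll'   = '<sha256 from clean install>'   # placeholder
    'sfcfiles.dll' = '<sha256 from clean install>'   # placeholder
    'ntdll.dll'    = '<sha256 from clean install>'   # placeholder
}

function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs = [System.IO.File]::OpenRead($Path)
    try { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

$findings = @()
foreach ($name in $baseline.Keys) {
    $path = Join-Path $sys $name
    if (-not (Test-Path $path)) { $findings += "$path missing"; continue }
    if ((Get-Sha256Hex $path) -ne $baseline[$name]) {
        $findings += "$path differs from baseline (patched or replaced)"
    }
}

# A stock XP lists ntdll.dll as protected. A nulled sfcfiles.dll list or a
# disabled engine makes WFP answer FALSE here even if the file itself is intact.
$ntdll = Join-Path $sys 'ntdll.dll'
if (-not [Wfp.Native]::SfcIsFileProtected([IntPtr]::Zero, $ntdll)) {
    $findings += "WFP no longer reports $ntdll as protected (list or engine tampered)"
}

if ($findings.Count -eq 0) { 'WFP components match baseline and WFP is active' }
else { $findings }
```

The hash comparison catches a patched sfc_os.dll or a replaced sfcfiles.dll; the SfcIsFileProtected probe catches the in-memory and registry-based disabling methods mentioned earlier in the thread, which leave the files on disk untouched.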
Japheth
September 3rd, 2004, 01:59
Very good links, thanks guys
nikolatesla20
September 3rd, 2004, 06:56
I think so many reversers are busy working on commercial protections and the like that they forget they can also spend some time reversing their O.S., just as the gentleman in the above link did. Obviously, how can Microsoft apply Service Packs, etc., without disabling SFP? So it makes sense that they have a method for it. (In a similar vein, reversing another MS product is how I came upon Virtual PC detection methods, and the like.)
The good thing is reversing MS code is usually easy, since it's not traditionally protected in any way, and it gives an RCE engineer a more in-depth knowledge of his operating system.
-nt20
bilbo
September 3rd, 2004, 08:36
Hi, nikolatesla20, I fully agree with you!
> [Originally Posted by nikolatesla20] The good thing is reversing MS code is usually easy, since it's not traditionally protected in any way
and they give away the .PDB files for free...
> [Originally Posted by nikolatesla20] and it gives an RCE engineer a more in-depth knowledge of his operating system
which is at a higher level compared to the knowledge he/she gains from reversing single commercial apps...
Regards, bilbo