Thread: Funny API function inside ntdll.dll

  1. #1
    OHPen (Reverse Engineer)

    Funny API function inside ntdll.dll

    Sup ?

    Just while I was bored I dug a bit inside Windows ntdll.dll on WinXP SP2.

    The two API functions I found have very funny name declarations:

    Code:
    __stdcall LdrpCheckForSecuROMImage(x)
    __stdcall LdrpCheckForSafeDiscImage(x)

    I'm not 100% sure, but it seems that Microsoft is fixing some stuff with special SafeDisc and SecuROM images. Funny, isn't it?


    This api function is also interesting:

    Code:
    __stdcall LdrpCheckNxIncompatibleDllSection(x)

    Inside it, it is checked whether the image is probably a StarForce or ASPack image.

    It also seems to me that only a Russian guy was talking about those API functions.
    I hope I can provide more information about it soon.

    Bye

    OHPen

  2. #2
    It looks like these were added later... original XP (5.1.2600.0) doesn't have them.

  3. #3
    dELTA (Administrator)
    Very interesting find OHPen, looking forward to hearing more about your further research about this!
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  4. #4
    King of Redonda
    There is some info about them in the Uninformed article about circumventing DEP: http://www.uninformed.org/?v=2&a=4&t=sumry

    DEP is available since XP SP2.
    <[TN]FBMachine> i got kicked out of barnes and noble once for moving all the bibles into the fiction section

  5. #5
    dELTA (Administrator)
    Cool. Didn't see anything about those protection-specific functions in there though?
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  6. #6
    Added in Service Pack 2...
    Basically it's a 'DEP' switch... if an exe is detected as being SafeDisc or SecuROM protected, then DEP is 'secretly' turned off for the process....
    The signature for SecuROM changed with v7 though, so it's only applicable for SecuROM 5 or lower...
    SafeDisc I think has the same .stxt371 sections etc., so it might still work for it...

  7. #7
    Registered User (Ukraine)
    Also Windows checks for ASPack, to turn off DEP.
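    Posts #6 and #7 describe the loader's check as a look at the image's section names (the .stxt371 section mentioned for SafeDisc). The following is an added example, not code from the thread or from ntdll: a small PE section-table reader that lists section names and flags the ones a defender might want to inventory, since an image that trips this check runs without DEP on XP SP2. The .stxt371 name comes from the thread; the .aspack name is an assumption added for illustration, and the test image is constructed inline rather than taken from a real protected binary.

```python
import struct

# Section names the thread associates with loader special-casing.
# ".stxt371" is stated in the thread (SafeDisc); ".aspack" is assumed here.
SECTION_HINTS = {
    b".stxt371": "SafeDisc-style section (named in thread)",
    b".aspack": "ASPack-style section (assumed name)",
}


def pe_section_names(image: bytes) -> list[bytes]:
    """Return the section names of a PE image, parsed from the section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    # e_lfanew at DOS header offset 0x3C points at the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16.
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size  # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(image):
            raise ValueError("section table truncated")
        names.append(image[off:off + 8].rstrip(b"\0"))
    return names


def protector_hints(image: bytes) -> list[tuple[str, str]]:
    """List (section name, description) for sections matching SECTION_HINTS."""
    return [(n.decode("latin-1"), SECTION_HINTS[n])
            for n in pe_section_names(image) if n in SECTION_HINTS]


def build_test_image(section_names: list[bytes]) -> bytes:
    """Construct a minimal PE32 skeleton with the given section names (test data only)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after DOS header
    opt = bytearray(224)                      # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)     # PE32 magic
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    sample = build_test_image([b".text", b".data", b".stxt371"])
    for name, why in protector_hints(sample):
        print(f"{name}: {why}")
```

In practice you would run `protector_hints` over the bytes of each executable in a software inventory; a hit means the binary carries the section name the loader keys on, which is worth recording before assuming DEP covers it.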

  8. #8
    OHPen (Reverse Engineer)
    Jup,

    I agree with all mentioned ideas concerning the API functions. But what is really interesting for me is why MS is so friendly to make an exception for those companies.
    If we think twice about it you will agree that it should be much more probable that MS ignores the applications which would result in a crash. Then those companies would have been forced to do the fix, not MS.

    So, all in all, it's very strange in my eyes...

    I'm also thinking about the possibility that those companies paid a lot of money to get MS to include this code. For SafeNet or Sony OK, but Alex with ASPack.... not very probable...

    So, it's a little riddle to me
    - Reverse Engineering can be everything, but sometimes it's more than nothing. Really rare moments but then they appear to last ages... -

  9. #9
    They're quick fixes; primarily it happened because it was on a large amount of titles, so the publisher would have to fix every single one, or Microsoft could just make one quick fix which covered all.... I guess it was a question of time and the popularity of the software....

  10. #10
    Just (Guest)
    OHPen, technically you might be right, but for the tens (hundreds?) of millions of people who like to play games it looks like:

    Game works.
    Update Windows to SP2.
    Game doesn't work.
    Blame Microsoft, because the only thing you changed was update Windows.

    If you had a chance to look at the Windows source code that was leaked a while ago, you would see a lot of places where exceptions were created because in a single application a developer made an error, but it still worked on an old version of Windows, so Microsoft had to keep bugs in Windows just to keep it compatible.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  11. #11
    I like the third one from here:
    _http://blogs.msdn.com/oldnewthing/archive/2003/12/23/45481.aspx

  12. #12
    > Quote Originally Posted by reverser:
    > I like the third one from here:
    > _http://blogs.msdn.com/oldnewthing/archive/2003/12/23/45481.aspx

    Raymond's blog is an amazing source for many interesting things. But those "compatibility" stories make me weep.
    Vulnerant omnes, ultima necat.
