anonymous1381, 15-05-2007, 15:57
caki,

maybe you are right, maybe not.

Code:
00EDFE4A    FF15 30494901              CALL DWORD PTR DS:[<&KERNEL32.GetProcAddress>]                    ; kernel32.GetProcAddress
00EDFE50    8945 D0                    MOV DWORD PTR SS:[EBP-30],EAX
00EDFE53    6A 00                      PUSH 0
00EDFE55    6A 04                      PUSH 4
00EDFE57    BA D9DDF5FF                MOV EDX,FFF5DDD9
00EDFE5C    8D942A F3210A00            LEA EDX,DWORD PTR DS:[EDX+EBP+A21F3]
00EDFE63    83EC 04                    SUB ESP,4
00EDFE66    891424                     MOV DWORD PTR SS:[ESP],EDX
00EDFE69    6A 07                      PUSH 7
00EDFE6B    FF15 C84A4901              CALL DWORD PTR DS:[<&KERNEL32.GetCurrentProcess>]                 ; kernel32.GetCurrentProcess
00EDFE71    83EC 04                    SUB ESP,4
00EDFE74    890424                     MOV DWORD PTR SS:[ESP],EAX
00EDFE77    FF55 D0                    CALL DWORD PTR SS:[EBP-30]
The above GetProcAddress returns ZwQueryInformationProcess. However, if I force it to return 0, meaning the API was not found, the app obviously crashes because there is no test to see if the return value was correct.

Maybe the SecuROM devs do a GetVersion to check if the OS supports ZwQueryInformationProcess?
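The listing above, rewritten in C as an added example (this is not code from the post or from SecuROM). The stack it builds is, in push order, ReturnLength = 0, ProcessInformationLength = 4, a pointer into the frame, ProcessInformationClass = 7 (ProcessDebugPort) and the handle from GetCurrentProcess; the split LEA is just obfuscation, since FFF5DDD9h + A21F3h wraps to FFFFFFCCh, so the output buffer is the local at EBP-34h, directly below the saved function pointer at EBP-30h. The example adds the one thing the listing lacks, a test of the value GetProcAddress returned, and reports an error code instead of calling through a null pointer. The names `debug_port_check`, `resolver_fn` and the `DBG_*` codes are the example's own; the `stub_*`/`resolve_*` functions are constructed stand-ins for ntdll so the failure paths can be exercised off Windows, and the real GetProcAddress path is only compiled under `_WIN32`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#ifdef _WIN32
#  include <windows.h>
#  define QIP_CALL NTAPI          /* stdcall on x86, matches ntdll's export */
#else
#  define QIP_CALL                /* no Windows ABI off Windows */
#endif

#define PROCESS_DEBUG_PORT 7u     /* the info class the listing pushes */
#define NT_STATUS_SUCCESS  0L

/* Prototype of Zw/NtQueryInformationProcess (NTSTATUS is a 32-bit LONG). */
typedef long (QIP_CALL *qip_fn)(void *process, unsigned int info_class,
                                void *buffer, unsigned int length,
                                unsigned int *return_length);

/* Indirection over GetProcAddress so the NULL path can be driven by a stub. */
typedef qip_fn (*resolver_fn)(const char *name);

enum dbg_result {
    DBG_RESOLVE_FAILED = -1,   /* GetProcAddress returned 0: API not present */
    DBG_CALL_FAILED    = -2,   /* NTSTATUS was not STATUS_SUCCESS */
    DBG_NO_DEBUGGER    =  0,   /* DebugPort == 0 */
    DBG_DEBUGGER       =  1    /* DebugPort != 0 (normally -1) */
};

/* Same call as the listing: fn(handle, 7, &port, sizeof port, NULL).
 * The 'if (!fn)' branch is the check the original code does not have;
 * sizeof port is 4 on x86 (as in the listing) and 8 on x64. */
int debug_port_check(resolver_fn resolve, void *process)
{
    uintptr_t port = 0;
    long status;
    qip_fn fn = resolve("ZwQueryInformationProcess");

    if (!fn)
        return DBG_RESOLVE_FAILED;

    status = fn(process, PROCESS_DEBUG_PORT, &port,
                (unsigned int)sizeof port, NULL);
    if (status != NT_STATUS_SUCCESS)
        return DBG_CALL_FAILED;
    return port != 0 ? DBG_DEBUGGER : DBG_NO_DEBUGGER;
}

/* ---- constructed stand-ins for ntdll (not real system calls) ---- */
static long QIP_CALL stub_attached(void *p, unsigned int c, void *b,
                                   unsigned int len, unsigned int *rl)
{
    (void)p; (void)rl;
    if (c != PROCESS_DEBUG_PORT || len < sizeof(uintptr_t))
        return (long)0xC0000004L;           /* STATUS_INFO_LENGTH_MISMATCH */
    *(uintptr_t *)b = (uintptr_t)-1;        /* what a debugged process sees */
    return NT_STATUS_SUCCESS;
}
static long QIP_CALL stub_clean(void *p, unsigned int c, void *b,
                                unsigned int len, unsigned int *rl)
{
    (void)p; (void)c; (void)len; (void)rl;
    *(uintptr_t *)b = 0;                    /* no debug port */
    return NT_STATUS_SUCCESS;
}
static long QIP_CALL stub_failing(void *p, unsigned int c, void *b,
                                  unsigned int len, unsigned int *rl)
{
    (void)p; (void)c; (void)b; (void)len; (void)rl;
    return (long)0xC0000022L;               /* STATUS_ACCESS_DENIED */
}
qip_fn resolve_null(const char *n)     { (void)n; return NULL; }
qip_fn resolve_attached(const char *n) { (void)n; return stub_attached; }
qip_fn resolve_clean(const char *n)    { (void)n; return stub_clean; }
qip_fn resolve_failing(const char *n)  { (void)n; return stub_failing; }

#ifdef _WIN32
/* The real thing: ntdll export looked up the way the listing does it. */
static qip_fn resolve_from_ntdll(const char *name)
{
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    return ntdll ? (qip_fn)GetProcAddress(ntdll, name) : NULL;
}
#endif

int main(void)
{
#ifdef _WIN32
    int r = debug_port_check(resolve_from_ntdll, GetCurrentProcess());
#else
    int r = debug_port_check(resolve_attached, NULL);   /* stub run */
#endif
    printf("debug_port_check -> %d\n", r);
    return 0;
}
```

Forcing GetProcAddress to return 0 in a debugger, as the post describes, corresponds to the `resolve_null` path: with the check in place the routine returns `DBG_RESOLVE_FAILED` rather than jumping to address 0.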