> 1 - NtQueryInformationProcess is a stub, except when called with
> ProcessInformationClass set to ProcessDebugPort, which is exactly what the
> copy protection does :-), so this is not really a problem. BTW, I found this
> link on the MSDN website while searching for some doc about
> NtQueryInformationProcess
>
> http://msdn.microsoft.com/msdn-files/026/002/137/NTDLL/Source
> Files/ntdll_cpp.asp
hmm I think NtQueryInformationProcess should set the length of the
modified
data (4 for a DWORD)
> Unfortunately the server returns an error, but it might be worth
> investigating :-)
>
> 2 - int 0x01 is called from within a try{} block (if I read the assembly code
> correctly), and the copy protection code seems to be looking for a side
> effect: the debugger detection returns false (no debugger present) if some
> memory location (0x00435b90), which has been initialized with the value -1,
> contains 0xc0000005 upon completion of int 0x01. Does this ring a bell to
> someone ?
C0000005 is STATUS_ACCESS_VIOLATION
sounds like the code that has been caught in the exception handler
> 3 - fixme:win32:DEVICE_Open Unknown/unsupported VxD Secdrv. Try --winver nt40
> or win31 !
> I haven't been ablt to find any Secdrv.vxd, but there's a secdrv.sys on the
> CD... Should I disassembly it and add the code to wine ? :-)
of course not ;-)
perhaps in that case (true in step 2) it tries to look for further
information
wrt debuggers
A+
