(In reply to comment #3) > 0009:Call KERNEL32.CreateFileA(00525527 > "\\\\.\\SICE",80000000,00000003,00000000,00000003,00000080,00000000) > ret=0051ecd1 > 0009:Ret KERNEL32.CreateFileA() retval=ffffffff ret=0051ecd1 > 0009:Call KERNEL32.CreateFileA(00525530 > "\\\\.\\NTICE",80000000,00000003,00000000,00000003,00000080,00000000) > ret=0051ecd1 > 0009:Ret KERNEL32.CreateFileA() retval=ffffffff ret=0051ecd1 > 0009:Call KERNEL32.CreateFileA(0052553a > "\\\\.\\NTFIRE",80000000,00000003,00000000,00000003,00000080,00000000) > ret=0051ecd1 > 0009:Ret KERNEL32.CreateFileA() retval=ffffffff ret=0051ecd1 > > Looks like copyprotection?
Those lines are probably harmless, presumably the application is checking for the presence of a kernel debugger like SoftICE.
(In reply to comment #3) CreateFileA( 00525527 \SICE", 80000000, 00000003, 00000000, 00000003, 00000080, 00000000) CreateFileA( ) retval=ffffffff ret=0051ecd1 CreateFileA( 00525530 \NTICE" ,80000000, 00000003, 00000000, 00000003, 00000080, 00000000) CreateFileA( ) retval=ffffffff ret=0051ecd1 CreateFileA( 0052553a \NTFIRE" ,80000000, 00000003, 00000000, 00000003, 00000080, 00000000) CreateFileA( ) retval=ffffffff ret=0051ecd1
> 0009:Call KERNEL32.
> "\\\\.\
> ret=0051ecd1
> 0009:Ret KERNEL32.
> 0009:Call KERNEL32.
> "\\\\.\
> ret=0051ecd1
> 0009:Ret KERNEL32.
> 0009:Call KERNEL32.
> "\\\\.\
> ret=0051ecd1
> 0009:Ret KERNEL32.
>
> Looks like copyprotection?
Those lines are probably harmless, presumably the application is checking for the presence of a kernel debugger like SoftICE.