I’m working through a reverse engineering exercise using olly.
00402D71 |. 6A 00          PUSH 0                  ; /hTemplateFile = NULL
00402D73 |. 68 80000000    PUSH 80                 ; |Attributes = NORMAL
00402D78 |. 6A 03          PUSH 3                  ; |Mode = OPEN_EXISTING
00402D7A |. 6A 00          PUSH 0                  ; |pSecurity = NULL
00402D7C |. 6A 00          PUSH 0                  ; |ShareMode = 0
00402D7E |. 68 00000080    PUSH 80000000           ; |Access = GENERIC_READ
00402D83 |. FF75 F0        PUSH DWORD PTR SS:[EBP-10] ; |C:\Windows\system32\eLearnRE#5.dat
00402D86 |. E8 DF642300    CALL <JMP.&KERNEL32.CreateFileA> ; \CreateFileA
On Windows 10, I created the eLearnRE#5.dat file and verified that NTFS permissions make it readable. But even so, I get 0xFFFFFFFF with ERROR_FILE_NOT_FOUND (00000002) as the result of the CALL CreateFileA.
This is what I have tried already (without success):
- Copied and pasted the name from ollydbg to make sure I don’t have any typos
- Compared the two filenames letter by letter in notepad to check for typos
- Patched the process memory to try reading an existing file in C:\temp\test.txt (just in case c:\windows\System32\eLearnRE#5.dat had some special restrictions because it’s in a system folder)
- Put some data into the file just in case it had trouble handling a blank file for some reason.
- Ran olly as Administrator
This works perfectly fine in Windows XP, but not in Windows 10. Why?
The credit for the answer goes to Hans Passant for the pointer to https://docs.microsoft.com/en-us/windows/win32/winprog64/file-system-redirector
- On 64-bit Windows, 32-bit applications are redirected to C:\windows\syswow64
- As soon as I moved the file to C:\windows\syswow64, things started to work as expected
Answered By – user3280964
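The redirection behind the answer, modelled in Python as an added example (not code from the thread or from Microsoft): is_wow64_process() asks kernel32's real IsWow64Process when run on Windows, and effective_path() is a simplified model, an assumption built from the Microsoft page linked above, of where a 32-bit process's CreateFileA actually lands, including the Sysnative alias and the exempt System32 subdirectories.

```python
import ctypes
import sys

# System32 subdirectories the WOW64 redirector leaves untouched
# (per the linked Microsoft file-system-redirector page).
EXEMPT = {"catroot", "catroot2", "driverstore", "logfiles", "spool"}


def is_wow64_process() -> bool:
    """True for a 32-bit process on 64-bit Windows; False on other platforms."""
    if sys.platform != "win32":
        return False
    k32 = ctypes.windll.kernel32
    flag = ctypes.c_int(0)
    k32.IsWow64Process(k32.GetCurrentProcess(), ctypes.byref(flag))
    return bool(flag.value)


def effective_path(path: str, wow64: bool, windir: str = r"C:\Windows") -> str:
    """Simplified model (assumption) of the path a CreateFileA call really opens.

    wow64=True models a 32-bit process on 64-bit Windows; paths outside
    %windir% and in a native 64-bit process are returned unchanged.
    """
    parts = path.replace("/", "\\").split("\\")
    root = windir.split("\\")
    n = len(root)
    inside = [p.lower() for p in parts[:n]] == [r.lower() for r in root]
    if not wow64 or not inside or len(parts) <= n:
        return path
    sub = parts[n].lower()
    rest = parts[n + 1:]
    if sub == "system32":
        # Exempt subdirectories are shared between 32- and 64-bit views.
        if rest and rest[0].lower() in EXEMPT:
            return path
        parts[n] = "SysWOW64"          # the silent redirect that bit the asker
    elif sub == "sysnative":
        parts[n] = "System32"          # alias that reaches the real System32
    return "\\".join(parts)


if __name__ == "__main__":
    # Constructed sample: the exact path from the disassembly above.
    target = r"C:\Windows\system32\eLearnRE#5.dat"
    print("WOW64 process:", is_wow64_process())
    print("32-bit view :", effective_path(target, wow64=True))
    print("64-bit view :", effective_path(target, wow64=False))
```

The same redirect matters when reviewing artifacts after an incident: files a 32-bit process believes it wrote to System32 are found under SysWOW64.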