I believe the ntdll.dll function "RtlAnsiStringToUnicodeString" does not have 3 parameters but 2.

Best regards
Posted on 2003-09-17 08:05:14 by minor28
Strange. These two give the same result.

push TRUE
push offset pAnsi
push offset pUni
call RtlAnsiStringToUnicodeString

stack:
0012FEEC  E0 30 40 00
0012FEF0  C0 30 40 00
0012FEF4  01 00 00 00
0012FEF8  FF FF FF FF

Result:
00132BF8  44 00 69 00  D.i.
00132BFC  61 00 6C 00  a.l.
00132C00  6F 00 67 00  o.g.
00132C04  2E 00 65 00  ..e.
00132C08  78 00 65 00  x.e.


and

push offset pAnsi
push offset pUni
call RtlAnsiStringToUnicodeString

stack:
0012FEF0  E0 30 40 00
0012FEF4  C0 30 40 00
0012FEF8  FF FF FF FF

Result:
00132BF8  44 00 69 00  D.i.
00132BFC  61 00 6C 00  a.l.
00132C00  6F 00 67 00  o.g.
00132C04  2E 00 65 00  ..e.
00132C08  78 00 65 00  x.e.


BTW, do you have some documentation besides http://undocumented.ntinternals.net?

Regards
Posted on 2003-09-17 09:20:28 by minor28
I do not know if this is illegal, but looking at the disassembled form (PS: mods, please remove them if you think they are illegal):


.text:77F914AC public RtlAnsiStringToUnicodeString
.text:77F914AC RtlAnsiStringToUnicodeString proc near ; CODE XREF: RtlIntegerToUnicodeString+41p
.text:77F914AC ; .text:77F86D21p ...
.text:77F914AC
.text:77F914AC arg_0 = dword ptr 8
.text:77F914AC arg_4 = dword ptr 0Ch
.text:77F914AC arg_8 = byte ptr 10h
.text:77F914AC
.text:77F914AC push ebp
.text:77F914AD mov ebp, esp
.text:77F914AF push ebx
.text:77F914B0 xor ebx, ebx
.text:77F914B2 cmp NlsMbCodePageTag, bl
.text:77F914B8 push esi
.text:77F914B9 push edi
.text:77F914BA mov edi, [ebp+arg_4]
.text:77F914BD jnz loc_77F9AC6D
.text:77F914C3 movzx eax, word ptr [edi]
.text:77F914C6 lea eax, [eax+eax+2]
.text:77F914CA
.text:77F914CA loc_77F914CA: ; CODE XREF: .text:77F9AC73j
.text:77F914CA cmp eax, 0FFFFh
.text:77F914CF ja loc_77F9AC78
.text:77F914D5 mov esi, [ebp+arg_0]
.text:77F914D8 cmp [ebp+arg_8], bl
.text:77F914DB lea ecx, [eax-2]
.text:77F914DE mov [esi], cx
.text:77F914E1 jnz loc_77F84E59
.text:77F914E7 cmp cx, [esi+2]
.text:77F914EB jnb loc_77F9AC8C
.text:77F914F1
.text:77F914F1 loc_77F914F1: ; CODE XREF: .text:77F84E69j
.text:77F914F1 movzx eax, word ptr [edi]
.text:77F914F4 push eax
.text:77F914F5 lea eax, [ebp+arg_4]
.text:77F914F8 push dword ptr [edi+4]
.text:77F914FB push eax
.text:77F914FC movzx eax, word ptr [esi]
.text:77F914FF push eax
.text:77F91500 push dword ptr [esi+4]
.text:77F91503 call RtlMultiByteToUnicodeN
.text:77F91508 mov edi, eax
.text:77F9150A cmp edi, ebx
.text:77F9150C jl loc_77F9AC96
.text:77F91512 mov eax, [ebp+arg_4]
.text:77F91515 mov ecx, [esi+4]
.text:77F91518 shr eax, 1
.text:77F9151A mov [ecx+eax*2], bx
.text:77F9151E xor eax, eax
.text:77F91520
.text:77F91520 loc_77F91520: ; CODE XREF: .text:77F9AC7Dj
.text:77F91520 ; .text:77F9AC87j ...
.text:77F91520 pop edi
.text:77F91521 pop esi
.text:77F91522 pop ebx
.text:77F91523 pop ebp
.text:77F91524 retn 0Ch
.text:77F91524 RtlAnsiStringToUnicodeString endp



Since the retn 0C clears 3 parameters, I think it accepts 3 parameters.
Posted on 2003-09-17 10:28:04 by roticv
minor, think about the order args are pushed and the order they appear on the stack. Couldn't it be that there's a "garbage" non-zero value on the stack where you would have pushed TRUE?
Posted on 2003-09-17 11:34:00 by f0dder
Yes roticv, I am convinced that it should be three arguments, but the strange thing is the fact that it works with two.

f0dder, you are right, the first byte is a "garbage" non-zero value. I will use three arguments in the future.

Thanks
Posted on 2003-09-18 00:57:30 by minor28
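A C model of the control flow in roticv's disassembly, added here as an example (not code from the thread or from ntdll), to make f0dder's point concrete: the third stdcall argument (`BOOLEAN AllocateDestinationString` in the documented prototype) selects between writing into the caller's buffer, guarded by the `cmp cx,[esi+2]` size check, and allocating a new one; in minor28's second dump the slot where that argument would be holds FF FF FF FF, so a non-zero leftover selects the allocating path. The structure layouts and `InitAnsi` follow the real types; the branch at loc_77F84E59 (not shown in the thread) and the single-byte conversion are assumptions of this model.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Counted strings as the Rtl*String routines expect them: lengths are in bytes. */
typedef struct { uint16_t Length, MaximumLength; char *Buffer; } ANSI_STRING;
typedef struct { uint16_t Length, MaximumLength; uint16_t *Buffer; } UNICODE_STRING;

/* Standard NTSTATUS values (known constants, not taken from the thread). */
#define STATUS_SUCCESS             ((int32_t)0x00000000)
#define STATUS_BUFFER_OVERFLOW     ((int32_t)0x80000005)
#define STATUS_NO_MEMORY           ((int32_t)0xC0000017)
#define STATUS_INVALID_PARAMETER_2 ((int32_t)0xC00000F0)

/* Like RtlInitAnsiString: wrap a NUL-terminated string without copying it. */
static void InitAnsi(ANSI_STRING *s, const char *z)
{
    s->Buffer = (char *)z;
    s->Length = (uint16_t)strlen(z);
    s->MaximumLength = (uint16_t)(s->Length + 1);
}

/* Model of the control flow in the disassembly for the single-byte code page case
   (NlsMbCodePageTag == 0). The third stdcall argument decides who owns the buffer. */
int32_t ModelAnsiToUnicode(UNICODE_STRING *dst, const ANSI_STRING *src, uint8_t allocate)
{
    /* lea eax,[eax+eax+2]: bytes needed, including the terminating WCHAR */
    uint32_t needed = (uint32_t)src->Length * 2 + 2;
    if (needed > 0xFFFF)                        /* cmp eax,0FFFFh / ja: error exit */
        return STATUS_INVALID_PARAMETER_2;
    dst->Length = (uint16_t)(needed - 2);       /* lea ecx,[eax-2] / mov [esi],cx */
    if (allocate == 0) {
        /* cmp cx,[esi+2] / jnb: the caller's buffer must hold Length plus the NUL */
        if (dst->Length >= dst->MaximumLength)
            return STATUS_BUFFER_OVERFLOW;
    } else {
        /* loc_77F84E59 is not shown in the thread; assumed to allocate a fresh buffer,
           so a non-zero leftover in the third argument slot silently replaces dst->Buffer. */
        dst->MaximumLength = (uint16_t)needed;
        dst->Buffer = malloc(needed);
        if (dst->Buffer == NULL)
            return STATUS_NO_MEMORY;
    }
    /* RtlMultiByteToUnicodeN reduced to a widening copy: exact for ASCII input */
    for (uint16_t i = 0; i < src->Length; i++)
        dst->Buffer[i] = (uint8_t)src->Buffer[i];
    dst->Buffer[dst->Length / 2] = 0;           /* mov [ecx+eax*2],bx: terminating NUL */
    return STATUS_SUCCESS;
}
```

With a two-push call the model behaves exactly as the dumps do: the leftover FF FF FF FF makes it allocate, the conversion succeeds, and the caller's original Buffer pointer is lost.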