The Implementation by Vendor "X"

A while ago, I compared the implementation of the XpressDecode function in the Windows XP NTLDR with the one of the Sandman project. I found several slight differences. But there is also a third implementation, in a well-known commercial forensics software. This software was released in March 2008, about a month later than Sandman's code. So let's have a closer look at it.

As I did before with the two other implementations, I disassembled the XpressDecode function in IDA Pro and carefully translated it into C-like pseudo code. I could now compare the implementations by Microsoft and Vendor "X" directly, but that would mean repeating the lengthy analysis. For brevity, I compare the reconstructed Sandman code and "X". Here are the differences:

No. 1: In some complex conditions, the expression
(Size1 == CompressedBlockSize)
becomes
(CompressedBlockSize == Size1)

and

(Size1 == CompressedBlockSize)
changes into
(CompressedBlockSize > Size1)

Obviously, both sides of the (in)equation were exchanged. This may indicate a different notation in the program's source. On the other hand, the Sandman binary was compiled by Visual Studio 2005, while Vendor "X" used a Borland compiler. So, it might be a "fingerprint" or "style" of the two compilers. Anyway, there is no functional difference.

No. 2: Now there are some calculations, first by Sandman

DecodeData.BufferLimit = DestinationBuffer + Size1;
DecodeData.CompressedBlockSize1 = CompressedBlockSize - 1;
DecodeData.CompressedBlockSize3 = CompressedBlockSize - 1;

and now by Vendor "X"

DecodeData.BufferLimit = Size1 + DestinationBuffer;
tmp1 = CompressedBlockSize - 1;
DecodeData.CompressedBlockSize1 = tmp1;
DecodeData.CompressedBlockSize3 = tmp1;

In the second variant the compiler saved a few CPU cycles by storing the result in a register for later use. But this requires no modification of the source code - and obviously it doesn't affect the result.

No. 3: Again some calculations. Sandman first

if ((CompressedBlockSize + BlockEntry - DefaultOffset) > 0xe8)
   ...
   DecodeData.AdjustedPadding = CompressedBlockSize + BlockEntry - 0xe8;

and now Vendor "X"

tmp2 = BlockEntry + CompressedBlockSize;
if ((tmp2 - DefaultOffset) > 0xe8)
   ...
   DecodeData.AdjustedPadding = tmp2 - 0xe8;

Again, there are signs of optimization visible in the second variant.
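The way to convince yourself that fragments No. 2 and No. 3 really are equivalent, rather than just eyeballing them, is to write both reconstructed variants out as plain C and feed them identical inputs, including values around the 0xe8 threshold and near the unsigned wrap-around. The following is an added example, not code from the blog post, from Sandman or from Vendor "X": the uint32_t types, the treatment of DestinationBuffer as an integer and the "return 0 when the threshold is not exceeded" fallback are my assumptions, since the post shows only the fragments above.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example, not code from the post, Sandman or Vendor "X".
 * Both reconstructed fragments are written as ordinary C functions so
 * that a differential test can compare them on identical inputs.
 * Assumptions: all operands are uint32_t (the post does not give types),
 * DestinationBuffer is treated as an integer address, and 0 is returned
 * when the padding threshold is not exceeded (the post omits that path). */

#define PADDING_THRESHOLD 0xe8u

/* No. 3, Sandman variant: every expression is written out in full. */
uint32_t sandman_adjusted_padding(uint32_t CompressedBlockSize,
                                  uint32_t BlockEntry,
                                  uint32_t DefaultOffset)
{
    if ((CompressedBlockSize + BlockEntry - DefaultOffset) > PADDING_THRESHOLD)
        return CompressedBlockSize + BlockEntry - PADDING_THRESHOLD;
    return 0; /* assumed fallback, not shown in the post */
}

/* No. 3, Vendor "X" variant: the shared sub-expression is hoisted into tmp2. */
uint32_t vendorx_adjusted_padding(uint32_t CompressedBlockSize,
                                  uint32_t BlockEntry,
                                  uint32_t DefaultOffset)
{
    uint32_t tmp2 = BlockEntry + CompressedBlockSize;
    if ((tmp2 - DefaultOffset) > PADDING_THRESHOLD)
        return tmp2 - PADDING_THRESHOLD;
    return 0; /* assumed fallback, not shown in the post */
}

/* No. 2: the three fields that both variants fill in. */
struct decode_data {
    uint32_t BufferLimit;
    uint32_t CompressedBlockSize1;
    uint32_t CompressedBlockSize3;
};

/* No. 2, Sandman variant: CompressedBlockSize - 1 is computed twice. */
struct decode_data sandman_sizes(uint32_t DestinationBuffer, uint32_t Size1,
                                 uint32_t CompressedBlockSize)
{
    struct decode_data d;
    d.BufferLimit = DestinationBuffer + Size1;
    d.CompressedBlockSize1 = CompressedBlockSize - 1;
    d.CompressedBlockSize3 = CompressedBlockSize - 1;
    return d;
}

/* No. 2, Vendor "X" variant: the result is kept in tmp1 and reused. */
struct decode_data vendorx_sizes(uint32_t DestinationBuffer, uint32_t Size1,
                                 uint32_t CompressedBlockSize)
{
    struct decode_data d;
    uint32_t tmp1 = CompressedBlockSize - 1;
    d.BufferLimit = Size1 + DestinationBuffer;
    d.CompressedBlockSize1 = tmp1;
    d.CompressedBlockSize3 = tmp1;
    return d;
}

/* Differential check: sweep all three inputs over a constructed set of
 * values (around the threshold, small, large, and at the uint32 wrap-around)
 * and count every case in which the two variants disagree. Because unsigned
 * addition and subtraction are associative and commutative modulo 2^32,
 * the expected count is 0. */
unsigned count_mismatches(void)
{
    static const uint32_t samples[] = {
        0u, 1u, 0xe7u, 0xe8u, 0xe9u, 0x100u, 0x1000u, 0xfffffff0u, 0xffffffffu
    };
    const size_t n = sizeof samples / sizeof samples[0];
    unsigned mismatches = 0;

    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < n; j++)
            for (size_t k = 0; k < n; k++) {
                uint32_t a = samples[i], b = samples[j], c = samples[k];
                if (sandman_adjusted_padding(a, b, c) != vendorx_adjusted_padding(a, b, c))
                    mismatches++;
                struct decode_data s = sandman_sizes(a, b, c);
                struct decode_data v = vendorx_sizes(a, b, c);
                if (s.BufferLimit != v.BufferLimit ||
                    s.CompressedBlockSize1 != v.CompressedBlockSize1 ||
                    s.CompressedBlockSize3 != v.CompressedBlockSize3)
                    mismatches++;
            }
    return mismatches;
}
```

count_mismatches() returning 0 is the confirmation that the reordering and the hoisted temporaries in the Vendor "X" build change nothing observable; the same harness would immediately flag a variant that silently changed an operator or a constant, which is the kind of difference the earlier comparison with Microsoft's code turned up.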

To summarize, there are only cosmetic differences between the implementations of Sandman and Vendor "X". The differences were most likely caused by compiler optimizations. They don't affect the program's behavior at large.

As was shown earlier, the Sandman implementation contains a dozen differences and errors that prevent it from fully interoperating with Microsoft's code. Obviously, the commercial software suffers from the very same errors as the open source code.

1 Comment

so the question is...what's the author going to do to fix Sandman? ;-)

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.