I just examined it in OllyDbg; it differs from the original file in 50 bytes only, and the alterations are located around dcbox (plus codecave), chatfilter, gameguard nag, and security patches so it's not detected by the client. (Did I miss anything? :P) Anyway, I'm not going to test it, since I use my own, a lot more subtle loader, but one thing is sure: there's no way anyone could manage to put virii/keylog in 50 bytes.
Cheers
edit: here's the WinHex comparison report if someone wants to check it himself
also chat filter? :S
275CA6: D9 EB
275CD0: 7A EB
chat filter...
2A9776: 74 EB
jump to dcbox codecave
33902E: 0F E9
33902F: 85 9A
339030: 9E 9F
339031: 00 48
avoid detection
344387: 0F 90
344388: 84 E9
gameguard
5BD2F0: 83 C3
5BD2F1: EC 90
5BD2F2: 5C 90
text for chat filter I think, it says something like GreyCode in reverse, lol
7C2E6B: 00 72
7C2E6C: 00 70
7C2E6D: 00 6B
7C2E6E: 00 33
7C2E6F: 00 6E
7C2E70: 00 6F
7C2E71: 00 64
7C2E72: 00 63
7C2E73: 00 79
7C2E74: 00 65
7C2E75: 00 72
7C2E76: 00 67
7C2E77: 00 78
7C2E78: 00 6F
7C2E79: 00 66
7C2E7A: 00 2B
7C2E7B: 00 66
7C2E7C: 00 6C
7C2E7D: 00 74
7C2E7E: 00 72
dc box codecave
7C2FCD: 00 3E
7C2FCE: 00 8B
7C2FCF: 00 0D
7C2FD0: 00 D0
7C2FD1: 00 3F
7C2FD2: 00 F5
7C2FD4: 00 8B
7C2FD5: 00 11
7C2FD6: 00 8B
7C2FD7: 00 42
7C2FD8: 00 14
7C2FD9: 00 FF
7C2FDA: 00 D0
7C2FDB: 00 5F
7C2FDC: 00 83
7C2FDD: 00 C4
7C2FDE: 00 10
7C2FDF: 00 C3
50 difference(s) found.
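
Added example (not part of the original post): a short Python triage script for a byte-comparison report in the `OFFSET: OLD NEW` layout shown above. It groups differing bytes into runs, separates overwritten bytes from bytes written into zero-filled regions, and checks the parsed count against the report's stated total; the function names, the one-byte gap tolerance and the sample report are constructed for illustration.

```python
import re

DIFF = re.compile(r"^\s*([0-9A-Fa-f]+):\s+([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{2})\s*$")
TOTAL = re.compile(r"^\s*(\d+) difference\(s\) found", re.M)

def parse_report(text):
    """Sorted (offset, old, new) tuples; note and summary lines are skipped."""
    hits = (DIFF.match(line) for line in text.splitlines())
    return sorted(tuple(int(g, 16) for g in m.groups()) for m in hits if m)

def group_runs(diffs, max_gap=1):
    """Cluster diffs by offset. The report lists only bytes that differ, so a
    patched byte equal to the original leaves a hole; max_gap bridges it."""
    runs = []
    for d in diffs:
        if runs and d[0] - runs[-1][-1][0] <= max_gap + 1:
            runs[-1].append(d)
        else:
            runs.append([d])
    return runs

def summarize(text):
    """(start, span, changed, kind) per run: 'fill' means every original byte
    was 0x00 (written into padding), 'in-place' means existing bytes changed."""
    out = []
    for run in group_runs(parse_report(text)):
        kind = "fill" if all(old == 0 for _, old, _ in run) else "in-place"
        out.append((run[0][0], run[-1][0] - run[0][0] + 1, len(run), kind))
    return out

def count_matches(text):
    """True when the parsed diff count equals the report's stated total."""
    m = TOTAL.search(text)
    return m is not None and int(m.group(1)) == len(parse_report(text))

# Constructed sample in the same layout (offsets and bytes are made up).
SAMPLE = """\
single byte
001000: 74 EB
in-place run
002000: 0F E9
002001: 85 10
002002: 9E 20
fill with a gap
003000: 00 8B
003001: 00 0D
003003: 00 C3
7 difference(s) found.
"""

if __name__ == "__main__":
    for start, span, changed, kind in summarize(SAMPLE):
        print(f"{start:06X} span={span} changed={changed} {kind}")
    print("count matches:", count_matches(SAMPLE))
```

A report whose parsed count does not match its stated total has been truncated or edited, so the per-run summary should not be trusted until the comparison is rerun.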