War Rock Cheat Programming Discussion
Discussion on War Rock Cheat Programming Discussion within the WarRock forum part of the Shooter category.
08/12/2014, 12:37
#766
elite*gold: 98
Join Date: Nov 2011
Posts: 1,267
Received Thanks: 1,019
Code:
using System;
using System.Text;
using System.Threading;

// Set by the search below; stays 0 until a key has been found.
static int bKey;

// Tries candidate XOR keys against the encrypted items.bin content on a
// background thread and stops at the first key whose plaintext contains the
// "[ITEM SETTING]" section header. Depends on NikM's Crypt class (not shown).
public static void GetKey(string Encrypted)
{
    Thread t = new Thread(() =>
    {
        //String Encrypted = "160B07072071637E6F670A796F7E7E63646D772023167C6F7879636564142023236C63666F757C6F78796365640A0A0A0A0A0A0A0A";
        for (int i = 1; i < 400; i++)
        {
            Crypt.setKey(i);
            char[] decrypted = Crypt.Decrypt(Encoding.Default.GetBytes(Encrypted));
            string plain = new string(decrypted);
            if (plain.Contains("[ITEM SETTING]")) // known-plaintext check
            {
                bKey = i;
                break;
            }
        }
    });
    t.IsBackground = true;
    t.Start();
}
A function to get the XOR key of the items.bin file.
The Encrypted var is commented out, but you need the same set of characters (or just those from [ITEM SETTING]).
Screen was a test run on a script from 24-3-2013 by hero9910.
On a recent items.bin:
Ah, and before I forget: credits to NikM because of his Crypt class.
08/12/2014, 12:53
#767
elite*gold: 0
Join Date: Aug 2014
Posts: 10
Received Thanks: 4
WarRock Global addys 12-8-2014 (tomorrow's update will also be posted)
#define ADR_POINTER_PLAYER 0xB18F60;
#define ADR_POINTER_SERVER 0xB11728;
#define ADR_POINTER_MATRIX 0xA9E7E0;
#define ADR_POINTER_ANGELS 0xB107B4;
#define ADR_POINTER_WEAPON 0xB37508;
#define ADR_POINTER_CLASS 0xB6B1F0;
#define ADR_POINTER_BASE 0xB6A848;
#define ADR_POINTER_ROOM 0xB19184;
#define ADR_POINTER_SLOT 0x3C870;
#define ADR_POINTER_DEVICE 0xB107B8;
#define ADR_MEMORY_ACCURACY_AS 0xB1D67C;
#define ADR_MEMORY_WALKTHROUGHWALLS 0x960500;
#define ADR_MEMORY_DEFUSEANYWHERE 0xAB8654;
#define ADR_MEMORY_PLANTANYWHERE 0xB108A3;
#define ADR_MEMORY_SUPERNOSPREAD 0x8F89F8;
#define ADR_MEMORY_QUICKPLANT 0xB107D8;
#define ADR_MEMORY_QUICKDEFUSE 0xB107D8;
#define ADR_MEMORY_NOWATER_1 0xB1FDF0;
#define ADR_MEMORY_NOWATER_2 0xB1FDF4;
#define ADR_MEMORY_NOBOUNDS1 0xC60FC0;
#define ADR_MEMORY_NOBOUNDS2 0xC60FC4;
#define ADR_MEMORY_NOBOUNDS3 0xC60FC8;
#define ADR_MEMORY_BONE 0x8F99E8;
#define ADR_MEMORY_ANTIAFKKICK 0xC60FC0;
#define ADR_MEMORY_NOSPAWNWAIT 0xC6B5D4;
#define ADR_MEMORY_SHOOTTROUGHWALLS 0x8F8CB0;
#define ADR_MEMORY_STAMINA1 0x8C21E0;
#define ADR_MEMORY_STAMINA2 0x8C21E4;
#define ADR_MEMORY_STAMINA3 0x8C21E8;
#define ADR_MEMORY_STAMINA4 0x8C21EC;
#define ADR_MEMORY_STAMINA5 0x8C21F0;
#define ADR_MEMORY_AUTOREPAIR 0xB107FF;
#define ADR_MEMORY_SILENTRELOAD 0xC60FC4;
#define ADR_OFFSET_GLOBALPLAYERSIZE 0xB18;
#define ADR_OFFSET_LOCALPLAYERSIZE 0xDECC;
#define ADR_OFFSET_DEVICE 0x2B930;
#define ADR_OFFSET_NORECOIL_1 0xC444;
#define ADR_OFFSET_NORECOIL_2 0xC448;
#define ADR_OFFSET_NORECOIL_3 0xC44C;
#define ADR_OFFSET_INDEX 0xC498;
#define ADR_OFFSET_GRAVITY_X 0xC4AC;
#define ADR_OFFSET_GRAVITY_Y 0xC4B0;
#define ADR_OFFSET_GRAVITY_Z 0xC4B4;
#define ADR_OFFSET_WEAPONSTATE 0xC4D4;
#define ADR_OFFSET_NOSPREAD 0x0;
#define ADR_OFFSET_FASTNADEBLAST 0x4;
#define ADR_OFFSET_PLAYERVIEW3D 0x90;
#define ADR_OFFSET_YAW 0x101C8;
#define ADR_OFFSET_VIEW_X 0x101D8;
#define ADR_OFFSET_VIEW_Y 0x101DC;
#define ADR_OFFSET_VIEW_Z 0x101E0;
#define ADR_OFFSET_WEAPON_1 0x101F0;
#define ADR_OFFSET_WEAPON_2 0x101F2;
#define ADR_OFFSET_WEAPON_3 0x101F4;
#define ADR_OFFSET_NOFALLDAMAGE 0x102EC;
#define ADR_OFFSET_POS_X 0x10304;
#define ADR_OFFSET_POS_Y 0x10314;
#define ADR_OFFSET_POS_Z 0x1030C;
#define ADR_OFFSET_AUTOPLANT 0x0;
#define ADR_OFFSET_AUTODEFUSE 0x4;
#define ADR_OFFSET_AUTOSHOT 0x16;
#define ADR_OFFSET_NOM134IDLE 0x103FC;
#define ADR_OFFSET_ROOMNUMBER 0x40C98;
#define ADR_OFFSET_MYPLAYERSLOT 0x40C9C;
#define ADR_OFFSET_MYTEAM 0x40CA0;
#define ADR_USER_READY 0xB6B290;
08/12/2014, 13:29
#768
elite*gold: 32
Join Date: Dec 2009
Posts: 937
Received Thanks: 1,307
Quote:
Originally Posted by ~Nazar*
Code:
using System;
using System.Text;
using System.Threading;

// Set by the search below; stays 0 until a key has been found.
static int bKey;

// Tries candidate XOR keys against the encrypted items.bin content on a
// background thread and stops at the first key whose plaintext contains the
// "[ITEM SETTING]" section header. Depends on NikM's Crypt class (not shown).
public static void GetKey(string Encrypted)
{
    Thread t = new Thread(() =>
    {
        //String Encrypted = "160B07072071637E6F670A796F7E7E63646D772023167C6F7879636564142023236C63666F757C6F78796365640A0A0A0A0A0A0A0A";
        for (int i = 1; i < 400; i++)
        {
            Crypt.setKey(i);
            char[] decrypted = Crypt.Decrypt(Encoding.Default.GetBytes(Encrypted));
            string plain = new string(decrypted);
            if (plain.Contains("[ITEM SETTING]")) // known-plaintext check
            {
                bKey = i;
                break;
            }
        }
    });
    t.IsBackground = true;
    t.Start();
}
A function to get the XOR key of the items.bin file.
The Encrypted var is commented out, but you need the same set of characters (or just those from [ITEM SETTING]).
Screen was a test run on a script from 24-3-2013 by hero9910.
On a recent items.bin:
Ah, and before I forget: credits to NikM because of his Crypt class.
Okay, this code is pure bullshit; it's slow and not very good.
Look at this; use this pseudo code instead of your crappy code.
Code:
using System.Diagnostics;

// buffer: the raw bytes of items.bin; the plaintext is known to start with '<',
// so one XOR against that known first byte yields the key.
var stopwatch = new Stopwatch();
stopwatch.Start();
var key = buffer[0] ^ 0x3C; // 0x3C => '<'
stopwatch.Stop();
// Key: D7 (0 ms, 439 ticks)
Console.WriteLine("Key: {0:X2} ({1} ms, {2} ticks)", key, stopwatch.ElapsedMilliseconds, stopwatch.ElapsedTicks);
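The two key-recovery approaches argued over in the posts above, as an added example that is not code from either poster: ToxicData's known-first-byte derivation, ~Nazar*'s marker search narrowed to the 256 keys that can exist, and the general crib-drag of which both are special cases. It runs on the hex sample ~Nazar* left commented out in his function plus one constructed file that does not start with '<'; NikM's Crypt class is assumed to be a plain byte-wise XOR.

```python
"""Single-byte XOR key recovery for a config file like items.bin.

Added example, not from the thread. The buffer is assumed to be the raw file
bytes XORed with one constant byte (what NikM's Crypt class is taken to do).
The point: one known byte, or one known substring, is enough to undo this,
so it is obfuscation rather than encryption.
"""
from typing import List, Optional, Tuple

# The sample ~Nazar* left commented out in his post (hex of the XORed bytes).
SAMPLE_HEX = (
    "160B07072071637E6F670A796F7E7E63646D772023167C6F787963656414"
    "2023236C63666F757C6F78796365640A0A0A0A0A0A0A0A"
)
MARKER = b"[ITEM SETTING]"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same key byte (this is the whole 'cipher')."""
    return bytes(b ^ (key & 0xFF) for b in data)


def key_from_known_byte(buf: bytes, plain_first: int = ord("<")) -> int:
    """ToxicData's one-liner: key = buf[0] ^ '<'.

    Correct only if the file really starts with '<'. Any other first byte
    gives a wrong key with no error, which is what ~Nazar* saw on a newer file.
    """
    return buf[0] ^ plain_first


def key_from_marker(buf: bytes, marker: bytes = MARKER) -> Optional[int]:
    """~Nazar*'s search, reduced to the 256 keys that can exist.

    His loop runs to 400, but a byte-wise XOR only sees key & 0xFF, so keys
    256..399 merely repeat 0..143. Checking for the section header also
    validates the result instead of trusting a single byte.
    """
    for key in range(256):
        if marker in xor_bytes(buf, key):
            return key
    return None


def key_from_crib(buf: bytes, crib: bytes) -> List[Tuple[int, int]]:
    """General form: slide a known plaintext over the buffer and keep the
    offsets where every byte agrees on one key. The two functions above are
    special cases (a 1-byte crib at offset 0; a crib anywhere)."""
    hits = []
    for off in range(len(buf) - len(crib) + 1):
        keys = {buf[off + i] ^ c for i, c in enumerate(crib)}
        if len(keys) == 1:
            hits.append((off, keys.pop()))
    return hits


def recover(buf: bytes) -> dict:
    """Run all three approaches on one buffer and return what each found."""
    marker_key = key_from_marker(buf)
    plain = xor_bytes(buf, marker_key) if marker_key is not None else b""
    return {
        "known_byte": key_from_known_byte(buf),
        "marker": marker_key,
        "crib": key_from_crib(buf, MARKER),
        "plain": plain,
    }


def sample_result() -> dict:
    """The thread's own sample: both methods agree on key 0x2A."""
    return recover(bytes.fromhex(SAMPLE_HEX))


def newer_layout_result() -> dict:
    """Constructed file whose text does not start with '<': the known-byte
    shortcut returns a wrong key, the marker search still finds 0x5C."""
    plain = b"# items v2\n[ITEM SETTING]\nslots=8\n"
    return recover(xor_bytes(plain, 0x5C))


if __name__ == "__main__":
    for name, res in (("sample", sample_result()), ("newer", newer_layout_result())):
        print(name, hex(res["known_byte"]), res["marker"], res["crib"])
        print(res["plain"].decode("ascii", "replace"))
```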
08/12/2014, 15:05
#769
elite*gold: 98
Join Date: Nov 2011
Posts: 1,267
Received Thanks: 1,019
Quote:
Originally Posted by ToxicData
Okay, this code is pure bullshit; it's slow and not very good.
Look at this; use this pseudo code instead of your crappy code.
Code:
using System.Diagnostics;

// buffer: the raw bytes of items.bin; the plaintext is known to start with '<',
// so one XOR against that known first byte yields the key.
var stopwatch = new Stopwatch();
stopwatch.Start();
var key = buffer[0] ^ 0x3C; // 0x3C => '<'
stopwatch.Stop();
// Key: D7 (0 ms, 439 ticks)
Console.WriteLine("Key: {0:X2} ({1} ms, {2} ticks)", key, stopwatch.ElapsedMilliseconds, stopwatch.ElapsedTicks);
Yes, nice, it gets 0x000000D7, which is 215; still, if you use your "pro-code" on a recent items.bin it returns 0x0000000D, which is 13, so it's not similar, nor the same idea behind it.
08/12/2014, 15:13
#770
elite*gold: 158
Join Date: Sep 2011
Posts: 878
Received Thanks: 2,493
Quote:
Originally Posted by ~Nazar*
Yes, nice, it gets 0x000000D7, which is 215; still, if you use your "pro-code" on a recent items.bin it returns 0x0000000D, which is 13, so it's not similar, nor the same idea behind it.
I use the same logic in my Bin Editor and it's fine.
08/12/2014, 15:34
#771
elite*gold: 32
Join Date: Dec 2009
Posts: 937
Received Thanks: 1,307
Quote:
Originally Posted by ~Nazar*
Yes, nice, it gets 0x000000D7, which is 215; still, if you use your "pro-code" on a recent items.bin it returns 0x0000000D, which is 13, so it's not similar, nor the same idea behind it.
> Lol'd hard.
For people like you, they should implement their Encrypted Binary File Format, which is currently disabled.
08/12/2014, 17:00
#772
elite*gold: 0
Join Date: Aug 2010
Posts: 972
Received Thanks: 1,583
HackShield Encrypted Imports & Strings
I published this some months ago on another forum, but it might be interesting for you too :-3.
I don't know if it is still up to date, because I don't have WarRock or any other game using HackShield on my PC anymore.
But I think it shouldn't be a problem to update it if required ;-).
HackShield loads copies of some Windows .dlls in the form of .tmp files into the process.
It seems that these .tmp files aren't the same as the originals, because they have different hashes.
The functions they import from these modules are simply encrypted.
Code:
___:10004E10 ; ═══════════════ S U B R O U T I N E ═══════════════════════════════════════
___:10004E10
___:10004E10
___:10004E10 decryptFunctionPointer proc near ; CODE XREF: sub_10004420+C7p
___:10004E10 ; sub_10004A10+11Cp ...
___:10004E10
___:10004E10 functionPointer = dword ptr 4
___:10004E10
___:10004E10 mov eax, [ecx+38h]
___:10004E13 mov edx, [ecx+34h]
___:10004E16 mov ecx, [esp+functionPointer]
___:10004E1A xor eax, edx
___:10004E1C xor eax, ecx
___:10004E1E retn 4
___:10004E1E decryptFunctionPointer endp
___:10004E1E
___:10004E1E ; ---------------------------------------------------------------------------
origImport = xorKey1 ^ xorKey2 ^ encImport;
Code:
// RVAs of the four module descriptors below, relative to the EHSvc.dll base
static DWORD g_dwPsApi = 0x00147AB8;
static DWORD g_dwNtDll = 0x00147F40;
static DWORD g_dwKernelBase = 0x001483C8;
static DWORD g_dwUser32 = 0x00148850;
// These classes are basically the same
// 0x3C could also be void **m_ppFunctionPointers
class hsPsApi;
class hsNtDll;
class hsKernelBase;
class hsUser32;
//
class hsPsApiImports;
class hsNtDllImports;
class hsKernelBaseImports;
class hsUser32Imports;
class hsPsApi
{
public:
/* 0x00000000 */ BYTE pad0[0x04];
/* 0x00000004 */ DWORD m_dwXoredOrigModule;
/* 0x00000008 */ DWORD m_dwXoredBaseAddress;
/* 0x0000000C */ DWORD m_dwBaseAddress;
/* 0x00000010 */ DWORD m_dwPEHeader;
/* 0x00000014 */ BYTE pad1[0x04];
/* 0x00000018 */ DWORD m_dwRelocationAddress;
/* 0x0000001C */ BYTE pad2[0x18];
/* 0x00000034 */ DWORD m_dwXorKey1;
/* 0x00000038 */ DWORD m_dwXorKey2;
/* 0x0000003C */ hsPsApiImports *m_pImports;
/* 0x00000040 */ DWORD m_dwNumberOfImports;
};
class hsNtDll
{
public:
/* 0x00000000 */ BYTE pad0[0x04];
/* 0x00000004 */ DWORD m_dwXoredOrigModule;
/* 0x00000008 */ DWORD m_dwXoredBaseAddress;
/* 0x0000000C */ DWORD m_dwBaseAddress;
/* 0x00000010 */ DWORD m_dwPEHeader;
/* 0x00000014 */ BYTE pad1[0x04];
/* 0x00000018 */ DWORD m_dwRelocationAddress;
/* 0x0000001C */ BYTE pad2[0x18];
/* 0x00000034 */ DWORD m_dwXorKey1;
/* 0x00000038 */ DWORD m_dwXorKey2;
/* 0x0000003C */ hsNtDllImports *m_pImports;
/* 0x00000040 */ DWORD m_dwNumberOfImports;
};
class hsKernelBase
{
public:
/* 0x00000000 */ BYTE pad0[0x04];
/* 0x00000004 */ DWORD m_dwXoredOrigModule;
/* 0x00000008 */ DWORD m_dwXoredBaseAddress;
/* 0x0000000C */ DWORD m_dwBaseAddress;
/* 0x00000010 */ DWORD m_dwPEHeader;
/* 0x00000014 */ BYTE pad1[0x04];
/* 0x00000018 */ DWORD m_dwRelocationAddress;
/* 0x0000001C */ BYTE pad2[0x18];
/* 0x00000034 */ DWORD m_dwXorKey1;
/* 0x00000038 */ DWORD m_dwXorKey2;
/* 0x0000003C */ hsKernelBaseImports *m_pImports;
/* 0x00000040 */ DWORD m_dwNumberOfImports;
};
class hsUser32
{
public:
/* 0x00000000 */ BYTE pad0[0x04];
/* 0x00000004 */ DWORD m_dwXoredOrigModule;
/* 0x00000008 */ DWORD m_dwXoredBaseAddress;
/* 0x0000000C */ DWORD m_dwBaseAddress;
/* 0x00000010 */ DWORD m_dwPEHeader;
/* 0x00000014 */ BYTE pad1[0x04];
/* 0x00000018 */ DWORD m_dwRelocationAddress;
/* 0x0000001C */ BYTE pad2[0x18];
/* 0x00000034 */ DWORD m_dwXorKey1;
/* 0x00000038 */ DWORD m_dwXorKey2;
/* 0x0000003C */ hsUser32Imports *m_pImports;
/* 0x00000040 */ DWORD m_dwNumberOfImports;
};
// Imports
class hsPsApiImports
{
public:
/* 0x00000000 */ DWORD (__stdcall *pXoredGetModuleFileNameExA) (HANDLE, HMODULE, LPSTR, DWORD);
/* 0x00000004 */ DWORD (__stdcall *pXoredGetModuleFileNameExW) (HANDLE, HMODULE, LPWSTR, DWORD);
/* 0x00000008 */ BOOL (__stdcall *pXoredEnumProcesses) (DWORD *, DWORD, DWORD *);
/* 0x0000000C */ BOOL (__stdcall *pXoredEnumProcessModules) (HANDLE, HMODULE *, DWORD, LPDWORD);
/* 0x00000010 */ DWORD (__stdcall *pXoredGetMappedFileNameA) (HANDLE, LPVOID, LPSTR, DWORD);
};
class hsNtDllImports
{
public:
/* 0x00000000 */ NTSTATUS(__stdcall *pXoredRtlEnterCriticalSection) (RTL_CRITICAL_SECTION *);
/* 0x00000004 */ NTSTATUS(__stdcall *pXoredRtlLeaveCriticalSection) (RTL_CRITICAL_SECTION *);
/* 0x00000008 */ NTSTATUS(__stdcall *pXoredNtProtectVirtualMemory) (HANDLE, PVOID, PULONG, ULONG, PULONG);
/* 0x0000000C */ NTSTATUS(__stdcall *pXoredNtQueryObject) (HANDLE, OBJECT_INFORMATION_CLASS, PVOID, ULONG, PULONG);
/* 0x00000010 */ NTSTATUS(__stdcall *pXoredNtQueryInformationThread) (HANDLE, THREADINFOCLASS, PVOID, ULONG, PULONG);
/* 0x00000014 */ NTSTATUS(__stdcall *pXoredNtQuerySystemInformation) (SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG);
/* 0x00000018 */ NTSTATUS(__stdcall *pXoredNtQueryInformationProcess) (HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
/* 0x0000001C */ NTSTATUS(__stdcall *pXoredNtGetContextThread) (HANDLE, LPCONTEXT);
/* 0x00000020 */ NTSTATUS(__stdcall *pXoredNtQueryPerformanceCounter) (PLARGE_INTEGER, PLARGE_INTEGER);
};
class hsKernelBaseImports
{
public:
/* 0x00000000 */ HANDLE (__stdcall *pXoredOpenProcess) (DWORD, BOOL, DWORD);
/* 0x00000004 */ HMODULE (__stdcall *pXoredLoadLibraryExA) (LPCSTR, HANDLE, DWORD);
/* 0x00000008 */ HANDLE (__stdcall *pXoredCreateFileA) (LPCSTR, DWORD, DWORD, LPSECURITY_ATTRIBUTES, DWORD, DWORD, HANDLE);
/* 0x0000000C */ HANDLE (__stdcall *pXoredCreateFileW) (LPCWSTR, DWORD, DWORD, LPSECURITY_ATTRIBUTES, DWORD, DWORD, HANDLE);
/* 0x00000010 */ HANDLE (__stdcall *pXoredCreateFileMappingW) (HANDLE, LPSECURITY_ATTRIBUTES, DWORD, DWORD, DWORD, LPCWSTR);
/* 0x00000014 */ LPVOID (__stdcall *pXoredMapViewOfFile) (HANDLE, DWORD, DWORD, DWORD, SIZE_T);
/* 0x00000018 */ DWORD (__stdcall *pXoredGetModuleFileNameA) (HMODULE, LPCSTR, DWORD);
/* 0x0000001C */ DWORD (__stdcall *pXoredGetModuleFileNameW) (HMODULE, LPCWSTR, DWORD);
/* 0x00000020 */ HMODULE (__stdcall *pXoredGetModuleHandleA) (LPCSTR);
/* 0x00000024 */ HMODULE (__stdcall *pXoredGetModuleHandleW) (LPCWSTR);
/* 0x00000028 */ BOOL (__stdcall *pXoredGetVersionExA) (LPOSVERSIONINFOA);
/* 0x0000002C */ HANDLE (__stdcall *pXoredOpenMutexW) (DWORD, BOOL, LPCWSTR);
/* 0x00000030 */ HANDLE (__stdcall *pXoredCreateMutexA) (LPSECURITY_ATTRIBUTES, BOOL, LPCSTR);
/* 0x00000034 */ HANDLE (__stdcall *pXoredCreateMutexW) (LPSECURITY_ATTRIBUTES, BOOL, LPCWSTR);
/* 0x00000038 */ LPVOID (__stdcall *pXoredVirtualAlloc) (LPVOID, SIZE_T, DWORD, DWORD);
/* 0x0000003C */ LPVOID (__stdcall *pXoredVirtualAllocEx) (HANDLE, LPVOID, SIZE_T, DWORD, DWORD);
/* 0x00000040 */ BOOL (__stdcall *pXoredVirtualFree) (LPVOID, SIZE_T, DWORD);
/* 0x00000044 */ BOOL (__stdcall *pXoredVirtualFreeEx) (HANDLE, LPVOID, SIZE_T, DWORD);
/* 0x00000048 */ SIZE_T (__stdcall *pXoredVirtualQuery) (LPCVOID, PMEMORY_BASIC_INFORMATION, SIZE_T);
/* 0x0000004C */ BOOL (__stdcall *pXoredVirtualProtect) (LPCVOID, SIZE_T, DWORD, PDWORD);
/* 0x00000050 */ HANDLE (__stdcall *pXoredCreateEventA) (LPSECURITY_ATTRIBUTES, BOOL, BOOL, LPCSTR);
/* 0x00000054 */ BOOL (__stdcall *pXoredSetEvent) (HANDLE);
/* 0x00000058 */ LONG (__cdecl *pXoredInterlockedExchange) (LONG volatile *, LONG);
/* 0x0000005C */ LONG (__cdecl *pXoredInterlockedCompareExchange) (LONG volatile *, LONG, LONG);
/* 0x00000060 */ UINT (__stdcall *pXoredGetSystemDirectoryW) (LPCWSTR, UINT);
/* 0x00000064 */ BOOL (__stdcall *pXoredWriteFile) (HANDLE, LPCVOID, DWORD, LPDWORD, LPOVERLAPPED);
/* 0x00000068 */ HRSRC (__stdcall *pXoredFindResourceExW) (HMODULE, LPCWSTR, LPCWSTR, WORD);
/* 0x0000006C */ HGLOBAL (__stdcall *pXoredLoadResource) (HMODULE, HRSRC);
/* 0x00000070 */ DWORD (__stdcall *pXoredSizeofResource) (HMODULE, HRSRC);
/* 0x00000074 */ LPVOID (__stdcall *pXoredLockResource) (HGLOBAL);
/* 0x00000078 */ HANDLE (__stdcall *pXoredOpenThread) (DWORD, BOOL, DWORD);
/* 0x0000007C */ HANDLE (__stdcall *pXoredOpenFileMappingW) (DWORD, BOOL, LPCWSTR);
/* 0x00000080 */ HANDLE (__stdcall *pXoredCreateTimerQueue) (void);
/* 0x00000084 */ BOOL (__stdcall *pXoredCreateTimerQueueTimer) (PHANDLE, HANDLE, WAITORTIMERCALLBACK, PVOID, DWORD, DWORD, ULONG);
/* 0x00000088 */ BOOL (__stdcall *pXoredDeleteTimerQueueEx) (HANDLE, HANDLE);
/* 0x0000008C */ DWORD (__stdcall *pXoredGetTickCount) (void);
/* 0x00000090 */ BOOL (__stdcall *pXoredDeleteTimerQueueTimer) (HANDLE, HANDLE, HANDLE);
/* 0x00000094 */ DWORD (__stdcall *pXoredWaitForSingleObject) (HANDLE, DWORD);
/* 0x00000098 */ DWORD (__stdcall *pXoredWaitForSingleObjectEx) (HANDLE, DWORD, BOOL);
/* 0x0000009C */ UINT (__stdcall *pXoredGetDriveTypeA) (LPCSTR);
/* 0x000000A0 */ BOOL (__stdcall *pXoredTlsSetValue) (DWORD, LPVOID);
/* 0x000000A4 */ LPVOID (__stdcall *pXoredTlsGetValue) (DWORD);
/* 0x000000A8 */ DWORD (__stdcall *pXoredQueueUserAPC) (PAPCFUNC, HANDLE, ULONG_PTR);
/* 0x000000AC */ DWORD (__stdcall *pXoredGetLongPathNameA) (LPCSTR, LPSTR, DWORD);
/* 0x000000B0 */ DWORD (__stdcall *pXoredGetLongPathNameW) (LPCWSTR, LPWSTR, DWORD);
/* 0x000000B4 */ DWORD (__stdcall *pXoredGetCurrentThreadId) (void);
/* 0x000000B8 */ HANDLE (__stdcall *pXoredGetCurrentProcess) (void);
/* 0x000000BC */ DWORD (__stdcall *pXoredTlsAlloc) (void);
/* 0x000000C0 */ DWORD (__stdcall *pXoredResumeThread) (HANDLE);
};
class hsUser32Imports
{
public:
/* 0x00000000 */ BOOL (__stdcall *pXoredEnumWindows) (WNDENUMPROC, LPARAM);
/* 0x00000004 */ BOOL (__stdcall *pXoredEnumChildWindows) (HWND, WNDENUMPROC, LPARAM);
/* 0x00000008 */ BOOL (__stdcall *pXoredGetWindowInfo) (HWND, PWINDOWINFO);
/* 0x0000000C */ int (__stdcall *pXoredGetWindowTextA) (HWND, LPSTR, int);
/* 0x00000010 */ int (__stdcall *pXoredGetClassNameA) (HWND, LPSTR, int);
/* 0x00000014 */ LRESULT(__stdcall *pXoredSendMessageTimeoutA) (HWND, UINT, WPARAM, LPARAM, UINT, UINT, PDWORD_PTR);
};
// Base address of EHSvc.dll in the process; resolved elsewhere (not shown).
extern DWORD dwEHSvcDllBaseAddr;

hsPsApi *phsPsApi = (hsPsApi *) (dwEHSvcDllBaseAddr + g_dwPsApi);
hsNtDll *phsNtDll = (hsNtDll *) (dwEHSvcDllBaseAddr + g_dwNtDll);
hsKernelBase *phsKernelBase = (hsKernelBase *) (dwEHSvcDllBaseAddr + g_dwKernelBase);
hsUser32 *phsUser32 = (hsUser32 *) (dwEHSvcDllBaseAddr + g_dwUser32);
It might be quite interesting that there are some encrypted strings, too.
The strings are encrypted like this:
Code:
for (i = 0; i < len; ++i)
    str[i] ^= 0x55;
___:1010D9BC ; ═══════════════ S U B R O U T I N E ═══════════════════════════════════════
___:1010D9BC
___:1010D9BC ; Attributes: bp-based frame
___:1010D9BC
___:1010D9BC decryptString proc near ; CODE XREF: sub_1010D774+31p
___:1010D9BC ; sub_1010D774+47p ...
___:1010D9BC
___:1010D9BC strPtr = dword ptr -4
___:1010D9BC
...
___:1010D9FD loc_1010D9FD: ; CODE XREF: decryptString+4Aj
___:1010D9FD mov ecx, [ebx]
___:1010D9FF xor byte ptr [ecx+edx-1], 55h ; Very Key
___:1010D9FF ; so crypto
___:1010D9FF ; wow
___:1010DA04 inc edx
___:1010DA05 dec eax
___:1010DA06 jnz short loc_1010D9FD
___:1010DA08
___:1010DA08 loc_1010DA08: ; CODE XREF:
...
I wrote a little Python script to find all encrypted strings and decrypt them.
1st Log:
Code:
Addr: 0x1010D950
Encyrpted String: 0721391b21062134212026013a113a261027273a27
Decrypted String: RtlNtStatusToDosError
Addr: 0x1010D970
Encyrpted String: 3b213139397b313939
Decrypted String: ntdll.dll
Addr: 0x1010D984
Encyrpted String: 3b30213826327b313939
Decrypted String: netmsg.dll
Addr: 0x1010D998
Encyrpted String: 023c3b313a2226753027273a27753b2038373027
Decrypted String: Windows error number
Addr: 0x10110A9C
Encyrpted String: 3e30273b303966677b313939
Decrypted String: kernel32.dll
Error at: 10110AD7
Addr: 0x10110B98
Encyrpted String: 3b213139397b313939
Decrypted String: ntdll.dll
Error at: 10110BEC
Addr: 0x10111638
Encyrpted String: 02212614253c66677b313939
Decrypted String: WtsApi32.dll
Addr: 0x10111650
Encyrpted String: 020106132730301830383a272c
Decrypted String: WTSFreeMemory
Addr: 0x1011187C
Encyrpted String: 061806067b302d30
Decrypted String: SMSS.exe
Addr: 0x10111988
Encyrpted String: 363a3836213966677b313939
Decrypted String: comctl32.dll
Addr: 0x101124B4
Encyrpted String: 38363d07016c2d
Decrypted String: mchRT9x
Addr: 0x10113844
Encyrpted String: 12393a37343909
Decrypted String: Global\
Addr: 0x1011392C
Encyrpted String: 12393a37343909
Decrypted String: Global\
Addr: 0x10113A40
Encyrpted String: 12393a37343909
Decrypted String: Global\
Addr: 0x10113B30
Encyrpted String: 12393a37343909
Decrypted String: Global\
Addr: 0x10113C3C
Encyrpted String: 12393a37343909
Decrypted String: Global\
Addr: 0x10113D24
Encyrpted String: 12393a37343909
Decrypted String: Global\
Addr: 0x10113E2C
Encyrpted String: 063d34273031
Decrypted String: Shared
Addr: 0x10113E3C
Encyrpted String: 05273a36302626
Decrypted String: Process
Error at: 10113DAF
Addr: 0x10113E64
Encyrpted String: 14051c
Decrypted String: API
Addr: 0x10113F38
Encyrpted String: 1b34383031172033333027
Decrypted String: NamedBuffer
Addr: 0x1011404C
Encyrpted String: 1b34383031172033333027
Decrypted String: NamedBuffer
Addr: 0x101146D8
Encyrpted String: 38363d051c016c2d
Decrypted String: mchPIT9x
Addr: 0x10114858
Encyrpted String: 38363d183c2d1634363d30
Decrypted String: mchMixCache
Addr: 0x10114D44
Encyrpted String: 38363d053c210701
Decrypted String: mchPitRT
Addr: 0x10115B74
Encyrpted String: 38141d023421363d3027013d27303431
Decrypted String: mAHWatcherThread
Addr: 0x10115B90
Encyrpted String: 182021302d
Decrypted String: Mutex
Addr: 0x10115B74
Encyrpted String: 38141d023421363d3027013d27303431
Decrypted String: mAHWatcherThread
Addr: 0x10115BA0
Encyrpted String: 183425
Decrypted String: Map
Addr: 0x10115B74
Encyrpted String: 38141d023421363d3027013d27303431
Decrypted String: mAHWatcherThread
Addr: 0x10115BAC
Encyrpted String: 1023303b21
Decrypted String: Event
Addr: 0x10115B74
Encyrpted String: 38141d023421363d3027013d27303431
Decrypted String: mAHWatcherThread
Addr: 0x10115BAC
Encyrpted String: 1023303b21
Decrypted String: Event
Addr: 0x10115D48
Encyrpted String: 38141d0621203726
Decrypted String: mAHStubs
Addr: 0x10115D5C
Encyrpted String: 182021302d
Decrypted String: Mutex
Addr: 0x10115D48
Encyrpted String: 38141d0621203726
Decrypted String: mAHStubs
Addr: 0x10115D6C
Encyrpted String: 183425
Decrypted String: Map
Addr: 0x10115FA4
Encyrpted String: 38141d0621203726
Decrypted String: mAHStubs
Addr: 0x10115FB8
Encyrpted String: 182021302d
Decrypted String: Mutex
Addr: 0x10115FA4
Encyrpted String: 38141d0621203726
Decrypted String: mAHStubs
Addr: 0x10115FC8
Encyrpted String: 183425
Decrypted String: Map
Addr: 0x1011644C
Encyrpted String: 38363d1c6c2d1814
Decrypted String: mchI9xMA
Addr: 0x1011652C
Encyrpted String: 32313c66677b313939
Decrypted String: gdi32.dll
Addr: 0x10116540
Encyrpted String: 2026302766677b313939
Decrypted String: user32.dll
Addr: 0x10116554
Encyrpted String: 2134253c66677b313939
Decrypted String: tapi32.dll
Addr: 0x10116700
Encyrpted String: 2026302766677b313939
Decrypted String: user32.dll
Addr: 0x1011770C
Encyrpted String: 182021302d
Decrypted String: Mutex
Addr: 0x1011770C
Encyrpted String: 182021302d
Decrypted String: Mutex
Addr: 0x10117728
Encyrpted String: 1b34383031172033333027
Decrypted String: NamedBuffer
Addr: 0x10117728
Encyrpted String: 1b34383031172033333027
Decrypted String: NamedBuffer
Addr: 0x1011773C
Encyrpted String: 2226670a66677b313939
Decrypted String: ws2_32.dll
Error at: 10116C10
Addr: 0x10117728
Encyrpted String: 1b34383031172033333027
Decrypted String: NamedBuffer
Addr: 0x10117728
Encyrpted String: 1b34383031172033333027
Decrypted String: NamedBuffer
Addr: 0x10117A04
Encyrpted String: 182021302d
Decrypted String: Mutex
Addr: 0x10117A20
Encyrpted String: 1b34383031172033333027
Decrypted String: NamedBuffer
Addr: 0x10117F30
Encyrpted String: 182021302d
Decrypted String: Mutex
Addr: 0x10117F4C
Encyrpted String: 1b34383031172033333027
Decrypted String: NamedBuffer
Addr: 0x10118588
Encyrpted String: 1420213a
Decrypted String: Auto
Addr: 0x10119530
Encyrpted String: 3836670602111c1f
Decrypted String: mc2SWDIJ
Addr: 0x10119FC0
Encyrpted String: 060c060110180916202727303b21163a3b21273a3906302109063027233c363026
Decrypted String: SYSTEM\CurrentControlSet\Services
Addr: 0x10119FEC
Encyrpted String: 38363d1c3b3f112723
Decrypted String: mchInjDrv
Addr: 0x1011A000
Encyrpted String: 1c383432300534213d
Decrypted String: ImagePath
Addr: 0x1011A014
Encyrpted String: 012c2530
Decrypted String: Type
Addr: 0x1011A024
Encyrpted String: 1027273a27163a3b21273a39
Decrypted String: ErrorControl
Addr: 0x1011A03C
Encyrpted String: 0621342721
Decrypted String: Start
Addr: 0x1011A058
Encyrpted String: 2730323c2621272c093834363d3c3b30
Decrypted String: registry\machine
Addr: 0x10119FC0
Encyrpted String: 060c060110180916202727303b21163a3b21273a3906302109063027233c363026
Decrypted String: SYSTEM\CurrentControlSet\Services
Error at: 10119EE2
Addr: 0x1011A08C
Encyrpted String: 11303930213013393432
Decrypted String: DeleteFlag
Addr: 0x1011A574
Encyrpted String: 3836670602111c1f
Decrypted String: mc2SWDIJ
Addr: 0x1011AB98
Encyrpted String: 3836670602111c1f
Decrypted String: mc2SWDIJ
Addr: 0x1011ABAC
Encyrpted String: 182021302d
Decrypted String: Mutex
Addr: 0x1011B218
Encyrpted String: 3836670602111c1f
Decrypted String: mc2SWDIJ
Addr: 0x1011B22C
Encyrpted String: 182021302d
Decrypted String: Mutex
Addr: 0x1011B218
Encyrpted String: 3836670602111c1f
Decrypted String: mc2SWDIJ
Addr: 0x1011BA98
Encyrpted String: 3836671c1c3b3f01
Decrypted String: mc2IInjT
Error at: 1011CFF8
Addr: 0x1011D820
Encyrpted String: 09173426301b343830311a373f3036212609
Decrypted String: \BaseNamedObjects\
Addr: 0x1011D83C
Encyrpted String: 3836670602111c1f
Decrypted String: mc2SWDIJ
Addr: 0x1011D874
Encyrpted String: 12393a37343909
Decrypted String: Global\
Error at: 1011D3FD
Error at: 1011D451
Addr: 0x1011DABC
Encyrpted String: 38363d1c3b3f112723183425
Decrypted String: mchInjDrvMap
Addr: 0x1011E634
Encyrpted String: 203b3c363a22267b313939
Decrypted String: unicows.dll
Addr: 0x1011E634
Encyrpted String: 203b3c363a22267b313939
Decrypted String: unicows.dll
Addr: 0x1011E648
Encyrpted String: 16273034213005273a3630262602
Decrypted String: CreateProcessW
Addr: 0x1011E9E0
Encyrpted String: 34312334253c66677b313939
Decrypted String: advapi32.dll
Addr: 0x1011E9F8
Encyrpted String: 12302106303620273c212c1c3b333a
Decrypted String: GetSecurityInfo
Addr: 0x1011EA10
Encyrpted String: 06302106303620273c212c1c3b333a
Decrypted String: SetSecurityInfo
Addr: 0x1011EA28
Encyrpted String: 063021103b21273c30261c3b14363914
Decrypted String: SetEntriesInAclA
Addr: 0x1011EBF0
Encyrpted String: 1c253667
Decrypted String: Ipc2
Addr: 0x1011EC00
Encyrpted String: 182021302d
Decrypted String: Mutex
Addr: 0x1011EBF0
Encyrpted String: 1c253667
Decrypted String: Ipc2
Addr: 0x1011EC10
Encyrpted String: 183425
Decrypted String: Map
Addr: 0x1011F048
Encyrpted String: 143b2622302717203367
Decrypted String: AnswerBuf2
Addr: 0x1011F05C
Encyrpted String: 183425
Decrypted String: Map
Addr: 0x1011F068
Encyrpted String: 1023303b21
Decrypted String: Event
Addr: 0x1011F068
Encyrpted String: 1023303b21
Decrypted String: Event
Addr: 0x1011F078
Encyrpted String: 063026263c3a3b09
Decrypted String: Session\
Addr: 0x1011F05C
Encyrpted String: 183425
Decrypted String: Map
Addr: 0x1011F05C
Encyrpted String: 183425
Decrypted String: Map
Addr: 0x1011F068
Encyrpted String: 1023303b21
Decrypted String: Event
Addr: 0x1011F068
Encyrpted String: 1023303b21
Decrypted String: Event
Addr: 0x1011F068
Encyrpted String: 1023303b21
Decrypted String: Event
Addr: 0x1011F068
Encyrpted String: 1023303b21
Decrypted String: Event
Addr: 0x1011F5AC
Encyrpted String: 1c253667
Decrypted String: Ipc2
Addr: 0x1011F5BC
Encyrpted String: 182021302d
Decrypted String: Mutex
Addr: 0x1011F5AC
Encyrpted String: 1c253667
Decrypted String: Ipc2
Addr: 0x1011F5CC
Encyrpted String: 183425
Decrypted String: Map
Addr: 0x1011FB04
Encyrpted String: 06301734363e202505273c233c39303230
Decrypted String: SeBackupPrivilege
Addr: 0x1011FB20
Encyrpted String: 0630073026213a273005273c233c39303230
Decrypted String: SeRestorePrivilege
2nd Log:
Code:
Addr: 0x10110F68
Encyrpted String: 0730343105273a363026261830383a272c
Decrypted String: ReadProcessMemory
Addr: 0x10111060
Encyrpted String: 162730342130013a3a393d3039256667063b3425263d3a21
Decrypted String: CreateToolhelp32Snapshot
Addr: 0x10111084
Encyrpted String: 05273a363026266667133c272621
Decrypted String: Process32First
Addr: 0x1011109C
Encyrpted String: 05273a3630262666671b302d21
Decrypted String: Process32Next
Addr: 0x101110B4
Encyrpted String: 183a312039306667133c272621
Decrypted String: Module32First
Addr: 0x101110CC
Encyrpted String: 183a3120393066671b302d21
Decrypted String: Module32Next
Addr: 0x1011113C
Encyrpted String: 0730343105273a363026261830383a272c
Decrypted String: ReadProcessMemory
Addr: 0x10111158
Encyrpted String: 02273c213005273a363026261830383a272c
Decrypted String: WriteProcessMemory
Addr: 0x10111174
Encyrpted String: 123021013d27303431163a3b21302d21
Decrypted String: GetThreadContext
Addr: 0x10111190
Encyrpted String: 063021013d27303431163a3b21302d21
Decrypted String: SetThreadContext
Addr: 0x101111AC
Encyrpted String: 1627303421300730383a2130013d27303431
Decrypted String: CreateRemoteThread
Addr: 0x10111A90
Encyrpted String: 033c27212034391439393a36102d
Decrypted String: VirtualAllocEx
Addr: 0x10111AA8
Encyrpted String: 033c2721203439042030272c102d
Decrypted String: VirtualQueryEx
Addr: 0x10111B38
Encyrpted String: 033c272120343913273030102d
Decrypted String: VirtualFreeEx
Addr: 0x10111BB8
Encyrpted String: 033c272120343905273a21303621
Decrypted String: VirtualProtect
Addr: 0x10111BD0
Encyrpted String: 1c2617343102273c2130052127
Decrypted String: IsBadWritePtr
Addr: 0x10111BE8
Encyrpted String: 123021033027263c3a3b
Decrypted String: GetVersion
Addr: 0x101123BC
Encyrpted String: 0630211027273a27183a3130
Decrypted String: SetErrorMode
Addr: 0x101123D4
Encyrpted String: 02343c21133a27063c3b3239301a373f303621
Decrypted String: WaitForSingleObject
Addr: 0x101123F0
Encyrpted String: 12302116202727303b2105273a36302626
Decrypted String: GetCurrentProcess
Addr: 0x1011240C
Encyrpted String: 12302116202727303b21013d27303431
Decrypted String: GetCurrentThread
Addr: 0x10112428
Encyrpted String: 112025393c363421301d343b313930
Decrypted String: DuplicateHandle
Addr: 0x10112440
Encyrpted String: 16393a26301d343b313930
Decrypted String: CloseHandle
Addr: 0x10112454
Encyrpted String: 162730342130013d27303431
Decrypted String: CreateThread
Addr: 0x1011246C
Encyrpted String: 123021102d3c21163a3130013d27303431
Decrypted String: GetExitCodeThread
Addr: 0x10112488
Encyrpted String: 12302116202727303b2105273a363026261c31
Decrypted String: GetCurrentProcessId
Addr: 0x101124A4
Encyrpted String: 0639303025
Decrypted String: Sleep
Addr: 0x101125CC
Encyrpted String: 05273a363026261c31013a063026263c3a3b1c31
Decrypted String: ProcessIdToSessionId
Addr: 0x10112D80
Encyrpted String: 162730342130013d27303431
Decrypted String: CreateThread
Addr: 0x10112D98
Encyrpted String: 11303720321436213c233005273a36302626
Decrypted String: DebugActiveProcess
Addr: 0x10112DD0
Encyrpted String: 102d3c21013d27303431
Decrypted String: ExitThread
Addr: 0x10113428
Encyrpted String: 123021183a312039301d343b31393014
Decrypted String: GetModuleHandleA
Addr: 0x10113444
Encyrpted String: 123021183a312039301d343b31393002
Decrypted String: GetModuleHandleW
Addr: 0x10113460
Encyrpted String: 0630211027273a27183a3130
Decrypted String: SetErrorMode
Addr: 0x10113478
Encyrpted String: 193a3431193c372734272c14
Decrypted String: LoadLibraryA
Addr: 0x10113490
Encyrpted String: 193a3431193c372734272c02
Decrypted String: LoadLibraryW
Addr: 0x101134A8
Encyrpted String: 13273030193c372734272c
Decrypted String: FreeLibrary
Addr: 0x101134BC
Encyrpted String: 123021193426211027273a27
Decrypted String: GetLastError
Addr: 0x101134D4
Encyrpted String: 033c272120343913273030
Decrypted String: VirtualFree
Addr: 0x101134E8
Encyrpted String: 123021033027263c3a3b
Decrypted String: GetVersion
Addr: 0x101134FC
Encyrpted String: 162730342130182021302d14
Decrypted String: CreateMutexA
Addr: 0x10113514
Encyrpted String: 123021183a31203930133c39301b34383014
Decrypted String: GetModuleFileNameA
Addr: 0x10113530
Encyrpted String: 02343c21133a27063c3b3239301a373f303621
Decrypted String: WaitForSingleObject
Addr: 0x1011354C
Encyrpted String: 12302116202727303b2105273a363026261c31
Decrypted String: GetCurrentProcessId
Addr: 0x10113568
Encyrpted String: 1a25303b133c3930183425253c3b3214
Decrypted String: OpenFileMappingA
Addr: 0x10113584
Encyrpted String: 183425033c30221a33133c3930
Decrypted String: MapViewOfFile
Addr: 0x1011359C
Encyrpted String: 163a38253427300621273c3b3214
Decrypted String: CompareStringA
Addr: 0x101135B4
Encyrpted String:
Decrypted String:
Addr: 0x101135CC
Encyrpted String: 16393a26301d343b313930
Decrypted String: CloseHandle
Addr: 0x101135E0
Encyrpted String: 07303930342630182021302d
Decrypted String: ReleaseMutex
Addr: 0x101135F8
Encyrpted String: 063021193426211027273a27
Decrypted String: SetLastError
Addr: 0x10113610
Encyrpted String: 193a3634391439393a36
Decrypted String: LocalAlloc
Addr: 0x10113624
Encyrpted String: 193a36343913273030
Decrypted String: LocalFree
Addr: 0x10113638
Encyrpted String: 033c2721203439042030272c
Decrypted String: VirtualQuery
Addr: 0x10113650
Encyrpted String: 0639303025
Decrypted String: Sleep
Addr: 0x10113660
Encyrpted String: 02343c21133a27182039213c2539301a373f30362126
Decrypted String: WaitForMultipleObjects
Addr: 0x101146EC
Encyrpted String: 123021183a312039301d343b31393014
Decrypted String: GetModuleHandleA
Addr: 0x10114708
Encyrpted String: 193a3431193c372734272c14
Decrypted String: LoadLibraryA
Addr: 0x1011776C
Encyrpted String: 12302116202727303b2105273a363026261c31
Decrypted String: GetCurrentProcessId
Addr: 0x10118540
Encyrpted String: 193a3431193c372734272c14
Decrypted String: LoadLibraryA
Addr: 0x10118558
Encyrpted String: 193a3431193c372734272c102d14
Decrypted String: LoadLibraryExA
Addr: 0x10118570
Encyrpted String: 193a3431193c372734272c102d02
Decrypted String: LoadLibraryExW
Addr: 0x10119130
Encyrpted String: 05273a363026261c31013a063026263c3a3b1c31
Decrypted String: ProcessIdToSessionId
Addr: 0x10119188
Encyrpted String: 0201061230211436213c2330163a3b263a3930063026263c3a3b1c31
Decrypted String: WTSGetActiveConsoleSessionId
Addr: 0x1011ABBC
Encyrpted String: 13273030193c372734272c
Decrypted String: FreeLibrary
Addr: 0x1011C210
Encyrpted String: 193a3634391439393a36
Decrypted String: LocalAlloc
Addr: 0x1011C224
Encyrpted String: 193a3431193c372734272c14
Decrypted String: LoadLibraryA
Addr: 0x1011D208
Encyrpted String: 13273030193c372734272c
Decrypted String: FreeLibrary
Addr: 0x1011D884
Encyrpted String: 1a25303b133c3930183425253c3b3202
Decrypted String: OpenFileMappingW
Addr: 0x1011D904
Encyrpted String: 183425033c30221a33133c3930
Decrypted String: MapViewOfFile
Addr: 0x1011D91C
Encyrpted String: 193a3634391439393a36
Decrypted String: LocalAlloc
Addr: 0x1011D930
Encyrpted String:
Decrypted String:
Addr: 0x1011D948
Encyrpted String: 123021183a312039301d343b31393002
Decrypted String: GetModuleHandleW
Addr: 0x1011D964
Encyrpted String: 193a36343913273030
Decrypted String: LocalFree
Addr: 0x1011D978
Encyrpted String: 16393a26301d343b313930
Decrypted String: CloseHandle
Addr: 0x1011D98C
Encyrpted String: 12302116202727303b2105273a36302626
Decrypted String: GetCurrentProcess
Addr: 0x1011D9A8
Encyrpted String: 05273a363026261c31013a063026263c3a3b1c31
Decrypted String: ProcessIdToSessionId
Addr: 0x1011DA64
Encyrpted String: 12302116202727303b2105273a363026261c31
Decrypted String: GetCurrentProcessId
3rd Log:
Code:
Addr: 0x10111684
Encyrpted String: 1b21042030272c062c262130381c3b333a273834213c3a3b
Decrypted String: NtQuerySystemInformation
Addr: 0x10112DB4
Encyrpted String: 072139162730342130
Decrypted String: RtlCreate
Addr: 0x10113104
Encyrpted String: 1b21042030272c1c3b333a273834213c3a3b05273a36302626
Decrypted String: NtQueryInformationProcess
Addr: 0x1011A074
Encyrpted String: 1b21193a343111273c233027
Decrypted String: NtLoadDriver
Addr: 0x1011BC14
Encyrpted String: 1b21042030272c1c3b333a273834213c3a3b05273a36302626
Decrypted String: NtQueryInformationProcess
Addr: 0x1011C5F0
Encyrpted String: 193127193a3431113939
Decrypted String: LdrLoadDll
Addr: 0x1011C604
Encyrpted String: 1b2105273a21303621033c27212034391830383a272c
Decrypted String: NtProtectVirtualMemory
Addr: 0x1011C624
Encyrpted String: 1b21013026211439302721
Decrypted String: NtTestAlert
Addr: 0x1011D1F0
Encyrpted String: 193127
Decrypted String: Ldr
Addr: 0x1011D720
Encyrpted String: 1b21013026211439302721
Decrypted String: NtTestAlert
Addr: 0x1011D750
Encyrpted String: 193127193a3431113939
Decrypted String: LdrLoadDll
Addr: 0x1011D764
Encyrpted String: 1931271230211139391d343b313930
Decrypted String: LdrGetDllHandle
Addr: 0x1011D77C
Encyrpted String: 1b2116393a2630
Decrypted String: NtClose
Addr: 0x1011D78C
Encyrpted String: 1b2113273030033c27212034391830383a272c
Decrypted String: NtFreeVirtualMemory
Addr: 0x1011D7A8
Encyrpted String: 1b21042030272c1c3b333a273834213c3a3b05273a36302626
Decrypted String: NtQueryInformationProcess
Addr: 0x1011D7CC
Encyrpted String: 1b211a25303b063036213c3a3b
Decrypted String: NtOpenSection
Addr: 0x1011D7E4
Encyrpted String: 1b21183425033c30221a33063036213c3a3b
Decrypted String: NtMapViewOfSection
Addr: 0x1011D800
Encyrpted String: 1b21
Decrypted String: Nt
Addr: 0x1011D85C
Encyrpted String: 193127
Decrypted String: Ldr
Addr: 0x1011D8A0
Encyrpted String: 1b21042030272c1c3b333a273834213c3a3b013a3e303b
Decrypted String: NtQueryInformationToken
Addr: 0x1011D8C0
Encyrpted String: 1b211a25303b05273a36302626013a3e303b
Decrypted String: NtOpenProcessToken
Addr: 0x1011D8DC
Encyrpted String: 0721390334393c31063c31
Decrypted String: RtlValidSid
Addr: 0x1011D8F0
Encyrpted String: 0721391024203439063c31
Decrypted String: RtlEqualSid
Addr: 0x1011D9C8
Encyrpted String: 1b211439393a36342130033c27212034391830383a272c
Decrypted String: NtAllocateVirtualMemory
Addr: 0x1011D9E8
Encyrpted String: 1b21042030272c033c27212034391830383a272c
Decrypted String: NtQueryVirtualMemory
Addr: 0x1011DA08
Encyrpted String: 1b2105273a21303621033c27212034391830383a272c
Decrypted String: NtProtectVirtualMemory
Addr: 0x1011DA28
Encyrpted String: 1b2107303431033c27212034391830383a272c
Decrypted String: NtReadVirtualMemory
Addr: 0x1011DA44
Encyrpted String: 1b2102273c2130033c27212034391830383a272c
Decrypted String: NtWriteVirtualMemory
4th Log:
Code:
Addr: 0x10113F58
Encyrpted String: 383c2d
Decrypted String: mix
Addr: 0x1011406C
Encyrpted String: 38141d
Decrypted String: mAH
Addr: 0x10117700
Encyrpted String: 38141d
Decrypted String: mAH
Error at: 10116902
Addr: 0x10117750
Encyrpted String: 383c2d
Decrypted String: mix
Addr: 0x101179F8
Encyrpted String: 38141d
Decrypted String: mAH
Addr: 0x10117F24
Encyrpted String: 38141d
Decrypted String: mAH
And some I decrypted manually because my script failed to find them:
Code:
Addr: 0x1011D21C
Encrypted String: >0';09fg{199
Decrypted String: kernel32.dll
Addr: 0x10119FEC
Encrypted String: \x38\x36\x3D\x1C\x3B\x3F\x11\x27\x23
Decrypted String: mchInjDrv
Addr: 0x1011773C
Encrypted String: &g\nfg{199
Decrypted String: s2_32.dll (fail lel :-3 guess its "ws2_32.dll")
Addr: 0x1011D83C
Encrypted String: \x38\x36\x67\x06\x02\x11\x1C\x1F
Decrypted String: mc2SWDIJ
Greetz
NikM
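As an added check (not NikM's script or anything else from the thread), the Python below recovers the single-byte XOR key from a handful of the logged strings and confirms that one key reproduces every plaintext quoted above, including the entries decoded by hand; the sample values are copied from this post's log, and the scoring rule is the example's own.

```python
"""Check a recovered single-byte XOR key against the strings logged above.
Added example, not the script from the post. Sample values are copied from
this post's log; the scoring rule (keys that turn every byte into an
import-name character win) is this example's own choice.
"""
import string

# Bytes a decrypted import or module name is expected to consist of.
ALLOWED = set((string.ascii_letters + string.digits + "_.").encode("ascii"))

# "Encyrpted String" hex from the log, with the plaintext the log reports.
LOGGED_HEX = {
    "193a3431193c372734272c14": "LoadLibraryA",
    "1b21042030272c062c262130381c3b333a273834213c3a3b": "NtQuerySystemInformation",
    "0639303025": "Sleep",
    "383c2d": "mix",
}
# Entries the post decoded by hand: the script had printed the obfuscated
# bytes as characters instead of hex, so they are re-encoded byte for byte.
LOGGED_RAW = {
    ">0';09fg{199": "kernel32.dll",
    "\x38\x36\x3D\x1C\x3B\x3F\x11\x27\x23": "mchInjDrv",
    "&g\nfg{199": "s2_32.dll",
}

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def all_samples() -> list[bytes]:
    hex_samples = [bytes.fromhex(h) for h in LOGGED_HEX]
    return hex_samples + [r.encode("latin-1") for r in LOGGED_RAW]

def recover_key(samples: list[bytes]) -> int:
    """Key under which the most sample bytes land in ALLOWED.

    Plain printability would not do: flipping bit 0x20 only swaps letter case,
    so it is the digits and the '.' in the samples that pin the key down.
    """
    def score(key: int) -> int:
        return sum((b ^ key) in ALLOWED for s in samples for b in s)
    return max(range(256), key=score)

def decode(data: bytes, key: int) -> str:
    return xor_bytes(data, key).decode("latin-1")

def mismatches(key: int) -> list[str]:
    """Logged plaintexts the key fails to reproduce; empty when all agree."""
    expected = {bytes.fromhex(h): p for h, p in LOGGED_HEX.items()}
    expected.update({r.encode("latin-1"): p for r, p in LOGGED_RAW.items()})
    return [p for data, p in expected.items() if decode(data, key) != p]

def encode_char(c: str, key: int) -> int:
    """Obfuscated byte for one character, e.g. the 'w' the s2_32.dll hit lacks."""
    return ord(c) ^ key
```

`mismatches(recover_key(all_samples()))` comes back empty, so one key (0x55) explains both the hex entries and the hand-decoded ones. `encode_char("w", 0x55)` is 0x22, the double-quote character, which is the byte that would have to sit in front of the `s2_32.dll` hit for it to read `ws2_32.dll`.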
|
|
|
08/12/2014, 19:51
|
#773
|
elite*gold: 26
Join Date: Nov 2013
Posts: 410
Received Thanks: 249
|
Does someone have the address of ClientSocket and the send function?
|
|
|
08/17/2014, 01:52
|
#774
|
elite*gold: 0
Join Date: Jul 2014
Posts: 43
Received Thanks: 4
|
Quote:
Originally Posted by Alliance™
Does someone have the address of ClientSocket and the send function?
|
Why don't you grab the ClientSocket via ws2_32.dll[connect]?
|
|
|
08/22/2014, 12:10
|
#775
|
elite*gold: 26
Join Date: Nov 2013
Posts: 410
Received Thanks: 249
|
OllyDbg:
Code:
0040AB96 /$ 53 PUSH EBX
0040AB97 |. 56 PUSH ESI
0040AB98 |. 57 PUSH EDI
0040AB99 |. 33DB XOR EBX,EBX
0040AB9B |. BF D0F45C00 MOV EDI,Moss_dum.005CF4D0
0040ABA0 |. 53 PUSH EBX ; /pDefaultCharUsed => NULL
0040ABA1 |. 53 PUSH EBX ; |pDefaultChar => NULL
0040ABA2 |. 68 00D00700 PUSH 7D000 ; |MultiByteCount = 7D000 (512000.)
0040ABA7 |. 57 PUSH EDI ; |MultiByteStr => Moss_dum.005CF4D0
0040ABA8 |. 6A FF PUSH -1 ; |WideCharCount = FFFFFFFF (-1.)
0040ABAA |. 51 PUSH ECX ; |WideCharStr
0040ABAB |. 53 PUSH EBX ; |Options => 0
0040ABAC |. 53 PUSH EBX ; |CodePage => CP_ACP
0040ABAD |. 8BF2 MOV ESI,EDX ; |
0040ABAF |. FF15 08535500 CALL DWORD PTR DS:[<&kernel32.WideCharTo>; \WideCharToMultiByte
0040ABB5 |. 68 00B25800 PUSH Moss_dum.0058B200 ; ASCII "CRC: "
0040ABBA |. 57 PUSH EDI
0040ABBB |. E8 90F91100 CALL Moss_dum.0052A550
0040ABC0 |. 59 POP ECX
0040ABC1 |. 59 POP ECX
0040ABC2 |. 85C0 TEST EAX,EAX
0040ABC4 |. 74 22 JE SHORT Moss_dum.0040ABE8
0040ABC6 |. 8BCF MOV ECX,EDI
0040ABC8 |. 8818 MOV BYTE PTR DS:[EAX],BL
0040ABCA |. E8 BA6FFFFF CALL Moss_dum.00401B89
0040ABCF |. 50 PUSH EAX ; /Arg4
0040ABD0 |. 68 14B25800 PUSH Moss_dum.0058B214 ; |Arg3 = 0058B214
0040ABD5 |. 68 FF000000 PUSH 0FF ; |Arg2 = 000000FF
0040ABDA |. 56 PUSH ESI ; |Arg1
0040ABDB |. E8 EDEE1100 CALL Moss_dum.00529ACD ; \Moss_dum.00529ACD
0040ABE0 |. 33C0 XOR EAX,EAX
0040ABE2 |. 83C4 10 ADD ESP,10
0040ABE5 |. 40 INC EAX
0040ABE6 |. EB 02 JMP SHORT Moss_dum.0040ABEA
0040ABE8 |> 33C0 XOR EAX,EAX
0040ABEA |> 5F POP EDI
0040ABEB |. 5E POP ESI
0040ABEC |. 5B POP EBX
0040ABED \. C3 RETN
IDA
Code:
int __fastcall sub_40AB96(LPCWSTR lpWideCharStr, wchar_t *Dst)
.MPRESS1:0040AB96 sub_40AB96 proc near ; CODE XREF: sub_40A84C+195p
.MPRESS1:0040AB96 push ebx
.MPRESS1:0040AB97 push esi
.MPRESS1:0040AB98 push edi
.MPRESS1:0040AB99 xor ebx, ebx
.MPRESS1:0040AB9B mov edi, offset Buffer
.MPRESS1:0040ABA0 push ebx ; lpUsedDefaultChar
.MPRESS1:0040ABA1 push ebx ; lpDefaultChar
.MPRESS1:0040ABA2 push 7D000h ; cbMultiByte
.MPRESS1:0040ABA7 push edi ; lpMultiByteStr
.MPRESS1:0040ABA8 push 0FFFFFFFFh ; cchWideChar
.MPRESS1:0040ABAA push ecx ; lpWideCharStr
.MPRESS1:0040ABAB push ebx ; dwFlags
.MPRESS1:0040ABAC push ebx ; CodePage
.MPRESS1:0040ABAD mov esi, edx
.MPRESS1:0040ABAF call WideCharToMultiByte
.MPRESS1:0040ABB5 push offset aGlobalLogCrc ; "CRC: "
.MPRESS1:0040ABBA push edi ; char *
.MPRESS1:0040ABBB call _strstr
.MPRESS1:0040ABC0 pop ecx
.MPRESS1:0040ABC1 pop ecx
.MPRESS1:0040ABC2 test eax, eax
.MPRESS1:0040ABC4 jz short loc_40ABE8
.MPRESS1:0040ABC6 mov ecx, edi
.MPRESS1:0040ABC8 mov [eax], bl
.MPRESS1:0040ABCA call sub_401B89
.MPRESS1:0040ABCF push eax
.MPRESS1:0040ABD0 push offset off_58B214 ; Format
.MPRESS1:0040ABD5 push 0FFh ; SizeInWords
.MPRESS1:0040ABDA push esi ; Dst
.MPRESS1:0040ABDB call _swprintf_s
.MPRESS1:0040ABE0 xor eax, eax
.MPRESS1:0040ABE2 add esp, 10h
.MPRESS1:0040ABE5 inc eax
.MPRESS1:0040ABE6 jmp short loc_40ABEA
.MPRESS1:0040ABE8 ; ---------------------------------------------------------------------------
.MPRESS1:0040ABE8
.MPRESS1:0040ABE8 loc_40ABE8: ; CODE XREF: sub_40AB96+2Ej
.MPRESS1:0040ABE8 xor eax, eax
.MPRESS1:0040ABEA
.MPRESS1:0040ABEA loc_40ABEA: ; CODE XREF: sub_40AB96+50j
.MPRESS1:0040ABEA pop edi
.MPRESS1:0040ABEB pop esi
.MPRESS1:0040ABEC pop ebx
.MPRESS1:0040ABED retn
.MPRESS1:0040ABED sub_40AB96 endp
I interpreted this in C++:
Code:
int sub_40AB96(LPCWSTR lpWideCharStr, wchar_t *Dst)
{
CHAR Buffer[0x7D000]; // 512000 bytes, the cbMultiByte value the disassembly passes
int dwSize = WideCharToMultiByte(CP_ACP, 0, lpWideCharStr, -1, Buffer, sizeof(Buffer), NULL, NULL);
char aGlobalLogCrc[] = "CRC: "; // the literal at 0058B200 ends with a space
....what do I write?..
}
Can someone help me continue interpreting the asm code...
|
|
|
08/22/2014, 13:35
|
#776
|
elite*gold: 297
Join Date: Dec 2010
Posts: 1,129
Received Thanks: 1,687
|
Quote:
Originally Posted by Alliance™
...
|
Why do you feel the urge to modify the CRC32 generation of ESL MOSS? Come on, dude, leave the eSports alone.
|
|
|
08/22/2014, 14:12
|
#777
|
elite*gold: 26
Join Date: Nov 2013
Posts: 410
Received Thanks: 249
|
Quote:
Originally Posted by Raz9r
Why do you feel the urge to modify the CRC32 generation of ESL MOSS? Come on, dude, leave the eSports alone.
|
This is a function to determine the Global log CRC, not CRC32... if you won't respond, please reply only with a suggestion.
|
|
|
08/23/2014, 12:18
|
#778
|
elite*gold: 98
Join Date: Nov 2011
Posts: 1,267
Received Thanks: 1,019
|
Quote:
Originally Posted by Alliance™
This is a function to determine the Global log CRC, not CRC32... if you won't respond, please reply only with a suggestion.
|
Yes, so you're about to alter the logs, in which case it is actually really sad to ruin eSports either way..
|
|
|
08/23/2014, 15:40
|
#779
|
elite*gold: 0
Join Date: Jul 2014
Posts: 43
Received Thanks: 4
|
Quote:
Originally Posted by Alliance™
(...)
|
0x00401B89 Check out this function
|
|
|
08/23/2014, 16:10
|
#780
|
elite*gold: 30
Join Date: May 2013
Posts: 1,546
Received Thanks: 2,597
|
Quote:
Originally Posted by Alliance™
(...)
|
Did you KNOW what WideCharToMultiByte is doing?
Data converted from UTF-16 to non-Unicode encodings is subject to data loss, because a code page might not be able to represent every character used in the specific Unicode data.
more information
|
|
|