http://www.megaupload.com/?d=S640RH0Z
It's a file hooked onto the .exe of that server, apparently blocking every program that tries or makes an attempt to hook into it. I expected it to be a sweat to get in, then again it's been quite nasty really. I have no real knowledge about the ASM language, so I was wondering if someone could figure out exactly what this ''file'' does to the .exe.
If you need the client for it as well, I'll upload it here.
What can you guys make out of this?
Re: What can you guys make out of this?
So confused. Looks like they are using code obfuscation with this DLL. After a little analysis, I have found many of these magic jumps. Look at this code.

    .text:100013B7 mov ecx, offset loc_100013B7
    .text:100013BC add ecx, 0Bh
    .text:100013BF jmp ecx
    .text:100013BF send endp
    .text:100013BF
    .text:100013BF ; ---------------------------------------------------------------------------
    .text:100013C1 db 0E8h
    .text:100013C2 ; ---------------------------------------------------------------------------
    .text:100013C2 cmp dword_1001076C, 0
    .text:100013C9 jnz loc_1000153B

This jump will be going to 100013C2 (100013B7h + 0Bh):

    jmp ecx

This technique can be used for confusing a disassembler and debugger. And I do not have the best solution for defeating it. Sorry.

    cmp dword_1001076C, 0

These are some other magic jumps.

    .text:10001481 mov edx, offset loc_10001486
    .text:10001486
    .text:10001486 loc_10001486: ; DATA XREF: .text:loc_10001481o
    .text:10001486 add edx, 6
    .text:10001489 jmp edx

    .text:10001547 mov ecx, 11235ABCh
    .text:1000154C sub ecx, 1234567h
    .text:10001552 jmp ecx

    .text:1000159F mov ecx, 0DCCCE221h
    .text:100015A4 sub ecx, 0CCCCCCCCh
    .text:100015AA jmp ecx

P.S. Sorry for my English.
I may have made you misunderstand, because my English isn't good enough. So sorry.
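An added example, not from this thread or the server's code: it folds the mov/add/sub immediates of the four computed jumps quoted above into their real targets, which is what an analyst does before re-marking the code in the disassembler. The listing text is pasted from the post; the function and regex names are my own.

```python
import re

# Constructed input: the listing lines quoted in the post, pasted together.
LISTING = """
.text:100013B7 mov ecx, offset loc_100013B7
.text:100013BC add ecx, 0Bh
.text:100013BF jmp ecx
.text:100013C1 db 0E8h
.text:10001481 mov edx, offset loc_10001486
.text:10001486 add edx, 6
.text:10001489 jmp edx
.text:10001547 mov ecx, 11235ABCh
.text:1000154C sub ecx, 1234567h
.text:10001552 jmp ecx
.text:1000159F mov ecx, 0DCCCE221h
.text:100015A4 sub ecx, 0CCCCCCCCh
.text:100015AA jmp ecx
"""

LINE_RE = re.compile(r"^\s*\.text:([0-9A-Fa-f]{8})\s+(\S.*)$")
MOV_RE = re.compile(r"^mov\s+(\w+),\s*(?:offset\s+)?(\S+)$")
ARITH_RE = re.compile(r"^(add|sub)\s+(\w+),\s*(\S+)$")
JMP_RE = re.compile(r"^jmp\s+(\w+)$")

def parse_imm(text):
    """IDA spelling: 0Bh / 11235ABCh are hex, a bare 6 is decimal, loc_XXXX is an address."""
    if text.startswith("loc_"):
        return int(text[4:], 16)
    if text.endswith("h"):
        return int(text[:-1], 16)
    return int(text, 10)

def resolve_computed_jumps(listing):
    """Fold mov/add/sub immediates into each `jmp reg`: {jmp_addr: (target, skipped)}.
    skipped = target - fall-through: junk bytes (the 0E8h above) a linear-sweep
    disassembler decodes as code. Negative means a backward jump."""
    regs, found = {}, {}
    for m in filter(None, map(LINE_RE.match, listing.splitlines())):
        addr, insn = int(m.group(1), 16), m.group(2).split(";")[0].strip()
        try:
            if mm := MOV_RE.match(insn):
                regs[mm.group(1)] = parse_imm(mm.group(2))
            elif (am := ARITH_RE.match(insn)) and am.group(2) in regs:
                delta = parse_imm(am.group(3))
                regs[am.group(2)] += delta if am.group(1) == "add" else -delta
            elif (jm := JMP_RE.match(insn)) and jm.group(1) in regs:
                target = regs.pop(jm.group(1)) & 0xFFFFFFFF
                found[addr] = (target, target - (addr + 2))  # jmp reg is FF /4: 2 bytes
        except ValueError:  # register or memory operand: value no longer known
            regs.clear()
    return found
```

Both sub-based jumps resolve to the same address, 10001555h, and the first three each land one byte past the jmp's fall-through, which is exactly the stray `db 0E8h` the disassembler shows.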
Re: What can you guys make out of this?
As long as the English can be understood, it's no problem.
Which server are we talking about again?
Got your topic trashed by a mod?
Trashing topics is one click, and moving a topic to its proper forum is a lot harder. You expend the least effort in deciding where to post, mods expend the least effort by trashing.
Have a nice day.
Re: What can you guys make out of this?
UltimaWeapon wrote: So confused. Looks like they are using code obfuscation with this DLL. After a little analysis, I have found many of these magic jumps. Look at this code. [...]
Oh. I was busy for a while, couldn't bother doing anything =/.
The .exe of theirs also contains some code, perhaps you might find something interesting? I'll update this thread once I have uploaded their .exe. Sorry for not responding for so long, and I thank you for checking it out. ASM is so beyond me =/
@ kali
Dreamer RO
updated: http://www.megaupload.com/?d=I22VYUI6 < their .exe
~ Sphere
Re: What can you guys make out of this?
kali wrote: As long as the English can be understood, it's no problem. Which server are we talking about again?
Thank you.