What can you guys make out of this?

Forum closed. All further discussion to be discussed at https://github.com/OpenKore/

Infinite Sphere
Noob
Noob
Posts: 3
Joined: 26 Jun 2009, 05:15
Noob?: Yes

What can you guys make out of this?

#1 Post by Infinite Sphere »

http://www.megaupload.com/?d=S640RH0Z

It's a file hooked onto the .exe of that server, apparently blocking every program that tries or makes an attempt to hook into it. I expected it to be a sweat to get in, then again it's been quite nasty really. I have no real knowledge about the ASM language so I was wondering if someone could figure out exactly what this 'file' does to the .exe.

If you need the client for it as well I'll upload it here.

UltimaWeapon
Human
Human
Posts: 37
Joined: 04 Apr 2008, 22:55
Noob?: Yes
Location: Thailand

Re: What can you guys make out of this?

#2 Post by UltimaWeapon »

So confused. Looks like they are using code obfuscation with this DLL. After a little analysis, I have found many magic jumps. Look at this code.

.text:100013B7                 mov     ecx, offset loc_100013B7
.text:100013BC                 add     ecx, 0Bh
.text:100013BF                 jmp     ecx
.text:100013BF send            endp
.text:100013BF
.text:100013BF ; ---------------------------------------------------------------------------
.text:100013C1                 db 0E8h
.text:100013C2 ; ---------------------------------------------------------------------------
.text:100013C2                 cmp     dword_1001076C, 0
.text:100013C9                 jnz     loc_1000153B

jmp     ecx

This jump will go to 100013C2 (100013B7h + 0Bh)

cmp     dword_1001076C, 0

This technique can be used for confusing a disassembler and debugger. And I don't have the best solution for defeating it. Sorry.

Here are some other magic jumps.

.text:10001481                 mov     edx, offset loc_10001486
.text:10001486
.text:10001486 loc_10001486:                           ; DATA XREF: .text:loc_10001481o
.text:10001486                 add     edx, 6
.text:10001489                 jmp     edx

.text:10001547                 mov     ecx, 11235ABCh
.text:1000154C                 sub     ecx, 1234567h
.text:10001552                 jmp     ecx

.text:1000159F                 mov     ecx, 0DCCCE221h
.text:100015A4                 sub     ecx, 0CCCCCCCCh
.text:100015AA                 jmp     ecx

P.S. Sorry for my English. :mrgreen:

I may make you misunderstand, because my English isn't good enough. So sorry.
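The arithmetic UltimaWeapon walks through above can be checked mechanically. What follows is an added example, not code from this thread or from OpenKore: a small Python resolver that follows the mov/add/sub/jmp pattern in IDA-style listing text, reports the real jump target, and says how many bytes a linear-sweep disassembler would misread between the jump and that target (the stray `db 0E8h`). The listing it runs on is copied from the post; the 2-byte length of `jmp reg` is assumed from the listing's own addresses.

```python
import re
# IDA-style lines copied from the post above (a constructed sample for the resolver to run on).
SAMPLE_LISTING = """
.text:100013B7                 mov     ecx, offset loc_100013B7
.text:100013BC                 add     ecx, 0Bh
.text:100013BF                 jmp     ecx
.text:100013C1                 db 0E8h
.text:100013C2                 cmp     dword_1001076C, 0
.text:10001481                 mov     edx, offset loc_10001486
.text:10001486                 add     edx, 6
.text:10001489                 jmp     edx
.text:10001547                 mov     ecx, 11235ABCh
.text:1000154C                 sub     ecx, 1234567h
.text:10001552                 jmp     ecx
.text:1000159F                 mov     ecx, 0DCCCE221h
.text:100015A4                 sub     ecx, 0CCCCCCCCh
.text:100015AA                 jmp     ecx
"""
LINE_RE = re.compile(r'^\.text:([0-9A-Fa-f]{8})\s+([A-Za-z]+)\s+(.*)$')

def parse_imm(tok):
    """IDA immediates: 'offset loc_100013B7' -> 0x100013B7, '0Bh' -> 11, '6' -> 6."""
    m = re.match(r'offset\s+\w+_([0-9A-Fa-f]{8})$', tok)
    if m:
        return int(m.group(1), 16)
    return int(tok[:-1], 16) if tok.lower().endswith('h') else int(tok, 10)

def resolve_magic_jumps(listing):
    """Follow 'mov reg, X; add/sub reg, Y; jmp reg' and return {jmp_addr: real target}."""
    regs, targets = {}, {}
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, mnem = int(m.group(1), 16), m.group(2).lower()
        parts = [p.strip() for p in m.group(3).split(';')[0].split(',')]
        if mnem == 'mov' and len(parts) == 2:
            regs[parts[0]] = parse_imm(parts[1])          # register loaded with a constant
        elif mnem in ('add', 'sub') and len(parts) == 2 and parts[0] in regs:
            delta = parse_imm(parts[1]) * (1 if mnem == 'add' else -1)
            regs[parts[0]] = (regs[parts[0]] + delta) & 0xFFFFFFFF  # 32-bit wraparound
        elif mnem == 'jmp' and len(parts) == 1 and parts[0] in regs:
            targets[addr] = regs.pop(parts[0])             # indirect jmp with known value
    return targets

def junk_bytes(jmp_addr, target):
    """Bytes a linear sweep decodes past the 2-byte 'jmp reg' before the real target (0 = no skip)."""
    gap = target - (jmp_addr + 2)
    return gap if 0 < gap < 16 else 0
```

Run on the post's listing it confirms the 100013C2 target and shows that the last two jumps, despite different constants, both land on 10001555.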

kali
OpenKore Monk
OpenKore Monk
Posts: 457
Joined: 04 Apr 2008, 10:10

Re: What can you guys make out of this?

#3 Post by kali »

As long as the English can be understood, it's no problem :)

Which server are we talking about again?
Got your topic trashed by a mod?

Trashing topics is one click, and moving a topic to its proper forum is a lot harder. You expend the least effort in deciding where to post, mods expend the least effort by trashing.

Have a nice day.

Mushroom
Perl Monk
Perl Monk
Posts: 427
Joined: 04 Apr 2008, 14:04
Noob?: No
Location: Brazil

Re: What can you guys make out of this?

#4 Post by Mushroom »

Probably DreamerRO.
Quit.

Infinite Sphere
Noob
Noob
Posts: 3
Joined: 26 Jun 2009, 05:15
Noob?: Yes

Re: What can you guys make out of this?

#5 Post by Infinite Sphere »

Oh. I was busy for a while, couldn't bother doing anything =/.
UltimaWeapon wrote: So confused. Looks like they are using code obfuscation with this DLL. After a little analysis, I have found many magic jumps. Look at this code.

.text:100013B7                 mov     ecx, offset loc_100013B7
.text:100013BC                 add     ecx, 0Bh
.text:100013BF                 jmp     ecx
.text:100013BF send            endp
.text:100013BF
.text:100013BF ; ---------------------------------------------------------------------------
.text:100013C1                 db 0E8h
.text:100013C2 ; ---------------------------------------------------------------------------
.text:100013C2                 cmp     dword_1001076C, 0
.text:100013C9                 jnz     loc_1000153B

jmp     ecx

This jump will go to 100013C2 (100013B7h + 0Bh)

cmp     dword_1001076C, 0

This technique can be used for confusing a disassembler and debugger. And I don't have the best solution for defeating it. Sorry.

Here are some other magic jumps.

.text:10001481                 mov     edx, offset loc_10001486
.text:10001486
.text:10001486 loc_10001486:                           ; DATA XREF: .text:loc_10001481o
.text:10001486                 add     edx, 6
.text:10001489                 jmp     edx

.text:10001547                 mov     ecx, 11235ABCh
.text:1000154C                 sub     ecx, 1234567h
.text:10001552                 jmp     ecx

.text:1000159F                 mov     ecx, 0DCCCE221h
.text:100015A4                 sub     ecx, 0CCCCCCCCh
.text:100015AA                 jmp     ecx

P.S. Sorry for my English. :mrgreen:

The .exe of theirs also contains some code, perhaps you might find something interesting? I'll update this thread once I have uploaded their .exe. Sorry for not responding for so long, and thank you for checking it out. ASM is so beyond me =/

@ kali

Dreamer RO

updated: http://www.megaupload.com/?d=I22VYUI6 < their .exe

~ Sphere

UltimaWeapon
Human
Human
Posts: 37
Joined: 04 Apr 2008, 22:55
Noob?: Yes
Location: Thailand

Re: What can you guys make out of this?

#6 Post by UltimaWeapon »

kali wrote: As long as the English can be understood, it's no problem :)

Which server are we talking about again?

Thank you. :mrgreen:

I may make you misunderstand, because my English isn't good enough. So sorry.