Hmm, I think it's a big mistake to patch the scan DLL...
Why? Because the game checks the hash of this file, so if it's modified, it raises an alert... And why patch each scan.dll update when you can just hook the system APIs that are used by scan.dll?
Just download UPX:
Code:
Ultimate Packer for eXecutables
Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006,2007
UPX 3.02w Markus Oberhumer, Laszlo Molnar & John Reiser Dec 16th 2007
File size Ratio Format Name
-------------------- ------ ----------- -----------
90372 <- 41220 45.61% win32/pe Scan.dll
Unpacked 1 file.
Then pop OllyDBG:
Code:
Names in Scan
Address Section Type ( Name Comment
373F3030 .text Export #1 3 arguments
373F3010 .text Export #2 3 arguments
373F2FA0 .text Export #3 4 arguments
373FC008 .rdata Import ( ADVAPI32.AdjustTokenPrivileges
373FC054 .rdata Import ( KERNEL32.CloseHandle
373FC044 .rdata Import ( KERNEL32.CreateToolhelp32Snapshot
373FC0E0 .rdata Import ( KERNEL32.DeleteCriticalSection
373FC114 .rdata Import ( KERNEL32.EnterCriticalSection
373FC134 .rdata Import ( USER32.EnumWindows
373FC0CC .rdata Import ( KERNEL32.ExitProcess
373FC0E4 .rdata Import ( KERNEL32.FreeEnvironmentStringsA
373FC0EC .rdata Import ( KERNEL32.FreeEnvironmentStringsW
373FC0A4 .rdata Import ( KERNEL32.GetACP
373FC05C .rdata Import ( KERNEL32.GetCommandLineA
373FC0A0 .rdata Import ( KERNEL32.GetCPInfo
373FC02C .rdata Import ( KERNEL32.GetCurrentProcess
373FC028 .rdata Import ( KERNEL32.GetCurrentProcessId
373FC058 .rdata Import ( KERNEL32.GetCurrentThreadId
373FC0E8 .rdata Import ( KERNEL32.GetEnvironmentStrings
373FC0F0 .rdata Import ( KERNEL32.GetEnvironmentStringsW
373FC0D8 .rdata Import ( KERNEL32.GetFileType
373FC098 .rdata Import ( KERNEL32.GetLastError
373FC118 .rdata Import ( KERNEL32.GetLocaleInfoA
373FC07C .rdata Import ( KERNEL32.GetModuleFileNameA
373FC020 .rdata Import ( KERNEL32.GetModuleHandleA
373FC0A8 .rdata Import ( KERNEL32.GetOEMCP
373FC01C .rdata Import ( KERNEL32.GetProcAddress
373FC068 .rdata Import ( KERNEL32.GetProcessHeap
373FC144 .rdata Import USER32.GetShellWindow
373FC0DC .rdata Import ( KERNEL32.GetStartupInfoA
373FC078 .rdata Import ( KERNEL32.GetStdHandle
373FC11C .rdata Import ( KERNEL32.GetStringTypeA
373FC120 .rdata Import ( KERNEL32.GetStringTypeW
373FC030 .rdata Import ( KERNEL32.GetSystemInfo
373FC108 .rdata Import ( KERNEL32.GetSystemTimeAsFileTime
373FC104 .rdata Import ( KERNEL32.GetTickCount
373FC050 .rdata Import ( KERNEL32.GetVersionExA
373FC140 .rdata Import ( USER32.GetWindowTextA
373FC13C .rdata Import ( USER32.GetWindowTextW
373FC138 .rdata Import ( USER32.GetWindowThreadProcessId
373FC064 .rdata Import ( KERNEL32.HeapAlloc
373FC0F8 .rdata Import ( KERNEL32.HeapCreate
373FC0F4 .rdata Import ( KERNEL32.HeapDestroy
373FC060 .rdata Import ( KERNEL32.HeapFree
373FC128 .rdata Import ( KERNEL32.HeapReAlloc
373FC12C .rdata Import ( KERNEL32.HeapSize
373FC040 .rdata Import ( KERNEL32.InitializeCriticalSection
373FC09C .rdata Import ( KERNEL32.InterlockedDecrement
373FC090 .rdata Import ( KERNEL32.InterlockedIncrement
373FC0B4 .rdata Import ( KERNEL32.IsDebuggerPresent
373FC0AC .rdata Import ( KERNEL32.IsValidCodePage
373FC0B8 .rdata Import ( KERNEL32.LCMapStringA
373FC0C0 .rdata Import ( KERNEL32.LCMapStringW
373FC110 .rdata Import ( KERNEL32.LeaveCriticalSection
373FC10C .rdata Import ( KERNEL32.LoadLibraryA
373FC000 .rdata Import ( ADVAPI32.LookupPrivilegeValueW
373FC03C .rdata Import ( KERNEL32.Module32First
373FC038 .rdata Import ( KERNEL32.Module32Next
373F4563 .text Export <ModuleEntryPoint>
373FC024 .rdata Import ( KERNEL32.MultiByteToWideChar
373FC014 .rdata Import ( KERNEL32.OpenProcess
373FC00C .rdata Import ( ADVAPI32.OpenProcessToken
373FC004 .rdata Import ( ADVAPI32.PrivilegeCheck
373FC048 .rdata Import ( KERNEL32.Process32First
373FC04C .rdata Import ( KERNEL32.Process32Next
373FC100 .rdata Import ( KERNEL32.QueryPerformanceCounter
373FC0C8 .rdata Import ( KERNEL32.RaiseException
373FC034 .rdata Import ( KERNEL32.ReadProcessMemory
373FC0C4 .rdata Import ( KERNEL32.RtlUnwind
373FC0D4 .rdata Import ( KERNEL32.SetHandleCount
373FC094 .rdata Import ( KERNEL32.SetLastError
373FC070 .rdata Import ( KERNEL32.SetUnhandledExceptionFilter
373FC0D0 .rdata Import ( KERNEL32.Sleep
373FC0B0 .rdata Import ( KERNEL32.TerminateProcess
373FC084 .rdata Import ( KERNEL32.TlsAlloc
373FC08C .rdata Import ( KERNEL32.TlsFree
373FC080 .rdata Import ( KERNEL32.TlsGetValue
373FC088 .rdata Import ( KERNEL32.TlsSetValue
373FC06C .rdata Import ( KERNEL32.UnhandledExceptionFilter
373FC124 .rdata Import ( KERNEL32.VirtualAlloc
373FC0FC .rdata Import ( KERNEL32.VirtualFree
373FC018 .rdata Import ( KERNEL32.VirtualQueryEx
373FC0BC .rdata Import ( KERNEL32.WideCharToMultiByte
373FC074 .rdata Import ( KERNEL32.WriteFile
So you can see you just need to hook KERNEL32.CreateToolhelp32Snapshot to avoid process listing, then KERNEL32.OpenProcess to prevent Warden from opening and sneaking into your process.
Hooking a system call is very easy, trust me.
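
Seen from the defending side, this is the integrity check that answers the API hooking described in the post above, as an added example that is not part of the original post: before relying on an import such as CreateToolhelp32Snapshot or OpenProcess, a scanner confirms that the IAT slot and the function's first bytes still lead into the DLL that owns it. The module range, addresses and byte sequences are constructed sample values, and the code assumes a 32-bit x86 process.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum hook_verdict { HOOK_NONE, HOOK_IAT_REDIRECT, HOOK_INLINE_JMP, HOOK_PUSH_RET };

/* Address range of the DLL expected to implement the import. */
struct mod_range { uint32_t base, size; };

static int in_range(const struct mod_range *m, uint32_t va) {
    return va >= m->base && va - m->base < m->size;
}
static uint32_t le32(const uint8_t *p) {   /* little-endian 32-bit read */
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* iat_value: pointer found in the import's IAT slot.
 * code/len:  first bytes of the function at that address.
 * owner:     range of the module that should contain the function. */
enum hook_verdict check_import(uint32_t iat_value, const uint8_t *code,
                               size_t len, const struct mod_range *owner) {
    if (!in_range(owner, iat_value))
        return HOOK_IAT_REDIRECT;             /* slot points outside the DLL */
    if (len >= 5 && code[0] == 0xE9) {        /* jmp rel32 */
        uint32_t target = iat_value + 5 + le32(code + 1);
        if (!in_range(owner, target))         /* in-module thunks are fine */
            return HOOK_INLINE_JMP;
    }
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3 &&  /* push imm32; ret */
        !in_range(owner, le32(code + 1)))
        return HOOK_PUSH_RET;
    return HOOK_NONE;
}

/* Constructed sample values, not taken from the post or any real system. */
static const struct mod_range K32 = { 0x7C800000u, 0x000F6000u };
static const uint32_t FUNC_VA = 0x7C864000u;
static const uint8_t CLEAN[]   = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83 };
static const uint8_t JMP_OUT[] = { 0xE9, 0xFB, 0xCF, 0x79, 0x93, 0x90 };
static const uint8_t JMP_IN[]  = { 0xE9, 0x10, 0x00, 0x00, 0x00, 0x90 };
static const uint8_t PUSHRET[] = { 0x68, 0x00, 0x10, 0x00, 0x10, 0xC3 };

int main(void) {
    printf("clean=%d jmp_out=%d jmp_in=%d push_ret=%d\n",
           check_import(FUNC_VA, CLEAN, sizeof CLEAN, &K32),
           check_import(FUNC_VA, JMP_OUT, sizeof JMP_OUT, &K32),
           check_import(FUNC_VA, JMP_IN, sizeof JMP_IN, &K32),
           check_import(FUNC_VA, PUSHRET, sizeof PUSHRET, &K32));
    return 0;
}
```

A scanner that also compares these first bytes against the copy of the DLL on disk catches redirections that do not start with either pattern.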