An updated version that also prints which module each scan entry relates to (the scan table is walked from Scan.dll and the NULL module entries are shown as WoW.exe).
Code:
#include <windows.h>
#include <cstring>
#include <iomanip>
#include <iostream>
#include <string>
#include <vector>
// "Yes With SEH Exceptions" (/EHa) must be enabled for this project: the
// catch (...) below only catches access violations raised while reading
// Scan.dll's memory under /EHa. With plain /EHsc the program crashes instead.
// - kynox
/*
00000000 Scan_ModuleRVAHash struc ; (sizeof=0x4C)
00000000 arrBadHash_SHA1 db 20 dup(?)
00000014 dwHMacSeed dd ?
00000018 field_18 dd ?
0000001C field_1C dd ?
00000020 dwRVA dd ?
00000024 field_24 dd ?
00000028 dwSize dd ?
0000002C field_2C dd ?
00000030 pbEncryptedHackName dd ?
00000034 szHackNameLen dd ?
00000038 field_38 dd ?
0000003C field_3C dd ?
00000040 field_40 dd ?
00000044 field_44 dd ?
00000048 field_48 dd ?
0000004C Scan_ModuleRVAHash ends
0000004C
*/
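// One scan-table entry as laid out in Scan.dll (see the IDA dump above:
// Scan_ModuleRVAHash, sizeof 0x4C). Only the three fields the dumper reads are
// named; the byte arrays are padding that keeps those fields at the offsets
// the DLL uses. The offsets assume a 32-bit build (4-byte char*), which is the
// only configuration in which this layout can match the DLL.
struct Scan_ModuleRVAHash
{
    unsigned char pad1[24];      // 0x00..0x17: SHA1 hash + HMAC seed per the IDA dump
    char*         pModule;       // 0x18: module name; NULL is printed as WoW.exe by the dumper
    unsigned char pad2[4];       // 0x1C
    unsigned int  RVAOffset;     // 0x20: dwRVA
    unsigned char pad3[4];       // 0x24
    unsigned int  Size;          // 0x28: dwSize
    unsigned char pad4[32];      // 0x2C..0x4B
};

// Compile-time layout guard (C++03-compatible): on 32-bit builds the struct
// must be exactly 0x4C bytes. On 64-bit builds the check is skipped because
// the 8-byte pointer already makes the layout wrong there; the tool is 32-bit only.
typedef char Scan_ModuleRVAHash_size_check[
    (sizeof(void*) != 4 || sizeof(Scan_ModuleRVAHash) == 0x4C) ? 1 : -1];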
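// Stream manipulator that formats the NEXT inserted integer as zero-padded
// hexadecimal of m_padSize digits, optionally with uppercase A-F:
//   os << HexNum(8) << 0x1234u;   // "00001234"
// No "0x" prefix is written. Side effects on the stream: std::hex, the fill
// character and the upper/lowercase flag persist after the insertion (so
// later integers are still printed in hex); only the width is consumed by the
// next insertion, as with std::setw.
class HexNum
{
public:
    // explicit: an int must never silently become a manipulator.
    explicit HexNum(int padSize, bool bUpper = false)
        : m_padSize(padSize), m_bUpper(bUpper) {}

    // Applies base/fill/width/case to `out` and returns it for chaining.
    std::ostream& operator()(std::ostream& out) const
    {
        if (m_bUpper)
            out.setf(std::ios_base::uppercase);
        else
            out.unsetf(std::ios_base::uppercase);
        out.setf(std::ios_base::hex, std::ios_base::basefield);
        out.fill('0');
        out.width(m_padSize);
        return out;
    }

    // Lets the manipulator be inserted with the usual `os << HexNum(n)` syntax.
    friend std::ostream& operator<<(std::ostream& os, const HexNum& manip)
    {
        return manip(os);
    }

private:
    int  m_padSize;   // minimum number of digits (field width) for the next integer
    bool m_bUpper;    // true => uppercase hex digits
};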
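// Default scan window used when callers omit the address/length arguments:
// the 32-bit WoW.exe image starting at its .text base. Both values are raw
// addresses held in `unsigned long`, so this tool is 32-bit only (on x64
// Windows `unsigned long` is 32 bits and cannot hold a pointer).
unsigned long dwStartAddress = 0x00401000, dwLen = 0x00861FFF;

// Byte-wise masked compare: at every position where szMask is 'x' the bytes
// must be equal; any other mask character (conventionally '?') is a wildcard.
// The NUL-terminated mask bounds the comparison, so pData and bMask must each
// be readable for strlen(szMask) bytes.
bool bDataCompare(const unsigned char* pData, const unsigned char* bMask, const char* szMask)
{
    for (; *szMask != '\0'; ++szMask, ++pData, ++bMask)
    {
        if (*szMask == 'x' && *pData != *bMask)
            return false;
    }
    return true;
}

// Linear search for the masked byte pattern (bMask/szMask) in the window
// [dw_Address, dw_Address + dw_Len). Returns the address of the first match,
// or 0 when there is none or the mask is empty.
// A candidate is only compared when the whole pattern fits inside the window,
// so the search never reads past dw_Address + dw_Len (the naive `i < dw_Len`
// loop could overrun by up to strlen(szMask) - 1 bytes). Reads inside the
// window are unchecked and fault if that memory is not mapped.
unsigned long FindPattern(const unsigned char* bMask, const char* szMask,
                          unsigned long dw_Address = dwStartAddress, unsigned long dw_Len = dwLen)
{
    const unsigned long patternLen = static_cast<unsigned long>(std::strlen(szMask));
    if (patternLen == 0 || patternLen > dw_Len)
        return 0;

    const unsigned long lastStart = dw_Len - patternLen;
    for (unsigned long offset = 0; offset <= lastStart; ++offset)
    {
        const unsigned char* candidate = reinterpret_cast<const unsigned char*>(dw_Address + offset);
        if (bDataCompare(candidate, bMask, szMask))
            return dw_Address + offset;
    }
    return 0;
}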
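// Reads HKLM\SOFTWARE\Blizzard Entertainment\World of Warcraft\InstallPath.
// Returns the path with a trailing separator, or an empty string when the
// key/value is missing, cannot be read, or is not a string value.
// REG_EXPAND_SZ values are accepted but not expanded.
static std::string ReadWoWInstallPath()
{
    HKEY hKey = NULL;
    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\Blizzard Entertainment\\World of Warcraft\\",
                     0, KEY_READ, &hKey) != ERROR_SUCCESS)
        return std::string();

    // One spare byte: REG_SZ data read back from the registry is not
    // guaranteed to be NUL-terminated, and the string constructor below
    // relies on finding a terminator.
    std::vector<char> buf(MAX_PATH + 1, '\0');
    DWORD cbData = MAX_PATH;   // DWORD, not size_t: the API writes exactly 4 bytes here
    DWORD type = REG_NONE;
    const LONG rc = RegQueryValueEx(hKey, "InstallPath", NULL, &type,
                                    reinterpret_cast<LPBYTE>(&buf[0]), &cbData);
    RegCloseKey(hKey);
    if (rc != ERROR_SUCCESS || (type != REG_SZ && type != REG_EXPAND_SZ))
        return std::string();

    std::string path(&buf[0]);   // buf[MAX_PATH] is always 0, so this cannot overrun
    if (!path.empty() && path[path.size() - 1] != '\\' && path[path.size() - 1] != '/')
        path += '\\';            // "C:\WoW" + "Scan.dll" must not become "C:\WoWScan.dll"
    return path;
}

// Locates and maps Scan.dll. The bare-name attempt covers the case where the
// tool is run from the WoW directory; otherwise the registry install path is used.
// Security note: a bare-name LoadLibrary walks the normal DLL search order
// (application directory, system directories, current directory, PATH), so a
// planted Scan.dll anywhere on that path is loaded instead of Blizzard's, and
// LoadLibrary runs the module's DllMain. Only run this against a Scan.dll you trust.
static HMODULE LoadScanDll()
{
    HMODULE hModule = LoadLibrary("Scan.dll");
    if (hModule != NULL)
        return hModule;

    const std::string installPath = ReadWoWInstallPath();
    if (installPath.empty())
        return NULL;   // nothing left to try: the bare name already failed

    const std::string dllPath = installPath + "Scan.dll";
    return LoadLibrary(dllPath.c_str());
}

// Finds the scan table through Scan_3's prologue: the first
// `mov dword ptr [ebp-14h], imm32` (C7 45 EC xx xx xx xx) within 128 bytes of
// the export holds a pointer, which is then followed three times at +4.
// Returns 0 when the instruction is not found. A bad pointer along the chain
// raises an access violation, which only reaches `catch (...)` under /EHa.
static DWORD_PTR LocateScanTable(FARPROC fpScan3)
{
    unsigned char pattern[] = { 0xC7, 0x45, 0xEC };
    char mask[] = "xxx";
    const DWORD_PTR insn = FindPattern(pattern, mask, reinterpret_cast<u_long>(fpScan3), 128);
    if (insn == 0)
        return 0;   // the original dereferenced address 3 here and relied on SEH

    DWORD_PTR p = *reinterpret_cast<DWORD_PTR*>(insn + 3);   // the imm32 operand
    p = *reinterpret_cast<DWORD_PTR*>(p + 4);
    p = *reinterpret_cast<DWORD_PTR*>(p + 4);
    p = *reinterpret_cast<DWORD_PTR*>(p + 4);
    return p;
}

// Entry point: maps Scan.dll, resolves export ordinal 3 (Scan_3), recovers the
// scan table and prints one line per entry (module, RVA, size) followed by the
// entry count in hex. Returns 0 on success and -1 on any failure. Relies on
// /EHa so that access violations while reading the DLL's memory land in
// `catch (...)` instead of crashing the process.
int main()
{
    HMODULE hModule = LoadScanDll();
    if (hModule == NULL)
    {
        std::cout << "Could not find Scan.dll" << std::endl;
        return -1;
    }

    // Ordinal import: GetProcAddress takes an ordinal in the low word of the
    // "name" pointer.
    FARPROC fpScan3 = GetProcAddress(hModule, reinterpret_cast<LPCSTR>(3));
    if (fpScan3 == NULL)
    {
        std::cout << "Failed to find Scan_3" << std::endl;
        FreeLibrary(hModule);
        return -1;
    }

    int count = 0;
    try
    {
        const DWORD_PTR scanTable = LocateScanTable(fpScan3);
        if (scanTable == 0)
        {
            std::cout << "Failure! Could not scan table" << std::endl;
            FreeLibrary(hModule);
            return -1;
        }

        // The table is a NULL-terminated array of pointers to entries. The walk
        // is inside the try so a malformed table is reported, not crashed on
        // (the original walked it outside the guarded region).
        const PDWORD_PTR pScanTable = reinterpret_cast<PDWORD_PTR>(scanTable);
        std::cout << "Module\t\tRVA\t\tSize" << std::endl;
        for (const Scan_ModuleRVAHash* pScan = reinterpret_cast<const Scan_ModuleRVAHash*>(pScanTable[0]);
             pScan != NULL;
             pScan = reinterpret_cast<const Scan_ModuleRVAHash*>(pScanTable[++count]))
        {
            // pModule is read as a C string straight out of the DLL image (no
            // length is available to bound it); a NULL module is printed as the
            // main executable.
            const char* moduleName = (pScan->pModule == NULL) ? "WoW.exe" : pScan->pModule;
            std::cout << "[" << moduleName << "]\t0x" << HexNum(8) << pScan->RVAOffset
                      << "\t" << HexNum(4) << pScan->Size << std::endl;
        }
    }
    catch (...)
    {
        std::cout << "Failure! Could not scan table" << std::endl;
        FreeLibrary(hModule);
        return -1;
    }

    // The count is printed in hex to keep the tool's original output format.
    std::cout << "Successfully dumped 0x" << HexNum(4) << count << " scans" << std::endl;
    FreeLibrary(hModule);
    return 0;
}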
Output:
Code:
Module RVA Size
[WoW.exe] 0x00000012 0002
[explorer.exe] 0x00008220 0034
[explorer.exe] 0x00002214 002f
[explorer.exe] 0x0000268c 0021
[explorer.exe] 0x000022ac 0013
[WoW.exe] 0x00015bea 0016
[WoW.exe] 0x00008114 002b
[explorer.exe] 0x00005d14 0014
[WoW.exe] 0x0000c0dc 0014
[explorer.exe] 0x00018104 001e
[WoW.exe] 0x0000c1ec 0013
[WoW.exe] 0x0000c0cc 0013
[explorer.exe] 0x00005db4 0013
[explorer.exe] 0x00008274 0023
[explorer.exe] 0x00007208 0022
[explorer.exe] 0x00002198 002f
[explorer.exe] 0x00005d04 0013
[WoW.exe] 0x0000b19c 0013
[explorer.exe] 0x00008284 0022
[explorer.exe] 0x00008208 0022
[explorer.exe] 0x00007034 0021
[WoW.exe] 0x00006a44 002c
[explorer.exe] 0x00008354 0022
[explorer.exe] 0x0000266c 0021
[explorer.exe] 0x000022ac 0013
[WoW.exe] 0x000080c4 002f
[WoW.exe] 0x0000995a 000d
[explorer.exe] 0x0000995a 000d
[WoW.exe] 0x0000b764 001e
[WoW.exe] 0x0000a974 000d
[explorer.exe] 0x0000a974 000d
[WoW.exe] 0x0000b764 0019
[explorer.exe] 0x0000252c 0009
[explorer.exe] 0x0007ca14 001a
[explorer.exe] 0x0007ca14 0014
[WoW.exe] 0x0000bbbc 0024
[WoW.exe] 0x0000b92b 0024
[explorer.exe] 0x000071bc 001d
[WoW.exe] 0x0000c658 0024
[WoW.exe] 0x00007518 0019
[explorer.exe] 0x0007ca68 001c
[explorer.exe] 0x0007ca14 001c
[WoW.exe] 0x0000c108 002a
[WoW.exe] 0x0000cbc0 0018
[explorer.exe] 0x0000424c 0022
[explorer.exe] 0x0000a992 0010
[explorer.exe] 0x00006740 0013
[explorer.exe] 0x00007e40 0013
[explorer.exe] 0x0000814c 0013
[explorer.exe] 0x00008130 0013
[explorer.exe] 0x00008154 0013
[explorer.exe] 0x00007860 000d
[explorer.exe] 0x00008184 0013
[explorer.exe] 0x000081b8 0013
[explorer.exe] 0x000081a8 0013
[explorer.exe] 0x0000b420 001b
[explorer.exe] 0x00005448 000d
[explorer.exe] 0x0001d3fc 001d
[explorer.exe] 0x0001d15c 001d
[explorer.exe] 0x00009084 002c
[explorer.exe] 0x00005298 000d
[explorer.exe] 0x000054c8 000d
[explorer.exe] 0x000054d8 000d
[explorer.exe] 0x00006500 000d
[explorer.exe] 0x0000b420 0020
[explorer.exe] 0x000064fc 000d
[explorer.exe] 0x000011d8 000d
[explorer.exe] 0x0000a07c 0018
[explorer.exe] 0x000070f4 000f
[explorer.exe] 0x000070f4 0011
[explorer.exe] 0x0000b07c 0018
[explorer.exe] 0x00006504 000d
[explorer.exe] 0x000070f4 0011
[explorer.exe] 0x00007002 0009
[explorer.exe] 0x000070b2 0009
[explorer.exe] 0x0000650c 000d
[explorer.exe] 0x000077d2 0009
[explorer.exe] 0x00007982 0009
[explorer.exe] 0x0000c07c 0018
[explorer.exe] 0x0000b19c 0018
[explorer.exe] 0x000070f4 000f
[explorer.exe] 0x000060ec 000f
[explorer.exe] 0x000060ec 0011
[WoW.exe] 0x0013c71b 0007
Successfully dumped 0x0054 scans