Hello everyone :wave:
Since deathsoft doesn't like you to poke around WEH's memory they tried
to hide it in a.. strange way..
The program with the new icon is actually a loader which has the actual
WEH and DLL inside its belly :P What it does exactly (this is also wrongly
coded, preventing some ppl from running it XD) is extracting WEH inside
C:\Windows and the DLL at the current directory.
All those who do not have a C:\ drive (like me :P) can't use it at all (my
Windows directory is actually D:\WinXP so I don't stand a chance XD). After
the extraction it runs WEH, which has the curious filename DSCoreItem.dsf,
for further "protection" XD, using CreateProcessA..
The funny part is that they use this command line "2587746730261237437425"
0.o .. w0ah like now it's seriously protected XD
Anyway..they packed both files (WEH, DLL) with UPX so it was as easy as
peeing to get those things unpacked. So you are free to look around with
Ollydbg or your favorite debugger w/e
This way you can get your values for flying or speedhacking for your own
hack tool. This will prevent Warden from blacklisting WEH or similar public
releases!
EDIT:
No need for a loader anymore and removed some protections
You can now do what you want freely
Have fun
jOHNIDIs [c]