Published by Godwin Carter. Modified over 9 years ago.
1
Software mechanism of Genesis --- a cheating software for Warcraft3 Yang Chen Wen Sun
2
A little bit about Genesis The new version of ZeroCraft Contains two main pieces: (1) Launcher.exe (2) Genesis.dll
3
Our adventure 1 - Launcher.exe part 1st try: Load the EXE file with Ollydbg directly. We got the following error message from Ollydbg
4
Our adventure 1 - Launcher.exe part Maybe this file is self-extracting or self-modifying
5
Our adventure 1 - Launcher.exe part Try again to load the .exe file with IDA directly. We got the following error message too.
6
Our adventure 1 - Launcher.exe part
7
Our hypothesis : The software has been packed !
8
Our adventure 1 - Launcher.exe part 2nd try: Unpack the EXE file with existing unpackers
(1) upx ----- Didn’t work
(2) GUW ----- Didn’t work
(3) ProcDump ----- By using this universal unpacking approach, got Good News!
9
Our adventure 1 - Launcher.exe part
10
We also tried to unpack the DLL file with ProcDump too. But it didn’t work. At this point, our conclusion is: the EXE file and the DLL file may be packed by different packers.
11
Our adventure 1 - Launcher.exe part 3rd try: Load the unpacked EXE file with IDA Everything seems good
12
Our adventure 1 - Launcher.exe part
13
However, things appear to be not that “normal” then… Problems we got:
(1) By looking at the assembly code and checking the contents of the registers, we saw some invalid address accesses
(2) We set a breakpoint and let the debugger run step by step. At the “add ss:dword_4093DB[ebp], ebx” line, we got an error message. At the same time, the debugger is disabled.
14
Our adventure 1 - Launcher.exe part Launcher_unpacked.exe: The instruction at 0x7C919913 referenced memory at 0x7CC01D77. The memory could not be read
15
Our adventure 1 - Launcher.exe part After directly running the unpacked EXE file, we also got an error message.
16
Our adventure 1 - Launcher.exe part
17
Our hypothesis : The PE file may have been damaged when we unpacked the EXE file Our Solution: Use ProcDump “Rebuild PE” function to rebuild the PE file
18
Our adventure 1 - Launcher.exe part
19
Running the unpacked file directly after the PE rebuilder, we get the following error message:
20
Our adventure 2 - Launcher.exe part
(1) We finally realized that the unpacking process done by ProcDump may not actually have finished successfully, contrary to what we were informed.
(2) We decided to manually unpack it instead.
21
Our adventure 1 - Launcher.exe part Use PEiD for a last try before we start to manually unpack the software. Luckily it offers us information about the packing tool used – PECompact 1.56
22
Our adventure 2 - Launcher.exe part
23
Our adventure 2 – Launcher.exe Using Ollydbg
- locate ESP
- full dump ESP
- set breakpoint at the first dword pointed to by ESP
- run code
- step into
- got OEP
Using LordPE, full-dump the binary in memory
Using ImpREC to relocate Virtual Addresses in the PE
24
Our adventure 2 – Launcher.exe Step in until we get here Dump
25
Our adventure 2 – Launcher.exe Run (F9) code in Ollydbg and step in (F7) until …
26
Our adventure 2 – Launcher.exe OEP
27
Our adventure 2 – Launcher.exe
28
Step 1, Step 2, Step 3, Step 4
29
Our adventure 2 – Launcher.exe Fix PE
30
Our adventure 2 – Launcher.exe Strings of the unpacked PE
31
Our adventure 2 – Launcher.exe We manually unpacked the EXE file successfully
32
Our adventure 3 – Genesis.dll Then we tried to unpack the DLL file - Only one significant difference from the EXE file
33
Our adventure 3 – Genesis.dll Change to 010E
34
Our adventure 3 – Genesis.dll We unpacked the DLL successfully. We tried to launch the unpacked .exe and .dll. The unpacked genesis.dll does not work. Something must be wrong
35
Our adventure 3 – Genesis.dll Checksum failure
36
Our adventure 3 – Genesis.dll We tried to fix the checksum
37
Our adventure 3 – Genesis.dll The problem is still there. We have to resort to another way. From the PE specification, we got:
- Authenticode PE image hash: relates to the integrity of a file
- In an Authenticode signature, the file hash is digitally signed using a private key known only to the signer of the file
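As an added example (not from the presentation), the documented PE CheckSum algorithm and the COFF Characteristics field, run against a constructed minimal PE32 header; reading the slide's 010E as a Characteristics value with IMAGE_FILE_DLL (0x2000) cleared is an assumption here. A matching CheckSum only says the header field agrees with the bytes on disk; it is not the signed Authenticode hash the slides go on to mention.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit: image is a DLL

def _coff_offset(data: bytes) -> int:
    """Offset of the 20-byte COFF header, right after the 'PE\\0\\0' signature."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return e_lfanew + 4

def characteristics(data: bytes) -> int:
    """COFF Characteristics word (last field of the COFF header)."""
    return struct.unpack_from("<H", data, _coff_offset(data) + 18)[0]

def _checksum_offset(data: bytes) -> int:
    # CheckSum sits 64 bytes into the optional header (PE32 and PE32+ alike)
    return _coff_offset(data) + 20 + 64

def pe_checksum(data: bytes) -> int:
    """Documented PE CheckSum: ones-complement sum of all 16-bit words with the
    CheckSum field itself treated as zero, folded to 16 bits, plus file length."""
    skip = _checksum_offset(data)
    total = 0
    for off in range(0, len(data) & ~1, 2):
        if off in (skip, skip + 2):
            continue
        total += struct.unpack_from("<H", data, off)[0]
        total = (total & 0xFFFF) + (total >> 16)   # fold carry as we go
    if len(data) & 1:                              # odd trailing byte
        total += data[-1]
    total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF

def with_checksum(data: bytes) -> bytes:
    """Return a copy with the CheckSum field rewritten to the computed value."""
    off = _checksum_offset(data)
    return data[:off] + struct.pack("<I", pe_checksum(data)) + data[off + 4:]

def checksum_ok(data: bytes) -> bool:
    stored = struct.unpack_from("<I", data, _checksum_offset(data))[0]
    return stored == pe_checksum(data)

def build_sample_image() -> bytes:
    """Constructed minimal PE32 header, not a real binary: DOS header with
    e_lfanew=64, 'PE' signature, COFF header with Characteristics 0x210E
    (0x010E plus IMAGE_FILE_DLL), and a zero-filled 224-byte optional header."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x210E)
    return dos + b"PE\0\0" + coff + bytes(224)
```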
38
Conclusion
- Reverse engineering is hard: too many tools, too many software versions, many anti-reversing techniques
- For unpacking, the key point is to locate the OEP
- Launcher.exe is coded in VB - call - msvbvm60.dll is the VB virtual machine runtime library - ThunRTMain is the VB code entry point
- However, we believe genesis.dll is programmed in C or C++