W3l.exe reverse assembly code analysis

After the disassembly code is obtained, we can see how the program operates. Use Ida pro 4.5to install w3l.exe, which has been removed from the shell. After some chewing by IDA, you will get a good-looking typographical code:
Loc_401000:; Code xref: Foo.: 004020.aj
; Foo.: 004010abj...
It indicates that an error has occurred.
Push 1
Code returned when the process exits
Push ds: dword_4030b8
Process Handle, which can be obtained during creation
Call DS: terminateprocess
Call terminateprocess to end the previously created process (see the following code)
Push 0
Push offset aerror; "error"
The message box is titled "error"
Push offset awrongwar3_exev; "wrong war3.exe version. (need b307 )"
The body of the message box is a string of "wrong war3.exe ...".
Push 0
Call DS: messageboxa
A message box is displayed.
Push 3
Call DS: exitprocess
Exit this program (cmdw3l.exe) and return code 3.
 
Public start
Start:
This is the official program entry point of w3l.exe.
Push offset dword_4030b8
The address of a startupinfo Structure
Call DS: getstartupinfoa
Get the program startup information and save it in a startupinfo structure.
Call DS: getcommandlinea
The program command line string pointer is obtained and the result is saved to eax.
Push offset dword_4030b8
Push offset dword_4030b8
XOR edX, EDX
Push edX
Push edX
Push 4
Check this parameter so that the created process will not be executed immediately but will be suspended. Why ......
Push edX
Push edX
Push edX
Push eax
Push offset awar3_exe; "war3.exe"
Call DS: createprocessa
Create a war3.exe process. For detailed parameter definitions, see msdn.
Test eax, eax
Test function return value
Jnz short loc_40107a
If the return value is not 0, it indicates that the function is successfully called. Otherwise, it will go down !!
Push 0
Push offset aerror; "error"
Push offset ecouldnotstartw; "cocould not start war3.exe! Make sure "...
Push 0
Call DS: messageboxa
Pop up a message box and give a cause of the error that the author thinks is predicted (maybe the loader is not in the TFT directory)
Push 2
Call DS: exitprocess
Exit w3l.exe and return value 2.
 
Loc_40107a:; Code xref: Foo.: 0040105cj
The process has been correctly created. Let's do something really useful.
MoV EBX, DS: dword_4030b8
This is the handle of the created process.
Push offset dword_4020b0
Push 4
Push offset dword_4020b4
Push 4524d0h
Push EBX
Call DS: readprocessmemory
Read several bytes from the process space address 0x4524d0 (4 bytes to be read)
Test eax, eax
Is the call successful?
JZ loc_401000
MoV eax, DS: dword_4020b4
CMP eax, DS: dword_402008
Let's see what we have read. The key is !!
Jnz loc_401000
Push offset dword_4020b0
Push 4
Push offset aw3lh_dll; "w3lh. dll"
Push 4524d0h
Push EBX
Call DS: writeprocessmemory
In this case, the w3lh.dllname is written, and war3.exe is called no matter how it is called. In fact, all crack are in w3lh. what is implemented in DLL? Which day can we wait. the DLL shell is also taken off before reading -_-!
Test eax, eax
Is the rewrite successful?
JZ loc_401000
MoV EDI, DS: dword_4030bc
Push EDI
Call DS: resumethread
It seems that there is no question about the change. Now we can let that war3.exe run.
Push 0
Call DS: exitprocess
Exit loader normally
; ========================================================== =========================================?
Dd 3c6h DUP (0)
Align 4
Aerror dB 'error', 0; Data xref: Foo.: 00401010o
; Foo.: 00401060o
Align 4
Dword_402008 dd 656d6147h; Data xref: Foo.: 004010a5r
Dd 6c6c642eh
Db 0
Awrongwar3_exev dB 'wrong war3.exe version. (need b307) ', 0
; Data xref: Foo.: 00401015o
Aculdnotstartw dB 'could not start war3.exe! Make sure the loader is in the SAM'
; Data xref: Foo.: 00401065o
DB 'e dir. ', 0
Awar3_exe dB 'war3.exe ', 0; Data xref: Foo.: 004020.fo
Aw3lh_dll dB 'w3lh. dll ', 0; Data xref: Foo.: 004010b8o