Home > Cloud Computing > Cloud Security

Safewow Analysis notes

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

I 've been playing private servers again recently. Okay, I admit that my eggs are broken ......
The login server is huge, reaching 9.27 M. My first reaction was the built-in wow main program. Because I have compressed it, it looks like 2.56M after ASpack, you can see that there is a sufficient volume to do all kinds of things.
As a result, he releases the safewow.exe program. The following figure shows the modified wow main program.
Why are you asking him why he wants to change it? You guess ......
After reading this, we can clearly tell you the name of the shell. Why do you know?
Public start
. Safe: 01A336C4 start proc near
. Safe: 01A336C4 call sub_1A336E6
. Safe: 01A336C4 start endp; sp-analysis failed
. Safe: 01A336C4
. Safe: 01A336C4 ;---------------------------------------------------------------------------
. Safe: 01A336C9 aSafengineProte db Safengine Protector v1.8.6.0, 0; this is obvious enough ......

As we all know, wow itself has some protection measures, and it is difficult to append them after running.

First, I use the general permission to start this wow, and then use the Administrator permission to start LoadPE. Why the administrator privilege is required? Didn't you see it say that you are an anti-plug-in lander? I have a higher permission than it so that he can't see it!
Select safewow.exe and dump the entire exe to load IDA. Look, Harmony?
Then the intuition tells me that the modified part will certainly not be far away or much, because there are not many cave bytes in wow itself, at the same time, do you think there are a few people doing this plug-in this era who like to do nothing to patch a large exe?
Then G 0401000, apparently the following code appears:
. Text: 00401000 call sub_6E4780
. Text: 00401005 jmp loc_99EBB5
Here, I don't want to know that the second jump is to the patch location. Why? Obviously, I often use OD to load wow ......
. Text: 0099EBB5 loc_99EBB5:; code xref:. text: 00401005j
. Text: 0099EBB5 pusha
. Text: 0099EBB6 push 6C6Ch
. Text: 0099 EBBB push 642E736Dh
. Text: 0099EBC0 push esp
. Text: 0099EBC1 call dword_99F264
. Text: 0099EBC7 test eax, eax
. Text: 0099EBC9 jz near ptr 207A5h
. Text: 0099 EBCF add esp, 8
. Text: 0099EBD2 push 0
. Text: 0099EBD4 push 74696E49h
. Text: 0099EBD9 push esp
. Text: 0099 EBDA push eax
. Text: 0099 EBDB call dword_10AF9EC
. Text: 0099EBE1 test eax, eax
. Text: 0099EBE3 jz near ptr 207A5h
. Text: 0099EBE9 add esp, 8
. Text: 0099 EBEC call eax
. Text: 0099 EBEE popa
. Text: 0099 EBEF jmp loc_40b133

It's hard to understand, isn't it? To use your imagination:

. Text: 0099EBB5 loc_99EBB5:; code xref:. text: 00401005j
. Text: 0099EBB5 pusha
. Text: 0099EBB6 push ll
. Text: 0099 EBBB push d. sm; ms. dll
. Text: 0099EBC0 push esp
. Text: 0099EBC1 call dword_99F264; loadlibrary
. Text: 0099EBC7 test eax, eax
. Text: 0099EBC9 jz near ptr 207A5h
. Text: 0099 EBCF add esp, 8
. Text: 0099EBD2 push 0
. Text: 0099EBD4 push ini; init
. Text: 0099EBD9 push esp
. Text: 0099 EBDA push eax
. Text: 0099 EBDB call dword_10AF9EC; getprocaddress
. Text: 0099EBE1 test eax, eax
. Text: 0099EBE3 jz near ptr 207A5h
. Text: 0099EBE9 add esp, 8
. Text: 0099 EBEC & nbs

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
install notes logarithm notes bsf notes ellipse notes function notes notes net xml notes
Related Article
How does personal cloud security guarantee data security?
Cloud security to achieve effective prevention of the future ...
Focus on three major cloud security areas, you know?
Decrypting Cisco type 5 password hashes
Using redis to write webshell

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More