I've been playing on private servers again recently. Okay, I admit I was just bored......
The launcher is huge, 9.27 MB. My first thought was that the wow main executable is built into it: I have packed wow.exe myself, and it comes out at about 2.56 MB under ASPack, so there is plenty of room left over for all kinds of extras.
Sure enough, it drops a safewow.exe program. The figure below shows the modified wow main program.
Why would they want to modify it? Take a guess......
Once it is loaded, the name of the packer is plain to see. How do we know?
public start
.safe:01A336C4 start           proc near
.safe:01A336C4                 call    sub_1A336E6
.safe:01A336C4 start           endp ; sp-analysis failed
.safe:01A336C4
.safe:01A336C4 ; ---------------------------------------------------------------------------
.safe:01A336C9 aSafengineProte db 'Safengine Protector v1.8.6.0',0 ; this is obvious enough......
As everyone knows, wow itself has some protection, and attaching to it once it is running is hard.
So first I start this wow as a normal user, then I start LoadPE as Administrator. Why Administrator? Didn't you see it call itself an anti-cheat launcher? Running with higher privileges than it has, it can't see me!
Select safewow.exe, dump the whole exe, and load the dump into IDA. Look, all nicely "harmonised" now, isn't it?
Then intuition tells me the modified part can't be far from the entry point, nor very large: wow itself doesn't have many code caves, and besides, how many people doing this kind of thing these days would bother patching a huge exe for nothing?
So press G and go to 0x401000, and sure enough the following code appears:
.text:00401000                 call    sub_6E4780
.text:00401005                 jmp     loc_99EBB5
Here I don't even need to look to know that the second instruction, the jmp, leads to the patch. Why? Obviously, because I load wow in OD all the time...... Notice too that the patched code ends with a jmp to loc_40b133, handing control back to where the original entry code continued.
.text:0099EBB5 loc_99EBB5:                             ; CODE XREF: .text:00401005j
.text:0099EBB5                 pusha
.text:0099EBB6                 push    6C6Ch
.text:0099EBBB                 push    642E736Dh
.text:0099EBC0                 push    esp
.text:0099EBC1                 call    dword_99F264
.text:0099EBC7                 test    eax, eax
.text:0099EBC9                 jz      near ptr 207A5h
.text:0099EBCF                 add     esp, 8
.text:0099EBD2                 push    0
.text:0099EBD4                 push    74696E49h
.text:0099EBD9                 push    esp
.text:0099EBDA                 push    eax
.text:0099EBDB                 call    dword_10AF9EC
.text:0099EBE1                 test    eax, eax
.text:0099EBE3                 jz      near ptr 207A5h
.text:0099EBE9                 add     esp, 8
.text:0099EBEC                 call    eax
.text:0099EBEE                 popa
.text:0099EBEF                 jmp     loc_40b133
Hard to follow, isn't it? Use a little imagination:
.text:0099EBB5 loc_99EBB5:                             ; CODE XREF: .text:00401005j
.text:0099EBB5                 pusha
.text:0099EBB6                 push    6C6Ch            ; "ll"
.text:0099EBBB                 push    642E736Dh        ; "ms.d" -> esp now points at "ms.dll"
.text:0099EBC0                 push    esp
.text:0099EBC1                 call    dword_99F264     ; LoadLibrary
.text:0099EBC7                 test    eax, eax
.text:0099EBC9                 jz      near ptr 207A5h
.text:0099EBCF                 add     esp, 8
.text:0099EBD2                 push    0
.text:0099EBD4                 push    74696E49h        ; "Init"
.text:0099EBD9                 push    esp
.text:0099EBDA                 push    eax
.text:0099EBDB                 call    dword_10AF9EC    ; GetProcAddress
.text:0099EBE1                 test    eax, eax
.text:0099EBE3                 jz      near ptr 207A5h
.text:0099EBE9                 add     esp, 8
.text:0099EBEC                 call    eax
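To automate the "imagination" step, here is an added example of my own (not code from the post): a minimal Python decoder that walks the patch's x86 bytes, groups consecutive push-immediates and rebuilds the strings they spell out on the stack. The PATCH bytes are my own constructed encoding of the instructions in the listing, with the call, jz and jmp operands zeroed since only the pushes matter.

```python
# Constructed x86 encoding of the patch instructions listed above; the call,
# jz and jmp operands are zero placeholders since only the pushes matter here.
PATCH = bytes.fromhex(
    "60" "686c6c0000" "686d732e64" "54"     # pusha; push 6C6Ch; push 642E736Dh; push esp
    "ff1500000000" "85c0" "0f8400000000"    # call [LoadLibrary]; test eax, eax; jz
    "83c408" "6a00" "68496e6974" "54" "50"  # add esp, 8; push 0; push 74696E49h; push esp; push eax
    "ff1500000000" "85c0" "0f8400000000"    # call [GetProcAddress]; test eax, eax; jz
    "83c408" "ffd0" "61" "e900000000"       # add esp, 8; call eax; popa; jmp
)
# Lengths of the non-push opcodes in the patch; a linear sweep is enough here.
ONE_BYTE = {0x60: 1, 0x61: 1, 0x50: 1, 0x54: 1, 0xE9: 5}
TWO_BYTE = {(0xFF, 0x15): 6, (0xFF, 0xD0): 2, (0x85, 0xC0): 2,
            (0x0F, 0x84): 6, (0x83, 0xC4): 3}

def stack_strings(code: bytes) -> list[str]:
    """Rebuild ASCII strings that runs of push-immediates write onto the stack."""
    found, pending, i = [], [], 0

    def flush():
        # The last push lands at the lowest address (where esp points), so read
        # the immediates in reverse push order and cut at the first NUL byte.
        raw = b"".join(reversed(pending)).split(b"\x00", 1)[0]
        if len(raw) >= 2 and all(0x20 <= b < 0x7F for b in raw):
            found.append(raw.decode("ascii"))
        pending.clear()

    while i < len(code):
        op = code[i]
        if op == 0x68:                                   # push imm32
            pending.append(code[i + 1:i + 5])
            i += 5
        elif op == 0x6A:                                 # push imm8, sign-extended
            imm = int.from_bytes(code[i + 1:i + 2], "little", signed=True)
            pending.append(imm.to_bytes(4, "little", signed=True))
            i += 2
        elif op in ONE_BYTE:
            flush()
            i += ONE_BYTE[op]
        elif i + 1 < len(code) and (op, code[i + 1]) in TWO_BYTE:
            flush()
            i += TWO_BYTE[(op, code[i + 1])]
        else:
            raise ValueError(f"unhandled opcode {op:#04x} at offset {i}")
    flush()
    return found
```

Run over the dumped bytes of an entry-point hook like this one, it yields the DLL and export names directly, so the same check can flag a dumped wow.exe whose entry code loads a module the original never did.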