This how-to will show what is required to keep "game.exe" in the process list so you can use TSearch, WPE Pro, etc... on the process while running to help with reverse engineering.
For this tutorial I will use run Diablo 2 through OllyDbg so no file modifications are needed. If you like using a loader or some other means of modifying the client, you can apply the same concepts to make it dynamically permanent.
Step 1: Open game.exe in OllyDbg.
Step 2: Hit "ctrl + g" to bring up the "Enter expression to follow" dialog box.
Step 3: Paste in the address: "0x407D1D" (D2 V1.12) and hit ok. You will land on the line:
Step 4: Set a breakpoint on this line by pressing F2. This line is where we need to stop execution at so we can jump to 0x407D39 to keep Game.exe in process list.Code:00407D1D |. /74 22 JE SHORT Game.00407D41 ; This is where we need to stop execution at, we will jump to 0x407D39 to keep Game.exe in process list
Step 5: Hit F9 to run Game.exe. When the break point hits go to the next step.
Step 6: Hit "ctrl + g" again and paste in the address: "0x407D39" (D2 V1.12) and hit Ok.
Step 7: Press "Ctrl + NumPad *" on the lie. The EIP will changes to this address and you will see a black line in the address column. Alternatively, right click on the line and choose "New origin here".
Step 8: Press F9 to resume execution of Game.exe. The game will run. If you load up WPE Pro or TSearch, you will see Game.exe in the process list. We have bypassed the API function that hides it.
The line:
Is the culprit for hiding the process. If you simply modify the line at 0x407D1D:Code:00407D33 |. FFD7 CALL NEAR EDI ; This API function hides our game.exe process
toCode:0x407D1D |. /74 22 JE SHORT Game.0x407D41
then you can implement this functionality into your own loaders and programs.Code:JMP 0x407D39 -> 0x407D1D /EB 1A JMP SHORT Game.0x407D39
Hope it helps!
Results 1 to 3 of 3
-
06-29-2008, 11:23 PM #1Newcomer
- Join Date
- Jun 2008
- Battle Tag
- None
- Posts
- 3
[Howto] Keep "Game.exe" in the process list
Last edited by pushedx; 06-29-2008 at 11:26 PM.
-
06-30-2008, 04:31 AM #2Forum Member
- Join Date
- Nov 2005
- Posts
- 39
I assume you cant just simply NOP that line for the API function?
-
06-30-2008, 07:06 AM #3Newcomer
- Join Date
- Jun 2008
- Battle Tag
- None
- Posts
- 3
If you wanted to NOP code, you would have to nop the following:
Originally Posted by mase123y
That is why changing the two bytes in the JE to a JMP to 0x407D39 is much better - you can easily restore those two bytes later on if needed to preserve the memory CRC of that region.Code:00407D1F |. 8B4424 28 MOV EAX, DWORD PTR SS:[ESP+28] ; we will jump to 0x407D39 to keep Game.exe in process list 00407D23 |. 53 PUSH EBX 00407D24 |. 8D5424 30 LEA EDX, DWORD PTR SS:[ESP+30] 00407D28 |. 52 PUSH EDX 00407D29 |. 53 PUSH EBX 00407D2A |. 53 PUSH EBX 00407D2B |. 68 04000080 PUSH 80000004 00407D30 |. 6A 06 PUSH 6 00407D32 |. 50 PUSH EAX 00407D33 |. FFD7 CALL NEAR EDI ; This API function hides our game.exe process 00407D35 |. 85C0 TEST EAX, EAX 00407D37 |. 75 08 JNZ SHORT Game.00407D41
Tutorials like this I usually have more visuals, but I can't post links yet so that's why everything is in text.
The reason you cannot simply NOP the API call is because of the 7 pushes. The stack would have to then be modified to get it back to the "expected" size. It is much more convenient to just fix the JE line instead.
The actual API function that is being called is: SetSecurityInfo from ADVAPI32. You could have a system detour set to make that function simply return TRUE to signal success and not actually do anything as well.
Hope that makes sense!Last edited by pushedx; 06-30-2008 at 07:09 AM.
Reply With Quote
Bookmarks