This how-to will show what is required to keep "game.exe" in the process list so you can use TSearch, WPE Pro, etc... on the process while running to help with reverse engineering.
For this tutorial I will use run Diablo 2 through OllyDbg so no file modifications are needed. If you like using a loader or some other means of modifying the client, you can apply the same concepts to make it dynamically permanent.
Step 1: Open game.exe in OllyDbg.
Step 2: Hit "ctrl + g" to bring up the "Enter expression to follow" dialog box.
Step 3: Paste in the address: "0x407D1D" (D2 V1.12) and hit ok. You will land on the line:
Step 4: Set a breakpoint on this line by pressing F2. This line is where we need to stop execution at so we can jump to 0x407D39 to keep Game.exe in process list.
Step 5: Hit F9 to run Game.exe. When the break point hits go to the next step.
Step 6: Hit "ctrl + g" again and paste in the address: "0x407D39" (D2 V1.12) and hit Ok.
Step 7: Press "Ctrl + NumPad *" on the lie. The EIP will changes to this address and you will see a black line in the address column. Alternatively, right click on the line and choose "New origin here".
Step 8: Press F9 to resume execution of Game.exe. The game will run. If you load up WPE Pro or TSearch, you will see Game.exe in the process list. We have bypassed the API function that hides it.
The line:
Is the culprit for hiding the process. If you simply modify the line at 0x407D1D:
to
then you can implement this functionality into your own loaders and programs.
Hope it helps!
![[Image: haha]](http://haha/)
For this tutorial I will use run Diablo 2 through OllyDbg so no file modifications are needed. If you like using a loader or some other means of modifying the client, you can apply the same concepts to make it dynamically permanent.
Step 1: Open game.exe in OllyDbg.
Step 2: Hit "ctrl + g" to bring up the "Enter expression to follow" dialog box.
Step 3: Paste in the address: "0x407D1D" (D2 V1.12) and hit ok. You will land on the line:
Code:
00407D1D |. /74 22 JE SHORT Game.00407D41
; This is where we need to stop execution at, we will jump to 0x407D39 to keep Game.exe in process listStep 5: Hit F9 to run Game.exe. When the break point hits go to the next step.
Step 6: Hit "ctrl + g" again and paste in the address: "0x407D39" (D2 V1.12) and hit Ok.
Step 7: Press "Ctrl + NumPad *" on the lie. The EIP will changes to this address and you will see a black line in the address column. Alternatively, right click on the line and choose "New origin here".
Step 8: Press F9 to resume execution of Game.exe. The game will run. If you load up WPE Pro or TSearch, you will see Game.exe in the process list. We have bypassed the API function that hides it.
The line:
Code:
00407D33 |. FFD7 CALL NEAR EDI ; This API function hides our game.exe processCode:
0x407D1D |. /74 22 JE SHORT Game.0x407D41Code:
[B]JMP 0x407D39[/B] -> 0x407D1D /EB 1A JMP SHORT Game.0x407D39Hope it helps!