Blizzard Sector » Diablo II » Hacks Bots and Editors » Hacks and Dupes Guides » [Howto] Keep "Game.exe" in the process list

Hacks and Dupes Guides Everything you wanted to know about hacks and dupes can be found here.

Vote on the Diablo 2 Top 200
Diablo 2 Top 200 - Items, Cheats, Bots, Editors, Hacks Free
This Forum is Sponsored by
Vote on the Diablo 2 Top 200
Diablo 2 Top 200 - Items, Cheats, Bots, Editors, Hacks Free

Blizzard Sector Chat  [Archives]
Empty the chat input field
Loading ...
Users in the chatbox : 3 user(s)
RaZzor, Nex, The Mob

Reply
Display Modes Rate Thread Thread Tools
Old 06-29-2008, 01:23 PM   #1 (permalink)
 
pushedx's Avatar
 
Status: Newcomer
Join Date: Jun 2008
Posts: 3

Credits: 35
Spent time on board: 2:16:00 Hours
Rep Power: 0 pushedx is on a distinguished road
This how-to will show what is required to keep "game.exe" in the process list so you can use TSearch, WPE Pro, etc... on the process while running to help with reverse engineering.

For this tutorial I will use run Diablo 2 through OllyDbg so no file modifications are needed. If you like using a loader or some other means of modifying the client, you can apply the same concepts to make it dynamically permanent.

Step 1: Open game.exe in OllyDbg.
Step 2: Hit "ctrl + g" to bring up the "Enter expression to follow" dialog box.
Step 3: Paste in the address: "0x407D1D" (D2 V1.12) and hit ok. You will land on the line:

Code:
00407D1D   |. /74 22                JE SHORT Game.00407D41                              
;  This is where we need to stop execution at, we will jump to 0x407D39 to keep Game.exe in process list
Step 4: Set a breakpoint on this line by pressing F2. This line is where we need to stop execution at so we can jump to 0x407D39 to keep Game.exe in process list.

Step 5: Hit F9 to run Game.exe. When the break point hits go to the next step.

Step 6: Hit "ctrl + g" again and paste in the address: "0x407D39" (D2 V1.12) and hit Ok.

Step 7: Press "Ctrl + NumPad *" on the lie. The EIP will changes to this address and you will see a black line in the address column. Alternatively, right click on the line and choose "New origin here".

Step 8: Press F9 to resume execution of Game.exe. The game will run. If you load up WPE Pro or TSearch, you will see Game.exe in the process list. We have bypassed the API function that hides it.

The line:

Code:
00407D33   |.  FFD7                 CALL NEAR EDI                                       ;  This API function hides our game.exe process
Is the culprit for hiding the process. If you simply modify the line at 0x407D1D:
Code:
0x407D1D   |. /74 22                JE SHORT Game.0x407D41
to

Code:
JMP 0x407D39 -> 0x407D1D      /EB 1A                JMP SHORT Game.0x407D39
then you can implement this functionality into your own loaders and programs.

Hope it helps!
Last edited by pushedx; 06-29-2008 at 01:26 PM.
pushedx is offline   Reply With Quote
Sponsored Links
Vote on the Diablo 2 Top 200Diablo 2 Top 200 - Items, Cheats, Bots, Editors, Hacks Free Vote on the Diablo 2 Top 200Diablo 2 Top 200 - Items, Cheats, Bots, Editors, Hacks Free

Old 06-29-2008, 06:31 PM   #2 (permalink)
 
mase123y's Avatar
 
Status: Newcomer
Join Date: Nov 2005
Posts: 39

Credits: 1
Spent time on board: 0:21:49 Hours
Rep Power: 3 mase123y is on a distinguished road
I assume you cant just simply NOP that line for the API function?
mase123y is offline   Reply With Quote
Old 06-29-2008, 09:06 PM   #3 (permalink)
 
pushedx's Avatar
 
Status: Newcomer
Join Date: Jun 2008
Posts: 3

Credits: 35
Spent time on board: 2:16:00 Hours
Rep Power: 0 pushedx is on a distinguished road
Quote:
Originally Posted by mase123y View Post
I assume you cant just simply NOP that line for the API function?
If you wanted to NOP code, you would have to nop the following:

Code:
00407D1F                                           |.  8B4424 28            MOV EAX, DWORD PTR SS:[ESP+28]                      ;  we will jump to 0x407D39 to keep Game.exe in process list
00407D23                                           |.  53                   PUSH EBX
00407D24                                           |.  8D5424 30            LEA EDX, DWORD PTR SS:[ESP+30]
00407D28                                           |.  52                   PUSH EDX
00407D29                                           |.  53                   PUSH EBX
00407D2A                                           |.  53                   PUSH EBX
00407D2B                                           |.  68 04000080          PUSH 80000004
00407D30                                           |.  6A 06                PUSH 6
00407D32                                           |.  50                   PUSH EAX
00407D33                                           |.  FFD7                 CALL NEAR EDI                                       ;  This API function hides our game.exe process
00407D35                                           |.  85C0                 TEST EAX, EAX
00407D37                                           |.  75 08                JNZ SHORT Game.00407D41
That is why changing the two bytes in the JE to a JMP to 0x407D39 is much better - you can easily restore those two bytes later on if needed to preserve the memory CRC of that region.

Tutorials like this I usually have more visuals, but I can't post links yet so that's why everything is in text.

The reason you cannot simply NOP the API call is because of the 7 pushes. The stack would have to then be modified to get it back to the "expected" size. It is much more convenient to just fix the JE line instead.

The actual API function that is being called is: SetSecurityInfo from ADVAPI32. You could have a system detour set to make that function simply return TRUE to signal success and not actually do anything as well.

Hope that makes sense!
Last edited by pushedx; 06-29-2008 at 09:09 PM.
pushedx is offline   Reply With Quote

Reply

Tags
game.exe, process, pushedx, tsearch, wpe pro

« Previous Thread | Next Thread »
Thread Tools
Display Modes Rate This Thread
Linear Mode Linear Mode
Rate This Thread:




Starcraft 2 Sector | Diablo 2 Sector