Dumping WarRock.exe

[AeroMan]

Hello guys,
i have noticed that many ppl have been looking for WarRock.exe dumped.
Now here is a good tut you guys may use.

What do i need?
WarRock
Kernel Detective 1.3.1 (download unther)


What does Kernel Detective 1.3.1 does?

Kernel Detective is a free tool that help you detect, analyze, manually modify and fix some Windows NT kernel modifications. Kernel Detective gives you the access to the kernel directly so it's not oriented for newbies. Changing essential kernel-mode objects without enough knowledge will lead you to only one result ... BSoD !

Supported NT versions :
XP/Vista


Kernel Detective gives you the ability to :
1- Detect Hidden Processes.
3- Detect Hidden Threads.
2- Detect Hidden DLLs.
3- Detect Hidden Handles.
4- Detect Hidden Driver.
5- Detect Hooked SSDT.
6- Detect Hooked Shadow SSDT.
7- Detect Hooked IDT.
8- Detect Kernel-mode code modifications and hooks.
9- Disassemble (Read/Write) Kernel-mode/User-mode memory.
10- Monitor debug output on your system.


Enumerate running processes and print important values like Process Id, Parent Process Id, ImageBase, EntryPoint, VirtualSize, PEB block address and EPROCESS block address. Special undocumented detection algorithms were implemented to detect hidden processes.

Detect hidden and suspicious threads in system and allow user to forcely terminate them .

Enumerate a specific running process Dynamic-Link Libraries and show every Dll ImageBase, EntryPoint, Size and Path. You can also inject or free specific module.

Enumerate a specific running process opened handles, show every handle's object name and address and give you the ability to close the handle.

Enumerate loaded kernel-mode drivers and show every driver ImageBase, EntryPoint, Size, Name and Path. Undocumented detection algorithms were implemented to detect hidden drivers.

Scan the system service table (SSDT) and show every service function address and the real function address, detection algorithm improved to bypass KeServiceDescriptorTable EAT/IAT hooks.You can restore single service function address or restore the whole table.

Scan the shadow system service table (Shadow SSDT) and show every shadow service function address and the real function address. You can restore single shadow service function address or restore the whole table

Scan the interrupts table (IDT) and show every interrupt handler offset, selector, type, Attributes and real handler offset. This is applied to every processor in a multi-processors machines.

Scan the important system kernel modules, detect the modifications in it's body and analyze it. For now it can detect and restore inline code modifications, EAT and IAT hooks. I'm looking for more other types of hooks next releases of Kernel Detective.

A nice disassembler rely on OllyDbg disasm engine, thanks Oleh Yuschuk for publishing your nice disasm engine .With it you can disassemble, assemble and hex edit virtual memory of a specific process or even the kernel space memory. Kernel Detective use it's own Read/Write routines from kernel-mode and doesn't rely on any windows API. That make Kernel Detective able to R/W processes VM even if NtReadProcessMemory/NtWriteProcessMemory is hooked, also bypass the hooks on other kernel-mode important routines like KeStackAttachProcess and KeAttachProcess.

Show the messages sent by drivers to the kernel debugger just like Dbgview by Mark Russinovich. It's doing this by hooking interrupt 0x2d wich is responsible for outputing debug messages. Hooking interrupts may cause problems on some machines so DebugView is turned off by default, to turn it on you must run Kernel Detective with "-debugv" parameter.

How do i use this?
1/ Open WarRock.exe
2/ When WarRock.exe is finished loading, waiting to login, open Kernel Detective 1.3.1
You should now have a screen like this:

3/ Then click on the process tab (screen signed above)
4/ Then look for WarRock.exe

5/ Dump that to a file.

6/ give it a name + .exe

7/ Your done! Ready to reverse!
8/ Thank me

Code:

VirusScans:
VirusTotal
VirScan

I am not responsible for any problems,further actions with G1!
This can lead to instand ban!

Releated info:
Program is legal, can be used to dump other programs to.
Dumping WarRock.exe & Other games is illegal.
Do you take the risk? (i dont)
Its up to you



Virusses = Unpackers
Not really a virus.

[iRobot™]

nice 1 bro welcome back

[AeroMan]

nice 1 bro welcome back

Thanks bro
Im just back to help ppl, not to code anymore

[iRobot™]

ehh well you should start again.. you where respected once and will be respected more

[Krypton1x]

Moving to source code section and stickying.

[tarvi98]

wow! thats realy good i need to use it(K)

[iRobot™]

tony its a tutorial.. not a source code

[Krypton1x]

tony its a tutorial.. not a source code

Deals with coding, getting codes for WarRock, belongs in the WarRock source code section. Ask Dave.

[TheCamels8]

Great tutorial dude

[Snape]

/Approved .

[ryski123]

Thanked even tho i wont use :P Welcome back bro

[omghacker]

What is dumping? /

[AeroMan]

Its unpacking your program from themida & other packers

[omghacker]

Its unpacking your program from themida & other packers

And what can you do with it then? :s

[AeroMan]

And what can you do with it then? :s

You can look inside to find structs,addies,bytes,patterns(with masks) & Bypasses