Hello every one,
Can some one maby help me to baypass the Anti mem hack thread.
Code:
06721F70 /$ 53 PUSH EBX
06721F71 |. 56 PUSH ESI
06721F72 |. E8 49050000 CALL 067224C0
06721F77 |. 68 1C010000 PUSH 11C
06721F7C |. E8 33522900 CALL 069B71B4
06721F81 |. 8BF0 MOV ESI,EAX
06721F83 |. 33DB XOR EBX,EBX
06721F85 |. 83C4 04 ADD ESP,4
06721F88 |. 3BF3 CMP ESI,EBX
06721F8A |. 74 0F JE SHORT 06721F9B
06721F8C |. E8 6F0B0000 CALL 06722B00
06721F91 |. C706 2856A106 MOV DWORD PTR DS:[ESI],06A15628
06721F97 |. 8BCE MOV ECX,ESI
06721F99 |. EB 02 JMP SHORT 06721F9D
06721F9B |> 33C9 XOR ECX,ECX
06721F9D |> 898F B8000000 MOV DWORD PTR DS:[EDI+B8],ECX
06721FA3 |. 8B01 MOV EAX,DWORD PTR DS:[ECX]
06721FA5 |. 8B50 08 MOV EDX,DWORD PTR DS:[EAX+8]
06721FA8 |. 68 E055A106 PUSH 06A155E0 ; AntiMemHackThread
06721FAD |. 57 PUSH EDI
06721FAE |. FFD2 CALL EDX ; ntdll.DbgUiRemoteBreakin
06721FB0 |. 68 C8000000 PUSH 0C8 ; /Timeout = 200. ms
06721FB5 |. 899F 9C000000 MOV DWORD PTR DS:[EDI+9C],EBX ; |
06721FBB |. 899F A0000000 MOV DWORD PTR DS:[EDI+A0],EBX ; |
06721FC1 |. 899F A4000000 MOV DWORD PTR DS:[EDI+A4],EBX ; |
06721FC7 |. 899F A8000000 MOV DWORD PTR DS:[EDI+A8],EBX ; |
06721FCD |. 90 NOP ; |
06721FCE |. E8 2CF10E6F CALL kernel32.Sleep ; \Sleep
06721FD3 |. 5E POP ESI ; ntdll.77B8F826
06721FD4 |. 5B POP EBX ; ntdll.77B8F826
06721FD5 \. C3 RET
I found it in cshell:
Code:
Address=06721000
Size=00C98000 (13205504.)
Owner=cshell 06720000
Section=.text
Contains=code
Type=Imag 01001004
Access=RW
Initialÿaccess=RWE
If the call on F72 is:
Code:
067224C0 F605 BC8F3B07 0>TEST BYTE PTR DS:[73B8FBC],1
067224C7 75 1E JNZ SHORT 067224E7
067224C9 830D BC8F3B07 0>OR DWORD PTR DS:[73B8FBC],1
067224D0 68 50AB9C06 PUSH 069CAB50
067224D5 C705 B88F3B07 0>MOV DWORD PTR DS:[73B8FB8],0
067224DF E8 C34D2900 CALL 069B72A7
067224E4 83C4 04 ADD ESP,4
067224E7 A1 B88F3B07 MOV EAX,DWORD PTR DS:[73B8FB8]
067224EC 85C0 TEST EAX,EAX
067224EE 74 13 JE SHORT 06722503
067224F0 6A 00 PUSH 0
067224F2 50 PUSH EAX
067224F3 90 NOP
067224F4 E8 2BBC3B6F CALL ADVAPI32.CryptReleaseContext
067224F9 C705 B88F3B07 0>MOV DWORD PTR DS:[73B8FB8],0
06722503 68 000000F0 PUSH F0000000
06722508 6A 01 PUSH 1
0672250A 6A 00 PUSH 0
0672250C 6A 00 PUSH 0
0672250E 68 B88F3B07 PUSH 073B8FB8 ; p^5
06722513 90 NOP
06722514 E8 C46C3B6F CALL ADVAPI32.CryptAcquireContextA
06722519 85C0 TEST EAX,EAX
0672251B 75 03 JNZ SHORT 06722520
0672251D 32C0 XOR AL,AL
0672251F C3 RET
I think that:
Code:
06722520 C705 6C8F3B07 B>MOV DWORD PTR DS:[73B8F6C],073B8FB8 ; p^5
073B8FB8 is the addie were stands if there is a memhack detected?
Becouse I'm not good in asm, never learnt it :$
I found also somting on 073B8FB8:
Code:
073B8FB0 E0 2E LOOPDNE SHORT 073B8FE0
073B8FB2 65:42 INC EDX
073B8FB4 DB ??? ; Unknown command
073B8FB5 0F493F CMOVNS EDI,DWORD PTR DS:[EDI]
073B8FB8 8869 D1 MOV BYTE PTR DS:[ECX-2F],CH
073B8FBB 0001 ADD BYTE PTR DS:[ECX],AL
073B8FBD 0000 ADD BYTE PTR DS:[EAX],AL
073B8FBF 0000 ADD BYTE PTR DS:[EAX],AL
073B8FC1 0000 ADD BYTE PTR DS:[EAX],AL
073B8FC3 0002 ADD BYTE PTR DS:[EDX],AL
073B8FC5 0000 ADD BYTE PTR DS:[EAX],AL
073B8FC7 0000 ADD BYTE PTR DS:[EAX],AL
073B8FC9 0000 ADD BYTE PTR DS:[EAX],AL
073B8FCB 0001 ADD BYTE PTR DS:[ECX],AL
073B8FCD 0000 ADD BYTE PTR DS:[EAX],AL
073B8FCF 0000 ADD BYTE PTR DS:[EAX],AL
073B8FD1 0000 ADD BYTE PTR DS:[EAX],AL
073B8FD3 00E4 ADD AH,AH
073B8FD5 FA CLI
073B8FD6 - 7C 58 JL SHORT 073B9030
073B8FD8 E4 FA IN AL,0FA
073B8FDA 885A 00 MOV BYTE PTR DS:[EDX],BL
073B8FDD 0000 ADD BYTE PTR DS:[EAX],AL
073B8FDF 0000 ADD BYTE PTR DS:[EAX],AL
073B8FE1 0000 ADD BYTE PTR DS:[EAX],AL
073B8FE3 0000 ADD BYTE PTR DS:[EAX],AL
073B8FE5 0000 ADD BYTE PTR DS:[EAX],AL
073B8FE7 0000 ADD BYTE PTR DS:[EAX],AL
073B8FE9 0000 ADD BYTE PTR DS:[EAX],AL
073B8FEB 0000 ADD BYTE PTR DS:[EAX],AL
073B8FED 0000 ADD BYTE PTR DS:[EAX],AL
073B8FEF 0000 ADD BYTE PTR DS:[EAX],AL
073B8FF1 0000 ADD BYTE PTR DS:[EAX],AL
073B8FF3 0000 ADD BYTE PTR DS:[EAX],AL
073B8FF5 0000 ADD BYTE PTR DS:[EAX],AL
073B8FF7 0000 ADD BYTE PTR DS:[EAX],AL
073B8FF9 0000 ADD BYTE PTR DS:[EAX],AL
073B8FFB 0000 ADD BYTE PTR DS:[EAX],AL
073B8FFD 0000 ADD BYTE PTR DS:[EAX],AL
073B8FFF 00 ??? ; Command crosses end of memoryÿblock
So:
73B8FBC << does this needs to be 1? I think this is correct. Going to test it soon.