Reading a dumped ehsvc module

[drlunar]

Hello, I've made a previous thread for help on a bypass I'm currently working on, but I'd like to know how it is that one would go about reading a dumped EHSVC module. I've opened the client in olly and debugged it, from there attached CE and I can view all of the modules calls by doing so. I've also dumped EHSVC itself so I can stream though it's memory in IDA. What I'm trying to figure out though is what functions call to what. I've been on this for the passed two days and it's mind blowing. If anyone could help me I'd be very grateful. The dumped EHSVC module can be downloaded here : EHSvc - Minus.

[.::SCHiM::.]

Take a pen and paper and just go sketch the general flow of the program, what functions call what, what variable goes where. Doing it this way, by hand, takes ages especially if you're new to this kind of thing. What you're really after is an understanding of the program you're trying to reverse, like the way you 'know' what you're putting into your own programs.

You shouldn't just 'start somewhere' either, think about it:
(EHSCV is an anti-cheat engine right?)

Anti cheat engines perform several tasks:

They try to harden the game to debugging/injection/hacking by disallowing debuggers or injectors to run (eg. the game closes when you launch ollydbg or ida)

To do this the anti-cheat engine must import several APIs (my guess):

CreateToolhelp32Snapshot
Process32First
Process32Next

Obviously an anti-cheat engine does much more than just that, try to think how you'd implement those functions and what functions you'd need to call for them. Look for these symbols in the anti-cheat engine and start the puzzle there

Good luck!