OpenRCE_Saphex
November 24th, 2007, 18:50
Hi,
A week ago, a new cheat for online games crossed my path, for Unreal Tournament v436 (Unreal Engine 1) and for Tactical Ops: Assault On Terror v351 (also Unreal Engine 1).
The cheat only has an executable, which is protected by ASProtect. It worked as an injector, but there wasn't any dll visible. After removing ASProtect, I found myself looking at a function that searched for the game executables (in this case UnrealTournament.exe and TacticalOps.exe). If the executables were running it would call a function with some parameters. One of them was a number, the other was a location in the data section. So I decided to take a look at that location, and I instantly recognized an MZ header magic.
It simply had the dll embedded in the executable; it writes the dll into the file system, and then it injects it using the LoadLibrary and CreateRemoteThread trick (I think it's called fault injection).
So I came up with a script that searches for embedded PE files in another loadable file in IDA.
Code:
static main()
{
    auto l_Address, l_End, l_Iterate, l_Offset, l_PEHeader;

    // Walk every segment IDA loaded from the unpacked binary.
    l_Address = FirstSeg();
    while (l_Address != BADADDR) {
        l_End = SegEnd(l_Address);
        Message("Processing: %s (%i bytes)\n", SegName(l_Address), (l_End - l_Address));
        // Stop 0x40 bytes early so the whole IMAGE_DOS_HEADER (e_lfanew lives at 0x3C) is inside the segment.
        for (l_Iterate = l_Address; l_Iterate + 0x40 <= l_End; l_Iterate++) {
            // "MZ" read as a little-endian word
            if (Word(l_Iterate) == 0x5A4D) {
                l_Offset = Dword(l_Iterate + 0x3C);
                // e_lfanew must point past the DOS header and stay inside the segment;
                // Dword() returns 0xFFFFFFFF on unloaded bytes, which this check also rejects.
                if (l_Offset >= 0x40 && l_Offset <= l_End - l_Iterate - 4) {
                    l_PEHeader = l_Iterate + l_Offset;
                    // "PE\0\0" read as a little-endian word
                    if (Word(l_PEHeader) == 0x4550)
                        Message("%s found embedded PE\n", atoa(l_Iterate));
                }
            }
        }
        l_Address = NextSeg(l_Address);
    }
}
Best regards,
saphex
https://www.openrce.org/blog/view/819/Embedded_Portable_Executable_File
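As an added example (not the author's IDC script and not the cheat's code), here is the same MZ -> e_lfanew -> "PE\0\0" check done over a raw file in Python, taken one step further than the post: it bounds-checks e_lfanew, reads the COFF, optional and section headers to report whether the hit is a DLL and how large the image is on disk, and carves it out, so the embedded DLL can be dumped without ever running the dropper. The carrier buffer and the embedded header are constructed inline for the demonstration; the names find_embedded_pe, describe_pe, carve, scan, build_sample_dll and CARRIER are mine, not from the post.

```python
"""Carve embedded PE images out of a raw file.

Same idea as the IDC script: find "MZ", follow e_lfanew (offset 0x3C) and expect "PE\0\0";
additionally validate the offset, read the COFF/optional/section headers and cut out the
embedded image.  Everything below (names, sample data) is illustrative, not the cheat's code.
"""
import struct

IMAGE_FILE_DLL = 0x2000                       # IMAGE_FILE_HEADER.Characteristics
MACHINES = {0x14C: "i386", 0x8664: "x86-64"}  # IMAGE_FILE_MACHINE_I386 / _AMD64


def find_embedded_pe(blob):
    """Return [(offset, e_lfanew)] for each "MZ" whose e_lfanew lands on "PE\0\0"."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):                    # whole IMAGE_DOS_HEADER is present
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # e_lfanew must skip the DOS header and leave room for the signature plus
            # the 20-byte IMAGE_FILE_HEADER; random data around a stray "MZ" fails here.
            if 0x40 <= e_lfanew and pe + 24 <= len(blob) and blob[pe:pe + 4] == b"PE\0\0":
                hits.append((pos, e_lfanew))
        pos = blob.find(b"MZ", pos + 1)
    return hits


def describe_pe(blob, offset, e_lfanew):
    """Parse the headers at a hit and compute the image's on-disk size (None if truncated)."""
    pe = offset + e_lfanew
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    opt = pe + 24                                      # IMAGE_OPTIONAL_HEADER
    sec = opt + opt_size                               # first IMAGE_SECTION_HEADER
    if opt_size < 64 or sec + nsec * 40 > len(blob):
        return None
    magic = struct.unpack_from("<H", blob, opt)[0]     # 0x10B PE32, 0x20B PE32+
    size_of_image, size_of_headers = struct.unpack_from("<II", blob, opt + 56)  # same offset in both
    end = size_of_headers
    for i in range(nsec):                              # SizeOfRawData, PointerToRawData sit at +16
        raw_size, raw_ptr = struct.unpack_from("<II", blob, sec + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return {"offset": offset, "machine": MACHINES.get(machine, hex(machine)),
            "pe32plus": magic == 0x20B, "is_dll": bool(chars & IMAGE_FILE_DLL),
            "sections": nsec, "size_of_image": size_of_image, "file_size": end}


def carve(blob, offset, e_lfanew):
    """Return the bytes of the embedded image, as the dropper would write them to disk."""
    info = describe_pe(blob, offset, e_lfanew)
    return blob[offset:offset + info["file_size"]] if info else b""


def scan(blob):
    return [d for d in (describe_pe(blob, o, e) for o, e in find_embedded_pe(blob)) if d]


def build_sample_dll():
    """Constructed test data: a minimal PE32 DLL header with one .text section (not a real DLL)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: NT headers right after the DOS header
    # i386, 1 section, optional header 0xE0 bytes, Characteristics = EXECUTABLE|32BIT|DLL
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0002 | 0x0100 | IMAGE_FILE_DLL)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)    # SizeOfImage, SizeOfHeaders
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, 16 bytes of the rest
    section = b".text".ljust(8, b"\0") + struct.pack("<IIII", 0x100, 0x1000, 0x200, 0x200) + bytes(16)
    headers = (dos + b"PE\0\0" + file_hdr + opt + section).ljust(0x200, b"\0")
    return bytes(headers) + b"\xcc" * 0x200            # raw .text follows the 0x200-byte headers


# Constructed carrier standing in for the cheat's .data section: padding, a decoy "MZ" in
# plain text (its e_lfanew reads as 0 and is rejected), the sample DLL at offset 211, trailing bytes.
CARRIER = b"\x90" * 100 + b"MZ-is-just-text" + bytes(0x60) + build_sample_dll() + bytes(64)

if __name__ == "__main__":
    for info in scan(CARRIER):
        print("embedded PE at 0x%x: %s %s, %d section(s), %#x bytes on disk" % (
            info["offset"], info["machine"], "DLL" if info["is_dll"] else "EXE",
            info["sections"], info["file_size"]))
        with open("carved_%x.bin" % info["offset"], "wb") as f:
            f.write(carve(CARRIER, info["offset"], 0x40))
```

To use it on a real sample, read the unpacked dropper with open(path, "rb").read() in place of CARRIER; the on-disk size is taken from the section table (furthest PointerToRawData + SizeOfRawData), which is what a dropper has to write for the image to load, so the carved file is directly loadable into IDA. A packed or encrypted payload will not show up, since the MZ/PE magic is only visible after the dropper's decode step.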