dumping securom 4.8 via loader


AmAdEuS
June 15th, 2004, 11:58
hello,
our team has made a loader that enables warcraft3/Tft to connect to pvpgn-server by patching out the server-auth...

the loader hooks the GAMEMAIN function of game.dll and patches the few jumps in mem, and replaces the hash-routine for the pw's with the one of starcraft.

since our former source of the nocd-crackz has been busted i tried to make these on my own, too, but encountered lots of difficulties when dumping with icedump etc...

so my question is (before i go and code all this i thought it'd be clever to ask first) if it would work if i read the complete process-memory from war.exe @ the execution of the hooked GameMain function and write this to a file then.

would this gimme a correct decrypted dump of the exe, or does securom re-encrypt certain parts again after they have been used? (it's securom 4.8.x)

perhaps anyone has already done this and made some experience with it, or may even provide some code for masm/nasm that shows how to do this efficiently...
thx for your time and help....

evlncrn8
June 15th, 2004, 17:30
you'd have to dump it at true ep, rebuild imports and fix all the api calls, and triggers if there are any (though i don't think there are). try using the search button next time too

AmAdEuS
June 16th, 2004, 12:51
i've read the other threads... i just didn't seem to even get a dump with the correct size...
i'd thought of (after having a correct dump) comparing the gimpsRUS vcrack from an older version of the game with a clean dump of the uncracked exe from the same version, so i can see what he did to the triggers etc...

but if i dump from the EP on it won't be the same size as his exe... although the file in mem seems the same size as the file on disk...

so i don't understand why dumping it leads to another size...
forgive me if i'm stupid in your opinion, but i'm new to all this; i coded some smaller appz in asm now and cracked some hash-functions in mem etc, but never dealt with copy-protections

AmAdEuS
June 16th, 2004, 12:54
perhaps someone could just be so kind to tell step by step how to get this file to disk?
i've really read all i could find about it but still doesn't seem to do it right...

my startup is to replace game.dll by my own dll, which will then load game.dll
so to be more exact, what must this dll do to write down the correct exe as it lies in mem, and why the hell is it changed on readproc @ all?

here's the src:

; -----------------------------------------------
; DLL for dumping war3.exe
; by AmAdEuS, coded for MASM32
; -----------------------------------------------

.486 ; set processor model
.model flat, stdcall ; default STDCALL calling convention
option casemap :none ; always use the case sensitive option

include include\windows.inc
include include\user32.inc
include include\kernel32.inc

includelib lib\user32.lib
includelib lib\kernel32.lib

; -----------------------------------------------
; procedures
; -----------------------------------------------
Dump PROTO :DWORD
; -----------------------------------------------
.data

CrackBuf byte 1568211 dup (?) ; buffer the size of war3.exe on disk
DumpEntryAddr dd 0 ; handle returned by OpenProcess
written dd 0 ; bytes actually read by ReadProcessMemory
hInstance dd 0 ; base address of the exe (GetModuleHandle NULL)

;-----------------------------------------------------
.code
LibMain proc hInstDLL:DWORD, reason:DWORD, unused:DWORD

.if reason == DLL_PROCESS_ATTACH
invoke GetModuleHandle,NULL
mov hInstance, eax

invoke Dump, addr CrackBuf
mov eax, TRUE ; set the return value after Dump, which clobbers eax

.elseif reason == DLL_PROCESS_DETACH
;blabla
.endif

ret

LibMain Endp

; -----------------------------------------------

Dump proc lpBuffer:DWORD

invoke GetCurrentProcessId

invoke OpenProcess,PROCESS_ALL_ACCESS,FALSE,eax
mov DumpEntryAddr, eax

; read from the exe's image base (hInstance) into the caller's buffer
invoke ReadProcessMemory,DumpEntryAddr,hInstance,lpBuffer,1568211,addr written

; shouldn't CrackBuf contain the full decrypted exe @ this point?

Dump endp

; -----------------------------------------------

end LibMain

;AmAdEuS (who feels so small among the ppl here )

gook
June 16th, 2004, 15:51
What you need to do is make a dump of the code section. The code section doesn't change in size. Use a pe tool to find its size and dump it at the right moment.

AmAdEuS
June 16th, 2004, 16:32
thx a lot... the hint i missed

evlncrn8
June 16th, 2004, 17:05
oh btw last war3 exe i checked on the update was securom 5, and from your code it looks like you have a hell of a lot more work to do although you're in luck it has no triggers, so just true ep patching, rebuild, import rebuild, api call rebuild, job done