Cont: Detour hooking without GetProcAddress() and VirtualProtect()?

On Sunday, 12 September 2010

It has been quite some time since I last blogged, since I have been really quite busy. Not only did I finish my kernel-mode unhooker, I also finished my user-mode unhooker.
A few days ago, Uligor suggested that npggnt.des calls GetProcAddress() and VirtualProtect() by directly importing ntdll's functions NtProtectVirtualMemory() and LdrGetProcedureAddress(). I thought, "Hey, how stupid of me not to think of that?" The usual kernel32.dll that we import our kernel subsystem functions from actually redirects our requests to ntdll, and GameGuard is public software, so they are certainly expecting people to attack them. Thus they should be ready for it.
However, things are not what Uligor and I imagined. I thought that in order to defeat npggnt.des I have to know it well, so I unpacked it and analysed it.

IAT of unpacked npggnt.des

I viewed the IAT with LordPE; there is no sign of ntdll. This is weird, so I disassembled npggnt.des to see what's up in there. I also noticed that npggnt.des has 3 exports.
3 export entries in npggnt.des
After some disassembly, this is what I think they are doing:
1. Inject npggnt.des.
2. GameMon calls CreateRemoteThread to call the 3rd export in every running process.
3. The 3rd export hooks the functions and meanwhile sets up a "Hook Table".
4. It starts a thread and returns.
5. The thread constantly checks for modification of their hooks and overwrites them if found.
6. It also checks for modification of npggnt.des's first 0x9000 bytes; if found, it notifies GameMon through a file mapping, and GameMon will close the game.
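The three mechanisms in steps 3, 5 and 6 (a detour hook written over a function prologue, a watchdog pass that re-applies the hook when it has been removed, and a checksum over the module image) are shown below as an added illustration in portable C. This is not GameGuard's code and nothing in it was taken from npggnt.des: it works on plain byte arrays standing in for a function prologue and a module image, so it runs anywhere, and it leaves out exactly the part the post asks about, namely how the bytes get written into executable memory. The assumptions are a 5-byte x86 `JMP rel32` (E9) detour, standard CRC-32 in place of whatever checksum routine GameGuard really uses, and made-up virtual addresses (0x10001000 as the hooked function, 0x20000000 as the detour); the file-mapping notification to GameMon is reduced to a return value.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define JMP_LEN 5   /* E9 rel32 */

/* rel32 for a "JMP dst" placed at src: the target minus the end of the JMP. */
uint32_t jmp_displacement(uintptr_t src, uintptr_t dst) {
    return (uint32_t)(dst - (src + JMP_LEN));
}

/* Encode E9 <rel32>, little-endian, byte by byte so host endianness is irrelevant. */
void build_jmp_rel32(uintptr_t src, uintptr_t dst, uint8_t out[JMP_LEN]) {
    uint32_t rel = jmp_displacement(src, dst);
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)(rel >> (8 * i));
}

typedef struct {
    uint8_t *target;            /* where the prologue lives (a buffer here) */
    uint8_t  original[JMP_LEN]; /* stolen bytes, kept so the hook can be undone */
    uint8_t  patch[JMP_LEN];    /* the JMP the watchdog expects to find */
} hook_t;

/* Overwrite the first 5 bytes of the prologue with a JMP to the detour.
   src_va is the virtual address the buffer stands in for: rel32 is relative
   to where the patched instruction really sits, not to the buffer. */
void install_hook(hook_t *h, uint8_t *target, uintptr_t src_va, uintptr_t detour_va) {
    h->target = target;
    memcpy(h->original, target, JMP_LEN);
    build_jmp_rel32(src_va, detour_va, h->patch);
    memcpy(target, h->patch, JMP_LEN);
}

/* One watchdog pass over a hook (step 5): 0 if intact, 1 if it had been
   removed or altered and has now been re-applied. */
int watchdog_reassert(hook_t *h) {
    if (memcmp(h->target, h->patch, JMP_LEN) == 0) return 0;
    memcpy(h->target, h->patch, JMP_LEN);
    return 1;
}

/* CRC-32 (reflected, poly 0xEDB88320) of a region, standing in for the
   check over the module's first 0x9000 bytes (step 6). Assumed algorithm;
   the post does not say what GameGuard's "CRC" routine really computes. */
uint32_t crc32_region(const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Whole cycle on constructed data. Returns a bitmask:
   bit 0: the watchdog caught and re-applied a removed hook
   bit 1: the image check caught a byte flipped in the protected region
   bit 2: a second watchdog pass found the hook intact
   so 7 means every check fired the way the list above describes. */
int demo_tamper_cycle(void) {
    /* Constructed "module image": a prologue (push ebp; mov ebp,esp;
       sub esp,0x10) followed by NOP filler. */
    uint8_t image[64];
    memset(image, 0x90, sizeof image);
    const uint8_t prologue[] = {0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10};
    memcpy(image, prologue, sizeof prologue);

    hook_t h;
    install_hook(&h, image, 0x10001000u, 0x20000000u);
    uint32_t good_crc = crc32_region(image, sizeof image); /* baseline taken after hooking */

    int result = 0;
    memcpy(image, h.original, JMP_LEN);   /* an unhooker restores the prologue */
    if (watchdog_reassert(&h) == 1 && memcmp(image, h.patch, JMP_LEN) == 0)
        result |= 1;
    image[40] ^= 0xFF;                    /* someone patches inside the protected region */
    if (crc32_region(image, sizeof image) != good_crc) result |= 2;
    image[40] ^= 0xFF;                    /* put it back */
    if (watchdog_reassert(&h) == 0) result |= 4;
    return result;
}

int main(void) {
    uint8_t jmp[JMP_LEN];
    build_jmp_rel32(0x401000u, 0x402000u, jmp);
    printf("JMP 0x401000 -> 0x402000:");
    for (int i = 0; i < JMP_LEN; i++) printf(" %02X", jmp[i]);
    printf("\nCRC-32(\"123456789\") = %08X\n",
           crc32_region((const uint8_t *)"123456789", 9));
    printf("tamper cycle result = %d (7 = all checks fired)\n", demo_tamper_cycle());
    return 0;
}
```

Two things worth noticing against the post: the watchdog only compares the five patched bytes with the JMP it installed, so forcing its compare to report "intact" (the "Tick ZF" idea) silences it without touching the hook at all, and the image checksum is only as good as the code that computes and compares it, which is why the post targets both the CRC routine and the hook check rather than the hooks themselves.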
I guess I am lazy this time, so I just gave their "CRC" routine and hook check routine a "Tick ZF"... And GameGuard's user-mode hook == GameOver.
But how do they do the hooking without calling the functions mentioned in the blog entry title? I guess I hooked the function incorrectly or they overwrote my hook, LoL!
(Note: I didn't release where to "Tick ZF" as it is too "anti-leaking" to be left public.)
