  1. Code:
  2.  
  3. // .data:004421D0 0000005B C Copyright (c) 1992-2004 by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.
  4. //.rdata:0043F288 00000050 C C:\\Users\\mimetnet\\Desktop\\paladin.client\\programs\\client\\Release\\cmn-client.pdb
  5.  
  6. WinMain( )
  7.  
  8. Creates a kernel object named Global\\cmn-client-%llu (described in the original notes as a named pipe; note that Global\\ is the kernel-object namespace used for mutexes/events/sections and is visible to every logon session, whereas named pipes live under \\.\pipe\ — confirm which API creates it before relying on the "pipe" description)
  9.  
  10. Code (decompiler output, C):
  11. // Looks for local storage:
  12.  
  // Resolves %LOCALAPPDATA% and appends "\CMN". The folder id 28 is 0x1C == CSIDL_LOCAL_APPDATA,
  // which agrees with the AppData\Local path shown. The fifth argument of SHGetFolderPathA is its
  // OUTPUT buffer (LPSTR, MAX_PATH chars), so the "C:\\Users\\<user>\\..." text is the author's
  // annotation of what the buffer ends up holding, not a literal present in the binary — TODO confirm
  // against the disassembly. SHGetFolderPathA returns an HRESULT, so `!hr` is true only on S_OK.
  13. if ( !SHGetFolderPathA(0, 28, 0, 0, "C:\\Users\\<user>\\AppData\\Local\\CMN") )
  // Same buffer; 260 == MAX_PATH is the capacity strcat_s is told about. Per the MSVC contract,
  // strcat_s does not truncate: if "\\CMN" would not fit it invokes the invalid-parameter handler
  // (process abort by default), so an unusually long profile path is a crash, not an overflow.
  14. strcat_s("C:\\Users\\<user>\\AppData\\Local\\CMN", 260u, "\\CMN");
  15. Retrieves the list of running processes and their window handles (as excerpted below, the routine actually stops at the first process it can open with PROCESS_VM_READ and brings that process's top-level window to the foreground via EnumFunc; the elided "//.." parts may loop further — confirm):
  16.  
  17. Code (decompiler output, C):
  18. //.text:004011C0 ProcessEnum proc near ; CODE XREF: WinMain(x,x,x,x)+18Cp
  19.  
  // Decompiled and elided ("//..") process-enumeration routine from cmn-client.exe. The names
  // hProcessSnap / hSnapshot / pe / LABEL_9 are the decompiler's; the snapshot creation, the
  // declaration of pe and the LABEL_9 target are all in the elided parts.
  20. BOOL __cdecl ProcessEnum( )
  21. {
  22. //..
  23.  
  24. result = Process32FirstW( hProcessSnap, &pe ); // first entry fetched but never examined (see next call)
  25.  
  26. if ( !result )
  27. return result;
  28.  
  29. if ( !Process32NextW( hProcessSnap, &pe ) ) // overwrites pe immediately, so the first snapshot entry is skipped (typically the PID-0 system pseudo-process)
  30. return CloseHandle( hProcessSnap ); // CloseHandle's BOOL becomes the function result, so "only one process" reads as success
  31.  
  32. //..
  33.  
  34. while ( 1 )
  35. {
  36. hProc = OpenProcess( 0x410u, 0, pe.th32ProcessID ); // 0x410 == PROCESS_QUERY_INFORMATION (0x400) | PROCESS_VM_READ (0x10): read access to another process's memory. Only succeeds where the caller's token allows it (own-user processes, or everything with SeDebugPrivilege); this is exactly the access pattern EDR products flag, which matters for an anti-cheat client.
  37.  
  38. if ( hProc )
  39. break; // stops at the FIRST openable process; hProc is never closed in the visible lines (handle leak unless an elided part does it)
  40.  
  41. LABEL_6:
  42.  
  43. if ( !Process32NextW( hSnapshot, &pe ) ) // hSnapshot here vs hProcessSnap above: either a second snapshot handle or a decompiler naming artifact — confirm
  44. goto LABEL_9; // exits the loop; target not in the excerpt
  45. }
  46.  
  47. EnumWindows(EnumFunc, pe.th32ProcessID); // reached only via the break above; pe still holds the entry whose OpenProcess succeeded, and EnumFunc (below) forces that PID's top-level window to the foreground
  48.  
  49. //..
  50.  
  51. return CloseHandle( hProcessSnap );
  52. }
  53. EnumFunc
  54. Code (decompiler output, C):
  55. //.text:00401150 ; BOOL __stdcall EnumFunc(HWND, LPARAM)
  56.  
  // EnumWindows callback (prototype at .text:00401150 is BOOL (HWND, LPARAM)). The decompiler
  // typed the LPARAM as `int`; ProcessEnum passes pe.th32ProcessID in it, i.e. a2 is the target PID.
  // Returns 0 (FALSE) to stop the enumeration once a matching window was handled, 1 to continue.
  57. signed int __stdcall EnumFunc( HWND hWnd, int a2 )
  58. {
  59. HWND v2; // esi@1 -- window that ends up being activated (starts as hWnd, may be replaced by an ancestor)
  60. HWND i; // eax@3
  61. signed int result; // eax@5
  62. DWORD dwProcessId; // [sp+4h] [bp-4h]@1
  63.  
  64. v2 = hWnd;
  65. dwProcessId = 0; // stays 0 if GetWindowThreadProcessId fails, which the `dwProcessId &&` test below relies on
  66. GetWindowThreadProcessId( hWnd, &dwProcessId ); // return value (thread id) discarded; only the owning PID is wanted
  67. if ( dwProcessId && dwProcessId == a2 ) // DWORD vs int comparison (promotes to unsigned) — harmless for real PIDs
  68. {
  69. for ( i = GetParent( hWnd ); i; i = GetParent( i ) ) // climb to the root of the parent/owner chain; EnumWindows only hands out top-level windows, so this is usually zero or one step (owner window)
  70. v2 = i;
  71.  
  72. ShowWindow( v2, 1 ); // 1 == SW_SHOWNORMAL (un-minimizes / un-hides)
  73. BringWindowToTop( v2 );
  74. SetForegroundWindow( v2 ); // per Windows' foreground-activation rules this may only flash the taskbar button if this process is not currently allowed to take the foreground; return value not checked
  75. result = 0; // FALSE: stop enumerating after the first window of the target PID
  76. } else {
  77. result = 1; // TRUE: keep enumerating
  78. }
  79. return result;
  80. }
  81. Their InitInstance function:
  82. Code (decompiler output, C):
  // Startup gate + main-window creation. Returns 1 on success, 0 when the caller should abort:
  // a blocklisted process is running, BrowserCheck() rejects the launch, or CreateWindowExW fails.
  // The two refusal paths are purely client-side decisions, so they are advisory against a user
  // who controls the machine (anything enforced only here can be patched out).
  83. signed int __cdecl InitInstance( HINSTANCE hInstance, int nCmdShow )
  84. {
  85. // ...
  86.  
  87. sub_411A60( &nWidth, &nHeight, &wpszName ); // fills window size and a process name; where the values come from (config, command line, the browser hand-off?) is not visible — worth confirming, since wpszName drives the check below
  88. if ( wpszName && GetProcessByName( ( const wchar_t * )&wpszName ) ) // name-based blocklist: a match by executable name is trivially defeated by renaming the other binary
  89. {
  90. _snwprintf( &Text, 0x2000u, L"The application '%s' cannot be running before the Paladin client starts", &wpszName ); // wpszName is a %s argument, not the format string (no format-string issue). Per MSVC _snwprintf semantics the buffer is NOT NUL-terminated if the output fills all 0x2000 characters; Text's declaration is elided, so check its size
  91. MessageBoxW( 0, &Text, L"Paladin Error", 0x10u ); // 0x10 == MB_ICONERROR (MB_ICONHAND)
  92. return 0;
  93. }
  94. if ( BrowserCheck( ) ) // nonzero == "not launched via the browser check-in" (body not in the excerpt)
  95. {
  96. MessageBoxW( 0, L"Paladin can only be launched through the browser-based match check-in.", L"Paladin Error", 0x10u );
  97. result = 0;
  98. }
  99. else
  100. {
  101. v3 = CreateWindowExW( 0, &ClassName, &WindowName, 0x2CA0000u, 0x80000000u, 0, nWidth, nHeight, 0, 0, hInstance, 0 ); // style 0x02CA0000 == WS_CLIPCHILDREN | WS_CAPTION | WS_SYSMENU | WS_MINIMIZEBOX (no WS_VISIBLE, hence the ShowWindow below); x == 0x80000000 == CW_USEDEFAULT, y == 0
  102. if ( !v3 )
  103. return 0;
  104.  
  105. ShowWindow( v3, nCmdShow );
  106. UpdateWindow( v3 );
  107. result = 1;
  108. }
  109. return result;
  110. }
  111. Boring (appears to be CRT-internal lazy loading of user32 for the runtime's own message-box helper rather than application logic — see the comments in the listing)
  112. Code (decompiler output, C):
  // One-time, lazy binding of a handful of user32 entry points, cached as EncodePointer()-obfuscated
  // globals (they must go through DecodePointer before being called; the encoding makes a
  // pointer-overwrite primitive less useful against these slots). The exact set of imports —
  // MessageBoxW, GetActiveWindow, GetLastActivePopup, GetUserObjectInformationW,
  // GetProcessWindowStation — matches the pattern of the MSVC CRT's internal message-box
  // helper (used to pick MB_SERVICE_NOTIFICATION on a non-interactive window station), which is
  // consistent with the author's "Boring" label; treat that attribution as likely, not confirmed.
  113. if ( !dword_444940 )
  114. {
  115. v3 = LoadLibraryW(L"USER32.DLL"); // bare name, but user32 is a KnownDLL on supported Windows versions, so this is not a realistic search-order hijack vector
  116. v4 = v3;
  117. if ( !v3 || (v5 = GetProcAddress(v3, "MessageBoxW")) == 0 ) // only MessageBoxW is required; the lookups below are allowed to fail
  118. return 0;
  119.  
  120. dword_444940 = EncodePointer(v5);
  121. v6 = GetProcAddress(v4, "GetActiveWindow"); // not NULL-checked: a failed lookup is stored as EncodePointer(NULL), so consumers must decode and test
  122. dword_444944 = EncodePointer(v6);
  123. v7 = GetProcAddress(v4, "GetLastActivePopup");
  124. dword_444948 = EncodePointer(v7);
  125. v8 = GetProcAddress(v4, "GetUserObjectInformationW");
  126. dword_444950 = EncodePointer(v8);
  127.  
  128. if ( dword_444950 ) // only worth resolving GetProcessWindowStation if GetUserObjectInformationW exists
  129. {
  130. v9 = GetProcAddress(v4, "GetProcessWindowStation");
  131. dword_44494C = EncodePointer(v9);
  132. }
  133. }
  134. cmn-dash.exe is an x64 build
  135. Code:
  136.  
  137. //.rdata:0000000140004658 aC2012MatthewMe db '(c) 2012 Matthew Metnetsky',0Ah,0
  138. //.rdata:0000000140004CC4 00000056 C C:\\Users\\mimetnet\\Desktop\\paladin.client\\programs\\dash\\win32\\Release\\x64\\cmn-dash.pdb
  139.  
  140. synchronizes through a Global\\ mutex (the listing below calls OpenMutexW on "Global\\cmn-dash[-%u]", not a named-pipe API; if a pipe also exists it is not shown in this excerpt)
  141.  
  142. Code:
  143.  
; Mutex name selection inside sub_1400011B0: one path formats "Global\\cmn-dash-%u" (numeric
; suffix comes from an argument set up before this excerpt), the other uses the bare
; "Global\\cmn-dash"; the branch that decides is outside the excerpt (sub_1400011B0+B3).
; Both names live in the Global\ namespace, i.e. they are visible to every logon session.
; Unless the creator applies a restrictive DACL (not visible here), any local user can
; pre-create ("squat") Global\cmn-dash before the legitimate owner does, and this OpenMutexW
; will happily open the attacker's object — worth checking on the creating side.
.text:0000000140001265 lea r8, aGlobalCmnDashU ; "Global\\cmn-dash-%u"
.text:000000014000126C call cs:_snwprintf ; destination buffer and count (rcx/rdx) are set up before this excerpt
.text:0000000140001272 jmp short loc_140001281
.text:0000000140001274 ; ---------------------------------------------------------------------------
.text:0000000140001274
.text:0000000140001274 loc_140001274: ; CODE XREF: sub_1400011B0+B3j
.text:0000000140001274 lea r8, aGlobalCmnDash ; "Global\\cmn-dash"
.text:000000014000127B call cs:_snwprintf
.text:0000000140001281
.text:0000000140001281 loc_140001281: ; CODE XREF: sub_1400011B0+C2j
.text:0000000140001281 lea r8, [rsp+288h+Name] ; lpName
.text:0000000140001286 xor edx, edx ; bInheritHandle = FALSE (handle will not leak into child processes)
.text:0000000140001288 mov ecx, 1F0001h ; dwDesiredAccess = 1F0001h == MUTEX_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | MUTEX_MODIFY_STATE). If the mutex was created by a different principal (e.g. a SYSTEM service) with a default DACL, an ALL_ACCESS open from a standard user fails with ACCESS_DENIED; SYNCHRONIZE alone would be the least-privilege request if the caller only waits on it.
.text:000000014000128D call cs:OpenMutexW ; result (rax) is tested after this excerpt
  158.  
  159.  
; Service-control prologue: connect to the SCM, then open the "cmn-dash" service.
; The dwDesiredAccess passed to OpenSCManagerW (set up before this excerpt) is not visible.
.text:00000001400031F8 call cs:OpenSCManagerW
.text:00000001400031FE mov rsi, rax ; keep the SC_HANDLE
.text:0000000140003201 test rax, rax
.text:0000000140003204 jz short loc_140003283 ; bail out if the SCM could not be opened (error path not in excerpt)
.text:0000000140003206 lea r8d, [rbx+14h] ; dwDesiredAccess for OpenService. `lea r8d,[rbx+14h]` is the compiler's way of loading a constant when rbx is known to be 0 (the same trick appears below as `lea r8d,[rdx+2]`); if so the mask is 14h == SERVICE_QUERY_STATUS (4) | SERVICE_START (10h), which is the minimum for what follows — confirm rbx is zero here
.text:000000014000320A lea rdx, ServiceName ; "cmn-dash"
.text:0000000140003211 mov rcx, rax ; hSCManager
; The OpenService call itself and its error check lie between this excerpt and the next.
  167.  
  168.  
; Start the cmn-dash service from the (user-mode) dash binary, then hand the service handle to
; a helper. Starting a service needs SERVICE_START on it, which a default service DACL grants
; only to administrators — so either this runs elevated, or the service's DACL was loosened at
; install time (check with `sc sdshow cmn-dash`); a loosened DACL is the interesting case.
.text:0000000140003253 call cs:StartServiceA ; ANSI variant, unlike the W calls above; its BOOL result in eax is not tested in the visible lines (ERROR_SERVICE_ALREADY_RUNNING would also land here)
.text:0000000140003259 mov edx, 2 ; int -- 2 == SERVICE_START_PENDING if these are SERVICE_* state values (plausible given the next argument; unconfirmed)
.text:000000014000325E mov rcx, rdi ; hService
.text:0000000140003261 lea r8d, [rdx+2] ; int -- r8d = 4 == SERVICE_RUNNING under the same reading, i.e. sub_140002960 would be a "wait for the state to go from pending to running" helper — confirm by reading sub_140002960
.text:0000000140003265 call sub_140002960
.text:000000014000326A mov ebx, eax ; helper's result is kept (consumed after this excerpt)