BaSs_HaXoR

Project Memories & Reborn PwN3D

Mar 7th, 2015
MW3ProjectMemoriesV3 & MW2RebornV3 By Enstone:
######################################################
MW3Memories:
Antidump - DBA0A0
CISC VM pointer - 00DBE7A4
TM_WL_2: 00DBC87C
######################################################
MW2RebornV3:
Antidump - DCA0A0
CISC_VMware - 00DCE505
######################################################
//PwN3D By BaSs_HaXoR

Log data
Address Message
02D40118 Breakpoint at 02D40118

-------------- File Info -------------

FIRST_PATH:
C:\Users\BaSs_HaXoR\Desktop\FMT Tools Ready for Cracking\MW2RebornV3.exe

MAIN_PATH:
C:\Users\BaSs_HaXoR\Desktop\FMT Tools Ready for Cracking\MW2RebornV3.exe

FIRST_FILE_NAME:
MW2RebornV3.exe

FIRST_FILE_END:
exe

FIRST_NAME:
MW2RebornV3

----------******************----------

Found 0 dec & 0 hex Active Processes!

----------******************----------


----------- TLS MAIN INFOS -----------

TLS TABLE RVA: B88D44 & SIZE: 18

TLS TABLE VA: F88D44 & SIZE: 18

DATABLOCKSTART VA: D7F019
DATABLOCKEND VA: D7F01C
INDEXVARIABLE VA: D72CFC
CALLBACKTABLE VA: D7E020

NO CALLBACK INSIDE PRESENT

----------******************----------

PLUGINPATH: C:\Users\BaSs_HaXoR\Desktop\Deobfuscation\OllyDebugger shit\OllyDebugger

------------ Plugin List -------------

No: PLUGIN-NAME


----------******************----------
VM antidump redirector is used.
Version retriever is not used.
Oreans kernel32, user32 and advapi32 dll's are disabled.
-------------
Modulebase: 00400000
Code & IAT Section: 00401000

Found new Anti-Dump store location at address: DCA0A0

00FD3020 Breakpoint at MW2Rebor.00FD3020
00FD3005 Breakpoint at MW2Rebor.00FD3005
6EAF0000 Module C:\WINDOWS\SYSTEM32\ntmarta.dll
74800000 Module C:\WINDOWS\SYSTEM32\winmm.dll
741E0000 Module C:\WINDOWS\SYSTEM32\WINMMBASE.dll
75830000 Module C:\WINDOWS\SYSTEM32\cfgmgr32.dll
77038B90 Hardware breakpoint 1 at KERNEL32.VirtualAlloc
----------------------------
VMware check pointer was found and patched at: 00DCE505
----------------------------
CISC VM is located in the Themida - Winlicense section.
----------------------------
VMware check pointer was found and patched at: 00DCE505
----------------------------
TM_WL_2: 00DCCACA


#################### MW2 Reborn ####################


---------------EX--------------------------------------
Call from: DCF085 | API: 77038B90 | NAME: VirtualAlloc
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E0CF92 | API: 77038F80 | NAME: LoadLibraryA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E0CFB0 | API: 77038F80 | NAME: LoadLibraryA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E0CFC4 | API: 7703A940 | NAME: GetLocalTime
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E0EA3B | API: 758E75A0 | NAME: MessageBoxExA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E0F2ED | API: 77048920 | NAME: CreateFileA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E10CDA | API: 75A3C620 | NAME: RegCreateKeyA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E10CF9 | API: 75A2E120 | NAME: RegFlushKey
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E10D18 | API: 75A26FB0 | NAME: RegSetValueExA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E10D37 | API: 75A19330 | NAME: RegCloseKey
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E10D56 | API: 75A194B0 | NAME: RegQueryValueExA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E11155 | API: 7703B5A0 | NAME: GetCommandLineA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E19CFB | API: 77048880 | NAME: SetEvent
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E19D19 | API: 770488C0 | NAME: WaitForSingleObject
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E19D37 | API: 77048740 | NAME: CreateEventA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E19D55 | API: 77038F80 | NAME: LoadLibraryA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E19D73 | API: 7703A790 | NAME: FreeLibrary
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E19D91 | API: 77037B50 | NAME: GetProcAddress
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E19DAF | API: 7703B2E0 | NAME: GetEnvironmentVariableA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E19DCD | API: 7589C850 | NAME: wsprintfA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E19DEB | API: 7703B5B0 | NAME: GetVersion
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E19E09 | API: 77048920 | NAME: CreateFileA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E19E27 | API: 77049850 | NAME: ExitProcess
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E19E45 | API: 77038A50 | NAME: DeviceIoControl
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E19E5C | API: 75A26BB0 | NAME: RegOpenKeyA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E19E7A | API: 770486F0 | NAME: CloseHandle
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E19E98 | API: 77038F20 | NAME: VirtualFree
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E19EB6 | API: 770382D0 | NAME: Sleep
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E1806D | API: 77038B10 | NAME: GetVersionExA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E18A06 | API: 75A19330 | NAME: RegCloseKey
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E18A80 | API: 75A194B0 | NAME: RegQueryValueExA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E1EB91 | API: 770382D0 | NAME: Sleep
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E21FB6 | API: 77048920 | NAME: CreateFileA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E21FC0 | API: 77048AF0 | NAME: GetFileSize
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E21FCA | API: 77038B90 | NAME: VirtualAlloc
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E21FD4 | API: 77048C00 | NAME: ReadFile
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E21FDE | API: 77038B10 | NAME: GetVersionExA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E21FF2 | API: 7703A890 | NAME: GetSystemDirectoryA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E2202E | API: 770486F0 | NAME: CloseHandle
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E30FB8 | API: 77032410 | NAME: IsBadReadPtr
-------------------------------------------------------
---------------GPA---------------------------------
Call from: E3306C | API: 7726D7B0 | NAME: NtOpenThread
-------------------------------------------------------
---------------GPA---------------------------------
Call from: E335A8 | API: 74802800 | NAME: timeGetTime
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E573D8 | API: 770431B0 | NAME: Process32Next
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E3AF5E | API: 7703FA50 | NAME: lstrcmpiA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E3AFE9 | API: 77032410 | NAME: IsBadReadPtr
-------------------------------------------------------
---------------GPA---------------------------------
Call from: E3B1E0 | API: 7726C9D0 | NAME: NtQuerySystemInformation
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E3AF5E | API: 7703FA50 | NAME: lstrcmpiA
-------------------------------------------------------
---------------GPA---------------------------------
Call from: E3B1E0 | API: 7726C9D0 | NAME: NtQuerySystemInformation
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E3AF5E | API: 7703FA50 | NAME: lstrcmpiA
-------------------------------------------------------
---------------GPA---------------------------------
Call from: E3B1E0 | API: 7726C9D0 | NAME: NtQuerySystemInformation
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E3AF5E | API: 7703FA50 | NAME: lstrcmpiA
-------------------------------------------------------
---------------GPA---------------------------------
Call from: E3B1E0 | API: 7726C9D0 | NAME: NtQuerySystemInformation
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E3AF5E | API: 7703FA50 | NAME: lstrcmpiA
-------------------------------------------------------
---------------GPA---------------------------------
Call from: E3B1E0 | API: 7726C9D0 | NAME: NtQuerySystemInformation
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E3AF5E | API: 7703FA50 | NAME: lstrcmpiA
-------------------------------------------------------
---------------GPA---------------------------------
Call from: E3B1E0 | API: 7726C9D0 | NAME: NtQuerySystemInformation
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E3AF5E | API: 7703FA50 | NAME: lstrcmpiA
-------------------------------------------------------
---------------GPA---------------------------------
Call from: E3B1E0 | API: 7726C9D0 | NAME: NtQuerySystemInformation
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E6068C | API: 7726C800 | NAME: ZwQueryInformationProcess
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E62BF0 | API: 7726C740 | NAME: ZwSetInformationThread
-------------------------------------------------------

#################### MW3 MEMORIES ####################

---------------EX--------------------------------------
Call from: DBF275 | API: 77038B90 | NAME: VirtualAlloc
-------------------------------------------------------
---------------EX--------------------------------------
Call from: DFCE9D | API: 77038F80 | NAME: LoadLibraryA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: DFCEBB | API: 77038F80 | NAME: LoadLibraryA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: DFCECF | API: 7703A940 | NAME: GetLocalTime
-------------------------------------------------------
---------------EX--------------------------------------
Call from: DFF09F | API: 758E75A0 | NAME: MessageBoxExA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E00CAE | API: 75A3C620 | NAME: RegCreateKeyA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E00CCD | API: 75A2E120 | NAME: RegFlushKey
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E00CEC | API: 75A26FB0 | NAME: RegSetValueExA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E00D0B | API: 75A19330 | NAME: RegCloseKey
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E00D2A | API: 75A194B0 | NAME: RegQueryValueExA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E00EAE | API: 77048920 | NAME: CreateFileA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E01F2E | API: 7703B5A0 | NAME: GetCommandLineA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E099B8 | API: 77048880 | NAME: SetEvent
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E099D6 | API: 770488C0 | NAME: WaitForSingleObject
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E099F4 | API: 77048740 | NAME: CreateEventA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E09A12 | API: 77038F80 | NAME: LoadLibraryA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E09A30 | API: 7703A790 | NAME: FreeLibrary
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E09A4E | API: 77037B50 | NAME: GetProcAddress
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E09A6C | API: 7703B2E0 | NAME: GetEnvironmentVariableA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E09A8A | API: 7589C850 | NAME: wsprintfA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E09AA8 | API: 7703B5B0 | NAME: GetVersion
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E09AC6 | API: 77048920 | NAME: CreateFileA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E09AE4 | API: 77049850 | NAME: ExitProcess
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E09B02 | API: 77038A50 | NAME: DeviceIoControl
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E09B19 | API: 75A26BB0 | NAME: RegOpenKeyA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E09B37 | API: 770486F0 | NAME: CloseHandle
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E09B55 | API: 77038F20 | NAME: VirtualFree
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E09B73 | API: 770382D0 | NAME: Sleep
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E07DEF | API: 77038B10 | NAME: GetVersionExA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E0B965 | API: 75A19330 | NAME: RegCloseKey
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E0B9DF | API: 75A194B0 | NAME: RegQueryValueExA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E0F535 | API: 770382D0 | NAME: Sleep
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E11D2B | API: 77048920 | NAME: CreateFileA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E11D35 | API: 77048AF0 | NAME: GetFileSize
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E11D3F | API: 77038B90 | NAME: VirtualAlloc
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E11D49 | API: 77048C00 | NAME: ReadFile
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E11D53 | API: 77038B10 | NAME: GetVersionExA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E11D67 | API: 7703A890 | NAME: GetSystemDirectoryA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E11DA3 | API: 770486F0 | NAME: CloseHandle
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E1FCD0 | API: 77032410 | NAME: IsBadReadPtr
-------------------------------------------------------
---------------GPA---------------------------------
Call from: E21EBA | API: 7726D7B0 | NAME: NtOpenThread
-------------------------------------------------------
---------------GPA---------------------------------
Call from: E224ED | API: 74802800 | NAME: timeGetTime
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E46126 | API: 770431B0 | NAME: Process32Next
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E47352 | API: 7726C800 | NAME: ZwQueryInformationProcess
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E28CF7 | API: 7703FA50 | NAME: lstrcmpiA
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E28DD8 | API: 77032410 | NAME: IsBadReadPtr
-------------------------------------------------------
---------------GPA---------------------------------
Call from: E290F5 | API: 7726C9D0 | NAME: NtQuerySystemInformation
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E28CF7 | API: 7703FA50 | NAME: lstrcmpiA
-------------------------------------------------------
---------------GPA---------------------------------
Call from: E290F5 | API: 7726C9D0 | NAME: NtQuerySystemInformation
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E28CF7 | API: 7703FA50 | NAME: lstrcmpiA
-------------------------------------------------------
---------------GPA---------------------------------
Call from: E290F5 | API: 7726C9D0 | NAME: NtQuerySystemInformation
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E28CF7 | API: 7703FA50 | NAME: lstrcmpiA
-------------------------------------------------------
---------------GPA---------------------------------
Call from: E290F5 | API: 7726C9D0 | NAME: NtQuerySystemInformation
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E28CF7 | API: 7703FA50 | NAME: lstrcmpiA
-------------------------------------------------------
---------------GPA---------------------------------
Call from: E290F5 | API: 7726C9D0 | NAME: NtQuerySystemInformation
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E28CF7 | API: 7703FA50 | NAME: lstrcmpiA
-------------------------------------------------------
---------------GPA---------------------------------
Call from: E290F5 | API: 7726C9D0 | NAME: NtQuerySystemInformation
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E28CF7 | API: 7703FA50 | NAME: lstrcmpiA
-------------------------------------------------------
---------------GPA---------------------------------
Call from: E290F5 | API: 7726C9D0 | NAME: NtQuerySystemInformation
-------------------------------------------------------
---------------EX--------------------------------------
Call from: E51FB0 | API: 7726C740 | NAME: ZwSetInformationThread
-------------------------------------------------------