I was a little bored today, so I decided to unpack, devirtualize and fix the GMS v95 client (making it completely runnable). So here you go
You still need to do something to make it runnable (because of HackShield):
Compile
Edit: This was primarily done for fun and to test my TheMida devirtualizer. I do not take requests.
You still need to do something to make it runnable (because of HackShield):
Compile [link hidden by the forum for unregistered visitors] and put ehsvc.dll into the /HShield/ folder. Run with the following hooks:
Code:
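/// Installs a detour on CreateProcessA and returns whatever function::redirect reports.
///
/// The detour looks only at lpCommandLine. When it contains "HSUpdate.exe" or
/// "autoup.exe", the requested process is not started; a bare svchost.exe from the
/// system directory is started in its place. Every other call is forwarded unchanged.
///
/// Review notes:
///  - strstr is a case-sensitive substring match on the whole command line, so it also
///    matches when either name appears only inside an argument.
///  - The substitute child is svchost.exe started without service arguments by a
///    non-services.exe parent; process-creation telemetry commonly treats that lineage
///    as anomalous.
bool hook_CreateProcessA()
{
    // Slot holding the address used to reach the real API. function::redirect receives a
    // pointer to it; its definition is not shown here -- presumably it stores a trampoline.
    static decltype(&CreateProcessA) _CreateProcessA = &CreateProcessA;

    decltype(&CreateProcessA) CreateProcessA_hook = [](LPCSTR lpApplicationName,
                                                       LPSTR lpCommandLine,
                                                       LPSECURITY_ATTRIBUTES lpProcessAttributes,
                                                       LPSECURITY_ATTRIBUTES lpThreadAttributes,
                                                       BOOL bInheritHandles,
                                                       DWORD dwCreationFlags,
                                                       LPVOID lpEnvironment,
                                                       LPCSTR lpCurrentDirectory,
                                                       LPSTARTUPINFOA lpStartupInfo,
                                                       LPPROCESS_INFORMATION lpProcessInformation) -> BOOL
    {
        const char _hsupdate[] = "HSUpdate.exe";
        const char _autoup[] = "autoup.exe";

        if (lpCommandLine != NULL)
        {
            const bool is_hsupdate = (strstr(lpCommandLine, _hsupdate) != NULL);
            const bool is_autoup = (strstr(lpCommandLine, _autoup) != NULL);

            if (is_hsupdate || is_autoup)
            {
                if (is_hsupdate)
                {
                    // Named event signalled only for the HSUpdate.exe case; what waits on
                    // it is not shown on this page. The A variant is used explicitly so the
                    // narrow string literal also compiles in a UNICODE build.
                    HANDLE hEvent = OpenEventA(EVENT_ALL_ACCESS, FALSE,
                                               "Global\\EF81BA4B-4163-44f5-90E2-F05C1E49C12D");

                    // OpenEventA returns NULL when the event does not exist or access is
                    // denied; skip SetEvent/CloseHandle instead of passing NULL to them.
                    if (hEvent != NULL)
                    {
                        SetEvent(hEvent);
                        CloseHandle(hEvent);
                    }
                }

                char lpszFilePath[256];

                // Returns the length written, 0 on failure, or the required size when the
                // buffer is too small -- the last two must not be used as an offset.
                const UINT cchDir = GetSystemDirectoryA(lpszFilePath, sizeof(lpszFilePath));
                if (cchDir == 0)
                {
                    return FALSE; // last error already set by GetSystemDirectoryA
                }
                if (cchDir >= sizeof(lpszFilePath))
                {
                    SetLastError(ERROR_INSUFFICIENT_BUFFER);
                    return FALSE;
                }

                // The destination starts cchDir bytes into the buffer, so only the
                // remaining space may be declared to StringCchCopyA (the original passed
                // the full 256, which overstates the room left).
                if (FAILED(StringCchCopyA(lpszFilePath + cchDir,
                                          sizeof(lpszFilePath) - cchDir,
                                          "\\svchost.exe")))
                {
                    SetLastError(ERROR_INSUFFICIENT_BUFFER);
                    return FALSE;
                }

                // lpCommandLine is LPSTR (non-const); hand it a writable array rather than
                // a string literal.
                char szCommandLine[] = "svchost.exe";

                return _CreateProcessA(lpszFilePath, szCommandLine, NULL, NULL, FALSE,
                                       dwCreationFlags, NULL, NULL,
                                       lpStartupInfo, lpProcessInformation);
            }
        }

        // Not one of the two matched names: forward the call untouched.
        return _CreateProcessA(lpApplicationName, lpCommandLine, lpProcessAttributes,
                               lpThreadAttributes, bInheritHandles, dwCreationFlags,
                               lpEnvironment, lpCurrentDirectory,
                               lpStartupInfo, lpProcessInformation);
    };

    return function::redirect(true, reinterpret_cast<void**>(&_CreateProcessA), CreateProcessA_hook);
}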
Edit: This was primarily done for fun and to test my TheMida devirtualizer. I do not take requests.