sandeagle Posted May 18, 2010 Share Posted May 18, 2010 any1 know Sabotage64.dll? is it a protection dll? or something other? Quote Link to comment Share on other sites More sharing options...
0 Sighed Posted May 21, 2010 Share Posted May 21, 2010 Where did you find that? If it's something injected in a pack it could be a backdoor. I think it is a backdoor; well, the word sabotage sounds like one. Quote Link to comment Share on other sites More sharing options...
0 Hazel Posted May 21, 2010 Share Posted May 21, 2010 http://l2dev.co.cc/tag/sabotage64-dll/ Quote Link to comment Share on other sites More sharing options...
0 rej222 Posted May 21, 2010 Share Posted May 21, 2010 Don't use it imo. Quote Link to comment Share on other sites More sharing options...
0 evilgh0st Posted May 22, 2010 Share Posted May 22, 2010 why ? what have that dll ? Quote Link to comment Share on other sites More sharing options...
0 sandeagle Posted May 22, 2010 Author Share Posted May 22, 2010 http://l2dev.co.cc/tag/sabotage64-dll/ right, it was included in this pack. i don't know what it is, any1 know??? Quote Link to comment Share on other sites More sharing options...
0 sandeagle Posted May 22, 2010 Author Share Posted May 22, 2010 maybe some1 understand what is it...
; NOTE(review): The two routines in this excerpt look like compiler-generated
; startup code rather than logic written by the DLL's author: an entry stub
; that, on process attach, runs a one-time initialiser and then tail-jumps to
; sub_18000BA6C, which is not shown. The initialiser matches the MSVC CRT's
; __security_init_cookie pattern (/GS stack-protection cookie setup).
; The only APIs called here read the clock, the process/thread IDs and
; counters; nothing in this excerpt touches files, the network or other
; processes. Taken alone it neither confirms nor rules out a backdoor; that
; needs the import/export tables and the code reached through sub_18000BA6C.
.text:000000018000BBA4 ; BOOL __stdcall DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
.text:000000018000BBA4 public DllEntryPoint
.text:000000018000BBA4 DllEntryPoint proc near ; DATA XREF: .pdata:000000018001C42Co
.text:000000018000BBA4
.text:000000018000BBA4 var_18 = dword ptr -18h
.text:000000018000BBA4 arg_0 = qword ptr 8
.text:000000018000BBA4 arg_8 = qword ptr 10h
.text:000000018000BBA4 arg_10 = qword ptr 18h
.text:000000018000BBA4
; Prologue: preserve rbx/rsi/rdi, then park the three incoming arguments
; (rcx = hinstDLL, edx = fdwReason, r8 = lpReserved) in those registers so
; they survive the call below.
.text:000000018000BBA4 mov [rsp+arg_0], rbx
.text:000000018000BBA9 mov [rsp+arg_8], rsi
.text:000000018000BBAE push rdi
.text:000000018000BBAF sub rsp, 20h
.text:000000018000BBB3 mov rdi, r8
.text:000000018000BBB6 mov ebx, edx
.text:000000018000BBB8 mov rsi, rcx
; fdwReason == 1 is DLL_PROCESS_ATTACH: only then run the one-time init.
.text:000000018000BBBB cmp edx, 1
.text:000000018000BBBE jnz short loc_18000BBC5
.text:000000018000BBC0 call sub_18000BFDC
.text:000000018000BBC5
.text:000000018000BBC5 loc_18000BBC5: ; CODE XREF: DllEntryPoint+1Aj
; Reload the original three arguments, undo the prologue and tail-jump.
; sub_18000BA6C is outside this excerpt; presumably the CRT DLL startup that
; eventually calls the DLL's own DllMain. Verify in the full disassembly.
.text:000000018000BBC5 mov r8, rdi
.text:000000018000BBC8 mov edx, ebx
.text:000000018000BBCA mov rcx, rsi
.text:000000018000BBCD mov rbx, [rsp+28h+arg_0]
.text:000000018000BBD2 mov rsi, [rsp+28h+arg_8]
.text:000000018000BBD7 add rsp, 20h
.text:000000018000BBDB pop rdi
.text:000000018000BBDC jmp sub_18000BA6C
.text:000000018000BBDC DllEntryPoint endp
//=============================================================================
; NOTE(review): The prototype IDA guessed below is misleading. The "arguments"
; SystemTimeAsFileTime and PerformanceCount are stack slots used as scratch
; storage: their addresses are handed to the API calls as out-parameters.
; DllEntryPoint calls this routine without setting up any arguments for it.
.text:000000018000BFDC ; int __cdecl sub_18000BFDC(struct _FILETIME SystemTimeAsFileTime, LARGE_INTEGER PerformanceCount, __int64)
.text:000000018000BFDC sub_18000BFDC proc near ; CODE XREF: DllEntryPoint+1Cp
.text:000000018000BFDC ; DATA XREF: .pdata:000000018001C498o
.text:000000018000BFDC
.text:000000018000BFDC SystemTimeAsFileTime= _FILETIME ptr 8
.text:000000018000BFDC PerformanceCount= LARGE_INTEGER ptr 10h
.text:000000018000BFDC arg_10 = qword ptr 18h
.text:000000018000BFDC
.text:000000018000BFDC mov [rsp+arg_10], rbx
.text:000000018000BFE1 push rdi
.text:000000018000BFE2 sub rsp, 20h
; Load the current value of the global at qword_18001B040 and zero the
; FILETIME scratch slot.
.text:000000018000BFE6 mov rax, cs:qword_18001B040
.text:000000018000BFED and qword ptr [rsp+28h+SystemTimeAsFileTime.dwLowDateTime], 0
; 2B992DDFA232h is the MSVC CRT's built-in default value for the 64-bit
; security cookie. If the global still holds it, a fresh value is generated.
.text:000000018000BFF3 mov rdi, 2B992DDFA232h
.text:000000018000BFFD cmp rax, rdi
.text:000000018000C000 jz short loc_18000C00E
; Global already differs from the default: just store its bitwise complement
; in qword_18001B048 and return.
.text:000000018000C002 not rax
.text:000000018000C005 mov cs:qword_18001B048, rax
.text:000000018000C00C jmp short loc_18000C084
.text:000000018000C00E ; ---------------------------------------------------------------------------
.text:000000018000C00E
.text:000000018000C00E loc_18000C00E: ; CODE XREF: sub_18000BFDC+24j
; Build a hard-to-predict value by XOR-ing together the system time, process
; ID, thread ID, tick count and performance counter.
.text:000000018000C00E lea rcx, [rsp+28h+SystemTimeAsFileTime] ; lpSystemTimeAsFileTime
.text:000000018000C013 call cs:GetSystemTimeAsFileTime
.text:000000018000C019 mov rbx, qword ptr [rsp+28h+SystemTimeAsFileTime.dwLowDateTime]
.text:000000018000C01E call cs:GetCurrentProcessId
.text:000000018000C024 mov r11d, eax
.text:000000018000C027 xor rbx, r11
.text:000000018000C02A call cs:GetCurrentThreadId
.text:000000018000C030 mov r11d, eax
.text:000000018000C033 xor rbx, r11
.text:000000018000C036 call cs:GetTickCount
.text:000000018000C03C lea rcx, [rsp+28h+PerformanceCount] ; lpPerformanceCount
.text:000000018000C041 mov r11d, eax
.text:000000018000C044 xor rbx, r11
.text:000000018000C047 call cs:QueryPerformanceCounter
.text:000000018000C04D mov r11, qword ptr [rsp+28h+PerformanceCount]
.text:000000018000C052 xor r11, rbx
; Keep only the low 48 bits of the mixed value.
.text:000000018000C055 mov rax, 0FFFFFFFFFFFFh
.text:000000018000C05F and r11, rax
; If the result happens to equal the default constant, use default+1 instead,
; so that "still default" continues to mean "not yet initialised".
.text:000000018000C062 mov rax, 2B992DDFA233h
.text:000000018000C06C cmp r11, rdi
.text:000000018000C06F cmovz r11, rax
; Publish the new value and its bitwise complement.
.text:000000018000C073 mov cs:qword_18001B040, r11
.text:000000018000C07A not r11
.text:000000018000C07D mov cs:qword_18001B048, r11
.text:000000018000C084
.text:000000018000C084 loc_18000C084: ; CODE XREF: sub_18000BFDC+30j
; Epilogue: restore rbx, release the stack frame, restore rdi.
.text:000000018000C084 mov rbx, [rsp+28h+arg_10]
.text:000000018000C089 add rsp, 20h
.text:000000018000C08D pop rdi
.text:000000018000C08E retn
.text:000000018000C08E sub_18000BFDC endp
Quote Link to comment Share on other sites More sharing options...
0 evilgh0st Posted May 30, 2010 Share Posted May 30, 2010 maybe is an old method to bypass security dll. Quote Link to comment Share on other sites More sharing options...
Question
sandeagle
any1 know Sabotage64.dll?
is it a protection dll? or something other?