I just got free today, and I noticed that somebody managed to make a tiny # on 20/7. I am pretty new to #, but I have some experience in C++ coding and reverse engineering. This is what I got from disassembling saseapub.dll, and I found it does not have much code in it.

first main function:

Code:

    ; BOOL __stdcall DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
    _DllMain@12 proc near

    Buffer= byte ptr -0Ch
    var_B= dword ptr -0Bh
    var_7= byte ptr -7
    var_6= byte ptr -6
    var_4= dword ptr -4
    hLibModule= dword ptr 4
    fdwReason= dword ptr 8
    lpvReserved= dword ptr 0Ch

    sub esp, 0Ch
    mov eax, dword_10004000
    xor eax, esp
    mov [esp+0Ch+var_4], eax
    mov eax, [esp+0Ch+hLibModule]
    push eax ; hLibModule
    call ds:DisableThreadLibraryCalls
    cmp [esp+0Ch+fdwReason], 1
    jnz loc_100021E1

session function:

Code:

    push ebx
    push esi
    mov esi, ds:GetModuleHandleA
    push offset ProcName ; "RtlEnterCriticalSection"
    push offset ModuleName ; "ntdll.dll"
    call esi ; GetModuleHandleA
    push eax ; hModule
    call ds:GetProcAddress
    xor ebx, ebx
    mov cl, 90h
    mov [esp+14h+Buffer], 0E9h
    mov byte ptr [esp+14h+var_B], bl
    mov byte ptr [esp+14h+var_B+1], bl
    mov byte ptr [esp+14h+var_B+2], bl
    mov byte ptr [esp+14h+var_B+3], bl
    mov [esp+14h+var_7], cl
    mov [esp+14h+var_6], cl
    cmp byte ptr [eax], 64h
    push ebx ; lpNumberOfBytesWritten
    jnz short loc_10002166

invoke key function

Code:

    loc_100021E1:
    mov ecx, [esp+0Ch+var_4]
    xor ecx, esp
    xor eax, eax
    call sub_100021F4
    add esp, 0Ch
    retn 0Ch
    _DllMain@12 endp

catch memory function

Code:

    lea ecx, [eax+7]
    mov edx, offset loc_10002040
    sub edx, eax
    mov dword_100047A0, ecx
    sub edx, 5
    push 7
    lea ecx, [esp+1Ch+Buffer]
    mov [esp+1Ch+var_B], edx
    push ecx
    jmp short loc_10002184

modify memory value function

Code:

    loc_10002166:
    lea edx, [eax+5]
    mov ecx, offset loc_10001FB0
    sub ecx, eax
    mov dword_100047A0, edx
    sub ecx, 5
    push 5 ; nSize
    lea edx, [esp+1Ch+Buffer]
    mov [esp+1Ch+var_B], ecx
    push edx ; lpBuffer

repatch to memory

Code:

    loc_10002184: ; lpBaseAddress
    push eax
    push 0FFFFFFFFh ; hProcess
    call ds:WriteProcessMemory
    cmp dword_10004798, ebx
    jnz short loc_100021B9

allocate new call function

Code:

    push edi
    mov edi, ds:Sleep
    lea esp, [esp+0]

intercept d3d function

Code:

    loc_100021A0: ; "d3d8.dll"
    push offset aD3d8_dll
    call esi ; GetModuleHandleA
    push 64h ; dwMilliseconds
    mov dword_10004798, eax
    call edi ; Sleep
    cmp dword_10004798, ebx
    jz short loc_100021A0

thread handling function

Code:

    loc_100021B9: ; lpThreadId
    push ebx
    push ebx ; dwCreationFlags
    push ebx ; lpParameter
    push offset StartAddress ; lpStartAddress
    push ebx ; dwStackSize
    push ebx ; lpThreadAttributes
    call ds:CreateThread
    pop esi
    mov eax, 1
    pop ebx
    mov ecx, [esp+0Ch+var_4]
    xor ecx, esp
    call sub_100021F4
    add esp, 0Ch
    retn 0Ch

There are many more sub functions, I think approximately another 21 subs. I'm too lazy to paste them out. If someone is good at reverse engineering, maybe you can email me. We will figure this out together.

Oh yeah, by the way, this code wasn't used to write this DLL. I was not able to disassemble them into classes, so that is why we have to go through very low-level programming.

Anyhow, I will try to work on this over the next few days and see if I can release a patch to make the sa sea undetected. But there is no guarantee GameGuard will detect my code after that. If I can reverse this saseapub.dll code, so can GameGuard.

I don't understand at all.

This is no longer working, it was d3d8.
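The buffer assembled in the listing above (0E9h, a four-byte displacement, then 90h padding, written over the start of RtlEnterCriticalSection) is an inline jump patch. As an added example, not part of the original posts, this sketch shows how a defender can decode such a patch from a function's first bytes and flag a jump that leaves the owning module. The function address, the ntdll range and all helper names are constructed assumptions; only the two jump destinations come from the listing.

```python
import struct

JMP_REL32 = 0xE9  # byte stored in Buffer[0] in the listing
NOP = 0x90        # byte stored in var_7 / var_6 (padding of the 7-byte patch)

def decode_patch(buf, patched_at):
    """Decode 'E9 rel32 [90 ...]'; return (jump_target, resume_addr) or None."""
    if len(buf) < 5 or buf[0] != JMP_REL32:
        return None
    (rel32,) = struct.unpack_from("<i", buf, 1)
    # rel32 counts from the end of the 5-byte JMP, hence the 'sub ..., 5'
    target = (patched_at + 5 + rel32) & 0xFFFFFFFF
    pad = 0
    while 5 + pad < len(buf) and buf[5 + pad] == NOP:
        pad += 1
    # resume address corresponds to the value kept in dword_100047A0 (eax+5 / eax+7)
    return target, patched_at + 5 + pad

def find_inline_hook(prologue, func_addr, mod_base, mod_size):
    """Report a prologue whose first instruction jumps outside its own module."""
    decoded = decode_patch(prologue, func_addr)
    if decoded is None:
        return None
    target, resume = decoded
    if mod_base <= target < mod_base + mod_size:
        return None  # jump stays inside the module: not reported
    return {"target": target, "resume": resume}

# --- constructed sample data (assumptions, not taken from a real process) ---
NTDLL_BASE, NTDLL_SIZE = 0x7C900000, 0x000B0000
FUNC_ADDR = 0x7C901000

def sample_patch(dest, total_len):
    """Build sample bytes with the same arithmetic as the listing, for testing."""
    rel = (dest - FUNC_ADDR - 5) & 0xFFFFFFFF
    return bytes([JMP_REL32]) + struct.pack("<I", rel) + bytes([NOP]) * (total_len - 5)

PATCH_5 = sample_patch(0x10001FB0, 5)  # loc_10002166 path (push 5)
PATCH_7 = sample_patch(0x10002040, 7)  # 7-byte path (push 7)
CLEAN = bytes.fromhex("64a1180000008b")  # constructed prologue starting with 64h

if __name__ == "__main__":
    for name, data in (("5-byte", PATCH_5), ("7-byte", PATCH_7), ("clean", CLEAN)):
        print(name, find_inline_hook(data, FUNC_ADDR, NTDLL_BASE, NTDLL_SIZE))
```
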