[DiscordArchive] you ever dump warden module PE?
[DiscordArchive] you ever dump warden module PE?
Archived author: Deleted User • Posted: 2025-06-27T11:46:59.130000+00:00
wow itself does it for you........
Archived author: Deamon • Posted: 2025-06-27T11:47:51.309000+00:00
It was an exercise. And back then barely anyone knew anything about warden publicly
Archived author: Deleted User • Posted: 2025-06-27T11:48:42.235000+00:00
most people nowadays know about the warden func in .text, but not how to build a proper PE and how to find it in dynamic memory etc.
Archived author: Deamon • Posted: 2025-06-27T11:48:43.099000+00:00
Also, kek. I looked at how I did the decode. Turns out I just copy-pasted the asm code from IDA, lol
```pascal
// decode_warden: XORs a buffer in place with a keystream derived from a
// 258-byte state block (256-byte table at [arc+0..0FFh], two index bytes at
// [arc+100h] and [arc+101h]).
//
// If arc1 <> arc, the 258-byte state is first copied from arc1 to arc
// (40h dwords + 1 word). The buffer is then processed four bytes at a time
// while full dwords remain, and one byte at a time for the tail.
//
// The index-advance / make_byte / table-lookup pattern looks like the RC4
// keystream loop, assuming make_byte swaps the two bytes it is handed.
// make_byte is defined elsewhere -- confirm against its body.
//
// Parameters (cdecl; read by hand through ebp with the IDA-style offsets
// declared below -- this assumes the compiler emits the usual
// push ebp / mov ebp, esp frame, which is not visible in this block):
//   warden_module  [ebp+arg_0]  buffer to decode, modified in place
//   warden_size    [ebp+arg_4]  number of bytes to process
//   arc1           [ebp+arg_8]  source state, copied to arc when the pointers differ
//   arc            [ebp+arg_C]  working state, read up to offset 101h
//
// NOTE(review):
//   - There are no nil or length checks. arc (and arc1 when copied) must
//     cover at least 102h bytes, and warden_module must be writable for
//     warden_size bytes; anything shorter is an out-of-bounds access.
//   - The top byte of the arg_8 and arg_C stack slots is reused as scratch
//     for the two running index bytes once the pointers are in esi/ebx.
//   - The running index bytes are not stored back to [arc+100h]/[arc+101h]
//     anywhere in this block.
//   - var_4 is written before three of the make_byte calls but never read here.
procedure decode_warden(warden_module:pointer; warden_size:cardinal;
arc1:pointer; arc:pointer); cdecl;
// Stack-frame offsets relative to ebp, named the way the disassembly named them.
const var_8=-8;
var_4=-4;
arg_0=8 ;
arg_4=$0C;
arg_8=$10;
arg_C=$14;
asm
// Reserve 8 bytes for var_8 / var_4, then save the registers used below.
sub esp, 8
push ebx
mov ebx, [ebp+arg_C]
push esi
mov esi, [ebp+arg_8]
// ebx = arc, esi = arc1. Skip the copy when both point at the same state.
cmp esi, ebx
push edi
jz @loc_622CDE
// Copy 40h*4 + 2 = 102h bytes from arc1 to arc.
// Assumes the direction flag is clear on entry -- not set in this block.
mov ecx, 40h
mov edi, ebx
rep movsd
movsw
@loc_622CDE:
// Load the first index byte from [arc+100h] and keep it in the top byte of
// the arg_8 slot; the second index byte from [arc+101h] stays in al.
movzx eax, byte ptr [ebx+100h]
mov ecx, [ebp+arg_4]
// var_8 = warden_size rounded down to a multiple of 4 (end of the dword loop).
and ecx, 0FFFFFFFCh
mov byte ptr [ebp+arg_8+3], al
mov al, [ebx+101h]
mov [ebp+var_8], ecx
// esi = byte offset into the buffer. mov (not xor) is required here: the jbe
// below still tests the flags left by the `and` above, and mov/movzx leave
// flags untouched. `and` clears CF, so jbe is taken only when the rounded
// size is zero, i.e. there is no full dword to process.
mov esi, 0
jbe @loc_622DE3
@loc_622D02:
// ---- dword loop, keystream byte 0 ----
// Advance the first index, add table[first] to the second index, call
// make_byte with eax/ecx pointing at table[second]/table[first].
mov cl, byte ptr [ebp+arg_8+3]
add cl, 1
mov byte ptr [ebp+arg_8+3], cl
movzx ecx, cl
add al, [ecx+ebx]
add ecx, ebx
movzx edx, al
lea edi, [edx+ebx]
mov byte ptr [ebp+arg_C+3], al
mov eax, edi
call make_byte
// The code after each call reads through edi/eax and ecx again, so make_byte
// is assumed to leave those pointers intact -- verify in make_byte.
movzx eax, byte ptr [edi]
add al, [ecx]
movzx ecx, al
mov al, byte ptr [ebp+arg_8+3]
// edi = keystream byte 0 (bits 0..7 of the dword being assembled).
movzx edi, byte ptr [ecx+ebx]
// ---- keystream byte 1 ----
add al, 1
movzx edx, al
mov byte ptr [ebp+arg_8+3], al
mov al, byte ptr [ebp+arg_C+3]
add al, [edx+ebx]
lea ecx, [edx+ebx]
mov byte ptr [ebp+arg_C+3], al
movzx eax, al
add eax, ebx
mov [ebp+var_4], eax
call make_byte
movzx eax, byte ptr [eax]
add al, [ecx]
// Load the looked-up byte into dh so edx holds it already shifted to bits 8..15.
xor edx, edx
movzx ecx, al
mov dh, [ecx+ebx]
// ---- keystream byte 2 (index update interleaved with merging byte 1) ----
mov al, byte ptr [ebp+arg_8+3]
add al, 1
mov byte ptr [ebp+arg_8+3], al
or edi, edx
movzx edx, al
mov al, byte ptr [ebp+arg_C+3]
add al, [edx+ebx]
lea ecx, [edx+ebx]
mov byte ptr [ebp+arg_C+3], al
movzx eax, al
add eax, ebx
mov [ebp+var_4], eax
call make_byte
mov edx, eax
movzx eax, byte ptr [edx]
add al, [ecx]
movzx ecx, al
mov al, byte ptr [ebp+arg_8+3]
movzx edx, byte ptr [ecx+ebx]
// ---- keystream byte 3 (index update interleaved with merging byte 2) ----
add al, 1
mov byte ptr [ebp+arg_8+3], al
movzx eax, al
lea ecx, [eax+ebx]
mov al, byte ptr [ebp+arg_C+3]
add al, [ecx]
// Byte 2 goes to bits 16..23.
shl edx, 10h
or edi, edx
movzx edx, al
mov byte ptr [ebp+arg_C+3], al
lea eax, [edx+ebx]
mov [ebp+var_4], eax
call make_byte
mov dl, [eax]
add dl, [ecx]
// Advance the offset first; the store below compensates with -4.
add esi, 4
movzx eax, dl
movzx ecx, byte ptr [eax+ebx]
mov eax, [ebp+arg_0]
// Byte 3 goes to bits 24..31; ecx = the full 4-byte keystream word.
shl ecx, 18h
or ecx, edi
// XOR the keystream word into the buffer dword just stepped past.
xor [esi+eax-4], ecx
cmp esi, [ebp+var_8]
// Reload the second index into al for the next iteration (mov keeps the cmp flags).
mov al, byte ptr [ebp+arg_C+3]
jb @loc_622D02
@loc_622DE3:
// ---- tail: remaining warden_size mod 4 bytes, one at a time ----
cmp esi, [ebp+arg_4]
jnb @loc_622E2F
jmp @loc_622DF3
// Unreachable (follows an unconditional jmp); likely alignment padding
// carried over from the disassembly.
lea ebx, [ebx+0]
@loc_622DF0:
mov al, byte ptr [ebp+arg_C+3]
@loc_622DF3:
// Same step as in the dword loop, producing a single keystream byte.
mov cl, byte ptr [ebp+arg_8+3]
add cl, 1
movzx edx, cl
add al, [edx+ebx]
mov byte ptr [ebp+arg_8+3], cl
lea ecx, [edx+ebx]
mov byte ptr [ebp+arg_C+3], al
movzx eax, al
lea edi, [eax+ebx]
mov eax, edi
call make_byte
mov dl, [edi]
add dl, [ecx]
add esi, 1
movzx eax, dl
movzx ecx, byte ptr [eax+ebx]
mov eax, [ebp+arg_0]
// XOR one keystream byte into the buffer byte just stepped past.
xor [esi+eax-1], cl
cmp esi, [ebp+arg_4]
jb @loc_622DF0
@loc_622E2F:
// Restore saved registers and drop the 8-byte local area. No pop ebp / ret
// appears here; presumably the compiler-generated epilogue supplies them.
pop edi
pop esi
pop ebx
mov esp, ebp
end;
```
Archived author: Deamon • Posted: 2025-06-27T11:49:23.799000+00:00
hilarious