I haven’t posted anything here in a while and well this just happened yesterday.
VAC ban wave
They are indeed doing something to the timestamps of the modules because
File: vac_module_0_4034d3e194a4d269c43e889593b00bcb.dll Size: 29KB Export TimeStamp: 13/05/2017 4:07:59 AM Debug TimeStamp: 13/05/2017 4:07:59 AM .text hash: 70E41F8439001066DE3FFFB00B1CDE52A0BF9E6F
File: vac_module_0_125e53d20a0cbe4849b7ff5f0130a2bf.dll Size: 29KB Export TimeStamp: 16/05/2017 4:59:39 AM Debug TimeStamp: 16/05/2017 4:59:39 AM .text hash: 3AD50243148A16042AA035749A1AEC049FCEA2A3
Same module, which enumerates drivers that is 100% identical has different timestamps.
signed int __thiscall sub_100021AE(char *this)
{
char *v1; // ebp@1
signed int v2; // ebx@1
int v3; // esi@1
int v4; // eax@2
_DWORD *v5; // esi@2
_DWORD *v6; // edi@6
int v7; // ST38_4@6
int v8; // esi@6
int v9; // eax@6
signed int v10; // eax@8
bool v11; // cf@8
bool v12; // zf@8
int v13; // eax@14
int v14; // esi@16
int v15; // ecx@16
int v16; // eax@16
int v17; // ecx@16
int v18; // eax@16
int v19; // eax@17
int v20; // edi@19
int v21; // eax@19
int v22; // eax@21
int v23; // edx@21
int v24; // esi@21
int v25; // eax@22
int v26; // ecx@23
_DWORD *lpMem; // [sp+4Ch] [bp-2918h]@1
_DWORD *v29; // [sp+50h] [bp-2914h]@13
int v30; // [sp+54h] [bp-2910h]@1
unsigned int v31; // [sp+58h] [bp-290Ch]@6
LPVOID v32; // [sp+5Ch] [bp-2908h]@1
int v33; // [sp+60h] [bp-2904h]@20
int v34; // [sp+64h] [bp-2900h]@1
unsigned int v35; // [sp+68h] [bp-28FCh]@12
int v36; // [sp+6Ch] [bp-28F8h]@20
int v37; // [sp+70h] [bp-28F4h]@20
int v38; // [sp+74h] [bp-28F0h]@1
int v39; // [sp+78h] [bp-28ECh]@16
char v40; // [sp+7Ch] [bp-28E8h]@6
char v41; // [sp+80h] [bp-28E4h]@1
char v42; // [sp+94h] [bp-28D0h]@1
char v43; // [sp+A8h] [bp-28BCh]@1
char v44; // [sp+BCh] [bp-28A8h]@23
int v45; // [sp+12Ch] [bp-2838h]@23
char v46; // [sp+134h] [bp-2830h]@16
char v47; // [sp+135h] [bp-282Fh]@18
char v48; // [sp+234h] [bp-2730h]@21
v1 = this;
v2 = 0;
v30 = 0;
v32 = 0;
lpMem = 0;
v38 = 0;
sub_1000505E(&v43);
sub_1000505E(&v41);
sub_1000505E(&v42);
v3 = ((int (__stdcall *)(_DWORD, _DWORD, signed int))vac_import_tbl.OpenSCManagerA)(0, 0, 4);
v34 = v3;
if ( !v3 )
goto LABEL_2;
v32 = (LPVOID)HeapAllocSimple(0x10000u);
if ( v32 )
{
memset(0x10000);
v6 = v32;
v8 = ((int (__thiscall *)(int, int, signed int, signed int, LPVOID, signed int, char *, unsigned int *, int *))vac_import_tbl.EnumServicesStatusA)(
v7,
v3,
11,
1,
v32,
0x10000,
&v40,
&v31,
&v38);
v9 = ((int (*)(void))vac_import_tbl_ptr->GetLastError)();
if ( !v8 && v9 != 234 )
{
LABEL_2:
v4 = ((int (*)(void))vac_import_tbl_ptr->GetLastError)();
v5 = 0;
LABEL_32:
v2 = v4;
goto LABEL_33;
}
v10 = v31;
v11 = v31 < 0xCB;
v12 = v31 == 203;
*((_DWORD *)v1 + 6) = 0;
if ( !v11 && !v12 )
v10 = 203;
v31 = v10;
v5 = (_DWORD *)HeapAllocSimple(0x1000u);
lpMem = v5;
if ( v5 )
{
v35 = 0;
if ( v31 > 0 )
{
v29 = v6;
while ( 1 )
{
v13 = ((int (__stdcall *)(int, _DWORD, signed int))vac_import_tbl.OpenServiceA)(v34, *v6, 5);
v30 = v13;
if ( !v13
|| !((int (__stdcall *)(int, _DWORD *, signed int, char *))vac_import_tbl.QueryServiceConfigA)(
v13,
v5,
4096,
&v40) )
{
break;
}
((void (__stdcall *)(int))vac_import_tbl.CloseServiceHandle)(v30);
v14 = 20 * *((_DWORD *)v1 + 6);
v15 = *v6;
v30 = 0;
v39 = v14;
v16 = sub_10006495(v15);
*(_DWORD *)&v1[v14 + 36] = sub_10005043(*v6, v16);
memset(256);
v17 = lpMem[3];
sub_10003C47();
v18 = sub_10001A77(&v46);
if ( v18 )
{
v19 = sub_10006495(v18 + 8);
sub_1000633F(v19);
sub_1000633F(6);
}
if ( v47 != 58 )
{
v20 = sub_10006495((char *)off_10007290 + 469);
v21 = sub_10006495(&v46);
sub_1000633F(v21);
sub_1000633F(v20);
*(&v46 + v20) = 92;
v6 = v29;
}
v33 = 0;
v36 = 0;
v37 = 0;
if ( (unsigned __int8)sub_10003677(&v33, &v36) )
{
sub_100043AA(&v48);
v29 = 0;
v22 = sub_100047B1(v33, v36, v37, &v29);
v23 = v39;
*(_DWORD *)&v1[v39 + 44] = v29;
v24 = (int)&v1[v23];
*(_DWORD *)&v1[v23 + 40] = v22;
*(_DWORD *)&v1[v23 + 48] = 0;
*(_DWORD *)&v1[v23 + 52] = 0;
if ( !v22 )
{
v25 = sub_1000480B(&v48);
*(_DWORD *)(v24 + 40) = v25;
if ( !v25 )
{
v45 = 1;
sub_10004FF1(&v44);
if ( (unsigned __int8)sub_10004EA5(&v44, v26) )
sub_10006323(16);
sub_10004FF1(&v44);
sub_10004FF1(&v44);
}
}
if ( ++*((_DWORD *)v1 + 6) >= 0xCBu )
{
sub_10004936(&v48);
sub_10003D1B(&v48);
goto LABEL_5;
}
sub_10004936(&v48);
sub_10003D1B(&v48);
}
v6 += 9;
v5 = lpMem;
++v35;
v29 = v6;
if ( v35 >= v31 )
goto LABEL_33;
}
v4 = ((int (*)(void))vac_import_tbl_ptr->GetLastError)();
goto LABEL_32;
}
}
else
{
v2 = 8;
}
}
else
{
v2 = 8;
LABEL_5:
v5 = lpMem;
}
LABEL_33:
HeapFreeSimple(v5);
HeapFreeSimple(v32);
((void (__stdcall *)(int))vac_import_tbl.CloseServiceHandle)(v30);
((void (__stdcall *)(int))vac_import_tbl.CloseServiceHandle)(v34);
sub_10005089(&v42);
sub_10005089(&v41);
sub_10005089(&v43);
return v2;
}
100% match
Valve what are you up to now… 🙄
