
psupdate_research

The OllyDbg parts happen inside psupdate.exe.

0. Beginning of setfile.lst
That's just for info.


1. setfile.lst version
The file setfile.lst has a version number. It's stored in the first bytes of the file.



That's version 3801. Keeping this value all the time is a good idea.

This version number (from the downloaded setfile.lst) is compared with limit values.

asm

00402C5E  |.  3D 00380000   CMP EAX,3800 <- lower limit
00402C63  |.  0F86 F5080000 JBE 0040355E
00402C69  |.  3D FF380000   CMP EAX,38FF <- upper limit
00402C6E  |.  0F83 EA080000 JNB 0040355E


If the version is not strictly between these two limits, the following steps are skipped.

2. setfile.lst file number
The next step is a "comparison" with the number of files listed inside the setfile.lst file. I added quotes because it just checks that it isn't null.
For instance:


And the comparison:

asm

00402C7E  |.  8B47 04       MOV EAX,DWORD PTR DS:[EDI+4] <- number of files loaded into EAX
00402C81  |.  83C4 04       ADD ESP,4
00402C84  |.  3BC3          CMP EAX,EBX <- compared with EBX


EBX seems to be always null. The jump following this is a JBE so it's just checking if it's null or negative.
I assume that EBX should contain another value, but it doesn't seem to work.

If it's null or negative, the following steps are skipped.

3. Filtering loop
After all those checks, the fun begins. We finally enter the loop filtering which file is to be downloaded.

a. Shifting cursor to the first file info
The first piece of file information is located 4C (hex) bytes after the beginning of the file. The cursor offset seems to be stored in EBP.

asm

00402C94  |.  83C5 4C       ADD EBP,4C

That brings us here:



b. Number of files
The number of files from the local setfile.lst is loaded into EAX.

asm

00402CA0  |> >A1 FC0A4400   MOV EAX,DWORD PTR DS:[440AFC]            ; ASCII "WF"


If you don't have an old setfile, the loop is exited and the whole client is downloaded.

c. Filetime structure
This section is about the mysterious value, which is actually a time.
It's stored in a structure called FILETIME (http://msdn.microsoft.com/en-us/library/ms724284%28v=VS.85%29.aspx), defined like this:


It consists of two DWORD (32-bit / 4-byte) values.
For instance, for the file GameGuard.des it's:


LowDateTime = 75 ED 21 10
HighDateTime = 10 C6 0A 3F

d. Filetime comparison
A pointer to the current file's last write time, taken from the new setfile.lst, is loaded into ECX and pushed onto the stack.

asm

00402CE6      8D4D 08       LEA ECX,[EBP+8]
00402CE9      51            PUSH ECX                                 ;  FileTime2 = 0FF00CC -> {LowDateTime=75ED2110,HighDateTime=1C60A3F}


A pointer to the current file's last write time, taken from the old setfile.lst, is loaded into EDX and pushed onto the stack.

asm

00402CEA      8D90 4C0B4400 LEA EDX,[EAX+440B4C]                     ;
00402CF0      52            PUSH EDX                                 ;  FileTime1 = psupdate.440BA4 -> {LowDateTime=75ED2110,HighDateTime=1C60A3F}


Then the two are compared:

asm

CPU Disasm
Address   Hex dump          Command                                  Comments
00402CF1      FF15 80F04100 CALL DWORD PTR DS:[<&KERNEL32.CompareFil ;  KERNEL32.CompareFileTime


e. KERNEL32.CompareFileTime
Just read: http://msdn.microsoft.com/en-us/library/ms724214%28VS.85%29.aspx
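
The checks traced above, replayed offline as an added example (not code from psupdate.exe or from the original page). It assumes the version and file count are little-endian DWORDs at offsets 0 and 4, and takes the 4C and +8 offsets from the disassembly; the function names and the sample file are constructed for illustration, and the rest of the entry layout is not covered here.

```python
import struct
from datetime import datetime, timedelta, timezone

VERSION_LOW, VERSION_HIGH = 0x3800, 0x38FF  # limits from the two CMP EAX instructions
FIRST_ENTRY = 0x4C                           # ADD EBP,4C
FILETIME_IN_ENTRY = 0x08                     # LEA ECX,[EBP+8]

def header_ok(data):
    """Mirror the two gates that run before the filtering loop."""
    # Assumption: version and file count are little-endian DWORDs at 0 and 4.
    version, count = struct.unpack_from("<II", data, 0)
    # JBE and JNB are unsigned jumps, so only 0x3801..0x38FE gets through.
    if not (VERSION_LOW < version < VERSION_HIGH):
        return False
    # CMP EAX,EBX with EBX observed as 0: an empty file list is rejected.
    return count != 0

def first_filetime(data):
    """Return (LowDateTime, HighDateTime) of the first file entry."""
    return struct.unpack_from("<II", data, FIRST_ENTRY + FILETIME_IN_ENTRY)

def compare_filetime(ft1, ft2):
    """Same result convention as CompareFileTime: -1, 0 or 1."""
    a = (ft1[1] << 32) | ft1[0]
    b = (ft2[1] << 32) | ft2[0]
    return (a > b) - (a < b)

def filetime_to_utc(ft):
    """FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC."""
    ticks = (ft[1] << 32) | ft[0]
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(microseconds=ticks // 10)

def build_sample(version, count, low, high):
    """Constructed sample file: only the fields described on this page are set."""
    buf = bytearray(FIRST_ENTRY + FILETIME_IN_ENTRY + 8)
    struct.pack_into("<II", buf, 0, version, count)
    struct.pack_into("<II", buf, FIRST_ENTRY + FILETIME_IN_ENTRY, low, high)
    return bytes(buf)

if __name__ == "__main__":
    # Values from the debugger comment: LowDateTime=75ED2110, HighDateTime=1C60A3F
    new = build_sample(0x3801, 1, 0x75ED2110, 0x01C60A3F)
    old = build_sample(0x3801, 1, 0x75ED2110, 0x01C60A3F)
    print("header ok:", header_ok(new))
    print("last write:", filetime_to_utc(first_filetime(new)))
    print("compare:", compare_filetime(first_filetime(old), first_filetime(new)))
```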

f. Choice
I didn't really go after that, too lazy.
But I assume that, depending on the CompareFileTime result, it rewrites the setfile.lst data. After that, for each file it compares the filetime and decides whether or not to download it. No clue :P .

4. Moar
To get the values for the structure:
http://msdn.microsoft.com/en-us/library/ms724926%28v=VS.85%29.aspx
http://msdn.microsoft.com/en-us/library/ms724320%28VS.85%29.aspx