|
simple, 99.9% of them all use WriteProcessMemory to patch in the trainer code...
so we could have a tool (i guess i could make it if needed) which 'caught' the api call, and outputed what it would write, the size, and the location
we do this on both trainers, and analyse the code that would be injected...
we then compare it (taking rva's into account) and look for similar or identical byte patterns, which gives us a very early indication to the uniqueness of them (or otherwise)
__________________
bleh
DO NOT PM me with questions, leave that in the forums...ESPECIALLY if i dont know you...
|