Home

Awesome

GameGuard String Decryption (IDA)

This script is designed to identify the decryption function within any GameGuard module, decrypt strings passed to it and subsequently label them in both the decompilation and assembly, while also outputting them to a file.

Usage

Load your preferred GameGuard module dump into IDA, then utilize File -> Script File to load it.

Notes

Some interesting strings to look out for:

x64dbg.exe
[IsScanSkip] skip: WhiteList. %d, %ws
d3dhook.dll
Inject Check: %lu, %s
SUSPECT_KERNEL_MANIPULATION
Scan64Thread SuspendThread
checkp text section md5 : %s
checkp md5 : %d, %s
GG_GRT_VIRUS
\kaspersky lab\
MD5 Succ %d %d
BinaryPattern Succ %d %d
Check threads(%d): h:%d %d (%d)
e8: %x %x (%x): %x %x %x %x %x %x %x %x %x
[LS] checkpkernelmem, addr: %p, base: %p size: %x, image: %s, i: %d
(PID: %lu, Ret: %p) BitBlt(%x, %d, %d, %d, %d, %x, %d, %d, %x)
process allowed, API : %02x, procHash : %08x