Dumping Process Memory Using Scylla


Disclaimer

The information included in this post is for educational purposes only. Any material on this webpage may not be reproduced, retransmitted, or redisplayed other than for personal or educational use. While I aim to provide informative content, I cannot guarantee that following these instructions will not result in any consequences, including account bans or actions taken by third-party services. By using this information, you acknowledge that you do so at your own risk and agree that I am not responsible for any results that may arise from your actions.

Introduction

A memory dump is a file that captures the contents of a device's RAM belonging to a specific program at a given moment. Such dumps are valuable for digital forensics, debugging, and performance analysis. Process memory dumps, which focus on the memory of one running process, expose variables, function calls, and other critical data. However, standard memory dumping techniques often fall short with packed executables or those protected by anti-cheat systems. Packed executables use compression and obfuscation to make it harder to recover their original code, and anti-cheat systems actively monitor and restrict access to process memory, complicating traditional memory dumps. To address these challenges, analysts may use PE memory dumps, which target the memory of a running process associated with a Portable Executable (PE) file in order to capture its unpacked state. I will be evaluating the "cod.exe" executable.

cod.exe Executable Analysis

The "cod.exe" executable is the executable file associated with the "Call of Duty" series; its file description is "Call of Duty® HQ". "cod.exe" is protected by RICOCHET Anti-Cheat, an anti-cheat system that operates at the kernel level of the operating system rather than at the application level. This gives RICOCHET Anti-Cheat deeper access to system resources and processes, improving its ability to detect and prevent cheating in online games. We can use "Detect It Easy (DiE)" to analyze the executable.

Once you have saved the compressed (zipped) folder of "Detect It Easy (DiE)" into the directory of your choice, extract its contents into that directory. Enter the directory of the extracted contents and open Detect It Easy (DiE).

Once you have Detect It Easy (DiE) open, ensure that, in the "Signatures" section, you have "Heuristic scan" checked in addition to "Recursive scan", "Deep scan", and "Verbose". Then, left-click on the button that reads "..." in the "File name" section. In the File Explorer instance that opens, head to where you have the "cod.exe" executable installed. Left-click on the executable, and then left-click on "Open" to begin the scan.

After the scan has completed, you should see the following text under "PE64": "Packer: Packer detected(Heuristic)[Section names repeating + High entropy + Section 0 (".text") compressed]". This means that, although no specific protector was identified by signature matching, the "cod.exe" executable is packed according to the following heuristics: 1) section names are repeating, 2) there is high entropy, and 3) section 0 (".text") is compressed. In general, high entropy can indicate, but not prove, that data has been encrypted or compressed; unencrypted data can also exhibit high entropy if it is inherently random.

To examine the entropy of the "cod.exe" executable, tick the "Advanced" checkbox. A selection of additional buttons will appear. Left-click on the "Entropy" button. A new window detailing the entropy of the "cod.exe" executable will open. You should see that 97% of the executable is packed, meaning that a significant portion of it has been compressed or obfuscated by a packing algorithm. Because of this, static analysis tools such as Ghidra and IDA Pro cannot meaningfully analyze the on-disk "cod.exe" executable. Therefore, you will need to dump the unobfuscated code from the memory of a running game process. You can use Scylla to dump processes together with their imports.
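To make the three heuristics in the DiE result and its "packed %" figure concrete, here is an added example (my own code, not DiE's, Scylla's, or anything shipped with the game) that parses a PE section table with the standard library and applies the same kind of checks. The 7.0 bits/byte threshold, the 1024-byte entropy window, and the rule that a compressed first section is high-entropy on disk while declaring a VirtualSize larger than its raw data are this example's assumptions; DiE's exact rules are not published on this page. The two PE images it analyses are constructed in memory, one shaped like a packed binary and one like an ordinary build. Run the same function over the on-disk "cod.exe" and over the dump Scylla writes, and the packed indicators should clear on the dump, which is a quick way to confirm the dump actually captured the unpacked state.

```python
"""Packer heuristics over a PE section table (added example; not DiE's or Scylla's code)."""
import math
import random
import struct
from collections import Counter

HIGH_ENTROPY = 7.0  # bits per byte (assumed threshold; 8.0 is the maximum for byte data)
WINDOW = 1024       # bytes per entropy window (assumed)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; compressed or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def packed_fraction(data: bytes) -> float:
    """Share of fixed-size windows above HIGH_ENTROPY, a rough analogue of DiE's 'packed %'."""
    windows = [data[i:i + WINDOW] for i in range(0, len(data), WINDOW)]
    if not windows:
        return 0.0
    return sum(shannon_entropy(w) >= HIGH_ENTROPY for w in windows) / len(windows)


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table.

    Returns [(name, virtual_size, raw_bytes), ...] in file order.
    """
    if pe[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]   # IMAGE_FILE_HEADER.NumberOfSections
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]      # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = coff + 20 + size_opt
    sections = []
    for i in range(num_sections):
        name, vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def packer_heuristics(pe: bytes) -> dict:
    """The three DiE-style indicators from the scan result, plus a packed fraction."""
    sections = parse_sections(pe)
    names = [s[0] for s in sections]
    first_name, first_vsize, first_raw = sections[0]
    body = b"".join(s[2] for s in sections)
    return {
        "section_names_repeating": len(names) != len(set(names)),
        "high_entropy": shannon_entropy(body) >= HIGH_ENTROPY,
        # assumption: a compressed first section is high-entropy on disk and declares a
        # VirtualSize larger than its raw data, because the unpacker expands it in place
        "section_0_compressed": shannon_entropy(first_raw) >= HIGH_ENTROPY and first_vsize > len(first_raw),
        "section_0_name": first_name,
        "packed_fraction": packed_fraction(body),
    }


def build_pe(sections) -> bytes:
    """Construct a minimal PE32+ image (headers, section table, raw data) for the demo; not loadable."""
    e_lfanew, size_opt, file_align = 0x40, 0xF0, 0x200
    headers_end = e_lfanew + 4 + 20 + size_opt + 40 * len(sections)
    aligned = (headers_end + file_align - 1) & ~(file_align - 1)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, size_opt, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * (size_opt - 2)
    table, blobs, raw_ptr, va = b"", b"", aligned, 0x1000
    for name, vsize, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             vsize, va, len(raw), raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += raw
        raw_ptr += len(raw)
        va += (max(vsize, len(raw)) + 0xFFF) & ~0xFFF
    image = dos + b"PE\0\0" + coff + opt + table
    return image + b"\0" * (aligned - len(image)) + blobs


# Constructed samples: a 'packed' layout (two sections named .text, a high-entropy first
# section that expands 16x at load) and a plain layout whose code section is low-entropy text.
_rng = random.Random(0xC0D)
PACKED_BLOB = bytes(_rng.getrandbits(8) for _ in range(16384))        # stands in for compressed code
STUB = b"push rbp; mov rbp, rsp; call unpack; pop rbp; ret\n" * 10     # low-entropy loader stub
PLAIN_CODE = b"int main(void) { return check_license() ? run() : 1; }\n" * 150

PACKED_PE = build_pe([(".text", 0x40000, PACKED_BLOB), (".text", len(STUB), STUB)])
PLAIN_PE = build_pe([(".text", len(PLAIN_CODE), PLAIN_CODE), (".rdata", 64, b"\0" * 64)])

if __name__ == "__main__":
    for label, pe in (("packed sample", PACKED_PE), ("plain sample", PLAIN_PE)):
        print(label, packer_heuristics(pe))
```

To use it on a real file, replace `PACKED_PE` with `open(path, "rb").read()`. Note that the heuristics are deliberately weak evidence on their own: a resource section full of compressed media will push `packed_fraction` up without any packer present, which is why DiE reports them as a heuristic verdict rather than a signature match.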

Warning

Attaching any tool that RICOCHET Anti-Cheat classifies as unauthorized software, or as software that could be used to manipulate game data, such as Scylla, may cause Activision Publishing, Inc. to flag your account, which could eventually lead to a game ban.

Instructions

The following instructions dump the memory of a process, "cod.exe" in this case, using Scylla:

1. Visit this URL and left-click on "Scylla_v0.9.8.rar". Save the compressed archive "Scylla_v0.9.8" into the directory of your choice.

2. Head to the location of the completed download and extract the contents of the compressed archive "Scylla_v0.9.8" into the directory of your choice.

3. Launch Call of Duty®.

4. Open Resource Monitor. You should see the "cod.exe" executable, along with its associated process identifier, in the list of processes. Right-click on it and left-click on "Suspend Process".

5. Open Scylla. Left-click on the drop-down in the "Attach to an active process" section. This drop-down lists every process currently running on your device. You should see the "cod.exe" executable listed here, along with its process identifier and the file path of the executable. Left-click on the "cod.exe" entry whose process identifier matches the one you suspended in step 4. Scylla will then analyze the "cod.exe" process, parse and load the modules it detects as belonging to it, and determine the address and size of its image base.

6. In Scylla, left-click on "Dump" to generate a PE memory dump. Save the resulting executable into the directory of your choice. You can now close Scylla, resume the "cod.exe" process in Resource Monitor, close Resource Monitor, and close Call of Duty®.