[Tutorial]How to unpack Game.exe

Discussion on [Tutorial]How to unpack Game.exe within the Battle of the Immortals forum part of the MMORPGs category.

Old   #1

In this tutorial you will learn how to bypass the IsDebuggerPresent function from VMProtect and how to unpack the Game.exe from BoI.
This tutorial was originally written by "PHANTOM28" from S.N.O.X.D!
I only removed some typos and added the way to find the second address needed for the OEP rebuild.


Index:
  1. Requirements
  2. Preparations
  3. Unpacking Game.exe
  4. Fixing the IAT
  5. Afterthought

1. Requirements
  1. OllyDbg 1.10, unmodified
  2. In Olly we need the plugins:
    - StrongOD
    - OllyDump
  3. Any Hex Editor
  4. ImpRec V1.7
  5. Universal Import Fixer (UIF)
  6. Brain.exe
2. Preparations
We need to set up OllyDbg to make it invisible; if we don't do this, the game will detect it and close itself.
Extract Olly, get the plugins and start it once, then close it (it will ask to patch the window class names, press OK).
Now open ollydbg.ini and search for the text "fengyue". You will find the StrongOD settings; change the Drivername from "fengyue0" to something different (for example "XXXXXXX0"), then save and close ollydbg.ini.

Now open your hex editor and load OllyDbg; we need to make some changes here.
First search for the text "fengyue" and change it to (for example) "XXXXXXX".
The next thing to do is to search for the text "ACPU" and change all occurrences to (for example) "AXXX".

Ok, now we need to set up the options of StrongOD (change them to what you see in the picture):

(picture not included in this copy)

Now change the OllyDbg debugging options to the following:

(picture not included in this copy)

Ok, if everything is right, close Olly, open it again and open Game.exe from the bin folder. To test your Olly, press Run (F9) twice; if the game just runs like normal, that means you have already bypassed the IsDebuggerPresent check. But if you put a breakpoint in the code section you will see that the program detects it and stops; that is the VM protection, and that is what we are going to unpack now, see the next part.

3. Unpacking Game.exe
Load Game.exe in Olly; you will break at the system breakpoint in the ntdll section. Press Run (F9) and you will break at the EP.

Here you must find the call to the VMProtect function, so I will show you the easy way.
Press Ctrl+G and search for the expression "VirtualProtect".

Put a soft breakpoint on it with a double click or F2.
In the stack window (the one in the bottom right corner) you will see this:

(picture not included in this copy)

(Don't remove the BP yet!)
If you follow the address "00401000" in the dump you will see that it is empty, so press Run (F9) until you see that the memory at 00401000 gets filled.

That means the code section is filled and now we can set a break in that section, so delete the BP at the beginning of the function and press F8 until you reach the RETN 10.

After this, if we press F7 or F8 we will be at the EP again, and that is where we want to be this time, so press F7 or F8.

Now go to the Memory map tab (press the M in the Olly menu bar), select the code section, set a memory breakpoint on access and press F9.

The instruction we break at is the function we need to find to fix our OEP, so save this address, we will need it later.
First delete the memory BP, then go to the RETN at the end of this function and put a BP on it.

Press Run to get there, delete the soft breakpoint, press F7 and you will be at the EP again.

Follow the application with Ctrl+F8 (or F7, the long way) until you find the call where the window is created. Set a BP on that call, restart and run till that call, press F7 and animate (Ctrl+F8) till the next call. You might want to do that 3 or 4 times.

At the 3rd or 4th call, press Ctrl+G and go to "GetStartupInfoA", scroll down to the RETN, set a BP there and press F9; after that press F7 or F8 to leave the function.

Now 7 lines above where you landed, the second address we need can be found (the instruction is "PUSH 60"). So save that address as well!

Now we need to rebuild our OEP: go to the free space at the end and assemble the following two lines:

Code:
CALL <Address1>
JMP <Address2>


After you have assembled these instructions, you need to set the new origin on the CALL. Now you can create your dump, so use the OllyDump plugin for this, without the "Rebuild Import" option checked.

Great, you just unpacked VMProtect =)
You can test this dump file and you will see that it works, but if you send that dump file to another OS it won't work, and you will feel frustrated.. =(

But don't worry, we are not finished here; you need to fix the dump file so it can run on other OSes too.

4. Fixing the IAT
After creating an unpacked dump file that works, you need to fix the IAT so the dump will work on other OSes too.

Run your dump file in Olly and break at the EP you created (press F9 twice). Now you need the process ID of your dump; to get it you can use Task Manager or something similar, or just run cmd.exe and execute the command "tasklist".

After that, run the Universal Import Fixer (UIF), input the PID of your dump and leave "Code Start/End" and "New IAT VA" untouched (meaning 0).
Press "Start" and let it work; when it has finished you will see something like this:

(picture not included in this copy)

The info that is shown after "Fixing Success..." is what we need now to fix the dump, so start ImpRec.
Attach to the process of the dump file. If you click the "AutoSearch" button you will see a message telling you that it can't find anything interesting at that OEP, and if you press the "Get Imports" button, it will fill the list of imported functions with invalid values. That is what we are going to fix ^^

Press the "Clear Import" button, now fill the OEP box with "00000000", put what UIF showed you in the RVA box, then do the same with the size, and press "Get Imports" again; you will see a list of valid thunks in the list box.

Great, so now I will show how to set up ImpRec to fix the dump. Check "Add new section" in the main window and press the "Options" button. Now select only the things that you see in this picture:

(picture not included in this copy)

Close the options and press the "Fix Dump" button; a window will pop up, select the dump file that you need to fix.

Let ImpRec work and you will have a fixed dump file, gratz =)
Now it will work on other OSes too. ImpRec saves the file with an extra "_" at the end of the name. If you want to do some research in the game code now, you don't need an invisible Olly anymore, but you can use it anyway.


Afterthought:
I hope this helped you, and I want to note again:
This tutorial was originally written by "PHANTOM28" from S.N.O.X.D!
I only removed some typos and added the way to find the second address needed for the OEP rebuild.


//Edit:
I also added all requirements as an attachment, so you don't need to search for them =)

greetz
Attached file: requirements.rar (3.10 MB)
LemoniscooL is offline  
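The preparation step in the post above (renaming the StrongOD driver in ollydbg.ini and overwriting the "fengyue" and "ACPU" strings in a hex editor) is a same-length byte substitution, which is why it is safe to do on a compiled binary: no offset inside the file moves. The script below is an added example, not part of the original post and not code from StrongOD or OllyDbg; the "Drivername" key name, the file names and the sample bytes are assumptions or constructed test data. It does the same replacement from a script and also catches the UTF-16LE (wide) spelling of the same strings, which Win32 window class names and driver names are often stored as and which a plain ASCII search in a hex editor can miss.

```python
"""Same-length string patching for hiding a debugger's marker strings.

Added example (not from the original post). Constructed for illustration:
the key name "Drivername" and the file names are assumptions; the real files
are whatever the post has you open (ollydbg.ini and the Olly/StrongOD binary).
"""
import re
import shutil
from pathlib import Path

# marker -> replacement; each pair MUST have equal length (checked in patch_bytes)
MARKERS = {b"fengyue": b"XXXXXXX", b"ACPU": b"AXXX"}


def wide(s: bytes) -> bytes:
    """UTF-16LE form of an ASCII marker, the way Win32 wide strings are stored."""
    return s.decode("ascii").encode("utf-16-le")


def patch_bytes(data: bytes, markers: dict = MARKERS):
    """Replace every ANSI and wide occurrence of each marker.

    Returns (patched_bytes, counts), where counts maps each searched pattern
    to the number of occurrences that were replaced.
    """
    out = bytes(data)
    counts = {}
    for old, new in markers.items():
        if len(old) != len(new):
            raise ValueError(f"replacement for {old!r} must be {len(old)} bytes")
        for pattern, repl in ((old, new), (wide(old), wide(new))):
            counts[pattern] = out.count(pattern)
            out = out.replace(pattern, repl)
    if len(out) != len(data):  # same-length substitution never moves an offset
        raise AssertionError("patched image changed size")
    return out, counts


def patch_ini(text: str, new_driver: str = "XXXXXXX0") -> str:
    """Rename the StrongOD driver in the .ini text (the key name is an assumption)."""
    pattern = re.compile(r"(?im)^([ \t]*drivername[ \t]*=[ \t]*)fengyue0[ \t]*$")
    new_text, n = pattern.subn(lambda m: m.group(1) + new_driver, text)
    if n != 1:
        raise ValueError(f"expected exactly one Drivername=fengyue0 line, found {n}")
    return new_text


def patch_file(path: str, markers: dict = MARKERS) -> dict:
    """Patch a binary in place, keeping a .bak copy; returns the counts."""
    p = Path(path)
    shutil.copy2(p, p.with_suffix(p.suffix + ".bak"))
    patched, counts = patch_bytes(p.read_bytes(), markers)
    p.write_bytes(patched)
    return counts


if __name__ == "__main__":
    # constructed sample standing in for a real OllyDbg/StrongOD binary
    sample = b"\x00fengyue0\x00" + wide(b"fengyue") + b"\x00ACPU\x00ACPU\x00"
    patched, counts = patch_bytes(sample)
    for pattern, n in counts.items():
        print(f"{pattern!r}: {n} replaced")
    print(patch_ini("[StrongOD]\nDrivername=fengyue0\n"), end="")
```

Run it as `python patch_markers.py` for the built-in sample, or call `patch_file("ollydbg.exe")` (and the plugin DLL, if the strings live there in your build) after closing Olly; the ini change has to match the driver name you patched into the binary, otherwise StrongOD will not find its own driver.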
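The OEP rebuild in section 3 (assemble `CALL <Address1>` / `JMP <Address2>` in free space, set the new origin there, dump with OllyDump) is worth seeing at the byte level, because both instructions use a relative displacement: what Olly writes depends on where the stub sits, not only on the two targets. The following is an added example, not code from the original post; all addresses are hypothetical placeholders rather than values from the game, and the tiny PE32 header it builds is constructed test data standing in for a real dump. It encodes the stub, decodes it back as a check, and shows the header field (AddressOfEntryPoint) that "set new origin" plus OllyDump end up changing.

```python
"""Rebuilding the OEP stub (CALL <Address1> / JMP <Address2>) by hand.

Added example (not from the original post). All addresses are hypothetical
placeholders, not values from the game.
"""
import struct

IMAGE_BASE = 0x00400000   # assumption: default PE32 image base
ADDR1 = 0x0041A3C0        # hypothetical: function hit by the memory BP on the code section
ADDR2 = 0x004012F0        # hypothetical: the "PUSH 60" seven lines above the GetStartupInfoA return
STUB_VA = 0x00732FE0      # hypothetical: free space at the end of the image


def rel32(insn_va: int, insn_len: int, target_va: int) -> bytes:
    """Displacement x86 stores for E8/E9: target minus the address of the NEXT instruction."""
    disp = target_va - (insn_va + insn_len)
    if not -0x80000000 <= disp <= 0x7FFFFFFF:
        raise ValueError("target out of rel32 range")
    return struct.pack("<i", disp)


def assemble_oep_stub(stub_va: int, addr1: int, addr2: int) -> bytes:
    """The bytes Olly's assembler emits for the two lines in the post."""
    call = b"\xE8" + rel32(stub_va, 5, addr1)        # CALL <Address1>
    jmp = b"\xE9" + rel32(stub_va + 5, 5, addr2)     # JMP  <Address2>
    return call + jmp


def decode_stub(stub_va: int, code: bytes):
    """Inverse of assemble_oep_stub: recover the two targets from the bytes."""
    if len(code) != 10 or code[0] != 0xE8 or code[5] != 0xE9:
        raise ValueError("not a CALL rel32 / JMP rel32 pair")
    d1 = struct.unpack_from("<i", code, 1)[0]
    d2 = struct.unpack_from("<i", code, 6)[0]
    return (stub_va + 5 + d1) & 0xFFFFFFFF, (stub_va + 10 + d2) & 0xFFFFFFFF


def _opt_header_off(pe: bytes) -> int:
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                     # signature + IMAGE_FILE_HEADER
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("expected a PE32 optional header")
    return opt


def pe32_entry_and_base(pe: bytes):
    """(AddressOfEntryPoint, ImageBase) of a PE32 file or dump."""
    opt = _opt_header_off(pe)
    return (struct.unpack_from("<I", pe, opt + 16)[0],
            struct.unpack_from("<I", pe, opt + 28)[0])


def set_entry_point(pe: bytes, rva: int) -> bytes:
    """Point the header at the stub: what 'set new origin' + OllyDump does for you."""
    buf = bytearray(pe)
    struct.pack_into("<I", buf, _opt_header_off(pe) + 16, rva)
    return bytes(buf)


def build_minimal_pe32_header(image_base: int, entry_rva: int) -> bytes:
    """Constructed header (just the fields used here) standing in for a real dump."""
    hdr = bytearray(0x40 + 24 + 0x60)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                 # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x44, 0x14C)                # Machine = i386
    struct.pack_into("<H", hdr, 0x58, 0x10B)                # Magic = PE32
    struct.pack_into("<I", hdr, 0x58 + 16, entry_rva)       # AddressOfEntryPoint
    struct.pack_into("<I", hdr, 0x58 + 28, image_base)      # ImageBase
    return bytes(hdr)


if __name__ == "__main__":
    stub = assemble_oep_stub(STUB_VA, ADDR1, ADDR2)
    print("stub bytes:", stub.hex(" ").upper())
    print("decodes to:", [hex(a) for a in decode_stub(STUB_VA, stub)])
    dump = set_entry_point(build_minimal_pe32_header(IMAGE_BASE, 0x1000), STUB_VA - IMAGE_BASE)
    print("new EP RVA: %08X" % pe32_entry_and_base(dump)[0])
```

If you move the stub to different free space you must re-assemble it (the displacements change); and if OllyDump's entry point does not equal the stub's RVA (`STUB_VA - IMAGE_BASE` here), the dump will start at the packer's entry again, which is the first thing to check when an "unpacked" file still behaves like the packed one.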
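Section 4 leans on UIF to print the IAT RVA and size that ImpRec then needs in its RVA and Size boxes. What those tools do to find them is a scan of the dumped image for a run of 4-byte pointers that land inside loaded DLLs, with a single zero dword separating one DLL's block from the next and a double zero (or any non-pointer) ending the table. The script below is an added example of that scan, not code from UIF, ImpRec or the original post; the module ranges, export addresses and the image it scans are constructed test data (in a live process you would take the module list and exports from the target, for example via EnumProcessModules and each module's export table).

```python
"""Locating the IAT in an unpacked dump, the way UIF/ImpRec 'Get Imports' do.

Added example (not from the original post or from UIF/ImpRec). The module
ranges, export addresses and the image below are constructed test data.
"""
import struct
from typing import NamedTuple, Optional


class Module(NamedTuple):
    name: str
    base: int
    size: int


class IatCandidate(NamedTuple):
    rva: int                # start of the table, relative to the image base
    size: int               # bytes, including the terminating zero dword
    entries: int            # number of thunks that point into a module
    thunks: tuple           # (rva, pointer, resolved name or "?")


def owner(addr: int, modules) -> Optional[Module]:
    """Which loaded module (if any) contains this address."""
    for m in modules:
        if m.base <= addr < m.base + m.size:
            return m
    return None


def _finish(image, start, ptrs, exports, min_entries):
    if start is None or len(ptrs) < min_entries:
        return None
    end = ptrs[-1][0] + 4
    if end + 4 <= len(image) and struct.unpack_from("<I", image, end)[0] == 0:
        end += 4                                    # keep the final terminator
    thunks = tuple((off, v, exports.get(v, "?")) for off, v in ptrs)
    return IatCandidate(start, end - start, len(ptrs), thunks)


def find_iat_candidates(image: bytes, modules, exports=None, min_entries=4):
    """Scan aligned dwords for runs of pointers into loaded modules.

    `image` is the process image as dumped, starting at the image base, so a
    byte offset is an RVA. One zero dword ends a DLL's block inside the IAT;
    a second consecutive zero (or any other non-pointer value) ends the table.
    min_entries rejects stray single pointers found in code or data.
    """
    exports = exports or {}
    found = []
    start, ptrs, pending_zero = None, [], False
    for off in range(0, len(image) - 3, 4):
        v = struct.unpack_from("<I", image, off)[0]
        if owner(v, modules) is not None:
            if start is None:
                start = off
            ptrs.append((off, v))
            pending_zero = False
        elif v == 0 and start is not None and not pending_zero:
            pending_zero = True
        else:
            cand = _finish(image, start, ptrs, exports, min_entries)
            if cand:
                found.append(cand)
            start, ptrs, pending_zero = None, [], False
    cand = _finish(image, start, ptrs, exports, min_entries)
    if cand:
        found.append(cand)
    return found


def report(c: IatCandidate) -> str:
    """The two numbers UIF prints and ImpRec asks for (RVA and Size)."""
    return f"IAT RVA={c.rva:08X} Size={c.size:08X} ({c.entries} thunks)"


# ---- constructed test data: fake module ranges and fake export addresses ----
IMAGE_BASE = 0x00400000
MODULES = [Module("kernel32.dll", 0x7C800000, 0xF6000),
           Module("user32.dll", 0x77D10000, 0x9B000)]
EXPORTS = {0x7C80B741: "kernel32.dll!GetStartupInfoA",
           0x7C801D7B: "kernel32.dll!VirtualProtect",
           0x7C812F1D: "kernel32.dll!GetProcAddress",
           0x77D18C27: "user32.dll!CreateWindowExA",
           0x77D1B8B2: "user32.dll!ShowWindow"}


def build_sample_image() -> bytes:
    """A 12 KiB fake dump: one stray pointer in .text and a real-looking IAT at RVA 2010."""
    img = bytearray(0x3000)
    struct.pack_into("<I", img, 0x1200, 0x7C801D7B)      # lone stray pointer: not an IAT
    iat = [0x7C80B741, 0x7C801D7B, 0x7C812F1D, 0,         # kernel32 block + terminator
           0x77D18C27, 0x77D1B8B2, 0, 0]                  # user32 block + terminator + end
    struct.pack_into("<%dI" % len(iat), img, 0x2010, *iat)
    return bytes(img)


if __name__ == "__main__":
    for c in find_iat_candidates(build_sample_image(), MODULES, EXPORTS):
        print(report(c))
        for rva, ptr, name in c.thunks:
            print(f"  {rva:08X} -> {ptr:08X} {name}")
```

A pointer that resolves to "?" here is exactly what ImpRec shows as an invalid thunk: the value is inside no loaded DLL, so either the table boundaries are wrong or the entry was redirected by the protector and needs a tracer. That is also why the post has you enter the RVA and size from UIF rather than trusting AutoSearch from the rebuilt OEP.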
Old 09/22/2010, 17:10   #2
 
Glad you figured it out. Now try to improve some bots.
phantom23 is offline  
Old 09/22/2010, 17:31   #3
 
Well, I think I'm not as inexperienced in disassembling as I thought before xD
Hope you don't mind me posting this here and also removing your typos ^^
LemoniscooL is offline  
Old 09/22/2010, 20:26   #4
 
What an awesome article m8!
Thanks a lot for the great content!
General is offline  
Old 09/22/2010, 23:00   #5
 
Quote:
Originally Posted by LemoniscooL
Well, I think I'm not as inexperienced in disassembling as I thought before xD
Hope you don't mind me posting this here and also removing your typos ^^
You get it, only by trying will you learn, and I'm cool that you posted here, I'm too lazy to do this kind of thing. Btw, if you fix my typos, even better, so people can understand the essence of this tutorial better.
phantom23 is offline  
Old 09/23/2010, 02:18   #6
 
Great work. I am kind of new to stuff like protection and so on, but I am strong and I manage to do long searches on this and know great people. Could you tell me what you can do with this? What could you access? Thanks for the answer and great guide.
shadownesss is offline  
Old 09/23/2010, 06:29   #7
 
Well, what can you access when unpacking an executable.. you can access the game's code, and if you know what to search for you could achieve many things, for example multiclient, several hacks, game data, encryption/decryption algorithms etc ^^
LemoniscooL is offline  
Old 09/23/2010, 18:30   #8
 
Wow, time to install BoI again, I'll post my findings here. Thx lemon
FamousOnion is offline  
Old 09/23/2010, 20:51   #9
 
Always glad to help ^^
If you find the inventory functions (like move item, split stack etc) PM me =P
LemoniscooL is offline  
Old 09/24/2010, 18:03   #10
 
Wow, very nice one, thanks!
@Mods: please sticky this thread
Neyoel is offline  
Old 09/25/2010, 06:09   #11
 
Awesome tutorial, I was able to unpack it and rebuild the IAT successfully.

Here are a few tips:

When you say

Quote:
go to the RETN at the end of this function and put a BP.
Press Run to get there, delete the soft breakpoint
Rather than doing all that you could just execute till return (Ctrl+F9).

Also this part:

Quote:
Follow the application with Ctrl+F8 (or F7, the long way) until you find the call where the window is created. Set a BP on that call, restart and run till that call, press F7 and animate (Ctrl+F8) till the next call. You might want to do that 3 or 4 times.
isn't necessary at all, you can simply skip it and directly BP GetStartupInfoA, at least it worked for me.

For some reason ImpRec 1.7c also wasn't working for me, it couldn't load the functions of d3dx9_30.dll for some reason, but I just used ImpRec 1.6 and it worked fine, just to let everyone know in case someone has the same issue.
powerfear is offline  
Old 09/25/2010, 06:23   #12
 
Hm, well, I don't know all the hotkeys in Olly, but who does; thanks for that ^^
I posted the longer way of finding the 2nd address because it's more secure, just in case GetStartupInfoA is called somewhere else, which might lead to issues.
Btw, ImpRec 1.7c worked just fine for me.
LemoniscooL is offline  
Old 09/25/2010, 20:19   #13
 
Good tut, but I couldn't do it because it's not enough for me to just read it in English, and my English is worse than you think. Can you make a video tutorial? I can help you with video programs etc.
root426 is offline  
Old 09/25/2010, 23:59   #14
 
Guys, this is a guide tutorial; try to learn with Lena's tutorials, they are great. Because what happens if in the future something changes? **** we are f... up. For that reason sometimes it is better to do it manually and try and try.
To unpack it the first time took me about 1 week, to figure out how VMProtect works and find the right things; after learning that I can unpack the game in 10 min. Even if you want to know how to use the unpacked game to do your bots, you need to know asm and how to search for functions, etc., so unpacking is the easiest thing about this; searching is the hardest. So try to learn. There are tons of videos about VMProtect.
phantom23 is offline  
Old 10/01/2010, 17:04   #15
 
I think searching is the easy part for me because I can just search for addresses. If I can unpack Game.exe I think I can search and find more addresses than I find now.
root426 is offline  