[Release] Unpacked Client.exe

02/23/2012 10:10 jas161#31
Quote:
Originally Posted by adam_j View Post
I would assume that the encryption is just a stop-gap method of denying most people access to pake, whilst Nexon blackrobes all of the player ba- I mean, whilst they work out a better solution to stop pake.

Or they're currently having a meeting that sounds a lot like this:
[link]

But, if they apply the same update to Japan, wouldn't pake 1.30 just be posted, ruining their efforts?
I loved Star Fox. +1 for best game ever.
02/23/2012 13:31 adam_j#32
Quote:
Originally Posted by jas161 View Post
I loved Star Fox. +1 for best game ever.
Every time I think of Nexon trying to stop pake, I think of that moment.
02/23/2012 13:59 jas161#33
Quote:
Originally Posted by adam_j View Post
Every time I think of Nexon trying to stop pake, I think of that moment.
Didn't really pay any attention to the video I just love that game :D
02/23/2012 21:13 dkend#34
Start your OllyDbg and make sure your Phantom settings are like below. Configure them via Plugin>Phantom>Option. You will need to restart OllyDbg for the settings to take effect.
Phantom Setting
Do this by moving the phantom.dll into the ollydbg folder.
[IMG]http://richie86.files.*********.com/2008/01/phantom-opt.jpg[/IMG]
After that, drag Cpp1.exe into OllyDbg. See the yellow line in the main thread: B8 00 00 00 60, the common entry point used by Themida/WinLicense.
[IMG]http://richie86.files.*********.com/2008/01/load.jpg[/IMG]
Press ALT+M to switch to the Memory Map tab. Scroll down the list a little and you will find msvcrt in the PE header. This shows that this EXE is using the C++ runtime.

Let's continue. Run the okdodo script via Plugin>ODbgScript>RunScript, then select okdodo.osc.

The script will run automatically. After you are prompted that the script has completed, the debugger will stop at the OEP (Original Entry Point) of your EXE.
[IMG]http://richie86.files.*********.com/2008/01/oep.jpg[/IMG]

Take note of the OEP address above. We will be using it later on: 00401151
Next we will try to dump the image out. Do NOT close OllyDbg yet.
Open ImportREC. Attach to the Cpp1.exe process in the list.

Then you will see in the status box: Image Base: 00400000. So calculate the OEP as 00401151 - 00400000 = 1151.
Fill it into the OEP box and press IAT AutoSearch. It will inform you that the OEP is found.

Press Get Imports to get all imported functions. The Imports status shows valid:YES, which means all import function pointers match.

So dump the image via Right-click>Advanced Commands>Select Code Section(s)
[IMG]http://richie86.files.*********.com/2008/01/imprec.jpg[/IMG]

Press Full Dump, then save it somewhere as cpp1_dump.exe
[IMG]http://richie86.files.*********.com/2008/01/dumped.jpg[/IMG]
Then continue to reconstruct the dump based on the new OEP. In the main menu, press Fix Dump, then select the dump image cpp1_dump.exe we just created.
[IMG]http://richie86.files.*********.com/2008/01/fixdump.jpg[/IMG]

After reconstruction, a new image cpp1_dump_.exe is created. Now try to open cpp1_dump_.exe and you will see that you have successfully unpacked it.
[IMG]http://richie86.files.*********.com/2008/01/done.jpg[/IMG]

Credit: okdodo for the script. unpack.cn for the resources.

okdodo script:
/*
Script written by okdodo 2007/03
Tested for themida IAT restore and OEP find~

Ollyice: Ignore all exceptions (add 0EEDFADE,C0000005,C000001E)
HideOD : Check HideNtDebugBit and ZwQueryInformationProcess(method2)

Test Environment : Ollyice 1.1 + HideOD
ODBGScript 1.52 under WINXP
Thanks :
kanxue - author of HideOD
hnhuqiong - author of ODbgScript 1.52
*/

data:
var cbase
var csize
var dllimg
var pmbase
var apibase
var mem

// Record the code section base/size and the image base of the module at EIP
gmi eip,CODEBASE
mov cbase,$RESULT
gmi eip,CODESIZE
mov csize,$RESULT
gmemi eip,MEMORYBASE
mov dllimg,$RESULT
log dllimg

findapibase:
// Break on a few kernel32 APIs the packer calls; after the VirtualAlloc
// return, EAX holds the base of the packer's freshly allocated region
gpa "GetLocalTime", "kernel32.dll"
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp, "x"
esto
bphwc tmpbp
rtu
gpa "VirtualAlloc", "kernel32.dll"
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp, "x"
esto
bphwc tmpbp
rtu
mov apibase,eax
log apibase
gpa "LoadLibraryA", "kernel32.dll"
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp, "x"
esto
bphwc tmpbp
rtu

findVirtualAlloc:
// Locate the packer's VirtualAlloc wrapper inside the allocated region
find apibase,#558BECFF7514FF7510FF750CFF75086AFFE8090000005DC21000#
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp, "x"

iatloop:
esto
mov tmp,[esp]
find dllimg,#50516033C0#
cmp $RESULT,0
jne iatpatch
jmp iatloop

iatpatch:
bphwc tmpbp
find eip,#C21000#
bphws $RESULT,"x"
esto
bphwc $RESULT
sti
mov tmpbp,tmp
// Replace two near conditional jumps with short jmps to the same targets
find tmpbp,#0F850A000000C785#
mov tmpbp,$RESULT
mov [tmpbp],0A0EEB
find tmpbp,#0F84390000003B8D#
mov tmpbp,$RESULT
mov [tmpbp],3928EB

// Allocate a scratch page and write the IAT-fixing stub into it
alloc 1000
mov mem, $RESULT
log mem
mov tmp,mem
mov [tmp],#A3000000008908ADC746FC00000000E90000000050A1000000008907807FFFE8750866C747FEFF15EB0666C747FEFF2558E90000000050A100000000894701807FFFE8750866C747FFFF15EB0666C747FFFF25580F8500000000E90000000083C704E900000000#
mov memtmp,tmp
add memtmp,100
add tmp,1
mov [tmp],memtmp
add tmp,15
mov [tmp],memtmp
add tmp,22
mov [tmp],memtmp
mov tmp,mem

// Redirect the packer's IAT-building loop through the stub
find tmpbp,#8908AD#
mov tmpbp,$RESULT
mov addr1,tmpbp
add addr1,0A
eval "jmp {tmp}"
asm tmpbp, $RESULT

find tmpbp,#E92400000058#
mov tmpbp,$RESULT
add tmp,14
eval "jmp {tmp}"
asm tmpbp, $RESULT

find tmpbp,#0F851800000083BD#
mov tmpbp,$RESULT
mov addr3,tmpbp
add addr3,06
add tmp,22
eval "jmp {tmp}"
asm tmpbp, $RESULT

find tmpbp,#884704#
mov tmpbp,$RESULT
mov addr2,tmpbp
add addr2,03
mov [tmpbp],#909090#

find tmpbp,#ABAD#
mov tmpbp,$RESULT
mov [tmpbp],#90#

add tmpbp,9
add tmp,29
eval "jmp {tmp}"
asm tmpbp, $RESULT

// Patch the stub's return jumps back into the original loop
mov memtmp,mem
add memtmp,0F
eval "jmp {addr1}"
asm memtmp, $RESULT
add memtmp,22
eval "jmp {addr2}"
asm memtmp, $RESULT
add memtmp,23
eval "jne {addr2}"
asm memtmp, $RESULT
add memtmp,06
eval "jmp {addr3}"
asm memtmp, $RESULT
add memtmp,08
eval "jmp {addr1}"
asm memtmp, $RESULT

find eip,#C7010000000083C104#
mov tmpbp,$RESULT
add tmpbp,14
bphws tmpbp,"x"
esto
bphwc tmpbp

mov tmp,cbase
add tmp,csize

findoep:
// Memory breakpoint on the code section: stop once execution lands inside it
bprm cbase,csize
esto
bpmc
cmp eip,tmp
ja findoep
msg "script finished,check the oep place by yourself~"
ret

stop:
pause

apierror:
pause
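Added example, not part of dkend's post, the tutorial it reproduces, or the okdodo script: a small Python PE32 reader that does the header arithmetic the post performs by hand in ImportREC (entry-point VA 00401151 minus image base 00400000 = RVA 1151), maps that RVA back to a file offset through the section table, and checks whether the entry point starts with the B8 00 00 00 60 stub the post identifies as the usual Themida/WinLicense entry. That last check is a cheap triage step for deciding whether a sample is packed before spending time in a debugger. The PE images are constructed inside the script purely to exercise the parser; all function and field names are my own.

```python
import struct

# Entry stub the post points out in OllyDbg: mov eax, 0x60000000 (B8 00 00 00 60)
THEMIDA_ENTRY_STUB = b"\xb8\x00\x00\x00\x60"


def build_sample_pe(entry_rva, image_base, entry_bytes_):
    """Construct a minimal PE32 image (DOS header, PE headers, one .text section).
    Constructed test input only; not a real binary."""
    e_lfanew = 0x40
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)

    # COFF header: i386, 1 section, 0xE0-byte optional header, EXE|32-bit
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)

    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)  # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)      # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)       # FileAlignment

    sect_va, sect_size, sect_raw = 0x1000, 0x200, 0x200
    section = struct.pack("<8sIIIIIIHHI", b".text", sect_size, sect_va,
                          sect_size, sect_raw, 0, 0, 0, 0, 0x60000020)

    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    image = bytearray(headers.ljust(sect_raw, b"\0")) + bytearray(sect_size)
    off = sect_raw + (entry_rva - sect_va)
    image[off:off + len(entry_bytes_)] = entry_bytes_
    return bytes(image)


def parse_pe(data):
    """Return image base, entry-point RVA and the section table of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff_off + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff_off + 16)[0]
    opt_off = coff_off + 20
    if struct.unpack_from("<H", data, opt_off)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
    sections = []
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "vsize": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"image_base": image_base, "entry_rva": entry_rva, "sections": sections}


def va_to_rva(va, image_base):
    """The subtraction ImportREC needs: 00401151 - 00400000 = 1151."""
    if va < image_base:
        raise ValueError("VA %#x is below image base %#x" % (va, image_base))
    return va - image_base


def rva_to_file_offset(sections, rva):
    """Map an RVA to a file offset via the section that contains it."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["raw_ptr"] + (rva - s["va"])
    raise ValueError("RVA %#x is not backed by any section" % rva)


def entry_bytes(data, count=5):
    pe = parse_pe(data)
    return data[rva_to_file_offset(pe["sections"], pe["entry_rva"]):][:count]


def entry_looks_packed(data):
    """Triage: does the entry point start with the Themida/WinLicense stub?"""
    return entry_bytes(data) == THEMIDA_ENTRY_STUB


if __name__ == "__main__":
    sample = build_sample_pe(0x1151, 0x400000, THEMIDA_ENTRY_STUB)
    pe = parse_pe(sample)
    print("ImageBase %08X, OEP VA %08X, OEP RVA %X, packed=%s" % (
        pe["image_base"], pe["image_base"] + pe["entry_rva"],
        pe["entry_rva"], entry_looks_packed(sample)))
```

The constructed sample uses the same numbers as the post (image base 00400000, OEP 00401151) so the RVA printed is the 1151 that goes into ImportREC's OEP box; the hand-built PE keeps the check offline and free of any real client binary.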
02/23/2012 23:30 Epvp_God#35
O_o Shazaam...
02/24/2012 01:30 mabilife13#36
What tool did you use to unpack client.exe?
02/24/2012 01:40 Epvp_God#37
Quote:
Originally Posted by mabilife13 View Post
What tool did you use to unpack client.exe?
You should facedesk yourself a couple of times to enhance your ability to comprehend what you read. Then read this thread. SOLVED
02/24/2012 01:43 Nosirrom#38
What he posted, but with functional images.
[link]
02/24/2012 03:41 Yiting#39
Quote:
Originally Posted by Aka. View Post
NA may have no choice but to remove Themida anyway, it's causing way too many issues in game and doesn't even prevent mabipake from being used.
I think most of the issues aren't caused by Themida or HackShield, but their coding is getting worse and buggier...

--
Not much changed between r101 and r102; I got the unpacked client and fixed some useful symbols by the same process.
[link]
02/24/2012 08:27 Lycoris#40
And I'm mostly lost. What does dkend's post do, exactly? (I'll probably figure it out soon enough, just a bit lost right now)
02/24/2012 12:31 omgjesus#41
Quote:
Originally Posted by skititlez View Post
Just gonna put this out there: devcat gives NA the patches.
From my understanding, devcat does a hack job with the patches to begin with and Nexon NA tries to fill in the blanks as best as they can.
Logic that cannot be beat. I always told myself this and never really decided to bring it up, but you've got a point. People complain so much about what Nexon does or does not do, when people should point fingers at devcat and get them to stop being lazy when it comes to making the patches.
02/24/2012 16:34 dkend#42
Quote:
Originally Posted by Lycoris View Post
And I'm mostly lost. What does dkend's post do, exactly? (I'll probably figure it out soon enough, just a bit lost right now)
Currently the client is "packed" with an anti-debug guard called Themida. So you have to unpack the client to have this guard removed.

That is all.

-LLZIOL
02/25/2012 00:17 hg478#43
[link]
02/25/2012 00:53 adam_j#44
Quote:
Originally Posted by hg478 View Post
[link]
I'm curious to see if anyone runs that.
02/25/2012 01:55 Klymore#45
I might out of sheer curiosity on my laptop... Before I do though, do you have an idea on what it might do/be? I can only guess because I'm too lazy to look... =.=