Why everyone is unable to FULLY unpack the bot without error.

09/27/2007 19:36 Fugltlve#1
Update:
Looks like the EIP might be in the actual exe we run to launch the bot. After entry it calls into gamemon.des. This isn't a problem in itself, BUT it becomes a huge problem when trying to unpack it.
The launcher program doesn't use Themida.

Running SEVERAL unpackers, debuggers, and disassemblers on this damn bot I have found something.
Themida is not the problem at all. That actually should be able to be stripped out fairly easily.
Anyone that's run UnThemida on the bot has probably found that you get an OEP error and UnThemida terminates.

What I have tried:

I have run a couple of OEP finders as well as tried to force the OEP in the unpacking.
I have found a variance of OEP depending on which find method I was using. All the OEPs end up having various offset errors (most at FFFF 038FB039).
In the version I did unpack (but did not unhook anything) that address comes up with "FFFF ??? Unknown Command" every time.

What I have found:
Every working solution is found by trying to repro the problem.
I was able to figure out WHY this is a problem, but I do not know how to get around it without manually unpacking with a MUP (I tried, but I am unable to locate the ACTUAL entry point for OEP).

The problem with this damn bot is that the OEP is outside of the PE headers. That is why any of our unpacking utilities are having problems, or giving errors.

If anyone can find me the EP for OEP, I can manually unpack it and unhook all the needless crap in it.
I'm PRETTY sure the entry point is located in the "launcher" program.
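Added example, not code from the thread or from any of the tools named in it: a small PE32 header parser that tells you whether a candidate OEP address lies inside the loaded image at all, and if so whether it falls in the headers, in a named section, or in a gap between sections. An OEP outside [ImageBase, ImageBase+SizeOfImage) is exactly what a dump tool reports as "OEP outside the PE header": the entry point is in another module (such as the launcher) or in memory allocated at runtime, so a dump of this one image cannot carry it. The sample image is constructed in code (ImageBase 0x400000, two sections, SizeOfImage 0x5000) and is not gamemon.des; the address 038FB039 from the post above is used only as an input to show what an out-of-image address looks like against a typical 0x400000-based image.

```python
import struct

PE32_MAGIC = 0x10B  # IMAGE_NT_OPTIONAL_HDR32_MAGIC


def build_sample_pe(entry_rva, image_base=0x400000):
    """Return a minimal, constructed PE32 header blob (NOT gamemon.des).

    Layout: DOS stub, "PE\\0\\0", COFF header, 224-byte optional header and
    two section headers:
      .text    RVA 0x1000, VirtualSize 0x1000
      .themida RVA 0x2000, VirtualSize 0x3000
    so SizeOfImage is 0x5000 and the image spans image_base .. image_base+0x5000.
    """
    sections = [
        # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        (b".text", 0x1000, 0x1000, 0x1000, 0x400),
        (b".themida", 0x3000, 0x2000, 0x3000, 0x1400),
    ]
    opt = bytearray(224)                         # PE32 optional header incl. 16 data directories
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)  # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)      # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)       # FileAlignment
    struct.pack_into("<I", opt, 56, 0x5000)      # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x400)       # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)          # NumberOfRvaAndSizes
    # COFF header: Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | 32BIT_MACHINE)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    sec_table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, rva, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
        for name, vsize, rva, rawsize, rawptr in sections
    )
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)  # e_lfanew points at the PE signature
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_table


def parse_pe(data):
    """Parse the PE32 header fields that an OEP sanity check needs."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic != PE32_MAGIC:
        raise ValueError("only PE32 is handled here (magic 0x%x)" % magic)
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from("<I", data, opt + 28)
    size_of_image, = struct.unpack_from("<I", data, opt + 56)
    size_of_headers, = struct.unpack_from("<I", data, opt + 60)
    sections = []
    for i in range(num_sections):
        name, vsize, rva = struct.unpack_from("<8sII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), rva, vsize))
    return {"image_base": image_base, "size_of_image": size_of_image,
            "size_of_headers": size_of_headers, "entry_rva": entry_rva,
            "sections": sections}


def classify_address(pe, va):
    """Say where a virtual address falls relative to the parsed image.

    ("outside", None) means the VA is not in [ImageBase, ImageBase+SizeOfImage):
    the entry point is in another module or in runtime-allocated memory, and no
    dump of this image alone can be given that address as its entry point.
    """
    base, size = pe["image_base"], pe["size_of_image"]
    if va < base or va >= base + size:
        return ("outside", None)
    rva = va - base
    if rva < pe["size_of_headers"]:
        return ("headers", None)
    for name, sec_rva, vsize in pe["sections"]:
        if sec_rva <= rva < sec_rva + vsize:
            return ("section", name)
    return ("gap", None)  # inside the image but not covered by any section


def oep_report(data, candidate_va):
    """Compare a candidate OEP from a finder against the image's own headers."""
    pe = parse_pe(data)
    kind, name = classify_address(pe, candidate_va)
    return {"candidate": candidate_va, "location": kind, "section": name,
            "header_entry_point": pe["image_base"] + pe["entry_rva"],
            "usable_as_oep": kind == "section"}


if __name__ == "__main__":
    sample = build_sample_pe(entry_rva=0x2000)  # packed stub's entry sits in .themida
    for va in (0x401040, 0x402000, 0x038FB039):
        r = oep_report(sample, va)
        print("%08X -> %-8s %s (header EP %08X)" % (va, r["location"], r["section"] or "", r["header_entry_point"]))
```

In practice you feed `parse_pe` the packed file or your dump and `classify_address` the address your OEP finder reported; only a "section" result is an address you can write into AddressOfEntryPoint of the dumped image. Anything reported as "outside" has to be chased into whichever module actually owns that address (a debugger's module list at the moment the OEP is hit will tell you), which matches the observation above that the real entry point may live in the launcher rather than in gamemon.des.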
09/27/2007 20:58 lordpipas#2
Heh... we unpack it, don't we? Yes, the EP is in the launch program. Use Artmoney and you can see it :D
09/27/2007 21:20 Fugltlve#3
Quote:
Originally Posted by lordpipas
Heh... we unpack it, don't we? Yes, the EP is in the launch program. Use Artmoney and you can see it :D
Yep. I got the EIP address for the OEP, it's just that I haven't found a utility that will allow me to unpack gamemon.des correctly with the EIP outside of the PE header.
09/28/2007 08:05 lordpipas#4
So... what's the problem?
09/28/2007 16:20 Fugltlve#5
Quote:
Originally Posted by lordpipas
So... what's the problem?
I haven't found a utility that will allow me to unpack gamemon.des correctly with the EIP outside of the PE header, and I'm not sure how to remove Themida by using MUP.
09/28/2007 16:55 lordpipas#6
wm qUp? It works... why not?
09/28/2007 17:53 Fugltlve#7
Quote:
Originally Posted by lordpipas
wm qUp? It works... why not?
I can unpack it just fine with qunpack, BUT you can't unhook anything and you get an error that the OEP is outside the PE header. So it unpacks incorrectly, as the EP isn't in the unpack.
I researched this a little bit and found that if the OEP is outside of the PE header you need to unpack the program manually via MUP in order to unpack with the entry point.
I can unpack manually (although I'd rather not because it's a horrid process) but I don't know how to strip out Themida before I unpack it.
09/28/2007 20:13 lordpipas#8
Em... GameMon isn't an .exe file, it's a source file... and nothing more... so you don't have to have an EP...
09/28/2007 20:27 Fugltlve#9
Quote:
Originally Posted by lordpipas
Em... GameMon isn't an .exe file, it's a source file... and nothing more... so you don't have to have an EP...
It won't run unpacked without the EP for some reason. If I unpack with qunp and don't unhook anything, the unpacked file size is massive (56000k) compared to the packed 2000k. If I unhook everything as it should be, the unpacked size is 2004k but it won't initialize or test. It just gives me the OEP error.
09/28/2007 20:57 luckyjol#10
It's normal that Themida packs a file to a file size which is a hundredfold as large as the normal file.
09/28/2007 22:28 Fugltlve#11
Quote:
Originally Posted by luckyjol
It's normal that Themida packs a file to a file size which is a hundredfold as large as the normal file.
OK. So the original file at 56000k with everything still hooked can be used?
09/28/2007 22:33 luckyjol#12
I am not sure, I have no OEP to test it, but I read it in another forum from a guy called "sd333221"; he is also registered on epvp.
09/29/2007 10:11 lordpipas#13
Yes, it can be.
09/29/2007 20:37 Fugltlve#14
Quote:
Originally Posted by lordpipas
Yes, it can be.
Thanks lord. I can start working on it again.

On that note, found the 3 call stacks that 1) request auth 2) receive auth 3) deny on failed auth.

Looking for a way to put a bypass in. Gonna try playing around with adding an EIP after the call stacks and see what happens.
09/29/2007 20:55 lordpipas#15
Crashing :) Maybe I'm doing something wrong...