[Tutorial]How to unpack Game.exe

Nav1cat · 10/11/2010, 02:14

Well good guide...

I have a target packed with VMProtect
I used this guide but it didn't helped me at all...i don't know if i am doing something wrong..

Anyone who wanna try unpack it can download here

dumpersta · 11/20/2010, 00:20

Ok, going to try this out this next week sometime, but I am wondering if you can explain precisely what we get out of it:

You said that we can see the game's code with this. As in we can view it just like we were in C++ (or whatever) and able to compile the game and run it?

If so, that would mean we can find the EXACT function used for various things, like upgrading your Chalice (is it really diminishing chance, or just a 50/50 each time?), rebirthing your pets (does Advanced Gem give better average growth than basic? Are the odds of a perfect the same for Medium and Advanced?), melding pets (exactly what from parents is looked at?) and all kinds of other "mysteries" in the game right now. Are droprates of SG really impacted by your level, or just the other junk?

If we can see THAT level of code... We can do a lot more than just write bots/hacks. We can finally understand how to maximize our actual gameplay.

~~phantom23~~ · 11/20/2010, 01:37

Quote:

Originally Posted by dumpersta

Ok, going to try this out this next week sometime, but I am wondering if you can explain precisely what we get out of it:

You said that we can see the game's code with this. As in we can view it just like we were in C++ (or whatever) and able to compile the game and run it?

If so, that would mean we can find the EXACT function used for various things, like upgrading your Chalice (is it really diminishing chance, or just a 50/50 each time?), rebirthing your pets (does Advanced Gem give better average growth than basic? Are the odds of a perfect the same for Medium and Advanced?), melding pets (exactly what from parents is looked at?) and all kinds of other "mysteries" in the game right now. Are droprates of SG really impacted by your level, or just the other junk?

If we can see THAT level of code... We can do a lot more than just write bots/hacks. We can finally understand how to maximize our actual gameplay.

you see the client code, something are on the server application, and no u dont see it in c++, u see in asm, u need know about assembler to read the code.

dumpersta · 11/20/2010, 01:54

Ok, so most of the nice mysteries wouldn't be revealed then. Bit of a bummer, but still it shows us exactly what we can adjust on our side of the fence, so quite nice.

~~phantom23~~ · 11/20/2010, 02:59

well is not like have the source code in the languaje that is programmed but its close enough to look if u know alot of asm and have the time to do it. good luck with that

dumpersta · 11/23/2010, 21:49

I believe I have everything set up now so that this should work. I can pause and resume the game.exe at the least.

But in step [3] of the first post I get lost. It says to place a breakpoint at the ntdll section, then find VirtualProtect. I don't know what the ntdll section is though, and don't see any VirtualProtect show up when running or when paused.

First time I tried things I had run game.exe from the bin file myself, and attached ollydbg to it. I re-read the section and instead tried opening game.exe with Olly. When I do that it sits paused and I see some references to ntdll in the lower right window of Olly. But when I GTRL+G and check for "VirtualProtect" I get an error message instead of a result.

So, I open game.exe from the bin folder in Olly. It presumably runs briefly, but pauses very quick, with ntdll listed shortly after the current location.

If I hit F9 so that it runs it pauses again, this time there are references to KERNALBA in various windows. I don't know if this is "Press run or F9 and u will break at the EP" as I do not understand what EP refers to.

I am unable to find VirtualProtect at this point though. If I hit F9 again then it terminates. Still unable to find VirtualProtect at that point as well.

~~phantom23~~ · 11/23/2010, 22:10

dumpersta what u should do is watch the Lena's tutorials to know about reversing, unpacking, using ollydbg, etc. The things that u are asking are basic concepts, so i recomend watch those videos. if u want the game.exe unpacked i can give it to u, but u wont learn how to unpack it and if u need unpack it again u need wait for someone else.
good luck with that.

dumpersta · 11/24/2010, 00:29

Certainly prefer to learn it myself. I'll try to find these tutorials you talk about. Just incase I can't, a link to them would be appreciated

Won't be till tomorrow that I look for them.

devilpooh · 01/11/2011, 16:18

More picture plzzz
So confuse on part 3

SuneC · 01/11/2011, 16:39

Quote:

Originally Posted by devilpooh

More picture plzzz
So confuse on part 3

If you just want to debug the client with Olly you don't need to do the unpacking. And that seems to be what you want judging from the thread you started and which I answered.

jepher · 01/12/2011, 01:23

sorry for being noob..but what will this thing work on to?

can i find the addresses by using this?

devilpooh · 01/12/2011, 10:09

I'm newbie on olly.
I use Cheat Engine to find "What access to this address" but couldn't cuz cannot attach the debugger, after Unpack could I do it?

Next question, I follow to this step

Quote:

That means the code section is filled and now we can set a break in that section, so delete the BP at the begining of the function and press F8 until u reach the RETN 10.

After this if we press F7 or F8 we will be at the EP again and thats where want to get at this time so press F7 or F8.

Now go to the Memory map tab, pressing the M in the olly menu bar, select the code section, set a memory breakpoint on access and press F9.

select the code section where this mean??

SuneC · 01/12/2011, 11:49

Quote:

Originally Posted by devilpooh

I'm newbie on olly.
select the code section where this mean??

I don't know if you're ignoring what I'm telling you, or if you are simply having issues with attaching Olly to the game client even when using StrongOD.

"Select the code section" means: Bring up the Memory window (Alt+M) scroll down until you see the sections belonging to "Game". There will be one particular (starting at 401000) with the name ".code" - that is the one being talked about

Just right-click it and set a break on access.

devilpooh · 01/12/2011, 14:49

Quote:

Originally Posted by SuneC

I don't know if you're ignoring what I'm telling you, or if you are simply having issues with attaching Olly to the game client even when using StrongOD.

I want to attached debugger with other program not olly.

SuneC · 01/12/2011, 15:39

Quote:

Originally Posted by devilpooh

I want to attached debugger with other program not olly.

That may be quite difficult. I honestly don't know if there are any other debuggers available that are able to stealth themselves from the VMProtect anti-debugger stuff - but I haven't eagerly searched for it since Olly has always been my beloved preference.