Unpacked dekaron.exe [4.6.21]
Discussion on Unpacked dekaron.exe [4.6.21] within the Dekaron Exploits, Hacks, Bots, Tools & Macros forum part of the Dekaron category.
05/24/2009, 07:47
#16
If I use this unpack I don't need ggk, right? And I find new offset for CE and all done.

05/24/2009, 08:05
#17
Quote:
Originally Posted by CrystalMaiden
If I use this unpack I don't need ggk, right? And I find new offset for CE and all done.
|
Please ignore this. I was using a different exe than I thought I was.
No need for the ggk, and no need to find new offsets for CE. The only thing that has really changed is the removal of GG. The new anti-hack isn't in yet, apparently.

05/24/2009, 15:16
#18
Filename: unpacked_dekaron_4.6.21.exe
Size (Bytes): 8974336
MD5 Hash: 4268924c7ccd105bacf2e6be04f9ddf7
Report link:
AntiVirus       Engine Version          Definition Version   Status
Antivir         7.4.0.37                6.39.0.81            Nothing found
ArcaVir         1.0.4                   2006.01.27           Nothing found
Avast           1.0.7                   0753-0               Nothing found
AVG             7.5.47                  269.9.14/883         Nothing found
BitDefender     7.60825                 7.60825              Nothing found
F-Prot          4.6.6                   3.16.14              Nothing found
Norman          5.70.01                 5.70.01              Nothing found
Rising          17.00.00.36             19.25.00.00          Nothing found
VirusBlokAda32  3.12.0.2                2007.07.01           Nothing found
VirusBuster     4.3.23:9 (2007-02-16)   9.86.8/11.0          Nothing found

05/24/2009, 17:45
#19
Quote:
Originally Posted by deviousd123
Filename: unpacked_dekaron_4.6.21.exe
|
Should it be infected ^^? InstantDeath isn't that dumb to post a virus here, he knows that I would delete it, or another mod.

05/24/2009, 18:07
#20
Quote:
Originally Posted by deviousd123
Filename: unpacked_dekaron_4.6.21.exe
|
that also comes a lil bit late ^^

05/24/2009, 18:21
#21
Quote:
Originally Posted by ~trane~
Should it be infected ^^? InstantDeath isn't that dumb to post a virus here, he knows that I would delete it, or another mod.
|
At least I would make it more undetectable ...

05/24/2009, 20:18
#22
Quote:
Originally Posted by InstantDeath
At least I would make it more undetectable ...
|
But I would still find it!

05/25/2009, 15:09
#23
Quote:
Originally Posted by ~trane~
But I would still find it!
|
but he might make it like a ninja virus and runs around ya screen?! ;D

05/25/2009, 21:43
#24
nice 2x post

05/29/2009, 15:26
#25
Instant, I think I have asked you before but don't remember. Is there any way that you can post a tut on how you unpack the .exe? So that people like myself wouldn't have to wait for someone else to do it, and give me the opportunity to learn something new. Anyways, great work and thanks again.

05/29/2009, 21:03
#26
Quote:
Originally Posted by twiggy345
Instant, I think I have asked you before but don't remember. Is there any way that you can post a tut on how you unpack the .exe? So that people like myself wouldn't have to wait for someone else to do it, and give me the opportunity to learn something new. Anyways, great work and thanks again.
|
Well, there used to be a script for this but it won't work anymore because the packer has changed. Actually it was much harder to unpack before. Everything gets easier all the time.
Ok, this is in text version. No need to record it because it's so short.
- Tools needed: OllyDbg (prefer ver 1.10), ImpREC
1. Ignore all exceptions in OllyDbg.
2. Load the dekaron.exe in Olly.
3. The entrypoint will look like this:
Quote:
00C84F2E 0000 add byte ptr ds:[eax],al
00C84F30 > 60 pushad <--- EntryPoint
00C84F31 BE 00B0A100 mov esi,dekaron.00A1B000
00C84F36 8DBE 00609EFF lea edi,dword ptr ds:[esi+FF9E6000]
00C84F3C 57 push edi
00C84F3D 83CD FF or ebp,FFFFFFFF
00C84F40 EB 10 jmp short dekaron.00C84F52
|
4. Step over/into the first pushad command.
5. Put a hardware breakpoint on the esp register --> Word/Dword on Access.
6. Execute shift+F9.
7. Now you should find yourself at a routine before the OriginalEntryPoint:
Quote:
00C850C7 61 popad
00C850C8 8D4424 80 lea eax,dword ptr ss:[esp-80] <--- You should be here
00C850CC 6A 00 push 0
00C850CE 39C4 cmp esp,eax
00C850D0 ^ 75 FA jnz short dekaron.00C850CC
00C850D2 83EC 80 sub esp,-80
00C850D5 - E9 88E9BFFF jmp dekaron.00883A62
00C850DA 0000 add byte ptr ds:[eax],al
00C850DC 48 dec eax
00C850DD 0000 add byte ptr ds:[eax],al
|
8. Disable the hardware breakpoint put earlier (Debug --> Hardware breakpoints --> Delete 1).
9. Put a breakpoint (press F2) on the unconditional jump.
Quote:
00C850C7 61 popad
00C850C8 8D4424 80 lea eax,dword ptr ss:[esp-80] <--- You should be here
00C850CC 6A 00 push 0
00C850CE 39C4 cmp esp,eax
00C850D0 ^ 75 FA jnz short dekaron.00C850CC
00C850D2 83EC 80 sub esp,-80
00C850D5 - E9 88E9BFFF jmp dekaron.00883A62 <--- Breakpoint here
00C850DA 0000 add byte ptr ds:[eax],al
00C850DC 48 dec eax
00C850DD 0000 add byte ptr ds:[eax],al
|
10. Execute Shift+F9 then remove the breakpoint (press F2 again).
11. Step over/into the unconditional jump.
12. You should land here:
Quote:
00883A61 C3 retn
00883A62 6A 60 push 60 <---- HERE
00883A64 68 6878AF00 push dekaron.00AF7868
00883A69 E8 AA620000 call dekaron.00889D18
00883A6E BF 94000000 mov edi,94
00883A73 8BC7 mov eax,edi
|
13. Now launch ImpREC, dump the target with ImpREC. Put the OriginalEntryPoint in the OEP grid and press Auto Search. Then press Get Imports.
14. After that choose Fix dump and choose your dumped file and you're done.
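
The two listings in post #26 can be cross-checked statically. The following is an added example, not part of the original post: it decodes the quoted instruction bytes and confirms that the final jmp resolves to the address the tutorial lands on, inside the region the stub writes to. Treating esi/edi as the stub's source and destination pointers is an assumption (it is how UPX-style stubs use them), and the function names are hypothetical.

```python
import struct

# Bytes transcribed from the two listings in post #26 (constructed sample input).
ENTRY_VA, ENTRY = 0x00C84F30, bytes.fromhex("60BE00B0A1008DBE00609EFF5783CDFFEB10")
TAIL_VA, TAIL = 0x00C850C7, bytes.fromhex("618D4424806A0039C475FA83EC80E988E9BFFF")


def stub_regions(entry: bytes):
    """Decode `pushad; mov esi,imm32; lea edi,[esi+disp32]` at the entry point.

    Returns (src, dst). Assumption: esi is the packed-data source pointer and
    edi the unpack destination, as in UPX-style stubs.
    """
    if entry[0] != 0x60 or entry[1] != 0xBE or entry[6:8] != b"\x8D\xBE":
        return None
    src = struct.unpack_from("<I", entry, 2)[0]
    disp = struct.unpack_from("<i", entry, 8)[0]      # signed displacement
    return src, (src + disp) & 0xFFFFFFFF


def tail_jump(tail: bytes, tail_va: int):
    """Locate `sub esp,-80; jmp rel32` after a popad and resolve the jump.

    Matching the 4-byte pattern avoids mistaking an 0xE9 byte inside an
    operand (the rel32 here contains one) for the jump opcode.
    """
    if not tail.startswith(b"\x61"):
        return None
    i = tail.find(b"\x83\xEC\x80\xE9")
    if i < 0 or i + 8 > len(tail):
        return None
    jmp_va = tail_va + i + 3
    rel = struct.unpack_from("<i", tail, i + 4)[0]
    return jmp_va, (jmp_va + 5 + rel) & 0xFFFFFFFF    # next-instruction VA + rel32


def check_listing():
    src, dst = stub_regions(ENTRY)
    jmp_va, target = tail_jump(TAIL, TAIL_VA)
    # The transfer should leave the stub and land inside the region it wrote.
    return {"src": src, "dst": dst, "jmp_va": jmp_va, "target": target,
            "lands_in_unpacked": dst <= target < src}


if __name__ == "__main__":
    for key, value in check_listing().items():
        print(key, hex(value) if type(value) is int else value)
```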

05/30/2009, 01:53
#27
Quote:
Originally Posted by giljs
Please ignore this. I was using a different exe than I thought I was.
|
5 mins work. Everything in order. Don't worry.
Quote:
Originally Posted by InstantDeath
Well, there used to be a script for this but it won't work anymore because the packer has changed. Actually it was much harder to unpack before. Everything gets easier all the time.
|
Nice tutorial. I'm always here. Maybe not posting but always watching.

05/30/2009, 09:41
#28
Nice tut, but where can I get the tools? ^^

05/30/2009, 12:43
#29
Tnx

05/30/2009, 17:03
#30
Quote:
Originally Posted by WarMasterRealOne
Nice tut, but where can I get the tools? ^^
|
Master, ever heard of Google?
ImpREC is but you'll find the Olly by yourself...
Quote:
Originally Posted by mita6ki2
Tnx
|
No problem, but I and many other people prefer the Thanks button. Just to keep the forum clean I recommend using that.