Update:
Looks like the EIP might be in the actual exe we run to launch the bot. After entry it calls to the gamemon.des. This isn't a problem in itself, BUT becomes a huge problem when trying to unpack it.
The launcher program doesn't use Themida.
Running SEVERAL unpackers, debuggers, and disassemblers on this **** bot, I have found something.
Themida is not the problem at all. That actually should be able to be stripped out fairly easily.
Anyone that's run UnThemida on the bot has probably found that you get an OEP error and UnThemida terminates.
What I have tried:
I have run a couple of OEP finders as well as tried to force OEP in the unpacking.
I have found a variance of OEP depending on which find method I was using. All the OEPs end up having various offset errors (most at FFFF 038FB039).
In the version I did unpack (but did not unhook anything), that address comes up with "FFFF ??? Unknown Command" every time.
What I have found:
Every working solution is found by trying to repro the problem.
I was able to figure out WHY this is a problem, but I do not know how to get around it without manually unpacking with a MUP (I tried, but I am unable to locate the ACTUAL entry point for OEP).
The problem with this **** bot is that the OEP is outside of the PE headers. That is why any of our unpacking utilities are having problems, or giving errors.
If anyone can find me the EP for OEP, I can manually unpack it and unhook all the needless **** in it.
I'm PRETTY sure the entry point is located in the "launcher" program.






