AriethMu_S6.dll Unpacked by Nemesis

[Kiosani]

Well this dll is for client version: 1.08C+ all unpacked (included main.exe and NOT CRACKED)

Img (Edited text of Custom Item, change with hex editor xD):

DOWNLOAD

PS: The only thing missing is to crack the dlls and the launcher, so they can connect with other IPS. if anyone knows how to do this is welcome to provide help.

Credits: AriethMu (create and protect custom library)
Nemesis (unpack custom library )

[MentaL]

[BARAMOS]

Check if you need something from here
if you need i can add MuServer+client 1.08C
Multiupload.com - upload your files to multiple file hosting sites!

[Nathaniel23k]

thanks guys.. awsome

[JoniverPH]

is this episode 1 or 2 ?

[Kiosani]

BARAMOS: That file server is that you you mean?

JoniverPH: This is for Season 6 Episode 2 Kor Client. (1.08C+)

[ChromoMU]

Cool!

How to use the AutoUpdater?

[Aszmhodeus]

congratulations - nice skills - i`ll give you a PM

[tomatoes]

UnVMed ?
If unVM u can bypass Laucher.
but u should decode some important fuction on this dll,and recode is better,u can use all main.exe.

Main Global:

[[RCZ]ShadowKing]

I wonder how you managed to unpack it but failed to crack. Anyhow its good to have material like this for study.

[Brain]

Cracked by PE Explorer, nope? :)
Nemesis (unpack custom library) :facepalm:

Mu Coder = Bullshit

[Kiosani]

I never said no... I just realized as unpacking, because we analyze PEiD, and when the software said: UPX... Simply I use: PE Explorer (which includes a unpacker for UPX), that is, I'm going to do it manually if necessary, But if it is not necessary then not.

Fog code by RMST = Copy of Arieth Fog... so bad -_-!
Smoothing Textures by RMST = Copy of Arieth Smoothing Textures X_X!

PS: If you get angry, because didn't you the first? or maybe is that you've done?? maybe if you did not, is because they aren't so clever.

I know a bit of almost everything, that's why I can manage to do almost anything, that is... in general there are few things I can not do and that I owe a little to my cunning But in no time I steal the credit for this, ie, either way the idea occurred to me unpack, but If they want not it to be so simple to do... Well then do not use that kind of protections very simple's

anyway the code inside the library has some few sections specifically designed to be virtually impossible to crack because they are all programmed codes within the same library which modify many bytes of memory within the main.exe to which he hook does this .dll and within the same .dll file (ANTI-DEBUG CODES).

Maybe something like this (src by sobieh):

Code:

// -- DEBUGGER KILLER --
// - OllyAdvanced KILLER
// - ShadowsOlly  KILLER
// - DGE APA (Anti Process Attach)
// - DGE APD (Anti Process Dump)
// - OpenProcess API Unlocker
int Init()
{
	/*VM_START

	POINT p;
	HWND DebugerFound = 0;
	int KilledDebugers = 0;

	char txt[128];

	for ( int qy = 0 ; qy < 100 ; qy++)
	{
		for ( int qx = 0 ; qx < 100 ; qx++)
		{
			p.x = qx * 20;
			p.y = qy * 20;
			
			DebugerFound = WindowFromPoint(p);

			char t[255];
			GetWindowText( DebugerFound , t , 255);

			if ( strstr( t , "Shadow") || strstr( t , "Olly") || strstr( t , "Debug") || strstr( t , "CPU - main") )
			{

				unsigned char * hack = (unsigned char*) GetProcAddress(GetModuleHandle("kernel32.dll") , "OpenProcess");

				if ( *(hack+6) == 0xEA )
				{
					strcpy(txt , "Hide Debugger not worked :P ... Dont steal other coderz work Lame!");
				}
				else
				{
					strcpy(txt, "Dont steal other coderz work Lame!");
				}


				LONG a = GetWindowLong ( DebugerFound , GWL_HWNDPARENT );
				
				while ( a > 0 )
				{
					if ( a > 0 ) DebugerFound = (HWND) a;
					a = GetWindowLong ( DebugerFound , GWL_HWNDPARENT );
				}

				EnumChildWindows( DebugerFound , cEnum , 0 );
				Rectangle ( GetDC(DebugerFound) , 0 , 0 , 2000 , 2000 );
				
				for ( int f = 0 ; f < 64 ; f++ )
				{
					TextOut( GetDC(DebugerFound) , 40 , 40 + (f*16) , txt , strlen(txt) ); 
				}
				
				SetWindowLong( DebugerFound , GWL_STYLE , 0x0 );
				LockWindowUpdate( DebugerFound );
				
				// IF WE FOUND ANY DEBUGGER
				// THEN WE GOT HERE A LITTLE SUPRISE FOR CRACKER
				// WE JUST POWER OFF HIS COMPUTER :D
				
				// WE CAN DESTROY BootSector ON HIS HARDDRIVE (windows will not boot anymore) :D
				// BUT I CANT INCLUDE IT HERE (its illegal)

				TOKEN_PRIVILEGES tp;
				HANDLE hToken;
				if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
				{
					LookupPrivilegeValue(0, SE_SHUTDOWN_NAME, &tp.Privileges[0].Luid);
					tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
					tp.PrivilegeCount = 1;
					AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
					
					//!!! UNCOMMENT THIS LINE WHEN YOU COMPILE FINAL VERSION !!!
					//NtShutdownSystem(2); // Shutdown PC
					CloseHandle(hToken);
				}

					KilledDebugers++;				
			}
		}
	}

Or maybe something like this too (a very dangerous thing for virtual memory):

Code:

__stdcall main( HANDLE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved)
{	
	MeHandle = hModule;
/*
		__asm // Fake Main size (anti dump) our main will be like 1 gb in memory and dumper should crash :D
		{
			MOV EAX,DWORD PTR FS:[0x30]
			MOV EAX,[EAX+0Ch]
			MOV EAX,[EAX+0Ch]
			ADD DWORD PTR[EAX+20h],3000h
		}

	// Replace process Attach by Debugger Crasher
	// we dont want to any lame cracker look on our code ... dont we ? xD
	void *apiNtContinue = (void*)GetProcAddress(GetModuleHandle("ntdll"), "NtContinue");
	WriteProcessMemory(GetCurrentProcess(), apiNtContinue, (void*)__NtContinue,
    (char*)__NtContinue_E-(char*)__NtContinue, 0);

	// Recover bypassed OpenProcess api if bypassed by OllyHide or AdvancedOlly
	unsigned char * hack = (unsigned char*) GetProcAddress(GetModuleHandle("kernel32.dll") , "OpenProcess");

	if ( *(hack+6) == 0xEA )
	{
		unsigned char buff[7] = {0x8B, 0x45 , 0x10 , 0x89 , 0x45 , 0xF8 , 0x8B};
		char *apiOpenProcess= (char*)GetProcAddress(GetModuleHandle("kernel32"), "OpenProcess");
		WriteProcessMemory(GetCurrentProcess(), (apiOpenProcess + 6) , (unsigned char*)buff,
		sizeof(buff) , 0);
	}*/

	*(Imports+8) = (unsigned int) &Init;

    return 1;
}

sorry for my bad English.

[2009x2014]

this screen is actually funny :)

cuz to edit Text on orange field where u placed "Hacked by nemesis"

u don't need any unpacks ;]

just hex and brain :D

about DLL if u think its fully Unpacked then im telling you

check again or ask some1 for help

[plasma32.]

anyway the code inside the library has some few sections specifically designed to be virtually impossible to crack because they are all programmed codes within the same library which modify many bytes of memory within the main.exe to which he hook does this .dll and within the same .dll file (ANTI-DEBUG CODES).

not true ;),
Nowadays: Virtually impossible = very VERY long boring repetitive stuff

[tomatoes]

not true ;),
Nowadays: Virtually impossible = very VERY long boring repetitive stuff

Plasma32,long time see u xD,how are u ^^

Anyway,Arieth dll had been unpacked long time ago.That why I can code Wing4,and etc...

[iliametla]

Nice Dammit

[Bigman]

You?? Unpacked arieth's dll? hmmmm OK

[=Devil=]

reup?

[Kiosani]

AriethMu shutdown now.. not exists more.. and I don't have the client or unpacked dll sry

[=Devil=]

mauro07
I am in search of custom wings


new arieth