Search For Google and here But No Specific tutorial to unpack game exe can someone tutor me to unpack it
First of all, there is no "unpack a game exe" tutorial.
First you need to figure out what it's packed with. So go do that, and reply back here when that's done.
http://www.megaupload.com/?d=C2V1J1WV
Client 559 unpacked.
And for packing it, use ASProtect.
It's the most suitable; I tried other packers and they crash with GG.
You didn't exactly specify which version.
OK, I have started learning something: I have found the client is protected with ASPack, then I looked for some guide but I didn't get what the tutorial said. BTW, it's 1753.
Hmm... yeah, I downloaded it, but I still wanna learn it :)
Heh, alright, well the 1750 client is protected with ASProtect 1.23RC4.
First get the OllyDump plugin for OllyDbg.
Open OllyDbg, go into Options and make sure Memory access violation is NOT ticked in the debug options.
Open the client in Olly and you should see an access violation exception in the lower left corner; hit Shift+F9 once and select No to analyze code.
The starting code should look something like:
push <address>
call <address>
Now hit Shift+F9 (27 times for me), breaking on every access violation, until you hit a place where the code looks something like this:
xor dword.. ,eax
pop ..
pop ..
cmp dword.. ,0
je ..
push 0C
..
Place a breakpoint on the RETN at the end of this function and hit Shift+F9 again to break on it; remove the breakpoint, then hit F7 once.
Hit Alt+M, find your client in the list and click the section of your client that says code (starting at address 00401000); right-click on it and select: Set memory breakpoint on access.
Hit Ctrl+F11 to start the trace (it will take a while). Once it breaks, hit F7 once and you're now on the OEP (Original Entry Point). However, there are some bytes stolen by ASProtect that you need to restore; the way you do that is by opening your trace log (View -> Run trace) and making sure Highlight register = ESP is selected. Then you find the stolen bytes by analyzing this; however, I cba to explain it, so just close the run trace, scroll up a bit and insert these 2 lines where the code is junk:
006BC90D PUSH 60
006BC90F PUSH 0071B668
Those are the only 2 stolen code commands. Right-click on the line with PUSH 60 and select New origin here.
Now you need to dump the entire thing to a file, so select Plugins -> OllyDump -> Dump debugged process (untick Rebuild Import at the bottom), click OK and save the file under some new filename.
Now you just need to fix the imports (which ASProtect has changed); use ImpREC to do this. You'll need to use a program like ImpREC 1.7c: select your OllyDbg client.exe process from its open DLL dropdown box.
Fill in your (OEP - 00400000) in the OEP editbox (002BC90D) and click IAT AutoSearch.
Click on Get Imports, then click the Show Invalid button on the right side; it will highlight all invalid import calls.
Right-click on them and select Plugin Tracers -> ASProtect 1.23RC4.
Click again on Show Invalid; it should not have any left (it might highlight some valid calls, just ignore that). Click on Fix Dump and select the filename you dumped from OllyDbg, then exit ImpREC.
Now open up LordPE, click Rebuild PE, open the file ImpREC saved, and exit LordPE.
You will now have an unpacked client.exe.
Note that there might be compatibility issues when running this new file on 32-bit vs 64-bit systems. There is another program similar to ImpREC that will fix this issue; however, it doesn't have the tracers support, so it will take a long time to fix the imports. Alternatively, you can first use ImpREC, then open the ImpREC-saved file in the new program (CHimpRec) and save a new file from that (this will make the file work on all 32-bit/64-bit editions of Windows).
--
The End.
Good luck unpacking and merry Christmas :)
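An added example, not from any post in this thread: a small Python PE32 parser that applies the usual packed-image heuristics behind the "figure out what it's packed with" step (entry point outside the first section, a section whose raw size is far smaller than its virtual size, high-entropy section data) and computes the OEP RVA that ImpREC asks for (006BC90D - 00400000 = 002BC90D). The two-section sample image, its ".stub" section name and the thresholds are constructed for the demo, not taken from a real client.

```python
import math
import struct
from collections import Counter

def entropy(data):
    """Shannon entropy in bits per byte; compressed or encrypted data sits near 8.0."""
    n = len(data) or 1
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_pe(buf):
    """Return image base, entry-point RVA and per-section stats of a PE32 image."""
    pe = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[:2] != b"MZ" or buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<2xH12xH", buf, pe + 4)   # COFF header
    opt = pe + 24                                                   # optional header
    ep, base = struct.unpack_from("<12xI8xI", buf, opt + 4)        # AddressOfEntryPoint, ImageBase
    sections = []
    for i in range(nsec):
        h = opt + opt_size + 40 * i
        name = buf[h:h + 8].rstrip(b"\0").decode("latin-1")
        vsize, va, raw, ptr = struct.unpack_from("<IIII", buf, h + 8)
        sections.append({"name": name, "va": va, "vsize": vsize, "raw": raw, "entropy": entropy(buf[ptr:ptr + raw])})
    return {"base": base, "ep": ep, "sections": sections}

def packer_indicators(pe):
    """Heuristics that point at a packed image; none of them names the packer by itself."""
    hits = []
    ep_sec = next((s for s in pe["sections"] if s["va"] <= pe["ep"] < s["va"] + s["vsize"]), None)
    if ep_sec is not None and ep_sec is not pe["sections"][0]:
        hits.append(f"entry point lies in {ep_sec['name']!r}, not in the first section")
    for s in pe["sections"]:
        if s["vsize"] > max(s["raw"], 1) * 4:
            hits.append(f"{s['name']!r}: virtual size {s['vsize']:#x} vs raw size {s['raw']:#x} (filled at run time)")
        if s["entropy"] > 7.0:
            hits.append(f"{s['name']!r}: entropy {s['entropy']:.2f} (compressed or encrypted stub)")
    return hits

def oep_rva(oep_va, image_base):
    """ImpREC takes the OEP as an RVA: the address shown in OllyDbg minus the image base."""
    return oep_va - image_base

def build_sample():  # constructed PE32 image for the demo, not a real game client
    stub = bytes(range(256)) * 4                         # 1024 bytes, entropy exactly 8.0
    text = struct.pack("<8sIIII", b".text", 0x6000, 0x1000, 0, 0) + b"\0" * 16
    pack = struct.pack("<8sIIII", b".stub", 0x1000, 0x7000, len(stub), 0x200) + b"\0" * 16
    opt = struct.pack("<H14xI8xI", 0x10B, 0x7000, 0x400000)      # Magic, EP, ImageBase
    coff = struct.pack("<HH12xHH", 0x14C, 2, len(opt), 0x102)    # i386, 2 sections
    hdr = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + text + pack
    return hdr.ljust(0x200, b"\0") + stub
```

Run `packer_indicators(parse_pe(open("client.exe", "rb").read()))` on a real file to see which heuristics fire before choosing an unpacking approach.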
Thx tyfix, nice tutorial.
Sure, no problem. This method doesn't work for newer versions of ASPR, btw.
Sorry for the off-topic...
Sir tyfix, as I quoted above, you are saying that if we use CHimpRec to edit an .exe or unpack it, then it can be used on the 64-bit Windows version. So does it mean that if there is any compatibility issue after using Olly or any other 32-bit debugger, then using this will fix those issues?
Anyway, nice guide on the unpacking; you are one of the most helpful persons here in RZ besides alpha and arpa.
Normal ImpREC works on 64-bit as well, but then it doesn't work on 32-bit; basically it works on the architecture you unpacked it on but not the other. But the reason why you should still use it is to fix the imports, which it is excellent at; CHimpRec does not have all the plugin tracers that normal ImpREC does and therefore cannot fix the imports, so you will have to use both.
There isn't any compatibility issue using Olly 32-bit really; you do need a plugin for Olly to make it work on 64-bit tho.
Thanks :)
Thanks tyfix... and merry Christmas.
Thx morbid.
Can u unpack my game.exe??
Follow the guide.