ASProtect 1.23 RC4 - 1.3.08.24 (Manual Unpacking) - Need help...


DeadlyData
12-12-2010, 06:41 AM
Alright, so I've tried this several times, both on my Windows 7 machine and on my XP Mode VM, and I can't seem to ever get the OEP of this game client I'm attempting to unpack.

I've tried every publicly available version of aspstripper, and followed several unpacking tutorials...

One I've just now followed before creating this thread was here:

http://www.reversing.be/article.php?story=20050329165716822


After getting to this point:


00B45000 68 C3F44000 PUSH 40F4C3
00B45005 68 DB4DB400 PUSH 0B44DDB
00B4500A C3 RETN <--------- Until this RETN

Then execute that RETN:


00B44DDB EB 01 JMP SHORT 00B44DDE
00B44DDD 9A 51579CFC BF1F CALL FAR 1FBF:FC9C5751
00B44DE4 4E DEC ESI
00B44DE5 B4 00 MOV AH,0
00B44DE7 B9 5E140000 MOV ECX,145E
00B44DEC F3:AA REP STOS BYTE PTR ES:[EDI]
00B44DEE 9D POPFD
00B44DEF 5F POP EDI
00B44DF0 59 POP ECX
00B44DF1 C3 RETN <-------------------- Put bp here!


The code seems to be different because that return does not end with the same result as what most other people have gotten...

Instead it ends in another return, which has no relation to the signature code I've seen in everyone's tutorial.

Below is the 'signature' code I'm speaking of...

0040F4C3 FF15 30174100 CALL DWORD PTR DS:[411730] ; msvcrt.__set_app_type
0040F4C9 59 POP ECX
0040F4CA 830D F4AE4100 FF OR DWORD PTR DS:[41AEF4],FFFFFFFF
0040F4D1 830D F8AE4100 FF OR DWORD PTR DS:[41AEF8],FFFFFFFF
0040F4D8 FF15 38174100 CALL DWORD PTR DS:[411738] ; msvcrt.__p__fmode



I'm not quite sure if this is because the game client has nProtect's GameGuard software embedded within it or what the case is, but if anyone can help with unpacking this I'd greatly appreciate it.

URL:

http://rapidshare.com/files/436357998/RH.rar


The file is 'rohanclient.exe'. All required DLLs, GameGuard, etc. are within the rar supplied, and it's on my file share, so it shouldn't require you to have a RapidShare account to download it without wait times, etc.
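
A byte-pattern scan for the startup sequence quoted in the post above, with the absolute addresses wildcarded so the same pattern can be run over a memory dump of another image. This is an added example, not code from the thread; the sample buffer, its base address and the function names are constructed for illustration.

```python
import re
import struct

# The five instructions from the listing, absolute addresses wildcarded:
# CALL [slot] / POP ECX / OR [x],-1 / OR [y],-1 / CALL [slot]
PATTERN = ("FF 15 ?? ?? ?? ?? 59 "
           "83 0D ?? ?? ?? ?? FF "
           "83 0D ?? ?? ?? ?? FF "
           "FF 15 ?? ?? ?? ??")


def compile_pattern(text):
    """Turn 'FF 15 ?? ...' into a bytes regex; '??' matches any byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in text.split()]
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL: '.' also matches 0x0A


def find_startup_stub(image, base):
    """Return one dict per match: VA of the first CALL and both call slots."""
    hits = []
    for m in compile_pattern(PATTERN).finditer(image):
        off = m.start()
        first_slot, = struct.unpack_from("<I", image, off + 2)    # operand of 1st CALL
        second_slot, = struct.unpack_from("<I", image, off + 23)  # operand of 2nd CALL
        hits.append({"va": base + off, "call_slots": (first_slot, second_slot)})
    return hits


# Constructed sample: the bytes shown in the post, surrounded by filler,
# placed so the first CALL lands at 0040F4C3 as in the listing.
SAMPLE_BASE = 0x0040F4B0
SAMPLE = (
    b"\x90" * 0x13
    + bytes.fromhex("FF1530174100")    # CALL DWORD PTR DS:[411730]
    + bytes.fromhex("59")              # POP ECX
    + bytes.fromhex("830DF4AE4100FF")  # OR DWORD PTR DS:[41AEF4],FFFFFFFF
    + bytes.fromhex("830DF8AE4100FF")  # OR DWORD PTR DS:[41AEF8],FFFFFFFF
    + bytes.fromhex("FF1538174100")    # CALL DWORD PTR DS:[411738]
    + b"\xCC" * 8
)

if __name__ == "__main__":
    for hit in find_startup_stub(SAMPLE, SAMPLE_BASE):
        slots = ", ".join(f"{s:08X}" for s in hit["call_slots"])
        print(f"match at {hit['va']:08X}, call slots: {slots}")
```

The two call slots it reports can be checked against the dump's import table to confirm they resolve to the `msvcrt` functions named in the listing.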

Fyyre
12-13-2010, 02:55 PM
Hi DeadlyData,

I 'played' around with this game a few months ago, removing the GameGuard rootkit, etc... from what I remember Stripper v2.13 beta 9 easily unpacks rohanclient.exe -- I use VMWare for this, but doubt this makes any difference.

Stripper unpacks what you uploaded... and I have uploaded it here, if you like...

rohanclient.7z (http://fyyre.l2-fashion.de/other/rohanclient.7z)

This one does not do any server side verification with GG... so removing the client side part is all that is required.

Be well,

-Fyyre
