[Tutorial]How to unpack Game.exe
In this tutorial you will learn how to bypass the IsDebuggerPresent check used by VMProtect and how to unpack the Game.exe from BoI.
This tutorial was originally written by "PHANTOM28" from S.N.O.X.D!
I only removed some typos and added the way to find the second address needed for the OEP rebuild.
[-]Index:
- Requirements
- Preparations
- Unpacking Game.exe
- Fixing the IAT
- Afterthought
[-]1. Requirements
- OllyDbg 1.10, unmodified
- For Olly we need the plugins:
  - StrongOD
  - OllyDump
- Any hex editor
- ImpRec v1.7
- Universal Import Fixer (UIF)
- Brain.exe
[-]2. Preparations
We need to set up OllyDbg so that it is invisible; if we don't do this, the game will detect it and close itself.
Extract Olly, get the plugins, start it once and then close it (it will ask to patch the window class names; press OK).
Now open ollydbg.ini and search for the text "fengyue". You will find the StrongOD settings; change the driver name from "fengyue0" to something different (for example "XXXXXXX0"), save and close ollydbg.ini.
Now open your hex editor and load the OllyDbg executable; we need to make some changes here.
First search for the text "fengyue" and change it to (for example) "XXXXXXX". Keep the replacement the same length, so that the file's offsets do not shift, and use the same new name as in ollydbg.ini.
The next thing to do is search for the text "ACPU" and change all occurrences to (for example) "AXXX".
Now set the StrongOD options (the settings are shown in a screenshot in the original post, which is not reproduced here).
Next change the OllyDbg debugging options (likewise shown in a screenshot that is not reproduced here).
If everything is right, close Olly, open it again and load Game.exe from the bin folder. To test your Olly, press Run (F9) twice; if the game just runs like normal, you have already bypassed the IsDebuggerPresent check. But if you put a breakpoint in the code section you will see that the program detects it and stops: a software breakpoint writes an INT3 byte (0xCC) into the code, and the protection checks the code section for such modifications. That is the VM protection we are going to unpack now; see the next part.
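The two hex-editor steps above can also be scripted. The following is an added example, not part of the original tutorial: it renames the "fengyue" driver string and every "ACPU" marker with an equal-length replacement, counts what it touched and checks that no marker is left. SAMPLE_BINARY is a constructed stand-in for the OllyDbg executable (the real file is not included here), and the replacement strings are the tutorial's example values.

```python
"""Equal-length string patching, as used to hide the debugger build.

Added example, not part of the original tutorial. It does with a script what
the hex-editor steps do by hand: rename the StrongOD driver string "fengyue"
and every "ACPU" marker. SAMPLE_BINARY is constructed for the demo and is not
the real OllyDbg executable; the replacement strings are the tutorial's
example values.
"""

# Constructed stand-in for the bytes of the OllyDbg executable (not the real file).
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"fengyue\x00"                               # driver name string inside the binary
    + b"ACPU\x00" + b"\x00" * 3 + b"ACPU\x00"      # two marker occurrences
    + b"fengyue0\x00"                              # driver name as it appears in ollydbg.ini
)

# The tutorial's example replacements; every value has the same length as its key.
REPLACEMENTS = {b"fengyue": b"XXXXXXX", b"ACPU": b"AXXX"}


def patch_strings(data: bytes, replacements: dict) -> tuple:
    """Replace every occurrence of each key with its value, in place.

    A replacement must be exactly as long as the original: the file is
    edited in place, so a longer or shorter string would shift every byte
    after it and break the executable's offsets. Returns the patched bytes
    and how many occurrences of each pattern were replaced.
    """
    counts = {}
    for old, new in replacements.items():
        if len(old) != len(new):
            raise ValueError(f"{old!r} -> {new!r}: lengths differ, the patch would shift file offsets")
        counts[old] = data.count(old)
        data = data.replace(old, new)
    return data, counts


def leftover_markers(data: bytes, markers) -> list:
    """Check after patching: any marker still present would give the debugger away."""
    return [m for m in markers if m in data]


def patch_debugger(data: bytes = SAMPLE_BINARY, replacements: dict = REPLACEMENTS) -> tuple:
    """Apply the patch and verify nothing was missed; returns (patched, counts, leftovers)."""
    patched, counts = patch_strings(data, replacements)
    return patched, counts, leftover_markers(patched, replacements.keys())


if __name__ == "__main__":
    patched, counts, left = patch_debugger()
    for old, n in counts.items():
        print(f"{old!r}: {n} occurrence(s) replaced")
    print("leftovers:", left)
```

Because "fengyue0" contains "fengyue", the single binary replacement also covers the driver-name form, which keeps the binary and ollydbg.ini consistent as long as you use the same seven replacement characters in both.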
[-]3. Unpacking Game.exe
Load Game.exe in Olly; you will break at the system breakpoint in the ntdll section. Press Run (F9) and you will break at the EP (the packer's entry point).
Here you must find the call to the VMProtect function; this is the easy way to do it.
Press Ctrl+G and enter the expression "VirtualProtect" (the packer has to make the code section writable before it can fill it, so VirtualProtect is a convenient place to break).
Put a software breakpoint on it by double-clicking or pressing F2.
In the stack window (bottom right corner) you will see the arguments passed to VirtualProtect; the one that matters is the address 00401000, the start of the code section.
(Don't remove the BP yet!)
If you follow the address 00401000 in the dump you will see that it is empty, so press Run (F9) until you see the memory at 00401000 get filled.
That means the code section is filled and we can now set a breakpoint in that section. Delete the BP at the beginning of VirtualProtect and press F8 until you reach the RETN 10 (VirtualProtect takes four stack arguments, so it returns with RETN 10).
After that, pressing F7 or F8 brings us back to the EP code, which is where we want to be at this point, so press F7 or F8.
Now go to the Memory map tab (the M button in the Olly toolbar), select the code section, set a memory breakpoint on access and press F9.
The instruction we break at belongs to the function we need in order to fix our OEP. Save this address; we will need it later (it is the first of the two addresses the OEP stub needs).
First delete the memory breakpoint, then go to the RETN at the end of this function and put a BP on it.
Press Run to get there, delete the software breakpoint, press F7 and you will be back in the EP code again.
Follow the application with Ctrl+F8 (or F7, the long way) until you find the call where the window is created. Set a BP on that call, restart, run until that call, press F7 and animate (Ctrl+F8) until the next call. You might need to do that 3 or 4 times.
At the 3rd or 4th call press Ctrl+G, go to "GetStartupInfoA", scroll down to its RETN, set a BP there and press F9. After that press F7 or F8 to leave the function.
Seven lines above where you land you will find the second address we need (the instruction is "PUSH 60"; a PUSH 60 followed by a PUSH of an address and a CALL is the usual beginning of a Visual C++ runtime entry stub, which is why it marks the original entry point). Save that address as well!
Now we need to rebuild our OEP. Go to the free space at the end of the code section and assemble the following two lines, using the first saved address (the function found with the memory breakpoint) as the CALL target and the second saved address (the PUSH 60) as the JMP target:
Code:
CALL <first saved address>
JMP <second saved address>
After you have assembled these instructions, set the new origin on the CALL (right-click, "New origin here"); OllyDump takes the current EIP as the new entry point, so EIP must sit on the CALL when you dump. Now create your dump with the OllyDump plugin, with the "Rebuild Import" option unchecked.
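OllyDbg assembles those two lines for you; the following added example (not part of the original tutorial) shows what it actually writes into the free space, so you can check the bytes in the dump and read the two targets back out of them. All addresses are made-up placeholders: STUB_VA stands for the free space where the stub is assembled (the new EP), FIRST_ADDR for the function found with the memory breakpoint and SECOND_ADDR for the PUSH 60 below GetStartupInfoA.

```python
"""Encode the two-line OEP stub (CALL <first address>, JMP <second address>).

Added example, not part of the original tutorial. Both instructions are the
5-byte E8/E9 forms with a signed 32-bit displacement measured from the end of
the instruction, which is why the JMP's displacement depends on the CALL
having been placed 5 bytes earlier. All addresses below are made up.
"""
import struct

STUB_VA = 0x0045F000      # assumed free space where the stub is assembled (new EP)
FIRST_ADDR = 0x00401000   # assumed address saved after the memory breakpoint
SECOND_ADDR = 0x00423456  # assumed address of the PUSH 60


def rel32(instr_va: int, target_va: int) -> bytes:
    """Displacement for a 5-byte E8/E9 instruction, relative to the next instruction."""
    disp = target_va - (instr_va + 5)
    if not -0x80000000 <= disp <= 0x7FFFFFFF:
        raise ValueError("target out of rel32 range")
    return struct.pack("<i", disp)


def encode_call(instr_va: int, target_va: int) -> bytes:
    """CALL rel32 (opcode E8)."""
    return b"\xE8" + rel32(instr_va, target_va)


def encode_jmp(instr_va: int, target_va: int) -> bytes:
    """JMP rel32 (opcode E9)."""
    return b"\xE9" + rel32(instr_va, target_va)


def build_oep_stub(stub_va: int, first_addr: int, second_addr: int) -> bytes:
    """CALL first_addr, then JMP second_addr: 10 bytes; the EP must be set to stub_va."""
    call = encode_call(stub_va, first_addr)
    jmp = encode_jmp(stub_va + len(call), second_addr)
    return call + jmp


def decode_stub(stub_va: int, code: bytes) -> tuple:
    """Read the two targets back out of the stub, to verify what was written."""
    if len(code) < 10 or code[0] != 0xE8 or code[5] != 0xE9:
        raise ValueError("not a CALL rel32 / JMP rel32 pair")
    call_target = (stub_va + 5 + struct.unpack_from("<i", code, 1)[0]) & 0xFFFFFFFF
    jmp_target = (stub_va + 10 + struct.unpack_from("<i", code, 6)[0]) & 0xFFFFFFFF
    return call_target, jmp_target


if __name__ == "__main__":
    stub = build_oep_stub(STUB_VA, FIRST_ADDR, SECOND_ADDR)
    print("bytes at %08X:" % STUB_VA, stub.hex(" ").upper())
    print("decodes to CALL %08X / JMP %08X" % decode_stub(STUB_VA, stub))
```

If you later move the stub (for example into a new section), both displacements change, so re-assemble rather than copying the bytes.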
Great, you just unpacked VMProtect =)
You can test this dump file and you will see that it works, but if you copy the dump to another OS it won't run, and you will feel frustrated =( The reason is that the dump still contains the raw IAT: the absolute addresses of the API functions as they were resolved in your process, which are only valid where the system DLLs are loaded at the same bases.
But don't worry, we are not finished here: you need to fix the dump file so it can run on other OSes too.
[-]4. Fixing the IAT
After creating an unpacked dump file that works, you need to fix the IAT so the dump will work on other OSes too.
Run your dump file in Olly and break at the EP you created (press F9 twice). Now you need the process ID of your dump; you can get it with Task Manager or something similar, or just run cmd.exe and execute the command "tasklist".
After that run the Universal Import Fixer (UIF), input the PID of your dump and leave "Code Start/End" and "New IAT VA" untouched (that is, 0).
Press "Start" and let it work; when it has finished it shows its result.
The info shown after "Fixing Success..." (the RVA and size of the IAT) is what we need now to fix the dump, so start ImpRec.
Attach to the process of the dump file. If you click the "AutoSearch" button you will get a message saying that it cannot find anything interesting at that OEP, and if you press "Get Imports" it fills the list of imported functions with invalid values; that is what we are going to fix ^^
Press the "Clear Imports" button, fill the OEP box with "00000000", put the RVA that UIF showed you in the RVA box and the size in the Size box, then press "Get Imports" again and you will see a list of valid thunks in the list box.
Great, now I will show how to set up ImpRec to fix the dump. Check "Add new section" in the main window and press the "Options" button. Select only the options shown in the original post's screenshot (not reproduced here).
Close the options and press the "Fix Dump" button; a window will pop up where you select the dump file you need to fix.
Let ImpRec work and you will have a fixed dump file, gratz =)
Now it will work on other OSes too. ImpRec saves the fixed file with an extra "_" appended to the file name. If you want to do some research in the game code now, you don't need an invisible Olly anymore, but you can use it anyway.
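To see what UIF and ImpRec are doing when they report the IAT's RVA and size and list "valid thunks", here is an added example that is not part of the original tutorial and not code from either tool. Each dword in the IAT is a function address the Windows loader wrote into the process, so it can only be mapped back to a DLL and export name by knowing where each DLL was loaded; on another machine the same values point nowhere, which is why the unfixed dump fails there. MODULES, OTHER_OS_MODULES, IMAGE_BASE, IAT_VA and SAMPLE_IAT are constructed for the demo and all addresses and export RVAs are made up; the real tools read the export tables of the loaded DLLs out of the process instead of a dictionary.

```python
"""Resolve a dumped IAT's absolute pointers back to DLL!export names.

Added example, not part of the original tutorial and not UIF/ImpRec code.
The module map and the IAT bytes are constructed; all addresses are made up.
"""
import struct

IMAGE_BASE = 0x00400000   # assumed image base of the dump
IAT_VA = 0x0042A000       # assumed address of the IAT inside the dump

# Constructed loaded-module list of the machine the dump was taken on (base and export RVAs made up).
MODULES = {
    "kernel32.dll": {"base": 0x7C800000, "exports": {"VirtualProtect": 0x1AD4, "GetStartupInfoA": 0x12C1}},
    "user32.dll": {"base": 0x7E410000, "exports": {"CreateWindowExA": 0xE8A5}},
}
# The same DLLs on another machine, loaded at different bases (constructed).
OTHER_OS_MODULES = {dll: {"base": m["base"] + 0x10000, "exports": m["exports"]} for dll, m in MODULES.items()}

# Constructed IAT: a stale value, resolved pointers with zero separators between DLLs, then garbage.
SAMPLE_IAT = struct.pack("<7I", 0x0045F000, 0x7C801AD4, 0x7C8012C1, 0, 0x7E41E8A5, 0, 0xDEADBEEF)


def build_lookup(modules: dict) -> dict:
    """Invert the export lists into absolute address -> (dll, name)."""
    return {m["base"] + rva: (dll, name) for dll, m in modules.items() for name, rva in m["exports"].items()}


def resolve_iat(iat_bytes: bytes, iat_va: int, modules: dict) -> list:
    """Walk the IAT dword by dword; returns [(va, value, dll, name)].

    dll and name are None both for the zero separators that end a DLL's
    thunk list and for pointers that match no export of any loaded module.
    """
    lookup = build_lookup(modules)
    entries = []
    for off in range(0, len(iat_bytes) // 4 * 4, 4):
        value = struct.unpack_from("<I", iat_bytes, off)[0]
        dll, name = lookup.get(value, (None, None))
        entries.append((iat_va + off, value, dll, name))
    return entries


def iat_rva_and_size(entries: list, image_base: int):
    """Longest run of resolved pointers (zero separators allowed) as (RVA, size in bytes).

    This is the pair a fixer reports; None if nothing in the range resolves.
    """
    runs, cur = [], []
    for entry in entries:
        _, value, dll, _ = entry
        if dll is not None or value == 0:
            cur.append(entry)
        else:
            runs.append(cur)
            cur = []
    runs.append(cur)
    runs = [r for r in runs if any(e[2] is not None for e in r)]  # a run of only zeros is not an IAT
    if not runs:
        return None
    best = max(runs, key=len)
    return best[0][0] - image_base, 4 * len(best)


def valid_thunks(entries: list) -> list:
    """Names in the form a rebuilder lists them."""
    return [f"{dll}!{name}" for _, _, dll, name in entries if dll is not None]


if __name__ == "__main__":
    here = resolve_iat(SAMPLE_IAT, IAT_VA, MODULES)
    print("this machine:", valid_thunks(here), "IAT RVA/size:", iat_rva_and_size(here, IMAGE_BASE))
    there = resolve_iat(SAMPLE_IAT, IAT_VA, OTHER_OS_MODULES)
    print("other machine:", valid_thunks(there), "IAT RVA/size:", iat_rva_and_size(there, IMAGE_BASE))
```

The fixed dump replaces these raw pointers with an import directory of DLL and function names, so the loader resolves them afresh on whatever machine runs the file.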
[-]Afterthought:
I hope this helped you, and I want to note again:
This tutorial was originally written by "PHANTOM28" from S.N.O.X.D!
I only removed some typos and added the way to find the second address needed for the OEP rebuild.
greetz