  1. #1
    scriptkiddy - Join Date: Jul 2009 - Location: Canada - Posts: 67

    [Unpacking] MapleStory (Themida)

    I have been reverse engineering for a long time. However, I have never attempted to unpack Themida. I know how to manually unpack easier protectors using ImpRec & OllyDump. My question is, how can I get better so that I can unpack Themida?

    I want to unpack Themida for the following reason:

    While reverse engineering GameLauncher.exe I found that:

    GameLauncher:
    Code:
            PUSH -1
            PUSH GameLaun_00401FB9               ; Entry address
            MOV EAX,DWORD PTR FS:[0]
            PUSH EAX
            MOV DWORD PTR FS:[0],ESP
            SUB ESP,0140h
            PUSH ESI
            MOV ESI,ECX
            LEA EAX,DWORD PTR SS:[ESP+034h]
            LEA ECX,DWORD PTR SS:[ESP+018h]
            PUSH EAX
            PUSH ECX
            PUSH 0
            PUSH 0Fh
            PUSH 0
            PUSH 0
            PUSH 0
            PUSH GameLaun_00403160               ; ASCII "SOFTWARE\\Wizet\\MapleStory"
            PUSH 080000002h
            MOV DWORD PTR SS:[ESP+028h],0
            CALL DWORD PTR DS:[<&ADVAPI32.RegCreateKeyExA>] ; ADVAPI32.RegCreateKeyExA
            LEA ECX,DWORD PTR SS:[ESP+024h]
            CALL #540                            ;<= Jump/Call Address Not Resolved
            LEA EDX,DWORD PTR SS:[ESP+02Ch]
            LEA EAX,DWORD PTR SS:[ESP+03Ch]
            PUSH EDX
            MOV EDX,DWORD PTR SS:[ESP+01Ch]
            LEA ECX,DWORD PTR SS:[ESP+03Ch]
            PUSH EAX
            PUSH ECX
            PUSH 0
            PUSH GameLaun_00403154               ; ASCII "ExecPath"
            PUSH EDX
            MOV DWORD PTR SS:[ESP+0164h],0
            MOV DWORD PTR SS:[ESP+044h],0104h
            CALL DWORD PTR DS:[<&ADVAPI32.RegQueryValueExA>] ; ADVAPI32.RegQueryValueExA
            TEST EAX,EAX
            JE @GameLaun_0040165D
            MOV ECX,ESI
            CALL @GameLaun_00401880              ;<= Jump/Call Address Not Resolved
            TEST EAX,EAX
            JNZ @GameLaun_00401844
            PUSH EAX
            PUSH EAX
            PUSH GameLaun_00403108               ; ASCII "Cannot locate the game installation path. Please check the installation."
            MOV ECX,ESI
            CALL #4224                           ;<= Jump/Call Address Not Resolved
            JMP @GameLaun_00401844
    
    @GameLaun_0040165D:
    
            LEA EAX,DWORD PTR SS:[ESP+03Ch]
            PUSH EBX
            PUSH EAX
            LEA ECX,DWORD PTR SS:[ESP+010h]
            CALL #537                            ;<= Jump/Call Address Not Resolved
            LEA ECX,DWORD PTR SS:[ESP+02Ch]
            PUSH 1
            PUSH ECX
            LEA ECX,DWORD PTR SS:[ESP+014h]
            MOV BYTE PTR SS:[ESP+0158h],1
            CALL #5710                           ;<= Jump/Call Address Not Resolved
            MOV EAX,DWORD PTR DS:[EAX]
            PUSH GameLaun_00403104
            PUSH EAX
            MOV BYTE PTR SS:[ESP+0158h],2
            CALL DWORD PTR DS:[<&MSVCRT._mbscmp>] ; msvcrt._mbscmp
            ADD ESP,8
            TEST EAX,EAX
            JNZ @GameLaun_004016C8
            LEA EDX,DWORD PTR SS:[ESP+0Ch]
            PUSH GameLaun_004030F4               ; ASCII "MapleStory.exe"
            LEA EAX,DWORD PTR SS:[ESP+018h]
            PUSH EDX
            PUSH EAX
            CALL #924                            ;<= Jump/Call Address Not Resolved
            MOV EBX,1
            MOV DWORD PTR SS:[ESP+8],EBX
            MOV BYTE PTR SS:[ESP+0150h],3
            JMP @GameLaun_00401713
    
    @GameLaun_004016C8:
    
            LEA ECX,DWORD PTR SS:[ESP+0Ch]
            PUSH GameLaun_00403104
            LEA EDX,DWORD PTR SS:[ESP+028h]
            PUSH ECX
            PUSH EDX
            CALL #924                            ;<= Jump/Call Address Not Resolved
            MOV DWORD PTR SS:[ESP+8],2
            PUSH GameLaun_004030F4               ; ASCII "MapleStory.exe"
            PUSH EAX
            LEA EAX,DWORD PTR SS:[ESP+03Ch]
            MOV DWORD PTR SS:[ESP+0158h],4
            PUSH EAX
            CALL #924                            ;<= Jump/Call Address Not Resolved
            MOV EBX,6
            MOV DWORD PTR SS:[ESP+8],EBX
            MOV DWORD PTR SS:[ESP+0150h],5
    
    @GameLaun_00401713:
    
            PUSH EAX
            LEA ECX,DWORD PTR SS:[ESP+014h]
            CALL #535                            ;<= Jump/Call Address Not Resolved
            TEST BL,4
            MOV DWORD PTR SS:[ESP+0150h],0Ah
            JE @GameLaun_0040173D
            AND EBX,FFFFFFFB
            LEA ECX,DWORD PTR SS:[ESP+034h]
            MOV DWORD PTR SS:[ESP+8],EBX
            CALL #800                            ;<= Jump/Call Address Not Resolved
    
    @GameLaun_0040173D:
    
            TEST BL,2
            MOV DWORD PTR SS:[ESP+0150h],9
            JE @GameLaun_0040175D
            AND EBX,FFFFFFFD
            LEA ECX,DWORD PTR SS:[ESP+024h]
            MOV DWORD PTR SS:[ESP+8],EBX
            CALL #800                            ;<= Jump/Call Address Not Resolved
    
    @GameLaun_0040175D:
    
            TEST BL,1
            MOV DWORD PTR SS:[ESP+0150h],8
            JE @GameLaun_0040177D
            AND EBX,FFFFFFFE
            LEA ECX,DWORD PTR SS:[ESP+014h]
            MOV DWORD PTR SS:[ESP+8],EBX
            CALL #800                            ;<= Jump/Call Address Not Resolved
    
    @GameLaun_0040177D:
    
            LEA ECX,DWORD PTR SS:[ESP+02Ch]
            MOV DWORD PTR SS:[ESP+0150h],7
            CALL #800                            ;<= Jump/Call Address Not Resolved
            PUSH GameLaun_004030E4               ; ASCII " GameLaunching"
            LEA ECX,DWORD PTR SS:[ESP+024h]
            CALL #537                            ;<= Jump/Call Address Not Resolved
            LEA ECX,DWORD PTR SS:[ESP+010h]
            PUSH EAX
            LEA EDX,DWORD PTR SS:[ESP+01Ch]
            MOV BL,0Bh
            PUSH ECX
            PUSH EDX
            MOV BYTE PTR SS:[ESP+015Ch],BL
            CALL #922                            ;<= Jump/Call Address Not Resolved
            PUSH EAX
            LEA ECX,DWORD PTR SS:[ESP+014h]
            MOV BYTE PTR SS:[ESP+0154h],0Ch
            CALL #858                            ;<= Jump/Call Address Not Resolved
            LEA ECX,DWORD PTR SS:[ESP+018h]
            MOV BYTE PTR SS:[ESP+0150h],BL
            CALL #800                            ;<= Jump/Call Address Not Resolved
            LEA ECX,DWORD PTR SS:[ESP+020h]
            MOV BYTE PTR SS:[ESP+0150h],7
            CALL #800                            ;<= Jump/Call Address Not Resolved
            MOV EAX,DWORD PTR SS:[ESP+0Ch]
            PUSH EAX
            CALL DWORD PTR DS:[<&KERNEL32.SetCurrentDirectoryA>] ; kernel32.SetCurrentDirectoryA
            MOV ECX,DWORD PTR SS:[ESP+010h]
            PUSH 5
            PUSH ECX
            CALL DWORD PTR DS:[<&KERNEL32.WinExec>] ; AcLayers.71C21A97
            CMP EAX,01Fh
            POP EBX
            JA @GameLaun_00401822
            MOV ECX,ESI
            CALL @GameLaun_00401880              ;<= Jump/Call Address Not Resolved
            TEST EAX,EAX
            JNZ @GameLaun_00401822
            PUSH EAX
            PUSH EAX
            PUSH GameLaun_004030A8               ; ASCII "Failed to execute the game. Please check the installation."
            MOV ECX,ESI
            CALL #4224                           ;<= Jump/Call Address Not Resolved
    
    @GameLaun_00401822:
    
            LEA ECX,DWORD PTR SS:[ESP+0Ch]
            MOV BYTE PTR SS:[ESP+014Ch],1
            CALL #800                            ;<= Jump/Call Address Not Resolved
            LEA ECX,DWORD PTR SS:[ESP+8]
            MOV BYTE PTR SS:[ESP+014Ch],0
            CALL #800                            ;<= Jump/Call Address Not Resolved
    
    @GameLaun_00401844:
    
            MOV ECX,ESI
            CALL #4853                           ;<= Jump/Call Address Not Resolved
            LEA ECX,DWORD PTR SS:[ESP+024h]
            MOV DWORD PTR SS:[ESP+014Ch],-1
            CALL #800                            ;<= Jump/Call Address Not Resolved
            MOV ECX,DWORD PTR SS:[ESP+0144h]
            POP ESI
            MOV DWORD PTR FS:[0],ECX
            ADD ESP,014Ch
            RETN

    MapleStory will only execute if the command parameter is 'GameLaunching'.

    My goal is to reverse engineer MapleStory so that I can find out where it is checking to see if the 'GameLaunching' parameter is there, so that I can patch that and the function. I also want to make hacks and contribute to the forum. The only problem is Themida.

    Does anybody have any advice for me? Any tutorials that will make my reverse engineering skills more advanced? Or possibly any up-to-date tutorials on unpacking Themida?

    Thank you.
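Reading a listing like the one above is mostly a matter of pulling out the imported API calls, the string cross-references, the labels and the unresolved helper calls before following the control flow by hand. The following Python script is an added example and is not code from this post or from the game: it runs that triage over a short excerpt constructed from the GameLauncher listing and names the well-known constants that appear as arguments (0x80000002 is HKEY_LOCAL_MACHINE, the 5 pushed for WinExec is SW_SHOW, and WinExec signals success with a return value greater than 31, which is exactly what the `CMP EAX,01Fh` / `JA` pair tests). The regular expressions assume OllyDbg-style output in the format shown in the post; the function names `triage` and `parse_imm` and the sample excerpt are assumptions of this example.

```python
import re
from typing import Dict, List

# Constructed sample: a short excerpt in the same OllyDbg-style format as the
# GameLauncher listing in the post (addresses, strings and comments copied from
# it; the helper calls in between are omitted, so this is not the full dump).
SAMPLE_LISTING = r"""
        PUSH GameLaun_00403160               ; ASCII "SOFTWARE\\Wizet\\MapleStory"
        PUSH 080000002h
        CALL DWORD PTR DS:[<&ADVAPI32.RegCreateKeyExA>] ; ADVAPI32.RegCreateKeyExA
        CALL #540                            ;<= Jump/Call Address Not Resolved
        PUSH GameLaun_00403154               ; ASCII "ExecPath"
        CALL DWORD PTR DS:[<&ADVAPI32.RegQueryValueExA>] ; ADVAPI32.RegQueryValueExA
        JE @GameLaun_0040165D
        CALL @GameLaun_00401880              ;<= Jump/Call Address Not Resolved
@GameLaun_0040165D:
        PUSH GameLaun_004030F4               ; ASCII "MapleStory.exe"
        CALL DWORD PTR DS:[<&KERNEL32.SetCurrentDirectoryA>] ; kernel32.SetCurrentDirectoryA
        PUSH 5
        PUSH ECX
        CALL DWORD PTR DS:[<&KERNEL32.WinExec>] ; AcLayers.71C21A97
        CMP EAX,01Fh
        JA @GameLaun_00401822
"""

RE_API = re.compile(r"CALL DWORD PTR DS:\[<&(\w+)\.(\w+)>\]")   # call through the IAT
RE_STRING = re.compile(r';\s*ASCII\s+"(.*)"\s*$')               # string cross-reference
RE_LABEL = re.compile(r"^@(\w+):\s*$")                          # label definition
RE_UNRESOLVED = re.compile(r"^\s*(?:CALL|JMP|J[A-Z]+)\s+(\S+).*Address Not Resolved")
RE_PUSH_IMM = re.compile(r"^\s*PUSH\s+(-?\d[0-9A-Fa-f]*h?)\s*(?:;.*)?$")
RE_CMP_EAX = re.compile(r"^\s*CMP\s+EAX,(-?\d[0-9A-Fa-f]*h?)")

# Well-known constants worth naming when they show up as pushed arguments.
HKEY_NAMES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE"}
SW_NAMES = {0: "SW_HIDE", 1: "SW_SHOWNORMAL", 5: "SW_SHOW"}


def parse_imm(tok: str) -> int:
    """MASM-style immediate: a trailing 'h' means hex, otherwise decimal."""
    return int(tok[:-1], 16) if tok[-1] in "hH" else int(tok, 10)


def triage(listing: str) -> Dict[str, List]:
    """Collect imports, strings, labels, unresolved targets and per-call argument
    hints from an OllyDbg-style listing, annotating known constants."""
    out: Dict[str, List] = {"imports": [], "strings": [], "labels": [],
                            "unresolved": [], "calls": [], "notes": []}
    pending_imms: List[int] = []   # immediates pushed since the last CALL
    pending_strs: List[str] = []   # string xrefs seen since the last CALL
    last_api = None
    for line in listing.splitlines():
        m = RE_LABEL.match(line)
        if m:
            out["labels"].append(m.group(1))
            continue
        m = RE_STRING.search(line)
        if m:                       # the disassembler doubles backslashes
            s = m.group(1).replace("\\\\", "\\")
            out["strings"].append(s)
            pending_strs.append(s)
        m = RE_PUSH_IMM.match(line)
        if m:
            pending_imms.append(parse_imm(m.group(1)))
        m = RE_UNRESOLVED.match(line)
        if m:
            out["unresolved"].append(m.group(1))
        m = RE_CMP_EAX.match(line)
        if m and last_api == "WinExec":
            v = parse_imm(m.group(1))
            out["notes"].append(f"WinExec return compared with {v} (0x{v:X}): "
                                "values above 31 mean success")
        m = RE_API.search(line)
        if m:
            mod, fn = m.group(1), m.group(2)
            api = f"{mod}.{fn}"
            if api not in out["imports"]:
                out["imports"].append(api)
            out["calls"].append({"api": api, "imms": pending_imms, "strings": pending_strs})
            if fn.startswith(("RegCreateKeyEx", "RegOpenKeyEx")):
                for v in pending_imms:
                    if v in HKEY_NAMES:
                        note = f"{fn}: hKey 0x{v:08X} = {HKEY_NAMES[v]}"
                        if pending_strs:
                            note += f', subkey "{pending_strs[-1]}"'
                        out["notes"].append(note)
            elif fn.startswith("RegQueryValueEx") and pending_strs:
                out["notes"].append(f'{fn}: value name "{pending_strs[-1]}"')
            elif fn == "WinExec":
                for v in pending_imms:
                    if v in SW_NAMES:
                        out["notes"].append(f"WinExec: uCmdShow {v} = {SW_NAMES[v]}")
            last_api = fn
        elif line.strip().startswith("CALL"):
            last_api = None         # internal/unresolved call: hints no longer apply
        if line.strip().startswith("CALL"):
            pending_imms, pending_strs = [], []
    return out


if __name__ == "__main__":
    for key, values in triage(SAMPLE_LISTING).items():
        print(key, *values, sep="\n  ")
```

The "pushed since the previous CALL" hints are deliberately not mapped onto parameter positions, since a listing like this one interleaves stack setup with calls to unresolved helpers. One thing the script does not flag but a reader should notice: the comment `; AcLayers.71C21A97` on the WinExec call shows that import slot resolved into the application-compatibility shim DLL rather than into kernel32, which is what a compatibility shim hooking that import looks like in a debugger.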

  2. #2
    Hell_Demon - Join Date: Mar 2008 - Location: I love causing havoc - Posts: 3,976
    "Follow the magic jump"
    Ah we-a blaze the fyah, make it bun dem!

  3. #3
    why06 - Join Date: Jul 2009 - Location: IBM - Posts: 4,304

    "Every gun that is made, every warship launched, every rocket fired signifies, in the final sense, a theft from those who hunger and are not fed, those who are cold and are not clothed. This world in arms is not spending money alone. It is spending the sweat of its laborers, the genius of its scientists, the hopes of its children. The cost of one modern heavy bomber is this: a modern brick school in more than 30 cities. It is two electric power plants, each serving a town of 60,000 population. It is two fine, fully equipped hospitals. It is some fifty miles of concrete pavement. We pay for a single fighter plane with a half million bushels of wheat. We pay for a single destroyer with new homes that could have housed more than 8,000 people. This is, I repeat, the best way of life to be found on the road the world has been taking. This is not a way of life at all, in any true sense. Under the cloud of threatening war, it is humanity hanging from a cross of iron."
    - Dwight D. Eisenhower

  4. #4
    scriptkiddy - Join Date: Jul 2009 - Location: Canada - Posts: 67
    Quote Originally Posted by why06
    Hey, what's up why06? How are you doing? Remember me?

    I have already seen all of lena151's tutorials, and I am way past that. Also, thank you Hell_Demon; I have found the magic jump, and now I am looking for conditional jumps to that area. I am going to dump Themida and fix up the import tables soon. However, this is an UnpackMe program, not MapleStory's version of Themida (which should be up to date).
