Creating A GunzRunnable

**CrazyDeath** · 01-01-2006

RULES
1) Please don't steal my tutorial and clame it as your own. Link to the thread to your hearts content for all I care, but ONLY link to this thread. Do not copy or paste the turoail and post it anywhere else, just link to it.

2) Runnables created using my tutorial should NOT be posted on any forums or released. Use this tutorial to make a runnable for yourself and not a name for yourself as someone who makes runnables.

Tools:
Gunz (Duh)
OllyDbg (The famous debugger) - https://www.ollydbg.de/odbg110.zip
OllyDmp (Olly dbg plugin) - https://dd.x-eye.net/file/ollydump211.zip or https://heero0m.net/files/OllyDump.dll

OllyHelper (Or any other plugin that can disable isdebuggerpresent) - https://heero0m.net/files/OllyHelper.dll
OR
HideDebugger (Another plugin that will disable isdeubuggerpresent) - https://www.wasm.ru/forum/files/_3115...ebugger123.zip

ImpRec (Import reconstructor) - https://www.int3.net/download/Import/imprec.zip ( includes src for imprec )
Almost Any Packer (I recommend aspack) - Aspack= https://www.exetools.com/files/compre...aspack212r.zip

To install the plugins simply throw them in OllyDebug's folder and they should show up in the Plugins dropdown menu.
You don't need to do any configuration with OllyHelper because it will automatically disable IsDebuggerPresent for you. NOTE: If Olly randomly stops and says the program was terminated you will need to use HideDebugger INSTEAD of OllyHelper. Remove the OllyHelper.dll from your Olly folder and put the HideDebugger.dll there instead.

Step #1 - The Hardest Step
Open up Olly.

Step #2 - Config
Configure Olly by going to Options -> Debugging Options.
It should look like this:

Save configuration changes and reload Olly.
Goto file -> open and find the Gunz.exe located in your gunz folder.

Step #3
At the lower left hand corner it should say this:
]

This means that it is tracing through the code and analyizing it to find the true entry point.
This will take quite some time if you have a slow machine so be patient.
NOTE: It may find an offset that ALOT of people have reported doesn't work. I'm not sure why some systems find the wrong offset... however thanks to TheAce there's a simple solution.
Take the offset you found and subtract 400000 from it (the base addr).

For example let's say you have 005380A0, the true OEP would be 005380A0 - 400000 which is 001380A0. If you don't understand this for some odd reason you may want to read up about hexadecimal.
THE NEW OEP YOU JUST CALCULATED IS THE OEP YOU WILL USE THE REST OF THE TUTORIAL.
If while scanning it randomly stops and says that it was terminated you will need to use the second plugin I posted for disabling IsDebuggerPresent because OllyHelper doesn't seem to be working for you. Just download and throw HideDebugger.dll into your Olly folder and restart this tutorial.

To reiterate (Thanks to ogfdnbvjkfdn)
1. When it finishes finding the REAL OEP, Let's say it finds... 00791C9M.
2. Dump debugged Process from this Address.
3. In the text box right next to 'modify', you would type: 00391C9M. (00791C9M - 400000 = 00391C9M)
4. Dump.

5. Open ImpRec and Target "gunz.exe" (THE ORIGINAL GUNZ FILE THATS RUNNING IN OLLY STILL).
6. In the OEP box, type in 00391C9M and Press the "IAT Autosearch" button.
7. Make sure it finds something and then Rebuild Imports.

Step #4 - Taking A Dump
When it stops tracing and you see in the main window to the right of the ASM it means it has found the entry point.

Take note of the offset on the far left of the line that has "Real entry point of SFX code" in it.

Now you have to use the OllyDump plug.
Goto Plugins -> OllyDump -> Dump debugged process as shown here:

Ignore where it says "Entry Point" because this is the INCORRECT one. I made it so you can't see it just so you don't be an ***** and try to use that one.
As shown here you will need to type in the address that you found (The offset on the far left of the line that has "Realy entry point of SFX code" in it) into where I circled in red up top:

Next you will need to uncheck Rebuild Import I circled in red at the bottom.
Click Dump and save it in the Gunz folder. Name it whatever you want but for the sake of this tutorial name it "dump.exe".

Step #5 - Import Reconstruction
Now you need to reconstruct the imports for GunZ using imprec. Your runnable will not function without it.
Make sure you do not touch Olly any further at this point. You need to have gunz (the original one) still running (At this point it will be running inside olly so just don't close out of olly).
As shown in the picture here you will first need to attatch to the Gunz.exe. To do this simply use the dropdown menu up top and find Gunz.exe

Once you have done this you will need to fill in the Entry Point you found and dumped from.
If you have found the correct entry point and have followed this tutorial word by word you should then see this when you click 'IAT AutoSearch':

If you do not see this... Don't ask me what you did wrong because I'm not going to help you.

Now what you need to do is click "Get Imports"
This is what it should look like after you click it:

If this is pretty much what you see (Everything looks valid) you're almost done.

All you have to do now is click "Fix Dump" and a dialog will appear asking you for the dump file to fix. Simply open our "dump.exe" and it should fix it.
NOTE: ImpRec will make a file called "dump_.exe". This is the RUNNABLE. Just delete the old "dump.exe"

You're runnable is pretty much complete!
Since you're runnable is currently about as large as Gabe Newell you probably want to compress it.
My suggestion using an exe packer such as aspack to compress it.

All finished. Wasn't that hard now was it?
Also, this thread is NOT for posting offsets. PLEASE DO NOT POST ANY OFFSETS FOR THE LAST TIME.