Hi. This is my first post on this site as I registered yesterday.
Anyway, I've unpacked the latest CShell.dll and Engine.exe. And before someone says that these are already posted, these are not!
I've removed the Themida protector of these files and the files are basically in the same condition as before packed.
The difference between these and the memory dumped ones is that these have rebuilt and intact Import Tables so that you can, i.e., open the files in a debugger and debug them. (Can't be done with the memory dumps.)
There's just one thing lost in both of the files and that's the Export Table, but you are probably not gonna need it so I stripped it from the file with all the Themida code.
The entrypoint is corrected to the real entrypoint made by Microsoft Visual C++ 9.0.
In case someone doesn't trust me, here are some scans:
VirusTotal - unpacked_CShell.rar
Virscan - unpacked_CShell.rar
VirusTotal - unpacked_Engine.rar
Virscan - unpacked_Engine.rar
Last edited by HellSpider; 06-05-2010 at 12:20 AM. Reason: Added more scans...
I sooooooo don't trust this
EDIT: you need 2 virus scans for each and a pic
upload the pic to like image shack
READ MORE HERE
https://www.mpgh.net/forum/164-combat...step-step.html
Last edited by ^...,^; 06-04-2010 at 06:25 PM.
/Moved to EU.
You must scan the .rar, not the files inside!
/Pending.
-Rest in peace leechers-
Your PM box is 100% full.
What is the difference between the .rar and the files inside it?
Ali (06-05-2010)
Last edited by HellSpider; 06-04-2010 at 11:20 PM.
/Approved.
No it's not a fail dump. It's the unpacked file before any of the application code was executed meaning that any dynamically loaded code doesn't exist. D3DX is loaded in the program code so it's not allocated in the file. These files are not meant to be replacements for any memory dumps. These are mainly for the analysis purpose of the way the files execute stuff.
If you want just some pointers I suggest that you use the memory dumps as they have all the allocated memory present.
But, i.e., the PushToConsole address can be gotten without the allocated memory just by looking at the CShell.dll's own static proc.
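The claims in this thread (rebuilt import table, stripped export table, entry point corrected, and the difference between a rebuilt file and a raw memory dump) can all be checked from the PE headers alone before anyone opens the file in a debugger. The script below is an added example written for this page, not code from any poster; it uses only the Python standard library (no pefile), and the PE bytes it builds are a constructed header-only sample, not taken from CShell.dll, Engine.exe or any real binary. Offsets follow the PE32/PE32+ optional header layout.

```python
"""Header-level triage of a PE file: does it carry an import directory, an export
directory, and does its entry point fall inside a declared section?  Added
example, pure stdlib.  The sample PE bytes built by build_sample_pe() are
constructed for the demonstration and come from no real binary."""
import struct

DIR_EXPORT, DIR_IMPORT = 0, 1          # data-directory slots (same in PE32 and PE32+)
PE32, PE32PLUS = 0x10B, 0x20B           # optional-header magic values


def parse_pe(data: bytes) -> dict:
    """Return entry point, linker version, section table and the export/import directories."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                   # optional header follows the 20-byte COFF header
    magic, major_linker, minor_linker = struct.unpack_from("<HBB", data, opt)
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint (RVA)
    if magic == PE32:
        nrva, dd = struct.unpack_from("<I", data, opt + 92)[0], opt + 96
    elif magic == PE32PLUS:
        nrva, dd = struct.unpack_from("<I", data, opt + 108)[0], opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)

    def directory(slot):
        if slot >= nrva:                              # directory not present at all
            return (0, 0)
        return struct.unpack_from("<II", data, dd + 8 * slot)   # (RVA, size)

    sections = []
    for k in range(nsections):                        # section table sits right after the optional header
        name, vsize, vaddr, rawsize = struct.unpack_from("<8sIII", data, opt + opt_size + 40 * k)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, max(vsize, rawsize)))
    return {"entry_point": entry, "linker": (major_linker, minor_linker), "sections": sections,
            "export_dir": directory(DIR_EXPORT), "import_dir": directory(DIR_IMPORT)}


def section_for_rva(sections, rva):
    """Name of the section containing an RVA, or None when it lands in no section."""
    for name, vaddr, size in sections:
        if vaddr <= rva < vaddr + size:
            return name
    return None


def triage(data: bytes) -> list:
    """Checks a reviewer would run on a file claimed to be 'unpacked with rebuilt imports'."""
    info = parse_pe(data)
    findings = []
    if section_for_rva(info["sections"], info["entry_point"]) is None:
        findings.append("entry point 0x%x is outside every declared section" % info["entry_point"])
    if info["import_dir"] == (0, 0):
        findings.append("no import directory: imports were not rebuilt or the file is a raw memory dump")
    elif section_for_rva(info["sections"], info["import_dir"][0]) is None:
        findings.append("import directory RVA 0x%x points outside the section table" % info["import_dir"][0])
    if info["export_dir"] == (0, 0):
        findings.append("no export directory (stripped, or an EXE without exports)")
    return findings


def build_sample_pe(entry_point, import_dir=(0x2000, 0x100), export_dir=(0, 0)) -> bytes:
    """Constructed PE32 DLL header: DOS stub, PE signature, COFF header, optional header,
    two sections.  Only headers are emitted, which is all the checks above read."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x2102)    # i386, 2 sections, DLL flag
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      PE32, 9, 0,                        # magic, linker 9.0 (VC++ 2008)
                      0x1000, 0x1000, 0,                 # SizeOfCode / InitializedData / UninitializedData
                      entry_point, 0x1000, 0x2000,       # AddressOfEntryPoint, BaseOfCode, BaseOfData
                      0x10000000, 0x1000, 0x200,         # ImageBase, SectionAlignment, FileAlignment
                      6, 0, 0, 0, 6, 0,                  # OS / image / subsystem versions
                      0, 0x3000, 0x400, 0,               # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0x0140,                         # Subsystem (GUI), DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000,  # stack / heap reserve and commit
                      0, 16)                             # LoaderFlags, NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    dirs[DIR_EXPORT], dirs[DIR_IMPORT] = export_dir, import_dir
    opt += b"".join(struct.pack("<II", *d) for d in dirs)

    def section(name, vaddr, rawptr):
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, vaddr, 0x1000, rawptr, 0, 0, 0, 0, 0x60000020)

    return dos + b"PE\0\0" + coff + opt + section(b".text", 0x1000, 0x400) + section(b".rdata", 0x2000, 0x1400)


if __name__ == "__main__":
    for label, sample in (("rebuilt file", build_sample_pe(0x1200)),
                          ("raw dump", build_sample_pe(0x1200, import_dir=(0, 0)))):
        print(label, "->", triage(sample) or ["no findings"])
```

On a real file, replace the constructed sample with `open(path, "rb").read()`; a memory dump whose import directory is zeroed or points into unmapped space shows up in the findings, while a file with a rebuilt table and an entry point inside `.text` only reports the missing export directory described in the first post.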