Hi. This is my first post on this site as I registered yesterday.
Anyway, I've unpacked the latest CShell.dll and Engine.exe. And before someone says that these are already posted, these are not!
I've removed the Themida protector of these files and the files are basically in the same condition as before packed.
The difference between these and the memory dumped ones is that these have rebuilt and intact Import Tables so that you can, i.e., open the files in a debugger and debug them. (Can't be done with the memory dumps.)
There's just one thing lost in both of the files and that's the Export Table, but you are probably not gonna need it, so I stripped it from the file with all the Themida code.
The entrypoint is corrected to the real entrypoint made by Microsoft Visual C++ 9.0.
In case someone doesn't trust me, here are some scans:
What should I take pics of, files? These aren't direct hacks but a reference to make new hacks etc.
Originally Posted by hejsan
/Moved to EU.
You must scan the .rar, not the files inside!
/Pending.
Okay, thought that it wouldn't matter because there is only one file/archive.
EDIT: Corrected everything necessary!
/Approved.
its a working please say!
Originally Posted by yakuzza4
its a working please say!
What do you mean? Of course they are working (for analyzing purposes), why would I post them otherwise?
This is a Fail dump.... you can't find D3D device pointer in this.... although I made a successful dump and got the pointers:
D3D : 0x9096F8
LTC : 0x377B5AC8
Originally Posted by iopop9
This is a Fail dump.... you can't find D3D device pointer in this.... although I made a successful dump and got the pointers:
D3D : 0x9096F8
LTC : 0x377B5AC8
No, it's not a fail dump. It's the unpacked file before any of the application code was executed, meaning that any dynamically loaded code doesn't exist. D3DX is loaded in the program code so it's not allocated in the file. These files are not meant to be replacements for any memory dumps. These are mainly for the analysis purpose of the way the files execute stuff.
If you want just some pointers I suggest that you use the memory dumps as they have all the allocated memory present.
But, i.e., the PushToConsole address can be gotten without the allocated memory just by looking at the CShell.dll's own static proc.
Yes, I know where to find LTC PTC address in CShell.dll
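Added example, not part of any post in this thread: a small Python reader that checks, from the PE headers alone, the properties the posts describe for a static unpacked file (entry point, populated import directory, stripped export directory). The names `pe_summary` and `build_sample` and the sample header bytes are constructed for illustration, and "stripped" is assumed to mean a zeroed export data directory entry.

```python
import struct

def pe_summary(data: bytes) -> dict:
    """Read the entry point and the export/import data directories of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = e_lfanew + 4 + 20              # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                   # PE32
        count_off, dirs_off = 92, 96
    elif magic == 0x20B:                 # PE32+
        count_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic")
    (entry,) = struct.unpack_from("<I", data, opt + 16)
    (count,) = struct.unpack_from("<I", data, opt + count_off)
    dirs = {}
    for index, name in enumerate(("export", "import")):
        rva, size = 0, 0
        if index < count:                # a header may declare fewer directories
            rva, size = struct.unpack_from("<II", data, opt + dirs_off + 8 * index)
        dirs[name] = {"rva": rva, "size": size, "present": rva != 0 and size != 0}
    return {"entry_point_rva": entry, **dirs}

def build_sample(entry, export, imports) -> bytes:
    """Constructed minimal PE32 headers (no sections), for demonstration only."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry)       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 92, 16)          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, *export)    # directory 0: export
    struct.pack_into("<II", opt, 104, *imports)  # directory 1: import
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    # Constructed values: export directory zeroed, import directory populated.
    sample = build_sample(entry=0x1000, export=(0, 0), imports=(0x2000, 0x50))
    print(pe_summary(sample))
```

A populated import directory in the header only shows that the entry exists; whether the table it points to was rebuilt correctly still has to be checked against the section data.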