Monday, 13 October 2008

Themida + GameMon.des

Themida + GameMon.des [Post by SunBeam]

Hello everyone. Been lurking around trying to unpack GameMon.des (part of iNCA's GameGuard protection system) and managed so far to obtain some results which I am willing to share with you all. Am not interested in unpacking the file for running purposes, since GameGuard.des (as you all know) checks the files for tampering and re-downloads a fresh copy of GameMon.des (in this case). Am trying to unpack it in pursuit of a recently implemented method that guards the game's memory (memory coming from GameMon's side).

For the sake of argument, I've provided GameMon.des » [ download ] | Size: ~2MB

Target is protected with Themida. So far, these are my results:

a. Using OllyICE or OLLY-ICY + HideOD, I managed to get to the OEP section. Of course that's not the real OEP. 0x2E bytes are 'stolen':

b. ImpREC reports a few APIs missing. Yet they all get corrected. Again, I fixed the OEP after everything was 'rebuilt':

c. Target with OEP stolen bytes fixed and IAT rebuilt looks like this:

The problem I'm facing next is within the application's code. After executing it, and passing a GetModuleHandleA call, GameMon calls upon a section containing redirected code. The pattern to set breakpoints on and follow (in case you're interested) is 46264B, 405900, 410A99, and you should land at 7FBAF8 here:


The next instruction will fail, since E40028 doesn't exist. That's part of Themida's VM, and I didn't dump it along with its VM. I guess it could work if I do that, but is there any way to get rid of the VM once and for all?

Any help in this matter is greatly appreciated. Am not requesting anything, just tips, and am willing to learn.

Thanks, and am awaiting your replies!

P.S.: This post is here to help SunBeam and to learn how Themida works.
