-
raiderz unpacking
someone help me
found no stolen code
2 possible op
Method used in ImportREC
starting the game
the game loads and falls into the login screen.
after a few seconds
up here alright
this error and for the gameguard
but when I restart the PC the game does not load.
discover my mistake.
now and discover the cause of gamemon not let the game run.
31-01-2013
-
Seems like the usual integrity check. Remove startup GG :)
-
=S raiderz perfect bypass update kiss
-
gameguard CreateProcess
Code:
00869234 . /0F85 1D010000 JNZ raiderzu.00869357
0086923A . |8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
0086923D . |8D95 D8FEFFFF LEA EDX,DWORD PTR SS:[EBP-128]
00869243 . |51 PUSH ECX ; /pProcessInfo
00869244 . |52 PUSH EDX ; |pStartupInfo
00869245 . |57 PUSH EDI ; |CurrentDir => NULL
00869246 . |57 PUSH EDI ; |pEnvironment => NULL
00869247 . |57 PUSH EDI ; |CreationFlags => 0
00869248 . |6A 01 PUSH 1 ; |InheritHandles = TRUE
0086924A . |57 PUSH EDI ; |pThreadSecurity => NULL
0086924B . |8D85 C0E8FFFF LEA EAX,DWORD PTR SS:[EBP-1740] ; |
00869251 . |57 PUSH EDI ; |pProcessSecurity => NULL
00869252 . |8D8D D0FCFFFF LEA ECX,DWORD PTR SS:[EBP-330] ; |
00869258 . |50 PUSH EAX ; |CommandLine
00869259 . |51 PUSH ECX ; |ModuleFileName
0086925A . |FF15 74F1AC00 CALL DWORD PTR DS:[<&kernel32.CreateProc>; \CreateProcessA
00869260 . |85C0 TEST EAX,EAX
00869262 . |75 1E JNZ SHORT raiderzu.00869282
00869264 . |8B35 14F1AC00 MOV ESI,DWORD PTR DS:[<&kernel32.GetLast>; ntdll.RtlGetLastWin32Error
0086926A . |FFD6 CALL ESI ; [GetLastError
0086926C . |8D95 C8F9FFFF LEA EDX,DWORD PTR SS:[EBP-638]
00869272 . |52 PUSH EDX
00869273 . |FFD6 CALL ESI ; [GetLastError
00869275 . |50 PUSH EAX
00869276 . |8D85 D0FCFFFF LEA EAX,DWORD PTR SS:[EBP-330]
0086927C . |50 PUSH EAX
0086927D . |E9 0C0B0000 JMP raiderzu.00869D8E
00869282 > |8B4D DC MOV ECX,DWORD PTR SS:[EBP-24]
00869285 . |51 PUSH ECX
00869286 . |68 A424BF00 PUSH raiderzu.00BF24A4
0086928B . |E8 00750000 CALL raiderzu.00870790
00869290 . |83C4 04 ADD ESP,4
00869293 . |50 PUSH EAX
00869294 . |53 PUSH EBX
00869295 . |E8 B6100000 CALL raiderzu.0086A350
0086929A . |8B96 9C3B0000 MOV EDX,DWORD PTR DS:[ESI+3B9C]
008692A0 . |8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
008692A3 . |83C4 0C ADD ESP,0C
008692A6 . |8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]
008692AC . |897D 08 MOV DWORD PTR SS:[EBP+8],EDI
008692AF . |8995 78FFFFFF MOV DWORD PTR SS:[EBP-88],EDX
008692B5 . |6A FF PUSH -1 ; /Timeout = INFINITE
008692B7 . |57 PUSH EDI ; |WaitForAll
008692B8 . |51 PUSH ECX ; |pObjects
008692B9 . |6A 02 PUSH 2 ; |nObjects = 2
008692BB . |8985 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EAX ; |
008692C1 . |FF15 78F1AC00 CALL DWORD PTR DS:[<&kernel32.WaitForMul>; \WaitForMultipleObjects
008692C7 . |85C0 TEST EAX,EAX
008692C9 . |74 69 JE SHORT raiderzu.00869334
gamemon CreateProcess
Code:
00869D45 .^\E9 57FFFFFF JMP raiderzu.00869CA1
00869D4A > 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
00869D4D . 8D8D D8FEFFFF LEA ECX,DWORD PTR SS:[EBP-128]
00869D53 . 50 PUSH EAX ; /pProcessInfo
00869D54 . 51 PUSH ECX ; |pStartupInfo
00869D55 . 6A 00 PUSH 0 ; |CurrentDir = NULL
00869D57 . 6A 00 PUSH 0 ; |pEnvironment = NULL
00869D59 . 6A 04 PUSH 4 ; |CreationFlags = CREATE_SUSPENDED
00869D5B . 6A 00 PUSH 0 ; |InheritHandles = FALSE
00869D5D . 6A 00 PUSH 0 ; |pThreadSecurity = NULL
00869D5F . 8D95 C0E8FFFF LEA EDX,DWORD PTR SS:[EBP-1740] ; |
00869D65 . 6A 00 PUSH 0 ; |pProcessSecurity = NULL
00869D67 . 52 PUSH EDX ; |CommandLine
00869D68 . 68 58D10201 PUSH raiderzu.0102D158 ; |ModuleFileName = ""
00869D6D . FF15 74F1AC00 CALL DWORD PTR DS:[<&kernel32.CreateProc>; \CreateProcessA
00869D73 . 85C0 TEST EAX,EAX
00869D75 . 75 3C JNZ SHORT raiderzu.00869DB3
00869D77 . 8B35 14F1AC00 MOV ESI,DWORD PTR DS:[<&kernel32.GetLast>; ntdll.RtlGetLastWin32Error
00869D7D . FFD6 CALL ESI ; [GetLastError
00869D7F . 8D85 C8F9FFFF LEA EAX,DWORD PTR SS:[EBP-638]
00869D85 . 50 PUSH EAX
00869D86 . FFD6 CALL ESI ; [GetLastError
00869D88 . 50 PUSH EAX
00869D89 . 68 58D10201 PUSH raiderzu.0102D158
00869D8E > 68 EC21BF00 PUSH raiderzu.00BF21EC
00869D93 > E8 F8690000 CALL raiderzu.00870790
00869D98 . 83C4 04 ADD ESP,4
00869D9B . 50 PUSH EAX
00869D9C . 53 PUSH EBX
00869D9D . E8 AE050000 CALL raiderzu.0086A350
00869DA2 . 83C4 14 ADD ESP,14
00869DA5 . B8 AA000000 MOV EAX,0AA
00869DAA . 5F POP EDI
00869DAB . 5E POP ESI
00869DAC . 5B POP EBX
00869DAD . 8BE5 MOV ESP,EBP
00869DAF . 5D POP EBP
00869DB0 . C2 0400 RETN 4
00869DB3 > 8B4D DC MOV ECX,DWORD PTR SS:[EBP-24]
00869DB6 . 51 PUSH ECX
00869DB7 . 68 E021BF00 PUSH raiderzu.00BF21E0
00869DBC . E8 CF690000 CALL raiderzu.00870790
00869DC1 . 83C4 04 ADD ESP,4
00869DC4 . 50 PUSH EAX
00869DC5 . 53 PUSH EBX
00869DC6 . E8 85050000 CALL raiderzu.0086A350
00869DCB . 83C4 0C ADD ESP,0C
00869DCE . EB 03 JMP SHORT raiderzu.00869DD3
00869DD0 > 8B75 FC MOV ESI,DWORD PTR SS:[EBP-4]
00869DD3 > A1 78D20201 MOV EAX,DWORD PTR DS:[102D278]
00869DD8 . 33FF XOR EDI,EDI
00869DDA . 3BC7 CMP EAX,EDI
00869DDC . A3 90D20201 MOV DWORD PTR DS:[102D290],EAX
00869DE1 . 75 48 JNZ SHORT raiderzu.00869E2B
00869DE3 . 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
00869DE6 . 3BC7 CMP EAX,EDI
00869DE8 . A3 90D20201 MOV DWORD PTR DS:[102D290],EAX
00869DED . 75 3C JNZ SHORT raiderzu.00869E2B
00869DEF . A1 98D20201 MOV EAX,DWORD PTR DS:[102D298]
00869DF4 . 3BC7 CMP EAX,EDI
00869DF6 . A3 90D20201 MOV DWORD PTR DS:[102D290],EAX
00869DFB . 75 2E JNZ SHORT raiderzu.00869E2B
00869DFD . A1 94D20201 MOV EAX,DWORD PTR DS:[102D294]
00869E02 . 3BC7 CMP EAX,EDI
00869E04 . A3 90D20201 MOV DWORD PTR DS:[102D290],EAX
00869E09 . 75 20 JNZ SHORT raiderzu.00869E2B
00869E0B . 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00869E0E . 52 PUSH EDX
00869E0F . 68 CC21BF00 PUSH raiderzu.00BF21CC
00869E14 . 68 58D10201 PUSH raiderzu.0102D158
00869E19 . E8 722A0000 CALL raiderzu.0086C890
00869E1E . 83C4 0C ADD ESP,0C
00869E21 . 25 FF000000 AND EAX,0FF
00869E26 . A3 90D20201 MOV DWORD PTR DS:[102D290],EAX
00869E2B > 68 C421BF00 PUSH raiderzu.00BF21C4
00869E30 . E8 5B690000 CALL raiderzu.00870790
00869E35 . 83C4 04 ADD ESP,4
00869E38 . 50 PUSH EAX
00869E39 . 53 PUSH EBX
00869E3A . E8 11050000 CALL raiderzu.0086A350
00869E3F . 83C4 08 ADD ESP,8
00869E42 . 8D8E 74140000 LEA ECX,DWORD PTR DS:[ESI+1474]
00869E48 . E8 135B0000 CALL raiderzu.0086F960
00869E4D . 3BC7 CMP EAX,EDI
00869E4F . 75 30 JNZ SHORT raiderzu.00869E81
00869E51 . 8B35 14F1AC00 MOV ESI,DWORD PTR DS:[<&kernel32.GetLast>; ntdll.RtlGetLastWin32Error
00869E57 . FFD6 CALL ESI ; [GetLastError
00869E59 . FFD6 CALL ESI ; [GetLastError
00869E5B . 50 PUSH EAX
00869E5C . 68 B021BF00 PUSH raiderzu.00BF21B0
00869E61 . E8 2A690000 CALL raiderzu.00870790
00869E66 . 83C4 04 ADD ESP,4
00869E69 . 50 PUSH EAX
00869E6A . 53 PUSH EBX
00869E6B . E8 E0040000 CALL raiderzu.0086A350
00869E70 . 83C4 0C ADD ESP,0C
00869E73 . B8 A0000000 MOV EAX,0A0
00869E78 . 5F POP EDI
00869E79 . 5E POP ESI
00869E7A . 5B POP EBX
00869E7B . 8BE5 MOV ESP,EBP
00869E7D . 5D POP EBP
00869E7E . C2 0400 RETN 4
00869E81 > 50 PUSH EAX
00869E82 . 68 8021BF00 PUSH raiderzu.00BF2180
00869E87 . E8 04690000 CALL raiderzu.00870790
00869E8C . 83C4 04 ADD ESP,4
00869E8F . 50 PUSH EAX
00869E90 . 53 PUSH EBX
00869E91 . E8 BA040000 CALL raiderzu.0086A350
00869E96 . A1 94D20201 MOV EAX,DWORD PTR DS:[102D294]
00869E9B . 83C4 0C ADD ESP,0C
00869E9E . 3BC7 CMP EAX,EDI
00869EA0 . 0F85 94000000 JNZ raiderzu.00869F3A
00869EA6 . 393D 98D20201 CMP DWORD PTR DS:[102D298],EDI
00869EAC . 0F85 88000000 JNZ raiderzu.00869F3A
00869EB2 . 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28]
00869EB5 . 50 PUSH EAX ; /hThread
00869EB6 . FF15 64F3AC00 CALL DWORD PTR DS:[<&kernel32.ResumeThre>; \ResumeThread
00869EBC . 8B8E 983B0000 MOV ECX,DWORD PTR DS:[ESI+3B98]
00869EC2 . A1 74D20201 MOV EAX,DWORD PTR DS:[102D274]
00869EC7 . 8B55 D4 MOV EDX,DWORD PTR SS:[EBP-2C]
00869ECA . 898D 78FFFFFF MOV DWORD PTR SS:[EBP-88],ECX
00869ED0 . 50 PUSH EAX ; /Timeout => 0. ms
00869ED1 . 8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88] ; |
00869ED7 . 57 PUSH EDI ; |WaitForAll
00869ED8 . 51 PUSH ECX ; |pObjects
00869ED9 . 6A 02 PUSH 2 ; |nObjects = 2
00869EDB . 8995 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EDX ; |
00869EE1 . FF15 78F1AC00 CALL DWORD PTR DS:[<&kernel32.WaitForMul>; \WaitForMultipleObjects
00869EE7 . 85C0 TEST EAX,EAX
00869EE9 . 0F84 A4000000 JE raiderzu.00869F93
00869EEF . 68 6C21BF00 PUSH raiderzu.00BF216C
00869EF4 . E8 97680000 CALL raiderzu.00870790
00869EF9 . 83C4 04 ADD ESP,4
00869EFC . 50 PUSH EAX ; /EventName
00869EFD . 57 PUSH EDI ; |Inheritable
00869EFE . 68 00001000 PUSH 100000 ; |Access = 100000
00869F03 . FF15 70F1AC00 CALL DWORD PTR DS:[<&kernel32.OpenEventA>; \OpenEventA
00869F09 . 3BC7 CMP EAX,EDI
-
why not carried
gamemon not let the game run.
?? HELP develop unpacking? please
client raiderz protected by Themida or nProtect???? Help
-
thanks kiss love you
can you teach me how to make withdraw gameguard client?
withdraw gameguard
you can do video please
-
if the error msg of gamemon
you only need to find the line to disable
-
you video disable gamemon + gameguard I always update? please PM can we talk?
-
Well, I do not know what version inesbrasil sent me, but I unpacked it. The archive has 2 exe files: the first is only unpacked, the second has startup GG removed. If you need to remove it manually, here is the asm code:
Code:
0040D960 56 PUSH ESI
0040D961 57 PUSH EDI
0040D962 8BF9 MOV EDI,ECX
0040D964 8B4F 08 MOV ECX,DWORD PTR DS:[EDI+8]
0040D967 8B01 MOV EAX,DWORD PTR DS:[ECX]
0040D969 8B50 08 MOV EDX,DWORD PTR DS:[EAX+8]
0040D96C FFD2 CALL EDX
0040D96E 8B4F 08 MOV ECX,DWORD PTR DS:[EDI+8]
0040D971 8D77 0C LEA ESI,DWORD PTR DS:[EDI+C]
0040D974 3BCE CMP ECX,ESI
0040D976 74 0F JE SHORT Raiderz.0040D987
0040D978 85C9 TEST ECX,ECX
0040D97A 74 08 JE SHORT Raiderz.0040D984
0040D97C 8B01 MOV EAX,DWORD PTR DS:[ECX]
0040D97E 8B10 MOV EDX,DWORD PTR DS:[EAX]
0040D980 6A 01 PUSH 1
0040D982 FFD2 CALL EDX
0040D984 8977 08 MOV DWORD PTR DS:[EDI+8],ESI
0040D987 6A 20 PUSH 20
0040D989 E8 4CC44200 CALL Raiderz.00839DDA
0040D98E 8BF0 MOV ESI,EAX
0040D990 83C4 04 ADD ESP,4
0040D993 85F6 TEST ESI,ESI
0040D995 74 43 JE SHORT Raiderz.0040D9DA
0040D997 C706 3CA9B100 MOV DWORD PTR DS:[ESI],Raiderz.00B1A93C
0040D99D 33C0 XOR EAX,EAX
0040D99F C746 04 30A9B10>MOV DWORD PTR DS:[ESI+4],Raiderz.00B1A930
0040D9A6 8946 08 MOV DWORD PTR DS:[ESI+8],EAX
0040D9A9 8946 0C MOV DWORD PTR DS:[ESI+C],EAX
0040D9AC 8946 10 MOV DWORD PTR DS:[ESI+10],EAX
0040D9AF 68 149EB100 PUSH Raiderz.00B19E14 ; UNICODE "RaiderzUS"
0040D9B4 8946 14 MOV DWORD PTR DS:[ESI+14],EAX
0040D9B7 E8 549E4500 CALL Raiderz.00867810
0040D9BC 8BCE MOV ECX,ESI
0040D9BE C746 18 0000000>MOV DWORD PTR DS:[ESI+18],0
0040D9C5 894F 08 MOV DWORD PTR DS:[EDI+8],ECX
0040D9C8 8B01 MOV EAX,DWORD PTR DS:[ECX]
0040D9CA 8B50 04 MOV EDX,DWORD PTR DS:[EAX+4]
0040D9CD 83C4 04 ADD ESP,4
0040D9D0 FFD2 CALL EDX ; <- NOP -> MOV AL, 1
0040D9D2 84C0 TEST AL,AL
0040D9D4 5F POP EDI
0040D9D5 0F95C0 SETNE AL
0040D9D8 5E POP ESI
0040D9D9 C3 RETN
0040D9DA 33C9 XOR ECX,ECX
0040D9DC 894F 08 MOV DWORD PTR DS:[EDI+8],ECX
0040D9DF 8B01 MOV EAX,DWORD PTR DS:[ECX]
0040D9E1 8B50 04 MOV EDX,DWORD PTR DS:[EAX+4]
0040D9E4 FFD2 CALL EDX
0040D9E6 84C0 TEST AL,AL
0040D9E8 5F POP EDI
0040D9E9 0F95C0 SETNE AL
0040D9EC 5E POP ESI
0040D9ED C3 RETN
Code:
0040D9D0 FFD2 CALL EDX
replace with
Code:
0040D9D0 B0 01 MOV AL,1
I do not know how the game will work because I have only the main executable with all modules and without the game resources.
Btw: I'm too lazy to download the full client :)