undercover Apple Juice based emule mods (ExeStealth V2.x and later)
Not many unpackers can handle it but finally if you dont want follow the tutorial for ollydbg
here the right tool:
http://www.cdw.de.vu/UnExeStealth.zip
Mirror - Mirror
Test Object
eMule.v0.48a.Applejuice.v2.1.2.bin
target:
emule.exe
(ExeStealth V2.76 webtoolmaster.c0m
try CDW's Dark Side Stealth Detector & Shield Destroyer UnExeStealth - www.cdw.de.vu)
result unpacked and clean:
dump.exe - (mirror) - rename to emule.exe
(not packed , try disassemble OllyDbg ( www.ollydbg.de ) or WD32dsm89.exe (http://www.exetools.com/disassemblers.htm) )
feel free to make your changes!
Target eMule.v0.48a.ROCKFORCE.Mod.v1.2.bin
emule.exe
Log:
start unpacking
trying to open file...
ok
reading address of entry point value: 00000140
reading imagebase: 00400000
reading size/address of SizeOfImage value: 00000168
reading address of Import Directory VA value: 00000198
reading address of Import Directory Size value: 0000019C
reading section alignment: 00001000
calculating dumpsize (virtual size sum of all sections): 00776000
reading VirtualSize value of last section: 000002B8
reading SizeOfRawData value of last section: 000002C0
have all needed values, closing file
creating process: 00000734
reserving memory for import table ...
trying to get the IAT (where is your mojo ;) ?) ...
placing bp on 'LoadLibrary' in: 7C801D77
lets fight! (runnig application, placing BP in LoadLibraryA call etc.)...
...
found OEP: 0029315C
entry point value corrected!
got some import stuff,now writing last IMAGE_IMPORT_DESCTIPTOR...
calculating new section table values
Name: VSize: RawSize: VAddress: RawAddress: Flags:
.text 00304DB6 00304DB6 00001000 00001000 E0000060
.rdata 000A8092 000A8092 00306000 00306000 E0000060
.data 00234F58 00234F58 003AF000 003AF000 E0000060
.rsrc 0018F5C0 0018F5C0 005E4000 005E4000 E0000060
rsrr 00002000 00002000 00774000 00774000 E0000060
new Import Table RVA: 00776000
new Import Table size: 00000140
new imagesize: 00777000
extend last section to: 00001000
dumping file ... done, bytes dumped(decimal value): 7827456
File unpacked!
Object: eMule.v0.48a.Fireball.v2.2.bin
target: emule.exe
Log:
start unpacking
trying to open file...
ok
reading address of entry point value: 00000140
reading imagebase: 00400000
reading size/address of SizeOfImage value: 00000168
reading address of Import Directory VA value: 00000198
reading address of Import Directory Size value: 0000019C
reading section alignment: 00001000
calculating dumpsize (virtual size sum of all sections): 007A5000
reading VirtualSize value of last section: 000002B8
reading SizeOfRawData value of last section: 000002C0
have all needed values, closing file
creating process: 00000B0C
reserving memory for import table ...
trying to get the IAT (where is your mojo ;) ?) ...
placing bp on 'LoadLibrary' in: 7C801D77
lets fight! (runnig application, placing BP in LoadLibraryA call etc.)...
...
found OEP: 002A08B0
entry point value corrected!
got some import stuff,now writing last IMAGE_IMPORT_DESCTIPTOR...
calculating new section table values
Name: VSize: RawSize: VAddress: RawAddress: Flags:
.text 003133B6 003133B6 00001000 00001000 E0000060
.rdata 000A9EC2 000A9EC2 00315000 00315000 E0000060
.data 002350B8 002350B8 003BF000 003BF000 E0000060
.rsrc 001AD898 001AD898 005F5000 005F5000 E0000060
rsrr 00002000 00002000 007A3000 007A3000 E0000060
new Import Table RVA: 007A5000
new Import Table size: 00000140
new imagesize: 007A6000
extend last section to: 00001000
dumping file ... done, bytes dumped(decimal value): 8019968
File unpacked!
36BB20 8B A9 6C 00 40 8C 6D 00 C9 7F 6C 00 60 05 64 00 ‹©l.@Œm.Él.`.d.
36BB30 D0 B1 43 00 E0 B1 43 00 36 8A 6D 00 5A BF 6C 00 бC.à±C.6Šm.Z¿l.
36BB40 06 82 6C 00 AA B4 6C 00 82 7F 6C 00 70 7F 6C 00 .‚l.ª´l.‚l.pl.
36BB50 EA BD 6C 00 90 D2 6C 00 43 8B 6C 00 69 8B 6C 00 ê½l.Òl.C‹l.i‹l.
36BB60 76 8B 6C 00 D8 CE 6C 00 90 7E 49 00 A9 D7 6C 00 v‹l.ØÎl.~I.©×l.
36BB70 03 D8 6C 00 93 D7 6C 00 72 D5 6C 00 40 47 64 00 .Øl.“×l.rÕl.@Gd.
36BB80 44 CF 6C 00 E0 89 6D 00 E0 89 6D 00 70 7F 6C 00 DÏl.à‰m.à‰m.pl.
36BB90 C0 4A 64 00 D8 89 6D 00 E1 89 6D 00 E0 01 64 00 ÀJd.؉m.á‰m.à.d.
36BBA0 05 8A 6D 00 09 8A 6D 00 09 8A 6D 00 0C 8A 6D 00 .Šm..Šm..Šm..Šm.
36BBB0 46 00 52 00 49 00 45 00 4E 00 44 00 00 00 00 00 F.R.I.E.N.D.....
36BBC0 42 00 4F 00 4F 00 53 00 54 00 53 00 4F 00 55 00 B.O.O.S.T.S.O.U.
36BBD0 52 00 43 00 45 00 53 00 00 00 00 00 43 00 4F 00 R.C.E.S.....C.O.
36BBE0 4D 00 50 00 52 00 45 00 53 00 53 00 49 00 4F 00 M.P.R.E.S.S.I.O.
36BBF0 4E 00 00 00 00 00 00 00 68 00 74 00 74 00 70 00 N.......h.t.t.p.
36BC00 3A 00 2F 00 2F 00 66 00 69 00 72 00 65 00 62 00 :././.f.i.r.e.b.
36BC10 61 00 6C 00 6C 00 2E 00 66 00 75 00 74 00 75 00 a.l.l...f.u.t.u.
36BC20 72 00 65 00 6D 00 6F 00 64 00 73 00 2E 00 64 00 r.e.m.o.d.s...d.
36BC30 65 00 2F 00 6C 00 6F 00 67 00 69 00 6E 00 69 00 e./.l.o.g.i.n.i.
36BC40 6E 00 66 00 6F 00 5F 00 65 00 6E 00 67 00 2E 00 n.f.o._.e.n.g...
36BC50 68 00 74 00 6D 00 00 00 68 00 74 00 74 00 70 00 h.t.m...h.t.t.p.
36BC60 3A 00 2F 00 2F 00 66 00 69 00 72 00 65 00 62 00 :././.f.i.r.e.b.
36BC70 61 00 6C 00 6C 00 2E 00 66 00 75 00 74 00 75 00 a.l.l...f.u.t.u.
36BC80 72 00 65 00 6D 00 6F 00 64 00 73 00 2E 00 64 00 r.e.m.o.d.s...d.
36BC90 65 00 2F 00 6C 00 6F 00 67 00 69 00 6E 00 69 00 e./.l.o.g.i.n.i.
36BCA0 6E 00 66 00 6F 00 2E 00 68 00 74 00 6D n.f.o...h.t.m
follow up >CPPgRelease
http://fireball.futuremods.de/logininfo.htm
http://fireball.futuremods.de/crewmember.html
Ekliptor,RSVCD-Forum-Testversion,laraspa59,Muio,DCON Crew
make the release features free for all or someone patch it. Its the same as if u create 'kind of powerseed' but limit it to a few people only to use .
----------------------------------------------------------------------------------
for communities:apple juice, eMule.0.48a.Titandonkey.v4.11-Bin all versions, eMule.0.48a.Razorback3.Next.Generation.v4.11 all versions, eMule.v0.48a.Wikinger-Mod all versions, sun power mod all versions, rockforce mod all versions, fireball mod all versions,... and the all the rest of apple juice factory leecher coder productions
required unpacking of ExeStealth V2.76
you can process the unpacked apple juice mods with reshacker and put your splashscreen, your logos, icons and graphic stuff in, also you can change all dialogues. Change the URL's, the Applejuice Startpage,... change razorback and titandonkey community strings and the default dual servers connect of your choice.
You can Hexedit, ollydbg etc... and do some credits by self.
eMule 0.48a Razorback3 Next Generation v4.11 Mod-Binary fast and xtreme unpacked emule.exe
Easy to unpack Ekliptor's c++ stuff but can he unpack this unpackme Ekeliptor???
3 comments:
Community RAMMSTEIN
I ask me what company is behind the AJ mods?
all of them have the same signature.
Razorback server admins, usenext sponsored http://www.usenext.de/index.cfm?TD=xxxnumber of sponsor ??
Hoho thats cool. Thanks
Post a Comment