raiderz unpacking
someone help me
found no stolen code
Spoiler
2 possible op
method used in importrec
Spoiler
starting the game
the game loads falls into the login screen.
after a few seconds
Spoiler
up here alright
this error and for the gameguard
but when I restart the pc the game not loads.
discover my mistake.
now and discover the cause of gamemon not let the game run.
31-01-2013
Please register or login to download attachments.
Last edited by crazy; 2013-02-05 at 09:38 PM.
Seems usual integrity check. Remove startup GG
=S raderz perfect bypass UPDate kiss
gameguard CreateProcess
gamemon CreateProcessCode:00869234 . /0F85 1D010000 JNZ raiderzu.00869357 0086923A . |8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C] 0086923D . |8D95 D8FEFFFF LEA EDX,DWORD PTR SS:[EBP-128] 00869243 . |51 PUSH ECX ; /pProcessInfo 00869244 . |52 PUSH EDX ; |pStartupInfo 00869245 . |57 PUSH EDI ; |CurrentDir => NULL 00869246 . |57 PUSH EDI ; |pEnvironment => NULL 00869247 . |57 PUSH EDI ; |CreationFlags => 0 00869248 . |6A 01 PUSH 1 ; |InheritHandles = TRUE 0086924A . |57 PUSH EDI ; |pThreadSecurity => NULL 0086924B . |8D85 C0E8FFFF LEA EAX,DWORD PTR SS:[EBP-1740] ; | 00869251 . |57 PUSH EDI ; |pProcessSecurity => NULL 00869252 . |8D8D D0FCFFFF LEA ECX,DWORD PTR SS:[EBP-330] ; | 00869258 . |50 PUSH EAX ; |CommandLine 00869259 . |51 PUSH ECX ; |ModuleFileName 0086925A . |FF15 74F1AC00 CALL DWORD PTR DS:[<&kernel32.CreateProc>; \CreateProcessA 00869260 . |85C0 TEST EAX,EAX 00869262 . |75 1E JNZ SHORT raiderzu.00869282 00869264 . |8B35 14F1AC00 MOV ESI,DWORD PTR DS:[<&kernel32.GetLast>; ntdll.RtlGetLastWin32Error 0086926A . |FFD6 CALL ESI ; [GetLastError 0086926C . |8D95 C8F9FFFF LEA EDX,DWORD PTR SS:[EBP-638] 00869272 . |52 PUSH EDX 00869273 . |FFD6 CALL ESI ; [GetLastError 00869275 . |50 PUSH EAX 00869276 . |8D85 D0FCFFFF LEA EAX,DWORD PTR SS:[EBP-330] 0086927C . |50 PUSH EAX 0086927D . |E9 0C0B0000 JMP raiderzu.00869D8E 00869282 > |8B4D DC MOV ECX,DWORD PTR SS:[EBP-24] 00869285 . |51 PUSH ECX 00869286 . |68 A424BF00 PUSH raiderzu.00BF24A4 0086928B . |E8 00750000 CALL raiderzu.00870790 00869290 . |83C4 04 ADD ESP,4 00869293 . |50 PUSH EAX 00869294 . |53 PUSH EBX 00869295 . |E8 B6100000 CALL raiderzu.0086A350 0086929A . |8B96 9C3B0000 MOV EDX,DWORD PTR DS:[ESI+3B9C] 008692A0 . |8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C] 008692A3 . |83C4 0C ADD ESP,0C 008692A6 . |8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88] 008692AC . |897D 08 MOV DWORD PTR SS:[EBP+8],EDI 008692AF . |8995 78FFFFFF MOV DWORD PTR SS:[EBP-88],EDX 008692B5 . |6A FF PUSH -1 ; /Timeout = INFINITE 008692B7 . |57 PUSH EDI ; |WaitForAll 008692B8 . |51 PUSH ECX ; |pObjects 008692B9 . |6A 02 PUSH 2 ; |nObjects = 2 008692BB . |8985 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EAX ; | 008692C1 . |FF15 78F1AC00 CALL DWORD PTR DS:[<&kernel32.WaitForMul>; \WaitForMultipleObjects 008692C7 . |85C0 TEST EAX,EAX 008692C9 . |74 69 JE SHORT raiderzu.00869334
Code:00869D45 .^\E9 57FFFFFF JMP raiderzu.00869CA1 00869D4A > 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C] 00869D4D . 8D8D D8FEFFFF LEA ECX,DWORD PTR SS:[EBP-128] 00869D53 . 50 PUSH EAX ; /pProcessInfo 00869D54 . 51 PUSH ECX ; |pStartupInfo 00869D55 . 6A 00 PUSH 0 ; |CurrentDir = NULL 00869D57 . 6A 00 PUSH 0 ; |pEnvironment = NULL 00869D59 . 6A 04 PUSH 4 ; |CreationFlags = CREATE_SUSPENDED 00869D5B . 6A 00 PUSH 0 ; |InheritHandles = FALSE 00869D5D . 6A 00 PUSH 0 ; |pThreadSecurity = NULL 00869D5F . 8D95 C0E8FFFF LEA EDX,DWORD PTR SS:[EBP-1740] ; | 00869D65 . 6A 00 PUSH 0 ; |pProcessSecurity = NULL 00869D67 . 52 PUSH EDX ; |CommandLine 00869D68 . 68 58D10201 PUSH raiderzu.0102D158 ; |ModuleFileName = "" 00869D6D . FF15 74F1AC00 CALL DWORD PTR DS:[<&kernel32.CreateProc>; \CreateProcessA 00869D73 . 85C0 TEST EAX,EAX 00869D75 . 75 3C JNZ SHORT raiderzu.00869DB3 00869D77 . 8B35 14F1AC00 MOV ESI,DWORD PTR DS:[<&kernel32.GetLast>; ntdll.RtlGetLastWin32Error 00869D7D . FFD6 CALL ESI ; [GetLastError 00869D7F . 8D85 C8F9FFFF LEA EAX,DWORD PTR SS:[EBP-638] 00869D85 . 50 PUSH EAX 00869D86 . FFD6 CALL ESI ; [GetLastError 00869D88 . 50 PUSH EAX 00869D89 . 68 58D10201 PUSH raiderzu.0102D158 00869D8E > 68 EC21BF00 PUSH raiderzu.00BF21EC 00869D93 > E8 F8690000 CALL raiderzu.00870790 00869D98 . 83C4 04 ADD ESP,4 00869D9B . 50 PUSH EAX 00869D9C . 53 PUSH EBX 00869D9D . E8 AE050000 CALL raiderzu.0086A350 00869DA2 . 83C4 14 ADD ESP,14 00869DA5 . B8 AA000000 MOV EAX,0AA 00869DAA . 5F POP EDI 00869DAB . 5E POP ESI 00869DAC . 5B POP EBX 00869DAD . 8BE5 MOV ESP,EBP 00869DAF . 5D POP EBP 00869DB0 . C2 0400 RETN 4 00869DB3 > 8B4D DC MOV ECX,DWORD PTR SS:[EBP-24] 00869DB6 . 51 PUSH ECX 00869DB7 . 68 E021BF00 PUSH raiderzu.00BF21E0 00869DBC . E8 CF690000 CALL raiderzu.00870790 00869DC1 . 83C4 04 ADD ESP,4 00869DC4 . 50 PUSH EAX 00869DC5 . 53 PUSH EBX 00869DC6 . E8 85050000 CALL raiderzu.0086A350 00869DCB . 83C4 0C ADD ESP,0C 00869DCE . EB 03 JMP SHORT raiderzu.00869DD3 00869DD0 > 8B75 FC MOV ESI,DWORD PTR SS:[EBP-4] 00869DD3 > A1 78D20201 MOV EAX,DWORD PTR DS:[102D278] 00869DD8 . 33FF XOR EDI,EDI 00869DDA . 3BC7 CMP EAX,EDI 00869DDC . A3 90D20201 MOV DWORD PTR DS:[102D290],EAX 00869DE1 . 75 48 JNZ SHORT raiderzu.00869E2B 00869DE3 . 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18] 00869DE6 . 3BC7 CMP EAX,EDI 00869DE8 . A3 90D20201 MOV DWORD PTR DS:[102D290],EAX 00869DED . 75 3C JNZ SHORT raiderzu.00869E2B 00869DEF . A1 98D20201 MOV EAX,DWORD PTR DS:[102D298] 00869DF4 . 3BC7 CMP EAX,EDI 00869DF6 . A3 90D20201 MOV DWORD PTR DS:[102D290],EAX 00869DFB . 75 2E JNZ SHORT raiderzu.00869E2B 00869DFD . A1 94D20201 MOV EAX,DWORD PTR DS:[102D294] 00869E02 . 3BC7 CMP EAX,EDI 00869E04 . A3 90D20201 MOV DWORD PTR DS:[102D290],EAX 00869E09 . 75 20 JNZ SHORT raiderzu.00869E2B 00869E0B . 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8] 00869E0E . 52 PUSH EDX 00869E0F . 68 CC21BF00 PUSH raiderzu.00BF21CC 00869E14 . 68 58D10201 PUSH raiderzu.0102D158 00869E19 . E8 722A0000 CALL raiderzu.0086C890 00869E1E . 83C4 0C ADD ESP,0C 00869E21 . 25 FF000000 AND EAX,0FF 00869E26 . A3 90D20201 MOV DWORD PTR DS:[102D290],EAX 00869E2B > 68 C421BF00 PUSH raiderzu.00BF21C4 00869E30 . E8 5B690000 CALL raiderzu.00870790 00869E35 . 83C4 04 ADD ESP,4 00869E38 . 50 PUSH EAX 00869E39 . 53 PUSH EBX 00869E3A . E8 11050000 CALL raiderzu.0086A350 00869E3F . 83C4 08 ADD ESP,8 00869E42 . 8D8E 74140000 LEA ECX,DWORD PTR DS:[ESI+1474] 00869E48 . E8 135B0000 CALL raiderzu.0086F960 00869E4D . 3BC7 CMP EAX,EDI 00869E4F . 75 30 JNZ SHORT raiderzu.00869E81 00869E51 . 8B35 14F1AC00 MOV ESI,DWORD PTR DS:[<&kernel32.GetLast>; ntdll.RtlGetLastWin32Error 00869E57 . FFD6 CALL ESI ; [GetLastError 00869E59 . FFD6 CALL ESI ; [GetLastError 00869E5B . 50 PUSH EAX 00869E5C . 68 B021BF00 PUSH raiderzu.00BF21B0 00869E61 . E8 2A690000 CALL raiderzu.00870790 00869E66 . 83C4 04 ADD ESP,4 00869E69 . 50 PUSH EAX 00869E6A . 53 PUSH EBX 00869E6B . E8 E0040000 CALL raiderzu.0086A350 00869E70 . 83C4 0C ADD ESP,0C 00869E73 . B8 A0000000 MOV EAX,0A0 00869E78 . 5F POP EDI 00869E79 . 5E POP ESI 00869E7A . 5B POP EBX 00869E7B . 8BE5 MOV ESP,EBP 00869E7D . 5D POP EBP 00869E7E . C2 0400 RETN 4 00869E81 > 50 PUSH EAX 00869E82 . 68 8021BF00 PUSH raiderzu.00BF2180 00869E87 . E8 04690000 CALL raiderzu.00870790 00869E8C . 83C4 04 ADD ESP,4 00869E8F . 50 PUSH EAX 00869E90 . 53 PUSH EBX 00869E91 . E8 BA040000 CALL raiderzu.0086A350 00869E96 . A1 94D20201 MOV EAX,DWORD PTR DS:[102D294] 00869E9B . 83C4 0C ADD ESP,0C 00869E9E . 3BC7 CMP EAX,EDI 00869EA0 . 0F85 94000000 JNZ raiderzu.00869F3A 00869EA6 . 393D 98D20201 CMP DWORD PTR DS:[102D298],EDI 00869EAC . 0F85 88000000 JNZ raiderzu.00869F3A 00869EB2 . 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28] 00869EB5 . 50 PUSH EAX ; /hThread 00869EB6 . FF15 64F3AC00 CALL DWORD PTR DS:[<&kernel32.ResumeThre>; \ResumeThread 00869EBC . 8B8E 983B0000 MOV ECX,DWORD PTR DS:[ESI+3B98] 00869EC2 . A1 74D20201 MOV EAX,DWORD PTR DS:[102D274] 00869EC7 . 8B55 D4 MOV EDX,DWORD PTR SS:[EBP-2C] 00869ECA . 898D 78FFFFFF MOV DWORD PTR SS:[EBP-88],ECX 00869ED0 . 50 PUSH EAX ; /Timeout => 0. ms 00869ED1 . 8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88] ; | 00869ED7 . 57 PUSH EDI ; |WaitForAll 00869ED8 . 51 PUSH ECX ; |pObjects 00869ED9 . 6A 02 PUSH 2 ; |nObjects = 2 00869EDB . 8995 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EDX ; | 00869EE1 . FF15 78F1AC00 CALL DWORD PTR DS:[<&kernel32.WaitForMul>; \WaitForMultipleObjects 00869EE7 . 85C0 TEST EAX,EAX 00869EE9 . 0F84 A4000000 JE raiderzu.00869F93 00869EEF . 68 6C21BF00 PUSH raiderzu.00BF216C 00869EF4 . E8 97680000 CALL raiderzu.00870790 00869EF9 . 83C4 04 ADD ESP,4 00869EFC . 50 PUSH EAX ; /EventName 00869EFD . 57 PUSH EDI ; |Inheritable 00869EFE . 68 00001000 PUSH 100000 ; |Access = 100000 00869F03 . FF15 70F1AC00 CALL DWORD PTR DS:[<&kernel32.OpenEventA>; \OpenEventA 00869F09 . 3BC7 CMP EAX,EDI
Last edited by crazy; 2013-02-02 at 03:20 PM.
why not carried
gamemon not let the game run.
?? HELP develop unpacking? please
client raiderz protected Themida or Nprotect ???? HElp
asprotect 1.23
Please register or login to download attachments.
Last edited by crazy; 2013-02-02 at 03:47 AM.
thanks kiss love you
can you teach me how to make withdraw gameguard client?
withdraw gameguard
you can do video please
Last edited by inesbrasil; 2013-02-02 at 03:28 PM.
if the error msg of gamemon
you only need to find the line to disable
you video disable gammon + gameguard I always atulizar? please PV can we talk?
Well I do not know from what version they sent me inesbrasil but I unpacked. In archive 2 exe first only unpacked second with removed startup GG. If you need manually remove here asm code :
PHP Code:0040D960 56 PUSH ESI
0040D961 57 PUSH EDI
0040D962 8BF9 MOV EDI,ECX
0040D964 8B4F 08 MOV ECX,DWORD PTR DS:[EDI+8]
0040D967 8B01 MOV EAX,DWORD PTR DS:[ECX]
0040D969 8B50 08 MOV EDX,DWORD PTR DS:[EAX+8]
0040D96C FFD2 CALL EDX
0040D96E 8B4F 08 MOV ECX,DWORD PTR DS:[EDI+8]
0040D971 8D77 0C LEA ESI,DWORD PTR DS:[EDI+C]
0040D974 3BCE CMP ECX,ESI
0040D976 74 0F JE SHORT Raiderz.0040D987
0040D978 85C9 TEST ECX,ECX
0040D97A 74 08 JE SHORT Raiderz.0040D984
0040D97C 8B01 MOV EAX,DWORD PTR DS:[ECX]
0040D97E 8B10 MOV EDX,DWORD PTR DS:[EAX]
0040D980 6A 01 PUSH 1
0040D982 FFD2 CALL EDX
0040D984 8977 08 MOV DWORD PTR DS:[EDI+8],ESI
0040D987 6A 20 PUSH 20
0040D989 E8 4CC44200 CALL Raiderz.00839DDA
0040D98E 8BF0 MOV ESI,EAX
0040D990 83C4 04 ADD ESP,4
0040D993 85F6 TEST ESI,ESI
0040D995 74 43 JE SHORT Raiderz.0040D9DA
0040D997 C706 3CA9B100 MOV DWORD PTR DS:[ESI],Raiderz.00B1A93C
0040D99D 33C0 XOR EAX,EAX
0040D99F C746 04 30A9B10>MOV DWORD PTR DS:[ESI+4],Raiderz.00B1A930
0040D9A6 8946 08 MOV DWORD PTR DS:[ESI+8],EAX
0040D9A9 8946 0C MOV DWORD PTR DS:[ESI+C],EAX
0040D9AC 8946 10 MOV DWORD PTR DS:[ESI+10],EAX
0040D9AF 68 149EB100 PUSH Raiderz.00B19E14 ; UNICODE "RaiderzUS"
0040D9B4 8946 14 MOV DWORD PTR DS:[ESI+14],EAX
0040D9B7 E8 549E4500 CALL Raiderz.00867810
0040D9BC 8BCE MOV ECX,ESI
0040D9BE C746 18 0000000>MOV DWORD PTR DS:[ESI+18],0
0040D9C5 894F 08 MOV DWORD PTR DS:[EDI+8],ECX
0040D9C8 8B01 MOV EAX,DWORD PTR DS:[ECX]
0040D9CA 8B50 04 MOV EDX,DWORD PTR DS:[EAX+4]
0040D9CD 83C4 04 ADD ESP,4
0040D9D0 FFD2 CALL EDX ; <- NOP -> MOV AL, 1
0040D9D2 84C0 TEST AL,AL
0040D9D4 5F POP EDI
0040D9D5 0F95C0 SETNE AL
0040D9D8 5E POP ESI
0040D9D9 C3 RETN
0040D9DA 33C9 XOR ECX,ECX
0040D9DC 894F 08 MOV DWORD PTR DS:[EDI+8],ECX
0040D9DF 8B01 MOV EAX,DWORD PTR DS:[ECX]
0040D9E1 8B50 04 MOV EDX,DWORD PTR DS:[EAX+4]
0040D9E4 FFD2 CALL EDX
0040D9E6 84C0 TEST AL,AL
0040D9E8 5F POP EDI
0040D9E9 0F95C0 SETNE AL
0040D9EC 5E POP ESI
0040D9ED C3 RETN
replace toPHP Code:0040D9D0 FFD2 CALL EDX
I do not know how the game will work because i have only main executable with all modules and without game resource's.PHP Code:0040D9D0 B0 01 MOV AL,1
Btw: I'm too lazy to download full client
Please register or login to download attachments.
Posting Permissions
Reply With Quote