Thread: SoulSaver Online ASProtect Unpacked

Originally Posted by daily

dwar comon release new unpacked

I release unpacked files right after client updates (generally)

Originally Posted by choyung

hmm, maybe we can inject dll for the gameguard?

It will be discussed in another thread

Originally Posted by rendika2

i cant find that.

Code:

0090F94E > $ 6A 74          PUSH 74
0090F950   . 68 388A9C00    PUSH 2Game.009C8A38

Stolen bytes. You need to find them while unpacking

can i see where stolen bytes?
and replace that?

Originally Posted by rendika2

can i see where stolen bytes?

If I correctly understand your question, you can't find them in exe. ASProtect execute stolen code during unpacking and then point you to the OEP without these stolen bytes. Follow general ASProtect unpacking tutorial and try to get needed data

Originally Posted by rendika2

u can ss where ur find stolen code?

During tracing and deobfuscating ASProtect code. It's impossible to directly point you to the right place. Just analyze the code.

Let me make small explanation: ASProtect, due further exe protection, remove and copy to the internal routines several instruction from original OEP. Removed instruction are replaced by zero. At the end of unpacking protector executes these stolen instructions from his obfuscated routines and then continue running application right after zeros at the beginning of OEP.
How to get these bytes? You need manually trace code after last exception (if you follow the tutorial).
You should find junk code with a lots of jmp's

Code:

01E9D4D3    83CF 98         or      edi, -0x68
01E9D4D6    5F              pop     edi
01E9D4D7    6A 74           push    0x74
01E9D4D9    68 388A9C00     push    0x9C8A38
01E9D4DE    F3:             prefix rep:
01E9D4DF    EB 02           jmp     short 01E9D4E3
01E9D4E1    CD20 66812DEC   vxdjump 0xEC2D8166
01E9D4E7    D4 E9           aam     0xE9
01E9D4E9    0145 67         add     dword ptr [ebp+0x67], eax
01E9D4EC    36:EB 01        jmp     short 01E9D4F0
01E9D4EF    F3:             prefix rep:
01E9D4F0    53              push    ebx
01E9D4F1    EB 08           jmp     short 01E9D4FB
01E9D4F3    E3 13           jecxz   short 01E9D508
01E9D4F5    3B94E3 133B94EB cmp     edx, dword ptr [ebx-0x146BC4ED]
01E9D4FC    01C7            add     edi, eax
01E9D4FE    68 F3D4E901     push    0x1E9D4F3
01E9D503    5B              pop     ebx
01E9D504    F2:             prefix repne:
01E9D505    EB 01           jmp     short 01E9D508
01E9D507    9A 50EB01F0 FF3>call    far 34FF:F001EB50

here we have our stolen code at 01E9D4D7 and 01E9D4D9

Originally Posted by rendika2

for trace like this?

Are you kidding? I say "manually trace the code".

Originally Posted by rendika2

like this find trace?

I don't use condition BP and "run trace". After last exception, I step-by-step tracing code until I reach needed data. Sorry, but do you understand word "manually"?