k3dT

Everything posted by k3dT

  1. Good news, 2013-12-18bRagexe.exe, 2013-12-23bRagexe.exe, 2013-12-23cRagexe.exe are not packed with Themida. They aren't packed at all.. Can anybody update phpDiffPatcher?
  2. 2013-03-20eRagexe-nohs.exe - latest RagEXE with hackshield disabled (may contain some more patches.. for testing only)
  3. It's MSVC 10. Are you sure? Linker info is 9.0 and imports msvcp90.dll and msvcr90.dll are runtime files for Visual Studio 2008. And yes, sections are merged, because of Themida. I can't help.
  4. Hi, k3dT, Thanks for your amazing work.. I'm following u these days, Bigfan. if possible, could u do me a favour? https://docs.google.com/file/d/0B1k-Z7DOattDQUdJTl80bFU0Yms/edit It's another "ragexe.exe" with themida, I've failed about it for a long time. Drive me crazy so I would be very much obliged if u could unpack it long time? it's exe from 18.3.2013 o_O Here is latest unpacked Ragexe: 2013-03-20eRagexe.exe
  5. All RagExe's are compiled with MSVC 9 (!!)... Last unpacked RagExe is here: 2013-03-13aRagexe.exe
  6. You need to paste this into your .vmx file:

       monitor_control.restrict_backdoor = "TRUE"
       isolation.tools.getPtrLocation.disable = "TRUE"
       isolation.tools.setPtrLocation.disable = "TRUE"
       isolation.tools.setVersion.disable = "TRUE"
       isolation.tools.getVersion.disable = "TRUE"
       monitor_control.disable_directexec = "TRUE"

     and change the display adapter name to an empty string (in the registry):

       HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Class/{4D36E968-E325-11CE-BFC1-08002BE10318}/0000

     Double click on "DriverDesc" and erase the value. Then uninstall VMware tools and shut down Windows (!) and start again. Tested only on VMware Fusion (OSX 10.8.3) and Windows XP SP3 as host. Unpacking newer RagRE/RagEXE's should not be a problem.. now it's quick and easy. EDIT: http://k3dt.eu/Ragexe/ http://k3dt.eu/Ragexe/unpacked/ Now Yommy can unpack EXE's too...
  7. My mirror of (protected yet) RagexeRE: http://k3dt.eu/RagexeRE/ Gravity changed compiler from Visual Studio 9.0 to 10.0 first in 2013-01-15aRagexeRE.exe Unpacked clients available soon (here http://k3dt.eu/RagexeRE/unpacked/ ) edit: all done
  8. I will unpack more EXEs today... we will see.
  9. Everything seems fine. They must have changed something. Here is the first unpacked themida-protected exe I found.. - http://k3dt.eu/2012-08-08dRagexeRE_dumped.exe (I'm able to extract encryption keys from this, can you try to extract packetdb - which tool do you use?)
  10. I figured out how to unpack Themida inside VMware.. Here is unpacked latest exe (2013-03-13c): http://k3dt.eu/2013_03_13c_RagexeRE_unpacked.exe (my first try.. but size should be OK) EDIT: AV scan looks great.. http://virusscan.jotti.org/en/scanresult/347e5f1cae73e4863274ec96949358c9af15642f
  11. Yes.. this is a script for the Ollydump plugin for OllyDbg, but it is only part of the demangling/dumping/fixing/rebuilding process... Sorry.. As I wrote at IRC, I need a dedicated Windows machine now :/ It's hard to catch Giv anymore, but he told me all what to do.
  12. Judas: No problem... only problem is that the process is very time consuming... so please be patient.
  13. Hi Yommy, Here is the unpacked 2012-10-17bRagexeRE client (all credit goes to my friend giv). http://k3dt.eu/2012-10-17bRagexeRE-unpacked.exe If you need to unpack some other versions, contact me at irc://irc.reborn.cz/reborn