
unpack themida client


Yommy

  • Group: Members
  • Joined: 11/08/11

As many will know, Gravity started to protect the Ragnarok client with Themida since 2012-07-24aRagexeRE.

If anyone is able to unpack the clients back to normal, it would help a lot.

Thank you

Yom

  • Upvote 4
  • Group: Forum Moderator
  • Joined: 05/23/12

Does anyone have the unpacked files? It will help me to reinforcement engineering.

Rynbet~

  • Group: Members
  • Joined: 03/07/13

Hi Yommy,

Here is the unpacked 2012-10-17bRagexeRE client (all credit goes to my friend giv).

 

http://k3dt.eu/2012-10-17bRagexeRE-unpacked.exe

 

If you need to unpack some other versions, contact me at irc://irc.reborn.cz/reborn

Edited by k3dt
  • Upvote 5
  • Group: Members
  • Joined: 11/19/11

this is great =)

Can you do March 2013? Rytech would probably appreciate this a lot.

  • Group: Developer
  • Joined: 11/08/11

The problem is that you can't use a diffpatcher on those yet...

  • Group: Members
  • Joined: 03/07/13

Judas: No problem... only problem is that the process is very time consuming... so please be patient.

Edited by k3dt
  • Upvote 2
  • Group: Members
  • Joined: 11/19/11

client seems to work well =)

Just have to tinker with some stuff

  • Group: Members
  • Joined: 11/14/11

Whoa, this is interesting. Someone was finally able to crack it and get an actual usable client from it (I'm guessing it's usable in its state). Text like job names and message strings is visible within the client, and it even shows its client date of October 27, 2012. It's a sure sign of progress on things. There are a number of other resources that will need to be worked on before these newer clients are fully usable. Lemongrass pointed out one of them being diffs. The client has changed around due to the packing/unpacking stuff. Another is packets and packet lengths, the 3rd is an updated msgstringtable.txt, and the 4th and final one is lua files, for which we currently have some severely outdated decompiled lua files, along with the wondering of what lubs the client officially uses and no longer uses.

There's a lot of work to be done to catch up on things. Honestly I wouldn't bother with anything until the day Gravity adds all those new skills to the main kRO server. Whatever date that is is the client data we should focus on. That way we won't be expecting any feature or animation updates for a while. That's my suggestion. Awesome work, by the way.

  • Group: Members
  • Joined: 02/09/12

Then the only thing left is to re-translate all the lua files and make another Artificial Intelligence Manager.. I'm waiting for that day ..

Is this the script that you're using? It's really confusing to me.. xD I need to learn more about this :I

 

http://k3dt.eu/Themida%20-%20Winlicense%201.x%20-%202.x%20Multi%20PRO%20Edition%201.2.txt

Edited by M45T3R
  • Group: Members
  • Joined: 11/19/11

@k3dt, any update on the latest unpacked ragexeRE client?

 

It seems like the level 160 aura is controlled by the effect files now, if people don't know about it.

So this will be a lot easier than the old way of hexing to add the level 160 aura in for the older clients:

This is as far as I can go because the packet tools we have available now all fail, probably because of what Rytech said above, that the client has been unpacked, and maybe it's hard to get them now.

 

 

Screen_Shot_2013_03_13_at_8_38_40_PM.png

Screen_Shot_2013_03_13_at_8_38_31_PM.png

Screen_Shot_2013_03_13_at_8_37_57_PM.png

  • Group: Members
  • Joined: 03/07/13

Then the only thing left is to re-translate all the lua files and make another Artificial Intelligence Manager.. I'm waiting for that day ..

Is this the script that you're using? It's really confusing to me.. xD I need to learn more about this :I

 

http://k3dt.eu/Themida%20-%20Winlicense%201.x%20-%202.x%20Multi%20PRO%20Edition%201.2.txt

 

Yes.. this is a script for the Ollydump plugin for OllyDbg, but it is only part of the demangling/dumping/fixing/rebuilding process...

 

@k3dt, any update on the latest unpacked ragexeRE client?

 

Sorry.. As I wrote on IRC, I need a dedicated Windows machine now :/ It's hard to catch Giv anymore, but he told me everything to do.

  • Group: Members
  • Joined: 11/19/11

Alright, thanks for the update :)

  • Group: Members
  • Joined: 03/07/13

I figured out how to unpack Themida inside VMware.. 

 

Here is the latest unpacked exe (2013-03-13c):

http://k3dt.eu/2013_03_13c_RagexeRE_unpacked.exe

 

(my first try.. but size should be OK)

 

EDIT: AV scan looks great.. http://virusscan.jotti.org/en/scanresult/347e5f1cae73e4863274ec96949358c9af15642f

Edited by k3dt
  • Group: Members
  • Joined: 11/19/11

thanks! I'll try it out, it seems it doesn't produce any packets though as 10-17 did

 

EDIT:

Is there any way you can try again? Unless something else was added onto these newer clients? I kinda doubt that though. I tried to do the packet obfuscation and it won't work. But with the 10-17 unpacked I was able to do it.

  • Group: Members
  • Joined: 03/07/13

Everything seems fine. They must have changed something.

Here is the first unpacked Themida-protected exe I found.. - http://k3dt.eu/2012-08-08dRagexeRE_dumped.exe (I'm able to extract encryption keys from this; can you try to extract packetdb? Which tool do you use?)

Edited by k3dt
  • Group: Members
  • Joined: 11/19/11

yeah that works, so I guess they did change something up in the newest 2013 clients

  • Upvote 1
  • Group: Members
  • Joined: 03/07/13

I will unpack more EXEs today... we will see. 

  • Upvote 1
  • Group: Members
  • Joined: 11/19/11

thanks i appreciate it

  • Group: Members
  • Joined: 03/07/13

My mirror of (still protected) RagexeRE: http://k3dt.eu/RagexeRE/

Gravity changed compiler from Visual Studio 9.0 to 10.0 first in 2013-01-15aRagexeRE.exe

Unpacked clients available soon (here http://k3dt.eu/RagexeRE/unpacked/ )

 

edit: all done :)

Edited by k3dt
  • Upvote 2
  • Group: Members
  • Joined: 03/13/12

k3dt you rock!!  /no1

  • Group: Members
  • Joined: 11/19/11

awesome

 

Thanks for telling what's been changed. So I guess we can only go up to 2013-01-09aRagexeRE.

  • Group: Developer
  • Joined: 11/08/11

Thank you k3dt.

Mind telling me how you were able to run this with VmWare?

And would it be possible that you also unpack and upload the main server client files?

  • Group: Members
  • Joined: 03/07/13

Thank you k3dt.

Mind telling me how you were able to run this with VmWare?

And would it be possible that you also unpack and upload the main server client files?

 

You need to paste this into your .vmx file:

monitor_control.restrict_backdoor = "TRUE"
isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"
monitor_control.disable_directexec = "TRUE"

 

and change the display adapter name to an empty string (in the registry).

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Double-click on "DriverDesc" and erase the value.

Then uninstall VMware Tools, shut down Windows (!) and start again.

Tested only on VMware Fusion (OSX 10.8.3) and Windows XP SP3 as host.

 

Unpacking newer RagRE/RagEXE's should not be a problem.. now it's quick and easy.

 

EDIT: 

http://k3dt.eu/Ragexe/

http://k3dt.eu/Ragexe/unpacked/

Now Yommy can unpack EXE's too...

Edited by k3dT
  • Upvote 2
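
As an added example (not code from this thread or from VMware), here is a small Python check that a .vmx file really contains the six settings listed in the post above, and that flags keys broken by stray whitespace from a copy-paste. `SAMPLE_VMX` is constructed input, and treating keys and TRUE/FALSE values as case-insensitive is an assumption.

```python
import re

# The six settings from the post; each is expected to be "TRUE".
REQUIRED = [
    "monitor_control.restrict_backdoor",
    "isolation.tools.getPtrLocation.disable",
    "isolation.tools.setPtrLocation.disable",
    "isolation.tools.setVersion.disable",
    "isolation.tools.getVersion.disable",
    "monitor_control.disable_directexec",
]
LINE_RE = re.compile(r'^\s*([^=#]+?)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    # Returns ({lowercased key: value}, [keys that contain whitespace]).
    settings, malformed = {}, []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # blank line, comment, or not a key = "value" pair
        key, value = m.groups()
        if re.search(r"\s", key):
            malformed.append(key)  # e.g. "isolation. tools..." from a bad paste
        else:
            settings[key.lower()] = value  # assumption: keys are case-insensitive
    return settings, malformed

def audit_vmx(text):
    # Sorts the required settings into ok / wrong / missing.
    settings, malformed = parse_vmx(text)
    report = {"ok": [], "wrong": [], "missing": [], "malformed": malformed}
    for key in REQUIRED:
        value = settings.get(key.lower())
        if value is None:
            report["missing"].append(key)
        elif value.upper() == "TRUE":  # assumption: value case does not matter
            report["ok"].append(key)
        else:
            report["wrong"].append(key)
    return report

# Constructed sample input, not taken from a real VM.
SAMPLE_VMX = """\
.encoding = "UTF-8"
# analysis guest
monitor_control.restrict_backdoor = "TRUE"
isolation. tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "FALSE"
isolation.tools.setVersion.disable = "true"
monitor_control.disable_directexec = "TRUE"
"""
```

Calling `audit_vmx(open(path).read())` on a real file returns the same four lists; a key that appears under `malformed` will also show up under `missing`, since the broken line never sets it.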
  • Group: Members
  • Joined: 11/19/11

awesome!

  • Group: Members
  • Joined: 11/08/11

k3dt, do athena a favour, and don't make the RE clients, these are for the sakray server.

Instead you should force athena to use the main server client, ragexe.exe :)

 

<3

  • Upvote 3
  • Group: Members
  • Joined: 08/09/12

I'm following this thread  /oh
