I have been reverse engineering for a long time, but I have never attempted to unpack Themida. I know how to manually unpack simpler protectors with ImpRec and OllyDump (dump the process at the OEP, then rebuild the import table). My question is: how can I get good enough to unpack Themida?
I want to unpack Themida for the following reason:
While reverse engineering GameLauncher.exe I found that:
GameLauncher:
Code:
; ---------------------------------------------------------------------------
; GameLauncher.exe — game-launch routine, OllyDbg listing (32-bit x86, Intel
; syntax; the SS:/DS: prefixes and "GameLaun_xxxxxxxx" labels are OllyDbg's).
; Calling convention: thiscall, this arrives in ECX and is kept in ESI.
;
; What the visible code establishes:
;   1. Opens/creates HKEY_LOCAL_MACHINE\SOFTWARE\Wizet\MapleStory (RegCreateKeyExA).
;   2. Reads the value "ExecPath" into a 0104h (MAX_PATH) byte stack buffer.
;   3. Builds a command line from that path + "MapleStory.exe" + " GameLaunching"
;      through unresolved string helpers (CALL #nnn — most plausibly CString
;      ctor/operator+/assignment/dtor; not confirmed from this listing).
;   4. SetCurrentDirectoryA(<ExecPath>) then WinExec(<cmdline>, 5).
;   5. Shows one of two error strings if the value is missing or WinExec fails.
;
; Frame: SUB ESP,0140h plus the three dwords pushed for the SEH record = 014Ch,
; released by the ADD ESP,014Ch at the end. Local offsets in the comments below
; are relative to ESP right after PUSH ESI ("ESP0"); add 4 while EBX is pushed
; and 4 per outstanding argument push. Locals used:
;   ESP0+4    flag word: which temporaries need destruction (mirrored in EBX)
;   ESP0+8    strDir  — the ExecPath string object
;   ESP0+0Ch  strCmd  — the command line string object
;   ESP0+018h hKey    ESP0+02Ch cbData    ESP0+038h dwType   ESP0+03Ch raw buffer
;   ESP0+014Ch the MSVC C++ EH unwind-state index. Every store of 0..0Ch / -1
;   into [ESP+014Ch]/[ESP+0150h]/[ESP+0154h]/[ESP+0158h]/[ESP+015Ch]/[ESP+0164h]
;   below is that bookkeeping, not program logic.
;
; Review notes (security):
;   - The RegCreateKeyExA and SetCurrentDirectoryA return values are never checked.
;   - dwType from RegQueryValueExA is received but never examined.
;   - The command line is built from an HKLM value; whether the path is quoted
;     before WinExec is inside the unresolved helpers — TODO confirm. WinExec
;     splits an unquoted module path at the first space.
;   - WinExec's IAT slot is annotated "AcLayers.71C21A97": the call was redirected
;     into the Windows application-compatibility shim DLL in this debug session.
; ---------------------------------------------------------------------------
PUSH -1 ; MSVC C++ EH prologue: initial unwind-state index (-1 = nothing to unwind)
PUSH GameLaun_00401FB9 ; Entry address — the exception handler thunk registered for this frame
MOV EAX,DWORD PTR FS:[0] ; previous SEH record
PUSH EAX ; link to it
MOV DWORD PTR FS:[0],ESP ; install this frame as the current SEH record
SUB ESP,0140h ; locals
PUSH ESI ; callee-saved (ESP0 from here on)
MOV ESI,ECX ; ESI = this
LEA EAX,DWORD PTR SS:[ESP+034h] ; &dwDisposition (pushed first = last RegCreateKeyExA argument)
LEA ECX,DWORD PTR SS:[ESP+018h] ; &hKey (phkResult)
PUSH EAX ; lpdwDisposition
PUSH ECX ; phkResult
PUSH 0 ; lpSecurityAttributes = NULL
PUSH 0Fh ; samDesired = KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS
PUSH 0 ; dwOptions = REG_OPTION_NON_VOLATILE
PUSH 0 ; lpClass = NULL
PUSH 0 ; Reserved
PUSH GameLaun_00403160 ; ASCII "SOFTWARE\\Wizet\\MapleStory" — lpSubKey
PUSH 080000002h ; hKey = HKEY_LOCAL_MACHINE
MOV DWORD PTR SS:[ESP+028h],0 ; ESP0+4 (after 9 pushes): temporaries flag word = 0
CALL DWORD PTR DS:[<&ADVAPI32.RegCreateKeyExA>] ; ADVAPI32.RegCreateKeyExA — creates the key if absent and asks for write rights on HKLM (typically denied to a standard-user token). Return value NOT checked; a failure only surfaces when RegQueryValueExA below fails.
LEA ECX,DWORD PTR SS:[ESP+024h] ; this = local object at ESP0+024h (destroyed at the end of the routine)
CALL #540 ;<= Jump/Call Address Not Resolved — zero-arg thiscall on it; presumably a string-object constructor
LEA EDX,DWORD PTR SS:[ESP+02Ch] ; &cbData
LEA EAX,DWORD PTR SS:[ESP+03Ch] ; lpData: raw stack buffer for the ExecPath value
PUSH EDX ; lpcbData
MOV EDX,DWORD PTR SS:[ESP+01Ch] ; hKey returned above (ESP0+018h)
LEA ECX,DWORD PTR SS:[ESP+03Ch] ; &dwType (ESP0+038h)
PUSH EAX ; lpData
PUSH ECX ; lpType
PUSH 0 ; lpReserved
PUSH GameLaun_00403154 ; ASCII "ExecPath" — lpValueName
PUSH EDX ; hKey
MOV DWORD PTR SS:[ESP+0164h],0 ; EH state 0 (ESP0+014Ch)
MOV DWORD PTR SS:[ESP+044h],0104h ; cbData = 0104h = MAX_PATH, the size of the buffer at ESP0+03Ch
CALL DWORD PTR DS:[<&ADVAPI32.RegQueryValueExA>] ; ADVAPI32.RegQueryValueExA — dwType is never looked at afterwards
TEST EAX,EAX ; 0 = ERROR_SUCCESS
JE @GameLaun_0040165D ; value read -> build the command line
MOV ECX,ESI ; this
CALL @GameLaun_00401880 ;<= Jump/Call Address Not Resolved — member call; a nonzero result suppresses the error dialog
TEST EAX,EAX
JNZ @GameLaun_00401844 ; silent exit
PUSH EAX ; 0 (nType)
PUSH EAX ; 0 (lpszCaption)
PUSH GameLaun_00403108 ; ASCII "Cannot locate the game installation path. Please check the installation."
MOV ECX,ESI ; this
CALL #4224 ;<= Jump/Call Address Not Resolved — (text, NULL, 0) on this: the shape of CWnd::MessageBox, not confirmed
JMP @GameLaun_00401844 ; common epilogue
@GameLaun_0040165D: ; ---- "ExecPath" was read ----
LEA EAX,DWORD PTR SS:[ESP+03Ch] ; raw ExecPath buffer
PUSH EBX ; callee-saved; offsets below are +4 until the POP EBX after WinExec
PUSH EAX ; arg: the char buffer
LEA ECX,DWORD PTR SS:[ESP+010h] ; this = strDir (ESP0+8)
CALL #537 ;<= Jump/Call Address Not Resolved — one-arg thiscall: strDir built from the buffer (string ctor from char*, presumably)
LEA ECX,DWORD PTR SS:[ESP+02Ch] ; result slot for the temporary below (ESP0+028h)
PUSH 1 ; count = 1
PUSH ECX ; result pointer
LEA ECX,DWORD PTR SS:[ESP+014h] ; this = strDir
MOV BYTE PTR SS:[ESP+0158h],1 ; EH state 1
CALL #5710 ;<= Jump/Call Address Not Resolved — (result, 1) on strDir: looks like a one-character substring (e.g. Right(1)); unresolved
MOV EAX,DWORD PTR DS:[EAX] ; first dword of the returned object = its char buffer
PUSH GameLaun_00403104 ; string at 00403104 — not annotated in the dump (plausibly a path separator; verify)
PUSH EAX ; the one-character substring
MOV BYTE PTR SS:[ESP+0158h],2 ; EH state 2
CALL DWORD PTR DS:[<&MSVCRT._mbscmp>] ; msvcrt._mbscmp — does strDir already end in <00403104>?
ADD ESP,8 ; cdecl cleanup
TEST EAX,EAX
JNZ @GameLaun_004016C8 ; no -> insert <00403104> first
LEA EDX,DWORD PTR SS:[ESP+0Ch] ; strDir
PUSH GameLaun_004030F4 ; ASCII "MapleStory.exe"
LEA EAX,DWORD PTR SS:[ESP+018h] ; temp1 (ESP0+010h)
PUSH EDX ; strDir
PUSH EAX ; result pointer
CALL #924 ;<= Jump/Call Address Not Resolved — (result, lhs, rhs): temp1 = strDir + "MapleStory.exe" (operator+ shape; unresolved)
MOV EBX,1 ; flag bit 1: temp1 is live
MOV DWORD PTR SS:[ESP+8],EBX ; flag word (ESP0+4)
MOV BYTE PTR SS:[ESP+0150h],3 ; EH state 3
JMP @GameLaun_00401713
@GameLaun_004016C8: ; ---- separator needed ----
LEA ECX,DWORD PTR SS:[ESP+0Ch] ; strDir
PUSH GameLaun_00403104 ; <00403104>
LEA EDX,DWORD PTR SS:[ESP+028h] ; temp2 (ESP0+020h)
PUSH ECX ; strDir
PUSH EDX ; result pointer
CALL #924 ;<= Jump/Call Address Not Resolved — temp2 = strDir + <00403104>
MOV DWORD PTR SS:[ESP+8],2 ; flag bit 2: temp2 is live
PUSH GameLaun_004030F4 ; ASCII "MapleStory.exe"
PUSH EAX ; temp2
LEA EAX,DWORD PTR SS:[ESP+03Ch] ; temp3 (ESP0+030h)
MOV DWORD PTR SS:[ESP+0158h],4 ; EH state 4
PUSH EAX ; result pointer
CALL #924 ;<= Jump/Call Address Not Resolved — temp3 = temp2 + "MapleStory.exe"
MOV EBX,6 ; flag bits 2|4: temp2 and temp3 are live
MOV DWORD PTR SS:[ESP+8],EBX ; flag word
MOV DWORD PTR SS:[ESP+0150h],5 ; EH state 5
@GameLaun_00401713: ; ---- EAX = the "<dir>...MapleStory.exe" temporary ----
PUSH EAX ; source string
LEA ECX,DWORD PTR SS:[ESP+014h] ; this = strCmd (ESP0+0Ch)
CALL #535 ;<= Jump/Call Address Not Resolved — strCmd = <result> (copy/assign shape; unresolved)
TEST BL,4 ; temp3 live?
MOV DWORD PTR SS:[ESP+0150h],0Ah ; EH state 0Ah
JE @GameLaun_0040173D
AND EBX,FFFFFFFB ; clear bit 4
LEA ECX,DWORD PTR SS:[ESP+034h] ; temp3
MOV DWORD PTR SS:[ESP+8],EBX ; flag word
CALL #800 ;<= Jump/Call Address Not Resolved — zero-arg thiscall used on every temporary before it goes out of scope: destructor shape
@GameLaun_0040173D:
TEST BL,2 ; temp2 live?
MOV DWORD PTR SS:[ESP+0150h],9 ; EH state 9
JE @GameLaun_0040175D
AND EBX,FFFFFFFD ; clear bit 2
LEA ECX,DWORD PTR SS:[ESP+024h] ; temp2
MOV DWORD PTR SS:[ESP+8],EBX
CALL #800 ;<= Jump/Call Address Not Resolved — destroy temp2
@GameLaun_0040175D:
TEST BL,1 ; temp1 live?
MOV DWORD PTR SS:[ESP+0150h],8 ; EH state 8
JE @GameLaun_0040177D
AND EBX,FFFFFFFE ; clear bit 1 (EBX is now 0 on every path)
LEA ECX,DWORD PTR SS:[ESP+014h] ; temp1
MOV DWORD PTR SS:[ESP+8],EBX
CALL #800 ;<= Jump/Call Address Not Resolved — destroy temp1
@GameLaun_0040177D:
LEA ECX,DWORD PTR SS:[ESP+02Ch] ; the one-character substring from the _mbscmp step (ESP0+028h)
MOV DWORD PTR SS:[ESP+0150h],7 ; EH state 7
CALL #800 ;<= Jump/Call Address Not Resolved — destroy it
PUSH GameLaun_004030E4 ; ASCII " GameLaunching" — note the leading space: this is the argument appended to the command line
LEA ECX,DWORD PTR SS:[ESP+024h] ; tempArg (ESP0+01Ch)
CALL #537 ;<= Jump/Call Address Not Resolved — tempArg = " GameLaunching"
LEA ECX,DWORD PTR SS:[ESP+010h] ; strCmd
PUSH EAX ; tempArg
LEA EDX,DWORD PTR SS:[ESP+01Ch] ; temp4 (ESP0+014h)
MOV 0BhL,0B ; garbled in the paste; the two "BYTE PTR ...,BL" stores below bracket an EH state 0Ch, so this is consistent with "MOV BL,0Bh" (EH state 0Bh kept in BL) — verify against the binary
PUSH ECX ; strCmd
PUSH EDX ; result pointer
MOV BYTE PTR SS:[ESP+015Ch],BL ; EH state = BL
CALL #922 ;<= Jump/Call Address Not Resolved — temp4 = strCmd + tempArg (two string objects; unresolved)
PUSH EAX ; temp4
LEA ECX,DWORD PTR SS:[ESP+014h] ; this = strCmd
MOV BYTE PTR SS:[ESP+0154h],0Ch ; EH state 0Ch
CALL #858 ;<= Jump/Call Address Not Resolved — strCmd = temp4 (assignment shape; unresolved)
LEA ECX,DWORD PTR SS:[ESP+018h] ; temp4
MOV BYTE PTR SS:[ESP+0150h],BL ; EH state = BL
CALL #800 ;<= Jump/Call Address Not Resolved — destroy temp4
LEA ECX,DWORD PTR SS:[ESP+020h] ; tempArg
MOV BYTE PTR SS:[ESP+0150h],7 ; EH state 7
CALL #800 ;<= Jump/Call Address Not Resolved — destroy tempArg
MOV EAX,DWORD PTR SS:[ESP+0Ch] ; strDir's char buffer (first dword of the object)
PUSH EAX ; lpPathName = <ExecPath>
CALL DWORD PTR DS:[<&KERNEL32.SetCurrentDirectoryA>] ; kernel32.SetCurrentDirectoryA — return value not checked
MOV ECX,DWORD PTR SS:[ESP+010h] ; strCmd's char buffer
PUSH 5 ; uCmdShow = 5 (SW_SHOW)
PUSH ECX ; lpCmdLine = "<dir>[sep]MapleStory.exe GameLaunching"
CALL DWORD PTR DS:[<&KERNEL32.WinExec>] ; AcLayers.71C21A97 — the IAT entry points into the app-compat shim DLL, not kernel32, in this session
CMP EAX,01Fh ; WinExec returns > 31 on success
POP EBX ; restore callee-saved (offsets are back to ESP0-relative)
JA @GameLaun_00401822 ; launched
MOV ECX,ESI ; this
CALL @GameLaun_00401880 ;<= Jump/Call Address Not Resolved — same member call as on the registry-failure path
TEST EAX,EAX
JNZ @GameLaun_00401822 ; nonzero -> no dialog
PUSH EAX ; 0 (nType)
PUSH EAX ; 0 (lpszCaption)
PUSH GameLaun_004030A8 ; ASCII "Failed to execute the game. Please check the installation."
MOV ECX,ESI ; this
CALL #4224 ;<= Jump/Call Address Not Resolved — MessageBox-shaped helper, as above
@GameLaun_00401822: ; ---- tear down the two string locals ----
LEA ECX,DWORD PTR SS:[ESP+0Ch] ; strCmd
MOV BYTE PTR SS:[ESP+014Ch],1 ; EH state 1
CALL #800 ;<= Jump/Call Address Not Resolved — destroy strCmd
LEA ECX,DWORD PTR SS:[ESP+8] ; strDir
MOV BYTE PTR SS:[ESP+014Ch],0 ; EH state 0
CALL #800 ;<= Jump/Call Address Not Resolved — destroy strDir
@GameLaun_00401844: ; ---- common epilogue ----
MOV ECX,ESI ; this
CALL #4853 ;<= Jump/Call Address Not Resolved — zero-arg member call on this; purpose not visible here
LEA ECX,DWORD PTR SS:[ESP+024h] ; the object constructed right after RegCreateKeyExA
MOV DWORD PTR SS:[ESP+014Ch],-1 ; EH state -1: nothing left to unwind
CALL #800 ;<= Jump/Call Address Not Resolved — destroy it
MOV ECX,DWORD PTR SS:[ESP+0144h] ; saved previous SEH record (ESP0+0144h)
POP ESI ; restore callee-saved
MOV DWORD PTR FS:[0],ECX ; unlink this frame's SEH record
ADD ESP,014Ch ; 0140h locals + 3 pushed dwords
RETN
From this listing, the launcher appends " GameLaunching" (the string at 004030E4) to the MapleStory.exe command line before calling WinExec; MapleStory only runs when that parameter is present. The check itself is inside MapleStory.exe, which is not shown here.
My goal is to reverse engineer MapleStory.exe to find where it checks for the 'GameLaunching' parameter, so that I can patch that check and the surrounding function. I also want to make hacks and contribute to the forum. The only obstacle is Themida.
Does anybody have advice for me? Any tutorials that would take my reverse-engineering skills further, or any up-to-date tutorials on unpacking Themida?
Thank you.