Reversing the Unbottables


Reversing the Unbottables

#1 Post by Reversy »

I've given myself a foolish task of reversing each unbottable private server until I've become proficient in reversing. I've started with RebirthRO and I'm stuck :x. It seems like RebirthRO is not packed, but I can't rebuild a fully functional dump, so I'm guessing that it's a custom packer or I'm just a lame noob who can't properly read OllyDbg and decipher the correct addresses for the DLLs.

OEP:
004268B0 *I know it's different from the IMG


I've thrown RebirthRO in a PE tool, but I couldn't manage to recognize one DLL (it doesn't matter if I deleted it or not); it did, however, lead me to an interesting function when I set a "write hardware breakpoint" on 00344460.

Code:

CPU Disasm
Address   Hex dump          Command                                  Comments
00537CF0  /$  55            PUSH EBP                                 ; RebirthRO_-_Copy.00537CF0(guessed Arg1,Arg2,Arg3)
00537CF1  |.  8BEC          MOV EBP,ESP
00537CF3  |.  6A FF         PUSH -1
00537CF5  |.  68 DBAD7300   PUSH RebirthRO_-_Copy.0073ADDB
00537CFA  |.  64:A1 0000000 MOV EAX,DWORD PTR FS:[0]
00537D00  |.  50            PUSH EAX
00537D01  |.  64:8925 00000 MOV DWORD PTR FS:[0],ESP                 ; Installs SE handler 73ADDB
00537D08  |.  81EC 9C000000 SUB ESP,9C
00537D0E  |.  56            PUSH ESI
00537D0F  |.  8B75 08       MOV ESI,DWORD PTR [ARG.1]
00537D12  |.  894D E8       MOV DWORD PTR [LOCAL.6],ECX
00537D15  |.  57            PUSH EDI
00537D16  |.  8B4E 04       MOV ECX,DWORD PTR [ESI+4]
00537D19  |.  8B46 08       MOV EAX,DWORD PTR [ESI+8]
00537D1C  |.  51            PUSH ECX                                 ; /Arg3
00537D1D  |.  50            PUSH EAX                                 ; |Arg2
00537D1E  |.  50            PUSH EAX                                 ; |Arg1
00537D1F  |.  E8 DC6D0000   CALL RebirthRO_-_Copy.0053EB00           ; \RebirthRO_-_Copy.0053EB00
00537D24  |.  83C4 0C       ADD ESP,0C
00537D27  |.  8BF8          MOV EDI,EAX
00537D29  |.  8B46 08       MOV EAX,DWORD PTR [ESI+8]
00537D2C  |.  8BCE          MOV ECX,ESI
00537D2E  |.  50            PUSH EAX                                 ; /Arg2
00537D2F  |.  57            PUSH EDI                                 ; |Arg1
00537D30  |.  E8 8B34F6FF   CALL RebirthRO_-_Copy.0049B1C0           ; \RebirthRO_-_Copy.0049B1C0
00537D35  |.  8B46 04       MOV EAX,DWORD PTR [ESI+4]
00537D38  |.  897E 08       MOV DWORD PTR [ESI+8],EDI
00537D3B  |.  85C0          TEST EAX,EAX
00537D3D  |.  74 10         JE SHORT RebirthRO_-_Copy.00537D4F
00537D3F  |.  8B4E 0C       MOV ECX,DWORD PTR [ESI+0C]
00537D42  |.  2BC8          SUB ECX,EAX
00537D44  |.  C1F9 02       SAR ECX,2
00537D47  |.  81F9 00100000 CMP ECX,1000
00537D4D  |.  73 5F         JNB SHORT RebirthRO_-_Copy.00537DAE
00537D4F  |>  68 00400000   PUSH 4000                                ; /Arg1 = 4000
00537D54  |.  E8 123D1D00   CALL RebirthRO_-_Copy.0070BA6B           ; \RebirthRO_-_Copy.0070BA6B
00537D59  |.  8B56 08       MOV EDX,DWORD PTR [ESI+8]
00537D5C  |.  83C4 04       ADD ESP,4
00537D5F  |.  8BF8          MOV EDI,EAX
00537D61  |.  8B46 04       MOV EAX,DWORD PTR [ESI+4]
00537D64  |.  57            PUSH EDI                                 ; /Arg3
00537D65  |.  52            PUSH EDX                                 ; |Arg2
00537D66  |.  50            PUSH EAX                                 ; |Arg1
00537D67  |.  8BCE          MOV ECX,ESI                              ; |
00537D69  |.  E8 6234F6FF   CALL RebirthRO_-_Copy.0049B1D0           ; \RebirthRO_-_Copy.0049B1D0
00537D6E  |.  8B4E 08       MOV ECX,DWORD PTR [ESI+8]
00537D71  |.  8B56 04       MOV EDX,DWORD PTR [ESI+4]
00537D74  |.  51            PUSH ECX                                 ; /Arg2
00537D75  |.  52            PUSH EDX                                 ; |Arg1
00537D76  |.  8BCE          MOV ECX,ESI                              ; |
00537D78  |.  E8 4334F6FF   CALL RebirthRO_-_Copy.0049B1C0           ; \RebirthRO_-_Copy.0049B1C0
00537D7D  |.  8B46 04       MOV EAX,DWORD PTR [ESI+4]
00537D80  |.  50            PUSH EAX                                 ; /Arg1
00537D81  |.  E8 20591C00   CALL RebirthRO_-_Copy.006FD6A6           ; \RebirthRO_-_Copy.006FD6A6
00537D86  |.  8B4E 04       MOV ECX,DWORD PTR [ESI+4]
00537D89  |.  83C4 04       ADD ESP,4
00537D8C  |.  8D87 00400000 LEA EAX,[EDI+4000]
00537D92  |.  85C9          TEST ECX,ECX
00537D94  |.  8946 0C       MOV DWORD PTR [ESI+0C],EAX
00537D97  |.  75 04         JNE SHORT RebirthRO_-_Copy.00537D9D
00537D99  |.  33C0          XOR EAX,EAX
00537D9B  |.  EB 08         JMP SHORT RebirthRO_-_Copy.00537DA5
00537D9D  |>  8B46 08       MOV EAX,DWORD PTR [ESI+8]
00537DA0  |.  2BC1          SUB EAX,ECX
00537DA2  |.  C1F8 02       SAR EAX,2
00537DA5  |>  8D0C87        LEA ECX,[EAX*4+EDI]
00537DA8  |.  897E 04       MOV DWORD PTR [ESI+4],EDI
00537DAB  |.  894E 08       MOV DWORD PTR [ESI+8],ECX
00537DAE  |>  8D8D 58FFFFFF LEA ECX,[LOCAL.42]
00537DB4  |.  E8 47BA0000   CALL RebirthRO_-_Copy.00543800
00537DB9  |.  8B0D 94F28100 MOV ECX,DWORD PTR [RebirthRO_-_Copy.81F2
00537DBF  |.  C745 FC 00000 MOV DWORD PTR [LOCAL.1],0
00537DC6  |.  85C9          TEST ECX,ECX
00537DC8  |.  74 0B         JE SHORT RebirthRO_-_Copy.00537DD5
00537DCA  |.  8B55 0C       MOV EDX,DWORD PTR [ARG.2]
00537DCD  |.  52            PUSH EDX                                 ; /Arg1 => [ARG.2]
00537DCE  |.  E8 6D0EFFFF   CALL RebirthRO_-_Copy.00528C40           ; \RebirthRO_-_Copy.00528C40
00537DD3  |.  EB 03         JMP SHORT RebirthRO_-_Copy.00537DD8
00537DD5  |>  8B45 0C       MOV EAX,DWORD PTR [ARG.2]
00537DD8  |>  6A 00         PUSH 0                                   ; /Arg2 = 0
00537DDA  |.  50            PUSH EAX                                 ; |Arg1
00537DDB  |.  8D8D 58FFFFFF LEA ECX,[LOCAL.42]                       ; |
00537DE1  |.  E8 6ABA0000   CALL RebirthRO_-_Copy.00543850           ; \71A60F5A
00537DE6  |.  84C0          TEST AL,AL
00537DE8  |.  75 26         JNE SHORT RebirthRO_-_Copy.00537E10
00537DEA  |.  8D8D 58FFFFFF LEA ECX,[LOCAL.42]
00537DF0  |.  C745 FC FFFFF MOV DWORD PTR [LOCAL.1],-1
00537DF7  |.  E8 14BA0000   CALL RebirthRO_-_Copy.00543810           ; [RebirthRO_-_Copy.00543810
00537DFC  |.  5F            POP EDI
00537DFD  |.  32C0          XOR AL,AL
00537DFF  |.  5E            POP ESI
00537E00  |.  8B4D F4       MOV ECX,DWORD PTR [LOCAL.3]
00537E03  |.  64:890D 00000 MOV DWORD PTR FS:[0],ECX
00537E0A  |.  8BE5          MOV ESP,EBP
00537E0C  |.  5D            POP EBP
00537E0D  |.  C2 0C00       RET 0C
00537E10  |>  8B85 64FFFFFF MOV EAX,DWORD PTR [LOCAL.39]
00537E16  |.  53            PUSH EBX
00537E17  |.  8BD8          MOV EBX,EAX
00537E19  |.  40            INC EAX
00537E1A  |.  50            PUSH EAX                                 ; /Arg1
00537E1B  |.  E8 4B3C1D00   CALL RebirthRO_-_Copy.0070BA6B           ; \RebirthRO_-_Copy.0070BA6B
00537E20  |.  83C4 04       ADD ESP,4
00537E23  |.  8D8D 58FFFFFF LEA ECX,[LOCAL.42]
00537E29  |.  8945 F0       MOV DWORD PTR [LOCAL.4],EAX
00537E2C  |.  53            PUSH EBX                                 ; /Arg2
00537E2D  |.  50            PUSH EAX                                 ; |Arg1
00537E2E  |.  E8 7DBC0000   CALL RebirthRO_-_Copy.00543AB0           ; \RebirthRO_-_Copy.00543AB0
00537E33  |.  8B45 F0       MOV EAX,DWORD PTR [LOCAL.4]
00537E36  |.  8D8D 58FFFFFF LEA ECX,[LOCAL.42]
00537E3C  |.  C60418 00     MOV BYTE PTR [EBX+EAX],0
00537E40  |.  E8 2BBC0000   CALL RebirthRO_-_Copy.00543A70           ; [RebirthRO_-_Copy.00543A70
00537E45  |.  8B45 F0       MOV EAX,DWORD PTR [LOCAL.4]
00537E48  |.  33FF          XOR EDI,EDI
00537E4A  |.  85DB          TEST EBX,EBX
00537E4C  |.  8945 08       MOV DWORD PTR [ARG.1],EAX
00537E4F  |.  0F8E CA000000 JLE RebirthRO_-_Copy.00537F1F
00537E55  |>  8A0C07        /MOV CL,BYTE PTR [EAX+EDI]
00537E58  |.  80F9 0A       |CMP CL,0A
00537E5B  |.  74 62         |JE SHORT RebirthRO_-_Copy.00537EBF
00537E5D  |.  80F9 0D       |CMP CL,0D
00537E60  |.  74 66         |JE SHORT RebirthRO_-_Copy.00537EC8
00537E62  |.  80F9 23       |CMP CL,23
00537E65  |.  0F85 AB000000 |JNE RebirthRO_-_Copy.00537F16           ; 
00537E6B  |.  8B4D 08       |MOV ECX,DWORD PTR [ARG.1]
00537E6E  |.  6A 02         |PUSH 2                                  ; /Arg3 = 2
00537E70  |.  68 98C47700   |PUSH OFFSET RebirthRO_-_Copy.0077C498   ; |Arg2 = ASCII "//"
00537E75  |.  51            |PUSH ECX                                ; |Arg1
00537E76  |.  E8 C55F1D00   |CALL RebirthRO_-_Copy.0070DE40          ; \RebirthRO_-_Copy.0070DE40
00537E7B  |.  83C4 0C       |ADD ESP,0C
00537E7E  |.  85C0          |TEST EAX,EAX
00537E80  |.  0F84 8D000000 |JE RebirthRO_-_Copy.00537F13
00537E86  |.  8B55 F0       |MOV EDX,DWORD PTR [LOCAL.4]
00537E89  |.  8D4D 08       |LEA ECX,[ARG.1]
00537E8C  |.  51            |PUSH ECX                                ; /Arg3 => OFFSET ARG.1
00537E8D  |.  6A 01         |PUSH 1                                  ; |Arg2 = 1
00537E8F  |.  C60417 00     |MOV BYTE PTR [EDX+EDI],0                ; |
00537E93  |.  8B46 08       |MOV EAX,DWORD PTR [ESI+8]               ; |
00537E96  |.  50            |PUSH EAX                                ; |Arg1
00537E97  |.  8BCE          |MOV ECX,ESI                             ; |
00537E99  |.  E8 F2FDEEFF   |CALL RebirthRO_-_Copy.00427C90          ; \RebirthRO_-_Copy.00427C90
00537E9E  |.  837D 10 02    |CMP DWORD PTR [ARG.3],2
00537EA2  |.  75 18         |JNE SHORT RebirthRO_-_Copy.00537EBC
00537EA4  |.  8B46 08       |MOV EAX,DWORD PTR [ESI+8]
00537EA7  |.  8D55 EC       |LEA EDX,[LOCAL.5]
00537EAA  |.  52            |PUSH EDX                                ; /Arg3 => OFFSET LOCAL.5
00537EAB  |.  6A 01         |PUSH 1                                  ; |Arg2 = 1
00537EAD  |.  50            |PUSH EAX                                ; |Arg1
00537EAE  |.  8BCE          |MOV ECX,ESI                             ; |
00537EB0  |.  C745 EC 00000 |MOV DWORD PTR [LOCAL.5],0               ; |
00537EB7  |.  E8 D4FDEEFF   |CALL RebirthRO_-_Copy.00427C90          ; \RebirthRO_-_Copy.00427C90
00537EBC  |>  8B45 F0       |MOV EAX,DWORD PTR [LOCAL.4]
00537EBF  |>  8D4C07 01     |LEA ECX,[EAX+EDI+1]
00537EC3  |.  894D 08       |MOV DWORD PTR [ARG.1],ECX
00537EC6  |.  EB 4E         |JMP SHORT RebirthRO_-_Copy.00537F16
00537EC8  |>  C60407 00     |MOV BYTE PTR [EAX+EDI],0
00537ECC  |.  8B45 10       |MOV EAX,DWORD PTR [ARG.3]
00537ECF  |.  85C0          |TEST EAX,EAX
00537ED1  |.  74 34         |JE SHORT RebirthRO_-_Copy.00537F07
00537ED3  |.  8B55 08       |MOV EDX,DWORD PTR [ARG.1]
00537ED6  |.  6A 02         |PUSH 2                                  ; /Arg3 = 2
00537ED8  |.  68 98C47700   |PUSH OFFSET RebirthRO_-_Copy.0077C498   ; |Arg2 = ASCII "//"
00537EDD  |.  52            |PUSH EDX                                ; |Arg1 => [ARG.1]
00537EDE  |.  E8 5D5F1D00   |CALL RebirthRO_-_Copy.0070DE40          ; \RebirthRO_-_Copy.0070DE40
00537EE3  |.  83C4 0C       |ADD ESP,0C
00537EE6  |.  85C0          |TEST EAX,EAX
00537EE8  |.  74 1D         |JE SHORT RebirthRO_-_Copy.00537F07
00537EEA  |.  8B45 08       |MOV EAX,DWORD PTR [ARG.1]
00537EED  |.  85C0          |TEST EAX,EAX
00537EEF  |.  74 16         |JE SHORT RebirthRO_-_Copy.00537F07
00537EF1  |.  8038 00       |CMP BYTE PTR [EAX],0
00537EF4  |.  74 11         |JE SHORT RebirthRO_-_Copy.00537F07
00537EF6  |.  8B46 08       |MOV EAX,DWORD PTR [ESI+8]
00537EF9  |.  8D4D 08       |LEA ECX,[ARG.1]
00537EFC  |.  51            |PUSH ECX                                ; /Arg3 => OFFSET ARG.1
00537EFD  |.  6A 01         |PUSH 1                                  ; |Arg2 = 1
00537EFF  |.  50            |PUSH EAX                                ; |Arg1
00537F00  |.  8BCE          |MOV ECX,ESI                             ; |
00537F02  |.  E8 89FDEEFF   |CALL RebirthRO_-_Copy.00427C90          ; \RebirthRO_-_Copy.00427C90
00537F07  |>  8B45 F0       |MOV EAX,DWORD PTR [LOCAL.4]
00537F0A  |.  8D5407 01     |LEA EDX,[EAX+EDI+1]
00537F0E  |.  8955 08       |MOV DWORD PTR [ARG.1],EDX
00537F11  |.  EB 03         |JMP SHORT RebirthRO_-_Copy.00537F16
00537F13  |>  8B45 F0       |MOV EAX,DWORD PTR [LOCAL.4]
00537F16  |>  47            |INC EDI
00537F17  |.  3BFB          |CMP EDI,EBX
00537F19  |.^ 0F8C 36FFFFFF \JL RebirthRO_-_Copy.00537E55          
00537F1F  |>  8B4E 04       MOV ECX,DWORD PTR [ESI+4]
00537F22  |.  5B            POP EBX
00537F23  |.  85C9          TEST ECX,ECX
00537F25  |.  75 04         JNE SHORT RebirthRO_-_Copy.00537F2B
00537F27  |.  33C0          XOR EAX,EAX
00537F29  |.  EB 08         JMP SHORT RebirthRO_-_Copy.00537F33
00537F2B  |>  8B46 0C       MOV EAX,DWORD PTR [ESI+0C]
00537F2E  |.  2BC1          SUB EAX,ECX
00537F30  |.  C1F8 02       SAR EAX,2
00537F33  |>  85C9          TEST ECX,ECX
00537F35  |.  75 04         JNE SHORT RebirthRO_-_Copy.00537F3B
00537F37  |.  33F6          XOR ESI,ESI
00537F39  |.  EB 08         JMP SHORT RebirthRO_-_Copy.00537F43
00537F3B  |>  8B76 08       MOV ESI,DWORD PTR [ESI+8]
00537F3E  |.  2BF1          SUB ESI,ECX
00537F40  |.  C1FE 02       SAR ESI,2
00537F43  |>  8B55 0C       MOV EDX,DWORD PTR [ARG.2]
00537F46  |.  46            INC ESI
00537F47  |.  50            PUSH EAX
00537F48  |.  56            PUSH ESI
00537F49  |.  52            PUSH EDX
00537F4A  |.  68 7CC47700   PUSH OFFSET RebirthRO_-_Copy.0077C47C    ; ASCII "%s size = %d capacity = %d"
00537F4F  |.  E8 3CDEECFF   CALL RebirthRO_-_Copy.00405D90
00537F54  |.  8B4D E8       MOV ECX,DWORD PTR [LOCAL.6]
00537F57  |.  83C4 10       ADD ESP,10
00537F5A  |.  8D55 F0       LEA EDX,[LOCAL.4]
00537F5D  |.  8B41 08       MOV EAX,DWORD PTR [ECX+8]
00537F60  |.  52            PUSH EDX                                 ; /Arg3 => OFFSET LOCAL.4
00537F61  |.  6A 01         PUSH 1                                   ; |Arg2 = 1
00537F63  |.  50            PUSH EAX                                 ; |Arg1
00537F64  |.  E8 176BF8FF   CALL RebirthRO_-_Copy.004BEA80           ; \RebirthRO_-_Copy.004BEA80
00537F69  |.  8D8D 58FFFFFF LEA ECX,[LOCAL.42]
00537F6F  |.  C745 FC FFFFF MOV DWORD PTR [LOCAL.1],-1
00537F76  |.  E8 95B80000   CALL RebirthRO_-_Copy.00543810           ; [RebirthRO_-_Copy.00543810
00537F7B  |.  8B4D F4       MOV ECX,DWORD PTR [LOCAL.3]
00537F7E  |.  5F            POP EDI
00537F7F  |.  B0 01         MOV AL,1
00537F81  |.  5E            POP ESI
00537F82  |.  64:890D 00000 MOV DWORD PTR FS:[0],ECX
00537F89  |.  8BE5          MOV ESP,EBP
00537F8B  |.  5D            POP EBP
00537F8C  \.  C2 0C00       RET 0C
00537F8F      90            NOP
00537F90  /.  55            PUSH EBP
00537F91  |.  8BEC          MOV EBP,ESP
00537F93  |.  56            PUSH ESI
00537F94  |.  8B75 08       MOV ESI,DWORD PTR [ARG.1]
00537F97  |.  57            PUSH EDI
00537F98  |.  8BFE          MOV EDI,ESI
00537F9A  |.  83C9 FF       OR ECX,FFFFFFFF
00537F9D  |.  33C0          XOR EAX,EAX
00537F9F  |.  33D2          XOR EDX,EDX
00537FA1  |.  F2:AE         REPNE SCAS BYTE PTR [EDI]
00537FA3  |.  F7D1          NOT ECX
00537FA5  |.  49            DEC ECX
00537FA6  |.  74 20         JE SHORT RebirthRO_-_Copy.00537FC8
00537FA8  |>  33C0          /XOR EAX,EAX
00537FAA  |.  8A0432        |MOV AL,BYTE PTR [ESI+EDX]
00537FAD  |.  8A88 7CC37700 |MOV CL,BYTE PTR [EAX+RebirthRO_-_Copy.7
00537FB3  |.  84C9          |TEST CL,CL
00537FB5  |.  74 17         |JE SHORT RebirthRO_-_Copy.00537FCE
00537FB7  |.  8BFE          |MOV EDI,ESI
00537FB9  |.  83C9 FF       |OR ECX,FFFFFFFF
00537FBC  |.  33C0          |XOR EAX,EAX
00537FBE  |.  42            |INC EDX
00537FBF  |.  F2:AE         |REPNE SCAS BYTE PTR [EDI]
00537FC1  |.  F7D1          |NOT ECX
00537FC3  |.  49            |DEC ECX
00537FC4  |.  3BD1          |CMP EDX,ECX
00537FC6  |.^ 72 E0         \JB SHORT RebirthRO_-_Copy.00537FA8
00537FC8  |>  5F            POP EDI
00537FC9  |.  B0 01         MOV AL,1
00537FCB  |.  5E            POP ESI
00537FCC  |.  5D            POP EBP
00537FCD  |.  C3            RET
00537FCE  |>  5F            POP EDI
00537FCF  |.  32C0          XOR AL,AL
00537FD1  |.  5E            POP ESI
00537FD2  |.  5D            POP EBP
00537FD3  \.  C3            RET

This particular function has something to do with the management of the bdata.grf files; it usually dumps memory (maps and other jazz) temporarily to 3200000 (out of the 4000000).


I'm stumped on what I have to do to fully dump this file. An idea of what particular guide or section in a book I should read/see, so I can do it myself, would be splendid. I feel tantamount to Don Quixote slaying imaginary dragons, without an idea of how this program works, since it's my first time even looking within eAthena; on top of that I don't know what's vanilla or what's blatantly customized.
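What the main loop of the listing does, written out in C as an added example (my reading of the disassembly, not RebirthRO's or the client's own source): the function name, the constructed sample input, and the readings of 0070DE40 as strncmp and 00427C90 as a vector push_back are assumptions.

```c
#include <string.h>

/* Inner loop 00537E55..00537F19 of the routine at 00537CF0: walk the file
 * buffer in place, terminating tokens with 0 and collecting their start
 * pointers (the calls to 00427C90, read here as a vector push_back). mode is
 * ARG.3: '#' always ends a field, '\r' ends one only when mode != 0, and
 * mode == 2 adds a NULL marker after each '#'. A token that starts with "//"
 * is a comment and is never collected. 0070DE40 is taken to be strncmp. */
size_t tokenize_buffer(char *buf, size_t len, int mode,
                       const char **out, size_t max_out)
{
    size_t n = 0;
    char *tok = buf;                          /* ARG.1: current token start */
    for (size_t i = 0; i < len; i++) {
        char c = buf[i];
        if (c == '\n') {                      /* 00537EBF: restart token */
            tok = buf + i + 1;
        } else if (c == '\r') {               /* 00537EC8 */
            buf[i] = 0;
            if (mode != 0 && strncmp(tok, "//", 2) != 0 && *tok && n < max_out)
                out[n++] = tok;
            tok = buf + i + 1;
        } else if (c == '#' && strncmp(tok, "//", 2) != 0) {   /* 00537E6B */
            buf[i] = 0;
            if (n < max_out) out[n++] = tok;
            if (mode == 2 && n < max_out) out[n++] = NULL;    /* 00537EA4 */
            tok = buf + i + 1;
        }
    }
    return n;
}

/* Constructed sample in the '#'-separated, CRLF style the loop expects (not
 * taken from any game data file). sample_joined() tokenizes a private copy
 * and returns the tokens joined with '|', NULL markers shown as <null>. */
static const char SAMPLE[] =
    "// header comment\r\n501#Red_Potion\r\n502#Orange_Potion\r\n";

const char *sample_joined(int mode)
{
    static char joined[128];
    char scratch[sizeof SAMPLE];
    const char *t[16];
    memcpy(scratch, SAMPLE, sizeof SAMPLE);
    size_t n = tokenize_buffer(scratch, sizeof SAMPLE - 1, mode, t, 16);
    joined[0] = 0;
    for (size_t i = 0; i < n; i++) {
        if (i) strcat(joined, "|");
        strcat(joined, t[i] ? t[i] : "<null>");
    }
    return joined;
}
```

Running the three modes over the sample shows the difference between ARG.3 values: mode 0 keeps only the fields before '#', mode 1 also keeps the remainder of each line, and mode 2 interleaves NULL markers.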

Re: Reversing the Unbottables

#2 Post by kLabMouse »

Well. For me, it looks like a custom DLL without a body,
that is loaded directly into memory.

I have only one idea at the time:
1) Dump the page that Ref looks to.
2) Try to understand the structure of it (and other non-code sections).
3) Make a custom DLL that holds the target code.
4) Modify the saved IAT tree, and point unknown trunks to your new DLL.

Re: Reversing the Unbottables

#3 Post by Reversy »

So I figured symphony.dll is the villain. The consistent jumping from VirtualProtect to the DLL gave it away.

Re: Reversing the Unbottables

#4 Post by kLabMouse »

So it's Symphony... your target.
Well, there is a way to get rid of VirtualProtect fully. But I dunno if starters are able to understand the manual way.

Re: Reversing the Unbottables

#5 Post by Reversy »

I have some resources that will lead individuals in the right direction, but I don't know if that's allowed in the Developers Corner. They're not your typical resources either, like your run-of-the-mill broad reversing website's "hope you figure out how to apply your skill."