tRO after 25 june 2013 patch

ROX_Leopardo
Developers
Posts: 37
Joined: 19 Nov 2011, 14:06
Noob?: No
Location: Brazil

Re: tRO after 25 june 2013 patch

#41 Post by ROX_Leopardo »

Here is the unpacked 2013-07-04aRagexe: https://www.dropbox.com/s/pjps7wc7hyxkuba/_Ragexe.exe
Now I'm getting the info...

The function that generates the KMA is sub_5A6530, which refers to a FUNCTION CHUNK at loc_998222.
This is all that I have found about the KMA keys so far.

munda
Noob
Posts: 1
Joined: 09 Jul 2013, 15:38
Noob?: Yes

#42 Post by munda »

I used IDA to find the key in yours, but I did not find the encryption key at any address.
I know the encryption key (2013-07-04aRagexe) because it seems like the previous encryption key in the earlier Ragexe.
(2013-06-28thRagexe.rgz is the old Ragexe, which is not packed with Themida.)

Code:

K = 0x03BB3374;
M = 0x372702B3;
A = 0x713F3DD3;

I did not find this in yours.

This is the latest exe in tRO: https://www.dropbox.com/s/kd0tmcv25777l ... Ragexe.rgz

I tried to unpack it but I failed. (This is my unpacked one => https://www.dropbox.com/s/l5w3gldh4spaa ... Ragexe.exe)
I am not experienced in reverse engineering.
Can you suggest how to unpack it successfully?

Thank you very much.

kLabMouse
Administrator
Posts: 1301
Joined: 24 Apr 2008, 12:02

#43 Post by kLabMouse »

munda wrote:
> I used IDA to find the key in yours, but I did not find the encryption key at any address.
> I know the encryption key (2013-07-04aRagexe) because it seems like the previous encryption key in the earlier Ragexe.
> (2013-06-28thRagexe.rgz is the old Ragexe, which is not packed with Themida.)
>
> Code:
>
> K = 0x03BB3374;
> M = 0x372702B3;
> A = 0x713F3DD3;
>
> I did not find this in yours.
>
> This is the latest exe in tRO: https://www.dropbox.com/s/kd0tmcv25777l ... Ragexe.rgz
>
> I tried to unpack it but I failed. (This is my unpacked one => https://www.dropbox.com/s/l5w3gldh4spaa ... Ragexe.exe)
> I am not experienced in reverse engineering.
> Can you suggest how to unpack it successfully?
>
> Thank you very much.

From what I already know, Themida is not just for fun there. It looks like the functions with the KMA and Shadow table are protected by the Themida RISC VM. Everything else seems normal.

ROX_Leopardo
Developers
Posts: 37
Joined: 19 Nov 2011, 14:06
Noob?: No
Location: Brazil

#44 Post by ROX_Leopardo »

kLabMouse wrote:
> munda wrote:
> > I used IDA to find the key in yours, but I did not find the encryption key at any address.
> > I know the encryption key (2013-07-04aRagexe) because it seems like the previous encryption key in the earlier Ragexe.
> > (2013-06-28thRagexe.rgz is the old Ragexe, which is not packed with Themida.)
> >
> > Code:
> >
> > K = 0x03BB3374;
> > M = 0x372702B3;
> > A = 0x713F3DD3;
> >
> > I did not find this in yours.
> >
> > This is the latest exe in tRO: https://www.dropbox.com/s/kd0tmcv25777l ... Ragexe.rgz
> >
> > I tried to unpack it but I failed. (This is my unpacked one => https://www.dropbox.com/s/l5w3gldh4spaa ... Ragexe.exe)
> > I am not experienced in reverse engineering.
> > Can you suggest how to unpack it successfully?
> >
> > Thank you very much.
>
> From what I already know, Themida is not just for fun there. It looks like the functions with the KMA and Shadow table are protected by the Themida RISC VM. Everything else seems normal.

I found the same KMA in the virtualized function... I think that's right.

I will now work inside the 2013-07-09 Ragexe...

ROX_Leopardo
Developers
Posts: 37
Joined: 19 Nov 2011, 14:06
Noob?: No
Location: Brazil

#45 Post by ROX_Leopardo »

Here is the unpacked 2013-07-09 Ragexe: https://www.dropbox.com/s/gmx9emyflj1qv ... Ragexe.exe
Here is the information that I got from it: https://www.dropbox.com/s/46ced3yn4xzs2 ... Ragexe.txt

Now I just need to find the packet ID of the functions... This can take a little time.

I have updated it now, and the Ragexe is fully dumped with the KMA and hidden packets.
Last edited by ROX_Leopardo on 10 Jul 2013, 18:06, edited 1 time in total.

SinDecaLocK
Noob
Posts: 4
Joined: 08 Nov 2010, 09:27
Noob?: Yes

#46 Post by SinDecaLocK »

ROX_Leopardo wrote:
> Here is the unpacked 2013-07-09 Ragexe: https://www.dropbox.com/s/90bcml4j88nxb ... Ragexe.exe
> Here is the information that I got from it: https://www.dropbox.com/s/cj3q5cmdmejoa ... Ragexe.txt
>
> Now I just need to find the packet ID of the functions... This can take a little time.

Thank you for everything.
But what do we do next week or in the future?
Can you recommend tooling and an approach for unpacking Ragexe?
Because it would be impossible for you to always have time. - -'

bobe
Noob
Posts: 12
Joined: 10 Jun 2013, 22:48
Noob?: No

#47 Post by bobe »

ROX_Leopardo wrote:
> Here is the unpacked 2013-07-09 Ragexe: https://www.dropbox.com/s/90bcml4j88nxb ... Ragexe.exe
> Here is the information that I got from it: https://www.dropbox.com/s/cj3q5cmdmejoa ... Ragexe.txt
>
> Now I just need to find the packet ID of the functions... This can take a little time.

Thanks a lot for helping us. :)

ROX_Leopardo
Developers
Posts: 37
Joined: 19 Nov 2011, 14:06
Noob?: No
Location: Brazil

#48 Post by ROX_Leopardo »

Can someone give me an account that has characters in it?
I can't run tRO in my country and can't do simple things :S

kLabMouse
Administrator
Posts: 1301
Joined: 24 Apr 2008, 12:02

#49 Post by kLabMouse »

SinDecaLocK wrote:
> ROX_Leopardo wrote:
> > Here is the unpacked 2013-07-09 Ragexe: https://www.dropbox.com/s/90bcml4j88nxb ... Ragexe.exe
> > Here is the information that I got from it: https://www.dropbox.com/s/cj3q5cmdmejoa ... Ragexe.txt
> >
> > Now I just need to find the packet ID of the functions... This can take a little time.
>
> Thank you for everything.
> But what do we do next week or in the future?
> Can you recommend tooling and an approach for unpacking Ragexe?
> Because it would be impossible for you to always have time. - -'

Well, it's simple. You need some tools/plugins and scripts from Tuts4you.
And ROX is currently trying to modify his Extractor to work with tRO too.

attamokus
Noob
Posts: 1
Joined: 07 Jun 2013, 07:28
Noob?: No

#50 Post by attamokus »

ROX_Leopardo wrote:
> Can someone give me an account that has characters in it?
> I can't run tRO in my country and can't do simple things :S

I PM'd an account for you.
Server: angeling