#1 blar0

    Unpack eso.live.1.0.0.709717

So apparently some guys try to unpack the eso binary, and other guys spam my PM box with questions, so I decided to make this short tutorial.
The OS version used to unpack the binary is "Windows XP SP3", so there is no ASLR applied on the binary, and ollyDBG v1 can work (I prefer version one to version two).
At the end of this tutorial you will find a link to an archive with the original eso binary, ollydbg v1 and the plugin I used.

First open ollydbg and configure the phant0m plugin like this:
[screenshot: Unpack eso.live.1.0.0.709717-first_olly.png]

Go to the menu "File" and choose "Open", and select the file "eso.exe".
Olly detects that the binary is packed and stops the analysis.
[screenshot: Unpack eso.live.1.0.0.709717-second_olly.jpg]

The binary is loaded; press F7 to step to the instruction after PUSH EBX, so that the value of EBX has been pushed on the stack.
Right click in the registers window on ESP and choose "Follow in Dump"; it will display the content of the stack in the dump window.
Select the first DWORD, right click and put a hardware breakpoint on access on it.
[screenshot: Unpack eso.live.1.0.0.709717-third_olly.jpg]

Press SHIFT + F9 until the value is accessed by this address. You can recognize that the call is the "call security_init_cookie" (you can follow the assembly to see that), and the jump is the "jmp mainCRTStartup". So you are at the OEP!
[screenshot: Unpack eso.live.1.0.0.709717-fourth_olly.png]

You can now dump the process like that.

[screenshot: Unpack eso.live.1.0.0.709717-five_olly.png]

And you can load the binary in IDA!

[screenshot: Unpack eso.live.1.0.0.709717-six_ida.png]

Link to ollydbg + bin + plugins: HERE

That's it. Btw I will not answer n00b ollydbg or IDA questions.

#2 Distiny
Or use PETOOLS for a full dump.

#3 blar0
But the full dump of PETOOLS fixes the raw offsets automatically with the section alignment value, and you will have to rebuild the IAT.
Here all the offsets inside all the data directories are correct if you don't fix the raw offsets of the sections.

If you are saying that because you have to load the binary in manual mode, it's because there is a lot of (obfuscated) code inside the .reloc section, and IDA doesn't load it by default as a code segment.
    Last edited by blar0; 01-11-2014 at 08:34 PM.

#4 nippel
Thank you very much, didn't know about ASLR.

#5 Sirmabus
You can disable/enable ASLR with the "Enhanced Mitigation Experience Toolkit".
It helps quite a bit while you reverse and what not.
As I write this, the latest version of EMET is:
    Download Enhanced Mitigation Experience Toolkit 4.1 from Official Microsoft Download Center

#6 awesomeb
Thanks for the unpacked files.
I have the dumped .exe file; how can I extract the .DAT to review some Lua scripts? I'm trying to build simple addons.

#7 Sirmabus
Currently with this method some imports will be lost with a straight dump.
You need to use ImpREC or some other import fixer if you want a really clean dump.

    This can be handy here "setdllcharacteristics":
    setdllcharacteristics | Didier Stevens
    Copy "eso.exe" to say "_eso.exe" and run this like:
    setdllcharacteristics -n -d _eso.exe
    That'll clear the ASLR flag on the copy.

    There is a new thread just now where someone released their unpacker for the .dat file.
You don't really need to look at the game Lua files to make addons, but there is extra info there.

The site for addons is: ESOUI
IMHO the central place for ESO addons. There is a wiki that shows the Lua API, global constants, et al.
And a forum where people can get help, etc.

EDIT: Actually I've been looking at a lot of the internal Lua files recently (currently 281 of them).
A lot of the popular AddOns use internal functions. A lot have to; it's just that there is not a lot of talk about it, since it gets into the "gray" area
of reversing, "3rd party", no official support for it, etc.
So if you want to make addons well, you probably want to look at some of these.
    Last edited by Sirmabus; 04-13-2014 at 04:36 PM.
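The ASLR flag that setdllcharacteristics toggles (and that EMET manages in post #5) is one bit of the DllCharacteristics field in the PE optional header. The following is an added example, not code from the thread or from Didier Stevens' tool: it locates that field in a PE32/PE32+ image, decodes the documented IMAGE_DLLCHARACTERISTICS_* bits, and reports which opt-in mitigations (ASLR, DEP) a binary is missing, which is the check a hardening audit would run over shipped executables. The sample image is a constructed minimal header with no sections.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits as documented in winnt.h
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",     # ASLR opt-in: the flag the thread talks about
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",        # DEP opt-in
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
}
REQUIRED = ("DYNAMIC_BASE", "NX_COMPAT")   # mitigations an audit expects to be present

def dllcharacteristics_offset(pe: bytes) -> int:
    """Return the file offset of the 16-bit DllCharacteristics field."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    optional = e_lfanew + 4 + 20          # skip PE signature and 20-byte COFF file header
    magic = struct.unpack_from("<H", pe, optional)[0]
    if magic not in (0x10B, 0x20B):       # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return optional + 70                  # DllCharacteristics sits at +70 in both formats

def decode_dllcharacteristics(pe: bytes) -> list:
    value = struct.unpack_from("<H", pe, dllcharacteristics_offset(pe))[0]
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if value & bit]

def missing_mitigations(pe: bytes) -> list:
    """Hardening check: which of the expected opt-in mitigations are absent."""
    present = decode_dllcharacteristics(pe)
    return [name for name in REQUIRED if name not in present]

def with_dllcharacteristics(pe: bytes, set_bits: int = 0, clear_bits: int = 0) -> bytes:
    """Return a copy of the image with the given bits set / cleared (header only)."""
    off = dllcharacteristics_offset(pe)
    value = struct.unpack_from("<H", pe, off)[0]
    value = (value | set_bits) & ~clear_bits & 0xFFFF
    return pe[:off] + struct.pack("<H", value) + pe[off + 2:]

def build_sample_pe(dllchar: int) -> bytes:
    """Constructed minimal PE32 header (no sections) used as offline sample input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)     # i386, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<H", opt, 70, dllchar)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

Run `missing_mitigations(open("some.exe", "rb").read())` on a real file to see which flags it lacks; an empty list means both ASLR and DEP are opted in.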

#8 cute_star
Hello, guys. Nice to meet you.
After dumping ESO with ImpREC or OllyDump, you can find some parts obfuscated.
How did you guys remove those parts?

#9 JohnnyKing94
Wrong topic, remove the post.
