Crypto ; packet decrypt stuff

Page 3 of 4 (results 31 to 45 of 54)
#31 Esoserv2 (Sergeant)
I wish I could have helped more, but with Win 8.1 it's not possible for me to debug the compressed/encrypted exe, or I'm too stupid. In Olly, dumping gives a "can't read memory" exception; without dumping, ESO's error form comes up; the same problems under IDA. A look at the uncompressed exe with IDA is fine, but that's not the same as debugging at runtime and looking at what values are written into the registers. I turned ASLR off through a program called EMET (from MS). The only thing I can do is to port the Python part into C# ;-)

#32 races (Corporal)
You just have to use the binary shared by blar0 and load it into IDA, and to have the same RVAs (in static and dynamic analysis), just change the DLLCharacteristics of the original ESO binary to remove ASLR from the binary.

#33 blar0 (Active Member)
Originally Posted by races:
You just found how to switch on your brain! GG
haha

Originally Posted by races:
Just received a MP from member dodoman:

did this guy contact you blar0?
The guy doesn't describe the crash...
The second question makes no sense; the guy doesn't understand that he has to code a server and not a client.
LOL

Originally Posted by Esoserv2:
I wish I could have helped more, but with Win 8.1 it's not possible for me to debug the compressed/encrypted exe, or I'm too stupid. In Olly, dumping gives a "can't read memory" exception; without dumping, ESO's error form comes up; the same problems under IDA. A look at the uncompressed exe with IDA is fine, but that's not the same as debugging at runtime and looking at what values are written into the registers. I turned ASLR off through a program called EMET (from MS). The only thing I can do is to port the Python part into C# ;-)
Enjoy => Private Paste - Pastie (LAST VERSION OF MY STUFF)

Originally Posted by races:
You just have to use the binary shared by blar0 and load it into IDA, and to have the same RVAs (in static and dynamic analysis), just change the DLLCharacteristics of the original ESO binary to remove ASLR from the binary.
Exactly, works fine on every OS. I mostly work with WinDbg under Windows 8.1; it works fine.

#34 dodoman (Private)
Sorry if I'm too nooby for you guys, I'm still learning how all this stuff works.
AFAIC I can learn a lot here ^^

#35 blar0 (Active Member)
The reproach is that you say it crashes without giving any clue (like where the crash occurs, the last log of the code, etc.); we can't help you without that.

#36 Esoserv2 (Sergeant)
Originally Posted by races:
You just have to use the binary shared by blar0 and load it into IDA, and to have the same RVAs (in static and dynamic analysis), just change the DLLCharacteristics of the original ESO binary to remove ASLR from the binary.
Hey thanks, that was no problem either, no rebasing, but that's not the problem... I can't debug, because this error is thrown: "The instruction at 0x15E7CA8 referenced memory at 0x4668B7. The memory could not be written -> 004668B7 (exc.code c0000005, tid 4212)". I can't bypass it :-( A month before the exe was encrypted, everything was good...

What am I doing wrong?

#37 blar0 (Active Member)
And if you pass the exception to the program, what happens?
Because the compressed (original) executable generates a lot of exceptions that you have to pass to the original program (they should not be handled by your debugger).

#38 Esoserv2 (Sergeant)
Originally Posted by blar0:
And if you pass the exception to the program, what happens?
I can't pass the exception; the debugger gets stuck at that point. F9, F8, F7 leave me at that address. The only way out is to point EIP to the next instruction, but then after a few lines the same happens over and over again. What happens on your PC when you execute the unpacked exe (the normal way of starting a program, not debugging)?

To track down the fault: it happens after finding the EsoGameData folder; everything loads (game0000.dat, eso0xxx.dat and so on).

#39 blar0 (Active Member)
The unpacked binary is only for static analysis under IDA.
I run the original exe under the debugger; that's why in my unpacked binary I didn't fix the section offsets, to keep the RVAs under IDA the same as in the debugged binary.

#40 Esoserv2 (Sergeant)
Okay, with some logic I found out what I did wrong. The .text segment wasn't writable, so I changed that flag with LordPE, and now your unpacked ESO executes like a normal program on my system. So I used your public key and overwrote the old one in the unpacked exe with a hex editor, so that no inject.exe is needed any more. Maybe this tip can help others who don't want to compile the MASM stuff. By the way, thanks a lot for your great effort and work! Your Python server works like a charm.

#41 yamashi12 (Master Sergeant)
Wait, how did you get the unpacked exe running? Did you fix the IAT?

#42 blar0 (Active Member)
Originally Posted by yamashi12:
Wait, how did you get the unpacked exe running? Did you fix the IAT?
I don't understand either; the Import Table is well constructed, that's not the main problem.

Originally Posted by Esoserv2:
Okay, with some logic I found out what I did wrong. The .text segment wasn't writable, so I changed that flag with LordPE, and now your unpacked ESO executes like a normal program on my system. So I used your public key and overwrote the old one in the unpacked exe with a hex editor, so that no inject.exe is needed any more. Maybe this tip can help others who don't want to compile the MASM stuff. By the way, thanks a lot for your great effort and work! Your Python server works like a charm.
"Your Python server works like a charm." + without region stuff

Really weird, because from my point of view the Relocation Data directory should be NULL (it's not the case in all my unpacked binaries, IIRC), and the .reloc section should be flagged as executable, because all the obfuscation resides there, and the section is not executable.
But if you say that it works, congratz.

#43 Esoserv2 (Sergeant)

    Get the unpacked exe running on your system - tutorial

Originally Posted by yamashi12:
Wait, how did you get the unpacked exe running? Did you fix the IAT?
1. Dump the original exe as blar0 described, or use the unpacked exe which can be downloaded here.
2. Download LordPE (I've got a version from 2002).
3. Click "PE Editor", open the dumped exe.
4. Click the "Sections" button.
5. Right-click the ".text" segment. Click "edit section header".
6. Click "..." to change the flags.
7. Check "writeable". Close the dialogs.
8. Don't forget to click "save" at the end of the process, otherwise your change isn't applied.

How did I get to this solution? I debugged the unpacked exe till the point where the "can't write memory" exception is thrown. There was an instruction that wants to write to the .text segment, which is normally "read only" (I think). So I changed it to be writeable; that was the solution. Now the unpacked exe runs like the normal exe, and is not encrypted any more. That means I overwrote the static public key with the one provided by blar0 and got to the character selection screen, can create a character and so on. The client isn't crashing. Before I did the fix, the unpacked client crashed when running, with the error reporting dialog.

Hope it works for you too. I've got Win8.1 x64, as I said before. I removed ASLR from the exe with a command line tool, so that there is no rebasing.

Greetings.

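An added check, not from this thread and not part of blar0's tools, that reads the two PE header fields the tutorial above toggles by hand: DllCharacteristics (the DYNAMIC_BASE bit that ASLR depends on) and each section's Characteristics (the writable flag on .text, the executable flag on .reloc). It runs on a constructed, headers-only PE32 image so it works offline; a writable code section, an executable .reloc or a cleared DYNAMIC_BASE is exactly what a packed or hand-patched client looks like, so the same routine serves as a triage check on any PE a defender picks up.

```python
import struct

# Flag values from the PE/COFF specification
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR opt-in; "remove ASLR" clears this bit
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def build_pe(dll_chars, sections):
    """Constructed, headers-only PE32 image for the demo (not a real game binary)."""
    opt_size = 224                                    # PE32 optional header size
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew: NT headers start at offset 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)        # DllCharacteristics
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), 0x1000, 0x1000 * (i + 1),
                    0, 0, 0, 0, 0, 0, flags)
        for i, (name, flags) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


def inspect_pe(data):
    """Report ASLR status, per-section permissions and the red flags a reviewer cares about."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    opt = e_lfanew + 24                                            # optional header start
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]       # same offset in PE32/PE32+
    sections, findings = {}, []
    for i in range(nsec):                                          # 40-byte section headers
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode(errors="replace")
        flags = struct.unpack_from("<I", data, off + 36)[0]       # Characteristics
        exe, wr = bool(flags & IMAGE_SCN_MEM_EXECUTE), bool(flags & IMAGE_SCN_MEM_WRITE)
        sections[name] = {"execute": exe, "write": wr}
        if exe and wr:
            findings.append("%s is writable and executable (self-modifying code)" % name)
        if name == ".reloc" and exe:
            findings.append(".reloc is executable (unusual; packer stub may live there)")
    aslr = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    if not aslr:
        findings.append("DYNAMIC_BASE cleared: image loads at its preferred base, no ASLR")
    return {"aslr": aslr, "sections": sections, "findings": findings}
```

Run it against a real file with `inspect_pe(open(path, "rb").read())`; an empty findings list is the normal state for a linker-produced, unmodified image.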
#44 yamashi12 (Master Sergeant)
To remove rebasing you can just change the PE flag with LordPE as well; "relocation..." will remove rebasing.

I tried doing what you said and it didn't work for me, I still get a crash...

#45 Esoserv2 (Sergeant)
Originally Posted by yamashi12:
To remove rebasing you can just change the PE flag with LordPE as well; "relocation..." will remove rebasing.

I tried doing what you said and it didn't work for me, I still get a crash...
Strange... btw, I have the English language installed. So why is it working on my PC? OK yes, I hadn't thought of setting the flag with LordPE. I used the unedited unpacked_eso.live.1.0.0.714440.exe. Have you tried to dump the exe yourself and then set .text writable?
