[1.3] Swtor.exe obfuscated/packed/crypted

  1. #1
    tlvenn (Member)

    [1.3] Swtor.exe obfuscated/packed/crypted

    Hi,

    I was wondering if anyone has figured out how the swtor executable is now packed/crypted since 1.3? I have tried many PE tools to check against known sigs and it came up empty. Is there a collaborative effort going on to understand and unpack it?

    Thanks!

  2. #2
    WOST (Member)
    lol, to decrypt you do not need a full client dump; see the data1 section and you'll find the public key (RSA), key size = 292 bytes.
    Look for more info here - http://www.ownedcore.com/forums/star...decrypt-2.html

  3. #3
    yamashi12 (Master Sergeant)
    Problem here being how to dump the full exe to reverse engineer it...
    1.4.3 is not packed or obfuscated so far my hooks work with 1.5 as well, you could work with 1.4.3 until someone figures out how to dump it.

  4. #4
    Namingo (Member)
    Originally Posted by yamashi12:
    Problem here being how to dump the full exe to reverse engineer it...
    1.4.3 is not packed or obfuscated so far my hooks work with 1.5 as well, you could work with 1.4.3 until someone figures out how to dump it.
    Hey. I inject into the .exe but my hooks for send, sendto, wsasend, and wsasendto never hook. My dll injection works for the loader but that is it. My technique has worked for other games. Is there something I am doing wrong?

  5. #5
    tlvenn (Member)
    Hi Wost,

    I am not sure I fully follow you with the key stuff you are talking about.

    Usually to unpack an exe, it comes down to locating the unpacking method and, when the process has been fully unpacked in memory, having a BP there and just dumping it to disk and fixing the IAT.

    I am new to this whole exe packing stuff, so it's a learning process for me. I was able to unpack some other known packers but I can't seem to do it with swtor.exe, and at the same time, I am sure it's not that complex, so I am missing something...

    Regarding your issue with the debugger, have you tried IDA Pro with the IDA Stealth plugin? I am surprised that Swtor would detect it...

    Thanks in advance for your help!

  6. #6
    yamashi12 (Master Sergeant)
    @Namingo: Swtor doesn't use these functions; as far as I remember it uses ReadFile, but I never managed to use it as it's also used for files and it's a pain to find the correct descriptors.

    @tlvenn: I found that the EP changes every time you run the game. Do you think it would be possible to dump from a hook?

  7. #7
    Namingo (Member)
    Thank you for such a quick reply. How would you use ReadFile to send data? How does SWTOR send data? Client <> Server? I would imagine it would use either of these functions:

    send:
    send function (Windows)

    sendto: /ms740149(v=vs.85).aspx

    wsasend: /ms742203(v=vs.85).asp

    wsasendto: /ms741693(v=vs.85).aspx

    So, if SWTOR uses any of those functions to send data from Client <> Server, I wonder why my hooks are not working.

    Thanks for the reply!

  8. #8
    yamashi12 (Master Sergeant)
    They use this: ReadFile function (Windows)

    See boost.asio's code for reference, they use boost a lot ^^

    I have posted a binary packet dumper in the emulator section if you need to dump packets...

  9. #9
    Namingo (Member)
    Thank you! I was going crazy for a second! hehe :-)

  10. #10
    yamashi12 (Master Sergeant)
    1.6 is packed as well... But my hook works on 1.6 as well, so I assume they won't change the internals (Crypto++, asio).

  11. #11
    tlvenn (Member)
    Originally Posted by yamashi12:
    @tlvenn: I found that the EP changes every time you run the game. Do you think it would be possible to dump from a hook?
    From a hook I don't think so; you need a debugger, a breakpoint, and dump from there. Theoretically speaking, if you know the algo to unpack, you could write some code that would analyze the exe and unpack it without even needing a debugger anymore, but to find the algo, you need a debugger first.
