[TwelveSky 2] Themida Unpacking

iktov (Expert Cheater)
Reputation: 0 | Joined: 06 Sep 2007 | Posts: 231 | Location: Dead
Posted: Fri May 15, 2009 7:14 pm

Hello,

I have never really worked with packers before, and seeing as TwelveSky 1 didn't really have any issues with the use of debuggers there was never really any reason for me to care about unpacking it. However, with the TwelveSky 2 client released by aeriagames it is a different story. The client is packed with Themida (that's about all I can tell). It has the anti-debugger feature, so every time I try to attach to the running process the game just exits.

I will post the client here. If anybody can take a look for me and post back with the exact version of the packer, that would help out a lot. Even more helpful would be some direction on where I can find how to "FULLY" unpack that particular version.
			 
Sirmabus (Newbie cheater)
Reputation: 0 | Joined: 30 Mar 2005 | Posts: 21
Posted: Tue May 19, 2009 6:38 am

Will be next to impossible AFAIK to "fully" unpack it because it will probably have parts that are obfuscated with VM stuff.

But it would be nice to have a halfway decent dump of it..

Protection ID says it's "Themida v2.0.5.0 (or newer)".

Apparently it was ASPack up until a month or two ago..

I've got to study some tutorials.

If anyone has a nice dump, please upload it..
			 
iktov (Expert Cheater)
Reputation: 0 | Joined: 06 Sep 2007 | Posts: 231 | Location: Dead
Posted: Tue May 19, 2009 10:36 am

So it wouldn't be possible to unpack it into a working executable? All I really want to be able to do is attach debuggers to the running process of the game to see if I can create a few of the memory hacks that I was able to find in TwelveSky 1.
			 
Sirmabus (Newbie cheater)
Reputation: 0 | Joined: 30 Mar 2005 | Posts: 21
Posted: Tue May 19, 2009 5:42 pm

Probably not. At any rate it doesn't matter so much, because you have the same EXE after it's unpacked in memory.

Whatever offset you find in the dump is the same in the process once it's unpacked.

Command line for US client:

..\TwelveSky2.exe /0/US/2/1024/768

FYI, the last part of the argument obviously tells it to run in windowed mode at 1024x768.

Inject your DLL from your loader, put an API hook on "GetStartupInfoA". This gets called right after the OEP and before "WinMain()".

Use it as a trigger to know when Themida is unpacked and it's time to add your patches and hooks, et al.

I'd probably use a system that relies on signatures so I wouldn't have to unpack the client at every update.
			 
iktov (Expert Cheater)
Reputation: 0 | Joined: 06 Sep 2007 | Posts: 231 | Location: Dead
Posted: Thu May 21, 2009 5:36 pm

So how did you dump the client? I usually just used an Ollydbg plugin to make a dump in TS1, but with Themida it will force the game to crash when a debugger is detected in memory. I really am not a professional in this stuff, so I am unsure how to get around this or what other methods are available for me to make a dump of the client.

Also, practically everything of use that I was able to make for TS1, I found by doing memory scans to find a starting point and then using Ollydbg to breakpoint and whatnot to find what I needed to make a decent "hack". Such as the chi-hack that I made: I had to use T-Search to start with to find where my current chi amount was being stored, and then from there I breakpointed and found out where I needed to alter in the client to prevent chi from being consumed.

So basically, am I just SOL on TS2 until I learn a bit more? Or is there something more I could do? Such as a custom copy of Ollydbg that bypasses Themida's debugger check.

Anyway, I would still be very interested in figuring out how I can dump the client. Right now TS2 isn't a huge priority for me, however, since I don't have a PC with a decent video card right now so my FPS is trash (using onboard video atm).

Quote:
> I'd probably use a system that relies on signatures so I wouldn't have to unpack the client at every update.

Also, regarding that comment, I have also never done anything like that before, but I have heard mention of doing it many times. But I have never looked into it. How would something like this work? Do you possibly have any examples you could share with me? I am getting very tired of searching out new addresses for TS1 almost every week after a patch.

Thanks a lot for responding, and as always your posts/comments are very informative.
			 
sponge (I'm a spammer)
Reputation: 1 | Joined: 07 Nov 2006 | Posts: 6009
Posted: Thu May 21, 2009 5:44 pm

Phant0m.
			 
iktov (Expert Cheater)
Reputation: 0 | Joined: 06 Sep 2007 | Posts: 231 | Location: Dead
Posted: Thu May 21, 2009 6:07 pm

Naw, I have the Phantom plugin already. It doesn't work for this.
			 
sponge (I'm a spammer)
Reputation: 1 | Joined: 07 Nov 2006 | Posts: 6009
Posted: Thu May 21, 2009 7:03 pm

If you have it already, then Themida shouldn't be able to find anything. Find your address and go to it in Olly. Memory or HW bp on access.
			 
Sirmabus (Newbie cheater)
Reputation: 0 | Joined: 30 Mar 2005 | Posts: 21
Posted: Fri May 22, 2009 12:36 am

Use the "RAMODBG" Olly setup from tuts4you.

MODs: Look at my posts, at least the data vs. noise level, and just grant me URL posting already.
			 
iktov (Expert Cheater)
Reputation: 0 | Joined: 06 Sep 2007 | Posts: 231 | Location: Dead
Posted: Fri May 22, 2009 2:14 pm

Sirmabus wrote:
> Use the "RAMODBG" Olly setup from tuts4you.
>
> MODs: Look at my posts, at least the data vs. noise level, and just grant me URL posting already.

Thanks, I will try that.

But about the auto-update thing you were talking about, using a signature system: I really don't know what that means or how to go about setting it up. Could you provide a bit of information about that? It usually takes me a good long while to update my 12Sky1 hack every Thursday because I have a load of addresses I use to maintain a working hack. Currently I use about 8 addresses for the chi-hack alone, and a whole lot more for the VAC hack. Would be very nice to be able to keep my hack working for at least most of the minor patches that aeria implements (seems to be a lot).
			 
sponge (I'm a spammer)
Reputation: 1 | Joined: 07 Nov 2006 | Posts: 6009
Posted: Fri May 22, 2009 4:54 pm

Sirmabus wrote:
> Use the "RAMODBG" Olly setup from tuts4you.
>
> MODs: Look at my posts, at least the data vs. noise level, and just grant me URL posting already.

? We can't grant you that. You must be registered for a set period and have a certain amount of posts. None of your posts have broken links as well.

@Iktov

Basically you create an algorithm that takes memory, or a string that represents the byte signature of the addresses, and the function searches for it through the memory. Feed it to the function and it should spit out the correct address.

Anyway, send over the game client and dependencies and I will unpack it for you.
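The byte-signature lookup sponge describes, as an added example that is not part of this thread and not anyone's posted code: an IDA-style pattern with `??` wildcards is matched against a byte buffer, and the same pattern still resolves after the bytes around it move, which is why a signature survives a rebuild where a hard-coded offset does not. This is the same matching that antivirus and YARA-style rules rely on; the pattern, the two sample "builds" and all helper names are constructed for the example.

```python
import re

def parse_signature(sig: str):
    """Parse an IDA-style signature such as "8B 45 ?? 89 06" into a list of
    exact bytes (int) and wildcards (None). Each token is two hex digits or '??'."""
    pattern = []
    for tok in sig.split():
        if tok in ("??", "?"):
            pattern.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            pattern.append(int(tok, 16))
        else:
            raise ValueError(f"bad signature token: {tok!r}")
    if not pattern or all(b is None for b in pattern):
        raise ValueError("signature needs at least one concrete byte")
    return pattern

def find_signature(buf: bytes, sig: str):
    """Return every offset in buf where the signature matches (empty list if none).
    A linear scan is enough here; a real scanner would walk each readable region."""
    pattern = parse_signature(sig)
    n = len(pattern)
    hits = []
    for off in range(len(buf) - n + 1):
        if all(p is None or buf[off + i] == p for i, p in enumerate(pattern)):
            hits.append(off)
    return hits

# Constructed sample "builds": the sequence mov eax,[ebp+disp8]; mov [esi],eax; ret
# (8B 45 xx / 89 06 / C3) with a different displacement byte and different
# amounts of filler in front of it, standing in for two versions of a binary.
BUILD_A = bytes.fromhex("90909090" "8B45FC" "8906" "C3" "90909090")
BUILD_B = bytes.fromhex("CCCCCCCCCCCC" "8B45F8" "8906" "C3" "CC")

# The displacement is wildcarded so the signature matches both builds.
SIG = "8B 45 ?? 89 06 C3"

def locate_in_both():
    """Offsets of SIG in each build: the hard-coded offset 4 from BUILD_A
    would be wrong for BUILD_B, but the signature finds 6 there."""
    return find_signature(BUILD_A, SIG), find_signature(BUILD_B, SIG)

if __name__ == "__main__":
    print(locate_in_both())  # ([4], [6])
```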
			 
iktov (Expert Cheater)
Reputation: 0 | Joined: 06 Sep 2007 | Posts: 231 | Location: Dead
Posted: Mon Jun 01, 2009 12:28 am

Sirmabus - I tried that Ollydbg setup you recommended and it still detects it. I was able to launch Ollydbg and then load the game without any problems, but as soon as I tried to attach it I got the same old "Themida: A debugged has been detected in memory....". And then after that I am now unable to load the game at all until I reboot the PC, as for some reason Themida continues to detect a debugger in memory long after Olly has already been closed out.

Also, here is a copy of the current client for TS2 from aeriagames:

12Sky2-US Client Download
			 
Cheat Engine User (Something epic)
Reputation: 60 | Joined: 22 Jun 2007 | Posts: 2071
Posted: Mon Jun 01, 2009 6:58 am

I need some Flyte up in this thread, I think someone is doing something that goes way above their head. Where is that article he goes on and on about?

Anyway, you are in here way above your head, since I had to help you find the encryption for that BADWORDS.DAT, which was the simplest thing ever, and that made me doubt you actually tried it yourself.

This is not a flaming thread, or a thread to make you feel down, I'm just facing you with some facts.
			 
sponge (I'm a spammer)
Reputation: 1 | Joined: 07 Nov 2006 | Posts: 6009
Posted: Mon Jun 01, 2009 6:00 pm

TwelveSky Unpacked

This will not run. This is only to be used for static analysis. The reason it cannot run is because the OEP is stolen and is possibly run in the VM. Therefore the true OEP is unknown, as I have little knowledge about Themida's VM. Anyway, due to a little mess-up, the EP of this unpacked but not running dump should be located at 004B20C8, although it is of little importance. There is one virtualized function located at 01220761.
			 
tri407tiny (How do I cheat?)
Reputation: 0 | Joined: 13 Apr 2009 | Posts: 5
Posted: Wed Jun 03, 2009 12:04 am

Well, I use AllyDBG, and you need to delete 2 files in your Twelve Sky 2 directory, and open 2 others and erase everything in those; then AllyDBG (modified OllyDBG) will work. I use it all the time.

Delete all the .des in your home folder except the agh ones, just open the two agh ones up and erase everything, then save them, and voilà, AllyDBG works.

AllyDBG (the picture in my download has the download address because I can't post links).

If you ever need anything else, iktov, just contact me on YIM or MSN.

YAHOO IM - tri407tiny
MSN - tri407tiny

Attachment: Filesize: 8.24 KB | Viewed: 39077 Time(s)
			 