I didn't see any effort in posting a virus scan; if someone is interested in doing that, feel free. You can just double-click on the dekaron.exe and you're done :). I added a minilauncher/launcher bypassed unpacked dekaron.exe too so you don't need to run GGKiller or anything. Idk if the previous ones still work but I'll post this anyway :).

Unpacked dekaron.exe - Dekaron Exploits, Hacks, Bots, Tools & Macros - 79 Replies

Once again, here's the most recent unpacked dekaron.exe

You need to put the executable in the same location in which the original NINEDRAGONS.exe is (the root folder). I've removed the modified yoda's Crypter and the ASProtect 2.xx from the executable. I was asked to unpack the NINEDRAGONS.exe for the latest patch (patchversion 122). This is my first release in the 9Dragons section.

Unpacked NINEDRAGONS.exe - 9Dragons - 46 Replies

Hi. Unfortunately, most of this procedure is virtualized too. It calls a value located in the stack (ESP+0xC); as you see, it's the address returned by the previous call. Now I have stepped to the second CALL instruction. Remember the CALL EAX in picture 2? I let that call execute and returned to the code after that call. Unfortunately the execution continues inside Themida's VM, so tracing it will be of no use (we can't understand what really happens). The call will return an address in the stack location pointed by ECX. Because the constant 1 got pushed before the call, the JNZ at 0x69122477 does not jump. Note that before the call a constant gets pushed onto the stack (PUSH 1). If the address of the export got retrieved successfully it will be called at 0x004024B8. If that fails, an error code will be set, code = 0xE0190401. Then the address of the first import (and only) of x3.xem is retrieved with GetProcAddress. Dekaron.exe loads x3.xem into its process space with LoadLibraryW.