Information:
Tools needed (all in Download1):
a. OllyDbg + IsDebugPresent + OllyDbgScript
b. ImpREC
c. MapleUnpack.osc
Steps:
1. Unzip the contents to the Desktop, keeping the folder structure. Once unzipped, go inside the OllyDbg folder and run OLLYDBG.EXE. A pop-up should appear. Click "No".
2. Drag "MapleStory.exe" or your Desktop shortcut into OllyDbg's window. A few pop-ups should appear. Follow the pictures:
3. Once the process has been loaded, maximize the window so you can see it better. From the Plugins menu, select IsDebugPresent and choose Hide:
4. From the same menu, choose ODbgScript - Run Script - Open:
Select the script from the root of the folder you just unzipped the archive to:
Wait for the script to finish; it will notify you:
Pay attention to the details. The OEP's RVA is 31F2C7 (in this case). Keep it in mind for the next steps.
The script will let you know when it has finished:
If you scroll up a bit in Olly, you'll see that the OEP has its stolen bytes fixed. Analyze the script if you want to learn more:
The script also dumps the target for you automatically. You can find it in MapleStory's folder, named "dump.exe":
5. Time to fix the imports.
Leave Olly running! Navigate to the "ImpREC" folder (located in the folder you unzipped on the Desktop) and run ImpREC.exe. From the top list, select your MapleStory.exe:
6. Remember when I told you to pay attention to the pop-up? In the OEP field, change the value to 31F2C7:
Once you change that, hit "IAT AutoSearch" and you'll receive a message box:
Click OK. Then press "Get Imports" and the list should fill. There are unresolved imports in 2 thunks, as the picture shows:
7. Press "Show Invalid" and the list will expand, showing the invalid APIs:
Right-click on the list and choose "Trace Level1":
Once selected, you'll see 98% of the APIs get resolved. Click "Show Invalid" again and it'll select the remaining unresolved ones (if you scroll a bit, you'll see there are 7). Right-click and choose "Plugin Tracers - ASProtect v2.xx":
8. Now everything is resolved and ImpREC notifies you that there are no more invalid imports:
Click "Fix Dump" and select "dump.exe", located in the Maple folder:
ImpREC will save the data and let you know it has created a new file, "dump_.exe", which will be our unpacked MapleStory.exe:
The working unpacked file is in your Maple folder, named "dump_.exe":
That's about it!
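As an added example (not part of the original post, and not ImpREC's own code), here is the header check an analyst runs on a fixed dump: the OEP typed into ImpREC's OEP field ends up in the dump's AddressOfEntryPoint, and a mistyped RVA is the usual reason a "fixed" dump will not start. The helper parses the section table, maps the OEP RVA to a file offset (refusing an RVA that has no bytes on disk) and patches the header; the minimal PE32 it tests against is constructed inline, and its section layout is an assumption, not MapleStory's.

```python
import struct

def parse_sections(pe: bytes):
    """Return (e_lfanew, [(name, virt_addr, virt_size, raw_ptr, raw_size), ...]) from a PE file image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4                                  # COFF file header
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size                         # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40                             # each IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, va, vsize, raw_ptr, raw_size))
    return e_lfanew, sections

def rva_to_offset(sections, rva):
    """Map an RVA to (section name, file offset); offset is None when the RVA has no bytes on disk."""
    for name, va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            delta = rva - va
            return name, (raw_ptr + delta if delta < raw_size else None)
    return None, None

def entry_point(pe: bytes) -> int:
    """AddressOfEntryPoint sits 16 bytes into the optional header (PE32 and PE32+ alike)."""
    e_lfanew, _ = parse_sections(pe)
    return struct.unpack_from("<I", pe, e_lfanew + 24 + 16)[0]

def set_entry_point(pe: bytes, oep_rva: int) -> bytes:
    """Copy of the dump with AddressOfEntryPoint = oep_rva; refuses an RVA that maps to no file bytes."""
    e_lfanew, sections = parse_sections(pe)
    name, off = rva_to_offset(sections, oep_rva)
    if off is None:
        raise ValueError(f"OEP RVA {oep_rva:#x} is not backed by file data (section {name})")
    out = bytearray(pe)
    struct.pack_into("<I", out, e_lfanew + 24 + 16, oep_rva)
    return bytes(out)

def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (not a real program): packer-style entry point at RVA 0x1000, two sections."""
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)   # i386, 2 sections, 0xE0-byte optional header
    opt = bytearray(0xE0); struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<I", opt, 16, 0x1000)
    def sec(name, vsize, va, raw_size, raw_ptr):   # one 40-byte IMAGE_SECTION_HEADER
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec(b".text", 0x2000, 0x1000, 0x2000, 0x400) + sec(b".data", 0x1000, 0x3000, 0x200, 0x2400)
    return hdr.ljust(0x400, b"\0") + b"\x90" * 0x2000 + b"\0" * 0x200
```

Run `set_entry_point(open("dump_.exe", "rb").read(), 0x31F2C7)` on a real dump to confirm the OEP from step 4 lands inside a file-backed section before trusting the fixed file.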
NOTES:
a. The tutorial is not aimed at bypassing any CRC whatsoever!
b. You'll find the game closes because GameGuard detects that the file CRC has changed.
c. Even if you bypass GG's check, you may get disconnected at the server screen, since the memory CRC is performed with the stolen bytes missing (and we have them rebuilt in the unpacked file). Just get yourself a dump of the original game memory using a UCE or something similar.