XeNTaX

Since the 1.3 patch, the StarWars The Old Replublic client (swtor.exe) is now packed and cant be reversed out of the box. I was wondering if someone has started to work on it and could share some intel. I tried various PE tool to identify which packer they have used with no luck.

Thanks in advance.

Upload main executable with all dll's and send me in PM. I do not want to download 30GB :}

Sent ! Thanks in advance..

You sent msg without link.

Weird, I included a zip as attachment to the message....

Sending you another msg with a link this time.

So executable not packed. Original Entry Point on 00C2E774

Ya I noticed the entry point there but even when telling Ida about the image base address, I end up with pretty much all text segments with no code (all grey instead of blue):
> https://dl.dropbox.com/u/45839385/ida-swtor.png

Steps I do :

1) Open the executable in Ida
2) In the options, I check "Manual Load" then click OK
3) Ida prompts for the new image base, i then enter "0x00C2E774"
4) I then proceed to load all the segments
5) At the end, IDA warns me that the imports segment seems to be destroyed, hinting at a packed file.

If it's not packed, I am guessing I do it wrong when it comes to manually loading the segments. Can you help me out ? Thanks !

tlvenn wrote:3) Ida prompts for the new image base, i then enter "0x00C2E774"

Image base always 00400000

For me Olly and IDA work fine.



0082E774 + Image base 00400000 = 00C2E774



Here IDA - Loaded corrected adresses

http://oi50.tinypic.com/2dj56ww.jpg

@Ekey You can tell the exe is packed by looking at the IDA image you provide.

Exe cleared and not packed.

Thanks for the info Ekey !

Could you explain how you load properly the exe into IDA plz ? No matter what i try, I dont end up with the same result as yours...
Also, could you elaborate what you mean by "The exe is cleared not packed" ?

Thanks in advance !

For IDA 6.1 nothing hard. Run IDA, open swotr.exe , in opened window ->



just press OK and wait when dissasembling finished.

Ok this is embarassing, I dont know how but I end up giving you an old version which is not packed yet at this point....

Here is a link to the latest version which I believe is packed: https://dl.dropbox.com/u/45839385/retailclientV2.7z

Sorry about that.....

tlvenn wrote:Here is a link to the latest version which I believe is packed: https://dl.dropbox.com/u/45839385/retailclientV2.7z

So yes this version is packed or obfuscated. I do not know what this.

Yeah figured that much

It's been a long time since I didnt mess up with PE. So I am guessing the next steps are to find the original OEP and from there, dump the process from OllyDump and reconstruct the IAT ?
Looks like it gonna be fun....