CS.RIN.RU - Steam Underground Community

I found a topic about extracting a trainer that used BoxedApp on https://forum.tuts4you.com/topic/34207-unpackme-boxedapp-packer-3239-demo-unpackme
If you want some of the files in the topic just pm me
Don't know if it helps

Yeah as far as I know there is no actual 'unpacker' for BoxedAppPacker, unless the program itself (BoxAppPacker) will do it, I won't have a chance to check until I get home but I did manage to grab a 'non-demo' copy of the application for testing later.

Haaaa, I never thought a indie developer would made something that would stop people from cracking their games.

I really hope this is not the case though since that would stop the much needed try before you buy which is so important this day, and age.

Cheers!

I've dabbled a bit in the exe with Ida. This isn't a real packed exe, so the re tuts about BoxedApp are a little lame in their scope. I haven't even looked at them although I might do so later. The WinMain is the actual "packed" main, except that some calls made from there are virtualized. So there's no OEP to hunt down or stuff like that.

What I found with Ida immediately (by reading WinMain) is how to enable logging for this game. Pass "-logfile some.log" on the command line. The interesting bit coming out from that is:



So it definitely tries to use the Steam API, although this API appears built in the Unity engine compiled with the game. I did find where the WinMain tries to load (the virtualized) mono.dll (which is the knockoff .NET used by Unity) that's at loc_5E1B3A, but I haven't found any (virtualized) dlls related to Steam yet.

There's definitely more than meets the eye here. There's no single occurrence of "Steam" in the Ida-extracted strings for example (Shift+F12 then Alt+T to search them), so there's definitely more dll code being extracted from the .bxpck section (from where those log prints must come from), of which Ida is blissfully unaware in this case. I tried the UUNP (Universal Unpacked Plugin) for Ida but it's geared toward finding a single OEP, so unsurprisingly fails to find shit in this exe (also because it runs into exceptions and UUNP can't handle those at all apparently).

I have been messing around with it, and I got it to work.

This is so confusing to me, and to tell you the truth all I did was copy & paste different versions of luma from other games.

Just extract the contents in UG_Fix.rar into your Ultimate General Gettysburg game directory, It doesn't overwrite anything. To launch the game just use the "Steam2WrapperLauncher.exe" instead of starting the game the normal way.

You might want to change your nickname in the "Luma_Emu.ini" file.

NOTE: The ID found in the "steam_appid.txt" is for Plague Inc." so you might want to change it to 306660

Download Link:

This is working for me, and so far the game is allot of fun.

To MonsterPizza who shared the game, I am very thankful to you for sharing, and I am wondering if would you be able to keep the game up to date for us here if you can manage it?

Thanks again, and you have made my day.

If anyone need it,here is a full crack that unpack all the unprotected files from BoxedApp preotection which the dev used.

3DMGAME-Ultimate.General.Gettysburg.v0.82.Crack.Only-3DM

Ultimate.General.Gettysburg.v0.82.Cracked-3DM (210.41 MB) - Firedrive Mirror

I'm glad to hear that it eventually calls an external Steam dll (even though it might include one too). I've stepped through it with Ida a little bit, but it creates something like 1000 code segments at runtime and memoves stuff into them and eventually starts to call some of those generated code segments, but it gets really hairy to figure out what's going on because of the large amount of generated/unpacked code.

3DM had no trouble sorting it all out very quickly though. Kudos to them.

I should add that the BoxedApp API calls "undocumented" NT functions like RtlImageNtHeader. I put "undocumented" in scare quotes because these are documented if you have access to the WRK (WindowsResearchKernel).

-- Edit --



Just to see what happens, I've replaced the 3DM unpacked exe with the packed one, but kept all the other 3DM-extracted files, including their steam_api.dll. But the BoxedApp-packed exe won't use the plain/unpacked steam_api.dll, which probably means it includes a non-cracked steam_api.dll. The reason why the Luma loader works with the packed exe is that Luma is a more complete emulation so the non-cracked steam_api.dll from the BoxedApp thinks it actually can access Steam.

And one final amusing thing is that the BoxedApp actually tries to load an unboxed version of the bxsdk32.dll from its startup dir. So if you have a do-nothing wrapper that just loads dlls from the file system there (instead of the virtualized one), it would probably break any BoxedApp. Though off course you'd need to know what dlls it actually tries to load, which in this case is a whole bunch of them.

Whoosh... Right over my head.

Does this mean that it's better to use Luma than playing with the actual cracked game files? I now know since this works (luma version I am using), all I need is the update, and just keeping using what I am using or am I all wrong here?

I'm so new to this that it's obvious I could be talking out of my bum here.

I think it makes no practical difference in this case. With the 3DM crack, the craked steam_api.dll tells the game exe that it's licensed. With the Luma loader, Luma tells the uncracked steam_api.dll (found inside the packed binary) that the game is licensed, which in turn tells that to the game exe's main code. The game doesn't seem to use Steam much besides the basic licensing check, although I've not done much else besides starting it, gawking at the campaign graphics for 15 seconds then quitting it.

It would be nice if someone released a dumper for the BoxedApp... but it's not strictly necessary for this game in the future. I don't want to turn this thread into a technical analysis of that BoxedApp tech, but the main problem (I'm having) writing dumper for it is finding when it loads dlls from its own exe image. Alas, there is no in-memory equivalent of the LoadImage system call, which means that BoxedApp is basically emulating the operating system's work along the lines explained in http://www.joachim-bauch.de/tutorials/l ... om-memory/. So there's no convenient OS call to intercept. I'd have to figure out the precise code that does the linking... which with all the other .net (or rather mono) and the crapload of dlls and threads started by the game engine (there's like 10 of them) is really a lot of work. I should probably try a simpler packed exe first, but I'm not sure those crackmes use the same version of BoxedApp and I read on a blog (http://ltops9.wordpress.com/2012/10/14/ ... xecutable/) that the internals of BoxedApp have changed... This game appears to use BoxedApp v2.2.0.44 according to RDG Packer Detector 0.7.2, which actually takes a sweet amount of time (15 seconds) to figure that out.

Ultimate.General.Gettysburg-ALI213 (241.94 MB) - Firedrive Mirror

By the way, I was wrong about the BoxedApp version used. This game uses BoxedApp SDK 3.3.5.7, which is the latest one as you might expect for a game recently released. I have a 100% sure way of detecting that (unlike most if not all detectors out there), but I don't quite have a generic unpacker yet. For more on the technical mumbo-jumbo, I've created a thread in the developers' section: viewtopic.php?f=20&t=64985&p=929570

Thanks bro def going to check it out

It occurred to me that I was acting like a scene wannabe and did this in a overly complicated way. You can actually crack all BoxedApp-packed Steam games in an extremely trivial manner. The idea is to cause the game to fail to find its internally packed steam_api.dll. BoxedApp is only a thin virtualization layer, meaning that if it fails to find a dll in its virtual file system, it will then search for it in the real file system. And on top of that BoxedApp has basically no integrity checks, so if you for example mangle the internally stored file name to steam_api.dXl then it fail to find the internal version of that dll and load whatever Steam emulator you put alongside the exe.

Basically changing one byte in that 30Mb exe, for example (in fc /b format):

00AC44DC: 6C 58

does the job for this game. With that change you can use whatever Steam emulator you like best as long as it comes with its own steam_api.dll without having to unpack anything from the original exe.

I'm not going to "productize" this idea into a script right now given the paucity of games using this packer, but for anyone interested in the future, the algorithm I applied by hand was to open the .bxpck section search for "<ExeDir>\steam_api.dll" as a Unicode string, then mangle one character in that file name.

Nicely done bro for sure.