Unpacking Kazaa 2.6
Ferasso
11-23-2003, 11:32 PM
Anyone found a way to unpack Kazaa 2.6? I've been trying, and all I got was a file of around 3.7 MB (the original is 2.4 MB). I thought it was unpacked, but it doesn't disassemble, and all sections still seem to be encrypted <_< (when I checked with Resource Hacker). As if that weren't enough, the damn IAT is messed up, and ImpREC couldn't resolve it... :(
I've done a search, and it seems that no one has found a way to unpack ActiveMark? :blink:
By the way: Is it really packed with ActiveMark? I've run a game which was packed with ActiveMark, and it bitched because of SoftICE, but Kazaa doesn't detect it... :unsure:
Edit:
http://www.zerosecurity.de/modules.php?op=modload&name=News&file=article&sid=4418&mode=&order=0&thold=0
sharedholder
11-23-2003, 11:51 PM
http://protools.cjb.net/
Agent-Smith
11-24-2003, 07:15 PM
I'm trying to play with proc dump but somehow kazaa is hiding itself from the listing - any ideas?
Ferasso
11-25-2003, 03:20 AM
To sharedholder:
I have been there before, not much help, since I have lots of tools. Thanks.
To Agent-Smith:
No, it doesn't hide itself. Right-click on the list and choose refresh. When I tried to unpack, procdump crashed.
To anyone interested:
I've been able to unpack this file (kazaa available at kazaa.com) and so far here is a summary:
The dumped code sections seem to match.
It includes a splash screen of Kazaa Plus and a dialog saying: You appear to be trying to use Kazaa Plus in a PC that isn't licensed.
But there's no direct reference to this dialog, which makes me think that the programmers just commented out some parts to make Kazaa Plus.
All resource sections (besides strings reference) are ok.
The string references are working well on the disassembly listing.
The IAT is mangled. But it uses the FF15 trick, where it calls an address, and this address jumps to the API. I've found the table where this data is located.
Anyone interested?
Just one thing is pissing me off: when I start it, it complains that the adware files have been removed, and that it will be shut down. So far, I couldn't bypass this dialog.
If you have any tips...
Agent-Smith
11-25-2003, 03:35 AM
How'd you get it to unpack? I messed about with it for a few hours and got frustrated.
Hasnain
11-25-2003, 04:18 AM
Maybe you could upload an unpacked copy somewhere, so people more proficient at cracking can get to work. Good work with unpacking.
FTFakes
11-25-2003, 09:46 AM
@Ferasso
Great work so far! I have had problems making KaZuperNodes and KaNAT work with KMD since version 2.5, as it doesn't allow me to modify values in its memory space (OpenProcess fails). I'm very interested in this unpacked version!
RileyF
11-25-2003, 01:53 PM
hey, you've done great work so far with unpacking, nice to see there's some initiative :P .. so you can get into the resource sections huh? so are there many differences in strings and stuff compared with kmd2.02? cause if not, i think we could get k++ and kl extensions to work with a few little changes and that would be very good news..
btw indeed host the unpacked version somewhere so more devs can look at it. that way there can be a quicker solution to your problems :D
RileyF
11-28-2003, 11:19 AM
hey man just wondering..what program did you use to get this result?
(hmm i should have edited my above post.. damn i'm just too lazy ;) so sorry for double post)
Ferasso
11-28-2003, 04:54 PM
First, sorry for taking so long, my pc broke after I kicked it, so now I've borrowed a machine from a friend.
I can't host the file, since this computer doesn't have the file, nor SoftICE, nothing. But as a good cracker, I have everything on paper, so I'll tell you how to unpack kazaa yourself.
Tools: SoftIce, LordPE, Hex editor
Open kazaa.exe in hex editor, go to offset 12FACC, there you will find a byte BB, and change it to CC. Save and go into SICE and:
bpint 03
Run the file, Sice breaks.
e eip bb
bc*
bpmb 576E71 x
F5
Wait... sice breaks
a eip
jmp eip
nop
enter
F5
Go into lord PE, fully dump kazaa, then kill task.
Open it in PE editor, set the entry point to 176E71
Save. Open it in hex editor, find EBFE90 and replace with 558BEC. Done.
If you want to disassemble in w32dasm, set the section characteristics to E0000.. instead of C00...
I'll get back WHEN i can, and IF i can... sorry.
Edit:
OH MY GOD! I'VE FINALLY POSTED! THE DAMN COMPUTER CRASHED TWICE WHILE I WAS POSTING BEFORE....
The IAT will be corrupted, but you can do bpx on it and watch the stack (dd esp). The first address is where it came from; do an unassemble at that address and you will see something like
jmp address
jmp address
jmp address
jmp API_CALL
jmp API_CALL
jmp API_CALL
jmp API_CALL
jmp API_CALL
jmp API_CALL
and so on....
On my computer, look at A00014 and you will see.
Good luck. And if anyone wants to buy me a new pc...
Ferasso
11-29-2003, 04:21 PM
And...??? Too lazy, boys? Doesn't seem too hard!
My old machine seems to be working now, and if it keeps working, I can have the unpacked file hosted somewhere. But for some reason, klboard crashes my system when I open it in IE. Other sites don't do that. :blink:
RileyF
11-29-2003, 05:41 PM
looks there's some kind of spell of sharman lies over your pc then lol :lol: j/k
but it would be nice if you or some one else can host it (maybe edkes ??) in this way the resource editors can go to work to tune it into a k-lite, such as the icons, menu's and textboxes :P , then it's only waiting for a loader to get rid of the spyware..
internet.news
11-29-2003, 08:08 PM
I tried it as well and what I got is something called
"p2p networking..." in my tasks...
Just use K-Lite K++ ;)
Agent-Smith
12-01-2003, 07:12 PM
Anyone had any luck - I can get to the first breakpoint but after that softice goes to 2 unhandled exceptions and kazaa crashes.
STATUS_ACCESS_VIOLATION
STACK_OVERFLOW
STATUS_ACCESS_VIOLATION
This is what I get if I enter the break point on memory access with 576E71 x
what exactly are we looking for at that address - because I have a feeling it has changed on my machine.
How much ram did u have at the time of unpacking, maybe that is affecting the memory address.
Ferasso
12-01-2003, 09:44 PM
Try using Win98. You must be using XP, and that's crap.
And just one thing: my hd died, with all on it. Lost all lesbians movies :angry:
576E71 is the entry point of the unpacked executable. The opcodes:
558BEC
55 stands for Push ebp
8BEC i don't remember.
Someone with W98 must give it a try. And it can't be true that just me and you on this forum can use SoftICE. I'll try to get the unpacked file on another machine, but it's so hard to find another machine besides these public computers.
EDIT:
To Agent-Smith:
Read here:
http://www.woodmann.net/forum/showthread.php?t=4683&highlight=conditional+breakpoint
Wonderful for breaking when you know the opcodes: 558BEC
Remember that in memory they are reversed.
jakert50
12-11-2003, 05:52 PM
If you need some hosting, let me know. I can put it up on my site (Intrepid Studios). Just PM me if you want and I'll set up a user account for you on that site so you can upload stuff.
~Jaker B)
jakert50
12-11-2003, 05:57 PM
Quick Question.. I don't have 2.6 yet, but will those VB modules that allowed communication to older Kazaa's still work? I used those for KazIE (the post for that doesn't appear to be here anymore) and I'm wondering if KazIE will still work with the new version...
~Jaker
Edit: If you go to the site to download KazIE, there's a very old version up. I should probably update that. The new version is at http://www.intrepidstudios.net/KazIE35.zip
Just FYI...
SuBKulture
12-11-2003, 06:20 PM
Originally posted by jakert50@11 December 2003 - 17:57
Quick Question.. I don't have 2.6 yet, but will those VB modules that allowed communication to older Kazaa's still work? I used those for KazIE (the post for that doesn't appear to be here anymore) and I'm wondering if KazIE will still work with the new version...
~Jaker
Edit: If you go to the site to download KazIE, there's a very old version up. I should probably update that. The new version is at http://www.intrepidstudios.net/KazIE35.zip
Just FYI...
Quick answer: Yes it will.
Johnny_B
12-11-2003, 06:26 PM
Didn't random nut unpack kazaa.exe? :unsure:
RileyF
12-11-2003, 06:49 PM
Originally posted by Johnny_B@11 December 2003 - 19:26
Didn't random nut unpack kazaa.exe? :unsure:
well yeah he unpacked it, how would you otherwise reverse engineer it... but that's not the point.. if some one can host the unpacked kazaa, other devs that can't unpack it (cause it's protected), through whatever problems, can work on programs for 2.6, resource sections can be changed --> turn outlook in to a lite (icons) and maybe some one can work on KLR and improve it.. so if some one can host it, that will be an 'investment' in the developing of kazaa lite...
Johnny_B
12-11-2003, 07:04 PM
Originally posted by RileyF@11 December 2003 - 17:49
Originally posted by Johnny_B@11 December 2003 - 19:26
Didn't random nut unpack kazaa.exe? :unsure:
well yeah he unpacked it, how would you otherwise reverse engineer it... but that's not the point.. if some one can host the unpacked kazaa, other devs that can't unpack it (cause it's protected), through whatever problems, can work on programs for 2.6, resource sections can be changed --> turn outlook in to a lite (icons) and maybe some one can work on KLR and improve it.. so if some one can host it, that will be an 'investment' in the developing of kazaa lite...
Yeah I know all that.
It's just that if random nut already did it, perhaps he could make it easier for us and put it up on his klr website for us to download (or perhaps maybe even email it to someone that can host it).
Once some of us have it, he could then take it off of his website (no need for him to get into trouble :ph34r: ).
We will eventually spread it. ;)
random nut
12-11-2003, 08:08 PM
Yes, I unpacked it, but I will not send it to anyone else or put it on a web site. I have provided the source code to klr.exe and use the source luke. :D
Kunal
12-11-2003, 08:32 PM
c'mon RN, just send it to me pls! :)
Johnny_B
12-11-2003, 09:01 PM
Originally posted by random nut@11 December 2003 - 19:08
Yes, I unpacked it, but I will not send it to anyone else or put it on a web site. I have provided the source code to klr.exe and use the source luke. :D
I think you like watching us trying to do in a month what you can do in 5 minutes. :lol:
We can't handle the source like you do, Obi-wan. :D
Please help us on this one, random nut. :)
--Spam--
12-12-2003, 04:15 AM
Does this help?
This code unpacks the ActiveMark wrapper thanks to the fact that it uses UPX to compress the original PE. Sometimes there is an error if SoftICE is active in w98 due to a high INT1 address, because a protection checks a large amount of memory from this address and it may produce an access exception.
.386
.model flat, stdcall
option casemap: none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\comdlg32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\comdlg32.lib
ImageBase equ 400000h
sizeCabecera equ 600h
FALSO equ 0
CIERTO equ -1
GetSection PROTO :DWORD
RealignSections PROTO
WriteITAddress PROTO :DWORD, :DWORD
.data
Save db 'Unpacked.exe',0
Semaforo db 'LeeMe.txt',0
msgNoes db 'La proteccion no es ActiveMark o es otra version, desea continuar de todas maneras?',0
ofnTitle db 'Unpacker para el ActiveMARK v2.6 bY eSn-mIn',0
ofnFilter db 'Executable Files (*.exe)',0
db '*.exe',0,0
Readme db 'Unpacker para el ActiveMARK v2.6 bY eSn-mIn',13,10
db 'Creado el 28 de Septiembre del 2002',13,10
db 'http://www.esnmin.get.to'
sizeReadme equ $ - OFFSET Readme
Pregunta db FALSO
.data?
stnfo STARTUPINFO <>
pinfo PROCESS_INFORMATION <>
ofn OPENFILENAME <>
ofnFile db 200h dup (?)
Bytes dd ?
sizeRsrc dd ?
lpRsrc dd ?
lpRsrc2 dd ?
rvaRsrc dd ?
Cabecera db sizeCabecera dup (?)
lpHook dd ?
lpFile dd ?
hSave dd ?
hReadme dd ?
.code
Main proc
LOCAL rvaIT:DWORD, sizeIT:DWORD, ImageSize:DWORD
invoke GetModuleHandle, NULL
mov ofn.hWndOwner, eax
mov ofn.lStructSize, SIZEOF ofn
mov ofn.lpstrFilter, offset ofnFilter
mov ofn.lpstrTitle, offset ofnTitle
mov ofn.lpstrFile, offset ofnFile
mov ofn.nMaxFile, 200h
mov ofn.Flags, OFN_FILEMUSTEXIST or OFN_PATHMUSTEXIST or \
OFN_LONGNAMES or OFN_EXPLORER or \
OFN_HIDEREADONLY
invoke GetOpenFileNameA, offset ofn
or eax, eax
jz error
invoke GetStartupInfo, OFFSET stnfo
invoke CreateProcess, OFFSET ofnFile, NULL, NULL, NULL, NULL,
CREATE_SUSPENDED, NULL, NULL, OFFSET stnfo, OFFSET pinfo
; Read the header
invoke ReadProcessMemory, pinfo.hProcess, ImageBase, OFFSET Cabecera,
sizeCabecera, OFFSET Bytes
; Get the size and the RVA of the RSRC section
invoke GetSection, 3
mov rvaRsrc, eax
mov sizeRsrc, edx
; Realign the sections
invoke RealignSections
cmp eax, -1
jz error
; Read the resource section, where the IAT is (the second read is a backup)
invoke GlobalAlloc, NULL, sizeRsrc
mov lpRsrc, eax
invoke ReadProcessMemory, pinfo.hProcess, rvaRsrc, lpRsrc, sizeRsrc, OFFSET Bytes
invoke GlobalAlloc, NULL, sizeRsrc
mov lpRsrc2, eax
invoke ReadProcessMemory, pinfo.hProcess, rvaRsrc, lpRsrc2, sizeRsrc, OFFSET Bytes
mov edi, lpRsrc
; Fill in the Funcion* slots with the addresses of LoadLibraryA, CreateFile and CloseHandle
mov eax, LoadLibrary
mov eax, [eax+2]
mov eax, [eax]
mov FuncionLoadLibrary, eax
mov eax, CreateFile
mov eax, [eax+2]
mov eax, [eax]
mov FuncionCreateFile, eax
mov eax, CloseHandle
mov eax, [eax+2]
mov eax, [eax]
mov FuncionCloseHandle, eax
; Search for the string LoadLibraryA
mov eax, 'daoL'
xor ecx, ecx
.WHILE [edi+ecx] != eax && ecx < sizeRsrc
inc ecx
.ENDW
.IF ecx == sizeRsrc && Pregunta == FALSO
mov Pregunta, CIERTO
invoke MessageBoxA, 0, OFFSET msgNoes, OFFSET ofnTitle, MB_OKCANCEL OR MB_ICONQUESTION
cmp eax, IDCANCEL
jz error
.ENDIF
mov eax, ecx
sub eax, 2
push eax
; Search for a run of consecutive zeros
xor eax, eax
xor edx, edx
.WHILE edx < sizeHook + 1 ; One of the zeros marks the end of a string, hence the +1
.IF BYTE PTR [edi+ecx] == 0
inc edx
.ELSE
xor edx, edx
.ENDIF
inc ecx
.ENDW
mov eax, ecx
sub eax, sizeHook
add eax, rvaRsrc
mov lpHook, eax
; Find the part of the IAT that references that string and write the Hook address there
pop eax
add eax, rvaRsrc
sub eax, ImageBase
xor ecx, ecx
.WHILE [edi+ecx] != eax
inc ecx
.ENDW
mov eax, lpHook
mov [edi+ecx], eax
; Find the FirstThunk of the Kernel32.dll block and add 4
mov eax, ecx
add eax, rvaRsrc
sub eax, ImageBase
xor ecx, ecx
.WHILE [edi+ecx] != eax
inc ecx
.ENDW
add DWORD PTR [edi+ecx], 4
; Find the RVA of the IT
sub ecx, 10h
mov eax, ecx
add eax, rvaRsrc
sub eax, ImageBase
mov rvaIT, eax
; Find the size of the IT
mov bl, FALSO
.WHILE bl == FALSO
mov bl, CIERTO
mov edx, 20
.WHILE edx > 0
.IF BYTE PTR [edi+ecx] != 0
mov bl, FALSO
.ENDIF
inc ecx
dec edx
.ENDW
.ENDW
mov eax, ecx
add eax, rvaRsrc
sub eax, rvaIT
mov sizeIT, eax
; Write the address and size of the IT into the header
invoke WriteITAddress, rvaIT, sizeIT
; Write the Hook into the free gap
mov edi, lpHook
sub edi, rvaRsrc
add edi, lpRsrc
mov esi, OFFSET Hook
mov ecx, sizeHook
rep movsb
; Get the ImageSize from the header
mov edi, DWORD PTR Cabecera + 3Ch
add edi, OFFSET Cabecera
mov eax, [edi+50h]
mov ImageSize, eax
invoke DeleteFile, OFFSET Readme
invoke WriteProcessMemory, pinfo.hProcess, ImageBase, OFFSET Cabecera, sizeCabecera, OFFSET Bytes
invoke WriteProcessMemory, pinfo.hProcess, rvaRsrc, lpRsrc, sizeRsrc, OFFSET Bytes
invoke GlobalFree, lpRsrc
invoke ResumeThread, pinfo.hThread
; Wait for it to unpack..
@@:
invoke CreateFile, OFFSET Semaforo, GENERIC_WRITE, NULL, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL
cmp eax, INVALID_HANDLE_VALUE
jz @b
mov hReadme, eax
invoke WriteFile, hReadme, OFFSET Readme, sizeReadme, OFFSET Bytes, NULL
invoke CloseHandle, hReadme
invoke SuspendThread, pinfo.hThread
invoke WriteProcessMemory, pinfo.hProcess, rvaRsrc, lpRsrc2, sizeRsrc, OFFSET Bytes
invoke GlobalFree, lpRsrc2
invoke GlobalAlloc, NULL, ImageSize
mov lpFile, eax
invoke ReadProcessMemory, pinfo.hProcess, ImageBase, lpFile, ImageSize, OFFSET Bytes
invoke CreateFile, OFFSET Save, GENERIC_WRITE, NULL, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL
mov hSave, eax
invoke WriteFile, hSave, lpFile, ImageSize, OFFSET Bytes, NULL
invoke GlobalFree, lpFile
invoke TerminateProcess, pinfo.hProcess, NULL
invoke CloseHandle, pinfo.hProcess
invoke CloseHandle, hSave
jmp fin
error:
invoke GlobalFree, lpRsrc
invoke GlobalFree, lpRsrc2
invoke TerminateProcess, pinfo.hProcess, NULL
invoke CloseHandle, pinfo.hProcess
fin:
invoke ExitProcess, NULL
ret
Main endp
; -----------------------------------------------------------------------
GetSection proc Number
LOCAL rvaSection:DWORD, sizeSection:DWORD
push ebx
push edi
mov edi, DWORD PTR Cabecera + 3Ch
add edi, OFFSET Cabecera
xor ebx, ebx
mov bx, [edi+14h] ; Size of NT header
add edi, ebx
add edi, 18h+8 ; Size of FileHeader + Size of the name of the section
mov eax, 28h
mov ebx, Number
dec ebx
mul ebx
add edi, eax ; Size of a section * Number of section - 1
mov eax, [edi] ; Size of RSRC section
mov sizeSection, eax
add edi, 4
mov eax, [edi]
add eax, ImageBase ; RVA of RSRC section
mov rvaSection, eax
mov eax, rvaSection
mov edx, sizeSection
pop edi
pop ebx
ret
GetSection endp
; -----------------------------------------------------------------------
RealignSections proc
LOCAL NumberOfSections:WORD
push eax
push ebx
push edi
mov edi, DWORD PTR Cabecera + 3Ch
add edi, OFFSET Cabecera
mov ax, [edi+6]
mov NumberOfSections, ax
xor ebx, ebx
mov bx, [edi+14h] ; Size of NT header
add edi, ebx
add edi, 18h ; Size of FileHeader
mov bx, NumberOfSections
.WHILE bx > 0
.IF (DWORD PTR [edi] != '????' || DWORD PTR [edi+4] != '????') && Pregunta == FALSO
mov Pregunta, CIERTO
invoke MessageBoxA, 0, OFFSET msgNoes, OFFSET ofnTitle, MB_OKCANCEL OR MB_ICONQUESTION
cmp eax, IDCANCEL
jz error
.ENDIF
mov eax, [edi+8]
mov [edi+8+8], eax
mov eax, [edi+0Ch]
mov [edi+0Ch+8], eax
add edi, 28h
dec bx
.ENDW
pop edi
pop ebx
pop eax
jmp fin
error:
mov eax, -1
fin:
ret
RealignSections endp
; -----------------------------------------------------------------------
WriteITAddress proc rvaIT:DWORD, sizeIT:DWORD
mov edi, DWORD PTR Cabecera + 3Ch
add edi, OFFSET Cabecera
mov eax, rvaIT
mov [edi+80h], eax
mov eax, sizeIT
mov [edi+84h], eax
ret
WriteITAddress endp
; -----------------------------------------------------------------------
Hook proc Modulo:DWORD
LOCAL hRead:DWORD
mov eax, [ebp+4]
mov eax, [eax]
.IF eax == 47078A95h ; xchg eax, ebp | mov al, [edi] | inc edi
mov edx, [ebp+4]
.WHILE DWORD PTR [edx] != 0C009078Bh ; mov eax, [edi] | or eax, eax
dec edx
.ENDW
sub edx, 6
mov eax, edx
.WHILE DWORD PTR [eax] != 0FFCD8357h ; push edi | or ebp, -1
dec eax
.ENDW
inc eax
mov WORD PTR [eax], 685Eh ; pop esi | push
mov [eax+2], edx ; address
mov BYTE PTR [eax+6], 0C3h ; ret
sub eax, 0Dh ; eax = OEP !!
; Write the OEP into the header
mov edx, ImageBase
add edx, [edx+3Ch]
sub eax, ImageBase
mov [edx+28h], eax
; Create something to signal that we are done
call _CreateFile
FuncionCreateFile dd ?
db 'LeeMe.txt',0
_CreateFile:
pop eax
push NULL
push FILE_ATTRIBUTE_NORMAL
push CREATE_ALWAYS
push NULL
push NULL
push NULL
add eax, 4
push eax
mov eax, [eax-4]
call eax
mov hRead, eax
call _CloseHandle
FuncionCloseHandle dd ?
_CloseHandle:
pop eax
mov eax, [eax]
push hRead
call eax
jmp $
.ENDIF
call _LoadLibrary
FuncionLoadLibrary dd ?
_LoadLibrary:
pop eax
mov eax, [eax]
push Modulo
call eax
ret
Hook endp
sizeHook equ $ - OFFSET Hook
end Main
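Added example (not code from any poster in this thread): a static PE32 header reader in Python that decodes the fields the posts above edit by hand, namely the entry point (RVA 176E71 is VA 576E71 at image base 400000h), the section characteristics (a leading C versus E differs only by the execute bit), and the raw-equals-virtual section layout that RealignSections writes into a memory dump. The sample header is constructed for illustration; the section names, sizes and full flag values are assumptions.

```python
import struct

# Memory-permission bits of a section's Characteristics field (PE/COFF spec).
MEM_EXECUTE, MEM_READ, MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"   # 40-byte IMAGE_SECTION_HEADER


def perms(flags):
    """Render the three permission bits as an 'rwx' style string."""
    table = (("r", MEM_READ), ("w", MEM_WRITE), ("x", MEM_EXECUTE))
    return "".join(c if flags & bit else "-" for c, bit in table)


def build_sample_header():
    """Constructed PE32 header for the demo (not taken from any real file)."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, 0xE0, 0x010F)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x010B)          # PE32 magic
    struct.pack_into("<I", opt, 0x10, 0x00176E71)      # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 0x1C, 0x00400000)      # ImageBase
    # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., flags
    sections = (
        struct.pack(SECTION_FMT, b"sec1", 0x1FF000, 0x1000,
                    0x1FF000, 0x1000, 0, 0, 0, 0, 0xC0000040)
        + struct.pack(SECTION_FMT, b"sec2", 0x50000, 0x200000,
                      0x50000, 0x200000, 0, 0, 0, 0, 0xE0000020)
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


def parse_pe(data):
    """Return image base, entry point and section table of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                # signature (4) + COFF header (20)
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic != 0x010B:
        raise ValueError("only PE32 is handled here")
    (entry_rva,) = struct.unpack_from("<I", data, opt + 0x10)
    (image_base,) = struct.unpack_from("<I", data, opt + 0x1C)
    sections = []
    for i in range(nsect):
        name, vsize, rva, rsize, rptr, _, _, _, _, flags = struct.unpack_from(
            SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "rva": rva,
            "raw_size": rsize, "raw_ptr": rptr, "flags": flags,
        })
    return {"image_base": image_base, "entry_rva": entry_rva,
            "entry_va": image_base + entry_rva, "sections": sections}


def triage(pe):
    """List (section, finding) pairs that suggest a packed or dumped image."""
    findings = []
    for s in pe["sections"]:
        span = max(s["virtual_size"], s["raw_size"])
        holds_entry = s["rva"] <= pe["entry_rva"] < s["rva"] + span
        if holds_entry and not s["flags"] & MEM_EXECUTE:
            findings.append((s["name"], "entry point in non-executable section"))
        if s["flags"] & MEM_WRITE and s["flags"] & MEM_EXECUTE:
            findings.append((s["name"], "writable and executable"))
        # A dump written straight from memory has file offsets equal to RVAs.
        if s["raw_size"] and (s["raw_ptr"], s["raw_size"]) == (s["rva"], s["virtual_size"]):
            findings.append((s["name"], "raw layout mirrors memory layout"))
    return findings


if __name__ == "__main__":
    pe = parse_pe(build_sample_header())
    print("entry point VA: %X" % pe["entry_va"])
    for s in pe["sections"]:
        print("%-8s rva=%06X flags=%08X %s" % (s["name"], s["rva"], s["flags"], perms(s["flags"])))
    for name, finding in triage(pe):
        print("%s: %s" % (name, finding))
```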
--Spam--
12-12-2003, 04:17 AM
Or this?
A 10-30 minutes method to remove the activemark protection from a game is presented here:
AM=Activemark
tools required :
PTRW/W9x, SoftIce, C/C++ compiler, basic debugging skills.
Now this method is very cumbersome, my english is bad and if you're not familiar with S-ice and such
you can skip all this :)
Background:
AM's Softice detection is quite simple. It tries to open a file like "\\.\SICE", "\\.\NTICE", etc and exits if success. So simply use Yoda's HOKO and you can play with SoftIce as you like.
I needed PTRW 2000 / WinMe because it makes a correct dump, which I wasn't able (I didn't try hard :) to make
under NT/2k with Sice - addins.
1). Method of finding our entrypoint:
* under nt/2k, launch hoko (use CreateFileA hook and ret -1 if "\\.\NTICE" on CreateFileA)
* launch the AM protected game, wait 1-3 seconds, press ctrl-d, then search for the following pattern in memory :
if you can't find it, g and wait another second, then ctrl-d again. It is there, believe me.
L0 lea edi, [esi + ...]
L1 mov eax, [edi]
L2 or eax, eax
L3 jnz XXX
i.e. s 400000 L -1 8B, 07, 09, C0, 74
OK. note the above instruction, is something like lea edi, [esi + ...]
because this will be our new entry point.
now boot in w9x, load the .exe in PTRW, bpx at L0, and go.
we will receive a break due to our bpx @ L0
(Here I should tell you that even if you make the perfect dump at this point, it won't work because:
a) - the .exe already loaded &LoadLibraryA and &GetProcAddress somewhere in memory, making our crack OS-dependent;
b) - you need to skip 2 more checks (2 JMPs);
c) - the game is reading itself, so because our dump is different than the original exe, another error will occur.
you will learn to avoid all these problems in a sec.)
for the point c). we will be loading at L0 a little DLL, am.dll, which will overwrite LoadLibraryA and GetProcAddress (at loadtime) in the game (their locations are found very easy :
scroll down the code, you will see a call to [esi + ...] just a few lines below, notice the address on a
paper, I call them LLA. The GPA (GetProcAddress) is just after the LLA. Also note the values of the ESI and EDI registers, as when the EIP will be "L1". (i.e LEA EDI, ... is executed)
(ESI is always 401000, EDI is 401000 + some_value)
so, we will write a little stub. Search down the code, you will notice that we have plenty of space (0s) just
after this kind of jump, at L6...
L4 POPAD
L5 JMP ep
L6 db 0, 0, 0, 0,... (lots of them, cant miss'em :)
so, we'll jump at L6, make a call to loadlibrary, then jump back, then dump the exe.
at L0: overwrite with :
NOP 90
JMP L6 ; (E9 XX XX XX XX)
at L6:
CALL $+7 ; (E8 07 00 00 00)
db 'am.dll', 0 ; (7 bytes)
mov edx, @LLA ; address of LoadLibraryA you've noted before
call edx ; the stack is already with 'am.dll' on it
; return to host
pushad
mov esi, 401000 ; (BE 00 10 40 00) (prev. noted value)
mov edi, ... ; (BF xx xx xx xx) (prev. noted value)
JMP L1
ok, now it is time to fix the point b), i.e. get rid of the subsequent AM checks.
search in memory for the address of the following
AS1 = "ActiveMark Client engine could not find a valid volume."
AS2 = "Unable to start ActiveMark Client engine due to an internal error."
ok, now search in memory for instructions : "PUSH AS1" and "PUSH AS2", (they appear only once)
and look just before. Sometimes there is a simple JNZ or JZ instruction, sometimes it takes a
little bit of effort but this is it : you just have to avoid (with a simple JMP) getting here.
(shouldn't take you more than 5 minutes of debugging).
ok, now everything is set, just "pedump dump.exe", and go
the game should not crash, if we did it right.
Now, boot again in nt/w2k, make a quick tool that will scan dump.exe for "KERNEL32.DLL" (case sensitive)
where we find a PE import section. (a routine is presented below)
and fix the imports just before it...
---------------------------------------------
Now, all we need is our injected DLL, "am.dll"
the scope of this DLL is to check if the game tries to open itself, and present him with the
original exe if so :).
For this you could also use Yoda's HOKO. (great tool, too bad its for money)
This am.dll presented here is configurable, meaning am_hooks.dll will have 4x2 bytes containing the
addresses of LoadLibraryA and GetProcAddress in the game. Quick and DIRTY :
With this, move the original game xxxx.exe into xxxx.ex_, copy the dumped.exe as xxxx.exe,
compile & copy the am.dll into the game dir, fix the imports on the dumped.exe, edit am_hooks.bin
and enter the addresses of LoadLibraryA and GetProcAddress, and there you go, launch the exe
and it will go. No more AM.
If something goes wrong, you will have to figure out for yourself
---------------------------------------------------------------
// am.cpp : Defines the entry point for the DLL application.
//
#include <windows.h>
typedef HANDLE WINAPI _LoadLibraryA_t
(
LPCTSTR lpLibraryName
);
typedef HANDLE WINAPI _GetProcAddress_t
(
HMODULE hModule,
LPCTSTR lpFunctionName
);
typedef HANDLE WINAPI _CreateFile_t(
LPSTR lpFileName,
DWORD dwDesiredAccess,
DWORD dwShareMode,
LPSECURITY_ATTRIBUTES lpSecurityAttributes,
DWORD dwCreationDisposition,
DWORD dwFlagsAndAttributes,
HANDLE hTemplateFile
);
static char g_szGame[MAX_PATH + 1];
static long g_szGameLen = 0;
static char* g_szHooksPointersFile = "am_hooks.bin";
DWORD g_pfnCreateFile_ORIG = 0;
DWORD g_pfnLoadLibraryA_ORIG = 0;
DWORD g_pfnGetProcAddress_ORIG = 0;
DWORD g_bLoadingKernel32 = FALSE;
HANDLE WINAPI xCreateFile(LPSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
HANDLE WINAPI xLLA(LPCTSTR lpLibraryName);
HANDLE WINAPI xGPA(HMODULE hModule, LPCTSTR lpFunctionName);
void FixPointers()
{
DWORD dwDummy;
DWORD dwLLA = 0;
DWORD dwGPA = 0;
HANDLE hFile = CreateFile(g_szHooksPointersFile,
GENERIC_READ,
FILE_SHARE_READ,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL);
if (INVALID_HANDLE_VALUE != hFile)
{
ReadFile(hFile, &dwLLA, 4, &dwDummy, NULL);
ReadFile(hFile, &dwGPA, 4, &dwDummy, NULL);
CloseHandle(hFile);
*((DWORD*)dwLLA) = (DWORD)xLLA;
*((DWORD*)dwGPA) = (DWORD)xGPA;
}
}
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
// initialize the pointers
g_pfnCreateFile_ORIG = (DWORD)CreateFileA;
g_pfnLoadLibraryA_ORIG = (DWORD)LoadLibraryA;
g_pfnGetProcAddress_ORIG = (DWORD)GetProcAddress;
g_szGame[0] = '\0';
// Get self name
g_szGameLen = GetModuleFileName(GetModuleHandle(NULL), g_szGame, MAX_PATH);
// mark pointers in the game
FixPointers();
break;
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
HANDLE WINAPI xLLA(LPCTSTR lpLibraryName)
{
long k, nLen;
for (k = nLen = 0; !IsBadReadPtr(&lpLibraryName[k], 1) && lpLibraryName[k] != '\0'; k++)
nLen++;
if (nLen == 12)
{
if ((lpLibraryName[0] | 0x20) == 'k' &&
(lpLibraryName[1] | 0x20) == 'e' &&
(lpLibraryName[2] | 0x20) == 'r' &&
(lpLibraryName[3] | 0x20) == 'n' &&
(lpLibraryName[4] | 0x20) == 'e' &&
(lpLibraryName[5] | 0x20) == 'l' &&
(lpLibraryName[6] | 0x20) == '3' &&
(lpLibraryName[7] | 0x20) == '2' &&
(lpLibraryName[8] | 0x20) == '.' &&
(lpLibraryName[9] | 0x20) == 'd' &&
(lpLibraryName[10] | 0x20) == 'l' &&
(lpLibraryName[11] | 0x20) == 'l')
{
g_bLoadingKernel32 = 1;
}
else
{
g_bLoadingKernel32 = 0;
}
}
_LoadLibraryA_t* pfnMyLoadLibraryA = (_LoadLibraryA_t*)g_pfnLoadLibraryA_ORIG;
return (*pfnMyLoadLibraryA)(lpLibraryName);
}
HANDLE WINAPI xGPA(HMODULE hModule, LPCTSTR lpFunctionName)
{
if (g_bLoadingKernel32)
{
long k, nLen;
for (k = nLen = 0; !IsBadReadPtr(&lpFunctionName[k], 1) && lpFunctionName[k] != '\0'; k++)
nLen++;
if (11 == nLen)
{
if ((lpFunctionName[0] | 0x20) == 'c' &&
(lpFunctionName[1] | 0x20) == 'r' &&
(lpFunctionName[2] | 0x20) == 'e' &&
(lpFunctionName[3] | 0x20) == 'a' &&
(lpFunctionName[4] | 0x20) == 't' &&
(lpFunctionName[5] | 0x20) == 'e' &&
(lpFunctionName[6] | 0x20) == 'f' &&
(lpFunctionName[7] | 0x20) == 'i' &&
(lpFunctionName[8] | 0x20) == 'l' &&
(lpFunctionName[9] | 0x20) == 'e' &&
(lpFunctionName[10] | 0x20) == 'a')
{
return xCreateFile;
}
}
}
_GetProcAddress_t* pfnMyGetProcAddress = (_GetProcAddress_t*)g_pfnGetProcAddress_ORIG;
return (*pfnMyGetProcAddress)(hModule, lpFunctionName);
}
HANDLE WINAPI xCreateFile(LPSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile)
{
if (IsBadReadPtr(lpFileName, 1))
return INVALID_HANDLE_VALUE;
long k, nLen;
for (k = nLen = 0; lpFileName[k] != '\0'; k++)
nLen++;
if (g_szGameLen == nLen)
{
for (k = 0; k < nLen; k++)
{
if ((lpFileName[k] | 0x20) != (g_szGame[k] | 0x20))
break;
}
if (k == nLen)
{
lpFileName[k -1] = '_';
}
}
_CreateFile_t* pfnMyCreateFile = (_CreateFile_t*)g_pfnCreateFile_ORIG;
return (*pfnMyCreateFile)(lpFileName,
dwDesiredAccess,
dwShareMode,
lpSecurityAttributes,
dwCreationDisposition,
dwFlagsAndAttributes,
hTemplateFile);
}
---------------------------------------------------------------
and the "optimised", DIRTY too, routine for fixing imports :
bool FixImports(char* pszFileName)
{
CString strOrigGame = CString(pszFileName);
char* szFileName = (LPSTR)(LPCSTR)strOrigGame;
HANDLE hFile = CreateFile(szFileName,
GENERIC_READ,
FILE_SHARE_READ,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL | FILE_FLAG_SEQUENTIAL_SCAN,
NULL);
if (INVALID_HANDLE_VALUE == hFile)
{
return false;
}
DWORD dwDummy;
DWORD dwSize = GetFileSize(hFile, &dwDummy);
HANDLE hMap = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, dwSize, "__KRNL32OFFS_SCAN2");
if (!hMap)
{
printf("CreateFileMapping failed\n");
}
DWORD* pMapMem = (DWORD*)MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0);
ULONG _bFound = 0;
ULONG _nOffset = 0;
if (pMapMem)
{
__asm
{
cld
mov _bFound, 0
mov ecx, dwSize
shr ecx, 2
mov edi, pMapMem
_loop:
mov eax, 0x4e52454b // 'KERN'
repnz scasd
cmp ecx, 0
jnz _found1
jmp _notfound
_found1: cmp [edi], 0x32334c45 // 'EL32'
jz _found2
jmp _notfound
_found2: cmp [edi + 4], 0x4c4c442e // '.DLL'
jnz _notfound
inc ecx
shl ecx, 2
mov eax, dwSize
and eax, 0xfffffffc
sub eax, ecx
mov _nOffset, eax
jmp _done
_notfound:
cmp ecx, 8
ja _loop
_done:
}
}
else
{
return false;
}
UnmapViewOfFile(pMapMem);
DWORD dwAddressOffset = _nOffset - 0x70;
CloseHandle(hMap);
CloseHandle(hFile);
char buff[512];
char libbuff[1024];
GetSystemDirectory(buff, 512);
DWORD a[24];
HINSTANCE h;
memset(a, 0, 24 * sizeof(DWORD));
a[0] = (DWORD)LoadLibrary;
a[1] = (DWORD)GetProcAddress;
a[2] = (DWORD)ExitProcess;
a[4] = (DWORD)RegCloseKey;
strcpy(libbuff, buff);
strcat(libbuff, "\\comdlg32.dll");
h = LoadLibrary(libbuff);
if (h)
{
a[6] = (DWORD)GetProcAddress(h, "PrintDlgA");;
FreeLibrary(h);
}
strcpy(libbuff, buff);
strcat(libbuff, "\\crypt32.dll");
h = LoadLibrary(libbuff);
if (h)
{
a[8] = (DWORD)GetProcAddress(h, "CertOpenStore");;
FreeLibrary(h);
}
a[10] = (DWORD)::DPtoLP;
strcpy(libbuff, buff);
strcat(libbuff, "\\netapi32.dll");
h = LoadLibrary(libbuff);
if (h)
{
a[12] = (DWORD)GetProcAddress(h, "Netbios");
FreeLibrary(h);
}
a[14] = (DWORD)CoInitialize;
a[16] = (DWORD)ExtractIconA;
a[18] = (DWORD)::GetDC;
strcpy(libbuff, buff);
strcat(libbuff, "\\wininet.dll");
h = LoadLibrary(libbuff);
if (h)
{
a[20] = (DWORD)GetProcAddress(h, "InternetOpenA");;
FreeLibrary(h);
}
strcpy(libbuff, buff);
strcat(libbuff, "\\winmm.dll");
h = LoadLibrary(libbuff);
if (h)
{
a[22] = (DWORD)GetProcAddress(h, "joyGetPos");;
FreeLibrary(h);
}
CFile f;
if (f.Open(strOrigGame, CFile::modeReadWrite))
{
f.Seek(dwAddressOffset, CFile::begin);
f.Write(a, 24 * sizeof(DWORD));
f.Close();
}
else
{
return false;
}
return true;
}
Ariel_001
12-12-2003, 04:27 AM
if someone here successfully unpacked kazaa, can you please host it somewhere. I really want to edit out some of shareman crap. :D
infamousalbo101
12-12-2003, 04:56 AM
Yes It does help :)
Kunal
12-13-2003, 11:32 AM
C'mon someone just send me the god dam file :) .
Ferasso/ RN, can you put it on some webspace for us please?
nettwister
12-17-2003, 07:12 PM
Originally posted by Ferasso@28 November 2003 - 16:54
Open kazaa.exe in hex editor, go to offset 12FACC, there you will find a byte BB, and change it to CC. Save and go into SICE and:
bpint 03
Run the file, Sice breaks.
e eip bb
bc*
bpmb 576E71 x
F5
Wait... sice breaks
a eip
jmp eip
nop
enter
F5
Go into lord PE, fully dump kazaa, then kill task.
Open it in PE editor, set the entry point to 176E71
Save. Open it in hex editor, find EBFE90 and replace with 558BEC. Done.
Unpacked successfully with this trick, but I have fixed the import table with ImportREC. After that, the file didn't run successfully. But I'm sure that ImportREC has fixed the whole import table, 'cos in the screen, there wasn't an unresolved item in the import table list. Where did I make a mistake?
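One check that applies to a rebuilt dump like the one discussed above, as an added example that is not part of any post: walk the import directory of a PE32 file the way the format defines it and flag thunk entries that are neither a hint/name RVA nor a valid ordinal. The names `build_sample`, `to_off` and `check_imports` are hypothetical, and the sample image and thunk values are constructed for the demonstration.

```python
import struct

def build_sample(thunk):
    """Constructed one-section PE32 whose single import thunk holds `thunk`."""
    img = bytearray(0x400)
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                # e_lfanew
    struct.pack_into("<H12xH", img, 0x46, 1, 0xE0)         # NumberOfSections, SizeOfOptionalHeader
    struct.pack_into("<H102xI", img, 0x58, 0x10B, 0x1000)  # PE32 magic, import directory RVA
    # Section header fields: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<8s4I", img, 0x138, b".idata", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<5I", img, 0x200, 0, 0, 0, 0x1040, 0x1030)  # OFT=0, Name, FirstThunk
    struct.pack_into("<I", img, 0x230, thunk)
    # DLL name at RVA 0x1040; hint/name entry (2-byte hint + name) at RVA 0x1050
    img[0x240:0x25E] = b"KERNEL32.dll\0" + bytes(5) + b"ExitProcess\0"
    return bytes(img)

def to_off(secs, rva):  # file offset for an RVA, or None if no section covers it
    return next((raw + rva - va for va, rsize, raw in secs if va <= rva < va + rsize), None)

def check_imports(data):
    """Return {dll_name: [problems]} for the import directory of a PE32 file."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    opt = pe + 24
    if data[pe:pe + 4] != b"PE\0\0" or struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 file")
    nsec, optsize = struct.unpack_from("<H12xH", data, pe + 6)
    secs = [struct.unpack_from("<12x3I", data, opt + optsize + 40 * i) for i in range(nsec)]
    report, desc = {}, to_off(secs, struct.unpack_from("<I", data, opt + 104)[0])
    if desc is None:
        return {"<import directory>": ["directory RVA maps to no section"]}
    while desc + 20 <= len(data):
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", data, desc)
        if not (oft or name_rva or ft):
            break                                  # all-zero descriptor ends the table
        # The lookup table is OriginalFirstThunk, or FirstThunk when OFT is zero.
        n, t, problems = to_off(secs, name_rva), to_off(secs, oft or ft), []
        name = data[n:data.find(b"\0", n)].decode("ascii", "replace") if n is not None else "?"
        if n is None or t is None:
            problems.append("name or thunk table RVA maps to no section")
        while t is not None and t + 4 <= len(data) and (
                entry := struct.unpack_from("<I", data, t)[0]):
            if entry & 0x80000000 and entry & 0x7FFF8000:  # ordinal: bits 30-15 must be 0
                problems.append("thunk %#x looks like an address, not an ordinal" % entry)
            elif not entry & 0x80000000 and to_off(secs, entry) is None:
                problems.append("thunk %#x is not a hint/name RVA" % entry)
            t += 4
        report[name] = problems
        desc += 20
    return report
```

An empty problem list for every DLL means the directory is structurally walkable; it does not prove the named functions are the ones the program actually needs.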
metheowner
12-17-2003, 08:19 PM
can't someone upload the unpacked file anywhere ... or at least give a reason why no one is willing to do so .. :( i can't follow the instructions that are posted, coz softice doesn't run on windows server 2003 :( (btw .. neither does kazaa 2.6 .. tried it out on 4 different PCs running win2k3, and on all of them, kmd2.6 starts, an icon appears in the tray, and then it exits ... wrote to the sharman guys a couple of times already, but till now, there is no mention of any problem with win2k3 or a patch on their website)
Kunal
12-17-2003, 08:26 PM
Originally posted by metheowner@17 December 2003 - 21:19
tried it out on 4 different PCs running win2k3, and on all of them, kmd2.6 starts, an icon appears in the tray, and then it exits ... wrote to the sharman guys a couple of times already, but till now, there is no mention of any problem with win2k3 or a patch on their website)
Ok first off Windows 2003 is a server os, so i don't know what you are doing with it installed on a workstation! i run kazaa #klchat build fine on win 2k3 server. Looks to me you don't know what you're doing using win 2k3, go back to win xp, and it will work fine (sorry i didn't want to make you seem like a n00b, but i think i did ;) )
Explosive
12-17-2003, 08:48 PM
Originally posted by Kunal@17 December 2003 - 21:26
Originally posted by metheowner@17 December 2003 - 21:19
tried it out on 4 different PCs running win2k3, and on all of them, kmd2.6 starts, an icon appears in the tray, and then it exits ... wrote to the sharman guys a couple of times already, but till now, there is no mention of any problem with win2k3 or a patch on their website)
Ok first off Windows 2003 is a server os, so i don't know what you are doing with it installed on a workstation! i run kazaa #klchat build fine on win 2k3 server. Looks to me you don't know what you're doing using win 2k3, go back to win xp, and it will work fine (sorry i didn't want to make you seem like a n00b, but i think i did ;) )
sure u did! hehe :D
nettwister
12-17-2003, 10:02 PM
Well, I can upload this file, but I bet it doesn't matter, 'cos I think the file has some checks about unpacking and some tricks about import table. I don't believe that unpacking this file is so easy.
Ferasso
12-20-2003, 01:05 AM
Hi, boys and girls, i'm back. $220 bucks for a 20 gb hd, and another $40 bucks for a drive a: (broke with a kick). Besides the money and one month, not so bad...
nettwister, great work, following the steps and having the unpacked file. But i've advised that the IAT would be messed.
I'm downloading kmd 2.6 now, and i'll unpack it again, if the file is really really needed to be hosted somewhere, now it can be done (unless my pc melts again... :angry: ) but: it can't be run, BUT can be disassembled (for knowledge purposes).
I also got klr source, and since i'm on Win 98 i also want it to run. And that's what i'll try to do. I'll also try to understand if there's anything useful regarding the unpacking, to have a perfectly unpacked file. I'll get back ASAP (with the unpacked file hosted somewhere). Bye.
todzuallen
12-20-2003, 01:42 AM
$220 bucks for a 20 gig hd what currency? my 80 gig hd (serial ATA 150 8 MB Cache) was only $120 Canadian like 5-6 months ago.
Ferasso
12-20-2003, 02:00 AM
Well, around US$ 70, then. How much is $120 Canadian?
------
The file is unpacked, as I said, IAT is messed. Working on it. Contacted jakert50 about hosting, waiting his reply.
nettwister
12-20-2003, 02:25 AM
@Ferasso
Just a little help:
To bypass the "My ads were removed, I won't run" dialog in kazaa, place a dummy cd_clint.dll file into your system folder (Win9x Windows/System, WinXP Windows/System32 folder). Not a null file, here is a dummy cd_clint.dll @ http://www.cexx.org/cd_clint.zip
Well, after that, Kazaa will show "Error about showing ads" dialog. I've searched this dialog in W32Dasm, there were two references about this string. And top of the strings, there were nice "jne"s :D
Ferasso
12-20-2003, 02:55 AM
Thanks for the help, nettwister. But something left...
1) The cd_clint.dll wasn't removed (i've checked it and it was on /windows/system).
2) I've seen no reference to this string.
Strange... could you give me the addresses? Thanks.
nettwister
12-20-2003, 01:47 PM
Sorry, I had written here about v2.52. I will check with WinME about kazaa 2.6 modules, so you can check the dll files in your windows.
Well, here are the modules (This is ImpRec Log):
Analysing process...
Module loaded: c:\windows\system\browseui.dll
Module loaded: c:\windows\system\imm32.dll
Module loaded: c:\windows\system\msls31.dll
Module loaded: c:\windows\system\mshtml.dll
Module loaded: c:\program files\vmware\hook.dll
Module loaded: c:\windows\system\mlang.dll
* No export for module: c:\windows\system\shdoclc.dll
Module loaded: c:\windows\system\shdocvw.dll
Module loaded: c:\windows\system\rnr20.dll
Module loaded: c:\windows\system\iphlpapi.dll
Module loaded: c:\windows\system\dhcpcsvc.dll
Module loaded: c:\windows\system\icmp.dll
Module loaded: c:\windows\system\cd_clint.dll
Module loaded: c:\windows\system\msafd.dll
Module loaded: c:\windows\inetmib1.dll
Module loaded: c:\windows\snmpapi.dll
Module loaded: c:\windows\system\rsaenh.dll
Module loaded: c:\program files\kazaa\topsearch.dll
Module loaded: c:\windows\system\winmm.dll
Module loaded: c:\windows\system\olepro32.dll
Module loaded: c:\windows\system\oleaut32.dll
Module loaded: c:\windows\system\oledlg.dll
Module loaded: c:\windows\system\msvcrt20.dll
Module loaded: c:\program files\kazaa\kzscan.dll
Module loaded: c:\windows\system\urlmon.dll
Module loaded: c:\program files\kazaa\bdcore.dll
Module loaded: c:\windows\system\wininet.dll
Module loaded: c:\windows\system\setupapi.dll
Module loaded: c:\windows\system\wintrust.dll
Module loaded: c:\windows\system\imagehlp.dll
Module loaded: c:\windows\system\crypt32.dll
Module loaded: c:\windows\system\msasn1.dll
Module loaded: c:\windows\system\cfgmgr32.dll
Module loaded: c:\windows\system\ntdll.dll
Module loaded: c:\windows\system\cabinet.dll
Module loaded: c:\windows\system\winspool.drv
Module loaded: c:\windows\system\ole32.dll
Module loaded: c:\windows\system\lz32.dll
Module loaded: c:\windows\system\comdlg32.dll
Module loaded: c:\windows\system\shell32.dll
Module loaded: c:\windows\system\comctl32.dll
Module loaded: c:\windows\system\version.dll
Module loaded: c:\windows\system\shlwapi.dll
Module loaded: c:\windows\system\wsock32.dll
Module loaded: c:\windows\system\mswsock.dll
Module loaded: c:\windows\system\ws2_32.dll
Module loaded: c:\windows\system\rasapi32.dll
Module loaded: c:\windows\system\secur32.dll
Module loaded: c:\windows\system\svrapi.dll
Module loaded: c:\windows\system\msnet32.dll
Module loaded: c:\windows\system\mspwl32.dll
Module loaded: c:\windows\system\tapi32.dll
Module loaded: c:\windows\system\rpcrt4.dll
Module loaded: c:\windows\system\netapi32.dll
Module loaded: c:\windows\system\netbios.dll
Module loaded: c:\windows\system\mpr.dll
Module loaded: c:\windows\system\ws2help.dll
Module loaded: c:\windows\system\msvcrt.dll
Module loaded: c:\windows\system\user32.dll
Module loaded: c:\windows\system\gdi32.dll
Module loaded: c:\windows\system\advapi32.dll
Module loaded: c:\windows\system\kernel32.dll
Getting associated modules done.
Image Base:00400000 Size:003A7000
Hope this helps.
RileyF
12-20-2003, 07:00 PM
well if you try to make klr compatible with 98 can you also add more features to it?? like load KL extensions!!! and remove the adspace above each new search?? hope you can :D good luck!
jakert50
12-20-2003, 08:16 PM
Hello all,
You can download the unpacked version here:
www.intrepidstudios.net/Kazaa26/Kazaa26Unpacked.rar (http://www.intrepidstudios.net/Kazaa26/Kazaa26Unpacked.rar)
Just remember that the import table is corrupted, it can't be run, but can be disassembled. We know you can't run it. Don't even post that it doesn't run, because we already know it doesn't!!
:lol: :P :D
Enjoy!
~Jaker
jakert50
12-20-2003, 08:24 PM
And btw...
If you ever need to get more hardware, I highly recommend one of the following sites:
www.newegg.com (http://www.newegg.com)
www.pricewatch.com (http://www.pricewatch.com)
www.techdepot.com (http://www.techdepot.com)
B)
~Jaker
Kunal
12-21-2003, 01:01 PM
Errrmmmm, it doesnt load :blink: .............. jokes
Nice work guys, but you did have to unpack the beta version didn't you *sigh*
Ferasso
12-22-2003, 01:29 AM
Thanks for everything, people. But what does
but you did have to unpack the beta version didnt you
mean?
I've downloaded the file 20/12?
Kunal
12-22-2003, 10:13 PM
Originally posted by Ferasso@22 December 2003 - 02:29
but you did have to unpack the beta version didnt you
mean?
I've downloaded the file 20/12?
it's just on some of the resource sections it says important BETA information
RileyF
12-29-2003, 04:07 PM
so guys, how far are you guys with fixing that error that is caused because the import table is corrupted?? just wondering how you're doing on this 'project', cause i believe that you guys can take the new 2.6 to a higher level if it's able to run.. :P serious work can be done once ready..
So will there be good news in the future??
jan ter hofte
01-20-2004, 09:17 PM
thank you very much for the unpacked exe from kazaa
jan ter hofte
01-20-2004, 09:34 PM
maybe you can make it work !!!