[RELEASE+DISCUSSION] Unpacked CABALMAIN.EXE
This is a discussion on [RELEASE+DISCUSSION] Unpacked CABALMAIN.EXE within the Cabal Main - Discussions / Questions forum, part of the Cabal Online category.
Update: September 7, 2009 1:03PM (+8 GMT) - VERY IMPORTANT PLEASE READ: You don't need an unpacked cabalmain.exe to remove the DC flag; live debugging will already suffice. The benefit of an unpacked cabalmain.exe is that you will be able to apply the removal of the DC flag PERMANENTLY, meaning you don't need to open up OllyDbg anymore.
But if you want to skip the unpacking of cabalmain.exe and go straight to the removal of the DC flag, you may do so. However, if you find the DC flag but don't have an unpacked cabalmain.exe and can't apply it permanently, you will have to open OllyDbg every time you run Cabal. Now that I have made it clear, please don't PM me that your unpacked cabalmain.exe isn't running normally; I have already said it many times in this post :|
Update: September 6, 2009 9:17PM (+8 GMT) - I will be editing this entire guide soon since I found a 1-shot unpacker for Cabal PH's cabalmain.exe. As for other clients (NA, EU, SEA, etc.), their cabalmain.exe has a different packer, as so many people here have mentioned. So my guide won't apply to any other client; this is only for Cabal PH, although it will work if that particular server has the same packer as Cabal PH.
Update: September 3, 2009 2:35PM (+8 GMT) - I'm currently looking for an unpacker that will unpack cabalmain.exe in just 1 shot, meaning one unpacker program is sufficient and the resulting unpacked cabalmain.exe runs normally. Though if I find such a program, I have doubts about sharing it because of people like Leech-King.
Here is the unpacked cabalmain.exe (for cabal PH only)
(Scan files before opening)
If you want to unpack your own cabalmain.exe, follow this guide:
Download these files first:
- DiE (Detect it Easy) - Packer Identifier
- PEiD - Packer Identifier
- UnExeStealth (this will be detected as a virus, just ignore it..)
- RL!depacker
(Scan files before opening)
Extract the 2 files anywhere you want. Note: If you extract UnExeStealth.zip and no .exe appears, it means your anti-virus is deleting it.
Now on to unpacking cabalmain.exe:
I. Identifying the First Packer (Optional)
1. Make sure you know where cabalmain.exe is located
2. Make a backup of it in case something happens
3. Use a packer identifier like PEiD or DiE (Detect it Easy)
4. Identify what kind of packer cabalmain.exe has:
5. PEiD detects it as yoda cryptor 1.x / modified while DiE will detect it as ExeStealth 2.7x
II. Unpacking the First Packer (ExeStealth 2.7x / Yoda Cryptor 1.x modified)
1. Use UnExeStealth for the first packer of cabalmain.exe
> So why did I use UnExeStealth? I've read in other forums that ExeStealth is a variant of Yoda's Cryptor or something like that, and if you look at the things that UnExeStealth can unpack, Yoda's Cryptor is included there.
2. After opening UnExeStealth, point it to your cabalmain.exe, then click on unpacker
3. Wait a few seconds and it will say that it was unpacked successfully
4. You will see in your Cabal folder that a new .exe was created, named dump.exe; don't do anything to it, just leave it as it is. (Note: your cabalmain.exe is still intact; no changes were made to it during the use of UnExeStealth. UnExeStealth only created a new file for you named dump.exe.)
III. Identifying the Second Packer (Optional)
1. Open DiE and/or PEiD again to identify the packer
2. Point it towards your dump.exe (located in the same folder as cabalmain.exe)
3. DiE detects the following protection/packers for dump.exe
> ASPack/ASProtect (Scan Tab)
> External Sign: ASProtect 1.33 - 2.1 Registered -> Alexey Solodovnikov (Scan Tab)
> Entropy (Hard Scan): ASProtect 1.23 RC4 (Entro Tab)
> VerA 0.15: ASProtect 1.23 RC4 - 1.3.08.24  (DiE Plugin)
4. PEiD detects the following protection/packer for dump.exe
> Yoda's Cryptor 1.x / modified (Still the same)
IV. Unpacking the Second Packer (ASPack/ASProtect)
1. Use RL!depacker for the second packer of dump.exe
> This is the only unpacker that I found to work with dump.exe; maybe there are other unpackers out there that would work.
2. Open up RL!depacker
3. Point it towards your dump.exe (Located at the same folder as your cabalmain.exe)
4. For the options, checking the following options makes the unpacking process FAIL:
> Hide unpacker for detection
> Use tracer to correct IAT
> The other options work; try different options. I haven't played around with OEP though.
5. Once dump.exe has been unpacked successfully, a new .exe will be created in the same folder named unpacked.exe
V. Viewing your unpacked.exe in Ollydbg
1. Open up your Ollydbg only (don't run cabalmain.exe)
2. Open your unpacked.exe (do not attach)
> If your OllyDbg hangs during the opening of unpacked.exe, install a fresh OllyDbg without any plugins and it should work
3. Once your unpacked.exe has been loaded, right click on the main window, go to 'Search for:', then choose 'All referenced text strings'
4. Ollydbg will load for a while, then you will be able to see lots and lots of the actual asm codes (Like the picture 168Atomica uploaded)
VI. Some stuff
> There is another protection found in unpacked.exe: if you use DiE, it will detect MoleBox 2.6x. I haven't tried unpacking this yet, and I'm not sure if this is a bug or not.
> You cannot run your unpacked.exe normally; if you live debug unpacked.exe, it will only point you to a retn instruction.
I wonder what you can do with these asm codes
May this serve as a warning for people who are trying to hack cabal..
This whole guide is just for unpacking cabalmain.exe, and it's not the exact process of making an unpacked cabalmain.exe; there are still some missing parts. This guide does not include removing the DC flag, as I have not yet started on that part.
The unpacked cabalmain.exe that I posted is only for Cabal PH; the process is NOT the same for other server clients, as they have different kinds of packers.
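Step III above relies on DiE's "Entropy (Hard Scan)" result to tell that dump.exe is still wrapped. As an added example (not code from the original post, nor from DiE, PEiD or any other tool named here), this Python script reproduces that heuristic: it walks the PE section table and scores each section's raw bytes, so a packed or encrypted body such as an ASProtect layer stands out as near-random (close to 8 bits/byte) against plain code. The `build_sample_pe` helper, the `PACKED_THRESHOLD` cut-off and the section contents are constructed for the demo and are not taken from cabalmain.exe.

```python
"""PE section-entropy triage, the heuristic behind DiE's 'Entropy' scan.
Added example, not code from the original post or from DiE/PEiD."""
import math
import struct

PACKED_THRESHOLD = 7.0  # bits/byte; common rule of thumb (assumption), not a standard

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    counts = [data.count(v) for v in range(256)]  # bytes.count accepts an int
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0

def pe_sections(image: bytes):
    """Yield (name, raw_offset, raw_size) from the section table of a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size              # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        entry = table + 40 * i
        name = image[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_off = struct.unpack_from("<II", image, entry + 16)
        yield name, raw_off, raw_size

def section_entropies(image: bytes) -> dict:
    """Map section name -> entropy of its raw on-disk bytes (packed: near 8)."""
    return {n: shannon_entropy(image[o:o + s]) for n, o, s in pe_sections(image)}

def looks_packed(image: bytes) -> bool:
    """Flag the file if any section's entropy reaches PACKED_THRESHOLD."""
    return any(e >= PACKED_THRESHOLD for e in section_entropies(image).values())

def build_sample_pe(sections: dict) -> bytes:
    """Constructed minimal PE (empty optional header) so the scan runs offline."""
    e_lfanew = 0x40
    hdr = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    off, table, body = e_lfanew + 24 + 40 * len(sections), b"", b""
    for name, data in sections.items():
        table += name.encode().ljust(8, b"\0") + struct.pack("<II", len(data), 0)
        table += struct.pack("<II", len(data), off + len(body)) + b"\0" * 16
        body += data
    return hdr + table + body
```

Run `section_entropies(open("dump.exe", "rb").read())` on a real file to see the per-section scores; a section at 7.5+ is what the "Entropy" tab is reacting to, while a false positive is possible on legitimately compressed resources.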
If it can't be run then maybe there's something wrong with it. The way my little understanding of unpacking goes is that all functions necessary for the program's execution must not be affected; only the protection or the packaging is being stripped off. It's like opening a gift: you see what the gift itself is instead of just wondering what it is, but it is still the same, only the cover was taken.
In this case, you opened the gift, but you lost the gift itself.
It's like defusing a bomb, not detonating it.
Maybe the best way to unpack this is to unpack it "manually", and a guide for that would be a great one.