[Discussion] Removing DC Flag

09/02/2009 09:06 dlnqt#151
Quote:
Originally Posted by brian86
The problem is there is another protection, I'll keep you guys updated.

I was able to unpack the file and have it running through CR. However, if I attempt to attach Olly to cabalmain.exe and run debug, it is detected by GameGuard. From this point I no longer know what to do; hide olly and phantom don't seem to work. Please advise if there is any software I can use to bypass the 2nd protection. ^>> ^ thanks.. guys

Here's what I do, but it's not live debug.. my unpacked exe cannot run normally..

1. Unpack cabal main (UnExeStealth + RL_dePacker1.4)
2. Run Ollydbg
3. Open the unpacked cabalmain (not attach since it's not running)
4. From there you can see lots of stuff.. search for all referenced strings
09/02/2009 10:27 logan432#152
@dlnqt
May I know what the OEP of your unpacked exe file is?
09/02/2009 10:46 jagd#153
@dlnqt
does antivirus detect RL!dePacker as a virus???
I've DLed one and it's full of viruses lol =))

and yes,
I think I'm encountering that second protection, so
does that mean I need to unpack the already unpacked exe with RL!dePacker?
PLS enlighten me, thanks
09/02/2009 10:52 dlnqt#154
@logan432, I don't know the OEP; mine is wrong because it won't run normally. Tried re-packing it but it still doesn't work :p

@jagd, yeah, UnExeStealth is detected as a virus, not sure about RL!dePacker.. 1st protection (UnExeStealth)... you still can't see any useful asm code; 2nd protection (RL!dePacker), after this you will already see important asm code, but I think there is still a protection, though I'm not sure..
09/02/2009 14:40 logan432#155
Quote:
Originally Posted by dlnqt
@logan432, I don't know the OEP; mine is wrong because it won't run normally. Tried re-packing it but it still doesn't work :p

@jagd, yeah, UnExeStealth is detected as a virus, not sure about RL!dePacker.. 1st protection (UnExeStealth)... you still can't see any useful asm code; 2nd protection (RL!dePacker), after this you will already see important asm code, but I think there is still a protection, though I'm not sure..
Mine too.. I can't run my UnExeStealth.. it has an error or something like this: "error while processing memory" or such.. sorry for my bad English..
09/02/2009 18:41 brian86#156
UnExeStealth + RL!dePacker
I am under the impression that once UnExeStealth is applied to cabalmain.exe, this is already the unpacked version. How come we still need to use RL!dePacker? When I tried to apply RL!dePacker to the unpacked cabalmain.exe, it won't detect the cabalmain.exe file.
hmmm.... it only makes sense to give this message "file cannot be unpacked" since it is already unpacked. ^ ^.. thanks.. anyways
09/02/2009 23:31 168Atomica#157
OK. Even though I succeeded in unpacking cabalmain, I did wonder why I could not see the code hinted at by dlnqt.

You need RL!dePacker so that you can see code like the one attached.

I am not a master programmer, but I have a bet:
UnExeStealth makes a new header and RVA and new import records (I think it is similar to what ImpRec does) - you do not need to find the OEP because it is done automatically. But since it is automatic, you could do it the other way by finding the OEP manually, setting the OEP, importing the tables and all the other stuff.

On the other hand, RL!dePacker just does another thing.
As you may know, to completely unpack the file, the following are the main options of many reversers...
Copying the erased header
Passing the CRC check
Avoiding API redirection
Avoiding Imports erasing
Patching Anti-dumping
Patching Anti-SoftICE, SmartCheck, IDA, Olly :D

So the two tools mentioned above do one or more of the reversing procedures I have stated.

If you cannot understand all of these things, then you are too far behind the race.
09/03/2009 01:55 dlnqt#158
Quote:
Originally Posted by 168Atomica
OK. Even though I succeeded in unpacking cabalmain, I did wonder why I could not see the code hinted at by dlnqt.

You need RL!dePacker so that you can see code like the one attached.

I am not a master programmer, but I have a bet:
UnExeStealth makes a new header and RVA and new import records (I think it is similar to what ImpRec does) - you do not need to find the OEP because it is done automatically. But since it is automatic, you could do it the other way by finding the OEP manually, setting the OEP, importing the tables and all the other stuff.

On the other hand, RL!dePacker just does another thing.
As you may know, to completely unpack the file, the following are the main options of many reversers...
Copying the erased header
Passing the CRC check
Avoiding API redirection
Avoiding Imports erasing
Patching Anti-dumping
Patching Anti-SoftICE, SmartCheck, IDA, Olly :D

So the two tools mentioned above do one or more of the reversing procedures I have stated.

If you cannot understand all of these things, then you are too far behind the race.
Those are the asm codes I was talking about :p So.. you can run your unpacked cabalmain.exe normally? :D RL!dePacker is not enough to unpack cabalmain; you also need UnExeStealth..

@brian86

UnExeStealth is not applied.. a new .exe will be formed automatically, named dump.exe. I guess you were running cabalmain.exe at the same time? Exit any program that is using cabalmain.exe.. then use UnExeStealth. A new .exe named dump.exe will be formed. Then use RL!dePacker on dump.exe.. again a new .exe will be formed, named unpacked.exe. You must use the latest RL!dePacker for it to work.. Older versions will crash..
09/03/2009 02:32 168Atomica#159
Quote:
Originally Posted by dlnqt
Those are the asm codes I was talking about :p So.. you can run your unpacked cabalmain.exe normally? :D RL!dePacker is not enough to unpack cabalmain; you also need UnExeStealth..

@brian86

UnExeStealth is not applied.. a new .exe will be formed automatically, named dump.exe. I guess you were running cabalmain.exe at the same time? Exit any program that is using cabalmain.exe.. then use UnExeStealth. A new .exe named dump.exe will be formed. Then use RL!dePacker on dump.exe.. again a new .exe will be formed, named unpacked.exe. You must use the latest RL!dePacker for it to work.. Older versions will crash..
I may have done something wrong with my unpacked cabalmain; after I renamed it cabalmain.exe (it's the one called by CR), nothing happened when I called it from CR. I launched Olly and found out that the OEP pointed to the instructed RTN :mad:

Now, I'm currently tracing where the starting code should be....
09/03/2009 02:34 dlnqt#160
Haha, same problem as me.. I'm guessing that we can't really run an unpacked cabalmain.exe: the OEP is incorrect, some asm code was destroyed during unpacking, or we lack the following options as you mentioned:

Copying the erased header
Passing the CRC check
Avoiding API redirection
Avoiding Imports erasing
Patching Anti-dumping
Patching Anti-SoftICE, SmartCheck, IDA, Olly

:p
09/03/2009 03:16 168Atomica#161
Quote:
Originally Posted by dlnqt
Haha, same problem as me.. I'm guessing that we can't really run an unpacked cabalmain.exe: the OEP is incorrect, some asm code was destroyed during unpacking, or we lack the following options as you mentioned:

Copying the erased header
Passing the CRC check
Avoiding API redirection
Avoiding Imports erasing
Patching Anti-dumping
Patching Anti-SoftICE, SmartCheck, IDA, Olly

:p
Uhmm I wonder how to produce the log you posted earlier in this thread - WSA logs...
09/03/2009 03:53 logan432#162
Quote:
Originally Posted by 168Atomica
Uhmm I wonder how to produce the log you posted earlier in this thread - WSA logs...
Hey, do you have any idea how to fix the IAT?
09/03/2009 03:56 dlnqt#163
Quote:
Originally Posted by 168Atomica
Uhmm I wonder how to produce the log you posted earlier in this thread - WSA logs...
WHAT??? You've seen the WSA logs I posted??? Those logs contained my account ID, so I quickly edited it... :(

I thought you already made damage hack work? So why are you still continuing this and asking stuff? :D
09/03/2009 04:23 168Atomica#164
First, I didn't say I saw your WSA logs in my cabalmain.

Next, I was able to "successfully" run unpacked cabalmain after numerous attempts to find the OEP. I didn't claim that I even got the dmg hack working.

And lastly, I wasn't able to see the code you were mentioning in MY cabalmain, which is why I tried using RLDe and finally saw what you were saying before.

Now I am wondering how you got WSA calls in the logs before, when you admitted that your current unpacked client doesn't work either...

Just thinking aloud. No offence meant...

I am posting what I have learned and somehow collaboratively piecing together clues with those others (better than me) who are still working hard to find the solution to this DC problem.
09/03/2009 04:30 168Atomica#165
Quote:
Originally Posted by logan432
Hey, do you have any idea how to fix the IAT?
Is this from the screenshot you provided earlier?
If yes, then I think you need to find the "exact" OEP.
Why am I telling you this? Because you could get the same screenies even if your OEP input is not 384895.
Try using 384005 and you can get the same screenie. Did you get what I mean?
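An added example, not posted by anyone in this thread and not the code of any tool named in it, of the checks a malware analyst runs on a dumped file before trusting it, which is where the OEP and IAT questions in the last few posts come from: it parses the PE header, confirms the entry point lands inside an executable section that has file data behind it, and walks the import directory to its terminator, reporting an error instead of crashing when an RVA has nothing on disk behind it. The PE image it inspects is constructed inline as test data; `build_sample_pe`, `audit_unpacked_pe` and the other function names are hypothetical, and only PE32 (32-bit) files are handled.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000   # section Characteristics flag (winnt.h)
IMPORT_DIR_INDEX = 1                 # IMAGE_DIRECTORY_ENTRY_IMPORT

def build_sample_pe(entry_rva):
    """Hypothetical helper: a minimal PE32 built here as test data, not a real dump."""
    img, pe, opt = bytearray(0x600), 0x40, 0x40 + 24
    img[0:2] = b'MZ'
    struct.pack_into('<I', img, 0x3C, pe)                            # e_lfanew
    img[pe:pe + 4] = b'PE\0\0'
    # IMAGE_FILE_HEADER: i386, 2 sections, 224-byte optional header, EXECUTABLE|32BIT
    struct.pack_into('<HHIIIHH', img, pe + 4, 0x14C, 2, 0, 0, 0, 224, 0x0102)
    struct.pack_into('<H', img, opt, 0x10B)                          # PE32 magic
    struct.pack_into('<I', img, opt + 16, entry_rva)                 # AddressOfEntryPoint
    struct.pack_into('<I', img, opt + 92, 16)                        # NumberOfRvaAndSizes
    struct.pack_into('<II', img, opt + 96 + 8 * IMPORT_DIR_INDEX, 0x2000, 40)  # import dir
    sec = opt + 224   # section table: name, vsize, va, rawsize, rawptr, 0s, characteristics
    struct.pack_into('<8sIIIIIIHHI', img, sec, b'.text', 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    struct.pack_into('<8sIIIIIIHHI', img, sec + 40, b'.rdata', 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x40000040)
    img[0x200:0x203] = b'\x31\xc0\xc3'                               # .text: xor eax,eax ; ret
    rd = 0x400   # raw offset of .rdata; RVA = 0x2000 + (offset - rd)
    struct.pack_into('<IIIII', img, rd, 0x2040, 0, 0, 0x2060, 0x2050)  # OFT,TS,FC,Name,FT
    struct.pack_into('<II', img, rd + 0x40, 0x2070, 0)               # import name table
    struct.pack_into('<II', img, rd + 0x50, 0x2070, 0)               # IAT (mirrors INT on disk)
    img[rd + 0x60:rd + 0x6D] = b'KERNEL32.dll\0'
    img[rd + 0x70:rd + 0x7E] = b'\0\0ExitProcess\0'                  # hint + name
    return bytes(img)

def parse_pe(data):
    """Read entry point, import directory RVA and section table from a PE32 file."""
    pe = struct.unpack_from('<I', data, 0x3C)[0]
    if data[:2] != b'MZ' or data[pe:pe + 4] != b'PE\0\0':
        raise ValueError('not a PE file')
    nsec, opt = struct.unpack_from('<H', data, pe + 6)[0], pe + 24
    sec = opt + struct.unpack_from('<H', data, pe + 20)[0]           # SizeOfOptionalHeader
    if struct.unpack_from('<H', data, opt)[0] != 0x10B:
        raise ValueError('only PE32 is handled here')
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from('<8sIIII', data, sec + 40 * i)
        chars = struct.unpack_from('<I', data, sec + 40 * i + 36)[0]
        sections.append(dict(name=name.rstrip(b'\0').decode(), va=va, vsize=vsize,
                             rawsize=rawsize, rawptr=rawptr, chars=chars))
    return dict(entry=struct.unpack_from('<I', data, opt + 16)[0],
                import_rva=struct.unpack_from('<I', data, opt + 96 + 8 * IMPORT_DIR_INDEX)[0],
                sections=sections)

def section_for_rva(sections, rva):
    for s in sections:
        if s['va'] <= rva < s['va'] + max(s['vsize'], s['rawsize']):
            return s
    return None

def rva_to_offset(sections, rva):
    """Map an RVA to a file offset; raise if no file data backs it (typical of a bad dump)."""
    s = section_for_rva(sections, rva)
    if s is None or rva - s['va'] >= s['rawsize']:
        raise ValueError('RVA 0x%x has no backing file data' % rva)
    return s['rawptr'] + (rva - s['va'])

def cstring(data, off):
    return data[off:data.index(b'\0', off)].decode('ascii', 'replace')

def walk_imports(data, hdr):
    """Return [(dll, [symbol, ...])], walking IMAGE_IMPORT_DESCRIPTORs to the null one."""
    out, off = [], rva_to_offset(hdr['sections'], hdr['import_rva'])
    while True:
        oft, _ts, _fc, name_rva, ft = struct.unpack_from('<IIIII', data, off)
        if name_rva == 0:
            return out
        dll, syms = cstring(data, rva_to_offset(hdr['sections'], name_rva)), []
        thunk = rva_to_offset(hdr['sections'], oft or ft)  # prefer the INT, else the IAT
        while True:
            t = struct.unpack_from('<I', data, thunk)[0]
            if t == 0:
                break
            syms.append('#%d' % (t & 0xFFFF) if t & 0x80000000             # import by ordinal
                        else cstring(data, rva_to_offset(hdr['sections'], t) + 2))  # skip hint
            thunk += 4
        out.append((dll, syms))
        off += 20

def audit_unpacked_pe(data):
    """Entry point must sit in an executable section with file data; imports must walk cleanly."""
    hdr = parse_pe(data)
    sec = section_for_rva(hdr['sections'], hdr['entry'])
    in_code = bool(sec) and bool(sec['chars'] & IMAGE_SCN_MEM_EXECUTE) and \
        hdr['entry'] - sec['va'] < sec['rawsize']
    try:
        imports, import_error = walk_imports(data, hdr), None
    except (ValueError, struct.error) as e:
        imports, import_error = [], str(e)
    return dict(entry_rva=hdr['entry'], entry_section=sec['name'] if sec else None,
                entry_in_code=in_code, imports=imports, import_error=import_error)
```

`audit_unpacked_pe(build_sample_pe(0x1000))` reports the entry in `.text` and the single `KERNEL32.dll!ExitProcess` import; feeding it an entry of 0x2010 (inside `.rdata`) or 0x9000 (outside every section) shows why a disassembly that merely looks plausible at a candidate OEP, as #165 points out, proves nothing on its own: section flags and raw-data bounds are a cheap first filter, and a dangling import-directory pointer is reported in `import_error` rather than left to crash the parser.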