Any Ideas? (Debugging Cabalmain.exe)

09/21/2009 23:22 howcow95#16
trying ur tut atm but again ... just like you, busy w/ school etc etc, so this is second priority... ALSO the Sienna Queen patch is scheduled for Euro and NA pretty soon soooooo what if they find another way to make us not able to do this whole unpack business >.> or maybe we'll just have to redo our work? (if we successfully get it dun by then)
09/22/2009 05:43 .Law.#17
what'cha dreaming about? Took 'em months to fix that even though they knew it existed, they probably fell in denial, but I don't think they'll add extra protection to the cabalmain.exe, like Themida etc.
09/22/2009 05:56 howcow95#18
lol... according to bindie CabalNA is packed with Themida >.> ALSO I followed the Dekaron thing, it works perfectly till I have to fix in ImpREC ... it doesn't have the right OEP, which means that I'm missing something from the step before (after I set the BP at the cabalmain jmp and run it, it doesn't take me anywhere) >.> ... well at least it's good news to hear Estsoft is slow!
09/22/2009 11:41 oren_studio#19
SEA is also packed with Themida, 1.9.9.0 specifically. Tried unpacking it but I too end up with Themida detecting the exe being debugged; gives some Oreans error message. I believe the OEP is correct as I tried finding it manually and using scripts, both give the same OEP. I think the problem I'm facing now is fixing the IAT.
09/22/2009 14:48 NoobWant2Learn#20
btw, if cabalridre bypasses your security system (XTrap, GG) no need for twinR..
if u already bypass ur security protection there's no reason why Cabal detects Olly...
AFAIK
09/22/2009 15:41 NovaCygni#21
Quote:
Originally Posted by PunkS7yle
what'cha dreaming about? Took 'em months to fix that even though they knew it existed, they probably fell in denial, but I don't think they'll add extra protection to the cabalmain.exe, like Themida etc.
Themida is removable... just takes longer. Think I should compile an OllyDbg+Cabal toolkit with all the plugins/tools people should need? I'm very surprised no-one noticed there were scripts for removing the packers on Cabal in the last folder I posted!
09/22/2009 15:57 .Law.#22
I never dlded it :P. Will do now, as I said, I'm overloaded, I usually post from my phone while in classes xD
Never said Themida was un-removable, it just takes more for ppl to remove it by merely reading guides.
EDIT: Holy shot, the folder u posted pwns, all in 1 folder >;, epic.
09/22/2009 17:40 ktamer#23
Nova provided some really great stuff. Just wondering, Nova, did you work on debugging NA Cabal or others? Or maybe all of them? If so, did you ever get errors while using Olly that some memory addresses were unreadable? I like the tools you provided, I just wish that it would all come together smoothly. Is there a specific setup I should use for each plugin for it to actually run and not be detected and fail? I've been racking my brain for this accursed .exe. I can attach to other games no problem and run the debugger successfully... I swear once I figure this out, I will dedicate my life to killing X-Trap :bandit:
09/22/2009 20:22 oren_studio#24
Quote:
Originally Posted by NovaCygni
Themida is removable... just takes longer. Think I should compile an OllyDbg+Cabal toolkit with all the plugins/tools people should need? I'm very surprised no-one noticed there were scripts for removing the packers on Cabal in the last folder I posted!
Tried with all the Themida scripts included in your folder, but still couldn't find the OEP. Most scripts give an Oreans internal exception error, some straightaway terminated.

Of all the scripts I tried, only one script successfully finished till the end.

Tried the manual way following joker_italy's guide on TMD 1.9.1.0; gives the same result as this script (although SEA is packed with 1990, that's why I'm sceptical whether it's the real OEP).

Well, there are still many things I'm going to try, and I'm back to basics. :p
09/22/2009 21:44 howcow95#25
@oren that's the only script that works for me as well, but when I try to rebuild the IAT using ImpREC with the OEP I found there and subtracting the image base .... it doesn't work :S

@punk... that post about Dekaron ... Cabalmain seems a little more complex? I'm trying dif things but can't find the correct way to find the proper OEP =(
09/23/2009 06:54 ktamer#26
Upon further research: could you use MHS to actually debug? And would it also work if you inject code where the flag is triggered? Or would that still require repetitive procedures after Cabal is closed? I've read MHS can read kernel memory without actually attaching to the process. It's odd, something that should be so simple is made complicated by a simple thing. Unless of course I'm looking in the wrong places. But then I'm just thinking about it too hard. :pimp:
09/23/2009 10:34 NovaCygni#27
Quote:
Originally Posted by howcow95
@oren that's the only script that works for me as well, but when I try to rebuild the IAT using ImpREC with the OEP I found there and subtracting the image base .... it doesn't work :S

@punk... that post about Dekaron ... Cabalmain seems a little more complex? I'm trying dif things but can't find the correct way to find the proper OEP =(
You need to remove the protection in the correct order; also, if you run the script for, say, Yoda and it gives a "Maybe its not Yoda" message, you haven't removed the other security...
09/23/2009 13:15 .Law.#28
Quote:
Originally Posted by howcow95
@oren that's the only script that works for me as well, but when I try to rebuild the IAT using ImpREC with the OEP I found there and subtracting the image base .... it doesn't work :S

@punk... that post about Dekaron ... Cabalmain seems a little more complex? I'm trying dif things but can't find the correct way to find the proper OEP =(
Dekaron.exe is packed with UPX, no dumping protection; that vid only serves the purpose of showing you an example.
09/23/2009 13:42 oren_studio#29
Quote:
Originally Posted by NovaCygni
You need to remove the protection in the correct order; also, if you run the script for, say, Yoda and it gives a "Maybe its not Yoda" message, you haven't removed the other security...
So you're saying that it has other protection other than Themida?
09/23/2009 15:37 brian86#30
Quote:
Originally Posted by NovaCygni
You need to remove the protection in the correct order; also, if you run the script for, say, Yoda and it gives a "Maybe its not Yoda" message, you haven't removed the other security...
What do you mean by removing the protection in order? What's the correct order? I'm stuck in finding the correct OEP.. always failing in the IAT part!